From 3ab0720cc4a6b2525850ea192a99235873f22d6b Mon Sep 17 00:00:00 2001

From: Kazuki Yamaguchi <k@rhe.jp>

Date: Fri, 27 Jul 2018 17:01:04 +0900

Subject: [PATCH] x509name: fix OpenSSL::X509::Name#{cmp,<=>}

Fix wrong use of X509_NAME_cmp() return value. OpenSSL::X509::Name#<=>

could return 0 when the two objects aren't identical.

Reported by Tyler Eckstein. CVE-2018-16395.

Reference: https://hackerone.com/reports/387250

---

 ext/openssl/ossl_x509name.c   |  2 +-

 test/openssl/test_x509name.rb | 14 ++++++++++----

 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c

index 4b397055ab..a2662159e3 100644

--- a/ext/openssl/ossl_x509name.c

+++ b/ext/openssl/ossl_x509name.c

@@ -321,7 +321,7 @@ ossl_x509name_cmp(VALUE self, VALUE other)

     result = ossl_x509name_cmp0(self, other);

     if (result < 0) return INT2FIX(-1);

-    if (result > 1) return INT2FIX(1);

+    if (result > 0) return INT2FIX(1);

     return INT2FIX(0);

 }

diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb

index de35fc303a..642d7094a8 100644

--- a/test/openssl/test_x509name.rb

+++ b/test/openssl/test_x509name.rb

@@ -337,10 +337,16 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase

   end

   def test_spaceship

-    n1 = OpenSSL::X509::Name.parse 'CN=a'

-    n2 = OpenSSL::X509::Name.parse 'CN=b'

-

-    assert_equal(-1, n1 <=> n2)

+    n1 = OpenSSL::X509::Name.new([["CN", "a"]])

+    n2 = OpenSSL::X509::Name.new([["CN", "a"]])

+    n3 = OpenSSL::X509::Name.new([["CN", "ab"]])

+

+    assert_equal 0, n1 <=> n2

+    assert_equal -1, n1 <=> n3

+    assert_equal 0, n2 <=> n1

+    assert_equal -1, n2 <=> n3

+    assert_equal 1, n3 <=> n1

+    assert_equal 1, n3 <=> n2

   end

   def name_hash(name)

-- 

2.17.1