From 3ab0720cc4a6b2525850ea192a99235873f22d6b Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Fri, 27 Jul 2018 17:01:04 +0900
Subject: [PATCH] x509name: fix OpenSSL::X509::Name#{cmp,<=>} Fix wrong use of X509_NAME_cmp() return value. OpenSSL::X509::Name#<=> could return 0 when the two objects aren't identical. Reported by Tyler Eckstein. CVE-2018-16395. Reference: https://hackerone.com/reports/387250
---
 ext/openssl/ossl_x509name.c | 2 +-
 test/openssl/test_x509name.rb | 14 ++++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
index 4b397055ab..a2662159e3 100644
--- a/ext/openssl/ossl_x509name.c
+++ b/ext/openssl/ossl_x509name.c
@@ -321,7 +321,7 @@ ossl_x509name_cmp(VALUE self, VALUE other)
 result = ossl_x509name_cmp0(self, other);
 if (result < 0) return INT2FIX(-1);
- if (result > 1) return INT2FIX(1);
+ if (result > 0) return INT2FIX(1);
 return INT2FIX(0);
 }
diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb
index de35fc303a..642d7094a8 100644
--- a/test/openssl/test_x509name.rb
+++ b/test/openssl/test_x509name.rb
@@ -337,10 +337,16 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
 end
 def test_spaceship
- n1 = OpenSSL::X509::Name.parse 'CN=a'
- n2 = OpenSSL::X509::Name.parse 'CN=b'
-
- assert_equal(-1, n1 <=> n2)
+ n1 = OpenSSL::X509::Name.new([["CN", "a"]])
+ n2 = OpenSSL::X509::Name.new([["CN", "a"]])
+ n3 = OpenSSL::X509::Name.new([["CN", "ab"]])
+
+ assert_equal 0, n1 <=> n2
+ assert_equal -1, n1 <=> n3
+ assert_equal 0, n2 <=> n1
+ assert_equal -1, n2 <=> n3
+ assert_equal 1, n3 <=> n1
+ assert_equal 1, n3 <=> n2
 end
 def name_hash(name)
-- 
2.17.1
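Review bot: The corrected sign test in `ossl_x509name_cmp` (ext/openssl/ossl_x509name.c) carries no comment recording the assumption that went wrong: the old `result > 1` reported two different names as equal whenever the underlying comparison returned exactly 1. I would add above the two `if` lines `/* X509_NAME_cmp() may return any negative or positive int, not only -1/1; test the sign only */`. It is also worth confirming whether the library can report a failure through a negative value, because `result < 0` would then turn an error into an ordinary "less than"; that depends on `ossl_x509name_cmp0`, which is outside this hunk. The function body begins above the hunk.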
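Review bot: The rewritten `test_spaceship` in test/openssl/test_x509name.rb drops the only case where the two names have the same length but different content (the old `CN=a` vs `CN=b` assertion), so the regression test now exercises only a length difference. I would keep that case beside the new ones, e.g. `n4 = OpenSSL::X509::Name.new([["CN", "b"]])` with `assert_equal(-1, n1 <=> n4)` and `assert_equal(1, n4 <=> n1)`. The commit title also names `#cmp`, which no assertion calls directly; `assert_equal(1, n3.cmp(n1))` would cover it. Separately, `assert_equal -1, ...` without parentheses is a form Ruby's parser may flag as an ambiguous first argument when warnings are enabled, so the parenthesised form used by the removed line is the safer style.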