From 3ab0720cc4a6b2525850ea192a99235873f22d6b Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Fri, 27 Jul 2018 17:01:04 +0900
Subject: [PATCH] x509name: fix OpenSSL::X509::Name#{cmp,<=>}

Fix wrong use of X509_NAME_cmp() return value. OpenSSL::X509::Name#<=>
could return 0 when the two objects aren't identical.

Reported by Tyler Eckstein. CVE-2018-16395.

Reference: https://hackerone.com/reports/387250
---
 ext/openssl/ossl_x509name.c   |  2 +-
 test/openssl/test_x509name.rb | 14 ++++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
index 4b397055ab..a2662159e3 100644
--- a/ext/openssl/ossl_x509name.c
+++ b/ext/openssl/ossl_x509name.c
@@ -321,7 +321,7 @@ ossl_x509name_cmp(VALUE self, VALUE other)
 
     result = ossl_x509name_cmp0(self, other);
     if (result < 0) return INT2FIX(-1);
-    if (result > 1) return INT2FIX(1);
+    if (result > 0) return INT2FIX(1);
 
     return INT2FIX(0);
 }
diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb
index de35fc303a..642d7094a8 100644
--- a/test/openssl/test_x509name.rb
+++ b/test/openssl/test_x509name.rb
@@ -337,10 +337,16 @@ class OpenSSL::TestX509Name < Test::Unit::TestCase
   end
 
   def test_spaceship
-    n1 = OpenSSL::X509::Name.parse 'CN=a'
-    n2 = OpenSSL::X509::Name.parse 'CN=b'
-
-    assert_equal(-1, n1 <=> n2)
+    n1 = OpenSSL::X509::Name.new([["CN", "a"]])
+    n2 = OpenSSL::X509::Name.new([["CN", "a"]])
+    n3 = OpenSSL::X509::Name.new([["CN", "ab"]])
+
+    assert_equal 0, n1 <=> n2
+    assert_equal -1, n1 <=> n3
+    assert_equal 0, n2 <=> n1
+    assert_equal -1, n2 <=> n3
+    assert_equal 1, n3 <=> n1
+    assert_equal 1, n3 <=> n2
   end
 
   def name_hash(name)
-- 
2.17.1