x509name: fix OpenSSL::X509::Name#{cmp,<=>}

rhenium · rhenium · commit f653cfa43f0f · 2018-10-17T16:42:36.000+09:00
Fix wrong use of X509_NAME_cmp() return value. OpenSSL::X509::Name#<=> could return 0 when the two objects aren't identical. Reported by Tyler Eckstein. CVE-2018-16395. Reference: https://hackerone.com/reports/387250
diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c
@@ -358,7 +358,7 @@ ossl_x509name_cmp(VALUE self, VALUE other)
 
     result = ossl_x509name_cmp0(self, other);
     if (result < 0) return INT2FIX(-1);
-    if (result > 1) return INT2FIX(1);
+    if (result > 0) return INT2FIX(1);
 
     return INT2FIX(0);
 }
diff --git a/test/test_x509name.rb b/test/test_x509name.rb
@@ -330,10 +330,16 @@ def test_equals2
   end
 
   def test_spaceship
-    n1 = OpenSSL::X509::Name.parse 'CN=a'
-    n2 = OpenSSL::X509::Name.parse 'CN=b'
-
-    assert_equal(-1, n1 <=> n2)
+    n1 = OpenSSL::X509::Name.new([["CN", "a"]])
+    n2 = OpenSSL::X509::Name.new([["CN", "a"]])
+    n3 = OpenSSL::X509::Name.new([["CN", "ab"]])
+
+    assert_equal 0, n1 <=> n2
+    assert_equal -1, n1 <=> n3
+    assert_equal 0, n2 <=> n1
+    assert_equal -1, n2 <=> n3
+    assert_equal 1, n3 <=> n1
+    assert_equal 1, n3 <=> n2
   end
 
   def name_hash(name)

Original file line number	Diff line number	Diff line change
`@@ -358,7 +358,7 @@ ossl_x509name_cmp(VALUE self, VALUE other)`
`358`	`358`
`359`	`359`	`result = ossl_x509name_cmp0(self, other);`
`360`	`360`	`if (result < 0) return INT2FIX(-1);`
`361`		`- if (result > 1) return INT2FIX(1);`
	`361`	`+ if (result > 0) return INT2FIX(1);`
`362`	`362`
`363`	`363`	`return INT2FIX(0);`
`364`	`364`	`}`