359f671f88 (master): [ruby/openssl] x509name: check for error of X509_NAME_cmp()


ndossche

Apr 20, 2026, 5:45:07 AM
to ruby...@g.ruby-lang.org
ndossche 2026-04-18 11:19:32 +0000 (Sat, 18 Apr 2026)

New Revision: 359f671f88

https://github.com/ruby/ruby/commit/359f671f88

Log:
[ruby/openssl] x509name: check for error of X509_NAME_cmp()

These functions may return -2 to indicate an error according to the
manual [1]. This can also be confirmed when looking at the code as it
may call into i2d_X509_NAME() which can fail [2].
In such cases, the failure is reinterpreted as a "less than" comparison
and the error is not reported, potentially leading to wrong results in
userland code.

[1] https://manpages.opensuse.org/Tumbleweed/openssl-3-doc/X509_NAME_cmp.33ssl.en.html
[2] https://github.com/openssl/openssl/blob/f023662d1bde1fcb7fecf976b25a45afd55734b8/crypto/x509/x509_cmp.c#L269-L271

https://github.com/ruby/openssl/commit/08e5547b85

Modified files:
ext/openssl/ossl_x509name.c
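
The failure mode described in the log, as an added illustration that is not code from the ruby/openssl commit. It assumes a hypothetical stand-in, `fake_name_cmp`, in place of `X509_NAME_cmp()` so the -2 error path can be triggered without OpenSSL; `struct fake_name`, `compare_unchecked` and `compare_checked` are likewise names made up for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an X509_NAME: enc == NULL simulates a name
 * whose encoding step fails. Constructed for this example. */
struct fake_name { const char *enc; };

/* Hypothetical stand-in for X509_NAME_cmp(): -1/0/1 for an ordering,
 * -2 when the comparison itself failed. */
static int fake_name_cmp(const struct fake_name *a, const struct fake_name *b)
{
    if (a->enc == NULL || b->enc == NULL)
        return -2;
    int r = strcmp(a->enc, b->enc);
    return (r > 0) - (r < 0);
}

/* Unchecked caller: any negative result, including -2, becomes "less than". */
int compare_unchecked(const struct fake_name *a, const struct fake_name *b)
{
    int r = fake_name_cmp(a, b);
    return r == 0 ? 0 : (r > 0 ? 1 : -1);
}

/* Checked caller: returns 0 and stores the ordering in *order on success,
 * returns -1 without touching *order when the comparison failed. */
int compare_checked(const struct fake_name *a, const struct fake_name *b, int *order)
{
    int r = fake_name_cmp(a, b);
    if (r == -2)
        return -1;
    *order = r;
    return 0;
}

int main(void)
{
    struct fake_name good = { "CN=example" }, broken = { NULL };
    int order = 0;

    /* Both directions claim "less than": an impossible ordering. */
    printf("unchecked: %d %d\n", compare_unchecked(&broken, &good),
           compare_unchecked(&good, &broken));
    printf("checked:   %d\n", compare_checked(&broken, &good, &order));
    return 0;
}
```

With the unchecked caller, a failed comparison reports "less than" in both argument orders, so code that sorts or deduplicates names on that result can silently misbehave; the checked caller surfaces the failure instead.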