updated ext/openssl to 2.0.9

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@65134 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ext/openssl/History.md

@@ -1,3 +1,26 @@
+Version 2.0.9
+=============
+
+Security fixes
+--------------
+
+* OpenSSL::X509::Name#<=> could incorrectly return 0 (= equal) for non-equal
+  objects. CVE-2018-16395 is assigned for this issue.
+  https://hackerone.com/reports/387250
+
+Bug fixes
+---------
+
+* Fixed OpenSSL::PKey::*.{new,generate} immediately aborting if the thread is
+  interrupted.
+  [[Bug #14882]](https://bugs.ruby-lang.org/issues/14882)
+  [[GitHub #205]](https://github.com/ruby/openssl/pull/205)
+* Fixed OpenSSL::X509::Name#to_s failing with OpenSSL::X509::NameError if
+  called against an empty instance.
+  [[GitHub #200]](https://github.com/ruby/openssl/issues/200)
+  [[GitHub #211]](https://github.com/ruby/openssl/pull/211)
+
+
 Version 2.0.8
 =============
 

ext/openssl/extconf.rb

@@ -33,6 +33,9 @@ end
 Logging::message "=== Checking for system dependent stuff... ===\n"
 have_library("nsl", "t_open")
 have_library("socket", "socket")
+if $mswin || $mingw
+  have_library("ws2_32")
+end
 
 Logging::message "=== Checking for required stuff... ===\n"
 result = pkg_config("openssl") && have_header("openssl/ssl.h")
@@ -122,6 +125,10 @@ engines.each { |name|
   OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h")
 }
 
+if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
+  $defs.push("-DNOCRYPT")
+end
+
 # added in 0.9.8X
 have_func("EVP_CIPHER_CTX_new")
 have_func("EVP_CIPHER_CTX_free")

ext/openssl/openssl.gemspec

@@ -1,20 +1,20 @@
 # -*- encoding: utf-8 -*-
-# stub: openssl 2.0.8 ruby lib
+# stub: openssl 2.0.9 ruby lib
 # stub: ext/openssl/extconf.rb
 
 Gem::Specification.new do |s|
   s.name = "openssl".freeze
-  s.version = "2.0.8"
+  s.version = "2.0.9"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
   s.metadata = { "msys2_mingw_dependencies" => "openssl" } if s.respond_to? :metadata=
   s.require_paths = ["lib".freeze]
   s.authors = ["Martin Bosslet".freeze, "SHIBATA Hiroshi".freeze, "Zachary Scott".freeze, "Kazuki Yamaguchi".freeze]
-  s.date = "2018-05-12"
+  s.date = "2018-10-17"
   s.description = "It wraps the OpenSSL library.".freeze
   s.email = ["ruby-core@ruby-lang.org".freeze]
   s.extensions = ["ext/openssl/extconf.rb".freeze]
-  s.extra_rdoc_files = ["CONTRIBUTING.md".freeze, "History.md".freeze, "README.md".freeze]
+  s.extra_rdoc_files = ["CONTRIBUTING.md".freeze, "README.md".freeze, "History.md".freeze]
   s.files = ["BSDL".freeze, "CONTRIBUTING.md".freeze, "History.md".freeze, "LICENSE.txt".freeze, "README.md".freeze, "ext/openssl/deprecation.rb".freeze, "ext/openssl/extconf.rb".freeze, "ext/openssl/openssl_missing.c".freeze, "ext/openssl/openssl_missing.h".freeze, "ext/openssl/ossl.c".freeze, "ext/openssl/ossl.h".freeze, "ext/openssl/ossl_asn1.c".freeze, "ext/openssl/ossl_asn1.h".freeze, "ext/openssl/ossl_bio.c".freeze, "ext/openssl/ossl_bio.h".freeze, "ext/openssl/ossl_bn.c".freeze, "ext/openssl/ossl_bn.h".freeze, "ext/openssl/ossl_cipher.c".freeze, "ext/openssl/ossl_cipher.h".freeze, "ext/openssl/ossl_config.c".freeze, "ext/openssl/ossl_config.h".freeze, "ext/openssl/ossl_digest.c".freeze, "ext/openssl/ossl_digest.h".freeze, "ext/openssl/ossl_engine.c".freeze, "ext/openssl/ossl_engine.h".freeze, "ext/openssl/ossl_hmac.c".freeze, "ext/openssl/ossl_hmac.h".freeze, "ext/openssl/ossl_ns_spki.c".freeze, "ext/openssl/ossl_ns_spki.h".freeze, "ext/openssl/ossl_ocsp.c".freeze, "ext/openssl/ossl_ocsp.h".freeze, "ext/openssl/ossl_pkcs12.c".freeze, "ext/openssl/ossl_pkcs12.h".freeze, "ext/openssl/ossl_pkcs5.c".freeze, "ext/openssl/ossl_pkcs5.h".freeze, "ext/openssl/ossl_pkcs7.c".freeze, "ext/openssl/ossl_pkcs7.h".freeze, "ext/openssl/ossl_pkey.c".freeze, "ext/openssl/ossl_pkey.h".freeze, "ext/openssl/ossl_pkey_dh.c".freeze, "ext/openssl/ossl_pkey_dsa.c".freeze, "ext/openssl/ossl_pkey_ec.c".freeze, "ext/openssl/ossl_pkey_rsa.c".freeze, "ext/openssl/ossl_rand.c".freeze, "ext/openssl/ossl_rand.h".freeze, "ext/openssl/ossl_ssl.c".freeze, "ext/openssl/ossl_ssl.h".freeze, "ext/openssl/ossl_ssl_session.c".freeze, "ext/openssl/ossl_version.h".freeze, "ext/openssl/ossl_x509.c".freeze, "ext/openssl/ossl_x509.h".freeze, "ext/openssl/ossl_x509attr.c".freeze, "ext/openssl/ossl_x509cert.c".freeze, "ext/openssl/ossl_x509crl.c".freeze, "ext/openssl/ossl_x509ext.c".freeze, "ext/openssl/ossl_x509name.c".freeze, "ext/openssl/ossl_x509req.c".freeze, "ext/openssl/ossl_x509revoked.c".freeze, "ext/openssl/ossl_x509store.c".freeze, "ext/openssl/ruby_missing.h".freeze, "lib/openssl.rb".freeze, "lib/openssl/bn.rb".freeze, "lib/openssl/buffering.rb".freeze, "lib/openssl/cipher.rb".freeze, "lib/openssl/config.rb".freeze, "lib/openssl/digest.rb".freeze, "lib/openssl/pkey.rb".freeze, "lib/openssl/ssl.rb".freeze, "lib/openssl/x509.rb".freeze]
   s.homepage = "https://www.ruby-lang.org/".freeze
   s.licenses = ["Ruby".freeze]

ext/openssl/openssl_missing.h

@@ -196,7 +196,7 @@ void ossl_X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, co
 static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
 	return pkey->pkey._name; }
 #define IMPL_KEY_ACCESSOR2(_type, _group, a1, a2, _fail_cond) \
-static inline void _type##_get0_##_group(_type *obj, const BIGNUM **a1, const BIGNUM **a2) { \
+static inline void _type##_get0_##_group(const _type *obj, const BIGNUM **a1, const BIGNUM **a2) { \
 	if (a1) *a1 = obj->a1; \
 	if (a2) *a2 = obj->a2; } \
 static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2) { \
@@ -205,7 +205,7 @@ static inline int _type##_set0_##_group(_type *obj, BIGNUM *a1, BIGNUM *a2) { \
 	BN_clear_free(obj->a2); obj->a2 = a2; \
 	return 1; }
 #define IMPL_KEY_ACCESSOR3(_type, _group, a1, a2, a3, _fail_cond) \
-static inline void _type##_get0_##_group(_type *obj, const BIGNUM **a1, const BIGNUM **a2, const BIGNUM **a3) { \
+static inline void _type##_get0_##_group(const _type *obj, const BIGNUM **a1, const BIGNUM **a2, const BIGNUM **a3) { \
 	if (a1) *a1 = obj->a1; \
 	if (a2) *a2 = obj->a2; \
 	if (a3) *a3 = obj->a3; } \

ext/openssl/ossl.c

@@ -1078,6 +1078,7 @@ static void Init_ossl_locks(void)
 void
 Init_openssl(void)
 {
+#undef rb_intern
     /*
      * Init timezone info
      */

ext/openssl/ossl_asn1.c

@@ -1412,6 +1412,7 @@ OSSL_ASN1_IMPL_FACTORY_METHOD(EndOfContent)
 void
 Init_ossl_asn1(void)
 {
+#undef rb_intern
     VALUE ary;
     int i;
 

ext/openssl/ossl_pkcs12.c

@@ -237,6 +237,7 @@ ossl_pkcs12_to_der(VALUE self)
 void
 Init_ossl_pkcs12(void)
 {
+#undef rb_intern
 #if 0
     mOSSL = rb_define_module("OpenSSL");
     eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);

ext/openssl/ossl_pkcs7.c

@@ -1054,6 +1054,7 @@ ossl_pkcs7ri_get_enc_key(VALUE self)
 void
 Init_ossl_pkcs7(void)
 {
+#undef rb_intern
 #if 0
     mOSSL = rb_define_module("OpenSSL");
     eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);

ext/openssl/ossl_pkey.c

@@ -20,6 +20,21 @@ static ID id_private_q;
 /*
  * callback for generating keys
  */
+static VALUE
+call_check_ints0(VALUE arg)
+{
+    rb_thread_check_ints();
+    return Qnil;
+}
+
+static void *
+call_check_ints(void *arg)
+{
+    int state;
+    rb_protect(call_check_ints0, Qnil, &state);
+    return (void *)(VALUE)state;
+}
+
 int
 ossl_generate_cb_2(int p, int n, BN_GENCB *cb)
 {
@@ -38,11 +53,18 @@ ossl_generate_cb_2(int p, int n, BN_GENCB *cb)
 	*/
 	rb_protect(rb_yield, ary, &state);
 	if (state) {
-	    arg->stop = 1;
 	    arg->state = state;
+	    return 0;
+	}
+    }
+    if (arg->interrupted) {
+	arg->interrupted = 0;
+	state = (int)(VALUE)rb_thread_call_with_gvl(call_check_ints, NULL);
+	if (state) {
+	    arg->state = state;
+	    return 0;
 	}
     }
-    if (arg->stop) return 0;
     return 1;
 }
 
@@ -50,7 +72,7 @@ void
 ossl_generate_cb_stop(void *ptr)
 {
     struct ossl_generate_cb_arg *arg = (struct ossl_generate_cb_arg *)ptr;
-    arg->stop = 1;
+    arg->interrupted = 1;
 }
 
 static void
@@ -389,6 +411,7 @@ ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)
 void
 Init_ossl_pkey(void)
 {
+#undef rb_intern
 #if 0
     mOSSL = rb_define_module("OpenSSL");
     eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);

ext/openssl/ossl_pkey.h

@@ -41,7 +41,7 @@ extern const rb_data_type_t ossl_evp_pkey_type;
 
 struct ossl_generate_cb_arg {
     int yield;
-    int stop;
+    int interrupted;
     int state;
 };
 int ossl_generate_cb_2(int p, int n, BN_GENCB *cb);

ext/openssl/ossl_pkey_ec.c

@@ -1676,6 +1676,7 @@ static VALUE ossl_ec_point_mul(int argc, VALUE *argv, VALUE self)
 
 void Init_ossl_ec(void)
 {
+#undef rb_intern
 #if 0
     mPKey = rb_define_module_under(mOSSL, "PKey");
     cPKey = rb_define_class_under(mPKey, "PKey", rb_cObject);

ext/openssl/ossl_version.h

@@ -10,6 +10,6 @@
 #if !defined(_OSSL_VERSION_H_)
 #define _OSSL_VERSION_H_
 
-#define OSSL_VERSION "2.0.8"
+#define OSSL_VERSION "2.0.9"
 
 #endif /* _OSSL_VERSION_H_ */

ext/openssl/ossl_x509ext.c

@@ -441,6 +441,7 @@ ossl_x509ext_to_der(VALUE obj)
 void
 Init_ossl_x509ext(void)
 {
+#undef rb_intern
 #if 0
     mOSSL = rb_define_module("OpenSSL");
     eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);

ext/openssl/ossl_x509name.c

@@ -239,14 +239,31 @@ ossl_x509name_to_s_old(VALUE self)
 {
     X509_NAME *name;
     char *buf;
-    VALUE str;
 
     GetX509Name(self, name);
     buf = X509_NAME_oneline(name, NULL, 0);
-    str = rb_str_new2(buf);
-    OPENSSL_free(buf);
+    if (!buf)
+	ossl_raise(eX509NameError, "X509_NAME_oneline");
+    return ossl_buf2str(buf, rb_long2int(strlen(buf)));
+}
 
-    return str;
+static VALUE
+x509name_print(VALUE self, unsigned long iflag)
+{
+    X509_NAME *name;
+    BIO *out;
+    int ret;
+
+    GetX509Name(self, name);
+    out = BIO_new(BIO_s_mem());
+    if (!out)
+	ossl_raise(eX509NameError, NULL);
+    ret = X509_NAME_print_ex(out, name, 0, iflag);
+    if (ret < 0 || iflag == XN_FLAG_COMPAT && ret == 0) {
+	BIO_free(out);
+	ossl_raise(eX509NameError, "X509_NAME_print_ex");
+    }
+    return ossl_membio2str(out);
 }
 
 /*
@@ -264,25 +281,12 @@ ossl_x509name_to_s_old(VALUE self)
 static VALUE
 ossl_x509name_to_s(int argc, VALUE *argv, VALUE self)
 {
-    X509_NAME *name;
-    VALUE flag, str;
-    BIO *out;
-    unsigned long iflag;
-
-    rb_scan_args(argc, argv, "01", &flag);
-    if (NIL_P(flag))
+    rb_check_arity(argc, 0, 1);
+    /* name.to_s(nil) was allowed */
+    if (!argc || NIL_P(argv[0]))
 	return ossl_x509name_to_s_old(self);
-    else iflag = NUM2ULONG(flag);
-    if (!(out = BIO_new(BIO_s_mem())))
-	ossl_raise(eX509NameError, NULL);
-    GetX509Name(self, name);
-    if (!X509_NAME_print_ex(out, name, 0, iflag)){
-	BIO_free(out);
-	ossl_raise(eX509NameError, NULL);
-    }
-    str = ossl_membio2str(out);
-
-    return str;
+    else
+	return x509name_print(self, NUM2ULONG(argv[0]));
 }
 
 /*
@@ -358,7 +362,7 @@ ossl_x509name_cmp(VALUE self, VALUE other)
 
     result = ossl_x509name_cmp0(self, other);
     if (result < 0) return INT2FIX(-1);
-    if (result > 1) return INT2FIX(1);
+    if (result > 0) return INT2FIX(1);
 
     return INT2FIX(0);
 }
@@ -462,6 +466,7 @@ ossl_x509name_to_der(VALUE self)
 void
 Init_ossl_x509name(void)
 {
+#undef rb_intern
     VALUE utf8str, ptrstr, ia5str, hash;
 
 #if 0

ext/openssl/ossl_x509store.c

@@ -800,6 +800,7 @@ ossl_x509stctx_set_time(VALUE self, VALUE time)
 void
 Init_ossl_x509store(void)
 {
+#undef rb_intern
 #if 0
     mOSSL = rb_define_module("OpenSSL");
     eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);

test/openssl/test_ssl.rb

@@ -48,6 +48,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
         assert_equal 2, ssl.peer_cert_chain.size
         assert_equal @svr_cert.to_der, ssl.peer_cert_chain[0].to_der
         assert_equal @ca_cert.to_der, ssl.peer_cert_chain[1].to_der
+
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       ensure
         ssl&.close
         sock&.close
@@ -77,6 +79,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
         sock = TCPSocket.new("127.0.0.1", port)
         ssl = OpenSSL::SSL::SSLSocket.new(sock)
         ssl.connect
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
         ssl.close
         assert_not_predicate sock, :closed?
       ensure
@@ -88,6 +91,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
         ssl = OpenSSL::SSL::SSLSocket.new(sock)
         ssl.sync_close = true  # !!
         ssl.connect
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
         ssl.close
         assert_predicate sock, :closed?
       ensure
@@ -179,7 +183,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
         client_ca_from_server = sslconn.client_ca
         [@cli_cert, @cli_key]
       end
-      server_connect(port, ctx) { |ssl| assert_equal([@ca], client_ca_from_server) }
+      server_connect(port, ctx) { |ssl|
+        assert_equal([@ca], client_ca_from_server)
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+      }
     }
   end
 
@@ -276,21 +283,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     }
 
     start_server { |port|
-      sock = TCPSocket.new("127.0.0.1", port)
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
       ctx.verify_callback = Proc.new do |preverify_ok, store_ctx|
         store_ctx.error = OpenSSL::X509::V_OK
         true
       end
-      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
-      ssl.sync_close = true
-      begin
-        ssl.connect
+      server_connect(port, ctx) { |ssl|
         assert_equal(OpenSSL::X509::V_OK, ssl.verify_result)
-      ensure
-        ssl.close
-      end
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+      }
     }
 
     start_server(ignore_listener_error: true) { |port|
@@ -377,6 +379,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
     start_server { |port|
       server_connect(port) { |ssl|
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+
         assert_raise(sslerr){ssl.post_connection_check("localhost.localdomain")}
         assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
         assert(ssl.post_connection_check("localhost"))
@@ -398,6 +402,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     @svr_cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key)
     start_server { |port|
       server_connect(port) { |ssl|
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+
         assert(ssl.post_connection_check("localhost.localdomain"))
         assert(ssl.post_connection_check("127.0.0.1"))
         assert_raise(sslerr){ssl.post_connection_check("localhost")}
@@ -418,6 +424,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     @svr_cert = issue_cert(@svr, @svr_key, 5, exts, @ca_cert, @ca_key)
     start_server { |port|
       server_connect(port) { |ssl|
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+
         assert(ssl.post_connection_check("localhost.localdomain"))
         assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
         assert_raise(sslerr){ssl.post_connection_check("localhost")}
@@ -644,6 +652,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
         ssl.connect
         assert_equal @cli_cert.serial, ssl.peer_cert.serial
         assert_predicate fooctx, :frozen?
+
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       ensure
         ssl&.close
         sock.close
@@ -655,6 +665,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
         ssl.hostname = "bar.example.com"
         ssl.connect
         assert_equal @svr_cert.serial, ssl.peer_cert.serial
+
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       ensure
         ssl&.close
         sock.close
@@ -727,7 +739,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
           ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
           ssl.hostname = name
           if expected_ok
-            assert_nothing_raised { ssl.connect }
+            ssl.connect
+            ssl.puts "abc"; assert_equal "abc\n", ssl.gets
           else
             assert_handshake_error { ssl.connect }
           end
@@ -856,6 +869,7 @@ end
     start_server_version(:SSLv23, ctx_proc) { |port|
       server_connect(port) { |ssl|
         assert_equal(1, num_handshakes)
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       }
     }
   end
@@ -874,6 +888,7 @@ if openssl?(1, 0, 2) || libressl?
       ctx.alpn_protocols = advertised
       server_connect(port, ctx) { |ssl|
         assert_equal(advertised.first, ssl.alpn_protocol)
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       }
     }
   end
@@ -996,14 +1011,11 @@ end
   end
 
   def test_close_after_socket_close
-    server_proc = proc { |ctx, ssl|
-      # Do nothing
-    }
-    start_server(server_proc: server_proc) { |port|
+    start_server { |port|
       sock = TCPSocket.new("127.0.0.1", port)
       ssl = OpenSSL::SSL::SSLSocket.new(sock)
-      ssl.sync_close = true
       ssl.connect
+      ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       sock.close
       assert_nothing_raised do
         ssl.close
@@ -1068,6 +1080,7 @@ end
         ctx.ciphers = "DEFAULT:!kRSA:!kEDH"
         server_connect(port, ctx) { |ssl|
           assert_instance_of OpenSSL::PKey::EC, ssl.tmp_key
+          ssl.puts "abc"; assert_equal "abc\n", ssl.gets
         }
       end
     end
@@ -1158,6 +1171,7 @@ end
             assert_equal "secp384r1", ssl.tmp_key.group.curve_name
           end
         end
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       }
 
       if openssl?(1, 0, 2) || libressl?(2, 5, 1)
@@ -1173,6 +1187,7 @@ end
 
         server_connect(port, ctx) { |ssl|
           assert_equal "secp521r1", ssl.tmp_key.group.curve_name
+          ssl.puts "abc"; assert_equal "abc\n", ssl.gets
         }
       end
     end

test/openssl/test_ssl_session.rb

@@ -113,6 +113,7 @@ __EOS__
     non_resumable = nil
     start_server { |port|
       server_connect_with_session(port, nil, nil) { |ssl|
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
         non_resumable = ssl.session
       }
     }

test/openssl/test_x509name.rb

@@ -1,4 +1,4 @@
-# coding: US-ASCII
+# coding: ASCII-8BIT
 # frozen_string_literal: false
 require_relative 'utils'
 
@@ -322,6 +322,34 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
     assert_equal("Namiki", ary[5][1])
   end
 
+  def test_to_s
+    dn = [
+      ["DC", "org"],
+      ["DC", "ruby-lang"],
+      ["CN", "フー, バー"],
+    ]
+    name = OpenSSL::X509::Name.new
+    dn.each { |x| name.add_entry(*x) }
+
+    assert_equal "/DC=org/DC=ruby-lang/" \
+      "CN=\\xE3\\x83\\x95\\xE3\\x83\\xBC, \\xE3\\x83\\x90\\xE3\\x83\\xBC",
+      name.to_s
+    # OpenSSL escapes characters with MSB by default
+    assert_equal \
+      "CN=\\E3\\83\\95\\E3\\83\\BC\\, \\E3\\83\\90\\E3\\83\\BC," \
+      "DC=ruby-lang,DC=org",
+      name.to_s(OpenSSL::X509::Name::RFC2253)
+    assert_equal "DC = org, DC = ruby-lang, " \
+      "CN = \"\\E3\\83\\95\\E3\\83\\BC, \\E3\\83\\90\\E3\\83\\BC\"",
+      name.to_s(OpenSSL::X509::Name::ONELINE)
+
+    empty = OpenSSL::X509::Name.new
+    assert_equal "", empty.to_s
+    assert_equal "", empty.to_s(OpenSSL::X509::Name::COMPAT)
+    assert_equal "", empty.to_s(OpenSSL::X509::Name::RFC2253)
+    assert_equal "", empty.to_s(OpenSSL::X509::Name::ONELINE)
+  end
+
   def test_equals2
     n1 = OpenSSL::X509::Name.parse 'CN=a'
     n2 = OpenSSL::X509::Name.parse 'CN=a'
@@ -330,10 +358,16 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase
   end
 
   def test_spaceship
-    n1 = OpenSSL::X509::Name.parse 'CN=a'
-    n2 = OpenSSL::X509::Name.parse 'CN=b'
+    n1 = OpenSSL::X509::Name.new([["CN", "a"]])
+    n2 = OpenSSL::X509::Name.new([["CN", "a"]])
+    n3 = OpenSSL::X509::Name.new([["CN", "ab"]])
 
-    assert_equal(-1, n1 <=> n2)
+    assert_equal 0, n1 <=> n2
+    assert_equal -1, n1 <=> n3
+    assert_equal 0, n2 <=> n1
+    assert_equal -1, n2 <=> n3
+    assert_equal 1, n3 <=> n1
+    assert_equal 1, n3 <=> n2
   end
 
   def name_hash(name)

version.h

@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.4.5"
 #define RUBY_RELEASE_DATE "2018-10-18"
-#define RUBY_PATCHLEVEL 334
+#define RUBY_PATCHLEVEL 335
 
 #define RUBY_RELEASE_YEAR 2018
 #define RUBY_RELEASE_MONTH 10