This branch has only the CMS code

CONTRIBUTING.md

@@ -12,12 +12,14 @@ If you think you found a bug, file a ticket on GitHub. Please DO NOT report
 security issues here, there is a separate procedure which is described on
 ["Security at ruby-lang.org"](https://www.ruby-lang.org/en/security/).
 
-When reporting a bug, please make sure you include the version of Ruby, the
-version of openssl gem, the version of the OpenSSL library, along with a sample
-file that illustrates the problem or link to repository or gem that is
-associated with the bug.
-
-There is a number of unresolved issues and feature requests for openssl that
+When reporting a bug, please make sure you include: 
+* Ruby version 
+* OpenSSL gem version
+* OpenSSL library version 
+* A sample file that illustrates the problem or link to the repository or 
+  gem that is associated with the bug.
+
+There are a number of unresolved issues and feature requests for openssl that
 need review. Before submitting a new ticket, it is recommended to check
 [known issues] and [bugs.ruby-lang.org], the previous issue tracker.
 

DTLS.md

@@ -0,0 +1,43 @@
+
+In order to get DTLS to work, you need a patched copy of Openssl.
+Get it here:
+   https://github.com/mcr/openssl/tree/dtls-listen-refactor
+
+build and install it.  You might want to compile without DSO support, as that will
+make it easier for the ruby-openssl module to link in the right code. To do
+that you can do:
+     ./Configure no-shared --prefix=/sandel/3rd/openssl --debug linux-x86_64
+
+(--debug being optional)
+
+The resulting openssl.so will be significantly bigger, btw:
+    %size tmp/x86_64-linux/openssl/2.4.1/openssl.so
+       text    data     bss     dec     hex filename
+    3889567  261788   16856 4168211  3f9a13 tmp/x86_64-linux/openssl/2.4.1/openssl.so
+
+
+Pick a --prefix which is not on your regular paths.  Probably gem can be
+persuaded to do all of this, but hopefully the code will upstreamed sooner
+and the problem will go away.
+
+If DTLSv1_accept() is not available, then the DTLS support will not include
+server side code, only client side code.  No patches are necessary to make
+client-side DTLS work.  To be sure that the patch has been found is enabled
+check for:
+
+    checking for DTLSv1_accept()... yes
+
+
+Then build with:
+
+    rake compile -- --with-openssl-dir=/sandel/3rd/openssl
+
+I don't know how to add the extra arguments required to your Gemfile so that
+it will be built properly during bundle processing. I'm sure that there is a way,
+patches welcome. I do:
+    gem build openssl
+    gem install ./openssl-2.2.0.pre.mcr1.gem
+
+BTW: the pull request is at:
+    https://github.com/openssl/openssl/pull/5024
+and comments would be welcome.

ext/openssl/extconf.rb

@@ -165,6 +165,7 @@ def find_openssl_library
 have_func("X509_get0_notBefore")
 have_func("SSL_SESSION_get_protocol_version")
 have_func("EVP_PBE_scrypt")
+have_func("CMS_sign")
 
 Logging::message "=== Checking done. ===\n"
 

ext/openssl/openssl_missing.h

@@ -185,7 +185,7 @@ IMPL_KEY_ACCESSOR3(DSA, pqg, p, q, g, (p == obj->p || q == obj->q || g == obj->g
 #if !defined(OPENSSL_NO_DH)
 IMPL_PKEY_GETTER(DH, dh)
 IMPL_KEY_ACCESSOR2(DH, key, pub_key, priv_key, (pub_key == obj->pub_key || (obj->priv_key && priv_key == obj->priv_key)))
-IMPL_KEY_ACCESSOR3(DH, pqg, p, q, g, (p == obj->p || obj->q && q == obj->q || g == obj->g))
+IMPL_KEY_ACCESSOR3(DH, pqg, p, q, g, (p == obj->p || (obj->q && q == obj->q) || g == obj->g))
 static inline ENGINE *DH_get0_engine(DH *dh) { return dh->engine; }
 #endif
 

ext/openssl/ossl.c

@@ -1202,6 +1202,9 @@ Init_openssl(void)
     Init_ossl_ns_spki();
     Init_ossl_pkcs12();
     Init_ossl_pkcs7();
+#if defined(HAVE_CMS_SIGN)
+    Init_ossl_cms();
+#endif
     Init_ossl_pkey();
     Init_ossl_rand();
     Init_ossl_ssl();

ext/openssl/ossl.h

@@ -24,6 +24,9 @@
 #include <openssl/ssl.h>
 #include <openssl/pkcs12.h>
 #include <openssl/pkcs7.h>
+#if defined(HAVE_CMS_SIGN)
+#include <openssl/cms.h>
+#endif
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
 #include <openssl/conf.h>
@@ -165,6 +168,7 @@ void ossl_debug(const char *, ...);
 #include "ossl_ocsp.h"
 #include "ossl_pkcs12.h"
 #include "ossl_pkcs7.h"
+#include "ossl_cms.h"
 #include "ossl_pkey.h"
 #include "ossl_rand.h"
 #include "ossl_ssl.h"

ext/openssl/ossl_asn1.c

@@ -1824,6 +1824,7 @@ do{\
     rb_define_method(cASN1EndOfContent, "to_der", ossl_asn1eoc_to_der, 0);
 
     class_tag_map = rb_hash_new();
+    rb_global_variable(&class_tag_map);
     rb_hash_aset(class_tag_map, cASN1EndOfContent, INT2NUM(V_ASN1_EOC));
     rb_hash_aset(class_tag_map, cASN1Boolean, INT2NUM(V_ASN1_BOOLEAN));
     rb_hash_aset(class_tag_map, cASN1Integer, INT2NUM(V_ASN1_INTEGER));
@@ -1847,7 +1848,6 @@ do{\
     rb_hash_aset(class_tag_map, cASN1GeneralString, INT2NUM(V_ASN1_GENERALSTRING));
     rb_hash_aset(class_tag_map, cASN1UniversalString, INT2NUM(V_ASN1_UNIVERSALSTRING));
     rb_hash_aset(class_tag_map, cASN1BMPString, INT2NUM(V_ASN1_BMPSTRING));
-    rb_global_variable(&class_tag_map);
 
     id_each = rb_intern_const("each");
 }

ext/openssl/ossl_cipher.c

@@ -896,7 +896,7 @@ Init_ossl_cipher(void)
      * without processing the password further. A simple and secure way to
      * create a key for a particular Cipher is
      *
-     *  cipher = OpenSSL::AES256.new(:CFB)
+     *  cipher = OpenSSL::Cipher::AES256.new(:CFB)
      *  cipher.encrypt
      *  key = cipher.random_key # also sets the generated key on the Cipher
      *