1 diff --git Configurations/unix-Makefile.tmpl Configurations/unix-Makefile.tmpl
2 index 66617d6f..0a46a241 100644
3 --- Configurations/unix-Makefile.tmpl
4 +++ Configurations/unix-Makefile.tmpl
5 @@ -887,6 +887,7 @@ generate_crypto_objects:
6 crypto/objects/obj_mac.num \
7 crypto/objects/obj_xref.txt \
8 > crypto/objects/obj_xref.h )
9 + ( cd $(SRCDIR); cat crypto/objects/obj_compat.h >> include/openssl/obj_mac.h )
12 ( cd $(SRCDIR); $(PERL) crypto/conf/keysets.pl \
13 diff --git apps/cms.c apps/cms.c
14 index 71554037..7fe22a90 100644
17 @@ -75,15 +75,16 @@ typedef enum OPTION_choice {
18 OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
19 OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
20 OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
21 - OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT,
22 + OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT, OPT_NAMEOPT,
23 OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
24 OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
25 OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
26 OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
27 - OPT_3DES_WRAP, OPT_ENGINE,
28 + OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE,
36 const OPTIONS cms_options[] = {
37 @@ -150,6 +151,8 @@ const OPTIONS cms_options[] = {
38 "Supply or override content for detached signature"},
39 {"print", OPT_PRINT, '-',
40 "For the -cmsout operation print out all fields of the CMS structure"},
41 + {"nameopt", OPT_NAMEOPT, 's',
42 + "For the -print option specifies various strings printing options"},
43 {"secretkey", OPT_SECRETKEY, 's'},
44 {"secretkeyid", OPT_SECRETKEYID, 's'},
45 {"pwri_password", OPT_PWRI_PASSWORD, 's'},
46 @@ -159,6 +162,7 @@ const OPTIONS cms_options[] = {
47 {"from", OPT_FROM, 's', "From address"},
48 {"subject", OPT_SUBJECT, 's', "Subject"},
49 {"signer", OPT_SIGNER, 's', "Signer certificate file"},
50 + {"originator", OPT_ORIGINATOR, 's', "Originator certificate file"},
51 {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
52 {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
53 {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
54 @@ -177,6 +181,7 @@ const OPTIONS cms_options[] = {
55 # ifndef OPENSSL_NO_DES
56 {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
58 + {"wrap", OPT_WRAP, 's', "Any wrap cipher to wrap key"},
59 # ifndef OPENSSL_NO_ENGINE
60 {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
62 @@ -196,7 +201,7 @@ int cms_main(int argc, char **argv)
63 STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
64 STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
65 STACK_OF(X509) *encerts = NULL, *other = NULL;
66 - X509 *cert = NULL, *recip = NULL, *signer = NULL;
67 + X509 *cert = NULL, *recip = NULL, *signer = NULL, *originator = 0;
68 X509_STORE *store = NULL;
69 X509_VERIFY_PARAM *vpm = NULL;
70 char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
71 @@ -204,7 +209,7 @@ int cms_main(int argc, char **argv)
72 char *certsoutfile = NULL;
73 int noCAfile = 0, noCApath = 0;
74 char *infile = NULL, *outfile = NULL, *rctfile = NULL;
75 - char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = NULL;
76 + char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *originatorfile = NULL, *recipfile = NULL;
77 char *to = NULL, *from = NULL, *subject = NULL, *prog;
78 cms_key_param *key_first = NULL, *key_param = NULL;
79 int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0;
80 @@ -406,6 +411,10 @@ int cms_main(int argc, char **argv)
85 + if (!set_nameopt(opt_arg()))
89 if (secret_key != NULL) {
90 BIO_printf(bio_err, "Invalid key (supplied twice) %s\n",
91 @@ -486,6 +495,9 @@ int cms_main(int argc, char **argv)
93 signerfile = opt_arg();
95 + case OPT_ORIGINATOR:
96 + originatorfile = opt_arg();
99 /* If previous -inkey argument add signer to list */
100 if (keyfile != NULL) {
101 @@ -582,6 +594,10 @@ int cms_main(int argc, char **argv)
102 case OPT_AES256_WRAP:
103 wrap_cipher = EVP_aes_256_wrap();
106 + if (!opt_cipher(opt_unknown(), &wrap_cipher))
111 argc = opt_num_rest();
112 @@ -689,11 +705,11 @@ int cms_main(int argc, char **argv)
115 if (certfile != NULL) {
116 - if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
117 - "certificate file")) {
118 - ERR_print_errors(bio_err);
121 + if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
122 + "certificate file")) {
123 + ERR_print_errors(bio_err);
128 if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
129 @@ -704,6 +720,15 @@ int cms_main(int argc, char **argv)
133 + if (originatorfile != NULL)
135 + if ((originator = load_cert(originatorfile, FORMAT_PEM,
136 + "originator certificate file")) == NULL) {
137 + ERR_print_errors(bio_err);
142 if (operation == SMIME_SIGN_RECEIPT) {
143 if ((signer = load_cert(signerfile, FORMAT_PEM,
144 "receipt signer certificate file")) == NULL) {
145 @@ -712,7 +737,8 @@ int cms_main(int argc, char **argv)
149 - if (operation == SMIME_DECRYPT) {
150 + if (operation == SMIME_DECRYPT ||
151 + operation == SMIME_ENCRYPT) {
154 } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) {
155 @@ -821,23 +847,31 @@ int cms_main(int argc, char **argv)
156 for (i = 0; i < sk_X509_num(encerts); i++) {
157 CMS_RecipientInfo *ri;
158 cms_key_param *kparam;
159 - int tflags = flags;
160 + int tflags = flags | CMS_KEY_PARAM; /* This flag enforces allocating the EVP_PKEY_CTX for the recipient here */
161 + EVP_PKEY_CTX *pctx;
162 X509 *x = sk_X509_value(encerts, i);
165 for (kparam = key_first; kparam; kparam = kparam->next) {
166 if (kparam->idx == i) {
167 - tflags |= CMS_KEY_PARAM;
171 - ri = CMS_add1_recipient_cert(cms, x, tflags);
172 + ri = CMS_add1_recipient(cms, x, key, originator, tflags);
176 + pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
177 if (kparam != NULL) {
178 - EVP_PKEY_CTX *pctx;
179 - pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
180 if (!cms_set_pkey_param(pctx, kparam->param))
184 + res = EVP_PKEY_CTX_ctrl(pctx, -1, -1,
185 + EVP_PKEY_CTRL_CIPHER, EVP_CIPHER_nid(cipher), NULL);
186 + if (res <= 0 && res != -2)
189 if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
191 EVP_CIPHER_CTX *wctx;
192 @@ -983,7 +1017,7 @@ int cms_main(int argc, char **argv)
196 - if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
197 + if (!CMS_decrypt_set1_pkey_and_peer(cms, key, recip, originator)) {
198 BIO_puts(bio_err, "Error decrypting CMS using private key\n");
201 @@ -1049,8 +1083,19 @@ int cms_main(int argc, char **argv)
206 - CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
208 + ASN1_PCTX *pctx = NULL;
209 + if (get_nameopt() != XN_FLAG_ONELINE) {
210 + pctx = ASN1_PCTX_new();
211 + if (pctx) { /* Print anyway if malloc failed */
212 + ASN1_PCTX_set_flags(pctx, ASN1_PCTX_FLAGS_SHOW_ABSENT);
213 + ASN1_PCTX_set_str_flags(pctx, get_nameopt());
214 + ASN1_PCTX_set_nm_flags(pctx, get_nameopt());
217 + CMS_ContentInfo_print_ctx(out, cms, 0, pctx);
218 + ASN1_PCTX_free(pctx);
220 } else if (outformat == FORMAT_SMIME) {
222 BIO_printf(out, "To: %s%s", to, mime_eol);
223 diff --git apps/s_cb.c apps/s_cb.c
224 index d066a423..23575ed1 100644
227 @@ -684,7 +684,7 @@ static STRINT_PAIR tlsext_types[] = {
231 -/* from rfc8446 4.2.3. + gost (https://tools.ietf.org/id/draft-smyshlyaev-tls12-gost-suites-04.html) */
232 +/* from rfc8446 4.2.3. + GOST (https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites-01) */
233 static STRINT_PAIR signature_tls13_scheme_list[] = {
234 {"rsa_pkcs1_sha1", 0x0201 /* TLSEXT_SIGALG_rsa_pkcs1_sha1 */},
235 {"ecdsa_sha1", 0x0203 /* TLSEXT_SIGALG_ecdsa_sha1 */},
236 @@ -696,6 +696,13 @@ static STRINT_PAIR signature_tls13_scheme_list[] = {
237 {"ecdsa_secp384r1_sha384", 0x0503 /* TLSEXT_SIGALG_ecdsa_secp384r1_sha384 */},
238 {"rsa_pkcs1_sha512", 0x0601 /* TLSEXT_SIGALG_rsa_pkcs1_sha512 */},
239 {"ecdsa_secp521r1_sha512", 0x0603 /* TLSEXT_SIGALG_ecdsa_secp521r1_sha512 */},
240 + {"gostr34102012_256a", 0x0709 /* TLSEXT_SIGALG_gostr34102012_256a */},
241 + {"gostr34102012_256b", 0x070A /* TLSEXT_SIGALG_gostr34102012_256b */},
242 + {"gostr34102012_256c", 0x070B /* TLSEXT_SIGALG_gostr34102012_256c */},
243 + {"gostr34102012_256d", 0x070C /* TLSEXT_SIGALG_gostr34102012_256d */},
244 + {"gostr34102012_512a", 0x070D /* TLSEXT_SIGALG_gostr34102012_512a */},
245 + {"gostr34102012_512b", 0x070E /* TLSEXT_SIGALG_gostr34102012_512b */},
246 + {"gostr34102012_512c", 0x070F /* TLSEXT_SIGALG_gostr34102012_512c */},
247 {"rsa_pss_rsae_sha256", 0x0804 /* TLSEXT_SIGALG_rsa_pss_rsae_sha256 */},
248 {"rsa_pss_rsae_sha384", 0x0805 /* TLSEXT_SIGALG_rsa_pss_rsae_sha384 */},
249 {"rsa_pss_rsae_sha512", 0x0806 /* TLSEXT_SIGALG_rsa_pss_rsae_sha512 */},
250 @@ -704,9 +711,6 @@ static STRINT_PAIR signature_tls13_scheme_list[] = {
251 {"rsa_pss_pss_sha256", 0x0809 /* TLSEXT_SIGALG_rsa_pss_pss_sha256 */},
252 {"rsa_pss_pss_sha384", 0x080a /* TLSEXT_SIGALG_rsa_pss_pss_sha384 */},
253 {"rsa_pss_pss_sha512", 0x080b /* TLSEXT_SIGALG_rsa_pss_pss_sha512 */},
254 - {"gostr34102001", 0xeded /* TLSEXT_SIGALG_gostr34102001_gostr3411 */},
255 - {"gostr34102012_256", 0xeeee /* TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 */},
256 - {"gostr34102012_512", 0xefef /* TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 */},
260 diff --git crypto/asn1/p8_pkey.c crypto/asn1/p8_pkey.c
261 index ab509b1a..e90b3022 100644
262 --- crypto/asn1/p8_pkey.c
263 +++ crypto/asn1/p8_pkey.c
264 @@ -78,3 +78,18 @@ int PKCS8_pkey_add1_attr_by_NID(PKCS8_PRIV_KEY_INFO *p8, int nid, int type,
269 +int PKCS8_pkey_add1_attr_by_OBJ(PKCS8_PRIV_KEY_INFO *p8, const ASN1_OBJECT *obj, int type,
270 + const unsigned char *bytes, int len)
272 + if (X509at_add1_attr_by_OBJ(&p8->attributes, obj, type, bytes, len) != NULL)
277 +int PKCS8_pkey_add1_attr(PKCS8_PRIV_KEY_INFO *p8, X509_ATTRIBUTE *attr)
279 + if (X509at_add1_attr(&p8->attributes, attr) != NULL)
283 diff --git crypto/cms/cms_env.c crypto/cms/cms_env.c
284 index 962a0137..249e4753 100644
285 --- crypto/cms/cms_env.c
286 +++ crypto/cms/cms_env.c
289 /* CMS EnvelopedData Utilities */
291 +static void cms_env_set_version(CMS_EnvelopedData *env);
293 CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms)
295 if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) {
296 @@ -121,6 +123,39 @@ CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher)
300 +int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain)
302 + CMS_EnvelopedData *env = NULL;
303 + EVP_CIPHER_CTX *ctx = NULL;
304 + BIO *mbio = BIO_find_type(chain, BIO_TYPE_CIPHER);
306 + env = cms_get0_enveloped(cms);
311 + CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, CMS_R_CONTENT_NOT_FOUND);
315 + BIO_get_cipher_ctx(mbio, &ctx);
318 + * If the selected cipher supports unprotected attributes,
319 + * deal with it using special ctrl function
321 + if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) {
322 + cms->d.envelopedData->unprotectedAttrs = sk_X509_ATTRIBUTE_new_null();
323 + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 1, env->unprotectedAttrs) <= 0) {
324 + CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, CMS_R_CTRL_FAILURE);
328 + cms_env_set_version(cms->d.envelopedData);
333 /* Key Transport Recipient Info (KTRI) routines */
335 /* Initialise a ktri based on passed certificate and key */
336 @@ -175,8 +210,8 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
337 * Add a recipient certificate using appropriate type of RecipientInfo
340 -CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
341 - X509 *recip, unsigned int flags)
342 +CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
343 + EVP_PKEY *originatorPrivKey, X509 * originator, unsigned int flags)
345 CMS_RecipientInfo *ri = NULL;
346 CMS_EnvelopedData *env;
347 @@ -192,7 +227,7 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
349 pk = X509_get0_pubkey(recip);
351 - CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, CMS_R_ERROR_GETTING_PUBLIC_KEY);
352 + CMSerr(CMS_F_CMS_ADD1_RECIPIENT, CMS_R_ERROR_GETTING_PUBLIC_KEY);
356 @@ -204,12 +239,12 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
359 case CMS_RECIPINFO_AGREE:
360 - if (!cms_RecipientInfo_kari_init(ri, recip, pk, flags))
361 + if (!cms_RecipientInfo_kari_init(ri, recip, pk, originator, originatorPrivKey, flags))
366 - CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT,
367 + CMSerr(CMS_F_CMS_ADD1_RECIPIENT,
368 CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
371 @@ -221,13 +256,19 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
375 - CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, ERR_R_MALLOC_FAILURE);
376 + CMSerr(CMS_F_CMS_ADD1_RECIPIENT, ERR_R_MALLOC_FAILURE);
378 M_ASN1_free_of(ri, CMS_RecipientInfo);
383 +CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
384 + X509 *recip, unsigned int flags)
386 + return CMS_add1_recipient(cms, recip, NULL, NULL, flags);
389 int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
390 EVP_PKEY **pk, X509 **recip,
392 @@ -857,50 +898,88 @@ static void cms_env_set_version(CMS_EnvelopedData *env)
396 -BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
397 +static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms)
399 - CMS_EncryptedContentInfo *ec;
400 - STACK_OF(CMS_RecipientInfo) *rinfos;
401 - CMS_RecipientInfo *ri;
404 + CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo;
405 + BIO *contentBio = cms_EncryptedContent_init_bio(ec);
406 + EVP_CIPHER_CTX *ctx = NULL;
408 - /* Get BIO first to set up key */
412 - ec = cms->d.envelopedData->encryptedContentInfo;
413 - ret = cms_EncryptedContent_init_bio(ec);
414 + BIO_get_cipher_ctx(contentBio, &ctx);
416 + BIO_free(contentBio);
420 + * If the selected cipher supports unprotected attributes,
421 + * deal with it using special ctrl function
423 + if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC &&
424 + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 0, cms->d.envelopedData->unprotectedAttrs) <= 0) {
425 + BIO_free(contentBio);
431 - /* If error or no cipher end of processing */
432 +static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms)
434 + CMS_EncryptedContentInfo *ec;
435 + STACK_OF(CMS_RecipientInfo) *rinfos;
436 + CMS_RecipientInfo *ri;
440 - if (!ret || !ec->cipher)
442 + /* Get BIO first to set up key */
444 - /* Now encrypt content key according to each RecipientInfo type */
445 + ec = cms->d.envelopedData->encryptedContentInfo;
446 + ret = cms_EncryptedContent_init_bio(ec);
448 - rinfos = cms->d.envelopedData->recipientInfos;
449 + /* If error or no cipher end of processing */
451 - for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
452 - ri = sk_CMS_RecipientInfo_value(rinfos, i);
453 - if (CMS_RecipientInfo_encrypt(cms, ri) <= 0) {
454 - CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO,
455 - CMS_R_ERROR_SETTING_RECIPIENTINFO);
459 - cms_env_set_version(cms->d.envelopedData);
464 + /* Now encrypt content key according to each RecipientInfo type */
468 - OPENSSL_clear_free(ec->key, ec->keylen);
475 + rinfos = cms->d.envelopedData->recipientInfos;
477 + for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
478 + ri = sk_CMS_RecipientInfo_value(rinfos, i);
479 + if (CMS_RecipientInfo_encrypt(cms, ri) <= 0) {
480 + CMSerr(CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO,
481 + CMS_R_ERROR_SETTING_RECIPIENTINFO);
485 + cms_env_set_version(cms->d.envelopedData); /* FIXME move lower? */
491 + OPENSSL_clear_free(ec->key, ec->keylen);
501 +BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
503 + if (cms->d.envelopedData->encryptedContentInfo->cipher)
505 + /* If cipher is set it's encrypting */
506 + return cms_EnvelopedData_Encryption_init_bio(cms);
509 + /* If cipher is not set it's decrypting */
510 + return cms_EnvelopedData_Decryption_init_bio(cms);
514 @@ -918,3 +997,25 @@ int cms_pkey_get_ri_type(EVP_PKEY *pk)
516 return CMS_RECIPINFO_TRANS;
519 +int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type)
521 + if (pk->ameth && pk->ameth->pkey_ctrl)
524 + i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED, ri_type, &r);
529 + /* if ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED not supported */
531 + int supportedRiType = cms_pkey_get_ri_type(pk);
533 + if (supportedRiType < 0)
538 + return (supportedRiType == ri_type);
540 diff --git crypto/cms/cms_err.c crypto/cms/cms_err.c
541 index a211f495..6bc8a3af 100644
542 --- crypto/cms/cms_err.c
543 +++ crypto/cms/cms_err.c
544 @@ -22,6 +22,7 @@ static const ERR_STRING_DATA CMS_str_functs[] = {
545 "CMS_add0_recipient_password"},
546 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECEIPTREQUEST, 0),
547 "CMS_add1_ReceiptRequest"},
548 + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECIPIENT, 0), "CMS_add1_recipient"},
549 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECIPIENT_CERT, 0),
550 "CMS_add1_recipient_cert"},
551 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNER, 0), "CMS_add1_signer"},
552 @@ -45,6 +46,8 @@ static const ERR_STRING_DATA CMS_str_functs[] = {
553 "CMS_decrypt_set1_password"},
554 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DECRYPT_SET1_PKEY, 0),
555 "CMS_decrypt_set1_pkey"},
556 + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, 0),
557 + "CMS_decrypt_set1_pkey_and_peer"},
558 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DIGESTALGORITHM_FIND_CTX, 0),
559 "cms_DigestAlgorithm_find_ctx"},
560 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DIGESTALGORITHM_INIT_BIO, 0),
561 @@ -66,6 +69,12 @@ static const ERR_STRING_DATA CMS_str_functs[] = {
562 "CMS_EncryptedData_set1_key"},
563 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_CREATE, 0),
564 "CMS_EnvelopedData_create"},
565 + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO, 0),
566 + "cms_EnvelopedData_Decryption_init_bio"},
567 + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO, 0),
568 + "cms_EnvelopedData_Encryption_init_bio"},
569 + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_FINAL, 0),
570 + "cms_EnvelopedData_final"},
571 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_INIT_BIO, 0),
572 "cms_EnvelopedData_init_bio"},
573 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPED_DATA_INIT, 0),
574 diff --git crypto/cms/cms_kari.c crypto/cms/cms_kari.c
575 index cafc3040..eb11e428 100644
576 --- crypto/cms/cms_kari.c
577 +++ crypto/cms/cms_kari.c
578 @@ -152,7 +152,7 @@ int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
582 -int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
583 +int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *pk, X509 *peer)
586 CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;
587 @@ -164,6 +164,16 @@ int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
588 pctx = EVP_PKEY_CTX_new(pk, NULL);
589 if (!pctx || EVP_PKEY_derive_init(pctx) <= 0)
594 + EVP_PKEY *pub_pkey = X509_get0_pubkey(peer);
595 + if (0 >= EVP_PKEY_derive_set_peer(pctx, pub_pkey))
604 @@ -171,6 +181,11 @@ int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
608 +int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
610 + return CMS_RecipientInfo_kari_set0_pkey_and_peer(ri, pk, NULL);
613 EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri)
615 if (ri->type == CMS_RECIPINFO_AGREE)
616 @@ -282,10 +297,27 @@ static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
620 +/* Set originator private key and initialise context based on it */
621 +static int cms_kari_set_originator_private_key(CMS_KeyAgreeRecipientInfo *kari, EVP_PKEY *originatorPrivKey )
623 + EVP_PKEY_CTX *pctx = NULL;
625 + pctx = EVP_PKEY_CTX_new(originatorPrivKey, NULL);
628 + if (EVP_PKEY_derive_init(pctx) <= 0)
634 + EVP_PKEY_CTX_free(pctx);
638 /* Initialise a kari based on passed certificate and key */
640 -int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
641 - EVP_PKEY *pk, unsigned int flags)
642 +int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *recipPubKey, X509 * originator, EVP_PKEY *originatorPrivKey, unsigned int flags)
644 CMS_KeyAgreeRecipientInfo *kari;
645 CMS_RecipientEncryptedKey *rek = NULL;
646 @@ -320,12 +352,45 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
650 - /* Create ephemeral key */
651 - if (!cms_kari_create_ephemeral_key(kari, pk))
653 + if (!originatorPrivKey && !originator)
655 + /* Create ephemeral key */
656 + if (!cms_kari_create_ephemeral_key(kari, recipPubKey))
661 + /* Use originator key */
662 + CMS_OriginatorIdentifierOrKey *oik = ri->d.kari->originator;
664 + if (!originatorPrivKey && !originator)
669 + if (flags & CMS_USE_ORIGINATOR_KEYID) {
670 + /* kari->originator->issuerAndSerialNumber */
671 + oik->type = CMS_OIK_KEYIDENTIFIER;
672 + oik->d.subjectKeyIdentifier = ASN1_OCTET_STRING_new();
673 + if (oik->d.subjectKeyIdentifier == NULL)
675 + if (!cms_set1_keyid(&oik->d.subjectKeyIdentifier, originator))
679 + oik->type = CMS_REK_ISSUER_SERIAL;
680 + if (!cms_set1_ias(&oik->d.issuerAndSerialNumber, originator))
684 + if (!cms_kari_set_originator_private_key(kari, originatorPrivKey))
690 - EVP_PKEY_up_ref(pk);
692 + EVP_PKEY_up_ref(recipPubKey);
693 + rek->pkey = recipPubKey;
697 @@ -335,14 +400,35 @@ static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
698 EVP_CIPHER_CTX *ctx = kari->ctx;
699 const EVP_CIPHER *kekcipher;
700 int keylen = EVP_CIPHER_key_length(cipher);
702 /* If a suitable wrap algorithm is already set nothing to do */
703 kekcipher = EVP_CIPHER_CTX_cipher(ctx);
706 - if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
711 + if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
715 + /* Here the Infotecs patch begins */
716 + else if (cipher && (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_GET_WRAP_CIPHER))
718 + ret = EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER, 0, &kekcipher);
726 + if (EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
729 + return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
732 + /* Here the Infotecs patch ends */
735 * Pick a cipher based on content encryption cipher. If it is DES3 use
736 * DES3 wrap otherwise use AES wrap similar to key size.
737 diff --git crypto/cms/cms_lib.c crypto/cms/cms_lib.c
738 index be4c2c70..8cce75ea 100644
739 --- crypto/cms/cms_lib.c
740 +++ crypto/cms/cms_lib.c
741 @@ -131,12 +131,14 @@ int CMS_dataFinal(CMS_ContentInfo *cms, BIO *cmsbio)
742 switch (OBJ_obj2nid(cms->contentType)) {
745 - case NID_pkcs7_enveloped:
746 case NID_pkcs7_encrypted:
747 case NID_id_smime_ct_compressedData:
751 + case NID_pkcs7_enveloped:
752 + return cms_EnvelopedData_final(cms, cmsbio);
754 case NID_pkcs7_signed:
755 return cms_SignedData_final(cms, cmsbio);
757 diff --git crypto/cms/cms_local.h crypto/cms/cms_local.h
758 index a0ce4448..27261b77 100644
759 --- crypto/cms/cms_local.h
760 +++ crypto/cms/cms_local.h
761 @@ -403,12 +403,13 @@ int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src);
762 ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si);
764 BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
765 +int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain);
766 CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms);
767 int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd);
768 int cms_pkey_get_ri_type(EVP_PKEY *pk);
769 +int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type);
771 -int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
772 - EVP_PKEY *pk, unsigned int flags);
773 +int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *recipPubKey, X509 * originator, EVP_PKEY *originatorPrivKey, unsigned int flags);
774 int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
775 CMS_RecipientInfo *ri);
777 diff --git crypto/cms/cms_smime.c crypto/cms/cms_smime.c
778 index 6e7dbc4d..b7d457d3 100644
779 --- crypto/cms/cms_smime.c
780 +++ crypto/cms/cms_smime.c
781 @@ -576,8 +576,8 @@ CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *data,
785 -static int cms_kari_set1_pkey(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
786 - EVP_PKEY *pk, X509 *cert)
787 +static int cms_kari_set1_pkey_and_peer(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
788 + EVP_PKEY *pk, X509 *cert, X509 *peer)
791 STACK_OF(CMS_RecipientEncryptedKey) *reks;
792 @@ -588,7 +588,7 @@ static int cms_kari_set1_pkey(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
793 rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
794 if (cert != NULL && CMS_RecipientEncryptedKey_cert_cmp(rek, cert))
796 - CMS_RecipientInfo_kari_set0_pkey(ri, pk);
797 + CMS_RecipientInfo_kari_set0_pkey_and_peer(ri, pk, peer);
798 rv = CMS_RecipientInfo_kari_decrypt(cms, ri, rek);
799 CMS_RecipientInfo_kari_set0_pkey(ri, NULL);
801 @@ -599,28 +599,36 @@ static int cms_kari_set1_pkey(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
804 int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
806 + return CMS_decrypt_set1_pkey_and_peer(cms, pk, cert, NULL);
809 +int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer)
811 STACK_OF(CMS_RecipientInfo) *ris;
812 CMS_RecipientInfo *ri;
814 + int i, r, cms_pkey_ri_type;
815 int debug = 0, match_ri = 0;
816 ris = CMS_get0_RecipientInfos(cms);
818 debug = cms->d.envelopedData->encryptedContentInfo->debug;
819 - ri_type = cms_pkey_get_ri_type(pk);
820 - if (ri_type == CMS_RECIPINFO_NONE) {
821 - CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY,
822 - CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
825 + cms_pkey_ri_type = cms_pkey_get_ri_type(pk);
826 + if (cms_pkey_ri_type == CMS_RECIPINFO_NONE) {
827 + CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER,
828 + CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
832 for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
834 ri = sk_CMS_RecipientInfo_value(ris, i);
835 - if (CMS_RecipientInfo_type(ri) != ri_type)
837 + ri_type = CMS_RecipientInfo_type(ri);
838 +/* if (!cms_pkey_is_ri_type_supported(pk, ri_type))
841 if (ri_type == CMS_RECIPINFO_AGREE) {
842 - r = cms_kari_set1_pkey(cms, ri, pk, cert);
843 + r = cms_kari_set1_pkey_and_peer(cms, ri, pk, cert, peer);
847 @@ -640,13 +648,13 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
848 * If not debugging clear any error and return success to
849 * avoid leaking of information useful to MMA
852 + if (!debug && cms_pkey_ri_type == CMS_RECIPINFO_TRANS) {
858 - CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_DECRYPT_ERROR);
859 + CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, CMS_R_DECRYPT_ERROR);
863 @@ -654,17 +662,17 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
864 * successful decrypt. Always attempt to decrypt all recipients
865 * to avoid leaking timing of a successful decrypt.
867 - else if (r > 0 && debug)
868 + else if (r > 0 && (debug || cms_pkey_ri_type != CMS_RECIPINFO_TRANS))
872 /* If no cert, key transport and not debugging always return success */
873 - if (cert == NULL && ri_type == CMS_RECIPINFO_TRANS && match_ri && !debug) {
874 + if (cert == NULL && cms_pkey_ri_type == CMS_RECIPINFO_TRANS && match_ri && !debug) {
879 - CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_NO_MATCHING_RECIPIENT);
880 + CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, CMS_R_NO_MATCHING_RECIPIENT);
884 diff --git crypto/err/openssl.txt crypto/err/openssl.txt
885 index 902e97b8..7fef6807 100644
886 --- crypto/err/openssl.txt
887 +++ crypto/err/openssl.txt
888 @@ -240,6 +240,7 @@ CMS_F_CMS_ADD0_CERT:164:CMS_add0_cert
889 CMS_F_CMS_ADD0_RECIPIENT_KEY:100:CMS_add0_recipient_key
890 CMS_F_CMS_ADD0_RECIPIENT_PASSWORD:165:CMS_add0_recipient_password
891 CMS_F_CMS_ADD1_RECEIPTREQUEST:158:CMS_add1_ReceiptRequest
892 +CMS_F_CMS_ADD1_RECIPIENT:181:CMS_add1_recipient
893 CMS_F_CMS_ADD1_RECIPIENT_CERT:101:CMS_add1_recipient_cert
894 CMS_F_CMS_ADD1_SIGNER:102:CMS_add1_signer
895 CMS_F_CMS_ADD1_SIGNINGTIME:103:cms_add1_signingTime
896 @@ -255,6 +256,7 @@ CMS_F_CMS_DECRYPT:112:CMS_decrypt
897 CMS_F_CMS_DECRYPT_SET1_KEY:113:CMS_decrypt_set1_key
898 CMS_F_CMS_DECRYPT_SET1_PASSWORD:166:CMS_decrypt_set1_password
899 CMS_F_CMS_DECRYPT_SET1_PKEY:114:CMS_decrypt_set1_pkey
900 +CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER:182:CMS_decrypt_set1_pkey_and_peer
901 CMS_F_CMS_DIGESTALGORITHM_FIND_CTX:115:cms_DigestAlgorithm_find_ctx
902 CMS_F_CMS_DIGESTALGORITHM_INIT_BIO:116:cms_DigestAlgorithm_init_bio
903 CMS_F_CMS_DIGESTEDDATA_DO_FINAL:117:cms_DigestedData_do_final
904 @@ -267,6 +269,11 @@ CMS_F_CMS_ENCRYPTEDDATA_DECRYPT:121:CMS_EncryptedData_decrypt
905 CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT:122:CMS_EncryptedData_encrypt
906 CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY:123:CMS_EncryptedData_set1_key
907 CMS_F_CMS_ENVELOPEDDATA_CREATE:124:CMS_EnvelopedData_create
908 +CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO:184:\
909 + cms_EnvelopedData_Decryption_init_bio
910 +CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO:185:\
911 + cms_EnvelopedData_Encryption_init_bio
912 +CMS_F_CMS_ENVELOPEDDATA_FINAL:186:cms_EnvelopedData_final
913 CMS_F_CMS_ENVELOPEDDATA_INIT_BIO:125:cms_EnvelopedData_init_bio
914 CMS_F_CMS_ENVELOPED_DATA_INIT:126:cms_enveloped_data_init
915 CMS_F_CMS_ENV_ASN1_CTRL:171:cms_env_asn1_ctrl
916 @@ -1184,7 +1191,7 @@ SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE:431:*
917 SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE:601:\
918 ossl_statem_server_post_process_message
919 SSL_F_OSSL_STATEM_SERVER_POST_WORK:602:ossl_statem_server_post_work
920 -SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:
921 +SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:ossl_statem_server_pre_work
922 SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE:603:ossl_statem_server_process_message
923 SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION:418:ossl_statem_server_read_transition
924 SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION:604:\
925 @@ -1399,6 +1406,7 @@ SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC:427:tls_construct_change_cipher_spec
926 SSL_F_TLS_CONSTRUCT_CKE_DHE:404:tls_construct_cke_dhe
927 SSL_F_TLS_CONSTRUCT_CKE_ECDHE:405:tls_construct_cke_ecdhe
928 SSL_F_TLS_CONSTRUCT_CKE_GOST:406:tls_construct_cke_gost
929 +SSL_F_TLS_CONSTRUCT_CKE_GOST18:642:tls_construct_cke_gost18
930 SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE:407:tls_construct_cke_psk_preamble
931 SSL_F_TLS_CONSTRUCT_CKE_RSA:409:tls_construct_cke_rsa
932 SSL_F_TLS_CONSTRUCT_CKE_SRP:410:tls_construct_cke_srp
933 @@ -1530,6 +1538,7 @@ SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC:363:tls_process_change_cipher_spec
934 SSL_F_TLS_PROCESS_CKE_DHE:411:tls_process_cke_dhe
935 SSL_F_TLS_PROCESS_CKE_ECDHE:412:tls_process_cke_ecdhe
936 SSL_F_TLS_PROCESS_CKE_GOST:413:tls_process_cke_gost
937 +SSL_F_TLS_PROCESS_CKE_GOST18:641:tls_process_cke_gost18
938 SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE:414:tls_process_cke_psk_preamble
939 SSL_F_TLS_PROCESS_CKE_RSA:415:tls_process_cke_rsa
940 SSL_F_TLS_PROCESS_CKE_SRP:416:tls_process_cke_srp
941 @@ -1652,6 +1661,7 @@ X509V3_F_GNAMES_FROM_SECTNAME:156:gnames_from_sectname
942 X509V3_F_I2S_ASN1_ENUMERATED:121:i2s_ASN1_ENUMERATED
943 X509V3_F_I2S_ASN1_IA5STRING:149:i2s_ASN1_IA5STRING
944 X509V3_F_I2S_ASN1_INTEGER:120:i2s_ASN1_INTEGER
945 +X509V3_F_I2S_ASN1_UTF8STRING:175:i2s_ASN1_UTF8STRING
946 X509V3_F_I2V_AUTHORITY_INFO_ACCESS:138:i2v_AUTHORITY_INFO_ACCESS
947 X509V3_F_I2V_AUTHORITY_KEYID:173:i2v_AUTHORITY_KEYID
948 X509V3_F_LEVEL_ADD_NODE:168:level_add_node
949 @@ -1667,6 +1677,7 @@ X509V3_F_R2I_PCI:155:r2i_pci
950 X509V3_F_S2I_ASN1_IA5STRING:100:s2i_ASN1_IA5STRING
951 X509V3_F_S2I_ASN1_INTEGER:108:s2i_ASN1_INTEGER
952 X509V3_F_S2I_ASN1_OCTET_STRING:112:s2i_ASN1_OCTET_STRING
953 +X509V3_F_S2I_ASN1_UTF8STRING:176:s2i_ASN1_UTF8STRING
954 X509V3_F_S2I_SKEY_ID:115:s2i_skey_id
955 X509V3_F_SET_DIST_POINT_NAME:158:set_dist_point_name
956 X509V3_F_SXNET_ADD_ID_ASC:125:SXNET_add_id_asc
957 diff --git crypto/objects/objects.txt crypto/objects/objects.txt
958 index c49d4c56..00444c40 100644
959 --- crypto/objects/objects.txt
960 +++ crypto/objects/objects.txt
961 @@ -1321,6 +1321,14 @@ cryptocom 1 8 1 : id-GostR3410-2001-ParamSet-cc : GOST R 3410-2001 Parameter Se
965 +id-tc26 0 : id-tc26-modules: GOST TC26 ASN.1 modules
967 +id-tc26-modules 6 : id-tc26-cms: GOST TC26 SMS
969 +id-tc26-cms 1 : id-tc26-cms-attrs: GOST TC26 SMS attributes
971 +id-tc26-cms-attrs 1 : id-tc26-mac-attr: GOST TC26 SMS content-mac attribute
973 id-tc26 1 : id-tc26-algorithms
974 id-tc26-algorithms 1 : id-tc26-sign
975 !Cname id-GostR3410-2012-256
976 @@ -1344,11 +1352,11 @@ id-tc26-mac 2 : id-tc26-hmac-gost-3411-2012-512 : HMAC GOST 34.11-2012 512 bit
978 id-tc26-algorithms 5 : id-tc26-cipher
979 id-tc26-cipher 1 : id-tc26-cipher-gostr3412-2015-magma
980 -id-tc26-cipher-gostr3412-2015-magma 1 : id-tc26-cipher-gostr3412-2015-magma-ctracpkm
981 -id-tc26-cipher-gostr3412-2015-magma 2 : id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac
982 +id-tc26-cipher-gostr3412-2015-magma 1 : magma-ctr-acpkm
983 +id-tc26-cipher-gostr3412-2015-magma 2 : magma-ctr-acpkm-omac
984 id-tc26-cipher 2 : id-tc26-cipher-gostr3412-2015-kuznyechik
985 -id-tc26-cipher-gostr3412-2015-kuznyechik 1 : id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm
986 -id-tc26-cipher-gostr3412-2015-kuznyechik 2 : id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac
987 +id-tc26-cipher-gostr3412-2015-kuznyechik 1 : kuznyechik-ctr-acpkm
988 +id-tc26-cipher-gostr3412-2015-kuznyechik 2 : kuznyechik-ctr-acpkm-omac
990 id-tc26-algorithms 6 : id-tc26-agreement
991 id-tc26-agreement 1 : id-tc26-agreement-gost-3410-2012-256
992 @@ -1356,9 +1364,9 @@ id-tc26-agreement 2 : id-tc26-agreement-gost-3410-2012-512
994 id-tc26-algorithms 7 : id-tc26-wrap
995 id-tc26-wrap 1 : id-tc26-wrap-gostr3412-2015-magma
996 -id-tc26-wrap-gostr3412-2015-magma 1 : id-tc26-wrap-gostr3412-2015-magma-kexp15
997 +id-tc26-wrap-gostr3412-2015-magma 1 : magma-kexp15
998 id-tc26-wrap 2 : id-tc26-wrap-gostr3412-2015-kuznyechik
999 -id-tc26-wrap-gostr3412-2015-kuznyechik 1 : id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15
1000 +id-tc26-wrap-gostr3412-2015-kuznyechik 1 : kuznyechik-kexp15
1002 id-tc26 2 : id-tc26-constants
1004 @@ -1382,16 +1390,25 @@ id-tc26-gost-28147-constants 1 : id-tc26-gost-28147-param-Z : GOST 28147-89 TC26
1005 member-body 643 3 131 1 1 : INN : INN
1006 member-body 643 100 1 : OGRN : OGRN
1007 member-body 643 100 3 : SNILS : SNILS
1008 +member-body 643 100 5 : OGRNIP : OGRNIP
1009 member-body 643 100 111 : subjectSignTool : Signing Tool of Subject
1010 member-body 643 100 112 : issuerSignTool : Signing Tool of Issuer
1011 +member-body 643 100 113 : classSignTool : Class of Signing Tool
1012 +member-body 643 100 113 1 : classSignToolKC1 : Class of Signing Tool KC1
1013 +member-body 643 100 113 2 : classSignToolKC2 : Class of Signing Tool KC2
1014 +member-body 643 100 113 3 : classSignToolKC3 : Class of Signing Tool KC3
1015 +member-body 643 100 113 4 : classSignToolKB1 : Class of Signing Tool KB1
1016 +member-body 643 100 113 5 : classSignToolKB2 : Class of Signing Tool KB2
1017 +member-body 643 100 113 6 : classSignToolKA1 : Class of Signing Tool KA1
1019 #GOST R34.13-2015 Grasshopper "Kuznechik"
1034 #GOST R34.13-2015 Magma
1036 @@ -1400,6 +1417,7 @@ member-body 643 100 112 : issuerSignTool : Signing Tool of Issuer
1042 # Definitions for Camellia cipher - CBC MODE
1044 diff --git crypto/x509v3/build.info crypto/x509v3/build.info
1045 index 4ab64884..322a1212 100644
1046 --- crypto/x509v3/build.info
1047 +++ crypto/x509v3/build.info
1048 @@ -5,4 +5,4 @@ SOURCE[../../libcrypto]=\
1049 v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
1050 v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
1051 pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
1052 - v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c
1053 + v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_rus.c
1054 diff --git crypto/x509v3/ext_dat.h crypto/x509v3/ext_dat.h
1055 index 762e264b..022816e2 100644
1056 --- crypto/x509v3/ext_dat.h
1057 +++ crypto/x509v3/ext_dat.h
1058 @@ -21,5 +21,6 @@ extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
1059 extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
1060 extern const X509V3_EXT_METHOD v3_addr, v3_asid;
1061 extern const X509V3_EXT_METHOD v3_ct_scts[3];
1062 +extern const X509V3_EXT_METHOD v3_subject_sign_tool, v3_issuer_sign_tool;
1063 extern const X509V3_EXT_METHOD v3_tls_feature;
1064 extern const X509V3_EXT_METHOD v3_ext_admission;
1065 diff --git crypto/x509v3/standard_exts.h crypto/x509v3/standard_exts.h
1066 index 944f4de0..536b3d25 100644
1067 --- crypto/x509v3/standard_exts.h
1068 +++ crypto/x509v3/standard_exts.h
1069 @@ -68,6 +68,8 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
1073 + &v3_subject_sign_tool,
1074 + &v3_issuer_sign_tool,
1078 diff --git crypto/x509v3/v3_alt.c crypto/x509v3/v3_alt.c
1079 index 7c32d403..91846eb3 100644
1080 --- crypto/x509v3/v3_alt.c
1081 +++ crypto/x509v3/v3_alt.c
1082 @@ -25,26 +25,59 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
1083 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
1084 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
1086 +static int i2r_GENERAL_NAMES(X509V3_EXT_METHOD *method,
1087 + GENERAL_NAMES *gens, BIO *out,
1090 +static int GENERAL_NAME_oneline_ex(char *name, GENERAL_NAME *gen, int len)
1096 + mem = BIO_new(BIO_s_mem());
1100 + switch (gen->type) {
1102 + X509_NAME_print_ex(mem, gen->d.dirn, 0, XN_FLAG_SEP_COMMA_PLUS | ASN1_STRFLGS_UTF8_CONVERT);
1106 + BIO_get_mem_ptr(mem, &bptr);
1107 + i = BIO_set_close(mem, BIO_NOCLOSE);
1112 + if(bptr->length < len)
1113 + strncpy(name, bptr->data, bptr->length);
1115 + strncpy(name, bptr->data, len);
1119 const X509V3_EXT_METHOD v3_alt[3] = {
1120 {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
1123 - (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
1124 + NULL, /* (X509V3_EXT_I2V) i2v_GENERAL_NAMES, */
1125 (X509V3_EXT_V2I)v2i_subject_alt,
1126 - NULL, NULL, NULL},
1127 + (X509V3_EXT_I2R)i2r_GENERAL_NAMES, NULL, NULL},
1129 {NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
1132 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
1133 (X509V3_EXT_V2I)v2i_issuer_alt,
1134 - NULL, NULL, NULL},
1135 + (X509V3_EXT_I2R)i2r_GENERAL_NAMES/*NULL*/, NULL, NULL},
1137 {NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
1140 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
1141 - NULL, NULL, NULL, NULL},
1142 + NULL, (X509V3_EXT_I2R)i2r_GENERAL_NAMES/*NULL*/, NULL, NULL},
1145 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
1146 @@ -80,7 +113,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
1147 STACK_OF(CONF_VALUE) *ret)
1150 - char oline[256], htmp[5];
1151 + char oline[1024], htmp[5];
1154 switch (gen->type) {
1155 @@ -118,7 +151,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
1159 - if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) == NULL
1160 + if (GENERAL_NAME_oneline_ex(oline, gen, sizeof(oline)) <= 0
1161 || !X509V3_add_value("DirName", oline, &ret))
1164 @@ -155,6 +188,96 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
1169 +int i2r_GENERAL_NAME(X509V3_EXT_METHOD *method,
1170 + GENERAL_NAME *gen, BIO *out,
1174 + char oline[256], htmp[5];
1176 + BIO_printf(out, "%*s", indent, "");
1177 + switch (gen->type) {
1178 + case GEN_OTHERNAME:
1179 + BIO_write(out, "othername: <unsupported>", 24);
1183 + BIO_write(out, "X400Name: <unsupported>", 24);
1186 + case GEN_EDIPARTY:
1187 + BIO_write(out, "EdiPartyName: <unsupported>", 28);
1191 + BIO_write(out, "email: ", 7);
1192 + BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
1196 + BIO_write(out, "DNS: ", 5);
1197 + BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
1201 + BIO_write(out, "URI: ", 5);
1202 + BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
1206 + BIO_write(out, "DirName: ", 9);
1207 + X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_SEP_COMMA_PLUS|ASN1_STRFLGS_UTF8_CONVERT);
1211 + p = gen->d.ip->data;
1212 + if (gen->d.ip->length == 4)
1213 + BIO_snprintf(oline, sizeof oline,
1214 + "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
1215 + else if (gen->d.ip->length == 16) {
1217 + for (i = 0; i < 8; i++) {
1218 + BIO_snprintf(htmp, sizeof htmp, "%X", p[0] << 8 | p[1]);
1220 + strcat(oline, htmp);
1222 + strcat(oline, ":");
1225 + BIO_write(out, "IP Address: <invalid>", 22);
1228 + BIO_write(out, "IP Address: ", 12);
1229 + BIO_write(out, oline, strlen(oline));
1233 + i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
1234 + BIO_write(out, "Registered ID: ", 15);
1235 + BIO_write(out, oline, strlen(oline));
1238 + BIO_write(out, "\n", 1);
1242 +int i2r_GENERAL_NAMES(X509V3_EXT_METHOD *method,
1243 + GENERAL_NAMES *gens, BIO *out,
1247 + GENERAL_NAME *gen;
1248 + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1249 + gen = sk_GENERAL_NAME_value(gens, i);
1250 + if (!i2r_GENERAL_NAME(method, gen, out, indent))
1258 int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
1261 diff --git crypto/x509v3/v3_rus.c crypto/x509v3/v3_rus.c
1262 new file mode 100644
1263 index 00000000..415c9165
1265 +++ crypto/x509v3/v3_rus.c
1269 + * Written by Dmitry Belyavskiy for the OpenSSL project
1272 +/* ====================================================================
1273 + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
1275 + * Redistribution and use in source and binary forms, with or without
1276 + * modification, are permitted provided that the following conditions
1279 + * 1. Redistributions of source code must retain the above copyright
1280 + * notice, this list of conditions and the following disclaimer.
1282 + * 2. Redistributions in binary form must reproduce the above copyright
1283 + * notice, this list of conditions and the following disclaimer in
1284 + * the documentation and/or other materials provided with the
1287 + * 3. All advertising materials mentioning features or use of this
1288 + * software must display the following acknowledgment:
1289 + * "This product includes software developed by the OpenSSL Project
1290 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
1292 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1293 + * endorse or promote products derived from this software without
1294 + * prior written permission. For written permission, please contact
1295 + * licensing@OpenSSL.org.
1297 + * 5. Products derived from this software may not be called "OpenSSL"
1298 + * nor may "OpenSSL" appear in their names without prior written
1299 + * permission of the OpenSSL Project.
1301 + * 6. Redistributions of any form whatsoever must retain the following
1303 + * "This product includes software developed by the OpenSSL Project
1304 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
1306 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1307 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1308 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1309 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1310 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1311 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1312 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1313 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1314 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1315 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1316 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1317 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1318 + * ====================================================================
1320 + * This product includes cryptographic software written by Eric Young
1321 + * (eay@cryptsoft.com). This product includes software written by Tim
1322 + * Hudson (tjh@cryptsoft.com).
1327 +#include <string.h>
1328 +#include <openssl/asn1t.h>
1329 +#include <openssl/err.h>
1330 +#include <openssl/x509v3.h>
1332 +static char *i2s_ASN1_UTF8STRING(const X509V3_EXT_METHOD *method,
1333 + ASN1_UTF8STRING *utf8str)
1336 + if (!utf8str || !utf8str->length)
1338 + if (!(tmp = OPENSSL_malloc(utf8str->length + 1))) {
1339 + X509V3err(X509V3_F_I2S_ASN1_UTF8STRING, ERR_R_MALLOC_FAILURE);
1342 + memcpy(tmp, utf8str->data, utf8str->length);
1343 + tmp[utf8str->length] = 0;
1347 +static ASN1_UTF8STRING *s2i_ASN1_UTF8STRING(X509V3_EXT_METHOD *method,
1348 + X509V3_CTX *ctx, char *str)
1350 + ASN1_UTF8STRING *utf8str;
1352 + X509V3err(X509V3_F_S2I_ASN1_UTF8STRING,
1353 + X509V3_R_INVALID_NULL_ARGUMENT);
1356 + if (!(utf8str = ASN1_STRING_type_new(V_ASN1_UTF8STRING)))
1358 + if (!ASN1_STRING_set((ASN1_STRING *)utf8str, (unsigned char *)str,
1360 + ASN1_STRING_free(utf8str);
1363 +#ifdef CHARSET_EBCDIC
1364 + ebcdic2ascii(utf8str->data, utf8str->data, utf8str->length);
1365 +#endif /* CHARSET_EBCDIC */
1368 + X509V3err(X509V3_F_S2I_ASN1_UTF8STRING, ERR_R_MALLOC_FAILURE);
1372 +const X509V3_EXT_METHOD v3_subject_sign_tool = {
1373 + NID_subjectSignTool, 0, ASN1_ITEM_ref(ASN1_UTF8STRING),
1375 + (X509V3_EXT_I2S)i2s_ASN1_UTF8STRING,
1376 + (X509V3_EXT_S2I)s2i_ASN1_UTF8STRING,
1380 +typedef struct ISSUER_SIGN_TOOL_st {
1381 + ASN1_UTF8STRING *signTool;
1382 + ASN1_UTF8STRING *cATool;
1383 + ASN1_UTF8STRING *signToolCert;
1384 + ASN1_UTF8STRING *cAToolCert;
1385 +} ISSUER_SIGN_TOOL;
1387 +ASN1_SEQUENCE(ISSUER_SIGN_TOOL) = {
1388 + ASN1_SIMPLE(ISSUER_SIGN_TOOL, signTool, ASN1_UTF8STRING),
1389 + ASN1_SIMPLE(ISSUER_SIGN_TOOL, cATool, ASN1_UTF8STRING),
1390 + ASN1_SIMPLE(ISSUER_SIGN_TOOL, signToolCert, ASN1_UTF8STRING),
1391 + ASN1_SIMPLE(ISSUER_SIGN_TOOL, cAToolCert, ASN1_UTF8STRING)
1392 +} ASN1_SEQUENCE_END(ISSUER_SIGN_TOOL)
1394 +IMPLEMENT_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)
1396 +static int i2r_ISSUER_SIGN_TOOL(X509V3_EXT_METHOD *method,
1397 + ISSUER_SIGN_TOOL *ist, BIO *out,
1400 + if (ist->signTool) {
1401 + BIO_printf(out, "%*s", indent, "");
1402 + BIO_write(out, "signTool: ", 14);
1403 + BIO_write(out, ist->signTool->data, ist->signTool->length);
1404 + BIO_write(out, "\n", 1);
1406 + if (ist->cATool) {
1407 + BIO_printf(out, "%*s", indent, "");
1408 + BIO_write(out, "cATool: ", 14);
1409 + BIO_write(out, ist->cATool->data, ist->cATool->length);
1410 + BIO_write(out, "\n", 1);
1412 + if (ist->signToolCert) {
1413 + BIO_printf(out, "%*s", indent, "");
1414 + BIO_write(out, "signToolCert: ", 14);
1415 + BIO_write(out, ist->signToolCert->data, ist->signToolCert->length);
1416 + BIO_write(out, "\n", 1);
1418 + if (ist->cAToolCert) {
1419 + BIO_printf(out, "%*s", indent, "");
1420 + BIO_write(out, "cAToolCert: ", 14);
1421 + BIO_write(out, ist->cAToolCert->data, ist->cAToolCert->length);
1422 + BIO_write(out, "\n", 1);
1427 +const X509V3_EXT_METHOD v3_issuer_sign_tool = {
1428 + NID_issuerSignTool, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(ISSUER_SIGN_TOOL),
1431 + 0, /*(X509V3_EXT_I2V)i2v_ISSUER_SIGN_TOOL,*/
1433 + (X509V3_EXT_I2R)i2r_ISSUER_SIGN_TOOL, 0, NULL
1435 diff --git crypto/x509v3/v3err.c crypto/x509v3/v3err.c
1436 index 8b2918a6..3c9f2332 100644
1437 --- crypto/x509v3/v3err.c
1438 +++ crypto/x509v3/v3err.c
1439 @@ -37,6 +37,8 @@ static const ERR_STRING_DATA X509V3_str_functs[] = {
1440 "i2s_ASN1_IA5STRING"},
1441 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2S_ASN1_INTEGER, 0),
1442 "i2s_ASN1_INTEGER"},
1443 + {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2S_ASN1_UTF8STRING, 0),
1444 + "i2s_ASN1_UTF8STRING"},
1445 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_INFO_ACCESS, 0),
1446 "i2v_AUTHORITY_INFO_ACCESS"},
1447 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_KEYID, 0),
1448 @@ -60,6 +62,8 @@ static const ERR_STRING_DATA X509V3_str_functs[] = {
1449 "s2i_ASN1_INTEGER"},
1450 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_ASN1_OCTET_STRING, 0),
1451 "s2i_ASN1_OCTET_STRING"},
1452 + {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_ASN1_UTF8STRING, 0),
1453 + "s2i_ASN1_UTF8STRING"},
1454 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_SKEY_ID, 0), "s2i_skey_id"},
1455 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SET_DIST_POINT_NAME, 0),
1456 "set_dist_point_name"},
1457 diff --git include/openssl/cms.h include/openssl/cms.h
1458 index c7627968..c90a01fa 100644
1459 --- include/openssl/cms.h
1460 +++ include/openssl/cms.h
1461 @@ -73,6 +73,7 @@ DECLARE_ASN1_PRINT_FUNCTION(CMS_ContentInfo)
1462 # define CMS_DEBUG_DECRYPT 0x20000
1463 # define CMS_KEY_PARAM 0x40000
1464 # define CMS_ASCIICRLF 0x80000
1465 +# define CMS_USE_ORIGINATOR_KEYID 0x100000
1467 const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms);
1469 @@ -143,6 +144,7 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert,
1470 BIO *dcont, BIO *out, unsigned int flags);
1472 int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert);
1473 +int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer);
1474 int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
1475 unsigned char *key, size_t keylen,
1476 const unsigned char *id, size_t idlen);
1477 @@ -155,6 +157,8 @@ EVP_PKEY_CTX *CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo *ri);
1478 CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher);
1479 CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
1480 X509 *recip, unsigned int flags);
1481 +CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
1482 + EVP_PKEY *originatorPrivKey, X509 * originator, unsigned int flags);
1483 int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey);
1484 int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
1485 int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
1486 @@ -319,6 +323,7 @@ int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek,
1487 int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
1489 int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
1490 +int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *pk, X509 *peer);
1491 EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri);
1492 int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
1493 CMS_RecipientInfo *ri,
1494 diff --git include/openssl/cmserr.h include/openssl/cmserr.h
1495 index 7dbc13dc..9131e075 100644
1496 --- include/openssl/cmserr.h
1497 +++ include/openssl/cmserr.h
1499 #ifndef HEADER_CMSERR_H
1500 # define HEADER_CMSERR_H
1502 -# ifndef HEADER_SYMHACKS_H
1503 -# include <openssl/symhacks.h>
1505 +# include <openssl/symhacks.h>
1507 # include <openssl/opensslconf.h>
1509 @@ -32,6 +30,7 @@ int ERR_load_CMS_strings(void);
1510 # define CMS_F_CMS_ADD0_RECIPIENT_KEY 100
1511 # define CMS_F_CMS_ADD0_RECIPIENT_PASSWORD 165
1512 # define CMS_F_CMS_ADD1_RECEIPTREQUEST 158
1513 +# define CMS_F_CMS_ADD1_RECIPIENT 181
1514 # define CMS_F_CMS_ADD1_RECIPIENT_CERT 101
1515 # define CMS_F_CMS_ADD1_SIGNER 102
1516 # define CMS_F_CMS_ADD1_SIGNINGTIME 103
1517 @@ -47,6 +46,7 @@ int ERR_load_CMS_strings(void);
1518 # define CMS_F_CMS_DECRYPT_SET1_KEY 113
1519 # define CMS_F_CMS_DECRYPT_SET1_PASSWORD 166
1520 # define CMS_F_CMS_DECRYPT_SET1_PKEY 114
1521 +# define CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER 182
1522 # define CMS_F_CMS_DIGESTALGORITHM_FIND_CTX 115
1523 # define CMS_F_CMS_DIGESTALGORITHM_INIT_BIO 116
1524 # define CMS_F_CMS_DIGESTEDDATA_DO_FINAL 117
1525 @@ -59,6 +59,9 @@ int ERR_load_CMS_strings(void);
1526 # define CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT 122
1527 # define CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY 123
1528 # define CMS_F_CMS_ENVELOPEDDATA_CREATE 124
1529 +# define CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO 184
1530 +# define CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO 185
1531 +# define CMS_F_CMS_ENVELOPEDDATA_FINAL 186
1532 # define CMS_F_CMS_ENVELOPEDDATA_INIT_BIO 125
1533 # define CMS_F_CMS_ENVELOPED_DATA_INIT 126
1534 # define CMS_F_CMS_ENV_ASN1_CTRL 171
1535 diff --git include/openssl/evp.h include/openssl/evp.h
1536 index a411f3f2..8172316e 100644
1537 --- include/openssl/evp.h
1538 +++ include/openssl/evp.h
1540 # define EVP_MAX_KEY_LENGTH 64
1541 # define EVP_MAX_IV_LENGTH 16
1542 # define EVP_MAX_BLOCK_LENGTH 32
1543 +# define EVP_MAX_AEAD_TAG_LEN 16/* longest known AEAD tag size */
1545 +#define EVP_MAX_MAC_SIZE EVP_MAX_AEAD_TAG_LEN
1547 # define PKCS5_SALT_LEN 8
1548 /* Default PKCS#5 iteration count */
1549 @@ -139,6 +142,7 @@ int (*EVP_MD_meth_get_ctrl(const EVP_MD *md))(EVP_MD_CTX *ctx, int cmd,
1550 # define EVP_MD_CTRL_DIGALGID 0x1
1551 # define EVP_MD_CTRL_MICALG 0x2
1552 # define EVP_MD_CTRL_XOF_LEN 0x3
1553 +# define EVP_MD_CTRL_TLSTREE 0x4
1555 /* Minimum Algorithm specific ctrl value */
1557 @@ -277,8 +281,9 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
1558 # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
1559 # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0x400000
1560 /* Cipher can handle pipeline operations */
1561 -# define EVP_CIPH_FLAG_PIPELINE 0X800000
1563 +# define EVP_CIPH_FLAG_PIPELINE 0x800000
1564 +# define EVP_CIPH_FLAG_CIPHER_WITH_MAC 0x1000000
1565 +# define EVP_CIPH_FLAG_GET_WRAP_CIPHER 0X4000000
1567 * Cipher context flag to indicate we can handle wrap mode: if allowed in
1568 * older applications it could overflow buffers.
1569 @@ -352,6 +357,20 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
1570 # define EVP_CTRL_SET_PIPELINE_INPUT_LENS 0x24
1572 # define EVP_CTRL_GET_IVLEN 0x25
1573 +/* Indicates TLSTREE key diversification during TLS processing */
1574 +# define EVP_CTRL_TLSTREE 0x26
1576 +#define EVP_CTRL_AEAD_MAX_TAG_LEN 0x27
1577 +# define EVP_CTRL_GET_WRAP_CIPHER 0X28
1579 +# define EVP_CTRL_GET_MAC_LEN EVP_CTRL_AEAD_MAX_TAG_LEN
1580 +# define EVP_CTRL_GET_MAC EVP_CTRL_AEAD_GET_TAG
1581 +# define EVP_CTRL_SET_EXPECTED_MAC EVP_CTRL_AEAD_SET_TAG
1582 +/* GOST CMS requires processing unprotected attributes in some cases*/
1583 +# define EVP_CTRL_PROCESS_UNPROTECTED 0x29
1584 +/* Set GOST TLSTREE params */
1585 +# define EVP_CTRL_SET_TLSTREE_PARAMS 0x2A
1589 #define EVP_PADDING_PKCS7 1
1590 @@ -390,6 +409,10 @@ typedef struct {
1591 /* Length of CCM8 tag for TLS */
1592 # define EVP_CCM8_TLS_TAG_LEN 8
1594 +/* GOST TLS 1.3 tag lengths */
1595 +# define EVP_MAGMA_TLS_TAG_LEN 8
1596 +# define EVP_KUZNYECHIK_TLS_TAG_LEN 16
1598 /* Length of tag for TLS */
1599 # define EVP_CHACHAPOLY_TLS_TAG_LEN 16
1601 @@ -1142,6 +1165,10 @@ int EVP_PBE_get(int *ptype, int *ppbe_nid, size_t num);
1602 # define ASN1_PKEY_CTRL_SET1_TLS_ENCPT 0x9
1603 # define ASN1_PKEY_CTRL_GET1_TLS_ENCPT 0xa
1605 +/* This control use for decryption */
1606 +/* when algorithm support multiple ri types */
1607 +# define ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED 0xb
1609 int EVP_PKEY_asn1_get_count(void);
1610 const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx);
1611 const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pe, int type);
1612 diff --git include/openssl/obj_mac.h include/openssl/obj_mac.h
1613 index eb812ed1..260357b1 100644
1614 --- include/openssl/obj_mac.h
1615 +++ include/openssl/obj_mac.h
1616 @@ -4162,6 +4162,26 @@
1617 #define NID_id_GostR3410_2001_ParamSet_cc 854
1618 #define OBJ_id_GostR3410_2001_ParamSet_cc OBJ_cryptocom,1L,8L,1L
1620 +#define SN_id_tc26_modules "id-tc26-modules"
1621 +#define LN_id_tc26_modules "GOST TC26 ASN.1 modules"
1622 +#define NID_id_tc26_modules 1203
1623 +#define OBJ_id_tc26_modules OBJ_id_tc26,0L
1625 +#define SN_id_tc26_cms "id-tc26-cms"
1626 +#define LN_id_tc26_cms "GOST TC26 SMS"
1627 +#define NID_id_tc26_cms 1204
1628 +#define OBJ_id_tc26_cms OBJ_id_tc26_modules,6L
1630 +#define SN_id_tc26_cms_attrs "id-tc26-cms-attrs"
1631 +#define LN_id_tc26_cms_attrs "GOST TC26 SMS attributes"
1632 +#define NID_id_tc26_cms_attrs 1205
1633 +#define OBJ_id_tc26_cms_attrs OBJ_id_tc26_cms,1L
1635 +#define SN_id_tc26_mac_attr "id-tc26-mac-attr"
1636 +#define LN_id_tc26_mac_attr "GOST TC26 SMS content-mac attribute"
1637 +#define NID_id_tc26_mac_attr 1206
1638 +#define OBJ_id_tc26_mac_attr OBJ_id_tc26_cms_attrs,1L
1640 #define SN_id_tc26_algorithms "id-tc26-algorithms"
1641 #define NID_id_tc26_algorithms 977
1642 #define OBJ_id_tc26_algorithms OBJ_id_tc26,1L
1643 @@ -4230,25 +4250,25 @@
1644 #define NID_id_tc26_cipher_gostr3412_2015_magma 1173
1645 #define OBJ_id_tc26_cipher_gostr3412_2015_magma OBJ_id_tc26_cipher,1L
1647 -#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm "id-tc26-cipher-gostr3412-2015-magma-ctracpkm"
1648 -#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm 1174
1649 -#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm OBJ_id_tc26_cipher_gostr3412_2015_magma,1L
1650 +#define SN_magma_ctr_acpkm "magma-ctr-acpkm"
1651 +#define NID_magma_ctr_acpkm 1174
1652 +#define OBJ_magma_ctr_acpkm OBJ_id_tc26_cipher_gostr3412_2015_magma,1L
1654 -#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac "id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac"
1655 -#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac 1175
1656 -#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_magma,2L
1657 +#define SN_magma_ctr_acpkm_omac "magma-ctr-acpkm-omac"
1658 +#define NID_magma_ctr_acpkm_omac 1175
1659 +#define OBJ_magma_ctr_acpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_magma,2L
1661 #define SN_id_tc26_cipher_gostr3412_2015_kuznyechik "id-tc26-cipher-gostr3412-2015-kuznyechik"
1662 #define NID_id_tc26_cipher_gostr3412_2015_kuznyechik 1176
1663 #define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik OBJ_id_tc26_cipher,2L
1665 -#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm"
1666 -#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm 1177
1667 -#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,1L
1668 +#define SN_kuznyechik_ctr_acpkm "kuznyechik-ctr-acpkm"
1669 +#define NID_kuznyechik_ctr_acpkm 1177
1670 +#define OBJ_kuznyechik_ctr_acpkm OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,1L
1672 -#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac"
1673 -#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac 1178
1674 -#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,2L
1675 +#define SN_kuznyechik_ctr_acpkm_omac "kuznyechik-ctr-acpkm-omac"
1676 +#define NID_kuznyechik_ctr_acpkm_omac 1178
1677 +#define OBJ_kuznyechik_ctr_acpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,2L
1679 #define SN_id_tc26_agreement "id-tc26-agreement"
1680 #define NID_id_tc26_agreement 991
1681 @@ -4270,17 +4290,17 @@
1682 #define NID_id_tc26_wrap_gostr3412_2015_magma 1180
1683 #define OBJ_id_tc26_wrap_gostr3412_2015_magma OBJ_id_tc26_wrap,1L
1685 -#define SN_id_tc26_wrap_gostr3412_2015_magma_kexp15 "id-tc26-wrap-gostr3412-2015-magma-kexp15"
1686 -#define NID_id_tc26_wrap_gostr3412_2015_magma_kexp15 1181
1687 -#define OBJ_id_tc26_wrap_gostr3412_2015_magma_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_magma,1L
1688 +#define SN_magma_kexp15 "magma-kexp15"
1689 +#define NID_magma_kexp15 1181
1690 +#define OBJ_magma_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_magma,1L
1692 #define SN_id_tc26_wrap_gostr3412_2015_kuznyechik "id-tc26-wrap-gostr3412-2015-kuznyechik"
1693 #define NID_id_tc26_wrap_gostr3412_2015_kuznyechik 1182
1694 #define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik OBJ_id_tc26_wrap,2L
1696 -#define SN_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 "id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15"
1697 -#define NID_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 1183
1698 -#define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik,1L
1699 +#define SN_kuznyechik_kexp15 "kuznyechik-kexp15"
1700 +#define NID_kuznyechik_kexp15 1183
1701 +#define OBJ_kuznyechik_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik,1L
1703 #define SN_id_tc26_constants "id-tc26-constants"
1704 #define NID_id_tc26_constants 994
1705 @@ -4370,6 +4390,11 @@
1706 #define NID_SNILS 1006
1707 #define OBJ_SNILS OBJ_member_body,643L,100L,3L
1709 +#define SN_OGRNIP "OGRNIP"
1710 +#define LN_OGRNIP "OGRNIP"
1711 +#define NID_OGRNIP 1195
1712 +#define OBJ_OGRNIP OBJ_member_body,643L,100L,5L
1714 #define SN_subjectSignTool "subjectSignTool"
1715 #define LN_subjectSignTool "Signing Tool of Subject"
1716 #define NID_subjectSignTool 1007
1717 @@ -4380,23 +4405,61 @@
1718 #define NID_issuerSignTool 1008
1719 #define OBJ_issuerSignTool OBJ_member_body,643L,100L,112L
1721 -#define SN_grasshopper_ecb "grasshopper-ecb"
1722 -#define NID_grasshopper_ecb 1012
1723 +#define SN_classSignTool "classSignTool"
1724 +#define LN_classSignTool "Class of Signing Tool"
1725 +#define NID_classSignTool 1196
1726 +#define OBJ_classSignTool OBJ_member_body,643L,100L,113L
1728 +#define SN_classSignToolKC1 "classSignToolKC1"
1729 +#define LN_classSignToolKC1 "Class of Signing Tool KC1"
1730 +#define NID_classSignToolKC1 1197
1731 +#define OBJ_classSignToolKC1 OBJ_member_body,643L,100L,113L,1L
1733 +#define SN_classSignToolKC2 "classSignToolKC2"
1734 +#define LN_classSignToolKC2 "Class of Signing Tool KC2"
1735 +#define NID_classSignToolKC2 1198
1736 +#define OBJ_classSignToolKC2 OBJ_member_body,643L,100L,113L,2L
1738 +#define SN_classSignToolKC3 "classSignToolKC3"
1739 +#define LN_classSignToolKC3 "Class of Signing Tool KC3"
1740 +#define NID_classSignToolKC3 1199
1741 +#define OBJ_classSignToolKC3 OBJ_member_body,643L,100L,113L,3L
1743 +#define SN_classSignToolKB1 "classSignToolKB1"
1744 +#define LN_classSignToolKB1 "Class of Signing Tool KB1"
1745 +#define NID_classSignToolKB1 1200
1746 +#define OBJ_classSignToolKB1 OBJ_member_body,643L,100L,113L,4L
1748 +#define SN_classSignToolKB2 "classSignToolKB2"
1749 +#define LN_classSignToolKB2 "Class of Signing Tool KB2"
1750 +#define NID_classSignToolKB2 1201
1751 +#define OBJ_classSignToolKB2 OBJ_member_body,643L,100L,113L,5L
1753 -#define SN_grasshopper_ctr "grasshopper-ctr"
1754 -#define NID_grasshopper_ctr 1013
1755 +#define SN_classSignToolKA1 "classSignToolKA1"
1756 +#define LN_classSignToolKA1 "Class of Signing Tool KA1"
1757 +#define NID_classSignToolKA1 1202
1758 +#define OBJ_classSignToolKA1 OBJ_member_body,643L,100L,113L,6L
1760 -#define SN_grasshopper_ofb "grasshopper-ofb"
1761 -#define NID_grasshopper_ofb 1014
1762 +#define SN_kuznyechik_ecb "kuznyechik-ecb"
1763 +#define NID_kuznyechik_ecb 1012
1765 -#define SN_grasshopper_cbc "grasshopper-cbc"
1766 -#define NID_grasshopper_cbc 1015
1767 +#define SN_kuznyechik_ctr "kuznyechik-ctr"
1768 +#define NID_kuznyechik_ctr 1013
1770 -#define SN_grasshopper_cfb "grasshopper-cfb"
1771 -#define NID_grasshopper_cfb 1016
1772 +#define SN_kuznyechik_ofb "kuznyechik-ofb"
1773 +#define NID_kuznyechik_ofb 1014
1775 -#define SN_grasshopper_mac "grasshopper-mac"
1776 -#define NID_grasshopper_mac 1017
1777 +#define SN_kuznyechik_cbc "kuznyechik-cbc"
1778 +#define NID_kuznyechik_cbc 1015
1780 +#define SN_kuznyechik_cfb "kuznyechik-cfb"
1781 +#define NID_kuznyechik_cfb 1016
1783 +#define SN_kuznyechik_mac "kuznyechik-mac"
1784 +#define NID_kuznyechik_mac 1017
1786 +#define SN_kuznyechik_mgm "kuznyechik-mgm"
1787 +#define NID_kuznyechik_mgm 1207
1789 #define SN_magma_ecb "magma-ecb"
1790 #define NID_magma_ecb 1187
1791 @@ -4416,6 +4479,9 @@
1792 #define SN_magma_mac "magma-mac"
1793 #define NID_magma_mac 1192
1795 +#define SN_magma_mgm "magma-mgm"
1796 +#define NID_magma_mgm 1208
1798 #define SN_camellia_128_cbc "CAMELLIA-128-CBC"
1799 #define LN_camellia_128_cbc "camellia-128-cbc"
1800 #define NID_camellia_128_cbc 751
1801 @@ -5196,3 +5262,49 @@
1802 #define LN_uacurve9 "DSTU curve 9"
1803 #define NID_uacurve9 1169
1804 #define OBJ_uacurve9 OBJ_dstu4145le,2L,9L
1806 +#ifndef OPENSSL_NO_DEPRECATED_3_0
1808 +#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm SN_magma_ctr_acpkm
1809 +#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm NID_magma_ctr_acpkm
1810 +#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm OBJ_magma_ctr_acpkm
1812 +#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac SN_magma_ctr_acpkm_omac
1813 +#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac NID_magma_ctr_acpkm_omac
1814 +#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac OBJ_magma_ctr_acpkm_omac
1816 +#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm SN_kuznyechik_ctr_acpkm
1817 +#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm NID_kuznyechik_ctr_acpkm
1818 +#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm OBJ_kuznyechik_ctr_acpkm
1820 +#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac SN_kuznyechik_ctr_acpkm_omac
1821 +#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac NID_kuznyechik_ctr_acpkm_omac
1822 +#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac OBJ_kuznyechik_ctr_acpkm_omac
1824 +#define SN_id_tc26_wrap_gostr3412_2015_magma_kexp15 SN_magma_kexp15
1825 +#define NID_id_tc26_wrap_gostr3412_2015_magma_kexp15 NID_magma_kexp15
1826 +#define OBJ_id_tc26_wrap_gostr3412_2015_magma_kexp15 OBJ_magma_kexp15
1828 +#define SN_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 SN_kuznyechik_kexp15
1829 +#define NID_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 NID_kuznyechik_kexp15
1830 +#define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 OBJ_kuznyechik_kexp15
1832 +#define SN_grasshopper_ecb SN_kuznyechik_ecb
1833 +#define NID_grasshopper_ecb NID_kuznyechik_ecb
1835 +#define SN_grasshopper_ctr SN_kuznyechik_ctr
1836 +#define NID_grasshopper_ctr NID_kuznyechik_ctr
1838 +#define SN_grasshopper_ofb SN_kuznyechik_ofb
1839 +#define NID_grasshopper_ofb NID_kuznyechik_ofb
1841 +#define SN_grasshopper_cbc SN_kuznyechik_cbc
1842 +#define NID_grasshopper_cbc NID_kuznyechik_cbc
1844 +#define SN_grasshopper_cfb SN_kuznyechik_cfb
1845 +#define NID_grasshopper_cfb NID_kuznyechik_cfb
1847 +#define SN_grasshopper_mac SN_kuznyechik_mac
1848 +#define NID_grasshopper_mac NID_kuznyechik_mac
1851 diff --git include/openssl/ssl.h include/openssl/ssl.h
1852 index fd0c5a99..5ec06487 100644
1853 --- include/openssl/ssl.h
1854 +++ include/openssl/ssl.h
1855 @@ -81,6 +81,7 @@ extern "C" {
1856 # define SSL_TXT_kECDHEPSK "kECDHEPSK"
1857 # define SSL_TXT_kDHEPSK "kDHEPSK"
1858 # define SSL_TXT_kGOST "kGOST"
1859 +# define SSL_TXT_kGOST18 "kGOST18"
1860 # define SSL_TXT_kSRP "kSRP"
1862 # define SSL_TXT_aRSA "aRSA"
1863 @@ -908,6 +909,8 @@ __owur int SSL_extension_supported(unsigned int ext_type);
1865 # define SSL_MAC_FLAG_READ_MAC_STREAM 1
1866 # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
1867 +# define SSL_MAC_FLAG_READ_MAC_TLSTREE 4
1868 +# define SSL_MAC_FLAG_WRITE_MAC_TLSTREE 8
1871 * A callback for logging out TLS key material. This callback should log out
1872 diff --git include/openssl/sslerr.h include/openssl/sslerr.h
1873 index 701d61c6..36cacab3 100644
1874 --- include/openssl/sslerr.h
1875 +++ include/openssl/sslerr.h
1877 #ifndef HEADER_SSLERR_H
1878 # define HEADER_SSLERR_H
1880 -# ifndef HEADER_SYMHACKS_H
1881 -# include <openssl/symhacks.h>
1883 +# include <openssl/symhacks.h>
1887 @@ -297,6 +295,7 @@ int ERR_load_SSL_strings(void);
1888 # define SSL_F_TLS_CONSTRUCT_CKE_DHE 404
1889 # define SSL_F_TLS_CONSTRUCT_CKE_ECDHE 405
1890 # define SSL_F_TLS_CONSTRUCT_CKE_GOST 406
1891 +# define SSL_F_TLS_CONSTRUCT_CKE_GOST18 642
1892 # define SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE 407
1893 # define SSL_F_TLS_CONSTRUCT_CKE_RSA 409
1894 # define SSL_F_TLS_CONSTRUCT_CKE_SRP 410
1895 @@ -421,6 +420,7 @@ int ERR_load_SSL_strings(void);
1896 # define SSL_F_TLS_PROCESS_CKE_DHE 411
1897 # define SSL_F_TLS_PROCESS_CKE_ECDHE 412
1898 # define SSL_F_TLS_PROCESS_CKE_GOST 413
1899 +# define SSL_F_TLS_PROCESS_CKE_GOST18 641
1900 # define SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE 414
1901 # define SSL_F_TLS_PROCESS_CKE_RSA 415
1902 # define SSL_F_TLS_PROCESS_CKE_SRP 416
1903 diff --git include/openssl/tls1.h include/openssl/tls1.h
1904 index 76d9fda4..6b6442f3 100644
1905 --- include/openssl/tls1.h
1906 +++ include/openssl/tls1.h
1907 @@ -613,6 +613,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
1908 # define TLS1_3_CK_AES_128_CCM_SHA256 0x03001304
1909 # define TLS1_3_CK_AES_128_CCM_8_SHA256 0x03001305
1911 +/* https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites */
1912 +# define TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L 0x0300C103
1913 +# define TLS_GOSTR341112_256_WITH_MAGMA_MGM_L 0x0300C104
1914 +# define TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S 0x0300C105
1915 +# define TLS_GOSTR341112_256_WITH_MAGMA_MGM_S 0x0300C106
1917 /* Aria ciphersuites from RFC6209 */
1918 # define TLS1_CK_RSA_WITH_ARIA_128_GCM_SHA256 0x0300C050
1919 # define TLS1_CK_RSA_WITH_ARIA_256_GCM_SHA384 0x0300C051
1920 @@ -1135,8 +1141,10 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
1921 # define TLS_CT_RSA_FIXED_ECDH 65
1922 # define TLS_CT_ECDSA_FIXED_ECDH 66
1923 # define TLS_CT_GOST01_SIGN 22
1924 -# define TLS_CT_GOST12_SIGN 238
1925 -# define TLS_CT_GOST12_512_SIGN 239
1926 +# define TLS_CT_GOST12_SIGN 67
1927 +# define TLS_CT_GOST12_512_SIGN 68
1928 +# define TLS_CT_GOST12_SIGN_LEGACY 238
1929 +# define TLS_CT_GOST12_512_SIGN_LEGACY 239
1932 * when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see
1933 diff --git include/openssl/x509.h include/openssl/x509.h
1934 index 3ff86ec7..cdca4f5f 100644
1935 --- include/openssl/x509.h
1936 +++ include/openssl/x509.h
1937 @@ -1023,8 +1023,11 @@ int PKCS8_pkey_get0(const ASN1_OBJECT **ppkalg,
1939 const STACK_OF(X509_ATTRIBUTE) *
1940 PKCS8_pkey_get0_attrs(const PKCS8_PRIV_KEY_INFO *p8);
1941 +int PKCS8_pkey_add1_attr(PKCS8_PRIV_KEY_INFO *p8, X509_ATTRIBUTE *attr);
1942 int PKCS8_pkey_add1_attr_by_NID(PKCS8_PRIV_KEY_INFO *p8, int nid, int type,
1943 const unsigned char *bytes, int len);
1944 +int PKCS8_pkey_add1_attr_by_OBJ(PKCS8_PRIV_KEY_INFO *p8, const ASN1_OBJECT *obj,
1945 + int type, const unsigned char *bytes, int len);
1947 int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
1948 int ptype, void *pval,
1949 diff --git include/openssl/x509v3err.h include/openssl/x509v3err.h
1950 index 3b9f7139..48f7a558 100644
1951 --- include/openssl/x509v3err.h
1952 +++ include/openssl/x509v3err.h
1953 @@ -37,6 +37,7 @@ int ERR_load_X509V3_strings(void);
1954 # define X509V3_F_I2S_ASN1_ENUMERATED 121
1955 # define X509V3_F_I2S_ASN1_IA5STRING 149
1956 # define X509V3_F_I2S_ASN1_INTEGER 120
1957 +# define X509V3_F_I2S_ASN1_UTF8STRING 175
1958 # define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
1959 # define X509V3_F_I2V_AUTHORITY_KEYID 173
1960 # define X509V3_F_LEVEL_ADD_NODE 168
1961 @@ -52,6 +53,7 @@ int ERR_load_X509V3_strings(void);
1962 # define X509V3_F_S2I_ASN1_IA5STRING 100
1963 # define X509V3_F_S2I_ASN1_INTEGER 108
1964 # define X509V3_F_S2I_ASN1_OCTET_STRING 112
1965 +# define X509V3_F_S2I_ASN1_UTF8STRING 176
1966 # define X509V3_F_S2I_SKEY_ID 115
1967 # define X509V3_F_SET_DIST_POINT_NAME 158
1968 # define X509V3_F_SXNET_ADD_ID_ASC 125
1969 diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c
1970 index f1585447..b4ed24fd 100644
1971 --- ssl/record/ssl3_record.c
1972 +++ ssl/record/ssl3_record.c
1973 @@ -944,6 +944,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
1974 unsigned char padval;
1976 const EVP_CIPHER *enc;
1977 + int tlstree_enc = (sending ? (s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
1978 + : (s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE));
1981 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
1982 @@ -1036,7 +1038,6 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
1984 seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
1985 : RECORD_LAYER_get_read_sequence(&s->rlayer);
1987 if (SSL_IS_DTLS(s)) {
1988 /* DTLS does not support pipelining */
1989 unsigned char dtlsseq[8], *p = dtlsseq;
1990 @@ -1122,6 +1123,27 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
1994 + if (!SSL_IS_DTLS(s) && tlstree_enc) {
1995 + unsigned char *seq;
1996 + int decrement_seq = 0;
1998 + * When sending, seq is incremented after MAC calculation.
1999 + * So if we are in ETM mode, we use seq 'as is' in the ctrl-function.
2000 + * Otherwise we have to decrease it in the implementation
2002 + if (sending && !SSL_WRITE_ETM(s))
2003 + decrement_seq = 1;
2005 + seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
2006 + : RECORD_LAYER_get_read_sequence(&s->rlayer);
2007 + if(EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_TLSTREE, decrement_seq, seq) <= 0)
2009 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
2010 + ERR_R_INTERNAL_ERROR);
2015 /* TODO(size_t): Convert this call */
2016 tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
2017 (unsigned int)reclen[0]);
2018 @@ -1287,6 +1309,8 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
2019 unsigned char header[13];
2020 int stream_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
2021 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
2022 + int tlstree_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
2023 + : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE));
2027 @@ -1314,6 +1338,11 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
2031 + if (!SSL_IS_DTLS(ssl) && tlstree_mac && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) {
2032 + EVP_MD_CTX_free(hmac);
2036 if (SSL_IS_DTLS(ssl)) {
2037 unsigned char dtlsseq[8], *p = dtlsseq;
2039 diff --git ssl/record/ssl3_record_tls13.c ssl/record/ssl3_record_tls13.c
2040 index ab50e376..4f78474e 100644
2041 --- ssl/record/ssl3_record_tls13.c
2042 +++ ssl/record/ssl3_record_tls13.c
2043 @@ -107,6 +107,10 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
2044 taglen = EVP_GCM_TLS_TAG_LEN;
2045 } else if (alg_enc & SSL_CHACHA20) {
2046 taglen = EVP_CHACHAPOLY_TLS_TAG_LEN;
2047 + } else if (alg_enc & SSL_MAGMA_MGM) {
2048 + taglen = EVP_MAGMA_TLS_TAG_LEN;
2049 + } else if (alg_enc & SSL_KUZNYECHIK_MGM) {
2050 + taglen = EVP_KUZNYECHIK_TLS_TAG_LEN;
2052 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC,
2053 ERR_R_INTERNAL_ERROR);
2054 @@ -135,6 +139,15 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
2055 for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
2056 iv[offset + loop] = staticiv[offset + loop] ^ seq[loop];
2058 + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE) {
2059 + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_TLSTREE,
2061 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC,
2062 + ERR_R_INTERNAL_ERROR);
2067 /* Increment the sequence counter */
2068 for (loop = SEQ_NUM_SIZE; loop > 0; loop--) {
2070 diff --git ssl/s3_lib.c ssl/s3_lib.c
2071 index b256a4b9..bc9ba357 100644
2074 @@ -111,7 +111,74 @@ static SSL_CIPHER tls13_ciphers[] = {
2075 SSL_HANDSHAKE_MAC_SHA256,
2080 +#ifndef OPENSSL_NO_GOST
2081 +/* https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites */
2084 + "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", /* FIXME */
2085 + "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", /* FIXME */
2086 + TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L,
2089 + SSL_KUZNYECHIK_MGM,
2091 + TLS1_3_VERSION, TLS1_3_VERSION,
2094 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_L,
2100 + "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", /* FIXME */
2101 + "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", /* FIXME */
2102 + TLS_GOSTR341112_256_WITH_MAGMA_MGM_L,
2107 + TLS1_3_VERSION, TLS1_3_VERSION,
2110 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_L,
2116 + "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", /* FIXME */
2117 + "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", /* FIXME */
2118 + TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S,
2121 + SSL_KUZNYECHIK_MGM,
2123 + TLS1_3_VERSION, TLS1_3_VERSION,
2126 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_S,
2132 + "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", /* FIXME */
2133 + "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", /* FIXME */
2134 + TLS_GOSTR341112_256_WITH_MAGMA_MGM_S,
2139 + TLS1_3_VERSION, TLS1_3_VERSION,
2142 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_S,
2150 @@ -2665,6 +2732,54 @@ static SSL_CIPHER ssl3_ciphers[] = {
2156 + "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC",
2162 + SSL_KUZNYECHIKOMAC,
2163 + TLS1_2_VERSION, TLS1_2_VERSION,
2166 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_TLSTREE,
2172 + "GOST2012-MAGMA-MAGMAOMAC",
2179 + TLS1_2_VERSION, TLS1_2_VERSION,
2182 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_TLSTREE,
2188 + "GOST2012-GOST8912-IANA",
2192 + SSL_aGOST12 | SSL_aGOST01,
2193 + SSL_eGOST2814789CNT12,
2195 + TLS1_VERSION, TLS1_2_VERSION,
2198 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
2202 #endif /* OPENSSL_NO_GOST */
2204 #ifndef OPENSSL_NO_IDEA
2205 @@ -4339,6 +4454,11 @@ int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt)
2206 if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST))
2207 return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN)
2208 && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN)
2209 + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN)
2210 + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN_LEGACY)
2211 + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN_LEGACY);
2212 + if (s->version >= TLS1_2_VERSION && (alg_k & SSL_kGOST18))
2213 + return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN)
2214 && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN);
2217 @@ -4689,6 +4809,52 @@ EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm)
2220 #ifndef OPENSSL_NO_EC
2221 +#ifndef OPENSSL_NO_GOST
2223 +typedef struct tls_gost_group_param_st {
2224 + int nid; /* Curve params NID */
2225 + int alg_nid; /* GOST algorithm nid */
2226 + const char *params; /* GOST paramset mnemonics */
2227 +} TLS_GOST_GROUP_PARAM;
2229 +TLS_GOST_GROUP_PARAM gost_param[] = {
2230 + {NID_id_tc26_gost_3410_2012_256_paramSetA, NID_id_GostR3410_2012_256, "TCA"},
2231 + {NID_id_tc26_gost_3410_2012_256_paramSetB, NID_id_GostR3410_2012_256, "TCB"},
2232 + {NID_id_tc26_gost_3410_2012_256_paramSetC, NID_id_GostR3410_2012_256, "TCC"},
2233 + {NID_id_tc26_gost_3410_2012_256_paramSetD, NID_id_GostR3410_2012_256, "TCD"},
2234 + {NID_id_tc26_gost_3410_2012_512_paramSetA, NID_id_GostR3410_2012_512, "A"},
2235 + {NID_id_tc26_gost_3410_2012_512_paramSetB, NID_id_GostR3410_2012_512, "B"},
2236 + {NID_id_tc26_gost_3410_2012_512_paramSetC, NID_id_GostR3410_2012_512, "C"},
2239 +static EVP_PKEY_CTX *gost_pkey_nid2ctx(int nid)
2242 + TLS_GOST_GROUP_PARAM *pGostParam = NULL;
2243 + EVP_PKEY_CTX *pctx = NULL;
2245 + for (i = 0; i < OSSL_NELEM(gost_param); i++) {
2246 + if (gost_param[i].nid == nid) {
2247 + pGostParam = gost_param + i;
2252 + if (pGostParam == NULL) {
2256 + pctx = EVP_PKEY_CTX_new_id(pGostParam->alg_nid, NULL);
2258 + || EVP_PKEY_CTX_ctrl_str(pctx, "paramset", pGostParam->params) <= 0) {
2259 + EVP_PKEY_CTX_free(pctx);
2267 /* Generate a private key from a group ID */
2268 EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
2270 @@ -4705,8 +4871,13 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
2271 gtype = ginf->flags & TLS_CURVE_TYPE;
2272 if (gtype == TLS_CURVE_CUSTOM)
2273 pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL);
2274 +#ifndef OPENSSL_NO_GOST
2275 + else if (gtype == TLS_CURVE_GOST)
2276 + pctx = gost_pkey_nid2ctx(ginf->nid);
2279 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
2282 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
2283 ERR_R_MALLOC_FAILURE);
2284 @@ -4717,7 +4888,7 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
2288 - if (gtype != TLS_CURVE_CUSTOM
2289 + if (gtype != TLS_CURVE_CUSTOM && gtype != TLS_CURVE_GOST
2290 && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) {
2291 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
2293 @@ -4755,13 +4926,21 @@ EVP_PKEY *ssl_generate_param_group(uint16_t id)
2297 +#ifndef OPENSSL_NO_GOST
2298 + if ((ginf->flags & TLS_CURVE_TYPE) == TLS_CURVE_GOST)
2299 + pctx = gost_pkey_nid2ctx(ginf->nid);
2302 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
2306 if (EVP_PKEY_paramgen_init(pctx) <= 0)
2308 - if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0)
2309 + if ((ginf->flags & TLS_CURVE_TYPE) != TLS_CURVE_GOST) {
2310 + if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0)
2313 if (EVP_PKEY_paramgen(pctx, &pkey) <= 0) {
2314 EVP_PKEY_free(pkey);
2316 diff --git ssl/ssl_ciph.c ssl/ssl_ciph.c
2317 index 55f919fc..87a41b15 100644
2321 #define SSL_ENC_CHACHA_IDX 19
2322 #define SSL_ENC_ARIA128GCM_IDX 20
2323 #define SSL_ENC_ARIA256GCM_IDX 21
2324 -#define SSL_ENC_NUM_IDX 22
2325 +#define SSL_ENC_MAGMA_IDX 22
2326 +#define SSL_ENC_KUZNYECHIK_IDX 23
2327 +#define SSL_ENC_MAGMA_MGM_IDX 24
2328 +#define SSL_ENC_KUZNYECHIK_MGM_IDX 25
2329 +#define SSL_ENC_NUM_IDX 26
2331 /* NB: make sure indices in these tables match values above */
2333 @@ -76,6 +80,10 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
2334 {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */
2335 {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */
2336 {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */
2337 + {SSL_MAGMA, NID_magma_ctr_acpkm}, /* SSL_ENC_MAGMA_IDX */
2338 + {SSL_KUZNYECHIK, NID_kuznyechik_ctr_acpkm}, /* SSL_ENC_KUZNYECHIK_IDX */
2339 + {SSL_MAGMA_MGM, NID_magma_mgm}, /* SSL_ENC_MAGMA_MGM_IDX */
2340 + {SSL_KUZNYECHIK_MGM, NID_kuznyechik_mgm}, /* SSL_ENC_KUZNYECHIK_MGM_IDX */
2343 static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
2344 @@ -110,11 +118,13 @@ static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
2345 {SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */
2346 {0, NID_md5_sha1}, /* SSL_MD_MD5_SHA1_IDX 9 */
2347 {0, NID_sha224}, /* SSL_MD_SHA224_IDX 10 */
2348 - {0, NID_sha512} /* SSL_MD_SHA512_IDX 11 */
2349 + {0, NID_sha512}, /* SSL_MD_SHA512_IDX 11 */
2350 + {SSL_MAGMAOMAC, NID_magma_mac}, /* SSL_MD_MAGMAOMAC_IDX */
2351 + {SSL_KUZNYECHIKOMAC, NID_kuznyechik_mac}, /* SSL_MD_KUZNYECHIKOMAC_IDX */
2354 static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
2355 - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
2356 + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
2360 @@ -128,6 +138,7 @@ static const ssl_cipher_table ssl_cipher_table_kx[] = {
2361 {SSL_kPSK, NID_kx_psk},
2362 {SSL_kSRP, NID_kx_srp},
2363 {SSL_kGOST, NID_kx_gost},
2364 + {SSL_kGOST18, NID_kx_gost},/* FIXME beldmit */
2365 {SSL_kANY, NID_kx_any}
2368 @@ -171,8 +182,8 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
2369 EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
2372 - /* MD5/SHA1, SHA224, SHA512 */
2373 - NID_undef, NID_undef, NID_undef
2374 + /* MD5/SHA1, SHA224, SHA512, MAGMAOMAC, KUZNYECHIKOMAC */
2375 + NID_undef, NID_undef, NID_undef, NID_undef, NID_undef
2378 static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];
2379 @@ -228,6 +239,7 @@ static const SSL_CIPHER cipher_aliases[] = {
2380 {0, SSL_TXT_kDHEPSK, NULL, 0, SSL_kDHEPSK},
2381 {0, SSL_TXT_kSRP, NULL, 0, SSL_kSRP},
2382 {0, SSL_TXT_kGOST, NULL, 0, SSL_kGOST},
2383 + {0, SSL_TXT_kGOST18, NULL, 0, SSL_kGOST18},
2385 /* server authentication aliases */
2386 {0, SSL_TXT_aRSA, NULL, 0, 0, SSL_aRSA},
2387 @@ -261,7 +273,7 @@ static const SSL_CIPHER cipher_aliases[] = {
2388 {0, SSL_TXT_IDEA, NULL, 0, 0, 0, SSL_IDEA},
2389 {0, SSL_TXT_SEED, NULL, 0, 0, 0, SSL_SEED},
2390 {0, SSL_TXT_eNULL, NULL, 0, 0, 0, SSL_eNULL},
2391 - {0, SSL_TXT_GOST, NULL, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12},
2392 + {0, SSL_TXT_GOST, NULL, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12 | SSL_MAGMA | SSL_KUZNYECHIK},
2393 {0, SSL_TXT_AES128, NULL, 0, 0, 0,
2394 SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8},
2395 {0, SSL_TXT_AES256, NULL, 0, 0, 0,
2396 @@ -419,24 +431,38 @@ int ssl_load_ciphers(void)
2397 * Check for presence of GOST 34.10 algorithms, and if they are not
2398 * present, disable appropriate auth and key exchange
2400 - ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");
2401 + ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id(SN_id_Gost28147_89_MAC);
2402 if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX])
2403 ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
2405 disabled_mac_mask |= SSL_GOST89MAC;
2407 ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] =
2408 - get_optional_pkey_id("gost-mac-12");
2409 + get_optional_pkey_id(SN_gost_mac_12);
2410 if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX])
2411 ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;
2413 disabled_mac_mask |= SSL_GOST89MAC12;
2415 - if (!get_optional_pkey_id("gost2001"))
2416 + ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX] =
2417 + get_optional_pkey_id(SN_magma_mac);
2418 + if (ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX])
2419 + ssl_mac_secret_size[SSL_MD_MAGMAOMAC_IDX] = 32;
2421 + disabled_mac_mask |= SSL_MAGMAOMAC;
2423 + ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX] =
2424 + get_optional_pkey_id(SN_kuznyechik_mac);
2425 + if (ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX])
2426 + ssl_mac_secret_size[SSL_MD_KUZNYECHIKOMAC_IDX] = 32;
2428 + disabled_mac_mask |= SSL_KUZNYECHIKOMAC;
2430 + if (!get_optional_pkey_id(SN_id_GostR3410_2001))
2431 disabled_auth_mask |= SSL_aGOST01 | SSL_aGOST12;
2432 - if (!get_optional_pkey_id("gost2012_256"))
2433 + if (!get_optional_pkey_id(SN_id_GostR3410_2012_256))
2434 disabled_auth_mask |= SSL_aGOST12;
2435 - if (!get_optional_pkey_id("gost2012_512"))
2436 + if (!get_optional_pkey_id(SN_id_GostR3410_2012_512))
2437 disabled_auth_mask |= SSL_aGOST12;
2439 * Disable GOST key exchange if no GOST signature algs are available *
2440 @@ -445,6 +471,9 @@ int ssl_load_ciphers(void)
2441 (SSL_aGOST01 | SSL_aGOST12))
2442 disabled_mkey_mask |= SSL_kGOST;
2444 + if ((disabled_auth_mask & SSL_aGOST12) == SSL_aGOST12)
2445 + disabled_mkey_mask |= SSL_kGOST18;
2450 @@ -1687,6 +1716,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
2460 @@ -1790,6 +1822,14 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
2461 case SSL_eGOST2814789CNT12:
2462 enc = "GOST89(256)";
2465 + case SSL_MAGMA_MGM:
2468 + case SSL_KUZNYECHIK:
2469 + case SSL_KUZNYECHIK_MGM:
2470 + enc = "KUZNYECHIK";
2472 case SSL_CHACHA20POLY1305:
2473 enc = "CHACHA20/POLY1305(256)";
2475 diff --git ssl/ssl_err.c ssl/ssl_err.c
2476 index 324f2ccb..df16a616 100644
2479 @@ -113,6 +113,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
2480 "ossl_statem_server_post_process_message"},
2481 {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_POST_WORK, 0),
2482 "ossl_statem_server_post_work"},
2483 + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_PRE_WORK, 0),
2484 + "ossl_statem_server_pre_work"},
2485 {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE, 0),
2486 "ossl_statem_server_process_message"},
2487 {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, 0),
2488 @@ -438,6 +440,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
2489 "tls_construct_cke_ecdhe"},
2490 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_GOST, 0),
2491 "tls_construct_cke_gost"},
2492 + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_GOST18, 0),
2493 + "tls_construct_cke_gost18"},
2494 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 0),
2495 "tls_construct_cke_psk_preamble"},
2496 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_RSA, 0),
2497 @@ -665,6 +669,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
2498 "tls_process_cke_ecdhe"},
2499 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_GOST, 0),
2500 "tls_process_cke_gost"},
2501 + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_GOST18, 0),
2502 + "tls_process_cke_gost18"},
2503 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 0),
2504 "tls_process_cke_psk_preamble"},
2505 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_RSA, 0),
2506 diff --git ssl/ssl_lib.c ssl/ssl_lib.c
2507 index 9c411a32..51bd2d3a 100644
2510 @@ -3382,11 +3382,11 @@ void ssl_set_masks(SSL *s)
2512 #ifndef OPENSSL_NO_GOST
2513 if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) {
2514 - mask_k |= SSL_kGOST;
2515 + mask_k |= SSL_kGOST | SSL_kGOST18;
2516 mask_a |= SSL_aGOST12;
2518 if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) {
2519 - mask_k |= SSL_kGOST;
2520 + mask_k |= SSL_kGOST | SSL_kGOST18;
2521 mask_a |= SSL_aGOST12;
2523 if (ssl_has_cert(s, SSL_PKEY_GOST01)) {
2524 diff --git ssl/ssl_local.h ssl/ssl_local.h
2525 index 9f346e30..b23d3433 100644
2529 # define SSL_kRSAPSK 0x00000040U
2530 # define SSL_kECDHEPSK 0x00000080U
2531 # define SSL_kDHEPSK 0x00000100U
2532 +/* GOST KDF key exchange, draft-smyshlyaev-tls12-gost-suites */
2533 +# define SSL_kGOST18 0x00000200U
2537 @@ -230,6 +232,10 @@
2538 # define SSL_CHACHA20POLY1305 0x00080000U
2539 # define SSL_ARIA128GCM 0x00100000U
2540 # define SSL_ARIA256GCM 0x00200000U
2541 +# define SSL_MAGMA 0x00400000U
2542 +# define SSL_KUZNYECHIK 0x00800000U
2543 +# define SSL_MAGMA_MGM 0x01000000U
2544 +# define SSL_KUZNYECHIK_MGM 0x02000000U
2546 # define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM)
2547 # define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
2549 # define SSL_GOST12_256 0x00000080U
2550 # define SSL_GOST89MAC12 0x00000100U
2551 # define SSL_GOST12_512 0x00000200U
2552 +# define SSL_MAGMAOMAC 0x00000400U
2553 +# define SSL_KUZNYECHIKOMAC 0x00000800U
2556 * When adding new digest in the ssl_ciph.c and increment SSL_MD_NUM_IDX make
2558 # define SSL_MD_MD5_SHA1_IDX 9
2559 # define SSL_MD_SHA224_IDX 10
2560 # define SSL_MD_SHA512_IDX 11
2561 -# define SSL_MAX_DIGEST 12
2562 +# define SSL_MD_MAGMAOMAC_IDX 12
2563 +# define SSL_MD_KUZNYECHIKOMAC_IDX 13
2564 +# define SSL_MAX_DIGEST 14
2566 /* Bits for algorithm2 (handshake digests and other extra flags) */
2568 @@ -299,6 +309,13 @@
2569 * goes into algorithm2)
2571 # define TLS1_STREAM_MAC 0x10000
2573 + * TLSTREE cipher/mac key derivation used for GOST TLS 1.2/1.3 ciphersuites
2574 + * (currently this also goes into algorithm2)
2576 +# define TLS1_TLSTREE 0x20000
2577 +# define TLS1_TLSTREE_S 0x40000
2578 +# define TLS1_TLSTREE_L 0x80000
2580 # define SSL_STRONG_MASK 0x0000001FU
2581 # define SSL_DEFAULT_MASK 0X00000020U
2582 @@ -1511,10 +1528,11 @@ typedef struct tls_group_info_st {
2586 -# define TLS_CURVE_TYPE 0x3 /* Mask for group type */
2587 +# define TLS_CURVE_TYPE 0x7 /* Mask for group type */
2588 # define TLS_CURVE_PRIME 0x0
2589 # define TLS_CURVE_CHAR2 0x1
2590 # define TLS_CURVE_CUSTOM 0x2
2591 +# define TLS_CURVE_GOST 0x4
2593 typedef struct cert_pkey_st CERT_PKEY;
2595 @@ -2042,8 +2060,17 @@ typedef enum downgrade_en {
2596 #define TLSEXT_SIGALG_dsa_sha512 0x0602
2597 #define TLSEXT_SIGALG_dsa_sha224 0x0302
2598 #define TLSEXT_SIGALG_dsa_sha1 0x0202
2599 -#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 0xeeee
2600 -#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 0xefef
2601 +#define TLSEXT_SIGALG_gostr34102012_256a 0x0709
2602 +#define TLSEXT_SIGALG_gostr34102012_256b 0x070A
2603 +#define TLSEXT_SIGALG_gostr34102012_256c 0x070B
2604 +#define TLSEXT_SIGALG_gostr34102012_256d 0x070C
2605 +#define TLSEXT_SIGALG_gostr34102012_512a 0x070D
2606 +#define TLSEXT_SIGALG_gostr34102012_512b 0x070E
2607 +#define TLSEXT_SIGALG_gostr34102012_512c 0x070F
2608 +#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 0x0840
2609 +#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 0x0841
2610 +#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy 0xeeee
2611 +#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy 0xefef
2612 #define TLSEXT_SIGALG_gostr34102001_gostr3411 0xeded
2614 #define TLSEXT_SIGALG_ed25519 0x0807
2615 diff --git ssl/statem/extensions_srvr.c ssl/statem/extensions_srvr.c
2616 index 04f64f81..25e4e8ec 100644
2617 --- ssl/statem/extensions_srvr.c
2618 +++ ssl/statem/extensions_srvr.c
2619 @@ -624,7 +624,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
2621 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
2624 +/* FIXME beldmit GOST */
2626 if (s->s3->peer_tmp != NULL) {
2627 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
2628 @@ -1623,7 +1623,9 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
2629 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
2630 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
2631 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
2632 - || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
2633 + || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
2634 + || s->s3->tmp.new_cipher->algorithm_enc == SSL_MAGMA
2635 + || s->s3->tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
2637 return EXT_RETURN_NOT_SENT;
2639 @@ -1682,6 +1684,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
2640 unsigned int context, X509 *x,
2643 +/* FIXME beldmit GOST */
2644 #ifndef OPENSSL_NO_TLS1_3
2645 unsigned char *encodedPoint;
2646 size_t encoded_pt_len = 0;
2647 diff --git ssl/statem/statem_clnt.c ssl/statem/statem_clnt.c
2648 index d1a39698..428536b8 100644
2649 --- ssl/statem/statem_clnt.c
2650 +++ ssl/statem/statem_clnt.c
2651 @@ -3285,6 +3285,144 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt)
2655 +#ifndef OPENSSL_NO_GOST
2656 +int gost18_cke_cipher_nid(const SSL *s)
2658 + if ((s->s3->tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0)
2659 + return NID_magma_ctr;
2660 + else if ((s->s3->tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0)
2661 + return NID_kuznyechik_ctr;
2666 +int gost_ukm(const SSL *s, unsigned char *dgst_buf)
2668 + EVP_MD_CTX * hash = NULL;
2669 + unsigned int md_len;
2671 + hash = EVP_MD_CTX_new();
2673 + || EVP_DigestInit(hash, EVP_get_digestbynid(NID_id_GostR3411_2012_256)) <= 0
2674 + || EVP_DigestUpdate(hash, s->s3->client_random, SSL3_RANDOM_SIZE) <= 0
2675 + || EVP_DigestUpdate(hash, s->s3->server_random, SSL3_RANDOM_SIZE) <= 0
2676 + || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) {
2677 + EVP_MD_CTX_free(hash);
2680 + EVP_MD_CTX_free(hash);
2686 +static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt)
2688 +#ifndef OPENSSL_NO_GOST
2689 + /* GOST 2018 key exchange message creation */
2690 + unsigned char rnd_dgst[32], tmp[255];
2691 + EVP_PKEY_CTX *pkey_ctx = NULL;
2693 + unsigned char *pms = NULL;
2694 + size_t pmslen = 0;
2696 + int cipher_nid = gost18_cke_cipher_nid(s);
2698 + if (cipher_nid == NID_undef) {
2699 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2700 + ERR_R_INTERNAL_ERROR);
2704 + if (gost_ukm(s, rnd_dgst) <= 0) {
2705 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2706 + ERR_R_INTERNAL_ERROR);
2710 + /* Pre-master secret - random bytes */
2712 + pms = OPENSSL_malloc(pmslen);
2713 + if (pms == NULL) {
2714 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2715 + ERR_R_MALLOC_FAILURE);
2719 + if (RAND_bytes(pms, (int)pmslen) <= 0) {
2720 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2721 + ERR_R_INTERNAL_ERROR);
2726 + * Get server certificate PKEY and create ctx from it
2728 + peer_cert = s->session->peer;
2730 + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2731 + SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2735 + pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
2736 + if (pkey_ctx == NULL) {
2737 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2738 + ERR_R_MALLOC_FAILURE);
2742 + if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 ) {
2743 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2744 + ERR_R_INTERNAL_ERROR);
2749 + * Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code
2751 + if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
2752 + EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) < 0) {
2753 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2754 + SSL_R_LIBRARY_BUG);
2758 + if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
2759 + EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) < 0) {
2760 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2761 + SSL_R_LIBRARY_BUG);
2766 + if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
2767 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2768 + SSL_R_LIBRARY_BUG);
2772 + if (!WPACKET_memcpy(pkt, tmp, msglen)) {
2773 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2774 + ERR_R_INTERNAL_ERROR);
2778 + EVP_PKEY_CTX_free(pkey_ctx);
2779 + s->s3->tmp.pms = pms;
2780 + s->s3->tmp.pmslen = pmslen;
2783 + EVP_PKEY_CTX_free(pkey_ctx);
2784 + OPENSSL_clear_free(pms, pmslen);
2787 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
2788 + ERR_R_INTERNAL_ERROR);
2793 static int tls_construct_cke_srp(SSL *s, WPACKET *pkt)
2795 #ifndef OPENSSL_NO_SRP
2796 @@ -3341,6 +3479,9 @@ int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
2797 } else if (alg_k & SSL_kGOST) {
2798 if (!tls_construct_cke_gost(s, pkt))
2800 + } else if (alg_k & SSL_kGOST18) {
2801 + if (!tls_construct_cke_gost18(s, pkt))
2803 } else if (alg_k & SSL_kSRP) {
2804 if (!tls_construct_cke_srp(s, pkt))
2806 diff --git ssl/statem/statem_lib.c ssl/statem/statem_lib.c
2807 index 695caab3..004b452b 100644
2808 --- ssl/statem/statem_lib.c
2809 +++ ssl/statem/statem_lib.c
2810 @@ -410,7 +410,6 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
2811 md == NULL ? "n/a" : EVP_MD_name(md));
2814 - /* Check for broken implementations of GOST ciphersuites */
2816 * If key is GOST and len is exactly 64 or 128, it is signature without
2817 * length field (CryptoPro implementations at least till TLS 1.2)
2818 @@ -1539,8 +1538,6 @@ static int is_tls13_capable(const SSL *s)
2820 case SSL_PKEY_DSA_SIGN:
2821 case SSL_PKEY_GOST01:
2822 - case SSL_PKEY_GOST12_256:
2823 - case SSL_PKEY_GOST12_512:
2827 diff --git ssl/statem/statem_local.h ssl/statem/statem_local.h
2828 index eae88053..50f6bfe4 100644
2829 --- ssl/statem/statem_local.h
2830 +++ ssl/statem/statem_local.h
2831 @@ -155,6 +155,11 @@ __owur MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt);
2832 __owur int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt);
2833 MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt);
2835 +#ifndef OPENSSL_NO_GOST
2836 +/* These functions are used in GOST18 CKE, both for client and server */
2837 +int gost18_cke_cipher_nid(const SSL *s);
2838 +int gost_ukm(const SSL *s, unsigned char *dgst_buf);
2841 /* Extension processing */
2843 diff --git ssl/statem/statem_srvr.c ssl/statem/statem_srvr.c
2844 index d701c46b..5765c279 100644
2845 --- ssl/statem/statem_srvr.c
2846 +++ ssl/statem/statem_srvr.c
2847 @@ -3455,6 +3455,93 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
2851 +static int tls_process_cke_gost18(SSL *s, PACKET *pkt)
2852 +{/* FIXME beldmit - function id to be renamed either*/
2853 +#ifndef OPENSSL_NO_GOST
2854 + unsigned char rnd_dgst[32];
2855 + EVP_PKEY_CTX *pkey_ctx = NULL;
2856 + EVP_PKEY *pk = NULL;
2857 + unsigned char premaster_secret[32];
2858 + const unsigned char *start = NULL;
2859 + size_t outlen = 32, inlen = 0;
2861 + int cipher_nid = gost18_cke_cipher_nid(s);
2863 + if (cipher_nid == NID_undef) {
2864 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
2865 + ERR_R_INTERNAL_ERROR);
2869 + if (gost_ukm(s, rnd_dgst) <= 0) {
2870 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
2871 + ERR_R_INTERNAL_ERROR);
2875 + /* Get our certificate private key */
2876 + pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey
2877 + ? s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey : s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
2879 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
2880 + SSL_R_BAD_HANDSHAKE_STATE);
2884 + pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2885 + if (pkey_ctx == NULL) {
2886 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
2887 + ERR_R_MALLOC_FAILURE);
2890 + if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
2891 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
2892 + ERR_R_INTERNAL_ERROR);
2896 + * Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code depending on size
2898 + if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
2899 + EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) < 0) {
2900 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
2901 + SSL_R_LIBRARY_BUG);
2905 + if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
2906 + EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) < 0) {
2907 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
2908 + SSL_R_LIBRARY_BUG);
2911 + inlen = PACKET_remaining(pkt);
2912 + start = PACKET_data(pkt);
2914 + if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
2916 + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
2917 + SSL_R_DECRYPTION_FAILED);
2920 + /* Generate master secret */
2921 + if (!ssl_generate_master_secret(s, premaster_secret,
2922 + sizeof(premaster_secret), 0)) {
2923 + /* SSLfatal() already called */
2928 + EVP_PKEY_CTX_free(pkey_ctx);
2931 + /* Should never happen */
2932 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
2933 + ERR_R_INTERNAL_ERROR);
2938 MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
2940 unsigned long alg_k;
2941 @@ -3505,6 +3592,11 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
2942 /* SSLfatal() already called */
2945 + } else if (alg_k & SSL_kGOST18) {
2946 + if (!tls_process_cke_gost18(s, pkt)) {
2947 + /* SSLfatal() already called */
2951 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2952 SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2953 diff --git ssl/t1_enc.c ssl/t1_enc.c
2954 index c85c0b03..eb366883 100644
2957 @@ -113,6 +113,11 @@ int tls1_change_cipher_state(SSL *s, int which)
2959 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
2961 + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE)
2962 + s->mac_flags |= SSL_MAC_FLAG_READ_MAC_TLSTREE;
2964 + s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_TLSTREE;
2966 if (s->enc_read_ctx != NULL) {
2968 } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) {
2969 @@ -160,6 +165,11 @@ int tls1_change_cipher_state(SSL *s, int which)
2970 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
2972 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
2974 + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE)
2975 + s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_TLSTREE;
2977 + s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_TLSTREE;
2978 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) {
2980 } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) {
2981 @@ -298,11 +308,11 @@ int tls1_change_cipher_state(SSL *s, int which)
2985 - if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
2986 - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
2987 - ERR_R_INTERNAL_ERROR);
2990 + if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
2991 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
2992 + ERR_R_INTERNAL_ERROR);
2996 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
2997 if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size
2998 @@ -438,6 +448,10 @@ size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen,
3001 unsigned char hash[EVP_MAX_MD_SIZE];
3002 + size_t finished_size = TLS1_FINISH_MAC_LENGTH;
3004 + if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kGOST18)
3005 + finished_size = 32;
3007 if (!ssl3_digest_cached_records(s, 0)) {
3008 /* SSLfatal() already called */
3009 @@ -451,12 +465,12 @@ size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen,
3011 if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0,
3012 s->session->master_key, s->session->master_key_length,
3013 - out, TLS1_FINISH_MAC_LENGTH, 1)) {
3014 + out, finished_size, 1)) {
3015 /* SSLfatal() already called */
3018 OPENSSL_cleanse(hash, hashlen);
3019 - return TLS1_FINISH_MAC_LENGTH;
3020 + return finished_size;
3023 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
3024 diff --git ssl/t1_lib.c ssl/t1_lib.c
3025 index b1d3add1..72cfc450 100644
3028 @@ -169,6 +169,18 @@ static const TLS_GROUP_INFO nid_list[] = {
3029 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
3030 {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
3031 {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
3032 +#ifndef OPENSSL_NO_GOST
3033 + {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 31 */
3034 + {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 32 */
3035 + {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 33 */
3036 + {NID_id_tc26_gost_3410_2012_256_paramSetA, 128, TLS_CURVE_GOST},
3037 + {NID_id_tc26_gost_3410_2012_256_paramSetB, 128, TLS_CURVE_GOST},
3038 + {NID_id_tc26_gost_3410_2012_256_paramSetC, 128, TLS_CURVE_GOST},
3039 + {NID_id_tc26_gost_3410_2012_256_paramSetD, 128, TLS_CURVE_GOST},
3040 + {NID_id_tc26_gost_3410_2012_512_paramSetA, 256, TLS_CURVE_GOST},
3041 + {NID_id_tc26_gost_3410_2012_512_paramSetB, 256, TLS_CURVE_GOST},
3042 + {NID_id_tc26_gost_3410_2012_512_paramSetC, 256, TLS_CURVE_GOST},
3046 static const unsigned char ecformats_default[] = {
3047 @@ -184,6 +196,15 @@ static const uint16_t eccurves_default[] = {
3049 25, /* secp521r1 (25) */
3050 24, /* secp384r1 (24) */
3051 +#ifndef OPENSSL_NO_GOST
3062 static const uint16_t suiteb_curves[] = {
3063 @@ -196,6 +217,8 @@ const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
3064 /* ECC curves from RFC 4492 and RFC 7027 */
3065 if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
3067 + if (nid_list[group_id - 1].nid == NID_undef)
3069 return &nid_list[group_id - 1];
3072 @@ -380,6 +403,33 @@ typedef struct {
3073 int nid_arr[MAX_CURVELIST];
3076 +#ifndef OPENSSL_NO_GOST
3078 + const char *name; /* Name of GOST curve */
3079 + int nid; /* Curve NID */
3082 +static EC_GOST_NAME gost_curves[] = {
3083 + {"GC256A", NID_id_tc26_gost_3410_2012_256_paramSetA},
3084 + {"GC256B", NID_id_tc26_gost_3410_2012_256_paramSetB},
3085 + {"GC256C", NID_id_tc26_gost_3410_2012_256_paramSetC},
3086 + {"GC256D", NID_id_tc26_gost_3410_2012_256_paramSetD},
3087 + {"GC512A", NID_id_tc26_gost_3410_2012_512_paramSetA},
3088 + {"GC512B", NID_id_tc26_gost_3410_2012_512_paramSetB},
3089 + {"GC512C", NID_id_tc26_gost_3410_2012_512_paramSetC},
3092 +int GOST_curve2nid(const char *name)
3095 + for (i = 0; i < OSSL_NELEM(gost_curves); i++) {
3096 + if (strcmp(gost_curves[i].name, name) == 0)
3097 + return gost_curves[i].nid;
3103 static int nid_cb(const char *elem, int len, void *arg)
3105 nid_cb_st *narg = arg;
3106 @@ -395,6 +445,11 @@ static int nid_cb(const char *elem, int len, void *arg)
3107 memcpy(etmp, elem, len);
3109 nid = EC_curve_nist2nid(etmp);
3110 +#ifndef OPENSSL_NO_GOST
3111 + /* FIXME beldmit */
3112 + if (nid == NID_undef)
3113 + nid = GOST_curve2nid(etmp);
3115 if (nid == NID_undef)
3116 nid = OBJ_sn2nid(etmp);
3117 if (nid == NID_undef)
3118 @@ -670,8 +725,17 @@ static const uint16_t tls12_sigalgs[] = {
3119 TLSEXT_SIGALG_dsa_sha512,
3121 #ifndef OPENSSL_NO_GOST
3122 + TLSEXT_SIGALG_gostr34102012_256a,
3123 + TLSEXT_SIGALG_gostr34102012_256b,
3124 + TLSEXT_SIGALG_gostr34102012_256c,
3125 + TLSEXT_SIGALG_gostr34102012_256d,
3126 + TLSEXT_SIGALG_gostr34102012_512a,
3127 + TLSEXT_SIGALG_gostr34102012_512b,
3128 + TLSEXT_SIGALG_gostr34102012_512c,
3129 TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
3130 TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
3131 + TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy,
3132 + TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy,
3133 TLSEXT_SIGALG_gostr34102001_gostr3411,
3136 @@ -758,6 +822,34 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
3137 NID_dsaWithSHA1, NID_undef},
3139 #ifndef OPENSSL_NO_GOST
3140 + {"gostr34102012_256a", TLSEXT_SIGALG_gostr34102012_256a,
3141 + NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
3142 + NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
3143 + NID_undef, NID_undef},
3144 + {"gostr34102012_256b", TLSEXT_SIGALG_gostr34102012_256b,
3145 + NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
3146 + NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
3147 + NID_undef, NID_undef},
3148 + {"gostr34102012_256c", TLSEXT_SIGALG_gostr34102012_256c,
3149 + NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
3150 + NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
3151 + NID_undef, NID_undef},
3152 + {"gostr34102012_256d", TLSEXT_SIGALG_gostr34102012_256d,
3153 + NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
3154 + NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
3155 + NID_undef, NID_undef},
3156 + {"gostr34102012_512a", TLSEXT_SIGALG_gostr34102012_512a,
3157 + NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
3158 + NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
3159 + NID_undef, NID_undef},
3160 + {"gostr34102012_512b", TLSEXT_SIGALG_gostr34102012_512b,
3161 + NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
3162 + NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
3163 + NID_undef, NID_undef},
3164 + {"gostr34102012_512c", TLSEXT_SIGALG_gostr34102012_512c,
3165 + NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
3166 + NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
3167 + NID_undef, NID_undef},
3168 {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
3169 NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
3170 NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
3171 @@ -766,6 +858,14 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
3172 NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
3173 NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
3174 NID_undef, NID_undef},
3175 + {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy,
3176 + NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
3177 + NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
3178 + NID_undef, NID_undef},
3179 + {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy,
3180 + NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
3181 + NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
3182 + NID_undef, NID_undef},
3183 {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
3184 NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
3185 NID_id_GostR3410_2001, SSL_PKEY_GOST01,
3186 @@ -886,6 +986,24 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
3191 + * Here is another fallback: when broken implementations did not sent
3192 + * proper signature_algorithm extension, we try to use this function.
3194 + * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used
3195 + * with new (aGOST12-only) ciphersuites, we should find out which one is available really.
3197 + else if (idx == SSL_PKEY_GOST12_256) {
3200 + for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256;
3202 + if (s->cert->pkeys[real_idx].privatekey != NULL) {
3209 idx = s->cert->key - s->cert->pkeys;
3211 @@ -1612,10 +1730,8 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
3212 if (ssl_cert_is_disabled(lu->sig_idx))
3215 - if (lu->sig == NID_id_GostR3410_2012_256
3216 - || lu->sig == NID_id_GostR3410_2012_512
3217 - || lu->sig == NID_id_GostR3410_2001) {
3218 - /* We never allow GOST sig algs on the server with TLSv1.3 */
3219 + if (lu->sig == NID_id_GostR3410_2001) {
3220 + /* GOST sig algs on the server with TLSv1.3 are allowed for GOST2012 */
3221 if (s->server && SSL_IS_TLS13(s))
3224 @@ -1643,7 +1759,7 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
3225 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
3228 - if ((c->algorithm_mkey & SSL_kGOST) != 0)
3229 + if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0)
3233 diff --git ssl/t1_trce.c ssl/t1_trce.c
3234 index e2c397b7..9d7341da 100644
3237 @@ -443,6 +443,9 @@ static const ssl_trace_tbl ssl_ciphers_tbl[] = {
3238 {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
3239 {0xFF85, "GOST2012-GOST8912-GOST8912"},
3240 {0xFF87, "GOST2012-NULL-GOST12"},
3241 + {0xC100, "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC"},
3242 + {0xC101, "GOST2012-MAGMA-MAGMAOMAC"},
3243 + {0xC102, "GOST2012-GOST8912-IANA"},
3246 /* Compression methods */
3247 @@ -522,6 +525,13 @@ static const ssl_trace_tbl ssl_groups_tbl[] = {
3248 {28, "brainpoolP512r1"},
3249 {29, "ecdh_x25519"},
3261 @@ -571,6 +581,8 @@ static const ssl_trace_tbl ssl_sigalg_tbl[] = {
3262 {TLSEXT_SIGALG_dsa_sha1, "dsa_sha1"},
3263 {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"},
3264 {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"},
3265 + {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy, "gost2012_256"},
3266 + {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy, "gost2012_512"},
3267 {TLSEXT_SIGALG_gostr34102001_gostr3411, "gost2001_gost94"},
3270 @@ -584,7 +596,9 @@ static const ssl_trace_tbl ssl_ctype_tbl[] = {
3271 {20, "fortezza_dms"},
3273 {65, "rsa_fixed_ecdh"},
3274 - {66, "ecdsa_fixed_ecdh"}
3275 + {66, "ecdsa_fixed_ecdh"},
3276 + {67, "gost_sign256"},
3277 + {68, "gost_sign512"},
3280 static const ssl_trace_tbl ssl_psk_kex_modes_tbl[] = {
3281 @@ -1077,6 +1091,10 @@ static int ssl_get_keyex(const char **pname, const SSL *ssl)
3285 + if (alg_k & SSL_kGOST18) {
3286 + *pname = "GOST18";
3287 + return SSL_kGOST18;
3292 @@ -1119,7 +1137,16 @@ static int ssl_print_client_keyex(BIO *bio, int indent, const SSL *ssl,
3293 if (!ssl_print_hexbuf(bio, indent + 2, "ecdh_Yc", 1, &msg, &msglen))
3297 +#ifndef OPENSSL_NO_GOST
3299 + ssl_print_hex(bio, indent + 2, "GOST-wrapped PreMasterSecret", msg, msglen);
3302 + ssl_print_hex(bio, indent + 2,
3303 + "GOST-wrapped PreMasterSecret", msg, msglen);
3310 diff --git ssl/tls13_enc.c ssl/tls13_enc.c
3311 index b8fb07f2..50e9aa3a 100644
3314 @@ -428,6 +428,21 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
3318 + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE) {
3320 + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE_S) {
3321 + res = EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_SET_TLSTREE_PARAMS, 0, "short");
3322 + } else if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE_L) {
3323 + res = EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_SET_TLSTREE_PARAMS, 0, "long");
3327 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
3335 OPENSSL_cleanse(key, sizeof(key));
3336 diff --git util/libcrypto.num util/libcrypto.num
3337 index 436f799b..021d60aa 100644
3338 --- util/libcrypto.num
3339 +++ util/libcrypto.num
3340 @@ -4591,3 +4591,8 @@ X509_ALGOR_copy 4544 1_1_1h EXIST::FUNCTION:
3341 X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION:
3342 X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION:
3343 EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC
3344 +CMS_RecipientInfo_kari_set0_pkey_and_peer 4548 1_1_1m EXIST::FUNCTION:CMS
3345 +PKCS8_pkey_add1_attr 4549 1_1_1m EXIST::FUNCTION:
3346 +CMS_decrypt_set1_pkey_and_peer 4550 1_1_1m EXIST::FUNCTION:CMS
3347 +PKCS8_pkey_add1_attr_by_OBJ 4551 1_1_1m EXIST::FUNCTION:
3348 +CMS_add1_recipient 4552 1_1_1m EXIST::FUNCTION:CMS