2 ===================================================================
3 --- apps/cms.c (revision 14523)
4 +++ apps/cms.c (working copy)
6 OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
7 OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
8 OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
9 - OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT,
10 + OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT, OPT_NAMEOPT,
11 OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
12 OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
13 OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
14 OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
15 - OPT_3DES_WRAP, OPT_ENGINE,
16 + OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE,
24 const OPTIONS cms_options[] = {
26 "Supply or override content for detached signature"},
27 {"print", OPT_PRINT, '-',
28 "For the -cmsout operation print out all fields of the CMS structure"},
29 + {"nameopt", OPT_NAMEOPT, 's',
30 + "For the -print option specifies various strings printing options"},
31 {"secretkey", OPT_SECRETKEY, 's'},
32 {"secretkeyid", OPT_SECRETKEYID, 's'},
33 {"pwri_password", OPT_PWRI_PASSWORD, 's'},
35 {"from", OPT_FROM, 's', "From address"},
36 {"subject", OPT_SUBJECT, 's', "Subject"},
37 {"signer", OPT_SIGNER, 's', "Signer certificate file"},
38 + {"originator", OPT_ORIGINATOR, 's', "Originator certificate file"},
39 {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
40 {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
41 {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
43 # ifndef OPENSSL_NO_DES
44 {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
46 + {"wrap", OPT_WRAP, 's', "Any wrap cipher to wrap key"},
47 # ifndef OPENSSL_NO_ENGINE
48 {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
51 STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
52 STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
53 STACK_OF(X509) *encerts = NULL, *other = NULL;
54 - X509 *cert = NULL, *recip = NULL, *signer = NULL;
55 + X509 *cert = NULL, *recip = NULL, *signer = NULL, *originator = 0;
56 X509_STORE *store = NULL;
57 X509_VERIFY_PARAM *vpm = NULL;
58 char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
60 char *certsoutfile = NULL;
61 int noCAfile = 0, noCApath = 0;
62 char *infile = NULL, *outfile = NULL, *rctfile = NULL;
63 - char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = NULL;
64 + char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *originatorfile = NULL, *recipfile = NULL;
65 char *to = NULL, *from = NULL, *subject = NULL, *prog;
66 cms_key_param *key_first = NULL, *key_param = NULL;
67 int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0;
73 + if (!set_nameopt(opt_arg()))
77 if (secret_key != NULL) {
78 BIO_printf(bio_err, "Invalid key (supplied twice) %s\n",
81 signerfile = opt_arg();
83 + case OPT_ORIGINATOR:
84 + originatorfile = opt_arg();
87 /* If previous -inkey argument add signer to list */
88 if (keyfile != NULL) {
91 wrap_cipher = EVP_aes_256_wrap();
94 + if (!opt_cipher(opt_unknown(), &wrap_cipher))
99 argc = opt_num_rest();
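Review bot: The new pointer in the `X509 *cert = NULL, *recip = NULL, *signer = NULL, *originator = 0;` declaration is initialised with `0` while every other X509 pointer on that line uses NULL; write `*originator = NULL;` so the null-pointer intent is explicit and the line reads consistently. The widened `char *passinarg = ...` declaration now runs well past 80 columns, which the rest of this declaration list respects; putting `*originatorfile = NULL` on its own `char *` line keeps the apps/ style. The option help `"Originator certificate file"` says nothing about when the option is needed; from the later use of `originator` as the originator for `CMS_add1_recipient` and the peer for `CMS_decrypt_set1_pkey_and_peer` it appears to be the sender's own certificate for key agreement, so say so, e.g. `"Originator certificate file (sender's own cert for key agreement)"`, confirming that reading against the library change. The cleanup path that must `X509_free(originator)` is outside the visible hunks.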
100 @@ -687,11 +703,11 @@
103 if (certfile != NULL) {
104 - if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
105 - "certificate file")) {
106 - ERR_print_errors(bio_err);
109 + if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
110 + "certificate file")) {
111 + ERR_print_errors(bio_err);
116 if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
121 + if (originatorfile != NULL)
123 + if ((originator = load_cert(originatorfile, FORMAT_PEM,
124 + "originator certificate file")) == NULL) {
125 + ERR_print_errors(bio_err);
130 if (operation == SMIME_SIGN_RECEIPT) {
131 if ((signer = load_cert(signerfile, FORMAT_PEM,
132 "receipt signer certificate file")) == NULL) {
137 - if (operation == SMIME_DECRYPT) {
138 + if (operation == SMIME_DECRYPT ||
139 + operation == SMIME_ENCRYPT) {
142 } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) {
143 @@ -819,23 +845,31 @@
144 for (i = 0; i < sk_X509_num(encerts); i++) {
145 CMS_RecipientInfo *ri;
146 cms_key_param *kparam;
147 - int tflags = flags;
148 + int tflags = flags | CMS_KEY_PARAM; /* This flag enforces allocating the EVP_PKEY_CTX for the recipient here */
149 + EVP_PKEY_CTX *pctx;
150 X509 *x = sk_X509_value(encerts, i);
153 for (kparam = key_first; kparam; kparam = kparam->next) {
154 if (kparam->idx == i) {
155 - tflags |= CMS_KEY_PARAM;
159 - ri = CMS_add1_recipient_cert(cms, x, tflags);
160 + ri = CMS_add1_recipient(cms, x, key, originator, tflags);
164 + pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
165 if (kparam != NULL) {
166 - EVP_PKEY_CTX *pctx;
167 - pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
168 if (!cms_set_pkey_param(pctx, kparam->param))
172 + res = EVP_PKEY_CTX_ctrl(pctx, -1, -1,
173 + EVP_PKEY_CTRL_CIPHER, EVP_CIPHER_nid(cipher), NULL);
174 + if (res <= 0 && res != -2)
177 if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
179 EVP_CIPHER_CTX *wctx;
184 - if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
185 + if (!CMS_decrypt_set1_pkey_and_peer(cms, key, recip, originator)) {
186 BIO_puts(bio_err, "Error decrypting CMS using private key\n");
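Review bot: The trailing comment on `int tflags = flags | CMS_KEY_PARAM;` pushes that line far past 80 columns and states a non-obvious contract, so it belongs on its own line above the declaration: `/* CMS_KEY_PARAM makes CMS_add1_recipient allocate the recipient's EVP_PKEY_CTX; the cipher ctrl below relies on that */`. The `EVP_PKEY_CTX_ctrl(pctx, -1, -1, EVP_PKEY_CTRL_CIPHER, ...)` call accepts `-2` as well as success; a one-line comment on the `if (res <= 0 && res != -2)` test saying that -2 is the "key type has no cipher parameter" case would save the next reader a trip to evp.h. The loop body and the handling of a NULL `ri` continue outside the visible lines.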
189 @@ -1047,8 +1081,19 @@
194 - CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
196 + ASN1_PCTX *pctx = NULL;
197 + if (get_nameopt() != XN_FLAG_ONELINE) {
198 + pctx = ASN1_PCTX_new();
199 + if (pctx) { /* Print anyway if malloc failed */
200 + ASN1_PCTX_set_flags(pctx, ASN1_PCTX_FLAGS_SHOW_ABSENT);
201 + ASN1_PCTX_set_str_flags(pctx, get_nameopt());
202 + ASN1_PCTX_set_nm_flags(pctx, get_nameopt());
205 + CMS_ContentInfo_print_ctx(out, cms, 0, pctx);
206 + ASN1_PCTX_free(pctx);
208 } else if (outformat == FORMAT_SMIME) {
210 BIO_printf(out, "To: %s%s", to, mime_eol);
212 ===================================================================
213 --- apps/s_cb.c (revision 14523)
214 +++ apps/s_cb.c (working copy)
219 -/* from rfc8446 4.2.3. + gost (https://tools.ietf.org/id/draft-smyshlyaev-tls12-gost-suites-04.html) */
220 +/* from rfc8446 4.2.3. + GOST (https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites-01) */
221 static STRINT_PAIR signature_tls13_scheme_list[] = {
222 {"rsa_pkcs1_sha1", 0x0201 /* TLSEXT_SIGALG_rsa_pkcs1_sha1 */},
223 {"ecdsa_sha1", 0x0203 /* TLSEXT_SIGALG_ecdsa_sha1 */},
225 {"ecdsa_secp384r1_sha384", 0x0503 /* TLSEXT_SIGALG_ecdsa_secp384r1_sha384 */},
226 {"rsa_pkcs1_sha512", 0x0601 /* TLSEXT_SIGALG_rsa_pkcs1_sha512 */},
227 {"ecdsa_secp521r1_sha512", 0x0603 /* TLSEXT_SIGALG_ecdsa_secp521r1_sha512 */},
228 + {"gostr34102012_256a", 0x0709 /* TLSEXT_SIGALG_gostr34102012_256a */},
229 + {"gostr34102012_256b", 0x070A /* TLSEXT_SIGALG_gostr34102012_256b */},
230 + {"gostr34102012_256c", 0x070B /* TLSEXT_SIGALG_gostr34102012_256c */},
231 + {"gostr34102012_256d", 0x070C /* TLSEXT_SIGALG_gostr34102012_256d */},
232 + {"gostr34102012_512a", 0x070D /* TLSEXT_SIGALG_gostr34102012_512a */},
233 + {"gostr34102012_512b", 0x070E /* TLSEXT_SIGALG_gostr34102012_512b */},
234 + {"gostr34102012_512c", 0x070F /* TLSEXT_SIGALG_gostr34102012_512c */},
235 {"rsa_pss_rsae_sha256", 0x0804 /* TLSEXT_SIGALG_rsa_pss_rsae_sha256 */},
236 {"rsa_pss_rsae_sha384", 0x0805 /* TLSEXT_SIGALG_rsa_pss_rsae_sha384 */},
237 {"rsa_pss_rsae_sha512", 0x0806 /* TLSEXT_SIGALG_rsa_pss_rsae_sha512 */},
239 {"rsa_pss_pss_sha256", 0x0809 /* TLSEXT_SIGALG_rsa_pss_pss_sha256 */},
240 {"rsa_pss_pss_sha384", 0x080a /* TLSEXT_SIGALG_rsa_pss_pss_sha384 */},
241 {"rsa_pss_pss_sha512", 0x080b /* TLSEXT_SIGALG_rsa_pss_pss_sha512 */},
242 - {"gostr34102001", 0xeded /* TLSEXT_SIGALG_gostr34102001_gostr3411 */},
243 - {"gostr34102012_256", 0xeeee /* TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 */},
244 - {"gostr34102012_512", 0xefef /* TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 */},
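Review bot: Removing the three TLS 1.2 GOST entries (`0xeded`, `0xeeee`, `0xefef`) from `signature_tls13_scheme_list` changes what the s_client/s_server diagnostics print for a peer that still offers those code points; if the library keeps accepting them for TLS 1.2 the names should stay in the table next to the new 0x0709–0x070F values rather than be replaced, since this table is only used for display. The new draft reference in the comment is an improvement, but a draft number is a moving target; naming the section the code points come from, `/* from rfc8446 4.2.3 + GOST (draft-smyshlyaev-tls13-gost-suites-01, SignatureScheme registrations) */`, makes the values easier to re-check when the draft changes.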
248 Index: crypto/objects/objects.txt
249 ===================================================================
250 --- crypto/objects/objects.txt (revision 14523)
251 +++ crypto/objects/objects.txt (working copy)
252 @@ -1321,6 +1321,14 @@
256 +id-tc26 0 : id-tc26-modules: GOST TC26 ASN.1 modules
258 +id-tc26-modules 6 : id-tc26-cms: GOST TC26 SMS
260 +id-tc26-cms 1 : id-tc26-cms-attrs: GOST TC26 SMS attributes
262 +id-tc26-cms-attrs 1 : id-tc26-mac-attr: GOST TC26 SMS content-mac attribute
264 id-tc26 1 : id-tc26-algorithms
265 id-tc26-algorithms 1 : id-tc26-sign
266 !Cname id-GostR3410-2012-256
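Review bot: The long names on the three new `id-tc26-cms*` lines read `GOST TC26 SMS` where the arc is the CMS module (`id-tc26-cms`), and that typo becomes the public `LN_` string once obj_mac.h is regenerated; change them to `GOST TC26 CMS`, `GOST TC26 CMS attributes` and `GOST TC26 CMS content-mac attribute`. Because objects.txt is consumed by the generator for obj_dat.h and obj_mac.h, the regenerated files (or a note that the generate step must be run) should travel with the same change.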
267 @@ -1344,11 +1352,11 @@
269 id-tc26-algorithms 5 : id-tc26-cipher
270 id-tc26-cipher 1 : id-tc26-cipher-gostr3412-2015-magma
271 -id-tc26-cipher-gostr3412-2015-magma 1 : id-tc26-cipher-gostr3412-2015-magma-ctracpkm
272 -id-tc26-cipher-gostr3412-2015-magma 2 : id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac
273 +id-tc26-cipher-gostr3412-2015-magma 1 : magma-ctr-acpkm
274 +id-tc26-cipher-gostr3412-2015-magma 2 : magma-ctr-acpkm-omac
275 id-tc26-cipher 2 : id-tc26-cipher-gostr3412-2015-kuznyechik
276 -id-tc26-cipher-gostr3412-2015-kuznyechik 1 : id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm
277 -id-tc26-cipher-gostr3412-2015-kuznyechik 2 : id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac
278 +id-tc26-cipher-gostr3412-2015-kuznyechik 1 : kuznyechik-ctr-acpkm
279 +id-tc26-cipher-gostr3412-2015-kuznyechik 2 : kuznyechik-ctr-acpkm-omac
281 id-tc26-algorithms 6 : id-tc26-agreement
282 id-tc26-agreement 1 : id-tc26-agreement-gost-3410-2012-256
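Review bot: Renaming the existing short names (`id-tc26-cipher-gostr3412-2015-magma-ctracpkm` → `magma-ctr-acpkm` and its three siblings here, plus the two kexp15 names in the next hunk) breaks `OBJ_sn2nid`/`OBJ_txt2nid` lookups and any configuration or engine code that referenced the old names, if those names were in a shipped release. If the rename is intended it should be recorded as an incompatible change and the engine code that resolves these NIDs by name checked in the same change; otherwise keep the old names.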
283 @@ -1356,9 +1364,9 @@
285 id-tc26-algorithms 7 : id-tc26-wrap
286 id-tc26-wrap 1 : id-tc26-wrap-gostr3412-2015-magma
287 -id-tc26-wrap-gostr3412-2015-magma 1 : id-tc26-wrap-gostr3412-2015-magma-kexp15
288 +id-tc26-wrap-gostr3412-2015-magma 1 : magma-kexp15
289 id-tc26-wrap 2 : id-tc26-wrap-gostr3412-2015-kuznyechik
290 -id-tc26-wrap-gostr3412-2015-kuznyechik 1 : id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15
291 +id-tc26-wrap-gostr3412-2015-kuznyechik 1 : kuznyechik-kexp15
293 id-tc26 2 : id-tc26-constants
295 @@ -1382,16 +1390,25 @@
296 member-body 643 3 131 1 1 : INN : INN
297 member-body 643 100 1 : OGRN : OGRN
298 member-body 643 100 3 : SNILS : SNILS
299 +member-body 643 100 5 : OGRNIP : OGRNIP
300 member-body 643 100 111 : subjectSignTool : Signing Tool of Subject
301 member-body 643 100 112 : issuerSignTool : Signing Tool of Issuer
302 +member-body 643 100 113 : classSignTool : Class of Signing Tool
303 +member-body 643 100 113 1 : classSignToolKC1 : Class of Signing Tool KC1
304 +member-body 643 100 113 2 : classSignToolKC2 : Class of Signing Tool KC2
305 +member-body 643 100 113 3 : classSignToolKC3 : Class of Signing Tool KC3
306 +member-body 643 100 113 4 : classSignToolKB1 : Class of Signing Tool KB1
307 +member-body 643 100 113 5 : classSignToolKB2 : Class of Signing Tool KB2
308 +member-body 643 100 113 6 : classSignToolKA1 : Class of Signing Tool KA1
310 #GOST R34.13-2015 Grasshopper "Kuznechik"
325 #GOST R34.13-2015 Magma
327 @@ -1400,6 +1417,7 @@
333 # Definitions for Camellia cipher - CBC MODE
335 Index: crypto/cms/cms_local.h
336 ===================================================================
337 --- crypto/cms/cms_local.h (revision 14523)
338 +++ crypto/cms/cms_local.h (working copy)
339 @@ -403,12 +403,13 @@
340 ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si);
342 BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
343 +int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain);
344 CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms);
345 int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd);
346 int cms_pkey_get_ri_type(EVP_PKEY *pk);
347 +int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type);
349 -int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
350 - EVP_PKEY *pk, unsigned int flags);
351 +int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *recipPubKey, X509 * originator, EVP_PKEY *originatorPrivKey, unsigned int flags);
352 int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
353 CMS_RecipientInfo *ri);
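Review bot: The new `cms_RecipientInfo_kari_init` prototype is collapsed onto one line of well over 80 columns and writes `X509 * originator` with a space after the asterisk, whereas the line it replaces was wrapped and the rest of this header binds the `*` to the name. Wrap it as the old declaration did, `int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *recipPubKey, X509 *originator, EVP_PKEY *originatorPrivKey, unsigned int flags);` split over three lines. The same formatting appears on the definition in cms_kari.c and on the `CMS_add1_recipient` definition in cms_env.c, and the mixed-case parameter names `recipPubKey`/`originatorPrivKey` depart from the snake_case used throughout libcrypto.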
355 Index: crypto/cms/cms_lib.c
356 ===================================================================
357 --- crypto/cms/cms_lib.c (revision 14523)
358 +++ crypto/cms/cms_lib.c (working copy)
359 @@ -130,12 +130,14 @@
360 switch (OBJ_obj2nid(cms->contentType)) {
363 - case NID_pkcs7_enveloped:
364 case NID_pkcs7_encrypted:
365 case NID_id_smime_ct_compressedData:
369 + case NID_pkcs7_enveloped:
370 + return cms_EnvelopedData_final(cms, cmsbio);
372 case NID_pkcs7_signed:
373 return cms_SignedData_final(cms, cmsbio);
375 Index: crypto/cms/cms_smime.c
376 ===================================================================
377 --- crypto/cms/cms_smime.c (revision 14523)
378 +++ crypto/cms/cms_smime.c (working copy)
383 -static int cms_kari_set1_pkey(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
384 - EVP_PKEY *pk, X509 *cert)
385 +static int cms_kari_set1_pkey_and_peer(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
386 + EVP_PKEY *pk, X509 *cert, X509 *peer)
389 STACK_OF(CMS_RecipientEncryptedKey) *reks;
391 rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
392 if (cert != NULL && CMS_RecipientEncryptedKey_cert_cmp(rek, cert))
394 - CMS_RecipientInfo_kari_set0_pkey(ri, pk);
395 + CMS_RecipientInfo_kari_set0_pkey_and_peer(ri, pk, peer);
396 rv = CMS_RecipientInfo_kari_decrypt(cms, ri, rek);
397 CMS_RecipientInfo_kari_set0_pkey(ri, NULL);
399 @@ -600,27 +600,35 @@
401 int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
403 + return CMS_decrypt_set1_pkey_and_peer(cms, pk, cert, NULL);
406 +int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer)
408 STACK_OF(CMS_RecipientInfo) *ris;
409 CMS_RecipientInfo *ri;
411 + int i, r, cms_pkey_ri_type;
412 int debug = 0, match_ri = 0;
413 ris = CMS_get0_RecipientInfos(cms);
415 debug = cms->d.envelopedData->encryptedContentInfo->debug;
416 - ri_type = cms_pkey_get_ri_type(pk);
417 - if (ri_type == CMS_RECIPINFO_NONE) {
418 - CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY,
419 - CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
422 + cms_pkey_ri_type = cms_pkey_get_ri_type(pk);
423 + if (cms_pkey_ri_type == CMS_RECIPINFO_NONE) {
424 + CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER,
425 + CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
429 for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
431 ri = sk_CMS_RecipientInfo_value(ris, i);
432 - if (CMS_RecipientInfo_type(ri) != ri_type)
434 + ri_type = CMS_RecipientInfo_type(ri);
435 +/* if (!cms_pkey_is_ri_type_supported(pk, ri_type))
438 if (ri_type == CMS_RECIPINFO_AGREE) {
439 - r = cms_kari_set1_pkey(cms, ri, pk, cert);
440 + r = cms_kari_set1_pkey_and_peer(cms, ri, pk, cert, peer);
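Review bot: The per-recipient filter `if (CMS_RecipientInfo_type(ri) != ri_type)` is removed and its replacement `cms_pkey_is_ri_type_supported(pk, ri_type)` is left as a commented-out line, so the loop now hands every RecipientInfo, whatever its type, to the key-type-specific decrypt branches below; either that is intentional and should be stated in a comment, or the check should be restored as `if (!cms_pkey_is_ri_type_supported(pk, ri_type)) continue;` using the helper this patch adds in cms_env.c. Commented-out code should not be committed in either case. The body of `CMS_decrypt_set1_pkey_and_peer` continues past the hunk.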
444 @@ -640,13 +648,13 @@
445 * If not debugging clear any error and return success to
446 * avoid leaking of information useful to MMA
449 + if (!debug && cms_pkey_ri_type == CMS_RECIPINFO_TRANS) {
455 - CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_DECRYPT_ERROR);
456 + CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, CMS_R_DECRYPT_ERROR);
460 @@ -654,17 +662,17 @@
461 * successful decrypt. Always attempt to decrypt all recipients
462 * to avoid leaking timing of a successful decrypt.
464 - else if (r > 0 && debug)
465 + else if (r > 0 && (debug || cms_pkey_ri_type != CMS_RECIPINFO_TRANS))
469 /* If no cert, key transport and not debugging always return success */
470 - if (cert == NULL && ri_type == CMS_RECIPINFO_TRANS && match_ri && !debug) {
471 + if (cert == NULL && cms_pkey_ri_type == CMS_RECIPINFO_TRANS && match_ri && !debug) {
476 - CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_NO_MATCHING_RECIPIENT);
477 + CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, CMS_R_NO_MATCHING_RECIPIENT);
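Review bot: The comment above the `r > 0` branch still says "Always attempt to decrypt all recipients to avoid leaking timing of a successful decrypt", but the condition now returns early unless `cms_pkey_ri_type == CMS_RECIPINFO_TRANS`, so for key-agreement keys that countermeasure no longer applies; the comment here and the one above the `!debug && cms_pkey_ri_type == CMS_RECIPINFO_TRANS` test in the previous hunk should say that the MMA/timing mitigation is deliberately limited to key transport, e.g. `/* The MMA countermeasure only matters for key transport (RSA); other RI types report errors normally and stop at the first success */`. Without that sentence the next reader will read the early return as a regression of the mitigation.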
481 Index: crypto/cms/cms_kari.c
482 ===================================================================
483 --- crypto/cms/cms_kari.c (revision 14523)
484 +++ crypto/cms/cms_kari.c (working copy)
489 -int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
490 +int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *pk, X509 *peer)
493 CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;
495 pctx = EVP_PKEY_CTX_new(pk, NULL);
496 if (!pctx || EVP_PKEY_derive_init(pctx) <= 0)
501 + EVP_PKEY *pub_pkey = X509_get0_pubkey(peer);
502 + if (0 >= EVP_PKEY_derive_set_peer(pctx, pub_pkey))
515 +int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
517 + return CMS_RecipientInfo_kari_set0_pkey_and_peer(ri, pk, NULL);
520 EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri)
522 if (ri->type == CMS_RECIPINFO_AGREE)
523 @@ -282,10 +297,27 @@
527 +/* Set originator private key and initialise context based on it */
528 +static int cms_kari_set_originator_private_key(CMS_KeyAgreeRecipientInfo *kari, EVP_PKEY *originatorPrivKey )
530 + EVP_PKEY_CTX *pctx = NULL;
532 + pctx = EVP_PKEY_CTX_new(originatorPrivKey, NULL);
535 + if (EVP_PKEY_derive_init(pctx) <= 0)
541 + EVP_PKEY_CTX_free(pctx);
545 /* Initialise a kari based on passed certificate and key */
547 -int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
548 - EVP_PKEY *pk, unsigned int flags)
549 +int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *recipPubKey, X509 * originator, EVP_PKEY *originatorPrivKey, unsigned int flags)
551 CMS_KeyAgreeRecipientInfo *kari;
552 CMS_RecipientEncryptedKey *rek = NULL;
553 @@ -320,12 +352,45 @@
557 - /* Create ephemeral key */
558 - if (!cms_kari_create_ephemeral_key(kari, pk))
560 + if (!originatorPrivKey && !originator)
562 + /* Create ephemeral key */
563 + if (!cms_kari_create_ephemeral_key(kari, recipPubKey))
568 + /* Use originator key */
569 + CMS_OriginatorIdentifierOrKey *oik = ri->d.kari->originator;
571 - EVP_PKEY_up_ref(pk);
573 + if (!originatorPrivKey && !originator)
578 + if (flags & CMS_USE_ORIGINATOR_KEYID) {
579 + //kari->originator->issuerAndSerialNumber
580 + oik->type = CMS_OIK_KEYIDENTIFIER;
581 + oik->d.subjectKeyIdentifier = ASN1_OCTET_STRING_new();
582 + if (oik->d.subjectKeyIdentifier == NULL)
584 + if (!cms_set1_keyid(&oik->d.subjectKeyIdentifier, originator))
588 + oik->type = CMS_REK_ISSUER_SERIAL;
589 + if (!cms_set1_ias(&oik->d.issuerAndSerialNumber, originator))
593 + if (!cms_kari_set_originator_private_key(kari, originatorPrivKey))
599 + EVP_PKEY_up_ref(recipPubKey);
600 + rek->pkey = recipPubKey;
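Review bot: The issuer-and-serial branch sets `oik->type = CMS_REK_ISSUER_SERIAL;` on a CMS_OriginatorIdentifierOrKey while the key-identifier branch a few lines earlier uses `CMS_OIK_KEYIDENTIFIER`; the values may coincide today, but the selector belongs to the OIK CHOICE and should read `oik->type = CMS_OIK_ISSUER_SERIAL;`. In the key-identifier branch the `ASN1_OCTET_STRING_new()` stored in `oik->d.subjectKeyIdentifier` looks redundant if `cms_set1_keyid` replaces `*pkeyid` with its own copy, as the ktri/kari callers elsewhere rely on — confirm and drop the allocation and its NULL check. The `//kari->originator->issuerAndSerialNumber` line is dead code in a C++-style comment and should be deleted; libcrypto uses `/* */`. The function body continues past the hunk.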
604 @@ -335,14 +400,35 @@
605 EVP_CIPHER_CTX *ctx = kari->ctx;
606 const EVP_CIPHER *kekcipher;
607 int keylen = EVP_CIPHER_key_length(cipher);
609 /* If a suitable wrap algorithm is already set nothing to do */
610 kekcipher = EVP_CIPHER_CTX_cipher(ctx);
613 - if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
618 + if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
622 + /* Here the Infotecs patch begins */
623 + else if (cipher && (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_GET_WRAP_CIPHER))
625 + ret = EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER, 0, &kekcipher);
633 + if (EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
636 + return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
639 + /* Here the Infotecs patch ends */
642 * Pick a cipher based on content encryption cipher. If it is DES3 use
643 * DES3 wrap otherwise use AES wrap similar to key size.
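Review bot: The new branch calls `EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER, 0, &kekcipher)` through the returned function pointer without checking it is non-NULL; the `EVP_CIPH_FLAG_GET_WRAP_CIPHER` test makes a missing ctrl unlikely, but a cipher that sets the flag without a ctrl would crash here, so fetch the pointer first: `int (*ctrl)(EVP_CIPHER_CTX *, int, int, void *) = EVP_CIPHER_meth_get_ctrl(cipher); if (ctrl == NULL) return 0;`. The `/* Here the Infotecs patch begins */` and `ends` markers record provenance rather than meaning and should be replaced by a comment on what the branch does, e.g. `/* Ciphers that know their own wrap algorithm (e.g. GOST kexp15) report it via EVP_CTRL_GET_WRAP_CIPHER */`. The check of `ret` between the ctrl call and the mode test is outside the visible lines.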
644 Index: crypto/cms/cms_env.c
645 ===================================================================
646 --- crypto/cms/cms_env.c (revision 14523)
647 +++ crypto/cms/cms_env.c (working copy)
650 /* CMS EnvelopedData Utilities */
652 +static void cms_env_set_version(CMS_EnvelopedData *env);
654 CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms)
656 if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) {
661 +int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain)
663 + CMS_EnvelopedData *env = NULL;
664 + EVP_CIPHER_CTX *ctx = NULL;
665 + BIO *mbio = BIO_find_type(chain, BIO_TYPE_CIPHER);
667 + env = cms_get0_enveloped(cms);
672 + CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, CMS_R_CONTENT_NOT_FOUND);
676 + BIO_get_cipher_ctx(mbio, &ctx);
679 + * If the selected cipher supports unprotected attributes,
680 + * deal with it using special ctrl function
682 + if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) {
683 + cms->d.envelopedData->unprotectedAttrs = sk_X509_ATTRIBUTE_new_null();
684 + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 1, env->unprotectedAttrs) <= 0) {
685 + CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, CMS_R_CTRL_FAILURE);
689 + cms_env_set_version(cms->d.envelopedData);
694 /* Key Transport Recipient Info (KTRI) routines */
696 /* Initialise a ktri based on passed certificate and key */
698 * Add a recipient certificate using appropriate type of RecipientInfo
701 -CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
702 - X509 *recip, unsigned int flags)
703 +CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
704 + EVP_PKEY *originatorPrivKey, X509 * originator, unsigned int flags)
706 CMS_RecipientInfo *ri = NULL;
707 CMS_EnvelopedData *env;
710 pk = X509_get0_pubkey(recip);
712 - CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, CMS_R_ERROR_GETTING_PUBLIC_KEY);
713 + CMSerr(CMS_F_CMS_ADD1_RECIPIENT, CMS_R_ERROR_GETTING_PUBLIC_KEY);
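Review bot: In `cms_EnvelopedData_final` the result of `sk_X509_ATTRIBUTE_new_null()` is stored into `cms->d.envelopedData->unprotectedAttrs` and passed straight to `EVP_CIPHER_CTX_ctrl` without a NULL check, and it unconditionally replaces any attribute stack already present, leaking it; allocate only when the field is still NULL and fail with ERR_R_MALLOC_FAILURE otherwise. The same two lines mix `cms->d.envelopedData->` with the `env` local fetched just above, which is the same object, so `env` should be used throughout. The `BIO_find_type`/`BIO_get_cipher_ctx` error handling between the visible lines is not shown, so only the attribute allocation is raised here.
```c
    if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) {
        if (env->unprotectedAttrs == NULL
            && (env->unprotectedAttrs = sk_X509_ATTRIBUTE_new_null()) == NULL) {
            CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 1, env->unprotectedAttrs) <= 0) {
            CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, CMS_R_CTRL_FAILURE);
            /* … unchanged: error return … */
        }
    }
```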
717 @@ -204,12 +239,12 @@
720 case CMS_RECIPINFO_AGREE:
721 - if (!cms_RecipientInfo_kari_init(ri, recip, pk, flags))
722 + if (!cms_RecipientInfo_kari_init(ri, recip, pk, originator, originatorPrivKey, flags))
727 - CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT,
728 + CMSerr(CMS_F_CMS_ADD1_RECIPIENT,
729 CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
736 - CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, ERR_R_MALLOC_FAILURE);
737 + CMSerr(CMS_F_CMS_ADD1_RECIPIENT, ERR_R_MALLOC_FAILURE);
739 M_ASN1_free_of(ri, CMS_RecipientInfo);
745 +CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
746 + X509 *recip, unsigned int flags)
748 + return CMS_add1_recipient(cms, recip, NULL, NULL, flags);
751 int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
752 EVP_PKEY **pk, X509 **recip,
754 @@ -856,52 +897,90 @@
758 -BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
759 +static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms)
761 - CMS_EncryptedContentInfo *ec;
762 - STACK_OF(CMS_RecipientInfo) *rinfos;
763 - CMS_RecipientInfo *ri;
766 + CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo;
767 + BIO *contentBio = cms_EncryptedContent_init_bio(ec);
768 + EVP_CIPHER_CTX *ctx = NULL;
770 - /* Get BIO first to set up key */
774 - ec = cms->d.envelopedData->encryptedContentInfo;
775 - ret = cms_EncryptedContent_init_bio(ec);
776 + BIO_get_cipher_ctx(contentBio, &ctx);
778 + BIO_free(contentBio);
782 + * If the selected cipher supports unprotected attributes,
783 + * deal with it using special ctrl function
785 + if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC &&
786 + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 0, cms->d.envelopedData->unprotectedAttrs) <= 0) {
787 + BIO_free(contentBio);
793 - /* If error or no cipher end of processing */
794 +static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms)
796 + CMS_EncryptedContentInfo *ec;
797 + STACK_OF(CMS_RecipientInfo) *rinfos;
798 + CMS_RecipientInfo *ri;
802 - if (!ret || !ec->cipher)
804 + /* Get BIO first to set up key */
806 - /* Now encrypt content key according to each RecipientInfo type */
807 + ec = cms->d.envelopedData->encryptedContentInfo;
808 + ret = cms_EncryptedContent_init_bio(ec);
810 - rinfos = cms->d.envelopedData->recipientInfos;
811 + /* If error or no cipher end of processing */
813 - for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
814 - ri = sk_CMS_RecipientInfo_value(rinfos, i);
815 - if (CMS_RecipientInfo_encrypt(cms, ri) <= 0) {
816 - CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO,
817 - CMS_R_ERROR_SETTING_RECIPIENTINFO);
821 - cms_env_set_version(cms->d.envelopedData);
826 + /* Now encrypt content key according to each RecipientInfo type */
830 - OPENSSL_clear_free(ec->key, ec->keylen);
837 + rinfos = cms->d.envelopedData->recipientInfos;
839 + for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
840 + ri = sk_CMS_RecipientInfo_value(rinfos, i);
841 + if (CMS_RecipientInfo_encrypt(cms, ri) <= 0) {
842 + CMSerr(CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO,
843 + CMS_R_ERROR_SETTING_RECIPIENTINFO);
847 + cms_env_set_version(cms->d.envelopedData); /* FIXME move lower? */
853 + OPENSSL_clear_free(ec->key, ec->keylen);
863 +BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
865 + if (cms->d.envelopedData->encryptedContentInfo->cipher)
867 + //If cipher is set it's encrypting
868 + return cms_EnvelopedData_Encryption_init_bio(cms);
871 + //If cipher is not set it's decrypting
872 + return cms_EnvelopedData_Decryption_init_bio(cms);
876 * Get RecipientInfo type (if any) supported by a key (public or private). To
877 * retain compatibility with previous behaviour if the ctrl value isn't
880 return CMS_RECIPINFO_TRANS;
883 +int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type)
885 + if (pk->ameth && pk->ameth->pkey_ctrl)
888 + i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED, ri_type, &r);
893 + //if ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED not supported
895 + int supportedRiType = cms_pkey_get_ri_type(pk);
897 + if (supportedRiType < 0)
902 + return (supportedRiType == ri_type);
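Review bot: `cms_EnvelopedData_init_bio` and `cms_pkey_is_ri_type_supported` use `//` comments (`//If cipher is set it's encrypting`, `//if ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED not supported`), which libcrypto does not use; convert them to `/* */` and turn the first pair into a function comment such as `/* An EncryptedContentInfo with a cipher set is being created (encrypt); one without was parsed (decrypt) */`. The `/* FIXME move lower? */` left on `cms_env_set_version()` in the encryption path should be resolved, or rewritten as an explanation of why the version is set before the recipient loop, before merge. In the decryption path the two `BIO_free(contentBio)` calls suggest an early return between `BIO_get_cipher_ctx` and the flag test; those lines are not visible, so only the comment style is raised for that function.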
904 Index: crypto/cms/cms_err.c
905 ===================================================================
906 --- crypto/cms/cms_err.c (revision 14523)
907 +++ crypto/cms/cms_err.c (working copy)
909 "CMS_add0_recipient_password"},
910 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECEIPTREQUEST, 0),
911 "CMS_add1_ReceiptRequest"},
912 + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECIPIENT, 0), "CMS_add1_recipient"},
913 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECIPIENT_CERT, 0),
914 "CMS_add1_recipient_cert"},
915 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNER, 0), "CMS_add1_signer"},
917 "CMS_decrypt_set1_password"},
918 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DECRYPT_SET1_PKEY, 0),
919 "CMS_decrypt_set1_pkey"},
920 + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, 0),
921 + "CMS_decrypt_set1_pkey_and_peer"},
922 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DIGESTALGORITHM_FIND_CTX, 0),
923 "cms_DigestAlgorithm_find_ctx"},
924 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DIGESTALGORITHM_INIT_BIO, 0),
926 "CMS_EncryptedData_set1_key"},
927 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_CREATE, 0),
928 "CMS_EnvelopedData_create"},
929 + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO, 0),
930 + "cms_EnvelopedData_Decryption_init_bio"},
931 + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO, 0),
932 + "cms_EnvelopedData_Encryption_init_bio"},
933 + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_FINAL, 0),
934 + "cms_EnvelopedData_final"},
935 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_INIT_BIO, 0),
936 "cms_EnvelopedData_init_bio"},
937 {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPED_DATA_INIT, 0),
938 Index: crypto/x509v3/standard_exts.h
939 ===================================================================
940 --- crypto/x509v3/standard_exts.h (revision 14523)
941 +++ crypto/x509v3/standard_exts.h (working copy)
946 + &v3_subject_sign_tool,
947 + &v3_issuer_sign_tool,
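Review bot: `standard_exts` is searched by NID with a binary search from `X509V3_EXT_get_nid`, so `&v3_subject_sign_tool` and `&v3_issuer_sign_tool` have to be inserted where their NIDs sort, not simply appended; if these two are the newest NIDs in obj_mac.h the end of the table is the right place, otherwise the lookup silently misses them and the extensions print as unknown. The surrounding context that would show the insertion point is not visible here, so this is a request to confirm the ordering rather than a reported defect.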
951 Index: crypto/x509v3/v3err.c
952 ===================================================================
953 --- crypto/x509v3/v3err.c (revision 14523)
954 +++ crypto/x509v3/v3err.c (working copy)
957 * Generated by util/mkerr.pl DO NOT EDIT
958 - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
959 + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
961 * Licensed under the OpenSSL license (the "License"). You may not use
962 * this file except in compliance with the License. You can obtain a copy
964 "i2s_ASN1_IA5STRING"},
965 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2S_ASN1_INTEGER, 0),
967 + {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2S_ASN1_UTF8STRING, 0),
968 + "i2s_ASN1_UTF8STRING"},
969 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_INFO_ACCESS, 0),
970 "i2v_AUTHORITY_INFO_ACCESS"},
971 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_LEVEL_ADD_NODE, 0), "level_add_node"},
974 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_ASN1_OCTET_STRING, 0),
975 "s2i_ASN1_OCTET_STRING"},
976 + {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_ASN1_UTF8STRING, 0),
977 + "s2i_ASN1_UTF8STRING"},
978 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_SKEY_ID, 0), "s2i_skey_id"},
979 {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SET_DIST_POINT_NAME, 0),
980 "set_dist_point_name"},
981 Index: crypto/x509v3/build.info
982 ===================================================================
983 --- crypto/x509v3/build.info (revision 14523)
984 +++ crypto/x509v3/build.info (working copy)
986 v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
987 v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
988 pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
989 - v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c
990 + v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_rus.c
991 Index: crypto/x509v3/v3_alt.c
992 ===================================================================
993 --- crypto/x509v3/v3_alt.c (revision 14523)
994 +++ crypto/x509v3/v3_alt.c (working copy)
996 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
997 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
999 +static int i2r_GENERAL_NAMES(X509V3_EXT_METHOD *method,
1000 + GENERAL_NAMES *gens, BIO *out,
1003 +static int GENERAL_NAME_oneline_ex(char *name, GENERAL_NAME *gen, int len)
1009 + mem = BIO_new(BIO_s_mem());
1013 + switch (gen->type) {
1015 + X509_NAME_print_ex(mem, gen->d.dirn, 0, XN_FLAG_SEP_COMMA_PLUS | ASN1_STRFLGS_UTF8_CONVERT);
1019 + BIO_get_mem_ptr(mem, &bptr);
1020 + i = BIO_set_close(mem, BIO_NOCLOSE);
1025 + if(bptr->length < len)
1026 + strncpy(name, bptr->data, bptr->length);
1028 + strncpy(name, bptr->data, len);
1032 const X509V3_EXT_METHOD v3_alt[3] = {
1033 {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
1036 - (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
1037 + NULL, /* (X509V3_EXT_I2V) i2v_GENERAL_NAMES, */
1038 (X509V3_EXT_V2I)v2i_subject_alt,
1039 - NULL, NULL, NULL},
1040 + (X509V3_EXT_I2R)i2r_GENERAL_NAMES, NULL, NULL},
1042 {NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
1046 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
1047 (X509V3_EXT_V2I)v2i_issuer_alt,
1048 - NULL, NULL, NULL},
1049 + (X509V3_EXT_I2R)i2r_GENERAL_NAMES/*NULL*/, NULL, NULL},
1051 {NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
1054 (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
1055 - NULL, NULL, NULL, NULL},
1056 + NULL, (X509V3_EXT_I2R)i2r_GENERAL_NAMES/*NULL*/, NULL, NULL},
1059 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
1061 STACK_OF(CONF_VALUE) *ret)
1064 - char oline[256], htmp[5];
1065 + char oline[1024], htmp[5];
1068 switch (gen->type) {
1073 - if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) == NULL
1074 + if (GENERAL_NAME_oneline_ex(oline, gen, sizeof(oline)) <= 0
1075 || !X509V3_add_value("DirName", oline, &ret))
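Review bot: `GENERAL_NAME_oneline_ex` copies the rendered name with `strncpy(name, bptr->data, len)` when the rendered length is not below `len`, which leaves `name` with no terminator; the caller then passes `oline` to `X509V3_add_value`, which reads it as a C string and runs past the 1024-byte stack buffer for a long DirName taken from the certificate. Copy at most `len - 1` bytes and terminate explicitly: `size_t n = bptr->length < (size_t)len ? bptr->length : (size_t)len - 1;` `memcpy(name, bptr->data, n);` `name[n] = '\0';` (and reject `len <= 0` up front). With `BIO_set_close(mem, BIO_NOCLOSE)` the BUF_MEM is detached from the BIO, so `bptr` must be released with `BUF_MEM_free` after the copy; that part of the function is outside the visible lines. The leftover `/* (X509V3_EXT_I2V) i2v_GENERAL_NAMES, */` and `/*NULL*/` fragments in the `v3_alt` table should be removed rather than kept as reminders, and if `X509V3_EXT_print` still prefers `i2v` over `i2r`, the `i2r` added for issuer_alt_name and certificate_issuer while their `i2v` is kept will not be reached by that path.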
1078 @@ -151,6 +184,96 @@
1083 +int i2r_GENERAL_NAME(X509V3_EXT_METHOD *method,
1084 + GENERAL_NAME *gen, BIO *out,
1088 + char oline[256], htmp[5];
1090 + BIO_printf(out, "%*s", indent, "");
1091 + switch (gen->type) {
1092 + case GEN_OTHERNAME:
1093 + BIO_write(out, "othername: <unsupported>", 24);
1097 + BIO_write(out, "X400Name: <unsupported>", 24);
1100 + case GEN_EDIPARTY:
1101 + BIO_write(out, "EdiPartyName: <unsupported>", 28);
1105 + BIO_write(out, "email: ", 7);
1106 + BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
1110 + BIO_write(out, "DNS: ", 5);
1111 + BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
1115 + BIO_write(out, "URI: ", 5);
1116 + BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
1120 + BIO_write(out, "DirName: ", 9);
1121 + X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_SEP_COMMA_PLUS|ASN1_STRFLGS_UTF8_CONVERT);
1125 + p = gen->d.ip->data;
1126 + if (gen->d.ip->length == 4)
1127 + BIO_snprintf(oline, sizeof oline,
1128 + "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
1129 + else if (gen->d.ip->length == 16) {
1131 + for (i = 0; i < 8; i++) {
1132 + BIO_snprintf(htmp, sizeof htmp, "%X", p[0] << 8 | p[1]);
1134 + strcat(oline, htmp);
1136 + strcat(oline, ":");
1139 + BIO_write(out, "IP Address: <invalid>", 22);
1142 + BIO_write(out, "IP Address: ", 12);
1143 + BIO_write(out, oline, strlen(oline));
1147 + i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
1148 + BIO_write(out, "Registered ID: ", 15);
1149 + BIO_write(out, oline, strlen(oline));
1152 + BIO_write(out, "\n", 1);
1156 +int i2r_GENERAL_NAMES(X509V3_EXT_METHOD *method,
1157 + GENERAL_NAMES *gens, BIO *out,
1161 + GENERAL_NAME *gen;
1162 + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1163 + gen = sk_GENERAL_NAME_value(gens, i);
1164 + if (!i2r_GENERAL_NAME(method, gen, out, indent))
1172 int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
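Review bot: Several `BIO_write` calls in `i2r_GENERAL_NAME` pass a hand-counted length that does not match the literal: `"X400Name: <unsupported>"` is 23 bytes but line 1097 writes 24, `"EdiPartyName: <unsupported>"` is 27 but line 1101 writes 28, and `"IP Address: <invalid>"` is 21 but line 1139 writes 22, so each emits the terminating NUL into the output. The same pattern in `i2r_ISSUER_SIGN_TOOL` in the new crypto/x509v3/v3_rus.c is worse: `"signTool: "` (10 bytes), `"cATool: "` (8) and `"cAToolCert: "` (12) are all written with length 14 at lines 1326, 1332 and 1344, which reads past the end of the literals. Replacing the counted writes with `BIO_puts(out, "X400Name: <unsupported>");` (and likewise for the others) removes the arithmetic entirely. On the same theme, `i2t_ASN1_OBJECT(oline, 256, gen->d.rid)` at line 1147 should use `sizeof oline` so the bound cannot drift from the declaration, as the sibling buffer in i2v_GENERAL_NAMES just did when it grew to 1024.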
1175 Index: crypto/x509v3/ext_dat.h
1176 ===================================================================
1177 --- crypto/x509v3/ext_dat.h (revision 14523)
1178 +++ crypto/x509v3/ext_dat.h (working copy)
1180 extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
1181 extern const X509V3_EXT_METHOD v3_addr, v3_asid;
1182 extern const X509V3_EXT_METHOD v3_ct_scts[3];
1183 +extern const X509V3_EXT_METHOD v3_subject_sign_tool, v3_issuer_sign_tool;
1184 extern const X509V3_EXT_METHOD v3_tls_feature;
1185 extern const X509V3_EXT_METHOD v3_ext_admission;
1186 Index: crypto/x509v3/v3_rus.c
1187 ===================================================================
1188 --- crypto/x509v3/v3_rus.c (nonexistent)
1189 +++ crypto/x509v3/v3_rus.c (revision 14744)
1193 + * Written by Dmitry Belyavskiy for the OpenSSL project
1196 +/* ====================================================================
1197 + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
1199 + * Redistribution and use in source and binary forms, with or without
1200 + * modification, are permitted provided that the following conditions
1203 + * 1. Redistributions of source code must retain the above copyright
1204 + * notice, this list of conditions and the following disclaimer.
1206 + * 2. Redistributions in binary form must reproduce the above copyright
1207 + * notice, this list of conditions and the following disclaimer in
1208 + * the documentation and/or other materials provided with the
1211 + * 3. All advertising materials mentioning features or use of this
1212 + * software must display the following acknowledgment:
1213 + * "This product includes software developed by the OpenSSL Project
1214 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
1216 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1217 + * endorse or promote products derived from this software without
1218 + * prior written permission. For written permission, please contact
1219 + * licensing@OpenSSL.org.
1221 + * 5. Products derived from this software may not be called "OpenSSL"
1222 + * nor may "OpenSSL" appear in their names without prior written
1223 + * permission of the OpenSSL Project.
1225 + * 6. Redistributions of any form whatsoever must retain the following
1227 + * "This product includes software developed by the OpenSSL Project
1228 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
1230 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1231 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1232 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1233 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1234 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1235 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1236 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1237 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1238 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1239 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1240 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1241 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1242 + * ====================================================================
1244 + * This product includes cryptographic software written by Eric Young
1245 + * (eay@cryptsoft.com). This product includes software written by Tim
1246 + * Hudson (tjh@cryptsoft.com).
1251 +#include <string.h>
1252 +#include <openssl/asn1t.h>
1253 +#include <openssl/err.h>
1254 +#include <openssl/x509v3.h>
1256 +static char *i2s_ASN1_UTF8STRING(const X509V3_EXT_METHOD *method,
1257 + ASN1_UTF8STRING *utf8str)
1260 + if (!utf8str || !utf8str->length)
1262 + if (!(tmp = OPENSSL_malloc(utf8str->length + 1))) {
1263 + X509V3err(X509V3_F_I2S_ASN1_UTF8STRING, ERR_R_MALLOC_FAILURE);
1266 + memcpy(tmp, utf8str->data, utf8str->length);
1267 + tmp[utf8str->length] = 0;
1271 +static ASN1_UTF8STRING *s2i_ASN1_UTF8STRING(X509V3_EXT_METHOD *method,
1272 + X509V3_CTX *ctx, char *str)
1274 + ASN1_UTF8STRING *utf8str;
1276 + X509V3err(X509V3_F_S2I_ASN1_UTF8STRING,
1277 + X509V3_R_INVALID_NULL_ARGUMENT);
1280 + if (!(utf8str = ASN1_STRING_type_new(V_ASN1_UTF8STRING)))
1282 + if (!ASN1_STRING_set((ASN1_STRING *)utf8str, (unsigned char *)str,
1284 + ASN1_STRING_free(utf8str);
1287 +#ifdef CHARSET_EBCDIC
1288 + ebcdic2ascii(utf8str->data, utf8str->data, utf8str->length);
1289 +#endif /* CHARSET_EBCDIC */
1292 + X509V3err(X509V3_F_S2I_ASN1_UTF8STRING, ERR_R_MALLOC_FAILURE);
1296 +const X509V3_EXT_METHOD v3_subject_sign_tool = {
1297 + NID_subjectSignTool, 0, ASN1_ITEM_ref(ASN1_UTF8STRING),
1299 + (X509V3_EXT_I2S)i2s_ASN1_UTF8STRING,
1300 + (X509V3_EXT_S2I)s2i_ASN1_UTF8STRING,
1304 +typedef struct ISSUER_SIGN_TOOL_st {
1305 + ASN1_UTF8STRING *signTool;
1306 + ASN1_UTF8STRING *cATool;
1307 + ASN1_UTF8STRING *signToolCert;
1308 + ASN1_UTF8STRING *cAToolCert;
1309 +} ISSUER_SIGN_TOOL;
1311 +ASN1_SEQUENCE(ISSUER_SIGN_TOOL) = {
1312 + ASN1_SIMPLE(ISSUER_SIGN_TOOL, signTool, ASN1_UTF8STRING),
1313 + ASN1_SIMPLE(ISSUER_SIGN_TOOL, cATool, ASN1_UTF8STRING),
1314 + ASN1_SIMPLE(ISSUER_SIGN_TOOL, signToolCert, ASN1_UTF8STRING),
1315 + ASN1_SIMPLE(ISSUER_SIGN_TOOL, cAToolCert, ASN1_UTF8STRING)
1316 +} ASN1_SEQUENCE_END(ISSUER_SIGN_TOOL)
1318 +IMPLEMENT_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)
1320 +static int i2r_ISSUER_SIGN_TOOL(X509V3_EXT_METHOD *method,
1321 + ISSUER_SIGN_TOOL *ist, BIO *out,
1324 + if (ist->signTool) {
1325 + BIO_printf(out, "%*s", indent, "");
1326 + BIO_write(out, "signTool: ", 14);
1327 + BIO_write(out, ist->signTool->data, ist->signTool->length);
1328 + BIO_write(out, "\n", 1);
1330 + if (ist->cATool) {
1331 + BIO_printf(out, "%*s", indent, "");
1332 + BIO_write(out, "cATool: ", 14);
1333 + BIO_write(out, ist->cATool->data, ist->cATool->length);
1334 + BIO_write(out, "\n", 1);
1336 + if (ist->signToolCert) {
1337 + BIO_printf(out, "%*s", indent, "");
1338 + BIO_write(out, "signToolCert: ", 14);
1339 + BIO_write(out, ist->signToolCert->data, ist->signToolCert->length);
1340 + BIO_write(out, "\n", 1);
1342 + if (ist->cAToolCert) {
1343 + BIO_printf(out, "%*s", indent, "");
1344 + BIO_write(out, "cAToolCert: ", 14);
1345 + BIO_write(out, ist->cAToolCert->data, ist->cAToolCert->length);
1346 + BIO_write(out, "\n", 1);
1351 +const X509V3_EXT_METHOD v3_issuer_sign_tool = {
1352 + NID_issuerSignTool, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(ISSUER_SIGN_TOOL),
1355 + 0, /*(X509V3_EXT_I2V)i2v_ISSUER_SIGN_TOOL,*/
1357 + (X509V3_EXT_I2R)i2r_ISSUER_SIGN_TOOL, 0, NULL
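Review bot: `IMPLEMENT_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)` at line 1318 emits externally visible `ISSUER_SIGN_TOOL_new`/`_free`/`d2i_`/`i2d_` symbols and the `ISSUER_SIGN_TOOL_it` item, yet the struct and those functions are declared only inside this .c file, so nothing outside can use them and a build with missing-prototype warnings enabled will complain. Either move the typedef to x509v3.h with `DECLARE_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)`, the way the other extension structures in this directory are exposed, or state in a comment that the type is intentionally private. Separately, `s2i_ASN1_UTF8STRING` appears to store the configuration string verbatim (its length argument at line 1283 is outside this view); if so, a comment that the input is not checked for well-formed UTF-8 before being DER-encoded as a UTF8String would help the next reader.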
1359 Index: crypto/err/openssl.txt
1360 ===================================================================
1361 --- crypto/err/openssl.txt (revision 14523)
1362 +++ crypto/err/openssl.txt (working copy)
1364 CMS_F_CMS_ADD0_RECIPIENT_KEY:100:CMS_add0_recipient_key
1365 CMS_F_CMS_ADD0_RECIPIENT_PASSWORD:165:CMS_add0_recipient_password
1366 CMS_F_CMS_ADD1_RECEIPTREQUEST:158:CMS_add1_ReceiptRequest
1367 +CMS_F_CMS_ADD1_RECIPIENT:181:CMS_add1_recipient
1368 CMS_F_CMS_ADD1_RECIPIENT_CERT:101:CMS_add1_recipient_cert
1369 CMS_F_CMS_ADD1_SIGNER:102:CMS_add1_signer
1370 CMS_F_CMS_ADD1_SIGNINGTIME:103:cms_add1_signingTime
1372 CMS_F_CMS_DECRYPT_SET1_KEY:113:CMS_decrypt_set1_key
1373 CMS_F_CMS_DECRYPT_SET1_PASSWORD:166:CMS_decrypt_set1_password
1374 CMS_F_CMS_DECRYPT_SET1_PKEY:114:CMS_decrypt_set1_pkey
1375 +CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER:182:CMS_decrypt_set1_pkey_and_peer
1376 CMS_F_CMS_DIGESTALGORITHM_FIND_CTX:115:cms_DigestAlgorithm_find_ctx
1377 CMS_F_CMS_DIGESTALGORITHM_INIT_BIO:116:cms_DigestAlgorithm_init_bio
1378 CMS_F_CMS_DIGESTEDDATA_DO_FINAL:117:cms_DigestedData_do_final
1379 @@ -266,6 +268,11 @@
1380 CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT:122:CMS_EncryptedData_encrypt
1381 CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY:123:CMS_EncryptedData_set1_key
1382 CMS_F_CMS_ENVELOPEDDATA_CREATE:124:CMS_EnvelopedData_create
1383 +CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO:184:\
1384 + cms_EnvelopedData_Decryption_init_bio
1385 +CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO:185:\
1386 + cms_EnvelopedData_Encryption_init_bio
1387 +CMS_F_CMS_ENVELOPEDDATA_FINAL:186:cms_EnvelopedData_final
1388 CMS_F_CMS_ENVELOPEDDATA_INIT_BIO:125:cms_EnvelopedData_init_bio
1389 CMS_F_CMS_ENVELOPED_DATA_INIT:126:cms_enveloped_data_init
1390 CMS_F_CMS_ENV_ASN1_CTRL:171:cms_env_asn1_ctrl
1391 @@ -1180,7 +1187,7 @@
1392 SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE:601:\
1393 ossl_statem_server_post_process_message
1394 SSL_F_OSSL_STATEM_SERVER_POST_WORK:602:ossl_statem_server_post_work
1395 -SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:
1396 +SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:ossl_statem_server_pre_work
1397 SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE:603:ossl_statem_server_process_message
1398 SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION:418:ossl_statem_server_read_transition
1399 SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION:604:\
1400 @@ -1395,6 +1402,7 @@
1401 SSL_F_TLS_CONSTRUCT_CKE_DHE:404:tls_construct_cke_dhe
1402 SSL_F_TLS_CONSTRUCT_CKE_ECDHE:405:tls_construct_cke_ecdhe
1403 SSL_F_TLS_CONSTRUCT_CKE_GOST:406:tls_construct_cke_gost
1404 +SSL_F_TLS_CONSTRUCT_CKE_GOST18:639:tls_construct_cke_gost18
1405 SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE:407:tls_construct_cke_psk_preamble
1406 SSL_F_TLS_CONSTRUCT_CKE_RSA:409:tls_construct_cke_rsa
1407 SSL_F_TLS_CONSTRUCT_CKE_SRP:410:tls_construct_cke_srp
1408 @@ -1526,6 +1534,7 @@
1409 SSL_F_TLS_PROCESS_CKE_DHE:411:tls_process_cke_dhe
1410 SSL_F_TLS_PROCESS_CKE_ECDHE:412:tls_process_cke_ecdhe
1411 SSL_F_TLS_PROCESS_CKE_GOST:413:tls_process_cke_gost
1412 +SSL_F_TLS_PROCESS_CKE_GOST18:641:tls_process_cke_gost18
1413 SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE:414:tls_process_cke_psk_preamble
1414 SSL_F_TLS_PROCESS_CKE_RSA:415:tls_process_cke_rsa
1415 SSL_F_TLS_PROCESS_CKE_SRP:416:tls_process_cke_srp
1416 @@ -1648,6 +1657,7 @@
1417 X509V3_F_I2S_ASN1_ENUMERATED:121:i2s_ASN1_ENUMERATED
1418 X509V3_F_I2S_ASN1_IA5STRING:149:i2s_ASN1_IA5STRING
1419 X509V3_F_I2S_ASN1_INTEGER:120:i2s_ASN1_INTEGER
1420 +X509V3_F_I2S_ASN1_UTF8STRING:173:i2s_ASN1_UTF8STRING
1421 X509V3_F_I2V_AUTHORITY_INFO_ACCESS:138:i2v_AUTHORITY_INFO_ACCESS
1422 X509V3_F_LEVEL_ADD_NODE:168:level_add_node
1423 X509V3_F_NOTICE_SECTION:132:notice_section
1424 @@ -1662,6 +1672,7 @@
1425 X509V3_F_S2I_ASN1_IA5STRING:100:s2i_ASN1_IA5STRING
1426 X509V3_F_S2I_ASN1_INTEGER:108:s2i_ASN1_INTEGER
1427 X509V3_F_S2I_ASN1_OCTET_STRING:112:s2i_ASN1_OCTET_STRING
1428 +X509V3_F_S2I_ASN1_UTF8STRING:174:s2i_ASN1_UTF8STRING
1429 X509V3_F_S2I_SKEY_ID:115:s2i_skey_id
1430 X509V3_F_SET_DIST_POINT_NAME:158:set_dist_point_name
1431 X509V3_F_SXNET_ADD_ID_ASC:125:SXNET_add_id_asc
1432 Index: crypto/asn1/p8_pkey.c
1433 ===================================================================
1434 --- crypto/asn1/p8_pkey.c (revision 14523)
1435 +++ crypto/asn1/p8_pkey.c (working copy)
1441 +int PKCS8_pkey_add1_attr_by_OBJ(PKCS8_PRIV_KEY_INFO *p8, const ASN1_OBJECT *obj, int type,
1442 + const unsigned char *bytes, int len)
1444 + if (X509at_add1_attr_by_OBJ(&p8->attributes, obj, type, bytes, len) != NULL)
1449 +int PKCS8_pkey_add1_attr(PKCS8_PRIV_KEY_INFO *p8, X509_ATTRIBUTE *attr)
1451 + if (X509at_add1_attr(&p8->attributes, attr) != NULL)
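Review bot: The definition of `PKCS8_pkey_add1_attr_by_OBJ` at line 1441 runs well past 80 columns, while its prototype added to include/openssl/x509.h in this same patch wraps after `const ASN1_OBJECT *obj,`; reflow the definition to match the header so the two stay visually identical. Both new functions mirror the existing `PKCS8_pkey_add1_attr_by_NID` (their return statements are not visible here), so if that function is described in doc/man3 the two new entry points should be added to the same page.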
1455 Index: include/openssl/sslerr.h
1456 ===================================================================
1457 --- include/openssl/sslerr.h (revision 14523)
1458 +++ include/openssl/sslerr.h (working copy)
1460 #ifndef HEADER_SSLERR_H
1461 # define HEADER_SSLERR_H
1463 -# ifndef HEADER_SYMHACKS_H
1464 -# include <openssl/symhacks.h>
1466 +# include <openssl/symhacks.h>
1471 # define SSL_F_TLS_CONSTRUCT_CKE_DHE 404
1472 # define SSL_F_TLS_CONSTRUCT_CKE_ECDHE 405
1473 # define SSL_F_TLS_CONSTRUCT_CKE_GOST 406
1474 +# define SSL_F_TLS_CONSTRUCT_CKE_GOST18 639
1475 # define SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE 407
1476 # define SSL_F_TLS_CONSTRUCT_CKE_RSA 409
1477 # define SSL_F_TLS_CONSTRUCT_CKE_SRP 410
1479 # define SSL_F_TLS_PROCESS_CKE_DHE 411
1480 # define SSL_F_TLS_PROCESS_CKE_ECDHE 412
1481 # define SSL_F_TLS_PROCESS_CKE_GOST 413
1482 +# define SSL_F_TLS_PROCESS_CKE_GOST18 641
1483 # define SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE 414
1484 # define SSL_F_TLS_PROCESS_CKE_RSA 415
1485 # define SSL_F_TLS_PROCESS_CKE_SRP 416
1486 Index: include/openssl/x509.h
1487 ===================================================================
1488 --- include/openssl/x509.h (revision 14523)
1489 +++ include/openssl/x509.h (working copy)
1490 @@ -1020,8 +1020,11 @@
1492 const STACK_OF(X509_ATTRIBUTE) *
1493 PKCS8_pkey_get0_attrs(const PKCS8_PRIV_KEY_INFO *p8);
1494 +int PKCS8_pkey_add1_attr(PKCS8_PRIV_KEY_INFO *p8, X509_ATTRIBUTE *attr);
1495 int PKCS8_pkey_add1_attr_by_NID(PKCS8_PRIV_KEY_INFO *p8, int nid, int type,
1496 const unsigned char *bytes, int len);
1497 +int PKCS8_pkey_add1_attr_by_OBJ(PKCS8_PRIV_KEY_INFO *p8, const ASN1_OBJECT *obj,
1498 + int type, const unsigned char *bytes, int len);
1500 int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
1501 int ptype, void *pval,
1502 Index: include/openssl/cms.h
1503 ===================================================================
1504 --- include/openssl/cms.h (revision 14523)
1505 +++ include/openssl/cms.h (working copy)
1507 # define CMS_DEBUG_DECRYPT 0x20000
1508 # define CMS_KEY_PARAM 0x40000
1509 # define CMS_ASCIICRLF 0x80000
1510 +# define CMS_USE_ORIGINATOR_KEYID 0x100000
1512 const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms);
1515 BIO *dcont, BIO *out, unsigned int flags);
1517 int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert);
1518 +int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer);
1519 int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
1520 unsigned char *key, size_t keylen,
1521 const unsigned char *id, size_t idlen);
1523 CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher);
1524 CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
1525 X509 *recip, unsigned int flags);
1526 +CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
1527 + EVP_PKEY *originatorPrivKey, X509 * originator, unsigned int flags);
1528 int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey);
1529 int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
1530 int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
1532 int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
1534 int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
1535 +int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *pk, X509 *peer);
1536 EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri);
1537 int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
1538 CMS_RecipientInfo *ri,
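Review bot: The new prototypes at lines 1518, 1526-1527 and 1535 run past 80 columns and `X509 * originator` at line 1527 breaks the `X509 *recip` pointer style used on the neighbouring lines; wrap them like the surrounding declarations. `CMS_add1_recipient`, `CMS_decrypt_set1_pkey_and_peer`, `CMS_RecipientInfo_kari_set0_pkey_and_peer` and the `CMS_USE_ORIGINATOR_KEYID` flag are new public API with no accompanying doc/man3 change in this view; the ownership of `originatorPrivKey` and `originator` in particular (the `add1` prefix suggests the recipient is copied, but nothing says whether the originator key is referenced or duplicated) needs stating in the documentation.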
1539 Index: include/openssl/tls1.h
1540 ===================================================================
1541 --- include/openssl/tls1.h (revision 14523)
1542 +++ include/openssl/tls1.h (working copy)
1543 @@ -613,6 +613,12 @@
1544 # define TLS1_3_CK_AES_128_CCM_SHA256 0x03001304
1545 # define TLS1_3_CK_AES_128_CCM_8_SHA256 0x03001305
1547 +/* https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites */
1548 +# define TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L 0x0300C103
1549 +# define TLS_GOSTR341112_256_WITH_MAGMA_MGM_L 0x0300C104
1550 +# define TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S 0x0300C105
1551 +# define TLS_GOSTR341112_256_WITH_MAGMA_MGM_S 0x0300C106
1553 /* Aria ciphersuites from RFC6209 */
1554 # define TLS1_CK_RSA_WITH_ARIA_128_GCM_SHA256 0x0300C050
1555 # define TLS1_CK_RSA_WITH_ARIA_256_GCM_SHA384 0x0300C051
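Review bot: The four GOST cipher-suite ids at lines 1548-1551 are named `TLS_GOSTR341112_256_WITH_...`, whereas every other suite constant in this header carries a `TLS1_CK_`/`TLS1_3_CK_` prefix (see the CCM entries immediately above); rename them, e.g. `# define TLS1_3_CK_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L 0x0300C103`, so they sort with the rest and are found by the same grep. The existing TLS 1.3 suites also have companion `TLS1_3_RFC_*` name strings elsewhere in this header; if the new suites are meant to be selectable by name, matching entries are presumably needed.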
1556 @@ -1135,8 +1141,10 @@
1557 # define TLS_CT_RSA_FIXED_ECDH 65
1558 # define TLS_CT_ECDSA_FIXED_ECDH 66
1559 # define TLS_CT_GOST01_SIGN 22
1560 -# define TLS_CT_GOST12_SIGN 238
1561 -# define TLS_CT_GOST12_512_SIGN 239
1562 +# define TLS_CT_GOST12_SIGN 67
1563 +# define TLS_CT_GOST12_512_SIGN 68
1564 +# define TLS_CT_GOST12_SIGN_LEGACY 238
1565 +# define TLS_CT_GOST12_512_SIGN_LEGACY 239
1568 * when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see
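Review bot: Changing the value of the existing public macros `TLS_CT_GOST12_SIGN` and `TLS_CT_GOST12_512_SIGN` (238/239 to 67/68 at lines 1560-1563) and adding two `_LEGACY` entries raises the number of certificate types by two, and the comment right below at line 1568 says `SSL3_CT_NUMBER` in ssl3.h must be corrected accordingly; ssl3.h is not part of this view, so please confirm it is updated in the same commit. A one-line comment above the block, e.g. `/* 67/68 are the registered values; 238/239 are kept as _LEGACY for older peers */`, would record why both sets exist.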
1569 Index: include/openssl/ssl.h
1570 ===================================================================
1571 --- include/openssl/ssl.h (revision 14523)
1572 +++ include/openssl/ssl.h (working copy)
1574 # define SSL_TXT_kECDHEPSK "kECDHEPSK"
1575 # define SSL_TXT_kDHEPSK "kDHEPSK"
1576 # define SSL_TXT_kGOST "kGOST"
1577 +# define SSL_TXT_kGOST18 "kGOST18"
1578 # define SSL_TXT_kSRP "kSRP"
1580 # define SSL_TXT_aRSA "aRSA"
1583 # define SSL_MAC_FLAG_READ_MAC_STREAM 1
1584 # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
1585 +# define SSL_MAC_FLAG_READ_MAC_TLSTREE 4
1586 +# define SSL_MAC_FLAG_WRITE_MAC_TLSTREE 8
1589 * A callback for logging out TLS key material. This callback should log out
1590 Index: include/openssl/obj_mac.h
1591 ===================================================================
1592 --- include/openssl/obj_mac.h (revision 14523)
1593 +++ include/openssl/obj_mac.h (working copy)
1594 @@ -4162,6 +4162,26 @@
1595 #define NID_id_GostR3410_2001_ParamSet_cc 854
1596 #define OBJ_id_GostR3410_2001_ParamSet_cc OBJ_cryptocom,1L,8L,1L
1598 +#define SN_id_tc26_modules "id-tc26-modules"
1599 +#define LN_id_tc26_modules "GOST TC26 ASN.1 modules"
1600 +#define NID_id_tc26_modules 1203
1601 +#define OBJ_id_tc26_modules OBJ_id_tc26,0L
1603 +#define SN_id_tc26_cms "id-tc26-cms"
1604 +#define LN_id_tc26_cms "GOST TC26 SMS"
1605 +#define NID_id_tc26_cms 1204
1606 +#define OBJ_id_tc26_cms OBJ_id_tc26_modules,6L
1608 +#define SN_id_tc26_cms_attrs "id-tc26-cms-attrs"
1609 +#define LN_id_tc26_cms_attrs "GOST TC26 SMS attributes"
1610 +#define NID_id_tc26_cms_attrs 1205
1611 +#define OBJ_id_tc26_cms_attrs OBJ_id_tc26_cms,1L
1613 +#define SN_id_tc26_mac_attr "id-tc26-mac-attr"
1614 +#define LN_id_tc26_mac_attr "GOST TC26 SMS content-mac attribute"
1615 +#define NID_id_tc26_mac_attr 1206
1616 +#define OBJ_id_tc26_mac_attr OBJ_id_tc26_cms_attrs,1L
1618 #define SN_id_tc26_algorithms "id-tc26-algorithms"
1619 #define NID_id_tc26_algorithms 977
1620 #define OBJ_id_tc26_algorithms OBJ_id_tc26,1L
1621 @@ -4230,25 +4250,25 @@
1622 #define NID_id_tc26_cipher_gostr3412_2015_magma 1173
1623 #define OBJ_id_tc26_cipher_gostr3412_2015_magma OBJ_id_tc26_cipher,1L
1625 -#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm "id-tc26-cipher-gostr3412-2015-magma-ctracpkm"
1626 -#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm 1174
1627 -#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm OBJ_id_tc26_cipher_gostr3412_2015_magma,1L
1628 +#define SN_magma_ctr_acpkm "magma-ctr-acpkm"
1629 +#define NID_magma_ctr_acpkm 1174
1630 +#define OBJ_magma_ctr_acpkm OBJ_id_tc26_cipher_gostr3412_2015_magma,1L
1632 -#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac "id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac"
1633 -#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac 1175
1634 -#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_magma,2L
1635 +#define SN_magma_ctr_acpkm_omac "magma-ctr-acpkm-omac"
1636 +#define NID_magma_ctr_acpkm_omac 1175
1637 +#define OBJ_magma_ctr_acpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_magma,2L
1639 #define SN_id_tc26_cipher_gostr3412_2015_kuznyechik "id-tc26-cipher-gostr3412-2015-kuznyechik"
1640 #define NID_id_tc26_cipher_gostr3412_2015_kuznyechik 1176
1641 #define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik OBJ_id_tc26_cipher,2L
1643 -#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm"
1644 -#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm 1177
1645 -#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,1L
1646 +#define SN_kuznyechik_ctr_acpkm "kuznyechik-ctr-acpkm"
1647 +#define NID_kuznyechik_ctr_acpkm 1177
1648 +#define OBJ_kuznyechik_ctr_acpkm OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,1L
1650 -#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac"
1651 -#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac 1178
1652 -#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,2L
1653 +#define SN_kuznyechik_ctr_acpkm_omac "kuznyechik-ctr-acpkm-omac"
1654 +#define NID_kuznyechik_ctr_acpkm_omac 1178
1655 +#define OBJ_kuznyechik_ctr_acpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,2L
1657 #define SN_id_tc26_agreement "id-tc26-agreement"
1658 #define NID_id_tc26_agreement 991
1659 @@ -4270,17 +4290,17 @@
1660 #define NID_id_tc26_wrap_gostr3412_2015_magma 1180
1661 #define OBJ_id_tc26_wrap_gostr3412_2015_magma OBJ_id_tc26_wrap,1L
1663 -#define SN_id_tc26_wrap_gostr3412_2015_magma_kexp15 "id-tc26-wrap-gostr3412-2015-magma-kexp15"
1664 -#define NID_id_tc26_wrap_gostr3412_2015_magma_kexp15 1181
1665 -#define OBJ_id_tc26_wrap_gostr3412_2015_magma_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_magma,1L
1666 +#define SN_magma_kexp15 "magma-kexp15"
1667 +#define NID_magma_kexp15 1181
1668 +#define OBJ_magma_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_magma,1L
1670 #define SN_id_tc26_wrap_gostr3412_2015_kuznyechik "id-tc26-wrap-gostr3412-2015-kuznyechik"
1671 #define NID_id_tc26_wrap_gostr3412_2015_kuznyechik 1182
1672 #define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik OBJ_id_tc26_wrap,2L
1674 -#define SN_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 "id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15"
1675 -#define NID_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 1183
1676 -#define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik,1L
1677 +#define SN_kuznyechik_kexp15 "kuznyechik-kexp15"
1678 +#define NID_kuznyechik_kexp15 1183
1679 +#define OBJ_kuznyechik_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik,1L
1681 #define SN_id_tc26_constants "id-tc26-constants"
1682 #define NID_id_tc26_constants 994
1683 @@ -4370,6 +4390,11 @@
1684 #define NID_SNILS 1006
1685 #define OBJ_SNILS OBJ_member_body,643L,100L,3L
1687 +#define SN_OGRNIP "OGRNIP"
1688 +#define LN_OGRNIP "OGRNIP"
1689 +#define NID_OGRNIP 1195
1690 +#define OBJ_OGRNIP OBJ_member_body,643L,100L,5L
1692 #define SN_subjectSignTool "subjectSignTool"
1693 #define LN_subjectSignTool "Signing Tool of Subject"
1694 #define NID_subjectSignTool 1007
1695 @@ -4380,24 +4405,62 @@
1696 #define NID_issuerSignTool 1008
1697 #define OBJ_issuerSignTool OBJ_member_body,643L,100L,112L
1699 -#define SN_grasshopper_ecb "grasshopper-ecb"
1700 -#define NID_grasshopper_ecb 1012
1701 +#define SN_classSignTool "classSignTool"
1702 +#define LN_classSignTool "Class of Signing Tool"
1703 +#define NID_classSignTool 1196
1704 +#define OBJ_classSignTool OBJ_member_body,643L,100L,113L
1706 -#define SN_grasshopper_ctr "grasshopper-ctr"
1707 -#define NID_grasshopper_ctr 1013
1708 +#define SN_classSignToolKC1 "classSignToolKC1"
1709 +#define LN_classSignToolKC1 "Class of Signing Tool KC1"
1710 +#define NID_classSignToolKC1 1197
1711 +#define OBJ_classSignToolKC1 OBJ_member_body,643L,100L,113L,1L
1713 -#define SN_grasshopper_ofb "grasshopper-ofb"
1714 -#define NID_grasshopper_ofb 1014
1715 +#define SN_classSignToolKC2 "classSignToolKC2"
1716 +#define LN_classSignToolKC2 "Class of Signing Tool KC2"
1717 +#define NID_classSignToolKC2 1198
1718 +#define OBJ_classSignToolKC2 OBJ_member_body,643L,100L,113L,2L
1720 -#define SN_grasshopper_cbc "grasshopper-cbc"
1721 -#define NID_grasshopper_cbc 1015
1722 +#define SN_classSignToolKC3 "classSignToolKC3"
1723 +#define LN_classSignToolKC3 "Class of Signing Tool KC3"
1724 +#define NID_classSignToolKC3 1199
1725 +#define OBJ_classSignToolKC3 OBJ_member_body,643L,100L,113L,3L
1727 -#define SN_grasshopper_cfb "grasshopper-cfb"
1728 -#define NID_grasshopper_cfb 1016
1729 +#define SN_classSignToolKB1 "classSignToolKB1"
1730 +#define LN_classSignToolKB1 "Class of Signing Tool KB1"
1731 +#define NID_classSignToolKB1 1200
1732 +#define OBJ_classSignToolKB1 OBJ_member_body,643L,100L,113L,4L
1734 -#define SN_grasshopper_mac "grasshopper-mac"
1735 -#define NID_grasshopper_mac 1017
1736 +#define SN_classSignToolKB2 "classSignToolKB2"
1737 +#define LN_classSignToolKB2 "Class of Signing Tool KB2"
1738 +#define NID_classSignToolKB2 1201
1739 +#define OBJ_classSignToolKB2 OBJ_member_body,643L,100L,113L,5L
1741 +#define SN_classSignToolKA1 "classSignToolKA1"
1742 +#define LN_classSignToolKA1 "Class of Signing Tool KA1"
1743 +#define NID_classSignToolKA1 1202
1744 +#define OBJ_classSignToolKA1 OBJ_member_body,643L,100L,113L,6L
1746 +#define SN_kuznyechik_ecb "kuznyechik-ecb"
1747 +#define NID_kuznyechik_ecb 1012
1749 +#define SN_kuznyechik_ctr "kuznyechik-ctr"
1750 +#define NID_kuznyechik_ctr 1013
1752 +#define SN_kuznyechik_ofb "kuznyechik-ofb"
1753 +#define NID_kuznyechik_ofb 1014
1755 +#define SN_kuznyechik_cbc "kuznyechik-cbc"
1756 +#define NID_kuznyechik_cbc 1015
1758 +#define SN_kuznyechik_cfb "kuznyechik-cfb"
1759 +#define NID_kuznyechik_cfb 1016
1761 +#define SN_kuznyechik_mac "kuznyechik-mac"
1762 +#define NID_kuznyechik_mac 1017
1764 +#define SN_kuznyechik_mgm "kuznyechik-mgm"
1765 +#define NID_kuznyechik_mgm 1207
1767 #define SN_magma_ecb "magma-ecb"
1768 #define NID_magma_ecb 1187
1770 @@ -4416,6 +4479,9 @@
1771 #define SN_magma_mac "magma-mac"
1772 #define NID_magma_mac 1192
1774 +#define SN_magma_mgm "magma-mgm"
1775 +#define NID_magma_mgm 1208
1777 #define SN_camellia_128_cbc "CAMELLIA-128-CBC"
1778 #define LN_camellia_128_cbc "camellia-128-cbc"
1779 #define NID_camellia_128_cbc 751
1780 @@ -5196,3 +5262,49 @@
1781 #define LN_uacurve9 "DSTU curve 9"
1782 #define NID_uacurve9 1169
1783 #define OBJ_uacurve9 OBJ_dstu4145le,2L,9L
1785 +#ifndef OPENSSL_NO_DEPRECATED_3_0
1787 +#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm SN_magma_ctr_acpkm
1788 +#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm NID_magma_ctr_acpkm
1789 +#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm OBJ_magma_ctr_acpkm
1791 +#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac SN_magma_ctr_acpkm_omac
1792 +#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac NID_magma_ctr_acpkm_omac
1793 +#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac OBJ_magma_ctr_acpkm_omac
1795 +#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm SN_kuznyechik_ctr_acpkm
1796 +#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm NID_kuznyechik_ctr_acpkm
1797 +#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm OBJ_kuznyechik_ctr_acpkm
1799 +#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac SN_kuznyechik_ctr_acpkm_omac
1800 +#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac NID_kuznyechik_ctr_acpkm_omac
1801 +#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac OBJ_kuznyechik_ctr_acpkm_omac
1803 +#define SN_id_tc26_wrap_gostr3412_2015_magma_kexp15 SN_magma_kexp15
1804 +#define NID_id_tc26_wrap_gostr3412_2015_magma_kexp15 NID_magma_kexp15
1805 +#define OBJ_id_tc26_wrap_gostr3412_2015_magma_kexp15 OBJ_magma_kexp15
1807 +#define SN_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 SN_kuznyechik_kexp15
1808 +#define NID_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 NID_kuznyechik_kexp15
1809 +#define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 OBJ_kuznyechik_kexp15
1811 +#define SN_grasshopper_ecb SN_kuznyechik_ecb
1812 +#define NID_grasshopper_ecb NID_kuznyechik_ecb
1814 +#define SN_grasshopper_ctr SN_kuznyechik_ctr
1815 +#define NID_grasshopper_ctr NID_kuznyechik_ctr
1817 +#define SN_grasshopper_ofb SN_kuznyechik_ofb
1818 +#define NID_grasshopper_ofb NID_kuznyechik_ofb
1820 +#define SN_grasshopper_cbc SN_kuznyechik_cbc
1821 +#define NID_grasshopper_cbc NID_kuznyechik_cbc
1823 +#define SN_grasshopper_cfb SN_kuznyechik_cfb
1824 +#define NID_grasshopper_cfb NID_kuznyechik_cfb
1826 +#define SN_grasshopper_mac SN_kuznyechik_mac
1827 +#define NID_grasshopper_mac NID_kuznyechik_mac
1830 Index: include/openssl/evp.h
1831 ===================================================================
1832 --- include/openssl/evp.h (revision 14523)
1833 +++ include/openssl/evp.h (working copy)
1835 # define EVP_MAX_KEY_LENGTH 64
1836 # define EVP_MAX_IV_LENGTH 16
1837 # define EVP_MAX_BLOCK_LENGTH 32
1838 +# define EVP_MAX_AEAD_TAG_LEN 16/* longest known AEAD tag size */
1840 +#define EVP_MAX_MAC_SIZE EVP_MAX_AEAD_TAG_LEN
1842 # define PKCS5_SALT_LEN 8
1843 /* Default PKCS#5 iteration count */
1844 # define PKCS5_DEFAULT_ITER 2048
1846 # define EVP_MD_CTRL_DIGALGID 0x1
1847 # define EVP_MD_CTRL_MICALG 0x2
1848 # define EVP_MD_CTRL_XOF_LEN 0x3
1849 +# define EVP_MD_CTRL_TLSTREE 0x4
1851 /* Minimum Algorithm specific ctrl value */
1854 # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
1855 # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0x400000
1856 /* Cipher can handle pipeline operations */
1857 -# define EVP_CIPH_FLAG_PIPELINE 0X800000
1859 +# define EVP_CIPH_FLAG_PIPELINE 0x800000
1860 +# define EVP_CIPH_FLAG_CIPHER_WITH_MAC 0x1000000
1861 +# define EVP_CIPH_FLAG_GET_WRAP_CIPHER 0X4000000
1863 * Cipher context flag to indicate we can handle wrap mode: if allowed in
1864 * older applications it could overflow buffers.
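Review bot: `EVP_CIPH_FLAG_GET_WRAP_CIPHER 0X4000000` at line 1861 uses an uppercase `X` in the very hunk that corrects `0X800000` to `0x800000` two lines earlier; the same slip appears at line 1873 (`EVP_CTRL_GET_WRAP_CIPHER 0X28`). `#define EVP_MAX_MAC_SIZE` at line 1840 and `#define EVP_CTRL_AEAD_MAX_TAG_LEN` at line 1872 drop the `# define` indentation every neighbouring macro uses, and `16/* longest known AEAD tag size */` at line 1838 needs a space before the comment. The flag value 0x2000000 is skipped between `CIPHER_WITH_MAC` and `GET_WRAP_CIPHER`; if it is reserved for something, a comment saying so prevents the next contributor from reusing it.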
1865 @@ -352,7 +357,21 @@
1866 # define EVP_CTRL_SET_PIPELINE_INPUT_LENS 0x24
1868 # define EVP_CTRL_GET_IVLEN 0x25
1869 +/* Indicates TLSTREE key diversification during TLS processing */
1870 +# define EVP_CTRL_TLSTREE 0x26
1872 +#define EVP_CTRL_AEAD_MAX_TAG_LEN 0x27
1873 +# define EVP_CTRL_GET_WRAP_CIPHER 0X28
1875 +# define EVP_CTRL_GET_MAC_LEN EVP_CTRL_AEAD_MAX_TAG_LEN
1876 +# define EVP_CTRL_GET_MAC EVP_CTRL_AEAD_GET_TAG
1877 +# define EVP_CTRL_SET_EXPECTED_MAC EVP_CTRL_AEAD_SET_TAG
1878 +/* GOST CMS requires processing unprotected attributes in some cases*/
1879 +# define EVP_CTRL_PROCESS_UNPROTECTED 0x29
1880 +/* Set GOST TLSTREE params */
1881 +# define EVP_CTRL_SET_TLSTREE_PARAMS 0x2A
1885 #define EVP_PADDING_PKCS7 1
1886 #define EVP_PADDING_ISO7816_4 2
1887 @@ -390,6 +409,10 @@
1888 /* Length of CCM8 tag for TLS */
1889 # define EVP_CCM8_TLS_TAG_LEN 8
1891 +/* GOST TLS 1.3 tag lengths */
1892 +# define EVP_MAGMA_TLS_TAG_LEN 8
1893 +# define EVP_KUZNYECHIK_TLS_TAG_LEN 16
1895 /* Length of tag for TLS */
1896 # define EVP_CHACHAPOLY_TLS_TAG_LEN 16
1898 @@ -1142,6 +1165,10 @@
1899 # define ASN1_PKEY_CTRL_SET1_TLS_ENCPT 0x9
1900 # define ASN1_PKEY_CTRL_GET1_TLS_ENCPT 0xa
1902 +// This control use for decryption
1903 +// when algorithm support multiple ri types
1904 +# define ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED 0xb
1906 int EVP_PKEY_asn1_get_count(void);
1907 const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx);
1908 const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pe, int type);
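Review bot: Lines 1902-1903 introduce `//` comments into a public header that is otherwise written with `/* */` comments, and installed OpenSSL headers are compiled by C89/C90 consumers where `//` is a syntax error. Replace the two lines with `/* Control used for decryption when the algorithm supports multiple RecipientInfo types */`, which also fixes the grammar of the original.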
1909 Index: include/openssl/cmserr.h
1910 ===================================================================
1911 --- include/openssl/cmserr.h (revision 14523)
1912 +++ include/openssl/cmserr.h (working copy)
1914 #ifndef HEADER_CMSERR_H
1915 # define HEADER_CMSERR_H
1917 -# ifndef HEADER_SYMHACKS_H
1918 -# include <openssl/symhacks.h>
1920 +# include <openssl/symhacks.h>
1922 # include <openssl/opensslconf.h>
1925 # define CMS_F_CMS_ADD0_RECIPIENT_KEY 100
1926 # define CMS_F_CMS_ADD0_RECIPIENT_PASSWORD 165
1927 # define CMS_F_CMS_ADD1_RECEIPTREQUEST 158
1928 +# define CMS_F_CMS_ADD1_RECIPIENT 181
1929 # define CMS_F_CMS_ADD1_RECIPIENT_CERT 101
1930 # define CMS_F_CMS_ADD1_SIGNER 102
1931 # define CMS_F_CMS_ADD1_SIGNINGTIME 103
1933 # define CMS_F_CMS_DECRYPT_SET1_KEY 113
1934 # define CMS_F_CMS_DECRYPT_SET1_PASSWORD 166
1935 # define CMS_F_CMS_DECRYPT_SET1_PKEY 114
1936 +# define CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER 182
1937 # define CMS_F_CMS_DIGESTALGORITHM_FIND_CTX 115
1938 # define CMS_F_CMS_DIGESTALGORITHM_INIT_BIO 116
1939 # define CMS_F_CMS_DIGESTEDDATA_DO_FINAL 117
1941 # define CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT 122
1942 # define CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY 123
1943 # define CMS_F_CMS_ENVELOPEDDATA_CREATE 124
1944 +# define CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO 184
1945 +# define CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO 185
1946 +# define CMS_F_CMS_ENVELOPEDDATA_FINAL 186
1947 # define CMS_F_CMS_ENVELOPEDDATA_INIT_BIO 125
1948 # define CMS_F_CMS_ENVELOPED_DATA_INIT 126
1949 # define CMS_F_CMS_ENV_ASN1_CTRL 171
1950 Index: include/openssl/x509v3err.h
1951 ===================================================================
1952 --- include/openssl/x509v3err.h (revision 14523)
1953 +++ include/openssl/x509v3err.h (working copy)
1955 # define X509V3_F_I2S_ASN1_ENUMERATED 121
1956 # define X509V3_F_I2S_ASN1_IA5STRING 149
1957 # define X509V3_F_I2S_ASN1_INTEGER 120
1958 +# define X509V3_F_I2S_ASN1_UTF8STRING 173
1959 # define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
1960 # define X509V3_F_LEVEL_ADD_NODE 168
1961 # define X509V3_F_NOTICE_SECTION 132
1963 # define X509V3_F_S2I_ASN1_IA5STRING 100
1964 # define X509V3_F_S2I_ASN1_INTEGER 108
1965 # define X509V3_F_S2I_ASN1_OCTET_STRING 112
1966 +# define X509V3_F_S2I_ASN1_UTF8STRING 174
1967 # define X509V3_F_S2I_SKEY_ID 115
1968 # define X509V3_F_SET_DIST_POINT_NAME 158
1969 # define X509V3_F_SXNET_ADD_ID_ASC 125
1970 Index: Configurations/unix-Makefile.tmpl
1971 ===================================================================
1972 --- Configurations/unix-Makefile.tmpl (revision 14523)
1973 +++ Configurations/unix-Makefile.tmpl (working copy)
1975 crypto/objects/obj_mac.num \
1976 crypto/objects/obj_xref.txt \
1977 > crypto/objects/obj_xref.h )
1978 + ( cd $(SRCDIR); cat crypto/objects/obj_compat.h >> include/openssl/obj_mac.h )
1980 generate_crypto_conf:
1981 ( cd $(SRCDIR); $(PERL) crypto/conf/keysets.pl \
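Review bot: The added `cat crypto/objects/obj_compat.h >> include/openssl/obj_mac.h` appends with `>>`, so its effect depends on obj_mac.h having been regenerated from scratch earlier in the same recipe; if that earlier step is ever skipped or the append is moved, each run adds another copy of obj_compat.h to the header. It also bypasses objects.pl, so anything derived from obj_mac.h before this line (obj_dat.h, if it is produced in this recipe) will not see the compatibility names. I would either fold the compatibility definitions into objects.txt so the generator emits them, or write the generator output and obj_compat.h into obj_mac.h in a single `>` redirect. The recipe this line belongs to starts outside the visible hunk.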
1982 Index: ssl/t1_trce.c
1983 ===================================================================
1984 --- ssl/t1_trce.c (revision 14523)
1985 +++ ssl/t1_trce.c (working copy)
1987 {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
1988 {0xFF85, "GOST2012-GOST8912-GOST8912"},
1989 {0xFF87, "GOST2012-NULL-GOST12"},
1990 + {0xC100, "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC"},
1991 + {0xC101, "GOST2012-MAGMA-MAGMAOMAC"},
1992 + {0xC102, "GOST2012-GOST8912-IANA"},
1995 /* Compression methods */
1996 @@ -522,6 +525,13 @@
1997 {28, "brainpoolP512r1"},
1998 {29, "ecdh_x25519"},
2011 {TLSEXT_SIGALG_dsa_sha1, "dsa_sha1"},
2012 {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"},
2013 {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"},
2014 + {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy, "gost2012_256"},
2015 + {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy, "gost2012_512"},
2016 {TLSEXT_SIGALG_gostr34102001_gostr3411, "gost2001_gost94"},
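Review bot: The two legacy entries added to the signature-algorithm trace table reuse the display names `gost2012_256` and `gost2012_512` of the entries directly above them, so a trace of a ClientHello cannot show whether the peer offered the 0x0840/0x0841 codepoints or the legacy 0xeeee/0xefef ones. Since the reason for keeping both is interoperability debugging, I would name them distinctly: `{TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy, "gost2012_256_legacy"},` and likewise `"gost2012_512_legacy"`. The table begins outside the visible hunk.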
2020 {20, "fortezza_dms"},
2022 {65, "rsa_fixed_ecdh"},
2023 - {66, "ecdsa_fixed_ecdh"}
2024 + {66, "ecdsa_fixed_ecdh"},
2025 + {67, "gost_sign256"},
2026 + {68, "gost_sign512"},
2029 static const ssl_trace_tbl ssl_psk_kex_modes_tbl[] = {
2030 @@ -1072,6 +1086,10 @@
2034 + if (alg_k & SSL_kGOST18) {
2035 + *pname = "GOST18";
2036 + return SSL_kGOST18;
2041 @@ -1114,7 +1132,16 @@
2042 if (!ssl_print_hexbuf(bio, indent + 2, "ecdh_Yc", 1, &msg, &msglen))
2046 +#ifndef OPENSSL_NO_GOST
2048 + ssl_print_hex(bio, indent + 2, "GOST-wrapped PreMasterSecret", msg, msglen);
2051 + ssl_print_hex(bio, indent + 2,
2052 + "GOST-wrapped PreMasterSecret", msg, msglen);
2059 Index: ssl/ssl_err.c
2060 ===================================================================
2061 --- ssl/ssl_err.c (revision 14523)
2062 +++ ssl/ssl_err.c (working copy)
2065 * Generated by util/mkerr.pl DO NOT EDIT
2066 - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
2067 + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
2069 * Licensed under the OpenSSL license (the "License"). You may not use
2070 * this file except in compliance with the License. You can obtain a copy
2072 "ossl_statem_server_post_process_message"},
2073 {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_POST_WORK, 0),
2074 "ossl_statem_server_post_work"},
2075 + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_PRE_WORK, 0),
2076 + "ossl_statem_server_pre_work"},
2077 {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE, 0),
2078 "ossl_statem_server_process_message"},
2079 {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, 0),
2081 "tls_construct_cke_ecdhe"},
2082 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_GOST, 0),
2083 "tls_construct_cke_gost"},
2084 + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_GOST18, 0),
2085 + "tls_construct_cke_gost18"},
2086 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 0),
2087 "tls_construct_cke_psk_preamble"},
2088 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_RSA, 0),
2090 "tls_process_cke_ecdhe"},
2091 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_GOST, 0),
2092 "tls_process_cke_gost"},
2093 + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_GOST18, 0),
2094 + "tls_process_cke_gost18"},
2095 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 0),
2096 "tls_process_cke_psk_preamble"},
2097 {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_RSA, 0),
2099 ===================================================================
2100 --- ssl/t1_lib.c (revision 14523)
2101 +++ ssl/t1_lib.c (working copy)
2102 @@ -169,6 +169,18 @@
2103 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
2104 {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
2105 {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
2106 +#ifndef OPENSSL_NO_GOST
2107 + {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 31 */
2108 + {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 32 */
2109 + {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 33 */
2110 + {NID_id_tc26_gost_3410_2012_256_paramSetA, 128, TLS_CURVE_GOST},
2111 + {NID_id_tc26_gost_3410_2012_256_paramSetB, 128, TLS_CURVE_GOST},
2112 + {NID_id_tc26_gost_3410_2012_256_paramSetC, 128, TLS_CURVE_GOST},
2113 + {NID_id_tc26_gost_3410_2012_256_paramSetD, 128, TLS_CURVE_GOST},
2114 + {NID_id_tc26_gost_3410_2012_512_paramSetA, 256, TLS_CURVE_GOST},
2115 + {NID_id_tc26_gost_3410_2012_512_paramSetB, 256, TLS_CURVE_GOST},
2116 + {NID_id_tc26_gost_3410_2012_512_paramSetC, 256, TLS_CURVE_GOST},
2120 static const unsigned char ecformats_default[] = {
2121 @@ -184,6 +196,15 @@
2123 25, /* secp521r1 (25) */
2124 24, /* secp384r1 (24) */
2125 +#ifndef OPENSSL_NO_GOST
2136 static const uint16_t suiteb_curves[] = {
2138 /* ECC curves from RFC 4492 and RFC 7027 */
2139 if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
2141 + if (nid_list[group_id - 1].nid == NID_undef)
2143 return &nid_list[group_id - 1];
2146 @@ -380,6 +403,33 @@
2147 int nid_arr[MAX_CURVELIST];
2150 +#ifndef OPENSSL_NO_GOST
2152 + const char *name; /* Name of GOST curve */
2153 + int nid; /* Curve NID */
2156 +static EC_GOST_NAME gost_curves[] = {
2157 + {"GC256A", NID_id_tc26_gost_3410_2012_256_paramSetA},
2158 + {"GC256B", NID_id_tc26_gost_3410_2012_256_paramSetB},
2159 + {"GC256C", NID_id_tc26_gost_3410_2012_256_paramSetC},
2160 + {"GC256D", NID_id_tc26_gost_3410_2012_256_paramSetD},
2161 + {"GC512A", NID_id_tc26_gost_3410_2012_512_paramSetA},
2162 + {"GC512B", NID_id_tc26_gost_3410_2012_512_paramSetB},
2163 + {"GC512C", NID_id_tc26_gost_3410_2012_512_paramSetC},
2166 +int GOST_curve2nid(const char *name)
2169 + for (i = 0; i < OSSL_NELEM(gost_curves); i++) {
2170 + if (strcmp(gost_curves[i].name, name) == 0)
2171 + return gost_curves[i].nid;
2177 static int nid_cb(const char *elem, int len, void *arg)
2179 nid_cb_st *narg = arg;
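Review bot: `GOST_curve2nid()` in this hunk is defined without `static` and `gost_curves[]` is `static` but not `const`, so a writable lookup table and a non-`ssl_`/`tls1_`-prefixed symbol become visible beyond this file even though the only visible caller is `nid_cb()` right below it. I would write `static const EC_GOST_NAME gost_curves[] = {` and `static int GOST_curve2nid(const char *name)`. The loop index declaration and the function's final return are not visible here, so I cannot confirm it returns `NID_undef` when no name matches, which the `if (nid == NID_undef)` chain in the next hunk relies on.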
2180 @@ -395,7 +445,12 @@
2181 memcpy(etmp, elem, len);
2183 nid = EC_curve_nist2nid(etmp);
2184 +#ifndef OPENSSL_NO_GOST
2185 + /* FIXME beldmit */
2186 if (nid == NID_undef)
2187 + nid = GOST_curve2nid(etmp);
2189 + if (nid == NID_undef)
2190 nid = OBJ_sn2nid(etmp);
2191 if (nid == NID_undef)
2192 nid = OBJ_ln2nid(etmp);
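Review bot: The `/* FIXME beldmit */` marker added above the `GOST_curve2nid()` fallback in `nid_cb()` says neither what is unfinished nor what would resolve it, and the same bare marker appears on the `SSL_kGOST18` row of the key-exchange table in ssl/ssl_ciph.c. A later reader cannot tell whether the concern is the lookup order, the `GC256A`-style mnemonics not being registered object short names, or something else. I would replace it with a comment stating the actual gap, e.g. `/* TODO: GOST group mnemonics are not OBJ short names, so they are resolved by table before OBJ_sn2nid() */`, or remove it once resolved.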
2193 @@ -670,8 +725,17 @@
2194 TLSEXT_SIGALG_dsa_sha512,
2196 #ifndef OPENSSL_NO_GOST
2197 + TLSEXT_SIGALG_gostr34102012_256a,
2198 + TLSEXT_SIGALG_gostr34102012_256b,
2199 + TLSEXT_SIGALG_gostr34102012_256c,
2200 + TLSEXT_SIGALG_gostr34102012_256d,
2201 + TLSEXT_SIGALG_gostr34102012_512a,
2202 + TLSEXT_SIGALG_gostr34102012_512b,
2203 + TLSEXT_SIGALG_gostr34102012_512c,
2204 TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
2205 TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
2206 + TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy,
2207 + TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy,
2208 TLSEXT_SIGALG_gostr34102001_gostr3411,
2211 @@ -758,6 +822,34 @@
2212 NID_dsaWithSHA1, NID_undef},
2214 #ifndef OPENSSL_NO_GOST
2215 + {"gostr34102012_256a", TLSEXT_SIGALG_gostr34102012_256a,
2216 + NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2217 + NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
2218 + NID_undef, NID_undef},
2219 + {"gostr34102012_256b", TLSEXT_SIGALG_gostr34102012_256b,
2220 + NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2221 + NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
2222 + NID_undef, NID_undef},
2223 + {"gostr34102012_256c", TLSEXT_SIGALG_gostr34102012_256c,
2224 + NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2225 + NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
2226 + NID_undef, NID_undef},
2227 + {"gostr34102012_256d", TLSEXT_SIGALG_gostr34102012_256d,
2228 + NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2229 + NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
2230 + NID_undef, NID_undef},
2231 + {"gostr34102012_512a", TLSEXT_SIGALG_gostr34102012_512a,
2232 + NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
2233 + NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
2234 + NID_undef, NID_undef},
2235 + {"gostr34102012_512b", TLSEXT_SIGALG_gostr34102012_512b,
2236 + NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
2237 + NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
2238 + NID_undef, NID_undef},
2239 + {"gostr34102012_512c", TLSEXT_SIGALG_gostr34102012_512c,
2240 + NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
2241 + NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
2242 + NID_undef, NID_undef},
2243 {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
2244 NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2245 NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
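Review bot: The seven per-parameter-set entries (`gostr34102012_256a` … `gostr34102012_512c`) all end with `NID_undef, NID_undef`, so if the final column is the curve NID that the ECDSA entries use to tie a signature scheme to the certificate's curve, nothing here binds e.g. `TLSEXT_SIGALG_gostr34102012_256a` to `NID_id_tc26_gost_3410_2012_256_paramSetA`. In that case a sigalg the peer advertised for parameter set A could be selected while signing with a key on set B, which defeats the purpose of having seven distinct codepoints. If the certificate-selection code understands the curve column for GOST keys (it is not in the visible hunks), I would fill it with the matching `NID_id_tc26_gost_3410_2012_*_paramSet*` value, e.g. `NID_undef, NID_id_tc26_gost_3410_2012_256_paramSetA},`; otherwise a comment recording that parameter-set binding is deliberately not enforced is needed.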
2246 @@ -766,6 +858,14 @@
2247 NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
2248 NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
2249 NID_undef, NID_undef},
2250 + {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy,
2251 + NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2252 + NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
2253 + NID_undef, NID_undef},
2254 + {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy,
2255 + NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
2256 + NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
2257 + NID_undef, NID_undef},
2258 {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
2259 NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
2260 NID_id_GostR3410_2001, SSL_PKEY_GOST01,
2261 @@ -886,6 +986,24 @@
2266 + * Here is another fallback: when broken implementations did not sent
2267 + * proper signature_algorithm extension, we try to use this function.
2269 + * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used
2270 + * with new (aGOST12-only) ciphersuites, we should find out which one is available really.
2272 + else if (idx == SSL_PKEY_GOST12_256) {
2275 + for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256;
2277 + if (s->cert->pkeys[real_idx].privatekey != NULL) {
2284 idx = s->cert->key - s->cert->pkeys;
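Review bot: The fallback loop added for peers that send no signature_algorithms tests only `s->cert->pkeys[real_idx].privatekey != NULL`, whereas libssl elsewhere in this patch (ssl/ssl_lib.c) selects certificates with `ssl_has_cert()`, which also requires the matching `x509` to be loaded. A slot with a private key but no certificate would be chosen here and fail later; `if (ssl_has_cert(s, real_idx)) {` keeps the check consistent. The loop also relies on `SSL_PKEY_GOST12_512` being numerically above `SSL_PKEY_GOST12_256` in the index enum, which deserves a one-line comment since the loop body and its `break` are not visible here. The comment text `did not sent` should read `did not send`.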
2286 @@ -1612,10 +1730,8 @@
2287 if (ssl_cert_is_disabled(lu->sig_idx))
2290 - if (lu->sig == NID_id_GostR3410_2012_256
2291 - || lu->sig == NID_id_GostR3410_2012_512
2292 - || lu->sig == NID_id_GostR3410_2001) {
2293 - /* We never allow GOST sig algs on the server with TLSv1.3 */
2294 + if (lu->sig == NID_id_GostR3410_2001) {
2295 + /* GOST sig algs on the server with TLSv1.3 are allowed for GOST2012 */
2296 if (s->server && SSL_IS_TLS13(s))
2299 @@ -1643,7 +1759,7 @@
2300 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
2303 - if ((c->algorithm_mkey & SSL_kGOST) != 0)
2304 + if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0)
2308 Index: ssl/ssl_local.h
2309 ===================================================================
2310 --- ssl/ssl_local.h (revision 14523)
2311 +++ ssl/ssl_local.h (working copy)
2313 # define SSL_kRSAPSK 0x00000040U
2314 # define SSL_kECDHEPSK 0x00000080U
2315 # define SSL_kDHEPSK 0x00000100U
2316 +/* GOST KDF key exchange, draft-smyshlyaev-tls12-gost-suites */
2317 +# define SSL_kGOST18 0x00000200U
2321 @@ -230,6 +232,10 @@
2322 # define SSL_CHACHA20POLY1305 0x00080000U
2323 # define SSL_ARIA128GCM 0x00100000U
2324 # define SSL_ARIA256GCM 0x00200000U
2325 +# define SSL_MAGMA 0x00400000U
2326 +# define SSL_KUZNYECHIK 0x00800000U
2327 +# define SSL_MAGMA_MGM 0x01000000U
2328 +# define SSL_KUZNYECHIK_MGM 0x02000000U
2330 # define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM)
2331 # define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
2333 # define SSL_GOST12_256 0x00000080U
2334 # define SSL_GOST89MAC12 0x00000100U
2335 # define SSL_GOST12_512 0x00000200U
2336 +# define SSL_MAGMAOMAC 0x00000400U
2337 +# define SSL_KUZNYECHIKOMAC 0x00000800U
2340 * When adding new digest in the ssl_ciph.c and increment SSL_MD_NUM_IDX make
2342 # define SSL_MD_MD5_SHA1_IDX 9
2343 # define SSL_MD_SHA224_IDX 10
2344 # define SSL_MD_SHA512_IDX 11
2345 -# define SSL_MAX_DIGEST 12
2346 +# define SSL_MD_MAGMAOMAC_IDX 12
2347 +# define SSL_MD_KUZNYECHIKOMAC_IDX 13
2348 +# define SSL_MAX_DIGEST 14
2350 /* Bits for algorithm2 (handshake digests and other extra flags) */
2352 @@ -299,6 +309,13 @@
2353 * goes into algorithm2)
2355 # define TLS1_STREAM_MAC 0x10000
2357 + * TLSTREE cipher/mac key derivation used for GOST TLS 1.2/1.3 ciphersuites
2358 + * (currently this also goes into algorithm2)
2360 +# define TLS1_TLSTREE 0x20000
2361 +# define TLS1_TLSTREE_S 0x40000
2362 +# define TLS1_TLSTREE_L 0x80000
2364 # define SSL_STRONG_MASK 0x0000001FU
2365 # define SSL_DEFAULT_MASK 0X00000020U
2366 @@ -1512,10 +1529,11 @@
2370 -# define TLS_CURVE_TYPE 0x3 /* Mask for group type */
2371 +# define TLS_CURVE_TYPE 0x7 /* Mask for group type */
2372 # define TLS_CURVE_PRIME 0x0
2373 # define TLS_CURVE_CHAR2 0x1
2374 # define TLS_CURVE_CUSTOM 0x2
2375 +# define TLS_CURVE_GOST 0x4
2377 typedef struct cert_pkey_st CERT_PKEY;
2379 @@ -2043,8 +2061,17 @@
2380 #define TLSEXT_SIGALG_dsa_sha512 0x0602
2381 #define TLSEXT_SIGALG_dsa_sha224 0x0302
2382 #define TLSEXT_SIGALG_dsa_sha1 0x0202
2383 -#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 0xeeee
2384 -#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 0xefef
2385 +#define TLSEXT_SIGALG_gostr34102012_256a 0x0709
2386 +#define TLSEXT_SIGALG_gostr34102012_256b 0x070A
2387 +#define TLSEXT_SIGALG_gostr34102012_256c 0x070B
2388 +#define TLSEXT_SIGALG_gostr34102012_256d 0x070C
2389 +#define TLSEXT_SIGALG_gostr34102012_512a 0x070D
2390 +#define TLSEXT_SIGALG_gostr34102012_512b 0x070E
2391 +#define TLSEXT_SIGALG_gostr34102012_512c 0x070F
2392 +#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 0x0840
2393 +#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 0x0841
2394 +#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy 0xeeee
2395 +#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy 0xefef
2396 #define TLSEXT_SIGALG_gostr34102001_gostr3411 0xeded
2398 #define TLSEXT_SIGALG_ed25519 0x0807
2399 Index: ssl/ssl_lib.c
2400 ===================================================================
2401 --- ssl/ssl_lib.c (revision 14523)
2402 +++ ssl/ssl_lib.c (working copy)
2403 @@ -3327,11 +3327,11 @@
2405 #ifndef OPENSSL_NO_GOST
2406 if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) {
2407 - mask_k |= SSL_kGOST;
2408 + mask_k |= SSL_kGOST | SSL_kGOST18;
2409 mask_a |= SSL_aGOST12;
2411 if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) {
2412 - mask_k |= SSL_kGOST;
2413 + mask_k |= SSL_kGOST | SSL_kGOST18;
2414 mask_a |= SSL_aGOST12;
2416 if (ssl_has_cert(s, SSL_PKEY_GOST01)) {
2417 Index: ssl/tls13_enc.c
2418 ===================================================================
2419 --- ssl/tls13_enc.c (revision 14523)
2420 +++ ssl/tls13_enc.c (working copy)
2421 @@ -421,6 +421,21 @@
2425 + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE) {
2427 + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE_S) {
2428 + res = EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_SET_TLSTREE_PARAMS, 0, "short");
2429 + } else if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE_L) {
2430 + res = EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_SET_TLSTREE_PARAMS, 0, "long");
2434 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
2442 OPENSSL_cleanse(key, sizeof(key));
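Review bot: In the TLSTREE branch added to derive_secret_key_and_iv, `res` is assigned only when `TLS1_TLSTREE_S` or `TLS1_TLSTREE_L` is set; a suite that sets `TLS1_TLSTREE` without either (the TLS 1.2 GOST suites in ssl/s3_lib.c do exactly that) would leave `res` at whatever it held before, and the lines that declare it and test it ahead of the `SSLfatal` are not visible here. The four TLS 1.3 suites all carry an `_S` or `_L` flag, so this is latent today, but an explicit `else { res = 0; }` turns a silent no-diversification into a hard error if a suite is ever added without one. Passing the string literals `"short"`/`"long"` as the ctrl pointer would also read better as a shared constant with the engine code that parses them. The enclosing function begins and ends outside the hunk.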
2443 Index: ssl/record/ssl3_record.c
2444 ===================================================================
2445 --- ssl/record/ssl3_record.c (revision 14523)
2446 +++ ssl/record/ssl3_record.c (working copy)
2448 unsigned char padval;
2450 const EVP_CIPHER *enc;
2451 + int tlstree_enc = (sending ? (s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
2452 + : (s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE));
2455 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
2456 @@ -1036,7 +1038,6 @@
2458 seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
2459 : RECORD_LAYER_get_read_sequence(&s->rlayer);
2461 if (SSL_IS_DTLS(s)) {
2462 /* DTLS does not support pipelining */
2463 unsigned char dtlsseq[9], *p = dtlsseq;
2464 @@ -1122,6 +1123,27 @@
2468 + if (!SSL_IS_DTLS(s) && tlstree_enc) {
2469 + unsigned char *seq;
2470 + int decrement_seq = 0;
2472 + * When sending, seq is incremented after MAC calculation.
2473 + * So if we are in ETM mode, we use seq 'as is' in the ctrl-function.
2474 + * Otherwise we have to decrease it in the implementation
2476 + if (sending && !SSL_WRITE_ETM(s))
2477 + decrement_seq = 1;
2479 + seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
2480 + : RECORD_LAYER_get_read_sequence(&s->rlayer);
2481 + if(EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_TLSTREE, decrement_seq, seq) <= 0)
2483 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
2484 + ERR_R_INTERNAL_ERROR);
2489 /* TODO(size_t): Convert this call */
2490 tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
2491 (unsigned int)reclen[0]);
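Review bot: The TLSTREE ctrl added before `EVP_Cipher()` in tls1_enc is skipped entirely under `!SSL_IS_DTLS(s)`, so if a TLSTREE suite could ever be negotiated over DTLS the record would be encrypted without the per-record key diversification rather than failing; the MAC path in the `@@ -1314` hunk (`!SSL_IS_DTLS(ssl) && tlstree_mac`) has the same shape. If DTLS negotiation of these suites is impossible by construction (the cipher table's DTLS version bounds are not visible here), a one-line comment saying so would help; otherwise the DTLS case should `SSLfatal` rather than proceed. Minor: `if(EVP_CIPHER_CTX_ctrl(` needs a space after `if`, and the `return` following the `SSLfatal` is not visible, so I cannot confirm the failure path leaves the function.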
2492 @@ -1287,6 +1309,8 @@
2493 unsigned char header[13];
2494 int stream_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
2495 : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
2496 + int tlstree_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
2497 + : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE));
2501 @@ -1314,6 +1338,11 @@
2505 + if (!SSL_IS_DTLS(ssl) && tlstree_mac && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) {
2506 + EVP_MD_CTX_free(hmac);
2510 if (SSL_IS_DTLS(ssl)) {
2511 unsigned char dtlsseq[8], *p = dtlsseq;
2513 Index: ssl/record/ssl3_record_tls13.c
2514 ===================================================================
2515 --- ssl/record/ssl3_record_tls13.c (revision 14523)
2516 +++ ssl/record/ssl3_record_tls13.c (working copy)
2517 @@ -107,6 +107,10 @@
2518 taglen = EVP_GCM_TLS_TAG_LEN;
2519 } else if (alg_enc & SSL_CHACHA20) {
2520 taglen = EVP_CHACHAPOLY_TLS_TAG_LEN;
2521 + } else if (alg_enc & SSL_MAGMA_MGM) {
2522 + taglen = EVP_MAGMA_TLS_TAG_LEN;
2523 + } else if (alg_enc & SSL_KUZNYECHIK_MGM) {
2524 + taglen = EVP_KUZNYECHIK_TLS_TAG_LEN;
2526 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC,
2527 ERR_R_INTERNAL_ERROR);
2528 @@ -135,6 +139,15 @@
2529 for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
2530 iv[offset + loop] = staticiv[offset + loop] ^ seq[loop];
2532 + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE) {
2533 + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_TLSTREE,
2535 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC,
2536 + ERR_R_INTERNAL_ERROR);
2541 /* Increment the sequence counter */
2542 for (loop = SEQ_NUM_SIZE; loop > 0; loop--) {
2544 Index: ssl/ssl_ciph.c
2545 ===================================================================
2546 --- ssl/ssl_ciph.c (revision 14523)
2547 +++ ssl/ssl_ciph.c (working copy)
2549 #define SSL_ENC_CHACHA_IDX 19
2550 #define SSL_ENC_ARIA128GCM_IDX 20
2551 #define SSL_ENC_ARIA256GCM_IDX 21
2552 -#define SSL_ENC_NUM_IDX 22
2553 +#define SSL_ENC_MAGMA_IDX 22
2554 +#define SSL_ENC_KUZNYECHIK_IDX 23
2555 +#define SSL_ENC_MAGMA_MGM_IDX 24
2556 +#define SSL_ENC_KUZNYECHIK_MGM_IDX 25
2557 +#define SSL_ENC_NUM_IDX 26
2559 /* NB: make sure indices in these tables match values above */
2562 {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */
2563 {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */
2564 {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */
2565 + {SSL_MAGMA, NID_magma_ctr_acpkm}, /* SSL_ENC_MAGMA_IDX */
2566 + {SSL_KUZNYECHIK, NID_kuznyechik_ctr_acpkm}, /* SSL_ENC_KUZNYECHIK_IDX */
2567 + {SSL_MAGMA_MGM, NID_magma_mgm}, /* SSL_ENC_MAGMA_MGM_IDX */
2568 + {SSL_KUZNYECHIK_MGM, NID_kuznyechik_mgm}, /* SSL_ENC_KUZNYECHIK_MGM_IDX */
2571 static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
2572 @@ -110,11 +118,13 @@
2573 {SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */
2574 {0, NID_md5_sha1}, /* SSL_MD_MD5_SHA1_IDX 9 */
2575 {0, NID_sha224}, /* SSL_MD_SHA224_IDX 10 */
2576 - {0, NID_sha512} /* SSL_MD_SHA512_IDX 11 */
2577 + {0, NID_sha512}, /* SSL_MD_SHA512_IDX 11 */
2578 + {SSL_MAGMAOMAC, NID_magma_mac}, /* SSL_MD_MAGMAOMAC_IDX */
2579 + {SSL_KUZNYECHIKOMAC, NID_kuznyechik_mac}, /* SSL_MD_KUZNYECHIKOMAC_IDX */
2582 static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
2583 - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
2584 + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
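Review bot: `ssl_digest_methods[SSL_MD_NUM_IDX]` is initialised with a hand-counted run of fourteen `NULL`s that must be bumped in step with `SSL_MAX_DIGEST`, and the same manual expansion is done for `ssl_mac_pkey_id` in the hunk below (`NID_undef, NID_undef, NID_undef, NID_undef, NID_undef`). An aggregate initialiser zero-fills the unnamed trailing elements, so `static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = { NULL };` gives the same contents for any array size and removes one place that must be edited when a digest is added. For `ssl_mac_pkey_id` only the explicit `EVP_PKEY_HMAC` prefix needs spelling out, since `NID_undef` is 0 and the trailing entries can be dropped the same way.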
2589 {SSL_kPSK, NID_kx_psk},
2590 {SSL_kSRP, NID_kx_srp},
2591 {SSL_kGOST, NID_kx_gost},
2592 + {SSL_kGOST18, NID_kx_gost},/* FIXME beldmit */
2593 {SSL_kANY, NID_kx_any}
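Review bot: Mapping `SSL_kGOST18` to `NID_kx_gost` in `ssl_cipher_table_kx` means `SSL_CIPHER_get_kx_nid()` reports the new KDF-based GOST exchange exactly like the legacy one, so applications cannot distinguish the two at runtime, and the `/* FIXME beldmit */` marker gives no hint of the intended resolution. If the intent is a dedicated object, the fix is a new key-exchange entry in crypto/objects/objects.txt and a row such as `{SSL_kGOST18, NID_kx_gost18},` (identifier constructed for illustration); if sharing the NID is deliberate, the comment should say so instead of FIXME.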
2597 EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
2600 - /* MD5/SHA1, SHA224, SHA512 */
2601 - NID_undef, NID_undef, NID_undef
2602 + /* MD5/SHA1, SHA224, SHA512, MAGMAOMAC, KUZNYECHIKOMAC */
2603 + NID_undef, NID_undef, NID_undef, NID_undef, NID_undef
2606 static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];
2608 {0, SSL_TXT_kDHEPSK, NULL, 0, SSL_kDHEPSK},
2609 {0, SSL_TXT_kSRP, NULL, 0, SSL_kSRP},
2610 {0, SSL_TXT_kGOST, NULL, 0, SSL_kGOST},
2611 + {0, SSL_TXT_kGOST18, NULL, 0, SSL_kGOST18},
2613 /* server authentication aliases */
2614 {0, SSL_TXT_aRSA, NULL, 0, 0, SSL_aRSA},
2616 {0, SSL_TXT_IDEA, NULL, 0, 0, 0, SSL_IDEA},
2617 {0, SSL_TXT_SEED, NULL, 0, 0, 0, SSL_SEED},
2618 {0, SSL_TXT_eNULL, NULL, 0, 0, 0, SSL_eNULL},
2619 - {0, SSL_TXT_GOST, NULL, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12},
2620 + {0, SSL_TXT_GOST, NULL, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12 | SSL_MAGMA | SSL_KUZNYECHIK},
2621 {0, SSL_TXT_AES128, NULL, 0, 0, 0,
2622 SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8},
2623 {0, SSL_TXT_AES256, NULL, 0, 0, 0,
2625 * Check for presence of GOST 34.10 algorithms, and if they are not
2626 * present, disable appropriate auth and key exchange
2628 - ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");
2629 + ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id(SN_id_Gost28147_89_MAC);
2630 if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX])
2631 ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
2633 @@ -426,17 +438,31 @@
2634 disabled_mac_mask |= SSL_GOST89MAC;
2636 ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] =
2637 - get_optional_pkey_id("gost-mac-12");
2638 + get_optional_pkey_id(SN_gost_mac_12);
2639 if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX])
2640 ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;
2642 disabled_mac_mask |= SSL_GOST89MAC12;
2644 - if (!get_optional_pkey_id("gost2001"))
2645 + ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX] =
2646 + get_optional_pkey_id(SN_magma_mac);
2647 + if (ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX])
2648 + ssl_mac_secret_size[SSL_MD_MAGMAOMAC_IDX] = 32;
2650 + disabled_mac_mask |= SSL_MAGMAOMAC;
2652 + ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX] =
2653 + get_optional_pkey_id(SN_kuznyechik_mac);
2654 + if (ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX])
2655 + ssl_mac_secret_size[SSL_MD_KUZNYECHIKOMAC_IDX] = 32;
2657 + disabled_mac_mask |= SSL_KUZNYECHIKOMAC;
2659 + if (!get_optional_pkey_id(SN_id_GostR3410_2001))
2660 disabled_auth_mask |= SSL_aGOST01 | SSL_aGOST12;
2661 - if (!get_optional_pkey_id("gost2012_256"))
2662 + if (!get_optional_pkey_id(SN_id_GostR3410_2012_256))
2663 disabled_auth_mask |= SSL_aGOST12;
2664 - if (!get_optional_pkey_id("gost2012_512"))
2665 + if (!get_optional_pkey_id(SN_id_GostR3410_2012_512))
2666 disabled_auth_mask |= SSL_aGOST12;
2668 * Disable GOST key exchange if no GOST signature algs are available *
2670 (SSL_aGOST01 | SSL_aGOST12))
2671 disabled_mkey_mask |= SSL_kGOST;
2673 + if ((disabled_auth_mask & SSL_aGOST12) == SSL_aGOST12)
2674 + disabled_mkey_mask |= SSL_kGOST18;
2679 @@ -1686,6 +1715,9 @@
2689 @@ -1789,6 +1821,14 @@
2690 case SSL_eGOST2814789CNT12:
2691 enc = "GOST89(256)";
2694 + case SSL_MAGMA_MGM:
2697 + case SSL_KUZNYECHIK:
2698 + case SSL_KUZNYECHIK_MGM:
2699 + enc = "KUZNYECHIK";
2701 case SSL_CHACHA20POLY1305:
2702 enc = "CHACHA20/POLY1305(256)";
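Review bot: In `SSL_CIPHER_description()` the `SSL_KUZNYECHIK` and `SSL_KUZNYECHIK_MGM` cases share the single string `"KUZNYECHIK"`, and the `SSL_MAGMA_MGM` case appears to follow the same pattern (its `enc =` line is not visible here), so `openssl ciphers -v` prints the CTR-ACPKM TLS 1.2 suites and the MGM AEAD TLS 1.3 suites identically. Following the existing `GOST89(256)` / `CHACHA20/POLY1305(256)` style I would split them, e.g. `case SSL_KUZNYECHIK_MGM: enc = "KUZNYECHIK-MGM(256)"; break;`. The switch begins outside the hunk.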
2705 ===================================================================
2706 --- ssl/t1_enc.c (revision 14523)
2707 +++ ssl/t1_enc.c (working copy)
2708 @@ -113,6 +113,11 @@
2710 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
2712 + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE)
2713 + s->mac_flags |= SSL_MAC_FLAG_READ_MAC_TLSTREE;
2715 + s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_TLSTREE;
2717 if (s->enc_read_ctx != NULL) {
2719 } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) {
2720 @@ -160,6 +165,11 @@
2721 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
2723 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
2725 + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE)
2726 + s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_TLSTREE;
2728 + s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_TLSTREE;
2729 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) {
2731 } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) {
2732 @@ -298,11 +308,11 @@
2736 - if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
2737 - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
2738 - ERR_R_INTERNAL_ERROR);
2741 + if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
2742 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
2743 + ERR_R_INTERNAL_ERROR);
2747 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
2748 if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size
2749 @@ -438,7 +448,11 @@
2752 unsigned char hash[EVP_MAX_MD_SIZE];
2753 + size_t finished_size = TLS1_FINISH_MAC_LENGTH;
2755 + if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kGOST18)
2756 + finished_size = 32;
2758 if (!ssl3_digest_cached_records(s, 0)) {
2759 /* SSLfatal() already called */
2761 @@ -451,12 +465,12 @@
2763 if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0,
2764 s->session->master_key, s->session->master_key_length,
2765 - out, TLS1_FINISH_MAC_LENGTH, 1)) {
2766 + out, finished_size, 1)) {
2767 /* SSLfatal() already called */
2770 OPENSSL_cleanse(hash, hashlen);
2771 - return TLS1_FINISH_MAC_LENGTH;
2772 + return finished_size;
2775 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
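Review bot: `finished_size = 32` in tls1_final_finish_mac is a bare magic number standing next to the named `TLS1_FINISH_MAC_LENGTH`; a `# define TLS1_FINISH_MAC_LENGTH_GOST18 32` (name constructed) in ssl_local.h with a comment citing the draft clause that fixes the GOST18 Finished length would make the intent checkable. The function now writes `finished_size` bytes into `out`, and the callers' buffers are not visible in this patch, so it is worth confirming each is at least 32 bytes (the `finish_md` fields in this code base appear to be sized from `EVP_MAX_MD_SIZE`, so this is probably fine). The declaration hunk `@@ -438` and this one belong to the same function, whose start is outside the visible lines.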
2777 ===================================================================
2778 --- ssl/s3_lib.c (revision 14523)
2779 +++ ssl/s3_lib.c (working copy)
2780 @@ -111,7 +111,74 @@
2781 SSL_HANDSHAKE_MAC_SHA256,
2786 +#ifndef OPENSSL_NO_GOST
2787 +/* https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites */
2790 + "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", /* FIXME */
2791 + "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", /* FIXME */
2792 + TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L,
2795 + SSL_KUZNYECHIK_MGM,
2797 + TLS1_3_VERSION, TLS1_3_VERSION,
2800 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_L,
2806 + "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", /* FIXME */
2807 + "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", /* FIXME */
2808 + TLS_GOSTR341112_256_WITH_MAGMA_MGM_L,
2813 + TLS1_3_VERSION, TLS1_3_VERSION,
2816 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_L,
2822 + "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", /* FIXME */
2823 + "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", /* FIXME */
2824 + TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S,
2827 + SSL_KUZNYECHIK_MGM,
2829 + TLS1_3_VERSION, TLS1_3_VERSION,
2832 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_S,
2838 + "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", /* FIXME */
2839 + "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", /* FIXME */
2840 + TLS_GOSTR341112_256_WITH_MAGMA_MGM_S,
2845 + TLS1_3_VERSION, TLS1_3_VERSION,
2848 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_S,
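Review bot: All four TLS 1.3 GOST suites carry `/* FIXME */` on both name columns without saying what is unresolved; using the IETF-style string (`TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L`) for both the OpenSSL name and the standard name is what the existing TLS 1.3 suites such as `TLS_AES_256_GCM_SHA384` already do, so the naming itself looks consistent. If the open question is whether the draft's names are final, the marker should say so, e.g. `/* name per draft-smyshlyaev-tls13-gost-suites; revisit when published */`, and otherwise it should be removed before merge. The `SSL_MAGMA_MGM` cipher fields of the two Magma suites are not visible here, so I cannot confirm they mirror the Kuznyechik entries.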
2856 @@ -2665,6 +2732,54 @@
2862 + "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC",
2868 + SSL_KUZNYECHIKOMAC,
2869 + TLS1_2_VERSION, TLS1_2_VERSION,
2872 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_TLSTREE,
2878 + "GOST2012-MAGMA-MAGMAOMAC",
2885 + TLS1_2_VERSION, TLS1_2_VERSION,
2888 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_TLSTREE,
2894 + "GOST2012-GOST8912-IANA",
2898 + SSL_aGOST12 | SSL_aGOST01,
2899 + SSL_eGOST2814789CNT12,
2901 + TLS1_VERSION, TLS1_2_VERSION,
2904 + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
2908 #endif /* OPENSSL_NO_GOST */
2910 #ifndef OPENSSL_NO_IDEA
2911 @@ -4348,6 +4463,11 @@
2912 if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST))
2913 return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN)
2914 && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN)
2915 + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN)
2916 + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN_LEGACY)
2917 + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN_LEGACY);
2918 + if (s->version >= TLS1_2_VERSION && (alg_k & SSL_kGOST18))
2919 + return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN)
2920 && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN);
2923 @@ -4695,6 +4815,52 @@
2926 #ifndef OPENSSL_NO_EC
2927 +#ifndef OPENSSL_NO_GOST
2929 +typedef struct tls_gost_group_param_st {
2930 + int nid; /* Curve params NID */
2931 + int alg_nid; /* GOST algorithm nid */
2932 + const char *params; /* GOST paramset mnemonics */
2933 +} TLS_GOST_GROUP_PARAM;
2935 +TLS_GOST_GROUP_PARAM gost_param[] = {
2936 + {NID_id_tc26_gost_3410_2012_256_paramSetA, NID_id_GostR3410_2012_256, "TCA"},
2937 + {NID_id_tc26_gost_3410_2012_256_paramSetB, NID_id_GostR3410_2012_256, "TCB"},
2938 + {NID_id_tc26_gost_3410_2012_256_paramSetC, NID_id_GostR3410_2012_256, "TCC"},
2939 + {NID_id_tc26_gost_3410_2012_256_paramSetD, NID_id_GostR3410_2012_256, "TCD"},
2940 + {NID_id_tc26_gost_3410_2012_512_paramSetA, NID_id_GostR3410_2012_512, "A"},
2941 + {NID_id_tc26_gost_3410_2012_512_paramSetB, NID_id_GostR3410_2012_512, "B"},
2942 + {NID_id_tc26_gost_3410_2012_512_paramSetC, NID_id_GostR3410_2012_512, "C"},
2945 +static EVP_PKEY_CTX *gost_pkey_nid2ctx(int nid)
2948 + TLS_GOST_GROUP_PARAM *pGostParam = NULL;
2949 + EVP_PKEY_CTX *pctx = NULL;
2951 + for (i = 0; i < OSSL_NELEM(gost_param); i++) {
2952 + if (gost_param[i].nid == nid) {
2953 + pGostParam = gost_param + i;
2958 + if (pGostParam == NULL) {
2962 + pctx = EVP_PKEY_CTX_new_id(pGostParam->alg_nid, NULL);
2964 + || EVP_PKEY_CTX_ctrl_str(pctx, "paramset", pGostParam->params) <= 0) {
2965 + EVP_PKEY_CTX_free(pctx);
2973 /* Generate a private key from a group ID */
2974 EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
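Review bot: The `gost_param` table at 2935 is a writable, externally visible global even though it is only read by the file-local `gost_pkey_nid2ctx`; it should be `static const TLS_GOST_GROUP_PARAM gost_param[] = {` with the lookup pointer at 2948 becoming `const TLS_GOST_GROUP_PARAM *pGostParam = NULL;`, so the curve-to-algorithm mapping lands in read-only data and does not leak a symbol. The NULL return of `gost_pkey_nid2ctx` covers three distinct cases (nid not in the table, `EVP_PKEY_CTX_new_id` failing, the `"paramset"` ctrl failing) and nothing distinguishes them for the caller; a one-line comment above 2945 stating that the function returns NULL for an unknown nid as well as on allocation/ctrl failure would make that contract explicit. Lines 2946-2947 and 2954-2961 (the loop index declaration and the not-found return) are not shown here, so the loop body is reviewed as cut.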
2976 @@ -4711,8 +4877,13 @@
2977 gtype = ginf->flags & TLS_CURVE_TYPE;
2978 if (gtype == TLS_CURVE_CUSTOM)
2979 pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL);
2980 +#ifndef OPENSSL_NO_GOST
2981 + else if (gtype == TLS_CURVE_GOST)
2982 + pctx = gost_pkey_nid2ctx(ginf->nid);
2985 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
2988 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
2989 ERR_R_MALLOC_FAILURE);
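Review bot: With the new `TLS_CURVE_GOST` branch at 2981-2982 the NULL check that reports `ERR_R_MALLOC_FAILURE` at 2988-2989 now also fires when `gost_pkey_nid2ctx` rejects an unknown nid or its paramset ctrl fails, which is not an allocation failure and will mislead anyone reading the error queue. Giving the GOST branch its own check, `if (pctx == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, ERR_R_INTERNAL_ERROR); goto err; }`, before falling through to the shared check keeps the malloc reason accurate; the jump label and the `#endif`/`else` at 2983-2984 are outside this view, so the exact placement needs confirming in the full function.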
2990 @@ -4723,7 +4894,7 @@
2994 - if (gtype != TLS_CURVE_CUSTOM
2995 + if (gtype != TLS_CURVE_CUSTOM && gtype != TLS_CURVE_GOST
2996 && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) {
2997 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
2999 @@ -4761,13 +4932,21 @@
3003 +#ifndef OPENSSL_NO_GOST
3004 + if ((ginf->flags & TLS_CURVE_TYPE) == TLS_CURVE_GOST)
3005 + pctx = gost_pkey_nid2ctx(ginf->nid);
3008 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
3012 if (EVP_PKEY_paramgen_init(pctx) <= 0)
3014 - if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0)
3015 + if ((ginf->flags & TLS_CURVE_TYPE) != TLS_CURVE_GOST) {
3016 + if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0)
3019 if (EVP_PKEY_paramgen(pctx, &pkey) <= 0) {
3020 EVP_PKEY_free(pkey);
3022 Index: ssl/statem/statem_lib.c
3023 ===================================================================
3024 --- ssl/statem/statem_lib.c (revision 14523)
3025 +++ ssl/statem/statem_lib.c (working copy)
3027 md == NULL ? "n/a" : EVP_MD_name(md));
3030 - /* Check for broken implementations of GOST ciphersuites */
3032 * If key is GOST and len is exactly 64 or 128, it is signature without
3033 * length field (CryptoPro implementations at least till TLS 1.2)
3034 @@ -1527,8 +1526,6 @@
3036 case SSL_PKEY_DSA_SIGN:
3037 case SSL_PKEY_GOST01:
3038 - case SSL_PKEY_GOST12_256:
3039 - case SSL_PKEY_GOST12_512:
3043 Index: ssl/statem/statem_srvr.c
3044 ===================================================================
3045 --- ssl/statem/statem_srvr.c (revision 14523)
3046 +++ ssl/statem/statem_srvr.c (working copy)
3047 @@ -3446,6 +3446,93 @@
3051 +static int tls_process_cke_gost18(SSL *s, PACKET *pkt)
3052 +{/* FIXME beldmit - function id to be renamed either*/
3053 +#ifndef OPENSSL_NO_GOST
3054 + unsigned char rnd_dgst[32];
3055 + EVP_PKEY_CTX *pkey_ctx = NULL;
3056 + EVP_PKEY *pk = NULL;
3057 + unsigned char premaster_secret[32];
3058 + const unsigned char *start = NULL;
3059 + size_t outlen = 32, inlen = 0;
3061 + int cipher_nid = gost18_cke_cipher_nid(s);
3063 + if (cipher_nid == NID_undef) {
3064 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3065 + ERR_R_INTERNAL_ERROR);
3069 + if (gost_ukm(s, rnd_dgst) <= 0) {
3070 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3071 + ERR_R_INTERNAL_ERROR);
3075 + /* Get our certificate private key */
3076 + pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey
3077 + ? s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey : s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
3079 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3080 + SSL_R_BAD_HANDSHAKE_STATE);
3084 + pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
3085 + if (pkey_ctx == NULL) {
3086 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3087 + ERR_R_MALLOC_FAILURE);
3090 + if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
3091 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3092 + ERR_R_INTERNAL_ERROR);
3096 + * Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code depending on size
3098 + if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
3099 + EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) < 0) {
3100 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3101 + SSL_R_LIBRARY_BUG);
3105 + if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
3106 + EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) < 0) {
3107 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3108 + SSL_R_LIBRARY_BUG);
3111 + inlen = PACKET_remaining(pkt);
3112 + start = PACKET_data(pkt);
3114 + if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
3116 + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3117 + SSL_R_DECRYPTION_FAILED);
3120 + /* Generate master secret */
3121 + if (!ssl_generate_master_secret(s, premaster_secret,
3122 + sizeof(premaster_secret), 0)) {
3123 + /* SSLfatal() already called */
3128 + EVP_PKEY_CTX_free(pkey_ctx);
3131 + /* Should never happen */
3132 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3133 + ERR_R_INTERNAL_ERROR);
3138 MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
3140 unsigned long alg_k;
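Review bot: After `EVP_PKEY_decrypt` at 3114 the returned `outlen` is never compared against `sizeof(premaster_secret)`, yet 3121-3122 derive the master secret from the full 32-byte stack buffer, so a shorter plaintext would pull uninitialized stack bytes into the master secret; add `if (outlen != sizeof(premaster_secret)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18, SSL_R_DECRYPTION_FAILED); goto err; }` before the derivation (the jump target at 3118 is not shown, I am assuming an `err` label as in `tls_process_cke_gost`). On the decryption-failure path at 3116 `premaster_secret` is also left uncleansed although the engine may have written partial output into it; an `OPENSSL_cleanse(premaster_secret, sizeof(premaster_secret));` on the error path would match how `pms` is handled with `OPENSSL_clear_free` in the client-side counterpart. The `/* FIXME beldmit - function id to be renamed either*/` glued to the opening brace at 3052, and the `/* FIXME beldmit GOST */` markers added in extensions_srvr.c at 3162 and 3181, read as work-in-progress notes and should be resolved or replaced by a specific TODO before this is merged.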
3141 @@ -3496,6 +3583,11 @@
3142 /* SSLfatal() already called */
3145 + } else if (alg_k & SSL_kGOST18) {
3146 + if (!tls_process_cke_gost18(s, pkt)) {
3147 + /* SSLfatal() already called */
3151 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3152 SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
3153 Index: ssl/statem/extensions_srvr.c
3154 ===================================================================
3155 --- ssl/statem/extensions_srvr.c (revision 14523)
3156 +++ ssl/statem/extensions_srvr.c (working copy)
3159 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
3162 +/* FIXME beldmit GOST */
3164 if (s->s3->peer_tmp != NULL) {
3165 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
3166 @@ -1623,7 +1623,9 @@
3167 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
3168 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
3169 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
3170 - || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
3171 + || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
3172 + || s->s3->tmp.new_cipher->algorithm_enc == SSL_MAGMA
3173 + || s->s3->tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
3175 return EXT_RETURN_NOT_SENT;
3177 @@ -1682,6 +1684,7 @@
3178 unsigned int context, X509 *x,
3181 +/* FIXME beldmit GOST */
3182 #ifndef OPENSSL_NO_TLS1_3
3183 unsigned char *encodedPoint;
3184 size_t encoded_pt_len = 0;
3185 Index: ssl/statem/statem_local.h
3186 ===================================================================
3187 --- ssl/statem/statem_local.h (revision 14523)
3188 +++ ssl/statem/statem_local.h (working copy)
3189 @@ -153,6 +153,11 @@
3190 __owur int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt);
3191 MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt);
3193 +#ifndef OPENSSL_NO_GOST
3194 +/* These functions are used in GOST18 CKE, both for client and server */
3195 +int gost18_cke_cipher_nid(const SSL *s);
3196 +int gost_ukm(const SSL *s, unsigned char *dgst_buf);
3199 /* Extension processing */
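Review bot: The prototype `int gost_ukm(const SSL *s, unsigned char *dgst_buf);` at 3196 takes an output buffer with no length parameter, so the header should state the contract the callers rely on; a comment such as `/* Writes the 256-bit GOST R 34.11-2012 digest of client_random || server_random into dgst_buf, which must hold at least 32 bytes; returns > 0 on success, <= 0 on error. */` would document what `rnd_dgst[32]` in both callers silently assumes. Both new declarations also lack the `__owur` that the neighbouring `tls_construct_new_session_ticket` carries, although every caller checks their result; `__owur int gost18_cke_cipher_nid(const SSL *s);` and `__owur int gost_ukm(...)` keep the file's convention and let the compiler catch an ignored failure.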
3201 Index: ssl/statem/statem_clnt.c
3202 ===================================================================
3203 --- ssl/statem/statem_clnt.c (revision 14523)
3204 +++ ssl/statem/statem_clnt.c (working copy)
3205 @@ -3280,6 +3280,144 @@
3209 +#ifndef OPENSSL_NO_GOST
3210 +int gost18_cke_cipher_nid(const SSL *s)
3212 + if ((s->s3->tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0)
3213 + return NID_magma_ctr;
3214 + else if ((s->s3->tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0)
3215 + return NID_kuznyechik_ctr;
3220 +int gost_ukm(const SSL *s, unsigned char *dgst_buf)
3222 + EVP_MD_CTX * hash = NULL;
3223 + unsigned int md_len;
3225 + hash = EVP_MD_CTX_new();
3227 + || EVP_DigestInit(hash, EVP_get_digestbynid(NID_id_GostR3411_2012_256)) <= 0
3228 + || EVP_DigestUpdate(hash, s->s3->client_random, SSL3_RANDOM_SIZE) <= 0
3229 + || EVP_DigestUpdate(hash, s->s3->server_random, SSL3_RANDOM_SIZE) <= 0
3230 + || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) {
3231 + EVP_MD_CTX_free(hash);
3234 + EVP_MD_CTX_free(hash);
3240 +static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt)
3242 +#ifndef OPENSSL_NO_GOST
3243 + /* GOST 2018 key exchange message creation */
3244 + unsigned char rnd_dgst[32], tmp[255];
3245 + EVP_PKEY_CTX *pkey_ctx = NULL;
3247 + unsigned char *pms = NULL;
3248 + size_t pmslen = 0;
3250 + int cipher_nid = gost18_cke_cipher_nid(s);
3252 + if (cipher_nid == NID_undef) {
3253 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3254 + ERR_R_INTERNAL_ERROR);
3258 + if (gost_ukm(s, rnd_dgst) <= 0) {
3259 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3260 + ERR_R_INTERNAL_ERROR);
3264 + /* Pre-master secret - random bytes */
3266 + pms = OPENSSL_malloc(pmslen);
3267 + if (pms == NULL) {
3268 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3269 + ERR_R_MALLOC_FAILURE);
3273 + if (RAND_bytes(pms, (int)pmslen) <= 0) {
3274 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3275 + ERR_R_INTERNAL_ERROR);
3280 + * Get server certificate PKEY and create ctx from it
3282 + peer_cert = s->session->peer;
3284 + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3285 + SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
3289 + pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
3290 + if (pkey_ctx == NULL) {
3291 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3292 + ERR_R_MALLOC_FAILURE);
3296 + if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 ) {
3297 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3298 + ERR_R_INTERNAL_ERROR);
3303 + * Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code
3305 + if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3306 + EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) < 0) {
3307 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3308 + SSL_R_LIBRARY_BUG);
3312 + if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3313 + EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) < 0) {
3314 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3315 + SSL_R_LIBRARY_BUG);
3320 + if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
3321 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3322 + SSL_R_LIBRARY_BUG);
3326 + if (!WPACKET_memcpy(pkt, tmp, msglen)) {
3327 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3328 + ERR_R_INTERNAL_ERROR);
3332 + EVP_PKEY_CTX_free(pkey_ctx);
3333 + s->s3->tmp.pms = pms;
3334 + s->s3->tmp.pmslen = pmslen;
3337 + EVP_PKEY_CTX_free(pkey_ctx);
3338 + OPENSSL_clear_free(pms, pmslen);
3341 + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3342 + ERR_R_INTERNAL_ERROR);
3347 static int tls_construct_cke_srp(SSL *s, WPACKET *pkt)
3349 #ifndef OPENSSL_NO_SRP
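Review bot: `EVP_PKEY_encrypt` at 3320 writes into the fixed `tmp[255]` and relies on `msglen` holding the buffer size on entry, but the line that sets it (3319) is not in this view; please confirm it is `msglen = sizeof(tmp);` immediately before the call rather than a value carried over from an earlier statement, since an oversized `msglen` would let the engine write past `tmp`. In `gost_ukm` the `md_len` filled by `EVP_DigestFinal_ex` at 3230 is discarded while the callers reserve exactly 32 bytes in `rnd_dgst`; checking `if (md_len != 32) return 0;` after the digest (before the `EVP_MD_CTX_free` at 3234) would catch an engine returning a digest of a different length. Minor style: `EVP_MD_CTX * hash` at 3222 and `<= 0 )` at 3296 differ from the `EVP_MD_CTX *hash` and `<= 0)` spacing used elsewhere in the file.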
3350 @@ -3336,6 +3474,9 @@
3351 } else if (alg_k & SSL_kGOST) {
3352 if (!tls_construct_cke_gost(s, pkt))
3354 + } else if (alg_k & SSL_kGOST18) {
3355 + if (!tls_construct_cke_gost18(s, pkt))
3357 } else if (alg_k & SSL_kSRP) {
3358 if (!tls_construct_cke_srp(s, pkt))
3360 Index: util/libcrypto.num
3361 ===================================================================
3362 --- util/libcrypto.num (revision 14523)
3363 +++ util/libcrypto.num (working copy)
3364 @@ -4587,3 +4587,8 @@
3365 EVP_PKEY_meth_get_digestverify 4541 1_1_1e EXIST::FUNCTION:
3366 EVP_PKEY_meth_get_digestsign 4542 1_1_1e EXIST::FUNCTION:
3367 RSA_get0_pss_params 4543 1_1_1e EXIST::FUNCTION:RSA
3368 +CMS_add1_recipient 4544 1_1_1g EXIST::FUNCTION:CMS
3369 +PKCS8_pkey_add1_attr 4545 1_1_1g EXIST::FUNCTION:
3370 +PKCS8_pkey_add1_attr_by_OBJ 4546 1_1_1g EXIST::FUNCTION:
3371 +CMS_decrypt_set1_pkey_and_peer 4547 1_1_1g EXIST::FUNCTION:CMS
3372 +CMS_RecipientInfo_kari_set0_pkey_and_peer 4548 1_1_1g EXIST::FUNCTION:CMS