]> wagner.pp.ru Git - openssl-gost/engine.git/blob - patches/openssl_111g.diff
initial unified impl magma/kuznetchik MGM mode
[openssl-gost/engine.git] / patches / openssl_111g.diff
1 Index: apps/cms.c
2 ===================================================================
3 --- apps/cms.c  (revision 14523)
4 +++ apps/cms.c  (working copy)
5 @@ -75,15 +75,16 @@
6      OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
7      OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
8      OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
9 -    OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT,
10 +    OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT, OPT_NAMEOPT,
11      OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
12      OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
13      OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
14      OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
15 -    OPT_3DES_WRAP, OPT_ENGINE,
16 +    OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE,
17      OPT_R_ENUM,
18      OPT_V_ENUM,
19 -    OPT_CIPHER
20 +    OPT_CIPHER,
21 +    OPT_ORIGINATOR
22  } OPTION_CHOICE;
23  
24  const OPTIONS cms_options[] = {
25 @@ -150,6 +151,8 @@
26       "Supply or override content for detached signature"},
27      {"print", OPT_PRINT, '-',
28       "For the -cmsout operation print out all fields of the CMS structure"},
29 +    {"nameopt", OPT_NAMEOPT, 's',
30 +     "For the -print option specifies various strings printing options"},
31      {"secretkey", OPT_SECRETKEY, 's'},
32      {"secretkeyid", OPT_SECRETKEYID, 's'},
33      {"pwri_password", OPT_PWRI_PASSWORD, 's'},
34 @@ -159,6 +162,7 @@
35      {"from", OPT_FROM, 's', "From address"},
36      {"subject", OPT_SUBJECT, 's', "Subject"},
37      {"signer", OPT_SIGNER, 's', "Signer certificate file"},
38 +    {"originator", OPT_ORIGINATOR, 's', "Originator certificate file"},
39      {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
40      {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
41      {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
42 @@ -177,6 +181,7 @@
43  # ifndef OPENSSL_NO_DES
44      {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
45  # endif
46 +    {"wrap", OPT_WRAP, 's', "Any wrap cipher to wrap key"},
47  # ifndef OPENSSL_NO_ENGINE
48      {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
49  # endif
50 @@ -196,7 +201,7 @@
51      STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
52      STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
53      STACK_OF(X509) *encerts = NULL, *other = NULL;
54 -    X509 *cert = NULL, *recip = NULL, *signer = NULL;
55 +    X509 *cert = NULL, *recip = NULL, *signer = NULL, *originator = 0;
56      X509_STORE *store = NULL;
57      X509_VERIFY_PARAM *vpm = NULL;
58      char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
59 @@ -204,7 +209,7 @@
60      char *certsoutfile = NULL;
61      int noCAfile = 0, noCApath = 0;
62      char *infile = NULL, *outfile = NULL, *rctfile = NULL;
63 -    char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = NULL;
64 +    char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *originatorfile = NULL, *recipfile = NULL;
65      char *to = NULL, *from = NULL, *subject = NULL, *prog;
66      cms_key_param *key_first = NULL, *key_param = NULL;
67      int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0;
68 @@ -406,6 +411,10 @@
69          case OPT_PRINT:
70              noout = print = 1;
71              break;
72 +        case OPT_NAMEOPT:
73 +            if (!set_nameopt(opt_arg()))
74 +                goto opthelp;
75 +            break;
76          case OPT_SECRETKEY:
77              if (secret_key != NULL) {
78                  BIO_printf(bio_err, "Invalid key (supplied twice) %s\n",
79 @@ -486,6 +495,9 @@
80              }
81              signerfile = opt_arg();
82              break;
83 +        case OPT_ORIGINATOR:
84 +             originatorfile = opt_arg();
85 +             break;
86          case OPT_INKEY:
87              /* If previous -inkey argument add signer to list */
88              if (keyfile != NULL) {
89 @@ -580,6 +592,10 @@
90          case OPT_AES256_WRAP:
91              wrap_cipher = EVP_aes_256_wrap();
92              break;
93 +        case OPT_WRAP:
94 +            if (!opt_cipher(opt_unknown(), &wrap_cipher))
95 +                goto end;
96 +            break;
97          }
98      }
99      argc = opt_num_rest();
100 @@ -687,11 +703,11 @@
101      }
102  
103      if (certfile != NULL) {
104 -        if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
105 -                        "certificate file")) {
106 -            ERR_print_errors(bio_err);
107 -            goto end;
108 -        }
109 +         if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
110 +              "certificate file")) {
111 +              ERR_print_errors(bio_err);
112 +              goto end;
113 +         }
114      }
115  
116      if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
117 @@ -702,6 +718,15 @@
118          }
119      }
120  
121 +    if (originatorfile != NULL)
122 +    {
123 +         if ((originator = load_cert(originatorfile, FORMAT_PEM,
124 +              "originator certificate file")) == NULL) {
125 +              ERR_print_errors(bio_err);
126 +              goto end;
127 +         }
128 +    }
129 +
130      if (operation == SMIME_SIGN_RECEIPT) {
131          if ((signer = load_cert(signerfile, FORMAT_PEM,
132                                  "receipt signer certificate file")) == NULL) {
133 @@ -710,7 +735,8 @@
134          }
135      }
136  
137 -    if (operation == SMIME_DECRYPT) {
138 +    if (operation == SMIME_DECRYPT ||
139 +         operation == SMIME_ENCRYPT) {
140          if (keyfile == NULL)
141              keyfile = recipfile;
142      } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) {
143 @@ -819,23 +845,31 @@
144          for (i = 0; i < sk_X509_num(encerts); i++) {
145              CMS_RecipientInfo *ri;
146              cms_key_param *kparam;
147 -            int tflags = flags;
148 +            int tflags = flags | CMS_KEY_PARAM; /* This flag enforces allocating the EVP_PKEY_CTX for the recipient here */
149 +            EVP_PKEY_CTX *pctx;
150              X509 *x = sk_X509_value(encerts, i);
151 +            int res;
152 +
153              for (kparam = key_first; kparam; kparam = kparam->next) {
154                  if (kparam->idx == i) {
155 -                    tflags |= CMS_KEY_PARAM;
156                      break;
157                  }
158              }
159 -            ri = CMS_add1_recipient_cert(cms, x, tflags);
160 +            ri = CMS_add1_recipient(cms, x, key, originator, tflags);
161              if (ri == NULL)
162                  goto end;
163 +
164 +            pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
165              if (kparam != NULL) {
166 -                EVP_PKEY_CTX *pctx;
167 -                pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
168                  if (!cms_set_pkey_param(pctx, kparam->param))
169                      goto end;
170              }
171 +
172 +            res = EVP_PKEY_CTX_ctrl(pctx, -1, -1,
173 +                        EVP_PKEY_CTRL_CIPHER, EVP_CIPHER_nid(cipher), NULL);
174 +            if (res <= 0 && res != -2)
175 +                goto end;
176 +
177              if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
178                  && wrap_cipher) {
179                  EVP_CIPHER_CTX *wctx;
180 @@ -981,7 +1015,7 @@
181          }
182  
183          if (key != NULL) {
184 -            if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
185 +            if (!CMS_decrypt_set1_pkey_and_peer(cms, key, recip, originator)) {
186                  BIO_puts(bio_err, "Error decrypting CMS using private key\n");
187                  goto end;
188              }
189 @@ -1047,8 +1081,19 @@
190          }
191      } else {
192          if (noout) {
193 -            if (print)
194 -                CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
195 +            if (print) {
196 +                ASN1_PCTX *pctx = NULL;
197 +                if (get_nameopt() != XN_FLAG_ONELINE) {
198 +                    pctx = ASN1_PCTX_new();
199 +                    if (pctx) { /* Print anyway if malloc failed */
200 +                        ASN1_PCTX_set_flags(pctx, ASN1_PCTX_FLAGS_SHOW_ABSENT);
201 +                        ASN1_PCTX_set_str_flags(pctx, get_nameopt());
202 +                        ASN1_PCTX_set_nm_flags(pctx, get_nameopt());
203 +                    }
204 +                }
205 +                 CMS_ContentInfo_print_ctx(out, cms, 0, pctx);
206 +                ASN1_PCTX_free(pctx);
207 +            }
208          } else if (outformat == FORMAT_SMIME) {
209              if (to)
210                  BIO_printf(out, "To: %s%s", to, mime_eol);
211 Index: apps/s_cb.c
212 ===================================================================
213 --- apps/s_cb.c (revision 14523)
214 +++ apps/s_cb.c (working copy)
215 @@ -684,7 +684,7 @@
216      {NULL}
217  };
218  
219 -/* from rfc8446 4.2.3. + gost (https://tools.ietf.org/id/draft-smyshlyaev-tls12-gost-suites-04.html) */
220 +/* from rfc8446 4.2.3. + GOST (https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites-01) */
221  static STRINT_PAIR signature_tls13_scheme_list[] = {
222      {"rsa_pkcs1_sha1",         0x0201 /* TLSEXT_SIGALG_rsa_pkcs1_sha1 */},
223      {"ecdsa_sha1",             0x0203 /* TLSEXT_SIGALG_ecdsa_sha1 */},
224 @@ -696,6 +696,13 @@
225      {"ecdsa_secp384r1_sha384", 0x0503 /* TLSEXT_SIGALG_ecdsa_secp384r1_sha384 */},
226      {"rsa_pkcs1_sha512",       0x0601 /* TLSEXT_SIGALG_rsa_pkcs1_sha512 */},
227      {"ecdsa_secp521r1_sha512", 0x0603 /* TLSEXT_SIGALG_ecdsa_secp521r1_sha512 */},
228 +    {"gostr34102012_256a",     0x0709 /* TLSEXT_SIGALG_gostr34102012_256a */},
229 +    {"gostr34102012_256b",     0x070A /* TLSEXT_SIGALG_gostr34102012_256b */},
230 +    {"gostr34102012_256c",     0x070B /* TLSEXT_SIGALG_gostr34102012_256c */},
231 +    {"gostr34102012_256d",     0x070C /* TLSEXT_SIGALG_gostr34102012_256d */},
232 +    {"gostr34102012_512a",     0x070D /* TLSEXT_SIGALG_gostr34102012_512a */},
233 +    {"gostr34102012_512b",     0x070E /* TLSEXT_SIGALG_gostr34102012_512b */},
234 +    {"gostr34102012_512c",     0x070F /* TLSEXT_SIGALG_gostr34102012_512c */},
235      {"rsa_pss_rsae_sha256",    0x0804 /* TLSEXT_SIGALG_rsa_pss_rsae_sha256 */},
236      {"rsa_pss_rsae_sha384",    0x0805 /* TLSEXT_SIGALG_rsa_pss_rsae_sha384 */},
237      {"rsa_pss_rsae_sha512",    0x0806 /* TLSEXT_SIGALG_rsa_pss_rsae_sha512 */},
238 @@ -704,9 +711,6 @@
239      {"rsa_pss_pss_sha256",     0x0809 /* TLSEXT_SIGALG_rsa_pss_pss_sha256 */},
240      {"rsa_pss_pss_sha384",     0x080a /* TLSEXT_SIGALG_rsa_pss_pss_sha384 */},
241      {"rsa_pss_pss_sha512",     0x080b /* TLSEXT_SIGALG_rsa_pss_pss_sha512 */},
242 -    {"gostr34102001",          0xeded /* TLSEXT_SIGALG_gostr34102001_gostr3411 */},
243 -    {"gostr34102012_256",      0xeeee /* TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 */},
244 -    {"gostr34102012_512",      0xefef /* TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 */},
245      {NULL}
246  };
247  
248 Index: crypto/objects/objects.txt
249 ===================================================================
250 --- crypto/objects/objects.txt  (revision 14523)
251 +++ crypto/objects/objects.txt  (working copy)
252 @@ -1321,6 +1321,14 @@
253  
254  # TC26 GOST OIDs
255  
256 +id-tc26 0              : id-tc26-modules: GOST TC26 ASN.1 modules
257 +
258 +id-tc26-modules 6 : id-tc26-cms: GOST TC26 SMS
259 +
260 +id-tc26-cms 1 : id-tc26-cms-attrs: GOST TC26 SMS attributes
261 +
262 +id-tc26-cms-attrs 1 : id-tc26-mac-attr: GOST TC26 SMS content-mac attribute
263 +
264  id-tc26 1              : id-tc26-algorithms
265  id-tc26-algorithms 1   : id-tc26-sign
266  !Cname id-GostR3410-2012-256
267 @@ -1344,11 +1352,11 @@
268  
269  id-tc26-algorithms 5   : id-tc26-cipher
270  id-tc26-cipher 1       :  id-tc26-cipher-gostr3412-2015-magma
271 -id-tc26-cipher-gostr3412-2015-magma 1  : id-tc26-cipher-gostr3412-2015-magma-ctracpkm
272 -id-tc26-cipher-gostr3412-2015-magma 2  : id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac
273 +id-tc26-cipher-gostr3412-2015-magma 1  : magma-ctr-acpkm
274 +id-tc26-cipher-gostr3412-2015-magma 2  : magma-ctr-acpkm-omac
275  id-tc26-cipher 2       :  id-tc26-cipher-gostr3412-2015-kuznyechik
276 -id-tc26-cipher-gostr3412-2015-kuznyechik 1     : id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm
277 -id-tc26-cipher-gostr3412-2015-kuznyechik 2     : id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac
278 +id-tc26-cipher-gostr3412-2015-kuznyechik 1     : kuznyechik-ctr-acpkm
279 +id-tc26-cipher-gostr3412-2015-kuznyechik 2     : kuznyechik-ctr-acpkm-omac
280  
281  id-tc26-algorithms 6   : id-tc26-agreement
282  id-tc26-agreement 1    : id-tc26-agreement-gost-3410-2012-256
283 @@ -1356,9 +1364,9 @@
284  
285  id-tc26-algorithms 7   :       id-tc26-wrap
286  id-tc26-wrap 1 : id-tc26-wrap-gostr3412-2015-magma
287 -id-tc26-wrap-gostr3412-2015-magma 1    : id-tc26-wrap-gostr3412-2015-magma-kexp15
288 +id-tc26-wrap-gostr3412-2015-magma 1    : magma-kexp15
289  id-tc26-wrap 2 : id-tc26-wrap-gostr3412-2015-kuznyechik
290 -id-tc26-wrap-gostr3412-2015-kuznyechik 1       : id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15
291 +id-tc26-wrap-gostr3412-2015-kuznyechik 1       : kuznyechik-kexp15
292  
293  id-tc26 2              : id-tc26-constants
294  
295 @@ -1382,16 +1390,25 @@
296  member-body 643 3 131 1 1      : INN   : INN
297  member-body 643 100 1          : OGRN  : OGRN
298  member-body 643 100 3          : SNILS : SNILS
299 +member-body 643 100 5          : OGRNIP        : OGRNIP
300  member-body 643 100 111        : subjectSignTool       : Signing Tool of Subject
301  member-body 643 100 112        : issuerSignTool        : Signing Tool of Issuer
302 +member-body 643 100 113  : classSignTool   : Class of Signing Tool
303 +member-body 643 100 113 1 : classSignToolKC1 : Class of Signing Tool KC1
304 +member-body 643 100 113 2 : classSignToolKC2 : Class of Signing Tool KC2
305 +member-body 643 100 113 3 : classSignToolKC3 : Class of Signing Tool KC3
306 +member-body 643 100 113 4 : classSignToolKB1 : Class of Signing Tool KB1
307 +member-body 643 100 113 5 : classSignToolKB2 : Class of Signing Tool KB2
308 +member-body 643 100 113 6 : classSignToolKA1 : Class of Signing Tool KA1
309  
310  #GOST R34.13-2015 Grasshopper "Kuznechik"
311 -                       : grasshopper-ecb
312 -                       : grasshopper-ctr
313 -                       : grasshopper-ofb
314 -                       : grasshopper-cbc
315 -                       : grasshopper-cfb
316 -                       : grasshopper-mac
317 +                       : kuznyechik-ecb
318 +                       : kuznyechik-ctr
319 +                       : kuznyechik-ofb
320 +                       : kuznyechik-cbc
321 +                       : kuznyechik-cfb
322 +                       : kuznyechik-mac
323 +                       : kuznyechik-mgm
324  
325  #GOST R34.13-2015 Magma
326                         : magma-ecb
327 @@ -1400,6 +1417,7 @@
328                         : magma-cbc
329                         : magma-cfb
330                         : magma-mac
331 +                       : magma-mgm
332  
333  # Definitions for Camellia cipher - CBC MODE
334  
335 Index: crypto/cms/cms_local.h
336 ===================================================================
337 --- crypto/cms/cms_local.h      (revision 14523)
338 +++ crypto/cms/cms_local.h      (working copy)
339 @@ -403,12 +403,13 @@
340  ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si);
341  
342  BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
343 +int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain);
344  CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms);
345  int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd);
346  int cms_pkey_get_ri_type(EVP_PKEY *pk);
347 +int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type);
348  /* KARI routines */
349 -int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
350 -                                EVP_PKEY *pk, unsigned int flags);
351 +int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri,  X509 *recip, EVP_PKEY *recipPubKey, X509 * originator, EVP_PKEY *originatorPrivKey, unsigned int flags);
352  int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
353                                     CMS_RecipientInfo *ri);
354  
355 Index: crypto/cms/cms_lib.c
356 ===================================================================
357 --- crypto/cms/cms_lib.c        (revision 14523)
358 +++ crypto/cms/cms_lib.c        (working copy)
359 @@ -130,12 +130,14 @@
360      switch (OBJ_obj2nid(cms->contentType)) {
361  
362      case NID_pkcs7_data:
363 -    case NID_pkcs7_enveloped:
364      case NID_pkcs7_encrypted:
365      case NID_id_smime_ct_compressedData:
366          /* Nothing to do */
367          return 1;
368  
369 +    case NID_pkcs7_enveloped:
370 +        return cms_EnvelopedData_final(cms, cmsbio);
371 +
372      case NID_pkcs7_signed:
373          return cms_SignedData_final(cms, cmsbio);
374  
375 Index: crypto/cms/cms_smime.c
376 ===================================================================
377 --- crypto/cms/cms_smime.c      (revision 14523)
378 +++ crypto/cms/cms_smime.c      (working copy)
379 @@ -576,8 +576,8 @@
380      return NULL;
381  }
382  
383 -static int cms_kari_set1_pkey(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
384 -                              EVP_PKEY *pk, X509 *cert)
385 +static int cms_kari_set1_pkey_and_peer(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
386 +                              EVP_PKEY *pk, X509 *cert, X509 *peer)
387  {
388      int i;
389      STACK_OF(CMS_RecipientEncryptedKey) *reks;
390 @@ -588,7 +588,7 @@
391          rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
392          if (cert != NULL && CMS_RecipientEncryptedKey_cert_cmp(rek, cert))
393              continue;
394 -        CMS_RecipientInfo_kari_set0_pkey(ri, pk);
395 +        CMS_RecipientInfo_kari_set0_pkey_and_peer(ri, pk, peer);
396          rv = CMS_RecipientInfo_kari_decrypt(cms, ri, rek);
397          CMS_RecipientInfo_kari_set0_pkey(ri, NULL);
398          if (rv > 0)
399 @@ -600,27 +600,35 @@
400  
401  int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
402  {
403 +     return CMS_decrypt_set1_pkey_and_peer(cms, pk, cert, NULL);
404 +}
405 +
406 +int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer)
407 +{
408      STACK_OF(CMS_RecipientInfo) *ris;
409      CMS_RecipientInfo *ri;
410 -    int i, r, ri_type;
411 +    int i, r, cms_pkey_ri_type;
412      int debug = 0, match_ri = 0;
413      ris = CMS_get0_RecipientInfos(cms);
414      if (ris)
415          debug = cms->d.envelopedData->encryptedContentInfo->debug;
416 -    ri_type = cms_pkey_get_ri_type(pk);
417 -    if (ri_type == CMS_RECIPINFO_NONE) {
418 -        CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY,
419 -               CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
420 -        return 0;
421 +
422 +    cms_pkey_ri_type = cms_pkey_get_ri_type(pk);
423 +    if (cms_pkey_ri_type == CMS_RECIPINFO_NONE) {
424 +         CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER,
425 +              CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
426 +         return 0;
427      }
428  
429      for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
430 +        int ri_type;
431          ri = sk_CMS_RecipientInfo_value(ris, i);
432 -        if (CMS_RecipientInfo_type(ri) != ri_type)
433 -            continue;
434 +        ri_type = CMS_RecipientInfo_type(ri);
435 +/*        if (!cms_pkey_is_ri_type_supported(pk, ri_type))
436 +            continue; */
437          match_ri = 1;
438          if (ri_type == CMS_RECIPINFO_AGREE) {
439 -            r = cms_kari_set1_pkey(cms, ri, pk, cert);
440 +            r = cms_kari_set1_pkey_and_peer(cms, ri, pk, cert, peer);
441              if (r > 0)
442                  return 1;
443              if (r < 0)
444 @@ -640,13 +648,13 @@
445                   * If not debugging clear any error and return success to
446                   * avoid leaking of information useful to MMA
447                   */
448 -                if (!debug) {
449 +                if (!debug && cms_pkey_ri_type == CMS_RECIPINFO_TRANS) {
450                      ERR_clear_error();
451                      return 1;
452                  }
453                  if (r > 0)
454                      return 1;
455 -                CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_DECRYPT_ERROR);
456 +                CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, CMS_R_DECRYPT_ERROR);
457                  return 0;
458              }
459              /*
460 @@ -654,17 +662,17 @@
461               * successful decrypt. Always attempt to decrypt all recipients
462               * to avoid leaking timing of a successful decrypt.
463               */
464 -            else if (r > 0 && debug)
465 +            else if (r > 0 && (debug || cms_pkey_ri_type != CMS_RECIPINFO_TRANS))
466                  return 1;
467          }
468      }
469      /* If no cert, key transport and not debugging always return success */
470 -    if (cert == NULL && ri_type == CMS_RECIPINFO_TRANS && match_ri && !debug) {
471 +    if (cert == NULL && cms_pkey_ri_type == CMS_RECIPINFO_TRANS && match_ri && !debug) {
472          ERR_clear_error();
473          return 1;
474      }
475  
476 -    CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_NO_MATCHING_RECIPIENT);
477 +    CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, CMS_R_NO_MATCHING_RECIPIENT);
478      return 0;
479  
480  }
481 Index: crypto/cms/cms_kari.c
482 ===================================================================
483 --- crypto/cms/cms_kari.c       (revision 14523)
484 +++ crypto/cms/cms_kari.c       (working copy)
485 @@ -152,7 +152,7 @@
486          return -1;
487  }
488  
489 -int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
490 +int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *pk, X509 *peer)
491  {
492      EVP_PKEY_CTX *pctx;
493      CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;
494 @@ -164,6 +164,16 @@
495      pctx = EVP_PKEY_CTX_new(pk, NULL);
496      if (!pctx || EVP_PKEY_derive_init(pctx) <= 0)
497          goto err;
498 +
499 +    if (peer)
500 +    {
501 +         EVP_PKEY *pub_pkey = X509_get0_pubkey(peer);
502 +         if (0 >= EVP_PKEY_derive_set_peer(pctx, pub_pkey))
503 +         {
504 +              goto err;
505 +         }
506 +    }
507 +
508      kari->pctx = pctx;
509      return 1;
510   err:
511 @@ -171,6 +181,11 @@
512      return 0;
513  }
514  
515 +int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
516 +{
517 +     return CMS_RecipientInfo_kari_set0_pkey_and_peer(ri, pk, NULL);
518 +}
519 +
520  EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri)
521  {
522      if (ri->type == CMS_RECIPINFO_AGREE)
523 @@ -282,10 +297,27 @@
524      return rv;
525  }
526  
527 +/* Set originator private key and initialise context based on it */
528 +static int cms_kari_set_originator_private_key(CMS_KeyAgreeRecipientInfo *kari, EVP_PKEY *originatorPrivKey )
529 +{
530 +     EVP_PKEY_CTX *pctx = NULL;
531 +     int rv = 0;
532 +     pctx = EVP_PKEY_CTX_new(originatorPrivKey, NULL);
533 +     if (!pctx)
534 +          goto err;
535 +     if (EVP_PKEY_derive_init(pctx) <= 0)
536 +          goto err;
537 +     kari->pctx = pctx;
538 +     rv = 1;
539 +err:
540 +     if (!rv)
541 +          EVP_PKEY_CTX_free(pctx);
542 +     return rv;
543 +}
544 +
545  /* Initialise a kari based on passed certificate and key */
546  
547 -int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
548 -                                EVP_PKEY *pk, unsigned int flags)
549 +int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri,  X509 *recip, EVP_PKEY *recipPubKey, X509 * originator, EVP_PKEY *originatorPrivKey, unsigned int flags)
550  {
551      CMS_KeyAgreeRecipientInfo *kari;
552      CMS_RecipientEncryptedKey *rek = NULL;
553 @@ -320,12 +352,45 @@
554              return 0;
555      }
556  
557 -    /* Create ephemeral key */
558 -    if (!cms_kari_create_ephemeral_key(kari, pk))
559 -        return 0;
560 +    if (!originatorPrivKey && !originator)
561 +    {
562 +         /* Create ephemeral key */
563 +         if (!cms_kari_create_ephemeral_key(kari, recipPubKey))
564 +              return 0;
565 +    }
566 +    else
567 +    {
568 +         /* Use originator key */
569 +         CMS_OriginatorIdentifierOrKey *oik = ri->d.kari->originator;
570  
571 -    EVP_PKEY_up_ref(pk);
572 -    rek->pkey = pk;
573 +         if (!originatorPrivKey && !originator)
574 +         {
575 +              return 0;
576 +         }
577 +
578 +         if (flags & CMS_USE_ORIGINATOR_KEYID) {
579 +              //kari->originator->issuerAndSerialNumber
580 +              oik->type = CMS_OIK_KEYIDENTIFIER;
581 +              oik->d.subjectKeyIdentifier = ASN1_OCTET_STRING_new();
582 +              if (oik->d.subjectKeyIdentifier == NULL)
583 +                   return 0;
584 +              if (!cms_set1_keyid(&oik->d.subjectKeyIdentifier, originator))
585 +                   return 0;
586 +         }
587 +         else {
588 +              oik->type = CMS_REK_ISSUER_SERIAL;
589 +              if (!cms_set1_ias(&oik->d.issuerAndSerialNumber, originator))
590 +                   return 0;
591 +         }
592 +
593 +         if (!cms_kari_set_originator_private_key(kari, originatorPrivKey))
594 +         {
595 +              return 0;
596 +         }
597 +    }
598 +
599 +    EVP_PKEY_up_ref(recipPubKey);
600 +    rek->pkey = recipPubKey;
601      return 1;
602  }
603  
604 @@ -335,14 +400,35 @@
605      EVP_CIPHER_CTX *ctx = kari->ctx;
606      const EVP_CIPHER *kekcipher;
607      int keylen = EVP_CIPHER_key_length(cipher);
608 +    int ret;
609      /* If a suitable wrap algorithm is already set nothing to do */
610      kekcipher = EVP_CIPHER_CTX_cipher(ctx);
611  
612 -    if (kekcipher) {
613 -        if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
614 -            return 0;
615 -        return 1;
616 +    if (kekcipher)
617 +    {
618 +         if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
619 +              return 0;
620 +         return 1;
621      }
622 +               /* Here the Infotecs patch begins */
623 +    else if (cipher && (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_GET_WRAP_CIPHER))
624 +    {
625 +         ret = EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER, 0, &kekcipher);
626 +         if (0 >= ret)
627 +         {
628 +              return 0;
629 +         }
630 +
631 +         if (kekcipher)
632 +         {
633 +              if (EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
634 +                   return 0;
635 +
636 +              return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
637 +         }
638 +    }
639 +               /* Here the Infotecs patch ends */
640 +
641      /*
642       * Pick a cipher based on content encryption cipher. If it is DES3 use
643       * DES3 wrap otherwise use AES wrap similar to key size.
644 Index: crypto/cms/cms_env.c
645 ===================================================================
646 --- crypto/cms/cms_env.c        (revision 14523)
647 +++ crypto/cms/cms_env.c        (working copy)
648 @@ -20,6 +20,8 @@
649  
650  /* CMS EnvelopedData Utilities */
651  
652 +static void cms_env_set_version(CMS_EnvelopedData *env);
653 +
654  CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms)
655  {
656      if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) {
657 @@ -121,6 +123,39 @@
658      return NULL;
659  }
660  
661 +int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain)
662 +{
663 +    CMS_EnvelopedData *env = NULL;
664 +    EVP_CIPHER_CTX *ctx = NULL;
665 +    BIO *mbio = BIO_find_type(chain, BIO_TYPE_CIPHER);
666 +
667 +    env = cms_get0_enveloped(cms);
668 +    if (!env)
669 +        return 0;
670 +
671 +    if (!mbio) {
672 +        CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, CMS_R_CONTENT_NOT_FOUND);
673 +        return 0;
674 +    }
675 +
676 +    BIO_get_cipher_ctx(mbio, &ctx);
677 +
678 +    /*
679 +     * If the selected cipher supports unprotected attributes,
680 +     * deal with it using special ctrl function
681 +     */
682 +    if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) {
683 +      cms->d.envelopedData->unprotectedAttrs = sk_X509_ATTRIBUTE_new_null();
684 +      if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 1, env->unprotectedAttrs) <= 0) {
685 +        CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, CMS_R_CTRL_FAILURE);
686 +        return 0;
687 +      }
688 +    }
689 +    cms_env_set_version(cms->d.envelopedData);
690 +
691 +    return 1;
692 +}
693 +
694  /* Key Transport Recipient Info (KTRI) routines */
695  
696  /* Initialise a ktri based on passed certificate and key */
697 @@ -175,8 +210,8 @@
698   * Add a recipient certificate using appropriate type of RecipientInfo
699   */
700  
701 -CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
702 -                                           X509 *recip, unsigned int flags)
703 +CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
704 +          EVP_PKEY *originatorPrivKey, X509 * originator, unsigned int flags)
705  {
706      CMS_RecipientInfo *ri = NULL;
707      CMS_EnvelopedData *env;
708 @@ -192,7 +227,7 @@
709  
710      pk = X509_get0_pubkey(recip);
711      if (!pk) {
712 -        CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, CMS_R_ERROR_GETTING_PUBLIC_KEY);
713 +        CMSerr(CMS_F_CMS_ADD1_RECIPIENT, CMS_R_ERROR_GETTING_PUBLIC_KEY);
714          goto err;
715      }
716  
717 @@ -204,12 +239,12 @@
718          break;
719  
720      case CMS_RECIPINFO_AGREE:
721 -        if (!cms_RecipientInfo_kari_init(ri, recip, pk, flags))
722 +        if (!cms_RecipientInfo_kari_init(ri, recip, pk, originator, originatorPrivKey, flags))
723              goto err;
724          break;
725  
726      default:
727 -        CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT,
728 +        CMSerr(CMS_F_CMS_ADD1_RECIPIENT,
729                 CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
730          goto err;
731  
732 @@ -221,7 +256,7 @@
733      return ri;
734  
735   merr:
736 -    CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, ERR_R_MALLOC_FAILURE);
737 +    CMSerr(CMS_F_CMS_ADD1_RECIPIENT, ERR_R_MALLOC_FAILURE);
738   err:
739      M_ASN1_free_of(ri, CMS_RecipientInfo);
740      return NULL;
741 @@ -228,6 +263,12 @@
742  
743  }
744  
745 +CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
746 +     X509 *recip, unsigned int flags)
747 +{
748 +     return CMS_add1_recipient(cms, recip, NULL, NULL, flags);
749 +}
750 +
751  int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
752                                       EVP_PKEY **pk, X509 **recip,
753                                       X509_ALGOR **palg)
754 @@ -856,52 +897,90 @@
755      env->version = 0;
756  }
757  
758 -BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
759 +static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms)
760  {
761 -    CMS_EncryptedContentInfo *ec;
762 -    STACK_OF(CMS_RecipientInfo) *rinfos;
763 -    CMS_RecipientInfo *ri;
764 -    int i, ok = 0;
765 -    BIO *ret;
766 +    CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo;
767 +    BIO *contentBio = cms_EncryptedContent_init_bio(ec);
768 +    EVP_CIPHER_CTX *ctx = NULL;
769  
770 -    /* Get BIO first to set up key */
771 +    if (!contentBio)
772 +        return NULL;
773  
774 -    ec = cms->d.envelopedData->encryptedContentInfo;
775 -    ret = cms_EncryptedContent_init_bio(ec);
776 +    BIO_get_cipher_ctx(contentBio, &ctx);
777 +    if (ctx == NULL) {
778 +        BIO_free(contentBio);
779 +        return NULL;
780 +               }
781 +/* 
782 + * If the selected cipher supports unprotected attributes,
783 + * deal with it using special ctrl function
784 + */
785 +               if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC &&
786 +        EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 0, cms->d.envelopedData->unprotectedAttrs) <= 0) {
787 +        BIO_free(contentBio);
788 +        return NULL;
789 +               }
790 +    return contentBio;
791 +}
792  
793 -    /* If error or no cipher end of processing */
794 +static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms)
795 +{
796 +     CMS_EncryptedContentInfo *ec;
797 +     STACK_OF(CMS_RecipientInfo) *rinfos;
798 +     CMS_RecipientInfo *ri;
799 +     int i, ok = 0;
800 +     BIO *ret;
801  
802 -    if (!ret || !ec->cipher)
803 -        return ret;
804 +     /* Get BIO first to set up key */
805  
806 -    /* Now encrypt content key according to each RecipientInfo type */
807 +     ec = cms->d.envelopedData->encryptedContentInfo;
808 +     ret = cms_EncryptedContent_init_bio(ec);
809  
810 -    rinfos = cms->d.envelopedData->recipientInfos;
811 +     /* If error or no cipher end of processing */
812  
813 -    for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
814 -        ri = sk_CMS_RecipientInfo_value(rinfos, i);
815 -        if (CMS_RecipientInfo_encrypt(cms, ri) <= 0) {
816 -            CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO,
817 -                   CMS_R_ERROR_SETTING_RECIPIENTINFO);
818 -            goto err;
819 -        }
820 -    }
821 -    cms_env_set_version(cms->d.envelopedData);
822 +     if (!ret)
823 +          return ret;
824  
825 -    ok = 1;
826 +     /* Now encrypt content key according to each RecipientInfo type */
827  
828 - err:
829 -    ec->cipher = NULL;
830 -    OPENSSL_clear_free(ec->key, ec->keylen);
831 -    ec->key = NULL;
832 -    ec->keylen = 0;
833 -    if (ok)
834 -        return ret;
835 -    BIO_free(ret);
836 -    return NULL;
837 +     rinfos = cms->d.envelopedData->recipientInfos;
838  
839 +     for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
840 +          ri = sk_CMS_RecipientInfo_value(rinfos, i);
841 +          if (CMS_RecipientInfo_encrypt(cms, ri) <= 0) {
842 +               CMSerr(CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO,
843 +                    CMS_R_ERROR_SETTING_RECIPIENTINFO);
844 +               goto err;
845 +          }
846 +     }
847 +     cms_env_set_version(cms->d.envelopedData); /* FIXME move lower? */
848 +
849 +     ok = 1;
850 +
851 +err:
852 +     ec->cipher = NULL;
853 +     OPENSSL_clear_free(ec->key, ec->keylen);
854 +     ec->key = NULL;
855 +     ec->keylen = 0;
856 +     if (ok)
857 +          return ret;
858 +     BIO_free(ret);
859 +     return NULL;
860 +
861  }
862  
863 +BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
864 +{
865 +     if (cms->d.envelopedData->encryptedContentInfo->cipher)
866 +     {
867 +          //If cipher is set it's encrypting
868 +          return cms_EnvelopedData_Encryption_init_bio(cms);
869 +     }
870 +
871 +     //If cipher is not set it's decrypting
872 +     return cms_EnvelopedData_Decryption_init_bio(cms);
873 +}
874 +
875  /*
876   * Get RecipientInfo type (if any) supported by a key (public or private). To
877   * retain compatibility with previous behaviour if the ctrl value isn't
878 @@ -917,3 +996,25 @@
879      }
880      return CMS_RECIPINFO_TRANS;
881  }
882 +
883 +int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type)
884 +{
885 +     if (pk->ameth && pk->ameth->pkey_ctrl)
886 +     {
887 +          int i, r;
888 +          i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED, ri_type, &r);
889 +          if (i > 0)
890 +               return r;
891 +     }
892 +
893 +     //if ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED not supported
894 +
895 +     int supportedRiType = cms_pkey_get_ri_type(pk);
896 +
897 +     if (supportedRiType < 0)
898 +     {
899 +          return 0;
900 +     }
901 +
902 +     return (supportedRiType == ri_type);
903 +}
904 Index: crypto/cms/cms_err.c
905 ===================================================================
906 --- crypto/cms/cms_err.c        (revision 14523)
907 +++ crypto/cms/cms_err.c        (working copy)
908 @@ -22,6 +22,7 @@
909       "CMS_add0_recipient_password"},
910      {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECEIPTREQUEST, 0),
911       "CMS_add1_ReceiptRequest"},
912 +    {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECIPIENT, 0), "CMS_add1_recipient"},
913      {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECIPIENT_CERT, 0),
914       "CMS_add1_recipient_cert"},
915      {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNER, 0), "CMS_add1_signer"},
916 @@ -45,6 +46,8 @@
917       "CMS_decrypt_set1_password"},
918      {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DECRYPT_SET1_PKEY, 0),
919       "CMS_decrypt_set1_pkey"},
920 +    {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, 0),
921 +     "CMS_decrypt_set1_pkey_and_peer"},
922      {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DIGESTALGORITHM_FIND_CTX, 0),
923       "cms_DigestAlgorithm_find_ctx"},
924      {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DIGESTALGORITHM_INIT_BIO, 0),
925 @@ -66,6 +69,12 @@
926       "CMS_EncryptedData_set1_key"},
927      {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_CREATE, 0),
928       "CMS_EnvelopedData_create"},
929 +    {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO, 0),
930 +     "cms_EnvelopedData_Decryption_init_bio"},
931 +    {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO, 0),
932 +     "cms_EnvelopedData_Encryption_init_bio"},
933 +    {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_FINAL, 0),
934 +     "cms_EnvelopedData_final"},
935      {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_INIT_BIO, 0),
936       "cms_EnvelopedData_init_bio"},
937      {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPED_DATA_INIT, 0),
938 Index: crypto/x509v3/standard_exts.h
939 ===================================================================
940 --- crypto/x509v3/standard_exts.h       (revision 14523)
941 +++ crypto/x509v3/standard_exts.h       (working copy)
942 @@ -68,6 +68,8 @@
943      &v3_ct_scts[1],
944      &v3_ct_scts[2],
945  #endif
946 +    &v3_subject_sign_tool,
947 +    &v3_issuer_sign_tool,
948      &v3_tls_feature,
949      &v3_ext_admission
950  };
951 Index: crypto/x509v3/v3err.c
952 ===================================================================
953 --- crypto/x509v3/v3err.c       (revision 14523)
954 +++ crypto/x509v3/v3err.c       (working copy)
955 @@ -1,6 +1,6 @@
956  /*
957   * Generated by util/mkerr.pl DO NOT EDIT
958 - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
959 + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
960   *
961   * Licensed under the OpenSSL license (the "License").  You may not use
962   * this file except in compliance with the License.  You can obtain a copy
963 @@ -37,6 +37,8 @@
964       "i2s_ASN1_IA5STRING"},
965      {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2S_ASN1_INTEGER, 0),
966       "i2s_ASN1_INTEGER"},
967 +    {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2S_ASN1_UTF8STRING, 0),
968 +     "i2s_ASN1_UTF8STRING"},
969      {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_INFO_ACCESS, 0),
970       "i2v_AUTHORITY_INFO_ACCESS"},
971      {ERR_PACK(ERR_LIB_X509V3, X509V3_F_LEVEL_ADD_NODE, 0), "level_add_node"},
972 @@ -58,6 +60,8 @@
973       "s2i_ASN1_INTEGER"},
974      {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_ASN1_OCTET_STRING, 0),
975       "s2i_ASN1_OCTET_STRING"},
976 +    {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_ASN1_UTF8STRING, 0),
977 +     "s2i_ASN1_UTF8STRING"},
978      {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_SKEY_ID, 0), "s2i_skey_id"},
979      {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SET_DIST_POINT_NAME, 0),
980       "set_dist_point_name"},
981 Index: crypto/x509v3/build.info
982 ===================================================================
983 --- crypto/x509v3/build.info    (revision 14523)
984 +++ crypto/x509v3/build.info    (working copy)
985 @@ -5,4 +5,4 @@
986    v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
987    v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
988    pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
989 -  v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c
990 +  v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_rus.c
991 Index: crypto/x509v3/v3_alt.c
992 ===================================================================
993 --- crypto/x509v3/v3_alt.c      (revision 14523)
994 +++ crypto/x509v3/v3_alt.c      (working copy)
995 @@ -24,13 +24,46 @@
996  static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
997  static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
998  
999 +static int i2r_GENERAL_NAMES(X509V3_EXT_METHOD *method,
1000 +                                        GENERAL_NAMES *gens, BIO *out,
1001 +                                        int indent);
1002 +
1003 +static int GENERAL_NAME_oneline_ex(char *name, GENERAL_NAME *gen, int len)
1004 +{
1005 +       int i;
1006 +       BIO *mem = NULL;
1007 +       BUF_MEM *bptr;
1008 +
1009 +       mem = BIO_new(BIO_s_mem());
1010 +       if (mem == 0)
1011 +               return 0;
1012 +
1013 +       switch (gen->type) {
1014 +               case GEN_DIRNAME:
1015 +                       X509_NAME_print_ex(mem, gen->d.dirn, 0, XN_FLAG_SEP_COMMA_PLUS | ASN1_STRFLGS_UTF8_CONVERT);
1016 +                       break;
1017 +       }
1018 +
1019 +       BIO_get_mem_ptr(mem, &bptr);
1020 +       i = BIO_set_close(mem, BIO_NOCLOSE);
1021 +       BIO_free(mem); 
1022 +       if (i<=0) 
1023 +               return 0;
1024 +
1025 +       if(bptr->length < len)
1026 +               strncpy(name, bptr->data, bptr->length);
1027 +       else
1028 +               strncpy(name, bptr->data, len);
1029 +       return 1;
1030 +}
1031 +
1032  const X509V3_EXT_METHOD v3_alt[3] = {
1033      {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
1034       0, 0, 0, 0,
1035       0, 0,
1036 -     (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
1037 +     NULL, /* (X509V3_EXT_I2V) i2v_GENERAL_NAMES, */
1038       (X509V3_EXT_V2I)v2i_subject_alt,
1039 -     NULL, NULL, NULL},
1040 +     (X509V3_EXT_I2R)i2r_GENERAL_NAMES, NULL, NULL},
1041  
1042      {NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
1043       0, 0, 0, 0,
1044 @@ -37,13 +70,13 @@
1045       0, 0,
1046       (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
1047       (X509V3_EXT_V2I)v2i_issuer_alt,
1048 -     NULL, NULL, NULL},
1049 +     (X509V3_EXT_I2R)i2r_GENERAL_NAMES/*NULL*/, NULL, NULL},
1050  
1051      {NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
1052       0, 0, 0, 0,
1053       0, 0,
1054       (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
1055 -     NULL, NULL, NULL, NULL},
1056 +     NULL, (X509V3_EXT_I2R)i2r_GENERAL_NAMES/*NULL*/, NULL, NULL},
1057  };
1058  
1059  STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
1060 @@ -79,7 +112,7 @@
1061                                         STACK_OF(CONF_VALUE) *ret)
1062  {
1063      unsigned char *p;
1064 -    char oline[256], htmp[5];
1065 +    char oline[1024], htmp[5];
1066      int i;
1067  
1068      switch (gen->type) {
1069 @@ -114,7 +147,7 @@
1070          break;
1071  
1072      case GEN_DIRNAME:
1073 -        if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) == NULL
1074 +        if (GENERAL_NAME_oneline_ex(oline, gen, sizeof(oline)) <= 0
1075                  || !X509V3_add_value("DirName", oline, &ret))
1076              return NULL;
1077          break;
1078 @@ -151,6 +184,96 @@
1079      return ret;
1080  }
1081  
1082 +/* beldmit */
1083 +int i2r_GENERAL_NAME(X509V3_EXT_METHOD *method,
1084 +                                       GENERAL_NAME *gen, BIO *out,
1085 +                                       int indent)
1086 +{
1087 +    unsigned char *p;
1088 +    char oline[256], htmp[5];
1089 +    int i;
1090 +               BIO_printf(out, "%*s", indent, "");
1091 +    switch (gen->type) {
1092 +    case GEN_OTHERNAME:
1093 +        BIO_write(out, "othername: <unsupported>", 24);
1094 +        break;
1095 +
1096 +    case GEN_X400:
1097 +        BIO_write(out, "X400Name: <unsupported>", 24);
1098 +        break;
1099 +
1100 +    case GEN_EDIPARTY:
1101 +        BIO_write(out, "EdiPartyName: <unsupported>", 28);
1102 +        break;
1103 +
1104 +    case GEN_EMAIL:
1105 +        BIO_write(out, "email: ", 7); 
1106 +                               BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
1107 +        break;
1108 +
1109 +    case GEN_DNS:
1110 +        BIO_write(out, "DNS: ", 5);
1111 +                               BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
1112 +        break;
1113 +
1114 +    case GEN_URI:
1115 +        BIO_write(out, "URI: ", 5);
1116 +                               BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
1117 +        break;
1118 +
1119 +    case GEN_DIRNAME:
1120 +        BIO_write(out, "DirName: ", 9); 
1121 +                               X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_SEP_COMMA_PLUS|ASN1_STRFLGS_UTF8_CONVERT);
1122 +        break;
1123 +
1124 +    case GEN_IPADD:
1125 +        p = gen->d.ip->data;
1126 +        if (gen->d.ip->length == 4)
1127 +            BIO_snprintf(oline, sizeof oline,
1128 +                         "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
1129 +        else if (gen->d.ip->length == 16) {
1130 +            oline[0] = 0;
1131 +            for (i = 0; i < 8; i++) {
1132 +                BIO_snprintf(htmp, sizeof htmp, "%X", p[0] << 8 | p[1]);
1133 +                p += 2;
1134 +                strcat(oline, htmp);
1135 +                if (i != 7)
1136 +                    strcat(oline, ":");
1137 +            }
1138 +        } else {
1139 +            BIO_write(out, "IP Address: <invalid>", 22);
1140 +            break;
1141 +        }
1142 +        BIO_write(out, "IP Address: ", 12);
1143 +                               BIO_write(out, oline, strlen(oline));
1144 +        break;
1145 +
1146 +    case GEN_RID:
1147 +        i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
1148 +        BIO_write(out, "Registered ID: ", 15);
1149 +                               BIO_write(out, oline, strlen(oline));
1150 +        break;
1151 +    }
1152 +               BIO_write(out, "\n", 1);
1153 +    return 1;
1154 +}
1155 +
1156 +int i2r_GENERAL_NAMES(X509V3_EXT_METHOD *method,
1157 +                                        GENERAL_NAMES *gens, BIO *out,
1158 +                                        int indent)
1159 +{
1160 +    int i;
1161 +    GENERAL_NAME *gen;
1162 +    for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1163 +        gen = sk_GENERAL_NAME_value(gens, i);
1164 +        if (!i2r_GENERAL_NAME(method, gen, out, indent))
1165 +                                       return 0;
1166 +    }
1167 +    return 1;
1168 +}
1169 +
1170 +/* beldmit */
1171 +
1172  int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
1173  {
1174      unsigned char *p;
1175 Index: crypto/x509v3/ext_dat.h
1176 ===================================================================
1177 --- crypto/x509v3/ext_dat.h     (revision 14523)
1178 +++ crypto/x509v3/ext_dat.h     (working copy)
1179 @@ -21,5 +21,6 @@
1180  extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
1181  extern const X509V3_EXT_METHOD v3_addr, v3_asid;
1182  extern const X509V3_EXT_METHOD v3_ct_scts[3];
1183 +extern const X509V3_EXT_METHOD v3_subject_sign_tool, v3_issuer_sign_tool;
1184  extern const X509V3_EXT_METHOD v3_tls_feature;
1185  extern const X509V3_EXT_METHOD v3_ext_admission;
1186 Index: crypto/x509v3/v3_rus.c
1187 ===================================================================
1188 --- crypto/x509v3/v3_rus.c      (nonexistent)
1189 +++ crypto/x509v3/v3_rus.c      (revision 14744)
1190 @@ -0,0 +1,168 @@
1191 +/* v3_rus.c */
1192 +/*
1193 + * Written by Dmitry Belyavskiy for the OpenSSL project
1194 + * 2015.
1195 + */
1196 +/* ====================================================================
1197 + * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
1198 + *
1199 + * Redistribution and use in source and binary forms, with or without
1200 + * modification, are permitted provided that the following conditions
1201 + * are met:
1202 + *
1203 + * 1. Redistributions of source code must retain the above copyright
1204 + *    notice, this list of conditions and the following disclaimer.
1205 + *
1206 + * 2. Redistributions in binary form must reproduce the above copyright
1207 + *    notice, this list of conditions and the following disclaimer in
1208 + *    the documentation and/or other materials provided with the
1209 + *    distribution.
1210 + *
1211 + * 3. All advertising materials mentioning features or use of this
1212 + *    software must display the following acknowledgment:
1213 + *    "This product includes software developed by the OpenSSL Project
1214 + *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
1215 + *
1216 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1217 + *    endorse or promote products derived from this software without
1218 + *    prior written permission. For written permission, please contact
1219 + *    licensing@OpenSSL.org.
1220 + *
1221 + * 5. Products derived from this software may not be called "OpenSSL"
1222 + *    nor may "OpenSSL" appear in their names without prior written
1223 + *    permission of the OpenSSL Project.
1224 + *
1225 + * 6. Redistributions of any form whatsoever must retain the following
1226 + *    acknowledgment:
1227 + *    "This product includes software developed by the OpenSSL Project
1228 + *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
1229 + *
1230 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1231 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1232 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1233 + * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
1234 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1235 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1236 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1237 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1238 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1239 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1240 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1241 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1242 + * ====================================================================
1243 + *
1244 + * This product includes cryptographic software written by Eric Young
1245 + * (eay@cryptsoft.com).  This product includes software written by Tim
1246 + * Hudson (tjh@cryptsoft.com).
1247 + *
1248 + */
1249 +
1250 +#include <stdio.h>
1251 +#include <string.h>
1252 +#include <openssl/asn1t.h>
1253 +#include <openssl/err.h>
1254 +#include <openssl/x509v3.h>
1255 +
1256 +static char *i2s_ASN1_UTF8STRING(const X509V3_EXT_METHOD *method,
1257 +                                ASN1_UTF8STRING *utf8str)
1258 +{
1259 +    char *tmp;
1260 +    if (!utf8str || !utf8str->length)
1261 +        return NULL;
1262 +    if (!(tmp = OPENSSL_malloc(utf8str->length + 1))) {
1263 +        X509V3err(X509V3_F_I2S_ASN1_UTF8STRING, ERR_R_MALLOC_FAILURE);
1264 +        return NULL;
1265 +    }
1266 +    memcpy(tmp, utf8str->data, utf8str->length);
1267 +    tmp[utf8str->length] = 0;
1268 +    return tmp;
1269 +}
1270 +
1271 +static ASN1_UTF8STRING *s2i_ASN1_UTF8STRING(X509V3_EXT_METHOD *method,
1272 +                                          X509V3_CTX *ctx, char *str)
1273 +{
1274 +    ASN1_UTF8STRING *utf8str;
1275 +    if (!str) {
1276 +        X509V3err(X509V3_F_S2I_ASN1_UTF8STRING,
1277 +                  X509V3_R_INVALID_NULL_ARGUMENT);
1278 +        return NULL;
1279 +    }
1280 +    if (!(utf8str = ASN1_STRING_type_new(V_ASN1_UTF8STRING)))
1281 +        goto err;
1282 +    if (!ASN1_STRING_set((ASN1_STRING *)utf8str, (unsigned char *)str,
1283 +                         strlen(str))) {
1284 +        ASN1_STRING_free(utf8str);
1285 +        goto err;
1286 +    }
1287 +#ifdef CHARSET_EBCDIC
1288 +    ebcdic2ascii(utf8str->data, utf8str->data, utf8str->length);
1289 +#endif                          /* CHARSET_EBCDIC */
1290 +    return utf8str;
1291 + err:
1292 +    X509V3err(X509V3_F_S2I_ASN1_UTF8STRING, ERR_R_MALLOC_FAILURE);
1293 +    return NULL;
1294 +}
1295 +
1296 +const X509V3_EXT_METHOD v3_subject_sign_tool = {
1297 +    NID_subjectSignTool, 0, ASN1_ITEM_ref(ASN1_UTF8STRING),
1298 +    0, 0, 0, 0,
1299 +    (X509V3_EXT_I2S)i2s_ASN1_UTF8STRING,
1300 +    (X509V3_EXT_S2I)s2i_ASN1_UTF8STRING,
1301 +    0, 0, 0, 0, NULL
1302 +};
1303 +
1304 +typedef struct ISSUER_SIGN_TOOL_st {
1305 +    ASN1_UTF8STRING *signTool;
1306 +    ASN1_UTF8STRING *cATool;
1307 +    ASN1_UTF8STRING *signToolCert;
1308 +    ASN1_UTF8STRING *cAToolCert;
1309 +} ISSUER_SIGN_TOOL;
1310 +
1311 +ASN1_SEQUENCE(ISSUER_SIGN_TOOL) = {
1312 +        ASN1_SIMPLE(ISSUER_SIGN_TOOL, signTool, ASN1_UTF8STRING),
1313 +        ASN1_SIMPLE(ISSUER_SIGN_TOOL, cATool, ASN1_UTF8STRING),
1314 +        ASN1_SIMPLE(ISSUER_SIGN_TOOL, signToolCert, ASN1_UTF8STRING),
1315 +        ASN1_SIMPLE(ISSUER_SIGN_TOOL, cAToolCert, ASN1_UTF8STRING)
1316 +} ASN1_SEQUENCE_END(ISSUER_SIGN_TOOL)
1317 +
1318 +IMPLEMENT_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)
1319 +
1320 +static int i2r_ISSUER_SIGN_TOOL(X509V3_EXT_METHOD *method,
1321 +                                 ISSUER_SIGN_TOOL *ist, BIO *out,
1322 +                                 int indent)
1323 +{
1324 +    if (ist->signTool) {
1325 +               BIO_printf(out, "%*s", indent, "");
1326 +        BIO_write(out, "signTool:     ", 14);
1327 +                               BIO_write(out, ist->signTool->data, ist->signTool->length);
1328 +                               BIO_write(out, "\n", 1);
1329 +    }
1330 +    if (ist->cATool) {
1331 +               BIO_printf(out, "%*s", indent, "");
1332 +        BIO_write(out, "cATool:       ", 14);
1333 +                               BIO_write(out, ist->cATool->data, ist->cATool->length);
1334 +                               BIO_write(out, "\n", 1);
1335 +    }
1336 +    if (ist->signToolCert) {
1337 +               BIO_printf(out, "%*s", indent, "");
1338 +        BIO_write(out, "signToolCert: ", 14);
1339 +                               BIO_write(out, ist->signToolCert->data, ist->signToolCert->length);
1340 +                               BIO_write(out, "\n", 1);
1341 +    }
1342 +    if (ist->cAToolCert) {
1343 +               BIO_printf(out, "%*s", indent, "");
1344 +        BIO_write(out, "cAToolCert:   ", 14);
1345 +                               BIO_write(out, ist->cAToolCert->data, ist->cAToolCert->length);
1346 +                               BIO_write(out, "\n", 1);
1347 +    }
1348 +    return 1;
1349 +}
1350 +
1351 +const X509V3_EXT_METHOD v3_issuer_sign_tool = {
1352 +    NID_issuerSignTool, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(ISSUER_SIGN_TOOL),
1353 +    0, 0, 0, 0,
1354 +               0, 0,
1355 +    0, /*(X509V3_EXT_I2V)i2v_ISSUER_SIGN_TOOL,*/
1356 +    0,
1357 +    (X509V3_EXT_I2R)i2r_ISSUER_SIGN_TOOL, 0, NULL
1358 +};
1359 Index: crypto/err/openssl.txt
1360 ===================================================================
1361 --- crypto/err/openssl.txt      (revision 14523)
1362 +++ crypto/err/openssl.txt      (working copy)
1363 @@ -239,6 +239,7 @@
1364  CMS_F_CMS_ADD0_RECIPIENT_KEY:100:CMS_add0_recipient_key
1365  CMS_F_CMS_ADD0_RECIPIENT_PASSWORD:165:CMS_add0_recipient_password
1366  CMS_F_CMS_ADD1_RECEIPTREQUEST:158:CMS_add1_ReceiptRequest
1367 +CMS_F_CMS_ADD1_RECIPIENT:181:CMS_add1_recipient
1368  CMS_F_CMS_ADD1_RECIPIENT_CERT:101:CMS_add1_recipient_cert
1369  CMS_F_CMS_ADD1_SIGNER:102:CMS_add1_signer
1370  CMS_F_CMS_ADD1_SIGNINGTIME:103:cms_add1_signingTime
1371 @@ -254,6 +255,7 @@
1372  CMS_F_CMS_DECRYPT_SET1_KEY:113:CMS_decrypt_set1_key
1373  CMS_F_CMS_DECRYPT_SET1_PASSWORD:166:CMS_decrypt_set1_password
1374  CMS_F_CMS_DECRYPT_SET1_PKEY:114:CMS_decrypt_set1_pkey
1375 +CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER:182:CMS_decrypt_set1_pkey_and_peer
1376  CMS_F_CMS_DIGESTALGORITHM_FIND_CTX:115:cms_DigestAlgorithm_find_ctx
1377  CMS_F_CMS_DIGESTALGORITHM_INIT_BIO:116:cms_DigestAlgorithm_init_bio
1378  CMS_F_CMS_DIGESTEDDATA_DO_FINAL:117:cms_DigestedData_do_final
1379 @@ -266,6 +268,11 @@
1380  CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT:122:CMS_EncryptedData_encrypt
1381  CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY:123:CMS_EncryptedData_set1_key
1382  CMS_F_CMS_ENVELOPEDDATA_CREATE:124:CMS_EnvelopedData_create
1383 +CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO:184:\
1384 +       cms_EnvelopedData_Decryption_init_bio
1385 +CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO:185:\
1386 +       cms_EnvelopedData_Encryption_init_bio
1387 +CMS_F_CMS_ENVELOPEDDATA_FINAL:186:cms_EnvelopedData_final
1388  CMS_F_CMS_ENVELOPEDDATA_INIT_BIO:125:cms_EnvelopedData_init_bio
1389  CMS_F_CMS_ENVELOPED_DATA_INIT:126:cms_enveloped_data_init
1390  CMS_F_CMS_ENV_ASN1_CTRL:171:cms_env_asn1_ctrl
1391 @@ -1180,7 +1187,7 @@
1392  SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE:601:\
1393         ossl_statem_server_post_process_message
1394  SSL_F_OSSL_STATEM_SERVER_POST_WORK:602:ossl_statem_server_post_work
1395 -SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:
1396 +SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:ossl_statem_server_pre_work
1397  SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE:603:ossl_statem_server_process_message
1398  SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION:418:ossl_statem_server_read_transition
1399  SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION:604:\
1400 @@ -1395,6 +1402,7 @@
1401  SSL_F_TLS_CONSTRUCT_CKE_DHE:404:tls_construct_cke_dhe
1402  SSL_F_TLS_CONSTRUCT_CKE_ECDHE:405:tls_construct_cke_ecdhe
1403  SSL_F_TLS_CONSTRUCT_CKE_GOST:406:tls_construct_cke_gost
1404 +SSL_F_TLS_CONSTRUCT_CKE_GOST18:639:tls_construct_cke_gost18
1405  SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE:407:tls_construct_cke_psk_preamble
1406  SSL_F_TLS_CONSTRUCT_CKE_RSA:409:tls_construct_cke_rsa
1407  SSL_F_TLS_CONSTRUCT_CKE_SRP:410:tls_construct_cke_srp
1408 @@ -1526,6 +1534,7 @@
1409  SSL_F_TLS_PROCESS_CKE_DHE:411:tls_process_cke_dhe
1410  SSL_F_TLS_PROCESS_CKE_ECDHE:412:tls_process_cke_ecdhe
1411  SSL_F_TLS_PROCESS_CKE_GOST:413:tls_process_cke_gost
1412 +SSL_F_TLS_PROCESS_CKE_GOST18:641:tls_process_cke_gost18
1413  SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE:414:tls_process_cke_psk_preamble
1414  SSL_F_TLS_PROCESS_CKE_RSA:415:tls_process_cke_rsa
1415  SSL_F_TLS_PROCESS_CKE_SRP:416:tls_process_cke_srp
1416 @@ -1648,6 +1657,7 @@
1417  X509V3_F_I2S_ASN1_ENUMERATED:121:i2s_ASN1_ENUMERATED
1418  X509V3_F_I2S_ASN1_IA5STRING:149:i2s_ASN1_IA5STRING
1419  X509V3_F_I2S_ASN1_INTEGER:120:i2s_ASN1_INTEGER
1420 +X509V3_F_I2S_ASN1_UTF8STRING:173:i2s_ASN1_UTF8STRING
1421  X509V3_F_I2V_AUTHORITY_INFO_ACCESS:138:i2v_AUTHORITY_INFO_ACCESS
1422  X509V3_F_LEVEL_ADD_NODE:168:level_add_node
1423  X509V3_F_NOTICE_SECTION:132:notice_section
1424 @@ -1662,6 +1672,7 @@
1425  X509V3_F_S2I_ASN1_IA5STRING:100:s2i_ASN1_IA5STRING
1426  X509V3_F_S2I_ASN1_INTEGER:108:s2i_ASN1_INTEGER
1427  X509V3_F_S2I_ASN1_OCTET_STRING:112:s2i_ASN1_OCTET_STRING
1428 +X509V3_F_S2I_ASN1_UTF8STRING:174:s2i_ASN1_UTF8STRING
1429  X509V3_F_S2I_SKEY_ID:115:s2i_skey_id
1430  X509V3_F_SET_DIST_POINT_NAME:158:set_dist_point_name
1431  X509V3_F_SXNET_ADD_ID_ASC:125:SXNET_add_id_asc
1432 Index: crypto/asn1/p8_pkey.c
1433 ===================================================================
1434 --- crypto/asn1/p8_pkey.c       (revision 14523)
1435 +++ crypto/asn1/p8_pkey.c       (working copy)
1436 @@ -78,3 +78,18 @@
1437          return 1;
1438      return 0;
1439  }
1440 +
1441 +int PKCS8_pkey_add1_attr_by_OBJ(PKCS8_PRIV_KEY_INFO *p8, const ASN1_OBJECT *obj, int type,
1442 +                                const unsigned char *bytes, int len)
1443 +{
1444 +    if (X509at_add1_attr_by_OBJ(&p8->attributes, obj, type, bytes, len) != NULL)
1445 +        return 1;
1446 +    return 0;
1447 +}
1448 +
1449 +int PKCS8_pkey_add1_attr(PKCS8_PRIV_KEY_INFO *p8, X509_ATTRIBUTE *attr)
1450 +{
1451 +    if (X509at_add1_attr(&p8->attributes, attr) != NULL)
1452 +        return 1;
1453 +    return 0;
1454 +}
1455 Index: include/openssl/sslerr.h
1456 ===================================================================
1457 --- include/openssl/sslerr.h    (revision 14523)
1458 +++ include/openssl/sslerr.h    (working copy)
1459 @@ -11,9 +11,7 @@
1460  #ifndef HEADER_SSLERR_H
1461  # define HEADER_SSLERR_H
1462  
1463 -# ifndef HEADER_SYMHACKS_H
1464 -#  include <openssl/symhacks.h>
1465 -# endif
1466 +# include <openssl/symhacks.h>
1467  
1468  # ifdef  __cplusplus
1469  extern "C"
1470 @@ -296,6 +294,7 @@
1471  # define SSL_F_TLS_CONSTRUCT_CKE_DHE                      404
1472  # define SSL_F_TLS_CONSTRUCT_CKE_ECDHE                    405
1473  # define SSL_F_TLS_CONSTRUCT_CKE_GOST                     406
1474 +# define SSL_F_TLS_CONSTRUCT_CKE_GOST18                   639
1475  # define SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE             407
1476  # define SSL_F_TLS_CONSTRUCT_CKE_RSA                      409
1477  # define SSL_F_TLS_CONSTRUCT_CKE_SRP                      410
1478 @@ -420,6 +419,7 @@
1479  # define SSL_F_TLS_PROCESS_CKE_DHE                        411
1480  # define SSL_F_TLS_PROCESS_CKE_ECDHE                      412
1481  # define SSL_F_TLS_PROCESS_CKE_GOST                       413
1482 +# define SSL_F_TLS_PROCESS_CKE_GOST18                     641
1483  # define SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE               414
1484  # define SSL_F_TLS_PROCESS_CKE_RSA                        415
1485  # define SSL_F_TLS_PROCESS_CKE_SRP                        416
1486 Index: include/openssl/x509.h
1487 ===================================================================
1488 --- include/openssl/x509.h      (revision 14523)
1489 +++ include/openssl/x509.h      (working copy)
1490 @@ -1020,8 +1020,11 @@
1491  
1492  const STACK_OF(X509_ATTRIBUTE) *
1493  PKCS8_pkey_get0_attrs(const PKCS8_PRIV_KEY_INFO *p8);
1494 +int PKCS8_pkey_add1_attr(PKCS8_PRIV_KEY_INFO *p8, X509_ATTRIBUTE *attr);
1495  int PKCS8_pkey_add1_attr_by_NID(PKCS8_PRIV_KEY_INFO *p8, int nid, int type,
1496                                  const unsigned char *bytes, int len);
1497 +int PKCS8_pkey_add1_attr_by_OBJ(PKCS8_PRIV_KEY_INFO *p8, const ASN1_OBJECT *obj,
1498 +                                int type, const unsigned char *bytes, int len);
1499  
1500  int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
1501                             int ptype, void *pval,
1502 Index: include/openssl/cms.h
1503 ===================================================================
1504 --- include/openssl/cms.h       (revision 14523)
1505 +++ include/openssl/cms.h       (working copy)
1506 @@ -73,6 +73,7 @@
1507  # define CMS_DEBUG_DECRYPT               0x20000
1508  # define CMS_KEY_PARAM                   0x40000
1509  # define CMS_ASCIICRLF                   0x80000
1510 +# define CMS_USE_ORIGINATOR_KEYID        0x100000
1511  
1512  const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms);
1513  
1514 @@ -143,6 +144,7 @@
1515                  BIO *dcont, BIO *out, unsigned int flags);
1516  
1517  int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert);
1518 +int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer);
1519  int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
1520                           unsigned char *key, size_t keylen,
1521                           const unsigned char *id, size_t idlen);
1522 @@ -155,6 +157,8 @@
1523  CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher);
1524  CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
1525                                             X509 *recip, unsigned int flags);
1526 +CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip, 
1527 +     EVP_PKEY *originatorPrivKey, X509 * originator, unsigned int flags);
1528  int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey);
1529  int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
1530  int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
1531 @@ -319,6 +323,7 @@
1532  int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
1533                                         X509 *cert);
1534  int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
1535 +int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *pk, X509 *peer);
1536  EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri);
1537  int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
1538                                     CMS_RecipientInfo *ri,
1539 Index: include/openssl/tls1.h
1540 ===================================================================
1541 --- include/openssl/tls1.h      (revision 14523)
1542 +++ include/openssl/tls1.h      (working copy)
1543 @@ -613,6 +613,12 @@
1544  # define TLS1_3_CK_AES_128_CCM_SHA256                     0x03001304
1545  # define TLS1_3_CK_AES_128_CCM_8_SHA256                   0x03001305
1546  
1547 +/* https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites */
1548 +# define TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L        0x0300C103
1549 +# define TLS_GOSTR341112_256_WITH_MAGMA_MGM_L             0x0300C104
1550 +# define TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S        0x0300C105
1551 +# define TLS_GOSTR341112_256_WITH_MAGMA_MGM_S             0x0300C106
1552 +
1553  /* Aria ciphersuites from RFC6209 */
1554  # define TLS1_CK_RSA_WITH_ARIA_128_GCM_SHA256             0x0300C050
1555  # define TLS1_CK_RSA_WITH_ARIA_256_GCM_SHA384             0x0300C051
1556 @@ -1135,8 +1141,10 @@
1557  # define TLS_CT_RSA_FIXED_ECDH           65
1558  # define TLS_CT_ECDSA_FIXED_ECDH         66
1559  # define TLS_CT_GOST01_SIGN              22
1560 -# define TLS_CT_GOST12_SIGN              238
1561 -# define TLS_CT_GOST12_512_SIGN          239
1562 +# define TLS_CT_GOST12_SIGN              67 
1563 +# define TLS_CT_GOST12_512_SIGN          68
1564 +# define TLS_CT_GOST12_SIGN_LEGACY       238
1565 +# define TLS_CT_GOST12_512_SIGN_LEGACY   239
1566  
1567  /*
1568   * when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see
1569 Index: include/openssl/ssl.h
1570 ===================================================================
1571 --- include/openssl/ssl.h       (revision 14523)
1572 +++ include/openssl/ssl.h       (working copy)
1573 @@ -81,6 +81,7 @@
1574  # define SSL_TXT_kECDHEPSK       "kECDHEPSK"
1575  # define SSL_TXT_kDHEPSK         "kDHEPSK"
1576  # define SSL_TXT_kGOST           "kGOST"
1577 +# define SSL_TXT_kGOST18         "kGOST18"
1578  # define SSL_TXT_kSRP            "kSRP"
1579  
1580  # define SSL_TXT_aRSA            "aRSA"
1581 @@ -908,6 +909,8 @@
1582  
1583  # define SSL_MAC_FLAG_READ_MAC_STREAM 1
1584  # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
1585 +# define SSL_MAC_FLAG_READ_MAC_TLSTREE 4
1586 +# define SSL_MAC_FLAG_WRITE_MAC_TLSTREE 8
1587  
1588  /*
1589   * A callback for logging out TLS key material. This callback should log out
1590 Index: include/openssl/obj_mac.h
1591 ===================================================================
1592 --- include/openssl/obj_mac.h   (revision 14523)
1593 +++ include/openssl/obj_mac.h   (working copy)
1594 @@ -4162,6 +4162,26 @@
1595  #define NID_id_GostR3410_2001_ParamSet_cc               854
1596  #define OBJ_id_GostR3410_2001_ParamSet_cc               OBJ_cryptocom,1L,8L,1L
1597  
1598 +#define SN_id_tc26_modules              "id-tc26-modules"
1599 +#define LN_id_tc26_modules              "GOST TC26 ASN.1 modules"
1600 +#define NID_id_tc26_modules             1203
1601 +#define OBJ_id_tc26_modules             OBJ_id_tc26,0L
1602 +
1603 +#define SN_id_tc26_cms          "id-tc26-cms"
1604 +#define LN_id_tc26_cms          "GOST TC26 SMS"
1605 +#define NID_id_tc26_cms         1204
1606 +#define OBJ_id_tc26_cms         OBJ_id_tc26_modules,6L
1607 +
1608 +#define SN_id_tc26_cms_attrs            "id-tc26-cms-attrs"
1609 +#define LN_id_tc26_cms_attrs            "GOST TC26 SMS attributes"
1610 +#define NID_id_tc26_cms_attrs           1205
1611 +#define OBJ_id_tc26_cms_attrs           OBJ_id_tc26_cms,1L
1612 +
1613 +#define SN_id_tc26_mac_attr             "id-tc26-mac-attr"
1614 +#define LN_id_tc26_mac_attr             "GOST TC26 SMS content-mac attribute"
1615 +#define NID_id_tc26_mac_attr            1206
1616 +#define OBJ_id_tc26_mac_attr            OBJ_id_tc26_cms_attrs,1L
1617 +
1618  #define SN_id_tc26_algorithms           "id-tc26-algorithms"
1619  #define NID_id_tc26_algorithms          977
1620  #define OBJ_id_tc26_algorithms          OBJ_id_tc26,1L
1621 @@ -4230,25 +4250,25 @@
1622  #define NID_id_tc26_cipher_gostr3412_2015_magma         1173
1623  #define OBJ_id_tc26_cipher_gostr3412_2015_magma         OBJ_id_tc26_cipher,1L
1624  
1625 -#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm         "id-tc26-cipher-gostr3412-2015-magma-ctracpkm"
1626 -#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm                1174
1627 -#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm                OBJ_id_tc26_cipher_gostr3412_2015_magma,1L
1628 +#define SN_magma_ctr_acpkm              "magma-ctr-acpkm"
1629 +#define NID_magma_ctr_acpkm             1174
1630 +#define OBJ_magma_ctr_acpkm             OBJ_id_tc26_cipher_gostr3412_2015_magma,1L
1631  
1632 -#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac            "id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac"
1633 -#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac           1175
1634 -#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac           OBJ_id_tc26_cipher_gostr3412_2015_magma,2L
1635 +#define SN_magma_ctr_acpkm_omac         "magma-ctr-acpkm-omac"
1636 +#define NID_magma_ctr_acpkm_omac                1175
1637 +#define OBJ_magma_ctr_acpkm_omac                OBJ_id_tc26_cipher_gostr3412_2015_magma,2L
1638  
1639  #define SN_id_tc26_cipher_gostr3412_2015_kuznyechik             "id-tc26-cipher-gostr3412-2015-kuznyechik"
1640  #define NID_id_tc26_cipher_gostr3412_2015_kuznyechik            1176
1641  #define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik            OBJ_id_tc26_cipher,2L
1642  
1643 -#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm            "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm"
1644 -#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm           1177
1645 -#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm           OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,1L
1646 +#define SN_kuznyechik_ctr_acpkm         "kuznyechik-ctr-acpkm"
1647 +#define NID_kuznyechik_ctr_acpkm                1177
1648 +#define OBJ_kuznyechik_ctr_acpkm                OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,1L
1649  
1650 -#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac               "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac"
1651 -#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac              1178
1652 -#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac              OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,2L
1653 +#define SN_kuznyechik_ctr_acpkm_omac            "kuznyechik-ctr-acpkm-omac"
1654 +#define NID_kuznyechik_ctr_acpkm_omac           1178
1655 +#define OBJ_kuznyechik_ctr_acpkm_omac           OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,2L
1656  
1657  #define SN_id_tc26_agreement            "id-tc26-agreement"
1658  #define NID_id_tc26_agreement           991
1659 @@ -4270,17 +4290,17 @@
1660  #define NID_id_tc26_wrap_gostr3412_2015_magma           1180
1661  #define OBJ_id_tc26_wrap_gostr3412_2015_magma           OBJ_id_tc26_wrap,1L
1662  
1663 -#define SN_id_tc26_wrap_gostr3412_2015_magma_kexp15             "id-tc26-wrap-gostr3412-2015-magma-kexp15"
1664 -#define NID_id_tc26_wrap_gostr3412_2015_magma_kexp15            1181
1665 -#define OBJ_id_tc26_wrap_gostr3412_2015_magma_kexp15            OBJ_id_tc26_wrap_gostr3412_2015_magma,1L
1666 +#define SN_magma_kexp15         "magma-kexp15"
1667 +#define NID_magma_kexp15                1181
1668 +#define OBJ_magma_kexp15                OBJ_id_tc26_wrap_gostr3412_2015_magma,1L
1669  
1670  #define SN_id_tc26_wrap_gostr3412_2015_kuznyechik               "id-tc26-wrap-gostr3412-2015-kuznyechik"
1671  #define NID_id_tc26_wrap_gostr3412_2015_kuznyechik              1182
1672  #define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik              OBJ_id_tc26_wrap,2L
1673  
1674 -#define SN_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15                "id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15"
1675 -#define NID_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15               1183
1676 -#define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15               OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik,1L
1677 +#define SN_kuznyechik_kexp15            "kuznyechik-kexp15"
1678 +#define NID_kuznyechik_kexp15           1183
1679 +#define OBJ_kuznyechik_kexp15           OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik,1L
1680  
1681  #define SN_id_tc26_constants            "id-tc26-constants"
1682  #define NID_id_tc26_constants           994
1683 @@ -4370,6 +4390,11 @@
1684  #define NID_SNILS               1006
1685  #define OBJ_SNILS               OBJ_member_body,643L,100L,3L
1686  
1687 +#define SN_OGRNIP               "OGRNIP"
1688 +#define LN_OGRNIP               "OGRNIP"
1689 +#define NID_OGRNIP              1195
1690 +#define OBJ_OGRNIP              OBJ_member_body,643L,100L,5L
1691 +
1692  #define SN_subjectSignTool              "subjectSignTool"
1693  #define LN_subjectSignTool              "Signing Tool of Subject"
1694  #define NID_subjectSignTool             1007
1695 @@ -4380,24 +4405,62 @@
1696  #define NID_issuerSignTool              1008
1697  #define OBJ_issuerSignTool              OBJ_member_body,643L,100L,112L
1698  
1699 -#define SN_grasshopper_ecb              "grasshopper-ecb"
1700 -#define NID_grasshopper_ecb             1012
1701 +#define SN_classSignTool                "classSignTool"
1702 +#define LN_classSignTool                "Class of Signing Tool"
1703 +#define NID_classSignTool               1196
1704 +#define OBJ_classSignTool               OBJ_member_body,643L,100L,113L
1705  
1706 -#define SN_grasshopper_ctr              "grasshopper-ctr"
1707 -#define NID_grasshopper_ctr             1013
1708 +#define SN_classSignToolKC1             "classSignToolKC1"
1709 +#define LN_classSignToolKC1             "Class of Signing Tool KC1"
1710 +#define NID_classSignToolKC1            1197
1711 +#define OBJ_classSignToolKC1            OBJ_member_body,643L,100L,113L,1L
1712  
1713 -#define SN_grasshopper_ofb              "grasshopper-ofb"
1714 -#define NID_grasshopper_ofb             1014
1715 +#define SN_classSignToolKC2             "classSignToolKC2"
1716 +#define LN_classSignToolKC2             "Class of Signing Tool KC2"
1717 +#define NID_classSignToolKC2            1198
1718 +#define OBJ_classSignToolKC2            OBJ_member_body,643L,100L,113L,2L
1719  
1720 -#define SN_grasshopper_cbc              "grasshopper-cbc"
1721 -#define NID_grasshopper_cbc             1015
1722 +#define SN_classSignToolKC3             "classSignToolKC3"
1723 +#define LN_classSignToolKC3             "Class of Signing Tool KC3"
1724 +#define NID_classSignToolKC3            1199
1725 +#define OBJ_classSignToolKC3            OBJ_member_body,643L,100L,113L,3L
1726  
1727 -#define SN_grasshopper_cfb              "grasshopper-cfb"
1728 -#define NID_grasshopper_cfb             1016
1729 +#define SN_classSignToolKB1             "classSignToolKB1"
1730 +#define LN_classSignToolKB1             "Class of Signing Tool KB1"
1731 +#define NID_classSignToolKB1            1200
1732 +#define OBJ_classSignToolKB1            OBJ_member_body,643L,100L,113L,4L
1733  
1734 -#define SN_grasshopper_mac              "grasshopper-mac"
1735 -#define NID_grasshopper_mac             1017
1736 +#define SN_classSignToolKB2             "classSignToolKB2"
1737 +#define LN_classSignToolKB2             "Class of Signing Tool KB2"
1738 +#define NID_classSignToolKB2            1201
1739 +#define OBJ_classSignToolKB2            OBJ_member_body,643L,100L,113L,5L
1740  
1741 +#define SN_classSignToolKA1             "classSignToolKA1"
1742 +#define LN_classSignToolKA1             "Class of Signing Tool KA1"
1743 +#define NID_classSignToolKA1            1202
1744 +#define OBJ_classSignToolKA1            OBJ_member_body,643L,100L,113L,6L
1745 +
1746 +#define SN_kuznyechik_ecb               "kuznyechik-ecb"
1747 +#define NID_kuznyechik_ecb              1012
1748 +
1749 +#define SN_kuznyechik_ctr               "kuznyechik-ctr"
1750 +#define NID_kuznyechik_ctr              1013
1751 +
1752 +#define SN_kuznyechik_ofb               "kuznyechik-ofb"
1753 +#define NID_kuznyechik_ofb              1014
1754 +
1755 +#define SN_kuznyechik_cbc               "kuznyechik-cbc"
1756 +#define NID_kuznyechik_cbc              1015
1757 +
1758 +#define SN_kuznyechik_cfb               "kuznyechik-cfb"
1759 +#define NID_kuznyechik_cfb              1016
1760 +
1761 +#define SN_kuznyechik_mac               "kuznyechik-mac"
1762 +#define NID_kuznyechik_mac              1017
1763 +
1764 +#define SN_kuznyechik_mgm               "kuznyechik-mgm"
1765 +#define NID_kuznyechik_mgm              1207
1766 +
1767  #define SN_magma_ecb            "magma-ecb"
1768  #define NID_magma_ecb           1187
1769  
1770 @@ -4416,6 +4479,9 @@
1771  #define SN_magma_mac            "magma-mac"
1772  #define NID_magma_mac           1192
1773  
1774 +#define SN_magma_mgm            "magma-mgm"
1775 +#define NID_magma_mgm           1208
1776 +
1777  #define SN_camellia_128_cbc             "CAMELLIA-128-CBC"
1778  #define LN_camellia_128_cbc             "camellia-128-cbc"
1779  #define NID_camellia_128_cbc            751
1780 @@ -5196,3 +5262,49 @@
1781  #define LN_uacurve9             "DSTU curve 9"
1782  #define NID_uacurve9            1169
1783  #define OBJ_uacurve9            OBJ_dstu4145le,2L,9L
1784 +
1785 +#ifndef OPENSSL_NO_DEPRECATED_3_0
1786 +
1787 +#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm                 SN_magma_ctr_acpkm
1788 +#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm                NID_magma_ctr_acpkm
1789 +#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm                OBJ_magma_ctr_acpkm
1790 +
1791 +#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac            SN_magma_ctr_acpkm_omac
1792 +#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac           NID_magma_ctr_acpkm_omac
1793 +#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac           OBJ_magma_ctr_acpkm_omac
1794 +
1795 +#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm            SN_kuznyechik_ctr_acpkm
1796 +#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm           NID_kuznyechik_ctr_acpkm
1797 +#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm           OBJ_kuznyechik_ctr_acpkm
1798 +
1799 +#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac               SN_kuznyechik_ctr_acpkm_omac
1800 +#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac              NID_kuznyechik_ctr_acpkm_omac
1801 +#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac              OBJ_kuznyechik_ctr_acpkm_omac
1802 +
1803 +#define SN_id_tc26_wrap_gostr3412_2015_magma_kexp15             SN_magma_kexp15
1804 +#define NID_id_tc26_wrap_gostr3412_2015_magma_kexp15            NID_magma_kexp15
1805 +#define OBJ_id_tc26_wrap_gostr3412_2015_magma_kexp15            OBJ_magma_kexp15
1806 +
1807 +#define SN_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15                SN_kuznyechik_kexp15
1808 +#define NID_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15               NID_kuznyechik_kexp15
1809 +#define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15               OBJ_kuznyechik_kexp15
1810 +
1811 +#define SN_grasshopper_ecb              SN_kuznyechik_ecb
1812 +#define NID_grasshopper_ecb             NID_kuznyechik_ecb
1813 +
1814 +#define SN_grasshopper_ctr              SN_kuznyechik_ctr
1815 +#define NID_grasshopper_ctr             NID_kuznyechik_ctr
1816 +
1817 +#define SN_grasshopper_ofb              SN_kuznyechik_ofb
1818 +#define NID_grasshopper_ofb             NID_kuznyechik_ofb
1819 +
1820 +#define SN_grasshopper_cbc              SN_kuznyechik_cbc
1821 +#define NID_grasshopper_cbc             NID_kuznyechik_cbc
1822 +
1823 +#define SN_grasshopper_cfb              SN_kuznyechik_cfb
1824 +#define NID_grasshopper_cfb             NID_kuznyechik_cfb
1825 +
1826 +#define SN_grasshopper_mac              SN_kuznyechik_mac
1827 +#define NID_grasshopper_mac             NID_kuznyechik_mac
1828 +
1829 +#endif
1830 Index: include/openssl/evp.h
1831 ===================================================================
1832 --- include/openssl/evp.h       (revision 14523)
1833 +++ include/openssl/evp.h       (working copy)
1834 @@ -20,7 +20,10 @@
1835  # define EVP_MAX_KEY_LENGTH              64
1836  # define EVP_MAX_IV_LENGTH               16
1837  # define EVP_MAX_BLOCK_LENGTH            32
1838 +# define EVP_MAX_AEAD_TAG_LEN            16/* longest known AEAD tag size */
1839  
1840 +#define EVP_MAX_MAC_SIZE EVP_MAX_AEAD_TAG_LEN
1841 +
1842  # define PKCS5_SALT_LEN                  8
1843  /* Default PKCS#5 iteration count */
1844  # define PKCS5_DEFAULT_ITER              2048
1845 @@ -139,6 +142,7 @@
1846  #  define EVP_MD_CTRL_DIGALGID                    0x1
1847  #  define EVP_MD_CTRL_MICALG                      0x2
1848  #  define EVP_MD_CTRL_XOF_LEN                     0x3
1849 +#  define EVP_MD_CTRL_TLSTREE                     0x4
1850  
1851  /* Minimum Algorithm specific ctrl value */
1852  
1853 @@ -277,8 +281,9 @@
1854  # define         EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
1855  # define         EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0x400000
1856  /* Cipher can handle pipeline operations */
1857 -# define         EVP_CIPH_FLAG_PIPELINE          0X800000
1858 -
1859 +# define         EVP_CIPH_FLAG_PIPELINE          0x800000
1860 +# define         EVP_CIPH_FLAG_CIPHER_WITH_MAC  0x1000000
1861 +# define         EVP_CIPH_FLAG_GET_WRAP_CIPHER     0X4000000
1862  /*
1863   * Cipher context flag to indicate we can handle wrap mode: if allowed in
1864   * older applications it could overflow buffers.
1865 @@ -352,7 +357,21 @@
1866  # define         EVP_CTRL_SET_PIPELINE_INPUT_LENS        0x24
1867  
1868  # define         EVP_CTRL_GET_IVLEN                      0x25
1869 +/* Indicates TLSTREE key diversification during TLS processing */
1870 +# define         EVP_CTRL_TLSTREE                        0x26
1871  
1872 +#define          EVP_CTRL_AEAD_MAX_TAG_LEN               0x27
1873 +# define         EVP_CTRL_GET_WRAP_CIPHER                0X28
1874 +
1875 +# define         EVP_CTRL_GET_MAC_LEN                    EVP_CTRL_AEAD_MAX_TAG_LEN
1876 +# define         EVP_CTRL_GET_MAC                        EVP_CTRL_AEAD_GET_TAG
1877 +# define         EVP_CTRL_SET_EXPECTED_MAC               EVP_CTRL_AEAD_SET_TAG
1878 +/* GOST CMS requires processing unprotected attributes in some cases*/
1879 +# define         EVP_CTRL_PROCESS_UNPROTECTED            0x29
1880 +/* Set GOST TLSTREE params */
1881 +# define         EVP_CTRL_SET_TLSTREE_PARAMS             0x2A
1882 +
1883 +
1884  /* Padding modes */
1885  #define EVP_PADDING_PKCS7       1
1886  #define EVP_PADDING_ISO7816_4   2
1887 @@ -390,6 +409,10 @@
1888  /* Length of CCM8 tag for TLS */
1889  # define EVP_CCM8_TLS_TAG_LEN                            8
1890  
1891 +/* GOST TLS 1.3 tag lengths */
1892 +# define EVP_MAGMA_TLS_TAG_LEN                           8
1893 +# define EVP_KUZNYECHIK_TLS_TAG_LEN                      16
1894 +
1895  /* Length of tag for TLS */
1896  # define EVP_CHACHAPOLY_TLS_TAG_LEN                      16
1897  
1898 @@ -1142,6 +1165,10 @@
1899  # define ASN1_PKEY_CTRL_SET1_TLS_ENCPT   0x9
1900  # define ASN1_PKEY_CTRL_GET1_TLS_ENCPT   0xa
1901  
1902 +// This control use for decryption 
1903 +// when algorithm support multiple ri types
1904 +# define ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED      0xb
1905 +
1906  int EVP_PKEY_asn1_get_count(void);
1907  const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx);
1908  const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pe, int type);
1909 Index: include/openssl/cmserr.h
1910 ===================================================================
1911 --- include/openssl/cmserr.h    (revision 14523)
1912 +++ include/openssl/cmserr.h    (working copy)
1913 @@ -11,9 +11,7 @@
1914  #ifndef HEADER_CMSERR_H
1915  # define HEADER_CMSERR_H
1916  
1917 -# ifndef HEADER_SYMHACKS_H
1918 -#  include <openssl/symhacks.h>
1919 -# endif
1920 +# include <openssl/symhacks.h>
1921  
1922  # include <openssl/opensslconf.h>
1923  
1924 @@ -32,6 +30,7 @@
1925  #  define CMS_F_CMS_ADD0_RECIPIENT_KEY                     100
1926  #  define CMS_F_CMS_ADD0_RECIPIENT_PASSWORD                165
1927  #  define CMS_F_CMS_ADD1_RECEIPTREQUEST                    158
1928 +#  define CMS_F_CMS_ADD1_RECIPIENT                         181
1929  #  define CMS_F_CMS_ADD1_RECIPIENT_CERT                    101
1930  #  define CMS_F_CMS_ADD1_SIGNER                            102
1931  #  define CMS_F_CMS_ADD1_SIGNINGTIME                       103
1932 @@ -47,6 +46,7 @@
1933  #  define CMS_F_CMS_DECRYPT_SET1_KEY                       113
1934  #  define CMS_F_CMS_DECRYPT_SET1_PASSWORD                  166
1935  #  define CMS_F_CMS_DECRYPT_SET1_PKEY                      114
1936 +#  define CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER             182
1937  #  define CMS_F_CMS_DIGESTALGORITHM_FIND_CTX               115
1938  #  define CMS_F_CMS_DIGESTALGORITHM_INIT_BIO               116
1939  #  define CMS_F_CMS_DIGESTEDDATA_DO_FINAL                  117
1940 @@ -59,6 +59,9 @@
1941  #  define CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT                  122
1942  #  define CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY                 123
1943  #  define CMS_F_CMS_ENVELOPEDDATA_CREATE                   124
1944 +#  define CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO      184
1945 +#  define CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO      185
1946 +#  define CMS_F_CMS_ENVELOPEDDATA_FINAL                    186
1947  #  define CMS_F_CMS_ENVELOPEDDATA_INIT_BIO                 125
1948  #  define CMS_F_CMS_ENVELOPED_DATA_INIT                    126
1949  #  define CMS_F_CMS_ENV_ASN1_CTRL                          171
1950 Index: include/openssl/x509v3err.h
1951 ===================================================================
1952 --- include/openssl/x509v3err.h (revision 14523)
1953 +++ include/openssl/x509v3err.h (working copy)
1954 @@ -37,6 +37,7 @@
1955  # define X509V3_F_I2S_ASN1_ENUMERATED                     121
1956  # define X509V3_F_I2S_ASN1_IA5STRING                      149
1957  # define X509V3_F_I2S_ASN1_INTEGER                        120
1958 +# define X509V3_F_I2S_ASN1_UTF8STRING                     173
1959  # define X509V3_F_I2V_AUTHORITY_INFO_ACCESS               138
1960  # define X509V3_F_LEVEL_ADD_NODE                          168
1961  # define X509V3_F_NOTICE_SECTION                          132
1962 @@ -51,6 +52,7 @@
1963  # define X509V3_F_S2I_ASN1_IA5STRING                      100
1964  # define X509V3_F_S2I_ASN1_INTEGER                        108
1965  # define X509V3_F_S2I_ASN1_OCTET_STRING                   112
1966 +# define X509V3_F_S2I_ASN1_UTF8STRING                     174
1967  # define X509V3_F_S2I_SKEY_ID                             115
1968  # define X509V3_F_SET_DIST_POINT_NAME                     158
1969  # define X509V3_F_SXNET_ADD_ID_ASC                        125
1970 Index: Configurations/unix-Makefile.tmpl
1971 ===================================================================
1972 --- Configurations/unix-Makefile.tmpl   (revision 14523)
1973 +++ Configurations/unix-Makefile.tmpl   (working copy)
1974 @@ -888,6 +888,7 @@
1975                                 crypto/objects/obj_mac.num \
1976                                 crypto/objects/obj_xref.txt \
1977                                 > crypto/objects/obj_xref.h )
1978 +       ( cd $(SRCDIR); cat crypto/objects/obj_compat.h >> include/openssl/obj_mac.h )
1979  
1980  generate_crypto_conf:
1981         ( cd $(SRCDIR); $(PERL) crypto/conf/keysets.pl \
1982 Index: ssl/t1_trce.c
1983 ===================================================================
1984 --- ssl/t1_trce.c       (revision 14523)
1985 +++ ssl/t1_trce.c       (working copy)
1986 @@ -443,6 +443,9 @@
1987      {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
1988      {0xFF85, "GOST2012-GOST8912-GOST8912"},
1989      {0xFF87, "GOST2012-NULL-GOST12"},
1990 +    {0xC100, "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC"},
1991 +    {0xC101, "GOST2012-MAGMA-MAGMAOMAC"},
1992 +    {0xC102, "GOST2012-GOST8912-IANA"},
1993  };
1994  
1995  /* Compression methods */
1996 @@ -522,6 +525,13 @@
1997      {28, "brainpoolP512r1"},
1998      {29, "ecdh_x25519"},
1999      {30, "ecdh_x448"},
2000 +    {34, "GC256A"},
2001 +    {35, "GC256B"},
2002 +    {36, "GC256C"},
2003 +    {37, "GC256D"},
2004 +    {38, "GC512A"},
2005 +    {39, "GC512B"},
2006 +    {40, "GC512C"},
2007      {256, "ffdhe2048"},
2008      {257, "ffdhe3072"},
2009      {258, "ffdhe4096"},
2010 @@ -571,6 +581,8 @@
2011      {TLSEXT_SIGALG_dsa_sha1, "dsa_sha1"},
2012      {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"},
2013      {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"},
2014 +    {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy, "gost2012_256"},
2015 +    {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy, "gost2012_512"},
2016      {TLSEXT_SIGALG_gostr34102001_gostr3411, "gost2001_gost94"},
2017  };
2018  
2019 @@ -584,7 +596,9 @@
2020      {20, "fortezza_dms"},
2021      {64, "ecdsa_sign"},
2022      {65, "rsa_fixed_ecdh"},
2023 -    {66, "ecdsa_fixed_ecdh"}
2024 +    {66, "ecdsa_fixed_ecdh"},
2025 +    {67, "gost_sign256"},
2026 +    {68, "gost_sign512"},
2027  };
2028  
2029  static const ssl_trace_tbl ssl_psk_kex_modes_tbl[] = {
2030 @@ -1072,6 +1086,10 @@
2031          *pname = "GOST";
2032          return SSL_kGOST;
2033      }
2034 +    if (alg_k & SSL_kGOST18) {
2035 +        *pname = "GOST18";
2036 +        return SSL_kGOST18;
2037 +    }
2038      *pname = "UNKNOWN";
2039      return 0;
2040  }
2041 @@ -1114,7 +1132,16 @@
2042          if (!ssl_print_hexbuf(bio, indent + 2, "ecdh_Yc", 1, &msg, &msglen))
2043              return 0;
2044          break;
2045 -
2046 +#ifndef OPENSSL_NO_GOST
2047 +    case SSL_kGOST:
2048 +        ssl_print_hex(bio, indent + 2, "GOST-wrapped PreMasterSecret", msg, msglen);
2049 +        break;
2050 +    case SSL_kGOST18:
2051 +            ssl_print_hex(bio, indent + 2,
2052 +                                "GOST-wrapped PreMasterSecret", msg, msglen);
2053 +                return 0;
2054 +        break;
2055 +#endif
2056      }
2057  
2058      return !msglen;
2059 Index: ssl/ssl_err.c
2060 ===================================================================
2061 --- ssl/ssl_err.c       (revision 14523)
2062 +++ ssl/ssl_err.c       (working copy)
2063 @@ -1,6 +1,6 @@
2064  /*
2065   * Generated by util/mkerr.pl DO NOT EDIT
2066 - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
2067 + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
2068   *
2069   * Licensed under the OpenSSL license (the "License").  You may not use
2070   * this file except in compliance with the License.  You can obtain a copy
2071 @@ -112,6 +112,8 @@
2072       "ossl_statem_server_post_process_message"},
2073      {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_POST_WORK, 0),
2074       "ossl_statem_server_post_work"},
2075 +    {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_PRE_WORK, 0),
2076 +     "ossl_statem_server_pre_work"},
2077      {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE, 0),
2078       "ossl_statem_server_process_message"},
2079      {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, 0),
2080 @@ -437,6 +439,8 @@
2081       "tls_construct_cke_ecdhe"},
2082      {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_GOST, 0),
2083       "tls_construct_cke_gost"},
2084 +    {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_GOST18, 0),
2085 +     "tls_construct_cke_gost18"},
2086      {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 0),
2087       "tls_construct_cke_psk_preamble"},
2088      {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_RSA, 0),
2089 @@ -664,6 +668,8 @@
2090       "tls_process_cke_ecdhe"},
2091      {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_GOST, 0),
2092       "tls_process_cke_gost"},
2093 +    {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_GOST18, 0),
2094 +     "tls_process_cke_gost18"},
2095      {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 0),
2096       "tls_process_cke_psk_preamble"},
2097      {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_RSA, 0),
2098 Index: ssl/t1_lib.c
2099 ===================================================================
2100 --- ssl/t1_lib.c        (revision 14523)
2101 +++ ssl/t1_lib.c        (working copy)
2102 @@ -169,6 +169,18 @@
2103      {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
2104      {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
2105      {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
2106 +#ifndef OPENSSL_NO_GOST
2107 +    {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 31 */
2108 +    {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 32 */
2109 +    {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 33 */
2110 +    {NID_id_tc26_gost_3410_2012_256_paramSetA, 128, TLS_CURVE_GOST},
2111 +    {NID_id_tc26_gost_3410_2012_256_paramSetB, 128, TLS_CURVE_GOST},
2112 +    {NID_id_tc26_gost_3410_2012_256_paramSetC, 128, TLS_CURVE_GOST},
2113 +    {NID_id_tc26_gost_3410_2012_256_paramSetD, 128, TLS_CURVE_GOST},
2114 +    {NID_id_tc26_gost_3410_2012_512_paramSetA, 256, TLS_CURVE_GOST},
2115 +    {NID_id_tc26_gost_3410_2012_512_paramSetB, 256, TLS_CURVE_GOST},
2116 +    {NID_id_tc26_gost_3410_2012_512_paramSetC, 256, TLS_CURVE_GOST},
2117 +#endif
2118  };
2119  
2120  static const unsigned char ecformats_default[] = {
2121 @@ -184,6 +196,15 @@
2122      30,                      /* X448 (30) */
2123      25,                      /* secp521r1 (25) */
2124      24,                      /* secp384r1 (24) */
2125 +#ifndef OPENSSL_NO_GOST
2126 +    34,
2127 +    35,
2128 +    36,
2129 +    37,
2130 +    38,
2131 +    39,
2132 +    40,
2133 +#endif
2134  };
2135  
2136  static const uint16_t suiteb_curves[] = {
2137 @@ -196,6 +217,8 @@
2138      /* ECC curves from RFC 4492 and RFC 7027 */
2139      if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
2140          return NULL;
2141 +    if (nid_list[group_id - 1].nid == NID_undef)
2142 +        return NULL;
2143      return &nid_list[group_id - 1];
2144  }
2145  
2146 @@ -380,6 +403,33 @@
2147      int nid_arr[MAX_CURVELIST];
2148  } nid_cb_st;
2149  
2150 +#ifndef OPENSSL_NO_GOST
2151 +typedef struct {
2152 +    const char *name;           /* Name of GOST curve */
2153 +    int nid;                    /* Curve NID */
2154 +} EC_GOST_NAME;
2155 +
2156 +static EC_GOST_NAME gost_curves[] = {
2157 +    {"GC256A", NID_id_tc26_gost_3410_2012_256_paramSetA},
2158 +    {"GC256B", NID_id_tc26_gost_3410_2012_256_paramSetB},
2159 +    {"GC256C", NID_id_tc26_gost_3410_2012_256_paramSetC},
2160 +    {"GC256D", NID_id_tc26_gost_3410_2012_256_paramSetD},
2161 +    {"GC512A", NID_id_tc26_gost_3410_2012_512_paramSetA},
2162 +    {"GC512B", NID_id_tc26_gost_3410_2012_512_paramSetB},
2163 +    {"GC512C", NID_id_tc26_gost_3410_2012_512_paramSetC},
2164 +};
2165 +
2166 +int GOST_curve2nid(const char *name)
2167 +{
2168 +    size_t i;
2169 +    for (i = 0; i < OSSL_NELEM(gost_curves); i++) {
2170 +        if (strcmp(gost_curves[i].name, name) == 0)
2171 +            return gost_curves[i].nid;
2172 +    }
2173 +    return NID_undef;
2174 +}
2175 +#endif
2176 +
2177  static int nid_cb(const char *elem, int len, void *arg)
2178  {
2179      nid_cb_st *narg = arg;
2180 @@ -395,7 +445,12 @@
2181      memcpy(etmp, elem, len);
2182      etmp[len] = 0;
2183      nid = EC_curve_nist2nid(etmp);
2184 +#ifndef OPENSSL_NO_GOST
2185 +               /* FIXME beldmit */
2186      if (nid == NID_undef)
2187 +        nid = GOST_curve2nid(etmp);
2188 +#endif
2189 +    if (nid == NID_undef)
2190          nid = OBJ_sn2nid(etmp);
2191      if (nid == NID_undef)
2192          nid = OBJ_ln2nid(etmp);
2193 @@ -670,8 +725,17 @@
2194      TLSEXT_SIGALG_dsa_sha512,
2195  #endif
2196  #ifndef OPENSSL_NO_GOST
2197 +    TLSEXT_SIGALG_gostr34102012_256a,
2198 +    TLSEXT_SIGALG_gostr34102012_256b,
2199 +    TLSEXT_SIGALG_gostr34102012_256c,
2200 +    TLSEXT_SIGALG_gostr34102012_256d,
2201 +    TLSEXT_SIGALG_gostr34102012_512a,
2202 +    TLSEXT_SIGALG_gostr34102012_512b,
2203 +    TLSEXT_SIGALG_gostr34102012_512c,
2204      TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
2205      TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
2206 +    TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy,
2207 +    TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy,
2208      TLSEXT_SIGALG_gostr34102001_gostr3411,
2209  #endif
2210  };
2211 @@ -758,6 +822,34 @@
2212       NID_dsaWithSHA1, NID_undef},
2213  #endif
2214  #ifndef OPENSSL_NO_GOST
2215 +    {"gostr34102012_256a", TLSEXT_SIGALG_gostr34102012_256a,
2216 +     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2217 +     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
2218 +     NID_undef, NID_undef},
2219 +    {"gostr34102012_256b", TLSEXT_SIGALG_gostr34102012_256b,
2220 +     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2221 +     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
2222 +     NID_undef, NID_undef},
2223 +    {"gostr34102012_256c", TLSEXT_SIGALG_gostr34102012_256c,
2224 +     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2225 +     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
2226 +     NID_undef, NID_undef},
2227 +    {"gostr34102012_256d", TLSEXT_SIGALG_gostr34102012_256d,
2228 +     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2229 +     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
2230 +     NID_undef, NID_undef},
2231 +    {"gostr34102012_512a", TLSEXT_SIGALG_gostr34102012_512a,
2232 +     NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
2233 +     NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
2234 +     NID_undef, NID_undef},
2235 +    {"gostr34102012_512b", TLSEXT_SIGALG_gostr34102012_512b,
2236 +     NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
2237 +     NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
2238 +     NID_undef, NID_undef},
2239 +    {"gostr34102012_512c", TLSEXT_SIGALG_gostr34102012_512c,
2240 +     NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
2241 +     NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
2242 +     NID_undef, NID_undef},
2243      {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
2244       NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2245       NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
2246 @@ -766,6 +858,14 @@
2247       NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
2248       NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
2249       NID_undef, NID_undef},
2250 +    {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy,
2251 +     NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
2252 +     NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
2253 +     NID_undef, NID_undef},
2254 +    {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy,
2255 +     NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
2256 +     NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
2257 +     NID_undef, NID_undef},
2258      {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
2259       NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
2260       NID_id_GostR3410_2001, SSL_PKEY_GOST01,
2261 @@ -886,6 +986,24 @@
2262                      }
2263                  }
2264              }
2265 +            /*
2266 +             * Here is another fallback: when broken implementations did not sent
2267 +             * proper signature_algorithm extension, we try to use this function.
2268 +             *
2269 +             * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used
2270 +             * with new (aGOST12-only) ciphersuites, we should find out which one is available really.
2271 +             * */
2272 +            else if (idx == SSL_PKEY_GOST12_256) {
2273 +                int real_idx;
2274 +
2275 +                for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256;
2276 +                     real_idx--) {
2277 +                    if (s->cert->pkeys[real_idx].privatekey != NULL) {
2278 +                        idx = real_idx;
2279 +                        break;
2280 +                    }
2281 +                }
2282 +            }
2283          } else {
2284              idx = s->cert->key - s->cert->pkeys;
2285          }
2286 @@ -1612,10 +1730,8 @@
2287      if (ssl_cert_is_disabled(lu->sig_idx))
2288          return 0;
2289  
2290 -    if (lu->sig == NID_id_GostR3410_2012_256
2291 -            || lu->sig == NID_id_GostR3410_2012_512
2292 -            || lu->sig == NID_id_GostR3410_2001) {
2293 -        /* We never allow GOST sig algs on the server with TLSv1.3 */
2294 +    if (lu->sig == NID_id_GostR3410_2001) {
2295 +        /* GOST sig algs on the server with TLSv1.3 are allowed for GOST2012 */
2296          if (s->server && SSL_IS_TLS13(s))
2297              return 0;
2298          if (!s->server
2299 @@ -1643,7 +1759,7 @@
2300                  if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
2301                      continue;
2302  
2303 -                if ((c->algorithm_mkey & SSL_kGOST) != 0)
2304 +                if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0)
2305                      break;
2306              }
2307              if (i == num)
2308 Index: ssl/ssl_local.h
2309 ===================================================================
2310 --- ssl/ssl_local.h     (revision 14523)
2311 +++ ssl/ssl_local.h     (working copy)
2312 @@ -176,6 +176,8 @@
2313  # define SSL_kRSAPSK             0x00000040U
2314  # define SSL_kECDHEPSK           0x00000080U
2315  # define SSL_kDHEPSK             0x00000100U
2316 +/* GOST KDF key exchange, draft-smyshlyaev-tls12-gost-suites */
2317 +# define SSL_kGOST18             0x00000200U
2318  
2319  /* all PSK */
2320  
2321 @@ -230,6 +232,10 @@
2322  # define SSL_CHACHA20POLY1305    0x00080000U
2323  # define SSL_ARIA128GCM          0x00100000U
2324  # define SSL_ARIA256GCM          0x00200000U
2325 +# define SSL_MAGMA               0x00400000U
2326 +# define SSL_KUZNYECHIK          0x00800000U
2327 +# define SSL_MAGMA_MGM           0x01000000U
2328 +# define SSL_KUZNYECHIK_MGM      0x02000000U
2329  
2330  # define SSL_AESGCM              (SSL_AES128GCM | SSL_AES256GCM)
2331  # define SSL_AESCCM              (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
2332 @@ -252,6 +258,8 @@
2333  # define SSL_GOST12_256          0x00000080U
2334  # define SSL_GOST89MAC12         0x00000100U
2335  # define SSL_GOST12_512          0x00000200U
2336 +# define SSL_MAGMAOMAC           0x00000400U
2337 +# define SSL_KUZNYECHIKOMAC      0x00000800U
2338  
2339  /*
2340   * When adding new digest in the ssl_ciph.c and increment SSL_MD_NUM_IDX make
2341 @@ -270,7 +278,9 @@
2342  # define SSL_MD_MD5_SHA1_IDX 9
2343  # define SSL_MD_SHA224_IDX 10
2344  # define SSL_MD_SHA512_IDX 11
2345 -# define SSL_MAX_DIGEST 12
2346 +# define SSL_MD_MAGMAOMAC_IDX 12
2347 +# define SSL_MD_KUZNYECHIKOMAC_IDX 13
2348 +# define SSL_MAX_DIGEST 14
2349  
2350  /* Bits for algorithm2 (handshake digests and other extra flags) */
2351  
2352 @@ -299,6 +309,13 @@
2353   * goes into algorithm2)
2354   */
2355  # define TLS1_STREAM_MAC 0x10000
2356 +/*
2357 + * TLSTREE cipher/mac key derivation used for GOST TLS 1.2/1.3 ciphersuites 
2358 + * (currently this also goes into algorithm2)
2359 + */
2360 +# define TLS1_TLSTREE    0x20000
2361 +# define TLS1_TLSTREE_S  0x40000
2362 +# define TLS1_TLSTREE_L  0x80000
2363  
2364  # define SSL_STRONG_MASK         0x0000001FU
2365  # define SSL_DEFAULT_MASK        0X00000020U
2366 @@ -1512,10 +1529,11 @@
2367  } TLS_GROUP_INFO;
2368  
2369  /* flags values */
2370 -# define TLS_CURVE_TYPE          0x3 /* Mask for group type */
2371 +# define TLS_CURVE_TYPE          0x7 /* Mask for group type */
2372  # define TLS_CURVE_PRIME         0x0
2373  # define TLS_CURVE_CHAR2         0x1
2374  # define TLS_CURVE_CUSTOM        0x2
2375 +# define TLS_CURVE_GOST          0x4
2376  
2377  typedef struct cert_pkey_st CERT_PKEY;
2378  
2379 @@ -2043,8 +2061,17 @@
2380  #define TLSEXT_SIGALG_dsa_sha512                                0x0602
2381  #define TLSEXT_SIGALG_dsa_sha224                                0x0302
2382  #define TLSEXT_SIGALG_dsa_sha1                                  0x0202
2383 -#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256       0xeeee
2384 -#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512       0xefef
2385 +#define TLSEXT_SIGALG_gostr34102012_256a                        0x0709
2386 +#define TLSEXT_SIGALG_gostr34102012_256b                        0x070A
2387 +#define TLSEXT_SIGALG_gostr34102012_256c                        0x070B
2388 +#define TLSEXT_SIGALG_gostr34102012_256d                        0x070C
2389 +#define TLSEXT_SIGALG_gostr34102012_512a                        0x070D
2390 +#define TLSEXT_SIGALG_gostr34102012_512b                        0x070E
2391 +#define TLSEXT_SIGALG_gostr34102012_512c                        0x070F
2392 +#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256       0x0840
2393 +#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512       0x0841
2394 +#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy 0xeeee
2395 +#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy 0xefef
2396  #define TLSEXT_SIGALG_gostr34102001_gostr3411                   0xeded
2397  
2398  #define TLSEXT_SIGALG_ed25519                                   0x0807
2399 Index: ssl/ssl_lib.c
2400 ===================================================================
2401 --- ssl/ssl_lib.c       (revision 14523)
2402 +++ ssl/ssl_lib.c       (working copy)
2403 @@ -3327,11 +3327,11 @@
2404  
2405  #ifndef OPENSSL_NO_GOST
2406      if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) {
2407 -        mask_k |= SSL_kGOST;
2408 +        mask_k |= SSL_kGOST | SSL_kGOST18;
2409          mask_a |= SSL_aGOST12;
2410      }
2411      if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) {
2412 -        mask_k |= SSL_kGOST;
2413 +        mask_k |= SSL_kGOST | SSL_kGOST18;
2414          mask_a |= SSL_aGOST12;
2415      }
2416      if (ssl_has_cert(s, SSL_PKEY_GOST01)) {
2417 Index: ssl/tls13_enc.c
2418 ===================================================================
2419 --- ssl/tls13_enc.c     (revision 14523)
2420 +++ ssl/tls13_enc.c     (working copy)
2421 @@ -421,6 +421,21 @@
2422          goto err;
2423      }
2424  
2425 +    if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE) {
2426 +      int res = 0;
2427 +      if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE_S) {
2428 +          res = EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_SET_TLSTREE_PARAMS, 0, "short");
2429 +      } else if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE_L) {
2430 +          res = EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_SET_TLSTREE_PARAMS, 0, "long");
2431 +      }
2432 +
2433 +      if (res <= 0) {
2434 +          SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
2435 +                   ERR_R_EVP_LIB);
2436 +          goto err;
2437 +      }
2438 +    }
2439 +
2440      return 1;
2441   err:
2442      OPENSSL_cleanse(key, sizeof(key));
2443 Index: ssl/record/ssl3_record.c
2444 ===================================================================
2445 --- ssl/record/ssl3_record.c    (revision 14523)
2446 +++ ssl/record/ssl3_record.c    (working copy)
2447 @@ -944,6 +944,8 @@
2448      unsigned char padval;
2449      int imac_size;
2450      const EVP_CIPHER *enc;
2451 +    int tlstree_enc = (sending ? (s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
2452 +                      : (s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE));
2453  
2454      if (n_recs == 0) {
2455          SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
2456 @@ -1036,7 +1038,6 @@
2457  
2458                  seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
2459                      : RECORD_LAYER_get_read_sequence(&s->rlayer);
2460 -
2461                  if (SSL_IS_DTLS(s)) {
2462                      /* DTLS does not support pipelining */
2463                      unsigned char dtlsseq[9], *p = dtlsseq;
2464 @@ -1122,6 +1123,27 @@
2465              }
2466          }
2467  
2468 +        if (!SSL_IS_DTLS(s) && tlstree_enc) {
2469 +          unsigned char *seq;
2470 +          int decrement_seq = 0;
2471 +          /*
2472 +           * When sending, seq is incremented after MAC calculation.
2473 +           * So if we are in ETM mode, we use seq 'as is' in the ctrl-function.
2474 +           * Otherwise we have to decrease it in the implementation
2475 +           */
2476 +          if (sending && !SSL_WRITE_ETM(s))
2477 +              decrement_seq = 1;
2478 +
2479 +          seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
2480 +            : RECORD_LAYER_get_read_sequence(&s->rlayer);
2481 +          if(EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_TLSTREE, decrement_seq, seq) <= 0)
2482 +          {
2483 +            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
2484 +                ERR_R_INTERNAL_ERROR);
2485 +            return -1;
2486 +          }
2487 +        }
2488 +
2489          /* TODO(size_t): Convert this call */
2490          tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
2491                            (unsigned int)reclen[0]);
2492 @@ -1287,6 +1309,8 @@
2493      unsigned char header[13];
2494      int stream_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
2495                        : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
2496 +    int tlstree_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
2497 +                      : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE));
2498      int t;
2499  
2500      if (sending) {
2501 @@ -1314,6 +1338,11 @@
2502          mac_ctx = hmac;
2503      }
2504  
2505 +    if (!SSL_IS_DTLS(ssl) && tlstree_mac && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) {
2506 +      EVP_MD_CTX_free(hmac);
2507 +      return 0;
2508 +    }
2509 +
2510      if (SSL_IS_DTLS(ssl)) {
2511          unsigned char dtlsseq[8], *p = dtlsseq;
2512  
2513 Index: ssl/record/ssl3_record_tls13.c
2514 ===================================================================
2515 --- ssl/record/ssl3_record_tls13.c      (revision 14523)
2516 +++ ssl/record/ssl3_record_tls13.c      (working copy)
2517 @@ -107,6 +107,10 @@
2518          taglen = EVP_GCM_TLS_TAG_LEN;
2519      } else if (alg_enc & SSL_CHACHA20) {
2520          taglen = EVP_CHACHAPOLY_TLS_TAG_LEN;
2521 +    } else if (alg_enc & SSL_MAGMA_MGM) {
2522 +        taglen = EVP_MAGMA_TLS_TAG_LEN;
2523 +    } else if (alg_enc & SSL_KUZNYECHIK_MGM) {
2524 +        taglen = EVP_KUZNYECHIK_TLS_TAG_LEN;
2525      } else {
2526          SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC,
2527                   ERR_R_INTERNAL_ERROR);
2528 @@ -135,6 +139,15 @@
2529      for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
2530          iv[offset + loop] = staticiv[offset + loop] ^ seq[loop];
2531  
2532 +    if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE) {
2533 +        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_TLSTREE,
2534 +                                0, seq) <= 0) {
2535 +            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC,
2536 +                     ERR_R_INTERNAL_ERROR);
2537 +            return -1;
2538 +        }
2539 +    }
2540 +
2541      /* Increment the sequence counter */
2542      for (loop = SEQ_NUM_SIZE; loop > 0; loop--) {
2543          ++seq[loop - 1];
2544 Index: ssl/ssl_ciph.c
2545 ===================================================================
2546 --- ssl/ssl_ciph.c      (revision 14523)
2547 +++ ssl/ssl_ciph.c      (working copy)
2548 @@ -43,7 +43,11 @@
2549  #define SSL_ENC_CHACHA_IDX      19
2550  #define SSL_ENC_ARIA128GCM_IDX  20
2551  #define SSL_ENC_ARIA256GCM_IDX  21
2552 -#define SSL_ENC_NUM_IDX         22
2553 +#define SSL_ENC_MAGMA_IDX       22
2554 +#define SSL_ENC_KUZNYECHIK_IDX  23
2555 +#define SSL_ENC_MAGMA_MGM_IDX       24
2556 +#define SSL_ENC_KUZNYECHIK_MGM_IDX  25
2557 +#define SSL_ENC_NUM_IDX         26
2558  
2559  /* NB: make sure indices in these tables match values above */
2560  
2561 @@ -76,6 +80,10 @@
2562      {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */
2563      {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */
2564      {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */
2565 +    {SSL_MAGMA, NID_magma_ctr_acpkm}, /* SSL_ENC_MAGMA_IDX */
2566 +    {SSL_KUZNYECHIK, NID_kuznyechik_ctr_acpkm}, /* SSL_ENC_KUZNYECHIK_IDX */
2567 +    {SSL_MAGMA_MGM, NID_magma_mgm}, /* SSL_ENC_MAGMA_MGM_IDX */
2568 +    {SSL_KUZNYECHIK_MGM, NID_kuznyechik_mgm}, /* SSL_ENC_KUZNYECHIK_MGM_IDX */
2569  };
2570  
2571  static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
2572 @@ -110,11 +118,13 @@
2573      {SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */
2574      {0, NID_md5_sha1},          /* SSL_MD_MD5_SHA1_IDX 9 */
2575      {0, NID_sha224},            /* SSL_MD_SHA224_IDX 10 */
2576 -    {0, NID_sha512}             /* SSL_MD_SHA512_IDX 11 */
2577 +    {0, NID_sha512},            /* SSL_MD_SHA512_IDX 11 */
2578 +    {SSL_MAGMAOMAC, NID_magma_mac}, /* SSL_MD_MAGMAOMAC_IDX */
2579 +    {SSL_KUZNYECHIKOMAC, NID_kuznyechik_mac}, /* SSL_MD_KUZNYECHIKOMAC_IDX */
2580  };
2581  
2582  static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
2583 -    NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
2584 +    NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
2585  };
2586  
2587  /* *INDENT-OFF* */
2588 @@ -128,6 +138,7 @@
2589      {SSL_kPSK,      NID_kx_psk},
2590      {SSL_kSRP,      NID_kx_srp},
2591      {SSL_kGOST,     NID_kx_gost},
2592 +    {SSL_kGOST18,   NID_kx_gost},/* FIXME beldmit */
2593      {SSL_kANY,      NID_kx_any}
2594  };
2595  
2596 @@ -171,8 +182,8 @@
2597      EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
2598      /* GOST2012_512 */
2599      EVP_PKEY_HMAC,
2600 -    /* MD5/SHA1, SHA224, SHA512 */
2601 -    NID_undef, NID_undef, NID_undef
2602 +    /* MD5/SHA1, SHA224, SHA512, MAGMAOMAC, KUZNYECHIKOMAC */
2603 +    NID_undef, NID_undef, NID_undef, NID_undef, NID_undef
2604  };
2605  
2606  static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];
2607 @@ -228,6 +239,7 @@
2608      {0, SSL_TXT_kDHEPSK, NULL, 0, SSL_kDHEPSK},
2609      {0, SSL_TXT_kSRP, NULL, 0, SSL_kSRP},
2610      {0, SSL_TXT_kGOST, NULL, 0, SSL_kGOST},
2611 +    {0, SSL_TXT_kGOST18, NULL, 0, SSL_kGOST18},
2612  
2613      /* server authentication aliases */
2614      {0, SSL_TXT_aRSA, NULL, 0, 0, SSL_aRSA},
2615 @@ -261,7 +273,7 @@
2616      {0, SSL_TXT_IDEA, NULL, 0, 0, 0, SSL_IDEA},
2617      {0, SSL_TXT_SEED, NULL, 0, 0, 0, SSL_SEED},
2618      {0, SSL_TXT_eNULL, NULL, 0, 0, 0, SSL_eNULL},
2619 -    {0, SSL_TXT_GOST, NULL, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12},
2620 +    {0, SSL_TXT_GOST, NULL, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12 | SSL_MAGMA | SSL_KUZNYECHIK},
2621      {0, SSL_TXT_AES128, NULL, 0, 0, 0,
2622       SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8},
2623      {0, SSL_TXT_AES256, NULL, 0, 0, 0,
2624 @@ -419,7 +431,7 @@
2625       * Check for presence of GOST 34.10 algorithms, and if they are not
2626       * present, disable appropriate auth and key exchange
2627       */
2628 -    ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");
2629 +    ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id(SN_id_Gost28147_89_MAC);
2630      if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX])
2631          ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
2632      else
2633 @@ -426,17 +438,31 @@
2634          disabled_mac_mask |= SSL_GOST89MAC;
2635  
2636      ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] =
2637 -        get_optional_pkey_id("gost-mac-12");
2638 +        get_optional_pkey_id(SN_gost_mac_12);
2639      if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX])
2640          ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;
2641      else
2642          disabled_mac_mask |= SSL_GOST89MAC12;
2643  
2644 -    if (!get_optional_pkey_id("gost2001"))
2645 +    ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX] =
2646 +        get_optional_pkey_id(SN_magma_mac);
2647 +    if (ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX])
2648 +        ssl_mac_secret_size[SSL_MD_MAGMAOMAC_IDX] = 32;
2649 +    else
2650 +        disabled_mac_mask |= SSL_MAGMAOMAC;
2651 +
2652 +    ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX] =
2653 +        get_optional_pkey_id(SN_kuznyechik_mac);
2654 +    if (ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX])
2655 +        ssl_mac_secret_size[SSL_MD_KUZNYECHIKOMAC_IDX] = 32;
2656 +    else
2657 +        disabled_mac_mask |= SSL_KUZNYECHIKOMAC;
2658 +
2659 +    if (!get_optional_pkey_id(SN_id_GostR3410_2001))
2660          disabled_auth_mask |= SSL_aGOST01 | SSL_aGOST12;
2661 -    if (!get_optional_pkey_id("gost2012_256"))
2662 +    if (!get_optional_pkey_id(SN_id_GostR3410_2012_256))
2663          disabled_auth_mask |= SSL_aGOST12;
2664 -    if (!get_optional_pkey_id("gost2012_512"))
2665 +    if (!get_optional_pkey_id(SN_id_GostR3410_2012_512))
2666          disabled_auth_mask |= SSL_aGOST12;
2667      /*
2668       * Disable GOST key exchange if no GOST signature algs are available *
2669 @@ -445,6 +471,9 @@
2670          (SSL_aGOST01 | SSL_aGOST12))
2671          disabled_mkey_mask |= SSL_kGOST;
2672  
2673 +    if ((disabled_auth_mask & SSL_aGOST12) ==  SSL_aGOST12)
2674 +        disabled_mkey_mask |= SSL_kGOST18;
2675 +
2676      return 1;
2677  }
2678  
2679 @@ -1686,6 +1715,9 @@
2680      case SSL_kGOST:
2681          kx = "GOST";
2682          break;
2683 +    case SSL_kGOST18:
2684 +        kx = "GOST18";
2685 +        break;
2686      case SSL_kANY:
2687          kx = "any";
2688          break;
2689 @@ -1789,6 +1821,14 @@
2690      case SSL_eGOST2814789CNT12:
2691          enc = "GOST89(256)";
2692          break;
2693 +    case SSL_MAGMA:
2694 +    case SSL_MAGMA_MGM:
2695 +        enc = "MAGMA";
2696 +        break;
2697 +    case SSL_KUZNYECHIK:
2698 +    case SSL_KUZNYECHIK_MGM:
2699 +        enc = "KUZNYECHIK";
2700 +        break;
2701      case SSL_CHACHA20POLY1305:
2702          enc = "CHACHA20/POLY1305(256)";
2703          break;
2704 Index: ssl/t1_enc.c
2705 ===================================================================
2706 --- ssl/t1_enc.c        (revision 14523)
2707 +++ ssl/t1_enc.c        (working copy)
2708 @@ -113,6 +113,11 @@
2709          else
2710              s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
2711  
2712 +        if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE)
2713 +            s->mac_flags |= SSL_MAC_FLAG_READ_MAC_TLSTREE;
2714 +        else
2715 +            s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_TLSTREE;
2716 +
2717          if (s->enc_read_ctx != NULL) {
2718              reuse_dd = 1;
2719          } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) {
2720 @@ -160,6 +165,11 @@
2721              s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
2722          else
2723              s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
2724 +
2725 +        if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE)
2726 +            s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_TLSTREE;
2727 +        else
2728 +            s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_TLSTREE;
2729          if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) {
2730              reuse_dd = 1;
2731          } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) {
2732 @@ -298,11 +308,11 @@
2733              goto err;
2734          }
2735      } else {
2736 -        if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
2737 -            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
2738 -                     ERR_R_INTERNAL_ERROR);
2739 -            goto err;
2740 -        }
2741 +      if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
2742 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
2743 +            ERR_R_INTERNAL_ERROR);
2744 +        goto err;
2745 +      }
2746      }
2747      /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
2748      if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size
2749 @@ -438,7 +448,11 @@
2750  {
2751      size_t hashlen;
2752      unsigned char hash[EVP_MAX_MD_SIZE];
2753 +    size_t finished_size = TLS1_FINISH_MAC_LENGTH;
2754  
2755 +    if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kGOST18)
2756 +        finished_size = 32;
2757 +
2758      if (!ssl3_digest_cached_records(s, 0)) {
2759          /* SSLfatal() already called */
2760          return 0;
2761 @@ -451,12 +465,12 @@
2762  
2763      if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0,
2764                    s->session->master_key, s->session->master_key_length,
2765 -                  out, TLS1_FINISH_MAC_LENGTH, 1)) {
2766 +                  out, finished_size, 1)) {
2767          /* SSLfatal() already called */
2768          return 0;
2769      }
2770      OPENSSL_cleanse(hash, hashlen);
2771 -    return TLS1_FINISH_MAC_LENGTH;
2772 +    return finished_size;
2773  }
2774  
2775  int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
2776 Index: ssl/s3_lib.c
2777 ===================================================================
2778 --- ssl/s3_lib.c        (revision 14523)
2779 +++ ssl/s3_lib.c        (working copy)
2780 @@ -111,7 +111,74 @@
2781          SSL_HANDSHAKE_MAC_SHA256,
2782          128,
2783          128,
2784 -    }
2785 +    },
2786 +#ifndef OPENSSL_NO_GOST
2787 +/* https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites */
2788 +    {
2789 +        1,
2790 +        "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", /* FIXME */
2791 +        "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", /* FIXME */
2792 +        TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L,
2793 +        SSL_kANY,
2794 +        SSL_aANY,
2795 +        SSL_KUZNYECHIK_MGM,
2796 +        SSL_AEAD,
2797 +        TLS1_3_VERSION, TLS1_3_VERSION,
2798 +        0, 0,
2799 +        SSL_HIGH,
2800 +        SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_L,
2801 +        256,
2802 +        256,
2803 +    },
2804 +    {
2805 +        1,
2806 +        "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", /* FIXME */
2807 +        "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", /* FIXME */
2808 +        TLS_GOSTR341112_256_WITH_MAGMA_MGM_L,
2809 +        SSL_kANY,
2810 +        SSL_aANY,
2811 +        SSL_MAGMA_MGM,
2812 +        SSL_AEAD,
2813 +        TLS1_3_VERSION, TLS1_3_VERSION,
2814 +        0, 0,
2815 +        SSL_HIGH,
2816 +        SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_L,
2817 +        256,
2818 +        256,
2819 +    },
2820 +    {
2821 +        1,
2822 +        "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", /* FIXME */
2823 +        "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", /* FIXME */
2824 +        TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S,
2825 +        SSL_kANY,
2826 +        SSL_aANY,
2827 +        SSL_KUZNYECHIK_MGM,
2828 +        SSL_AEAD,
2829 +        TLS1_3_VERSION, TLS1_3_VERSION,
2830 +        0, 0,
2831 +        SSL_HIGH,
2832 +        SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_S,
2833 +        256,
2834 +        256,
2835 +    },
2836 +    {
2837 +        1,
2838 +        "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", /* FIXME */
2839 +        "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", /* FIXME */
2840 +        TLS_GOSTR341112_256_WITH_MAGMA_MGM_S,
2841 +        SSL_kANY,
2842 +        SSL_aANY,
2843 +        SSL_MAGMA_MGM,
2844 +        SSL_AEAD,
2845 +        TLS1_3_VERSION, TLS1_3_VERSION,
2846 +        0, 0,
2847 +        SSL_HIGH,
2848 +        SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_S,
2849 +        256,
2850 +        256,
2851 +    },
2852 +#endif
2853  };
2854  
2855  /*
2856 @@ -2665,6 +2732,54 @@
2857       0,
2858       0,
2859       },
2860 +    {
2861 +     1,
2862 +     "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC",
2863 +     NULL,
2864 +     0x0300C100,
2865 +     SSL_kGOST18,
2866 +     SSL_aGOST12,
2867 +     SSL_KUZNYECHIK,
2868 +     SSL_KUZNYECHIKOMAC,
2869 +     TLS1_2_VERSION, TLS1_2_VERSION,
2870 +     0, 0,
2871 +     SSL_HIGH,
2872 +     SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_TLSTREE,
2873 +     256,
2874 +     256,
2875 +     },
2876 +    {
2877 +     1,
2878 +     "GOST2012-MAGMA-MAGMAOMAC",
2879 +     NULL,
2880 +     0x0300C101,
2881 +     SSL_kGOST18,
2882 +     SSL_aGOST12,
2883 +     SSL_MAGMA,
2884 +     SSL_MAGMAOMAC,
2885 +     TLS1_2_VERSION, TLS1_2_VERSION,
2886 +     0, 0,
2887 +     SSL_HIGH,
2888 +     SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_TLSTREE,
2889 +     256,
2890 +     256,
2891 +     },
2892 +    {
2893 +     1,
2894 +     "GOST2012-GOST8912-IANA",
2895 +     NULL,
2896 +     0x0300C102,
2897 +     SSL_kGOST,
2898 +     SSL_aGOST12 | SSL_aGOST01,
2899 +     SSL_eGOST2814789CNT12,
2900 +     SSL_GOST89MAC12,
2901 +     TLS1_VERSION, TLS1_2_VERSION,
2902 +     0, 0,
2903 +     SSL_HIGH,
2904 +     SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
2905 +     256,
2906 +     256,
2907 +     },
2908  #endif                          /* OPENSSL_NO_GOST */
2909  
2910  #ifndef OPENSSL_NO_IDEA
2911 @@ -4348,6 +4463,11 @@
2912      if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST))
2913              return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN)
2914                      && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN)
2915 +                    && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN)
2916 +                    && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN_LEGACY)
2917 +                    && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN_LEGACY);
2918 +    if (s->version >= TLS1_2_VERSION && (alg_k & SSL_kGOST18))
2919 +            return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN)
2920                      && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN);
2921  #endif
2922  
2923 @@ -4695,6 +4815,52 @@
2924      return pkey;
2925  }
2926  #ifndef OPENSSL_NO_EC
2927 +#ifndef OPENSSL_NO_GOST
2928 +
2929 +typedef struct tls_gost_group_param_st {
2930 +    int nid;                    /* Curve params NID */
2931 +    int alg_nid;                /* GOST algorithm nid */
2932 +    const char *params;         /* GOST paramset mnemonics */
2933 +} TLS_GOST_GROUP_PARAM;
2934 +
2935 +TLS_GOST_GROUP_PARAM gost_param[] = {
2936 +    {NID_id_tc26_gost_3410_2012_256_paramSetA, NID_id_GostR3410_2012_256, "TCA"},
2937 +    {NID_id_tc26_gost_3410_2012_256_paramSetB, NID_id_GostR3410_2012_256, "TCB"},
2938 +    {NID_id_tc26_gost_3410_2012_256_paramSetC, NID_id_GostR3410_2012_256, "TCC"},
2939 +    {NID_id_tc26_gost_3410_2012_256_paramSetD, NID_id_GostR3410_2012_256, "TCD"},
2940 +    {NID_id_tc26_gost_3410_2012_512_paramSetA, NID_id_GostR3410_2012_512, "A"},
2941 +    {NID_id_tc26_gost_3410_2012_512_paramSetB, NID_id_GostR3410_2012_512, "B"},
2942 +    {NID_id_tc26_gost_3410_2012_512_paramSetC, NID_id_GostR3410_2012_512, "C"},
2943 +};
2944 +
2945 +static EVP_PKEY_CTX *gost_pkey_nid2ctx(int nid)
2946 +{
2947 +       int i = 0;
2948 +       TLS_GOST_GROUP_PARAM *pGostParam = NULL;
2949 +  EVP_PKEY_CTX *pctx = NULL;
2950 +
2951 +       for (i = 0; i < OSSL_NELEM(gost_param); i++) {
2952 +               if (gost_param[i].nid == nid) {
2953 +                       pGostParam = gost_param + i;
2954 +                       break;
2955 +               }
2956 +       }
2957 +
2958 +       if (pGostParam == NULL) {
2959 +               return NULL;
2960 +       }
2961 +
2962 +       pctx = EVP_PKEY_CTX_new_id(pGostParam->alg_nid, NULL);
2963 +       if (pctx == NULL
2964 +                       || EVP_PKEY_CTX_ctrl_str(pctx, "paramset", pGostParam->params) <= 0) {
2965 +    EVP_PKEY_CTX_free(pctx);
2966 +    return NULL;
2967 +       }
2968 +
2969 +       return pctx;
2970 +}
2971 +
2972 +#endif
2973  /* Generate a private key from a group ID */
2974  EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
2975  {
2976 @@ -4711,8 +4877,13 @@
2977      gtype = ginf->flags & TLS_CURVE_TYPE;
2978      if (gtype == TLS_CURVE_CUSTOM)
2979          pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL);
2980 +#ifndef OPENSSL_NO_GOST
2981 +    else if (gtype == TLS_CURVE_GOST)
2982 +                   pctx = gost_pkey_nid2ctx(ginf->nid);
2983 +#endif
2984      else
2985          pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
2986 +
2987      if (pctx == NULL) {
2988          SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
2989                   ERR_R_MALLOC_FAILURE);
2990 @@ -4723,7 +4894,7 @@
2991                   ERR_R_EVP_LIB);
2992          goto err;
2993      }
2994 -    if (gtype != TLS_CURVE_CUSTOM
2995 +    if (gtype != TLS_CURVE_CUSTOM && gtype != TLS_CURVE_GOST
2996              && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) {
2997          SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
2998                   ERR_R_EVP_LIB);
2999 @@ -4761,13 +4932,21 @@
3000          return NULL;
3001      }
3002  
3003 +#ifndef OPENSSL_NO_GOST
3004 +    if ((ginf->flags & TLS_CURVE_TYPE) == TLS_CURVE_GOST)
3005 +         pctx = gost_pkey_nid2ctx(ginf->nid);
3006 +    else
3007 +#endif
3008      pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
3009 +
3010      if (pctx == NULL)
3011          goto err;
3012      if (EVP_PKEY_paramgen_init(pctx) <= 0)
3013          goto err;
3014 -    if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0)
3015 +    if ((ginf->flags & TLS_CURVE_TYPE) != TLS_CURVE_GOST) {
3016 +      if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0)
3017          goto err;
3018 +    }
3019      if (EVP_PKEY_paramgen(pctx, &pkey) <= 0) {
3020          EVP_PKEY_free(pkey);
3021          pkey = NULL;
3022 Index: ssl/statem/statem_lib.c
3023 ===================================================================
3024 --- ssl/statem/statem_lib.c     (revision 14523)
3025 +++ ssl/statem/statem_lib.c     (working copy)
3026 @@ -410,7 +410,6 @@
3027                  md == NULL ? "n/a" : EVP_MD_name(md));
3028  #endif
3029  
3030 -    /* Check for broken implementations of GOST ciphersuites */
3031      /*
3032       * If key is GOST and len is exactly 64 or 128, it is signature without
3033       * length field (CryptoPro implementations at least till TLS 1.2)
3034 @@ -1527,8 +1526,6 @@
3035          switch (i) {
3036          case SSL_PKEY_DSA_SIGN:
3037          case SSL_PKEY_GOST01:
3038 -        case SSL_PKEY_GOST12_256:
3039 -        case SSL_PKEY_GOST12_512:
3040              continue;
3041          default:
3042              break;
3043 Index: ssl/statem/statem_srvr.c
3044 ===================================================================
3045 --- ssl/statem/statem_srvr.c    (revision 14523)
3046 +++ ssl/statem/statem_srvr.c    (working copy)
3047 @@ -3446,6 +3446,93 @@
3048  #endif
3049  }
3050  
3051 +static int tls_process_cke_gost18(SSL *s, PACKET *pkt)
3052 +{/* FIXME beldmit - function id to be renamed either*/
3053 +#ifndef OPENSSL_NO_GOST
3054 +       unsigned char rnd_dgst[32];
3055 +       EVP_PKEY_CTX *pkey_ctx = NULL;
3056 +       EVP_PKEY *pk = NULL;
3057 +       unsigned char premaster_secret[32];
3058 +       const unsigned char *start = NULL;
3059 +       size_t outlen = 32, inlen = 0;
3060 +       int ret = 0;
3061 +  int cipher_nid = gost18_cke_cipher_nid(s);
3062 +
3063 +  if (cipher_nid == NID_undef) {
3064 +      SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3065 +               ERR_R_INTERNAL_ERROR);
3066 +      return 0;
3067 +  }
3068 +
3069 +       if (gost_ukm(s, rnd_dgst) <= 0) {
3070 +      SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3071 +               ERR_R_INTERNAL_ERROR);
3072 +      goto err;
3073 +  }
3074 +
3075 +       /* Get our certificate private key */
3076 +       pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey
3077 +               ? s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey : s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
3078 +       if (pk == NULL) {
3079 +               SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3080 +                               SSL_R_BAD_HANDSHAKE_STATE);
3081 +               return 0;
3082 +       }
3083 +
3084 +       pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
3085 +       if (pkey_ctx == NULL) {
3086 +               SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3087 +                               ERR_R_MALLOC_FAILURE);
3088 +               return 0;
3089 +       }
3090 +       if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
3091 +               SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3092 +                               ERR_R_INTERNAL_ERROR);
3093 +               return 0;
3094 +       }
3095 +       /* 
3096 +        * Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code depending on size
3097 +        * */
3098 +       if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
3099 +                               EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) < 0) {
3100 +               SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3101 +                               SSL_R_LIBRARY_BUG);
3102 +               goto err;
3103 +       }
3104 +
3105 +       if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
3106 +                               EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) < 0) {
3107 +               SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3108 +                               SSL_R_LIBRARY_BUG);
3109 +               goto err;
3110 +       }
3111 +       inlen = PACKET_remaining(pkt);
3112 +       start = PACKET_data(pkt);
3113 +
3114 +       if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
3115 +                               inlen) <= 0) {
3116 +               SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3117 +                               SSL_R_DECRYPTION_FAILED);
3118 +               goto err;
3119 +       }
3120 +       /* Generate master secret */
3121 +       if (!ssl_generate_master_secret(s, premaster_secret,
3122 +                               sizeof(premaster_secret), 0)) {
3123 +               /* SSLfatal() already called */
3124 +               goto err;
3125 +       }
3126 +       ret = 1;
3127 +err:
3128 +       EVP_PKEY_CTX_free(pkey_ctx);
3129 +       return ret;
3130 +#else
3131 +       /* Should never happen */
3132 +       SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
3133 +                       ERR_R_INTERNAL_ERROR);
3134 +       return 0;
3135 +#endif
3136 +}
3137 +
3138  MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
3139  {
3140      unsigned long alg_k;
3141 @@ -3496,6 +3583,11 @@
3142              /* SSLfatal() already called */
3143              goto err;
3144          }
3145 +    } else if (alg_k & SSL_kGOST18) {
3146 +        if (!tls_process_cke_gost18(s, pkt)) {
3147 +            /* SSLfatal() already called */
3148 +            goto err;
3149 +        }
3150      } else {
3151          SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3152                   SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
3153 Index: ssl/statem/extensions_srvr.c
3154 ===================================================================
3155 --- ssl/statem/extensions_srvr.c        (revision 14523)
3156 +++ ssl/statem/extensions_srvr.c        (working copy)
3157 @@ -624,7 +624,7 @@
3158  
3159      if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
3160          return 1;
3161 -
3162 +/* FIXME beldmit GOST */
3163      /* Sanity check */
3164      if (s->s3->peer_tmp != NULL) {
3165          SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
3166 @@ -1623,7 +1623,9 @@
3167      if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
3168          || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
3169          || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
3170 -        || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
3171 +        || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
3172 +        || s->s3->tmp.new_cipher->algorithm_enc == SSL_MAGMA
3173 +        || s->s3->tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
3174          s->ext.use_etm = 0;
3175          return EXT_RETURN_NOT_SENT;
3176      }
3177 @@ -1682,6 +1684,7 @@
3178                                          unsigned int context, X509 *x,
3179                                          size_t chainidx)
3180  {
3181 +/* FIXME beldmit GOST */
3182  #ifndef OPENSSL_NO_TLS1_3
3183      unsigned char *encodedPoint;
3184      size_t encoded_pt_len = 0;
3185 Index: ssl/statem/statem_local.h
3186 ===================================================================
3187 --- ssl/statem/statem_local.h   (revision 14523)
3188 +++ ssl/statem/statem_local.h   (working copy)
3189 @@ -153,6 +153,11 @@
3190  __owur int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt);
3191  MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt);
3192  
3193 +#ifndef OPENSSL_NO_GOST
3194 +/* These functions are used in GOST18 CKE, both for client and server */
3195 +int gost18_cke_cipher_nid(const SSL *s);
3196 +int gost_ukm(const SSL *s, unsigned char *dgst_buf);
3197 +#endif
3198  
3199  /* Extension processing */
3200  
3201 Index: ssl/statem/statem_clnt.c
3202 ===================================================================
3203 --- ssl/statem/statem_clnt.c    (revision 14523)
3204 +++ ssl/statem/statem_clnt.c    (working copy)
3205 @@ -3280,6 +3280,144 @@
3206  #endif
3207  }
3208  
3209 +#ifndef OPENSSL_NO_GOST
3210 +int gost18_cke_cipher_nid(const SSL *s)
3211 +{
3212 +    if ((s->s3->tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0)
3213 +        return NID_magma_ctr;
3214 +    else if ((s->s3->tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0)
3215 +        return NID_kuznyechik_ctr;
3216 +
3217 +    return NID_undef;
3218 +}
3219 +
3220 +int gost_ukm(const SSL *s, unsigned char *dgst_buf)
3221 +{
3222 +    EVP_MD_CTX * hash = NULL;
3223 +    unsigned int md_len;
3224 +
3225 +    hash = EVP_MD_CTX_new();
3226 +    if (hash == NULL
3227 +        || EVP_DigestInit(hash, EVP_get_digestbynid(NID_id_GostR3411_2012_256)) <= 0
3228 +        || EVP_DigestUpdate(hash, s->s3->client_random, SSL3_RANDOM_SIZE) <= 0
3229 +        || EVP_DigestUpdate(hash, s->s3->server_random, SSL3_RANDOM_SIZE) <= 0
3230 +        || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) {
3231 +        EVP_MD_CTX_free(hash);
3232 +        return 0;
3233 +    } else {
3234 +        EVP_MD_CTX_free(hash);
3235 +        return 1;
3236 +    }
3237 +}
3238 +#endif
3239 +
3240 +static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt)
3241 +{
3242 +#ifndef OPENSSL_NO_GOST
3243 +    /* GOST 2018 key exchange message creation */
3244 +    unsigned char rnd_dgst[32], tmp[255];
3245 +    EVP_PKEY_CTX *pkey_ctx = NULL;
3246 +    X509 *peer_cert;
3247 +    unsigned char *pms = NULL;
3248 +    size_t pmslen = 0;
3249 +    size_t msglen;
3250 +    int cipher_nid = gost18_cke_cipher_nid(s);
3251 +
3252 +    if (cipher_nid == NID_undef) {
3253 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3254 +                 ERR_R_INTERNAL_ERROR);
3255 +        return 0;
3256 +    }
3257 +
3258 +               if (gost_ukm(s, rnd_dgst) <= 0) {
3259 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3260 +                 ERR_R_INTERNAL_ERROR);
3261 +        goto err;
3262 +    }
3263 +
3264 +    /* Pre-master secret - random bytes */
3265 +    pmslen = 32;
3266 +    pms = OPENSSL_malloc(pmslen);
3267 +    if (pms == NULL) {
3268 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3269 +                 ERR_R_MALLOC_FAILURE);
3270 +        goto err;
3271 +    }
3272 +
3273 +    if (RAND_bytes(pms, (int)pmslen) <= 0) {
3274 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3275 +                 ERR_R_INTERNAL_ERROR);
3276 +        goto err;
3277 +    }
3278 +
3279 +    /*
3280 +     * Get server certificate PKEY and create ctx from it
3281 +     */
3282 +    peer_cert = s->session->peer;
3283 +    if (!peer_cert) {
3284 +        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3285 +               SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
3286 +        return 0;
3287 +    }
3288 +
3289 +    pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
3290 +    if (pkey_ctx == NULL) {
3291 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3292 +                 ERR_R_MALLOC_FAILURE);
3293 +        return 0;
3294 +    }
3295 +
3296 +    if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 ) {
3297 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3298 +                 ERR_R_INTERNAL_ERROR);
3299 +        goto err;
3300 +    };
3301 +
3302 + /* 
3303 +  * Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code
3304 +  * */
3305 +    if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3306 +                          EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) < 0) {
3307 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3308 +                 SSL_R_LIBRARY_BUG);
3309 +        goto err;
3310 +    }
3311 +
3312 +    if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3313 +                          EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) < 0) {
3314 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3315 +                 SSL_R_LIBRARY_BUG);
3316 +        goto err;
3317 +    }
3318 +
3319 +    msglen = 255;
3320 +    if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
3321 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3322 +                 SSL_R_LIBRARY_BUG);
3323 +        goto err;
3324 +    }
3325 +
3326 +    if (!WPACKET_memcpy(pkt, tmp, msglen)) {
3327 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3328 +                 ERR_R_INTERNAL_ERROR);
3329 +        goto err;
3330 +    }
3331 +
3332 +    EVP_PKEY_CTX_free(pkey_ctx);
3333 +    s->s3->tmp.pms = pms;
3334 +    s->s3->tmp.pmslen = pmslen;
3335 +               return 1;
3336 + err:
3337 +    EVP_PKEY_CTX_free(pkey_ctx);
3338 +    OPENSSL_clear_free(pms, pmslen);
3339 +    return 0;
3340 +#else
3341 +    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
3342 +             ERR_R_INTERNAL_ERROR);
3343 +    return 0;
3344 +#endif
3345 +}
3346 +
3347  static int tls_construct_cke_srp(SSL *s, WPACKET *pkt)
3348  {
3349  #ifndef OPENSSL_NO_SRP
3350 @@ -3336,6 +3474,9 @@
3351      } else if (alg_k & SSL_kGOST) {
3352          if (!tls_construct_cke_gost(s, pkt))
3353              goto err;
3354 +    } else if (alg_k & SSL_kGOST18) {
3355 +        if (!tls_construct_cke_gost18(s, pkt))
3356 +            goto err;
3357      } else if (alg_k & SSL_kSRP) {
3358          if (!tls_construct_cke_srp(s, pkt))
3359              goto err;
3360 Index: util/libcrypto.num
3361 ===================================================================
3362 --- util/libcrypto.num  (revision 14523)
3363 +++ util/libcrypto.num  (working copy)
3364 @@ -4587,3 +4587,8 @@
3365  EVP_PKEY_meth_get_digestverify          4541   1_1_1e  EXIST::FUNCTION:
3366  EVP_PKEY_meth_get_digestsign            4542   1_1_1e  EXIST::FUNCTION:
3367  RSA_get0_pss_params                     4543   1_1_1e  EXIST::FUNCTION:RSA
3368 +CMS_add1_recipient                      4544   1_1_1g  EXIST::FUNCTION:CMS
3369 +PKCS8_pkey_add1_attr                    4545   1_1_1g  EXIST::FUNCTION:
3370 +PKCS8_pkey_add1_attr_by_OBJ             4546   1_1_1g  EXIST::FUNCTION:
3371 +CMS_decrypt_set1_pkey_and_peer          4547   1_1_1g  EXIST::FUNCTION:CMS
3372 +CMS_RecipientInfo_kari_set0_pkey_and_peer 4548 1_1_1g  EXIST::FUNCTION:CMS