mirror of
https://abf.rosa.ru/djam/libressl.git
synced 2025-02-23 16:12:53 +00:00
211 lines
6.2 KiB
Diff
211 lines
6.2 KiB
Diff
From 2ed69ca1219dd8287476bed0d20d50750c010d11 Mon Sep 17 00:00:00 2001
|
|
From: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|
Date: Wed, 1 Apr 2020 17:10:52 +0300
|
|
Subject: [PATCH 77/87] ssl: add defines for GOST CTR-OMAC ciphersuites
|
|
|
|
Add definitions for cipher, mac and KX used by GOST CTR-OMAC
|
|
ciphersuites (see draft-smyshlyaev-tls12-gost-suites-07).
|
|
|
|
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|
---
|
|
src/lib/libssl/s3_lib.c | 32 ++++++++++++++++++++++++++++++++
|
|
src/lib/libssl/ssl.h | 3 +++
|
|
src/lib/libssl/ssl_ciph.c | 38 ++++++++++++++++++++++++++++++++++++++
|
|
src/lib/libssl/ssl_locl.h | 5 +++++
|
|
4 files changed, 78 insertions(+)
|
|
|
|
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
|
|
index 425420c4a..18b9ad62f 100644
|
|
--- a/src/lib/libssl/s3_lib.c
|
|
+++ b/src/lib/libssl/s3_lib.c
|
|
@@ -1305,6 +1305,38 @@ SSL_CIPHER ssl3_ciphers[] = {
|
|
.alg_bits = 256,
|
|
},
|
|
|
|
+ /* Cipher C100 */
|
|
+ {
|
|
+ .valid = 1,
|
|
+ .name = "GOST2012256-KUZNYECHIK-CTR-OMAC",
|
|
+ .id = 0x300c100,
|
|
+ .algorithm_mkey = SSL_kGOST_KDF,
|
|
+ .algorithm_auth = SSL_aGOST01,
|
|
+ .algorithm_enc = SSL_KUZNYECHIK_CTR_ACPKM,
|
|
+ .algorithm_mac = SSL_KUZNYECHIK_OMAC,
|
|
+ .algorithm_ssl = SSL_TLSV1_2,
|
|
+ .algo_strength = SSL_HIGH,
|
|
+ .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
|
|
+ .strength_bits = 256,
|
|
+ .alg_bits = 256
|
|
+ },
|
|
+
|
|
+ /* Cipher C101 */
|
|
+ {
|
|
+ .valid = 1,
|
|
+ .name = "GOST2012256-MAGMA-CTR-OMAC",
|
|
+ .id = 0x300c101,
|
|
+ .algorithm_mkey = SSL_kGOST_KDF,
|
|
+ .algorithm_auth = SSL_aGOST01,
|
|
+ .algorithm_enc = SSL_MAGMA_CTR_ACPKM,
|
|
+ .algorithm_mac = SSL_MAGMA_OMAC,
|
|
+ .algorithm_ssl = SSL_TLSV1_2,
|
|
+ .algo_strength = SSL_HIGH,
|
|
+ .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
|
|
+ .strength_bits = 256,
|
|
+ .alg_bits = 256
|
|
+ },
|
|
+
|
|
/* Cipher C102 */
|
|
{
|
|
.valid = 1,
|
|
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
|
|
index 4370c84cd..b11216b1e 100644
|
|
--- a/src/lib/libssl/ssl.h
|
|
+++ b/src/lib/libssl/ssl.h
|
|
@@ -246,6 +246,7 @@ extern "C" {
|
|
#define SSL_TXT_kEECDH "kEECDH"
|
|
#define SSL_TXT_kPSK "kPSK"
|
|
#define SSL_TXT_kGOST "kGOST"
|
|
+#define SSL_TXT_kGOST_KDF "kGOSTKDF"
|
|
#define SSL_TXT_kSRP "kSRP"
|
|
|
|
#define SSL_TXT_aRSA "aRSA"
|
|
@@ -299,6 +300,8 @@ extern "C" {
|
|
#define SSL_TXT_SHA384 "SHA384"
|
|
#define SSL_TXT_STREEBOG256 "STREEBOG256"
|
|
#define SSL_TXT_STREEBOG512 "STREEBOG512"
|
|
+#define SSL_TXT_KUZNYECHIK_OMAC "KUZNYECHIK-OMAC"
|
|
+#define SSL_TXT_MAGMA_OMAC "MAGMA-OMAC"
|
|
|
|
#define SSL_TXT_DTLS1 "DTLSv1"
|
|
#define SSL_TXT_SSLV2 "SSLv2"
|
|
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
|
|
index 37417efc0..9ef17e052 100644
|
|
--- a/src/lib/libssl/ssl_ciph.c
|
|
+++ b/src/lib/libssl/ssl_ciph.c
|
|
@@ -219,6 +219,11 @@ static const SSL_CIPHER cipher_aliases[] = {
|
|
.algorithm_mkey = SSL_kGOST,
|
|
},
|
|
|
|
+ {
|
|
+ .name = SSL_TXT_kGOST_KDF,
|
|
+ .algorithm_mkey = SSL_kGOST_KDF,
|
|
+ },
|
|
+
|
|
/* server authentication aliases */
|
|
{
|
|
.name = SSL_TXT_aRSA,
|
|
@@ -365,6 +370,14 @@ static const SSL_CIPHER cipher_aliases[] = {
|
|
.name = SSL_TXT_GOST89MAC,
|
|
.algorithm_mac = SSL_GOST89MAC,
|
|
},
|
|
+ {
|
|
+ .name = SSL_TXT_KUZNYECHIK_OMAC,
|
|
+ .algorithm_mac = SSL_KUZNYECHIK_OMAC,
|
|
+ },
|
|
+ {
|
|
+ .name = SSL_TXT_MAGMA_OMAC,
|
|
+ .algorithm_mac = SSL_MAGMA_OMAC,
|
|
+ },
|
|
{
|
|
.name = SSL_TXT_SHA256,
|
|
.algorithm_mac = SSL_SHA256,
|
|
@@ -1424,6 +1437,9 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
|
case SSL_kGOST:
|
|
kx = "GOST";
|
|
break;
|
|
+ case SSL_kGOST_KDF:
|
|
+ kx = "GOSTKDF";
|
|
+ break;
|
|
case SSL_kTLS1_3:
|
|
kx = "TLSv1.3";
|
|
break;
|
|
@@ -1489,6 +1505,12 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
|
case SSL_eGOST2814789CNT:
|
|
enc = "GOST-28178-89-CNT";
|
|
break;
|
|
+ case SSL_KUZNYECHIK_CTR_ACPKM:
|
|
+ enc = "KUZNYECHIK-CTR-ACPKM";
|
|
+ break;
|
|
+ case SSL_MAGMA_CTR_ACPKM:
|
|
+ enc = "MAGMA-CTR-ACPKM";
|
|
+ break;
|
|
default:
|
|
enc = "unknown";
|
|
break;
|
|
@@ -1519,6 +1541,12 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
|
case SSL_STREEBOG256:
|
|
mac = "STREEBOG256";
|
|
break;
|
|
+ case SSL_KUZNYECHIK_OMAC:
|
|
+ mac = "KUZNYECHIK-OMAC";
|
|
+ break;
|
|
+ case SSL_MAGMA_OMAC:
|
|
+ mac = "MAGMA-OMAC";
|
|
+ break;
|
|
default:
|
|
mac = "unknown";
|
|
break;
|
|
@@ -1613,6 +1641,10 @@ SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
|
|
return NID_rc4;
|
|
case SSL_eGOST2814789CNT:
|
|
return NID_gost89_cnt;
|
|
+ case SSL_KUZNYECHIK_CTR_ACPKM:
|
|
+ return NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm;
|
|
+ case SSL_MAGMA_CTR_ACPKM:
|
|
+ return NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm;
|
|
default:
|
|
return NID_undef;
|
|
}
|
|
@@ -1638,6 +1670,10 @@ SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
|
|
return NID_sha384;
|
|
case SSL_STREEBOG256:
|
|
return NID_id_tc26_gost3411_2012_256;
|
|
+ case SSL_KUZNYECHIK_OMAC:
|
|
+ return NID_kuznyechik_mac;
|
|
+ case SSL_MAGMA_OMAC:
|
|
+ return NID_magma_mac;
|
|
default:
|
|
return NID_undef;
|
|
}
|
|
@@ -1653,6 +1689,8 @@ SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
|
|
return NID_kx_ecdhe;
|
|
case SSL_kGOST:
|
|
return NID_kx_gost;
|
|
+ case SSL_kGOST_KDF:
|
|
+ return NID_kx_gost_kdf;
|
|
case SSL_kRSA:
|
|
return NID_kx_rsa;
|
|
default:
|
|
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
|
|
index bfc3c1ad9..72646fa8c 100644
|
|
--- a/src/lib/libssl/ssl_locl.h
|
|
+++ b/src/lib/libssl/ssl_locl.h
|
|
@@ -206,6 +206,7 @@ __BEGIN_HIDDEN_DECLS
|
|
#define SSL_kECDHE 0x00000080L /* ephemeral ECDH */
|
|
#define SSL_kGOST 0x00000200L /* GOST key exchange */
|
|
#define SSL_kTLS1_3 0x00000400L /* TLSv1.3 key exchange */
|
|
+#define SSL_kGOST_KDF 0x00000800L /* GOST KDF key exchange */
|
|
|
|
/* Bits for algorithm_auth (server authentication) */
|
|
#define SSL_aRSA 0x00000001L /* RSA auth */
|
|
@@ -229,6 +230,8 @@ __BEGIN_HIDDEN_DECLS
|
|
#define SSL_AES128GCM 0x00000400L
|
|
#define SSL_AES256GCM 0x00000800L
|
|
#define SSL_CHACHA20POLY1305 0x00001000L
|
|
+#define SSL_KUZNYECHIK_CTR_ACPKM 0x00002000L
|
|
+#define SSL_MAGMA_CTR_ACPKM 0x00004000L
|
|
|
|
#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
|
|
#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
|
|
@@ -245,6 +248,8 @@ __BEGIN_HIDDEN_DECLS
|
|
/* Not a real MAC, just an indication it is part of cipher */
|
|
#define SSL_AEAD 0x00000040L
|
|
#define SSL_STREEBOG256 0x00000080L
|
|
+#define SSL_KUZNYECHIK_OMAC 0x00000100L
|
|
+#define SSL_MAGMA_OMAC 0x00000200L
|
|
|
|
/* Bits for algorithm_ssl (protocol version) */
|
|
#define SSL_SSLV3 0x00000002L
|
|
--
|
|
2.17.1
|
|
|