summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/Makefile.am1
-rw-r--r--lib/algorithms.h4
-rw-r--r--lib/algorithms/publickey.c6
-rw-r--r--lib/algorithms/secparams.c4
-rw-r--r--lib/crypto-backend.h13
-rw-r--r--lib/includes/gnutls/gnutls.h.in27
-rw-r--r--lib/pk.c1
-rw-r--r--lib/x509/common.h2
-rw-r--r--tests/cert-tests/data/gost-cert.pem2
-rw-r--r--tests/privkey-keygen.c6
10 files changed, 60 insertions, 6 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index e35e92ffd0..b38b1e84eb 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -552,6 +552,7 @@ ENUMS += enums/gnutls_ecc_curve_t
ENUMS += enums/gnutls_ext_flags_t
ENUMS += enums/gnutls_ext_parse_type_t
ENUMS += enums/gnutls_fips_mode_t
+ENUMS += enums/gnutls_gost_paramset_t
ENUMS += enums/gnutls_group_t
ENUMS += enums/gnutls_handshake_description_t
ENUMS += enums/gnutls_init_flags_t
diff --git a/lib/algorithms.h b/lib/algorithms.h
index 468a0c8e96..fead2c2ed6 100644
--- a/lib/algorithms.h
+++ b/lib/algorithms.h
@@ -34,6 +34,10 @@
#define GNUTLS_FALLBACK_SCSV_MAJOR 0x56
#define GNUTLS_FALLBACK_SCSV_MINOR 0x00
+#define IS_GOSTEC(x) (((x)==GNUTLS_PK_GOST_01) || \
+ ((x)==GNUTLS_PK_GOST_12_256)|| \
+ ((x)==GNUTLS_PK_GOST_12_512))
+
#define IS_EC(x) (((x)==GNUTLS_PK_ECDSA)||((x)==GNUTLS_PK_ECDH_X25519)||((x)==GNUTLS_PK_EDDSA_ED25519))
#define SIG_SEM_PRE_TLS12 (1<<1)
diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c
index 677b969c96..0346520b7b 100644
--- a/lib/algorithms/publickey.c
+++ b/lib/algorithms/publickey.c
@@ -126,7 +126,11 @@ static const gnutls_pk_entry pk_algorithms[] = {
.curve = GNUTLS_ECC_CURVE_INVALID }, /* some other broken certificates set RSA with SHA1 as an indicator of RSA */
{ .name = "DSA", .oid = PK_DSA_OID, .id = GNUTLS_PK_DSA,
.curve = GNUTLS_ECC_CURVE_INVALID },
- { .name = "GOST R 34.10-2001", .oid = PK_GOST_R3410_2001_OID, .id = GNUTLS_PK_UNKNOWN,
+ { .name = "GOST R 34.10-2012-512", .oid = PK_GOST_R3410_2012_512_OID, .id = GNUTLS_PK_GOST_12_512,
+ .curve = GNUTLS_ECC_CURVE_INVALID },
+ { .name = "GOST R 34.10-2012-256", .oid = PK_GOST_R3410_2012_256_OID, .id = GNUTLS_PK_GOST_12_256,
+ .curve = GNUTLS_ECC_CURVE_INVALID },
+ { .name = "GOST R 34.10-2001", .oid = PK_GOST_R3410_2001_OID, .id = GNUTLS_PK_GOST_01,
.curve = GNUTLS_ECC_CURVE_INVALID },
{ .name = "GOST R 34.10-94", .oid = PK_GOST_R3410_94_OID, .id = GNUTLS_PK_UNKNOWN,
.curve = GNUTLS_ECC_CURVE_INVALID },
diff --git a/lib/algorithms/secparams.c b/lib/algorithms/secparams.c
index ec4e5e3ee4..47dc2aa8d1 100644
--- a/lib/algorithms/secparams.c
+++ b/lib/algorithms/secparams.c
@@ -88,7 +88,7 @@ gnutls_sec_param_to_pk_bits(gnutls_pk_algorithm_t algo,
if (p->sec_param == param) {
if (algo == GNUTLS_PK_DSA)
ret = p->dsa_bits;
- else if (IS_EC(algo))
+ else if (IS_EC(algo)||IS_GOSTEC(algo))
ret = p->ecc_bits;
else
ret = p->pk_bits; break;
@@ -202,7 +202,7 @@ gnutls_pk_bits_to_sec_param(gnutls_pk_algorithm_t algo, unsigned int bits)
if (bits == 0)
return GNUTLS_SEC_PARAM_UNKNOWN;
- if (IS_EC(algo)) {
+ if (IS_EC(algo)||IS_GOSTEC(algo)) {
GNUTLS_SEC_PARAM_LOOP(
if (p->ecc_bits > bits) {
break;
diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
index 2930f055f5..e410af03e3 100644
--- a/lib/crypto-backend.h
+++ b/lib/crypto-backend.h
@@ -193,7 +193,8 @@ typedef struct {
unsigned int params_nr; /* the number of parameters */
unsigned int pkflags; /* gnutls_pk_flag_t */
unsigned int qbits; /* GNUTLS_PK_DH */
- gnutls_ecc_curve_t curve; /* GNUTLS_PK_EC, GNUTLS_PK_ED25519 */
+ gnutls_ecc_curve_t curve; /* GNUTLS_PK_EC, GNUTLS_PK_ED25519, GNUTLS_PK_GOST* */
+ gnutls_gost_paramset_t gost_params; /* GNUTLS_PK_GOST_* */
gnutls_datum_t raw_pub; /* used by x25519 */
gnutls_datum_t raw_priv;
@@ -230,6 +231,7 @@ void gnutls_pk_params_init(gnutls_pk_params_st * p);
#define DH_PUBLIC_PARAMS 4
#define RSA_PUBLIC_PARAMS 2
#define ECC_PUBLIC_PARAMS 2
+#define GOST_PUBLIC_PARAMS 2
#define MAX_PRIV_PARAMS_SIZE GNUTLS_MAX_PK_PARAMS /* ok for RSA and DSA */
@@ -239,6 +241,7 @@ void gnutls_pk_params_init(gnutls_pk_params_st * p);
#define DH_PRIVATE_PARAMS 5
#define RSA_PRIVATE_PARAMS 8
#define ECC_PRIVATE_PARAMS 3
+#define GOST_PRIVATE_PARAMS 3
#if MAX_PRIV_PARAMS_SIZE - RSA_PRIVATE_PARAMS < 0
#error INCREASE MAX_PRIV_PARAMS
@@ -248,6 +251,10 @@ void gnutls_pk_params_init(gnutls_pk_params_st * p);
#error INCREASE MAX_PRIV_PARAMS
#endif
+#if MAX_PRIV_PARAMS_SIZE - GOST_PRIVATE_PARAMS < 0
+#error INCREASE MAX_PRIV_PARAMS
+#endif
+
#if MAX_PRIV_PARAMS_SIZE - DSA_PRIVATE_PARAMS < 0
#error INCREASE MAX_PRIV_PARAMS
#endif
@@ -292,6 +299,10 @@ void gnutls_pk_params_init(gnutls_pk_params_st * p);
#define ECC_Y 1
#define ECC_K 2
+#define GOST_X 0
+#define GOST_Y 1
+#define GOST_K 2
+
#define DSA_P 0
#define DSA_Q 1
#define DSA_G 2
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index d80716dfdb..e95879a543 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -768,6 +768,9 @@ typedef enum gnutls_certificate_print_formats {
* @GNUTLS_PK_ECDSA: Elliptic curve algorithm. These parameters are compatible with the ECDSA and ECDH algorithm.
* @GNUTLS_PK_ECDH_X25519: Elliptic curve algorithm, restricted to ECDH as per rfc7748.
* @GNUTLS_PK_EDDSA_ED25519: Edwards curve Digital signature algorithm. Used with SHA512 on signatures.
+ * @GNUTLS_PK_GOST_01: GOST R 34.10-2001 algorithm per rfc5832.
+ * @GNUTLS_PK_GOST_12_256: GOST R 34.10-2012 algorithm, 256-bit key per rfc7091.
+ * @GNUTLS_PK_GOST_12_512: GOST R 34.10-2012 algorithm, 512-bit key per rfc7091.
*
* Enumeration of different public-key algorithms.
*/
@@ -780,7 +783,10 @@ typedef enum {
GNUTLS_PK_ECDH_X25519 = 5,
GNUTLS_PK_RSA_PSS = 6,
GNUTLS_PK_EDDSA_ED25519 = 7,
- GNUTLS_PK_MAX = GNUTLS_PK_EDDSA_ED25519
+ GNUTLS_PK_GOST_01 = 8,
+ GNUTLS_PK_GOST_12_256 = 9,
+ GNUTLS_PK_GOST_12_512 = 10,
+ GNUTLS_PK_MAX = GNUTLS_PK_GOST_12_512
} gnutls_pk_algorithm_t;
@@ -1005,6 +1011,25 @@ typedef enum {
GNUTLS_CB_TLS_UNIQUE
} gnutls_channel_binding_t;
+/**
+ * gnutls_gost_paramset_t:
+ * @GNUTLS_GOST_PARAMSET_UNKNOWN: Unknown/default parameter set
+ * @GNUTLS_GOST_PARAMSET_TC26_Z: Specified by TC26, see rfc7836
+ * @GNUTLS_GOST_PARAMSET_CP_A: CryptoPro-A, see rfc4357
+ * @GNUTLS_GOST_PARAMSET_CP_B: CryptoPro-B, see rfc4357
+ * @GNUTLS_GOST_PARAMSET_CP_C: CryptoPro-C, see rfc4357
+ * @GNUTLS_GOST_PARAMSET_CP_D: CryptoPro-D, see rfc4357
+ *
+ * Enumeration of different GOST 28147 parameter sets.
+ */
+typedef enum {
+ GNUTLS_GOST_PARAMSET_UNKNOWN = 0,
+ GNUTLS_GOST_PARAMSET_TC26_Z,
+ GNUTLS_GOST_PARAMSET_CP_A,
+ GNUTLS_GOST_PARAMSET_CP_B,
+ GNUTLS_GOST_PARAMSET_CP_C,
+ GNUTLS_GOST_PARAMSET_CP_D
+} gnutls_gost_paramset_t;
/* If you want to change this, then also change the define in
* gnutls_int.h, and recompile.
diff --git a/lib/pk.c b/lib/pk.c
index 3014396bc0..888cd64280 100644
--- a/lib/pk.c
+++ b/lib/pk.c
@@ -310,6 +310,7 @@ int _gnutls_pk_params_copy(gnutls_pk_params_st * dst,
dst->pkflags = src->pkflags;
dst->curve = src->curve;
+ dst->gost_params = src->gost_params;
dst->qbits = src->qbits;
dst->algo = src->algo;
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 1a27666076..b7ce879e10 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -56,6 +56,8 @@
#define PK_DSA_OID "1.2.840.10040.4.1"
#define PK_GOST_R3410_94_OID "1.2.643.2.2.20"
#define PK_GOST_R3410_2001_OID "1.2.643.2.2.19"
+#define PK_GOST_R3410_2012_256_OID "1.2.643.7.1.1.1.1"
+#define PK_GOST_R3410_2012_512_OID "1.2.643.7.1.1.1.2"
/* signature OIDs
*/
diff --git a/tests/cert-tests/data/gost-cert.pem b/tests/cert-tests/data/gost-cert.pem
index edcdb9e8a6..8e6a5203e4 100644
--- a/tests/cert-tests/data/gost-cert.pem
+++ b/tests/cert-tests/data/gost-cert.pem
@@ -6,7 +6,7 @@ X.509 Certificate Information:
Not Before: Fri Aug 17 06:47:36 UTC 2012
Not After: Sat Aug 17 06:47:36 UTC 2013
Subject: CN=SuperTerm0000001,OU=SuperPlat Terminals,O=SuperPlat,L=Moscow,ST=Russia,C=RU
- Subject Public Key Algorithm: 1.2.643.2.2.19
+ Subject Public Key Algorithm: GOST R 34.10-2001
Extensions:
Basic Constraints (not critical):
Certificate Authority (CA): FALSE
diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c
index 885cf58e57..7762938dcf 100644
--- a/tests/privkey-keygen.c
+++ b/tests/privkey-keygen.c
@@ -119,6 +119,12 @@ void doit(void)
algorithm == GNUTLS_PK_ECDH_X25519)
continue;
+ /* Unsupported for now */
+ if (algorithm == GNUTLS_PK_GOST_01 ||
+ algorithm == GNUTLS_PK_GOST_12_256 ||
+ algorithm == GNUTLS_PK_GOST_12_512)
+ continue;
+
ret = gnutls_x509_privkey_init(&pkey);
if (ret < 0) {
fail("gnutls_x509_privkey_init: %d\n",