diff options
-rw-r--r-- | doc/Makefile.am | 1 | ||||
-rw-r--r-- | lib/algorithms.h | 4 | ||||
-rw-r--r-- | lib/algorithms/publickey.c | 6 | ||||
-rw-r--r-- | lib/algorithms/secparams.c | 4 | ||||
-rw-r--r-- | lib/crypto-backend.h | 13 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 27 | ||||
-rw-r--r-- | lib/pk.c | 1 | ||||
-rw-r--r-- | lib/x509/common.h | 2 | ||||
-rw-r--r-- | tests/cert-tests/data/gost-cert.pem | 2 | ||||
-rw-r--r-- | tests/privkey-keygen.c | 6 |
10 files changed, 60 insertions, 6 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am index e35e92ffd0..b38b1e84eb 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -552,6 +552,7 @@ ENUMS += enums/gnutls_ecc_curve_t ENUMS += enums/gnutls_ext_flags_t ENUMS += enums/gnutls_ext_parse_type_t ENUMS += enums/gnutls_fips_mode_t +ENUMS += enums/gnutls_gost_paramset_t ENUMS += enums/gnutls_group_t ENUMS += enums/gnutls_handshake_description_t ENUMS += enums/gnutls_init_flags_t diff --git a/lib/algorithms.h b/lib/algorithms.h index 468a0c8e96..fead2c2ed6 100644 --- a/lib/algorithms.h +++ b/lib/algorithms.h @@ -34,6 +34,10 @@ #define GNUTLS_FALLBACK_SCSV_MAJOR 0x56 #define GNUTLS_FALLBACK_SCSV_MINOR 0x00 +#define IS_GOSTEC(x) (((x)==GNUTLS_PK_GOST_01) || \ + ((x)==GNUTLS_PK_GOST_12_256)|| \ + ((x)==GNUTLS_PK_GOST_12_512)) + #define IS_EC(x) (((x)==GNUTLS_PK_ECDSA)||((x)==GNUTLS_PK_ECDH_X25519)||((x)==GNUTLS_PK_EDDSA_ED25519)) #define SIG_SEM_PRE_TLS12 (1<<1) diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c index 677b969c96..0346520b7b 100644 --- a/lib/algorithms/publickey.c +++ b/lib/algorithms/publickey.c @@ -126,7 +126,11 @@ static const gnutls_pk_entry pk_algorithms[] = { .curve = GNUTLS_ECC_CURVE_INVALID }, /* some other broken certificates set RSA with SHA1 as an indicator of RSA */ { .name = "DSA", .oid = PK_DSA_OID, .id = GNUTLS_PK_DSA, .curve = GNUTLS_ECC_CURVE_INVALID }, - { .name = "GOST R 34.10-2001", .oid = PK_GOST_R3410_2001_OID, .id = GNUTLS_PK_UNKNOWN, + { .name = "GOST R 34.10-2012-512", .oid = PK_GOST_R3410_2012_512_OID, .id = GNUTLS_PK_GOST_12_512, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { .name = "GOST R 34.10-2012-256", .oid = PK_GOST_R3410_2012_256_OID, .id = GNUTLS_PK_GOST_12_256, + .curve = GNUTLS_ECC_CURVE_INVALID }, + { .name = "GOST R 34.10-2001", .oid = PK_GOST_R3410_2001_OID, .id = GNUTLS_PK_GOST_01, .curve = GNUTLS_ECC_CURVE_INVALID }, { .name = "GOST R 34.10-94", .oid = PK_GOST_R3410_94_OID, .id = GNUTLS_PK_UNKNOWN, .curve = GNUTLS_ECC_CURVE_INVALID }, diff --git a/lib/algorithms/secparams.c b/lib/algorithms/secparams.c index ec4e5e3ee4..47dc2aa8d1 100644 --- a/lib/algorithms/secparams.c +++ b/lib/algorithms/secparams.c @@ -88,7 +88,7 @@ gnutls_sec_param_to_pk_bits(gnutls_pk_algorithm_t algo, if (p->sec_param == param) { if (algo == GNUTLS_PK_DSA) ret = p->dsa_bits; - else if (IS_EC(algo)) + else if (IS_EC(algo)||IS_GOSTEC(algo)) ret = p->ecc_bits; else ret = p->pk_bits; break; @@ -202,7 +202,7 @@ gnutls_pk_bits_to_sec_param(gnutls_pk_algorithm_t algo, unsigned int bits) if (bits == 0) return GNUTLS_SEC_PARAM_UNKNOWN; - if (IS_EC(algo)) { + if (IS_EC(algo)||IS_GOSTEC(algo)) { GNUTLS_SEC_PARAM_LOOP( if (p->ecc_bits > bits) { break; diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h index 2930f055f5..e410af03e3 100644 --- a/lib/crypto-backend.h +++ b/lib/crypto-backend.h @@ -193,7 +193,8 @@ typedef struct { unsigned int params_nr; /* the number of parameters */ unsigned int pkflags; /* gnutls_pk_flag_t */ unsigned int qbits; /* GNUTLS_PK_DH */ - gnutls_ecc_curve_t curve; /* GNUTLS_PK_EC, GNUTLS_PK_ED25519 */ + gnutls_ecc_curve_t curve; /* GNUTLS_PK_EC, GNUTLS_PK_ED25519, GNUTLS_PK_GOST* */ + gnutls_gost_paramset_t gost_params; /* GNUTLS_PK_GOST_* */ gnutls_datum_t raw_pub; /* used by x25519 */ gnutls_datum_t raw_priv; @@ -230,6 +231,7 @@ void gnutls_pk_params_init(gnutls_pk_params_st * p); #define DH_PUBLIC_PARAMS 4 #define RSA_PUBLIC_PARAMS 2 #define ECC_PUBLIC_PARAMS 2 +#define GOST_PUBLIC_PARAMS 2 #define MAX_PRIV_PARAMS_SIZE GNUTLS_MAX_PK_PARAMS /* ok for RSA and DSA */ @@ -239,6 +241,7 @@ void gnutls_pk_params_init(gnutls_pk_params_st * p); #define DH_PRIVATE_PARAMS 5 #define RSA_PRIVATE_PARAMS 8 #define ECC_PRIVATE_PARAMS 3 +#define GOST_PRIVATE_PARAMS 3 #if MAX_PRIV_PARAMS_SIZE - RSA_PRIVATE_PARAMS < 0 #error INCREASE MAX_PRIV_PARAMS @@ -248,6 +251,10 @@ void gnutls_pk_params_init(gnutls_pk_params_st * p); #error INCREASE MAX_PRIV_PARAMS #endif +#if MAX_PRIV_PARAMS_SIZE - GOST_PRIVATE_PARAMS < 0 +#error INCREASE MAX_PRIV_PARAMS +#endif + #if MAX_PRIV_PARAMS_SIZE - DSA_PRIVATE_PARAMS < 0 #error INCREASE MAX_PRIV_PARAMS #endif @@ -292,6 +299,10 @@ void gnutls_pk_params_init(gnutls_pk_params_st * p); #define ECC_Y 1 #define ECC_K 2 +#define GOST_X 0 +#define GOST_Y 1 +#define GOST_K 2 + #define DSA_P 0 #define DSA_Q 1 #define DSA_G 2 diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index d80716dfdb..e95879a543 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -768,6 +768,9 @@ typedef enum gnutls_certificate_print_formats { * @GNUTLS_PK_ECDSA: Elliptic curve algorithm. These parameters are compatible with the ECDSA and ECDH algorithm. * @GNUTLS_PK_ECDH_X25519: Elliptic curve algorithm, restricted to ECDH as per rfc7748. * @GNUTLS_PK_EDDSA_ED25519: Edwards curve Digital signature algorithm. Used with SHA512 on signatures. + * @GNUTLS_PK_GOST_01: GOST R 34.10-2001 algorithm per rfc5832. + * @GNUTLS_PK_GOST_12_256: GOST R 34.10-2012 algorithm, 256-bit key per rfc7091. + * @GNUTLS_PK_GOST_12_512: GOST R 34.10-2012 algorithm, 512-bit key per rfc7091. * * Enumeration of different public-key algorithms. */ @@ -780,7 +783,10 @@ typedef enum { GNUTLS_PK_ECDH_X25519 = 5, GNUTLS_PK_RSA_PSS = 6, GNUTLS_PK_EDDSA_ED25519 = 7, - GNUTLS_PK_MAX = GNUTLS_PK_EDDSA_ED25519 + GNUTLS_PK_GOST_01 = 8, + GNUTLS_PK_GOST_12_256 = 9, + GNUTLS_PK_GOST_12_512 = 10, + GNUTLS_PK_MAX = GNUTLS_PK_GOST_12_512 } gnutls_pk_algorithm_t; @@ -1005,6 +1011,25 @@ typedef enum { GNUTLS_CB_TLS_UNIQUE } gnutls_channel_binding_t; +/** + * gnutls_gost_paramset_t: + * @GNUTLS_GOST_PARAMSET_UNKNOWN: Unknown/default parameter set + * @GNUTLS_GOST_PARAMSET_TC26_Z: Specified by TC26, see rfc7836 + * @GNUTLS_GOST_PARAMSET_CP_A: CryptoPro-A, see rfc4357 + * @GNUTLS_GOST_PARAMSET_CP_B: CryptoPro-B, see rfc4357 + * @GNUTLS_GOST_PARAMSET_CP_C: CryptoPro-C, see rfc4357 + * @GNUTLS_GOST_PARAMSET_CP_D: CryptoPro-D, see rfc4357 + * + * Enumeration of different GOST 28147 parameter sets. + */ +typedef enum { + GNUTLS_GOST_PARAMSET_UNKNOWN = 0, + GNUTLS_GOST_PARAMSET_TC26_Z, + GNUTLS_GOST_PARAMSET_CP_A, + GNUTLS_GOST_PARAMSET_CP_B, + GNUTLS_GOST_PARAMSET_CP_C, + GNUTLS_GOST_PARAMSET_CP_D +} gnutls_gost_paramset_t; /* If you want to change this, then also change the define in * gnutls_int.h, and recompile. @@ -310,6 +310,7 @@ int _gnutls_pk_params_copy(gnutls_pk_params_st * dst, dst->pkflags = src->pkflags; dst->curve = src->curve; + dst->gost_params = src->gost_params; dst->qbits = src->qbits; dst->algo = src->algo; diff --git a/lib/x509/common.h b/lib/x509/common.h index 1a27666076..b7ce879e10 100644 --- a/lib/x509/common.h +++ b/lib/x509/common.h @@ -56,6 +56,8 @@ #define PK_DSA_OID "1.2.840.10040.4.1" #define PK_GOST_R3410_94_OID "1.2.643.2.2.20" #define PK_GOST_R3410_2001_OID "1.2.643.2.2.19" +#define PK_GOST_R3410_2012_256_OID "1.2.643.7.1.1.1.1" +#define PK_GOST_R3410_2012_512_OID "1.2.643.7.1.1.1.2" /* signature OIDs */ diff --git a/tests/cert-tests/data/gost-cert.pem b/tests/cert-tests/data/gost-cert.pem index edcdb9e8a6..8e6a5203e4 100644 --- a/tests/cert-tests/data/gost-cert.pem +++ b/tests/cert-tests/data/gost-cert.pem @@ -6,7 +6,7 @@ X.509 Certificate Information: Not Before: Fri Aug 17 06:47:36 UTC 2012 Not After: Sat Aug 17 06:47:36 UTC 2013 Subject: CN=SuperTerm0000001,OU=SuperPlat Terminals,O=SuperPlat,L=Moscow,ST=Russia,C=RU - Subject Public Key Algorithm: 1.2.643.2.2.19 + Subject Public Key Algorithm: GOST R 34.10-2001 Extensions: Basic Constraints (not critical): Certificate Authority (CA): FALSE diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c index 885cf58e57..7762938dcf 100644 --- a/tests/privkey-keygen.c +++ b/tests/privkey-keygen.c @@ -119,6 +119,12 @@ void doit(void) algorithm == GNUTLS_PK_ECDH_X25519) continue; + /* Unsupported for now */ + if (algorithm == GNUTLS_PK_GOST_01 || + algorithm == GNUTLS_PK_GOST_12_256 || + algorithm == GNUTLS_PK_GOST_12_512) + continue; + ret = gnutls_x509_privkey_init(&pkey); if (ret < 0) { fail("gnutls_x509_privkey_init: %d\n", |