--- /dev/null
+diff --git Configurations/unix-Makefile.tmpl Configurations/unix-Makefile.tmpl
+index 66617d6f..0a46a241 100644
+--- Configurations/unix-Makefile.tmpl
++++ Configurations/unix-Makefile.tmpl
+@@ -887,6 +887,7 @@ generate_crypto_objects:
+ crypto/objects/obj_mac.num \
+ crypto/objects/obj_xref.txt \
+ > crypto/objects/obj_xref.h )
++ ( cd $(SRCDIR); cat crypto/objects/obj_compat.h >> include/openssl/obj_mac.h )
+
+ generate_crypto_conf:
+ ( cd $(SRCDIR); $(PERL) crypto/conf/keysets.pl \
+diff --git apps/cms.c apps/cms.c
+index 71554037..7fe22a90 100644
+--- apps/cms.c
++++ apps/cms.c
+@@ -75,15 +75,16 @@ typedef enum OPTION_choice {
+ OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
+ OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
+ OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
+- OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT,
++ OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT, OPT_NAMEOPT,
+ OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
+ OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
+ OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
+ OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
+- OPT_3DES_WRAP, OPT_ENGINE,
++ OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE,
+ OPT_R_ENUM,
+ OPT_V_ENUM,
+- OPT_CIPHER
++ OPT_CIPHER,
++ OPT_ORIGINATOR
+ } OPTION_CHOICE;
+
+ const OPTIONS cms_options[] = {
+@@ -150,6 +151,8 @@ const OPTIONS cms_options[] = {
+ "Supply or override content for detached signature"},
+ {"print", OPT_PRINT, '-',
+ "For the -cmsout operation print out all fields of the CMS structure"},
++ {"nameopt", OPT_NAMEOPT, 's',
++ "For the -print option specifies various strings printing options"},
+ {"secretkey", OPT_SECRETKEY, 's'},
+ {"secretkeyid", OPT_SECRETKEYID, 's'},
+ {"pwri_password", OPT_PWRI_PASSWORD, 's'},
+@@ -159,6 +162,7 @@ const OPTIONS cms_options[] = {
+ {"from", OPT_FROM, 's', "From address"},
+ {"subject", OPT_SUBJECT, 's', "Subject"},
+ {"signer", OPT_SIGNER, 's', "Signer certificate file"},
++ {"originator", OPT_ORIGINATOR, 's', "Originator certificate file"},
+ {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
+ {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
+ {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
+@@ -177,6 +181,7 @@ const OPTIONS cms_options[] = {
+ # ifndef OPENSSL_NO_DES
+ {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
+ # endif
++ {"wrap", OPT_WRAP, 's', "Any wrap cipher to wrap key"},
+ # ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+ # endif
+@@ -196,7 +201,7 @@ int cms_main(int argc, char **argv)
+ STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
+ STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
+ STACK_OF(X509) *encerts = NULL, *other = NULL;
+- X509 *cert = NULL, *recip = NULL, *signer = NULL;
++ X509 *cert = NULL, *recip = NULL, *signer = NULL, *originator = 0;
+ X509_STORE *store = NULL;
+ X509_VERIFY_PARAM *vpm = NULL;
+ char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
+@@ -204,7 +209,7 @@ int cms_main(int argc, char **argv)
+ char *certsoutfile = NULL;
+ int noCAfile = 0, noCApath = 0;
+ char *infile = NULL, *outfile = NULL, *rctfile = NULL;
+- char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = NULL;
++ char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *originatorfile = NULL, *recipfile = NULL;
+ char *to = NULL, *from = NULL, *subject = NULL, *prog;
+ cms_key_param *key_first = NULL, *key_param = NULL;
+ int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0;
+@@ -406,6 +411,10 @@ int cms_main(int argc, char **argv)
+ case OPT_PRINT:
+ noout = print = 1;
+ break;
++ case OPT_NAMEOPT:
++ if (!set_nameopt(opt_arg()))
++ goto opthelp;
++ break;
+ case OPT_SECRETKEY:
+ if (secret_key != NULL) {
+ BIO_printf(bio_err, "Invalid key (supplied twice) %s\n",
+@@ -486,6 +495,9 @@ int cms_main(int argc, char **argv)
+ }
+ signerfile = opt_arg();
+ break;
++ case OPT_ORIGINATOR:
++ originatorfile = opt_arg();
++ break;
+ case OPT_INKEY:
+ /* If previous -inkey argument add signer to list */
+ if (keyfile != NULL) {
+@@ -582,6 +594,10 @@ int cms_main(int argc, char **argv)
+ case OPT_AES256_WRAP:
+ wrap_cipher = EVP_aes_256_wrap();
+ break;
++ case OPT_WRAP:
++ if (!opt_cipher(opt_unknown(), &wrap_cipher))
++ goto end;
++ break;
+ }
+ }
+ argc = opt_num_rest();
+@@ -689,11 +705,11 @@ int cms_main(int argc, char **argv)
+ }
+
+ if (certfile != NULL) {
+- if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
+- "certificate file")) {
+- ERR_print_errors(bio_err);
+- goto end;
+- }
++ if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
++ "certificate file")) {
++ ERR_print_errors(bio_err);
++ goto end;
++ }
+ }
+
+ if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
+@@ -704,6 +720,15 @@ int cms_main(int argc, char **argv)
+ }
+ }
+
++ if (originatorfile != NULL)
++ {
++ if ((originator = load_cert(originatorfile, FORMAT_PEM,
++ "originator certificate file")) == NULL) {
++ ERR_print_errors(bio_err);
++ goto end;
++ }
++ }
++
+ if (operation == SMIME_SIGN_RECEIPT) {
+ if ((signer = load_cert(signerfile, FORMAT_PEM,
+ "receipt signer certificate file")) == NULL) {
+@@ -712,7 +737,8 @@ int cms_main(int argc, char **argv)
+ }
+ }
+
+- if (operation == SMIME_DECRYPT) {
++ if (operation == SMIME_DECRYPT ||
++ operation == SMIME_ENCRYPT) {
+ if (keyfile == NULL)
+ keyfile = recipfile;
+ } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) {
+@@ -821,23 +847,31 @@ int cms_main(int argc, char **argv)
+ for (i = 0; i < sk_X509_num(encerts); i++) {
+ CMS_RecipientInfo *ri;
+ cms_key_param *kparam;
+- int tflags = flags;
++ int tflags = flags | CMS_KEY_PARAM; /* This flag enforces allocating the EVP_PKEY_CTX for the recipient here */
++ EVP_PKEY_CTX *pctx;
+ X509 *x = sk_X509_value(encerts, i);
++ int res;
++
+ for (kparam = key_first; kparam; kparam = kparam->next) {
+ if (kparam->idx == i) {
+- tflags |= CMS_KEY_PARAM;
+ break;
+ }
+ }
+- ri = CMS_add1_recipient_cert(cms, x, tflags);
++ ri = CMS_add1_recipient(cms, x, key, originator, tflags);
+ if (ri == NULL)
+ goto end;
++
++ pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+ if (kparam != NULL) {
+- EVP_PKEY_CTX *pctx;
+- pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+ if (!cms_set_pkey_param(pctx, kparam->param))
+ goto end;
+ }
++
++ res = EVP_PKEY_CTX_ctrl(pctx, -1, -1,
++ EVP_PKEY_CTRL_CIPHER, EVP_CIPHER_nid(cipher), NULL);
++ if (res <= 0 && res != -2)
++ goto end;
++
+ if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
+ && wrap_cipher) {
+ EVP_CIPHER_CTX *wctx;
+@@ -983,7 +1017,7 @@ int cms_main(int argc, char **argv)
+ }
+
+ if (key != NULL) {
+- if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
++ if (!CMS_decrypt_set1_pkey_and_peer(cms, key, recip, originator)) {
+ BIO_puts(bio_err, "Error decrypting CMS using private key\n");
+ goto end;
+ }
+@@ -1049,8 +1083,19 @@ int cms_main(int argc, char **argv)
+ }
+ } else {
+ if (noout) {
+- if (print)
+- CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
++ if (print) {
++ ASN1_PCTX *pctx = NULL;
++ if (get_nameopt() != XN_FLAG_ONELINE) {
++ pctx = ASN1_PCTX_new();
++ if (pctx) { /* Print anyway if malloc failed */
++ ASN1_PCTX_set_flags(pctx, ASN1_PCTX_FLAGS_SHOW_ABSENT);
++ ASN1_PCTX_set_str_flags(pctx, get_nameopt());
++ ASN1_PCTX_set_nm_flags(pctx, get_nameopt());
++ }
++ }
++ CMS_ContentInfo_print_ctx(out, cms, 0, pctx);
++ ASN1_PCTX_free(pctx);
++ }
+ } else if (outformat == FORMAT_SMIME) {
+ if (to)
+ BIO_printf(out, "To: %s%s", to, mime_eol);
+diff --git apps/s_cb.c apps/s_cb.c
+index 2f94c133..841fc378 100644
+--- apps/s_cb.c
++++ apps/s_cb.c
+@@ -690,7 +690,7 @@ static STRINT_PAIR tlsext_types[] = {
+ {NULL}
+ };
+
+-/* from rfc8446 4.2.3. + gost (https://tools.ietf.org/id/draft-smyshlyaev-tls12-gost-suites-04.html) */
++/* from rfc8446 4.2.3. + GOST (https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites-01) */
+ static STRINT_PAIR signature_tls13_scheme_list[] = {
+ {"rsa_pkcs1_sha1", 0x0201 /* TLSEXT_SIGALG_rsa_pkcs1_sha1 */},
+ {"ecdsa_sha1", 0x0203 /* TLSEXT_SIGALG_ecdsa_sha1 */},
+@@ -702,6 +702,13 @@ static STRINT_PAIR signature_tls13_scheme_list[] = {
+ {"ecdsa_secp384r1_sha384", 0x0503 /* TLSEXT_SIGALG_ecdsa_secp384r1_sha384 */},
+ {"rsa_pkcs1_sha512", 0x0601 /* TLSEXT_SIGALG_rsa_pkcs1_sha512 */},
+ {"ecdsa_secp521r1_sha512", 0x0603 /* TLSEXT_SIGALG_ecdsa_secp521r1_sha512 */},
++ {"gostr34102012_256a", 0x0709 /* TLSEXT_SIGALG_gostr34102012_256a */},
++ {"gostr34102012_256b", 0x070A /* TLSEXT_SIGALG_gostr34102012_256b */},
++ {"gostr34102012_256c", 0x070B /* TLSEXT_SIGALG_gostr34102012_256c */},
++ {"gostr34102012_256d", 0x070C /* TLSEXT_SIGALG_gostr34102012_256d */},
++ {"gostr34102012_512a", 0x070D /* TLSEXT_SIGALG_gostr34102012_512a */},
++ {"gostr34102012_512b", 0x070E /* TLSEXT_SIGALG_gostr34102012_512b */},
++ {"gostr34102012_512c", 0x070F /* TLSEXT_SIGALG_gostr34102012_512c */},
+ {"rsa_pss_rsae_sha256", 0x0804 /* TLSEXT_SIGALG_rsa_pss_rsae_sha256 */},
+ {"rsa_pss_rsae_sha384", 0x0805 /* TLSEXT_SIGALG_rsa_pss_rsae_sha384 */},
+ {"rsa_pss_rsae_sha512", 0x0806 /* TLSEXT_SIGALG_rsa_pss_rsae_sha512 */},
+@@ -710,9 +717,6 @@ static STRINT_PAIR signature_tls13_scheme_list[] = {
+ {"rsa_pss_pss_sha256", 0x0809 /* TLSEXT_SIGALG_rsa_pss_pss_sha256 */},
+ {"rsa_pss_pss_sha384", 0x080a /* TLSEXT_SIGALG_rsa_pss_pss_sha384 */},
+ {"rsa_pss_pss_sha512", 0x080b /* TLSEXT_SIGALG_rsa_pss_pss_sha512 */},
+- {"gostr34102001", 0xeded /* TLSEXT_SIGALG_gostr34102001_gostr3411 */},
+- {"gostr34102012_256", 0xeeee /* TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 */},
+- {"gostr34102012_512", 0xefef /* TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 */},
+ {NULL}
+ };
+
+diff --git crypto/asn1/p8_pkey.c crypto/asn1/p8_pkey.c
+index ab509b1a..e90b3022 100644
+--- crypto/asn1/p8_pkey.c
++++ crypto/asn1/p8_pkey.c
+@@ -78,3 +78,18 @@ int PKCS8_pkey_add1_attr_by_NID(PKCS8_PRIV_KEY_INFO *p8, int nid, int type,
+ return 1;
+ return 0;
+ }
++
++int PKCS8_pkey_add1_attr_by_OBJ(PKCS8_PRIV_KEY_INFO *p8, const ASN1_OBJECT *obj, int type,
++ const unsigned char *bytes, int len)
++{
++ if (X509at_add1_attr_by_OBJ(&p8->attributes, obj, type, bytes, len) != NULL)
++ return 1;
++ return 0;
++}
++
++int PKCS8_pkey_add1_attr(PKCS8_PRIV_KEY_INFO *p8, X509_ATTRIBUTE *attr)
++{
++ if (X509at_add1_attr(&p8->attributes, attr) != NULL)
++ return 1;
++ return 0;
++}
+diff --git crypto/cms/cms_env.c crypto/cms/cms_env.c
+index 962a0137..4992f674 100644
+--- crypto/cms/cms_env.c
++++ crypto/cms/cms_env.c
+@@ -20,6 +20,8 @@
+
+ /* CMS EnvelopedData Utilities */
+
++static void cms_env_set_version(CMS_EnvelopedData *env);
++
+ CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms)
+ {
+ if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) {
+@@ -121,6 +123,39 @@ CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher)
+ return NULL;
+ }
+
++int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain)
++{
++ CMS_EnvelopedData *env = NULL;
++ EVP_CIPHER_CTX *ctx = NULL;
++ BIO *mbio = BIO_find_type(chain, BIO_TYPE_CIPHER);
++
++ env = cms_get0_enveloped(cms);
++ if (!env)
++ return 0;
++
++ if (!mbio) {
++ CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, CMS_R_CONTENT_NOT_FOUND);
++ return 0;
++ }
++
++ BIO_get_cipher_ctx(mbio, &ctx);
++
++ /*
++ * If the selected cipher supports unprotected attributes,
++ * deal with it using special ctrl function
++ */
++ if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) {
++ cms->d.envelopedData->unprotectedAttrs = sk_X509_ATTRIBUTE_new_null();
++ if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 1, env->unprotectedAttrs) <= 0) {
++ CMSerr(CMS_F_CMS_ENVELOPEDDATA_FINAL, CMS_R_CTRL_FAILURE);
++ return 0;
++ }
++ }
++ cms_env_set_version(cms->d.envelopedData);
++
++ return 1;
++}
++
+ /* Key Transport Recipient Info (KTRI) routines */
+
+ /* Initialise a ktri based on passed certificate and key */
+@@ -175,8 +210,8 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
+ * Add a recipient certificate using appropriate type of RecipientInfo
+ */
+
+-CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
+- X509 *recip, unsigned int flags)
++CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
++ EVP_PKEY *originatorPrivKey, X509 * originator, unsigned int flags)
+ {
+ CMS_RecipientInfo *ri = NULL;
+ CMS_EnvelopedData *env;
+@@ -192,7 +227,7 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
+
+ pk = X509_get0_pubkey(recip);
+ if (!pk) {
+- CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, CMS_R_ERROR_GETTING_PUBLIC_KEY);
++ CMSerr(CMS_F_CMS_ADD1_RECIPIENT, CMS_R_ERROR_GETTING_PUBLIC_KEY);
+ goto err;
+ }
+
+@@ -204,12 +239,12 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
+ break;
+
+ case CMS_RECIPINFO_AGREE:
+- if (!cms_RecipientInfo_kari_init(ri, recip, pk, flags))
++ if (!cms_RecipientInfo_kari_init(ri, recip, pk, originator, originatorPrivKey, flags))
+ goto err;
+ break;
+
+ default:
+- CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT,
++ CMSerr(CMS_F_CMS_ADD1_RECIPIENT,
+ CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
+ goto err;
+
+@@ -221,13 +256,19 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
+ return ri;
+
+ merr:
+- CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, ERR_R_MALLOC_FAILURE);
++ CMSerr(CMS_F_CMS_ADD1_RECIPIENT, ERR_R_MALLOC_FAILURE);
+ err:
+ M_ASN1_free_of(ri, CMS_RecipientInfo);
+ return NULL;
+
+ }
+
++CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
++ X509 *recip, unsigned int flags)
++{
++ return CMS_add1_recipient(cms, recip, NULL, NULL, flags);
++}
++
+ int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
+ EVP_PKEY **pk, X509 **recip,
+ X509_ALGOR **palg)
+@@ -857,50 +898,88 @@ static void cms_env_set_version(CMS_EnvelopedData *env)
+ env->version = 0;
+ }
+
+-BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
++static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms)
+ {
+- CMS_EncryptedContentInfo *ec;
+- STACK_OF(CMS_RecipientInfo) *rinfos;
+- CMS_RecipientInfo *ri;
+- int i, ok = 0;
+- BIO *ret;
++ CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo;
++ BIO *contentBio = cms_EncryptedContent_init_bio(ec);
++ EVP_CIPHER_CTX *ctx = NULL;
+
+- /* Get BIO first to set up key */
++ if (!contentBio)
++ return NULL;
+
+- ec = cms->d.envelopedData->encryptedContentInfo;
+- ret = cms_EncryptedContent_init_bio(ec);
++ BIO_get_cipher_ctx(contentBio, &ctx);
++ if (ctx == NULL) {
++ BIO_free(contentBio);
++ return NULL;
++ }
++/*
++ * If the selected cipher supports unprotected attributes,
++ * deal with it using special ctrl function
++ */
++ if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC &&
++ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PROCESS_UNPROTECTED, 0, cms->d.envelopedData->unprotectedAttrs) <= 0) {
++ BIO_free(contentBio);
++ return NULL;
++ }
++ return contentBio;
++}
+
+- /* If error or no cipher end of processing */
++static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms)
++{
++ CMS_EncryptedContentInfo *ec;
++ STACK_OF(CMS_RecipientInfo) *rinfos;
++ CMS_RecipientInfo *ri;
++ int i, ok = 0;
++ BIO *ret;
+
+- if (!ret || !ec->cipher)
+- return ret;
++ /* Get BIO first to set up key */
+
+- /* Now encrypt content key according to each RecipientInfo type */
++ ec = cms->d.envelopedData->encryptedContentInfo;
++ ret = cms_EncryptedContent_init_bio(ec);
+
+- rinfos = cms->d.envelopedData->recipientInfos;
++ /* If error or no cipher end of processing */
+
+- for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
+- ri = sk_CMS_RecipientInfo_value(rinfos, i);
+- if (CMS_RecipientInfo_encrypt(cms, ri) <= 0) {
+- CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO,
+- CMS_R_ERROR_SETTING_RECIPIENTINFO);
+- goto err;
+- }
+- }
+- cms_env_set_version(cms->d.envelopedData);
++ if (!ret)
++ return ret;
+
+- ok = 1;
++ /* Now encrypt content key according to each RecipientInfo type */
+
+- err:
+- ec->cipher = NULL;
+- OPENSSL_clear_free(ec->key, ec->keylen);
+- ec->key = NULL;
+- ec->keylen = 0;
+- if (ok)
+- return ret;
+- BIO_free(ret);
+- return NULL;
++ rinfos = cms->d.envelopedData->recipientInfos;
+
++ for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
++ ri = sk_CMS_RecipientInfo_value(rinfos, i);
++ if (CMS_RecipientInfo_encrypt(cms, ri) <= 0) {
++ CMSerr(CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO,
++ CMS_R_ERROR_SETTING_RECIPIENTINFO);
++ goto err;
++ }
++ }
++ cms_env_set_version(cms->d.envelopedData); /* FIXME move lower? */
++
++ ok = 1;
++
++err:
++ ec->cipher = NULL;
++ OPENSSL_clear_free(ec->key, ec->keylen);
++ ec->key = NULL;
++ ec->keylen = 0;
++ if (ok)
++ return ret;
++ BIO_free(ret);
++ return NULL;
++
++}
++
++BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
++{
++ if (cms->d.envelopedData->encryptedContentInfo->cipher)
++ {
++ /* If cipher is set it's encrypting */
++ return cms_EnvelopedData_Encryption_init_bio(cms);
++ }
++
++ /* If cipher is not set it's decrypting */
++ return cms_EnvelopedData_Decryption_init_bio(cms);
+ }
+
+ /*
+@@ -918,3 +997,25 @@ int cms_pkey_get_ri_type(EVP_PKEY *pk)
+ }
+ return CMS_RECIPINFO_TRANS;
+ }
++
++int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type)
++{
++ if (pk->ameth && pk->ameth->pkey_ctrl)
++ {
++ int i, r;
++ i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED, ri_type, &r);
++ if (i > 0)
++ return r;
++ }
++
++ /* if ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED not supported */
++
++ int supportedRiType = cms_pkey_get_ri_type(pk);
++
++ if (supportedRiType < 0)
++ {
++ return 0;
++ }
++
++ return (supportedRiType == ri_type);
++}
+diff --git crypto/cms/cms_err.c crypto/cms/cms_err.c
+index a211f495..6bc8a3af 100644
+--- crypto/cms/cms_err.c
++++ crypto/cms/cms_err.c
+@@ -22,6 +22,7 @@ static const ERR_STRING_DATA CMS_str_functs[] = {
+ "CMS_add0_recipient_password"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECEIPTREQUEST, 0),
+ "CMS_add1_ReceiptRequest"},
++ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECIPIENT, 0), "CMS_add1_recipient"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_RECIPIENT_CERT, 0),
+ "CMS_add1_recipient_cert"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNER, 0), "CMS_add1_signer"},
+@@ -45,6 +46,8 @@ static const ERR_STRING_DATA CMS_str_functs[] = {
+ "CMS_decrypt_set1_password"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DECRYPT_SET1_PKEY, 0),
+ "CMS_decrypt_set1_pkey"},
++ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, 0),
++ "CMS_decrypt_set1_pkey_and_peer"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DIGESTALGORITHM_FIND_CTX, 0),
+ "cms_DigestAlgorithm_find_ctx"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_DIGESTALGORITHM_INIT_BIO, 0),
+@@ -66,6 +69,12 @@ static const ERR_STRING_DATA CMS_str_functs[] = {
+ "CMS_EncryptedData_set1_key"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_CREATE, 0),
+ "CMS_EnvelopedData_create"},
++ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO, 0),
++ "cms_EnvelopedData_Decryption_init_bio"},
++ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO, 0),
++ "cms_EnvelopedData_Encryption_init_bio"},
++ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_FINAL, 0),
++ "cms_EnvelopedData_final"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPEDDATA_INIT_BIO, 0),
+ "cms_EnvelopedData_init_bio"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ENVELOPED_DATA_INIT, 0),
+diff --git crypto/cms/cms_kari.c crypto/cms/cms_kari.c
+index cafc3040..94dc25ec 100644
+--- crypto/cms/cms_kari.c
++++ crypto/cms/cms_kari.c
+@@ -152,7 +152,7 @@ int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
+ return -1;
+ }
+
+-int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
++int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *pk, X509 *peer)
+ {
+ EVP_PKEY_CTX *pctx;
+ CMS_KeyAgreeRecipientInfo *kari = ri->d.kari;
+@@ -164,6 +164,16 @@ int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
+ pctx = EVP_PKEY_CTX_new(pk, NULL);
+ if (!pctx || EVP_PKEY_derive_init(pctx) <= 0)
+ goto err;
++
++ if (peer)
++ {
++ EVP_PKEY *pub_pkey = X509_get0_pubkey(peer);
++ if (0 >= EVP_PKEY_derive_set_peer(pctx, pub_pkey))
++ {
++ goto err;
++ }
++ }
++
+ kari->pctx = pctx;
+ return 1;
+ err:
+@@ -171,6 +181,11 @@ int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
+ return 0;
+ }
+
++int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
++{
++ return CMS_RecipientInfo_kari_set0_pkey_and_peer(ri, pk, NULL);
++}
++
+ EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri)
+ {
+ if (ri->type == CMS_RECIPINFO_AGREE)
+@@ -282,10 +297,27 @@ static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
+ return rv;
+ }
+
++/* Set originator private key and initialise context based on it */
++static int cms_kari_set_originator_private_key(CMS_KeyAgreeRecipientInfo *kari, EVP_PKEY *originatorPrivKey )
++{
++ EVP_PKEY_CTX *pctx = NULL;
++ int rv = 0;
++ pctx = EVP_PKEY_CTX_new(originatorPrivKey, NULL);
++ if (!pctx)
++ goto err;
++ if (EVP_PKEY_derive_init(pctx) <= 0)
++ goto err;
++ kari->pctx = pctx;
++ rv = 1;
++err:
++ if (!rv)
++ EVP_PKEY_CTX_free(pctx);
++ return rv;
++}
++
+ /* Initialise a kari based on passed certificate and key */
+
+-int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
+- EVP_PKEY *pk, unsigned int flags)
++int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *recipPubKey, X509 * originator, EVP_PKEY *originatorPrivKey, unsigned int flags)
+ {
+ CMS_KeyAgreeRecipientInfo *kari;
+ CMS_RecipientEncryptedKey *rek = NULL;
+@@ -320,12 +352,45 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
+ return 0;
+ }
+
+- /* Create ephemeral key */
+- if (!cms_kari_create_ephemeral_key(kari, pk))
+- return 0;
++ if (!originatorPrivKey && !originator)
++ {
++ /* Create ephemeral key */
++ if (!cms_kari_create_ephemeral_key(kari, recipPubKey))
++ return 0;
++ }
++ else
++ {
++ /* Use originator key */
++ CMS_OriginatorIdentifierOrKey *oik = ri->d.kari->originator;
++
++ if (!originatorPrivKey && !originator)
++ {
++ return 0;
++ }
++
++ if (flags & CMS_USE_ORIGINATOR_KEYID) {
++ /* kari->originator->issuerAndSerialNumber */
++ oik->type = CMS_OIK_KEYIDENTIFIER;
++ oik->d.subjectKeyIdentifier = ASN1_OCTET_STRING_new();
++ if (oik->d.subjectKeyIdentifier == NULL)
++ return 0;
++ if (!cms_set1_keyid(&oik->d.subjectKeyIdentifier, originator))
++ return 0;
++ }
++ else {
++ oik->type = CMS_REK_ISSUER_SERIAL;
++ if (!cms_set1_ias(&oik->d.issuerAndSerialNumber, originator))
++ return 0;
++ }
++
++ if (!cms_kari_set_originator_private_key(kari, originatorPrivKey))
++ {
++ return 0;
++ }
++ }
+
+- EVP_PKEY_up_ref(pk);
+- rek->pkey = pk;
++ EVP_PKEY_up_ref(recipPubKey);
++ rek->pkey = recipPubKey;
+ return 1;
+ }
+
+@@ -335,14 +400,35 @@ static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
+ EVP_CIPHER_CTX *ctx = kari->ctx;
+ const EVP_CIPHER *kekcipher;
+ int keylen = EVP_CIPHER_key_length(cipher);
++ int ret;
+ /* If a suitable wrap algorithm is already set nothing to do */
+ kekcipher = EVP_CIPHER_CTX_cipher(ctx);
+
+- if (kekcipher) {
+- if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
+- return 0;
+- return 1;
++ if (kekcipher)
++ {
++ if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE)
++ return 0;
++ return 1;
+ }
++ /* Here the Infotecs patch begins */
++ else if (cipher && (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_GET_WRAP_CIPHER))
++ {
++ ret = EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER, 0, &kekcipher);
++ if (0 >= ret)
++ {
++ return 0;
++ }
++
++ if (kekcipher)
++ {
++ if (EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
++ return 0;
++
++ return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
++ }
++ }
++ /* Here the Infotecs patch ends */
++
+ /*
+ * Pick a cipher based on content encryption cipher. If it is DES3 use
+ * DES3 wrap otherwise use AES wrap similar to key size.
+diff --git crypto/cms/cms_lib.c crypto/cms/cms_lib.c
+index be4c2c70..8cce75ea 100644
+--- crypto/cms/cms_lib.c
++++ crypto/cms/cms_lib.c
+@@ -131,12 +131,14 @@ int CMS_dataFinal(CMS_ContentInfo *cms, BIO *cmsbio)
+ switch (OBJ_obj2nid(cms->contentType)) {
+
+ case NID_pkcs7_data:
+- case NID_pkcs7_enveloped:
+ case NID_pkcs7_encrypted:
+ case NID_id_smime_ct_compressedData:
+ /* Nothing to do */
+ return 1;
+
++ case NID_pkcs7_enveloped:
++ return cms_EnvelopedData_final(cms, cmsbio);
++
+ case NID_pkcs7_signed:
+ return cms_SignedData_final(cms, cmsbio);
+
+diff --git crypto/cms/cms_local.h crypto/cms/cms_local.h
+index a0ce4448..27261b77 100644
+--- crypto/cms/cms_local.h
++++ crypto/cms/cms_local.h
+@@ -403,12 +403,13 @@ int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src);
+ ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si);
+
+ BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
++int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain);
+ CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms);
+ int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd);
+ int cms_pkey_get_ri_type(EVP_PKEY *pk);
++int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type);
+ /* KARI routines */
+-int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
+- EVP_PKEY *pk, unsigned int flags);
++int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *recipPubKey, X509 * originator, EVP_PKEY *originatorPrivKey, unsigned int flags);
+ int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
+ CMS_RecipientInfo *ri);
+
+diff --git crypto/cms/cms_smime.c crypto/cms/cms_smime.c
+index 6e7dbc4d..b7d457d3 100644
+--- crypto/cms/cms_smime.c
++++ crypto/cms/cms_smime.c
+@@ -576,8 +576,8 @@ CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *data,
+ return NULL;
+ }
+
+-static int cms_kari_set1_pkey(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
+- EVP_PKEY *pk, X509 *cert)
++static int cms_kari_set1_pkey_and_peer(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
++ EVP_PKEY *pk, X509 *cert, X509 *peer)
+ {
+ int i;
+ STACK_OF(CMS_RecipientEncryptedKey) *reks;
+@@ -588,7 +588,7 @@ static int cms_kari_set1_pkey(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
+ rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
+ if (cert != NULL && CMS_RecipientEncryptedKey_cert_cmp(rek, cert))
+ continue;
+- CMS_RecipientInfo_kari_set0_pkey(ri, pk);
++ CMS_RecipientInfo_kari_set0_pkey_and_peer(ri, pk, peer);
+ rv = CMS_RecipientInfo_kari_decrypt(cms, ri, rek);
+ CMS_RecipientInfo_kari_set0_pkey(ri, NULL);
+ if (rv > 0)
+@@ -599,28 +599,36 @@ static int cms_kari_set1_pkey(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
+ }
+
+ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
++{
++ return CMS_decrypt_set1_pkey_and_peer(cms, pk, cert, NULL);
++}
++
++int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer)
+ {
+ STACK_OF(CMS_RecipientInfo) *ris;
+ CMS_RecipientInfo *ri;
+- int i, r, ri_type;
++ int i, r, cms_pkey_ri_type;
+ int debug = 0, match_ri = 0;
+ ris = CMS_get0_RecipientInfos(cms);
+ if (ris)
+ debug = cms->d.envelopedData->encryptedContentInfo->debug;
+- ri_type = cms_pkey_get_ri_type(pk);
+- if (ri_type == CMS_RECIPINFO_NONE) {
+- CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY,
+- CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
+- return 0;
++
++ cms_pkey_ri_type = cms_pkey_get_ri_type(pk);
++ if (cms_pkey_ri_type == CMS_RECIPINFO_NONE) {
++ CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER,
++ CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
++ return 0;
+ }
+
+ for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
++ int ri_type;
+ ri = sk_CMS_RecipientInfo_value(ris, i);
+- if (CMS_RecipientInfo_type(ri) != ri_type)
+- continue;
++ ri_type = CMS_RecipientInfo_type(ri);
++/* if (!cms_pkey_is_ri_type_supported(pk, ri_type))
++ continue; */
+ match_ri = 1;
+ if (ri_type == CMS_RECIPINFO_AGREE) {
+- r = cms_kari_set1_pkey(cms, ri, pk, cert);
++ r = cms_kari_set1_pkey_and_peer(cms, ri, pk, cert, peer);
+ if (r > 0)
+ return 1;
+ if (r < 0)
+@@ -640,13 +648,13 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
+ * If not debugging clear any error and return success to
+ * avoid leaking of information useful to MMA
+ */
+- if (!debug) {
++ if (!debug && cms_pkey_ri_type == CMS_RECIPINFO_TRANS) {
+ ERR_clear_error();
+ return 1;
+ }
+ if (r > 0)
+ return 1;
+- CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_DECRYPT_ERROR);
++ CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, CMS_R_DECRYPT_ERROR);
+ return 0;
+ }
+ /*
+@@ -654,17 +662,17 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
+ * successful decrypt. Always attempt to decrypt all recipients
+ * to avoid leaking timing of a successful decrypt.
+ */
+- else if (r > 0 && debug)
++ else if (r > 0 && (debug || cms_pkey_ri_type != CMS_RECIPINFO_TRANS))
+ return 1;
+ }
+ }
+ /* If no cert, key transport and not debugging always return success */
+- if (cert == NULL && ri_type == CMS_RECIPINFO_TRANS && match_ri && !debug) {
++ if (cert == NULL && cms_pkey_ri_type == CMS_RECIPINFO_TRANS && match_ri && !debug) {
+ ERR_clear_error();
+ return 1;
+ }
+
+- CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_NO_MATCHING_RECIPIENT);
++ CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER, CMS_R_NO_MATCHING_RECIPIENT);
+ return 0;
+
+ }
+diff --git crypto/err/openssl.txt crypto/err/openssl.txt
+index 902e97b8..7fef6807 100644
+--- crypto/err/openssl.txt
++++ crypto/err/openssl.txt
+@@ -240,6 +240,7 @@ CMS_F_CMS_ADD0_CERT:164:CMS_add0_cert
+ CMS_F_CMS_ADD0_RECIPIENT_KEY:100:CMS_add0_recipient_key
+ CMS_F_CMS_ADD0_RECIPIENT_PASSWORD:165:CMS_add0_recipient_password
+ CMS_F_CMS_ADD1_RECEIPTREQUEST:158:CMS_add1_ReceiptRequest
++CMS_F_CMS_ADD1_RECIPIENT:181:CMS_add1_recipient
+ CMS_F_CMS_ADD1_RECIPIENT_CERT:101:CMS_add1_recipient_cert
+ CMS_F_CMS_ADD1_SIGNER:102:CMS_add1_signer
+ CMS_F_CMS_ADD1_SIGNINGTIME:103:cms_add1_signingTime
+@@ -255,6 +256,7 @@ CMS_F_CMS_DECRYPT:112:CMS_decrypt
+ CMS_F_CMS_DECRYPT_SET1_KEY:113:CMS_decrypt_set1_key
+ CMS_F_CMS_DECRYPT_SET1_PASSWORD:166:CMS_decrypt_set1_password
+ CMS_F_CMS_DECRYPT_SET1_PKEY:114:CMS_decrypt_set1_pkey
++CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER:182:CMS_decrypt_set1_pkey_and_peer
+ CMS_F_CMS_DIGESTALGORITHM_FIND_CTX:115:cms_DigestAlgorithm_find_ctx
+ CMS_F_CMS_DIGESTALGORITHM_INIT_BIO:116:cms_DigestAlgorithm_init_bio
+ CMS_F_CMS_DIGESTEDDATA_DO_FINAL:117:cms_DigestedData_do_final
+@@ -267,6 +269,11 @@ CMS_F_CMS_ENCRYPTEDDATA_DECRYPT:121:CMS_EncryptedData_decrypt
+ CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT:122:CMS_EncryptedData_encrypt
+ CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY:123:CMS_EncryptedData_set1_key
+ CMS_F_CMS_ENVELOPEDDATA_CREATE:124:CMS_EnvelopedData_create
++CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO:184:\
++ cms_EnvelopedData_Decryption_init_bio
++CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO:185:\
++ cms_EnvelopedData_Encryption_init_bio
++CMS_F_CMS_ENVELOPEDDATA_FINAL:186:cms_EnvelopedData_final
+ CMS_F_CMS_ENVELOPEDDATA_INIT_BIO:125:cms_EnvelopedData_init_bio
+ CMS_F_CMS_ENVELOPED_DATA_INIT:126:cms_enveloped_data_init
+ CMS_F_CMS_ENV_ASN1_CTRL:171:cms_env_asn1_ctrl
+@@ -1184,7 +1191,7 @@ SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE:431:*
+ SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE:601:\
+ ossl_statem_server_post_process_message
+ SSL_F_OSSL_STATEM_SERVER_POST_WORK:602:ossl_statem_server_post_work
+-SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:
++SSL_F_OSSL_STATEM_SERVER_PRE_WORK:640:ossl_statem_server_pre_work
+ SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE:603:ossl_statem_server_process_message
+ SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION:418:ossl_statem_server_read_transition
+ SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION:604:\
+@@ -1399,6 +1406,7 @@ SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC:427:tls_construct_change_cipher_spec
+ SSL_F_TLS_CONSTRUCT_CKE_DHE:404:tls_construct_cke_dhe
+ SSL_F_TLS_CONSTRUCT_CKE_ECDHE:405:tls_construct_cke_ecdhe
+ SSL_F_TLS_CONSTRUCT_CKE_GOST:406:tls_construct_cke_gost
++SSL_F_TLS_CONSTRUCT_CKE_GOST18:642:tls_construct_cke_gost18
+ SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE:407:tls_construct_cke_psk_preamble
+ SSL_F_TLS_CONSTRUCT_CKE_RSA:409:tls_construct_cke_rsa
+ SSL_F_TLS_CONSTRUCT_CKE_SRP:410:tls_construct_cke_srp
+@@ -1530,6 +1538,7 @@ SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC:363:tls_process_change_cipher_spec
+ SSL_F_TLS_PROCESS_CKE_DHE:411:tls_process_cke_dhe
+ SSL_F_TLS_PROCESS_CKE_ECDHE:412:tls_process_cke_ecdhe
+ SSL_F_TLS_PROCESS_CKE_GOST:413:tls_process_cke_gost
++SSL_F_TLS_PROCESS_CKE_GOST18:641:tls_process_cke_gost18
+ SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE:414:tls_process_cke_psk_preamble
+ SSL_F_TLS_PROCESS_CKE_RSA:415:tls_process_cke_rsa
+ SSL_F_TLS_PROCESS_CKE_SRP:416:tls_process_cke_srp
+@@ -1652,6 +1661,7 @@ X509V3_F_GNAMES_FROM_SECTNAME:156:gnames_from_sectname
+ X509V3_F_I2S_ASN1_ENUMERATED:121:i2s_ASN1_ENUMERATED
+ X509V3_F_I2S_ASN1_IA5STRING:149:i2s_ASN1_IA5STRING
+ X509V3_F_I2S_ASN1_INTEGER:120:i2s_ASN1_INTEGER
++X509V3_F_I2S_ASN1_UTF8STRING:175:i2s_ASN1_UTF8STRING
+ X509V3_F_I2V_AUTHORITY_INFO_ACCESS:138:i2v_AUTHORITY_INFO_ACCESS
+ X509V3_F_I2V_AUTHORITY_KEYID:173:i2v_AUTHORITY_KEYID
+ X509V3_F_LEVEL_ADD_NODE:168:level_add_node
+@@ -1667,6 +1677,7 @@ X509V3_F_R2I_PCI:155:r2i_pci
+ X509V3_F_S2I_ASN1_IA5STRING:100:s2i_ASN1_IA5STRING
+ X509V3_F_S2I_ASN1_INTEGER:108:s2i_ASN1_INTEGER
+ X509V3_F_S2I_ASN1_OCTET_STRING:112:s2i_ASN1_OCTET_STRING
++X509V3_F_S2I_ASN1_UTF8STRING:176:s2i_ASN1_UTF8STRING
+ X509V3_F_S2I_SKEY_ID:115:s2i_skey_id
+ X509V3_F_SET_DIST_POINT_NAME:158:set_dist_point_name
+ X509V3_F_SXNET_ADD_ID_ASC:125:SXNET_add_id_asc
+diff --git crypto/objects/objects.txt crypto/objects/objects.txt
+index c49d4c56..00444c40 100644
+--- crypto/objects/objects.txt
++++ crypto/objects/objects.txt
+@@ -1321,6 +1321,14 @@ cryptocom 1 8 1 : id-GostR3410-2001-ParamSet-cc : GOST R 3410-2001 Parameter Se
+
+ # TC26 GOST OIDs
+
++id-tc26 0 : id-tc26-modules: GOST TC26 ASN.1 modules
++
++id-tc26-modules 6 : id-tc26-cms: GOST TC26 SMS
++
++id-tc26-cms 1 : id-tc26-cms-attrs: GOST TC26 SMS attributes
++
++id-tc26-cms-attrs 1 : id-tc26-mac-attr: GOST TC26 SMS content-mac attribute
++
+ id-tc26 1 : id-tc26-algorithms
+ id-tc26-algorithms 1 : id-tc26-sign
+ !Cname id-GostR3410-2012-256
+@@ -1344,11 +1352,11 @@ id-tc26-mac 2 : id-tc26-hmac-gost-3411-2012-512 : HMAC GOST 34.11-2012 512 bit
+
+ id-tc26-algorithms 5 : id-tc26-cipher
+ id-tc26-cipher 1 : id-tc26-cipher-gostr3412-2015-magma
+-id-tc26-cipher-gostr3412-2015-magma 1 : id-tc26-cipher-gostr3412-2015-magma-ctracpkm
+-id-tc26-cipher-gostr3412-2015-magma 2 : id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac
++id-tc26-cipher-gostr3412-2015-magma 1 : magma-ctr-acpkm
++id-tc26-cipher-gostr3412-2015-magma 2 : magma-ctr-acpkm-omac
+ id-tc26-cipher 2 : id-tc26-cipher-gostr3412-2015-kuznyechik
+-id-tc26-cipher-gostr3412-2015-kuznyechik 1 : id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm
+-id-tc26-cipher-gostr3412-2015-kuznyechik 2 : id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac
++id-tc26-cipher-gostr3412-2015-kuznyechik 1 : kuznyechik-ctr-acpkm
++id-tc26-cipher-gostr3412-2015-kuznyechik 2 : kuznyechik-ctr-acpkm-omac
+
+ id-tc26-algorithms 6 : id-tc26-agreement
+ id-tc26-agreement 1 : id-tc26-agreement-gost-3410-2012-256
+@@ -1356,9 +1364,9 @@ id-tc26-agreement 2 : id-tc26-agreement-gost-3410-2012-512
+
+ id-tc26-algorithms 7 : id-tc26-wrap
+ id-tc26-wrap 1 : id-tc26-wrap-gostr3412-2015-magma
+-id-tc26-wrap-gostr3412-2015-magma 1 : id-tc26-wrap-gostr3412-2015-magma-kexp15
++id-tc26-wrap-gostr3412-2015-magma 1 : magma-kexp15
+ id-tc26-wrap 2 : id-tc26-wrap-gostr3412-2015-kuznyechik
+-id-tc26-wrap-gostr3412-2015-kuznyechik 1 : id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15
++id-tc26-wrap-gostr3412-2015-kuznyechik 1 : kuznyechik-kexp15
+
+ id-tc26 2 : id-tc26-constants
+
+@@ -1382,16 +1390,25 @@ id-tc26-gost-28147-constants 1 : id-tc26-gost-28147-param-Z : GOST 28147-89 TC26
+ member-body 643 3 131 1 1 : INN : INN
+ member-body 643 100 1 : OGRN : OGRN
+ member-body 643 100 3 : SNILS : SNILS
++member-body 643 100 5 : OGRNIP : OGRNIP
+ member-body 643 100 111 : subjectSignTool : Signing Tool of Subject
+ member-body 643 100 112 : issuerSignTool : Signing Tool of Issuer
++member-body 643 100 113 : classSignTool : Class of Signing Tool
++member-body 643 100 113 1 : classSignToolKC1 : Class of Signing Tool KC1
++member-body 643 100 113 2 : classSignToolKC2 : Class of Signing Tool KC2
++member-body 643 100 113 3 : classSignToolKC3 : Class of Signing Tool KC3
++member-body 643 100 113 4 : classSignToolKB1 : Class of Signing Tool KB1
++member-body 643 100 113 5 : classSignToolKB2 : Class of Signing Tool KB2
++member-body 643 100 113 6 : classSignToolKA1 : Class of Signing Tool KA1
+
+ #GOST R34.13-2015 Grasshopper "Kuznechik"
+- : grasshopper-ecb
+- : grasshopper-ctr
+- : grasshopper-ofb
+- : grasshopper-cbc
+- : grasshopper-cfb
+- : grasshopper-mac
++ : kuznyechik-ecb
++ : kuznyechik-ctr
++ : kuznyechik-ofb
++ : kuznyechik-cbc
++ : kuznyechik-cfb
++ : kuznyechik-mac
++ : kuznyechik-mgm
+
+ #GOST R34.13-2015 Magma
+ : magma-ecb
+@@ -1400,6 +1417,7 @@ member-body 643 100 112 : issuerSignTool : Signing Tool of Issuer
+ : magma-cbc
+ : magma-cfb
+ : magma-mac
++ : magma-mgm
+
+ # Definitions for Camellia cipher - CBC MODE
+
+diff --git crypto/x509v3/build.info crypto/x509v3/build.info
+index 4ab64884..322a1212 100644
+--- crypto/x509v3/build.info
++++ crypto/x509v3/build.info
+@@ -5,4 +5,4 @@ SOURCE[../../libcrypto]=\
+ v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
+ v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
+ pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
+- v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c
++ v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_rus.c
+diff --git crypto/x509v3/ext_dat.h crypto/x509v3/ext_dat.h
+index 762e264b..022816e2 100644
+--- crypto/x509v3/ext_dat.h
++++ crypto/x509v3/ext_dat.h
+@@ -21,5 +21,6 @@ extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
+ extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
+ extern const X509V3_EXT_METHOD v3_addr, v3_asid;
+ extern const X509V3_EXT_METHOD v3_ct_scts[3];
++extern const X509V3_EXT_METHOD v3_subject_sign_tool, v3_issuer_sign_tool;
+ extern const X509V3_EXT_METHOD v3_tls_feature;
+ extern const X509V3_EXT_METHOD v3_ext_admission;
+diff --git crypto/x509v3/standard_exts.h crypto/x509v3/standard_exts.h
+index 944f4de0..536b3d25 100644
+--- crypto/x509v3/standard_exts.h
++++ crypto/x509v3/standard_exts.h
+@@ -68,6 +68,8 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
+ &v3_ct_scts[1],
+ &v3_ct_scts[2],
+ #endif
++ &v3_subject_sign_tool,
++ &v3_issuer_sign_tool,
+ &v3_tls_feature,
+ &v3_ext_admission
+ };
+diff --git crypto/x509v3/v3_alt.c crypto/x509v3/v3_alt.c
+index 7c32d403..91846eb3 100644
+--- crypto/x509v3/v3_alt.c
++++ crypto/x509v3/v3_alt.c
+@@ -25,26 +25,59 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
+ static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
+ static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
+
++static int i2r_GENERAL_NAMES(X509V3_EXT_METHOD *method,
++ GENERAL_NAMES *gens, BIO *out,
++ int indent);
++
++static int GENERAL_NAME_oneline_ex(char *name, GENERAL_NAME *gen, int len)
++{
++ int i;
++ BIO *mem = NULL;
++ BUF_MEM *bptr;
++
++ mem = BIO_new(BIO_s_mem());
++ if (mem == 0)
++ return 0;
++
++ switch (gen->type) {
++ case GEN_DIRNAME:
++ X509_NAME_print_ex(mem, gen->d.dirn, 0, XN_FLAG_SEP_COMMA_PLUS | ASN1_STRFLGS_UTF8_CONVERT);
++ break;
++ }
++
++ BIO_get_mem_ptr(mem, &bptr);
++ i = BIO_set_close(mem, BIO_NOCLOSE);
++ BIO_free(mem);
++ if (i<=0)
++ return 0;
++
++ if(bptr->length < len)
++ strncpy(name, bptr->data, bptr->length);
++ else
++ strncpy(name, bptr->data, len);
++ return 1;
++}
++
+ const X509V3_EXT_METHOD v3_alt[3] = {
+ {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
+ 0, 0, 0, 0,
+ 0, 0,
+- (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
++ NULL, /* (X509V3_EXT_I2V) i2v_GENERAL_NAMES, */
+ (X509V3_EXT_V2I)v2i_subject_alt,
+- NULL, NULL, NULL},
++ (X509V3_EXT_I2R)i2r_GENERAL_NAMES, NULL, NULL},
+
+ {NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
+ 0, 0, 0, 0,
+ 0, 0,
+ (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
+ (X509V3_EXT_V2I)v2i_issuer_alt,
+- NULL, NULL, NULL},
++ (X509V3_EXT_I2R)i2r_GENERAL_NAMES/*NULL*/, NULL, NULL},
+
+ {NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
+ 0, 0, 0, 0,
+ 0, 0,
+ (X509V3_EXT_I2V) i2v_GENERAL_NAMES,
+- NULL, NULL, NULL, NULL},
++ NULL, (X509V3_EXT_I2R)i2r_GENERAL_NAMES/*NULL*/, NULL, NULL},
+ };
+
+ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+@@ -80,7 +113,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
+ STACK_OF(CONF_VALUE) *ret)
+ {
+ unsigned char *p;
+- char oline[256], htmp[5];
++ char oline[1024], htmp[5];
+ int i;
+
+ switch (gen->type) {
+@@ -118,7 +151,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
+ break;
+
+ case GEN_DIRNAME:
+- if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) == NULL
++ if (GENERAL_NAME_oneline_ex(oline, gen, sizeof(oline)) <= 0
+ || !X509V3_add_value("DirName", oline, &ret))
+ return NULL;
+ break;
+@@ -155,6 +188,96 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
+ return ret;
+ }
+
++/* beldmit */
++int i2r_GENERAL_NAME(X509V3_EXT_METHOD *method,
++ GENERAL_NAME *gen, BIO *out,
++ int indent)
++{
++ unsigned char *p;
++ char oline[256], htmp[5];
++ int i;
++ BIO_printf(out, "%*s", indent, "");
++ switch (gen->type) {
++ case GEN_OTHERNAME:
++ BIO_write(out, "othername: <unsupported>", 24);
++ break;
++
++ case GEN_X400:
++ BIO_write(out, "X400Name: <unsupported>", 24);
++ break;
++
++ case GEN_EDIPARTY:
++ BIO_write(out, "EdiPartyName: <unsupported>", 28);
++ break;
++
++ case GEN_EMAIL:
++ BIO_write(out, "email: ", 7);
++ BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
++ break;
++
++ case GEN_DNS:
++ BIO_write(out, "DNS: ", 5);
++ BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
++ break;
++
++ case GEN_URI:
++ BIO_write(out, "URI: ", 5);
++ BIO_write(out, gen->d.ia5->data, gen->d.ia5->length);
++ break;
++
++ case GEN_DIRNAME:
++ BIO_write(out, "DirName: ", 9);
++ X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_SEP_COMMA_PLUS|ASN1_STRFLGS_UTF8_CONVERT);
++ break;
++
++ case GEN_IPADD:
++ p = gen->d.ip->data;
++ if (gen->d.ip->length == 4)
++ BIO_snprintf(oline, sizeof oline,
++ "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
++ else if (gen->d.ip->length == 16) {
++ oline[0] = 0;
++ for (i = 0; i < 8; i++) {
++ BIO_snprintf(htmp, sizeof htmp, "%X", p[0] << 8 | p[1]);
++ p += 2;
++ strcat(oline, htmp);
++ if (i != 7)
++ strcat(oline, ":");
++ }
++ } else {
++ BIO_write(out, "IP Address: <invalid>", 22);
++ break;
++ }
++ BIO_write(out, "IP Address: ", 12);
++ BIO_write(out, oline, strlen(oline));
++ break;
++
++ case GEN_RID:
++ i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
++ BIO_write(out, "Registered ID: ", 15);
++ BIO_write(out, oline, strlen(oline));
++ break;
++ }
++ BIO_write(out, "\n", 1);
++ return 1;
++}
++
++int i2r_GENERAL_NAMES(X509V3_EXT_METHOD *method,
++ GENERAL_NAMES *gens, BIO *out,
++ int indent)
++{
++ int i;
++ GENERAL_NAME *gen;
++ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
++ gen = sk_GENERAL_NAME_value(gens, i);
++ if (!i2r_GENERAL_NAME(method, gen, out, indent))
++ return 0;
++ }
++ return 1;
++}
++
++/* beldmit */
++
+ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
+ {
+ unsigned char *p;
+diff --git crypto/x509v3/v3_rus.c crypto/x509v3/v3_rus.c
+new file mode 100644
+index 00000000..415c9165
+--- /dev/null
++++ crypto/x509v3/v3_rus.c
+@@ -0,0 +1,168 @@
++/* v3_rus.c */
++/*
++ * Written by Dmitry Belyavskiy for the OpenSSL project
++ * 2015.
++ */
++/* ====================================================================
++ * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <openssl/asn1t.h>
++#include <openssl/err.h>
++#include <openssl/x509v3.h>
++
++static char *i2s_ASN1_UTF8STRING(const X509V3_EXT_METHOD *method,
++ ASN1_UTF8STRING *utf8str)
++{
++ char *tmp;
++ if (!utf8str || !utf8str->length)
++ return NULL;
++ if (!(tmp = OPENSSL_malloc(utf8str->length + 1))) {
++ X509V3err(X509V3_F_I2S_ASN1_UTF8STRING, ERR_R_MALLOC_FAILURE);
++ return NULL;
++ }
++ memcpy(tmp, utf8str->data, utf8str->length);
++ tmp[utf8str->length] = 0;
++ return tmp;
++}
++
++static ASN1_UTF8STRING *s2i_ASN1_UTF8STRING(X509V3_EXT_METHOD *method,
++ X509V3_CTX *ctx, char *str)
++{
++ ASN1_UTF8STRING *utf8str;
++ if (!str) {
++ X509V3err(X509V3_F_S2I_ASN1_UTF8STRING,
++ X509V3_R_INVALID_NULL_ARGUMENT);
++ return NULL;
++ }
++ if (!(utf8str = ASN1_STRING_type_new(V_ASN1_UTF8STRING)))
++ goto err;
++ if (!ASN1_STRING_set((ASN1_STRING *)utf8str, (unsigned char *)str,
++ strlen(str))) {
++ ASN1_STRING_free(utf8str);
++ goto err;
++ }
++#ifdef CHARSET_EBCDIC
++ ebcdic2ascii(utf8str->data, utf8str->data, utf8str->length);
++#endif /* CHARSET_EBCDIC */
++ return utf8str;
++ err:
++ X509V3err(X509V3_F_S2I_ASN1_UTF8STRING, ERR_R_MALLOC_FAILURE);
++ return NULL;
++}
++
++const X509V3_EXT_METHOD v3_subject_sign_tool = {
++ NID_subjectSignTool, 0, ASN1_ITEM_ref(ASN1_UTF8STRING),
++ 0, 0, 0, 0,
++ (X509V3_EXT_I2S)i2s_ASN1_UTF8STRING,
++ (X509V3_EXT_S2I)s2i_ASN1_UTF8STRING,
++ 0, 0, 0, 0, NULL
++};
++
++typedef struct ISSUER_SIGN_TOOL_st {
++ ASN1_UTF8STRING *signTool;
++ ASN1_UTF8STRING *cATool;
++ ASN1_UTF8STRING *signToolCert;
++ ASN1_UTF8STRING *cAToolCert;
++} ISSUER_SIGN_TOOL;
++
++ASN1_SEQUENCE(ISSUER_SIGN_TOOL) = {
++ ASN1_SIMPLE(ISSUER_SIGN_TOOL, signTool, ASN1_UTF8STRING),
++ ASN1_SIMPLE(ISSUER_SIGN_TOOL, cATool, ASN1_UTF8STRING),
++ ASN1_SIMPLE(ISSUER_SIGN_TOOL, signToolCert, ASN1_UTF8STRING),
++ ASN1_SIMPLE(ISSUER_SIGN_TOOL, cAToolCert, ASN1_UTF8STRING)
++} ASN1_SEQUENCE_END(ISSUER_SIGN_TOOL)
++
++IMPLEMENT_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)
++
++static int i2r_ISSUER_SIGN_TOOL(X509V3_EXT_METHOD *method,
++ ISSUER_SIGN_TOOL *ist, BIO *out,
++ int indent)
++{
++ if (ist->signTool) {
++ BIO_printf(out, "%*s", indent, "");
++ BIO_write(out, "signTool: ", 14);
++ BIO_write(out, ist->signTool->data, ist->signTool->length);
++ BIO_write(out, "\n", 1);
++ }
++ if (ist->cATool) {
++ BIO_printf(out, "%*s", indent, "");
++ BIO_write(out, "cATool: ", 14);
++ BIO_write(out, ist->cATool->data, ist->cATool->length);
++ BIO_write(out, "\n", 1);
++ }
++ if (ist->signToolCert) {
++ BIO_printf(out, "%*s", indent, "");
++ BIO_write(out, "signToolCert: ", 14);
++ BIO_write(out, ist->signToolCert->data, ist->signToolCert->length);
++ BIO_write(out, "\n", 1);
++ }
++ if (ist->cAToolCert) {
++ BIO_printf(out, "%*s", indent, "");
++ BIO_write(out, "cAToolCert: ", 14);
++ BIO_write(out, ist->cAToolCert->data, ist->cAToolCert->length);
++ BIO_write(out, "\n", 1);
++ }
++ return 1;
++}
++
++const X509V3_EXT_METHOD v3_issuer_sign_tool = {
++ NID_issuerSignTool, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(ISSUER_SIGN_TOOL),
++ 0, 0, 0, 0,
++ 0, 0,
++ 0, /*(X509V3_EXT_I2V)i2v_ISSUER_SIGN_TOOL,*/
++ 0,
++ (X509V3_EXT_I2R)i2r_ISSUER_SIGN_TOOL, 0, NULL
++};
+diff --git crypto/x509v3/v3err.c crypto/x509v3/v3err.c
+index 8b2918a6..3c9f2332 100644
+--- crypto/x509v3/v3err.c
++++ crypto/x509v3/v3err.c
+@@ -37,6 +37,8 @@ static const ERR_STRING_DATA X509V3_str_functs[] = {
+ "i2s_ASN1_IA5STRING"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2S_ASN1_INTEGER, 0),
+ "i2s_ASN1_INTEGER"},
++ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2S_ASN1_UTF8STRING, 0),
++ "i2s_ASN1_UTF8STRING"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_INFO_ACCESS, 0),
+ "i2v_AUTHORITY_INFO_ACCESS"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_I2V_AUTHORITY_KEYID, 0),
+@@ -60,6 +62,8 @@ static const ERR_STRING_DATA X509V3_str_functs[] = {
+ "s2i_ASN1_INTEGER"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_ASN1_OCTET_STRING, 0),
+ "s2i_ASN1_OCTET_STRING"},
++ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_ASN1_UTF8STRING, 0),
++ "s2i_ASN1_UTF8STRING"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_S2I_SKEY_ID, 0), "s2i_skey_id"},
+ {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SET_DIST_POINT_NAME, 0),
+ "set_dist_point_name"},
+diff --git include/openssl/cms.h include/openssl/cms.h
+index c7627968..c90a01fa 100644
+--- include/openssl/cms.h
++++ include/openssl/cms.h
+@@ -73,6 +73,7 @@ DECLARE_ASN1_PRINT_FUNCTION(CMS_ContentInfo)
+ # define CMS_DEBUG_DECRYPT 0x20000
+ # define CMS_KEY_PARAM 0x40000
+ # define CMS_ASCIICRLF 0x80000
++# define CMS_USE_ORIGINATOR_KEYID 0x100000
+
+ const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms);
+
+@@ -143,6 +144,7 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert,
+ BIO *dcont, BIO *out, unsigned int flags);
+
+ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert);
++int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer);
+ int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
+ unsigned char *key, size_t keylen,
+ const unsigned char *id, size_t idlen);
+@@ -155,6 +157,8 @@ EVP_PKEY_CTX *CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo *ri);
+ CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher);
+ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
+ X509 *recip, unsigned int flags);
++CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
++ EVP_PKEY *originatorPrivKey, X509 * originator, unsigned int flags);
+ int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey);
+ int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
+ int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri,
+@@ -319,6 +323,7 @@ int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek,
+ int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
+ X509 *cert);
+ int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
++int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *pk, X509 *peer);
+ EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri);
+ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
+ CMS_RecipientInfo *ri,
+diff --git include/openssl/cmserr.h include/openssl/cmserr.h
+index 7dbc13dc..9131e075 100644
+--- include/openssl/cmserr.h
++++ include/openssl/cmserr.h
+@@ -11,9 +11,7 @@
+ #ifndef HEADER_CMSERR_H
+ # define HEADER_CMSERR_H
+
+-# ifndef HEADER_SYMHACKS_H
+-# include <openssl/symhacks.h>
+-# endif
++# include <openssl/symhacks.h>
+
+ # include <openssl/opensslconf.h>
+
+@@ -32,6 +30,7 @@ int ERR_load_CMS_strings(void);
+ # define CMS_F_CMS_ADD0_RECIPIENT_KEY 100
+ # define CMS_F_CMS_ADD0_RECIPIENT_PASSWORD 165
+ # define CMS_F_CMS_ADD1_RECEIPTREQUEST 158
++# define CMS_F_CMS_ADD1_RECIPIENT 181
+ # define CMS_F_CMS_ADD1_RECIPIENT_CERT 101
+ # define CMS_F_CMS_ADD1_SIGNER 102
+ # define CMS_F_CMS_ADD1_SIGNINGTIME 103
+@@ -47,6 +46,7 @@ int ERR_load_CMS_strings(void);
+ # define CMS_F_CMS_DECRYPT_SET1_KEY 113
+ # define CMS_F_CMS_DECRYPT_SET1_PASSWORD 166
+ # define CMS_F_CMS_DECRYPT_SET1_PKEY 114
++# define CMS_F_CMS_DECRYPT_SET1_PKEY_AND_PEER 182
+ # define CMS_F_CMS_DIGESTALGORITHM_FIND_CTX 115
+ # define CMS_F_CMS_DIGESTALGORITHM_INIT_BIO 116
+ # define CMS_F_CMS_DIGESTEDDATA_DO_FINAL 117
+@@ -59,6 +59,9 @@ int ERR_load_CMS_strings(void);
+ # define CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT 122
+ # define CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY 123
+ # define CMS_F_CMS_ENVELOPEDDATA_CREATE 124
++# define CMS_F_CMS_ENVELOPEDDATA_DECRYPTION_INIT_BIO 184
++# define CMS_F_CMS_ENVELOPEDDATA_ENCRYPTION_INIT_BIO 185
++# define CMS_F_CMS_ENVELOPEDDATA_FINAL 186
+ # define CMS_F_CMS_ENVELOPEDDATA_INIT_BIO 125
+ # define CMS_F_CMS_ENVELOPED_DATA_INIT 126
+ # define CMS_F_CMS_ENV_ASN1_CTRL 171
+diff --git include/openssl/evp.h include/openssl/evp.h
+index a411f3f2..e0ce8482 100644
+--- include/openssl/evp.h
++++ include/openssl/evp.h
+@@ -20,6 +20,9 @@
+ # define EVP_MAX_KEY_LENGTH 64
+ # define EVP_MAX_IV_LENGTH 16
+ # define EVP_MAX_BLOCK_LENGTH 32
++# define EVP_MAX_AEAD_TAG_LEN 16/* longest known AEAD tag size */
++
++#define EVP_MAX_MAC_SIZE EVP_MAX_AEAD_TAG_LEN
+
+ # define PKCS5_SALT_LEN 8
+ /* Default PKCS#5 iteration count */
+@@ -139,6 +142,7 @@ int (*EVP_MD_meth_get_ctrl(const EVP_MD *md))(EVP_MD_CTX *ctx, int cmd,
+ # define EVP_MD_CTRL_DIGALGID 0x1
+ # define EVP_MD_CTRL_MICALG 0x2
+ # define EVP_MD_CTRL_XOF_LEN 0x3
++# define EVP_MD_CTRL_TLSTREE 0x4
+
+ /* Minimum Algorithm specific ctrl value */
+
+@@ -277,8 +281,9 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
+ # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
+ # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0x400000
+ /* Cipher can handle pipeline operations */
+-# define EVP_CIPH_FLAG_PIPELINE 0X800000
+-
++# define EVP_CIPH_FLAG_PIPELINE 0x800000
++# define EVP_CIPH_FLAG_CIPHER_WITH_MAC 0x1000000
++# define EVP_CIPH_FLAG_GET_WRAP_CIPHER 0X4000000
+ /*
+ * Cipher context flag to indicate we can handle wrap mode: if allowed in
+ * older applications it could overflow buffers.
+@@ -352,6 +357,20 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
+ # define EVP_CTRL_SET_PIPELINE_INPUT_LENS 0x24
+
+ # define EVP_CTRL_GET_IVLEN 0x25
++/* Indicates TLSTREE key diversification during TLS processing */
++# define EVP_CTRL_TLSTREE 0x26
++
++#define EVP_CTRL_AEAD_MAX_TAG_LEN 0x27
++# define EVP_CTRL_GET_WRAP_CIPHER 0X28
++
++# define EVP_CTRL_GET_MAC_LEN EVP_CTRL_AEAD_MAX_TAG_LEN
++# define EVP_CTRL_GET_MAC EVP_CTRL_AEAD_GET_TAG
++# define EVP_CTRL_SET_EXPECTED_MAC EVP_CTRL_AEAD_SET_TAG
++/* GOST CMS requires processing unprotected attributes in some cases*/
++# define EVP_CTRL_PROCESS_UNPROTECTED 0x29
++/* Set GOST TLSTREE params */
++# define EVP_CTRL_SET_TLSTREE_PARAMS 0x2A
++
+
+ /* Padding modes */
+ #define EVP_PADDING_PKCS7 1
+@@ -390,6 +409,10 @@ typedef struct {
+ /* Length of CCM8 tag for TLS */
+ # define EVP_CCM8_TLS_TAG_LEN 8
+
++/* GOST TLS 1.3 tag lengths */
++# define EVP_MAGMA_TLS_TAG_LEN 8
++# define EVP_KUZNYECHIK_TLS_TAG_LEN 16
++
+ /* Length of tag for TLS */
+ # define EVP_CHACHAPOLY_TLS_TAG_LEN 16
+
+@@ -1142,6 +1165,10 @@ int EVP_PBE_get(int *ptype, int *ppbe_nid, size_t num);
+ # define ASN1_PKEY_CTRL_SET1_TLS_ENCPT 0x9
+ # define ASN1_PKEY_CTRL_GET1_TLS_ENCPT 0xa
+
++/* This control use for decryption */
++/* when algorithm support multiple ri types */
++# define ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED 0xb
++
+ int EVP_PKEY_asn1_get_count(void);
+ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx);
+ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pe, int type);
+diff --git include/openssl/obj_mac.h include/openssl/obj_mac.h
+index 53516a06..b66436e5 100644
+--- include/openssl/obj_mac.h
++++ include/openssl/obj_mac.h
+@@ -4162,6 +4162,26 @@
+ #define NID_id_GostR3410_2001_ParamSet_cc 854
+ #define OBJ_id_GostR3410_2001_ParamSet_cc OBJ_cryptocom,1L,8L,1L
+
++#define SN_id_tc26_modules "id-tc26-modules"
++#define LN_id_tc26_modules "GOST TC26 ASN.1 modules"
++#define NID_id_tc26_modules 1203
++#define OBJ_id_tc26_modules OBJ_id_tc26,0L
++
++#define SN_id_tc26_cms "id-tc26-cms"
++#define LN_id_tc26_cms "GOST TC26 SMS"
++#define NID_id_tc26_cms 1204
++#define OBJ_id_tc26_cms OBJ_id_tc26_modules,6L
++
++#define SN_id_tc26_cms_attrs "id-tc26-cms-attrs"
++#define LN_id_tc26_cms_attrs "GOST TC26 SMS attributes"
++#define NID_id_tc26_cms_attrs 1205
++#define OBJ_id_tc26_cms_attrs OBJ_id_tc26_cms,1L
++
++#define SN_id_tc26_mac_attr "id-tc26-mac-attr"
++#define LN_id_tc26_mac_attr "GOST TC26 SMS content-mac attribute"
++#define NID_id_tc26_mac_attr 1206
++#define OBJ_id_tc26_mac_attr OBJ_id_tc26_cms_attrs,1L
++
+ #define SN_id_tc26_algorithms "id-tc26-algorithms"
+ #define NID_id_tc26_algorithms 977
+ #define OBJ_id_tc26_algorithms OBJ_id_tc26,1L
+@@ -4230,25 +4250,25 @@
+ #define NID_id_tc26_cipher_gostr3412_2015_magma 1173
+ #define OBJ_id_tc26_cipher_gostr3412_2015_magma OBJ_id_tc26_cipher,1L
+
+-#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm "id-tc26-cipher-gostr3412-2015-magma-ctracpkm"
+-#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm 1174
+-#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm OBJ_id_tc26_cipher_gostr3412_2015_magma,1L
++#define SN_magma_ctr_acpkm "magma-ctr-acpkm"
++#define NID_magma_ctr_acpkm 1174
++#define OBJ_magma_ctr_acpkm OBJ_id_tc26_cipher_gostr3412_2015_magma,1L
+
+-#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac "id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac"
+-#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac 1175
+-#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_magma,2L
++#define SN_magma_ctr_acpkm_omac "magma-ctr-acpkm-omac"
++#define NID_magma_ctr_acpkm_omac 1175
++#define OBJ_magma_ctr_acpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_magma,2L
+
+ #define SN_id_tc26_cipher_gostr3412_2015_kuznyechik "id-tc26-cipher-gostr3412-2015-kuznyechik"
+ #define NID_id_tc26_cipher_gostr3412_2015_kuznyechik 1176
+ #define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik OBJ_id_tc26_cipher,2L
+
+-#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm"
+-#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm 1177
+-#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,1L
++#define SN_kuznyechik_ctr_acpkm "kuznyechik-ctr-acpkm"
++#define NID_kuznyechik_ctr_acpkm 1177
++#define OBJ_kuznyechik_ctr_acpkm OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,1L
+
+-#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac"
+-#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac 1178
+-#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,2L
++#define SN_kuznyechik_ctr_acpkm_omac "kuznyechik-ctr-acpkm-omac"
++#define NID_kuznyechik_ctr_acpkm_omac 1178
++#define OBJ_kuznyechik_ctr_acpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,2L
+
+ #define SN_id_tc26_agreement "id-tc26-agreement"
+ #define NID_id_tc26_agreement 991
+@@ -4270,17 +4290,17 @@
+ #define NID_id_tc26_wrap_gostr3412_2015_magma 1180
+ #define OBJ_id_tc26_wrap_gostr3412_2015_magma OBJ_id_tc26_wrap,1L
+
+-#define SN_id_tc26_wrap_gostr3412_2015_magma_kexp15 "id-tc26-wrap-gostr3412-2015-magma-kexp15"
+-#define NID_id_tc26_wrap_gostr3412_2015_magma_kexp15 1181
+-#define OBJ_id_tc26_wrap_gostr3412_2015_magma_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_magma,1L
++#define SN_magma_kexp15 "magma-kexp15"
++#define NID_magma_kexp15 1181
++#define OBJ_magma_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_magma,1L
+
+ #define SN_id_tc26_wrap_gostr3412_2015_kuznyechik "id-tc26-wrap-gostr3412-2015-kuznyechik"
+ #define NID_id_tc26_wrap_gostr3412_2015_kuznyechik 1182
+ #define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik OBJ_id_tc26_wrap,2L
+
+-#define SN_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 "id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15"
+-#define NID_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 1183
+-#define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik,1L
++#define SN_kuznyechik_kexp15 "kuznyechik-kexp15"
++#define NID_kuznyechik_kexp15 1183
++#define OBJ_kuznyechik_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik,1L
+
+ #define SN_id_tc26_constants "id-tc26-constants"
+ #define NID_id_tc26_constants 994
+@@ -4370,6 +4390,11 @@
+ #define NID_SNILS 1006
+ #define OBJ_SNILS OBJ_member_body,643L,100L,3L
+
++#define SN_OGRNIP "OGRNIP"
++#define LN_OGRNIP "OGRNIP"
++#define NID_OGRNIP 1195
++#define OBJ_OGRNIP OBJ_member_body,643L,100L,5L
++
+ #define SN_subjectSignTool "subjectSignTool"
+ #define LN_subjectSignTool "Signing Tool of Subject"
+ #define NID_subjectSignTool 1007
+@@ -4380,23 +4405,61 @@
+ #define NID_issuerSignTool 1008
+ #define OBJ_issuerSignTool OBJ_member_body,643L,100L,112L
+
+-#define SN_grasshopper_ecb "grasshopper-ecb"
+-#define NID_grasshopper_ecb 1012
++#define SN_classSignTool "classSignTool"
++#define LN_classSignTool "Class of Signing Tool"
++#define NID_classSignTool 1196
++#define OBJ_classSignTool OBJ_member_body,643L,100L,113L
++
++#define SN_classSignToolKC1 "classSignToolKC1"
++#define LN_classSignToolKC1 "Class of Signing Tool KC1"
++#define NID_classSignToolKC1 1197
++#define OBJ_classSignToolKC1 OBJ_member_body,643L,100L,113L,1L
++
++#define SN_classSignToolKC2 "classSignToolKC2"
++#define LN_classSignToolKC2 "Class of Signing Tool KC2"
++#define NID_classSignToolKC2 1198
++#define OBJ_classSignToolKC2 OBJ_member_body,643L,100L,113L,2L
++
++#define SN_classSignToolKC3 "classSignToolKC3"
++#define LN_classSignToolKC3 "Class of Signing Tool KC3"
++#define NID_classSignToolKC3 1199
++#define OBJ_classSignToolKC3 OBJ_member_body,643L,100L,113L,3L
++
++#define SN_classSignToolKB1 "classSignToolKB1"
++#define LN_classSignToolKB1 "Class of Signing Tool KB1"
++#define NID_classSignToolKB1 1200
++#define OBJ_classSignToolKB1 OBJ_member_body,643L,100L,113L,4L
++
++#define SN_classSignToolKB2 "classSignToolKB2"
++#define LN_classSignToolKB2 "Class of Signing Tool KB2"
++#define NID_classSignToolKB2 1201
++#define OBJ_classSignToolKB2 OBJ_member_body,643L,100L,113L,5L
+
+-#define SN_grasshopper_ctr "grasshopper-ctr"
+-#define NID_grasshopper_ctr 1013
++#define SN_classSignToolKA1 "classSignToolKA1"
++#define LN_classSignToolKA1 "Class of Signing Tool KA1"
++#define NID_classSignToolKA1 1202
++#define OBJ_classSignToolKA1 OBJ_member_body,643L,100L,113L,6L
+
+-#define SN_grasshopper_ofb "grasshopper-ofb"
+-#define NID_grasshopper_ofb 1014
++#define SN_kuznyechik_ecb "kuznyechik-ecb"
++#define NID_kuznyechik_ecb 1012
+
+-#define SN_grasshopper_cbc "grasshopper-cbc"
+-#define NID_grasshopper_cbc 1015
++#define SN_kuznyechik_ctr "kuznyechik-ctr"
++#define NID_kuznyechik_ctr 1013
+
+-#define SN_grasshopper_cfb "grasshopper-cfb"
+-#define NID_grasshopper_cfb 1016
++#define SN_kuznyechik_ofb "kuznyechik-ofb"
++#define NID_kuznyechik_ofb 1014
+
+-#define SN_grasshopper_mac "grasshopper-mac"
+-#define NID_grasshopper_mac 1017
++#define SN_kuznyechik_cbc "kuznyechik-cbc"
++#define NID_kuznyechik_cbc 1015
++
++#define SN_kuznyechik_cfb "kuznyechik-cfb"
++#define NID_kuznyechik_cfb 1016
++
++#define SN_kuznyechik_mac "kuznyechik-mac"
++#define NID_kuznyechik_mac 1017
++
++#define SN_kuznyechik_mgm "kuznyechik-mgm"
++#define NID_kuznyechik_mgm 1207
+
+ #define SN_magma_ecb "magma-ecb"
+ #define NID_magma_ecb 1187
+@@ -4416,6 +4479,9 @@
+ #define SN_magma_mac "magma-mac"
+ #define NID_magma_mac 1192
+
++#define SN_magma_mgm "magma-mgm"
++#define NID_magma_mgm 1208
++
+ #define SN_camellia_128_cbc "CAMELLIA-128-CBC"
+ #define LN_camellia_128_cbc "camellia-128-cbc"
+ #define NID_camellia_128_cbc 751
+@@ -5196,3 +5262,49 @@
+ #define LN_uacurve9 "DSTU curve 9"
+ #define NID_uacurve9 1169
+ #define OBJ_uacurve9 OBJ_dstu4145le,2L,9L
++
++#ifndef OPENSSL_NO_DEPRECATED_3_0
++
++#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm SN_magma_ctr_acpkm
++#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm NID_magma_ctr_acpkm
++#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm OBJ_magma_ctr_acpkm
++
++#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac SN_magma_ctr_acpkm_omac
++#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac NID_magma_ctr_acpkm_omac
++#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac OBJ_magma_ctr_acpkm_omac
++
++#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm SN_kuznyechik_ctr_acpkm
++#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm NID_kuznyechik_ctr_acpkm
++#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm OBJ_kuznyechik_ctr_acpkm
++
++#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac SN_kuznyechik_ctr_acpkm_omac
++#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac NID_kuznyechik_ctr_acpkm_omac
++#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac OBJ_kuznyechik_ctr_acpkm_omac
++
++#define SN_id_tc26_wrap_gostr3412_2015_magma_kexp15 SN_magma_kexp15
++#define NID_id_tc26_wrap_gostr3412_2015_magma_kexp15 NID_magma_kexp15
++#define OBJ_id_tc26_wrap_gostr3412_2015_magma_kexp15 OBJ_magma_kexp15
++
++#define SN_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 SN_kuznyechik_kexp15
++#define NID_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 NID_kuznyechik_kexp15
++#define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 OBJ_kuznyechik_kexp15
++
++#define SN_grasshopper_ecb SN_kuznyechik_ecb
++#define NID_grasshopper_ecb NID_kuznyechik_ecb
++
++#define SN_grasshopper_ctr SN_kuznyechik_ctr
++#define NID_grasshopper_ctr NID_kuznyechik_ctr
++
++#define SN_grasshopper_ofb SN_kuznyechik_ofb
++#define NID_grasshopper_ofb NID_kuznyechik_ofb
++
++#define SN_grasshopper_cbc SN_kuznyechik_cbc
++#define NID_grasshopper_cbc NID_kuznyechik_cbc
++
++#define SN_grasshopper_cfb SN_kuznyechik_cfb
++#define NID_grasshopper_cfb NID_kuznyechik_cfb
++
++#define SN_grasshopper_mac SN_kuznyechik_mac
++#define NID_grasshopper_mac NID_kuznyechik_mac
++
++#endif
+diff --git include/openssl/ssl.h include/openssl/ssl.h
+index 9af0c899..f94c7131 100644
+--- include/openssl/ssl.h
++++ include/openssl/ssl.h
+@@ -81,6 +81,7 @@ extern "C" {
+ # define SSL_TXT_kECDHEPSK "kECDHEPSK"
+ # define SSL_TXT_kDHEPSK "kDHEPSK"
+ # define SSL_TXT_kGOST "kGOST"
++# define SSL_TXT_kGOST18 "kGOST18"
+ # define SSL_TXT_kSRP "kSRP"
+
+ # define SSL_TXT_aRSA "aRSA"
+@@ -908,6 +909,8 @@ __owur int SSL_extension_supported(unsigned int ext_type);
+
+ # define SSL_MAC_FLAG_READ_MAC_STREAM 1
+ # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
++# define SSL_MAC_FLAG_READ_MAC_TLSTREE 4
++# define SSL_MAC_FLAG_WRITE_MAC_TLSTREE 8
+
+ /*
+ * A callback for logging out TLS key material. This callback should log out
+diff --git include/openssl/sslerr.h include/openssl/sslerr.h
+index 701d61c6..36cacab3 100644
+--- include/openssl/sslerr.h
++++ include/openssl/sslerr.h
+@@ -11,9 +11,7 @@
+ #ifndef HEADER_SSLERR_H
+ # define HEADER_SSLERR_H
+
+-# ifndef HEADER_SYMHACKS_H
+-# include <openssl/symhacks.h>
+-# endif
++# include <openssl/symhacks.h>
+
+ # ifdef __cplusplus
+ extern "C"
+@@ -297,6 +295,7 @@ int ERR_load_SSL_strings(void);
+ # define SSL_F_TLS_CONSTRUCT_CKE_DHE 404
+ # define SSL_F_TLS_CONSTRUCT_CKE_ECDHE 405
+ # define SSL_F_TLS_CONSTRUCT_CKE_GOST 406
++# define SSL_F_TLS_CONSTRUCT_CKE_GOST18 642
+ # define SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE 407
+ # define SSL_F_TLS_CONSTRUCT_CKE_RSA 409
+ # define SSL_F_TLS_CONSTRUCT_CKE_SRP 410
+@@ -421,6 +420,7 @@ int ERR_load_SSL_strings(void);
+ # define SSL_F_TLS_PROCESS_CKE_DHE 411
+ # define SSL_F_TLS_PROCESS_CKE_ECDHE 412
+ # define SSL_F_TLS_PROCESS_CKE_GOST 413
++# define SSL_F_TLS_PROCESS_CKE_GOST18 641
+ # define SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE 414
+ # define SSL_F_TLS_PROCESS_CKE_RSA 415
+ # define SSL_F_TLS_PROCESS_CKE_SRP 416
+diff --git include/openssl/tls1.h include/openssl/tls1.h
+index 76d9fda4..6b6442f3 100644
+--- include/openssl/tls1.h
++++ include/openssl/tls1.h
+@@ -613,6 +613,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
+ # define TLS1_3_CK_AES_128_CCM_SHA256 0x03001304
+ # define TLS1_3_CK_AES_128_CCM_8_SHA256 0x03001305
+
++/* https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites */
++# define TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L 0x0300C103
++# define TLS_GOSTR341112_256_WITH_MAGMA_MGM_L 0x0300C104
++# define TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S 0x0300C105
++# define TLS_GOSTR341112_256_WITH_MAGMA_MGM_S 0x0300C106
++
+ /* Aria ciphersuites from RFC6209 */
+ # define TLS1_CK_RSA_WITH_ARIA_128_GCM_SHA256 0x0300C050
+ # define TLS1_CK_RSA_WITH_ARIA_256_GCM_SHA384 0x0300C051
+@@ -1135,8 +1141,10 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
+ # define TLS_CT_RSA_FIXED_ECDH 65
+ # define TLS_CT_ECDSA_FIXED_ECDH 66
+ # define TLS_CT_GOST01_SIGN 22
+-# define TLS_CT_GOST12_SIGN 238
+-# define TLS_CT_GOST12_512_SIGN 239
++# define TLS_CT_GOST12_SIGN 67
++# define TLS_CT_GOST12_512_SIGN 68
++# define TLS_CT_GOST12_SIGN_LEGACY 238
++# define TLS_CT_GOST12_512_SIGN_LEGACY 239
+
+ /*
+ * when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see
+diff --git include/openssl/x509.h include/openssl/x509.h
+index 3ff86ec7..cdca4f5f 100644
+--- include/openssl/x509.h
++++ include/openssl/x509.h
+@@ -1023,8 +1023,11 @@ int PKCS8_pkey_get0(const ASN1_OBJECT **ppkalg,
+
+ const STACK_OF(X509_ATTRIBUTE) *
+ PKCS8_pkey_get0_attrs(const PKCS8_PRIV_KEY_INFO *p8);
++int PKCS8_pkey_add1_attr(PKCS8_PRIV_KEY_INFO *p8, X509_ATTRIBUTE *attr);
+ int PKCS8_pkey_add1_attr_by_NID(PKCS8_PRIV_KEY_INFO *p8, int nid, int type,
+ const unsigned char *bytes, int len);
++int PKCS8_pkey_add1_attr_by_OBJ(PKCS8_PRIV_KEY_INFO *p8, const ASN1_OBJECT *obj,
++ int type, const unsigned char *bytes, int len);
+
+ int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
+ int ptype, void *pval,
+diff --git include/openssl/x509v3err.h include/openssl/x509v3err.h
+index 3b9f7139..48f7a558 100644
+--- include/openssl/x509v3err.h
++++ include/openssl/x509v3err.h
+@@ -37,6 +37,7 @@ int ERR_load_X509V3_strings(void);
+ # define X509V3_F_I2S_ASN1_ENUMERATED 121
+ # define X509V3_F_I2S_ASN1_IA5STRING 149
+ # define X509V3_F_I2S_ASN1_INTEGER 120
++# define X509V3_F_I2S_ASN1_UTF8STRING 175
+ # define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
+ # define X509V3_F_I2V_AUTHORITY_KEYID 173
+ # define X509V3_F_LEVEL_ADD_NODE 168
+@@ -52,6 +53,7 @@ int ERR_load_X509V3_strings(void);
+ # define X509V3_F_S2I_ASN1_IA5STRING 100
+ # define X509V3_F_S2I_ASN1_INTEGER 108
+ # define X509V3_F_S2I_ASN1_OCTET_STRING 112
++# define X509V3_F_S2I_ASN1_UTF8STRING 176
+ # define X509V3_F_S2I_SKEY_ID 115
+ # define X509V3_F_SET_DIST_POINT_NAME 158
+ # define X509V3_F_SXNET_ADD_ID_ASC 125
+diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c
+index 47c7369e..ee737c4c 100644
+--- ssl/record/ssl3_record.c
++++ ssl/record/ssl3_record.c
+@@ -944,6 +944,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
+ unsigned char padval;
+ int imac_size;
+ const EVP_CIPHER *enc;
++ int tlstree_enc = (sending ? (s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
++ : (s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE));
+
+ if (n_recs == 0) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
+@@ -1036,7 +1038,6 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
+
+ seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
+ : RECORD_LAYER_get_read_sequence(&s->rlayer);
+-
+ if (SSL_IS_DTLS(s)) {
+ /* DTLS does not support pipelining */
+ unsigned char dtlsseq[8], *p = dtlsseq;
+@@ -1122,6 +1123,27 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
+ }
+ }
+
++ if (!SSL_IS_DTLS(s) && tlstree_enc) {
++ unsigned char *seq;
++ int decrement_seq = 0;
++ /*
++ * When sending, seq is incremented after MAC calculation.
++ * So if we are in ETM mode, we use seq 'as is' in the ctrl-function.
++ * Otherwise we have to decrease it in the implementation
++ */
++ if (sending && !SSL_WRITE_ETM(s))
++ decrement_seq = 1;
++
++ seq = sending ? RECORD_LAYER_get_write_sequence(&s->rlayer)
++ : RECORD_LAYER_get_read_sequence(&s->rlayer);
++ if(EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_TLSTREE, decrement_seq, seq) <= 0)
++ {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
++ ERR_R_INTERNAL_ERROR);
++ return -1;
++ }
++ }
++
+ /* TODO(size_t): Convert this call */
+ tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
+ (unsigned int)reclen[0]);
+@@ -1287,6 +1309,8 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
+ unsigned char header[13];
+ int stream_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
+ : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
++ int tlstree_mac = (sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
++ : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE));
+ int t;
+
+ if (sending) {
+@@ -1314,6 +1338,11 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
+ mac_ctx = hmac;
+ }
+
++ if (!SSL_IS_DTLS(ssl) && tlstree_mac && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) {
++ EVP_MD_CTX_free(hmac);
++ return 0;
++ }
++
+ if (SSL_IS_DTLS(ssl)) {
+ unsigned char dtlsseq[8], *p = dtlsseq;
+
+diff --git ssl/record/ssl3_record_tls13.c ssl/record/ssl3_record_tls13.c
+index ab50e376..2373c9b3 100644
+--- ssl/record/ssl3_record_tls13.c
++++ ssl/record/ssl3_record_tls13.c
+@@ -107,6 +107,10 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
+ taglen = EVP_GCM_TLS_TAG_LEN;
+ } else if (alg_enc & SSL_CHACHA20) {
+ taglen = EVP_CHACHAPOLY_TLS_TAG_LEN;
++ } else if (alg_enc & SSL_MAGMA_MGM) {
++ taglen = EVP_MAGMA_TLS_TAG_LEN;
++ } else if (alg_enc & SSL_KUZNYECHIK_MGM) {
++ taglen = EVP_KUZNYECHIK_TLS_TAG_LEN;
+ } else {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC,
+ ERR_R_INTERNAL_ERROR);
+@@ -135,6 +139,16 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
+ for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
+ iv[offset + loop] = staticiv[offset + loop] ^ seq[loop];
+
++ if (s->s3->tmp.new_cipher != NULL
++ && s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE) {
++ if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_TLSTREE,
++ 0, seq) <= 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC,
++ ERR_R_INTERNAL_ERROR);
++ return -1;
++ }
++ }
++
+ /* Increment the sequence counter */
+ for (loop = SEQ_NUM_SIZE; loop > 0; loop--) {
+ ++seq[loop - 1];
+diff --git ssl/s3_lib.c ssl/s3_lib.c
+index 32f9b257..8fdf208a 100644
+--- ssl/s3_lib.c
++++ ssl/s3_lib.c
+@@ -111,7 +111,74 @@ static SSL_CIPHER tls13_ciphers[] = {
+ SSL_HANDSHAKE_MAC_SHA256,
+ 128,
+ 128,
+- }
++ },
++#ifndef OPENSSL_NO_GOST
++/* https://tools.ietf.org/html/draft-smyshlyaev-tls13-gost-suites */
++ {
++ 1,
++ "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", /* FIXME */
++ "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", /* FIXME */
++ TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L,
++ SSL_kANY,
++ SSL_aANY,
++ SSL_KUZNYECHIK_MGM,
++ SSL_AEAD,
++ TLS1_3_VERSION, TLS1_3_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_L,
++ 256,
++ 256,
++ },
++ {
++ 1,
++ "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", /* FIXME */
++ "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", /* FIXME */
++ TLS_GOSTR341112_256_WITH_MAGMA_MGM_L,
++ SSL_kANY,
++ SSL_aANY,
++ SSL_MAGMA_MGM,
++ SSL_AEAD,
++ TLS1_3_VERSION, TLS1_3_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_L,
++ 256,
++ 256,
++ },
++ {
++ 1,
++ "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", /* FIXME */
++ "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", /* FIXME */
++ TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S,
++ SSL_kANY,
++ SSL_aANY,
++ SSL_KUZNYECHIK_MGM,
++ SSL_AEAD,
++ TLS1_3_VERSION, TLS1_3_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_S,
++ 256,
++ 256,
++ },
++ {
++ 1,
++ "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", /* FIXME */
++ "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", /* FIXME */
++ TLS_GOSTR341112_256_WITH_MAGMA_MGM_S,
++ SSL_kANY,
++ SSL_aANY,
++ SSL_MAGMA_MGM,
++ SSL_AEAD,
++ TLS1_3_VERSION, TLS1_3_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_TLSTREE | TLS1_TLSTREE_S,
++ 256,
++ 256,
++ },
++#endif
+ };
+
+ /*
+@@ -2665,6 +2732,54 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ 0,
+ 0,
+ },
++ {
++ 1,
++ "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC",
++ NULL,
++ 0x0300C100,
++ SSL_kGOST18,
++ SSL_aGOST12,
++ SSL_KUZNYECHIK,
++ SSL_KUZNYECHIKOMAC,
++ TLS1_2_VERSION, TLS1_2_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_TLSTREE,
++ 256,
++ 256,
++ },
++ {
++ 1,
++ "GOST2012-MAGMA-MAGMAOMAC",
++ NULL,
++ 0x0300C101,
++ SSL_kGOST18,
++ SSL_aGOST12,
++ SSL_MAGMA,
++ SSL_MAGMAOMAC,
++ TLS1_2_VERSION, TLS1_2_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_TLSTREE,
++ 256,
++ 256,
++ },
++ {
++ 1,
++ "GOST2012-GOST8912-IANA",
++ NULL,
++ 0x0300C102,
++ SSL_kGOST,
++ SSL_aGOST12 | SSL_aGOST01,
++ SSL_eGOST2814789CNT12,
++ SSL_GOST89MAC12,
++ TLS1_VERSION, TLS1_2_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
++ 256,
++ 256,
++ },
+ #endif /* OPENSSL_NO_GOST */
+
+ #ifndef OPENSSL_NO_IDEA
+@@ -4351,6 +4466,11 @@ int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt)
+ if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST))
+ return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN)
+ && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN)
++ && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN)
++ && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN_LEGACY)
++ && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN_LEGACY);
++ if (s->version >= TLS1_2_VERSION && (alg_k & SSL_kGOST18))
++ return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN)
+ && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN);
+ #endif
+
+@@ -4701,6 +4821,52 @@ EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm)
+ return pkey;
+ }
+ #ifndef OPENSSL_NO_EC
++#ifndef OPENSSL_NO_GOST
++
++typedef struct tls_gost_group_param_st {
++ int nid; /* Curve params NID */
++ int alg_nid; /* GOST algorithm nid */
++ const char *params; /* GOST paramset mnemonics */
++} TLS_GOST_GROUP_PARAM;
++
++TLS_GOST_GROUP_PARAM gost_param[] = {
++ {NID_id_tc26_gost_3410_2012_256_paramSetA, NID_id_GostR3410_2012_256, "TCA"},
++ {NID_id_tc26_gost_3410_2012_256_paramSetB, NID_id_GostR3410_2012_256, "TCB"},
++ {NID_id_tc26_gost_3410_2012_256_paramSetC, NID_id_GostR3410_2012_256, "TCC"},
++ {NID_id_tc26_gost_3410_2012_256_paramSetD, NID_id_GostR3410_2012_256, "TCD"},
++ {NID_id_tc26_gost_3410_2012_512_paramSetA, NID_id_GostR3410_2012_512, "A"},
++ {NID_id_tc26_gost_3410_2012_512_paramSetB, NID_id_GostR3410_2012_512, "B"},
++ {NID_id_tc26_gost_3410_2012_512_paramSetC, NID_id_GostR3410_2012_512, "C"},
++};
++
++static EVP_PKEY_CTX *gost_pkey_nid2ctx(int nid)
++{
++ int i = 0;
++ TLS_GOST_GROUP_PARAM *pGostParam = NULL;
++ EVP_PKEY_CTX *pctx = NULL;
++
++ for (i = 0; i < OSSL_NELEM(gost_param); i++) {
++ if (gost_param[i].nid == nid) {
++ pGostParam = gost_param + i;
++ break;
++ }
++ }
++
++ if (pGostParam == NULL) {
++ return NULL;
++ }
++
++ pctx = EVP_PKEY_CTX_new_id(pGostParam->alg_nid, NULL);
++ if (pctx == NULL
++ || EVP_PKEY_CTX_ctrl_str(pctx, "paramset", pGostParam->params) <= 0) {
++ EVP_PKEY_CTX_free(pctx);
++ return NULL;
++ }
++
++ return pctx;
++}
++
++#endif
+ /* Generate a private key from a group ID */
+ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
+ {
+@@ -4717,8 +4883,13 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
+ gtype = ginf->flags & TLS_CURVE_TYPE;
+ if (gtype == TLS_CURVE_CUSTOM)
+ pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL);
++#ifndef OPENSSL_NO_GOST
++ else if (gtype == TLS_CURVE_GOST)
++ pctx = gost_pkey_nid2ctx(ginf->nid);
++#endif
+ else
+ pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
++
+ if (pctx == NULL) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
+ ERR_R_MALLOC_FAILURE);
+@@ -4729,7 +4900,7 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
+ ERR_R_EVP_LIB);
+ goto err;
+ }
+- if (gtype != TLS_CURVE_CUSTOM
++ if (gtype != TLS_CURVE_CUSTOM && gtype != TLS_CURVE_GOST
+ && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
+ ERR_R_EVP_LIB);
+@@ -4767,13 +4938,21 @@ EVP_PKEY *ssl_generate_param_group(uint16_t id)
+ return NULL;
+ }
+
++#ifndef OPENSSL_NO_GOST
++ if ((ginf->flags & TLS_CURVE_TYPE) == TLS_CURVE_GOST)
++ pctx = gost_pkey_nid2ctx(ginf->nid);
++ else
++#endif
+ pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
++
+ if (pctx == NULL)
+ goto err;
+ if (EVP_PKEY_paramgen_init(pctx) <= 0)
+ goto err;
+- if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0)
++ if ((ginf->flags & TLS_CURVE_TYPE) != TLS_CURVE_GOST) {
++ if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0)
+ goto err;
++ }
+ if (EVP_PKEY_paramgen(pctx, &pkey) <= 0) {
+ EVP_PKEY_free(pkey);
+ pkey = NULL;
+diff --git ssl/ssl_ciph.c ssl/ssl_ciph.c
+index 55f919fc..87a41b15 100644
+--- ssl/ssl_ciph.c
++++ ssl/ssl_ciph.c
+@@ -43,7 +43,11 @@
+ #define SSL_ENC_CHACHA_IDX 19
+ #define SSL_ENC_ARIA128GCM_IDX 20
+ #define SSL_ENC_ARIA256GCM_IDX 21
+-#define SSL_ENC_NUM_IDX 22
++#define SSL_ENC_MAGMA_IDX 22
++#define SSL_ENC_KUZNYECHIK_IDX 23
++#define SSL_ENC_MAGMA_MGM_IDX 24
++#define SSL_ENC_KUZNYECHIK_MGM_IDX 25
++#define SSL_ENC_NUM_IDX 26
+
+ /* NB: make sure indices in these tables match values above */
+
+@@ -76,6 +80,10 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
+ {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */
+ {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */
+ {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */
++ {SSL_MAGMA, NID_magma_ctr_acpkm}, /* SSL_ENC_MAGMA_IDX */
++ {SSL_KUZNYECHIK, NID_kuznyechik_ctr_acpkm}, /* SSL_ENC_KUZNYECHIK_IDX */
++ {SSL_MAGMA_MGM, NID_magma_mgm}, /* SSL_ENC_MAGMA_MGM_IDX */
++ {SSL_KUZNYECHIK_MGM, NID_kuznyechik_mgm}, /* SSL_ENC_KUZNYECHIK_MGM_IDX */
+ };
+
+ static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
+@@ -110,11 +118,13 @@ static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
+ {SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */
+ {0, NID_md5_sha1}, /* SSL_MD_MD5_SHA1_IDX 9 */
+ {0, NID_sha224}, /* SSL_MD_SHA224_IDX 10 */
+- {0, NID_sha512} /* SSL_MD_SHA512_IDX 11 */
++ {0, NID_sha512}, /* SSL_MD_SHA512_IDX 11 */
++ {SSL_MAGMAOMAC, NID_magma_mac}, /* SSL_MD_MAGMAOMAC_IDX */
++ {SSL_KUZNYECHIKOMAC, NID_kuznyechik_mac}, /* SSL_MD_KUZNYECHIKOMAC_IDX */
+ };
+
+ static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
+- NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+ };
+
+ /* *INDENT-OFF* */
+@@ -128,6 +138,7 @@ static const ssl_cipher_table ssl_cipher_table_kx[] = {
+ {SSL_kPSK, NID_kx_psk},
+ {SSL_kSRP, NID_kx_srp},
+ {SSL_kGOST, NID_kx_gost},
++ {SSL_kGOST18, NID_kx_gost},/* FIXME beldmit */
+ {SSL_kANY, NID_kx_any}
+ };
+
+@@ -171,8 +182,8 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
+ EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
+ /* GOST2012_512 */
+ EVP_PKEY_HMAC,
+- /* MD5/SHA1, SHA224, SHA512 */
+- NID_undef, NID_undef, NID_undef
++ /* MD5/SHA1, SHA224, SHA512, MAGMAOMAC, KUZNYECHIKOMAC */
++ NID_undef, NID_undef, NID_undef, NID_undef, NID_undef
+ };
+
+ static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];
+@@ -228,6 +239,7 @@ static const SSL_CIPHER cipher_aliases[] = {
+ {0, SSL_TXT_kDHEPSK, NULL, 0, SSL_kDHEPSK},
+ {0, SSL_TXT_kSRP, NULL, 0, SSL_kSRP},
+ {0, SSL_TXT_kGOST, NULL, 0, SSL_kGOST},
++ {0, SSL_TXT_kGOST18, NULL, 0, SSL_kGOST18},
+
+ /* server authentication aliases */
+ {0, SSL_TXT_aRSA, NULL, 0, 0, SSL_aRSA},
+@@ -261,7 +273,7 @@ static const SSL_CIPHER cipher_aliases[] = {
+ {0, SSL_TXT_IDEA, NULL, 0, 0, 0, SSL_IDEA},
+ {0, SSL_TXT_SEED, NULL, 0, 0, 0, SSL_SEED},
+ {0, SSL_TXT_eNULL, NULL, 0, 0, 0, SSL_eNULL},
+- {0, SSL_TXT_GOST, NULL, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12},
++ {0, SSL_TXT_GOST, NULL, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12 | SSL_MAGMA | SSL_KUZNYECHIK},
+ {0, SSL_TXT_AES128, NULL, 0, 0, 0,
+ SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8},
+ {0, SSL_TXT_AES256, NULL, 0, 0, 0,
+@@ -419,24 +431,38 @@ int ssl_load_ciphers(void)
+ * Check for presence of GOST 34.10 algorithms, and if they are not
+ * present, disable appropriate auth and key exchange
+ */
+- ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");
++ ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id(SN_id_Gost28147_89_MAC);
+ if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX])
+ ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
+ else
+ disabled_mac_mask |= SSL_GOST89MAC;
+
+ ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] =
+- get_optional_pkey_id("gost-mac-12");
++ get_optional_pkey_id(SN_gost_mac_12);
+ if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX])
+ ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;
+ else
+ disabled_mac_mask |= SSL_GOST89MAC12;
+
+- if (!get_optional_pkey_id("gost2001"))
++ ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX] =
++ get_optional_pkey_id(SN_magma_mac);
++ if (ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX])
++ ssl_mac_secret_size[SSL_MD_MAGMAOMAC_IDX] = 32;
++ else
++ disabled_mac_mask |= SSL_MAGMAOMAC;
++
++ ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX] =
++ get_optional_pkey_id(SN_kuznyechik_mac);
++ if (ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX])
++ ssl_mac_secret_size[SSL_MD_KUZNYECHIKOMAC_IDX] = 32;
++ else
++ disabled_mac_mask |= SSL_KUZNYECHIKOMAC;
++
++ if (!get_optional_pkey_id(SN_id_GostR3410_2001))
+ disabled_auth_mask |= SSL_aGOST01 | SSL_aGOST12;
+- if (!get_optional_pkey_id("gost2012_256"))
++ if (!get_optional_pkey_id(SN_id_GostR3410_2012_256))
+ disabled_auth_mask |= SSL_aGOST12;
+- if (!get_optional_pkey_id("gost2012_512"))
++ if (!get_optional_pkey_id(SN_id_GostR3410_2012_512))
+ disabled_auth_mask |= SSL_aGOST12;
+ /*
+ * Disable GOST key exchange if no GOST signature algs are available *
+@@ -445,6 +471,9 @@ int ssl_load_ciphers(void)
+ (SSL_aGOST01 | SSL_aGOST12))
+ disabled_mkey_mask |= SSL_kGOST;
+
++ if ((disabled_auth_mask & SSL_aGOST12) == SSL_aGOST12)
++ disabled_mkey_mask |= SSL_kGOST18;
++
+ return 1;
+ }
+
+@@ -1687,6 +1716,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
+ case SSL_kGOST:
+ kx = "GOST";
+ break;
++ case SSL_kGOST18:
++ kx = "GOST18";
++ break;
+ case SSL_kANY:
+ kx = "any";
+ break;
+@@ -1790,6 +1822,14 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
+ case SSL_eGOST2814789CNT12:
+ enc = "GOST89(256)";
+ break;
++ case SSL_MAGMA:
++ case SSL_MAGMA_MGM:
++ enc = "MAGMA";
++ break;
++ case SSL_KUZNYECHIK:
++ case SSL_KUZNYECHIK_MGM:
++ enc = "KUZNYECHIK";
++ break;
+ case SSL_CHACHA20POLY1305:
+ enc = "CHACHA20/POLY1305(256)";
+ break;
+diff --git ssl/ssl_err.c ssl/ssl_err.c
+index 324f2ccb..df16a616 100644
+--- ssl/ssl_err.c
++++ ssl/ssl_err.c
+@@ -113,6 +113,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
+ "ossl_statem_server_post_process_message"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_POST_WORK, 0),
+ "ossl_statem_server_post_work"},
++ {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_PRE_WORK, 0),
++ "ossl_statem_server_pre_work"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE, 0),
+ "ossl_statem_server_process_message"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, 0),
+@@ -438,6 +440,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
+ "tls_construct_cke_ecdhe"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_GOST, 0),
+ "tls_construct_cke_gost"},
++ {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_GOST18, 0),
++ "tls_construct_cke_gost18"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 0),
+ "tls_construct_cke_psk_preamble"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_RSA, 0),
+@@ -665,6 +669,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
+ "tls_process_cke_ecdhe"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_GOST, 0),
+ "tls_process_cke_gost"},
++ {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_GOST18, 0),
++ "tls_process_cke_gost18"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 0),
+ "tls_process_cke_psk_preamble"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_RSA, 0),
+diff --git ssl/ssl_lib.c ssl/ssl_lib.c
+index 47adc321..30e511bf 100644
+--- ssl/ssl_lib.c
++++ ssl/ssl_lib.c
+@@ -3397,11 +3397,11 @@ void ssl_set_masks(SSL *s)
+
+ #ifndef OPENSSL_NO_GOST
+ if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) {
+- mask_k |= SSL_kGOST;
++ mask_k |= SSL_kGOST | SSL_kGOST18;
+ mask_a |= SSL_aGOST12;
+ }
+ if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) {
+- mask_k |= SSL_kGOST;
++ mask_k |= SSL_kGOST | SSL_kGOST18;
+ mask_a |= SSL_aGOST12;
+ }
+ if (ssl_has_cert(s, SSL_PKEY_GOST01)) {
+diff --git ssl/ssl_local.h ssl/ssl_local.h
+index 5c792154..2a11472b 100644
+--- ssl/ssl_local.h
++++ ssl/ssl_local.h
+@@ -176,6 +176,8 @@
+ # define SSL_kRSAPSK 0x00000040U
+ # define SSL_kECDHEPSK 0x00000080U
+ # define SSL_kDHEPSK 0x00000100U
++/* GOST KDF key exchange, draft-smyshlyaev-tls12-gost-suites */
++# define SSL_kGOST18 0x00000200U
+
+ /* all PSK */
+
+@@ -230,6 +232,10 @@
+ # define SSL_CHACHA20POLY1305 0x00080000U
+ # define SSL_ARIA128GCM 0x00100000U
+ # define SSL_ARIA256GCM 0x00200000U
++# define SSL_MAGMA 0x00400000U
++# define SSL_KUZNYECHIK 0x00800000U
++# define SSL_MAGMA_MGM 0x01000000U
++# define SSL_KUZNYECHIK_MGM 0x02000000U
+
+ # define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM)
+ # define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
+@@ -252,6 +258,8 @@
+ # define SSL_GOST12_256 0x00000080U
+ # define SSL_GOST89MAC12 0x00000100U
+ # define SSL_GOST12_512 0x00000200U
++# define SSL_MAGMAOMAC 0x00000400U
++# define SSL_KUZNYECHIKOMAC 0x00000800U
+
+ /*
+ * When adding new digest in the ssl_ciph.c and increment SSL_MD_NUM_IDX make
+@@ -270,7 +278,9 @@
+ # define SSL_MD_MD5_SHA1_IDX 9
+ # define SSL_MD_SHA224_IDX 10
+ # define SSL_MD_SHA512_IDX 11
+-# define SSL_MAX_DIGEST 12
++# define SSL_MD_MAGMAOMAC_IDX 12
++# define SSL_MD_KUZNYECHIKOMAC_IDX 13
++# define SSL_MAX_DIGEST 14
+
+ /* Bits for algorithm2 (handshake digests and other extra flags) */
+
+@@ -299,6 +309,13 @@
+ * goes into algorithm2)
+ */
+ # define TLS1_STREAM_MAC 0x10000
++/*
++ * TLSTREE cipher/mac key derivation used for GOST TLS 1.2/1.3 ciphersuites
++ * (currently this also goes into algorithm2)
++ */
++# define TLS1_TLSTREE 0x20000
++# define TLS1_TLSTREE_S 0x40000
++# define TLS1_TLSTREE_L 0x80000
+
+ # define SSL_STRONG_MASK 0x0000001FU
+ # define SSL_DEFAULT_MASK 0X00000020U
+@@ -1511,10 +1528,11 @@ typedef struct tls_group_info_st {
+ } TLS_GROUP_INFO;
+
+ /* flags values */
+-# define TLS_CURVE_TYPE 0x3 /* Mask for group type */
++# define TLS_CURVE_TYPE 0x7 /* Mask for group type */
+ # define TLS_CURVE_PRIME 0x0
+ # define TLS_CURVE_CHAR2 0x1
+ # define TLS_CURVE_CUSTOM 0x2
++# define TLS_CURVE_GOST 0x4
+
+ typedef struct cert_pkey_st CERT_PKEY;
+
+@@ -2042,8 +2060,17 @@ typedef enum downgrade_en {
+ #define TLSEXT_SIGALG_dsa_sha512 0x0602
+ #define TLSEXT_SIGALG_dsa_sha224 0x0302
+ #define TLSEXT_SIGALG_dsa_sha1 0x0202
+-#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 0xeeee
+-#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 0xefef
++#define TLSEXT_SIGALG_gostr34102012_256a 0x0709
++#define TLSEXT_SIGALG_gostr34102012_256b 0x070A
++#define TLSEXT_SIGALG_gostr34102012_256c 0x070B
++#define TLSEXT_SIGALG_gostr34102012_256d 0x070C
++#define TLSEXT_SIGALG_gostr34102012_512a 0x070D
++#define TLSEXT_SIGALG_gostr34102012_512b 0x070E
++#define TLSEXT_SIGALG_gostr34102012_512c 0x070F
++#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 0x0840
++#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 0x0841
++#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy 0xeeee
++#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy 0xefef
+ #define TLSEXT_SIGALG_gostr34102001_gostr3411 0xeded
+
+ #define TLSEXT_SIGALG_ed25519 0x0807
+diff --git ssl/statem/extensions_srvr.c ssl/statem/extensions_srvr.c
+index 47541101..18040421 100644
+--- ssl/statem/extensions_srvr.c
++++ ssl/statem/extensions_srvr.c
+@@ -624,7 +624,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+
+ if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
+ return 1;
+-
++/* FIXME beldmit GOST */
+ /* Sanity check */
+ if (s->s3->peer_tmp != NULL) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
+@@ -1622,7 +1622,9 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
+ if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
+ || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
+ || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
+- || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
++ || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
++ || s->s3->tmp.new_cipher->algorithm_enc == SSL_MAGMA
++ || s->s3->tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
+ s->ext.use_etm = 0;
+ return EXT_RETURN_NOT_SENT;
+ }
+@@ -1681,6 +1683,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+ {
++/* FIXME beldmit GOST */
+ #ifndef OPENSSL_NO_TLS1_3
+ unsigned char *encodedPoint;
+ size_t encoded_pt_len = 0;
+diff --git ssl/statem/statem_clnt.c ssl/statem/statem_clnt.c
+index d19c44e8..d39a18d0 100644
+--- ssl/statem/statem_clnt.c
++++ ssl/statem/statem_clnt.c
+@@ -3290,6 +3290,144 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt)
+ #endif
+ }
+
++#ifndef OPENSSL_NO_GOST
++int gost18_cke_cipher_nid(const SSL *s)
++{
++ if ((s->s3->tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0)
++ return NID_magma_ctr;
++ else if ((s->s3->tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0)
++ return NID_kuznyechik_ctr;
++
++ return NID_undef;
++}
++
++int gost_ukm(const SSL *s, unsigned char *dgst_buf)
++{
++ EVP_MD_CTX * hash = NULL;
++ unsigned int md_len;
++
++ hash = EVP_MD_CTX_new();
++ if (hash == NULL
++ || EVP_DigestInit(hash, EVP_get_digestbynid(NID_id_GostR3411_2012_256)) <= 0
++ || EVP_DigestUpdate(hash, s->s3->client_random, SSL3_RANDOM_SIZE) <= 0
++ || EVP_DigestUpdate(hash, s->s3->server_random, SSL3_RANDOM_SIZE) <= 0
++ || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) {
++ EVP_MD_CTX_free(hash);
++ return 0;
++ } else {
++ EVP_MD_CTX_free(hash);
++ return 1;
++ }
++}
++#endif
++
++static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt)
++{
++#ifndef OPENSSL_NO_GOST
++ /* GOST 2018 key exchange message creation */
++ unsigned char rnd_dgst[32], tmp[255];
++ EVP_PKEY_CTX *pkey_ctx = NULL;
++ X509 *peer_cert;
++ unsigned char *pms = NULL;
++ size_t pmslen = 0;
++ size_t msglen;
++ int cipher_nid = gost18_cke_cipher_nid(s);
++
++ if (cipher_nid == NID_undef) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++
++ if (gost_ukm(s, rnd_dgst) <= 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ ERR_R_INTERNAL_ERROR);
++ goto err;
++ }
++
++ /* Pre-master secret - random bytes */
++ pmslen = 32;
++ pms = OPENSSL_malloc(pmslen);
++ if (pms == NULL) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ if (RAND_bytes(pms, (int)pmslen) <= 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ ERR_R_INTERNAL_ERROR);
++ goto err;
++ }
++
++ /*
++ * Get server certificate PKEY and create ctx from it
++ */
++ peer_cert = s->session->peer;
++ if (!peer_cert) {
++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
++ return 0;
++ }
++
++ pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
++ if (pkey_ctx == NULL) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++
++ if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 ) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ ERR_R_INTERNAL_ERROR);
++ goto err;
++ };
++
++ /*
++ * Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code
++ * */
++ if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
++ EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) < 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ SSL_R_LIBRARY_BUG);
++ goto err;
++ }
++
++ if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
++ EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) < 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ SSL_R_LIBRARY_BUG);
++ goto err;
++ }
++
++ msglen = 255;
++ if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ SSL_R_LIBRARY_BUG);
++ goto err;
++ }
++
++ if (!WPACKET_memcpy(pkt, tmp, msglen)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ ERR_R_INTERNAL_ERROR);
++ goto err;
++ }
++
++ EVP_PKEY_CTX_free(pkey_ctx);
++ s->s3->tmp.pms = pms;
++ s->s3->tmp.pmslen = pmslen;
++ return 1;
++ err:
++ EVP_PKEY_CTX_free(pkey_ctx);
++ OPENSSL_clear_free(pms, pmslen);
++ return 0;
++#else
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST18,
++ ERR_R_INTERNAL_ERROR);
++ return 0;
++#endif
++}
++
+ static int tls_construct_cke_srp(SSL *s, WPACKET *pkt)
+ {
+ #ifndef OPENSSL_NO_SRP
+@@ -3346,6 +3484,9 @@ int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
+ } else if (alg_k & SSL_kGOST) {
+ if (!tls_construct_cke_gost(s, pkt))
+ goto err;
++ } else if (alg_k & SSL_kGOST18) {
++ if (!tls_construct_cke_gost18(s, pkt))
++ goto err;
+ } else if (alg_k & SSL_kSRP) {
+ if (!tls_construct_cke_srp(s, pkt))
+ goto err;
+diff --git ssl/statem/statem_lib.c ssl/statem/statem_lib.c
+index 695caab3..004b452b 100644
+--- ssl/statem/statem_lib.c
++++ ssl/statem/statem_lib.c
+@@ -410,7 +410,6 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
+ md == NULL ? "n/a" : EVP_MD_name(md));
+ #endif
+
+- /* Check for broken implementations of GOST ciphersuites */
+ /*
+ * If key is GOST and len is exactly 64 or 128, it is signature without
+ * length field (CryptoPro implementations at least till TLS 1.2)
+@@ -1539,8 +1538,6 @@ static int is_tls13_capable(const SSL *s)
+ switch (i) {
+ case SSL_PKEY_DSA_SIGN:
+ case SSL_PKEY_GOST01:
+- case SSL_PKEY_GOST12_256:
+- case SSL_PKEY_GOST12_512:
+ continue;
+ default:
+ break;
+diff --git ssl/statem/statem_local.h ssl/statem/statem_local.h
+index eae88053..50f6bfe4 100644
+--- ssl/statem/statem_local.h
++++ ssl/statem/statem_local.h
+@@ -155,6 +155,11 @@ __owur MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt);
+ __owur int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt);
+ MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt);
+
++#ifndef OPENSSL_NO_GOST
++/* These functions are used in GOST18 CKE, both for client and server */
++int gost18_cke_cipher_nid(const SSL *s);
++int gost_ukm(const SSL *s, unsigned char *dgst_buf);
++#endif
+
+ /* Extension processing */
+
+diff --git ssl/statem/statem_srvr.c ssl/statem/statem_srvr.c
+index 43f77a58..4882ab8e 100644
+--- ssl/statem/statem_srvr.c
++++ ssl/statem/statem_srvr.c
+@@ -3455,6 +3455,93 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
+ #endif
+ }
+
++static int tls_process_cke_gost18(SSL *s, PACKET *pkt)
++{/* FIXME beldmit - function id to be renamed either*/
++#ifndef OPENSSL_NO_GOST
++ unsigned char rnd_dgst[32];
++ EVP_PKEY_CTX *pkey_ctx = NULL;
++ EVP_PKEY *pk = NULL;
++ unsigned char premaster_secret[32];
++ const unsigned char *start = NULL;
++ size_t outlen = 32, inlen = 0;
++ int ret = 0;
++ int cipher_nid = gost18_cke_cipher_nid(s);
++
++ if (cipher_nid == NID_undef) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
++ ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++
++ if (gost_ukm(s, rnd_dgst) <= 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
++ ERR_R_INTERNAL_ERROR);
++ goto err;
++ }
++
++ /* Get our certificate private key */
++ pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey
++ ? s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey : s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
++ if (pk == NULL) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
++ SSL_R_BAD_HANDSHAKE_STATE);
++ return 0;
++ }
++
++ pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
++ if (pkey_ctx == NULL) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
++ ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++ if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
++ ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ /*
++ * Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code depending on size
++ * */
++ if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
++ EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) < 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
++ SSL_R_LIBRARY_BUG);
++ goto err;
++ }
++
++ if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
++ EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) < 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
++ SSL_R_LIBRARY_BUG);
++ goto err;
++ }
++ inlen = PACKET_remaining(pkt);
++ start = PACKET_data(pkt);
++
++ if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
++ inlen) <= 0) {
++ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
++ SSL_R_DECRYPTION_FAILED);
++ goto err;
++ }
++ /* Generate master secret */
++ if (!ssl_generate_master_secret(s, premaster_secret,
++ sizeof(premaster_secret), 0)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++ ret = 1;
++err:
++ EVP_PKEY_CTX_free(pkey_ctx);
++ return ret;
++#else
++ /* Should never happen */
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST18,
++ ERR_R_INTERNAL_ERROR);
++ return 0;
++#endif
++}
++
+ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
+ {
+ unsigned long alg_k;
+@@ -3505,6 +3592,11 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
+ /* SSLfatal() already called */
+ goto err;
+ }
++ } else if (alg_k & SSL_kGOST18) {
++ if (!tls_process_cke_gost18(s, pkt)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
+ } else {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
+diff --git ssl/t1_enc.c ssl/t1_enc.c
+index f8e53d4e..946c3651 100644
+--- ssl/t1_enc.c
++++ ssl/t1_enc.c
+@@ -113,6 +113,11 @@ int tls1_change_cipher_state(SSL *s, int which)
+ else
+ s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
+
++ if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE)
++ s->mac_flags |= SSL_MAC_FLAG_READ_MAC_TLSTREE;
++ else
++ s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_TLSTREE;
++
+ if (s->enc_read_ctx != NULL) {
+ reuse_dd = 1;
+ } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) {
+@@ -160,6 +165,11 @@ int tls1_change_cipher_state(SSL *s, int which)
+ s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
+ else
+ s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
++
++ if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE)
++ s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_TLSTREE;
++ else
++ s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_TLSTREE;
+ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) {
+ reuse_dd = 1;
+ } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) {
+@@ -298,11 +308,11 @@ int tls1_change_cipher_state(SSL *s, int which)
+ goto err;
+ }
+ } else {
+- if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
+- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
+- ERR_R_INTERNAL_ERROR);
+- goto err;
+- }
++ if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
++ ERR_R_INTERNAL_ERROR);
++ goto err;
++ }
+ }
+ /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
+ if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size
+@@ -438,6 +448,10 @@ size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen,
+ {
+ size_t hashlen;
+ unsigned char hash[EVP_MAX_MD_SIZE];
++ size_t finished_size = TLS1_FINISH_MAC_LENGTH;
++
++ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kGOST18)
++ finished_size = 32;
+
+ if (!ssl3_digest_cached_records(s, 0)) {
+ /* SSLfatal() already called */
+@@ -451,12 +465,12 @@ size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen,
+
+ if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0,
+ s->session->master_key, s->session->master_key_length,
+- out, TLS1_FINISH_MAC_LENGTH, 1)) {
++ out, finished_size, 1)) {
+ /* SSLfatal() already called */
+ return 0;
+ }
+ OPENSSL_cleanse(hash, hashlen);
+- return TLS1_FINISH_MAC_LENGTH;
++ return finished_size;
+ }
+
+ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
+diff --git ssl/t1_lib.c ssl/t1_lib.c
+index 5f657f88..0ef8dc06 100644
+--- ssl/t1_lib.c
++++ ssl/t1_lib.c
+@@ -169,6 +169,18 @@ static const TLS_GROUP_INFO nid_list[] = {
+ {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
+ {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
+ {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
++#ifndef OPENSSL_NO_GOST
++ {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 31 */
++ {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 32 */
++ {NID_undef, 0, TLS_CURVE_CUSTOM}, /* 33 */
++ {NID_id_tc26_gost_3410_2012_256_paramSetA, 128, TLS_CURVE_GOST},
++ {NID_id_tc26_gost_3410_2012_256_paramSetB, 128, TLS_CURVE_GOST},
++ {NID_id_tc26_gost_3410_2012_256_paramSetC, 128, TLS_CURVE_GOST},
++ {NID_id_tc26_gost_3410_2012_256_paramSetD, 128, TLS_CURVE_GOST},
++ {NID_id_tc26_gost_3410_2012_512_paramSetA, 256, TLS_CURVE_GOST},
++ {NID_id_tc26_gost_3410_2012_512_paramSetB, 256, TLS_CURVE_GOST},
++ {NID_id_tc26_gost_3410_2012_512_paramSetC, 256, TLS_CURVE_GOST},
++#endif
+ };
+
+ static const unsigned char ecformats_default[] = {
+@@ -184,6 +196,15 @@ static const uint16_t eccurves_default[] = {
+ 30, /* X448 (30) */
+ 25, /* secp521r1 (25) */
+ 24, /* secp384r1 (24) */
++#ifndef OPENSSL_NO_GOST
++ 34,
++ 35,
++ 36,
++ 37,
++ 38,
++ 39,
++ 40,
++#endif
+ };
+
+ static const uint16_t suiteb_curves[] = {
+@@ -196,6 +217,8 @@ const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
+ /* ECC curves from RFC 4492 and RFC 7027 */
+ if (group_id < 1 || group_id > OSSL_NELEM(nid_list))
+ return NULL;
++ if (nid_list[group_id - 1].nid == NID_undef)
++ return NULL;
+ return &nid_list[group_id - 1];
+ }
+
+@@ -380,6 +403,33 @@ typedef struct {
+ int nid_arr[MAX_CURVELIST];
+ } nid_cb_st;
+
++#ifndef OPENSSL_NO_GOST
++typedef struct {
++ const char *name; /* Name of GOST curve */
++ int nid; /* Curve NID */
++} EC_GOST_NAME;
++
++static EC_GOST_NAME gost_curves[] = {
++ {"GC256A", NID_id_tc26_gost_3410_2012_256_paramSetA},
++ {"GC256B", NID_id_tc26_gost_3410_2012_256_paramSetB},
++ {"GC256C", NID_id_tc26_gost_3410_2012_256_paramSetC},
++ {"GC256D", NID_id_tc26_gost_3410_2012_256_paramSetD},
++ {"GC512A", NID_id_tc26_gost_3410_2012_512_paramSetA},
++ {"GC512B", NID_id_tc26_gost_3410_2012_512_paramSetB},
++ {"GC512C", NID_id_tc26_gost_3410_2012_512_paramSetC},
++};
++
++int GOST_curve2nid(const char *name)
++{
++ size_t i;
++ for (i = 0; i < OSSL_NELEM(gost_curves); i++) {
++ if (strcmp(gost_curves[i].name, name) == 0)
++ return gost_curves[i].nid;
++ }
++ return NID_undef;
++}
++#endif
++
+ static int nid_cb(const char *elem, int len, void *arg)
+ {
+ nid_cb_st *narg = arg;
+@@ -395,6 +445,11 @@ static int nid_cb(const char *elem, int len, void *arg)
+ memcpy(etmp, elem, len);
+ etmp[len] = 0;
+ nid = EC_curve_nist2nid(etmp);
++#ifndef OPENSSL_NO_GOST
++ /* FIXME beldmit */
++ if (nid == NID_undef)
++ nid = GOST_curve2nid(etmp);
++#endif
+ if (nid == NID_undef)
+ nid = OBJ_sn2nid(etmp);
+ if (nid == NID_undef)
+@@ -670,8 +725,17 @@ static const uint16_t tls12_sigalgs[] = {
+ TLSEXT_SIGALG_dsa_sha512,
+ #endif
+ #ifndef OPENSSL_NO_GOST
++ TLSEXT_SIGALG_gostr34102012_256a,
++ TLSEXT_SIGALG_gostr34102012_256b,
++ TLSEXT_SIGALG_gostr34102012_256c,
++ TLSEXT_SIGALG_gostr34102012_256d,
++ TLSEXT_SIGALG_gostr34102012_512a,
++ TLSEXT_SIGALG_gostr34102012_512b,
++ TLSEXT_SIGALG_gostr34102012_512c,
+ TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
+ TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
++ TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy,
++ TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy,
+ TLSEXT_SIGALG_gostr34102001_gostr3411,
+ #endif
+ };
+@@ -758,6 +822,34 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
+ NID_dsaWithSHA1, NID_undef},
+ #endif
+ #ifndef OPENSSL_NO_GOST
++ {"gostr34102012_256a", TLSEXT_SIGALG_gostr34102012_256a,
++ NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
++ NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
++ NID_undef, NID_undef},
++ {"gostr34102012_256b", TLSEXT_SIGALG_gostr34102012_256b,
++ NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
++ NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
++ NID_undef, NID_undef},
++ {"gostr34102012_256c", TLSEXT_SIGALG_gostr34102012_256c,
++ NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
++ NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
++ NID_undef, NID_undef},
++ {"gostr34102012_256d", TLSEXT_SIGALG_gostr34102012_256d,
++ NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
++ NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
++ NID_undef, NID_undef},
++ {"gostr34102012_512a", TLSEXT_SIGALG_gostr34102012_512a,
++ NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
++ NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
++ NID_undef, NID_undef},
++ {"gostr34102012_512b", TLSEXT_SIGALG_gostr34102012_512b,
++ NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
++ NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
++ NID_undef, NID_undef},
++ {"gostr34102012_512c", TLSEXT_SIGALG_gostr34102012_512c,
++ NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
++ NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
++ NID_undef, NID_undef},
+ {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256,
+ NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
+ NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
+@@ -766,6 +858,14 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
+ NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
+ NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
+ NID_undef, NID_undef},
++ {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy,
++ NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
++ NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256,
++ NID_undef, NID_undef},
++ {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy,
++ NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX,
++ NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512,
++ NID_undef, NID_undef},
+ {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411,
+ NID_id_GostR3411_94, SSL_MD_GOST94_IDX,
+ NID_id_GostR3410_2001, SSL_PKEY_GOST01,
+@@ -886,6 +986,24 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
+ }
+ }
+ }
++ /*
++ * Here is another fallback: when broken implementations did not sent
++ * proper signature_algorithm extension, we try to use this function.
++ *
++ * As both SSL_PKEY_GOST12_512 and SSL_PKEY_GOST12_256 indices can be used
++ * with new (aGOST12-only) ciphersuites, we should find out which one is available really.
++ * */
++ else if (idx == SSL_PKEY_GOST12_256) {
++ int real_idx;
++
++ for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST12_256;
++ real_idx--) {
++ if (s->cert->pkeys[real_idx].privatekey != NULL) {
++ idx = real_idx;
++ break;
++ }
++ }
++ }
+ } else {
+ idx = s->cert->key - s->cert->pkeys;
+ }
+@@ -1612,10 +1730,8 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
+ if (ssl_cert_is_disabled(lu->sig_idx))
+ return 0;
+
+- if (lu->sig == NID_id_GostR3410_2012_256
+- || lu->sig == NID_id_GostR3410_2012_512
+- || lu->sig == NID_id_GostR3410_2001) {
+- /* We never allow GOST sig algs on the server with TLSv1.3 */
++ if (lu->sig == NID_id_GostR3410_2001) {
++ /* GOST sig algs on the server with TLSv1.3 are allowed for GOST2012 */
+ if (s->server && SSL_IS_TLS13(s))
+ return 0;
+ if (!s->server
+@@ -1643,7 +1759,7 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
+ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
+ continue;
+
+- if ((c->algorithm_mkey & SSL_kGOST) != 0)
++ if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0)
+ break;
+ }
+ if (i == num)
+diff --git ssl/t1_trce.c ssl/t1_trce.c
+index e2c397b7..9d7341da 100644
+--- ssl/t1_trce.c
++++ ssl/t1_trce.c
+@@ -443,6 +443,9 @@ static const ssl_trace_tbl ssl_ciphers_tbl[] = {
+ {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
+ {0xFF85, "GOST2012-GOST8912-GOST8912"},
+ {0xFF87, "GOST2012-NULL-GOST12"},
++ {0xC100, "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC"},
++ {0xC101, "GOST2012-MAGMA-MAGMAOMAC"},
++ {0xC102, "GOST2012-GOST8912-IANA"},
+ };
+
+ /* Compression methods */
+@@ -522,6 +525,13 @@ static const ssl_trace_tbl ssl_groups_tbl[] = {
+ {28, "brainpoolP512r1"},
+ {29, "ecdh_x25519"},
+ {30, "ecdh_x448"},
++ {34, "GC256A"},
++ {35, "GC256B"},
++ {36, "GC256C"},
++ {37, "GC256D"},
++ {38, "GC512A"},
++ {39, "GC512B"},
++ {40, "GC512C"},
+ {256, "ffdhe2048"},
+ {257, "ffdhe3072"},
+ {258, "ffdhe4096"},
+@@ -571,6 +581,8 @@ static const ssl_trace_tbl ssl_sigalg_tbl[] = {
+ {TLSEXT_SIGALG_dsa_sha1, "dsa_sha1"},
+ {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"},
+ {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"},
++ {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_legacy, "gost2012_256"},
++ {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_legacy, "gost2012_512"},
+ {TLSEXT_SIGALG_gostr34102001_gostr3411, "gost2001_gost94"},
+ };
+
+@@ -584,7 +596,9 @@ static const ssl_trace_tbl ssl_ctype_tbl[] = {
+ {20, "fortezza_dms"},
+ {64, "ecdsa_sign"},
+ {65, "rsa_fixed_ecdh"},
+- {66, "ecdsa_fixed_ecdh"}
++ {66, "ecdsa_fixed_ecdh"},
++ {67, "gost_sign256"},
++ {68, "gost_sign512"},
+ };
+
+ static const ssl_trace_tbl ssl_psk_kex_modes_tbl[] = {
+@@ -1077,6 +1091,10 @@ static int ssl_get_keyex(const char **pname, const SSL *ssl)
+ *pname = "GOST";
+ return SSL_kGOST;
+ }
++ if (alg_k & SSL_kGOST18) {
++ *pname = "GOST18";
++ return SSL_kGOST18;
++ }
+ *pname = "UNKNOWN";
+ return 0;
+ }
+@@ -1119,7 +1137,16 @@ static int ssl_print_client_keyex(BIO *bio, int indent, const SSL *ssl,
+ if (!ssl_print_hexbuf(bio, indent + 2, "ecdh_Yc", 1, &msg, &msglen))
+ return 0;
+ break;
+-
++#ifndef OPENSSL_NO_GOST
++ case SSL_kGOST:
++ ssl_print_hex(bio, indent + 2, "GOST-wrapped PreMasterSecret", msg, msglen);
++ break;
++ case SSL_kGOST18:
++ ssl_print_hex(bio, indent + 2,
++ "GOST-wrapped PreMasterSecret", msg, msglen);
++ return 0;
++ break;
++#endif
+ }
+
+ return !msglen;
+diff --git ssl/tls13_enc.c ssl/tls13_enc.c
+index ff85df44..6ba9d4a4 100644
+--- ssl/tls13_enc.c
++++ ssl/tls13_enc.c
+@@ -429,6 +429,22 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
+ goto err;
+ }
+
++ if (s->s3->tmp.new_cipher != NULL
++ && s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE) {
++ int res = 0;
++ if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE_S) {
++ res = EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_SET_TLSTREE_PARAMS, 0, "short");
++ } else if (s->s3->tmp.new_cipher->algorithm2 & TLS1_TLSTREE_L) {
++ res = EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_SET_TLSTREE_PARAMS, 0, "long");
++ }
++
++ if (res <= 0) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
++ ERR_R_EVP_LIB);
++ goto err;
++ }
++ }
++
+ return 1;
+ err:
+ OPENSSL_cleanse(key, sizeof(key));
+diff --git util/libcrypto.num util/libcrypto.num
+index 436f799b..021d60aa 100644
+--- util/libcrypto.num
++++ util/libcrypto.num
+@@ -4591,3 +4591,8 @@ X509_ALGOR_copy 4544 1_1_1h EXIST::FUNCTION:
+ X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION:
+ X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION:
+ EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC
++CMS_RecipientInfo_kari_set0_pkey_and_peer 4548 1_1_1m EXIST::FUNCTION:CMS
++PKCS8_pkey_add1_attr 4549 1_1_1m EXIST::FUNCTION:
++CMS_decrypt_set1_pkey_and_peer 4550 1_1_1m EXIST::FUNCTION:CMS
++PKCS8_pkey_add1_attr_by_OBJ 4551 1_1_1m EXIST::FUNCTION:
++CMS_add1_recipient 4552 1_1_1m EXIST::FUNCTION:CMS
projects / openssl-gost / engine.git / blobdiff