From c458c8e4bc94797fdd12ce0a19e0ef8a7b29f4be Mon Sep 17 00:00:00 2001
From: Mikhail Mitskevich
Date: Tue, 7 Apr 2026 09:08:52 +0300
Subject: [PATCH 1/7] Init patch for OpenSSL 3.5
---
 btls/patch/openssl-3.5.5.patch | 1098 ++++++++++++++++++++++++++++++++
 1 file changed, 1098 insertions(+)
 create mode 100644 btls/patch/openssl-3.5.5.patch
diff --git a/btls/patch/openssl-3.5.5.patch b/btls/patch/openssl-3.5.5.patch
new file mode 100644
index 0000000..7d847e0
--- /dev/null
+++ b/btls/patch/openssl-3.5.5.patch
@@ -0,0 +1,1098 @@
+diff --git a/apps/include/apps.h b/apps/include/apps.h
+index 06ba38a..335c002 100644
+--- a/apps/include/apps.h
++++ b/apps/include/apps.h
+@@ -55,6 +55,9 @@ extern BIO *bio_out;
+ extern BIO *bio_err;
+ extern const unsigned char tls13_aes128gcmsha256_id[];
+ extern const unsigned char tls13_aes256gcmsha384_id[];
++extern const unsigned char tls13_beltche256hbelt_id[];
++extern const unsigned char tls13_bashprg2561bash_id[];
++extern const unsigned char* default_cipher;
+ extern BIO_ADDR *ourpeer;
+ 
+ BIO *dup_bio_in(int format);
+diff --git a/apps/s_client.c b/apps/s_client.c
+index 3625f8f..64cea36 100644
+--- a/apps/s_client.c
++++ b/apps/s_client.c
+@@ -199,6 +199,9 @@ out_err:
+ 
+ const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
+ const unsigned char tls13_aes256gcmsha384_id[] = { 0x13, 0x02 };
++const unsigned char tls13_beltche256hbelt_id[] = { 0xFF, 0x1D };
++const unsigned char tls13_bashprg2561bash_id[] = { 0xFF, 0x1E };
++const unsigned char* default_cipher = tls13_aes128gcmsha256_id;
+ 
+ static int psk_use_session_cb(SSL *s, const EVP_MD *md,
+ const unsigned char **id, size_t *idlen,
+@@ -222,7 +225,7 @@ static int psk_use_session_cb(SSL *s, const EVP_MD *md,
+ }
+ 
+ /* We default to SHA-256 */
+- cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
++ cipher = SSL_CIPHER_find(s, default_cipher);
+ if (cipher == NULL) {
+ BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
+ OPENSSL_free(key);
+@@ -1215,6 +1218,17 @@ int s_client_main(int argc, char **argv)
+ BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
+ goto end;
+ }
++ if (!strcmp(opt_flag(), "-ciphersuites"))
++ {
++ if (!strcmp(opt_arg(), "TLS_BASH_PRG_AE2561_BASH256")) {
++ printf("Set default cipher %s\n", opt_arg());
++ default_cipher = tls13_bashprg2561bash_id;
++ }
++ if (!strcmp(opt_arg(), "TLS_BELT_CHE256_BELT_HASH")) {
++ printf("Set default cipher %s\n", opt_arg());
++ default_cipher = tls13_beltche256hbelt_id;
++ }
++ }
+ break;
+ case OPT_V_CASES:
+ if (!opt_verify(o, vpm))
+diff --git a/apps/s_server.c b/apps/s_server.c
+index da8d001..a2294d3 100644
+--- a/apps/s_server.c
++++ b/apps/s_server.c
+@@ -225,7 +225,7 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
+ }
+ 
+ /* We default to SHA256 */
+- cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
++ cipher = SSL_CIPHER_find(ssl, default_cipher);
+ if (cipher == NULL) {
+ BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
+ OPENSSL_free(key);
+@@ -1444,6 +1444,17 @@ int s_server_main(int argc, char *argv[])
+ BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
+ goto end;
+ }
++ if (!strcmp(opt_flag(), "-ciphersuites"))
++ {
++ if (!strcmp(opt_arg(), "TLS_BASH_PRG_AE2561_BASH256")) {
++ printf("Set default cipher %s\n", opt_arg());
++ default_cipher = tls13_bashprg2561bash_id;
++ }
++ if (!strcmp(opt_arg(), "TLS_BELT_CHE256_BELT_HASH")) {
++ printf("Set default cipher %s\n", opt_arg());
++ default_cipher = tls13_beltche256hbelt_id;
++ }
++ }
+ break;
+ case OPT_V_CASES:
+ if (!opt_verify(o, vpm))
+diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
+index 388b5e0..b41b6ec 100644
+--- a/crypto/evp/ctrl_params_translate.c
++++ b/crypto/evp/ctrl_params_translate.c
+@@ -2048,6 +2048,25 @@ static int fix_group_ecx(enum state state,
+ }
+ }
+ 
++static int fix_bign_ecx(enum state state,
++ const struct translation_st *translation,
++ struct translation_ctx_st *ctx)
++{
++ switch (state) {
++ case PRE_PARAMS_TO_CTRL:
++ if (!EVP_PKEY_CTX_IS_GEN_OP(ctx->pctx))
++ return 0;
++ ctx->ctrl_cmd = EVP_PKEY_ALG_CTRL + 1;
++ ctx->p1 = OBJ_sn2nid(ctx->params->data);
++ return 1;
++ case POST_PARAMS_TO_CTRL:
++ ctx->p1 = 1;
++ return 1;
++ default:
++ return 0;
++ }
++}
++
+ /*-
+ * The translation table itself
+ * ============================
+@@ -2426,6 +2445,11 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
+ OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx },
+ { OSSL_ACTION_SET, EVP_PKEY_X448, EVP_PKEY_X448, EVP_PKEY_OP_PARAMGEN, -1, NULL, NULL,
+ OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx },
++
++ { OSSL_ACTION_SET, NID_bign_pubkey, NID_bign_pubkey, EVP_PKEY_OP_PARAMGEN, -1, NULL, NULL,
++ OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_bign_ecx },
++ { OSSL_ACTION_SET, NID_bign_pubkey, NID_bign_pubkey, EVP_PKEY_OP_KEYGEN, -1, NULL, NULL,
++ OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_bign_ecx },
+ };
+ 
+ static const struct translation_st evp_pkey_translations[] = {
+diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
+index e68df7f..7e1eae2 100644
+--- a/crypto/pem/pem_pkey.c
++++ b/crypto/pem/pem_pkey.c
+@@ -182,8 +182,7 @@ static EVP_PKEY *pem_read_bio_key_legacy(BIO *bp, EVP_PKEY **x,
+ && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
+ /* Trying legacy PUBKEY decoding only if we do not want private key. */
+ ret = ossl_d2i_PUBKEY_legacy(x, &p, len);
+- } else if ((selection & EVP_PKEY_KEYPAIR) == 0
+- && (slen = ossl_pem_check_suffix(nm, "PARAMETERS")) > 0) {
++ } else if ((slen = ossl_pem_check_suffix(nm, "PARAMETERS")) > 0) {
+ /* Trying legacy params decoding only if we do not want a key. */
+ ret = EVP_PKEY_new();
+ if (ret == NULL)
+diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
+index f35b6ea..b268055 100644
+--- a/include/openssl/ssl3.h
++++ b/include/openssl/ssl3.h
+@@ -276,7 +276,7 @@ extern "C" {
+ * SSL3_CT_NUMBER is used to size arrays and it must be large enough to
+ * contain all of the cert types defined for *either* SSLv3 and TLSv1.
+ */
+-#define SSL3_CT_NUMBER 12
++#define SSL3_CT_NUMBER 13
+ 
+ #if defined(TLS_CT_NUMBER)
+ #if TLS_CT_NUMBER != SSL3_CT_NUMBER
+diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
+index 931ee79..1694ca3 100644
+--- a/include/openssl/tls1.h
++++ b/include/openssl/tls1.h
+@@ -1164,7 +1164,7 @@ int SSL_CTX_set_tlsext_ticket_key_evp_cb(SSL_CTX *ctx, int (*fp)(SSL *, unsigned
+ * when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see
+ * comment there)
+ */
+-#define TLS_CT_NUMBER 12
++#define TLS_CT_NUMBER 13
+ 
+ #if defined(SSL3_CT_NUMBER)
+ #if TLS_CT_NUMBER != SSL3_CT_NUMBER
+diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
+index eb96627..e4d306c 100644
+--- a/providers/common/capabilities.c
++++ b/providers/common/capabilities.c
+@@ -91,6 +91,9 @@ static const TLS_GROUP_CONSTANTS group_list[] = {
+ /* 41 */ { OSSL_TLS_GROUP_ID_X25519MLKEM768, ML_KEM_768_SECBITS, TLS1_3_VERSION, 0, -1, -1, 1 },
+ /* 42 */ { OSSL_TLS_GROUP_ID_SecP256r1MLKEM768, ML_KEM_768_SECBITS, TLS1_3_VERSION, 0, -1, -1, 1 },
+ /* 43 */ { OSSL_TLS_GROUP_ID_SecP384r1MLKEM1024, ML_KEM_1024_SECBITS, TLS1_3_VERSION, 0, -1, -1, 1 },
++ { 0xFE01, 128, TLS1_2_VERSION, TLS1_3_VERSION, -1, -1, 0},
++ { 0xFE02, 192, TLS1_2_VERSION, TLS1_3_VERSION, -1, -1, 0},
++ { 0xFE03, 256, TLS1_2_VERSION, TLS1_3_VERSION, -1, -1, 0},
+ };
+ 
+ #define TLS_GROUP_ENTRY(tlsname, realname, algorithm, idx) \
+@@ -254,6 +257,9 @@ static const OSSL_PARAM param_group_list[][11] = {
+ TLS_GROUP_ENTRY("secp256k1", "secp256k1", "EC", 21),
+ #endif
+ #endif /* !defined(OPENSSL_NO_TLS_DEPRECATED_EC) */
++ TLS_GROUP_ENTRY("bign-curve256v1", "bign-curve256v1", "bign-curve256v1", 44),
++ TLS_GROUP_ENTRY("bign-curve384v1", "bign-curve384v1", "bign-curve384v1", 45),
++ TLS_GROUP_ENTRY("bign-curve512v1", "bign-curve512v1", "bign-curve512v1", 46),
+ };
+ #endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ML_KEM) */
+ 
+diff --git a/ssl/build.info b/ssl/build.info
+index 7f4ecaa..5516070 100644
+--- a/ssl/build.info
++++ b/ssl/build.info
+@@ -16,7 +16,7 @@ SOURCE[../libssl]=\
+ bio_ssl.c ssl_err_legacy.c tls_srp.c t1_trce.c ssl_utst.c \
+ statem/statem.c \
+ ssl_cert_comp.c \
+- tls_depr.c
++ tls_depr.c btls.c
+ 
+ # For shared builds we need to include the libcrypto packet.c and quic_vlint.c
+ # in libssl as well.
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index 0e1445b..2de6dbe 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -22,6 +22,7 @@
+ #include
+ #include "internal/cryptlib.h"
+ #include "internal/ssl_unwrap.h"
++#include "btls.h"
+ 
+ #define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers)
+ #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers)
+@@ -163,7 +164,38 @@ static SSL_CIPHER tls13_ciphers[] = {
+ SSL_HANDSHAKE_MAC_SHA384,
+ 0,
+ 384,
+- },
++ },
++ {
++ 1,
++ BTLS1_3_RFC_BELT_CHE256_BELT_HASH,
++ BTLS1_3_RFC_BELT_CHE256_BELT_HASH,
++ BTLS1_3_CK_BELT_CHE256_BELT_HASH,
++ SSL_kANY,
++ SSL_aANY,
++ SSL_BELTCHE,
++ SSL_AEAD,
++ TLS1_3_VERSION, TLS1_3_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_HBELT | TLS1_PRF_HBELT,
++ 256,
++ 256,
++ }, {
++ 1,
++ BTLS1_3_RFC_BASH_PRG_AE2561_BASH256,
++ BTLS1_3_RFC_BASH_PRG_AE2561_BASH256,
++ BTLS1_3_CK_BASH_PRG_AE256_BASH256,
++ SSL_kANY,
++ SSL_aANY,
++ SSL_BASHPRGAE,
++ SSL_AEAD,
++ TLS1_3_VERSION, TLS1_3_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_HBELT | TLS1_PRF_HBELT,
++ 256,
++ 256,
++ },
+ #endif
+ };
+ 
+@@ -3669,6 +3701,135 @@ static SSL_CIPHER ssl3_ciphers[] = {
+ 256,
+ 256,
+ },
++ {
++ 1,
++ BTLS1_TXT_DHE_BIGN_WITH_BELT_CTR_MAC_HBELT,
++ BTLS1_RFC_DHE_BIGN_WITH_BELT_CTR_MAC_HBELT,
++ 0x0300ff15,
++ SSL_kBDHE,
++ SSL_aBIGN,
++ SSL_BELTCTR,
++ SSL_BELTMAC,
++ TLS1_2_VERSION, TLS1_2_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_HBELT | TLS1_PRF_HBELT,
++ 256,
++ 256,
++ },
++ {
++ 1,
++ BTLS1_TXT_DHE_BIGN_WITH_BELT_DWP_HBELT,
++ BTLS1_RFC_DHE_BIGN_WITH_BELT_DWP_HBELT,
++ 0x0300ff16,
++ SSL_kBDHE,
++ SSL_aBIGN,
++ SSL_BELTDWP,
++ SSL_AEAD,
++ TLS1_2_VERSION, TLS1_2_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_HBELT | TLS1_PRF_HBELT,
++ 256,
++ 256,
++ },
++ {
++ 1,
++ BTLS1_TXT_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT,
++ BTLS1_RFC_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT,
++ 0x0300ff17,
++ SSL_kBDHT,
++ SSL_aBIGN,
++ SSL_BELTCTR,
++ SSL_BELTMAC,
++ TLS1_2_VERSION, TLS1_2_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_HBELT | TLS1_PRF_HBELT,
++ 256,
++ 256,
++ },
++ {
++ 1,
++ BTLS1_TXT_DHT_BIGN_WITH_BELT_DWP_HBELT,
++ BTLS1_RFC_DHT_BIGN_WITH_BELT_DWP_HBELT,
++ 0x0300ff18,
++ SSL_kBDHT,
++ SSL_aBIGN,
++ SSL_BELTDWP,
++ SSL_AEAD,
++ TLS1_2_VERSION, TLS1_2_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_HBELT | TLS1_PRF_HBELT,
++ 256,
++ 256,
++ },
++
++ {
++ 1,
++ BTLS1_TXT_DHE_PSK_BIGN_WITH_BELT_CTR_MAC_HBELT,
++ BTLS1_RFC_DHE_PSK_BIGN_WITH_BELT_CTR_MAC_HBELT,
++ 0x0300ff19,
++ SSL_kBDHEPSK,
++ SSL_aPSK,
++ SSL_BELTCTR,
++ SSL_BELTMAC,
++ TLS1_2_VERSION, TLS1_2_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_HBELT | TLS1_PRF_HBELT,
++ 256,
++ 256,
++ },
++ {
++ 1,
++ BTLS1_TXT_DHE_PSK_BIGN_WITH_BELT_DWP_HBELT,
++ BTLS1_RFC_DHE_PSK_BIGN_WITH_BELT_DWP_HBELT,
++ 0x0300ff1a,
++ SSL_kBDHEPSK,
++ SSL_aPSK,
++ SSL_BELTDWP,
++ SSL_AEAD,
++ TLS1_2_VERSION, TLS1_2_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_HBELT | TLS1_PRF_HBELT,
++ 256,
++ 256,
++ },
++ {
++ 1,
++ BTLS1_TXT_DHT_PSK_BIGN_WITH_BELT_CTR_MAC_HBELT,
++ BTLS1_RFC_DHT_PSK_BIGN_WITH_BELT_CTR_MAC_HBELT,
++ 0x0300ff1b,
++ SSL_kBDHTPSK,
++ SSL_aBIGN,
++ SSL_BELTCTR,
++ SSL_BELTMAC,
++ TLS1_2_VERSION, TLS1_2_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_HBELT | TLS1_PRF_HBELT,
++ 256,
++ 256,
++ },
++ {
++ 1,
++ BTLS1_TXT_DHT_PSK_BIGN_WITH_BELT_DWP_HBELT,
++ BTLS1_RFC_DHT_PSK_BIGN_WITH_BELT_DWP_HBELT,
++ 0x0300ff1c,
++ SSL_kBDHTPSK,
++ SSL_aBIGN,
++ SSL_BELTDWP,
++ SSL_AEAD,
++ TLS1_2_VERSION, TLS1_2_VERSION,
++ 0, 0,
++ SSL_HIGH,
++ SSL_HANDSHAKE_MAC_HBELT | TLS1_PRF_HBELT,
++ 256,
++ 256,
++ },
+ };
+ 
+ /*
+@@ -4935,6 +5096,11 @@ int ssl3_get_req_cert_type(SSL_CONNECTION *s, WPACKET *pkt)
+ return 0;
+ #endif
+ 
++ if (s->version >= TLS1_VERSION && (alg_k & SSL_kBDHE))
++ return WPACKET_put_bytes_u8(pkt, TLS_CT_BIGN_SIGN);
++ if (s->version >= TLS1_VERSION && (alg_k & SSL_kBDHTPSK))
++ return WPACKET_put_bytes_u8(pkt, TLS_CT_BIGN_SIGN);
++
+ if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) {
+ if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_EPHEMERAL_DH))
+ return 0;
+diff --git a/ssl/ssl_cert_table.h b/ssl/ssl_cert_table.h
+index f7fc984..3c4699b 100644
+--- a/ssl/ssl_cert_table.h
++++ b/ssl/ssl_cert_table.h
+@@ -6,6 +6,7 @@
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
++#include "btls.h"
+ 
+ /*
+ * Certificate table information. NB: table entries must match SSL_PKEY indices
+@@ -19,5 +20,6 @@ static const SSL_CERT_LOOKUP ssl_cert_info[] = {
+ { NID_id_GostR3410_2012_256, SSL_aGOST12 }, /* SSL_PKEY_GOST12_256 */
+ { NID_id_GostR3410_2012_512, SSL_aGOST12 }, /* SSL_PKEY_GOST12_512 */
+ { EVP_PKEY_ED25519, SSL_aECDSA }, /* SSL_PKEY_ED25519 */
+- { EVP_PKEY_ED448, SSL_aECDSA } /* SSL_PKEY_ED448 */
++ { EVP_PKEY_ED448, SSL_aECDSA }, /* SSL_PKEY_ED448 */
++ { NID_bign_pubkey, SSL_aBIGN } /* SSL_PKEY_BIGN */
+ };
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 7dccec6..64e45fe 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -23,6 +23,7 @@
+ #include "internal/cryptlib.h"
+ #include "internal/comp.h"
+ #include "internal/ssl_unwrap.h"
++#include "btls.h"
+ 
+ /* NB: make sure indices in these tables match values above */
+ 
+@@ -57,6 +58,10 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
+ { SSL_ARIA256GCM, NID_aria_256_gcm }, /* SSL_ENC_ARIA256GCM_IDX 21 */
+ { SSL_MAGMA, NID_magma_ctr_acpkm }, /* SSL_ENC_MAGMA_IDX */
+ { SSL_KUZNYECHIK, NID_kuznyechik_ctr_acpkm }, /* SSL_ENC_KUZNYECHIK_IDX */
++ { SSL_BELTDWP, NID_belt_dwpt }, /* SSL_ENC_BELTDWP_IDX 24 */
++ { SSL_BELTCTR, NID_belt_ctrt }, /* SSL_ENC_BELTCTR_IDX 25 */
++ { SSL_BELTCHE, NID_belt_chet },
++ { SSL_BASHPRGAE, NID_bash_prg_aet }
+ };
+ 
+ /* NB: make sure indices in this table matches values above */
+@@ -74,7 +79,11 @@ static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
+ { 0, NID_sha224 }, /* SSL_MD_SHA224_IDX 10 */
+ { 0, NID_sha512 }, /* SSL_MD_SHA512_IDX 11 */
+ { SSL_MAGMAOMAC, NID_magma_mac }, /* sSL_MD_MAGMAOMAC_IDX */
+- { SSL_KUZNYECHIKOMAC, NID_kuznyechik_mac } /* SSL_MD_KUZNYECHIKOMAC_IDX */
++ { SSL_KUZNYECHIKOMAC, NID_kuznyechik_mac }, /* SSL_MD_KUZNYECHIKOMAC_IDX */
++ { SSL_BELTMAC, NID_belt_hash }, /* SSL_MD_BELTMAC_IDX 14 */
++ { SSL_HBELT, NID_belt_hash }, /* SSL_MD_HBELT_IDX 15 */
++ { SSL_BASH384, NID_bash384 }, /* SSL_MD_BASH384_IDX 16 */
++ { SSL_BASH512, NID_bash512 } /* SSL_MD_BASH512_IDX 17 */
+ };
+ 
+ /* *INDENT-OFF* */
+@@ -89,7 +98,11 @@ static const ssl_cipher_table ssl_cipher_table_kx[] = {
+ { SSL_kSRP, NID_kx_srp },
+ { SSL_kGOST, NID_kx_gost },
+ { SSL_kGOST18, NID_kx_gost18 },
+- { SSL_kANY, NID_kx_any }
++ { SSL_kANY, NID_kx_any },
++ { SSL_kBDHE, NID_kxbdhe },
++ { SSL_kBDHT, NID_kxbdht },
++ { SSL_kBDHEPSK, NID_kxbdhe_psk },
++ { SSL_kBDHTPSK, NID_kxbdht_psk }
+ };
+ 
+ static const ssl_cipher_table ssl_cipher_table_auth[] = {
+@@ -133,7 +146,9 @@ static const int default_mac_pkey_id[SSL_MD_NUM_IDX] = {
+ /* GOST2012_512 */
+ EVP_PKEY_HMAC,
+ /* MD5/SHA1, SHA224, SHA512, MAGMAOMAC, KUZNYECHIKOMAC */
+- NID_undef, NID_undef, NID_undef, NID_undef, NID_undef
++ NID_undef, NID_undef, NID_undef, NID_undef, NID_undef,
++ /* BELTMAC BELTHASH */
++ NID_bign_pubkey, NID_bign_pubkey, NID_undef, NID_undef
+ };
+ 
+ #define CIPHER_ADD 1
+@@ -188,6 +203,10 @@ static const SSL_CIPHER cipher_aliases[] = {
+ { 0, SSL_TXT_kSRP, NULL, 0, SSL_kSRP },
+ { 0, SSL_TXT_kGOST, NULL, 0, SSL_kGOST },
+ { 0, SSL_TXT_kGOST18, NULL, 0, SSL_kGOST18 },
++ { 0, SSL_TXT_kBDHE, NULL, 0, SSL_kBDHE },
++ { 0, SSL_TXT_kBDHT, NULL, 0, SSL_kBDHT },
++ { 0, SSL_TXT_kBDHEPSK, NULL, 0, SSL_kBDHEPSK },
++ { 0, SSL_TXT_kBDHTPSK, NULL, 0, SSL_kBDHTPSK },
+ 
+ /* server authentication aliases */
+ { 0, SSL_TXT_aRSA, NULL, 0, 0, SSL_aRSA },
+@@ -201,6 +220,7 @@ static const SSL_CIPHER cipher_aliases[] = {
+ { 0, SSL_TXT_aGOST12, NULL, 0, 0, SSL_aGOST12 },
+ { 0, SSL_TXT_aGOST, NULL, 0, 0, SSL_aGOST01 | SSL_aGOST12 },
+ { 0, SSL_TXT_aSRP, NULL, 0, 0, SSL_aSRP },
++ { 0, SSL_TXT_aBIGN, NULL, 0, SSL_aBIGN },
+ 
+ /* aliases combining key exchange and server authentication */
+ { 0, SSL_TXT_EDH, NULL, 0, SSL_kDHE, ~SSL_aNULL },
+@@ -243,6 +263,10 @@ static const SSL_CIPHER cipher_aliases[] = {
+ { 0, SSL_TXT_ARIA128, NULL, 0, 0, 0, SSL_ARIA128GCM },
+ { 0, SSL_TXT_ARIA256, NULL, 0, 0, 0, SSL_ARIA256GCM },
+ { 0, SSL_TXT_CBC, NULL, 0, 0, 0, SSL_CBC },
++ { 0, SSL_TXT_BELTDWP, NULL, 0, 0, 0, SSL_BELTDWP },
++ { 0, SSL_TXT_BELTCTR, NULL, 0, 0, 0, SSL_BELTCTR },
++ { 0, SSL_TXT_BELTCHE, NULL, 0, 0, 0, SSL_BELTCHE },
++ { 0, SSL_TXT_BASHPRGAE, NULL, 0, 0, 0, SSL_BASHPRGAE },
+ 
+ /* MAC aliases */
+ { 0, SSL_TXT_MD5, NULL, 0, 0, 0, 0, SSL_MD5 },
+@@ -253,6 +277,7 @@ static const SSL_CIPHER cipher_aliases[] = {
+ { 0, SSL_TXT_SHA256, NULL, 0, 0, 0, 0, SSL_SHA256 },
+ { 0, SSL_TXT_SHA384, NULL, 0, 0, 0, 0, SSL_SHA384 },
+ { 0, SSL_TXT_GOST12, NULL, 0, 0, 0, 0, SSL_GOST12_256 },
++ { 0, SSL_TXT_BELTMAC, NULL, 0, 0, 0, 0, SSL_BELTMAC },
+ 
+ /* protocol version aliases */
+ { 0, SSL_TXT_SSLV3, NULL, 0, 0, 0, 0, 0, SSL3_VERSION },
+@@ -430,6 +455,16 @@ int ssl_load_ciphers(SSL_CTX *ctx)
+ if ((ctx->disabled_auth_mask & SSL_aGOST12) == SSL_aGOST12)
+ ctx->disabled_mkey_mask |= SSL_kGOST18;
+ 
++ ctx->ssl_mac_pkey_id[SSL_MD_BELTMAC_IDX] = get_optional_pkey_id("belt-mac256");
++ if (ctx->ssl_mac_pkey_id[SSL_MD_BELTMAC_IDX]) {
++ ctx->ssl_mac_secret_size[SSL_MD_BELTMAC_IDX] = 32;
++ }
++
++ if (!get_optional_pkey_id("BIGN")){
++ ctx->disabled_auth_mask |= SSL_aBIGN;
++ ctx->disabled_mkey_mask |= SSL_kBDHE | SSL_kBDHT | SSL_kBDHEPSK | SSL_kBDHTPSK;
++ }
++
+ return 1;
+ }
+ 
+@@ -1708,6 +1743,18 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
+ case SSL_kGOST18:
+ kx = "GOST18";
+ break;
++ case SSL_kBDHE:
++ kx = "BDHE";
++ break;
++ case SSL_kBDHT:
++ kx = "BDHT";
++ break;
++ case SSL_kBDHEPSK:
++ kx = "BDHEPSK";
++ break;
++ case SSL_kBDHTPSK:
++ kx = "BDHTPSK";
++ break;
+ case SSL_kANY:
+ kx = "any";
+ break;
+@@ -1741,6 +1788,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
+ case (SSL_aGOST12 | SSL_aGOST01):
+ au = "GOST12";
+ break;
++ case SSL_aBIGN:
++ au = "BIGN";
++ break;
+ case SSL_aANY:
+ au = "any";
+ break;
+@@ -1820,6 +1870,18 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
+ case SSL_CHACHA20POLY1305:
+ enc = "CHACHA20/POLY1305(256)";
+ break;
++ case SSL_BELTCTR:
++ enc = "BELTCTR";
++ break;
++ case SSL_BELTDWP:
++ enc = "BELTDWP";
++ break;
++ case SSL_BELTCHE:
++ enc = "BELCHE";
++ break;
++ case SSL_BASHPRGAE:
++ enc = "BASHPRGAE";
++ break;
+ default:
+ enc = "unknown";
+ break;
+@@ -1852,6 +1914,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
+ case SSL_GOST12_512:
+ mac = "GOST2012";
+ break;
++ case SSL_BELTMAC:
++ mac = "BELTMAC";
++ break;
+ default:
+ mac = "unknown";
+ break;
+@@ -2234,5 +2299,7 @@ const char *OSSL_default_ciphersuites(void)
+ {
+ return "TLS_AES_256_GCM_SHA384:"
+ "TLS_CHACHA20_POLY1305_SHA256:"
+- "TLS_AES_128_GCM_SHA256";
++ "TLS_AES_128_GCM_SHA256:"
++ "TLS_BELT_CHE256_BELT_HASH:"
++ "TLS_BASH_PRG_AE2561_BASH256";
+ }
+diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c
+index 1e92658..3f00a54 100644
+--- a/ssl/ssl_init.c
++++ b/ssl/ssl_init.c
+@@ -16,6 +16,7 @@
+ #include "ssl_local.h"
+ #include "internal/thread_once.h"
+ #include "internal/rio_notifier.h" /* for ossl_wsa_cleanup() */
++#include "btls.h"
+ 
+ static int stopped;
+ 
+@@ -67,6 +68,9 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+ opts |= OPENSSL_INIT_LOAD_CONFIG;
+ #endif
+ 
++ if (!btls_init())
++ return 0;
++
+ if (!OPENSSL_init_crypto(opts, settings))
+ return 0;
+ 
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index ac77faa..2a3ce21 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -32,6 +32,7 @@
+ #include "internal/to_hex.h"
+ #include "internal/ssl_unwrap.h"
+ #include "quic/quic_local.h"
++#include "btls.h"
+ 
+ #ifndef OPENSSL_NO_SSLKEYLOG
+ #include
+@@ -4597,6 +4598,11 @@ void ssl_set_masks(SSL_CONNECTION *s)
+ }
+ #endif
+ 
++ if (ssl_has_cert(s, SSL_PKEY_BIGN)){
++ mask_k |= SSL_kBDHE | SSL_kBDHT | SSL_kBDHTPSK;
++ mask_a |= SSL_aBIGN;
++ }
++
+ if (rsa_enc)
+ mask_k |= SSL_kRSA;
+ 
+@@ -4662,6 +4668,10 @@ void ssl_set_masks(SSL_CONNECTION *s)
+ 
+ mask_k |= SSL_kECDHE;
+ 
++#ifndef OPENSSL_NO_BDHE_PSK
++ mask_k |= SSL_kBDHEPSK;
++#endif
++
+ #ifndef OPENSSL_NO_PSK
+ mask_k |= SSL_kPSK;
+ mask_a |= SSL_aPSK;
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index 8fc8b64..e06c692 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -41,6 +41,7 @@
+ #include "record/record.h"
+ #include "internal/quic_predef.h"
+ #include "internal/quic_tls.h"
++#include "btls.h"
+ 
+ #ifdef OPENSSL_BUILD_SHLIBSSL
+ #undef OPENSSL_EXTERN
+@@ -98,8 +99,8 @@
+ 
+ /* all PSK */
+ 
+-#define SSL_PSK (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK)
+-
++#define SSL_PSK (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK | SSL_kBDHEPSK | SSL_kBDHTPSK)
++
+ /* Any appropriate key exchange algorithm (for TLS 1.3 ciphersuites) */
+ #define SSL_kANY 0x00000000U
+ 
+@@ -124,7 +125,7 @@
+ #define SSL_aANY 0x00000000U
+ /* All bits requiring a certificate */
+ #define SSL_aCERT \
+- (SSL_aRSA | SSL_aDSS | SSL_aECDSA | SSL_aGOST01 | SSL_aGOST12)
++ (SSL_aRSA | SSL_aDSS | SSL_aECDSA | SSL_aGOST01 | SSL_aGOST12 | SSL_aBIGN)
+ 
+ /* Bits for algorithm_enc (symmetric encryption) */
+ #define SSL_DES 0x00000001U
+@@ -198,7 +199,7 @@
+ #define SSL_MD_SHA512_IDX 11
+ #define SSL_MD_MAGMAOMAC_IDX 12
+ #define SSL_MD_KUZNYECHIKOMAC_IDX 13
+-#define SSL_MAX_DIGEST 14
++#define SSL_MAX_DIGEST 18
+ 
+ #define SSL_MD_NUM_IDX SSL_MAX_DIGEST
+ 
+@@ -325,7 +326,7 @@
+ #define SSL_PKEY_GOST12_512 6
+ #define SSL_PKEY_ED25519 7
+ #define SSL_PKEY_ED448 8
+-#define SSL_PKEY_NUM 9
++#define SSL_PKEY_NUM 10
+ 
+ #define SSL_ENC_DES_IDX 0
+ #define SSL_ENC_3DES_IDX 1
+@@ -351,7 +352,7 @@
+ #define SSL_ENC_ARIA256GCM_IDX 21
+ #define SSL_ENC_MAGMA_IDX 22
+ #define SSL_ENC_KUZNYECHIK_IDX 23
+-#define SSL_ENC_NUM_IDX 24
++#define SSL_ENC_NUM_IDX 28
+ 
+ /*-
+ * SSL_kRSA <- RSA_ENC
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index 305ca4a..1a0e6e4 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -156,7 +156,7 @@ static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)
+ 
+ alg_k = c->algorithm_mkey;
+ alg_a = c->algorithm_auth;
+- if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
++ if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK | SSL_kBDHEPSK))
+ || (alg_a & SSL_aECDSA)
+ || c->min_tls >= TLS1_3_VERSION) {
+ ret = 1;
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index cdb914d..93078ed 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -1871,7 +1871,8 @@ EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION *s, WPACKET *pkt,
+ || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
+ || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
+ || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
+- || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
++ || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK
++ || s->s3.tmp.new_cipher->algorithm_enc == SSL_BELTCTR) {
+ s->ext.use_etm = 0;
+ return EXT_RETURN_NOT_SENT;
+ }
+diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
+index 0619fbd..4a80a08 100644
+--- a/ssl/statem/statem_clnt.c
++++ b/ssl/statem/statem_clnt.c
+@@ -78,7 +78,8 @@ static int key_exchange_expected(SSL_CONNECTION *s)
+ * Can't skip server key exchange if this is an ephemeral
+ * ciphersuite or for SRP
+ */
+- if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK | SSL_kSRP)) {
++ if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK |
++ SSL_kSRP | SSL_kBDHE | SSL_kBDHEPSK | SSL_kBDHTPSK)) {
+ return 1;
+ }
+ 
+@@ -2463,7 +2464,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt)
+ }
+ 
+ /* Nothing else to do for plain PSK or RSAPSK */
+- if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) {
++ if (alg_k & (SSL_kPSK | SSL_kRSAPSK | SSL_kBDHTPSK)) {
+ } else if (alg_k & SSL_kSRP) {
+ if (!tls_process_ske_srp(s, pkt, &pkey)) {
+ /* SSLfatal() already called */
+@@ -2479,6 +2480,16 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt)
+ /* SSLfatal() already called */
+ goto err;
+ }
++ } else if (alg_k & (SSL_kBDHE)) {
++ if (!btls_process_ske_bign_dhe(s, pkt, &pkey)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++ } else if (alg_k & SSL_kBDHEPSK) {
++ if (!btls_process_ske_psk_bign_dhe(s, pkt, &pkey)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
+ } else if (alg_k) {
+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
+ goto err;
+@@ -3602,6 +3613,12 @@ CON_FUNC_RETURN tls_construct_client_key_exchange(SSL_CONNECTION *s,
+ } else if (alg_k & SSL_kSRP) {
+ if (!tls_construct_cke_srp(s, pkt))
+ goto err;
++ } else if (alg_k & (SSL_kBDHE | SSL_kBDHEPSK)) {
++ if (!tls_construct_cke_ecdhe(s, pkt))
++ goto err;
++ } else if (alg_k & (SSL_kBDHT | SSL_kBDHTPSK)) {
++ if (!btls_construct_cke_bign_dht(s, pkt))
++ goto err;
+ } else if (!(alg_k & SSL_kPSK)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ goto err;
+@@ -4007,6 +4024,10 @@ int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s)
+ return 0;
+ }
+ 
++ if ((alg_k & SSL_kBDHE) && (s->s3.peer_tmp == NULL)) {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
+ return 1;
+ }
+ 
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index 6079176..514390b 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -366,16 +366,17 @@ static int send_server_key_exchange(SSL_CONNECTION *s)
+ * provided
+ */
+ #ifndef OPENSSL_NO_PSK
+- /* Only send SKE if we have identity hint for plain PSK */
+- || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
++ /* Only send SKE if we have identity hint for plain PSK or BDHTPSK */
++ || ((alg_k & (SSL_kPSK | SSL_kRSAPSK | SSL_kBDHTPSK))
+ && s->cert->psk_identity_hint)
+ /* For other PSK always send SKE */
+- || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
++ || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK | SSL_kBDHEPSK)))
+ #endif
+ #ifndef OPENSSL_NO_SRP
+ /* SRP: send ServerKeyExchange */
+ || (alg_k & SSL_kSRP)
+ #endif
++ || (alg_k & SSL_kBDHE)
+ ) {
+ return 1;
+ }
+@@ -2581,7 +2582,7 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s,
+ r[0] = r[1] = r[2] = r[3] = NULL;
+ #ifndef OPENSSL_NO_PSK
+ /* Plain PSK or RSAPSK nothing to do */
+- if (type & (SSL_kPSK | SSL_kRSAPSK)) {
++ if (type & (SSL_kPSK | SSL_kRSAPSK | SSL_kBDHTPSK)) {
+ } else
+ #endif /* !OPENSSL_NO_PSK */
+ if (type & (SSL_kDHE | SSL_kDHEPSK)) {
+@@ -2682,6 +2683,12 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s,
+ r[1] = NULL;
+ r[2] = NULL;
+ r[3] = NULL;
++ } else if (type & (SSL_kBDHE)) {
++ if(!btls_construct_ske_bign_dhe(s, pkt))
++ goto err;
++ } else if (type & SSL_kBDHEPSK) {
++ if(!btls_construct_ske_psk_bign_dhe(s, pkt))
++ goto err;
+ } else
+ #ifndef OPENSSL_NO_SRP
+ if (type & SSL_kSRP) {
+@@ -2709,7 +2716,7 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s,
+ }
+ 
+ #ifndef OPENSSL_NO_PSK
+- if (type & SSL_PSK) {
++ if ((type & SSL_PSK) && (s->s3.tmp.new_cipher->algorithm_mkey != SSL_kBDHEPSK)) {
+ size_t len = (s->cert->psk_identity_hint == NULL)
+ ? 0
+ : strlen(s->cert->psk_identity_hint);
+@@ -3473,6 +3480,16 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL_CONNECTION *s,
+ /* SSLfatal() already called */
+ goto err;
+ }
++ } else if (alg_k & (SSL_kBDHE | SSL_kBDHEPSK)) {
++ if (!tls_process_cke_ecdhe(s, pkt)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
++ } else if (alg_k & (SSL_kBDHT | SSL_kBDHTPSK)) {
++ if (!btls_process_cke_bign_dht(s, pkt)) {
++ /* SSLfatal() already called */
++ goto err;
++ }
+ } else {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
+ goto err;
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index cd471a6..fcb777f 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -28,6 +28,7 @@
+ #include "ssl_local.h"
+ #include "quic/quic_local.h"
+ #include
++#include "btls.h"
+ 
+ static const SIGALG_LOOKUP *find_sig_alg(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pkey);
+ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, const SIGALG_LOOKUP *lu);
+@@ -190,7 +191,10 @@ static const struct {
+ { NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072 },
+ { NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096 },
+ { NID_ffdhe6144, OSSL_TLS_GROUP_ID_ffdhe6144 },
+- { NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192 }
++ { NID_ffdhe8192, OSSL_TLS_GROUP_ID_ffdhe8192 },
++ { NID_bign_curve256v1, 0xFE01 }, /* BIGN_CURVE256V1_ID */
++ { NID_bign_curve384v1, 0xFE02 }, /* BIGN_CURVE384V1_ID */
++ { NID_bign_curve512v1, 0xFE03 }, /* BIGN_CURVE512V1_ID */
+ };
+ 
+ static const unsigned char ecformats_default[] = {
+@@ -202,7 +206,7 @@ static const unsigned char ecformats_default[] = {
+ /* Group list string of the built-in pseudo group DEFAULT */
+ #define DEFAULT_GROUP_NAME "DEFAULT"
+ #define TLS_DEFAULT_GROUP_LIST \
+- "?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072"
++ "?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072 / ?bign-curve256v1:?bign-curve384v1:?bign-curve512v1"
+ 
+ static const uint16_t suiteb_curves[] = {
+ OSSL_TLS_GROUP_ID_secp256r1,
+@@ -337,6 +341,9 @@ static int add_provider_groups(const OSSL_PARAM params[], void *data)
+ ctx->group_list_len++;
+ ginf = NULL;
+ EVP_KEYMGMT_free(keymgmt);
++ } else {
++ ctx->group_list_len++;
++ ginf = NULL;
+ }
+ ERR_pop_to_mark();
+ err:
+@@ -887,7 +894,8 @@ int tls_valid_group(SSL_CONNECTION *s, uint16_t group_id,
+ ret &= !isec
+ || strcmp(ginfo->algorithm, "EC") == 0
+ || strcmp(ginfo->algorithm, "X25519") == 0
+- || strcmp(ginfo->algorithm, "X448") == 0;
++ || strcmp(ginfo->algorithm, "X448") == 0
++ || strcmp(ginfo->algorithm, "bign") == 0;
+ 
+ return ret;
+ }
+@@ -1955,6 +1963,9 @@ static const uint16_t tls12_sigalgs[] = {
+ TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512,
+ TLSEXT_SIGALG_gostr34102001_gostr3411,
+ #endif
++ TLSEXT_SIGALG_bign_sign_128,
++ TLSEXT_SIGALG_bign_sign_192,
++ TLSEXT_SIGALG_bign_sign_256
+ };
+ 
+ static const uint16_t suiteb_sigalgs[] = {
+@@ -2140,6 +2151,24 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
+ NID_undef, NID_undef, 1, 0,
+ TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION },
+ #endif
++ { "bign128",
++ NULL, TLSEXT_SIGALG_bign_sign_128,
++ NID_belt_hash, SSL_MD_HBELT_IDX,
++ NID_bign_pubkey, SSL_PKEY_BIGN,
++ NID_bign_with_hbelt, NID_bign_curve256v1, 1, 0,
++ TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0},
++ { "bign192",
++ NULL, TLSEXT_SIGALG_bign_sign_192,
++ NID_bash384, SSL_MD_BASH384_IDX,
++ NID_bign_pubkey, SSL_PKEY_BIGN,
++ NID_bign_with_bash384, NID_bign_curve384v1, 1, 0,
++ TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0},
++ { "bign256",
++ NULL, TLSEXT_SIGALG_bign_sign_256,
++ NID_bash512, SSL_MD_BASH512_IDX,
++ NID_bign_pubkey, SSL_PKEY_BIGN,
++ NID_bign_with_bash512, NID_bign_curve512v1, 1, 0,
++ TLS1_2_VERSION, 0, DTLS1_2_VERSION, 0},
+ };
+ /* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */
+ static const SIGALG_LOOKUP legacy_rsa_sigalg = {
+@@ -4262,6 +4291,7 @@ void tls1_set_cert_validity(SSL_CONNECTION *s)
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519);
+ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448);
++ tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_BIGN);
+ }
+ 
+ /* User level utility function to check a chain is suitable */
+@@ -4472,6 +4502,12 @@ static int check_cert_usable(SSL_CONNECTION *s, const SIGALG_LOOKUP *sig,
+ const char *mdname = NULL;
+ SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
+ 
++ int default_mdnid = NID_undef;
++ ERR_set_mark();
++ if (EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid) == 2 &&
++ sig->hash != default_mdnid)
++ return 0;
++ ERR_pop_to_mark();
+ /*
+ * If the given EVP_PKEY cannot support signing with this digest,
+ * the answer is simply 'no'.
+diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
+index e8075d0..cd52197 100644
+--- a/ssl/t1_trce.c
++++ b/ssl/t1_trce.c
+@@ -453,6 +453,16 @@ static const ssl_trace_tbl ssl_ciphers_tbl[] = {
+ { 0xC100, "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC" },
+ { 0xC101, "GOST2012-MAGMA-MAGMAOMAC" },
+ { 0xC102, "GOST2012-GOST8912-IANA" },
++ { 0xFF15, "BDHE-BIGN_WITH-BELT-CTR-MAC-HBELT" },
++ { 0xFF16, "BDHE-BIGN_WITH-BELT-DWP-HBELT" },
++ { 0xFF17, "BDHT-BIGN_WITH-BELT-CTR-MAC-HBELT" },
++ { 0xFF18, "BDHT-BIGN_WITH-BELT-DWP-HBELT" },
++ { 0xFF19, "BDHE-PSK-BIGN_WITH-BELT-CTR-MAC-HBELT" },
++ { 0xFF1A, "BDHE-PSK-BIGN_WITH-BELT-DWP-HBELT" },
++ { 0xFF1B, "BDHT-PSK-BIGN_WITH-BELT-CTR-MAC-HBELT" },
++ { 0xFF1C, "BDHT-PSK-BIGN_WITH-BELT-DWP-HBELT" },
++ { 0xFF1D, "BELT-CHE256-BELT-HASH" },
++ { 0xFF1E, "BASH-PRG_AE256-BASH256" },
+ };
+ 
+ /* Compression methods */
+@@ -607,6 +617,9 @@ static const ssl_trace_tbl ssl_sigalg_tbl[] = {
+ { TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256, TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_name },
+ { TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384, TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_name },
+ { TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512, TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_name },
++ { TLSEXT_SIGALG_bign_sign_128, "bign_auth128" },
++ { TLSEXT_SIGALG_bign_sign_192, "bign_auth192" },
++ { TLSEXT_SIGALG_bign_sign_256, "bign_auth256" },
+ /*
+ * Well known groups that we happen to know about, but only come from
+ * provider capability declarations (hence no macros for the
+@@ -614,7 +627,7 @@ static const ssl_trace_tbl ssl_sigalg_tbl[] = {
+ */
+ { 0x0904, "mldsa44" },
+ { 0x0905, "mldsa65" },
+- { 0x0906, "mldsa87" }
++ { 0x0906, "mldsa87" },
+ };
+ 
+ static const ssl_trace_tbl ssl_ctype_tbl[] = {
+diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
+index de201d9..3b24105 100644
+--- a/ssl/tls13_enc.c
++++ b/ssl/tls13_enc.c
+@@ -360,6 +360,7 @@ static int derive_secret_key_and_iv(SSL_CONNECTION *s, const EVP_MD *md,
+ int hashleni = EVP_MD_get_size(md);
+ size_t hashlen;
+ int mode, mac_mdleni;
++ uint32_t algenc;
+ 
+ /* Ensure cast to size_t is safe */
+ if (!ossl_assert(hashleni > 0)) {
+@@ -390,23 +391,23 @@ static int derive_secret_key_and_iv(SSL_CONNECTION *s, const EVP_MD *md,
+ 
+ *keylen = EVP_CIPHER_get_key_length(ciph);
+ 
++ *ivlen = EVP_CCM_TLS_IV_LEN;
++ if (s->s3.tmp.new_cipher != NULL) {
++ algenc = s->s3.tmp.new_cipher->algorithm_enc;
++ } else if (s->session->cipher != NULL) {
++ /* We've not selected a cipher yet - we must be doing early data */
++ algenc = s->session->cipher->algorithm_enc;
++ } else if (s->psksession != NULL && s->psksession->cipher != NULL) {
++ /* We must be doing early data with out-of-band PSK */
++ algenc = s->psksession->cipher->algorithm_enc;
++ } else {
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
++ return 0;
++ }
++
+ mode = EVP_CIPHER_get_mode(ciph);
+ if (mode == EVP_CIPH_CCM_MODE) {
+- uint32_t algenc;
+-
+- *ivlen = EVP_CCM_TLS_IV_LEN;
+- if (s->s3.tmp.new_cipher != NULL) {
+- algenc = s->s3.tmp.new_cipher->algorithm_enc;
+- } else if (s->session->cipher != NULL) {
+- /* We've not selected a cipher yet - we must be doing early data */
+- algenc = s->session->cipher->algorithm_enc;
+- } else if
(s->psksession != NULL && s->psksession->cipher != NULL) { +- /* We must be doing early data with out-of-band PSK */ +- algenc = s->psksession->cipher->algorithm_enc; +- } else { +- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); +- return 0; +- } ++ + if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) + *taglen = EVP_CCM8_TLS_TAG_LEN; + else +@@ -416,6 +417,10 @@ static int derive_secret_key_and_iv(SSL_CONNECTION *s, const EVP_MD *md, + + if (mode == EVP_CIPH_GCM_MODE) { + *taglen = EVP_GCM_TLS_TAG_LEN; ++ } else if (algenc & SSL_BELTCHE) { ++ *taglen = EVP_BELTCHE_TLS_TAG_LEN; ++ } else if (algenc & SSL_BASHPRGAE) { ++ *taglen = EVP_BASHPRGAE_TLS_TAG_LEN; + } else { + /* CHACHA20P-POLY1305 */ + *taglen = EVP_CHACHAPOLY_TLS_TAG_LEN; From f92dd8ef4e0176d117db94e8a99a79b0b6787b88 Mon Sep 17 00:00:00 2001 From: Mikhail Mitskevich Date: Tue, 7 Apr 2026 15:54:50 +0300 Subject: [PATCH 2/7] Add script for OpenSSL running --- scripts/openssl.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 scripts/openssl.sh diff --git a/scripts/openssl.sh b/scripts/openssl.sh new file mode 100644 index 0000000..2b9c1b7 --- /dev/null +++ b/scripts/openssl.sh @@ -0,0 +1,15 @@ + +scripts_dir="$( dirname "${BASH_SOURCE[0]}" )" +bee2evp=$(cd $scripts_dir/../../bee2evp && pwd) +build_root=$bee2evp/build +local=${BEE2EVP_INSTALL_DIR:-$build_root/local} +lib_path=$local/lib + +run_bee2prv(){ + export PATH=$local/bin:$PATH + export OPENSSL_CONF=$local/openssl.cnf + export LD_LIBRARY_PATH="$lib_path:${LD_LIBRARY_PATH}" + echo "[-] run openssl" + $local/bin/openssl $@ +} +run_bee2prv $@ \ No newline at end of file From fb8d96fd781998465f1077584223449890d7a5ed Mon Sep 17 00:00:00 2001 From: Mikhail Mitskevich Date: Tue, 7 Apr 2026 17:29:38 +0300 Subject: [PATCH 3/7] Update patch for 3.5 --- btls/btls.c | 27 +++++++++++++++++++++++---- btls/patch/openssl-3.5.5.patch | 30 +++++++++++++----------------- 2 files changed, 36 insertions(+), 21 deletions(-) 
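Review bot: `$local/bin/openssl $@` and the final `run_bee2prv $@` pass the arguments unquoted, so an argument with whitespace or glob characters (a `-CAfile` path containing a space, a cipher list with `*`) is re-split or expanded before openssl sees it; both should be `"$@"`. The `bee2evp=$(cd $scripts_dir/../../bee2evp && pwd)` line does not stop on failure either: if that directory is missing, `bee2evp` is empty and, with `BEE2EVP_INSTALL_DIR` unset, `lib_path` becomes `/build/local/lib` and is prepended to `LD_LIBRARY_PATH`; `bee2evp=$(cd "$scripts_dir/../../bee2evp" && pwd) || exit 1` fails loudly instead. The file also has no shebang although it relies on `BASH_SOURCE`, so `#!/usr/bin/env bash` on the first (currently blank) line would pin the interpreter.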
diff --git a/btls/btls.c b/btls/btls.c index aa66811..1362a4e 100644 --- a/btls/btls.c +++ b/btls/btls.c @@ -227,6 +227,22 @@ ssl/statem/statem_clnt.c (см. обработку флага SSL_kBDHEPSK). ******************************************************************************* */ +static int btls_shared_group(SSL_CONNECTION *s) +{ + int i = 0; + int num = tls1_shared_group(s, -1); + while (i < num) + { + int group_id = tls1_shared_group(s, i); + if (group_id == BIGN_CURVE256V1_ID || + group_id == BIGN_CURVE384V1_ID || + group_id == BIGN_CURVE512V1_ID) + return group_id; + i++; + } + return 0; +} + int btls_construct_ske_psk_bign_dhe(SSL_CONNECTION *s, WPACKET *pkt) { int ret = 0; @@ -249,12 +265,15 @@ int btls_construct_ske_psk_bign_dhe(SSL_CONNECTION *s, WPACKET *pkt) // загружен сертификат сервера? if (s->s3.tmp.pkey != NULL) goto err; - // клиент не высылал расширение supported_groups? + // сервер не сформировал расширение supported_groups? if (!s->ext.supportedgroups) - // ...используем первую кривую bign - curve_id = BIGN_CURVE256V1_ID; + // ...используем первую кривую bign + curve_id = BIGN_CURVE256V1_ID; + // клиент не высылал расширение supported_groups? + else if (!s->ext.peer_supportedgroups) + curve_id = BIGN_CURVE256V1_ID; // ... определяем подходящую кривую по стандартной схеме - else if (!(curve_id = tls1_shared_group(s, -2))) + else if (!(curve_id = btls_shared_group(s))) goto err; // определить oid(curve) SSL_CTX *CTX=s->session_ctx; diff --git a/btls/patch/openssl-3.5.5.patch b/btls/patch/openssl-3.5.5.patch index 7d847e0..fc50d6d 100644 --- a/btls/patch/openssl-3.5.5.patch +++ b/btls/patch/openssl-3.5.5.patch @@ -167,7 +167,7 @@ index 931ee79..1694ca3 100644 #if defined(SSL3_CT_NUMBER) #if TLS_CT_NUMBER != SSL3_CT_NUMBER diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c -index eb96627..e4d306c 100644 +index eb96627..ed046f3 100644 --- a/providers/common/capabilities.c +++ b/providers/common/capabilities.c 
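Review bot: `btls_shared_group` has no header comment, and the reason it replaces `tls1_shared_group(s, -2)` in the next hunk — that `-2` may return a non-bign shared group such as X25519, which a bign key exchange cannot use — is only visible from the diff; suggest `/* First shared group that is a bign curve, in tls1_shared_group() preference order; 0 if none. */` above the definition. The `while (i < num) { ... i++; }` shape is a plain counted loop and reads more directly as `for (i = 0; i < num; i++) {`. A one-line comment that a 0 return is the intended "no shared bign curve" outcome, which the caller turns into a failure, would also help the next reader.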
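Review bot: The first branch still forces `curve_id = BIGN_CURVE256V1_ID` whenever `s->ext.supportedgroups` is NULL without consulting `s->ext.peer_supportedgroups`, so a client that listed only bign-curve384v1 can be sent a ServerKeyExchange on a curve it did not offer. `s->ext.supportedgroups` is the server's own per-connection group preference rather than an extension it "forms" as the new comment says, and if, as in stock OpenSSL, a NULL value means the context or default list applies — and this patch adds the three bign curves to `TLS_DEFAULT_GROUP_LIST` — then `btls_shared_group(s)` would negotiate correctly in that case. I would drop that branch and keep `if (!s->ext.peer_supportedgroups) curve_id = BIGN_CURVE256V1_ID; else if (!(curve_id = btls_shared_group(s))) goto err;`, with a comment that the fixed curve is only for clients that sent no supported_groups at all. `btls_construct_ske_psk_bign_dhe` continues outside this hunk.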
@@ -91,6 +91,9 @@ static const TLS_GROUP_CONSTANTS group_list[] = { @@ -204,7 +204,7 @@ index 7f4ecaa..5516070 100644 # For shared builds we need to include the libcrypto packet.c and quic_vlint.c # in libssl as well. diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c -index 0e1445b..2de6dbe 100644 +index 0e1445b..c25e047 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -22,6 +22,7 @@ @@ -215,12 +215,10 @@ index 0e1445b..2de6dbe 100644 #define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers) #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) -@@ -163,7 +164,38 @@ static SSL_CIPHER tls13_ciphers[] = { - SSL_HANDSHAKE_MAC_SHA384, +@@ -164,6 +165,37 @@ static SSL_CIPHER tls13_ciphers[] = { 0, 384, -- }, -+ }, + }, + { + 1, + BTLS1_3_RFC_BELT_CHE256_BELT_HASH, @@ -424,7 +422,7 @@ index f7fc984..3c4699b 100644 + { NID_bign_pubkey, SSL_aBIGN } /* SSL_PKEY_BIGN */ }; diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c -index 7dccec6..64e45fe 100644 +index 7dccec6..dce04a2 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -23,6 +23,7 @@ @@ -663,7 +661,7 @@ index ac77faa..2a3ce21 100644 mask_k |= SSL_kPSK; mask_a |= SSL_aPSK; diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h -index 8fc8b64..e06c692 100644 +index 8fc8b64..1c30a2b 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -41,6 +41,7 @@ @@ -674,17 +672,15 @@ index 8fc8b64..e06c692 100644 #ifdef OPENSSL_BUILD_SHLIBSSL #undef OPENSSL_EXTERN -@@ -98,8 +99,8 @@ +@@ -98,7 +99,7 @@ /* all PSK */ -#define SSL_PSK (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK) -- +#define SSL_PSK (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK | SSL_kBDHEPSK | SSL_kBDHTPSK) -+ + /* Any appropriate key exchange algorithm (for TLS 1.3 ciphersuites) */ #define SSL_kANY 0x00000000U - @@ -124,7 +125,7 @@ #define SSL_aANY 0x00000000U /* All bits requiring a certificate */ @@ -722,7 +718,7 @@ index 8fc8b64..e06c692 100644 /*- * SSL_kRSA <- RSA_ENC 
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c -index 305ca4a..1a0e6e4 100644 +index 305ca4a..dcd346f 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -156,7 +156,7 @@ static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version) @@ -730,7 +726,7 @@ index 305ca4a..1a0e6e4 100644 alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; - if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) -+ if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK | SSL_kBDHEPSK)) ++ if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK | SSL_kBDHE | SSL_kBDHEPSK)) || (alg_a & SSL_aECDSA) || c->min_tls >= TLS1_3_VERSION) { ret = 1; @@ -749,7 +745,7 @@ index cdb914d..93078ed 100644 return EXT_RETURN_NOT_SENT; } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c -index 0619fbd..4a80a08 100644 +index 0619fbd..e0ff94e 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -78,7 +78,8 @@ static int key_exchange_expected(SSL_CONNECTION *s) @@ -886,7 +882,7 @@ index 6079176..514390b 100644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE); goto err; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index cd471a6..fcb777f 100644 +index cd471a6..d5f6f23 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -28,6 +28,7 @@ @@ -934,7 +930,7 @@ index cd471a6..fcb777f 100644 || strcmp(ginfo->algorithm, "X25519") == 0 - || strcmp(ginfo->algorithm, "X448") == 0; + || strcmp(ginfo->algorithm, "X448") == 0 -+ || strcmp(ginfo->algorithm, "bign") == 0; ++ || strncmp(ginfo->algorithm, "bign", 4) == 0; return ret; } From 992afadd52a5d20974d860e08b1889c46432e005 Mon Sep 17 00:00:00 2001 From: Mikhail Mitskevich Date: Wed, 8 Apr 2026 13:21:02 +0300 Subject: [PATCH 4/7] Use bign curves in TLS 1.3 tests --- test/btls.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/btls.py b/test/btls.py index 6377763..26dc6a1 100644 --- a/test/btls.py +++ b/test/btls.py 
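Review bot: The widened mask `SSL_kECDHE | SSL_kECDHEPSK | SSL_kBDHE | SSL_kBDHEPSK` still leaves out the two BDHT key-exchange flags (`SSL_kBDHT`, `SSL_kBDHTPSK`) that the `tls_process_client_key_exchange` hunk earlier in this patch dispatches on, and the bign authentication flag `SSL_aBIGN` that would be the analogue of the `alg_a & SSL_aECDSA` test on the next line. If a BDHT or bign-authenticated TLS 1.2 suite needs the client to advertise supported_groups / ec_point_formats, a client whose cipher list contains only such suites will not send them; either extend the mask or add a comment such as `/* BDHT takes the curve from the server certificate; no group negotiation needed */` if that is the case. `use_ecc` starts and ends outside this hunk.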
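Review bot: `strncmp(ginfo->algorithm, "bign", 4) == 0` is a prefix match, so any provider key-management algorithm whose name starts with "bign" passes the `isec` check that limits a group to curve-type algorithms, not only the three curve groups (0xFE01–0xFE03) this patch registers. If the switch from `strcmp` was made because the provider publishes per-curve names (presumably `bign-curve256v1` and friends), compare those exact names or test the `group_id` parameter against the registered ids instead, or at least add a comment stating which algorithm names are expected so that a future `bign…` signature-only keymgmt is not accepted as a TLS group. `tls_valid_group` starts and ends outside this hunk.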
@@ -68,7 +68,7 @@ def btls_client(tmpdir, suite, is_tls13, curve, cert, psk): if psk: cmd = cmd + ' -psk 123456' - if not cert and curve != 'NULL': + if (not cert or is_tls13) and curve != 'NULL': cmd = cmd + ' -curves {}'.format(curve) # prepare output output = os.path.join(tmpdir, suite + curve + '.cli') From 4a20f5570acd90958596855a0d82d00daa52b170 Mon Sep 17 00:00:00 2001 From: Mikhail Mitskevich Date: Wed, 8 Apr 2026 13:32:20 +0300 Subject: [PATCH 5/7] Reuse private keys and certs in tests --- test/btls.py | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/test/btls.py b/test/btls.py index 26dc6a1..58985f3 100644 --- a/test/btls.py +++ b/test/btls.py @@ -3,7 +3,7 @@ # \project bee2evp [EVP-interfaces over bee2 / engine of OpenSSL] # \brief A python wrapper over STB 34.101.65 (btls) ciphersuites # \created 2019.12.09 -# \version 2024.06.03 +# \version 2026.04.08 # \copyright The Bee2evp authors # \license Licensed under the Apache License, Version 2.0 (see LICENSE.txt). # ***************************************************************************** @@ -31,10 +31,8 @@ def btls_server(tmpdir, suite, is_tls13, curve, cert, psk): cmd = 's_server -engine bee2evp -tls1_2 -rev'.format(suite) if cert: - privkey = os.path.join(tmpdir, suite + curve + '.sk') - cert = os.path.join(tmpdir, suite + curve + '.cert') - btls_gen_privkey(privkey, curve) - btls_issue_cert(cert, privkey) + privkey = os.path.join(tmpdir, curve + '.sk') + cert = os.path.join(tmpdir, curve + '.cert') cmd = cmd + ' -key {} -cert {}'.format(privkey, cert) else: cmd = cmd + ' -nocert' @@ -126,6 +124,12 @@ def btls_test(): 'bign-curve256v1:bign-curve512v1' ] + for curve in curves_shortlist: + privkey = os.path.join(tmpdir, curve + '.sk') + cert = os.path.join(tmpdir, curve + '.cert') + btls_gen_privkey(privkey, curve) + btls_issue_cert(cert, privkey) + for suite in ciphersuites: # psk? psk = suite.find('PSK') != -1 
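Review bot: The new loop generates a key/cert pair for each entry of `curves_shortlist`, while `btls_server` (earlier hunk in this commit) opens `tmpdir/<curve>.sk` and `<curve>.cert` for whatever `curve` it is given when `cert` is set, so a curve outside the shortlist makes `s_server` fail on a missing `-key` file instead of exercising the suite; `assert curve in curves_shortlist, curve` in `btls_server`, or lazy generation there guarded by `if not os.path.exists(privkey):`, would make the precondition explicit. The list that closes just above the loop ends with the colon-joined entry `'bign-curve256v1:bign-curve512v1'`; if that list is `curves_shortlist`, `btls_gen_privkey` is now called with a group list rather than a single curve name, which is worth confirming. `btls_test` continues outside this hunk.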
From a252db748e15c0b3f1fb32cef92e9eea8f2c054e Mon Sep 17 00:00:00 2001 From: Mikhail Mitskevich Date: Wed, 8 Apr 2026 13:37:13 +0300 Subject: [PATCH 6/7] Update bee2evp version --- CMakeLists.txt | 2 +- include/bee2evp/info.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 41c5042..bb6d68f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,6 +1,6 @@ cmake_minimum_required(VERSION 3.5...4.0) project(BEE2EVP - VERSION 1.2.0 + VERSION 1.2.2 LANGUAGES C ) diff --git a/include/bee2evp/info.h b/include/bee2evp/info.h index 4b7916d..fe165a1 100644 --- a/include/bee2evp/info.h +++ b/include/bee2evp/info.h @@ -24,7 +24,7 @@ #define BEE2EVP_NAME "Bee2evp" #define BEE2EVP_VERSION_MAJOR "1" #define BEE2EVP_VERSION_MINOR "2" -#define BEE2EVP_VERSION_PATCH "0" +#define BEE2EVP_VERSION_PATCH "2" #define BEE2EVP_VERSION \ BEE2EVP_VERSION_MAJOR "." BEE2EVP_VERSION_MINOR "." BEE2EVP_VERSION_PATCH @@ -36,7 +36,7 @@ ******************************************************************************* \mainpage Криптографический плагин Bee2evp для OpenSSL -\version 1.2.0 +\version 1.2.2 \section toc Содержание From a08580248edf51dd00c8b146236867436e739d49 Mon Sep 17 00:00:00 2001 From: Mikhail Mitskevich Date: Wed, 8 Apr 2026 13:46:38 +0300 Subject: [PATCH 7/7] Add Gitlab testing for OpenSSL 3.5.5 --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4ce69bf..d0e1d7e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,6 +23,8 @@ jobs: - tag: "OpenSSL_1_1_1i" - tag: "openssl-3.3.1" + + - tag: "openssl-3.5.5" env: BEE2_BRANCH: master local: ${{github.workspace}}/build/local