TLS: Some work on GOST support (RFC 9189)

Author: peterdettman

tls/src/main/java/org/bouncycastle/tls/CipherSuite.java

@@ -452,7 +452,7 @@ public static boolean isSCSV(int cipherSuite)
     public static final int TLS_SM4_CCM_SM3 = 0x00C7;
 
     /*
-     * draft-smyshlyaev-tls12-gost-suites-10
+     * RFC 9189
      */
     public static final int TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC = 0xC100;
     public static final int TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC = 0xC101;

tls/src/main/java/org/bouncycastle/tls/ClientCertificateType.java

@@ -21,7 +21,7 @@ public class ClientCertificateType
     public static final short ecdsa_fixed_ecdh = 66;
 
     /*
-     * draft-smyshlyaev-tls12-gost-suites-10
+     * RFC 9189
      */
     public static final short gost_sign256 = 67;
     public static final short gost_sign512 = 68;

tls/src/main/java/org/bouncycastle/tls/EncryptionAlgorithm.java

@@ -77,4 +77,11 @@ public class EncryptionAlgorithm
      * GMT 0024-2014
      */
     public static final int SM4_CBC = 28;
+
+    /*
+     * RFC 9189
+     */
+    public static final int KUZNYECHIK_CTR_OMAC = 29;
+    public static final int MAGMA_CTR_OMAC = 30;
+    public static final int _28147_CNT_IMIT = 31;
 }

tls/src/main/java/org/bouncycastle/tls/KeyExchangeAlgorithm.java

@@ -59,6 +59,11 @@ public class KeyExchangeAlgorithm
      */
     public static final int SM2 = 25;
 
+    /*
+     * RFC 9189
+     */
+    public static final int GOSTR341112_256 = 26;
+
     public static boolean isAnonymous(int keyExchangeAlgorithm)
     {
         switch (keyExchangeAlgorithm)

tls/src/main/java/org/bouncycastle/tls/NamedGroup.java

@@ -61,7 +61,7 @@ public class NamedGroup
     public static final int brainpoolP512r1tls13 = 33;
 
     /*
-     * draft-smyshlyaev-tls12-gost-suites-10
+     * RFC 9189
      */
     public static final int GC256A = 34;
     public static final int GC256B = 35;

tls/src/main/java/org/bouncycastle/tls/PRFAlgorithm.java

@@ -16,6 +16,7 @@ public class PRFAlgorithm
     public static final int tls13_hkdf_sha384 = 5;
 //    public static final int tls13_hkdf_sha512 = 6;
     public static final int tls13_hkdf_sm3 = 7;
+    public static final int tls_prf_gostr3411_2012_256 = 8;
 
     public static String getName(int prfAlgorithm)
     {
@@ -35,6 +36,8 @@ public static String getName(int prfAlgorithm)
             return "tls13_hkdf_sha384";
         case tls13_hkdf_sm3:
             return "tls13_hkdf_sm3";
+        case tls_prf_gostr3411_2012_256:
+            return "tls_prf_gostr3411_2012_256";
         default:
             return "UNKNOWN";
         }

tls/src/main/java/org/bouncycastle/tls/SignatureAlgorithm.java

@@ -35,7 +35,7 @@ public class SignatureAlgorithm
     public static final short ecdsa_brainpoolP512r1tls13_sha512 = 28;
 
     /*
-     * draft-smyshlyaev-tls12-gost-suites-10
+     * RFC 9189
      */
     public static final short gostr34102012_256 = 64;
     public static final short gostr34102012_512 = 65;

tls/src/main/java/org/bouncycastle/tls/TlsECCUtils.java

@@ -40,6 +40,7 @@ public static boolean isECCCipherSuite(int cipherSuite)
         case KeyExchangeAlgorithm.ECDHE_ECDSA:
         case KeyExchangeAlgorithm.ECDHE_PSK:
         case KeyExchangeAlgorithm.ECDHE_RSA:
+        case KeyExchangeAlgorithm.GOSTR341112_256:
             return true;
 
         default:

tls/src/main/java/org/bouncycastle/tls/TlsUtils.java

@@ -2219,6 +2219,17 @@ static int getPRFAlgorithm(SecurityParameters securityParameters, int cipherSuit
             throw new TlsFatalAlert(AlertDescription.illegal_parameter);
         }
 
+        case CipherSuite.TLS_GOSTR341112_256_WITH_28147_CNT_IMIT:
+        case CipherSuite.TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC:
+        case CipherSuite.TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC:
+        {
+            if (isTLSv12Exactly)
+            {
+                return PRFAlgorithm.tls_prf_gostr3411_2012_256;
+            }
+            throw new TlsFatalAlert(AlertDescription.illegal_parameter);
+        }
+
         case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA384:
         case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384:
         case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA384:
@@ -2707,6 +2718,9 @@ public static int getEncryptionAlgorithm(int cipherSuite)
     {
         switch (cipherSuite)
         {
+        case CipherSuite.TLS_GOSTR341112_256_WITH_28147_CNT_IMIT:
+            return EncryptionAlgorithm._28147_CNT_IMIT;
+
         case CipherSuite.TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
         case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
         case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
@@ -3007,6 +3021,12 @@ public static int getEncryptionAlgorithm(int cipherSuite)
         case CipherSuite.TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256:
             return EncryptionAlgorithm.CHACHA20_POLY1305;
 
+        case CipherSuite.TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC:
+            return EncryptionAlgorithm.KUZNYECHIK_CTR_OMAC;
+
+        case CipherSuite.TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC:
+            return EncryptionAlgorithm.MAGMA_CTR_OMAC;
+
         case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA:
         case CipherSuite.TLS_ECDH_anon_WITH_NULL_SHA:
         case CipherSuite.TLS_ECDH_ECDSA_WITH_NULL_SHA:
@@ -3085,6 +3105,9 @@ public static int getEncryptionAlgorithmType(int encryptionAlgorithm)
         case EncryptionAlgorithm.SM4_CBC:
             return CipherType.block;
 
+        case EncryptionAlgorithm._28147_CNT_IMIT:
+        case EncryptionAlgorithm.KUZNYECHIK_CTR_OMAC:
+        case EncryptionAlgorithm.MAGMA_CTR_OMAC:
         case EncryptionAlgorithm.NULL:
         case EncryptionAlgorithm.RC4_40:
         case EncryptionAlgorithm.RC4_128:
@@ -3332,6 +3355,11 @@ public static int getKeyExchangeAlgorithm(int cipherSuite)
         case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA:
             return KeyExchangeAlgorithm.ECDHE_RSA;
 
+        case CipherSuite.TLS_GOSTR341112_256_WITH_28147_CNT_IMIT:
+        case CipherSuite.TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC:
+        case CipherSuite.TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC:
+            return KeyExchangeAlgorithm.GOSTR341112_256;
+
         case CipherSuite.TLS_AES_128_CCM_8_SHA256:
         case CipherSuite.TLS_AES_128_CCM_SHA256:
         case CipherSuite.TLS_AES_128_GCM_SHA256:
@@ -3905,6 +3933,9 @@ public static ProtocolVersion getMinimumVersion(int cipherSuite)
         case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384:
         case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384:
         case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
+        case CipherSuite.TLS_GOSTR341112_256_WITH_28147_CNT_IMIT:
+        case CipherSuite.TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC:
+        case CipherSuite.TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC:
         case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8:
         case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8:
         case CipherSuite.TLS_PSK_WITH_AES_128_CCM:
@@ -4090,8 +4121,6 @@ static boolean isValidKeyShareSelection(ProtocolVersion negotiatedVersion, int[]
 
     static boolean isValidSignatureAlgorithmForServerKeyExchange(short signatureAlgorithm, int keyExchangeAlgorithm)
     {
-        // TODO[tls13]
-
         switch (keyExchangeAlgorithm)
         {
         case KeyExchangeAlgorithm.DHE_RSA:
@@ -4129,6 +4158,7 @@ static boolean isValidSignatureAlgorithmForServerKeyExchange(short signatureAlgo
         case KeyExchangeAlgorithm.NULL:
             return SignatureAlgorithm.anonymous != signatureAlgorithm;
 
+        case KeyExchangeAlgorithm.GOSTR341112_256:
         default:
             return false;
         }
@@ -4411,6 +4441,9 @@ public static boolean isSupportedKeyExchange(TlsCrypto crypto, int keyExchangeAl
             return crypto.hasSRPAuthentication()
                 && hasAnyRSASigAlgs(crypto);
 
+        // TODO[RFC 9189]
+        case KeyExchangeAlgorithm.GOSTR341112_256:
+
         default:
             return false;
         }
@@ -5620,9 +5653,32 @@ static void negotiatedCipherSuite(SecurityParameters securityParameters, int cip
         {
             securityParameters.verifyDataLength = securityParameters.getPRFHashLength();
         }
+        else if (negotiatedVersion.isSSL())
+        {
+            securityParameters.verifyDataLength = 36;
+        }
         else
         {
-            securityParameters.verifyDataLength = negotiatedVersion.isSSL() ? 36 : 12;
+            /*
+             * RFC 9189 4.2.6. The verify_data_length value is equal to 32 for the CTR_OMAC cipher
+             * suites and is equal to 12 for the CNT_IMIT cipher suite.
+             */
+            switch (cipherSuite)
+            {
+            case CipherSuite.TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC:
+            case CipherSuite.TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC:
+            {
+                securityParameters.verifyDataLength = 32;
+                break;
+            }
+
+            case CipherSuite.TLS_GOSTR341112_256_WITH_28147_CNT_IMIT:
+            default:
+            {
+                securityParameters.verifyDataLength = 12;
+                break;
+            }
+            }
         }
     }
 

tls/src/main/java/org/bouncycastle/tls/crypto/CryptoHashAlgorithm.java

@@ -9,4 +9,5 @@ public abstract class CryptoHashAlgorithm
     public static final int sha384 = 5;
     public static final int sha512 = 6;
     public static final int sm3 = 7;
+    public static final int gostr3411_2012_256 = 8;
 }