Diffstat (limited to 'crypto/src/tls/TlsUtilities.cs')
-rw-r--r--crypto/src/tls/TlsUtilities.cs61
1 files changed, 58 insertions, 3 deletions
diff --git a/crypto/src/tls/TlsUtilities.cs b/crypto/src/tls/TlsUtilities.cs
index c6c4a052a..d1160e372 100644
--- a/crypto/src/tls/TlsUtilities.cs
+++ b/crypto/src/tls/TlsUtilities.cs
@@ -2059,6 +2059,16 @@ namespace Org.BouncyCastle.Tls
                 throw new TlsFatalAlert(AlertDescription.illegal_parameter);
             }
 
+            case CipherSuite.TLS_GOSTR341112_256_WITH_28147_CNT_IMIT:
+            case CipherSuite.TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC:
+            case CipherSuite.TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC:
+            {
+                if (isTlsV12Exactly)
+                    return PrfAlgorithm.tls_prf_gostr3411_2012_256;
+
+                throw new TlsFatalAlert(AlertDescription.illegal_parameter);
+            }
+
             case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA384:
             case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384:
             case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA384:
@@ -2543,6 +2553,9 @@ namespace Org.BouncyCastle.Tls
         {
             switch (cipherSuite)
             {
+            case CipherSuite.TLS_GOSTR341112_256_WITH_28147_CNT_IMIT:
+                return EncryptionAlgorithm.cls_28147_CNT_IMIT;
+
             case CipherSuite.TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
             case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
             case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
@@ -2843,6 +2856,12 @@ namespace Org.BouncyCastle.Tls
             case CipherSuite.TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256:
                 return EncryptionAlgorithm.CHACHA20_POLY1305;
 
+            case CipherSuite.TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC:
+                return EncryptionAlgorithm.KUZNYECHIK_CTR_OMAC;
+
+            case CipherSuite.TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC:
+                return EncryptionAlgorithm.MAGMA_CTR_OMAC;
+
             case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA:
             case CipherSuite.TLS_ECDH_anon_WITH_NULL_SHA:
             case CipherSuite.TLS_ECDH_ECDSA_WITH_NULL_SHA:
@@ -2925,6 +2944,9 @@ namespace Org.BouncyCastle.Tls
             case EncryptionAlgorithm.SM4_CBC:
                 return CipherType.block;
 
+            case EncryptionAlgorithm.cls_28147_CNT_IMIT:
+            case EncryptionAlgorithm.KUZNYECHIK_CTR_OMAC:
+            case EncryptionAlgorithm.MAGMA_CTR_OMAC:
             case EncryptionAlgorithm.NULL:
             case EncryptionAlgorithm.RC4_40:
             case EncryptionAlgorithm.RC4_128:
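Review bot: The three GOST labels added above `case EncryptionAlgorithm.NULL:` join the NULL/RC4 group without a comment, and the group's `return` lies outside this hunk, so the cipher type they receive is not visible here (presumably the stream type). Record-layer handling that branches on cipher type, such as padding and MAC placement, depends on this classification, so the reason should be written down. A comment such as `// RFC 9189 suites: counter-mode encryption with a separate MAC (OMAC/IMIT); not block-padded, not AEAD` above the new labels would make the intent explicit.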
@@ -3172,6 +3194,11 @@ namespace Org.BouncyCastle.Tls
             case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA:
                 return KeyExchangeAlgorithm.ECDHE_RSA;
 
+            case CipherSuite.TLS_GOSTR341112_256_WITH_28147_CNT_IMIT:
+            case CipherSuite.TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC:
+            case CipherSuite.TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC:
+                return KeyExchangeAlgorithm.GOSTR341112_256;
+
             case CipherSuite.TLS_AES_128_CCM_8_SHA256:
             case CipherSuite.TLS_AES_128_CCM_SHA256:
             case CipherSuite.TLS_AES_128_GCM_SHA256:
@@ -3751,6 +3778,9 @@ namespace Org.BouncyCastle.Tls
             case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384:
             case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384:
             case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
+            case CipherSuite.TLS_GOSTR341112_256_WITH_28147_CNT_IMIT:
+            case CipherSuite.TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC:
+            case CipherSuite.TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC:
             case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8:
             case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8:
             case CipherSuite.TLS_PSK_WITH_AES_128_CCM:
@@ -3919,8 +3949,6 @@ namespace Org.BouncyCastle.Tls
         internal static bool IsValidSignatureAlgorithmForServerKeyExchange(short signatureAlgorithm,
             int keyExchangeAlgorithm)
         {
-            // TODO[tls13]
-
             switch (keyExchangeAlgorithm)
             {
             case KeyExchangeAlgorithm.DHE_RSA:
@@ -3958,6 +3986,7 @@ namespace Org.BouncyCastle.Tls
             case KeyExchangeAlgorithm.NULL:
                 return SignatureAlgorithm.anonymous != signatureAlgorithm;
 
+            case KeyExchangeAlgorithm.GOSTR341112_256:
             default:
                 return false;
             }
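Review bot: The new `case KeyExchangeAlgorithm.GOSTR341112_256:` label sits directly on `default:` with no comment, so it is unclear whether the `false` result is a decision or a placeholder. If it is intentional because the RFC 9189 key exchange carries no signed ServerKeyExchange (to be confirmed against the RFC), say so in place, for example `// RFC 9189: no ServerKeyExchange signature for GOST key exchange`. That keeps a later edit from moving the label into a permissive branch by mistake.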
@@ -4220,6 +4249,9 @@ namespace Org.BouncyCastle.Tls
                 return crypto.HasSrpAuthentication()
                     && HasAnyRsaSigAlgs(crypto);
 
+            // TODO[RFC 9189]
+            case KeyExchangeAlgorithm.GOSTR341112_256:
+
             default:
                 return false;
             }
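Review bot: `// TODO[RFC 9189]` above `case KeyExchangeAlgorithm.GOSTR341112_256:` does not say what is missing, and the label falls through to `return false`. Judging from the neighbouring branches, which test `crypto` capabilities, this probably means the GOST suites added elsewhere in this commit are never reported as supported; the enclosing function starts outside the hunk, so that is inferred. Failing closed is the right default here, but the TODO should name the capability check that must exist before this returns true, for example `// TODO[RFC 9189] Return true only once TlsCrypto exposes a GOST R 34.10-2012 capability check; until then the suites stay disabled`.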
@@ -5275,9 +5307,32 @@ namespace Org.BouncyCastle.Tls
             {
                 securityParameters.m_verifyDataLength = securityParameters.PrfHashLength;
             }
+            else if (negotiatedVersion.IsSsl)
+            {
+                securityParameters.m_verifyDataLength = 36;
+            }
             else
             {
-                securityParameters.m_verifyDataLength = negotiatedVersion.IsSsl ? 36 : 12;
+                /*
+                 * RFC 9189 4.2.6. The verify_data_length value is equal to 32 for the CTR_OMAC cipher
+                 * suites and is equal to 12 for the CNT_IMIT cipher suite.
+                 */
+                switch (cipherSuite)
+                {
+                case CipherSuite.TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC:
+                case CipherSuite.TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC:
+                {
+                    securityParameters.m_verifyDataLength = 32;
+                    break;
+                }
+
+                case CipherSuite.TLS_GOSTR341112_256_WITH_28147_CNT_IMIT:
+                default:
+                {
+                    securityParameters.m_verifyDataLength = 12;
+                    break;
+                }
+                }
             }
         }
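Review bot: The `default:` arm of the new switch sets `m_verifyDataLength = 12` for every non-GOST suite that reaches this branch, but the only comment above the switch cites RFC 9189, so the general value reads as a GOST rule. A comment on the default arm would separate the two sources, for example `// RFC 5246 7.4.9: verify_data is 12 octets unless the cipher suite specifies otherwise`. The SSL value `36` in the new `else if` has no reference either and could get a one-line comment. The condition of the first branch and the origin of `cipherSuite` are outside this hunk.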