gost-engine · chipitsine · Apr 13, 2026 · Mar 31, 2026
diff --git a/.github/before_script.sh b/.github/before_script.sh
@@ -14,6 +14,8 @@ fi
 git clone --depth 1 -b $OPENSSL_BRANCH https://github.com/openssl/openssl.git
 if [ "${PATCH_OPENSSL}" == "1" ]; then
     git apply patches/openssl-tls1.3.patch
+    git apply patches/openssl-asn1_item_verify_ctx.patch
+    git apply patches/openssl-x509_sig_info_init.patch
 fi
 cd openssl
 git describe --always --long

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -24,6 +24,8 @@ jobs:
             - name: Apply patches
               run: |
                   git apply patches/openssl-tls1.3.patch
+                  git apply patches/openssl-asn1_item_verify_ctx.patch
+                  git apply patches/openssl-x509_sig_info_init.patch
             - uses: ilammy/msvc-dev-cmd@v1
             - name: Build OpenSSL
               if: steps.cache.outputs.cache-hit != 'true'

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -180,6 +180,7 @@ set(GOST_CORE_SOURCE_FILES
         gost_keyexpimp.c
         gost_digest.c
         gost_digest_ctx.c
+        gost_cipher.c
         )
 
 set(GOST_EC_SOURCE_FILES
@@ -211,6 +212,8 @@ set(GOST_ENGINE_SOURCE_FILES
         gost_eng.c
         gost_eng_digest.c
         gost_eng_digest_define.c
+        gost_eng_cipher.c
+        gost_cipher_ctx_evp.c
         )
 
 set(GOST_PROV_SOURCE_FILES
@@ -226,6 +229,7 @@ set(GOST_PROV_SOURCE_FILES
         gost_prov_keyexch.c
         gost_prov_tls.c
         gost_prov_tls.h
+        gost_cipher_ctx.c
         )
 
 set(TEST_ENVIRONMENT_COMMON
@@ -270,13 +274,13 @@ set_tests_properties(ciphers-with-provider
 # test_curves is an internals testing program, it doesn't need a test env
 
 add_executable(test_ecdhe test_ecdhe.c)
-target_link_libraries(test_ecdhe gost_core gost_err)
+target_link_libraries(test_ecdhe gost_core gost_core_additional_for_unittests gost_err)
 add_test(NAME ecdhe COMMAND test_ecdhe)
 set_tests_properties(ecdhe
   PROPERTIES ENVIRONMENT "${TEST_ENVIRONMENT_ENGINE}")
 
 add_executable(test_curves test_curves.c)
-target_link_libraries(test_curves gost_core gost_err)
+target_link_libraries(test_curves gost_core gost_core_additional_for_unittests gost_err)
 add_test(NAME curves COMMAND test_curves)
 
 add_executable(test_params test_params.c)
@@ -370,7 +374,7 @@ endif()
 
 if(NOT MSVC)
   add_executable(sign benchmark/sign.c)
-  target_link_libraries(sign gost_core gost_err ${CLOCK_GETTIME_LIB})
+  target_link_libraries(sign gost_core gost_core_additional_for_unittests gost_err ${CLOCK_GETTIME_LIB})
 endif()
 
 # All that may need to load just built engine will have path to it defined.
@@ -411,6 +415,9 @@ add_library(gost_core STATIC ${GOST_LIB_SOURCE_FILES})
 set_target_properties(gost_core PROPERTIES POSITION_INDEPENDENT_CODE ON)
 target_link_libraries(gost_core PRIVATE OpenSSL::Crypto gost89 gosthash gosthash2012 gosttls12additional)
 
+add_library(gost_core_additional_for_unittests STATIC gost_cipher_ctx.c)
+set_target_properties(gost_core_additional_for_unittests PROPERTIES POSITION_INDEPENDENT_CODE ON)
+
 add_library(gost_err STATIC ${GOST_ERR_SOURCE_FILES})
 set_target_properties(gost_err PROPERTIES POSITION_INDEPENDENT_CODE ON)
 target_link_libraries(gost_err PRIVATE OpenSSL::Crypto)
@@ -438,7 +445,7 @@ add_subdirectory(libprov)
 
 # The GOST provider in module form
 add_library(gost_prov MODULE
-  ${GOST_PROV_SOURCE_FILES} ${GOST_ENGINE_SOURCE_FILES}
+  ${GOST_PROV_SOURCE_FILES}
   )
 set_target_properties(gost_prov PROPERTIES
   PREFIX "" OUTPUT_NAME "gostprov" SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX}
@@ -449,7 +456,7 @@ target_link_libraries(gost_prov PRIVATE gost_core libprov)
 if (NOT MSVC)
 # The GOST provider in library form
 add_library(lib_gost_prov SHARED
-  ${GOST_PROV_SOURCE_FILES} ${GOST_ENGINE_SOURCE_FILES}
+  ${GOST_PROV_SOURCE_FILES}
   )
 set_target_properties(lib_gost_prov PROPERTIES
   OUTPUT_NAME "gostprov"

diff --git a/gost_cipher.c b/gost_cipher.c
@@ -0,0 +1,117 @@
+#include "gost_cipher_details.h"
+#include "gost_cipher_ctx.h"
+
+#define TPL_VAL(st, field) (((st) != NULL && (st)->template != NULL) \
+                            ? (st)->template->field : 0)
+
+int GOST_cipher_type(const GOST_cipher *c)
+{
+    return c != NULL ? c->nid : NID_undef;
+}
+
+int GOST_cipher_nid(const GOST_cipher *c)
+{
+    return GOST_cipher_type(c);
+}
+
+int GOST_cipher_flags(const GOST_cipher *c)
+{
+    return c != NULL ? (c->flags | TPL_VAL(c, flags)) : 0;
+}
+
+int GOST_cipher_key_length(const GOST_cipher *c)
+{
+    if (c == NULL)
+        return 0;
+
+    return c->key_len != 0 ? c->key_len : TPL_VAL(c, key_len);
+}
+
+int GOST_cipher_iv_length(const GOST_cipher *c)
+{
+    if (c == NULL)
+        return 0;
+
+    return c->iv_len != 0 ? c->iv_len : TPL_VAL(c, iv_len);
+}
+
+int GOST_cipher_block_size(const GOST_cipher *c)
+{
+    if (c == NULL)
+        return 0;
+
+    return c->block_size != 0 ? c->block_size : TPL_VAL(c, block_size);
+}
+
+int GOST_cipher_mode(const GOST_cipher *c)
+{
+    return c != NULL ? (c->flags & EVP_CIPH_MODE) : 0;
+}
+
+int GOST_cipher_ctx_size(const GOST_cipher *c)
+{
+    if (c == NULL)
+        return 0;
+
+    return c->ctx_size != 0 ? c->ctx_size : TPL_VAL(c, ctx_size);
+}
+
+int (*GOST_cipher_init_fn(const GOST_cipher *c))(GOST_cipher_ctx *ctx,
+                                                 const unsigned char *key,
+                                                 const unsigned char *iv,
+                                                 int enc)
+{
+    if (c == NULL)
+        return NULL;
+
+    return c->init != NULL ? c->init : TPL_VAL(c, init);
+}
+
+int (*GOST_cipher_set_asn1_parameters_fn(const GOST_cipher *c))(GOST_cipher_ctx *ctx,
+                                                                ASN1_TYPE *params)
+{
+    if (c == NULL)
+        return NULL;
+
+    return c->set_asn1_parameters != NULL
+        ? c->set_asn1_parameters : TPL_VAL(c, set_asn1_parameters);
+}
+
+int (*GOST_cipher_get_asn1_parameters_fn(const GOST_cipher *c))(GOST_cipher_ctx *ctx,
+                                                                ASN1_TYPE *params)
+{
+    if (c == NULL)
+        return NULL;
+
+    return c->get_asn1_parameters != NULL
+        ? c->get_asn1_parameters : TPL_VAL(c, get_asn1_parameters);
+}
+
+int (*GOST_cipher_do_cipher_fn(const GOST_cipher *c))(GOST_cipher_ctx *ctx,
+                                                      unsigned char *out,
+                                                      const unsigned char *in,
+                                                      size_t inl)
+{
+    if (c == NULL)
+        return NULL;
+
+    return c->do_cipher != NULL ? c->do_cipher : TPL_VAL(c, do_cipher);
+}
+
+int (*GOST_cipher_cleanup_fn(const GOST_cipher *c))(GOST_cipher_ctx *ctx)
+{
+    if (c == NULL)
+        return NULL;
+
+    return c->cleanup != NULL ? c->cleanup : TPL_VAL(c, cleanup);
+}
+
+int (*GOST_cipher_ctrl_fn(const GOST_cipher *c))(GOST_cipher_ctx *ctx,
+                                                 int type, int arg,
+                                                 void *ptr)
+{
+    if (c == NULL)
+        return NULL;
+
+    return c->ctrl != NULL ? c->ctrl : TPL_VAL(c, ctrl);
+}
diff --git a/gost_cipher.h b/gost_cipher.h
@@ -0,0 +1,35 @@
+#pragma once
+
+#include <stddef.h>
+#include <openssl/types.h>
+
+struct gost_cipher_ctx_st;
+struct gost_cipher_st;
+typedef struct gost_cipher_st GOST_cipher;
+
+int GOST_cipher_type(const GOST_cipher *c);
+int GOST_cipher_nid(const GOST_cipher *c);
+int GOST_cipher_flags(const GOST_cipher *c);
+int GOST_cipher_key_length(const GOST_cipher *c);
+int GOST_cipher_iv_length(const GOST_cipher *c);
+int GOST_cipher_block_size(const GOST_cipher *c);
+int GOST_cipher_mode(const GOST_cipher *c);
+int GOST_cipher_ctx_size(const GOST_cipher *c);
+int (*GOST_cipher_init_fn(const GOST_cipher *c))(struct gost_cipher_ctx_st *ctx,
+                                                 const unsigned char *key,
+                                                 const unsigned char *iv,
+                                                 int enc);
+// Fill ASN1_TYPE *params struct based on ctx
+int (*GOST_cipher_set_asn1_parameters_fn(const GOST_cipher *c))(struct gost_cipher_ctx_st *ctx,
+                                                                ASN1_TYPE *params);
+// Modify ctx based on ASN1_TYPE *params struct
+int (*GOST_cipher_get_asn1_parameters_fn(const GOST_cipher *c))(struct gost_cipher_ctx_st *ctx,
+                                                                ASN1_TYPE *params);
+int (*GOST_cipher_do_cipher_fn(const GOST_cipher *c))(struct gost_cipher_ctx_st *ctx,
+                                                      unsigned char *out,
+                                                      const unsigned char *in,
+                                                      size_t inl);
+int (*GOST_cipher_cleanup_fn(const GOST_cipher *c))(struct gost_cipher_ctx_st *ctx);
+int (*GOST_cipher_ctrl_fn(const GOST_cipher *c))(struct gost_cipher_ctx_st *ctx,
+                                                 int type, int arg,
+                                                 void *ptr);