diff --git a/Configure b/Configure
index f0fadaa..c6aed3c 100755
--- a/Configure
+++ b/Configure
@@ -1034,6 +1034,10 @@
$disabled{"ecdsa"} = "forced";
$disabled{"ecdh"} = "forced";
}
+if (defined($disabled{"ec2m"}))
+ {
+ $disabled{"dstu"} = "forced";
+ }
# SSL 2.0 requires MD5 and RSA
if (defined($disabled{"md5"}) || defined($disabled{"rsa"}))
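Review bot: The new rule only forces dstu off when ec2m is disabled, but a plain `no-ec` build drops the EC code (including the binary-field curves) as well, so unless Configure forces ec2m off for `no-ec` somewhere not shown here, a `no-ec` build leaves the DSTU engine enabled without the curve arithmetic it depends on. The block directly above already forces ecdsa and ecdh off for that case; mirror it with `if (defined($disabled{"ec"}) || defined($disabled{"ec2m"}))`. A one-line comment such as `# DSTU 4145 needs the GF(2^m) EC code` above the block would also record why the dependency exists, as the SSL 2.0 comment below does for md5/rsa.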
@@ -1709,6 +1713,7 @@
s/fips // if (/^DIRS=/ && !$fips);
s/engines // if (/^DIRS=/ && $disabled{"engine"});
s/ccgost// if (/^ENGDIRS=/ && $disabled{"gost"});
+ s/uadstu// if (/^ENGDIRS=/ && $disabled{"dstu"});
s/^VERSION=.*/VERSION=$version/;
s/^MAJOR=.*/MAJOR=$major/;
s/^MINOR=.*/MINOR=$minor/;
diff --git a/Makefile.org b/Makefile.org
index e7f6e5b..a3d3dd9 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -138,7 +138,7 @@
BASEADDR=
DIRS= crypto fips ssl engines apps test tools
-ENGDIRS= ccgost
+ENGDIRS= ccgost uadstu
SHLIBDIRS= crypto ssl
# dirs in crypto to build
diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c
index 37ddcf9..882943c 100644
--- a/crypto/engine/eng_all.c
+++ b/crypto/engine/eng_all.c
@@ -110,6 +110,9 @@
#ifndef OPENSSL_NO_GOST
ENGINE_load_gost();
#endif
+#ifndef OPENSSL_NO_DSTU
+ ENGINE_load_dstu();
+#endif
#ifndef OPENSSL_NO_GMP
ENGINE_load_gmp();
#endif
diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h
index f8be497..1313775 100644
--- a/crypto/engine/engine.h
+++ b/crypto/engine/engine.h
@@ -349,6 +349,9 @@
#ifndef OPENSSL_NO_GOST
void ENGINE_load_gost(void);
#endif
+#ifndef OPENSSL_NO_DSTU
+void ENGINE_load_dstu(void);
+#endif
#endif
void ENGINE_load_cryptodev(void);
void ENGINE_load_rsax(void);
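Review bot: `ENGINE_load_dstu` is declared here and called from the eng_all.c hunk, but its definition (presumably under engines/uadstu, which Makefile.org, engines/Makefile and mkfiles.pl now reference) is not part of this diff, and neither is the test/dstutest.c that the test/Makefile hunk builds; applying this patch without those sources breaks the link unless the tree is configured with no-dstu. The patch description should say where those files come from. The new block sits next to the GOST entry inside what appears to be the static-engine guard (the unmatched `#endif` on the following line), so a shared-engine build will rely on whatever engines/uadstu provides for dynamic loading.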
diff --git a/crypto/objects/obj_xref.txt b/crypto/objects/obj_xref.txt
index 19c9422..cb07920 100644
--- a/crypto/objects/obj_xref.txt
+++ b/crypto/objects/obj_xref.txt
@@ -56,3 +56,6 @@
dhSinglePass_cofactorDH_sha256kdf_scheme sha256 dh_cofactor_kdf
dhSinglePass_cofactorDH_sha384kdf_scheme sha384 dh_cofactor_kdf
dhSinglePass_cofactorDH_sha512kdf_scheme sha512 dh_cofactor_kdf
+
+dstu4145le dstu34311 dstu4145le
+dstu4145be dstu34311 dstu4145be
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index b57aabb..1140e37 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -1348,3 +1348,29 @@
1 3 6 1 4 1 311 60 2 1 1 : jurisdictionL : jurisdictionLocalityName
1 3 6 1 4 1 311 60 2 1 2 : jurisdictionST : jurisdictionStateOrProvinceName
1 3 6 1 4 1 311 60 2 1 3 : jurisdictionC : jurisdictionCountryName
+
+# DSTU OIDs
+member-body 804 : ISO-UA
+ISO-UA 2 1 1 1 : ua-pki
+ua-pki 1 1 1 : dstu28147 : DSTU Gost 28147-2009
+dstu28147 2 : dstu28147-ofb : DSTU Gost 28147-2009 OFB mode
+dstu28147 3 : dstu28147-cfb : DSTU Gost 28147-2009 CFB mode
+dstu28147 5 : dstu28147-wrap : DSTU Gost 28147-2009 key wrap
+
+ua-pki 1 1 2 : hmacWithDstu34311 : HMAC DSTU Gost 34311-95
+ua-pki 1 2 1 : dstu34311 : DSTU Gost 34311-95
+
+ua-pki 1 3 1 1 : dstu4145le : DSTU 4145-2002 little endian
+dstu4145le 1 1 : dstu4145be : DSTU 4145-2002 big endian
+
+# DSTU named curves
+dstu4145le 1 2 0 : uacurve0 : DSTU curve 0
+dstu4145le 1 2 1 : uacurve1 : DSTU curve 1
+dstu4145le 1 2 2 : uacurve2 : DSTU curve 2
+dstu4145le 1 2 3 : uacurve3 : DSTU curve 3
+dstu4145le 1 2 4 : uacurve4 : DSTU curve 4
+dstu4145le 1 2 5 : uacurve5 : DSTU curve 5
+dstu4145le 1 2 6 : uacurve6 : DSTU curve 6
+dstu4145le 1 2 7 : uacurve7 : DSTU curve 7
+dstu4145le 1 2 8 : uacurve8 : DSTU curve 8
+dstu4145le 1 2 9 : uacurve9 : DSTU curve 9
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index 9702ec5..345bf40 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -96,6 +96,10 @@
case NID_id_GostR3410_2001:
ret=EVP_PKT_EXCH|EVP_PKT_SIGN;
break;
+ case NID_dstu4145le:
+ case NID_dstu4145be:
+ ret=EVP_PKT_SIGN;
+ break;
default:
break;
}
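Review bot: The new cases classify DSTU 4145 keys as `EVP_PKT_SIGN` only, while the GOST R 34.10-2001 case directly above also grants `EVP_PKT_EXCH`; nothing in the hunk says why, and a reader could take the difference for an omission. A short comment settles it, e.g. `/* DSTU 4145 is a signature-only scheme: no key-exchange flag */` above the two case labels. The enclosing switch belongs to a function that starts outside the hunk; if that function also maps key types to `EVP_PK_*` bits in an earlier switch (not in view), check whether DSTU needs an entry there as well.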
diff --git a/engines/Makefile b/engines/Makefile
index 4bad384..f107828 100644
--- a/engines/Makefile
+++ b/engines/Makefile
@@ -9,7 +9,7 @@
CFLAG=-g
MAKEFILE= Makefile
AR= ar r
-ENGDIRS= ccgost
+ENGDIRS= ccgost uadstu
RECURSIVE_MAKE= [ -z "$(ENGDIRS)" ] || for i in $(ENGDIRS) ; do \
(cd $$i && echo "making $$target in $(DIR)/$$i..." && \
@@ -148,6 +148,7 @@
-nostatic -staticloader -write e_$$l.c; \
done
(cd ccgost; $(MAKE) PERL=$(PERL) errors)
+ (cd uadstu; $(MAKE) PERL=$(PERL) errors)
tests:
diff --git a/test/Makefile b/test/Makefile
index d4b6699..6531f91 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -85,6 +85,7 @@
FIPS_TEST_SUITE=fips_test_suite
FIPS_CMACTEST= fips_cmactest
FIPS_ALGVS= fips_algvs
+DSTUTEST= dstutest
TESTS= alltests
@@ -94,7 +95,7 @@
$(DESTEST)$(EXE_EXT) $(SHATEST)$(EXE_EXT) $(SHA1TEST)$(EXE_EXT) $(SHA256TEST)$(EXE_EXT) $(SHA512TEST)$(EXE_EXT) \
$(MDC2TEST)$(EXE_EXT) $(RMDTEST)$(EXE_EXT) \
$(RANDTEST)$(EXE_EXT) $(DHTEST)$(EXE_EXT) $(ENGINETEST)$(EXE_EXT) \
- $(GOST2814789TEST)$(EXE_EXT) \
+ $(GOST2814789TEST)$(EXE_EXT) $(DSTUTEST)$(EXE_EXT) \
$(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTEST)$(EXE_EXT) \
$(EXPTEST)$(EXE_EXT) $(DSATEST)$(EXE_EXT) $(RSATEST)$(EXE_EXT) \
$(EVPTEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) $(JPAKETEST)$(EXE_EXT) $(SRPTEST)$(EXE_EXT) \
@@ -127,7 +128,7 @@
$(FIPS_TEST_SUITE).o $(FIPS_DHVS).o $(FIPS_ECDSAVS).o \
$(FIPS_ECDHVS).o $(FIPS_CMACTEST).o $(FIPS_ALGVS).o \
$(EVPTEST).o $(IGETEST).o $(JPAKETEST).o $(V3NAMETEST).o \
- $(GOST2814789TEST).o
+ $(GOST2814789TEST).o $(DSTUTEST).o
SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \
$(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \
$(HMACTEST).c $(WPTEST).c \
@@ -142,7 +143,7 @@
$(FIPS_TEST_SUITE).c $(FIPS_DHVS).c $(FIPS_ECDSAVS).c \
$(FIPS_ECDHVS).c $(FIPS_CMACTEST).c $(FIPS_ALGVS).c \
$(EVPTEST).c $(IGETEST).c $(JPAKETEST).c $(V3NAMETEST).c \
- $(GOST2814789TEST).c
+ $(GOST2814789TEST).c $(DSTUTEST).c
EXHEADER=
HEADER= $(EXHEADER)
@@ -190,7 +191,7 @@
test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
test_ss test_ca test_engine test_evp test_ssl test_tsa test_ige \
test_jpake test_srp test_cms test_v3name test_ocsp \
- test_gost2814789
+ test_gost2814789 test_dstu
test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt
../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt
@@ -248,6 +249,9 @@
test_gost2814789: $(GOST2814789TEST)$(EXE_EXT)
../util/shlib_wrap.sh ./$(GOST2814789TEST)
+
+test_dstu: $(DSTUTEST)$(EXE_EXT)
+ ../util/shlib_wrap.sh ./$(DSTUTEST)
test_enc: ../apps/openssl$(EXE_EXT) testenc
@sh ./testenc
@@ -565,6 +569,9 @@
$(GOST2814789TEST)$(EXE_EXT): $(GOST2814789TEST).o $(DLIBCRYPTO)
@target=$(GOST2814789TEST); $(BUILD_CMD)
+
+$(DSTUTEST)$(EXE_EXT): $(DSTUTEST).o $(DLIBCRYPTO)
+ @target=$(DSTUTEST); $(BUILD_CMD)
$(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
@target=$(RANDTEST); $(BUILD_CMD)
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 90ae84b..7a6d7a4 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -305,6 +305,7 @@
$cflags.=" -DOPENSSL_NO_ECDSA" if $no_ecdsa;
$cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh;
$cflags.=" -DOPENSSL_NO_GOST" if $no_gost;
+$cflags.=" -DOPENSSL_NO_DSTU" if $no_dstu;
$cflags.=" -DOPENSSL_NO_ENGINE" if $no_engine;
$cflags.=" -DOPENSSL_NO_HW" if $no_hw;
$cflags.=" -DOPENSSL_FIPS" if $fips;
@@ -1066,6 +1067,7 @@
return("") if $no_dh && $dir =~ /\/dh/;
return("") if $no_ec && $dir =~ /\/ec/;
return("") if $no_gost && $dir =~ /\/ccgost/;
+ return("") if $no_dstu && $dir =~ /\/uadstu/;
return("") if $no_cms && $dir =~ /\/cms/;
return("") if $no_jpake && $dir =~ /\/jpake/;
return("") if !$fips && $dir =~ /^fips/;
@@ -1431,6 +1433,7 @@
"no-ecdsa" => \$no_ecdsa,
"no-ecdh" => \$no_ecdh,
"no-gost" => \$no_gost,
+ "no-dstu" => \$no_dstu,
"no-engine" => \$no_engine,
"no-hw" => \$no_hw,
"just-ssl" =>
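Review bot: The Windows build gets an explicit `no-dstu` option but nothing derives it from `no-ec2m` or `no-ec`, so mk1mf.pl and the Unix Configure hunk (which forces dstu off whenever ec2m is disabled) disagree: a `no-ec2m` mk1mf.pl build would still compile engines/uadstu and never define `OPENSSL_NO_DSTU`. If mk1mf.pl already has a place where `$no_ecdsa` and friends are implied by `$no_ec` (not in view), add `$no_dstu = 1 if $no_ec || $no_ec2m;` there, ahead of the `-DOPENSSL_NO_DSTU` line added in the first mk1mf.pl hunk. The same concern applies to the first and second mk1mf.pl hunks, which only test `$no_dstu`.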
diff --git a/util/mkdef.pl b/util/mkdef.pl
index 8d74eaa..03baeea 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -86,7 +86,7 @@
"CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
"SHA256", "SHA512", "RIPEMD",
"MDC2", "WHIRLPOOL", "RSA", "DSA", "DH", "EC", "ECDH", "ECDSA", "EC2M",
- "HMAC", "AES", "CAMELLIA", "SEED", "GOST",
+ "HMAC", "AES", "CAMELLIA", "SEED", "GOST", "DSTU",
# EC_NISTP_64_GCC_128
"EC_NISTP_64_GCC_128",
# Envelope "algorithms"
diff --git a/util/mkfiles.pl b/util/mkfiles.pl
index 7dff4a6..b5e16be 100755
--- a/util/mkfiles.pl
+++ b/util/mkfiles.pl
@@ -81,6 +81,7 @@
"apps",
"engines",
"engines/ccgost",
+"engines/uadstu",
"test",
"tools"
);
diff --git a/crypto/x509v3/v3_skey.c b/crypto/x509v3/v3_skey.c
index 0a984fb..ce95df1 100644
--- a/crypto/x509v3/v3_skey.c
+++ b/crypto/x509v3/v3_skey.c
@@ -105,6 +105,10 @@
ASN1_BIT_STRING *pk;
unsigned char pkey_dig[EVP_MAX_MD_SIZE];
unsigned int diglen;
+ EVP_MD_CTX md_ctx;
+ int pubkeynid = NID_undef;
+ EVP_PKEY *pkey = NULL;
+ X509_PUBKEY *pubkey = NULL;
if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
@@ -120,17 +124,47 @@
goto err;
}
- if(ctx->subject_req)
- pk = ctx->subject_req->req_info->pubkey->public_key;
- else pk = ctx->subject_cert->cert_info->key->public_key;
+ if(ctx->subject_req) {
+ pubkeynid = OBJ_obj2nid(ctx->subject_req->req_info->pubkey->algor->algorithm);
+ pubkey = ctx->subject_req->req_info->pubkey;
+ }
+ else {
+ pubkeynid = OBJ_obj2nid(ctx->subject_cert->cert_info->key->algor->algorithm);
+ pubkey = ctx->subject_cert->cert_info->key;
+ }
+
+ pk = pubkey->public_key;
if(!pk) {
X509V3err(X509V3_F_S2I_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
goto err;
}
- if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL))
- goto err;
+ if ((NID_dstu4145le == pubkeynid) || (NID_dstu4145be == pubkeynid)) {
+ pkey = X509_PUBKEY_get(pubkey);
+ if (!pkey)
+ goto err;
+
+ EVP_MD_CTX_init(&md_ctx);
+
+ /* This is to make digest use s-box from public key if it is not the default one */
+ if (!EVP_DigestSignInit(&md_ctx, NULL, EVP_get_digestbynid(NID_dstu34311), NULL, pkey)) {
+ EVP_PKEY_free(pkey);
+ goto err;
+ }
+
+ EVP_PKEY_free(pkey);
+
+ if (!EVP_DigestUpdate(&md_ctx, pk->data, pk->length))
+ goto err;
+
+ if (!EVP_DigestFinal(&md_ctx, pkey_dig, &diglen))
+ goto err;
+ }
+ else {
+ if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL))
+ goto err;
+ }
if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
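Review bot: The DSTU branch leaks the digest context on two of its error exits: after `EVP_MD_CTX_init(&md_ctx)`, a failed `EVP_DigestSignInit` (which may already have attached a pkey context to md_ctx) and a failed `EVP_DigestUpdate` both `goto err` without `EVP_MD_CTX_cleanup(&md_ctx)`; only the last step releases it, because `EVP_DigestFinal` (unlike `_ex`) cleans the context itself. Add `EVP_MD_CTX_cleanup(&md_ctx);` before each of those two `goto err;` lines, e.g. `if (!EVP_DigestUpdate(&md_ctx, pk->data, pk->length)) { EVP_MD_CTX_cleanup(&md_ctx); goto err; }`. Freeing `pkey` right after the init is fine only as long as the sign-init keeps its own reference to the key inside the context (EVP_PKEY_CTX_new does), and a one-line comment saying so would stop the next reader from taking it for a use-after-free. The enclosing function (s2i_skey_id, judging by the error code) and its `err:` label lie outside the hunk.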