Submitted by: "Victor B. Wagner" <vitus@cryptocom.ru>

 Changes between 0.9.8j and 0.9.9  [xx XXX xxxx]

  *) Update Gost ENGINE to support parameter files.

     [Victor B. Wagner <vitus@cryptocom.ru>]

  *) Support GeneralizedTime in ca utility. 

     [Oliver Martin <oliver@volatilevoid.net>, Steve Henson]

Where engine_id parameter specifies name of engine (should be "gost").

dynamic_path is a location of the loadable shared library implementing the

engine. If the engine is compiled statically or is located in the OpenSSL

engines directory, this line can be omitted. But as of October 2007 there is

some bug in OpenSSL engine initialization code which prevents engine from

correct initialization if it is loaded without explicit dynamic_path.

engines directory, this line can be omitted. 

default_algorithms parameter specifies that all algorithms, provided by

engine, should be used.

There are no algorithm-specific things with generation of certificate

request once you have a private key.

2. S/MIME operations

2. Generation of certificate request along with private/public keypar

   openssl req -newkey gost2001 -pkeyopt paramset:A

   Syntax of -pkeyopt parameter is identical with genpkey command.

   You can also use oldstyle syntax -newkey gost2001:paramfile, but in

   this case you should create parameter file first. 

   It can be created with

   openssl genpkey -genparam -algorithm gost2001 -pkeyopt paramset:A\

      -out paramfile.

3. S/MIME operations

If you want to send encrypted mail using GOST algorithms, don't forget

to specify -gost89 as encryption algorithm for OpenSSL smime command.

must be used for digital signing with GOST private key, it have no way

to derive symmetric encryption algorithm from key exchange keys.

3. TLS operations

4. TLS operations

OpenSSL supports all four ciphersuites defined in the IETF draft.

Once you've loaded GOST key and certificate into your TLS server,

This allows creation of TLS servers which use GOST ciphersuites for

Russian clients and RSA/DSA ciphersuites for foreign clients.

4. Calculation of digests and symmetric encryption

5. Calculation of digests and symmetric encryption

 OpenSSL provides specific commands (like sha1, aes etc) for calculation

 of digests and symmetric encryption. Since such commands cannot be

 added dynamically, no such commands are provided for GOST algorithms.

 openssl enc -gost89-cnt -out encrypted-file -in plain-text-file -k <passphrase>

5. Encrypting private keys and PKCS12

6. Encrypting private keys and PKCS12

To produce PKCS12 files compatible with MagPro CSP, you need to use

GOST algorithm for encryption of PKCS12 file and also GOST R 34.11-94

openssl pksc12 -export -inkey gost.pem -in gost_cert.pem -keypbe gost89\

   -certpbe gost89 -macalg md_gost94

7. Testing speed of symmetric ciphers.

To test performance of GOST symmetric ciphers you should use -evp switch

of the openssl speed command. Engine-provided ciphers couldn't be

accessed by cipher-specific functions, only via generic evp interface

 openssl speed -evp gost89

 openssl speed -evp gost89-cnt

PROGRAMMING INTERFACES DETAILS

/* e_gost_err.c */

/* ====================================================================

 * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.

 * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

{ERR_FUNC(GOST_F_PKEY_GOST01CP_DECRYPT),	"PKEY_GOST01CP_DECRYPT"},

{ERR_FUNC(GOST_F_PKEY_GOST01CP_ENCRYPT),	"PKEY_GOST01CP_ENCRYPT"},

{ERR_FUNC(GOST_F_PKEY_GOST01CP_KEYGEN),	"PKEY_GOST01CP_KEYGEN"},

{ERR_FUNC(GOST_F_PKEY_GOST01_PARAMGEN),	"PKEY_GOST01_PARAMGEN"},

{ERR_FUNC(GOST_F_PKEY_GOST2001_DERIVE),	"PKEY_GOST2001_DERIVE"},

{ERR_FUNC(GOST_F_PKEY_GOST94CP_DECRYPT),	"PKEY_GOST94CP_DECRYPT"},

{ERR_FUNC(GOST_F_PKEY_GOST94CP_ENCRYPT),	"PKEY_GOST94CP_ENCRYPT"},

{ERR_FUNC(GOST_F_PKEY_GOST94CP_KEYGEN),	"PKEY_GOST94CP_KEYGEN"},

{ERR_FUNC(GOST_F_PKEY_GOST94_PARAMGEN),	"PKEY_GOST94_PARAMGEN"},

{ERR_FUNC(GOST_F_PKEY_GOST_CTRL),	"PKEY_GOST_CTRL"},

{ERR_FUNC(GOST_F_PKEY_GOST_CTRL01_STR),	"PKEY_GOST_CTRL01_STR"},

{ERR_FUNC(GOST_F_PKEY_GOST_CTRL94_STR),	"PKEY_GOST_CTRL94_STR"},

#define GOST_F_PKEY_GOST01CP_DECRYPT			 118

#define GOST_F_PKEY_GOST01CP_ENCRYPT			 119

#define GOST_F_PKEY_GOST01CP_KEYGEN			 120

#define GOST_F_PKEY_GOST01_PARAMGEN			 138

#define GOST_F_PKEY_GOST2001_DERIVE			 121

#define GOST_F_PKEY_GOST94CP_DECRYPT			 122

#define GOST_F_PKEY_GOST94CP_ENCRYPT			 123

#define GOST_F_PKEY_GOST94CP_KEYGEN			 124

#define GOST_F_PKEY_GOST94_PARAMGEN			 139

#define GOST_F_PKEY_GOST_CTRL				 125

#define GOST_F_PKEY_GOST_CTRL01_STR			 126

#define GOST_F_PKEY_GOST_CTRL94_STR			 127

		}

	return -2;

}	

int gost94_param_encode(const EVP_PKEY *pkey, unsigned char **pder) 

{

   int nid=gost94_nid_by_params(EVP_PKEY_get0((EVP_PKEY *)pkey));

   return i2d_ASN1_OBJECT(OBJ_nid2obj(nid),pder);

}

int gost2001_param_encode(const EVP_PKEY *pkey, unsigned char **pder) 

{

   int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(EVP_PKEY_get0((EVP_PKEY *)pkey)));

   return i2d_ASN1_OBJECT(OBJ_nid2obj(nid),pder);

}

int gost94_param_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)

{

	ASN1_OBJECT *obj=NULL;

	DSA *dsa = EVP_PKEY_get0(pkey);

	int nid;

	if (d2i_ASN1_OBJECT(&obj,pder,derlen)==NULL) {

		return 0;

	}

	nid = OBJ_obj2nid(obj);

	ASN1_OBJECT_free(obj);

	if (!dsa) 

		{

		dsa=DSA_new();

		if (!EVP_PKEY_assign(pkey,NID_id_GostR3410_94,dsa)) return 0;

		}

	if (!fill_GOST94_params(dsa,nid)) return 0;

	return 1;

}	

int gost2001_param_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) {

	ASN1_OBJECT *obj=NULL;

	int nid;

	EC_KEY *ec = EVP_PKEY_get0(pkey);

	if (d2i_ASN1_OBJECT(&obj,pder,derlen)==NULL) {

		return 0;

	}

	nid = OBJ_obj2nid(obj);

	ASN1_OBJECT_free(obj);

	if (!ec) 

		{

		ec = EC_KEY_new();

		if (!EVP_PKEY_assign(pkey,NID_id_GostR3410_2001,ec)) return 0;

		}	

	if (!fill_GOST2001_params(ec, nid)) return 0;

	return 1;

}	

/* ----------------------------------------------------------------------*/

int register_ameth_gost (int nid, EVP_PKEY_ASN1_METHOD **ameth, const char* pemstr, const char* info) 

	{

				priv_decode_gost, priv_encode_gost, 

				priv_print_gost94);

			EVP_PKEY_asn1_set_param (*ameth, 0, 0,

			EVP_PKEY_asn1_set_param (*ameth, 

				gost94_param_decode, gost94_param_encode,

				param_missing_gost94, param_copy_gost94, 

				param_cmp_gost94,param_print_gost94 );

			EVP_PKEY_asn1_set_public (*ameth,

				priv_decode_gost, priv_encode_gost, 

				priv_print_gost01);

			EVP_PKEY_asn1_set_param (*ameth, 0, 0,

			EVP_PKEY_asn1_set_param (*ameth, 

				gost2001_param_decode, gost2001_param_encode,

				param_missing_gost01, param_copy_gost01, 

				param_cmp_gost01, param_print_gost01);

			EVP_PKEY_asn1_set_public (*ameth,