support, new algorithms can be added even without recompilation of
OpenSSL and applications which use it.
+COMPILING AND INSTALLATION
+
+This engine is a drop-in replacement of the GOST engine included in openssl
+1.0.2. The original version does not support GOST2012 algorithms. To compile
+it, you MUST apply the required patches (from the patches/ folder) to the
+openssl 1.0.2 source tree and copy all files from the current directory to the
+openssl/engines/ccgost folder. After that you will be able to configure and
+build openssl using standard options.
+
ALGORITHMS SUPPORTED
-GOST R 34.10-94 and GOST R 34.10-2001 - digital signature algorithms.
+GOST R 34.10-2001 and GOST R 34.10-2012 - digital signature algorithms.
Also support key exchange based on public keys. See RFC 4357 for
details of VKO key exchange algorithm. These algorithms use
256 bit private keys. Public keys are 1024 bit for 94 and 512 bit for
2001 (which is elliptic-curve based). Key exchange algorithms
(VKO R 34.10) are supported on these keys too.
-GOST R 34.11-94 Message digest algorithm. 256-bit hash value
+GOST R 34.11-2012 Message digest algorithm. 256-bit hash value
GOST 28147-89 - Symmetric cipher with 256-bit key. Various modes are
defined in the standard, but only CFB and CNT modes are implemented
It has 256-bit symmetric key and only 32 bits of MAC value
(while HMAC has same key size and value size).
+ Really, this algorithm supports from 8 to 64 bits of the MAC value
+
It is implemented as combination of EVP_PKEY type and EVP_MD type.
USAGE OF THESE ALGORITHMS
implementation of this mac) and OpenSSL is clever enough to find out
this.
+ Following mac options are supported:
+
+ key:(32 bytes of key)
+
+ hexkey:(64 hexadecimal digits of key)
+
+ Engine support calculation of mac with size different from default 32
+ bits. You can set mac size to any value from 1 to 8 bytes using
+
+ -sigopt size:(number from 1 to 8 - mac size in bytes)
+
+ (dgst command uses different EVP_PKEY_CTX for initialization and for
+ finalization of MAC. Option of first are set via -macopt, and for
+ second via -sigopt. Key should be set during initialization and size
+ during finalization. If you use API functions
+ EVP_DigestSignInit/EVP_DigestSignFinal, you can set both options at
+ the same time).
+
Encryption with GOST 28147 CFB mode
openssl enc -gost89 -out encrypted-file -in plain-text-file -k <passphrase>
Encryption with GOST 28147 CNT mode
openssl enc -gost89-cnt -out encrypted-file -in plain-text-file -k <passphrase>
-
+ Encryption with GOST 28147 CBC mode
+ openssl enc -gost89-cbc -out encrypted-file -in plain-text-file -k <passphrase>
6. Encrypting private keys and PKCS12
openssl speed -evp gost89
openssl speed -evp gost89-cnt
+ openssl speed -evp gost89-cbc
PROGRAMMING INTERFACES DETAILS
projects / openssl-gost / engine.git / blobdiff