From 9e29188aa77e248cac3f76e0c308a76f285b10cc Mon Sep 17 00:00:00 2001 From: Norbert Pocs Date: Tue, 2 Dec 2025 11:58:07 +0100 Subject: [PATCH] Add GOST provider related docs GOST provider is in a good shape already, so keep the mentions rewritten to provider instead of the engine. Resolves: https://github.com/openssl/project/issues/1733 Signed-off-by: Norbert Pocs Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/29286) --- doc/man1/openssl-ciphers.pod.in | 12 +++++++----- doc/man1/openssl-dgst.pod.in | 5 +++-- doc/man1/openssl-req.pod.in | 6 +++++- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in index 24852e2dc9b..217326d1221 100644 --- a/doc/man1/openssl-ciphers.pod.in +++ b/doc/man1/openssl-ciphers.pod.in @@ -359,7 +359,7 @@ Cipher suites using SHA256 or SHA384. =item B Cipher suites using GOST R 34.10 (either 2001 or 94) for authentication -(needs a provider supporting GOST algorithms). +(needs a provider that supports GOST algorithms). =item B @@ -512,8 +512,9 @@ is used. =head2 GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0 -Note: these ciphers require a GOST provider which isn't part of OpenSSL and a -3rd party implementation is a work in progress. +Note: these ciphers require a provider that supports GOST cryptographic +algorithms, such as the B provider, which isn't part of the OpenSSL +distribution. TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94-GOST89-GOST89 TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001-GOST89-GOST89 
@@ -522,8 +523,9 @@ Note: these ciphers require a GOST provider which isn't part of OpenSSL and a =head2 GOST cipher suites, extending TLS v1.2 -Note: these ciphers require a GOST provider which isn't part of OpenSSL and a -3rd party implementation is a work in progress. +Note: these ciphers require a provider that supports GOST cryptographic +algorithms, such as the B provider, which isn't part of the OpenSSL +distribution. TLS_GOSTR341112_256_WITH_28147_CNT_IMIT GOST2012-GOST8912-GOST8912 TLS_GOSTR341112_256_WITH_NULL_GOSTR3411 GOST2012-NULL-GOST12 diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index eaf332367db..8aa2cf79c19 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -190,8 +190,9 @@ option. Create MAC (keyed Message Authentication Code). The most popular MAC algorithm is HMAC (hash-based MAC), but there are other MAC algorithms -which are not based on hash. MAC keys and other options should be set -via B<-macopt> parameter. +which are not based on a digest algorithm, for instance the B +algorithm, supported by the B provider. MAC keys and other options +should be set via B<-macopt> parameter. Cannot be used together with -hmac, -hmac-env and -hmac-stdin. diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 8e3dea6a2c5..ae9724b16e3 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -202,7 +202,11 @@ any necessary parameters should be specified via the B<-pkeyopt> option. BI generates a DSA key using the parameters in the file I. BI generates EC key (usable both with -ECDSA or ECDH algorithms). +ECDSA or ECDH algorithms), BI, BI +and BI generate GOST R 34.10-2001 and GOST R 34.10-2012 +keys with a 256 and 512 bit modulus respectively (these require the B +provider). If just B is specified, a parameter set should be specified +by B<-pkeyopt> I. =item B<-pkeyopt> I:I -- 2.47.3
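Review bot: in the `@@ -512` hunk of doc/man1/openssl-ciphers.pod.in, the trailing clause "which isn't part of the OpenSSL distribution" can be read as attaching to "GOST cryptographic algorithms" rather than to the provider. The note also does not say that the provider has to be installed and loaded separately. Suggest splitting the sentence: first state the requirement (keeping the named example provider), then add something like "This provider is not part of the OpenSSL distribution and must be installed and loaded separately." The same three-line note is added again in the `@@ -522` hunk, so the chosen wording should be applied in both places.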
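Review bot: in the `@@ -190` hunk of doc/man1/openssl-dgst.pod.in, the new example of a MAC that is "not based on a digest algorithm" names its provider without saying that the provider is external. The ciphers notes in this same patch do say it "isn't part of the OpenSSL distribution". Someone reading only the dgst page could assume the algorithm is available in a default installation, so suggest repeating that qualifier here. Since the following sentence is being rewrapped anyway, "should be set via B<-macopt> parameter" could also gain its missing article: "via the B<-macopt> parameter".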
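Review bot: in the `@@ -202` hunk of doc/man1/openssl-req.pod.in, the added sentence lists three key types but pairs them with two standards and two sizes using "respectively" ("GOST R 34.10-2001 and GOST R 34.10-2012 keys with a 256 and 512 bit modulus respectively"). The reader cannot tell which option yields which standard and key size. Suggest one clause per option, each stating its standard and bit length explicitly. The change also replaces the full stop after "ECDSA or ECDH algorithms)" with a comma, which fuses the EC description and the GOST description into one run-on sentence. Keeping the full stop and starting the GOST text as its own sentence would read better. Finally, "If just B is specified, a parameter set should be specified" repeats "specified"; "a parameter set should be supplied via B<-pkeyopt>" would be cleaner.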