From: Eugene Syromiatnikov <esyr@openssl.org>
Date: Fri, 11 Jul 2025 17:23:39 +0000 (+0200)
Subject: Document LEGACY_GOST_PKCS12 environment variable
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=133889218e239ddbb243fb75734be67e63c616b4;p=thirdparty%2Fopenssl.git

Document LEGACY_GOST_PKCS12 environment variable

Add its mention to doc/man7/openssl-env.pod and describe its semantics
in doc/man3/PKCS12_gen_mac.pod.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28025)
---

diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod
index ebeee98f04e..2e8c9beab80 100644
--- a/doc/man3/PKCS12_gen_mac.pod
+++ b/doc/man3/PKCS12_gen_mac.pod
@@ -67,6 +67,28 @@ given passphrase. See L<passphrase-encoding(7)> for more information.
 
 All functions returning an integer return 1 on success and 0 if an error occurred.
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B<LEGACY_GOST_PKCS12>
+
+=for comment
+https://tc26.ru/standarts/metodicheskie-rekomendatsii/transportnyy-klyuchevoy-konteyner.html section 5.1
+https://tc26.ru/standard/rs/%D0%A0%2050.1.112-2016.pdf section 5
+https://meganorm.ru/mega_doc/norm/prikaz/25/r_1323565_1_041-2022_rekomendatsii_po_standartizatsii.html section 7.1
+
+If this environment variable is set, MAC generation that utilises
+GOST R 34.11-94 or GOST 34.11-2012 hashing algorithms is performed the usual
+way and not in accordance with the specification provided in the methodical
+recommendation MP 26.2.002-2012 (or in its later versions, standartisation
+recommendation P 50.1.112-2016 or P 1323565.1.041-2022)
+of Technical Committee 26, that specifies that the key used for MAC
+generation should be the last 32 bytes of the 96-byte sequence generated
+by L<PKCS5_PBKDF2_HMAC(3)> and not the whole sequence.
+
+=back
+
 =head1 CONFORMING TO
 
 IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>)
diff --git a/doc/man7/openssl-env.pod b/doc/man7/openssl-env.pod
index 2f4ea5f61c7..b9053e24693 100644
--- a/doc/man7/openssl-env.pod
+++ b/doc/man7/openssl-env.pod
@@ -23,6 +23,11 @@ See L<CTLOG_STORE_new(3)>.
 Specify a proxy hostname.
 See L<OSSL_HTTP_parse_url(3)>.
 
+=item B<LEGACY_GOST_PKCS12>
+
+Affects the way MAC is generated in PKCS#12 containers for GOST algorithms.
+See L<PKCS12_gen_mac(3)>.
+
 =item B<OPENSSL>
 
 Specifies the path to the B<openssl> executable. Used by