--- /dev/null
+diff -Nuar openssl-1.0.2d/crypto/evp/evp_pbe.c openssl-work/crypto/evp/evp_pbe.c
+--- openssl-1.0.2d/crypto/evp/evp_pbe.c 2015-07-09 15:53:21.000000000 +0400
++++ openssl-work/crypto/evp/evp_pbe.c 2015-03-26 13:00:21.000000000 +0400
+@@ -121,6 +121,10 @@
+ {EVP_PBE_TYPE_PRF, NID_hmacWithSHA384, -1, NID_sha384, 0},
+ {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0},
+ {EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0},
++ {EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_2012_256, -1,
++ NID_id_GostR3411_2012_256, 0},
++ {EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_2012_512, -1,
++ NID_id_GostR3411_2012_512, 0},
+ };
+
+ #ifdef TEST
+diff -Nuar openssl-1.0.2d/crypto/pkcs12/p12_mutl.c openssl-work/crypto/pkcs12/p12_mutl.c
+--- openssl-1.0.2d/crypto/pkcs12/p12_mutl.c 2015-07-09 15:53:21.000000000 +0400
++++ openssl-work/crypto/pkcs12/p12_mutl.c 2015-06-17 14:48:18.000000000 +0400
+@@ -65,6 +65,28 @@
+ # include <openssl/rand.h>
+ # include <openssl/pkcs12.h>
+
++# define TK26_MAC_KEY_LEN 32
++
++static int PKCS12_gen_gost_mac_key(const char *pass, int passlen,
++ const unsigned char *salt, int saltlen,
++ int iter, const EVP_MD *digest, int keylen,
++ unsigned char *key)
++{
++ unsigned char out[96];
++
++ if (keylen != TK26_MAC_KEY_LEN) {
++ return 0;
++ }
++
++ if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter,
++ digest, 96, out)) {
++ return 0;
++ }
++ memcpy(key, out + 64, TK26_MAC_KEY_LEN);
++ OPENSSL_cleanse(out, 96);
++ return 1;
++}
++
+ /* Generate a MAC */
+ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
+ unsigned char *mac, unsigned int *maclen)
+@@ -73,7 +95,7 @@
+ HMAC_CTX hmac;
+ unsigned char key[EVP_MAX_MD_SIZE], *salt;
+ int saltlen, iter;
+- int md_size;
++ int md_size = 0;
+
+ if (!PKCS7_type_is_data(p12->authsafes)) {
+ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_CONTENT_TYPE_NOT_DATA);
+@@ -93,8 +115,19 @@
+ md_size = EVP_MD_size(md_type);
+ if (md_size < 0)
+ return 0;
+- if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
+- md_size, key, md_type)) {
++ if ((md_type->type == NID_id_GostR3411_94
++ || md_type->type == NID_id_GostR3411_2012_256
++ || md_type->type == NID_id_GostR3411_2012_512)
++ && !getenv("LEGACY_GOST_PKCS12")) {
++ md_size = TK26_MAC_KEY_LEN;
++ if (!PKCS12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter,
++ md_type, md_size, key)) {
++ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
++ return 0;
++ }
++ } else
++ if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
++ md_size, key, md_type)) {
+ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
+ return 0;
+ }
+