
OpenSSL and GOST engine issue (statically linked library )


Abyss Lingvo
Jun 13, 2012, 9:21:50 AM
Hi all!

This is my first mail to the openssl mailing list.

I have a problem with a statically linked OpenSSL library and the GOST crypto engine (OpenSSL 1.0.0g).

I have a simple client/server application using GOST keys and certificates. It works fine with GOST keys, but only if I use the dynamically linked version of the OpenSSL library. If I try to use statically linked OpenSSL, I get an error message.

This is how I initialize the OpenSSL library:

OPENSSL_config("correct config file path");
SSL_library_init();
SSL_load_error_strings();

When I try to read the certificate file, I get an error:

SSL_CTX_use_certificate_chain_file(ctx, CERTFILE)

The return value here is not 1, so this is an error.

The human-readable error message is:

3084809868:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
3084809868:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:
3084809868:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:

When I use the same code with the dynamically linked OpenSSL library and the external GOST engine library, everything works fine. So what is the difference between the static and dynamic versions? The only idea I have at this time is that my library initialization sequence is wrong.

I checked the symbols in the compiled libcrypto.a library:

nm ./libcrypto.a | grep gost

This command gave me output with many GOST functions that were included in the libcrypto.a library, so I think the library was compiled properly and all GOST engine functions were included in the static library.

The "Unsupported algorithm" error message means that the GOST functions were not initialized properly. The question is: how do I properly initialize engines with statically linked OpenSSL?

Is it possible to use engines with a statically linked OpenSSL library in general?

Best Regards
Xidex
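The three records in that error dump already say where the failure starts, once the packed hex codes are unpacked. The Python below is an added example, not code from the thread or from OpenSSL: it parses ERR_print_errors() output (the sample is the dump above, split one record per line, as ERR_print_errors() writes it) and splits each 32-bit code into library, function and reason numbers the way ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON do in OpenSSL 1.0.x. The library-number table is limited to a few ERR_LIB_* values from OpenSSL 1.0.x err.h. The queue is printed oldest first, so the first record is the root cause: the EVP layer (lib 6), in PKEY_SET_TYPE, could not find a public-key ASN.1 method for the certificate's key algorithm. For GOST keys those methods are supplied by the engine, so this record is the signature of an engine whose methods were never registered in the process, which is what the later replies address.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three records from the first message of the thread, split
# one per line as ERR_print_errors() emits them.
SAMPLE_ERRORS = """\
3084809868:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
3084809868:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:
3084809868:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:
"""

# Library numbers from OpenSSL 1.0.x crypto/err/err.h (ERR_LIB_*), limited to the ones
# this thread's records use plus two common neighbours.
ERR_LIB_NAMES = {6: "EVP", 9: "PEM", 11: "X509", 13: "ASN1", 20: "SSL"}

# Record layout: pid:error:CODE:library:function:reason:file:line:[extra]
ERROR_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)


def unpack_code(code: int) -> Dict[str, int]:
    """Split a packed error code the way ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON
    do in OpenSSL 1.0.x: 8 bits of library, 12 bits of function, 12 bits of reason."""
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
    }


def parse_error_queue(text: str) -> List[Dict[str, object]]:
    """Parse ERR_print_errors() output into records, oldest first (queue order).
    Lines that are not OpenSSL error records are skipped."""
    records: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = ERROR_LINE.match(raw.strip())
        if not m:
            continue
        code = int(m.group("code"), 16)
        parts = unpack_code(code)
        records.append({
            "pid": int(m.group("pid")),
            "code": code,
            "lib_num": parts["lib"],
            "lib_name": ERR_LIB_NAMES.get(parts["lib"], f"lib#{parts['lib']}"),
            "func_num": parts["func"],
            "reason_num": parts["reason"],
            "lib": m.group("lib"),
            "func": m.group("func"),
            "reason": m.group("reason"),
            "file": m.group("file"),
            "line": int(m.group("line")),
        })
    return records


def root_cause(records: List[Dict[str, object]]) -> Optional[Dict[str, object]]:
    """ERR_print_errors() drains the queue oldest first, so the first record is the
    innermost failure; the later records are its callers reporting the same problem."""
    return records[0] if records else None


def explain(records: List[Dict[str, object]]) -> str:
    """Render the chain as one line per frame, innermost first."""
    return "\n".join(
        f"{r['lib_name']}({r['lib_num']}) func={r['func_num']} reason={r['reason_num']}: "
        f"{r['func']} -> {r['reason']} [{r['file']}:{r['line']}]"
        for r in records
    )


if __name__ == "__main__":
    recs = parse_error_queue(SAMPLE_ERRORS)
    print(explain(recs))
    rc = root_cause(recs)
    print(f"root cause: {rc['lib_name']} {rc['func']}: {rc['reason']}")
```

The function and reason numbers are only meaningful together with the library number; the text fields that ERR_print_errors() already resolves (PKEY_SET_TYPE, "unsupported algorithm") are the human-readable form of the same 12-bit values, so the decoder is mainly useful when a log carries only the bare hex code.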

Andrey Koltsov
Jun 14, 2012, 1:29:29 AM
Hi.

I think you should add
OpenSSL_add_all_algorithms();
in your initialization part.

Best regards,

Andrey Koltsov
software developer

13.06.2012 17:21, Abyss Lingvo wrote:
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Abyss Lingvo
Jun 14, 2012, 7:25:53 AM
I have added the OpenSSL_add_all_algorithms(); function call to the initialization part, but without success.
The same behavior as before.

What's more, the dynamically linked version works without the OpenSSL_add_all_algorithms() call.



 

Andrey Koltsov
Jun 14, 2012, 8:40:12 AM
Do you have the following sections in your openssl.cnf file?

[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

There should not be any dynamic_path parameter in gost_section.


Best regards,

Andrey Koltsov
software developer


14.06.2012 15:25, Abyss Lingvo wrote:
> I have added the OpenSSL_add_all_algorithms(); function call to the initialization part, but without success.
> The same behavior as before.
>
> What's more, the dynamically linked version works without the OpenSSL_add_all_algorithms() call.

Abyss Lingvo
Jun 14, 2012, 8:56:01 AM
>>Do you have the following sections in your openssl.cnf file?

Yes, I have these sections in my openssl.cnf, and no dynamic_path parameter.
It happens only if I use static linkage (with libssl.a and libcrypto.a).
If I use dynamic linkage with OpenSSL (with libssl.so and libcrypto.so) everything works fine.

 
From: Andrey Koltsov <kol...@cyberplat.com>
To: "openss...@openssl.org" <openss...@openssl.org>
Sent: Thursday, 14 June 2012 16:40
Subject: Re: OpenSSL and GOST engine issue (statically linked library )

Vladimir Belov
Jun 14, 2012, 9:41:41 AM

>>"Unsupported algorithm" error message means that GOST functions was not initialized properly. The question is: how
>>properly initialize engines with statically linked openSSL?

How do you init the GOST engine with statically linked OpenSSL?

What does the following code show you:
//testing loading GOST engine with statically linked openssl library
ENGINE *e;
const char *engine_id = "gost";
ENGINE_load_openssl();
ENGINE_load_builtin_engines();
e = ENGINE_by_id(engine_id);
if(!e)
{
/* the engine isn't available */
ERR_print_errors(bf_log); /* bf_log: a BIO* the application opened for error output */
return 1;
}
if(!ENGINE_init(e)) {
/* the engine couldn't initialise, release 'e' */
ERR_print_errors(bf_log);
ENGINE_free(e);
return 1;
}

//if we get here, initialization seems to be ok

ENGINE_free(e);
ENGINE_cleanup();


-------------------------------------------------------------------------------------------------------
From: Abyss Lingvo
Sent: Wednesday, June 13, 2012 5:21 PM
To: openss...@openssl.org
Subject: OpenSSL and GOST engine issue (statically linked library )

Vladimir Belov
Jun 14, 2012, 10:01:13 AM
I made a mistake in the code, and it is possible that not all engines are loaded with ENGINE_load_builtin_engines:

What does the following code show you:

//testing loading GOST engine
ENGINE *e;
const char *engine_id = "gost";
ENGINE_load_openssl();
//ENGINE_load_builtin_engines();
ENGINE_load_gost();
e = ENGINE_by_id(engine_id);
if(!e)
{
/* the engine isn't available */
ERR_print_errors(bf_log);
return 1;
}
if(!ENGINE_init(e))
{
/* the engine couldn't initialise, release 'e' */
ERR_print_errors(bf_log);
ENGINE_free(e);
return 1;
}



--------------------------------------------------------------------------------------------------------

Abyss Lingvo
Jun 15, 2012, 2:34:48 AM
Hi Vladimir,

I have inserted your code into my application between

OPENSSL_config("correct config file path");
SSL_library_init();
SSL_load_error_strings();

and

SSL_CTX_use_certificate_chain_file(ctx, CERTFILE)

The code was executed without errors, but the SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) call causes the same error: Unsupported algorithm.

As far as I understood, the main idea of this code is to get the engine and initialize it with ENGINE_init(e).
What is the further use of this ENGINE* pointer? It seems that I can "forget" about it.

Why is the ENGINE_init(e) call not necessary for dynamic linkage?
I thought that everything should be the same because I pass the correct configuration file path to OPENSSL_config("correct config file path");

I read the "Network Security with OpenSSL" book and the CryptoCom documentation http://www.cryptocom.ru/products/cryptopacket.html#docs
Unfortunately, neither source contains information on how to handle engines (especially in the case of static linkage).




From: Vladimir Belov <ml.vlad...@gmail.com>
To: openss...@openssl.org
Sent: Thursday, 14 June 2012 18:01
Subject: Re: OpenSSL and GOST engine issue (statically linked library )

Vladimir Belov
Jun 15, 2012, 8:13:22 AM
>>As far as I understood the main idea of this code is to get engine and initialize it by ENGINE_init(e).
My code was only for testing the loading and initialization of a specific ENGINE.

>>What is the further use of this ENGINE* pointer? It seems that i can "forget" about it
A variable of type ENGINE can be used directly in many cryptographic functions, such as EVP_EncryptInit_ex and many
others.


>>The code was executed without errors but SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) function call cause the
>>same error: Unsupported algorithm.
So, if the "gost" engine is successfully loaded, then try this code:


SSL_load_error_strings();
ENGINE *e;
const char *engine_id = "gost";
ENGINE_load_openssl();
ENGINE_load_gost();
e = ENGINE_by_id(engine_id);
if(!e)
{
//the engine isn't available
ERR_print_errors(bf_log);
return 1;
}
ENGINE_register_complete(e);

OpenSSL_add_all_algorithms();
SSL_library_init();


//here is your code



//at the end of the program
ENGINE_free(e);
ENGINE_cleanup();





------------------------------------------------------------------------------------------------------------------------------------
From: Abyss Lingvo
Sent: Friday, June 15, 2012 10:34 AM
To: openss...@openssl.org
Subject: OpenSSL and GOST engine issue (statically linked library )

Alexandre Aufrere
Jun 15, 2012, 11:16:47 AM
Hello,

IIRC, when you do dynamic linkage, the conf file is parsed and engine initiated as per conf file, not when you do static linkage. Hence your issue.

More generally, it's a bad idea to link statically in the context of GOST use: if at one point you need to use FSB certified GOST, you'll run into trouble (there are chances, depending how you use it, that you'll need to submit your code for certification).

Regards,
Alexandre


On 15/06/2012 08:34, Abyss Lingvo wrote:

Abyss Lingvo
Jun 16, 2012, 2:28:29 PM
>>IIRC, when you do dynamic linkage, the conf file is parsed and engine initiated as per conf file, not when you do static linkage. Hence your issue.
The question is how to initialize this engine programmatically.
I called OPENSSL_config("correct config file path") with the correct config file path. It doesn't work.

>>More generally, it's a bad idea to link statically in the context of GOST use.
I can't change it. Static linkage is a requirement.

Best Regards
Vladislav

From: Alexandre Aufrere <alexandr...@opentrust.com>
To: openss...@openssl.org
Cc: Abyss Lingvo <xide...@yahoo.com>
Sent: Friday, 15 June 2012 18:16

Abyss Lingvo
Jun 19, 2012, 2:24:56 AM
Hi All,

My OPENSSL_config(const char *config_name) call was incorrect.
I thought that config_name was the path to the configuration file.
But it is the config name.
As usual, it is impossible to understand what config_name is from the openssl documentation.
So OPENSSL_config gets its configuration from the default openssl.cnf location.
My default file did not contain the proper GOST configuration lines ([gost_section], engine_id, CRYPT_PARAMS, etc.).

I added the needed configuration lines to the default configuration file for the static version of the OpenSSL library.
Now my application crashes on the SSL_library_init() call with SIGSEGV.
(I got more details from gdb. The crash is in the file lhash.c, line 292 (openssl version 1.0.0g): func_arg(a->data, arg);)

What can it be? What is wrong?

Best Regards
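Andrey's openssl.cnf sections earlier in the thread and the finding just above that OPENSSL_config()'s argument is the name of a top-level key (default "openssl_conf"), not a file path, are two halves of one check: is the engine section reachable from what OPENSSL_config actually looks up? The Python below is an added example, not code from the thread or from OpenSSL. It parses a constructed openssl.cnf excerpt (Andrey's sections, preceded by an assumed top-level `openssl_conf = openssl_def` line, which is the key OPENSSL_config(NULL) resolves) and walks the chain openssl_conf -> engines -> engine list -> engine section, reporting a missing top-level key, a missing `engines` entry, a dangling section reference, and a `dynamic_path` in a statically linked build. The `/path/to/libgost.so` value is a placeholder, and the parser ignores `$var` expansion.

```python
from typing import Dict, List, Optional

Sections = Dict[str, Dict[str, str]]

# Constructed openssl.cnf excerpt: the sections Andrey posted, preceded by the
# top-level `openssl_conf = openssl_def` line that OPENSSL_config(NULL) looks up.
SAMPLE_CNF = """\
# constructed excerpt, not a real openssl.cnf
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
"""

# Same excerpt with a dynamic_path line appended to gost_section (placeholder path).
SAMPLE_CNF_DYNAMIC = SAMPLE_CNF + "dynamic_path = /path/to/libgost.so\n"


def parse_cnf(text: str) -> Sections:
    """Minimal reader for the OpenSSL CONF format: `[section]` headers, `key = value`
    pairs and `#` comments. Keys that appear before any header belong to the unnamed
    default section, stored here under the key "". `$var` expansion is not handled."""
    sections: Sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line
        sections[current][key.strip()] = value.strip()
    return sections


def check_engine_config(sections: Sections, config_name: Optional[str] = None,
                        static_link: bool = True) -> List[str]:
    """Walk the chain OPENSSL_config() follows and return a list of problems; an
    empty list means the engine section is reachable and consistent.

    config_name mirrors OPENSSL_config's argument: the *name* of the top-level key
    that points at the application section, not a file path. None selects the
    default name "openssl_conf"."""
    problems: List[str] = []
    app_key = config_name if config_name is not None else "openssl_conf"
    app_section = sections.get("", {}).get(app_key)
    if app_section is None:
        return [f"no top-level key '{app_key}': OPENSSL_config would configure nothing"]

    engines_section = sections.get(app_section, {}).get("engines")
    if engines_section is None:
        return [f"section [{app_section}] has no 'engines' key: no engine is configured"]

    engine_list = sections.get(engines_section, {})
    if not engine_list:
        return [f"engine list section [{engines_section}] is missing or empty"]

    for name, body_name in engine_list.items():
        body = sections.get(body_name, {})
        if not body:
            problems.append(f"engine '{name}' points at missing section [{body_name}]")
            continue
        engine_id = body.get("engine_id", name)  # engine_id defaults to the list name
        if static_link and "dynamic_path" in body:
            problems.append(
                f"engine '{engine_id}': dynamic_path is set, but a statically linked "
                f"build has no shared engine to load; remove it")
    return problems


if __name__ == "__main__":
    secs = parse_cnf(SAMPLE_CNF)
    print("static, default name:", check_engine_config(secs) or "OK")
    print("static, path passed as name:",
          check_engine_config(secs, config_name="/etc/ssl/openssl.cnf"))
    print("static, dynamic_path present:",
          check_engine_config(parse_cnf(SAMPLE_CNF_DYNAMIC)))
    print("dynamic, dynamic_path present:",
          check_engine_config(parse_cnf(SAMPLE_CNF_DYNAMIC), static_link=False) or "OK")
```

Two practical notes. OPENSSL_config() reads the compiled-in OPENSSLDIR/openssl.cnf unless the OPENSSL_CONF environment variable names another file, which is the least invasive way to give a static build its own configuration without editing the system file. And the checker only validates the configuration chain: with a static build the engine still has to be present in the internal engine list (ENGINE_load_builtin_engines() or the engine's own ENGINE_load_gost(), as in Vladimir's snippets) before the configuration module's ENGINE_by_id lookup can find it, whereas in OpenSSL 1.0.x a dynamically linked build can fall back to loading a shared engine of that id from the engines directory, which is consistent with the dynamic build in this thread working without any extra calls.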

Abyss Lingvo
Jun 21, 2012, 7:00:07 AM
I am in doubt about the possibility of using an engine (any engine) with statically linked OpenSSL.

Does anybody have real experience with the GOST engine and statically linked OpenSSL, or experience using any engine with statically linked OpenSSL?

Best Regards
Vladislav

From: Alexandre Aufrere <alexandr...@opentrust.com>
To: openss...@openssl.org
Cc: Abyss Lingvo <xide...@yahoo.com>
Sent: Friday, 15 June 2012 19:16