Hello,
IIRC, when you do dynamic linkage, the conf file is parsed and the engine
initiated as per the conf file, not when you do static linkage. Hence your
issue.
More generally, it's a bad idea to link statically in the context of
GOST use: if at one point you need to use FSB-certified GOST, you'll run
into trouble (there are chances, depending on how you use it, that you'll
need to submit your code for certification).
Regards,
Alexandre
On 15/06/2012 08:34, Abyss Lingvo wrote:
Hi Vladimir,
I have inserted your code into my application between
OPENSSL_config("correct config file path");
SSL_library_init();
SSL_load_error_strings();
and
SSL_CTX_use_certificate_chain_file(ctx, CERTFILE)
The code was executed without errors, but the
SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) function call causes
the same error: Unsupported algorithm.
As far as I understood, the main idea of this code is to get the engine and
initialize it by ENGINE_init(e).
What is the further use of this ENGINE* pointer? It seems that I can
"forget" about it.
Why is the ENGINE_init(e) call not necessary for dynamic linkage?
I thought that everything should be the same because I pass the correct
configuration file path to OPENSSL_config("correct config file path");
I read the "Network Security with OpenSSL" book and the CryptoKom
documentation http://www.cryptocom.ru/products/cryptopacket.html#docs
Unfortunately, neither source contains information on how to handle
engines (especially in the case of static linkage).
------------------------------------------------------------------------
*From:* Vladimir Belov <ml.vladimbe...@gmail.com>
*To:* openssl-users@openssl.org
*Sent:* Thursday, 14 June 2012 18:01
*Subject:* Re: OpenSSL and GOST engine issue (statically linked library )
I made a mistake in the code, and it is possible not to load all engines
with ENGINE_load_builtin_engines.
This is what the following code shows you:
#include <openssl/bio.h>
#include <openssl/engine.h>
#include <openssl/err.h>

/* testing loading GOST engine; bf_log is the BIO that errors are written to */
int load_gost_engine(BIO *bf_log)
{
    ENGINE *e;
    const char *engine_id = "gost";
    ENGINE_load_openssl();
    //ENGINE_load_builtin_engines();
    ENGINE_load_gost();   /* static ccgost engine, OpenSSL 1.0.x */
    e = ENGINE_by_id(engine_id);
    if(!e)
    {
        /* the engine isn't available */
        ERR_print_errors(bf_log);
        return 1;
    }
    if(!ENGINE_init(e))
    {
        /* the engine couldn't initialise, release 'e' */
        ERR_print_errors(bf_log);
        ENGINE_free(e);
        return 1;
    }
    return 0;
}
--------------------------------------------------------------------------------------------------------
From: Abyss Lingvo
Sent: Wednesday, June 13, 2012 5:21 PM
To: openssl-users@openssl.org
Subject: OpenSSL and GOST engine issue (statically linked library )
Hi all!
This is my first mail to the openssl mailing list.
I have a problem with a statically linked openSSL library and the GOST
crypto engine. Openssl 1.0.0g
I have a simple client/server application using GOST keys and
certificates. It works fine with GOST keys, but only if I use the
dynamically linked version of the openSSL library. If I try to use the
statically linked openSSL, I get an error message.
This is how I initialized openSSL library:
OPENSSL_config("correct config file path");
SSL_library_init();
SSL_load_error_strings();
When I try to read the certificate file, I get an error.
SSL_CTX_use_certificate_chain_file(ctx, CERTFILE)
The return value here is not 1, so this is an error.
The human readable error message is:
3084809868:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
3084809868:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:
3084809868:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:
When I use the same code with the dynamically linked openSSL library and
the external GOST engine library, everything works fine. So what is the
difference between the static and dynamic version? The only idea that I
have at this time is that my library initialization sequence is wrong.
I checked the symbols in the compiled libcrypto.a library.
nm ./libcrypto.a | grep gost
This command gave me output with many GOST functions which were
included in the libcrypto.a library. So I think that the library was compiled
properly and all GOST engine functions were included in the static
library.
The "Unsupported algorithm" error message means that the GOST functions were
not initialized properly. The question is: how to properly initialize
engines with statically linked openSSL?
Is it possible to use engines and a statically linked openssl library in
general?
Best Regards
Xidex
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org