Ciphers provided by engine not accessible...?
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Mon Jul 22 19:17:01 UTC 2019
Turned out the failure was my misconfiguration - but the "config" man page doesn't seem to describe the *exact* order of the statements/sections.
What I found experimentally was:
1. "openssl_conf = openssl_init" line must be the first non-comment line in the openssl.cnf file, otherwise engines won't be loaded.
2. "[openssl_init]\n engines = engine_section" lines must *both* be at the end of the openssl.cnf file, just before the "[engine_section]" section.
These are the errors I get if the above order is violated:
$ openssl engine -t gost pkcs11 rdrand
(gost) Reference implementation of GOST engine
[ available ]
(pkcs11) pkcs11 engine
[ available ]
(rdrand) Intel RDRAND engine
[ available ]
4566365632:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:119:filename(libHOME.dylib): dlopen(libHOME.dylib, 2): image not found
4566365632:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
4566365632:error:0E07506E:configuration file routines:module_load_dso:error loading dso:crypto/conf/conf_mod.c:224:module=HOME, path=HOME
4566365632:error:0E076071:configuration file routines:module_run:unknown module name:crypto/conf/conf_mod.c:165:module=HOME
$ ll /opt/local/lib/engines-1.1/pkcs11.dylib
-rwxr-xr-x 1 root admin 79952 Jun 12 09:37 /opt/local/lib/engines-1.1/pkcs11.dylib*
$ /Library/OpenSC/lib/opensc-pkcs11.so
-bash: /Library/OpenSC/lib/opensc-pkcs11.so: cannot execute binary file
$ ll /Library/OpenSC/lib/opensc-pkcs11.so
-rwxr-xr-x 1 root wheel 1666552 Jul 22 12:35 /Library/OpenSC/lib/opensc-pkcs11.so*
$
Here's the *current* openssl.cnf (I removed the middle part that deals with the certificate parameters, as it seems irrelevant to this issue) - your comments are welcome:
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
openssl_conf = openssl_init
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
. . . . .
[openssl_init]
engines = engine_section
#################################
[engine_section]
pkcs11 = pkcs11_section
gost = gost_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /opt/local/lib/engines-1.1/pkcs11.dylib
MODULE_PATH = /Library/OpenSC/lib/opensc-pkcs11.so
init = 0
[gost_section]
engine_id = gost
dynamic_path = /opt/local/lib/engines-1.1/gost.dylib
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
#################################
On 7/19/19, 2:10 PM, "openssl-users on behalf of Blumenthal, Uri - 0553 - MITLL" <openssl-users-bounces at openssl.org on behalf of uri at ll.mit.edu> wrote:
MacOS Mojave 10.14.5, OpenSSL-1.1.1c (Macports-installed).
Engines defined in the openssl.cnf file:
#############
[engine_section]
pkcs11 = pkcs11_section
gost = gost_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /opt/local/lib/engines-1.1/libpkcs11.so
MODULE_PATH = /Library/OpenSC/lib/opensc-pkcs11.so
init = 0
[gost_section]
engine_id = gost
dynamic_path = /opt/local/lib/engines-1.1/gost.dylib
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
init = 1
#############
Note: whether the above has "init = 1" or not does not alter the outcome.
Engine in question is "gost".
First, the engine does not load automatically/dynamically. For "openssl dgst" I have to specify it explicitly, otherwise the algorithms it provides are not available:
$ openssl dgst -md_gost94 ~/LastTest.log
dgst: Unrecognized flag md_gost94
dgst: Use -help for summary.
$ openssl dgst -engine gost -md_gost94 ~/LastTest.log
engine "gost" set.
md_gost94(/Users/ur20980/LastTest.log)= e82e6e515c86851498eac606722b50b724b1f95952d4edb7202029f127751816
$
Second - even when I explicitly specify the engine, "openssl speed" refuses to recognize the ciphers provided by it, though "openssl enc" shows that it can access them:
$ openssl speed -engine gost -evp gost89-cbc
speed: gost89-cbc is an unknown cipher or digest
$ openssl enc -engine gost -ciphers
engine "gost" set.
Supported ciphers:
-aes-128-cbc -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ctr -aes-128-ecb
. . . . .
-des3-wrap -desx -desx-cbc
-gost89 -gost89-cbc -gost89-cnt
-gost89-cnt-12 -grasshopper-cbc -grasshopper-cfb
-grasshopper-ctr -grasshopper-ecb -grasshopper-ofb
-id-aes128-wrap -id-aes128-wrap-pad -id-aes192-wrap
Seems like a bug...?
--
Regards,
Uri
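The ordering findings at the top of this thread (openssl_conf in the default section, an init section whose keys are module names, an engine section per engine) can be checked mechanically. This is an added example, not code from the thread or from OpenSSL: a small parser for the openssl.cnf section syntax plus a checker that flags the situation behind the "module=HOME, path=HOME" errors, where a key that is not a config module ends up in the init section. The sample configs and the KNOWN_MODULES set are constructed here and assumed to match the OpenSSL 1.1 built-in module names.

```python
# Added example (not from the thread): sanity-check engine wiring in an openssl.cnf.
# Keys above the first [section] header form the default section; `openssl_conf` there
# names the init section, and every key of the init section is a config-module name.
# An unknown one is dlopen'ed as a DSO, which is what "module=HOME, path=HOME" shows.
import re
KNOWN_MODULES = {"engines", "alg_section", "ssl_conf"}  # assumed OpenSSL 1.1 built-ins

def parse_cnf(text):
    """Return {section: {key: value}}; keys before any header land in 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_engines(sections):
    """Return a list of problems; an empty list means the engine wiring is consistent."""
    init_name = sections["default"].get("openssl_conf")
    if init_name is None:
        return ["no openssl_conf in the default section: no engines will be loaded"]
    init = sections.get(init_name)
    if init is None:
        return [f"openssl_conf names a missing section [{init_name}]"]
    problems = [f"[{init_name}] key '{k}' is not a config module; OpenSSL will dlopen '{k}'"
                for k in init if k not in KNOWN_MODULES]
    for eng_id, sect_name in sections.get(init.get("engines"), {}).items():
        sect = sections.get(sect_name, {})
        for required in ("engine_id", "dynamic_path"):
            if required not in sect:
                problems.append(f"engine '{eng_id}': [{sect_name}] lacks {required}")
    return problems

# Constructed sample mirroring the working layout from the thread.
GOOD_CNF = """\
openssl_conf = openssl_init
HOME = .
[openssl_init]
engines = engine_section
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
dynamic_path = /opt/local/lib/engines-1.1/gost.dylib
"""
# Constructed misordering: [openssl_init] placed above HOME, so HOME is read as a module.
BAD_CNF = GOOD_CNF.replace("HOME = .\n[openssl_init]\n", "[openssl_init]\nHOME = .\n")
```

Running `check_engines(parse_cnf(open("openssl.cnf").read()))` on the real file reports the misplaced key instead of leaving you to decode the dlopen error.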