openssl and pluggable engine digests

Dmitry Belyavsky beldmit at gmail.com
Wed Feb 15 07:38:11 UTC 2023


If you specify gost2001, which is deprecated, you should use md_gost94 as a
digest.

But normally it will pick the only allowed digest automatically.


On Wed, 15 Feb 2023, 07:59 Eugene M. Zheganin, <eugene at zhegan.in> wrote:

> Hello,
>
> On 14.02.2023 17:07, Dmitry Belyavsky wrote:
>
> Which engine do you use?
> I'd strongly recommend using gost-engine
> (https://github.com/gost-engine/engine) loading it via config.
> Also I'm not sure that `streebog256` is supported - it's an alias, the
> name is `md_gost12_256`
>
> On Tue, Feb 14, 2023 at 1:01 PM Eugene M. Zheganin <eugene at zhegan.in> wrote:
>
>
> My bad, this is indeed  https://github.com/gost-engine/engine, I've just
> checked (phantom memories):
>
> ===Cut===
> # git remote -v
> origin  https://github.com/gost-engine/engine (fetch)
> origin  https://github.com/gost-engine/engine (push)
>
> # git log | head -n 10
> commit b2b4d629f100eaee9f5942a106b1ccefe85b8808
> Author: Dmitry Belyavskiy <beldmit at gmail.com>
> Date:   Sat May 21 20:20:20 2022 +0200
>
>     On unpacking key blob output buffer size should be fixed
>
>     Related: CVE-2022-29242
>
> commit 7df766124f87768b43b9e8947c5a01e17545772c
> Author: Dmitry Belyavskiy <beldmit at gmail.com>
>
> ===Cut===
>
> And I've also checked the md5 sum on gost.so, and its copy in the build
> directory, so it's the same file:
>
> # md5sum /home/emz/src/engine/build/bin/gost.so
> 3464035a7a21ba47f2e0120e0ffb4af8  /home/emz/src/engine/build/bin/gost.so
>
> # md5sum /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
> 3464035a7a21ba47f2e0120e0ffb4af8  /usr/local/openssl-3.0.7/lib64/engines-3/gost.s
>
>
> ===Cut===
>
> # /usr/local/libressl/bin/openssl req -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pkeyopt paramset:A -md_gost12_256 -nodes \
> -subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe at foo.bar" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
> Key parameter error "dgst:md_gost12_256"
>
> # /usr/local/libressl/bin/openssl req -engine gost -engine_impl gost -newkey gost2001 -pkeyopt dgst:md_gost12_256 \
> -pkeyopt paramset:A -md_gost12_256 -nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe at foo.bar" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
> Engine "gost" set.
> req: Use -help for summary.
>
> # /usr/local/libressl/bin/openssl req -engine gost -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pkeyopt paramset:A \
> -md_gost12_256 -nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe at foo.bar" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
> Engine "gost" set.
> Key parameter error "dgst:md_gost12_256"
>
> ===Cut===
>
> So, the problem persists at least on its version from May 2022. Is there
> any chance these commands will work on a more recent version of the engine, or
> do I completely misunderstand how they should be called?
>
> Engine is plugged in as:
>
> ===Cut===
>
> [openssl_init]
> engines = engine_section
> providers = provider_sect
>
> [engine_section]
> gost = gost_section
>
> [gost_section]
> engine_id = gost
> dynamic_path = /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
> default_algorithms = ALL
>
> ===Cut===
>
> Thanks.
>
> Eugene.
>