<div dir="auto"><div>If you specify gost2001, which is deprecated, you should use md_gost94 as a digest.<div dir="auto"><br></div><div dir="auto">But normally it will pick the only allowed digest automatically. </div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 15 Feb 2023, 07:59 Eugene M. Zheganin, <<a href="mailto:eugene@zhegan.in">eugene@zhegan.in</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>Hello, <br>
</div>
<div><br>
</div>
<div>On 14.02.2023 17:07, Dmitry Belyavsky
wrote:
</div>
<blockquote type="cite">
<pre>Which engine do you use?
I'd strongly recommend using gost-engine
(<a href="https://github.com/gost-engine/engine" target="_blank" rel="noreferrer">https://github.com/gost-engine/engine</a>) loading it via config.
Also I'm not sure that `streebog256` is supported - it's an alias, the
name is `md_gost12_256`
On Tue, Feb 14, 2023 at 1:01 PM Eugene M. Zheganin <a href="mailto:eugene@zhegan.in" target="_blank" rel="noreferrer"><eugene@zhegan.in></a> wrote:
</pre>
</blockquote>
<p>My bad, this is indeed <a href="https://github.com/gost-engine/engine" target="_blank" rel="noreferrer">https://github.com/gost-engine/engine</a>,
I've just checked (phantom memories):</p>
<pre><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff">===Cut===
# git remote -v</span><span style="color:#000000;background-color:#ffffff">
origin <a href="https://github.com/gost-engine/engine" target="_blank" rel="noreferrer">https://github.com/gost-engine/engine</a> (fetch)</span>
origin <a href="https://github.com/gost-engine/engine" target="_blank" rel="noreferrer">https://github.com/gost-engine/engine</a> (push) </span></pre>
<pre><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"># git log | head -n 10 </span>
commit b2b4d629f100eaee9f5942a106b1ccefe85b8808
Author: Dmitry Belyavskiy <a href="mailto:beldmit@gmail.com" target="_blank" rel="noreferrer"><beldmit@gmail.com></a>
Date: Sat May 21 20:20:20 2022 +0200
On unpacking key blob output buffer size should be fixed
Related: CVE-2022-29242
commit 7df766124f87768b43b9e8947c5a01e17545772c
Author: Dmitry Belyavskiy <a href="mailto:beldmit@gmail.com" target="_blank" rel="noreferrer"><beldmit@gmail.com></a>
</span></pre>
<p>===Cut===<br>
</p>
<p><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff">And I've also
checked the md5 sum on gost.so and its copy in the build
directory, so it's the same file:</span></span></p>
<p><br>
<span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"># md5sum
/home/emz/src/engine/build/bin/gost.so </span><br>
3464035a7a21ba47f2e0120e0ffb4af8
/home/emz/src/engine/build/bin/gost.so
<br>
<br>
# md5sum /usr/local/openssl-3.0.7/lib64/engines-3/gost.so <br>
3464035a7a21ba47f2e0120e0ffb4af8
/usr/local/openssl-3.0.7/lib64/engines-3/gost.s<br>
</span></span></span></p>
<p><br>
<span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff">===Cut===</span></span></p>
<pre><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"># /usr/local/libressl/bin/openssl req -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pkeyopt paramse</span>t:A -md_gost12_256 -nodes \
-subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe@foo.bar" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Key parameter error "dgst:md_gost12_256" </span></pre>
<pre><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"># /usr/local/libressl/bin/openssl req -engine gost -engine_impl gost -newkey gost2001 -pkeyopt dgst</span>:md_gost12_256 \
-pkeyopt paramset:A -md_gost12_256 -nodes -subj </span><span style="font-family:monospace"><span style="font-family:monospace">"/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe@foo.bar"</span> -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Engine "gost" set.
</span><span style="font-family:monospace">req: Use -help for summary. </span></pre>
<pre><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"># /usr/local/libressl/bin/openssl req -engine gost -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pk</span>eyopt paramset:A \
-md_gost12_256 -nodes -subj </span><span style="font-family:monospace"><span style="font-family:monospace">"/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe@foo.bar"</span> -keyout /tmp/key.pem -out /tmp/csr.pem -utf8 </span></pre>
<pre><span style="font-family:monospace">Engine "gost" set.
</span></pre>
<pre><span style="font-family:monospace">Key parameter error "dgst:md_gost12_256"</span></pre>
<p><span style="font-family:monospace">===Cut===</span></p>
<p><span style="font-family:monospace">So, the problem persists at
least on its version from May 2022. Is there any chance these
commands will work on a more recent version of the engine, or do I
completely misunderstand how they should be called?<br>
</span></p>
<p><span style="font-family:monospace">Engine is plugged in as:</span></p>
<p><span style="font-family:monospace">===Cut===</span></p>
<p><br>
<span style="font-family:monospace"><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff">[openssl_init]
</span><br>
engines = engine_section
<br>
providers = provider_sect
<br>
<br>
[engine_section]
<br>
gost = gost_section
<br>
<br>
[gost_section]
<br>
engine_id = gost
<br>
dynamic_path =
/usr/local/openssl-3.0.7/lib64/engines-3/gost.so
<br>
default_algorithms = ALL<br>
</span></span></p>
<p><span style="font-family:monospace">===Cut===<br>
</span></p>
<p><span style="font-family:monospace">Thanks.<br>
</span></p>
<p><span style="font-family:monospace">Eugene.<br>
</span></p>
</div>
</blockquote></div></div></div>