<div dir="auto"><div>If you specify gost2001, which is deprecated, you should use md_gost94 as a digest.<div dir="auto"><br></div><div dir="auto">But normally it will pick the only allowed digest automatically. </div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 15 Feb 2023, 07:59 Eugene M. Zheganin, &lt;<a href="mailto:eugene@zhegan.in">eugene@zhegan.in</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div>
    <div>Hello, <br>
    </div>
    <div><br>
    </div>
    <div>On 14.02.2023 17:07, Dmitry Belyavsky
      wrote:
    </div>
    <blockquote type="cite">
      <pre>Which engine do you use?
I'd strongly recommend using gost-engine
(<a href="https://github.com/gost-engine/engine" target="_blank" rel="noreferrer">https://github.com/gost-engine/engine</a>) loading it via config.
Also I'm not sure that `streebog256` is supported - it's an alias, the
name is `md_gost12_256`

On Tue, Feb 14, 2023 at 1:01 PM Eugene M. Zheganin <a href="mailto:eugene@zhegan.in" target="_blank" rel="noreferrer">&lt;eugene@zhegan.in&gt;</a> wrote:

</pre>
    </blockquote>
    <p>My bad, this is indeed  <a href="https://github.com/gost-engine/engine" target="_blank" rel="noreferrer">https://github.com/gost-engine/engine</a>,
      I've just checked (phantom memories):</p>
    <pre><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff">===Cut===
# git remote -v</span><span style="color:#000000;background-color:#ffffff">
origin  <a href="https://github.com/gost-engine/engine" target="_blank" rel="noreferrer">https://github.com/gost-engine/engine</a> (fetch)</span>
origin  <a href="https://github.com/gost-engine/engine" target="_blank" rel="noreferrer">https://github.com/gost-engine/engine</a> (push) </span></pre>
    <pre><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"># git log | head -n 10  </span>
commit b2b4d629f100eaee9f5942a106b1ccefe85b8808
Author: Dmitry Belyavskiy <a href="mailto:beldmit@gmail.com" target="_blank" rel="noreferrer">&lt;beldmit@gmail.com&gt;</a>
Date:   Sat May 21 20:20:20 2022 +0200

    On unpacking key blob output buffer size should be fixed
    
    Related: CVE-2022-29242

commit 7df766124f87768b43b9e8947c5a01e17545772c
Author: Dmitry Belyavskiy <a href="mailto:beldmit@gmail.com" target="_blank" rel="noreferrer">&lt;beldmit@gmail.com&gt;</a>
</span></pre>
    <p>===Cut===<br>
    </p>
    <p><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff">And I've also
          checked the md5 sum on gost.so, and its copy in the build
          directory, so it's the same file:</span></span></p>
    <p><br>
      <span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"># md5sum
              /home/emz/src/engine/build/bin/gost.so  </span><br>
            3464035a7a21ba47f2e0120e0ffb4af8
             /home/emz/src/engine/build/bin/gost.so
            <br>
            <br>
            # md5sum /usr/local/openssl-3.0.7/lib64/engines-3/gost.so  <br>
            3464035a7a21ba47f2e0120e0ffb4af8
             /usr/local/openssl-3.0.7/lib64/engines-3/gost.s<br>
          </span></span></span></p>
    <p><br>
      <span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff">===Cut===</span></span></p>
    <pre><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"># /usr/local/libressl/bin/openssl req -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pkeyopt paramse</span>t:A -md_gost12_256 -nodes \
-subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane <a href="mailto:Doe/emailaddress=doe@foo.bar" target="_blank" rel="noreferrer">Doe/emailaddress=doe@foo.bar</a>" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Key parameter error "dgst:md_gost12_256" </span></pre>
    <pre><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"># /usr/local/libressl/bin/openssl req -engine gost -engine_impl gost -newkey gost2001 -pkeyopt dgst</span>:md_gost12_256 \
-pkeyopt paramset:A -md_gost12_256 -nodes -subj </span><span style="font-family:monospace"><span style="font-family:monospace">"/C=Some/ST=Some/O=FooBar LLC/CN=Jane <a href="mailto:Doe/emailaddress=doe@foo.bar" target="_blank" rel="noreferrer">Doe/emailaddress=doe@foo.bar</a>"</span> -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Engine "gost" set.
</span><span style="font-family:monospace">req: Use -help for summary. </span></pre>
    <pre><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff"># /usr/local/libressl/bin/openssl req -engine gost -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pk</span>eyopt paramset:A \
-md_gost12_256 -nodes -subj </span><span style="font-family:monospace"><span style="font-family:monospace">"/C=Some/ST=Some/O=FooBar LLC/CN=Jane <a href="mailto:Doe/emailaddress=doe@foo.bar" target="_blank" rel="noreferrer">Doe/emailaddress=doe@foo.bar</a>"</span> -keyout /tmp/key.pem -out /tmp/csr.pem -utf8                   </span></pre>
    <pre><span style="font-family:monospace">Engine "gost" set.
</span></pre>
    <pre><span style="font-family:monospace">Key parameter error "dgst:md_gost12_256"</span></pre>
    <p><span style="font-family:monospace">===Cut===</span></p>
    <p><span style="font-family:monospace">So, the problem persists at
        least on its version from May, 2022. Is there any chance these
        commands will work on a more recent version of the engine or do I
        completely misunderstand how they should be called?<br>
      </span></p>
    <p><span style="font-family:monospace">Engine is plugged in as:</span></p>
    <p><span style="font-family:monospace">===Cut===</span></p>
    <p><br>
      <span style="font-family:monospace"><span style="font-family:monospace"><span style="color:#000000;background-color:#ffffff">[openssl_init]
          </span><br>
          engines = engine_section
          <br>
          providers = provider_sect
          <br>
          <br>
          [engine_section]
          <br>
          gost = gost_section
          <br>
          <br>
          [gost_section]
          <br>
          engine_id = gost
          <br>
          dynamic_path =
          /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
          <br>
          default_algorithms = ALL<br>
        </span></span></p>
    <p><span style="font-family:monospace">===Cut===<br>
      </span></p>
    <p><span style="font-family:monospace">Thanks.<br>
      </span></p>
    <p><span style="font-family:monospace">Eugene.<br>
      </span></p>
  </div>

</blockquote></div></div></div>