Hello,
On 14.02.2023 17:07, Dmitry Belyavsky wrote:
> Which engine do you use? I'd strongly recommend using gost-engine (https://github.com/gost-engine/engine) loading it via config. Also I'm not sure that `streebog256` is supported - it's an alias, the name is `md_gost12_256`
>
> On Tue, Feb 14, 2023 at 1:01 PM Eugene M. Zheganin <eugene@xxxxxxxxx> wrote:

My bad, this is indeed https://github.com/gost-engine/engine, I've just checked (phantom memories):
===Cut===
# git remote -v
origin  https://github.com/gost-engine/engine (fetch)
origin  https://github.com/gost-engine/engine (push)

# git log | head -n 10
commit b2b4d629f100eaee9f5942a106b1ccefe85b8808
Author: Dmitry Belyavskiy <beldmit@xxxxxxxxx>
Date:   Sat May 21 20:20:20 2022 +0200

    On unpacking key blob output buffer size should be fixed

    Related: CVE-2022-29242

commit 7df766124f87768b43b9e8947c5a01e17545772c
Author: Dmitry Belyavskiy <beldmit@xxxxxxxxx>
===Cut===
And I've also checked the md5 sum on gost.so and its copy in the build directory, so it's the same file:
===Cut===
# md5sum /home/emz/src/engine/build/bin/gost.so
3464035a7a21ba47f2e0120e0ffb4af8 /home/emz/src/engine/build/bin/gost.so
# md5sum /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
3464035a7a21ba47f2e0120e0ffb4af8  /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
===Cut===

===Cut===
# /usr/local/libressl/bin/openssl req -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pkeyopt paramset:A -md_gost12_256 -nodes \
    -subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe@xxxxxxx" -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Key parameter error "dgst:md_gost12_256"

# /usr/local/libressl/bin/openssl req -engine gost -engine_impl gost -newkey gost2001 -pkeyopt dgst:md_gost12_256 \
    -pkeyopt paramset:A -md_gost12_256 -nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe@xxxxxxx" \
    -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Engine "gost" set.
req: Use -help for summary.

# /usr/local/libressl/bin/openssl req -engine gost -newkey gost2001 -pkeyopt dgst:md_gost12_256 -pkeyopt paramset:A \
    -md_gost12_256 -nodes -subj "/C=Some/ST=Some/O=FooBar LLC/CN=Jane Doe/emailaddress=doe@xxxxxxx" \
    -keyout /tmp/key.pem -out /tmp/csr.pem -utf8
Engine "gost" set.
Key parameter error "dgst:md_gost12_256"
===Cut===
So, the problem persists at least on its version from May 2022. Is there any chance these commands will work on a more recent version of the engine, or do I completely misunderstand how they should be called?
The engine is plugged in as:
===Cut===
[openssl_init]
engines = engine_section
providers = provider_sect
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
dynamic_path = /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
default_algorithms = ALL
===Cut===
Thanks.
Eugene.
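As an added check (example code written for this page, not part of the thread or of gost-engine), a small Python script that follows the openssl_init -> engines -> engine-section chain of a config like the one above and verifies, for each engine, that engine_id matches the engine name, that dynamic_path exists, and optionally that its MD5 equals that of the build-directory copy, which is the comparison done by hand above. The embedded sample config is constructed from the fragment above plus an assumed global openssl_conf line.

```python
import configparser
import hashlib
import os

# Constructed sample: the engine fragment of openssl.cnf from the thread,
# preceded by the global openssl_conf line such files normally start with.
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
providers = provider_sect
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
dynamic_path = /usr/local/openssl-3.0.7/lib64/engines-3/gost.so
default_algorithms = ALL
"""


def md5_of(path):
    """MD5 of a file, the same comparison as `md5sum` on gost.so."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def resolve_engine_sections(cnf_text):
    """Follow openssl_init -> engines -> <engine> -> <engine section>.
    Returns {engine_name: {key: value}} for every engine listed."""
    # OpenSSL allows keys before the first [section]; give them a header so
    # configparser accepts them. '=' only, since values may contain ':'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string("[global]\n" + cnf_text)
    engines_section = cp["openssl_init"]["engines"]
    return {name: dict(cp[sect]) for name, sect in cp[engines_section].items()}


def check_engine(name, cfg, build_copy=None):
    """Return a list of problems for one engine section (empty list = ok).
    build_copy: optional path of the freshly built .so to compare against."""
    problems = []
    if cfg.get("engine_id") != name:
        problems.append("engine_id %r does not match engine %r" % (cfg.get("engine_id"), name))
    path = cfg.get("dynamic_path")
    if not path:
        problems.append("dynamic_path missing")
    elif not os.path.isfile(path):
        problems.append("dynamic_path not found: " + path)
    elif build_copy and md5_of(path) != md5_of(build_copy):
        problems.append("installed %s differs from build copy %s" % (path, build_copy))
    return problems
```

Run it as `for n, c in resolve_engine_sections(open("openssl.cnf").read()).items(): print(n, check_engine(n, c, "/home/emz/src/engine/build/bin/gost.so"))` against the real file to get the same verdict the md5sum comparison gave by hand.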
If you specify gost2001, which is deprecated, you should use md_gost94 as a digest.
But normally it will pick the only allowed digest automatically.
On Wed, 15 Feb 2023, 07:59 Eugene M. Zheganin, <eugene@xxxxxxxxx> wrote: