Ciphers provided by engine not accessible...?


Blumenthal, Uri - 0553 - MITLL
MacOS Mojave 10.14.5, OpenSSL-1.1.1c (Macports-installed).

Engines defined in the openssl.cnf file:

#############
[engine_section]
pkcs11 = pkcs11_section
gost   = gost_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /opt/local/lib/engines-1.1/libpkcs11.so
MODULE_PATH  = /Library/OpenSC/lib/opensc-pkcs11.so
init = 0

[gost_section]
engine_id = gost
dynamic_path = /opt/local/lib/engines-1.1/gost.dylib
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
init = 1
#############

Note: whether the above has "init = 1" or not does not alter the outcome.

Engine in question is "gost".

First, the engine does not load automatically/dynamically. For "openssl dgst" I have to specify it explicitly; otherwise the algorithms it provides are not available:

$ openssl dgst -md_gost94 ~/LastTest.log
dgst: Unrecognized flag md_gost94
dgst: Use -help for summary.
$ openssl dgst -engine gost -md_gost94 ~/LastTest.log
engine "gost" set.
md_gost94(/Users/ur20980/LastTest.log)= e82e6e515c86851498eac606722b50b724b1f95952d4edb7202029f127751816
$

Second - even when I explicitly specify the engine, "openssl speed" refuses to recognize the ciphers provided by it, though "openssl enc" shows that it can access them:

$ openssl speed -engine gost -evp gost89-cbc
speed: gost89-cbc is an unknown cipher or digest
$ openssl enc -engine gost -ciphers
engine "gost" set.
Supported ciphers:
-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1            
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb      
. . . . .
-des3-wrap                 -desx                      -desx-cbc                
-gost89                    -gost89-cbc                -gost89-cnt              
-gost89-cnt-12             -grasshopper-cbc           -grasshopper-cfb          
-grasshopper-ctr           -grasshopper-ecb           -grasshopper-ofb          
-id-aes128-wrap            -id-aes128-wrap-pad        -id-aes192-wrap


Seems like a bug...?
--
Regards,
Uri

Re: Ciphers provided by engine not accessible...?

Dmitry Belyavsky-3
Dear Uri,

Is this a full configuration file?

Re: Ciphers provided by engine not accessible...?

Blumenthal, Uri - 0553 - MITLL

> Is this a full configuration file?

It certainly isn’t – but I figured I’d post only the relevant part of it, rather than “crowding” the mailing list with something unnecessary.

Are there any other parts of the openssl.cnf that could be related to this issue, or help diagnose its cause?

Re: Ciphers provided by engine not accessible...?

Dmitry Belyavsky-3
Hello, 

Mon, 22 Jul 2019, 19:58 Blumenthal, Uri - 0553 - MITLL <[hidden email]>:

> > Is this a full configuration file?
>
> It certainly isn’t – but I figured I’d post only the relevant part of it, rather than “crowding” the mailing list with something unnecessary.
>
> Are there any other parts of the openssl.cnf that could be related to this issue, or help diagnose its cause?

Does your configuration file contain a header similar to described in the Gost engine documentation? If not, the gost section is not processed.

I don't remember any significant changes in 1.1.1 engine processing, and it works with 1.0.2

Sorry for brevity, I'll be able to look in more details only at the beginning of August. 

 

 

Re: Ciphers provided by engine not accessible...?

Blumenthal, Uri - 0553 - MITLL
> > Are there any other parts of the openssl.cnf that could be related to this issue, or help diagnose its cause?
>
> Does your configuration file contain a header similar to described in the Gost engine documentation? If not, the gost section is not processed.
>
> I don't remember any significant changes in 1.1.1 engine processing, and it works with 1.0.2
>
> Sorry for brevity, I'll be able to look in more details only at the beginning of August.

Darn… You were right – that header (openssl_conf = openssl_def) was NOT present. Adding it resulted in success (with some error messages):

$ openssl speed -engine gost -evp gost89-cbc
engine "gost" set.
Doing gost89-cbc for 3s on 16 size blocks: 13107440 gost89-cbc's in 2.99s
Doing gost89-cbc for 3s on 64 size blocks: 3383428 gost89-cbc's in 3.00s
Doing gost89-cbc for 3s on 256 size blocks: 849765 gost89-cbc's in 3.00s
Doing gost89-cbc for 3s on 1024 size blocks: 211166 gost89-cbc's in 3.00s
Doing gost89-cbc for 3s on 8192 size blocks: 26167 gost89-cbc's in 3.01s
Doing gost89-cbc for 3s on 16384 size blocks: 13338 gost89-cbc's in 3.00s
4571538880:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_crypt.c:671:
4571538880:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
4571538880:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_crypt.c:671:
4571538880:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
4571538880:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_crypt.c:671:
4571538880:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
4571538880:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_crypt.c:671:
4571538880:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
4571538880:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_crypt.c:671:
4571538880:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
4571538880:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_crypt.c:671:
4571538880:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
$ openssl speed -engine gost -evp grasshopper-cfb
engine "gost" set.
Doing grasshopper-cfb for 3s on 16 size blocks: 19210088 grasshopper-cfb's in 3.00s
Doing grasshopper-cfb for 3s on 64 size blocks: 5210373 grasshopper-cfb's in 3.00s
Doing grasshopper-cfb for 3s on 256 size blocks: 1320249 grasshopper-cfb's in 3.00s
Doing grasshopper-cfb for 3s on 1024 size blocks: 328343 grasshopper-cfb's in 3.00s
Doing grasshopper-cfb for 3s on 8192 size blocks: 41459 grasshopper-cfb's in 3.00s
Doing grasshopper-cfb for 3s on 16384 size blocks: 20488 grasshopper-cfb's in 3.00s
4541392320:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_grasshopper_cipher.c:558:
4541392320:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
4541392320:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_grasshopper_cipher.c:558:
4541392320:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
4541392320:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_grasshopper_cipher.c:558:
4541392320:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
4541392320:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_grasshopper_cipher.c:558:
4541392320:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
4541392320:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_grasshopper_cipher.c:558:
4541392320:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
4541392320:error:8106A07A:lib(129):GOST_CIPHER_CTL:rng error:/Users/ur20980/src/engine/gost_grasshopper_cipher.c:558:
4541392320:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628:
$





Re: Ciphers provided by engine not accessible...?

Dmitry Belyavsky-3
Great!

The CBC implementation was rather limited. If you have any specific requirements, feel free to file a bug report in the engine repo.


Re: Ciphers provided by engine not accessible...?

Blumenthal, Uri - 0553 - MITLL
Turned out the failure was my misconfiguration - but the "config" man page doesn't seem to describe the *exact* order of the statements/sections.

What I found experimentally, was:

1. "openssl_conf = openssl_init" line must be the first non-comment line in the openssl.cnf file, otherwise engines won't be loaded.

2. "[openssl_init]\n engines = engine_section" lines must *both* be at the end of the openssl.cnf file, just before the "[engine_section]" section.

These are the errors I get if the above order is violated:

$ openssl engine -t gost pkcs11 rdrand
(gost) Reference implementation of GOST engine
     [ available ]
(pkcs11) pkcs11 engine
     [ available ]
(rdrand) Intel RDRAND engine
     [ available ]
4566365632:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:119:filename(libHOME.dylib): dlopen(libHOME.dylib, 2): image not found
4566365632:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
4566365632:error:0E07506E:configuration file routines:module_load_dso:error loading dso:crypto/conf/conf_mod.c:224:module=HOME, path=HOME
4566365632:error:0E076071:configuration file routines:module_run:unknown module name:crypto/conf/conf_mod.c:165:module=HOME
$ ll /opt/local/lib/engines-1.1/pkcs11.dylib
-rwxr-xr-x  1 root  admin  79952 Jun 12 09:37 /opt/local/lib/engines-1.1/pkcs11.dylib*
$ /Library/OpenSC/lib/opensc-pkcs11.so
-bash: /Library/OpenSC/lib/opensc-pkcs11.so: cannot execute binary file
$ ll /Library/OpenSC/lib/opensc-pkcs11.so
-rwxr-xr-x  1 root  wheel  1666552 Jul 22 12:35 /Library/OpenSC/lib/opensc-pkcs11.so*
$

Here's the *current* openssl.cnf (I removed the middle part that deals with the certificate parameters, as it seems irrelevant to this issue) - your comments are welcome:

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

openssl_conf = openssl_init

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
. . . . .
[openssl_init]
engines = engine_section

#################################
[engine_section]
pkcs11 = pkcs11_section
gost   = gost_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /opt/local/lib/engines-1.1/pkcs11.dylib
MODULE_PATH  = /Library/OpenSC/lib/opensc-pkcs11.so
init = 0

[gost_section]
engine_id = gost
dynamic_path = /opt/local/lib/engines-1.1/gost.dylib
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

#################################



Re: Ciphers provided by engine not accessible...?

Richard Levitte - VMS Whacker-2
On Mon, 22 Jul 2019 21:17:01 +0200,
Blumenthal, Uri - 0553 - MITLL wrote:
>
> Turned out the failure was my misconfiguration - but the "config"
> man page doesn't seem to describe the *exact* order of the
> statements/sections.

It does, but perhaps not in a way you expected.  Here's a paragraph
from config(5), about the so called default section:

       The first section of a configuration file is special and is referred to
       as the default section. This section is usually unnamed and spans from
       the start of file until the first named section. When a name is being
       looked up it is first looked up in a named section (if any) and then
       the default section.

"start of the file until the first section" is key.  This is found
fairly early in the description.

And then, early in "OPENSSL_LIBRARY CONFIGURATION":

       To enable library configuration the default section needs to contain an
       appropriate line which points to the main configuration section. The
       default name is openssl_conf which is used by the openssl utility.
       Other applications may use an alternative name such as
       myapplication_conf.  All library configuration lines appear in the
       default section at the start of the configuration file.

"the default section" is key.

So the "openssl_conf = openssl_init" line must be early in the config
file.  The order of the different named sections doesn't (or
shouldn't) really matter.

Cheers,
Richard

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/
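The rule Richard quotes (the default section runs from the start of the file to the first `[named]` header, and `openssl_conf` is looked up there only) is mechanical enough to check automatically. The Python below is an added example written for this page, not code from OpenSSL or the gost engine: a small linter that parses an openssl.cnf the way config(5) describes, verifies that `openssl_conf` is in the default section, follows it to the init section, the engine list and each engine section, and flags stray names in the init section. That last check is my own reading of the `module=HOME` errors in Uri's earlier post, not something stated in the thread: OpenSSL runs every `name = value` in the section that `openssl_conf` points at as a configuration module, so if the `[openssl_init]` header is placed directly under the `openssl_conf` line, the `HOME = .` that follows lands inside the init section and is tried as a module named HOME. The set of known module names is an assumption matched to a stock 1.1.1 build, and the three config samples are constructed for the example (GOOD mirrors the layout that worked in the thread).

```python
"""Lint an openssl.cnf for the engine-loading mistakes discussed in this thread.

Added example, not part of OpenSSL or the gost engine. It mirrors config(5) only as
far as needed: the unnamed default section runs from the start of the file to the
first [named] header, and openssl_conf is looked up in that section alone.
"""
from __future__ import annotations
import re

# Assumption: module names registered by the built-in config modules of a stock
# OpenSSL 1.1.1 (ENGINE, EVP, OID, string table, libssl). Extend for other builds.
KNOWN_MODULES = {"engines", "alg_section", "oid_section", "stbl_section", "ssl_conf"}
SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")


def parse_cnf(text: str) -> dict[str, dict[str, str]]:
    """Return {section: {name: value}}; the unnamed leading section is "default".
    Comments are stripped; quoting, escapes and $var expansion are not handled."""
    sections: dict[str, dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"not a name=value line: {raw!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        sections[current][name] = value
    return sections


def lint(text: str, appname: str = "openssl_conf") -> list[str]:
    """Return findings; an empty list means the engine configuration will be run."""
    secs = parse_cnf(text)

    # 1. The pointer to the init section is consulted in the default section only.
    init_name = secs["default"].get(appname)
    if init_name is None:
        where = next((s for s, kv in secs.items() if s != "default" and appname in kv), None)
        return [f"'{appname}' sits in [{where}], not in the default section; library "
                "configuration is never triggered" if where else
                f"no '{appname} = <section>' line in the default section; engines are not loaded"]
    init = secs.get(init_name)
    if init is None:
        return [f"[{init_name}] referenced by {appname} does not exist"]

    # 2. Every name in the init section is run as a config module, so a stray
    #    'HOME = .' under the header becomes 'unknown module name ... module=HOME'.
    findings = [f"[{init_name}] contains '{name}', which is not a config module; "
                f"expect 'unknown module name: module={name}'"
                for name in init if name not in KNOWN_MODULES]

    # 3. Follow engines -> engine list -> one section per engine.
    list_name = init.get("engines")
    engine_list = secs.get(list_name) if list_name else {}
    if engine_list is None:
        findings.append(f"engines = {list_name} points at a missing section")
    for eng, sec_name in (engine_list or {}).items():
        sec = secs.get(sec_name)
        if sec is None:
            findings.append(f"engine '{eng}' points at missing section [{sec_name}]")
        elif "engine_id" not in sec:
            findings.append(f"[{sec_name}] for engine '{eng}' has no engine_id")
    return findings


# Constructed samples. ENGINE_SECTIONS is the block from the thread; GOOD has the
# layout that worked, MISSING is the original post (no openssl_conf), SHADOWED puts
# the [openssl_init] header straight under the pointer so 'HOME = .' lands in it.
ENGINE_SECTIONS = """\
[engine_section]
pkcs11 = pkcs11_section
gost   = gost_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /opt/local/lib/engines-1.1/pkcs11.dylib

[gost_section]
engine_id = gost
dynamic_path = /opt/local/lib/engines-1.1/gost.dylib
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
"""
GOOD_CNF = "openssl_conf = openssl_init\nHOME = .\n\n[openssl_init]\nengines = engine_section\n\n" + ENGINE_SECTIONS
MISSING_CNF = "HOME = .\n\n" + ENGINE_SECTIONS
SHADOWED_CNF = "openssl_conf = openssl_init\n[openssl_init]\nengines = engine_section\nHOME = .\n\n" + ENGINE_SECTIONS

if __name__ == "__main__":
    for label, cnf in (("GOOD", GOOD_CNF), ("MISSING", MISSING_CNF), ("SHADOWED", SHADOWED_CNF)):
        print(label, lint(cnf) or "OK")
```

To check a real file, pass its contents to `lint()`; `openssl version -d` prints the directory OpenSSL reads openssl.cnf from. The parser deliberately stops short of config(5)'s quoting and `$var` expansion, so a file that relies on those may need the affected lines simplified before linting.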

Re: Ciphers provided by engine not accessible...?

Blumenthal, Uri - 0553 - MITLL
On 7/22/19, 3:38 PM, "Richard Levitte" <[hidden email]> wrote:
> > Turned out the failure was my misconfiguration - but the "config"
> > man page doesn't seem to describe the *exact* order of the
> > statements/sections.
>
> It does, but perhaps not in a way you expected.

:-)

> So the "openssl_conf = openssl_init" line must be early in the config
> file.

Yep, as proven by my experience.

> The order of the different named sections doesn't (or
> shouldn't) really matter.

I agree with the "shouldn't", but in my experience it did. I had to move

[openssl_init]
engines = engine_section

to just above the [engine_section] itself - placing it in *any* other location in the file, including just after the "openssl_conf = " line, caused problems.