[Pkg-openssl-devel] Bug#611054: /usr/bin/openssl without gost engine

Dmitry Eremin-Solenikov dbaryshkov at gmail.com
Fri Jul 26 14:29:54 UTC 2013


Package: libssl1.0.0
Version: 1.0.1e-3
Followup-For: Bug #611054

Hello,

I have tried the settings you have provided to enable the GOST engine. Now I
can surely use GOST algorithms with openssl. E.g. I can securely connect
to www.cryptopro.ru:443 via s_client.

However this change (potentially) breaks other semi-unrelated packages.
First to name is dnsutils:

lumag at anuminas:/tmp/openssl-1.0.1e/crypto$ dig
GOST engine already loaded
26-Jul-2013 18:16:58.082 ENGINE_by_id failed
26-Jul-2013 18:16:58.082 error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
26-Jul-2013 18:16:58.083 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=gost
dig: dst_lib_init: crypto failure

I tried to analyse this failure. Here are my findings.
libdns during initialization tries to load the gost engine (correct
behaviour). It asks for ENGINE_by_id("gost") (again correct).
Then comes magic. It looks like OpenSSL's engine mechanism is broken at
this point. libgost.so was loaded when parsing the config file. But it is
not added to the list of engines. Thus OpenSSL tries to load libgost
again. And then libgost detects that it was already initialized and
returns an error (look for "already loaded" in engines/ccgost/gost_eng.c).

Some more magic to demonstrate this behaviour:
# no special gost in openssl.cnf
$ openssl engine -vv 
(dynamic) Dynamic engine loading support
     SO_PATH: Specifies the path to the new ENGINE shared library
     NO_VCHECK: Specifies to continue even if version checking fails (boolean)
     ID: Specifies an ENGINE id name for loading
     LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
     DIR_LOAD: Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)
     DIR_ADD: Adds a directory from which ENGINEs can be loaded
     LOAD: Load up the ENGINE specified by other settings
$ openssl engine -vv gost
(gost) Reference implementation of GOST engine
     CRYPT_PARAMS: OID of default GOST 28147-89 parameters
$ openssl engine -vv gost dynamic
(gost) Reference implementation of GOST engine
     CRYPT_PARAMS: OID of default GOST 28147-89 parameters
(dynamic) Dynamic engine loading support
     SO_PATH: Specifies the path to the new ENGINE shared library
     NO_VCHECK: Specifies to continue even if version checking fails (boolean)
     ID: Specifies an ENGINE id name for loading
     LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
     DIR_LOAD: Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)
     DIR_ADD: Adds a directory from which ENGINEs can be loaded
     LOAD: Load up the ENGINE specified by other settings

# Added openssl gost configuration
$ openssl engine -vv
(dynamic) Dynamic engine loading support
     SO_PATH: Specifies the path to the new ENGINE shared library
     NO_VCHECK: Specifies to continue even if version checking fails (boolean)
     ID: Specifies an ENGINE id name for loading
     LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
     DIR_LOAD: Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)
     DIR_ADD: Adds a directory from which ENGINEs can be loaded
     LOAD: Load up the ENGINE specified by other settings
$ openssl engine -vv gost
GOST engine already loaded
3073669384:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
3073669384:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=gost
$ openssl engine -vv gost dynamic
GOST engine already loaded
3074050312:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
3074050312:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=gost
(dynamic) Dynamic engine loading support
     SO_PATH: Specifies the path to the new ENGINE shared library
     NO_VCHECK: Specifies to continue even if version checking fails (boolean)
     ID: Specifies an ENGINE id name for loading
     LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
     DIR_LOAD: Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)
     DIR_ADD: Adds a directory from which ENGINEs can be loaded
     LOAD: Load up the ENGINE specified by other settings


As you can see, the engine is loaded, but not fully represented to the rest of OpenSSL.

Hope this helps.
-- 
With best wishes
Dmitry

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.9-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.50
ii  libc6                  2.17-7
ii  multiarch-support      2.17-7
ii  zlib1g                 1:1.2.8.dfsg-1

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information excluded
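
The error lines quoted in the message use the OpenSSL 1.0.x error-queue format, where the 8-digit hex code packs library, function and reason numbers. The following Python is an added example, not part of the original message or of OpenSSL: it decodes those lines and flags the signature reported here (a DYNAMIC_LOAD "init failed" immediately followed by ENGINE_by_id "no such engine"). The function names and the contrast input are hypothetical; the bit layout assumed is the 1.0.x one (8/12/12 bits).

```python
import re

# OpenSSL 1.0.x error-queue line:
#   error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:<data>
ERR_LINE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

# Output of `dig` as quoted in the message above.
SAMPLE = """\
GOST engine already loaded
26-Jul-2013 18:16:58.082 ENGINE_by_id failed
26-Jul-2013 18:16:58.082 error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
26-Jul-2013 18:16:58.083 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=gost
dig: dst_lib_init: crypto failure
"""

# Constructed contrast case (not from the page): a failed lookup with no
# preceding init failure, i.e. not the double-initialisation signature.
CONSTRUCTED_PLAIN_MISS = (
    "error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=example\n"
)

def parse_error(line):
    """Parse one error-queue line into a dict, or return None if it is not one."""
    m = ERR_LINE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    rec = m.groupdict()
    # Assumed 1.0.x packing: (lib << 24) | (func << 12) | reason
    rec.update(lib_num=(code >> 24) & 0xFF, func_num=(code >> 12) & 0xFFF,
               reason_num=code & 0xFFF, line=int(m.group("line")))
    return rec

def double_init_engines(output):
    """Return engine ids whose lookup failed right after a dynamic init failure."""
    hits, prev = [], None
    for rec in filter(None, map(parse_error, output.splitlines())):
        if (prev and prev["func"] == "DYNAMIC_LOAD" and prev["reason"] == "init failed"
                and rec["func"] == "ENGINE_by_id" and rec["reason"] == "no such engine"
                and rec["data"].startswith("id=")):
            hits.append(rec["data"][3:])
        prev = rec
    return hits

if __name__ == "__main__":
    print(double_init_engines(SAMPLE))
```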
