Question

I have a problem with a statically linked OpenSSL library and the GOST crypto engine.

I have a simple client/server application using GOST keys and certificates. It works fine with GOST keys, but only if I use the dynamically linked version of the OpenSSL library. If I try to use a statically linked OpenSSL, I get an error message.

These are the OpenSSL library initialization calls:

OPENSSL_config("correct config file path");
SSL_library_init();
SSL_load_error_strings();

When I try to read the certificate file, I get an error:

SSL_CTX_use_certificate_chain_file(ctx, CERTFILE)

The return value here is not 1, so this is an error.

The human readable error message is:

3084809868:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
3084809868:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:
3084809868:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:

When I use the same code with a dynamically linked OpenSSL library and the external GOST engine library, everything works fine. So what is the difference between the static and dynamic versions? The only idea I have at this time is that my library initialization sequence is wrong.

I checked the symbols in the compiled libcrypto.a library:

nm ./libcrypto.a | grep gost

This command gave me output with many GOST functions that were included in the libcrypto.a library. So I think the library was compiled properly and all GOST engine functions were included in the static library.

The "unsupported algorithm" error message means that the GOST functions were not initialized properly. The question is: how do I properly initialize engines with a statically linked OpenSSL?


Solution

The correct solution for using the GOST engine with a statically linked OpenSSL is:

Make sure that openssl.cnf exists in the default directory. (If we configure the library like this: ./config --prefix=/gost-ssl-static, the default configuration directory will be /gost-ssl-static/ssl; see http://www.cryptocom.ru/opensource/openssl100.html for details.) Make sure that openssl.cnf contains the following lines before the first section with square brackets:

[openssl_def]
engines=engine_section

[engine_section]
gost=gost_section

[gost_section]
engine_id=gost
default_algorithms=ALL
CRYPT_PARAMS=id-Gost28147-89-CryptoPro-A-ParamSet

Initialize the OpenSSL library and the GOST engine:

OPENSSL_config(NULL);
SSL_library_init();
SSL_load_error_strings();

My mistake was incorrect OpenSSL initialization. My initialization code was much more complicated. Many unnecessary function calls interfered with each other, and the GOST engine was not initialized. Also, I thought that the only parameter of the OPENSSL_config(NULL) function was the path to the openssl.cnf file. That was a wrong assumption.
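The answer's fix depends on the config file being wired correctly: OPENSSL_config(NULL) loads the default openssl.cnf and looks up the key named openssl_conf in the default section (the part before the first [section]), follows it to a section with an engines entry, and from there to the per-engine section holding engine_id and default_algorithms. The argument to OPENSSL_config() is that key name, not a file path, which is why the call in the question found nothing. The following pre-flight check is an added example, not code from the post or from OpenSSL: it walks that same chain over a config file and reports where the chain is broken. The two sample configs are constructed for the example, the reader is simplified (no $var expansion, no .include), and the function and variable names are this example's own.

```python
"""Pre-flight check: does an openssl.cnf actually wire an engine into
OPENSSL_config()?  Follows the chain OpenSSL uses when loading the file:

    default section -> <app_name> (normally "openssl_conf") -> engines
                    -> [engine_section] -> [gost_section] -> engine_id

Simplified reader for illustration: no $var expansion, no .include, no quoting.
"""
from typing import Dict, List

Sections = Dict[str, Dict[str, str]]


def parse_cnf(text: str) -> Sections:
    """Parse OpenSSL's INI-like format.  Keys that appear before the first
    [section] header land in the unnamed default section, stored under ''."""
    sections: Sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed config line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def check_engine_wiring(sections: Sections, engine_id: str,
                        app_name: str = "openssl_conf") -> List[str]:
    """Return the problems found; an empty list means the engine section is
    reachable from the default section and the engine would be loaded."""
    problems: List[str] = []
    default = sections.get("", {})

    # OPENSSL_config(NULL) looks up "openssl_conf" in the default section.
    # Passing a file path as the argument looks up a key of that name
    # instead (the mistake in the question), which is never present.
    conf_name = default.get(app_name)
    if conf_name is None:
        problems.append(f"no '{app_name} = <section>' line before the first "
                        f"[section]; the engine setup is never reached")
        return problems
    conf = sections.get(conf_name)
    if conf is None:
        problems.append(f"section [{conf_name}] referenced by {app_name} is missing")
        return problems

    engines_name = conf.get("engines")
    if engines_name is None or engines_name not in sections:
        problems.append(f"[{conf_name}] has no valid 'engines = <section>' entry")
        return problems

    # Each key in the engines section names an engine; its value names the
    # section with that engine's settings.  engine_id there overrides the key.
    for name, section_name in sections[engines_name].items():
        settings = sections.get(section_name)
        if settings is None:
            problems.append(f"engine '{name}' points to missing section [{section_name}]")
            continue
        if settings.get("engine_id", name) != engine_id:
            continue
        if "default_algorithms" not in settings:
            problems.append(f"[{section_name}] lacks default_algorithms; the engine "
                            f"is loaded but not registered as default for anything")
        return problems
    problems.append(f"no engine entry resolves to engine_id '{engine_id}'")
    return problems


# Constructed sample: the sections from the answer plus the top-level pointer
# that makes OPENSSL_config(NULL) read them.
WORKING_CNF = """
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
"""

# Constructed sample: the same sections without the pointer line, so the
# library loads the file but never touches the engine configuration.
ORPHANED_CNF = WORKING_CNF.replace("openssl_conf = openssl_def\n", "")

if __name__ == "__main__":
    for label, text in (("working", WORKING_CNF), ("orphaned", ORPHANED_CNF)):
        print(label, check_engine_wiring(parse_cnf(text), "gost") or "OK")
```

Running the check over the orphaned variant reproduces the situation in the question: the file parses fine and the GOST sections are all present, yet nothing refers to them from the default section, so the engine is never loaded and certificate loading fails with "unsupported algorithm".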

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow