Hello,
Jan Just Keijser wrote:
Martin Paljak wrote:
On Apr 16, 2010, at 09:51 , Aleksey Samsonov wrote:
I commented out the OPENSSL_config(NULL) and now it works ...
should this be added as a patch? the FIXME seems to be to *remove* the
explicit call to OPENSSL_config; I can confirm that this works for
both openssl-1.0.0-beta4 and the official openssl-1.0.0 release
The FIXME means that calling OPENSSL_config(NULL) may have problems and
needs a cleaner solution for loading the GOST algorithms' implementation.
Does this mean that a fix in OpenSC is not needed and the problem lies
in OpenSSL land?
the problem is not in openssl land but in the way the GOST engine is
loaded by the pkcs11 software. The GOST engine requires a section in the
openssl.cnf file to load the appropriate shared library. The problem
(with openssl) is that you cannot register an engine twice. So when
a program loads and parses an openssl.cnf file which contains engine
definitions, the second attempt to register that engine will cause
a failure.
I've built the GOST engine myself and did *NOT* specify an openssl.cnf
file: the gost engine still loads, but I am not sure if it is
functional. So the real question becomes: is this openssl.cnf section
still necessary?
Yes, this section is necessary for using GOST engine.
is it still required to run OPENSSL_config() during opensc initialisation?
Another solution might be to not call OPENSSL_config() but call
OPENSSL_config( "gost" ) instead; this will cause the openssl library to
only parse the GOST section (provided there is one) which should solve
the problem as well.
Thank you! It works.
Could you please test attached patch?
However, what happens if the "gost" section is missing?
I think error must be ignored.
Finally, I also noticed that the behaviour of loading the
engine_pkcs11+opensc-pkcs11 is different when a card is present or not:
without a card the library initialized just fine (without patching
opensc, that is). If I insert a card and then try to run
openssl engine -vvv -t -c
then I get the error reported previously. The same is true for trying
to sign a certificate request using a card.
cheers,
JJK
Index: src/pkcs11/openssl.c
===================================================================
--- src/pkcs11/openssl.c (revision 4246)
+++ src/pkcs11/openssl.c (working copy)
@@ -186,8 +186,8 @@
sc_pkcs11_register_openssl_mechanisms(struct sc_pkcs11_card *card)
{
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
- /* FIXME: see openssl-1.0.0-beta3/engines/ccgost/README.gost */
- OPENSSL_config(NULL);
+ /* see openssl-1.0.0/engines/ccgost/README.gost */
+ OPENSSL_config("gost");
#endif
openssl_sha1_mech.mech_data = EVP_sha1();
sc_pkcs11_register_mechanism(card, &openssl_sha1_mech);
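Review bot: the new `OPENSSL_config("gost");` line does not document the case raised in this thread, a configuration file with no `gost` section, so a later reader has no way to tell whether a failure there is deliberately tolerated or an oversight. Suggest extending the comment above it to state why the call was narrowed from `NULL` (the host application may already have parsed the full openssl.cnf and registered the engines, and a second registration fails) and that a missing `gost` section is intentionally ignored, so the line is not "fixed" back to `OPENSSL_config(NULL);` in a future cleanup.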
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel