1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
Building and Installation
=========================
How to Build
------------
To build and install OpenSSL GOST Engine, you will need
* OpenSSL 3.0 development version
* an ANSI C compiler
* CMake (3.0 or newer, 3.18 recommended)
Here is a quick build guide:
$ git clone https://github.com/gost-engine/engine
$ cd engine
$ git submodule update --init
$ mkdir build
$ cd build
$ cmake -DCMAKE_BUILD_TYPE=Release ..
$ cmake --build . --config Release
Instead of `Release` you can use `Debug`, `RelWithDebInfo` or `MinSizeRel` configuration.
See [cmake docs](https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html) for details.
You will find built binaries in `../bin` directory.
If you want to build against a specific OpenSSL instance (you will need it if
you have more than one OpenSSL instance for example), you can use the `cmake`
variable `OPENSSL_ROOT_DIR` to specify absolute path of the desirable OpenSSL
instance:
$ cmake -DOPENSSL_ROOT_DIR=/PATH/TO/OPENSSL/ ..
Building against OpenSSL 3.0 requires openssl detection module
(FindOpenSSL.cmake) from CMake 3.18 or higher. More earlier versions may have
problems with it.
If you use Visual Studio, you can also set `CMAKE_INSTALL_PREFIX` variable
to set install path, like this:
> cmake -G "Visual Studio 15 Win64" -DCMAKE_PREFIX_PATH=c:\OpenSSL\vc-win64a\ -DCMAKE_INSTALL_PREFIX=c:\OpenSSL\vc-win64a\ ..
Also instead of `cmake --build` tool you can just open `gost-engine.sln`
in Visual Studio, select configuration and call `Build Solution` manually.
Instructions how to build OpenSSL 1.1.0 with Microsoft Visual Studio
you can find [there](https://gist.github.com/terrillmoore/995421ea6171a9aa50552f6aa4be0998).
How to Install
--------------
To install GOST Engine you can call:
# cmake --build . --target install --config Release
or old plain and Unix only:
# make install
The engine library `gost.so` should be installed into OpenSSL engine directory.
To ensure that it is installed propery call:
$ openssl version -e
ENGINESDIR: "/usr/lib/i386-linux-gnu/engines-1.1"
Then check that `gost.so` there
# ls /usr/lib/i386-linux-gnu/engines-1.1
Finally, to start using GOST Engine through OpenSSL, you should edit
`openssl.cnf` configuration file as specified below.
How to Configure
----------------
The very minimal example of the configuration file is provided in this
distribution and named `example.conf`.
Configuration file should include following statement in the global
section, i.e. before first bracketed section header (see config(5) for details)
openssl_conf = openssl_def
where `openssl_def` is name of the section in configuration file which
describes global defaults.
This section should contain following statement:
[openssl_def]
engines = engine_section
which points to the section which describes list of the engines to be
loaded. This section should contain:
[engine_section]
gost = gost_section
And section which describes configuration of the engine should contain
[gost_section]
engine_id = gost
dynamic_path = /usr/lib/ssl/engines/libgost.so
default_algorithms = ALL
Various cryptoproviders (e.g. BouncyCastle) has some problems with private key
parsing from PrivateKeyInfo, so if you want to use old private key
representation format, which supported by BC, you will have to add:
GOST_PK_FORMAT = LEGACY_PK_WRAP
to `[gost_section]`.
Where `engine_id` parameter specifies name of engine (should be `gost`).
`dynamic_path is` a location of the loadable shared library implementing the
engine. If the engine is compiled statically or is located in the OpenSSL
engines directory, this line can be omitted.
`default_algorithms` parameter specifies that all algorithms, provided by
engine, should be used.
The `CRYPT_PARAMS` parameter is engine-specific. It allows the user to choose
between different parameter sets of symmetric cipher algorithm. [RFC 4357][1]
specifies several parameters for the GOST 28147-89 algorithm, but OpenSSL
doesn't provide user interface to choose one when encrypting. So use engine
configuration parameter instead. It SHOULD NOT be used nowadays because all
the parameters except the default one are deprecated now.
Value of this parameter can be either short name, defined in OpenSSL
`obj_dat.h` header file or numeric representation of OID, defined in
[RFC 4357][1].
[1]:https://tools.ietf.org/html/rfc4357 "RFC 4357"
|
