我必须使用名为GOST的俄语密码标签进行opevpn工作。 我知道cryptocom现有的产品提供了这个机会。我查看了他们的网站,发现他们在演示版中使用了openssl 0.9.8版本。我试过演示。它可以工作,但是使用共享库和过时的openssl和opevpn版本。
现在实际的openssl版本是1.0.1c,我想使用静态libssl和libcripto(如果可能的话)。正如我在openssl changelog中所读到的,从版本1.0.0开始,库支持GOST加密,( fyi 由cryptocom实现)。
我已经像这样下载并编译了openssl-1.0.1c:
mkdir ~/test
cd ~/test
wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
...
tar xzf openssl-1.0.1c.tar.gz
cd openssl-1.0.1c
./config enable-gost -fPIC no-shared
...
make
...
我写了配置文件以启用GOST加密算法〜/ test / openssl.cnf
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
# man ca(1SSL)
[ ca ]
default_ca = CA_default
# man ca(1SSL)
[ CA_default ]
dir = ./CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
# man ca(1SSL)
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# man req(1SSL)
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
# man req(1SSL)
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = RU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Moscow
localityName = Locality Name (eg, city)
localityName_default = Moscow
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Company Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Organisation Unit
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# man req(1SSL)
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
# man x509v3_config(5SSL)
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email, objsign
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "Some company OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# man x509v3_config(5SSL)
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
然后我查看了支持的TLS密码:
OPENSSL_CONF=~/test/openssl.cnf ./apps/openssl ciphers -tls1
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:GOST2001-GOST89-GOST89:GOST94-GOST89-GOST89:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
发现了GOST。
我想使用openssl API获取TLS密码列表(我的意思是libcripto和libssl)。我写了一个小程序输出TLS密码,openssl提供〜/ test / test.c :
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <stdio.h>
void show_available_tls_ciphers (void)
{
SSL_CTX *ctx;
SSL *ssl;
int i;
const char *cipher_name;
int priority = 0;
ctx = SSL_CTX_new(TLSv1_method());
if (!ctx) {
ERR_print_errors_fp(stderr);
return;
}
ssl = SSL_new (ctx);
if (!ssl) {
ERR_print_errors_fp(stderr);
SSL_CTX_free(ctx);
}
STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
if(!sk) {
ERR_print_errors_fp(stderr);
SSL_CTX_free(ctx);
SSL_free(ssl);
return;
}
for(i=0; i< sk_SSL_CIPHER_num(sk); ++i) {
printf("%s\n",sk_SSL_CIPHER_value(sk,i)->name);
}
printf ("\n");
SSL_free (ssl);
SSL_CTX_free (ctx);
}
int main(void) {
CRYPTO_malloc_init();
SSL_library_init();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
ENGINE_load_builtin_engines();
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
show_available_tls_ciphers();
return 0;
}
像那样编译
cd ~/test
gcc test.c -g -O0 -I~/test/openssl-1.0.1c/include -L~/test/openssl-1.0.1c -lssl -lcrypto -ldl
但我的结果与上面的OPENSSL_CONF=~/test/openssl.cnf ./apps/openssl ciphers -tls11输出不同,并且不包括GOST:
OPENSSL_CONF=~/test/openssl.cnf ./a.out
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
PSK-AES256-CBC-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA
PSK-3DES-EDE-CBC-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
IDEA-CBC-SHA
PSK-AES128-CBC-SHA
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA
RC4-MD5
PSK-RC4-SHA
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
为了写这个,我使用了openssl-1.0.1c / apps / ciphers.c文件中的代码和openssl初始化顺序。
为什么我在a.out输出中看不到GOST,我做错了什么?我应该如何编写代码,正确使用openssl来查看测试程序输出中的GOST?
答案 0 :(得分:3)
简而言之 - 你没有调用设置配置的东西。
查看你提取的openssl包中的apps / open ssl.c的来源(chipers.c是基于你在'openssl ciphers'中运行的$ 0链接的代码)。
注意这一点:
p=getenv("OPENSSL_CONF");
if (p == NULL)
p=getenv("SSLEAY_CONF");
if (p == NULL)
p=to_free=make_config_name();
default_config_file=p;
然后再往下走:
config=NCONF_new(NULL);
i=NCONF_load(config,p,&errline);
if (i == 0) ...
这就是它在配置中糟透了。
DW传递。
答案 1 :(得分:1)
你应该在第一条加载默认配置的指令中调用它:
OPENSSL_config(NULL);
将加载所有密码,包括来自配置的gost。 你也可以在加载config后设置它:
'#define CIPHER_LIST "GOST2001-NULL-GOST94"//GOST2001-GOST89-GOST89 (chose one)
SSL_CTX_set_cipher_list(ctx, CIPHER_LIST)
你将只得到这个筹码。