1

如何使用 API 并正确初始化 openssl?

我必须让 opevpn 与称为 GOST 的俄罗斯加密标准一起工作。我知道cryptocom的现有产品提供了这个机会。我浏览了他们的网站,发现他们在演示版中使用了 openssl 0.9.8 版。我试过演示。它可以工作,但使用共享库和过时的 openssl 和 opevpn 版本。

到目前为止,实际的 openssl 版本是1.0.1c,我想使用静态 libssl 和 libcripto(如果可能的话)。正如我在 openssl changelog中所读到的,从 1.0.0 版开始,库支持 GOST 加密(仅供参考,由cryptocom实现)。

我做了什么

我已经像这样下载并编译了 openssl-1.0.1c:

mkdir ~/test
cd ~/test
wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
...
tar xzf openssl-1.0.1c.tar.gz
cd openssl-1.0.1c
./config enable-gost -fPIC no-shared
...
make
...

我已经编写了配置文件来启用 GOST 加密算法~/test/openssl.cnf

openssl_conf = openssl_def
[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

# man ca(1SSL)
[ ca ]
default_ca  = CA_default

# man ca(1SSL)
[ CA_default ]
dir             = ./CA                    # Where everything is kept
certs           = $dir/certs              # Where the issued certs are kept
crl_dir         = $dir/crl                # Where the issued crl are kept
database        = $dir/index.txt          # database index file.
new_certs_dir   = $dir/newcerts           # default place for new certs.
certificate     = $dir/ca.pem             # The CA certificate
serial          = $dir/serial             # The current serial number
crlnumber       = $dir/crlnumber          # the current crl number
crl             = $dir/crl.pem            # The current CRL
private_key     = $dir/private/cakey.pem  # The private key
RANDFILE        = $dir/private/.rand      # private random number file
x509_extensions = usr_cert                # The extentions to add to the cert
name_opt        = ca_default              # Subject Name options
cert_opt        = ca_default              # Certificate field options
default_days    = 365                     # how long to certify for
default_crl_days= 30                      # how long before next CRL
default_md      = default                 # use public key default MD
preserve        = no                      # keep passed DN ordering
policy          = policy_match

# man ca(1SSL)
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# man req(1SSL)
[ req ]
default_bits        = 1024
distinguished_name  = req_distinguished_name
attributes          = req_attributes
x509_extensions     = v3_ca 
string_mask         = utf8only

# man req(1SSL)
[ req_distinguished_name ] 
countryName                     = Country Name (2 letter code)
countryName_default             = RU
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Moscow
localityName                    = Locality Name (eg, city)
localityName_default            = Moscow
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Company Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Organisation Unit
commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

# man req(1SSL)
[ req_attributes ]
challengePassword     = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName      = An optional company name

# man x509v3_config(5SSL)
[ usr_cert ]
basicConstraints       = CA:FALSE
nsCertType             = client, email, objsign
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
nsComment              = "Some company OpenSSL Generated Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

# man x509v3_config(5SSL)
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true

然后我查看了支持的 TLS 密码:

OPENSSL_CONF=~/test/openssl.cnf ./apps/openssl ciphers -tls1
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:GOST2001-GOST89-GOST89:GOST94-GOST89-GOST89:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

并找到了 GOST。

我的问题是什么:

我想使用 openssl API(我的意思是 libcripto 和 libssl)获取 TLS 密码列表。我写了一个小程序,它输出 openssl 提供的 TLS 密码~/test/test.c

#include <openssl/ssl.h>
#include <openssl/err.h>
#include <stdio.h>

void show_available_tls_ciphers (void)
{
  SSL_CTX *ctx;
  SSL *ssl;
  int i;
  const char *cipher_name;
  int priority = 0;

  ctx = SSL_CTX_new(TLSv1_method());
  if (!ctx) {
    ERR_print_errors_fp(stderr);    
    return;
  }

  ssl = SSL_new (ctx);
  if (!ssl) {
    ERR_print_errors_fp(stderr);
    SSL_CTX_free(ctx);
  }

  STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
  if(!sk) {
    ERR_print_errors_fp(stderr);
    SSL_CTX_free(ctx);
    SSL_free(ssl);
    return;
  }

  for(i=0; i< sk_SSL_CIPHER_num(sk); ++i) {
    printf("%s\n",sk_SSL_CIPHER_value(sk,i)->name);
  }

  printf ("\n");

  SSL_free (ssl);
  SSL_CTX_free (ctx);
}


int main(void) {
  CRYPTO_malloc_init();
  SSL_library_init();
  ERR_load_crypto_strings();

  OpenSSL_add_all_algorithms();
  ENGINE_load_builtin_engines();
  OpenSSL_add_ssl_algorithms();

  SSL_load_error_strings();
  show_available_tls_ciphers();
  return 0;
}

编译成这样

cd ~/test
gcc test.c  -g -O0 -I~/test/openssl-1.0.1c/include -L~/test/openssl-1.0.1c -lssl -lcrypto -ldl

但我的结果与OPENSSL_CONF=~/test/openssl.cnf ./apps/openssl ciphers -tls11上面的输出不同,不包括 GOST:

OPENSSL_CONF=~/test/openssl.cnf ./a.out
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
PSK-AES256-CBC-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA
PSK-3DES-EDE-CBC-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
IDEA-CBC-SHA
PSK-AES128-CBC-SHA
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA
RC4-MD5
PSK-RC4-SHA
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

为了写这篇文章,我使用了 openssl-1.0.1c/apps/ciphers.c 文件中的代码和 openssl 初始化顺序。

为什么我在输出中看不到 GOST,a.out我做错了什么?我应该如何编写代码才能正确使用 openssl 以在我的测试程序的输出中查看 GOST?

4

2 回答 2

3

简而言之 - 你没有调用设置配置的东西。

查看您获取的 openssl 包中的 apps/open ssl.c 的来源(chipers.c 是基于您在“openssl ciphers”中运行的 $0 链接到它的代码)。

请注意以下内容:

    p=getenv("OPENSSL_CONF");
    if (p == NULL)
            p=getenv("SSLEAY_CONF");
    if (p == NULL)
            p=to_free=make_config_name();

    default_config_file=p;

然后再往下:

    config=NCONF_new(NULL);
    i=NCONF_load(config,p,&errline);
    if (i == 0) ...

这就是它吸收配置的方式。

德。

于 2012-09-13T17:53:16.693 回答
1

您应该在第一条指令中调用它来加载默认配置:

OPENSSL_config(NULL);

将加载所有密码,包括配置中的 gost。您也可以在加载配置后设置:

'#define CIPHER_LIST "GOST2001-NULL-GOST94"//GOST2001-GOST89-GOST89 (chose one)

SSL_CTX_set_cipher_list(ctx, CIPHER_LIST)

你只会得到这个芯片。

于 2012-11-27T08:00:17.760 回答