Martin Paljak wrote:
> On Apr 16, 2010, at 09:51, Aleksey Samsonov wrote:
>> I commented out the OPENSSL_config(NULL) and now it works ...
>>> should this be added as a patch? the FIXME seems to be to *remove* the
>>> explicit call to OPENSSL_config; I can confirm that this works for both
>>> openssl-1.0.0-beta4 and the official openssl-1.0.0 release
>> The FIXME means that the call OPENSSL_config(NULL) may have problems and
>> needs a cleaner solution for loading the GOST algorithms' implementation.
>
> Does this mean that a fix in OpenSC is not needed and the problem lies in
> OpenSSL land?
>
The problem is not in openssl land but in the way the GOST engine is
loaded by the pkcs11 software. The GOST engine requires a section in the
openssl.cnf file to load the appropriate shared library. The problem
(with openssl) is that you cannot register an engine twice. So when
a program loads and parses an openssl.cnf file which contains engine
definitions, then the second attempt to register that engine will cause
a failure.

I've built the GOST engine myself and did *NOT* specify an openssl.cnf
file: the gost engine still loads, but I am not sure if it is
functional. So the real question becomes: is this openssl.cnf section
still necessary? Is it still required to run
  OPENSSL_config()
during opensc initialisation?

Another solution might be to not call
  OPENSSL_config()
but call
  OPENSSL_config( "gost" )
instead; this will cause the openssl library to only parse the GOST 
section (provided there is one) which should solve the problem as well. 
However, what happens if the "gost" section is missing?

Finally, I also noticed that the behaviour of loading the
engine_pkcs11+opensc-pkcs11 is different when a card is present or not:
without a card the library initialized just fine (without patching
opensc, that is). If I insert a card and then try to run
  openssl engine -vvv -t -c
then I get the error reported previously. The same is true for trying
to sign a certificate request using a card.

cheers,

JJK
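Added example (not code from this thread, OpenSC or OpenSSL): a small Python check that follows an openssl.cnf's engine-section chain the way OpenSSL's ENGINE config module does, so you can tell whether a "gost" engine section is actually reachable before OPENSSL_config() is called. It assumes the usual 1.0.0-era layout (application key -> init section -> engines -> `<id> = <section>` with engine_id/dynamic_path), and that OPENSSL_config()'s string argument selects the top-level application key ("openssl_conf" when NULL), so OPENSSL_config("gost") needs a top-level `gost =` key; the sample config and the .so path are constructed.

```python
import re

def parse_cnf(text):
    """Tiny openssl.cnf reader: {section: {key: value}}; keys that appear
    before any [section] header land in the "default" section."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        header = re.match(r"\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def find_engine(sections, engine_id, app_name="openssl_conf"):
    """Follow app_name -> engines -> <id> = <section>; None if the chain
    breaks anywhere (the "gost section is missing" case)."""
    init = sections["default"].get(app_name)
    engines = sections.get(init, {}).get("engines") if init else None
    for name, sect_name in (sections.get(engines, {}) if engines else {}).items():
        sect = sections.get(sect_name, {})
        # the list key is the engine id unless engine_id overrides it
        if sect.get("engine_id", name) == engine_id:
            return sect
    return None

def gost_status(cnf_text, app_name="openssl_conf"):
    """'dynamic' (a shared library would be loaded), 'static' (section
    without dynamic_path) or 'missing' (no gost engine reachable)."""
    sect = find_engine(parse_cnf(cnf_text), "gost", app_name)
    if sect is None:
        return "missing"
    return "dynamic" if "dynamic_path" in sect else "static"

# constructed sample modelled on a typical OpenSSL 1.0.0 GOST setup;
# the library path is an assumption, not a value from the thread
SAMPLE_CNF = """\
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
dynamic_path = /usr/lib/engines/libgost.so
default_algorithms = ALL
"""
```

`gost_status(SAMPLE_CNF)` returns `dynamic`, while `gost_status(SAMPLE_CNF, "gost")` returns `missing`, because the sample has no top-level `gost =` key for OPENSSL_config("gost") to start from.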

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
