SUPPORT OF THE RUSSIAN CRYPTOALGORITHMS IN THE OpenSSL OPENSOURCE PROJECT

The Cryptocom Company has solved the problem of adding Russian cryptoalgorithms to the open source library OpenSSL.

The algorithms described in RFC 4357 are fully supported.

Support is implemented for S/MIME messages according to RFC 4490, PKI according to RFC 4491, and GOST-based TLS ciphersuites according to draft-chudov-cryptopro-cptls.

Currently, there are two implementations of this functionality:

Commercial product MagPro CryptoPack

This product is based on OpenSSL 0.9.8e. It includes modified OpenSSL libraries and a loadable module that implements the GOST algorithms, based on the certified Cryptocom crypto library.

The certified commercial implementation doesn't support algorithms based on GOST R 34.10-94 because this standard has expired.

A description and the source of the modifications to OpenSSL that were needed to implement the Russian algorithms can be found on a separate page. That page also has the sources of a reference (non-certified) implementation of the loadable module that provides the Russian cryptoalgorithms.

Binary packages of the modified OpenSSL and the reference loadable module can be downloaded from the page (in Russian) of the trial version of MagPro CryptoPack. From that page you can also download packages of some well-known open source applications rebuilt with the MagPro CryptoPack libraries.

GOST support in the development version of OpenSSL

In OpenSSL 1.0.0 (currently in development status), GOST algorithms can be used without any modifications to the OpenSSL core. A reference (non-certified) implementation of the GOST support module, developed by Cryptocom, is included in the OpenSSL distribution as the engines/ccgost directory.

MagPro CryptoPack and OpenSSL 1.0.0 are compatible in most high-level APIs (TLS, PKCS7, etc.). Unfortunately, compatibility of low-level APIs such as key-pair generation has not been achieved, because in 1.0.0 this functionality is implemented using new APIs that appeared only in this version.

This is not a problem for most applications, because OpenSSL applications typically do not generate keys and certificate requests (this is done with the openssl command-line utility) and do not use their own signed document formats.

Developers of applications that need such functionality are urged to use OpenSSL 1.0.0.

Sources of the latest snapshot of OpenSSL 1.0.0 can be downloaded from the FTP site of the OpenSSL project. Get the most recent openssl-SNAP-XXXXXX.tar.gz.

The functionality supported by the ccgost engine is described in the README.gost file in the engines/ccgost directory.

Using modified OpenSSL in the applications

Due to considerable changes in the basic OpenSSL data structures required to support arbitrary public key algorithms and dynamically added ciphersuites, the modified OpenSSL is not binary compatible with the original one. OpenSSL 1.0.0 is not binary compatible with previous versions either.

So all applications to be used with the modified version must be recompiled. We recommend not replacing the system OpenSSL libraries with the modified ones, but rather installing the modified libraries elsewhere in the filesystem and recompiling only the applications that take advantage of the new functionality.

The public OpenSSL API is preserved as exactly as possible. But some programs access undocumented data structures directly. Such programs might need some modifications to work with the modified OpenSSL. One such application is mod_ssl for the Apache web server.

In order to use loadable engines, the application should either read the OpenSSL global configuration file or provide a means to load engines from its own configuration.

Unfortunately, few applications support the OpenSSL configuration file so far, since this functionality was added to OpenSSL only in version 0.9.7.

In most cases it is enough to add the OPENSSL_config(NULL) call before SSL_library_init to make an SSL application work with engines and, in particular, with GOST algorithms.

Several exceptions to this rule are described below.
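
An added example, not taken from this page: the engine section of the OpenSSL configuration file that OPENSSL_config(NULL) reads, in the layout given by README.gost for the ccgost engine. The dynamic_path value is a placeholder for wherever the engine library is installed.

```ini
# openssl.cnf fragment (added example; layout follows README.gost)
# This line must sit in the default section, before any [section] header.
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
# Left-hand name is arbitrary; it points at the section configuring the engine.
gost = gost_section

[gost_section]
# Engine id; the same name the page uses in "SSLCryptoDevice gost" and "engine gost".
engine_id = gost
# Placeholder path (assumption): needed only when the engine library is not in
# OpenSSL's default engines directory. Keep the file and directory writable by
# root only, since every process that reads this config loads the library.
dynamic_path = /path/to/engines/libgost.so
# Register all algorithms the engine provides (GOST cipher, digest, MAC, public key).
default_algorithms = ALL
# ccgost parameter: S-box set for GOST 28147-89 encryption.
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
```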

Adding GOST support into some OpenSource applications

Apache/mod_ssl

Apache uses quite a complex technique to load engines and keys, so additional patches are needed to make Apache work with GOST public key algorithms.

Apache 1.3.x

mod_ssl for Apache 1.3.x requires the patch (681 bytes) to work with the modified OpenSSL and support GOST algorithms.

This patch adds support for the MagPro CryptoPack implementation of GOST algorithms to mod_ssl 2.8.24 for Apache 1.3.x.

You should also use the option --enable-rule=SSL_EXPERIMENTAL while configuring mod_ssl to enable the SSLCryptoDevice configuration directive.

Apache 2.0.x

The mod_ssl shipped with Apache 2.0 doesn't support the SSLCryptoDevice command, so it won't work with engines. Use Apache 2.2 if you want 2.x features.

Apache 2.2.x

The mod_ssl shipped with Apache 2.2 requires this patch (561b) to work with MagPro CryptoPack.

If you are using OpenSSL 1.0.0, you should use another patch (2kb), which makes it possible to work with all algorithms supported by OpenSSL 1.0.0.

To use GOST ciphersuites with Apache, you must specify the configuration file directive

SSLCryptoDevice gost

You can use GOST certificates on the same virtual host as RSA ones.

With the patched OpenSSL 0.9.8, all ciphersuites using DSA should be explicitly disabled and the GOST ciphersuites explicitly enabled for a virtual server that uses GOST keys. OpenSSL 1.0.0 doesn't have this limitation.

OpenSSH

OpenSSH doesn't use TLS. It uses its own protocol. Currently there is no RFC or draft specifying the use of GOST algorithms in the secure shell protocol, so OpenSSH doesn't support GOST with our modifications to OpenSSL. However, OpenSSH can be built with the modified OpenSSL and retains all its functionality.

OpenVPN

OpenVPN has the following problems, which must be fixed in order to use Russian algorithms:

  1. By default OpenVPN uses only CBC ciphers, but GOST 28147-89 allows only CFB and CNT modes. To enable these modes, openvpn should be compiled with the preprocessor symbol ALLOW_NON_CBC_CIPHERS.
  2. The function openvpn_encrypt asserts that the last block size is the same as the initialization vector size. This is not true for CFB ciphers, which have a non-empty IV but do not have a last block that is returned only upon cipher finalization.
  3. MAC algorithms other than HMAC, and in particular algorithms whose key size is not equal to the output size, are not supported.

We have developed a patch which fixes the second and third problems. To fix the first problem, run the openvpn configure script with the environment variable CFLAGS containing -DALLOW_NON_CBC_CIPHERS.

To use GOST in an openvpn built with this patch, you should use the following configuration file (or command line) options:

engine gost
cipher gost
auth gost-mac

These options are applicable to both pre-shared key and TLS authentication modes. In the latter case also add

tls-cipher GOST2001-GOST89-GOST89

and use GOST R 34.10-2001 keys and certificates.

Stunnel 4.x

Stunnel supports loading engines via its own configuration file, so no modifications are required. However, it should be compiled with the configuration option --disable-rsa. Without this option Stunnel supports RSA only. With this option Stunnel supports every algorithm supported by the underlying OpenSSL, including RSA.

PostgreSQL

Since version 8.3.0 PostgreSQL incorporates our patches, so it just needs to be recompiled with the correct OpenSSL libraries.

The patch published on our PostgreSQL page contains everything required to use the GOST TLS in PostgreSQL and can be used for PostgreSQL 8.1.x and 8.2.x.

Tcltls

The TLS library for the Tcl programming language requires this patch (2.2K) to support OpenSSL configuration files and the engine API. This patch is also available in the SourceForge request tracker.

This patch works with both MagPro CryptoPack and OpenSSL 1.0.0, but it doesn't extend the key generation functionality, which is present in Tcl Tls but not documented, beyond just RSA keys.

Tcl applications which use this library should call ::tls::config.

Other applications tested
The following applications were also tested with GOST TLS (patches are trivial but are provided for convenience): These applications only require adding the OPENSSL_config(NULL) call. These patches would work with both MagPro CryptoPack and OpenSSL 1.0.0.

Interoperability with CryptoPro CSP 3.0

If interoperability with Windows applications using CryptoPro CSP 3.0 for TLS is required, one should consider the following:
  1. Usage of the GostR3410_2001_CryptoPro_XchA_ParamSet parameter set is required for server certificates. Use the -newkey gost2001cp:XA option for the openssl req command to create a server keypair. For GOST R 34.10-94 use GostR3410_94_CryptoPro_A_ParamSet (-newkey gost94cp:A).
  2. Windows client machines should have the TLS 1.0 protocol enabled in the Internet Explorer options. The CryptoPro server is able to negotiate TLS 1.0 ciphersuites after receiving an SSL 3.0 ClientHello, but this is a violation of the TLS protocol and is not supported by our patch.

Last update:
2009-06-09 15:32:40 MSD
Copyright © Cryptocom Ltd. 2001-2009. All Rights Reserved.