unable to sign with external OpenSSL engine after usage of crypto.hash

[GauriSpears]

Version

v21.7.1

Platform

Linux debgis 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64 GNU/Linux

Subsystem

crypto

What steps will reproduce the bug?

1. Install gost-engine for OpenSSL 3.x from here: https://github.com/gost-engine/engine
   For Debian I use this script:

ENGINE_PATH=$(openssl version -a | grep -Po '(?<=ENGINESDIR: ")[^"]*')
rm -rf "/usr/local/src/engine" \
  && cd /usr/local/src \
  && git clone https://github.com/gost-engine/engine \
  && cd engine \
  && git submodule update --init \
  && mkdir -p build \
  && cd build \
  && cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS='-I/usr/local/ssl/include -L/usr/local/ssl/lib' \
   -DOPENSSL_ROOT_DIR=/usr/local/ssl  -DOPENSSL_INCLUDE_DIR=/usr/local/ssl/include -DOPENSSL_LIBRARIES=/usr/local/ssl/lib -DOPENSSL_ENGINES_DIR=${ENGINE_PATH} .. \
  && cmake --build . --config Release \
  && cmake --build . --target install --config Release

2. Run the code:

const crypto = require('crypto');
const fs = require('fs');
//on some systems engine is successfully loaded by name, but on others you have to specify full path
try{
  crypto.setEngine('gost');
} catch(err){
  //look for engine path in "openssl version -a"
  const child_process = require('child_process');
  let Epath = child_process.execSync('openssl version -a').toString().match(/(?<=ENGINESDIR: ")[^"]*/);
  if (Epath==null) logger.info('ENGINESDIR not found in openssl version -a');
  Epath=Epath[0];
  crypto.setEngine(Epath+'/gost.so');
}

//without this string everything is OK
const hash=crypto.createHash('md_gost12_256');

const sign = crypto.createSign('md_gost12_256');
sign.update('this is test string');
const privateKey = fs.readFileSync('/home/key.pem'); //Just a private key, if you don't know how to generate one, I can provide it to you.
const SignatureValueT = sign.sign(privateKey,'base64');

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

Signature should be calculated without any errors.

What do you see instead?

node:internal/crypto/sig:128
  const ret = this[kHandle].sign(data, format, type, passphrase, rsaPadding,
                            ^

Error: error:0308010C:digital envelope routines::unsupported
    at Sign.sign (node:internal/crypto/sig:128:29)
    at Object.<anonymous> (/home/GKU-data/test/hashtest.js:21:30)
    at Module._compile (node:internal/modules/cjs/loader:1368:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1426:10)
    at Module.load (node:internal/modules/cjs/loader:1205:32)
    at Module._load (node:internal/modules/cjs/loader:1021:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:142:12)
    at node:internal/main/run_main_module:28:49 {
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

Additional information

It looks like it's caused by #51044 or #51034
The given code works fine on v21.6.2 and before but breaks on v21.7.0 and v21.7.1.

[panva]

@joyeecheung