From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org
Subject: Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias
Date: Thu, 4 Apr 2019 00:37:40 +0300
Message-ID: <20190403213739.afjtakg5nujke477@altlinux.org>
In-Reply-To: <1554325820.3839.27.camel@linux.ibm.com>

On Wed, Apr 03, 2019 at 05:10:20PM -0400, Mimi Zohar wrote:
> On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote:
> > Mimi,
> > 
> > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > > > Primary names of the algorithms are different for OpenSSL and the Kernel.
> > > > Allow using both of them.
> > > 
> > > Can we add a line here explaining the two names?  Perhaps something
> > > like, "GOST R 34.11-2012 is the Russian national standard based on the
> > > Streebog set of hash functions." 
> > 
> > Ok. But "GOST R 34.11-2012" is not mentioned, and there are other
> > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST
> > 34.11-2018.
> > 
> > The point of this patch is that the Kernel calls this hash function by its
> > proper name "StreebogX", but older versions of OpenSSL reference it by
> > the acronym "md_gost12_X". (While newer ones should support the Streebog name too.)
> > And we try to be user friendly and allow both names to be used.
> 
> If "Streebog" will be supported by OpenSSL, then why make md_gost12_x
> the primary name, and the kernel name the alias?  Shouldn't it be the
> reverse (eg. "pkey_hash_algo_alias")?

Because ima-evm-utils is using OpenSSL and not the Kernel's Crypto API,
OpenSSL names are "primary" for ima-evm-utils. It just happens that most
names are the same for both APIs.

"md_gost12_X" has been supported for years by more versions of OpenSSL, while
the "StreebogX" name was just committed a few months ago to gost-engine. Thus,

  1) the "md_gost12_x" name could be used on conservative distros. Users
   will not need to wait [possibly] a few years until the new name reaches
   their distro.

  2) PKEY_HASH_STREEBOG_X is resolved to the "md_gost12_X" names (the
  names that are present in OpenSSL with much higher probability).

`pkey_hash_algo_kern` only contains names that are different between
the Kernel and OpenSSL.

I used "primary" for the both arrays so that no names are offended by
being not-primary.

> > > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> > > 
> > > Reviewed-by:  Mimi Zohar <zohar@linux.ibm.com>
> > > 
> > > > ---
> > > >  src/libimaevm.c | 12 ++++++++++++
> > > >  1 file changed, 12 insertions(+)
> > > > 
> > > > diff --git a/src/libimaevm.c b/src/libimaevm.c
> > > > index bc7be1e..6783110 100644
> > > > --- a/src/libimaevm.c
> > > > +++ b/src/libimaevm.c
> > > > @@ -61,6 +61,7 @@
> > > >  #include "imaevm.h"
> > > >  #include "hash_info.h"
> > > > 
> > > > +/* Names that are primary for OpenSSL. */
> > > >  const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> > > >  	[PKEY_HASH_MD4]		= "md4",
> > > >  	[PKEY_HASH_MD5]		= "md5",
> > > > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> > > >  	[PKEY_HASH_SHA384]	= "sha384",
> > > >  	[PKEY_HASH_SHA512]	= "sha512",
> > > >  	[PKEY_HASH_SHA224]	= "sha224",
> > > > +	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
> > > > +	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
> > > > +};
> > > > +
> > > > +/* Names that are primary for the kernel. */
> > > > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
> > > >  	[PKEY_HASH_STREEBOG_256] = "streebog256",
> > > >  	[PKEY_HASH_STREEBOG_512] = "streebog512",
> > > >  };
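Review bot: the comment "Names that are primary for the kernel." above pkey_hash_algo_kern is misleading, because the table only carries the two Streebog entries whose kernel spelling differs from the OpenSSL one and leaves every other slot NULL (which is exactly what the lookup loop relies on). Say that explicitly, e.g. `/* Kernel names that differ from the OpenSSL ones; other entries stay NULL. */`, so a later reader does not fill in the full kernel name set and duplicate pkey_hash_algo.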
> > > > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo)
> > > >  		    !strcmp(algo, pkey_hash_algo[i]))
> > > >  			return i;
> > > > 
> > > > +	for (i = 0; i < PKEY_HASH__LAST; i++)
> > > > +		if (pkey_hash_algo_kern[i] &&
> > > > +		    !strcmp(algo, pkey_hash_algo_kern[i]))
> > > > +			return i;
> > > > +
> > > >  	/* iterate over algorithms provided by kernel-headers */
> > > >  	for (i = 0; i < HASH_ALGO__LAST; i++)
> > > >  		if (hash_algo_name[i] &&
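Review bot: the added loop in get_hash_algo() is a copy of the pkey_hash_algo loop directly above it with only the table changed, and the hash_algo_name loop below has the same shape a third time; a small static helper such as `static int find_name(const char *const *tab, int n, const char *algo)` would keep the three lookups in step and make the precedence (OpenSSL name, then kernel alias, then kernel-headers names) visible in one place. Since the alias table is now consulted before the kernel-headers list, "streebog256" resolves through pkey_hash_algo_kern rather than through hash_algo_name; that appears to be the intended behaviour, but a sentence in the commit message stating the lookup order would help.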
> > 
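The two-table resolution discussed in this thread, written out as an added, self-contained example rather than ima-evm-utils code: the enum is a constructed subset, and the table and function names (openssl_names, kernel_aliases, resolve_hash_algo, openssl_digest_name) are assumptions chosen for illustration. It shows both directions that the discussion turns on: either spelling resolves to the same id, and the id maps back to the OpenSSL name that the library would actually hand to OpenSSL.

```c
#include <stdio.h>
#include <string.h>

/* Constructed subset of the pkey_hash enum (example only, not the project's). */
enum pkey_hash_algo_id {
	PKEY_HASH_MD5,
	PKEY_HASH_SHA1,
	PKEY_HASH_SHA256,
	PKEY_HASH_SHA512,
	PKEY_HASH_STREEBOG_256,
	PKEY_HASH_STREEBOG_512,
	PKEY_HASH__LAST
};

/* Primary names: the spellings the OpenSSL side understands (assumed table). */
static const char *const openssl_names[PKEY_HASH__LAST] = {
	[PKEY_HASH_MD5]          = "md5",
	[PKEY_HASH_SHA1]         = "sha1",
	[PKEY_HASH_SHA256]       = "sha256",
	[PKEY_HASH_SHA512]       = "sha512",
	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
};

/* Kernel spellings, listed only where they differ; all other slots stay NULL. */
static const char *const kernel_aliases[PKEY_HASH__LAST] = {
	[PKEY_HASH_STREEBOG_256] = "streebog256",
	[PKEY_HASH_STREEBOG_512] = "streebog512",
};

/* Case-sensitive scan of one sparse table; -1 when nothing matches. */
static int lookup(const char *const table[], const char *name)
{
	int i;

	for (i = 0; i < PKEY_HASH__LAST; i++)
		if (table[i] && !strcmp(name, table[i]))
			return i;
	return -1;
}

/* Resolve either the OpenSSL or the kernel spelling to the enum value. */
int resolve_hash_algo(const char *name)
{
	int id;

	if (!name)
		return -1;
	id = lookup(openssl_names, name);   /* primary names first */
	if (id < 0)
		id = lookup(kernel_aliases, name); /* then the kernel aliases */
	return id;
}

/* The name to pass on to OpenSSL for a resolved id; NULL if out of range. */
const char *openssl_digest_name(int id)
{
	if (id < 0 || id >= PKEY_HASH__LAST)
		return NULL;
	return openssl_names[id];
}

int main(void)
{
	/* Constructed inputs: both spellings, one unknown, one wrong case. */
	const char *inputs[] = { "md_gost12_256", "streebog256", "sha256",
				 "Streebog256", "md_gost12_1024" };
	size_t n;

	for (n = 0; n < sizeof(inputs) / sizeof(inputs[0]); n++) {
		int id = resolve_hash_algo(inputs[n]);
		const char *ossl = openssl_digest_name(id);

		printf("%-15s -> id %2d -> OpenSSL name %s\n",
		       inputs[n], id, ossl ? ossl : "(unknown)");
	}
	return 0;
}
```

The alias table is deliberately sparse: every slot not listed is NULL, so the scan skips it and the primary table remains the single source of truth for names handed to OpenSSL. Matching is exact and case-sensitive, as with strcmp in the patch, so "Streebog256" is not accepted.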
