linux-integrity.vger.kernel.org archive mirror
* [PATCH 0/2] ima-evm-utils: rebase of digest algo resolving
@ 2019-03-23  1:41 Vitaly Chikunov
  2019-03-23  1:41 ` [PATCH 1/2] ima-evm-utils: Extract digest algorithms from hash_info.h Vitaly Chikunov
  2019-03-23  1:41 ` [PATCH 2/2] ima-evm-utils: try to load digest by its alias Vitaly Chikunov
  0 siblings, 2 replies; 10+ messages in thread
From: Vitaly Chikunov @ 2019-03-23  1:41 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin, linux-integrity

This is a rebase of the ima-evm-utils commits:

  0267fa1 ima-evm-utils: Try to load digest by its alias
  942d9f9 ima-evm-utils: Extract digest algorithms from hash_info.h

and should be applied over 07d799c ("ima-evm-utils: Preload OpenSSL
engine via '--engine' option").

Changes:

* ima-evm-utils: Extract digest algorithms from hash_info.h
- algocmp is removed.
- `hash_info.h` is parsed better to match algo names in the Kernel,
  thus simple strcmp could be used.

* ima-evm-utils: try to load digest by its alias
- digest name lookup is simplified by removing get_digestbyname
  and strmatch helpers.
- Kernel and OpenSSL algo names arrays are introduced to support
  alternative algo names for older OpenSSL.


*** BLURB HERE ***

Vitaly Chikunov (2):
  ima-evm-utils: Extract digest algorithms from hash_info.h
  ima-evm-utils: try to load digest by its alias

 configure.ac      |  6 ++++++
 src/Makefile.am   |  6 ++++++
 src/hash_info.gen | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 src/libimaevm.c   | 35 ++++++++++++++++++++++++++++++++++-
 4 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100755 src/hash_info.gen

-- 
2.11.0


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH 1/2] ima-evm-utils: Extract digest algorithms from hash_info.h
  2019-03-23  1:41 [PATCH 0/2] ima-evm-utils: rebase of digest algo resolving Vitaly Chikunov
@ 2019-03-23  1:41 ` Vitaly Chikunov
  2019-03-23  1:41 ` [PATCH 2/2] ima-evm-utils: try to load digest by its alias Vitaly Chikunov
  1 sibling, 0 replies; 10+ messages in thread
From: Vitaly Chikunov @ 2019-03-23  1:41 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin, linux-integrity; +Cc: Mimi Zohar

If configured with "--with-kernel-headers=PATH" try to extract hash
algorithms from "hash_info.h" from the kernel source tree or
kernel-headers package located in the specified path. (Otherwise, an
attempt is made to get it from the installed kernel.)

This also introduces two algorithm lists, one is built-in and another is
from the kernel source. (They should never contain conflicting algorithm
IDs by their append-only nature.) If the digest is not found in the
built-in list it will be searched in the list from kernel's
"hash_info.h".

This patch will allow evmctl to be just recompiled to work with digest
algorithms introduced in the newer kernels.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
 configure.ac      |  6 ++++++
 src/Makefile.am   |  6 ++++++
 src/hash_info.gen | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 src/libimaevm.c   | 23 ++++++++++++++++++++++-
 4 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100755 src/hash_info.gen

diff --git a/configure.ac b/configure.ac
index a5b4288..60f3684 100644
--- a/configure.ac
+++ b/configure.ac
@@ -27,12 +27,18 @@ AC_HEADER_STDC
 PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ])
 AC_SUBST(OPENSSL_CFLAGS)
 AC_SUBST(OPENSSL_LIBS)
+AC_SUBST(KERNEL_HEADERS)
 AC_CHECK_HEADER(unistd.h)
 AC_CHECK_HEADERS(openssl/conf.h)
 
 AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])])
 AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
 
+AC_ARG_WITH(kernel_headers, [AS_HELP_STRING([--with-kernel-headers=PATH],
+	    [specifies the Linux kernel-headers package location or kernel root directory you want to use])],
+	    [KERNEL_HEADERS="$withval"],
+	    [KERNEL_HEADERS=/lib/modules/$(uname -r)/source])
+
 #debug support - yes for a while
 PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
 if test $pkg_cv_enable_debug = yes; then
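Review bot: The default in the last argument of AC_ARG_WITH, `KERNEL_HEADERS=/lib/modules/$(uname -r)/source`, ties the generated algorithm list to whatever kernel the build host is running, so a chroot or package-builder build picks up a header unrelated to the target, or none if that path does not exist. Consider leaving KERNEL_HEADERS empty unless the option is given, and reject the `yes` / `no` values that a bare `--with-kernel-headers` or `--without-kernel-headers` puts into `$withval`, since `KERNEL_HEADERS="$withval"` would otherwise treat them as a path.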
diff --git a/src/Makefile.am b/src/Makefile.am
index deb18fb..d74fc6f 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -9,6 +9,11 @@ libimaevm_la_LIBADD =  $(OPENSSL_LIBS)
 
 include_HEADERS = imaevm.h
 
+nodist_libimaevm_la_SOURCES = hash_info.h
+BUILT_SOURCES = hash_info.h
+hash_info.h: Makefile
+	./hash_info.gen $(KERNEL_HEADERS) >$@
+
 bin_PROGRAMS = evmctl
 
 evmctl_SOURCES = evmctl.c
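Review bot: In the `hash_info.h: Makefile` rule the script is run as `./hash_info.gen`, which resolves against the build directory, so an out-of-tree build will not find it; use `$(srcdir)/hash_info.gen` and list the script as a prerequisite so that editing it regenerates the header. The Makefile.am changes in this patch also do not add the script to EXTRA_DIST, so check that `make dist` ships it. Redirecting with `>$@` leaves a truncated hash_info.h behind if the script fails part-way; writing to a temporary file and renaming it avoids that.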
@@ -18,5 +23,6 @@ evmctl_LDADD =  $(OPENSSL_LIBS) -lkeyutils libimaevm.la
 
 INCLUDES = -I$(top_srcdir) -include config.h
 
+CLEANFILES = hash_info.h
 DISTCLEANFILES = @DISTCLEANFILES@
 
diff --git a/src/hash_info.gen b/src/hash_info.gen
new file mode 100755
index 0000000..54532ca
--- /dev/null
+++ b/src/hash_info.gen
@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# Generate hash_info.h from kernel headers
+#
+# Copyright (C) 2018 <vt@altlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+KERNEL_HEADERS=$1
+HASH_INFO_H=uapi/linux/hash_info.h
+HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H
+
+# Allow to specify kernel-headers past include/
+if [ ! -e $HASH_INFO ]; then
+  HASH_INFO2=$KERNEL_HEADERS/$HASH_INFO_H
+  if [ -e $HASH_INFO2 ]; then
+    HASH_INFO=$HASH_INFO2
+  fi
+fi
+
+if [ ! -e $HASH_INFO ]; then
+  echo "/* $HASH_INFO is not found */"
+  HASH_INFO=/dev/null
+else
+  echo "/* $HASH_INFO is found */"
+fi
+
+echo "enum hash_algo {"
+grep HASH_ALGO_.*, $HASH_INFO
+printf "\tHASH_ALGO__LAST\n"
+echo "};"
+
+echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {"
+sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \
+  while read a b; do
+    # Normalize text hash name: if it contains underscore between
+    # digits replace it with a dash, other underscores are removed.
+    b=$(echo "$b" | sed "s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g")
+    printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b"
+  done
+echo "};"
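Review bot: In the "is not found" branch the script sets `HASH_INFO=/dev/null`, prints only a C comment and still exits 0, so the build succeeds with an `enum hash_algo` that holds nothing but `HASH_ALGO__LAST` and a zero-length `hash_algo_name[]`, and nothing tells the builder that the kernel algorithms were dropped. Print a warning to stderr there, or fail when a path was given explicitly. The expansions of `$HASH_INFO` and `$KERNEL_HEADERS` should be quoted, as should the grep pattern `HASH_ALGO_.*,`, which the shell may glob-expand as written. The `\L...\E` in the sed expression is a GNU extension, while the shebang is plain `/bin/sh`.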
diff --git a/src/libimaevm.c b/src/libimaevm.c
index ca77532..bc7be1e 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -50,6 +50,7 @@
 #include <string.h>
 #include <stdio.h>
 #include <assert.h>
+#include <ctype.h>
 
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
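Review bot: `#include <ctype.h>` is added here, but none of the lines this patch adds to libimaevm.c call a ctype function. It may be left over from the algocmp helper that the cover letter says was removed; if so, drop it.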
@@ -58,6 +59,7 @@
 #include <openssl/err.h>
 
 #include "imaevm.h"
+#include "hash_info.h"
 
 const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
 	[PKEY_HASH_MD4]		= "md4",
@@ -153,6 +155,17 @@ void dump(const void *ptr, int len)
 	do_dump(stdout, ptr, len, true);
 }
 
+const char *get_hash_algo_by_id(int algo)
+{
+	if (algo < PKEY_HASH__LAST)
+		return pkey_hash_algo[algo];
+	if (algo < HASH_ALGO__LAST)
+		return hash_algo_name[algo];
+
+	log_err("digest %d not found\n", algo);
+	return "unknown";
+}
+
 int get_filesize(const char *filename)
 {
 	struct stat stats;
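Review bot: get_hash_algo_by_id() checks only the upper bound, so a negative `algo` reads before the start of `pkey_hash_algo[]`; the caller changed at the end of this patch passes an ID taken from the signature, so unless every caller already guarantees a non-negative value, add `algo < 0` to the rejected cases. Both tables are filled with designated initializers, so an in-range ID without an entry returns NULL rather than "unknown"; test the entry before returning it.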
@@ -532,11 +545,19 @@ int get_hash_algo(const char *algo)
 {
 	int i;
 
+	/* first iterate over builtin algorithms */
 	for (i = 0; i < PKEY_HASH__LAST; i++)
 		if (pkey_hash_algo[i] &&
 		    !strcmp(algo, pkey_hash_algo[i]))
 			return i;
 
+	/* iterate over algorithms provided by kernel-headers */
+	for (i = 0; i < HASH_ALGO__LAST; i++)
+		if (hash_algo_name[i] &&
+		    !strcmp(algo, hash_algo_name[i]))
+			return i;
+
+	log_info("digest %s not found, fall back to sha1\n", algo);
 	return PKEY_HASH_SHA1;
 }
 
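Review bot: The new `log_info()` before `return PKEY_HASH_SHA1` reports an unknown digest name only at info level, so a mistyped algorithm name still turns into sha1 without the user noticing when info messages are not shown. Use log_err() here, or return a negative value so the caller can stop. The second loop returns an index into `hash_algo_name[]` from the same function that returns `pkey_hash_algo[]` indices; a short comment on why the two ID spaces cannot disagree (the commit message says they are append-only) would help the next reader.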
@@ -611,7 +632,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
 		return -1;
 	}
 	/* Use hash algorithm as retrieved from signature */
-	params.hash_algo = pkey_hash_algo[sig_hash_algo];
+	params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
 
 	/*
 	 * Validate the signature based on the digest included in the
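Review bot: At `params.hash_algo = get_hash_algo_by_id(sig_hash_algo);` the result is used without checking for the "unknown" value the helper returns, so an unrecognized ID from the signature is only rejected later, wherever the digest name is looked up. Return -1 here when the lookup fails so the error is reported where the bad ID is read.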
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH 2/2] ima-evm-utils: try to load digest by its alias
  2019-03-23  1:41 [PATCH 0/2] ima-evm-utils: rebase of digest algo resolving Vitaly Chikunov
  2019-03-23  1:41 ` [PATCH 1/2] ima-evm-utils: Extract digest algorithms from hash_info.h Vitaly Chikunov
@ 2019-03-23  1:41 ` Vitaly Chikunov
  2019-04-03 20:41   ` Mimi Zohar
  1 sibling, 1 reply; 10+ messages in thread
From: Vitaly Chikunov @ 2019-03-23  1:41 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin, linux-integrity

Primary names of the algorithms are different for OpenSSL and Kernel.
Allow to use both of them.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
 src/libimaevm.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index bc7be1e..6783110 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -61,6 +61,7 @@
 #include "imaevm.h"
 #include "hash_info.h"
 
+/* Names that are primary for OpenSSL. */
 const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
 	[PKEY_HASH_MD4]		= "md4",
 	[PKEY_HASH_MD5]		= "md5",
@@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
 	[PKEY_HASH_SHA384]	= "sha384",
 	[PKEY_HASH_SHA512]	= "sha512",
 	[PKEY_HASH_SHA224]	= "sha224",
+	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
+	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
+};
+
+/* Names that are primary for the kernel. */
+const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
 	[PKEY_HASH_STREEBOG_256] = "streebog256",
 	[PKEY_HASH_STREEBOG_512] = "streebog512",
 };
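Review bot: The comment on `pkey_hash_algo_kern[]`, "Names that are primary for the kernel", does not say that the table lists only the names that differ from the OpenSSL ones, which is why it has just the two Streebog entries. State that in the comment, together with the fact that IDs resolve to the `pkey_hash_algo[]` name. If the new array is not meant to be used outside libimaevm.c, declare it static.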
@@ -551,6 +558,11 @@ int get_hash_algo(const char *algo)
 		    !strcmp(algo, pkey_hash_algo[i]))
 			return i;
 
+	for (i = 0; i < PKEY_HASH__LAST; i++)
+		if (pkey_hash_algo_kern[i] &&
+		    !strcmp(algo, pkey_hash_algo_kern[i]))
+			return i;
+
 	/* iterate over algorithms provided by kernel-headers */
 	for (i = 0; i < HASH_ALGO__LAST; i++)
 		if (hash_algo_name[i] &&
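Review bot: The added loop over `pkey_hash_algo_kern[]` is the only one of the three lookups in get_hash_algo() without a comment; add one (for example "then try the kernel names") to match its neighbours. The three loops differ only in table and bound, so a small helper taking both would remove the duplication.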
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias
  2019-03-23  1:41 ` [PATCH 2/2] ima-evm-utils: try to load digest by its alias Vitaly Chikunov
@ 2019-04-03 20:41   ` Mimi Zohar
  2019-04-03 21:04     ` Vitaly Chikunov
  0 siblings, 1 reply; 10+ messages in thread
From: Mimi Zohar @ 2019-04-03 20:41 UTC (permalink / raw)
  To: Vitaly Chikunov, Mimi Zohar, Dmitry Kasatkin, linux-integrity

On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> Primary names of the algorithms are different for OpenSSL and Kernel.
> Allow to use both of them.

Can we add a line here explaining the two names?  Perhaps something
like, "GOST R 34.11-2012 is the Russian national standard based on the
Streebog set of hash functions." 

> 
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>

Reviewed-by:  Mimi Zohar <zohar@linux.ibm.com>

> ---
>  src/libimaevm.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index bc7be1e..6783110 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -61,6 +61,7 @@
>  #include "imaevm.h"
>  #include "hash_info.h"
> 
> +/* Names that are primary for OpenSSL. */
>  const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
>  	[PKEY_HASH_MD4]		= "md4",
>  	[PKEY_HASH_MD5]		= "md5",
> @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
>  	[PKEY_HASH_SHA384]	= "sha384",
>  	[PKEY_HASH_SHA512]	= "sha512",
>  	[PKEY_HASH_SHA224]	= "sha224",
> +	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
> +	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
> +};
> +
> +/* Names that are primary for the kernel. */
> +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
>  	[PKEY_HASH_STREEBOG_256] = "streebog256",
>  	[PKEY_HASH_STREEBOG_512] = "streebog512",
>  };
> @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo)
>  		    !strcmp(algo, pkey_hash_algo[i]))
>  			return i;
> 
> +	for (i = 0; i < PKEY_HASH__LAST; i++)
> +		if (pkey_hash_algo_kern[i] &&
> +		    !strcmp(algo, pkey_hash_algo_kern[i]))
> +			return i;
> +
>  	/* iterate over algorithms provided by kernel-headers */
>  	for (i = 0; i < HASH_ALGO__LAST; i++)
>  		if (hash_algo_name[i] &&


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias
  2019-04-03 20:41   ` Mimi Zohar
@ 2019-04-03 21:04     ` Vitaly Chikunov
  2019-04-03 21:10       ` Mimi Zohar
  0 siblings, 1 reply; 10+ messages in thread
From: Vitaly Chikunov @ 2019-04-03 21:04 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity

Mimi,

On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > Primary names of the algorithms are different for OpenSSL and Kernel.
> > Allow to use both of them.
> 
> Can we add a line here explaining the two names?  Perhaps something
> like, "GOST R 34.11-2012 is the Russian national standard based on the
> Streebog set of hash functions." 

Ok. But, "GOST R 34.11-2012" is not mentioned, and there are other
standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST
34.11-2018.

The point of this patch is that the Kernel calls this hash function by its
proper name "StreebogX", but older versions of OpenSSL reference it by the
acronym "md_gost12_X". (While newer ones should support the Streebog name too.)
And we try to be user friendly and allow both names to be used.

> 
> > 
> > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> 
> Reviewed-by:  Mimi Zohar <zohar@linux.ibm.com>
> 
> > ---
> >  src/libimaevm.c | 12 ++++++++++++
> >  1 file changed, 12 insertions(+)
> > 
> > diff --git a/src/libimaevm.c b/src/libimaevm.c
> > index bc7be1e..6783110 100644
> > --- a/src/libimaevm.c
> > +++ b/src/libimaevm.c
> > @@ -61,6 +61,7 @@
> >  #include "imaevm.h"
> >  #include "hash_info.h"
> > 
> > +/* Names that are primary for OpenSSL. */
> >  const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> >  	[PKEY_HASH_MD4]		= "md4",
> >  	[PKEY_HASH_MD5]		= "md5",
> > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> >  	[PKEY_HASH_SHA384]	= "sha384",
> >  	[PKEY_HASH_SHA512]	= "sha512",
> >  	[PKEY_HASH_SHA224]	= "sha224",
> > +	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
> > +	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
> > +};
> > +
> > +/* Names that are primary for the kernel. */
> > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
> >  	[PKEY_HASH_STREEBOG_256] = "streebog256",
> >  	[PKEY_HASH_STREEBOG_512] = "streebog512",
> >  };
> > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo)
> >  		    !strcmp(algo, pkey_hash_algo[i]))
> >  			return i;
> > 
> > +	for (i = 0; i < PKEY_HASH__LAST; i++)
> > +		if (pkey_hash_algo_kern[i] &&
> > +		    !strcmp(algo, pkey_hash_algo_kern[i]))
> > +			return i;
> > +
> >  	/* iterate over algorithms provided by kernel-headers */
> >  	for (i = 0; i < HASH_ALGO__LAST; i++)
> >  		if (hash_algo_name[i] &&

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias
  2019-04-03 21:04     ` Vitaly Chikunov
@ 2019-04-03 21:10       ` Mimi Zohar
  2019-04-03 21:37         ` Vitaly Chikunov
  0 siblings, 1 reply; 10+ messages in thread
From: Mimi Zohar @ 2019-04-03 21:10 UTC (permalink / raw)
  To: Vitaly Chikunov; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity

On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote:
> Mimi,
> 
> On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > > Primary names of the algorithms are different for OpenSSL and Kernel.
> > > Allow to use both of them.
> > 
> > Can we add a line here explaining the two names?  Perhaps something
> > like, "GOST R 34.11-2012 is the Russian national standard based on the
> > Streebog set of hash functions." 
> 
> Ok. But, "GOST R 34.11-2012" is not mentioned, and there are other
> standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST
> 34.11-2018.
> 
> The point of this patch is that the Kernel calls this hash function by its
> proper name "StreebogX", but older versions of OpenSSL reference it by the
> acronym "md_gost12_X". (While newer ones should support the Streebog name too.)
> And we try to be user friendly and allow both names to be used.

If "Streebog" will be supported by OpenSSL, then why make md_gost12_x
the primary name, and the kernel name the alias?  Shouldn't it be the
reverse (eg. "pkey_hash_algo_alias")?

> 
> > 
> > > 
> > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> > 
> > Reviewed-by:  Mimi Zohar <zohar@linux.ibm.com>
> > 
> > > ---
> > >  src/libimaevm.c | 12 ++++++++++++
> > >  1 file changed, 12 insertions(+)
> > > 
> > > diff --git a/src/libimaevm.c b/src/libimaevm.c
> > > index bc7be1e..6783110 100644
> > > --- a/src/libimaevm.c
> > > +++ b/src/libimaevm.c
> > > @@ -61,6 +61,7 @@
> > >  #include "imaevm.h"
> > >  #include "hash_info.h"
> > > 
> > > +/* Names that are primary for OpenSSL. */
> > >  const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> > >  	[PKEY_HASH_MD4]		= "md4",
> > >  	[PKEY_HASH_MD5]		= "md5",
> > > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> > >  	[PKEY_HASH_SHA384]	= "sha384",
> > >  	[PKEY_HASH_SHA512]	= "sha512",
> > >  	[PKEY_HASH_SHA224]	= "sha224",
> > > +	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
> > > +	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
> > > +};
> > > +
> > > +/* Names that are primary for the kernel. */
> > > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
> > >  	[PKEY_HASH_STREEBOG_256] = "streebog256",
> > >  	[PKEY_HASH_STREEBOG_512] = "streebog512",
> > >  };
> > > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo)
> > >  		    !strcmp(algo, pkey_hash_algo[i]))
> > >  			return i;
> > > 
> > > +	for (i = 0; i < PKEY_HASH__LAST; i++)
> > > +		if (pkey_hash_algo_kern[i] &&
> > > +		    !strcmp(algo, pkey_hash_algo_kern[i]))
> > > +			return i;
> > > +
> > >  	/* iterate over algorithms provided by kernel-headers */
> > >  	for (i = 0; i < HASH_ALGO__LAST; i++)
> > >  		if (hash_algo_name[i] &&
> 


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias
  2019-04-03 21:10       ` Mimi Zohar
@ 2019-04-03 21:37         ` Vitaly Chikunov
  2019-04-03 21:40           ` Mimi Zohar
  0 siblings, 1 reply; 10+ messages in thread
From: Vitaly Chikunov @ 2019-04-03 21:37 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity

On Wed, Apr 03, 2019 at 05:10:20PM -0400, Mimi Zohar wrote:
> On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote:
> > Mimi,
> > 
> > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > > > Primary names of the algorithms are different for OpenSSL and Kernel.
> > > > Allow to use both of them.
> > > 
> > > Can we add a line here explaining the two names?  Perhaps something
> > > like, "GOST R 34.11-2012 is the Russian national standard based on the
> > > Streebog set of hash functions." 
> > 
> > Ok. But, "GOST R 34.11-2012" is not mentioned, and there are other
> > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST
> > 34.11-2018.
> > 
> > The point of this patch is that the Kernel calls this hash function by its
> > proper name "StreebogX", but older versions of OpenSSL reference it by the
> > acronym "md_gost12_X". (While newer ones should support the Streebog name too.)
> > And we try to be user friendly and allow both names to be used.
> 
> If "Streebog" will be supported by OpenSSL, then why make md_gost12_x
> the primary name, and the kernel name the alias?  Shouldn't it be the
> reverse (eg. "pkey_hash_algo_alias")?

Because ima-evm-utils is using OpenSSL and not the Kernel's Crypto API,
OpenSSL names are "primary" for ima-evm-utils. It happens that most
names are the same for both APIs.

"md_gost12_X" has been supported for years by more versions of OpenSSL, while
the "StreebogX" name was committed to gost-engine just a few months ago. Thus,

  1) The "md_gost12_x" name could be used on conservative distros. Users
   will not need to wait [possibly] a few years until the new name reaches
   their distro.

  2) PKEY_HASH_STREEBOG_X is resolved to "md_gost12_X" names (to the
  names that are present in OpenSSL with much more probability).

`pkey_hash_algo_kern` only contains names that are different between
the Kernel and OpenSSL.

I used "primary" for both arrays so that no names are offended by
being not-primary.

> > > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> > > 
> > > Reviewed-by:  Mimi Zohar <zohar@linux.ibm.com>
> > > 
> > > > ---
> > > >  src/libimaevm.c | 12 ++++++++++++
> > > >  1 file changed, 12 insertions(+)
> > > > 
> > > > diff --git a/src/libimaevm.c b/src/libimaevm.c
> > > > index bc7be1e..6783110 100644
> > > > --- a/src/libimaevm.c
> > > > +++ b/src/libimaevm.c
> > > > @@ -61,6 +61,7 @@
> > > >  #include "imaevm.h"
> > > >  #include "hash_info.h"
> > > > 
> > > > +/* Names that are primary for OpenSSL. */
> > > >  const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> > > >  	[PKEY_HASH_MD4]		= "md4",
> > > >  	[PKEY_HASH_MD5]		= "md5",
> > > > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> > > >  	[PKEY_HASH_SHA384]	= "sha384",
> > > >  	[PKEY_HASH_SHA512]	= "sha512",
> > > >  	[PKEY_HASH_SHA224]	= "sha224",
> > > > +	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
> > > > +	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
> > > > +};
> > > > +
> > > > +/* Names that are primary for the kernel. */
> > > > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
> > > >  	[PKEY_HASH_STREEBOG_256] = "streebog256",
> > > >  	[PKEY_HASH_STREEBOG_512] = "streebog512",
> > > >  };
> > > > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo)
> > > >  		    !strcmp(algo, pkey_hash_algo[i]))
> > > >  			return i;
> > > > 
> > > > +	for (i = 0; i < PKEY_HASH__LAST; i++)
> > > > +		if (pkey_hash_algo_kern[i] &&
> > > > +		    !strcmp(algo, pkey_hash_algo_kern[i]))
> > > > +			return i;
> > > > +
> > > >  	/* iterate over algorithms provided by kernel-headers */
> > > >  	for (i = 0; i < HASH_ALGO__LAST; i++)
> > > >  		if (hash_algo_name[i] &&
> > 

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias
  2019-04-03 21:37         ` Vitaly Chikunov
@ 2019-04-03 21:40           ` Mimi Zohar
  2019-04-03 21:57             ` Vitaly Chikunov
  0 siblings, 1 reply; 10+ messages in thread
From: Mimi Zohar @ 2019-04-03 21:40 UTC (permalink / raw)
  To: Vitaly Chikunov; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity

On Thu, 2019-04-04 at 00:37 +0300, Vitaly Chikunov wrote:
> On Wed, Apr 03, 2019 at 05:10:20PM -0400, Mimi Zohar wrote:
> > On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote:
> > > Mimi,
> > > 
> > > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> > > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > > > > Primary names of the algorithms are different for OpenSSL and Kernel.
> > > > > Allow to use both of them.
> > > > 
> > > > Can we add a line here explaining the two names?  Perhaps something
> > > > like, "GOST R 34.11-2012 is the Russian national standard based on the
> > > > Streebog set of hash functions." 
> > > 
> > > Ok. But, "GOST R 34.11-2012" is not mentioned, and there are other
> > > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST
> > > 34.11-2018.
> > > 
> > > The point of this patch is that the Kernel calls this hash function by its
> > > proper name "StreebogX", but older versions of OpenSSL reference it by the
> > > acronym "md_gost12_X". (While newer ones should support the Streebog name too.)
> > > And we try to be user friendly and allow both names to be used.
> > 
> > If "Streebog" will be supported by OpenSSL, then why make md_gost12_x
> > the primary name, and the kernel name the alias?  Shouldn't it be the
> > reverse (eg. "pkey_hash_algo_alias")?
> 
> Because ima-evm-utils is using OpenSSL and not the Kernel's Crypto API,
> OpenSSL names are "primary" for ima-evm-utils. It happens that most
> names are the same for both APIs.
> 
> "md_gost12_X" has been supported for years by more versions of OpenSSL, while
> the "StreebogX" name was committed to gost-engine just a few months ago. Thus,
> 
>   1) The "md_gost12_x" name could be used on conservative distros. Users
>    will not need to wait [possibly] a few years until the new name reaches
>    their distro.
> 
>   2) PKEY_HASH_STREEBOG_X is resolved to "md_gost12_X" names (to the
>   names that are present in OpenSSL with much more probability).
> 
> `pkey_hash_algo_kern` only contains names that are different between
> the Kernel and OpenSSL.
> 
> I used "primary" for both arrays so that no names are offended by
> being not-primary.

Could you provide me with a single line or two, with an explanation
for the two names.  I'll add it to the commit patch description,
before pushing out these patches.

Thanks!

Mimi


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias
  2019-04-03 21:40           ` Mimi Zohar
@ 2019-04-03 21:57             ` Vitaly Chikunov
  2019-04-03 21:59               ` Mimi Zohar
  0 siblings, 1 reply; 10+ messages in thread
From: Vitaly Chikunov @ 2019-04-03 21:57 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity

On Wed, Apr 03, 2019 at 05:40:43PM -0400, Mimi Zohar wrote:
> On Thu, 2019-04-04 at 00:37 +0300, Vitaly Chikunov wrote:
> > On Wed, Apr 03, 2019 at 05:10:20PM -0400, Mimi Zohar wrote:
> > > On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote:
> > > > Mimi,
> > > > 
> > > > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> > > > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > > > > > Primary names of the algorithms are different for OpenSSL and Kernel.
> > > > > > Allow to use both of them.
> > > > > 
> > > > > Can we add a line here explaining the two names?  Perhaps something
> > > > > like, "GOST R 34.11-2012 is the Russian national standard based on the
> > > > > Streebog set of hash functions." 
> > > > 
> > > > Ok. But, "GOST R 34.11-2012" is not mentioned, and there are other
> > > > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST
> > > > 34.11-2018.
> > > > 
> > > > The point of this patch is that the Kernel calls this hash function by its
> > > > proper name "StreebogX", but older versions of OpenSSL reference it by the
> > > > acronym "md_gost12_X". (While newer ones should support the Streebog name too.)
> > > > And we try to be user friendly and allow both names to be used.
> > > 
> > > If "Streebog" will be supported by OpenSSL, then why make md_gost12_x
> > > the primary name, and the kernel name the alias?  Shouldn't it be the
> > > reverse (eg. "pkey_hash_algo_alias")?
> > 
> > Because ima-evm-utils is using OpenSSL and not the Kernel's Crypto API,
> > OpenSSL names are "primary" for ima-evm-utils. It happens that most
> > names are the same for both APIs.
> > 
> > "md_gost12_X" has been supported for years by more versions of OpenSSL, while
> > the "StreebogX" name was committed to gost-engine just a few months ago. Thus,
> > 
> >   1) The "md_gost12_x" name could be used on conservative distros. Users
> >    will not need to wait [possibly] a few years until the new name reaches
> >    their distro.
> > 
> >   2) PKEY_HASH_STREEBOG_X is resolved to "md_gost12_X" names (to the
> >   names that are present in OpenSSL with much more probability).
> > 
> > `pkey_hash_algo_kern` only contains names that are different between
> > the Kernel and OpenSSL.
> > 
> > I used "primary" for both arrays so that no names are offended by
> > being not-primary.
> 
> Could you provide me with a single line or two, with an explanation
> for the two names.  I'll add it to the commit patch description,
> before pushing out these patches.

Maybe this:

  "Streebog" is a name of the hash algorithm in the Kernel Crypto API.
  "md_gost12_X" is the name used by most versions of OpenSSL; it's
  placed in pkey_hash_algo[] so that algo IDs are resolved to them.

> 
> Thanks!
> 
> Mimi

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias
  2019-04-03 21:57             ` Vitaly Chikunov
@ 2019-04-03 21:59               ` Mimi Zohar
  0 siblings, 0 replies; 10+ messages in thread
From: Mimi Zohar @ 2019-04-03 21:59 UTC (permalink / raw)
  To: Vitaly Chikunov; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity

On Thu, 2019-04-04 at 00:57 +0300, Vitaly Chikunov wrote:

> Maybe this:
> 
>   "Streebog" is a name of the hash algorithm in the Kernel Crypto API.
>   "md_gost12_X" is the name used by most versions of OpenSSL; it's
>   placed in pkey_hash_algo[] so that algo IDs are resolved to them.

Thank you!


^ permalink raw reply	[flat|nested] 10+ messages in thread
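
The name handling discussed in this thread (IDs resolve to the OpenSSL name, the kernel name is accepted as an alias), as an added example that is not ima-evm-utils code and not part of any message above. The `ex_` identifiers and the ID values are assumptions made for the example; unlike the patch, unknown names and IDs are rejected instead of being mapped to sha1 or "unknown".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed IDs for this example; the real values live in imaevm.h. */
enum ex_hash {
	EX_HASH_SHA1,
	EX_HASH_SHA256,
	EX_HASH_RESERVED,	/* deliberately unnamed: a gap in the table */
	EX_HASH_STREEBOG_256,
	EX_HASH_STREEBOG_512,
	EX_HASH__LAST
};

/* Names handed to OpenSSL; an ID always resolves to one of these. */
static const char *const ex_name_openssl[EX_HASH__LAST] = {
	[EX_HASH_SHA1]		= "sha1",
	[EX_HASH_SHA256]	= "sha256",
	[EX_HASH_STREEBOG_256]	= "md_gost12_256",
	[EX_HASH_STREEBOG_512]	= "md_gost12_512",
};

/* Kernel names, listed only where they differ from the OpenSSL name. */
static const char *const ex_name_kernel[EX_HASH__LAST] = {
	[EX_HASH_STREEBOG_256]	= "streebog256",
	[EX_HASH_STREEBOG_512]	= "streebog512",
};

/* Search one table, skipping the NULL slots designated initializers leave. */
static int ex_find(const char *const *tab, const char *name)
{
	int i;

	for (i = 0; i < EX_HASH__LAST; i++)
		if (tab[i] && !strcmp(name, tab[i]))
			return i;
	return -1;
}

/* Name -> ID. Accepts either spelling; returns -1 rather than a default. */
int ex_hash_id(const char *name)
{
	int id;

	if (!name)
		return -1;
	id = ex_find(ex_name_openssl, name);
	if (id < 0)
		id = ex_find(ex_name_kernel, name);
	return id;
}

/* ID -> OpenSSL name. NULL for negative, out-of-range or unnamed IDs. */
const char *ex_hash_name(int id)
{
	if (id < 0 || id >= EX_HASH__LAST)
		return NULL;
	return ex_name_openssl[id];
}

int main(void)
{
	/* Constructed inputs: both spellings, a typo, and IDs as they
	 * might arrive in an untrusted signature header. */
	const char *names[] = { "streebog256", "md_gost12_256", "sha-256" };
	int ids[] = { EX_HASH_STREEBOG_512, EX_HASH_RESERVED, -1, 200 };
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-14s -> %d\n", names[i], ex_hash_id(names[i]));
	for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
		const char *n = ex_hash_name(ids[i]);

		printf("id %3d -> %s\n", ids[i], n ? n : "(rejected)");
	}
	return 0;
}
```

Callers treat -1 and NULL as hard errors, so a mistyped digest name or a malformed ID stops the operation instead of selecting a different algorithm.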
