Re: [PATCH] ima-evm-utils: remove redundant call to OpenSSL_add_all_algorithms

On Thu, 2019-01-31 at 12:22 +0300, Vitaly Chikunov wrote:
> On Wed, Jan 30, 2019 at 10:36:00AM -0800, James Bottomley wrote:
[...]
> > However, that's not how a casual non-Russian user would want it. 
> > They'd only want gost if they specified the streebog hash.  And if
> > we advertise the hash (as we do because you added it to the help)
> > they should have a reasonable expectation of its working easily.
> 
> It will. I support both methods of use. For the occasional user there is
> the --engine option, and for the frequent user there is the config trick.

OK, as long as users can use it without modifying the config file, I'm
happy.

[...]
> > > I implemented two methods of loading engine for evmctl (via
> > > config and via --engine option).  There is no problem with --
> > > engine option for Streebog, AFAIK.
> > 
> > Can you try it with a vanilla (non gost modified) openssl.cnf file
> > to verify?  I think you require the ENGINE_set_default() call but
> > it may be that a non-standard hash name will cause a search of the
> > engine added hashes.  OpenSSL has badly documented defaults, so I
> > usually chase that through the code, but in this case a simple
> > experiment will tell us.
> 
> Of course, I tried and tested that both ways are working
> independently. Just for Streebog ENGINE_set_default is not required,
> but to support GOST signatures (patch is RFCed) it will be required.

I agree, I tried it with the openssl gost engine and you get this weird
behaviour (I have to use md_gost94 because 1.0.2 gost doesn't have
streebog):

jejb@mulgrave:~/git/ima-evm-utils/src> ./evmctl -n --hashalgo md_gost94  ima_hash ~/tmp.ppt
01945d562c031c262563b026d8cc53e070140ad101
jejb@mulgrave:~/git/ima-evm-utils/src> ./evmctl -n --engine gost --hashalgo md_gost94  ima_hash ~/tmp.ppt
01a930a87289b548c2744fbb183a22196b1f651a727d84021d0eeb80cb4dddbb5d

Because IMA silently falls back on sha1 if it can't find the hash.  But
the test proves it will use the gost hash when the engine is provided
without ENGINE_set_default().

James
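The silent sha1 fallback James shows above can be caught mechanically: after the leading byte, the first output is 20 bytes long (sha1) while the second is 32 bytes (md_gost94), so comparing the digest length against the requested algorithm distinguishes them. The shell snippet below is an added example, not code from this thread or from ima-evm-utils. It assumes that the `evmctl -n ... ima_hash` output is one type byte followed by the hex digest (consistent with the two lengths on the page), the digest sizes in `digest_len_bytes` are the standard ones for those algorithms, and the `ima_hash_checked` wrapper around `evmctl` is hypothetical.

```shell
#!/bin/sh
# Added example (not part of the thread or of ima-evm-utils): detect the
# silent fall back to sha1 by checking the digest length of evmctl's
# ima_hash output against the algorithm that was requested.

# Standard digest sizes in bytes for the OpenSSL algorithm names used here.
# md_gost94 (GOST R 34.11-94) produces a 256-bit hash.
digest_len_bytes() {
    case "$1" in
        sha1) echo 20 ;;
        sha256|md_gost94|streebog256) echo 32 ;;
        sha512|streebog512) echo 64 ;;
        *) return 1 ;;
    esac
}

# check_ima_hash ALGO HEX
# HEX is the `evmctl -n ... ima_hash` output, assumed to be one xattr type
# byte followed by the digest.  Prints "ok" when the digest length matches
# ALGO, "fallback-to-sha1" when a 20-byte digest came back for a different
# algorithm, and "mismatch" otherwise.  Returns non-zero unless ok.
check_ima_hash() {
    algo=$1
    hex=$2
    expected=$(digest_len_bytes "$algo") || { echo unknown-algo; return 2; }
    # Drop the leading type byte (two hex characters), then count bytes.
    digest=${hex#??}
    actual=$(( ${#digest} / 2 ))
    if [ "$actual" -eq "$expected" ]; then
        echo ok; return 0
    elif [ "$actual" -eq 20 ] && [ "$algo" != sha1 ]; then
        echo fallback-to-sha1; return 1
    else
        echo mismatch; return 1
    fi
}

# Hypothetical wrapper for real use: runs evmctl and refuses a result that
# does not have the requested algorithm's length.  Extra arguments (such as
# --engine gost) are passed through.  Assumes evmctl is on PATH.
ima_hash_checked() {
    algo=$1; file=$2; shift 2
    out=$(evmctl -n --hashalgo "$algo" "$@" ima_hash "$file") || return $?
    check_ima_hash "$algo" "$out" >/dev/null || {
        echo "evmctl did not hash with $algo (got $(check_ima_hash "$algo" "$out"))" >&2
        return 1
    }
    echo "$out"
}
```

Run against the two outputs from the message, `check_ima_hash md_gost94 01945d56...` reports `fallback-to-sha1` for the run without `--engine gost`, and `ok` for the run with it.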