From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Vitaly Chikunov <vt@altlinux.org>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org
Subject: Re: [PATCH] ima-evm-utils: remove redundant call to OpenSSL_add_all_algorithms
Date: Thu, 31 Jan 2019 12:29:28 -0800
Message-ID: <1548966568.2876.19.camel@HansenPartnership.com>
In-Reply-To: <20190131092201.grymls3ocm3mmrmd@altlinux.org>

On Thu, 2019-01-31 at 12:22 +0300, Vitaly Chikunov wrote:
> On Wed, Jan 30, 2019 at 10:36:00AM -0800, James Bottomley wrote:
[...]
> > However, that's not how a casual non-Russian user would want it. 
> > They'd only want gost if they specified the streebog hash.  And if
> > we advertise the hash (as we do because you added it to the help)
> > they should have a reasonable expectation of its working easily.
> 
> It will. I support both methods of use. For the occasional user there
> is the --engine option and for the frequent user there is the config trick.

OK, as long as users can use it without modifying the config file, I'm
happy.

[...]
> > > I implemented two methods of loading an engine for evmctl (via
> > > config and via the --engine option).  There is no problem with the
> > > --engine option for Streebog, AFAIK.
> > 
> > Can you try it with a vanilla (non gost modified) openssl.cnf file
> > to verify?  I think you require the ENGINE_set_default() call but
> > it may be that a non-standard hash name will cause a search of the
> > engine added hashes.  OpenSSL has badly documented defaults, so I
> > usually chase that through the code, but in this case a simple
> > experiment will tell us.
> 
> Of course, I tried and tested that both ways are working
> independently. Just for Streebog ENGINE_set_default is not required,
> but to support GOST signatures (patch is RFCed) it will be required.

I agree, I tried it with the openssl gost engine and you get this weird
behaviour (I have to use md_gost94 because 1.0.2 gost doesn't have
streebog):

jejb@mulgrave:~/git/ima-evm-utils/src> ./evmctl -n --hashalgo md_gost94  ima_hash ~/tmp.ppt
01945d562c031c262563b026d8cc53e070140ad101
jejb@mulgrave:~/git/ima-evm-utils/src> ./evmctl -n --engine gost --hashalgo md_gost94  ima_hash ~/tmp.ppt
01a930a87289b548c2744fbb183a22196b1f651a727d84021d0eeb80cb4dddbb5d

Because IMA silently falls back on sha1 if it can't find the hash.  But
the test proves it will use the gost hash when the engine is provided
without ENGINE_set_default().

James
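As an added example, not part of this thread or of ima-evm-utils, the following Python shows the two behaviours the experiment above contrasts: asking the linked OpenSSL for a digest by name and failing closed when it is unknown (instead of quietly substituting sha1), and a check that flags an `evmctl -n ima_hash` line whose digest length does not match the requested algorithm, which is exactly what the first md_gost94 output line shows. The one-byte 0x01 prefix and the digest-size table are assumptions read off the output lines above.

```python
import hashlib

# Digest sizes in bytes for the algorithm names used in this thread, as
# OpenSSL/evmctl spell them. Constructed for this example.
DIGEST_LEN = {
    "sha1": 20, "sha256": 32, "sha512": 64,
    "md_gost94": 32, "streebog256": 32, "streebog512": 64,
}

# Leading type byte seen on both evmctl -n output lines above (assumption).
IMA_XATTR_DIGEST = 0x01


def digest_available(algo: str) -> bool:
    """True if the OpenSSL linked into Python can supply ALGO by name.

    hashlib.new() looks the name up in OpenSSL, so an engine- or
    provider-supplied digest (md_gost94, streebog256, ...) is found only
    when that library actually offers it. Nothing is substituted on failure.
    """
    try:
        hashlib.new(algo)
        return True
    except ValueError:
        return False


def ima_hash_hex(data: bytes, algo: str) -> str:
    """Return hex(type byte || digest) of DATA, failing closed on ALGO.

    Unlike the silent sha1 fallback described in the mail, an unknown or
    unavailable algorithm raises ValueError rather than producing a hash
    of the wrong algorithm.
    """
    if algo not in DIGEST_LEN:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    h = hashlib.new(algo)  # ValueError if OpenSSL lacks the digest
    h.update(data)
    return f"{IMA_XATTR_DIGEST:02x}" + h.hexdigest()


def check_ima_output(line: str, algo: str) -> bool:
    """True if an evmctl -n ima_hash line carries a digest of ALGO's size.

    A 20-byte digest printed for a 32-byte algorithm is the fallback the
    thread observed; comparing lengths detects it without the engine.
    """
    digest_hex = line.strip()[2:]  # drop the one-byte type prefix
    return len(digest_hex) == 2 * DIGEST_LEN[algo]
```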



Thread overview: 13+ messages
2019-01-27  2:39 [PATCH] ima-evm-utils: remove redundant call to OpenSSL_add_all_algorithms Vitaly Chikunov
2019-01-30 12:34 ` Mimi Zohar
2019-01-30 13:25   ` Vitaly Chikunov
2019-01-30 13:41     ` Mimi Zohar
2019-01-30 13:53       ` Vitaly Chikunov
2019-01-30 15:59         ` Petr Vorel
2019-01-30 15:35     ` James Bottomley
2019-01-30 16:12       ` Vitaly Chikunov
2019-01-30 16:44         ` James Bottomley
2019-01-30 17:54           ` Vitaly Chikunov
2019-01-30 18:36             ` James Bottomley
2019-01-31  9:22               ` Vitaly Chikunov
2019-01-31 20:29                 ` James Bottomley [this message]
