From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SPF_PASS,USER_AGENT_NEOMUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AD846C282D7 for ; Wed, 30 Jan 2019 16:12:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 821B82084C for ; Wed, 30 Jan 2019 16:12:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728008AbfA3QMM (ORCPT ); Wed, 30 Jan 2019 11:12:12 -0500 Received: from vmicros1.altlinux.org ([194.107.17.57]:34534 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727359AbfA3QMM (ORCPT ); Wed, 30 Jan 2019 11:12:12 -0500 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id B343372CC6D; Wed, 30 Jan 2019 19:12:09 +0300 (MSK) Received: from altlinux.org (sole.flsd.net [185.75.180.6]) by imap.altlinux.org (Postfix) with ESMTPSA id 9FFB94A4A16; Wed, 30 Jan 2019 19:12:09 +0300 (MSK) Date: Wed, 30 Jan 2019 19:12:08 +0300 From: Vitaly Chikunov To: James Bottomley Cc: Mimi Zohar , Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: Re: [PATCH] ima-evm-utils: remove redundant call to OpenSSL_add_all_algorithms Message-ID: <20190130161208.vpbk3v74l7cf5a4t@altlinux.org> References: <20190127023916.2425-1-vt@altlinux.org> <1548851697.20210.91.camel@linux.ibm.com> <20190130132521.edhtrv54labxlbyc@altlinux.org> <1548862549.3037.18.camel@HansenPartnership.com> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <1548862549.3037.18.camel@HansenPartnership.com> User-Agent: NeoMutt/20171215-106-ac61c7 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On Wed, Jan 30, 2019 at 07:35:49AM -0800, James Bottomley wrote: > On Wed, 2019-01-30 at 16:25 +0300, Vitaly Chikunov wrote: > > On Wed, Jan 30, 2019 at 07:34:57AM -0500, Mimi Zohar wrote: > > > On Sun, 2019-01-27 at 05:39 +0300, Vitaly Chikunov wrote: > > > > Because of call to OPENSSL_add_all_algorithms_conf() calling > > > > OpenSSL_add_all_algorithms() is not needed. There was not be any > > > > problems though because double initialization is permitted. > > > > --- > > > > src/libimaevm.c | 1 - > > > > 1 file changed, 1 deletion(-) > > > > > > > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > > > index 7501303..b038d0c 100644 > > > > --- a/src/libimaevm.c > > > > +++ b/src/libimaevm.c > > > > @@ -995,7 +995,6 @@ int sign_hash(const char *hashalgo, const > > > > unsigned char *hash, int size, const c > > > > > > > > static void libinit() > > > > { > > > > - OpenSSL_add_all_algorithms(); > > > > OPENSSL_add_all_algorithms_conf(); > > > > ERR_load_crypto_strings(); > > > > } > > > > > > The only difference between the two calls seems to be reading the > > > system openssl.cnf file. In the original call that is dependent on > > > OPENSSL_LOAD_CONF being defined. Calling > > > OPENSSL_add_all_algorithms_conf(), forces reading the system > > > openssl.cnf. > > > > Yes. OPENSSL_LOAD_CONF is per application define, which is by default > > undefined. And instead of defining it, we could just call > > OPENSSL_add_all_algorithms_conf(), which is required for GOST > > support. > > Otherwise enabling Streebog via OPENSSL_CONF will not work. > > It will if you call There is preferred "easy" method of [system wide] loading of gost-engine "by default" just by changing openssl.cnf like this: https://github.com/gost-engine/engine/blob/master/example.conf After that change all openssl (and linked) tools understand GOST algorithms without needing options like `-engine gost`. This works unless tool is compiled without OPENSSL_LOAD_CONF and it calls OpenSSL_add_all_algorithms() instead of OPENSSL_add_all_algorithms_conf(). Which is frequently the default, (because there is too much methods of openssl initialization and people may not understand all intrications for all options.) In that case we try to persuade tool author to change the way openssl is initialized. > > ENGINE_set_default(e, ENGINE_METHOD_ALL); > > after ENGINE_init > > That's all the conf file is covering up for. > > James >