* [PATCH 0/2] ima-evm-utils: rebase of digest algo resolving @ 2019-03-23 1:41 Vitaly Chikunov 2019-03-23 1:41 ` [PATCH 1/2] ima-evm-utils: Extract digest algorithms from hash_info.h Vitaly Chikunov 2019-03-23 1:41 ` [PATCH 2/2] ima-evm-utils: try to load digest by its alias Vitaly Chikunov 0 siblings, 2 replies; 10+ messages in thread From: Vitaly Chikunov @ 2019-03-23 1:41 UTC (permalink / raw) To: Mimi Zohar, Dmitry Kasatkin, linux-integrity This is rebase of the ima-evm-utils commits: 0267fa1 ima-evm-utils: Try to load digest by its alias 942d9f9 ima-evm-utils: Extract digest algorithms from hash_info.h and should be applied over 07d799c ("ima-evm-utils: Preload OpenSSL engine via '--engine' option"). Changes: * ima-evm-utils: Extract digest algorithms from hash_info.h - algocmp is removed. - `hash_info.h` is parsed better to match algo names in the Kernel, thus simple strcmp could be used. * ima-evm-utils: try to load digest by its alias - digest name lookup is simplified by removing get_digestbyname and strmatch helpers. - Kernel and OpenSSL algo names arrays are introduced to support alternative algo names for older OpenSLL. *** BLURB HERE *** Vitaly Chikunov (2): ima-evm-utils: Extract digest algorithms from hash_info.h ima-evm-utils: try to load digest by its alias configure.ac | 6 ++++++ src/Makefile.am | 6 ++++++ src/hash_info.gen | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ src/libimaevm.c | 35 ++++++++++++++++++++++++++++++++++- 4 files changed, 95 insertions(+), 1 deletion(-) create mode 100755 src/hash_info.gen -- 2.11.0 ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 1/2] ima-evm-utils: Extract digest algorithms from hash_info.h 2019-03-23 1:41 [PATCH 0/2] ima-evm-utils: rebase of digest algo resolving Vitaly Chikunov @ 2019-03-23 1:41 ` Vitaly Chikunov 2019-03-23 1:41 ` [PATCH 2/2] ima-evm-utils: try to load digest by its alias Vitaly Chikunov 1 sibling, 0 replies; 10+ messages in thread From: Vitaly Chikunov @ 2019-03-23 1:41 UTC (permalink / raw) To: Mimi Zohar, Dmitry Kasatkin, linux-integrity; +Cc: Mimi Zohar If configured with "--with-kernel-headers=PATH" try to extract hash algorithms from "hash_info.h" from the kernel source tree or kernel-headers package located in the specified path. (Otherwise, it will be tried to get from the installed kernel.) This also introduces two algorithm lists, one is built-in and another is from the kernel source. (They should never contain conflicting algorithm IDs by their append-only nature.) If the digest is not found in the built-in list it will be searched in the list from kernel's "hash_info.h". This patch will allow evmctl to be just recompiled to work with digest algorithms introduced in the newer kernels. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Vitaly Chikunov <vt@altlinux.org> --- configure.ac | 6 ++++++ src/Makefile.am | 6 ++++++ src/hash_info.gen | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ src/libimaevm.c | 23 ++++++++++++++++++++++- 4 files changed, 83 insertions(+), 1 deletion(-) create mode 100755 src/hash_info.gen diff --git a/configure.ac b/configure.ac index a5b4288..60f3684 100644 --- a/configure.ac +++ b/configure.ac @@ -27,12 +27,18 @@ AC_HEADER_STDC PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ]) AC_SUBST(OPENSSL_CFLAGS) AC_SUBST(OPENSSL_LIBS) +AC_SUBST(KERNEL_HEADERS) AC_CHECK_HEADER(unistd.h) AC_CHECK_HEADERS(openssl/conf.h) AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])]) AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])]) +AC_ARG_WITH(kernel_headers, [AS_HELP_STRING([--with-kernel-headers=PATH], + [specifies the Linux kernel-headers package location or kernel root directory you want to use])], + [KERNEL_HEADERS="$withval"], + [KERNEL_HEADERS=/lib/modules/$(uname -r)/source]) + #debug support - yes for a while PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support]) if test $pkg_cv_enable_debug = yes; then diff --git a/src/Makefile.am b/src/Makefile.am index deb18fb..d74fc6f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -9,6 +9,11 @@ libimaevm_la_LIBADD = $(OPENSSL_LIBS) include_HEADERS = imaevm.h +nodist_libimaevm_la_SOURCES = hash_info.h +BUILT_SOURCES = hash_info.h +hash_info.h: Makefile + ./hash_info.gen $(KERNEL_HEADERS) >$@ + bin_PROGRAMS = evmctl evmctl_SOURCES = evmctl.c @@ -18,5 +23,6 @@ evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la INCLUDES = -I$(top_srcdir) -include config.h +CLEANFILES = hash_info.h DISTCLEANFILES = @DISTCLEANFILES@ diff --git a/src/hash_info.gen b/src/hash_info.gen new file mode 100755 index 0000000..54532ca --- /dev/null +++ b/src/hash_info.gen @@ -0,0 +1,49 @@ +#!/bin/sh +# +# Generate hash_info.h from kernel headers +# +# Copyright (C) 2018 <vt@altlinux.org> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +KERNEL_HEADERS=$1 +HASH_INFO_H=uapi/linux/hash_info.h +HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H + +# Allow to specify kernel-headers past include/ +if [ ! -e $HASH_INFO ]; then + HASH_INFO2=$KERNEL_HEADERS/$HASH_INFO_H + if [ -e $HASH_INFO2 ]; then + HASH_INFO=$HASH_INFO2 + fi +fi + +if [ ! -e $HASH_INFO ]; then + echo "/* $HASH_INFO is not found */" + HASH_INFO=/dev/null +else + echo "/* $HASH_INFO is found */" +fi + +echo "enum hash_algo {" +grep HASH_ALGO_.*, $HASH_INFO +printf "\tHASH_ALGO__LAST\n" +echo "};" + +echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {" +sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \ + while read a b; do + # Normalize text hash name: if it contains underscore between + # digits replace it with a dash, other underscores are removed. + b=$(echo "$b" | sed "s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g") + printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b" + done +echo "};" diff --git a/src/libimaevm.c b/src/libimaevm.c index ca77532..bc7be1e 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -50,6 +50,7 @@ #include <string.h> #include <stdio.h> #include <assert.h> +#include <ctype.h> #include <openssl/crypto.h> #include <openssl/pem.h> @@ -58,6 +59,7 @@ #include <openssl/err.h> #include "imaevm.h" +#include "hash_info.h" const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_MD4] = "md4", @@ -153,6 +155,17 @@ void dump(const void *ptr, int len) do_dump(stdout, ptr, len, true); } +const char *get_hash_algo_by_id(int algo) +{ + if (algo < PKEY_HASH__LAST) + return pkey_hash_algo[algo]; + if (algo < HASH_ALGO__LAST) + return hash_algo_name[algo]; + + log_err("digest %d not found\n", algo); + return "unknown"; +} + int get_filesize(const char *filename) { struct stat stats; @@ -532,11 +545,19 @@ int get_hash_algo(const char *algo) { int i; + /* first iterate over builtin algorithms */ for (i = 0; i < PKEY_HASH__LAST; i++) if (pkey_hash_algo[i] && !strcmp(algo, pkey_hash_algo[i])) return i; + /* iterate over algorithms provided by kernel-headers */ + for (i = 0; i < HASH_ALGO__LAST; i++) + if (hash_algo_name[i] && + !strcmp(algo, hash_algo_name[i])) + return i; + + log_info("digest %s not found, fall back to sha1\n", algo); return PKEY_HASH_SHA1; } @@ -611,7 +632,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen, return -1; } /* Use hash algorithm as retrieved from signature */ - params.hash_algo = pkey_hash_algo[sig_hash_algo]; + params.hash_algo = get_hash_algo_by_id(sig_hash_algo); /* * Validate the signature based on the digest included in the -- 2.11.0 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 2/2] ima-evm-utils: try to load digest by its alias 2019-03-23 1:41 [PATCH 0/2] ima-evm-utils: rebase of digest algo resolving Vitaly Chikunov 2019-03-23 1:41 ` [PATCH 1/2] ima-evm-utils: Extract digest algorithms from hash_info.h Vitaly Chikunov @ 2019-03-23 1:41 ` Vitaly Chikunov 2019-04-03 20:41 ` Mimi Zohar 1 sibling, 1 reply; 10+ messages in thread From: Vitaly Chikunov @ 2019-03-23 1:41 UTC (permalink / raw) To: Mimi Zohar, Dmitry Kasatkin, linux-integrity Primary names of the algorithms are different for OpenSSL and Kernel. Allow to use both of them. Signed-off-by: Vitaly Chikunov <vt@altlinux.org> --- src/libimaevm.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/libimaevm.c b/src/libimaevm.c index bc7be1e..6783110 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -61,6 +61,7 @@ #include "imaevm.h" #include "hash_info.h" +/* Names that are primary for OpenSSL. */ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_MD4] = "md4", [PKEY_HASH_MD5] = "md5", @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_SHA384] = "sha384", [PKEY_HASH_SHA512] = "sha512", [PKEY_HASH_SHA224] = "sha224", + [PKEY_HASH_STREEBOG_256] = "md_gost12_256", + [PKEY_HASH_STREEBOG_512] = "md_gost12_512", +}; + +/* Names that are primary for the kernel. */ +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { [PKEY_HASH_STREEBOG_256] = "streebog256", [PKEY_HASH_STREEBOG_512] = "streebog512", }; @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo) !strcmp(algo, pkey_hash_algo[i])) return i; + for (i = 0; i < PKEY_HASH__LAST; i++) + if (pkey_hash_algo_kern[i] && + !strcmp(algo, pkey_hash_algo_kern[i])) + return i; + /* iterate over algorithms provided by kernel-headers */ for (i = 0; i < HASH_ALGO__LAST; i++) if (hash_algo_name[i] && -- 2.11.0 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias 2019-03-23 1:41 ` [PATCH 2/2] ima-evm-utils: try to load digest by its alias Vitaly Chikunov @ 2019-04-03 20:41 ` Mimi Zohar 2019-04-03 21:04 ` Vitaly Chikunov 0 siblings, 1 reply; 10+ messages in thread From: Mimi Zohar @ 2019-04-03 20:41 UTC (permalink / raw) To: Vitaly Chikunov, Mimi Zohar, Dmitry Kasatkin, linux-integrity On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote: > Primary names of the algorithms are different for OpenSSL and Kernel. > Allow to use both of them. Can we add a line here explaining the two names? Perhaps something like, "GOST R 34.11-2012 is the Russian national standard based on the Streebog set of hash functions." > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > --- > src/libimaevm.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/src/libimaevm.c b/src/libimaevm.c > index bc7be1e..6783110 100644 > --- a/src/libimaevm.c > +++ b/src/libimaevm.c > @@ -61,6 +61,7 @@ > #include "imaevm.h" > #include "hash_info.h" > > +/* Names that are primary for OpenSSL. */ > const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > [PKEY_HASH_MD4] = "md4", > [PKEY_HASH_MD5] = "md5", > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > [PKEY_HASH_SHA384] = "sha384", > [PKEY_HASH_SHA512] = "sha512", > [PKEY_HASH_SHA224] = "sha224", > + [PKEY_HASH_STREEBOG_256] = "md_gost12_256", > + [PKEY_HASH_STREEBOG_512] = "md_gost12_512", > +}; > + > +/* Names that are primary for the kernel. */ > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { > [PKEY_HASH_STREEBOG_256] = "streebog256", > [PKEY_HASH_STREEBOG_512] = "streebog512", > }; > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo) > !strcmp(algo, pkey_hash_algo[i])) > return i; > > + for (i = 0; i < PKEY_HASH__LAST; i++) > + if (pkey_hash_algo_kern[i] && > + !strcmp(algo, pkey_hash_algo_kern[i])) > + return i; > + > /* iterate over algorithms provided by kernel-headers */ > for (i = 0; i < HASH_ALGO__LAST; i++) > if (hash_algo_name[i] && ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias 2019-04-03 20:41 ` Mimi Zohar @ 2019-04-03 21:04 ` Vitaly Chikunov 2019-04-03 21:10 ` Mimi Zohar 0 siblings, 1 reply; 10+ messages in thread From: Vitaly Chikunov @ 2019-04-03 21:04 UTC (permalink / raw) To: Mimi Zohar; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity Mimi, On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote: > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote: > > Primary names of the algorithms are different for OpenSSL and Kernel. > > Allow to use both of them. > > Can we add a line here explaining the two names? Perhaps something > like, "GOST R 34.11-2012 is the Russian national standard based on the > Streebog set of hash functions." Ok. But, "GOST R 34.11-2012" is not mentioned, and there is other standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST 34.11-2018. Point of this patch is that Kernel calls this hash function by it's proper name "StreebogX", but older version of OpenSSL reference it by acronym "md_gost12_X". (While newer should support Streebog name too.) And we try to be user friendly and allow to use both names. > > > > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org> > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > --- > > src/libimaevm.c | 12 ++++++++++++ > > 1 file changed, 12 insertions(+) > > > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > index bc7be1e..6783110 100644 > > --- a/src/libimaevm.c > > +++ b/src/libimaevm.c > > @@ -61,6 +61,7 @@ > > #include "imaevm.h" > > #include "hash_info.h" > > > > +/* Names that are primary for OpenSSL. */ > > const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > [PKEY_HASH_MD4] = "md4", > > [PKEY_HASH_MD5] = "md5", > > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > [PKEY_HASH_SHA384] = "sha384", > > [PKEY_HASH_SHA512] = "sha512", > > [PKEY_HASH_SHA224] = "sha224", > > + [PKEY_HASH_STREEBOG_256] = "md_gost12_256", > > + [PKEY_HASH_STREEBOG_512] = "md_gost12_512", > > +}; > > + > > +/* Names that are primary for the kernel. */ > > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { > > [PKEY_HASH_STREEBOG_256] = "streebog256", > > [PKEY_HASH_STREEBOG_512] = "streebog512", > > }; > > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo) > > !strcmp(algo, pkey_hash_algo[i])) > > return i; > > > > + for (i = 0; i < PKEY_HASH__LAST; i++) > > + if (pkey_hash_algo_kern[i] && > > + !strcmp(algo, pkey_hash_algo_kern[i])) > > + return i; > > + > > /* iterate over algorithms provided by kernel-headers */ > > for (i = 0; i < HASH_ALGO__LAST; i++) > > if (hash_algo_name[i] && ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias 2019-04-03 21:04 ` Vitaly Chikunov @ 2019-04-03 21:10 ` Mimi Zohar 2019-04-03 21:37 ` Vitaly Chikunov 0 siblings, 1 reply; 10+ messages in thread From: Mimi Zohar @ 2019-04-03 21:10 UTC (permalink / raw) To: Vitaly Chikunov; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote: > Mimi, > > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote: > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote: > > > Primary names of the algorithms are different for OpenSSL and Kernel. > > > Allow to use both of them. > > > > Can we add a line here explaining the two names? Perhaps something > > like, "GOST R 34.11-2012 is the Russian national standard based on the > > Streebog set of hash functions." > > Ok. But, "GOST R 34.11-2012" is not mentioned, and there is other > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST > 34.11-2018. > > Point of this patch is that Kernel calls this hash function by it's > proper name "StreebogX", but older version of OpenSSL reference it by > acronym "md_gost12_X". (While newer should support Streebog name too.) > And we try to be user friendly and allow to use both names. If "Streebog" will be supported by OpenSSL, then why make md_gost12_x the primary name, and the kernel name the alias? Shouldn't it be the reverse (eg. "pkey_hash_algo_alias")? > > > > > > > > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org> > > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > > --- > > > src/libimaevm.c | 12 ++++++++++++ > > > 1 file changed, 12 insertions(+) > > > > > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > > index bc7be1e..6783110 100644 > > > --- a/src/libimaevm.c > > > +++ b/src/libimaevm.c > > > @@ -61,6 +61,7 @@ > > > #include "imaevm.h" > > > #include "hash_info.h" > > > > > > +/* Names that are primary for OpenSSL. */ > > > const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > > [PKEY_HASH_MD4] = "md4", > > > [PKEY_HASH_MD5] = "md5", > > > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > > [PKEY_HASH_SHA384] = "sha384", > > > [PKEY_HASH_SHA512] = "sha512", > > > [PKEY_HASH_SHA224] = "sha224", > > > + [PKEY_HASH_STREEBOG_256] = "md_gost12_256", > > > + [PKEY_HASH_STREEBOG_512] = "md_gost12_512", > > > +}; > > > + > > > +/* Names that are primary for the kernel. */ > > > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { > > > [PKEY_HASH_STREEBOG_256] = "streebog256", > > > [PKEY_HASH_STREEBOG_512] = "streebog512", > > > }; > > > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo) > > > !strcmp(algo, pkey_hash_algo[i])) > > > return i; > > > > > > + for (i = 0; i < PKEY_HASH__LAST; i++) > > > + if (pkey_hash_algo_kern[i] && > > > + !strcmp(algo, pkey_hash_algo_kern[i])) > > > + return i; > > > + > > > /* iterate over algorithms provided by kernel-headers */ > > > for (i = 0; i < HASH_ALGO__LAST; i++) > > > if (hash_algo_name[i] && > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias 2019-04-03 21:10 ` Mimi Zohar @ 2019-04-03 21:37 ` Vitaly Chikunov 2019-04-03 21:40 ` Mimi Zohar 0 siblings, 1 reply; 10+ messages in thread From: Vitaly Chikunov @ 2019-04-03 21:37 UTC (permalink / raw) To: Mimi Zohar; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity On Wed, Apr 03, 2019 at 05:10:20PM -0400, Mimi Zohar wrote: > On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote: > > Mimi, > > > > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote: > > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote: > > > > Primary names of the algorithms are different for OpenSSL and Kernel. > > > > Allow to use both of them. > > > > > > Can we add a line here explaining the two names? Perhaps something > > > like, "GOST R 34.11-2012 is the Russian national standard based on the > > > Streebog set of hash functions." > > > > Ok. But, "GOST R 34.11-2012" is not mentioned, and there is other > > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST > > 34.11-2018. > > > > Point of this patch is that Kernel calls this hash function by it's > > proper name "StreebogX", but older version of OpenSSL reference it by > > acronym "md_gost12_X". (While newer should support Streebog name too.) > > And we try to be user friendly and allow to use both names. > > If "Streebog" will be supported by OpenSSL, then why make md_gost12_x > the primary name, and the kernel name the alias? Shouldn't it be the > reverse (eg. "pkey_hash_algo_alias")? Because ima-evm-utils is using OpenSSL and not Kernel's Crypto API, OpenSSL names are "primary" for ima-evm-utils. It's happened that most names are the same for both APIs. "md_gost12_X" is supported for years by more versions of OpenSSL. While "StreebogX" name is just committed a few months ago to gost-engine. Thus, 1) "md_gost12_x" name could be used on conservative distros. Users will not need to wait [possible] a few years when new name reach their distro. 2) PKEY_HASH_STREEBOG_X is resolved to "md_gost12_X" names (to the names that are present in OpenSSL with much more probability). `pkey_hash_algo_kern` only contains names that are different between the Kernel and OpenSSL. I used "primary" for the both arrays so that no names are offended by being not-primary. > > > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org> > > > > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > > > > --- > > > > src/libimaevm.c | 12 ++++++++++++ > > > > 1 file changed, 12 insertions(+) > > > > > > > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > > > index bc7be1e..6783110 100644 > > > > --- a/src/libimaevm.c > > > > +++ b/src/libimaevm.c > > > > @@ -61,6 +61,7 @@ > > > > #include "imaevm.h" > > > > #include "hash_info.h" > > > > > > > > +/* Names that are primary for OpenSSL. */ > > > > const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > > > [PKEY_HASH_MD4] = "md4", > > > > [PKEY_HASH_MD5] = "md5", > > > > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > > > [PKEY_HASH_SHA384] = "sha384", > > > > [PKEY_HASH_SHA512] = "sha512", > > > > [PKEY_HASH_SHA224] = "sha224", > > > > + [PKEY_HASH_STREEBOG_256] = "md_gost12_256", > > > > + [PKEY_HASH_STREEBOG_512] = "md_gost12_512", > > > > +}; > > > > + > > > > +/* Names that are primary for the kernel. */ > > > > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { > > > > [PKEY_HASH_STREEBOG_256] = "streebog256", > > > > [PKEY_HASH_STREEBOG_512] = "streebog512", > > > > }; > > > > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo) > > > > !strcmp(algo, pkey_hash_algo[i])) > > > > return i; > > > > > > > > + for (i = 0; i < PKEY_HASH__LAST; i++) > > > > + if (pkey_hash_algo_kern[i] && > > > > + !strcmp(algo, pkey_hash_algo_kern[i])) > > > > + return i; > > > > + > > > > /* iterate over algorithms provided by kernel-headers */ > > > > for (i = 0; i < HASH_ALGO__LAST; i++) > > > > if (hash_algo_name[i] && > > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias 2019-04-03 21:37 ` Vitaly Chikunov @ 2019-04-03 21:40 ` Mimi Zohar 2019-04-03 21:57 ` Vitaly Chikunov 0 siblings, 1 reply; 10+ messages in thread From: Mimi Zohar @ 2019-04-03 21:40 UTC (permalink / raw) To: Vitaly Chikunov; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity On Thu, 2019-04-04 at 00:37 +0300, Vitaly Chikunov wrote: > On Wed, Apr 03, 2019 at 05:10:20PM -0400, Mimi Zohar wrote: > > On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote: > > > Mimi, > > > > > > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote: > > > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote: > > > > > Primary names of the algorithms are different for OpenSSL and Kernel. > > > > > Allow to use both of them. > > > > > > > > Can we add a line here explaining the two names? Perhaps something > > > > like, "GOST R 34.11-2012 is the Russian national standard based on the > > > > Streebog set of hash functions." > > > > > > Ok. But, "GOST R 34.11-2012" is not mentioned, and there is other > > > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST > > > 34.11-2018. > > > > > > Point of this patch is that Kernel calls this hash function by it's > > > proper name "StreebogX", but older version of OpenSSL reference it by > > > acronym "md_gost12_X". (While newer should support Streebog name too.) > > > And we try to be user friendly and allow to use both names. > > > > If "Streebog" will be supported by OpenSSL, then why make md_gost12_x > > the primary name, and the kernel name the alias? Shouldn't it be the > > reverse (eg. "pkey_hash_algo_alias")? > > Because ima-evm-utils is using OpenSSL and not Kernel's Crypto API, > OpenSSL names are "primary" for ima-evm-utils. It's happened that most > names are the same for both APIs. > > "md_gost12_X" is supported for years by more versions of OpenSSL. While > "StreebogX" name is just committed a few months ago to gost-engine. Thus, > > 1) "md_gost12_x" name could be used on conservative distros. Users > will not need to wait [possible] a few years when new name reach > their distro. > > 2) PKEY_HASH_STREEBOG_X is resolved to "md_gost12_X" names (to the > names that are present in OpenSSL with much more probability). > > `pkey_hash_algo_kern` only contains names that are different between > the Kernel and OpenSSL. > > I used "primary" for the both arrays so that no names are offended by > being not-primary. Could you provide me with a single line or two, with an explanation for the two names. I'll add it to the commit patch description, before pushing out these patches. Thanks! Mimi ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias 2019-04-03 21:40 ` Mimi Zohar @ 2019-04-03 21:57 ` Vitaly Chikunov 2019-04-03 21:59 ` Mimi Zohar 0 siblings, 1 reply; 10+ messages in thread From: Vitaly Chikunov @ 2019-04-03 21:57 UTC (permalink / raw) To: Mimi Zohar; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity On Wed, Apr 03, 2019 at 05:40:43PM -0400, Mimi Zohar wrote: > On Thu, 2019-04-04 at 00:37 +0300, Vitaly Chikunov wrote: > > On Wed, Apr 03, 2019 at 05:10:20PM -0400, Mimi Zohar wrote: > > > On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote: > > > > Mimi, > > > > > > > > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote: > > > > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote: > > > > > > Primary names of the algorithms are different for OpenSSL and Kernel. > > > > > > Allow to use both of them. > > > > > > > > > > Can we add a line here explaining the two names? Perhaps something > > > > > like, "GOST R 34.11-2012 is the Russian national standard based on the > > > > > Streebog set of hash functions." > > > > > > > > Ok. But, "GOST R 34.11-2012" is not mentioned, and there is other > > > > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST > > > > 34.11-2018. > > > > > > > > Point of this patch is that Kernel calls this hash function by it's > > > > proper name "StreebogX", but older version of OpenSSL reference it by > > > > acronym "md_gost12_X". (While newer should support Streebog name too.) > > > > And we try to be user friendly and allow to use both names. > > > > > > If "Streebog" will be supported by OpenSSL, then why make md_gost12_x > > > the primary name, and the kernel name the alias? Shouldn't it be the > > > reverse (eg. "pkey_hash_algo_alias")? > > > > Because ima-evm-utils is using OpenSSL and not Kernel's Crypto API, > > OpenSSL names are "primary" for ima-evm-utils. It's happened that most > > names are the same for both APIs. > > > > "md_gost12_X" is supported for years by more versions of OpenSSL. While > > "StreebogX" name is just committed a few months ago to gost-engine. Thus, > > > > 1) "md_gost12_x" name could be used on conservative distros. Users > > will not need to wait [possible] a few years when new name reach > > their distro. > > > > 2) PKEY_HASH_STREEBOG_X is resolved to "md_gost12_X" names (to the > > names that are present in OpenSSL with much more probability). > > > > `pkey_hash_algo_kern` only contains names that are different between > > the Kernel and OpenSSL. > > > > I used "primary" for the both arrays so that no names are offended by > > being not-primary. > > Could you provide me with a single line or two, with an explanation > for the two names. I'll add it to the commit patch description, > before pushing out these patches. Maybe this: "Streebog" is a name of the hash algorithm in the Kernel Crypto API. "md_gost12_X" is the name used by the most versions of OpenSSL, it's placed in pkey_hash_algo[] so that algo IDs are resolved to them. > > Thanks! > > Mimi ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias 2019-04-03 21:57 ` Vitaly Chikunov @ 2019-04-03 21:59 ` Mimi Zohar 0 siblings, 0 replies; 10+ messages in thread From: Mimi Zohar @ 2019-04-03 21:59 UTC (permalink / raw) To: Vitaly Chikunov; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity On Thu, 2019-04-04 at 00:57 +0300, Vitaly Chikunov wrote: > Maybe this: > > "Streebog" is a name of the hash algorithm in the Kernel Crypto API. > "md_gost12_X" is the name used by the most versions of OpenSSL, it's > placed in pkey_hash_algo[] so that algo IDs are resolved to them. Thank you! ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2019-04-03 21:59 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-03-23 1:41 [PATCH 0/2] ima-evm-utils: rebase of digest algo resolving Vitaly Chikunov 2019-03-23 1:41 ` [PATCH 1/2] ima-evm-utils: Extract digest algorithms from hash_info.h Vitaly Chikunov 2019-03-23 1:41 ` [PATCH 2/2] ima-evm-utils: try to load digest by its alias Vitaly Chikunov 2019-04-03 20:41 ` Mimi Zohar 2019-04-03 21:04 ` Vitaly Chikunov 2019-04-03 21:10 ` Mimi Zohar 2019-04-03 21:37 ` Vitaly Chikunov 2019-04-03 21:40 ` Mimi Zohar 2019-04-03 21:57 ` Vitaly Chikunov 2019-04-03 21:59 ` Mimi Zohar
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).