linux-integrity.vger.kernel.org archive mirror
From: Mimi Zohar <zohar@linux.ibm.com>
To: Vitaly Chikunov <vt@altlinux.org>
Cc: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>,
	linux-integrity@vger.kernel.org
Subject: Re: [PATCH] ima-evm-utils: Fix compatibility with LibreSSL
Date: Thu, 27 Feb 2020 15:36:37 -0500
Message-ID: <1582835797.10443.318.camel@linux.ibm.com>
In-Reply-To: <20200227153825.ywas4clc3qa76rhc@altlinux.org>

Hi Vitaly,

On Thu, 2020-02-27 at 18:38 +0300, Vitaly Chikunov wrote:
> Mimi,
> 
> On Wed, Feb 26, 2020 at 11:28:14PM -0500, Mimi Zohar wrote:
> > On Wed, 2020-02-26 at 12:51 +0300, Mikhail Novosyolov wrote:
> > > Hello Mimi, thanks for feedback.
> > > 25.02.2020 16:44, Mimi Zohar writes:
> > > > On Sun, 2020-02-16 at 14:10 +0300, Mikhail Novosyolov wrote:
> > > >> LibreSSL in most cases can be used as a drop-in replacement of OpenSSL.
> > > >> Commit 07d799cb6c37 "ima-evm-utils: Preload OpenSSL engine via '--engine' option"
> > > >> added OpenSSL-specific functions: "engines" were removed from LibreSSL long ago.
> > > >> Instead of requiring GOST support to be attached via an external library ("engine"),
> > > >> LibreSSL has a built-in implementation of GOST.
> > > >
> > > > OpenSSL had builtin support for GOST, which was dropped.  From the
> > > > OpenSSL news "Changes between 1.0.2h and 1.1.0":
> > > >
> > > >     The GOST engine was out of date and therefore it has been removed. An up
> > > >     to date GOST engine is now being maintained in an external repository.
> > > >     See: https://wiki.openssl.org/index.php/Binaries.  Libssl still retains
> > > >     support for GOST ciphersuites (these are only activated if a GOST engine
> > > >     is present).
> > > >
> > > > Please update the patch description to reflect the reason for OpenSSL
> > > > dropping GOST builtin support, while LibreSSL continues to build it
> > > > in.
> > 
> > > The reasons why OpenSSL decided to do it are out of my scope; I can
> > > just write that OpenSSL had GOST, then dropped it, then gost-engine
> > > appeared as an OpenSSL plugin, and that LibreSSL has GOST built in
> > > and dropped the engines API after forking from OpenSSL. Will it be OK?
> > 
> > The question is whether LibreSSL is using the back level version of
> > GOST that OpenSSL dropped or has it been updated?  The patch
> > description should be updated accordingly.
> 
> AFAIK, LibreSSL is using an independent implementation of Streebog. It
> didn't exist in OpenSSL before the split and is different from what is in
> gost-engine (which also has different authors).

Thank you for the explanation.

> 
> I don't really understand the reason to know the implementation history if,
> as library users, it should be enough for us to know they have compatible APIs.

The OpenSSL crypto team is way more experienced than me.  If LibreSSL
was using the crypto version that OpenSSL deemed too old, why should
ima-evm-utils support it?

Last year you added OpenSSL "Engine" support.  Now I'm being asked to
conditionally compile it out based on ifdefs.  As much as possible, I
prefer avoiding ifdefs.

Mimi
