Message ID | 20190323014152.14701-3-vt@altlinux.org (mailing list archive)
---|---
State | New, archived
Series | ima-evm-utils: rebase of digest algo resolving
On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> Primary names of the algorithms are different for OpenSSL and Kernel.
> Allow to use both of them.

Can we add a line here explaining the two names? Perhaps something like, "GOST R 34.11-2012 is the Russian national standard based on the Streebog set of hash functions."

>
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> --- > src/libimaevm.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/src/libimaevm.c b/src/libimaevm.c > index bc7be1e..6783110 100644 > --- a/src/libimaevm.c > +++ b/src/libimaevm.c > @@ -61,6 +61,7 @@ > #include "imaevm.h" > #include "hash_info.h" > > +/* Names that are primary for OpenSSL. */ > const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > [PKEY_HASH_MD4] = "md4", > [PKEY_HASH_MD5] = "md5", > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > [PKEY_HASH_SHA384] = "sha384", > [PKEY_HASH_SHA512] = "sha512", > [PKEY_HASH_SHA224] = "sha224", > + [PKEY_HASH_STREEBOG_256] = "md_gost12_256", > + [PKEY_HASH_STREEBOG_512] = "md_gost12_512", > +}; > + > +/* Names that are primary for the kernel. */ > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { > [PKEY_HASH_STREEBOG_256] = "streebog256", > [PKEY_HASH_STREEBOG_512] = "streebog512", > }; > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo) > !strcmp(algo, pkey_hash_algo[i])) > return i; > > + for (i = 0; i < PKEY_HASH__LAST; i++) > + if (pkey_hash_algo_kern[i] && > + !strcmp(algo, pkey_hash_algo_kern[i])) > + return i; > + > /* iterate over algorithms provided by kernel-headers */ > for (i = 0; i < HASH_ALGO__LAST; i++) > if (hash_algo_name[i] &&
Mimi,

On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > Primary names of the algorithms are different for OpenSSL and Kernel.
> > Allow to use both of them.
>
> Can we add a line here explaining the two names? Perhaps something
> like, "GOST R 34.11-2012 is the Russian national standard based on the
> Streebog set of hash functions."

Ok. But "GOST R 34.11-2012" is not mentioned, and there are other standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST 34.11-2018.

Point of this patch is that the Kernel calls this hash function by its proper name "StreebogX", but older versions of OpenSSL reference it by the acronym "md_gost12_X". (While newer ones should support the Streebog name too.) And we try to be user friendly and allow the use of both names.

>
> >
> > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>
> > --- > > src/libimaevm.c | 12 ++++++++++++ > > 1 file changed, 12 insertions(+) > > > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > index bc7be1e..6783110 100644 > > --- a/src/libimaevm.c > > +++ b/src/libimaevm.c > > @@ -61,6 +61,7 @@ > > #include "imaevm.h" > > #include "hash_info.h" > > > > +/* Names that are primary for OpenSSL. */ > > const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > [PKEY_HASH_MD4] = "md4", > > [PKEY_HASH_MD5] = "md5", > > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > [PKEY_HASH_SHA384] = "sha384", > > [PKEY_HASH_SHA512] = "sha512", > > [PKEY_HASH_SHA224] = "sha224", > > + [PKEY_HASH_STREEBOG_256] = "md_gost12_256", > > + [PKEY_HASH_STREEBOG_512] = "md_gost12_512", > > +}; > > + > > +/* Names that are primary for the kernel. */ > > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { > > [PKEY_HASH_STREEBOG_256] = "streebog256", > > [PKEY_HASH_STREEBOG_512] = "streebog512", > > }; 
> > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo) > > !strcmp(algo, pkey_hash_algo[i])) > > return i; > > > > + for (i = 0; i < PKEY_HASH__LAST; i++) > > + if (pkey_hash_algo_kern[i] && > > + !strcmp(algo, pkey_hash_algo_kern[i])) > > + return i; > > + > > /* iterate over algorithms provided by kernel-headers */ > > for (i = 0; i < HASH_ALGO__LAST; i++) > > if (hash_algo_name[i] &&
On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote:
> Mimi,
>
> On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > > Primary names of the algorithms are different for OpenSSL and Kernel.
> > > Allow to use both of them.
> >
> > Can we add a line here explaining the two names? Perhaps something
> > like, "GOST R 34.11-2012 is the Russian national standard based on the
> > Streebog set of hash functions."
>
> Ok. But "GOST R 34.11-2012" is not mentioned, and there are other
> standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST
> 34.11-2018.
>
> Point of this patch is that the Kernel calls this hash function by its
> proper name "StreebogX", but older versions of OpenSSL reference it by
> the acronym "md_gost12_X". (While newer ones should support the Streebog
> name too.) And we try to be user friendly and allow the use of both names.

If "Streebog" will be supported by OpenSSL, then why make md_gost12_x the primary name, and the kernel name the alias? Shouldn't it be the reverse (e.g. "pkey_hash_algo_alias")?

>
> > >
> > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> >
> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> >
> > > --- > > > src/libimaevm.c | 12 ++++++++++++ > > > 1 file changed, 12 insertions(+) > > > > > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > > index bc7be1e..6783110 100644 > > > --- a/src/libimaevm.c > > > +++ b/src/libimaevm.c > > > @@ -61,6 +61,7 @@ > > > #include "imaevm.h" > > > #include "hash_info.h" > > > > > > +/* Names that are primary for OpenSSL. */ > > > const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > > [PKEY_HASH_MD4] = "md4", > > > [PKEY_HASH_MD5] = "md5", 
> > > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > > [PKEY_HASH_SHA384] = "sha384", > > > [PKEY_HASH_SHA512] = "sha512", > > > [PKEY_HASH_SHA224] = "sha224", > > > + [PKEY_HASH_STREEBOG_256] = "md_gost12_256", > > > + [PKEY_HASH_STREEBOG_512] = "md_gost12_512", > > > +}; > > > + > > > +/* Names that are primary for the kernel. */ > > > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { > > > [PKEY_HASH_STREEBOG_256] = "streebog256", > > > [PKEY_HASH_STREEBOG_512] = "streebog512", > > > }; > > > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo) > > > !strcmp(algo, pkey_hash_algo[i])) > > > return i; > > > > > > + for (i = 0; i < PKEY_HASH__LAST; i++) > > > + if (pkey_hash_algo_kern[i] && > > > + !strcmp(algo, pkey_hash_algo_kern[i])) > > > + return i; > > > + > > > /* iterate over algorithms provided by kernel-headers */ > > > for (i = 0; i < HASH_ALGO__LAST; i++) > > > if (hash_algo_name[i] && >
On Wed, Apr 03, 2019 at 05:10:20PM -0400, Mimi Zohar wrote:
> On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote:
> > Mimi,
> >
> > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > > > Primary names of the algorithms are different for OpenSSL and Kernel.
> > > > Allow to use both of them.
> > >
> > > Can we add a line here explaining the two names? Perhaps something
> > > like, "GOST R 34.11-2012 is the Russian national standard based on the
> > > Streebog set of hash functions."
> >
> > Ok. But "GOST R 34.11-2012" is not mentioned, and there are other
> > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST
> > 34.11-2018.
> >
> > Point of this patch is that the Kernel calls this hash function by its
> > proper name "StreebogX", but older versions of OpenSSL reference it by
> > the acronym "md_gost12_X". (While newer ones should support the Streebog
> > name too.) And we try to be user friendly and allow the use of both names.
>
> If "Streebog" will be supported by OpenSSL, then why make md_gost12_x
> the primary name, and the kernel name the alias? Shouldn't it be the
> reverse (e.g. "pkey_hash_algo_alias")?

Because ima-evm-utils is using OpenSSL and not the Kernel's Crypto API, OpenSSL names are "primary" for ima-evm-utils. It happens that most names are the same for both APIs.

"md_gost12_X" has been supported for years by more versions of OpenSSL, while the "StreebogX" name was just committed a few months ago to gost-engine. Thus,

1) The "md_gost12_x" name could be used on conservative distros. Users will not need to wait [possibly] a few years until the new name reaches their distro.

2) PKEY_HASH_STREEBOG_X is resolved to the "md_gost12_X" names (to the names that are present in OpenSSL with much more probability).

`pkey_hash_algo_kern` only contains names that are different between the Kernel and OpenSSL.

I used "primary" for both arrays so that no names are offended by being not-primary.
> > > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org> > > > > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > > > > --- > > > > src/libimaevm.c | 12 ++++++++++++ > > > > 1 file changed, 12 insertions(+) > > > > > > > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > > > index bc7be1e..6783110 100644 > > > > --- a/src/libimaevm.c > > > > +++ b/src/libimaevm.c > > > > @@ -61,6 +61,7 @@ > > > > #include "imaevm.h" > > > > #include "hash_info.h" > > > > > > > > +/* Names that are primary for OpenSSL. */ > > > > const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > > > [PKEY_HASH_MD4] = "md4", > > > > [PKEY_HASH_MD5] = "md5", > > > > @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > > > [PKEY_HASH_SHA384] = "sha384", > > > > [PKEY_HASH_SHA512] = "sha512", > > > > [PKEY_HASH_SHA224] = "sha224", > > > > + [PKEY_HASH_STREEBOG_256] = "md_gost12_256", > > > > + [PKEY_HASH_STREEBOG_512] = "md_gost12_512", > > > > +}; > > > > + > > > > +/* Names that are primary for the kernel. */ > > > > +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { > > > > [PKEY_HASH_STREEBOG_256] = "streebog256", > > > > [PKEY_HASH_STREEBOG_512] = "streebog512", > > > > }; > > > > @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo) > > > > !strcmp(algo, pkey_hash_algo[i])) > > > > return i; > > > > > > > > + for (i = 0; i < PKEY_HASH__LAST; i++) > > > > + if (pkey_hash_algo_kern[i] && > > > > + !strcmp(algo, pkey_hash_algo_kern[i])) > > > > + return i; > > > > + > > > > /* iterate over algorithms provided by kernel-headers */ > > > > for (i = 0; i < HASH_ALGO__LAST; i++) > > > > if (hash_algo_name[i] && > >
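To make the resolution order argued above concrete, here is an added example (not ima-evm-utils code): a self-contained model of the two-table lookup, with a constructed enum and name tables, that checks both spellings of a Streebog digest map to one id and that the id resolves back to the OpenSSL name.

```c
/* Added example, not from ima-evm-utils: a model of the two-table
 * hash-name lookup discussed in the thread. The enum and the non-Streebog
 * entries are constructed for the example; only the Streebog names mirror
 * the patch. */
#include <stddef.h>
#include <string.h>

enum { H_SHA1, H_SHA256, H_STREEBOG_256, H_STREEBOG_512, H_LAST };

/* Names OpenSSL accepts; an id always resolves back to this spelling. */
static const char *const openssl_name[H_LAST] = {
    [H_SHA1] = "sha1",
    [H_SHA256] = "sha256",
    [H_STREEBOG_256] = "md_gost12_256",
    [H_STREEBOG_512] = "md_gost12_512",
};

/* Kernel crypto API names that differ from the OpenSSL ones; the other
 * entries stay NULL and are skipped by the lookup. */
static const char *const kernel_name[H_LAST] = {
    [H_STREEBOG_256] = "streebog256",
    [H_STREEBOG_512] = "streebog512",
};

/* Resolve a user-supplied name to an id: OpenSSL names first, then the
 * kernel spellings. Comparison is case-sensitive, as in the patch.
 * Returns -1 when neither table knows the name. */
int resolve_hash_algo(const char *algo)
{
    int i;

    if (!algo)
        return -1;
    for (i = 0; i < H_LAST; i++)
        if (openssl_name[i] && !strcmp(algo, openssl_name[i]))
            return i;
    for (i = 0; i < H_LAST; i++)
        if (kernel_name[i] && !strcmp(algo, kernel_name[i]))
            return i;
    return -1;
}

/* Map an id back to the name that would be handed to OpenSSL. */
const char *hash_algo_openssl_name(int id)
{
    if (id < 0 || id >= H_LAST)
        return NULL;
    return openssl_name[id];
}

/* Two spellings agree when they resolve to the same id and hence to the
 * same OpenSSL name; this is the property the patch relies on. */
int names_agree(const char *a, const char *b)
{
    int ia = resolve_hash_algo(a), ib = resolve_hash_algo(b);

    return ia >= 0 && ia == ib &&
           !strcmp(hash_algo_openssl_name(ia), hash_algo_openssl_name(ib));
}
```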
On Thu, 2019-04-04 at 00:37 +0300, Vitaly Chikunov wrote:
> On Wed, Apr 03, 2019 at 05:10:20PM -0400, Mimi Zohar wrote:
> > On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote:
> > > Mimi,
> > >
> > > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> > > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > > > > Primary names of the algorithms are different for OpenSSL and Kernel.
> > > > > Allow to use both of them.
> > > >
> > > > Can we add a line here explaining the two names? Perhaps something
> > > > like, "GOST R 34.11-2012 is the Russian national standard based on the
> > > > Streebog set of hash functions."
> > >
> > > Ok. But "GOST R 34.11-2012" is not mentioned, and there are other
> > > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST
> > > 34.11-2018.
> > >
> > > Point of this patch is that the Kernel calls this hash function by its
> > > proper name "StreebogX", but older versions of OpenSSL reference it by
> > > the acronym "md_gost12_X". (While newer ones should support the Streebog
> > > name too.) And we try to be user friendly and allow the use of both names.
> >
> > If "Streebog" will be supported by OpenSSL, then why make md_gost12_x
> > the primary name, and the kernel name the alias? Shouldn't it be the
> > reverse (e.g. "pkey_hash_algo_alias")?
>
> Because ima-evm-utils is using OpenSSL and not the Kernel's Crypto API,
> OpenSSL names are "primary" for ima-evm-utils. It happens that most
> names are the same for both APIs.
>
> "md_gost12_X" has been supported for years by more versions of OpenSSL,
> while the "StreebogX" name was just committed a few months ago to
> gost-engine. Thus,
>
> 1) The "md_gost12_x" name could be used on conservative distros. Users
> will not need to wait [possibly] a few years until the new name reaches
> their distro.
>
> 2) PKEY_HASH_STREEBOG_X is resolved to the "md_gost12_X" names (to the
> names that are present in OpenSSL with much more probability).
>
> `pkey_hash_algo_kern` only contains names that are different between
> the Kernel and OpenSSL.
>
> I used "primary" for both arrays so that no names are offended by
> being not-primary.

Could you provide me with a single line or two with an explanation for the two names? I'll add it to the commit patch description before pushing out these patches.

Thanks!

Mimi
On Wed, Apr 03, 2019 at 05:40:43PM -0400, Mimi Zohar wrote:
> On Thu, 2019-04-04 at 00:37 +0300, Vitaly Chikunov wrote:
> > On Wed, Apr 03, 2019 at 05:10:20PM -0400, Mimi Zohar wrote:
> > > On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote:
> > > > Mimi,
> > > >
> > > > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> > > > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > > > > > Primary names of the algorithms are different for OpenSSL and Kernel.
> > > > > > Allow to use both of them.
> > > > >
> > > > > Can we add a line here explaining the two names? Perhaps something
> > > > > like, "GOST R 34.11-2012 is the Russian national standard based on the
> > > > > Streebog set of hash functions."
> > > >
> > > > Ok. But "GOST R 34.11-2012" is not mentioned, and there are other
> > > > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST
> > > > 34.11-2018.
> > > >
> > > > Point of this patch is that the Kernel calls this hash function by its
> > > > proper name "StreebogX", but older versions of OpenSSL reference it by
> > > > the acronym "md_gost12_X". (While newer ones should support the Streebog
> > > > name too.) And we try to be user friendly and allow the use of both names.
> > >
> > > If "Streebog" will be supported by OpenSSL, then why make md_gost12_x
> > > the primary name, and the kernel name the alias? Shouldn't it be the
> > > reverse (e.g. "pkey_hash_algo_alias")?
> >
> > Because ima-evm-utils is using OpenSSL and not the Kernel's Crypto API,
> > OpenSSL names are "primary" for ima-evm-utils. It happens that most
> > names are the same for both APIs.
> >
> > "md_gost12_X" has been supported for years by more versions of OpenSSL,
> > while the "StreebogX" name was just committed a few months ago to
> > gost-engine. Thus,
> >
> > 1) The "md_gost12_x" name could be used on conservative distros. Users
> > will not need to wait [possibly] a few years until the new name reaches
> > their distro.
> >
> > 2) PKEY_HASH_STREEBOG_X is resolved to the "md_gost12_X" names (to the
> > names that are present in OpenSSL with much more probability).
> >
> > `pkey_hash_algo_kern` only contains names that are different between
> > the Kernel and OpenSSL.
> >
> > I used "primary" for both arrays so that no names are offended by
> > being not-primary.
>
> Could you provide me with a single line or two with an explanation
> for the two names? I'll add it to the commit patch description
> before pushing out these patches.

Maybe this:

"Streebog" is the name of the hash algorithm in the Kernel Crypto API. "md_gost12_X" is the name used by most versions of OpenSSL; it's placed in pkey_hash_algo[] so that algo IDs are resolved to them.

>
> Thanks!
>
> Mimi
On Thu, 2019-04-04 at 00:57 +0300, Vitaly Chikunov wrote:
> Maybe this:
>
> "Streebog" is the name of the hash algorithm in the Kernel Crypto API.
> "md_gost12_X" is the name used by most versions of OpenSSL; it's
> placed in pkey_hash_algo[] so that algo IDs are resolved to them.

Thank you!
diff --git a/src/libimaevm.c b/src/libimaevm.c index bc7be1e..6783110 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -61,6 +61,7 @@ #include "imaevm.h" #include "hash_info.h" +/* Names that are primary for OpenSSL. */ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_MD4] = "md4", [PKEY_HASH_MD5] = "md5", @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_SHA384] = "sha384", [PKEY_HASH_SHA512] = "sha512", [PKEY_HASH_SHA224] = "sha224", + [PKEY_HASH_STREEBOG_256] = "md_gost12_256", + [PKEY_HASH_STREEBOG_512] = "md_gost12_512", +}; + +/* Names that are primary for the kernel. */ +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { [PKEY_HASH_STREEBOG_256] = "streebog256", [PKEY_HASH_STREEBOG_512] = "streebog512", }; @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo) !strcmp(algo, pkey_hash_algo[i])) return i; + for (i = 0; i < PKEY_HASH__LAST; i++) + if (pkey_hash_algo_kern[i] && + !strcmp(algo, pkey_hash_algo_kern[i])) + return i; + /* iterate over algorithms provided by kernel-headers */ for (i = 0; i < HASH_ALGO__LAST; i++) if (hash_algo_name[i] &&
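Review bot: the comment added above pkey_hash_algo[] in the first hunk, "Names that are primary for OpenSSL", does not capture what the thread establishes, namely that these are the spellings accepted by most OpenSSL versions and the ones an algorithm id resolves back to, while newer gost-engine also accepts the kernel spelling. Suggest wording it that way, e.g. `/* Names accepted by most OpenSSL versions; algo IDs resolve to these. */`, so a reader does not take "primary" to mean the only name OpenSSL knows.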
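Review bot: pkey_hash_algo_kern[] in the second hunk is a non-static global, yet the diffstat shows only src/libimaevm.c changing, so no header declares it; either add a declaration to imaevm.h beside pkey_hash_algo[] if callers are meant to use it, or make it `static` so the library does not export a symbol it only uses in get_hash_algo(). The hunk also moves the two Streebog entries out of pkey_hash_algo[], so any code that prints or passes pkey_hash_algo[PKEY_HASH_STREEBOG_256] now gets "md_gost12_256" where it previously got "streebog256"; that change in the resolved name should be stated in the commit message, which currently only says both names are accepted.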
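Review bot: the new loop in get_hash_algo() in the third hunk has no comment, unlike the "iterate over algorithms provided by kernel-headers" loop that follows it, and a reader will ask why a separate pass over pkey_hash_algo_kern[] is needed when hash_algo_name[] is searched right after; add a line such as `/* kernel names for algorithms whose OpenSSL name differs */` that states its purpose. As a style point, the pass could be folded into the preceding PKEY_HASH__LAST loop by testing pkey_hash_algo_kern[i] in the same iteration, which keeps OpenSSL names winning over kernel names as the patch intends while avoiding a third scan of the table.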
Primary names of the algorithms are different for OpenSSL and Kernel.
Allow to use both of them.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
src/libimaevm.c | 12 ++++++++++++
1 file changed, 12 insertions(+)