From: Mimi Zohar <zohar@linux.ibm.com>
To: Vitaly Chikunov <vt@altlinux.org>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org
Subject: Re: [PATCH v2 4/7] ima-evm-utils: Allow using Streebog hash function
Date: Fri, 30 Nov 2018 14:21:23 -0500	[thread overview]
Message-ID: <1543605683.4216.71.camel@linux.ibm.com> (raw)
In-Reply-To: <20181128200610.21214-4-vt@altlinux.org>

On Wed, 2018-11-28 at 23:06 +0300, Vitaly Chikunov wrote:
> This patch will allow using GOST algorithms from OpenSSL's
> gost-engine[1] via config extension (which is the usual way).
> 
> [1] https://github.com/gost-engine/engine
> 
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> ---
> Changes since v1:
> - "--engine" option is moved into a separate patch.

Thanks!

> 
>  src/evmctl.c    |  6 +++---
>  src/imaevm.h    | 13 +++++++++++++
>  src/libimaevm.c | 15 +++++++++++----
>  3 files changed, 27 insertions(+), 7 deletions(-)
> 
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 9cbc2cb..f4b2e7d 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -388,7 +388,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> 
>  	md = EVP_get_digestbyname(params.hash_algo);
>  	if (!md) {
> -		log_err("EVP_get_digestbyname() failed\n");
> +		log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
>  		return 1;
>  	}
> 
> @@ -1064,7 +1064,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> 
>  	md = EVP_get_digestbyname(params.hash_algo);
>  	if (!md) {
> -		log_err("EVP_get_digestbyname() failed\n");
> +		log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
>  		goto out;
>  	}
> 
> @@ -1653,7 +1653,7 @@ static void usage(void)
> 
>  	printf(
>  		"\n"
> -		"  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512\n"
> +		"  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512\n"
>  		"  -s, --imasig       make IMA signature\n"
>  		"  -d, --imahash      make IMA hash\n"
>  		"  -f, --sigfile      store IMA signature in .sig file instead of xattr\n"
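Review bot: The new usage line advertises streebog256 and streebog512 unconditionally, but nothing in the hunk makes them available without an OpenSSL engine (the cover text names gost-engine loaded through the OpenSSL config), so a user on a stock OpenSSL will hit the EVP_get_digestbyname() error with no hint why. Worth saying so in the help text itself, e.g. `"  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512 (streebog* need an OpenSSL engine)\n"`, or a follow-on line under the option. usage() continues outside the hunk.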
> diff --git a/src/imaevm.h b/src/imaevm.h
> index 2ebe7e7..c81bf21 100644
> --- a/src/imaevm.h
> +++ b/src/imaevm.h
> @@ -152,6 +152,7 @@ struct signature_hdr {
>  	char mpi[0];
>  } __packed;
> 
> +/* reflect enum hash_algo from include/uapi/linux/hash_info.h */
>  enum pkey_hash_algo {
>  	PKEY_HASH_MD4,
>  	PKEY_HASH_MD5,
> @@ -161,6 +162,18 @@ enum pkey_hash_algo {
>  	PKEY_HASH_SHA384,
>  	PKEY_HASH_SHA512,
>  	PKEY_HASH_SHA224,
> +	PKEY_HASH_RIPE_MD_128,
> +	PKEY_HASH_RIPE_MD_256,
> +	PKEY_HASH_RIPE_MD_320,
> +	PKEY_HASH_WP_256,
> +	PKEY_HASH_WP_384,
> +	PKEY_HASH_WP_512,
> +	PKEY_HASH_TGR_128,
> +	PKEY_HASH_TGR_160,
> +	PKEY_HASH_TGR_192,
> +	PKEY_HASH_SM3_256,
> +	PKEY_HASH_STREEBOG_256,
> +	PKEY_HASH_STREEBOG_512,
>  	PKEY_HASH__LAST
>  };
> 
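Review bot: The twelve new enumerators change the value of PKEY_HASH__LAST and the index space of every table indexed by this enum, but only pkey_hash_algo[] in libimaevm.c is adjusted (and only two of the twelve get strings); RSA_ASN1_templates[], indexed by hdr->hash_algo in verify_hash_v2() in the libimaevm.c hunk below, gets no new entries in this patch. Since the comment added in the previous hunk ties the ordering to the kernel's enum hash_algo (the value is what ends up in the signature header), the enum should also say what must move with it: `/* Order must match enum hash_algo in include/uapi/linux/hash_info.h; every table indexed by this enum (pkey_hash_algo[], RSA_ASN1_templates[]) must cover PKEY_HASH__LAST entries. */`. Whether RSA_ASN1_templates[] is bounds-checked before use is not visible here and should be confirmed.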
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index 34501ca..7b2b62c 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -51,6 +51,7 @@
>  #include <stdio.h>
>  #include <assert.h>
> 
> +#include <openssl/crypto.h>
>  #include <openssl/pem.h>
>  #include <openssl/evp.h>
>  #include <openssl/x509.h>
> @@ -67,6 +68,8 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
>  	[PKEY_HASH_SHA384]	= "sha384",
>  	[PKEY_HASH_SHA512]	= "sha512",
>  	[PKEY_HASH_SHA224]	= "sha224",
> +	[PKEY_HASH_STREEBOG_256] = "streebog256",
> +	[PKEY_HASH_STREEBOG_512] = "streebog512",
>  };
> 
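Review bot: With the designated initializer now sparse, the entries between PKEY_HASH_SHA224 and PKEY_HASH_STREEBOG_256 are NULL, and the only consumer this patch guards is get_hash_algo(); any other reader of pkey_hash_algo[idx] (printing it with %s, passing it to EVP_get_digestbyname(), strcmp) would dereference NULL for those values. A comment on the table would make the contract explicit: `/* Sparse: unsupported algorithms are NULL, callers must check before use. */`. Alternatively fill the gaps with the kernel names so the table is dense, which is what patch 6/7 of this series appears to move toward.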
>  /*
> @@ -291,7 +294,7 @@ int ima_calc_hash(const char *file, uint8_t *hash)
> 
>  	md = EVP_get_digestbyname(params.hash_algo);
>  	if (!md) {
> -		log_err("EVP_get_digestbyname() failed\n");
> +		log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
>  		return 1;
>  	}
> 
> @@ -509,14 +512,16 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
>  	asn1 = &RSA_ASN1_templates[hdr->hash_algo];
> 
>  	if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) {
> -		log_err("%s: verification failed: %d\n", file, err);
> +		log_err("%s: verification failed: %d (asn1 mismatch)\n",
> +			file, err);
>  		return -1;
>  	}
> 
>  	len -= asn1->size;
> 
>  	if (len != size || memcmp(out + asn1->size, hash, len)) {
> -		log_err("%s: verification failed: %d\n", file, err);
> +		log_err("%s: verification failed: %d (digest mismatch)\n",
> +			file, err);
>  		return -1;
>  	}
> 
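Review bot: The context line `asn1 = &RSA_ASN1_templates[hdr->hash_algo];` indexes a table with a value read from the signature header, which is untrusted xattr data, and this patch widens the range of values a signer can legitimately write there without adding templates; if the array is sized to the old algorithm count and there is no range check earlier in verify_hash_v2() (the function starts outside the hunk), a header carrying one of the new enumerators reads past the table. A guard placed before the lookup, `if (hdr->hash_algo >= ARRAY_SIZE(RSA_ASN1_templates) || !RSA_ASN1_templates[hdr->hash_algo].data) { log_err("%s: unsupported hash algorithm %d\n", file, hdr->hash_algo); return -1; }`, would make the new messages below reachable only for algorithms the table actually describes. The split "asn1 mismatch" / "digest mismatch" messages themselves are a useful diagnostic improvement.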
> @@ -528,7 +533,8 @@ int get_hash_algo(const char *algo)
>  	int i;
> 
>  	for (i = 0; i < PKEY_HASH__LAST; i++)
> -		if (!strcmp(algo, pkey_hash_algo[i]))
> +		if (pkey_hash_algo[i] &&
> +		    !strcmp(algo, pkey_hash_algo[i]))
>  			return i;
> 
>  	return PKEY_HASH_SHA1;
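Review bot: The NULL guard is correct for the sparse table, but the pre-existing fallthrough to `return PKEY_HASH_SHA1;` now covers more misspellings (e.g. a user typing streebog-256 instead of streebog256), so an unrecognised name silently signs or verifies with sha1 instead of failing. If callers can tolerate it, logging before the fallback, `log_err("unknown hash algorithm '%s', defaulting to sha1\n", algo);`, keeps the interface unchanged while making the downgrade visible; returning an error would be the stricter fix but changes the contract for callers outside the hunk.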
> @@ -901,5 +907,6 @@ int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const c
>  static void libinit()
>  {
>  	OpenSSL_add_all_algorithms();
> +	OPENSSL_add_all_algorithms_conf();
>  	ERR_load_crypto_strings();
>  }
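Review bot: OPENSSL_add_all_algorithms_conf() already performs what OpenSSL_add_all_algorithms() does and additionally loads the OpenSSL configuration file, so the call on the line above it is redundant and the two lines can become the single `OPENSSL_add_all_algorithms_conf();`. The config load is also the step that pulls in engines such as gost-engine, and a failure there is silent at this point and only shows up later as EVP_get_digestbyname(streebog256) failing, which is worth a comment: `/* Also loads openssl.cnf so engine-provided digests (e.g. streebog*) become available. */`. Since libinit() is static and its caller is outside the hunk, whether it runs exactly once cannot be confirmed from here.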

