From: Mimi Zohar <zohar@linux.ibm.com>
To: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>,
linux-integrity@vger.kernel.org
Subject: Re: [PATCH] ima-evm-utils: Fix compatibility with LibreSSL
Date: Tue, 25 Feb 2020 08:44:58 -0500 [thread overview]
Message-ID: <1582638298.10443.196.camel@linux.ibm.com> (raw)
In-Reply-To: <63ba8482-0085-f2d3-dbb9-70bb81990f07@rosalinux.ru>
On Sun, 2020-02-16 at 14:10 +0300, Mikhail Novosyolov wrote:
> LibreSSL in most cases can be used as a drop-in replacement of OpenSSL.
> Commit 07d799cb6c37 "ima-evm-utils: Preload OpenSSL engine via '--engine' option"
> added OpenSSL-specific functions: "engines" were removed from LibreSSL long ago.
> Instead of requiring to attach GOST support via an external library ("engine"),
> LibreSSL has build-in implementation of GOST.
OpenSSL had a builtin support for GOST, which was dropped. From the
OpenSSL news "Changes between 1.0.2h and 1.1.0":
The GOST engine was out of date and therefore it has been removed. An up
to date GOST engine is now being maintained in an external repository.
See: https://wiki.openssl.org/index.php/Binaries . Libssl still retains
support for GOST ciphersuites (these are only activated if a GOST engine
is present).
Please update the patch description to reflect the reason for OpenSSL
dropping GOST builtin support, while LibreSSL continues to build it
in.
> Commit ebbfc41ad6ba "ima-evm-utils: try to load digest by its alias" is also not OK
> for LibreSSL because LibreSSL uses different digest names:
> md_gost12_256 -> streebog256
> md_gost12_512 -> streebog512
>
> Example how it works when linked with LibreSSL:
> $ libressl dgst -streebog256 testfile
> streebog256(a)= 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
> $ evmctl -v ima_hash -a streebog256 testfile
> hash(streebog256): 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
> $ evmctl -v ima_hash -a md_gost12_256 testfile
> EVP_get_digestbyname(md_gost12_256) failed
Removing "engine support" is one logical change. This sounds like it
is a separate issue and should be addressed in its own patch.
>
> TODO: it would be nice to map
> md_gost12_256 <-> streebog256
> md_gost12_512 <-> streebog512
> in evmctl CLI arguements to make the same commands work on systems both
> where evmctl is linked with LibreSSL and with OpenSSL.
>
> Fixes: 07d799cb6c37 ("ima-evm-utils: Preload OpenSSL engine via '--engine' option")
> Fixes: ebbfc41ad6ba ("ima-evm-utils: try to load digest by its alias")
> Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
> ---
> README | 2 +-
> src/evmctl.c | 15 ++++++++++++++-
> src/libimaevm.c | 2 ++
> 3 files changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/README b/README
> index 3603ae8..f843bbe 100644
> --- a/README
> +++ b/README
> @@ -58,7 +58,7 @@ OPTIONS
> --smack use extra SMACK xattrs for EVM
> --m32 force EVM hmac/signature for 32 bit target system
> --m64 force EVM hmac/signature for 64 bit target system
> - --engine e preload OpenSSL engine e (such as: gost)
> + --engine e preload OpenSSL engine e (such as: gost) (not valid for LibreSSL)
> -v increase verbosity level
> -h, --help display this help and exit
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 3d2a10b..f6507c1 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -62,7 +62,10 @@
> #include <openssl/hmac.h>
> #include <openssl/err.h>
> #include <openssl/rsa.h>
> +/* LibreSSL removed engines */
> +#ifndef LIBRESSL_VERSION_NUMBER
> #include <openssl/engine.h>
> +#endif
According to the LibreSSL wiki, both OpenSSL and LibreSSL may be
installed on the same system in separate directories. Instead of
using LIBRESSL_VERSION_NUMBER, consider defining an autotools option.
thanks,
Mimi
>
> #ifndef XATTR_APPAARMOR_SUFFIX
> #define XATTR_APPARMOR_SUFFIX "apparmor"
> @@ -1849,7 +1852,9 @@ static void usage(void)
> " --selinux use custom Selinux label for EVM\n"
> " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
> " --list measurement list verification\n"
> +#ifndef LIBRESSL_VERSION_NUMBER /* LibreSSL removed engines */
> " --engine e preload OpenSSL engine e (such as: gost)\n"
> +#endif
> " -v increase verbosity level\n"
> " -h, --help display this help and exit\n"
> "\n");
> @@ -1902,7 +1907,9 @@ static struct option opts[] = {
> {"selinux", 1, 0, 136},
> {"caps", 2, 0, 137},
> {"list", 0, 0, 138},
> +#ifndef LIBRESSL_VERSION_NUMBER
> {"engine", 1, 0, 139},
> +#endif
> {"xattr-user", 0, 0, 140},
> {}
>
> @@ -1947,7 +1954,9 @@ static char *get_password(void)
> int main(int argc, char *argv[])
> {
> int err = 0, c, lind;
> +#ifndef LIBRESSL_VERSION_NUMBER
> ENGINE *eng = NULL;
> +#endif
>
> #if !(OPENSSL_VERSION_NUMBER < 0x10100000)
> OPENSSL_init_crypto(
> @@ -2065,7 +2074,8 @@ int main(int argc, char *argv[])
> case 138:
> measurement_list = 1;
> break;
> - case 139: /* --engine e */
> +#ifndef LIBRESSL_VERSION_NUMBER
> + case 139: /* --engine e, only in OpenSSL, not in LibreSSL */
> eng = ENGINE_by_id(optarg);
> if (!eng) {
> log_err("engine %s isn't available\n", optarg);
> @@ -2078,6 +2088,7 @@ int main(int argc, char *argv[])
> }
> ENGINE_set_default(eng, ENGINE_METHOD_ALL);
> break;
> +#endif
> case 140: /* --xattr-user */
> xattr_ima = "user.ima";
> xattr_evm = "user.evm";
> @@ -2108,6 +2119,7 @@ int main(int argc, char *argv[])
> }
> }
>
> +#ifndef LIBRESSL_VERSION_NUMBER
> if (eng) {
> ENGINE_finish(eng);
> ENGINE_free(eng);
> @@ -2115,6 +2127,7 @@ int main(int argc, char *argv[])
> ENGINE_cleanup();
> #endif
> }
> +#endif
> ERR_free_strings();
> EVP_cleanup();
> BIO_free(NULL);
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index 7c17bf4..050ea78 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -71,8 +71,10 @@ static const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> [PKEY_HASH_SHA384] = "sha384",
> [PKEY_HASH_SHA512] = "sha512",
> [PKEY_HASH_SHA224] = "sha224",
> +#ifndef LIBRESSL_VERSION_NUMBER
> [PKEY_HASH_STREEBOG_256] = "md_gost12_256",
> [PKEY_HASH_STREEBOG_512] = "md_gost12_512",
> +#endif
> };
>
> /* Names that are primary for the kernel. */
next prev parent reply other threads:[~2020-02-25 13:45 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-16 11:10 [PATCH] ima-evm-utils: Fix compatibility with LibreSSL Mikhail Novosyolov
2020-02-25 12:11 ` Mimi Zohar
2020-02-25 13:44 ` Mimi Zohar [this message]
2020-02-26 9:51 ` Mikhail Novosyolov
2020-02-27 4:28 ` Mimi Zohar
2020-02-27 15:38 ` Vitaly Chikunov
2020-02-27 20:36 ` Mimi Zohar
-- strict thread matches above, loose matches on Subject: below --
2019-12-03 22:41 Mikhail Novosyolov
2020-03-24 21:05 ` Mimi Zohar
2020-03-24 22:17 ` Mikhail Novosyolov
2020-03-25 0:48 ` Mimi Zohar
2020-03-25 22:44 ` Mimi Zohar
2020-05-20 16:30 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1582638298.10443.196.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=m.novosyolov@rosalinux.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.