Re: [PATCH 2/2] ima-evm-utils: try to load digest by its alias

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2019-04-04 at 00:37 +0300, Vitaly Chikunov wrote:
> On Wed, Apr 03, 2019 at 05:10:20PM -0400, Mimi Zohar wrote:
> > On Thu, 2019-04-04 at 00:04 +0300, Vitaly Chikunov wrote:
> > > Mimi,
> > > 
> > > On Wed, Apr 03, 2019 at 04:41:04PM -0400, Mimi Zohar wrote:
> > > > On Sat, 2019-03-23 at 04:41 +0300, Vitaly Chikunov wrote:
> > > > > Primary names of the algorithms are different for OpenSSL and Kernel.
> > > > > Allow to use both of them.
> > > > 
> > > > Can we add a line here explaining the two names?  Perhaps something
> > > > like, "GOST R 34.11-2012 is the Russian national standard based on the
> > > > Streebog set of hash functions." 
> > > 
> > > Ok. But, "GOST R 34.11-2012" is not mentioned, and there is other
> > > standards with Streebog, such as RFC 6986, ISO/IEC 10118-3:2018, GOST
> > > 34.11-2018.
> > > 
> > > Point of this patch is that Kernel calls this hash function by it's
> > > proper name "StreebogX", but older version of OpenSSL reference it by
> > > acronym "md_gost12_X". (While newer should support Streebog name too.)
> > > And we try to be user friendly and allow to use both names.
> > 
> > If "Streebog" will be supported by OpenSSL, then why make md_gost12_x
> > the primary name, and the kernel name the alias?  Shouldn't it be the
> > reverse (eg. "pkey_hash_algo_alias")?
> 
> Because ima-evm-utils is using OpenSSL and not Kernel's Crypto API,
> OpenSSL names are "primary" for ima-evm-utils. It's happened that most
> names are the same for both APIs.
> 
> "md_gost12_X" is supported for years by more versions of OpenSSL. While
> "StreebogX" name is just committed a few months ago to gost-engine. Thus,
> 
>   1) "md_gost12_x" name could be used on conservative distros. Users
>    will not need to wait [possible] a few years when new name reach
>    their distro.
> 
>   2) PKEY_HASH_STREEBOG_X is resolved to "md_gost12_X" names (to the
>   names that are present in OpenSSL with much more probability).
> 
> `pkey_hash_algo_kern` only contains names that are different between
> the Kernel and OpenSSL.
> 
> I used "primary" for the both arrays so that no names are offended by
> being not-primary.

Could you provide me with a single line or two, with an explanation
for the two names.  I'll add it to the commit patch description,
before pushing out these patches.

Thanks!

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux