Received: by 2002:ac0:8845:0:0:0:0:0 with SMTP id g63csp513589img; Tue, 26 Feb 2019 04:09:17 -0800 (PST) X-Google-Smtp-Source: AHgI3IYsnWTxL1bUGLfoFUggRjJvI4x+oTToTu8D8gB7T2JrOAIqa6w1TG8NIGKqzHSEhvgkJzYO X-Received: by 2002:a63:4509:: with SMTP id s9mr23905496pga.420.1551182957449; Tue, 26 Feb 2019 04:09:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551182957; cv=none; d=google.com; s=arc-20160816; b=nc+X1S9pd6KTjVpTh+7hBdr+tpsGkkWKxOdi4eZ2xWSD8ElHUHlEJgB6dssG3hTSdF gUjQsPQbS95tmaEaTHQP7k5v/mAF5qohWjFiviMJVbgBwV0x9DPuXGJmhwtdTTLfKq3N v2FdhLLn68yrtYaVPp1xBzi6l+Y2jRfLFb5dEdAlXCmbhFod/zzBEadVU76r/hramV1G ZjXZA//l4/qfbHUgsuVRylxQuMmoetBVSCSMk+SSmPe395qFFoSol3/F1ga0Vpha/2O2 PR61Tm4wqyTi2N9mW+aGSxYDv5hbCur7is3gjtYhAkRepMS8FV0CZpbJEpJzJV3ZGeDh BYVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject; bh=ogemPjVJtWPRR6qoob91hhcPdK9yDXEtRCuiNZdyqz0=; b=07csQc1z43BjUatJf6pISAt44hIg4wWL2xRPRwqb+NHiKpPqIfryea1RTo1gwxuV0T qHsMZZxhs2Znx35Ie3Te9slWrfE9e5crQ+rkYcc5mlYj5PmYQx5BqSV6JZ0n9lM3MPGb wyYr8yom+hHoY5DbyOPGhC1H3cPhRROVXWsHKXwAhP7k7Kv8SZPd6/ViZVWpRXnqGxvS CIz9fckquCV+R5VGg3nMv9qBMVApGkAjEIEldB8obQtA/EqfwIy8DuLMwENWQGWgE0Nh orcfh2u3m5iQe/UlHr1lox6wOxHUJGA3ZX1LOTfgels5XufB6IPNvj/J7cwp8TajkslO yAMQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s20si12128169plr.14.2019.02.26.04.09.02; Tue, 26 Feb 2019 04:09:17 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726762AbfBZMIF (ORCPT + 99 others); Tue, 26 Feb 2019 07:08:05 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:43826 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726721AbfBZMIE (ORCPT ); Tue, 26 Feb 2019 07:08:04 -0500 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x1QC2vIC131029 for ; Tue, 26 Feb 2019 07:08:03 -0500 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0a-001b2d01.pphosted.com with ESMTP id 2qw48wka59-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 26 Feb 2019 07:08:02 -0500 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 26 Feb 2019 12:08:00 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 26 Feb 2019 12:07:56 -0000 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x1QC7tQC56754208 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 26 Feb 2019 12:07:55 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A805DAE055; Tue, 26 Feb 2019 12:07:55 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 846BAAE053; Tue, 26 Feb 2019 12:07:54 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.108.64]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 26 Feb 2019 12:07:54 +0000 (GMT) Subject: Re: [PATCH v5 10/10] integrity: support EC-RDSA signatures for asymmetric_verify From: Mimi Zohar To: Vitaly Chikunov , Thiago Jung Bauermann Cc: Herbert Xu , David Howells , linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Dmitry Kasatkin Date: Tue, 26 Feb 2019 07:07:43 -0500 In-Reply-To: <20190226042546.czh6me47f7xldgk2@altlinux.org> References: <20190224060828.2527-1-vt@altlinux.org> <20190224060828.2527-11-vt@altlinux.org> <874l8rr2dq.fsf@morokweng.localdomain> <20190226042546.czh6me47f7xldgk2@altlinux.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 19022612-0016-0000-0000-0000025B106D X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19022612-0017-0000-0000-000032B5727C Message-Id: <1551182863.27819.62.camel@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-26_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1902260090 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > > > diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c > > > index d775e03fbbcc..c4a3313e0210 100644 > > > --- a/security/integrity/digsig_asymmetric.c > > > +++ b/security/integrity/digsig_asymmetric.c > > > @@ -104,9 +104,14 @@ int asymmetric_verify(struct key *keyring, const char *sig, > > > > > > memset(&pks, 0, sizeof(pks)); > > > > > > - pks.pkey_algo = "rsa"; > > > pks.hash_algo = hash_algo_name[hdr->hash_algo]; > > > - pks.encoding = "pkcs1"; > > > + if (!strncmp(pks.hash_algo, "streebog", 8)) { > > > > Is it possible to test hdr->hash_algo instead of pkcs.hash_algo? IMHO if > > an integer value is available it's preferable to check it rather than > > doing a string comparison. > > Yes. But we have long tradition of comparing by the name too: > > --linux$ git grep str.*cmp.*'"sha[12]' > drivers/crypto/mxs-dcp.c: if (strcmp(halg->base.cra_name, "sha1") == 0) > drivers/crypto/talitos.c: (!strcmp(alg->cra_name, "sha224") || > net/sctp/sysctl.c: if (!strncmp(tmp, "sha1", 4)) { > scripts/sign-file.c: if (strcmp(hash_algo, "sha1") != 0) { sign_file.c is a userspace program used for signing kernel modules.  This example is not applicable. > security/integrity/ima/ima_main.c: if (strncmp(str, "sha1", 4) == 0) In the ima_main.c example, it is used in an __init function to set up crypto defaults.  The code also predates the enumerations defined in crypto/hash_info.c. Mimi