diff mbox series

[v5,10/10] integrity: support EC-RDSA signatures for asymmetric_verify

Message ID 20190224060828.2527-11-vt@altlinux.org (mailing list archive)
State Changes Requested
Delegated to: Herbert Xu
Headers show
Series crypto: add EC-RDSA (GOST 34.10) algorithm | expand

Commit Message

Vitaly Chikunov Feb. 24, 2019, 6:08 a.m. UTC 
Allow to use EC-RDSA signatures for IMA by determining signature type by
the hash algorithm name. This works good for EC-RDSA since Streebog and
EC-RDSA should always be used together.

Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: linux-integrity@vger.kernel.org
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
 security/integrity/digsig_asymmetric.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Comments

Thiago Jung Bauermann Feb. 25, 2019, 9:20 p.m. UTC | #1 
Hello Vitaly,

Vitaly Chikunov <vt@altlinux.org> writes:

> Allow to use EC-RDSA signatures for IMA by determining signature type by
> the hash algorithm name. This works good for EC-RDSA since Streebog and
> EC-RDSA should always be used together.
>
> Cc: Mimi Zohar <zohar@linux.ibm.com>
> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
> Cc: linux-integrity@vger.kernel.org
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> ---
>  security/integrity/digsig_asymmetric.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
> index d775e03fbbcc..c4a3313e0210 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -104,9 +104,14 @@ int asymmetric_verify(struct key *keyring, const char *sig,
>
>  	memset(&pks, 0, sizeof(pks));
>
> -	pks.pkey_algo = "rsa";
>  	pks.hash_algo = hash_algo_name[hdr->hash_algo];
> -	pks.encoding = "pkcs1";
> +	if (!strncmp(pks.hash_algo, "streebog", 8)) {

Is it possible to test hdr->hash_algo instead of pkcs.hash_algo? IMHO if
an integer value is available it's preferable to check it rather than
doing a string comparison.

Also, it would be good to have a comment here mentioning that Streebog
and EC-RDSA should always be used together

> +		pks.pkey_algo = "ecrdsa";
> +		pks.encoding = "raw";
> +	} else {
> +		pks.pkey_algo = "rsa";
> +		pks.encoding = "pkcs1";
> +	}
>  	pks.digest = (u8 *)data;
>  	pks.digest_size = datalen;
>  	pks.s = hdr->sig;

--
Thiago Jung Bauermann
IBM Linux Technology Center
Vitaly Chikunov Feb. 26, 2019, 4:25 a.m. UTC | #2 
Thiago,

On Mon, Feb 25, 2019 at 06:20:49PM -0300, Thiago Jung Bauermann wrote:
> Vitaly Chikunov <vt@altlinux.org> writes:
> 
> > Allow to use EC-RDSA signatures for IMA by determining signature type by
> > the hash algorithm name. This works good for EC-RDSA since Streebog and
> > EC-RDSA should always be used together.
> >
> > Cc: Mimi Zohar <zohar@linux.ibm.com>
> > Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
> > Cc: linux-integrity@vger.kernel.org
> > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> > ---
> >  security/integrity/digsig_asymmetric.c | 9 +++++++--
> >  1 file changed, 7 insertions(+), 2 deletions(-)
> >
> > diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
> > index d775e03fbbcc..c4a3313e0210 100644
> > --- a/security/integrity/digsig_asymmetric.c
> > +++ b/security/integrity/digsig_asymmetric.c
> > @@ -104,9 +104,14 @@ int asymmetric_verify(struct key *keyring, const char *sig,
> >
> >  	memset(&pks, 0, sizeof(pks));
> >
> > -	pks.pkey_algo = "rsa";
> >  	pks.hash_algo = hash_algo_name[hdr->hash_algo];
> > -	pks.encoding = "pkcs1";
> > +	if (!strncmp(pks.hash_algo, "streebog", 8)) {
> 
> Is it possible to test hdr->hash_algo instead of pkcs.hash_algo? IMHO if
> an integer value is available it's preferable to check it rather than
> doing a string comparison.

Yes. But we have long tradition of comparing by the name too:

  --linux$ git grep str.*cmp.*'"sha[12]'
  drivers/crypto/mxs-dcp.c:       if (strcmp(halg->base.cra_name, "sha1") == 0)
  drivers/crypto/talitos.c:                   (!strcmp(alg->cra_name, "sha224") ||
  net/sctp/sysctl.c:              if (!strncmp(tmp, "sha1", 4)) {
  scripts/sign-file.c:    if (strcmp(hash_algo, "sha1") != 0) {
  security/integrity/ima/ima_main.c:              if (strncmp(str, "sha1", 4) == 0)
  --linux$ git grep str.*cmp.*hash_algo
  fs/ubifs/sb.c:  if (strcmp(hash_algo_name[hash_algo], c->auth_hash_name)) {
  scripts/sign-file.c:    if (strcmp(hash_algo, "sha1") != 0) {
  security/integrity/ima/ima_main.c:      if (error && strcmp(hash_algo_name[ima_hash_algo],
  security/keys/trusted.c:                                if (!strcmp(args[0].from, hash_algo_name[i])) {
  --linux$ git grep str.*cmp.*cra_name
  crypto/adiantum.c:      if (strcmp(streamcipher_alg->base.cra_name, "xchacha12") != 0 &&
  crypto/adiantum.c:          strcmp(streamcipher_alg->base.cra_name, "xchacha20") != 0)
  crypto/adiantum.c:      if (strcmp(hash_alg->base.cra_name, "nhpoly1305") != 0)
  crypto/algapi.c:                if (!strcmp(q->cra_driver_name, alg->cra_name) ||
  crypto/algapi.c:                    !strcmp(q->cra_name, alg->cra_driver_name))
  crypto/algapi.c:                        if (strcmp(alg->cra_name, q->cra_name) &&
  crypto/algapi.c:                            strcmp(alg->cra_driver_name, q->cra_name))
  crypto/algapi.c:                if (strcmp(alg->cra_name, q->cra_name))
  crypto/api.c:           fuzzy = !strcmp(q->cra_name, name);
  crypto/crypto_user_base.c:                      match = !strcmp(q->cra_name, p->cru_name);
  crypto/cts.c:   if (strncmp(alg->base.cra_name, "cbc(", 4))
  crypto/simd.c:          WARN_ON(strncmp(algs[i].base.cra_name, "__", 2));
  drivers/crypto/mxs-dcp.c:       if (strcmp(halg->base.cra_name, "sha1") == 0)
  drivers/crypto/talitos.c:                   !strncmp(alg->cra_name, "authenc(hmac(sha224)", 20)) {
  drivers/crypto/talitos.c:               if (!strncmp(alg->cra_name, "hmac", 4))
  drivers/crypto/talitos.c:                   !strncmp(alg->cra_name, "hmac", 4)) {
  drivers/crypto/talitos.c:                   (!strcmp(alg->cra_name, "sha224") ||
  drivers/crypto/talitos.c:                    !strcmp(alg->cra_name, "hmac(sha224)"))) {
  lib/crc-t10dif.c:           strncmp(alg->cra_name, CRC_T10DIF_STRING, strlen(CRC_T10DIF_STRING)))


After all pkey_algo, hash_algo, cra_name are set to strings to be used
somewhere. So both ways looks equal to me.

[I more wonder if we should leave algo names to be used as they are in
x509_note_signature() (to check for "rsa" and "ecrdsa"), since there are
no other pkey_algo's set in x509_note_pkey_algo().]

> Also, it would be good to have a comment here mentioning that Streebog
> and EC-RDSA should always be used together

Thanks,

> > +		pks.pkey_algo = "ecrdsa";
> > +		pks.encoding = "raw";
> > +	} else {
> > +		pks.pkey_algo = "rsa";
> > +		pks.encoding = "pkcs1";
> > +	}
> >  	pks.digest = (u8 *)data;
> >  	pks.digest_size = datalen;
> >  	pks.s = hdr->sig;
> 
> --
> Thiago Jung Bauermann
> IBM Linux Technology Center
Mimi Zohar Feb. 26, 2019, 12:07 p.m. UTC | #3 
> > > diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
> > > index d775e03fbbcc..c4a3313e0210 100644
> > > --- a/security/integrity/digsig_asymmetric.c
> > > +++ b/security/integrity/digsig_asymmetric.c
> > > @@ -104,9 +104,14 @@ int asymmetric_verify(struct key *keyring, const char *sig,
> > >
> > >  	memset(&pks, 0, sizeof(pks));
> > >
> > > -	pks.pkey_algo = "rsa";
> > >  	pks.hash_algo = hash_algo_name[hdr->hash_algo];
> > > -	pks.encoding = "pkcs1";
> > > +	if (!strncmp(pks.hash_algo, "streebog", 8)) {
> > 
> > Is it possible to test hdr->hash_algo instead of pkcs.hash_algo? IMHO if
> > an integer value is available it's preferable to check it rather than
> > doing a string comparison.
> 
> Yes. But we have long tradition of comparing by the name too:
> 
>   --linux$ git grep str.*cmp.*'"sha[12]'
>   drivers/crypto/mxs-dcp.c:       if (strcmp(halg->base.cra_name, "sha1") == 0)
>   drivers/crypto/talitos.c:                   (!strcmp(alg->cra_name, "sha224") ||
>   net/sctp/sysctl.c:              if (!strncmp(tmp, "sha1", 4)) {
>   scripts/sign-file.c:    if (strcmp(hash_algo, "sha1") != 0) {

sign_file.c is a userspace program used for signing kernel modules.
 This example is not applicable.

>   security/integrity/ima/ima_main.c:              if (strncmp(str, "sha1", 4) == 0)

In the ima_main.c example, it is used in an __init function to set up
crypto defaults.  The code also predates the enumerations defined in
crypto/hash_info.c.

Mimi
diff mbox series

Patch

diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index d775e03fbbcc..c4a3313e0210 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -104,9 +104,14 @@  int asymmetric_verify(struct key *keyring, const char *sig,
 
 	memset(&pks, 0, sizeof(pks));
 
-	pks.pkey_algo = "rsa";
 	pks.hash_algo = hash_algo_name[hdr->hash_algo];
-	pks.encoding = "pkcs1";
+	if (!strncmp(pks.hash_algo, "streebog", 8)) {
+		pks.pkey_algo = "ecrdsa";
+		pks.encoding = "raw";
+	} else {
+		pks.pkey_algo = "rsa";
+		pks.encoding = "pkcs1";
+	}
 	pks.digest = (u8 *)data;
 	pks.digest_size = datalen;
 	pks.s = hdr->sig;