lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 10 Feb 2021 08:01:30 +0000
From:   David Woodhouse <dwmw2@...radead.org>
To:     Yang Song <songyang@...ux.alibaba.com>, dhowells@...hat.com,
        keyrings@...r.kernel.org, linux-kernel@...r.kernel.org
CC:     zhang.jia@...ux.alibaba.com, tianjia.zhang@...ux.alibaba.com,
        songyang@...ux.alibaba.com
Subject: Re: [PATCH] sign-file: add openssl engine support



On 10 February 2021 07:45:54 GMT, Yang Song <songyang@...ux.alibaba.com> wrote:
>Use a customized signature service supported by openssl engine
>to sign the kernel module.
>Add command line parameters that support engine for sign-file
>to use the customized openssl engine service to sign kernel modules.
>
>Signed-off-by: Yang Song <songyang@...ux.alibaba.com>

Aren't engines already obsolete in the latest versions of OpenSSL, as well as being an implementation detail of one particular crypto library? They aren't really a concept we should be exposing in *our* user interface.

Better to make sign-file automatically recognise RFC7512 PKCS#11 URIs and handle them by automatically loading the PKCS#11 engine.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ