Bug 619878

Summary: Remove python-crypto's crypto implementations, rewriting in terms of libgcrypt
Product: Red Hat Enterprise Linux 6 Reporter: Dave Malcolm <dmalcolm>
Component: python-cryptoAssignee: Dave Malcolm <dmalcolm>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: low    
Version: 6.0CC: ddumas, jdennis, jrieden, mitr, rousseau, sgrubb, tmraz
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-26 21:25:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dave Malcolm 2010-07-30 18:46:16 UTC 
Description of problem:
python-crypto provides various API entrypoints relating to cryptography, and contains various implementations of cryptographic algorithms.

It is proposed to remove these implementations for certification reasons, rewriting the relevant API hooks in terms of libgcrypt.

Given that python-crypto occupies a particular place within the Python API namespace, we would need to replace all API hooks it provides with identical equivalents, or we run the risk of breaking things.

I have not yet checked to see if libgcrypt provides all of the algorithms that python-crypto implements.


Version-Release number of selected component (if applicable):
python-crypto-2.0.1-20.el6
Comment 22 Tomas Mraz 2010-12-06 20:09:35 UTC 
The certification of the python-crypto is probably not possible with the new revision of the FIPS-140 standard. But do we really need to have the python-crypto certified? If the only users of python-crypto are limited to some marginal functionality it could be probably kept out of the certified subset. As for the rewrite using some certified library - that's probably the only option if it is decided that we have to have all crypto certified. In that case it should be rewritten using the libncrypto which is a wrapper library for the kernel crypto algorithms.
Comment 23 Miloslav Trmač 2010-12-06 20:23:01 UTC 
I'll try to reply on other parts later, but

(In reply to comment #22)
> In that case
> it should be rewritten using the libncrypto which is a wrapper library for the
> kernel crypto algorithms.
I don't think libncrypto should be used by "ordinary" applications - we want to consolidate the libraries used by applications, not fragment them more.  Upstreams will probably not want to use a Linux-specific library anyway.
Comment 27 RHEL Program Management 2011-01-26 21:25:08 UTC 
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.
Comment 28 Dave Malcolm 2011-02-08 16:52:11 UTC 
See also bug 675708