Bug 619878 - Remove python-crypto's crypto implementations, rewriting in terms of libgcrypt
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: python-crypto
Version: 6.0
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
Assignee: Dave Malcolm
QA Contact: BaseOS QE Security Team
Reported: 2010-07-30 18:46 UTC by Dave Malcolm
Modified: 2011-03-23 18:37 UTC
Last Closed: 2011-01-26 21:25:08 UTC



Description Dave Malcolm 2010-07-30 18:46:16 UTC
Description of problem:
python-crypto provides various API entrypoints relating to cryptography, and contains various implementations of cryptographic algorithms.

It is proposed to remove these implementations for certification reasons, rewriting the relevant API hooks in terms of libgcrypt.

Given that python-crypto occupies a particular place within the Python API namespace, we would need to replace all API hooks it provides with identical equivalents, or we run the risk of breaking things.

I have not yet checked to see if libgcrypt provides all of the algorithms that python-crypto implements.


Version-Release number of selected component (if applicable):
python-crypto-2.0.1-20.el6

Comment 22 Tomas Mraz 2010-12-06 20:09:35 UTC
The certification of python-crypto is probably not possible with the new revision of the FIPS-140 standard. But do we really need to have python-crypto certified? If the only users of python-crypto are limited to some marginal functionality, it could probably be kept out of the certified subset. As for the rewrite using some certified library - that's probably the only option if it is decided that we have to have all crypto certified. In that case it should be rewritten using the libncrypto which is a wrapper library for the kernel crypto algorithms.

Comment 23 Miloslav Trmač 2010-12-06 20:23:01 UTC
I'll try to reply on other parts later, but

(In reply to comment #22)
> In that case
> it should be rewritten using the libncrypto which is a wrapper library for the
> kernel crypto algorithms.
I don't think libncrypto should be used by "ordinary" applications - we want to consolidate the libraries used by applications, not fragment them more.  Upstreams will probably not want to use a Linux-specific library anyway.

Comment 27 RHEL Product and Program Management 2011-01-26 21:25:08 UTC
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.

Comment 28 Dave Malcolm 2011-02-08 16:52:11 UTC
See also bug 675708

