Bug 619878 - Remove python-crypto's crypto implementations, rewriting in terms of libgcrypt
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: python-crypto
Version: 6.0
Hardware/OS: All Linux
Priority: low
Severity: medium
Assigned To: Dave Malcolm
QA Contact: BaseOS QE Security Team
Reported: 2010-07-30 14:46 EDT by Dave Malcolm
Modified: 2011-03-23 14:37 EDT
Doc Type: Bug Fix
Last Closed: 2011-01-26 16:25:08 EST
Description Dave Malcolm 2010-07-30 14:46:16 EDT
Description of problem:
python-crypto provides various API entrypoints relating to cryptography, and contains various implementations of cryptographic algorithms.

It is proposed to remove these implementations for certification reasons, rewriting the relevant API hooks in terms of libgcrypt.

Given that python-crypto occupies a particular place within the Python API namespace, we would need to replace all API hooks it provides with identical equivalents, or we run the risk of breaking things.

I have not yet checked to see if libgcrypt provides all of the algorithms that python-crypto implements.


Version-Release number of selected component (if applicable):
python-crypto-2.0.1-20.el6
Comment 22 Tomas Mraz 2010-12-06 15:09:35 EST
The certification of the python-crypto is probably not possible with the new revision of the FIPS-140 standard. But do we really need to have the python-crypto certified? If the only users of python-crypto are limited to some marginal functionality it could probably be kept out of the certified subset. As for the rewrite using some certified library - that's probably the only option if it is decided that we have to have all crypto certified. In that case it should be rewritten using the libncrypto which is a wrapper library for the kernel crypto algorithms.
Comment 23 Miloslav Trmač 2010-12-06 15:23:01 EST
I'll try to reply on other parts later, but

(In reply to comment #22)
> In that case
> it should be rewritten using the libncrypto which is a wrapper library for the
> kernel crypto algorithms.
I don't think libncrypto should be used by "ordinary" applications - we want to consolidate the libraries used by applications, not fragment them more.  Upstreams will probably not want to use a Linux-specific library anyway.
Comment 27 RHEL Product and Program Management 2011-01-26 16:25:08 EST
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.
Comment 28 Dave Malcolm 2011-02-08 11:52:11 EST
See also bug 675708
