> On 24 Aug 2022, at 00:17, Mark Reynolds <mareynol@xxxxxxxxxx> wrote: > > > On 8/23/22 9:58 AM, Trevor Vaughan wrote: >> How are you going to handle the FIPS build issues surrounding Rust right now? >> >> Are all crypto libraries going to build against the underlying OpenSSL (or something else certified)? > Correct all the Rust password storage scheme plugins use OpenSSL (not NSS), so we don't have these issues anymore. > > FYI we were able to get the NSS PBKDF2 version working in FIPS (in very recent versions), but the Rust version is much better and more secure. The other improvement of the OpenSSL version of PBKDF2 vs the NSS version, is that the NSS version uses a slower PBKDF2 construction which more than halves the number of rounds we can do which limits the ability to improve memory/time hardness on the password checks. So being able to use the OpenSSL version, which also benefits from being written in a memory safe language is fantastic to improve password handling security :) So I'm very excited about this change and that it will be a default soon :) -- Sincerely, William Brown Senior Software Engineer, Identity and Access Management SUSE Labs, Australia _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
