Re: [RFC] Replace glibc's libcrypt with libxcrypt for Fedora 29/30

On Tuesday, 13.03.2018, at 10:11 +0100, Nikos Mavrogiannopoulos wrote:
> On Wed, 2017-11-08 at 18:08 +0100, Björn 'besser82' Esser wrote:
> > Hello everyone,
> > 
> > since there has been some discussion in the last time about removing
> > libcrypt from glibc in some time [1,2,3,4] and splitting it out into a
> > separate project which can evolve quicker, I'd like to hear your
> > opinion about replacing glibc's libcrypt with libxcrypt [5] for Fedora
> > 29 (or 30).
> 
> A bit late, but thank you for driving that effort! It was time to move
> to a better crypt lib.

You're welcome!  =)

> > Anyways, before this can happen, there is still some work to be done
> > with libxcrypt, like adding a FIPS mode or FIPS compliance in a
> > different way.
> 
> I agree with Florian's comment on that.

Well, my current plan for bringing FIPS compliance to libxcrypt would be
to use the Linux Kernel Userspace Crypto API [1], which provides a large
variety of hashing and crypto-algorithms using hardware capabilities, if
supported / available on the system (software implementations
otherwise).

To achieve that, I consider using libkcapi [2] (we already have that in
Fedora), which is written by Stephan Müller, who contributed most of the
important parts of the interfaced Kernel Userspace API (libxcrypt would
need to interface it anyways).

Using this implementation, we get the following benefits (and more)
almost for free:

  * FIPS approved / certified hashing and crypto-algorithms from a FIPS
    certified crypto-provider / device.
  * When the Kernel runs in FIPS mode, libxcrypt cannot use any non-FIPS
    algorithms and automatically behaves FIPS compliant.
  * libxcrypt doesn't need an extra FIPS audit / cert, since it is just
    a consumer of an already certified crypto-provider;  hashing and
    crypto happens in the Kernel directly.
  * Less code to maintain, smaller binary size, architecture optimized
    implementations.
  * New, more secure, password hashing algorithms can be adapted as soon
    as the Kernel supports them.

What are your thoughts on this?

Cheers
  Björn


[1]  https://www.kernel.org/doc/html/v4.15/crypto/userspace-if.html
[2]  http://www.chronox.de/libkcapi.html
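
The hashing path proposed in this message, sketched as an added example (not code from the message, libxcrypt or libkcapi): it talks to the kernel's AF_ALG socket interface directly instead of going through libkcapi, and `kernel_hash` is a hypothetical name. An algorithm name the running kernel does not offer makes bind() fail, and the function returns that as a negative errno.

```c
/* Added example; kernel_hash() is a hypothetical name, not libxcrypt or libkcapi code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>

/* Returns the digest length, or a negative errno. -ENOENT from bind() means
   the running kernel does not offer the algorithm under that name. */
int kernel_hash(const char *alg, const void *msg, size_t len,
                unsigned char *out, size_t outlen)
{
    struct sockaddr_alg sa = { .salg_family = AF_ALG, .salg_type = "hash" };
    int tfm, op = -1, rc;
    ssize_t n = -1;

    if (strlen(alg) >= sizeof(sa.salg_name))
        return -EINVAL;
    strcpy((char *)sa.salg_name, alg);
    tfm = socket(AF_ALG, SOCK_SEQPACKET, 0);        /* transform socket */
    if (tfm < 0)
        return -errno;                              /* kernel without AF_ALG */
    if (bind(tfm, (struct sockaddr *)&sa, sizeof(sa)) == 0)
        op = accept(tfm, NULL, NULL);               /* operation socket */
    if (op >= 0) {
        n = send(op, msg, len, 0);   /* no MSG_MORE: finalizes the hash */
        if (n == (ssize_t)len)
            n = read(op, out, outlen);              /* digest */
        else if (n >= 0) { errno = EIO; n = -1; }
    }
    rc = n < 0 ? -errno : (int)n;
    if (op >= 0) close(op);
    close(tfm);
    return rc;
}

int main(void)
{
    unsigned char d[32];
    int n = kernel_hash("sha256", "abc", 3, d, sizeof(d)); /* constructed input */
    if (n < 0) {
        fprintf(stderr, "sha256: %s\n", strerror(-n));
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("%02x", d[i]);
    putchar('\n');
    return 0;
}
```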
