Am Dienstag, den 13.03.2018, 10:11 +0100 schrieb Nikos
Mavrogiannopoulos:
On Wed, 2017-11-08 at 18:08 +0100, Björn 'besser82' Esser
wrote:
> Hello everyone,
>
> since there has been some discussion in the last time about removing
> libcrypt from glibc in some time [1,2,3,4] and splitting it out into
> a
> separate project which can evolve quicker, I'd like to hear your
> oppinion about replacing glibc's libcrypt with libxcrypt [5] for
> Fedora
> 29 (or 30).
A bit late, but thank you for driving that effort! It was time to move
to a better crypt lib.
You're welcome! =)
> Anyways, before this can happen, there is still some work to be
done
> with libxcrypt, like adding a FIPS mode or FIPS compliance in a
> different way.
I agree with Florian's comment on that.
Well, my current plan for bringing FIPS compliance to libxcrypt would be
to use the Linux Kernel Userspace Crypto API [1], which provides a large
variety of hashing and crypto-algorithms using hardware capabilities, if
supported / available on the system (software implementations
otherwise).
To archive that, I consider using libkcapi [2] (we already have that in
Fedora), which is written by Stephan Müller, who contributed most of the
important parts from interfaced (libxcrypt would need to interface it
anyways) Kernel Userspace API.
Using this implementation, we get the following benefits (and more)
almost for free:
* FIPS approved / certified hashing and crypto-algorithms from a FIPS
certified crypto-provider / device.
* When the Kernel runs in FIPS mode, libxcrypt cannot use any non-FIPS
algorithms and automatically behaves FIPS compliant.
* libxcrypt doesn't need an extra FIPS audit / cert, since it is just
a consumer of an already certified crypto-provider; hashing and
crypto happens in the Kernel directly.
* Less code to maintain, smaller binary size, architecture optimized
implementations.
* New, more secure, password hashing algorithms can be adapted as soon
as the Kernel supports them.
What are your thoughts on this?
Cheers
Björn
[1]
https://www.kernel.org/doc/html/v4.15/crypto/userspace-if.html
[2]
http://www.chronox.de/libkcapi.html