▲ weinzierl a day ago
rustls is there. It has TLS in the name, it is good and there is a C FFI wrapper.
|
▲ dwedge a day ago | parent | next
A C wrapper to Rust feels like we've gone full circle
|
▲ gspr a day ago | parent | prev | next
Rustls still outsources cryptographic primitives. I believe the currently supported providers of those are… drumroll… AWS-LC and Ring. The latter is a fork of BoringSSL. The article describes AWS-LC and BoringSSL as "Googled and Amazoned to death; they don't care about anyone but their own use cases". The state of things sucks :-(
▲ tialaramex 8 hours ago | parent | next
The primitives aren't a problem. You can't write them in any vaguely modern high level language. And when I say "High level" I mean that the way K&R does when they describe their new C programming language as high level. The reason you can't write cryptographic primitives in a high level language is that optimising compilers love clever tricks which offer data dependent performance, across every layer of their design - but in cryptography we want constant execution time regardless of either the plaintext or keys used.

The problem with OpenSSL isn't these cryptographic primitives, that's why you will see basically the same primitives re-used in lots of different places. It's like finding out that the guy who was just arrested for murder also eats pizza. Yeah, people do that. The problem wasn't the pizza, it was the murder. OpenSSL's implementation of the AES cipher isn't broken, the problem is elsewhere.
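An added illustration of the data-dependent-timing point above (example code written for this page, not posted by tialaramex or taken from rustls, ring or OpenSSL): a byte comparison written the natural way returns on the first mismatch, so its running time reveals how many leading bytes of a secret (a MAC, a token) the attacker has guessed right. The constant-time version touches every byte and folds the differences into an accumulator with OR. `std::hint::black_box` is used to discourage the optimiser from turning the accumulator back into an early exit; it is a hint, not a guarantee, which is exactly why primitives end up in assembly. Function names and the timing harness in `main` are this example's own choices.

```rust
use std::hint::black_box;
use std::time::Instant;

/// Naive comparison: bails out at the first mismatching byte, so the time
/// it takes depends on how long the common prefix of `a` and `b` is.
pub fn leaky_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    for i in 0..a.len() {
        if a[i] != b[i] {
            return false; // data-dependent early exit: this is the leak
        }
    }
    true
}

/// Constant-time comparison: no branch depends on the contents of the
/// inputs. Every byte pair is XORed and ORed into `acc`; `acc` is zero only
/// if all pairs matched. Lengths are treated as public (a MAC length is).
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut acc: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        // black_box hides the value from the optimiser so it cannot
        // reason "acc is already non-zero, stop looping" (best effort only).
        acc |= black_box(x ^ y);
    }
    black_box(acc) == 0
}

/// Time one comparison of two buffers, in nanoseconds.
fn time_ns(f: fn(&[u8], &[u8]) -> bool, a: &[u8], b: &[u8]) -> u128 {
    let start = Instant::now();
    black_box(f(black_box(a), black_box(b)));
    start.elapsed().as_nanos()
}

/// Constructed inputs: `secret` vs. a guess that is wrong at byte 0, and a
/// guess that is right until the very last byte. With `leaky_eq` the second
/// case takes visibly longer on a large buffer; with `ct_eq` both take the
/// same time (within noise). Run with `--release` to see it clearly.
fn main() {
    let n = 1 << 20; // 1 MiB of "secret"
    let secret = vec![0x5au8; n];
    let mut wrong_at_start = secret.clone();
    wrong_at_start[0] ^= 1;
    let mut wrong_at_end = secret.clone();
    wrong_at_end[n - 1] ^= 1;

    for (name, f) in [("leaky_eq", leaky_eq as fn(&[u8], &[u8]) -> bool), ("ct_eq", ct_eq)] {
        let early = time_ns(f, &secret, &wrong_at_start);
        let late = time_ns(f, &secret, &wrong_at_end);
        println!("{name:9} mismatch@0: {early:>9} ns   mismatch@end: {late:>9} ns");
    }
}
```

The results of both functions are identical; only their timing differs, which is why a test suite will never catch this class of bug and why reviewers of crypto code read the generated assembly rather than trusting the source.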
▲ PunchyHamster 10 hours ago | parent | prev | next
The author also doesn't specify what that even means and what problems it causes
▲ LoganDark an hour ago | parent | prev | next
What? Ring is not even close to a fork of BoringSSL; it merely borrows subroutines from BoringSSL.
▲ gspr 24 minutes ago | parent
Ok, maybe not a fork outright. But the project description says:
> Most of the C and assembly language code in ring comes from BoringSSL.
▲ koakuma-chan a day ago | parent | prev
there is https://github.com/RustCrypto/rustls-rustcrypto fwiw
▲ gspr 15 hours ago | parent
It's a great effort, but it's far from usable:
> USE THIS AT YOUR OWN RISK! DO NOT USE THIS IN PRODUCTION
|
▲ koakuma-chan a day ago | parent | prev
rustls doesn't have its own implementation of cryptography, you have to choose a provider like OpenSSL or AWS-LC
▲ SAI_Peregrinus 17 hours ago | parent
Or rustcrypto. Rustls is a TLS layer that can wrap any cryptography layer providing the necessary primitives.