[rust-dev] 7 high priority Rust libraries that need to be written

Tony Arcieri bascule at gmail.com
Tue Jun 10 15:57:34 PDT 2014


On Wed, Jun 4, 2014 at 4:01 PM, Brian Anderson <banderson at mozilla.com>
wrote:

> # Crypto (https://github.com/mozilla/rust/issues/14655)
>
>  We've previously made the decision not to distribute any crypto with
> Rust at all, but this is probably not tenable since crypto is used
> everywhere. My current opinion is that we should not distribute any crypto *written
> in Rust*, but that distributing bindings to proven crypto is fine.
>
> Figure out a strategy here, build consensus, then start implementing a
> robust crypto library out of tree, with the goal of merging into the main
> distribution someday, and possibly - far in the future - reimplementing in
> Rust. There are some existing efforts along these lines that should be
> evaluated for this purpose
>
There's two directions to go on this. I will label them "short-term" and
"long-term".

Short-term, I think Rust should embrace wrappers around existing,
"well-audited" crypto libraries. To that end, projects like Rust OpenSSL
(despite OpenSSL's numerous and recently infamous problems) are probably
our best bet:

https://github.com/sfackler/rust-openssl

Long term, I would love to see pure-Rust crypto libraries, as I believe
Rust's safety is exactly what cryptography needs to protect us from
Heartbleed-style screw ups. The most complete one of these I've seen so far
is rust-crypto, however it's missing many common algorithms like RSA and
Diffie-Hellman:

https://github.com/DaGenix/rust-crypto

I'd probably suggest people use rust-openssl over rust-crypto for the time
being, as much more work has gone into OpenSSL at this point and there are
better chances that existing algorithm implementations will be constant
time.

I would love to see organizations who use Rust (*wink* *wink* *nudge*
*nudge* Mozilla) contribute to and help fund professional security audits
like rust-crypto! :D

Sidebar: I am also working on a Rust crypto library (ClearCrypt) but its
goals are somewhat orthogonal to the needs of your average Rust user
(modern/minimalistic, self-contained, C ABI, easily embeddable)

-- 
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/rust-dev/attachments/20140610/fabde134/attachment.html>


More information about the Rust-dev mailing list