On Wed, Jun 4, 2014 at 4:01 PM, Brian Anderson <[email protected]> wrote:
> # Crypto (https://github.com/mozilla/rust/issues/14655) > > We've previously made the decision not to distribute any crypto with > Rust at all, but this is probably not tenable since crypto is used > everywhere. My current opinion is that we should not distribute any crypto > *written > in Rust*, but that distributing bindings to proven crypto is fine. > > Figure out a strategy here, build consensus, then start implementing a > robust crypto library out of tree, with the goal of merging into the main > distribution someday, and possibly - far in the future - reimplementing in > Rust. There are some existing efforts along these lines that should be > evaluated for this purpose > There's two directions to go on this. I will label them "short-term" and "long-term". Short-term, I think Rust should embrace wrappers around existing, "well-audited" crypto libraries. To that end, projects like Rust OpenSSL (despite OpenSSL's numerous and recently infamous problems) are probably our best bet: https://github.com/sfackler/rust-openssl Long term, I would love to see pure-Rust crypto libraries, as I believe Rust's safety is exactly what cryptography needs to protect us from Heartbleed-style screw ups. The most complete one of these I've seen so far is rust-crypto, however it's missing many common algorithms like RSA and Diffie-Hellman: https://github.com/DaGenix/rust-crypto I'd probably suggest people use rust-openssl over rust-crypto for the time being, as much more work has gone into OpenSSL at this point and there are better chances that existing algorithm implementations will be constant time. I would love to see organizations who use Rust (*wink* *wink* *nudge* *nudge* Mozilla) contribute to and help fund professional security audits like rust-crypto! :D Sidebar: I am also working on a Rust crypto library (ClearCrypt) but its goals are somewhat orthogonal to the needs of your average Rust user (modern/minimalistic, self-contained, C ABI, easily embeddable) -- Tony Arcieri
_______________________________________________ Rust-dev mailing list [email protected] https://mail.mozilla.org/listinfo/rust-dev
