Hacker News

gspr | yesterday at 11:34 AM | 4 replies

Rustls still outsources cryptographic primitives. I believe the currently supported providers of those are… drumroll… AWS-LC and Ring. The latter is a fork of BoringSSL. The article describes AWS-LC and BoringSSL as "Googled and Amazoned to death; they don't care about anyone but their own use cases".

The state of things sucks :-(


Replies

tialaramex | today at 1:34 AM

The primitives aren't a problem. You can't write them in any vaguely modern high level language. And when I say "High level" I mean that the way K&R does when they describe their new C programming language as high level. The reason you can't write cryptographic primitives in a high level language is that optimising compilers love clever tricks which offer data dependent performance, across every layer of their design - but in cryptography we want constant execution time regardless of either the plaintext or keys used.

The problem with OpenSSL isn't these cryptographic primitives, that's why you will see basically the same primitives re-used in lots of different places. It's like finding out that the guy who was just arrested for murder also eats pizza. Yeah, people do that. The problem wasn't the pizza, it was the murder. OpenSSL's implementation of the AES cipher isn't broken, the problem is elsewhere.
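
Added example, not part of tialaramex's comment or of any library named in the thread: a C sketch of the data-dependent versus constant-work distinction described in the comment above. The function names and sample tags are constructed for illustration, and the step counter stands in for execution time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit comparison: the loop stops at the first mismatch, so the
 * amount of work depends on the data. *steps reports bytes examined. */
int leaky_eq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Branch-free comparison: every byte is always read and the differences
 * are OR-ed together. volatile asks the compiler not to short-circuit the
 * accumulation, but the C language itself promises nothing about timing. */
int ct_eq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
        (*steps)++;
    }
    /* Map diff == 0 to 1 and any other value to 0 without a branch. */
    return (int)(1u & (((uint32_t)diff - 1u) >> 8));
}

int main(void)
{
    /* Constructed sample tags, not real MAC values. */
    const uint8_t tag[8]   = {1, 2, 3, 4, 5, 6, 7, 8};
    const uint8_t early[8] = {9, 2, 3, 4, 5, 6, 7, 8};
    const uint8_t late[8]  = {1, 2, 3, 4, 5, 6, 7, 9};
    size_t s1, s2, s3, s4;
    leaky_eq(tag, early, 8, &s1);
    leaky_eq(tag, late, 8, &s2);
    ct_eq(tag, early, 8, &s3);
    ct_eq(tag, late, 8, &s4);
    printf("leaky: %zu vs %zu steps; ct: %zu vs %zu steps\n", s1, s2, s3, s4);
    return 0;
}
```

The second function only expresses the intent at source level; an optimising compiler remains free to transform it, so the generated machine code is what has to be checked.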

PunchyHamster | yesterday at 11:05 PM

The author also doesn't specify what that even means and what problems it causes

koakuma-chan | yesterday at 11:41 AM

there is https://github.com/RustCrypto/rustls-rustcrypto fwiw

LoganDark | today at 8:25 AM

What? Ring is not even close to a fork of BoringSSL; it merely borrows subroutines from BoringSSL.
