Hacker News new | ask | show | jobs
by jaas 392 days ago
In Rustls, TLS is implemented entirely in Rust. It uses aws-lc-rs [1] for cryptography, and aws-lc-rs uses assembly for core cryptographic routines, which are wrapped in some C code, which then exposes a Rust API which Rustls uses.

It's not practical right now to write high performance cryptographic code in a secure way (e.g. without side channels) in anything other than assembly.

[1] https://github.com/aws/aws-lc-rs
3 comments
robmor 392 days ago
Is that right?

From the AWS-LC README: https://github.com/aws/aws-lc

> A portable C implementation of all algorithms is included and optimized assembly implementations of select algorithms is included for some x86 and Arm CPUs.

It also states that it kind of forked BoringSSL and OpenSSL.

You’re right though that most of the memory safety attack surface has been replaced with Rust.

link
jaas 392 days ago
I think what you're quoting says what I was saying - assembly with some C around it, wrapped in a Rust API. At least for the "select" (read: most important) algorithms. The details of the C/asm boundary in aws-lc are hard to summarize.

Ideally the C would eventually move to Rust, but I think aws-lc needs to work in many contexts where a Rust toolchain is not available so it might be a while.

Graviola is an interesting option under development, in part because it gets rid of the C:

https://github.com/ctz/graviola

link
toast0 392 days ago
TLS in X, cryptography from OpenSSL (in C and assembly) is a common, useful pattern for integrating TLS in other languages.

TLS is the protocol generation and parsing, hopefully (but not always) including certificate parsing.

Crypto tends to have clear, fixed buffer sizes, and OpenSSL tends to have good implementations of it with reasonable interfaces.

Protocol parsing and certificate parsing and validation are where many more problems happen that memory safety can reduce. High profile crypto problems are generally information leaks from non-constant time algorithms leaking information; although information leaks also happen from protocol code too.

link
rastignack 392 days ago
In rust with some C code, ok. How is the DER format parsed for example ?

Regarding crypto operations, I know as of now for rust projects assembly is a must to have constant time guarantees.

Maybe there could be a way with intrinsics and a constant-time marker, similar to unsafe, to use pure rust.

In the meantime I think there still is too much C code.

It’s a great step in the good direction by the way.

link
jaas 392 days ago
In Rustls, DER, and all certificate parsing and validation in general, is done in Rust.

https://github.com/rustls/webpki

link
PoignardAzur 392 days ago
I wonder if it would be possible to implement a safe_asm macro in Rust?

Even if unrestricted asm is inherently unsafe, there's got to be a subset of instructions and operand types you can guarantee is safe if called a certain way.

link