ring
hyper
ring | hyper
---|---
28 | 97
3,541 | 13,684
- | 2.2%
9.8 | 9.2
6 days ago | 1 day ago
Assembly | Rust
GNU General Public License v3.0 or later | MIT License
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ring
-
AWS Libcrypto for Rust
Again, this is just a temporary situation, and a matter of burning down a list of small tasks. Not that the OpenSSL license issue is a big deal for most anyway. Feel free to help; see this issue filed by Josh Triplett: https://github.com/briansmith/ring/issues/1318#issuecomment-...
- AWS Open Source Newsletter, Christmas Edition
- Libsodium: A modern, portable, easy to use crypto library
-
A brief guide to choosing TLS crates
Note also that rustls depends on ring, which has architecture-dependent code in it that is not as widely compatible as e.g. OpenSSL/GnuTLS/Mbed-TLS. For example, MIPS is not supported by ring.
- Data-driven performance optimization with Rust and Miri
-
Releasing Rust Binaries with GitHub Actions - Part 2
The AWS Rust library we were using as a dependency depended on a cryptography library called ring. This library leverages C and assembly code to implement its cryptographic primitives. Unfortunately, cross compiling when C is involved can add complexity to the build process. While it might've been possible to overcome these issues I decided that it wasn't worth digging into more.
-
Urgent Upcoming OpenSSL release patches critical vulnerability
Ring, unfortunately, has quite toxic project leadership with a history of making hostile decisions towards their contributors and userbase (see https://github.com/briansmith/ring/issues/774 for one example). Something to be aware of if you're considering building with it.
That'd be great. Thanks Brian. Re: making ring portable to all platforms: IBM have been graciously maintaining an up-to-date patchset for Ring for years now and there's an outstanding PR here you may not have seen since they filed it in 2020... https://github.com/briansmith/ring/pull/1057
-
OpenSSL Security Advisory [5 July 2022]
Beyond the simple matter of Rust being much newer than OpenSSL, one concern for some cryptographic primitives is the timing side-channel.
https://en.wikipedia.org/wiki/Timing_attack
In high level languages like Rust, the compiler does not prioritise trying to emit machine code which executes in constant time for all inputs. OpenSSL has implementations for some primitives which are known to be constant time, which can be important.
One option if you're working with Rust anyway would be to use something like Ring:
https://github.com/briansmith/ring
Ring's primitives are just taken from BoringSSL which is Google's fork of OpenSSL, they're a mix of C and assembly language, it's possible (though fraught) to write some constant time algorithms in C if you know which compiler will be used, and of course it's possible (if you read the performance manuals carefully) to write constant time assembly in many cases.
In the C / assembly language code of course you do not have any safety benefits.
It can certainly make sense to do this very tricky primitive stuff in dangerous C or assembly, but then write all the higher level stuff in Rust, and that's the sort of thing Ring is intended for. BoringSSL for example includes code to do X.509 parsing and signature validation in C, but those things aren't sensitive, a timing attack on my X.509 parsing tells you nothing of value, and it's complicated to do correctly so Rust could make sense.
-
Rust's Option and Result. In Python.
machine learning, neural networks, image processing, cryptography (though it is getting better), font shaping/rendering (though it is getting better), CPU/software rendering (though it is getting better)
hyper
-
The Linux Kernel Prepares for Rust 1.77 Upgrade
> If you are equally picky and constrain yourself to parts of the ecosystem which care about binary size, you still have more options and can avoid size issues.
What's an example of this for, say, libcurl? On my system it has a tiny number of recursive dependencies, around a dozen. [0] Furthermore if I want to write a C program that uses libcurl I have to download zero bytes of data ... because it's a shared library that is already installed on my system, since so many programs already use it.
I don't really know the appropriate comparison for Rust. reqwest seems roughly comparable, but it's an HTTP client library, and not a general purpose network client like curl. Obviously curl can do a lot more. Even the list of direct dependencies for reqwest is quite long [1], and it's built on top of another http library [2] that has its own long list of dependencies, a list that includes tokio, no small library itself.
In terms of final binary size, the installed size of the curl package on my system, which includes both the command line tool and development dependencies for libcurl, is 1875.03 KiB.
[0] I'm excluding the dependency on the ca-certificates package, since this only provides the certificate chain for TLS and lots of programs rely on it.
-
json-responder 1.1: dynamic path resolution
hyper-based HTTP server generating JSON responses. Written in Rust.
-
I pre-released my project "json-responder" written in Rust
tokio / hyper / toml / serde / serde_json / json5 / console
- How Turborepo is porting from Go to Rust
-
Signway - a pre-signed URLs gateway written in rust, specifically designed for allowing LLM based client apps to directly query OpenAI's api securely.
Using Rust here was immensely helpful, using libraries made by the community like https://github.com/hyperium/hyper really powered up the development of Signway, so glad to see this kind of awesome crates made public. Hope that it continues to be like that despite the current controversies.
-
Problem with YouTube embed thumbnail...
- Discord sends a slightly weird request by specifying content length (a bug in hyper we've not yet upgraded to fix, https://github.com/hyperium/hyper/commit/fb90d30c02d8f7cdc9a643597d5c4ca7a123f3dd)
- Hyper – A fast and correct HTTP implementation for Rust
-
A CVE has been issued for hyper. Denial of Service possible
I'm sorry but are you saying that this repro doesn't work? https://github.com/hyperium/hyper/issues/2877 I mean there is an actual repro in the very first comment?
The fact that this issue was open for almost a year doesn't indicate much attention to security. There are also some other issues open which look like they would enable similar attacks.
The OP in https://github.com/hyperium/hyper/issues/2877 demonstrated the vulnerability with steps to take.
What are some alternatives?
reqwest - An easy and powerful Rust HTTP Client
tokio - A runtime for writing reliable asynchronous applications with Rust. Provides I/O, networking, scheduling, timers, ...
Warp - Warp is a modern, Rust-based terminal with AI built in so you and your team can build great software, faster.
actix-web - Actix Web is a powerful, pragmatic, and extremely fast web framework for Rust.
Rocket - A web framework for Rust.
rust-crypto - A (mostly) pure-Rust implementation of various cryptographic algorithms.
curl-rust - Rust bindings to libcurl
warp - A super-easy, composable, web server framework for warp speeds.
ed25519-dalek - Fast and efficient ed25519 signing and verification in Rust.
rust-openssl - OpenSSL bindings for Rust
tower - async fn(Request) -> Result<Response, Error>
orion - Usable, easy and safe pure-Rust crypto [Moved to: https://github.com/orion-rs/orion]