ring VS rust-openssl

Again, this is just a temporary situation, and a matter of burning down a list of small tasks. Not that the OpenSSL license issue is a big deal for most anyway. Feel free to help; see this issue filed by Josh Triplett: https://github.com/briansmith/ring/issues/1318#issuecomment-...

Note also that rustls depends on ring, which has architecture-dependent code in it that is not as widely compatible as eg. OpenSSL/GnuTLS/Mbed-TLS. For example, MIPS is not supported by ring.

The AWS Rust library we were using as a dependency depended on a cryptography library called ring. This library leverages C and assembly code to implement its cryptographic primitives. Unfortunately, cross compiling when C is involved can add complexity to the build process. While it might've been possible to overcome these issues I decided that it wasn't worth digging into more.

That'd be great. Thanks Brian. Re: making ring portable to all platforms: IBM have been graciously maintaining a up to date patchset for Ring for years now and there's an outstanding PR here you may not have seen since they filed it in 2020... https://github.com/briansmith/ring/pull/1057

Beyond the simple matter of Rust being much newer than OpenSSL, one concern for some cryptographic primitives is the timing side-channel.

https://en.wikipedia.org/wiki/Timing_attack

In high level languages like Rust, the compiler does not prioritise trying to emit machine code which executes in constant time for all inputs. OpenSSL has implementations for some primitives which are known to be constant time, which can be important.

One option if you're working with Rust anyway would be use something like Ring:

https://github.com/briansmith/ring

Ring's primitives are just taken from BoringSSL which is Google's fork of OpenSSL, they're a mix of C and assembly language, it's possible (though fraught) to write some constant time algorithms in C if you know which compiler will be used, and of course it's possible (if you read the performance manuals carefully) to write constant time assembly in many cases.

In the C / assembly language code of course you do not have any safety benefits.

It can certainly make sense to do this very tricky primitive stuff in dangerous C or assembly, but then write all the higher level stuff in Rust, and that's the sort of thing Ring is intended for. BoringSSL for example includes code to do X.509 parsing and signature validation in C, but those things aren't sensitive, a timing attack on my X.509 parsing tells you nothing of value, and it's complicated to do correctly so Rust could make sense.

machine learning, neural networks, image processing, cryptography (though it is getting better), font shaping/rendering (though it is getting better), CPU/software rendering (though it is getting better)

I also studied this question on FFI several weeks ago in terms of "rewrite part of the system in Rust". Unexpected results could be semantic issues (e.g., different error handling methods) or security issues (FFI could be a soundness hole). I suggest going through the issues of libraries that have started rewriting work such as rust-openssl or rustls (This is the one trying to rewrite in whole rust rather than using FFI; however, you will not be able to find the mapping function in the C version and compare them). I hope this helps!

error: failed to run custom build command for `openssl-sys v0.9.76` Caused by: process didn't exit successfully: `/target/debug/build/openssl-sys-eaac1108fdec7ae2/build-script-main` (exit status: 101) --- stdout cargo:rustc-cfg=const_fn cargo:rustc-cfg=openssl cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=OPENSSL_LIB_DIR OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_DIR OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_NO_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=SYSROOT cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rustc-link-search=native=/usr/lib/aarch64-linux-gnu cargo:rustc-link-lib=ssl cargo:rustc-link-lib=crypto cargo:rerun-if-env-changed=PKG_CONFIG_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-changed=build/expando.c OPT_LEVEL = Some("0") TARGET = Some("x86_64-unknown-linux-gnu") HOST = Some("x86_64-unknown-linux-gnu") CC_x86_64-unknown-linux-gnu = None CC_x86_64_unknown_linux_gnu = None HOST_CC = None CC = None CFLAGS_x86_64-unknown-linux-gnu = None CFLAGS_x86_64_unknown_linux_gnu = None HOST_CFLAGS = None CFLAGS = None CRATE_CC_NO_DEFAULTS = None DEBUG = Some("true") CARGO_CFG_TARGET_FEATURE = Some("fxsr,sse,sse2") running: "cc" "-O0" "-ffunction-sections" "-fdata-sections" "-fPIC" "-g" "-fno-omit-frame-pointer" "-m64" "-I" "/usr/include" "-Wall" "-Wextra" "-E" "build/expando.c" cargo:warning=build/expando.c:2:33: fatal error: openssl/opensslconf.h: No such file or directory cargo:warning=compilation terminated. exit status: 1 --- stderr thread 'main' panicked at ' Header expansion error: Error { kind: ToolExecError, message: "Command \"cc\" \"-O0\" \"-ffunction-sections\" \"-fdata-sections\" \"-fPIC\" \"-g\" \"-fno-omit-frame-pointer\" \"-m64\" \"-I\" \"/usr/include\" \"-Wall\" \"-Wextra\" \"-E\" \"build/expando.c\" with args \"cc\" did not execute successfully (status code exit status: 1)." } Failed to find OpenSSL development headers. You can try fixing this setting the `OPENSSL_DIR` environment variable pointing to your OpenSSL installation or installing OpenSSL headers package specific to your distribution: # On Ubuntu sudo apt-get install libssl-dev # On Arch Linux sudo pacman -S openssl # On Fedora sudo dnf install openssl-devel # On Alpine Linux apk add openssl-dev See rust-openssl README for more information: https://github.com/sfackler/rust-openssl#linux ', /cargo/registry/src/github.com-1ecc6299db9ec823/openssl-sys-0.9.76/build/main.rs:185:13 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace warning: build failed, waiting for other jobs to finish...

There is also https://github.com/sfackler/rust-openssl but not sure should I use it or not.

If you're in a situation where you think the directory should be found automatically, please open a bug at https://github.com/sfackler/rust-openssl and include information about your system as well as this message.

Failed to find OpenSSL development headers. You can try fixing this setting the `OPENSSL_DIR` environment variable pointing to your OpenSSL installation or installing OpenSSL headers package specific to your distribution: # On Ubuntu sudo apt-get install libssl-dev # On Arch Linux sudo pacman -S openssl # On Fedora sudo dnf install openssl-devel See rust-openssl README for more information: https://github.com/sfackler/rust-openssl#linux

$ cargo install rates Updating crates.io index Downloaded rates v0.2.0 Downloaded 1 crate (11.8 KB) in 0.70s Installing rates v0.2.0 Downloaded chrono v0.4.19 Downloaded futures-io v0.3.13 Downloaded futures-sink v0.3.13 Downloaded directories v3.0.1 Downloaded futures-channel v0.3.13 Downloaded futures-task v0.3.13 Downloaded futures-util v0.3.13 Downloaded hashbrown v0.9.1 Downloaded http-body v0.4.0 Downloaded httpdate v0.3.2 Downloaded httparse v1.3.5 Downloaded http v0.2.3 Downloaded hyper v0.14.4 Downloaded indexmap v1.6.1 Downloaded form_urlencoded v1.0.1 Downloaded h2 v0.3.1 Downloaded log v0.4.14 Downloaded num-traits v0.2.14 Downloaded openssl v0.10.32 Downloaded pin-utils v0.1.0 Downloaded openssl-sys v0.9.60 Downloaded pin-project-internal v1.0.5 Downloaded reqwest v0.11.1 Downloaded serde v1.0.123 Downloaded serde_urlencoded v0.7.0 Downloaded tinyvec_macros v0.1.0 Downloaded tinyvec v1.1.1 Downloaded tokio-native-tls v0.3.0 Downloaded syn v1.0.60 Downloaded url v2.2.1 Downloaded bytes v1.0.1 Downloaded tower-service v0.3.1 Downloaded tokio-util v0.6.3 Downloaded ipnet v2.3.0 Downloaded socket2 v0.3.19 Downloaded base64 v0.13.0 Downloaded want v0.3.0 Downloaded cc v1.0.67 Downloaded unicode-normalization v0.1.17 Downloaded mio v0.7.9 Downloaded tracing-core v0.1.17 Downloaded quote v1.0.9 Downloaded pin-project v1.0.5 Downloaded pin-project-lite v0.2.4 Downloaded try-lock v0.2.3 Downloaded serde_json v1.0.64 Downloaded native-tls v0.2.7 Downloaded num-integer v0.1.44 Downloaded hyper-tls v0.5.0 Downloaded futures-core v0.3.13 Downloaded tracing v0.1.25 Downloaded tokio v1.2.0 Downloaded idna v0.2.2 Downloaded libc v0.2.86 Downloaded encoding_rs v0.8.28 Downloaded 55 crates (5.4 MB) in 1.77s (largest was `encoding_rs` at 1.4 MB) Compiling autocfg v1.0.1 Compiling libc v0.2.86 Compiling cfg-if v1.0.0 Compiling log v0.4.14 Compiling pkg-config v0.3.19 Compiling cc v1.0.67 Compiling memchr v2.3.4 Compiling pin-project-lite v0.2.4 Compiling proc-macro2 v1.0.24 Compiling lazy_static v1.4.0 Compiling bytes v1.0.1 Compiling itoa v0.4.7 Compiling bitflags v1.2.1 Compiling unicode-xid v0.2.1 Compiling syn v1.0.60 Compiling futures-core v0.3.13 Compiling foreign-types-shared v0.1.1 Compiling fnv v1.0.7 Compiling openssl v0.10.32 Compiling matches v0.1.8 Compiling tinyvec_macros v0.1.0 Compiling hashbrown v0.9.1 Compiling futures-task v0.3.13 Compiling native-tls v0.2.7 Compiling slab v0.4.2 Compiling pin-utils v0.1.0 Compiling serde v1.0.123 Compiling ryu v1.0.5 Compiling futures-sink v0.3.13 Compiling futures-io v0.3.13 Compiling httparse v1.3.5 Compiling percent-encoding v2.1.0 Compiling try-lock v0.2.3 Compiling openssl-probe v0.1.2 Compiling httpdate v0.3.2 Compiling serde_json v1.0.64 Compiling encoding_rs v0.8.28 Compiling tower-service v0.3.1 Compiling unicode-width v0.1.8 Compiling strsim v0.8.0 Compiling base64 v0.13.0 Compiling vec_map v0.8.2 Compiling ipnet v2.3.0 Compiling mime v0.3.16 Compiling ansi_term v0.11.0 Compiling tokio v1.2.0 Compiling indexmap v1.6.1 Compiling num-traits v0.2.14 Compiling num-integer v0.1.44 Compiling tracing-core v0.1.17 Compiling futures-channel v0.3.13 Compiling foreign-types v0.3.2 Compiling http v0.2.3 Compiling unicode-bidi v0.3.4 Compiling tinyvec v1.1.1 Compiling openssl-sys v0.9.60 Compiling form_urlencoded v1.0.1 Compiling textwrap v0.11.0 Compiling tracing v0.1.25 Compiling http-body v0.4.0 Compiling unicode-normalization v0.1.17 Compiling num_cpus v1.13.0 Compiling socket2 v0.3.19 Compiling atty v0.2.14 Compiling dirs-sys v0.3.5 Compiling time v0.1.43 Compiling mio v0.7.9 Compiling want v0.3.0 error: failed to run custom build command for `openssl-sys v0.9.60` Caused by: process didn't exit successfully: `/tmp/cargo-installbxN90K/release/build/openssl-sys-704dca09387a20ed/build-script-main` (exit code: 101) --- stdout cargo:rustc-cfg=const_fn cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=OPENSSL_LIB_DIR OPENSSL_LIB_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR OPENSSL_INCLUDE_DIR unset cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_DIR OPENSSL_DIR unset cargo:rerun-if-env-changed=OPENSSL_NO_PKG_CONFIG cargo:rerun-if-env-changed=PKG_CONFIG cargo:rerun-if-env-changed=OPENSSL_STATIC cargo:rerun-if-env-changed=OPENSSL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_PATH cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR run pkg_config fail: "`\"pkg-config\" \"--libs\" \"--cflags\" \"openssl\"` did not exit successfully: exit code: 1\n--- stderr\nPackage openssl was not found in the pkg-config search path.\nPerhaps you should add the directory containing `openssl.pc\'\nto the PKG_CONFIG_PATH environment variable\nNo package \'openssl\' found\n" --- stderr thread 'main' panicked at ' Could not find directory of OpenSSL installation, and this `-sys` crate cannot proceed without this knowledge. If OpenSSL is installed and this crate had trouble finding it, you can set the `OPENSSL_DIR` environment variable for the compilation process. Make sure you also have the development packages of openssl installed. For example, `libssl-dev` on Ubuntu or `openssl-devel` on Fedora. If you're in a situation where you think the directory *should* be found automatically, please open a bug at https://github.com/sfackler/rust-openssl and include information about your system as well as this message. $HOST = x86_64-unknown-linux-gnu $TARGET = x86_64-unknown-linux-gnu openssl-sys = 0.9.60 ', /home/myusr/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-sys-0.9.60/build/find_normal.rs:173:5 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace warning: build failed, waiting for other jobs to finish... error: failed to compile `rates v0.2.0`, intermediate artifacts can be found at `/tmp/cargo-installbxN90K` Caused by: build failed

Second, https://github.com/sfackler/rust-openssl/issues/987 was solved over 2 years ago, and the fix was released in openssl v0.10. Since reqwest uses openssl v0.10.x, it definitely includes this fix.