libsodium’ encrypted stream in Rust

NaCl is one of the most used cryptography library around, and it is understandable: it is easy to use (it hides the crypto-magic used), portable (via the libsodium fork), and available in many languages. It is used by one of the project we are helping, drop, written in Rust, which we want to partially run in a browser via WebAssembly. Sadly, it uses the C version of the library, which isn’t ported to wasm, only to JS.

So we decided to reimplement the parts we used, namely crypto_secretstream (and crypto_kx but that’s for another day), in RustCrypto’s nacl-compat. And even though I was always told to “never roll your own crypto”, I kinda did, but in a safer way. First, it is tested against sodiumoxide, the most used Rust binding to libsodium. Second, it is way more documented that libsodium implementation, making it more readable and verifiable. Third, it uses other crates from RustCrypto, chacha20 and poly1305, the second having a security audit, both being heavily tested. As such, the crypto itself seems quite safe. The worst that can happen is that it fails to work.

It has been recently merged upstream. And now, we can use it in wasm. And drop is continuing its path to a working demonstrator. That is great.
Feel free to review the code yourself, raise issues, make PRs. Help to secure the open source community.