Hello,
It’s my pleasure to announce a new release of the bytesrw set of ISC licensed libraries.
Bytesrw extends the OCaml Bytes module with composable, memory efficient, byte stream readers and writers compatible with effect-based concurrency.
Optional support for compressed, hashed and encrypted bytes depend, at your wish, on the C
zlib,libzstd,blake3,libmd,xxhashandmbedtlslibraries.
This release adds optional libraries to support for SHA-3 hashes, cryptographically secure pseudo-random bytes streams, TLS encrypted byte stream and low-level support for cryptographic operations on slices:
-
Bytesrw_sysrandomprovides pseudorandom byte streams and entropy directly sourced from your operating system primitives. -
Bytesrw_crypto.Psaprovides low-level cryptographic operations on byte slices via thin and safe bindings to the TF-PSA-Crypto C library distributed with Mbed TLS. This library is an implementation of the PSA Crypto API Specification. Its design is particularly suited if you care about key materiel not being seen by the OCaml GC (implementations also allow further degrees of isolation as can be read in the API’s design goals). Besides the API is nicely and thoroughly documented. It is quite bureaucratic to use but that’s what you likely want from a cryptographic library (e.g. key usages have to be declared upfront and are checked at runtime by cryptographic operations). -
Bytesrw_crypto(will) provides a few higher-level operations implemented over PSA. The module is rather shallow at the moment, more will be added in the future as we abstract over our usage of PSA Crypto. For now it mostly contains an API to access the hashes provided by PSA Crypto in the way otherbytesrwhashing modules expose their hashing service. This notably provides theSHA-3family of hashes which were not previously available in the set of optionalbytesrwlibraries. -
Bytesrw_tlsprovides support for TLS encrypted streams and the needed X.509 certificate management (including system lookups for trusted CAs). The backend is provided by the Mbed TLS C library. For now these streams are instantied over blocking fds, but this restriction will be lifted in the future. I also added a little tool calledcertownwhich you may find handy for dealing with certificates for localhost when you develop servers.
Note that the binding to PSA cryptography has been used to implement a few things (e.g. the horrific passkeys specification) but has not run in production yet. However the binding is pleasantly unsophisticated, the underlying C API is straightforward to bind to.
See the release notes for details about other changes.
This release was made possible thanks to a grant from the OCaml software foundation and to my donors.
Homepage: https://erratique.ch/software/bytesrw
Docs: https://erratique.ch/software/bytesrw/doc (or odig doc bytesrw)
Install: opam install bytesrw conf-… (opam pr)
P.S. Libraries that depend on Mbed TLS need the recent 4.0.0 version which is quite fresh and may take a bit of time to trickle in system package managers. If you trust me you can use my
distribution crutch opam repository to install it.