
Find replacement for sodiumoxide crate (not urgent) #79

Open
bnewbold opened this issue Oct 9, 2022 · 2 comments

Comments

@bnewbold
Member

bnewbold commented Oct 9, 2022

The sodiumoxide crate is marked as "archived" and will receive only security updates going forward: https://github.com/sodiumoxide/sodiumoxide

On the one hand, it should receive security updates, is stable, and is working fine for our needs, so there is no urgent need to update.

On the other hand, it would be good to be using something maintained going forward. If possible and secure, it would also be nice to use a pure-Rust library to reduce system dependencies and compile time, though it is nice to rely on the broadly-used known quantity that is libsodium (the underlying C library).

@dunxen
Member

dunxen commented Oct 11, 2022

Yeah, I think we're fine with sodiumoxide for now. We can ignore any "unmaintained" advisories we get for it currently.

It would be great to have a robust and audited pure Rust replacement! I don't see one thing we could easily swap it out for that offers the secretbox algo stuff and the HMAC stuff together. We can keep this issue open for suggestions.

@bnewbold
Member Author

Here is an additional advisory I found: https://rustsec.org/advisories/RUSTSEC-2021-0137

I think the combination of hmac, sha256, and xsalsa20poly1305 crates would work together. Probably worth verifying the impact on build size.

(not proposing we make any changes before the next release)
