add control socket serde code

- add new, optional configuration parameter to the config file, `control_socket`
- enhance debug and trace logging in `app_server.rs`
- add optional attribute `maybe_control_socket` to `AppServer`
- registers the uds (if present) in mio, so that one `mio::poll` call can both check on control commands and normal handshake traffic
- sprinkle a little more documentation over `app_server.rs`
- inject control socket handling skeleton code to `AppServer::try_recv`
  - control socket is always processed first, then incoming traffic

.ci/gen-workflow-files.nu

@@ -33,7 +33,7 @@ let systems_map = {
   # aarch64-linux
   
   i686-linux: ubuntu-latest,
-  x86_64-darwin: macos-latest,
+  x86_64-darwin: macos-13,
   x86_64-linux: ubuntu-latest
 }
 
@@ -64,7 +64,7 @@ let runner_setup = [
     uses: "actions/checkout@v3"
   }
   {
-    uses: "cachix/install-nix-action@v21",
+    uses: "cachix/install-nix-action@v22",
     with: { nix_path: "nixpkgs=channel:nixos-unstable" }
   }
   {

.github/workflows/nix.yaml

@@ -15,7 +15,7 @@ jobs:
       - i686-linux---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -31,7 +31,7 @@ jobs:
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -48,7 +48,7 @@ jobs:
       - i686-linux---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -63,7 +63,7 @@ jobs:
       - ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -75,12 +75,12 @@ jobs:
   x86_64-darwin---default:
     name: Build x86_64-darwin.default
     runs-on:
-      - macos-latest
+      - macos-13
     needs:
       - x86_64-darwin---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -92,13 +92,13 @@ jobs:
   x86_64-darwin---release-package:
     name: Build x86_64-darwin.release-package
     runs-on:
-      - macos-latest
+      - macos-13
     needs:
       - x86_64-darwin---rosenpass
       - x86_64-darwin---rosenpass-oci-image
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -110,11 +110,11 @@ jobs:
   x86_64-darwin---rosenpass:
     name: Build x86_64-darwin.rosenpass
     runs-on:
-      - macos-latest
+      - macos-13
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -126,12 +126,12 @@ jobs:
   x86_64-darwin---rosenpass-oci-image:
     name: Build x86_64-darwin.rosenpass-oci-image
     runs-on:
-      - macos-latest
+      - macos-13
     needs:
       - x86_64-darwin---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -143,10 +143,10 @@ jobs:
   x86_64-darwin---check:
     name: Run Nix checks on x86_64-darwin
     runs-on:
-      - macos-latest
+      - macos-13
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -163,7 +163,7 @@ jobs:
       - x86_64-linux---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -180,7 +180,7 @@ jobs:
       - x86_64-linux---proverif-patched
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -196,7 +196,7 @@ jobs:
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -210,11 +210,11 @@ jobs:
     runs-on:
       - ubuntu-latest
     needs:
-      - x86_64-linux---rosenpass-static
       - x86_64-linux---rosenpass-static-oci-image
+      - x86_64-linux---rosenpass-static
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -230,7 +230,7 @@ jobs:
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -247,7 +247,7 @@ jobs:
       - x86_64-linux---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -263,7 +263,7 @@ jobs:
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -280,7 +280,7 @@ jobs:
       - x86_64-linux---rosenpass-static
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -296,7 +296,7 @@ jobs:
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -311,7 +311,7 @@ jobs:
       - ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -326,7 +326,7 @@ jobs:
     if: ${{ github.ref == 'refs/heads/main' }}
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12

.github/workflows/qc.yaml

@@ -17,6 +17,14 @@ jobs:
         with:
           args: --check .
 
+  shellcheck:
+    name: Shellcheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@master
+
   cargo-audit:
     runs-on: ubuntu-latest
     steps:
@@ -66,3 +74,46 @@ jobs:
       # - https://github.com/rosenpass/rosenpass/issues/62
       # - https://github.com/rust-lang/rust/issues/108378
       - run: RUSTDOCFLAGS="-D warnings" cargo doc --no-deps --document-private-items
+
+  cargo-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            target/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Install libsodium
+        run: sudo apt-get install -y libsodium-dev
+        # liboqs requires quite a lot of stack memory, thus we adjust
+        # the default stack size picked for new threads (which is used
+        # by `cargo test`) to be _big enough_. Setting it to 8 MiB
+      - run: RUST_MIN_STACK=8388608 cargo test
+
+  cargo-test-nix-devshell-x86_64-linux:
+    runs-on:
+      - ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            target/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - uses: cachix/install-nix-action@v21
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v12
+        with:
+          name: rosenpass
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - run: nix develop --command cargo test

.github/workflows/release.yaml

@@ -12,7 +12,7 @@ jobs:
       - ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -30,10 +30,10 @@ jobs:
   x86_64-darwin---release:
     name: Build release artifacts for x86_64-darwin
     runs-on:
-      - macos-latest
+      - macos-13
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -54,7 +54,7 @@ jobs:
       - ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12

.gitlab-ci.yml

@@ -0,0 +1,17 @@
+# TODO use CI_JOB_TOKEN once https://gitlab.com/groups/gitlab-org/-/epics/6310 is fixed
+pull-from-gh:
+  only: ["schedules"]
+  variables:
+    REMOTE: "https://github.com/rosenpass/rosenpass.git"
+    LOCAL: " git@gitlab.com:rosenpass/rosenpass.git"
+    GIT_STRATEGY: none
+  before_script:
+    - mkdir ~/.ssh/
+    - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
+    - echo "$REPO_SSH_KEY" > ~/.ssh/id_ed25519
+    - chmod 600 --recursive ~/.ssh/
+    - git config --global user.email "ci@gitlab.com"
+    - git config --global user.name "CI"
+  script:
+    - git clone --mirror $REMOTE rosenpass
+    - cd rosenpass && git push --mirror $LOCAL

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rosenpass"
-version = "0.1.2-rc.4"
+version = "0.2.0"
 authors = ["Karolin Varner <karo@cupdev.net>", "wucke13 <wucke13@gmail.com>"]
 edition = "2021"
 license = "MIT OR Apache-2.0"
@@ -19,7 +19,7 @@ base64 = "0.21.1"
 static_assertions = "1.1.0"
 memoffset = "0.9.0"
 libsodium-sys-stable = { version = "1.19.28", features = ["use-pkg-config"] }
-oqs-sys = { version = "0.7.2", default-features = false, features = ['classic_mceliece', 'kyber'] }
+oqs-sys = { version = "0.8", default-features = false, features = ['classic_mceliece', 'kyber'] }
 lazy_static = "1.4.0"
 thiserror = "1.0.40"
 paste = "1.0.12"
@@ -36,6 +36,7 @@ anyhow = "1.0.71"
 [dev-dependencies]
 criterion = "0.4.0"
 test_bin = "0.4.0"
+stacker = "0.1.15"
 
 [features]
 default = ["log", "env_logger"]

build.rs

@@ -21,13 +21,13 @@ fn generate_man() -> String {
     // This function is purposely stupid and redundant
 
     let man = render_man("mandoc", "./doc/rosenpass.1");
-    if man.is_ok() {
+    if let Ok(man) = man {
-        return man.unwrap();
+        return man;
     }
 
     let man = render_man("groff", "./doc/rosenpass.1");
-    if man.is_ok() {
+    if let Ok(man) = man {
-        return man.unwrap();
+        return man;
     }
 
     // TODO: Link to online manual here

config-examples/peer-a-config.toml

@@ -2,6 +2,7 @@ public_key = "peer-a-public-key"
 secret_key = "peer-a-secret-key"
 listen = ["[::]:10001"]
 verbosity = "Quiet"
+control_socket = "rosenpassd.sock"
 
 [[peers]]
 public_key = "peer-b-public-key"

doc/rp.1

@@ -59,6 +59,10 @@ listening on the provided IP and port combination, allowing connections from
 .Sh EXIT STATUS
 .Ex -std
 .Sh EXAMPLES
+In this example, we will assume that the server has an interface bound to
+192.168.0.1, that accepts incoming connections on port 9999/UDP for Rosenpass
+and port 10000/UDP for WireGuard.
+.Pp
 To create a VPN connection, start by generating secret keys on both hosts.
 .Bd -literal -offset indent
 rp genkey server.rosenpass-secret

flake.lock

@@ -8,11 +8,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1686291735,
+        "lastModified": 1692771621,
-        "narHash": "sha256-mpq2m6TN3ImqqUqA4u93NvkZu5vH//3spqjmPRbRlvA=",
+        "narHash": "sha256-W1qOIeOvzkJxdITGGWqSxmFbu9ob+ZP8lXNkkQi8UL4=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "6e6a94c4d0cac4821b6452fbae46609b89a8ddcf",
+        "rev": "add522038f2a32aa1263c8d3c81e1ea2265cc4e1",
         "type": "github"
       },
       "original": {
@@ -26,11 +26,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1685518550,
+        "lastModified": 1689068808,
-        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
+        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
+        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
         "type": "github"
       },
       "original": {
@@ -46,11 +46,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1679567394,
+        "lastModified": 1692351612,
-        "narHash": "sha256-ZvLuzPeARDLiQUt6zSZFGOs+HZmE+3g4QURc8mkBsfM=",
+        "narHash": "sha256-KTGonidcdaLadRnv9KFgwSMh1ZbXoR/OBmPjeNMhFwU=",
         "owner": "nix-community",
         "repo": "naersk",
-        "rev": "88cd22380154a2c36799fe8098888f0f59861a15",
+        "rev": "78789c30d64dea2396c9da516bbcc8db3a475207",
         "type": "github"
       },
       "original": {
@@ -61,11 +61,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1686237827,
+        "lastModified": 1691522891,
-        "narHash": "sha256-fAZB+Zkcmc+qlauiFnIH9+2qgwM0NO/ru5pWEw3tDow=",
+        "narHash": "sha256-xqQqVryXKJoFQ/+RL0A7DihkLkev8dk6afM7B04TilU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "81ed90058a851eb73be835c770e062c6938c8a9e",
+        "rev": "78287547942dd8e8afff0ae47fb8e2553db79d7e",
         "type": "github"
       },
       "original": {
@@ -84,11 +84,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1686239338,
+        "lastModified": 1692701491,
-        "narHash": "sha256-c6Mm7UnDf3j3akY3YB3rELFA76QRbB8ttSBsh00LWi0=",
+        "narHash": "sha256-Lz5GXi/CImvcIXtpBpQ9jVI9Ni9eU/4xk36PvKmjwJM=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "9c03aa1ac2e67051db83a85baf3cfee902e4dd84",
+        "rev": "9e3bf69ad3c736893b285f47f4d014ae1aed1cb0",
         "type": "github"
       },
       "original": {

flake.nix

@@ -312,6 +312,7 @@
             inherit (packages.rosenpass) RUST_MIN_STACK;
             inputsFrom = [ packages.default ];
             nativeBuildInputs = with pkgs; [
+              cmake # override the fakecmake from the main step above
               cargo-release
               clippy
               nodePackages.prettier

readme.md

@@ -71,6 +71,13 @@ Rosenpass is packaged for more and more distributions, maybe also for the distri
 
 [![Packaging status](https://repology.org/badge/vertical-allrepos/rosenpass.svg)](https://repology.org/project/rosenpass/versions)
 
+# Mirrors
+
+Don't want to use GitHub or only have an IPv6 connection? Rosenpass has set up two mirrors for this:
+
+- [NotABug](https://notabug.org/rosenpass/rosenpass)
+- [GitLab](https://gitlab.com/rosenpass/rosenpass/)
+
 # Supported by
 
 Funded through <a href="https://nlnet.nl/">NLNet</a> with financial support for the European Commission's <a href="https://nlnet.nl/assure">NGI Assure</a> program.

rp

@@ -197,7 +197,7 @@ exchange() {
         lip="${listen%:*}";
         lport="${listen/*:/}";
         if [[ "$lip" = "$lport" ]]; then
-          lip="[0::0]"
+          lip="[::]"
         fi
         shift;;
       -h | -help | --help | help) usage; return 0;;
@@ -209,15 +209,41 @@ exchange() {
     fatal "Needs at least one peer specified"
   fi
 
-  frag "
+  # os dependent setup
-    # Create the Wireguard interface
+  case "$OSTYPE" in
-    ip link add dev $(enquote "${dev}") type wireguard || true"
+    linux-*) # could be linux-gnu or linux-musl
+      frag "
+        # Create the WireGuard interface
+        ip link add dev $(enquote "${dev}") type wireguard || true"
 
-  cleanup "
+      cleanup "
-    ip link del dev $(enquote "${dev}") || true"
+        ip link del dev $(enquote "${dev}") || true"
 
-  frag "
+      frag "
-    ip link set dev $(enquote "${dev}") up"
+        ip link set dev $(enquote "${dev}") up"
+      ;;
+
+    freebsd*)
+      frag "
+        # load the WireGuard kernel module
+        kldload -n if_wg || fatal 'Cannot load if_wg kernel module'"
+
+      frag "
+        # Create the WireGuard interface
+        ifconfig wg create name $(enquote "${dev}") || true"
+
+      cleanup "
+        ifconfig $(enquote "${dev}") destroy || true"
+
+      frag "
+        ifconfig $(enquote "${dev}") up"
+      ;;
+
+    *)
+      fatal "Your system $OSTYPE is not yet supported. We are happy to receive patches to address this :)"
+      ;;
+
+  esac
 
   frag "
     # Deploy the classic wireguard private key
@@ -255,7 +281,7 @@ exchange() {
       local arg; arg="$1"; shift
       case "${arg}" in
         peer) set -- "peer" "$@"; break;; # Next peer
-        endpoint) ip="${1%:*}"; port="${1/*:/}"; shift;;
+        endpoint) ip="${1%:*}"; port="${1##*:}"; shift;;
         persistent-keepalive) keepalive="${1}"; shift;;
         allowed-ips) allowedips="${1}"; shift;;
         -h | -help | --help | help) usage; return 0;;
@@ -326,7 +352,9 @@ main() {
   verbose=0
   scriptdir="$(dirname "${script}")"
   gitdir="$(detect_git_dir)" || true
-  nixdir="$(readlink -f result/bin/rp | grep -Pio '^/nix/store/[^/]+(?=/bin/[^/]+)')" || true
+  if [[ -d /nix ]]; then
+    nixdir="$(readlink -f result/bin/rp | grep -Pio '^/nix/store/[^/]+(?=/bin/[^/]+)')" || true
+  fi
   binary="$(find_rosenpass_binary)"
 
   # Parse command

src/app_server.rs

@@ -1,6 +1,8 @@
 use anyhow::bail;
 
 use anyhow::Result;
+use log::debug;
+use log::trace;
 use log::{error, info, warn};
 use mio::Interest;
 use mio::Token;
@@ -15,6 +17,7 @@ use std::net::SocketAddr;
 use std::net::SocketAddrV4;
 use std::net::SocketAddrV6;
 use std::net::ToSocketAddrs;
+use std::path::Path;
 use std::path::PathBuf;
 use std::process::Command;
 use std::process::Stdio;
@@ -30,6 +33,7 @@ use crate::{
 
 const IPV4_ANY_ADDR: Ipv4Addr = Ipv4Addr::new(0, 0, 0, 0);
 const IPV6_ANY_ADDR: Ipv6Addr = Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0);
+const CONTROL_SOCKET_TOKEN: mio::Token = mio::Token(usize::MAX);
 
 fn ipv4_any_binding() -> SocketAddr {
     // addr, port
@@ -78,6 +82,9 @@ pub struct AppServer {
     pub peers: Vec<AppPeer>,
     pub verbosity: Verbosity,
     pub all_sockets_drained: bool,
+
+    /// Optional control socket to change the configuration of a running rosenpassd
+    pub maybe_control_socket: Option<mio::net::UnixDatagram>,
 }
 
 /// A socket pointer is an index assigned to a socket;
@@ -99,7 +106,7 @@ impl SocketPtr {
     }
 
     pub fn send_to(&self, srv: &AppServer, buf: &[u8], addr: SocketAddr) -> anyhow::Result<()> {
-        self.get(srv).send_to(&buf, addr)?;
+        self.get(srv).send_to(buf, addr)?;
         Ok(())
     }
 }
@@ -294,13 +301,13 @@ impl HostPathDiscoveryEndpoint {
     pub fn send_scouting(&self, srv: &AppServer, buf: &[u8]) -> anyhow::Result<()> {
         let (addr_off, sock_off) = self.scouting_state.get();
 
-        let mut addrs = (&self.addresses)
+        let mut addrs = (self.addresses)
             .iter()
             .enumerate()
             .cycle()
             .skip(addr_off)
             .take(self.addresses.len());
-        let mut sockets = (&srv.sockets)
+        let mut sockets = (srv.sockets)
             .iter()
             .enumerate()
             .cycle()
@@ -335,11 +342,13 @@ impl HostPathDiscoveryEndpoint {
 }
 
 impl AppServer {
-    pub fn new(
+    pub fn new<P: AsRef<Path> + core::fmt::Debug>(
+        // TODO @wucke13 check if requiring Debug breaks important types that otherwise fulfill AsRef<Path>
         sk: SSk,
         pk: SPk,
         addrs: Vec<SocketAddr>,
         verbosity: Verbosity,
+        uds: Option<P>,
     ) -> anyhow::Result<Self> {
         // setup mio
         let mio_poll = mio::Poll::new()?;
@@ -417,13 +426,31 @@ impl AppServer {
         }
 
         // register all sockets to mio
+        debug!("registering all UDP sockets to mio");
         for (i, socket) in sockets.iter_mut().enumerate() {
+            trace!("registering {socket:?}");
             mio_poll
                 .registry()
                 .register(socket, Token(i), Interest::READABLE)?;
         }
 
+        let mut maybe_control_socket = uds
+            .map(|p| {
+                debug!("binding control socket {p:?}");
+                mio::net::UnixDatagram::bind(p)
+            })
+            .transpose()?;
+        if let Some(control_socket) = &mut maybe_control_socket {
+            debug!("registering control socket to mio");
+            mio_poll.registry().register(
+                control_socket,
+                CONTROL_SOCKET_TOKEN,
+                Interest::READABLE,
+            )?;
+        }
+
         // TODO use mio::net::UnixStream together with std::os::unix::net::UnixStream for Linux
+        debug!("finalizing AppServer creation");
 
         Ok(Self {
             crypt: CryptoServer::new(sk, pk),
@@ -433,6 +460,7 @@ impl AppServer {
             events,
             mio_poll,
             all_sockets_drained: false,
+            maybe_control_socket,
         })
     }
 
@@ -524,9 +552,11 @@ impl AppServer {
             use AppPollResult::*;
             use KeyOutputReason::*;
             match self.poll(&mut *rx)? {
+                #[allow(clippy::redundant_closure_call)]
                 SendInitiation(peer) => tx_maybe_with!(peer, || self
                     .crypt
                     .initiate_handshake(peer.lower(), &mut *tx))?,
+                #[allow(clippy::redundant_closure_call)]
                 SendRetransmission(peer) => tx_maybe_with!(peer, || self
                     .crypt
                     .retransmit_handshake(peer.lower(), &mut *tx))?,
@@ -636,6 +666,7 @@ impl AppServer {
         Ok(())
     }
 
+    // Polls the crypto servers state machine for new actions
     pub fn poll(&mut self, rx_buf: &mut [u8]) -> anyhow::Result<AppPollResult> {
         use crate::protocol::PollResult as C;
         use AppPollResult as A;
@@ -652,7 +683,7 @@ impl AppServer {
         }
     }
 
-    /// Tries to receive a new message
+    /// Tries to receive a new control socket command or incoming message
     ///
     /// - might wait for an duration up to `timeout`
     /// - returns immediately if an error occurs
@@ -691,6 +722,27 @@ impl AppServer {
             self.mio_poll.poll(&mut self.events, Some(timeout))?;
         }
 
+        trace!("checking for new command on control socket");
+        // control socket always has priority
+        if let Some(control_socket) = &mut self.maybe_control_socket {
+            let mut buf = [0u8; 16];
+
+            match control_socket.recv(&mut buf) {
+                Ok(size) => {
+                    // TODO handle command
+                    // to send something here, use the following shell snippet:
+                    //
+                    // printf '\x7\' | nc -NuU rosenpassd.sock
+                    log::debug!("buf received {:?}", &buf[0..size]);
+                }
+                Err(e) if e.kind() == ErrorKind::WouldBlock => {
+                    trace!("no new commands on control socket")
+                }
+                Err(e) => return Err(e.into()),
+            }
+        }
+
+        // then normal traffic is processed
         let mut would_block_count = 0;
         for (sock_no, socket) in self.sockets.iter_mut().enumerate() {
             match socket.recv_from(buf) {

src/cli.rs

@@ -104,9 +104,13 @@ impl Cli {
         use Cli::*;
         match cli {
             Man => {
-                let _man_cmd = std::process::Command::new("man")
+                let man_cmd = std::process::Command::new("man")
                     .args(["1", "rosenpass"])
                     .status();
+
+                if !(man_cmd.is_ok() && man_cmd.unwrap().success()) {
+                    println!(include_str!(env!("ROSENPASS_MAN")));
+                }
             }
             GenConfig { config_file, force } => {
                 ensure!(
@@ -160,12 +164,10 @@ impl Cli {
                 // generate the keys and store them in files
                 let mut ssk = crate::protocol::SSk::random();
                 let mut spk = crate::protocol::SPk::random();
+                StaticKEM::keygen(ssk.secret_mut(), spk.secret_mut())?;
 
-                unsafe {
+                ssk.store_secret(skf)?;
-                    StaticKEM::keygen(ssk.secret_mut(), spk.secret_mut())?;
+                spk.store_secret(pkf)?;
-                    ssk.store_secret(skf)?;
-                    spk.store_secret(pkf)?;
-                }
             }
 
             ExchangeConfig { config_file } => {
@@ -226,6 +228,7 @@ impl Cli {
             pk,
             config.listen,
             config.verbosity,
+            config.control_socket.as_ref(),
         )?);
 
         for cfg_peer in config.peers {
@@ -248,11 +251,11 @@ impl Cli {
 }
 
 trait StoreSecret {
-    unsafe fn store_secret<P: AsRef<Path>>(&self, path: P) -> anyhow::Result<()>;
+    fn store_secret<P: AsRef<Path>>(&self, path: P) -> anyhow::Result<()>;
 }
 
 impl<const N: usize> StoreSecret for Secret<N> {
-    unsafe fn store_secret<P: AsRef<Path>>(&self, path: P) -> anyhow::Result<()> {
+    fn store_secret<P: AsRef<Path>>(&self, path: P) -> anyhow::Result<()> {
         std::fs::write(path, self.secret())?;
         Ok(())
     }

src/config.rs

@@ -25,6 +25,8 @@ pub struct Rosenpass {
 
     #[serde(skip)]
     pub config_file_path: PathBuf,
+
+    pub control_socket: Option<PathBuf>,
 }
 
 #[derive(Debug, PartialEq, Eq, Serialize, Deserialize)]
@@ -133,6 +135,7 @@ impl Rosenpass {
             verbosity: Verbosity::Quiet,
             peers: vec![],
             config_file_path: PathBuf::new(),
+            control_socket: None,
         }
     }
 

src/control_commands.rs

@@ -0,0 +1,38 @@
+//! Data structures representing the control messages going over the control socket
+//!
+//! This module uses the same de-/serialization mechanism as [crate::msgs].
+//! If you want to interface with `rosenpassd`, this is where you can look up the format
+//! of the messages that are accepted.
+
+use crate::{data_lense, msgs::LenseView, RosenpassError};
+
+data_lense! { ControlComand<C> :=
+    /// [MsgType] of this message
+    msg_type: 1
+}
+
+#[repr(u8)]
+#[derive(Hash, PartialEq, Eq, PartialOrd, Ord, Debug, Clone, Copy)]
+pub enum CommandType {
+    /// Add one peer
+    AddPeer = 0x10,
+
+    /// Remove all peers that match the given public key
+    RemovePeerPk = 0x11,
+
+    /// Remove all peers that match the given address
+    RemovePeerIp = 0x12,
+}
+
+impl TryFrom<u8> for CommandType {
+    type Error = RosenpassError;
+
+    fn try_from(value: u8) -> Result<Self, Self::Error> {
+        Ok(match value {
+            0x10 => CommandType::AddPeer,
+            0x11 => CommandType::RemovePeerPk,
+            0x12 => CommandType::RemovePeerIp,
+            _ => return Err(RosenpassError::InvalidMessageType(value)),
+        })
+    }
+}

src/lib.rs

@@ -8,6 +8,7 @@ pub mod labeled_prf;
 pub mod app_server;
 pub mod cli;
 pub mod config;
+pub mod control_commands;
 pub mod msgs;
 pub mod pqkem;
 pub mod prftree;
@@ -26,6 +27,9 @@ pub enum RosenpassError {
     },
     #[error("invalid message type")]
     InvalidMessageType(u8),
+
+    #[error("invalid command type")]
+    InvalidCommandType(u8),
 }
 
 impl RosenpassError {

src/protocol.rs

@@ -1739,7 +1739,11 @@ mod test {
 
         // initialize secret and public key for the crypto server
         let (mut sk, mut pk) = (SSk::zero(), SPk::zero());
-        StaticKEM::keygen(sk.secret_mut(), pk.secret_mut()).expect("unable to generate keys");
+
+        // Guranteed to have 16MB of stack size
+        stacker::grow(8 * 1024 * 1024, || {
+            StaticKEM::keygen(sk.secret_mut(), pk.secret_mut()).expect("unable to generate keys");
+        });
 
         CryptoServer::new(sk, pk)
     }

src/util.rs

@@ -172,11 +172,11 @@ trait StoreValue {
 }
 
 trait StoreSecret {
-    unsafe fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()>;
+    fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()>;
 }
 
 impl<T: StoreValue> StoreSecret for T {
-    unsafe fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()> {
+    fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()> {
         self.store(path)
     }
 }
@@ -211,7 +211,7 @@ impl<const N: usize> LoadValueB64 for Secret<N> {
 }
 
 impl<const N: usize> StoreSecret for Secret<N> {
-    unsafe fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()> {
+    fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()> {
         std::fs::write(path, self.secret())?;
         Ok(())
     }