fix(rosenpass): Prevent duplicate osk issue on handshake

Issue reported by: Paul Spooren <mail@aparcar.org>

.ci/gen-workflow-files.nu

@@ -33,7 +33,7 @@ let systems_map = {
   # aarch64-linux
   
   i686-linux: ubuntu-latest,
-  x86_64-darwin: macos-latest,
+  x86_64-darwin: macos-13,
   x86_64-linux: ubuntu-latest
 }
 
@@ -64,7 +64,7 @@ let runner_setup = [
     uses: "actions/checkout@v3"
   }
   {
-    uses: "cachix/install-nix-action@v21",
+    uses: "cachix/install-nix-action@v22",
     with: { nix_path: "nixpkgs=channel:nixos-unstable" }
   }
   {

.github/workflows/nix.yaml

@@ -15,7 +15,7 @@ jobs:
       - i686-linux---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -31,7 +31,7 @@ jobs:
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -48,7 +48,7 @@ jobs:
       - i686-linux---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -63,7 +63,7 @@ jobs:
       - ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -75,12 +75,12 @@ jobs:
   x86_64-darwin---default:
     name: Build x86_64-darwin.default
     runs-on:
-      - macos-latest
+      - macos-13
     needs:
       - x86_64-darwin---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -92,13 +92,13 @@ jobs:
   x86_64-darwin---release-package:
     name: Build x86_64-darwin.release-package
     runs-on:
-      - macos-latest
+      - macos-13
     needs:
       - x86_64-darwin---rosenpass
       - x86_64-darwin---rosenpass-oci-image
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -110,11 +110,11 @@ jobs:
   x86_64-darwin---rosenpass:
     name: Build x86_64-darwin.rosenpass
     runs-on:
-      - macos-latest
+      - macos-13
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -126,12 +126,12 @@ jobs:
   x86_64-darwin---rosenpass-oci-image:
     name: Build x86_64-darwin.rosenpass-oci-image
     runs-on:
-      - macos-latest
+      - macos-13
     needs:
       - x86_64-darwin---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -143,10 +143,10 @@ jobs:
   x86_64-darwin---check:
     name: Run Nix checks on x86_64-darwin
     runs-on:
-      - macos-latest
+      - macos-13
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -163,7 +163,7 @@ jobs:
       - x86_64-linux---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -180,7 +180,7 @@ jobs:
       - x86_64-linux---proverif-patched
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -196,7 +196,7 @@ jobs:
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -210,11 +210,11 @@ jobs:
     runs-on:
       - ubuntu-latest
     needs:
-      - x86_64-linux---rosenpass-static
       - x86_64-linux---rosenpass-static-oci-image
+      - x86_64-linux---rosenpass-static
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -230,7 +230,7 @@ jobs:
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -247,7 +247,7 @@ jobs:
       - x86_64-linux---rosenpass
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -263,7 +263,7 @@ jobs:
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -280,7 +280,7 @@ jobs:
       - x86_64-linux---rosenpass-static
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -296,7 +296,7 @@ jobs:
     needs: []
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -311,7 +311,7 @@ jobs:
       - ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -326,7 +326,7 @@ jobs:
     if: ${{ github.ref == 'refs/heads/main' }}
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12

.github/workflows/qc.yaml

@@ -17,6 +17,14 @@ jobs:
         with:
           args: --check .
 
+  shellcheck:
+    name: Shellcheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@master
+
   cargo-audit:
     runs-on: ubuntu-latest
     steps:
@@ -66,3 +74,46 @@ jobs:
       # - https://github.com/rosenpass/rosenpass/issues/62
       # - https://github.com/rust-lang/rust/issues/108378
       - run: RUSTDOCFLAGS="-D warnings" cargo doc --no-deps --document-private-items
+
+  cargo-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            target/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Install libsodium
+        run: sudo apt-get install -y libsodium-dev
+        # liboqs requires quite a lot of stack memory, thus we adjust
+        # the default stack size picked for new threads (which is used
+        # by `cargo test`) to be _big enough_. Setting it to 8 MiB
+      - run: RUST_MIN_STACK=8388608 cargo test
+
+  cargo-test-nix-devshell-x86_64-linux:
+    runs-on:
+      - ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            target/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - uses: cachix/install-nix-action@v21
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v12
+        with:
+          name: rosenpass
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - run: nix develop --command cargo test

.github/workflows/release.yaml

@@ -12,7 +12,7 @@ jobs:
       - ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -30,10 +30,10 @@ jobs:
   x86_64-darwin---release:
     name: Build release artifacts for x86_64-darwin
     runs-on:
-      - macos-latest
+      - macos-13
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12
@@ -54,7 +54,7 @@ jobs:
       - ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - uses: cachix/cachix-action@v12

.gitlab-ci.yml

@@ -0,0 +1,17 @@
+# TODO use CI_JOB_TOKEN once https://gitlab.com/groups/gitlab-org/-/epics/6310 is fixed
+pull-from-gh:
+  only: ["schedules"]
+  variables:
+    REMOTE: "https://github.com/rosenpass/rosenpass.git"
+    LOCAL: " git@gitlab.com:rosenpass/rosenpass.git"
+    GIT_STRATEGY: none
+  before_script:
+    - mkdir ~/.ssh/
+    - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
+    - echo "$REPO_SSH_KEY" > ~/.ssh/id_ed25519
+    - chmod 600 --recursive ~/.ssh/
+    - git config --global user.email "ci@gitlab.com"
+    - git config --global user.name "CI"
+  script:
+    - git clone --mirror $REMOTE rosenpass
+    - cd rosenpass && git push --mirror $LOCAL

Cargo.toml

@@ -1,41 +1,10 @@
-[package]
+[workspace]
-name = "rosenpass"
+resolver = "2"
-version = "0.1.2-rc.4"
-authors = ["Karolin Varner <karo@cupdev.net>", "wucke13 <wucke13@gmail.com>"]
-edition = "2021"
-license = "MIT OR Apache-2.0"
-description = "Build post-quantum-secure VPNs with WireGuard!"
-homepage = "https://rosenpass.eu/"
-repository = "https://github.com/rosenpass/rosenpass"
-readme = "readme.md"
 
-[[bench]]
+members = [
-name = "handshake"
+    "rosenpass",
-harness = false
+]
 
-[dependencies]
+[workspace.metadata.release]
-anyhow = { version = "1.0.71", features = ["backtrace"] }
+# ensure that adding `--package` as argument to `cargo release` still creates version tags in the form of `vx.y.z`
-base64 = "0.21.1"
+tag-prefix = ""
-static_assertions = "1.1.0"
-memoffset = "0.9.0"
-libsodium-sys-stable = { version = "1.19.28", features = ["use-pkg-config"] }
-oqs-sys = { version = "0.7.2", default-features = false, features = ['classic_mceliece', 'kyber'] }
-lazy_static = "1.4.0"
-thiserror = "1.0.40"
-paste = "1.0.12"
-log = { version = "0.4.17", optional = true }
-env_logger = { version = "0.10.0", optional = true }
-serde = { version = "1.0.163", features = ["derive"] }
-toml = "0.7.4"
-clap = { version = "4.3.0", features = ["derive"] }
-mio = { version = "0.8.6", features = ["net", "os-poll"] }
-
-[build-dependencies]
-anyhow = "1.0.71"
-
-[dev-dependencies]
-criterion = "0.4.0"
-test_bin = "0.4.0"
-
-[features]
-default = ["log", "env_logger"]

doc/rosenpass.1

@@ -12,13 +12,13 @@
 .Sh DESCRIPTION
 .Nm
 performs cryptographic key exchanges that are secure against quantum-computers
-and outputs the keys.
+and then outputs the keys.
-These keys can then be passed to various services such as wireguard or other
+These keys can then be passed to various services, such as wireguard or other
-vpn services as pre-shared-keys to achieve security against attackers with
+vpn services, as pre-shared-keys to achieve security against attackers with
 quantum computers.
 .Pp
 This is a research project and quantum computers are not thought to become
-practical in less than ten years.
+practical in fewer than ten years.
 If you are not specifically tasked with developing post-quantum secure systems,
 you probably do not need this tool.
 .Ss COMMANDS
@@ -31,7 +31,7 @@ file secret!
 Start a process to exchange keys with the specified peers.
 You should specify at least one peer.
 .Pp
-It's
+Its
 .Ar OPTIONS
 are as follows:
 .Bl -tag -width Ds
@@ -39,7 +39,7 @@ are as follows:
 Instructs
 .Nm
 to listen on the specified interface and port.
-By default
+By default,
 .Nm
 will listen on all interfaces and select a random port.
 .It Ar verbose

doc/rp.1

@@ -59,6 +59,10 @@ listening on the provided IP and port combination, allowing connections from
 .Sh EXIT STATUS
 .Ex -std
 .Sh EXAMPLES
+In this example, we will assume that the server has an interface bound to
+192.168.0.1, that accepts incoming connections on port 9999/UDP for Rosenpass
+and port 10000/UDP for WireGuard.
+.Pp
 To create a VPN connection, start by generating secret keys on both hosts.
 .Bd -literal -offset indent
 rp genkey server.rosenpass-secret

flake.lock

@@ -8,11 +8,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1686291735,
+        "lastModified": 1699770036,
-        "narHash": "sha256-mpq2m6TN3ImqqUqA4u93NvkZu5vH//3spqjmPRbRlvA=",
+        "narHash": "sha256-bZmI7ytPAYLpyFNgj5xirDkKuAniOkj1xHdv5aIJ5GM=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "6e6a94c4d0cac4821b6452fbae46609b89a8ddcf",
+        "rev": "81ab0b4f7ae9ebb57daa0edf119c4891806e4d3a",
         "type": "github"
       },
       "original": {
@@ -26,11 +26,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1685518550,
+        "lastModified": 1694529238,
-        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
         "type": "github"
       },
       "original": {
@@ -46,11 +46,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1679567394,
+        "lastModified": 1698420672,
-        "narHash": "sha256-ZvLuzPeARDLiQUt6zSZFGOs+HZmE+3g4QURc8mkBsfM=",
+        "narHash": "sha256-/TdeHMPRjjdJub7p7+w55vyABrsJlt5QkznPYy55vKA=",
         "owner": "nix-community",
         "repo": "naersk",
-        "rev": "88cd22380154a2c36799fe8098888f0f59861a15",
+        "rev": "aeb58d5e8faead8980a807c840232697982d47b9",
         "type": "github"
       },
       "original": {
@@ -61,11 +61,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1686237827,
+        "lastModified": 1698846319,
-        "narHash": "sha256-fAZB+Zkcmc+qlauiFnIH9+2qgwM0NO/ru5pWEw3tDow=",
+        "narHash": "sha256-4jyW/dqFBVpWFnhl0nvP6EN4lP7/ZqPxYRjl6var0Oc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "81ed90058a851eb73be835c770e062c6938c8a9e",
+        "rev": "34bdaaf1f0b7fb6d9091472edc968ff10a8c2857",
         "type": "github"
       },
       "original": {
@@ -84,11 +84,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1686239338,
+        "lastModified": 1699715108,
-        "narHash": "sha256-c6Mm7UnDf3j3akY3YB3rELFA76QRbB8ttSBsh00LWi0=",
+        "narHash": "sha256-yPozsobJU55gj+szgo4Lpcg1lHvGQYAT6Y4MrC80mWE=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "9c03aa1ac2e67051db83a85baf3cfee902e4dd84",
+        "rev": "5fcf5289e726785d20d3aa4d13d90a43ed248e83",
         "type": "github"
       },
       "original": {

flake.nix

@@ -55,14 +55,13 @@
             };
 
             # parsed Cargo.toml
-            cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml);
+            cargoToml = builtins.fromTOML (builtins.readFile ./rosenpass/Cargo.toml);
 
             # source files relevant for rust
-            src = pkgs.lib.sourceByRegex ./. [
+            src = pkgs.lib.sources.sourceFilesBySuffices ./. [
-              "Cargo\\.(toml|lock)"
+              ".lock"
-              "build.rs"
+              ".rs"
-              "(src|benches)(/.*\\.(rs|md))?"
+              ".toml"
-              "rp"
             ];
 
             # builds a bin path for all dependencies for the `rp` shellscript
@@ -112,6 +111,9 @@
                   version = cargoToml.package.version;
                   inherit src;
 
+                  cargoBuildOptions = x: x ++ [ "-p" "rosenpass" ];
+                  cargoTestOptions = x: x ++ [ "-p" "rosenpass" ];
+
                   doCheck = true;
 
                   nativeBuildInputs = with pkgs; [
@@ -157,11 +159,6 @@
                     '';
                   };
 
-                  # liboqs requires quite a lot of stack memory, thus we adjust
-                  # the default stack size picked for new threads (which is used
-                  # by `cargo test`) to be _big enough_
-                  RUST_MIN_STACK = 8 * 1024 * 1024; # 8 MiB
-
                   # We want to build for a specific target...
                   CARGO_BUILD_TARGET = target;
 
@@ -290,7 +287,7 @@
           packages.proof-proverif = pkgs.stdenv.mkDerivation {
             name = "rosenpass-proverif-proof";
             version = "unstable";
-            src = pkgs.lib.sourceByRegex ./. [
+            src = pkgs.lib.sources.sourceByRegex ./. [
               "analyze.sh"
               "marzipan(/marzipan.awk)?"
               "analysis(/.*)?"
@@ -309,9 +306,9 @@
           #
           devShells.default = pkgs.mkShell {
             inherit (packages.proof-proverif) CRYPTOVERIF_LIB;
-            inherit (packages.rosenpass) RUST_MIN_STACK;
             inputsFrom = [ packages.default ];
             nativeBuildInputs = with pkgs; [
+              cmake # override the fakecmake from the main step above
               cargo-release
               clippy
               nodePackages.prettier
@@ -321,7 +318,6 @@
           };
           devShells.coverage = pkgs.mkShell {
             inputsFrom = [ packages.default ];
-            inherit (packages.rosenpass) RUST_MIN_STACK;
             nativeBuildInputs = with pkgs; [ inputs.fenix.packages.${system}.complete.toolchain cargo-llvm-cov ];
           };
 

readme.md

@@ -71,6 +71,13 @@ Rosenpass is packaged for more and more distributions, maybe also for the distri
 
 [![Packaging status](https://repology.org/badge/vertical-allrepos/rosenpass.svg)](https://repology.org/project/rosenpass/versions)
 
+# Mirrors
+
+Don't want to use GitHub or only have an IPv6 connection? Rosenpass has set up two mirrors for this:
+
+- [NotABug](https://notabug.org/rosenpass/rosenpass)
+- [GitLab](https://gitlab.com/rosenpass/rosenpass/)
+
 # Supported by
 
 Funded through <a href="https://nlnet.nl/">NLNet</a> with financial support for the European Commission's <a href="https://nlnet.nl/assure">NGI Assure</a> program.

rosenpass/Cargo.toml

@@ -0,0 +1,42 @@
+[package]
+name = "rosenpass"
+version = "0.2.2"
+authors = ["Karolin Varner <karo@cupdev.net>", "wucke13 <wucke13@gmail.com>"]
+edition = "2021"
+license = "MIT OR Apache-2.0"
+description = "Build post-quantum-secure VPNs with WireGuard!"
+homepage = "https://rosenpass.eu/"
+repository = "https://github.com/rosenpass/rosenpass"
+readme = "readme.md"
+
+[[bench]]
+name = "handshake"
+harness = false
+
+[dependencies]
+anyhow = { version = "1.0.71", features = ["backtrace"] }
+base64 = "0.21.1"
+static_assertions = "1.1.0"
+memoffset = "0.9.0"
+libsodium-sys-stable = { version = "1.19.28", features = ["use-pkg-config"] }
+oqs-sys = { version = "0.8", default-features = false, features = ['classic_mceliece', 'kyber'] }
+lazy_static = "1.4.0"
+thiserror = "1.0.40"
+paste = "1.0.12"
+log = { version = "0.4.17", optional = true }
+env_logger = { version = "0.10.0", optional = true }
+serde = { version = "1.0.163", features = ["derive"] }
+toml = "0.7.4"
+clap = { version = "4.3.0", features = ["derive"] }
+mio = { version = "0.8.6", features = ["net", "os-poll"] }
+
+[build-dependencies]
+anyhow = "1.0.71"
+
+[dev-dependencies]
+criterion = "0.4.0"
+test_bin = "0.4.0"
+stacker = "0.1.15"
+
+[features]
+default = ["log", "env_logger"]

rosenpass/benches/handshake.rs

@@ -1,7 +1,8 @@
 use anyhow::Result;
+use rosenpass::pqkem::KEM;
 use rosenpass::{
-    pqkem::{EphemeralKEM, CCAKEM},
+    pqkem::StaticKEM,
-    protocol::{CcaPk, CcaSk, CryptoServer, HandleMsgResult, MsgBuf, PeerPtr, SymKey},
+    protocol::{CryptoServer, HandleMsgResult, MsgBuf, PeerPtr, SPk, SSk, SymKey},
     sodium::sodium_init,
 };
 
@@ -38,9 +39,9 @@ fn hs(ini: &mut CryptoServer, res: &mut CryptoServer) -> Result<()> {
     Ok(())
 }
 
-fn keygen() -> Result<(CcaSk, CcaPk)> {
+fn keygen() -> Result<(SSk, SPk)> {
-    let (mut sk, mut pk) = (CcaSk::zero(), CcaPk::zero());
+    let (mut sk, mut pk) = (SSk::zero(), SPk::zero());
-    CCAKEM::keygen(sk.secret_mut(), pk.secret_mut())?;
+    StaticKEM::keygen(sk.secret_mut(), pk.secret_mut())?;
     Ok((sk, pk))
 }
 
@@ -61,12 +62,12 @@ fn criterion_benchmark(c: &mut Criterion) {
     let (mut a, mut b) = make_server_pair().unwrap();
     c.bench_function("cca_secret_alloc", |bench| {
         bench.iter(|| {
-            CcaSk::zero();
+            SSk::zero();
         })
     });
     c.bench_function("cca_public_alloc", |bench| {
         bench.iter(|| {
-            CcaPk::zero();
+            SPk::zero();
         })
     });
     c.bench_function("keygen", |bench| {

rosenpass/build.rs

@@ -21,13 +21,13 @@ fn generate_man() -> String {
     // This function is purposely stupid and redundant
 
     let man = render_man("mandoc", "./doc/rosenpass.1");
-    if man.is_ok() {
+    if let Ok(man) = man {
-        return man.unwrap();
+        return man;
     }
 
     let man = render_man("groff", "./doc/rosenpass.1");
-    if man.is_ok() {
+    if let Ok(man) = man {
-        return man.unwrap();
+        return man;
     }
 
     // TODO: Link to online manual here

rosenpass/readme.md

@@ -0,0 +1 @@
+../readme.md

rosenpass/src/app_server.rs

@@ -1,7 +1,7 @@
 use anyhow::bail;
 
 use anyhow::Result;
-use log::{error, info, warn};
+use log::{debug, error, info, warn};
 use mio::Interest;
 use mio::Token;
 
@@ -19,6 +19,7 @@ use std::path::PathBuf;
 use std::process::Command;
 use std::process::Stdio;
 use std::slice;
+use std::thread;
 use std::time::Duration;
 
 use crate::util::fopen_w;
@@ -99,7 +100,7 @@ impl SocketPtr {
     }
 
     pub fn send_to(&self, srv: &AppServer, buf: &[u8], addr: SocketAddr) -> anyhow::Result<()> {
-        self.get(srv).send_to(&buf, addr)?;
+        self.get(srv).send_to(buf, addr)?;
         Ok(())
     }
 }
@@ -294,13 +295,13 @@ impl HostPathDiscoveryEndpoint {
     pub fn send_scouting(&self, srv: &AppServer, buf: &[u8]) -> anyhow::Result<()> {
         let (addr_off, sock_off) = self.scouting_state.get();
 
-        let mut addrs = (&self.addresses)
+        let mut addrs = (self.addresses)
             .iter()
             .enumerate()
             .cycle()
             .skip(addr_off)
             .take(self.addresses.len());
-        let mut sockets = (&srv.sockets)
+        let mut sockets = (srv.sockets)
             .iter()
             .enumerate()
             .cycle()
@@ -524,9 +525,11 @@ impl AppServer {
             use AppPollResult::*;
             use KeyOutputReason::*;
             match self.poll(&mut *rx)? {
+                #[allow(clippy::redundant_closure_call)]
                 SendInitiation(peer) => tx_maybe_with!(peer, || self
                     .crypt
                     .initiate_handshake(peer.lower(), &mut *tx))?,
+                #[allow(clippy::redundant_closure_call)]
                 SendRetransmission(peer) => tx_maybe_with!(peer, || self
                     .crypt
                     .retransmit_handshake(peer.lower(), &mut *tx))?,
@@ -620,7 +623,7 @@ impl AppServer {
         }
 
         if let Some(owg) = ap.outwg.as_ref() {
-            let child = Command::new("wg")
+            let mut child = Command::new("wg")
                 .arg("set")
                 .arg(&owg.dev)
                 .arg("peer")
@@ -630,7 +633,21 @@ impl AppServer {
                 .stdin(Stdio::piped())
                 .args(&owg.extra_params)
                 .spawn()?;
-            b64_writer(child.stdin.unwrap()).write_all(key.secret())?;
+            b64_writer(child.stdin.take().unwrap()).write_all(key.secret())?;
+
+            thread::spawn(move || {
+                let status = child.wait();
+
+                if let Ok(status) = status {
+                    if status.success() {
+                        debug!("successfully passed psk to wg")
+                    } else {
+                        error!("could not pass psk to wg {:?}", status)
+                    }
+                } else {
+                    error!("wait failed: {:?}", status)
+                }
+            });
         }
 
         Ok(())

rosenpass/src/cli.rs

@@ -104,9 +104,13 @@ impl Cli {
         use Cli::*;
         match cli {
             Man => {
-                let _man_cmd = std::process::Command::new("man")
+                let man_cmd = std::process::Command::new("man")
                     .args(["1", "rosenpass"])
                     .status();
+
+                if !(man_cmd.is_ok() && man_cmd.unwrap().success()) {
+                    println!(include_str!(env!("ROSENPASS_MAN")));
+                }
             }
             GenConfig { config_file, force } => {
                 ensure!(
@@ -160,12 +164,10 @@ impl Cli {
                 // generate the keys and store them in files
                 let mut ssk = crate::protocol::SSk::random();
                 let mut spk = crate::protocol::SPk::random();
+                StaticKEM::keygen(ssk.secret_mut(), spk.secret_mut())?;
 
-                unsafe {
+                ssk.store_secret(skf)?;
-                    StaticKEM::keygen(ssk.secret_mut(), spk.secret_mut())?;
+                spk.store_secret(pkf)?;
-                    ssk.store_secret(skf)?;
-                    spk.store_secret(pkf)?;
-                }
             }
 
             ExchangeConfig { config_file } => {
@@ -248,11 +250,11 @@ impl Cli {
 }
 
 trait StoreSecret {
-    unsafe fn store_secret<P: AsRef<Path>>(&self, path: P) -> anyhow::Result<()>;
+    fn store_secret<P: AsRef<Path>>(&self, path: P) -> anyhow::Result<()>;
 }
 
 impl<const N: usize> StoreSecret for Secret<N> {
-    unsafe fn store_secret<P: AsRef<Path>>(&self, path: P) -> anyhow::Result<()> {
+    fn store_secret<P: AsRef<Path>>(&self, path: P) -> anyhow::Result<()> {
         std::fs::write(path, self.secret())?;
         Ok(())
     }

rosenpass/src/config.rs

@@ -55,6 +55,8 @@ pub struct RosenpassPeer {
 pub struct WireGuard {
     pub device: String,
     pub peer: String,
+
+    #[serde(default)]
     pub extra_params: Vec<String>,
 }
 

rosenpass/src/labeled_prf.rs

@@ -21,12 +21,12 @@ macro_rules! prflabel {
     }
 }
 
-prflabel!(protocol, mac,        "mac");
+prflabel!(protocol, mac, "mac");
-prflabel!(protocol, cookie,     "cookie");
+prflabel!(protocol, cookie, "cookie");
-prflabel!(protocol, peerid,     "peer id");
+prflabel!(protocol, peerid, "peer id");
 prflabel!(protocol, biscuit_ad, "biscuit additional data");
-prflabel!(protocol, ckinit,     "chaining key init");
+prflabel!(protocol, ckinit, "chaining key init");
-prflabel!(protocol, _ckextract,  "chaining key extract");
+prflabel!(protocol, _ckextract, "chaining key extract");
 
 macro_rules! prflabel_leaf {
     ($base:ident, $name:ident, $($lbl:expr),* ) => {
@@ -38,10 +38,10 @@ macro_rules! prflabel_leaf {
     }
 }
 
-prflabel_leaf!(_ckextract, mix,        "mix");
+prflabel_leaf!(_ckextract, mix, "mix");
-prflabel_leaf!(_ckextract, hs_enc,     "handshake encryption");
+prflabel_leaf!(_ckextract, hs_enc, "handshake encryption");
-prflabel_leaf!(_ckextract, ini_enc,    "initiator handshake encryption");
+prflabel_leaf!(_ckextract, ini_enc, "initiator handshake encryption");
-prflabel_leaf!(_ckextract, res_enc,    "responder handshake encryption");
+prflabel_leaf!(_ckextract, res_enc, "responder handshake encryption");
 
 prflabel!(_ckextract, _user, "user");
 prflabel!(_user, _rp, "rosenpass.eu");

rosenpass/src/lib.rs

@@ -19,7 +19,7 @@ pub enum RosenpassError {
     Oqs,
     #[error("error from external library while calling OQS")]
     OqsExternalLib,
-    #[error("buffer size mismatch, required {required_size} but only found {actual_size}")]
+    #[error("buffer size mismatch, required {required_size} but found {actual_size}")]
     BufferSizeMismatch {
         required_size: usize,
         actual_size: usize,

rosenpass/src/lprf.rs

@@ -6,7 +6,7 @@
 //! This is a generalization of a PRF operating
 //! on a sequence of inputs instead of a single input.
 //!
-//! Like a Dec function the Iprf features efficient 
+//! Like a Dec function the Iprf features efficient
 //! incrementability.
 //!
 //! You can also think of an Iprf as a Dec function with
@@ -27,7 +27,7 @@ pub fn prf_into(out: &mut [u8], key: &[u8], data: &[u8]) {
     hmac_into(out, key, data).unwrap()
 }
 
-pub fn prf(key: &[u8], data: &[u8]) -> [u8; KEY_SIZE]{
+pub fn prf(key: &[u8], data: &[u8]) -> [u8; KEY_SIZE] {
     mutating([0u8; KEY_SIZE], |r| prf_into(r, key, data))
 }
 
@@ -40,11 +40,11 @@ impl Iprf {
         IprfBranch(self.0)
     }
 
-    // TODO: Protocol! Use domain separation to ensure that 
+    // TODO: Protocol! Use domain separation to ensure that
     fn mix(self, v: &[u8]) -> Self {
         Self(prf(&self.0, v))
     }
-    
+
     fn mix_secret<const N: usize>(self, v: Secret<N>) -> SecretIprf {
         SecretIprf::prf_invoc(&self.0, v.secret())
     }
@@ -70,8 +70,9 @@ impl IprfBranch {
 
 impl SecretIprf {
     fn prf_invoc(k: &[u8], d: &[u8]) -> SecretIprf {
-        mutating(SecretIprf(Secret::zero()), |r|
+        mutating(SecretIprf(Secret::zero()), |r| {
-            prf_into(k, d, r.secret_mut()))
+            prf_into(k, d, r.secret_mut())
+        })
     }
 
     fn from_key(k: Secret<N>) -> SecretIprf {

rosenpass/src/msgs.rs

@@ -131,9 +131,6 @@ macro_rules! data_lense(
 
         impl<__ContainerType $(, $( $generic: LenseView ),+ )? > $type<__ContainerType $(, $( $generic ),+ )? >{
             $(
-            /// Size in bytes of the field `
-            #[doc = !($field)]
-            /// `
             pub const fn [< $field _len >]() -> usize{
                 $len
             }
@@ -143,7 +140,7 @@ macro_rules! data_lense(
             pub fn check_size(len: usize) -> Result<(), RosenpassError>{
                 let required_size = $( $len + )+ 0;
                 let actual_size = len;
-                if required_size < actual_size {
+                if required_size != actual_size {
                     Err(RosenpassError::BufferSizeMismatch {
                         required_size,
                         actual_size,
@@ -199,23 +196,53 @@ macro_rules! data_lense(
             type __ContainerType;
 
             /// Create a lense to the byte slice
-            fn [< $type:snake >] $(< $($generic),* >)? (self) -> Result< $type<Self::__ContainerType, $( $($generic),+ )? >, RosenpassError>;
+            fn [< $type:snake >] $(< $($generic : LenseView),* >)? (self) -> Result< $type<Self::__ContainerType, $( $($generic),+ )? >, RosenpassError>;
+
+            /// Create a lense to the byte slice, automatically truncating oversized buffers
+            fn [< $type:snake _ truncating >] $(< $($generic : LenseView),* >)? (self) -> Result< $type<Self::__ContainerType, $( $($generic),+ )? >, RosenpassError>;
         }
 
         impl<'a> [< $type Ext >] for &'a [u8] {
             type __ContainerType = &'a [u8];
 
-            fn [< $type:snake >] $(< $($generic),* >)? (self) -> Result< $type<Self::__ContainerType, $( $($generic),+ )? >, RosenpassError> {
+            fn [< $type:snake >] $(< $($generic : LenseView),* >)? (self) -> Result< $type<Self::__ContainerType, $( $($generic),+ )? >, RosenpassError> {
+                $type::<Self::__ContainerType, $( $($generic),+ )? >::check_size(self.len())?;
                 Ok($type ( self, $( $( ::core::marker::PhantomData::<$generic>  ),+ )? ))
             }
+
+            fn [< $type:snake _ truncating >] $(< $($generic : LenseView),* >)? (self) -> Result< $type<Self::__ContainerType, $( $($generic),+ )? >, RosenpassError> {
+                let required_size = $( $len + )+ 0;
+                let actual_size = self.len();
+                if actual_size < required_size {
+                    return Err(RosenpassError::BufferSizeMismatch {
+                        required_size,
+                        actual_size,
+                    });
+                }
+
+                [< $type Ext >]::[< $type:snake >](&self[..required_size])
+            }
         }
 
         impl<'a> [< $type Ext >] for &'a mut [u8] {
             type __ContainerType = &'a mut [u8];
-
+            fn [< $type:snake >] $(< $($generic : LenseView),* >)? (self) -> Result< $type<Self::__ContainerType, $( $($generic),+ )? >, RosenpassError> {
-            fn [< $type:snake >] $(< $($generic),* >)? (self) -> Result< $type<Self::__ContainerType, $( $($generic),+ )? >, RosenpassError> {
+                $type::<Self::__ContainerType, $( $($generic),+ )? >::check_size(self.len())?;
                 Ok($type ( self, $( $( ::core::marker::PhantomData::<$generic>  ),+ )? ))
             }
+
+            fn [< $type:snake _ truncating >] $(< $($generic : LenseView),* >)? (self) -> Result< $type<Self::__ContainerType, $( $($generic),+ )? >, RosenpassError> {
+                let required_size = $( $len + )+ 0;
+                let actual_size = self.len();
+                if actual_size < required_size {
+                    return Err(RosenpassError::BufferSizeMismatch {
+                        required_size,
+                        actual_size,
+                    });
+                }
+
+                [< $type Ext >]::[< $type:snake >](&mut self[..required_size])
+            }
         }
     });
 );

rosenpass/src/protocol.rs

@@ -23,10 +23,10 @@
 //!     pqkem::{StaticKEM, KEM},
 //!     protocol::{SSk, SPk, MsgBuf, PeerPtr, CryptoServer, SymKey},
 //! };
-//! # fn main() -> Result<(), rosenpass::RosenpassError> {
+//! # fn main() -> anyhow::Result<()> {
 //!
 //! // always init libsodium before anything
-//! rosenpass::sodium::sodium_init().unwrap();
+//! rosenpass::sodium::sodium_init()?;
 //!
 //! // initialize secret and public key for peer a ...
 //! let (mut peer_a_sk, mut peer_a_pk) = (SSk::zero(), SPk::zero());
@@ -42,25 +42,26 @@
 //! let mut b = CryptoServer::new(peer_b_sk, peer_b_pk.clone());
 //!
 //! // introduce peers to each other
-//! a.add_peer(Some(psk.clone()), peer_b_pk).unwrap();
+//! a.add_peer(Some(psk.clone()), peer_b_pk)?;
-//! b.add_peer(Some(psk), peer_a_pk).unwrap();
+//! b.add_peer(Some(psk), peer_a_pk)?;
 //!
 //! // declare buffers for message exchange
 //! let (mut a_buf, mut b_buf) = (MsgBuf::zero(), MsgBuf::zero());
 //!
 //! // let a initiate a handshake
-//! let length = a.initiate_handshake(PeerPtr(0), a_buf.as_mut_slice());
+//! let mut maybe_len = Some(a.initiate_handshake(PeerPtr(0), a_buf.as_mut_slice())?);
 //!
-//! // let b respond to a and a respond to b, in two rounds
+//! // let a and b communicate
-//! for _ in 0..2 {
+//! while let Some(len) = maybe_len {
-//!    b.handle_msg(&a_buf[..], &mut b_buf[..]);
+//!    maybe_len = b.handle_msg(&a_buf[..len], &mut b_buf[..])?.resp;
-//!    a.handle_msg(&b_buf[..], &mut a_buf[..]);
+//!    std::mem::swap(&mut a, &mut b);
+//!    std::mem::swap(&mut a_buf, &mut b_buf);
 //! }
 //!
 //! // all done! Extract the shared keys and ensure they are identical
-//! let a_key = a.osk(PeerPtr(0));
+//! let a_key = a.osk(PeerPtr(0))?;
-//! let b_key = b.osk(PeerPtr(0));
+//! let b_key = b.osk(PeerPtr(0))?;
-//! assert_eq!(a_key.unwrap().secret(), b_key.unwrap().secret(),
+//! assert_eq!(a_key.secret(), b_key.secret(),
 //!     "the key exchanged failed to establish a shared secret");
 //! # Ok(())
 //! # }
@@ -736,7 +737,7 @@ impl CryptoServer {
     // TODO remove unnecessary copying between global tx_buf and per-peer buf
     // TODO move retransmission storage to io server
     pub fn initiate_handshake(&mut self, peer: PeerPtr, tx_buf: &mut [u8]) -> Result<usize> {
-        let mut msg = tx_buf.envelope::<InitHello<()>>()?; // Envelope::<InitHello>::default(); // TODO
+        let mut msg = tx_buf.envelope_truncating::<InitHello<()>>()?; // Envelope::<InitHello>::default(); // TODO
         self.handle_initiation(peer, msg.payload_mut().init_hello()?)?;
         let len = self.seal_and_commit_msg(peer, MsgType::InitHello, msg)?;
         peer.hs()
@@ -793,7 +794,7 @@ impl CryptoServer {
                 let msg_in = rx_buf.envelope::<InitHello<&[u8]>>()?;
                 ensure!(msg_in.check_seal(self)?, seal_broken);
 
-                let mut msg_out = tx_buf.envelope::<RespHello<&mut [u8]>>()?;
+                let mut msg_out = tx_buf.envelope_truncating::<RespHello<&mut [u8]>>()?;
                 let peer = self.handle_init_hello(
                     msg_in.payload().init_hello()?,
                     msg_out.payload_mut().resp_hello()?,
@@ -805,7 +806,7 @@ impl CryptoServer {
                 let msg_in = rx_buf.envelope::<RespHello<&[u8]>>()?;
                 ensure!(msg_in.check_seal(self)?, seal_broken);
 
-                let mut msg_out = tx_buf.envelope::<InitConf<&mut [u8]>>()?;
+                let mut msg_out = tx_buf.envelope_truncating::<InitConf<&mut [u8]>>()?;
                 let peer = self.handle_resp_hello(
                     msg_in.payload().resp_hello()?,
                     msg_out.payload_mut().init_conf()?,
@@ -820,13 +821,13 @@ impl CryptoServer {
                 let msg_in = rx_buf.envelope::<InitConf<&[u8]>>()?;
                 ensure!(msg_in.check_seal(self)?, seal_broken);
 
-                let mut msg_out = tx_buf.envelope::<EmptyData<&mut [u8]>>()?;
+                let mut msg_out = tx_buf.envelope_truncating::<EmptyData<&mut [u8]>>()?;
-                let peer = self.handle_init_conf(
+                let (peer, if_exchanged) = self.handle_init_conf(
                     msg_in.payload().init_conf()?,
                     msg_out.payload_mut().empty_data()?,
                 )?;
                 len = self.seal_and_commit_msg(peer, MsgType::EmptyData, msg_out)?;
-                exchanged = true;
+                exchanged = if_exchanged;
                 peer
             }
             Ok(MsgType::EmptyData) => {
@@ -1613,7 +1614,8 @@ impl CryptoServer {
         &mut self,
         ic: InitConf<&[u8]>,
         mut rc: EmptyData<&mut [u8]>,
-    ) -> Result<PeerPtr> {
+    ) -> Result<(PeerPtr, bool)> {
+        let mut exchanged = false;
         // (peer, bn) ← LoadBiscuit(InitConf.biscuit)
         // ICR1
         let (peer, biscuit_no, mut core) = HandshakeState::load_biscuit(
@@ -1643,6 +1645,9 @@ impl CryptoServer {
             // TODO: This should be part of the protocol specification.
             // Abort any ongoing handshake from initiator role
             peer.hs().take(self);
+
+            // Only exchange key on a new biscuit number
+            exchanged = true;
         }
 
         // TODO: Implementing RP should be possible without touching the live session stuff
@@ -1682,7 +1687,7 @@ impl CryptoServer {
         let k = ses.txkm.secret();
         aead_enc_into(rc.auth_mut(), k, &n, &NOTHING, &NOTHING)?; // ct, k, n, ad, pt
 
-        Ok(peer)
+        Ok((peer, exchanged))
     }
 
     pub fn handle_resp_conf(&mut self, rc: EmptyData<&[u8]>) -> Result<PeerPtr> {
@@ -1733,27 +1738,94 @@ impl CryptoServer {
 mod test {
     use super::*;
 
-    fn init_crypto_server() -> CryptoServer {
+    #[test]
-        // always init libsodium before anything
+    /// Ensure that the protocol implementation can deal with truncated
+    /// messages and with overlong messages.
+    ///
+    /// This test performs a complete handshake between two randomly generated
+    /// servers; instead of delivering the message correctly at first messages
+    /// of length zero through about 1.2 times the correct message size are delivered.
+    ///
+    /// Producing an error is expected on each of these messages.
+    ///
+    /// Finally the correct message is delivered and the same process
+    /// starts again in the other direction.
+    ///
+    /// Through all this, the handshake should still successfully terminate;
+    /// i.e. an exchanged key must be produced in both servers.
+    fn handles_incorrect_size_messages() {
         crate::sodium::sodium_init().unwrap();
 
-        // initialize secret and public key for the crypto server
+        stacker::grow(8 * 1024 * 1024, || {
-        let (mut sk, mut pk) = (SSk::zero(), SPk::zero());
+            const OVERSIZED_MESSAGE: usize = ((MAX_MESSAGE_LEN as f32) * 1.2) as usize;
-        StaticKEM::keygen(sk.secret_mut(), pk.secret_mut()).expect("unable to generate keys");
+            type MsgBufPlus = Public<OVERSIZED_MESSAGE>;
 
-        CryptoServer::new(sk, pk)
+            const PEER0: PeerPtr = PeerPtr(0);
+
+            let (mut me, mut they) = make_server_pair().unwrap();
+            let (mut msgbuf, mut resbuf) = (MsgBufPlus::zero(), MsgBufPlus::zero());
+
+            // Process the entire handshake
+            let mut msglen = Some(me.initiate_handshake(PEER0, &mut *resbuf).unwrap());
+            loop {
+                if let Some(l) = msglen {
+                    std::mem::swap(&mut me, &mut they);
+                    std::mem::swap(&mut msgbuf, &mut resbuf);
+                    msglen = test_incorrect_sizes_for_msg(&mut me, &*msgbuf, l, &mut *resbuf);
+                } else {
+                    break;
+                }
+            }
+
+            assert_eq!(
+                me.osk(PEER0).unwrap().secret(),
+                they.osk(PEER0).unwrap().secret()
+            );
+        });
     }
 
-    /// The determination of the message type relies on reading the first byte of the message. Only
+    /// Used in handles_incorrect_size_messages() to first deliver many truncated
-    /// after that the length of the message is checked against the specified message type. This
+    /// and overlong messages, finally the correct message is delivered and the response
-    /// test ensures that nothing breaks in the case of an empty message.
+    /// returned.
-    #[test]
+    fn test_incorrect_sizes_for_msg(
-    #[should_panic = "called `Result::unwrap()` on an `Err` value: received empty message, ignoring it"]
+        srv: &mut CryptoServer,
-    fn handle_empty_message() {
+        msgbuf: &[u8],
-        let mut crypt = init_crypto_server();
+        msglen: usize,
-        let empty_rx_buf = [0u8; 0];
+        resbuf: &mut [u8],
-        let mut tx_buf = [0u8; 0];
+    ) -> Option<usize> {
+        resbuf.fill(0);
 
-        crypt.handle_msg(&empty_rx_buf, &mut tx_buf).unwrap();
+        for l in 0..(((msglen as f32) * 1.2) as usize) {
+            if l == msglen {
+                continue;
+            }
+
+            let res = srv.handle_msg(&msgbuf[..l], resbuf);
+            assert!(matches!(res, Err(_))); // handle_msg should raise an error
+            assert!(!resbuf.iter().find(|x| **x != 0).is_some()); // resbuf should not have been changed
+        }
+
+        // Apply the proper handle_msg operation
+        srv.handle_msg(&msgbuf[..msglen], resbuf).unwrap().resp
+    }
+
+    fn keygen() -> Result<(SSk, SPk)> {
+        // TODO: Copied from the benchmark; deduplicate
+        let (mut sk, mut pk) = (SSk::zero(), SPk::zero());
+        StaticKEM::keygen(sk.secret_mut(), pk.secret_mut())?;
+        Ok((sk, pk))
+    }
+
+    fn make_server_pair() -> Result<(CryptoServer, CryptoServer)> {
+        // TODO: Copied from the benchmark; deduplicate
+        let psk = SymKey::random();
+        let ((ska, pka), (skb, pkb)) = (keygen()?, keygen()?);
+        let (mut a, mut b) = (
+            CryptoServer::new(ska, pka.clone()),
+            CryptoServer::new(skb, pkb.clone()),
+        );
+        a.add_peer(Some(psk.clone()), pkb)?;
+        b.add_peer(Some(psk), pka)?;
+        Ok((a, b))
     }
 }

rosenpass/src/util.rs

@@ -15,6 +15,17 @@ use std::{
 
 use crate::coloring::{Public, Secret};
 
+/// Xors a and b element-wise and writes the result into a.
+///
+/// # Examples
+///
+/// ```
+/// use rosenpass::util::xor_into;
+/// let mut a = String::from("hello").into_bytes();
+/// let b = b"world";
+/// xor_into(&mut a, b);
+/// assert_eq!(&a, b"\x1f\n\x1e\x00\x0b");
+/// ```
 #[inline]
 pub fn xor_into(a: &mut [u8], b: &[u8]) {
     assert!(a.len() == b.len());
@@ -172,11 +183,11 @@ trait StoreValue {
 }
 
 trait StoreSecret {
-    unsafe fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()>;
+    fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()>;
 }
 
 impl<T: StoreValue> StoreSecret for T {
-    unsafe fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()> {
+    fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()> {
         self.store(path)
     }
 }
@@ -211,7 +222,7 @@ impl<const N: usize> LoadValueB64 for Secret<N> {
 }
 
 impl<const N: usize> StoreSecret for Secret<N> {
-    unsafe fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()> {
+    fn store_secret<P: AsRef<Path>>(&self, path: P) -> Result<()> {
         std::fs::write(path, self.secret())?;
         Ok(())
     }

rp

@@ -197,7 +197,7 @@ exchange() {
         lip="${listen%:*}";
         lport="${listen/*:/}";
         if [[ "$lip" = "$lport" ]]; then
-          lip="[0::0]"
+          lip="[::]"
         fi
         shift;;
       -h | -help | --help | help) usage; return 0;;
@@ -209,15 +209,41 @@ exchange() {
     fatal "Needs at least one peer specified"
   fi
 
-  frag "
+  # os dependent setup
-    # Create the Wireguard interface
+  case "$OSTYPE" in
-    ip link add dev $(enquote "${dev}") type wireguard || true"
+    linux-*) # could be linux-gnu or linux-musl
+      frag "
+        # Create the WireGuard interface
+        ip link add dev $(enquote "${dev}") type wireguard || true"
 
-  cleanup "
+      cleanup "
-    ip link del dev $(enquote "${dev}") || true"
+        ip link del dev $(enquote "${dev}") || true"
 
-  frag "
+      frag "
-    ip link set dev $(enquote "${dev}") up"
+        ip link set dev $(enquote "${dev}") up"
+      ;;
+
+    freebsd*)
+      frag "
+        # load the WireGuard kernel module
+        kldload -n if_wg || fatal 'Cannot load if_wg kernel module'"
+
+      frag "
+        # Create the WireGuard interface
+        ifconfig wg create name $(enquote "${dev}") || true"
+
+      cleanup "
+        ifconfig $(enquote "${dev}") destroy || true"
+
+      frag "
+        ifconfig $(enquote "${dev}") up"
+      ;;
+
+    *)
+      fatal "Your system $OSTYPE is not yet supported. We are happy to receive patches to address this :)"
+      ;;
+
+  esac
 
   frag "
     # Deploy the classic wireguard private key
@@ -255,7 +281,7 @@ exchange() {
       local arg; arg="$1"; shift
       case "${arg}" in
         peer) set -- "peer" "$@"; break;; # Next peer
-        endpoint) ip="${1%:*}"; port="${1/*:/}"; shift;;
+        endpoint) ip="${1%:*}"; port="${1##*:}"; shift;;
         persistent-keepalive) keepalive="${1}"; shift;;
         allowed-ips) allowedips="${1}"; shift;;
         -h | -help | --help | help) usage; return 0;;
@@ -326,7 +352,9 @@ main() {
   verbose=0
   scriptdir="$(dirname "${script}")"
   gitdir="$(detect_git_dir)" || true
-  nixdir="$(readlink -f result/bin/rp | grep -Pio '^/nix/store/[^/]+(?=/bin/[^/]+)')" || true
+  if [[ -d /nix ]]; then
+    nixdir="$(readlink -f result/bin/rp | grep -Pio '^/nix/store/[^/]+(?=/bin/[^/]+)')" || true
+  fi
   binary="$(find_rosenpass_binary)"
 
   # Parse command