chore: Release rosenpass version 0.1.2-rc.3

chore: Consistently use the term `Key Encapsulation Mechanism`

.github/workflows/nix.yaml

@@ -31,38 +31,37 @@ jobs:
       - name: Generate gitHeadInfo.gin for the whitepaper
         if: ${{ matrix.derivation == 'whitepaper' }}
         run: ( cd papers && ./tex/gitinfo2.sh && git add gitHeadInfo.gin )
-      - name: Build ${{ matrix.derivation }}
+      - name: Build ${{ matrix.derivation }}@${{ matrix.nix-system }}
         run: |
           # build the package
           nix build .#packages.${{ matrix.nix-system }}.${{ matrix.derivation }} --print-build-logs
 
           # copy over the results
           if [[ -f $(readlink --canonicalize result ) ]]; then
-            mkdir -- ${{ matrix.derivation }}
+            mkdir -- ${{ matrix.derivation }}-${{ matrix.nix-system }}
           fi
-          cp --recursive -- $(readlink --canonicalize -- result) ${{ matrix.derivation }}
-          chmod --recursive -- ug+rw ${{ matrix.derivation }}
+          cp --recursive -- $(readlink --canonicalize result) ${{ matrix.derivation }}-${{ matrix.nix-system }}
+          chmod --recursive ug+rw -- ${{ matrix.derivation }}-${{ matrix.nix-system }}
 
           # add version information
-          git rev-parse --abbrev-ref HEAD > ${{ matrix.derivation }}/git-version
-          git rev-parse HEAD > ${{ matrix.derivation }}/git-sha
+          git rev-parse --abbrev-ref HEAD > ${{ matrix.derivation }}-${{ matrix.nix-system }}/git-version
+          git rev-parse HEAD > ${{ matrix.derivation }}-${{ matrix.nix-system }}/git-sha
 
           # override the `rp` script to keep compatible with non-nix systems
-          if [[ -f ${{ matrix.derivation }}/bin/rp ]]
-          then
-            cp --force rp ${{ matrix.derivation }}/bin/
+          if [[ -f ${{ matrix.derivation }}-${{ matrix.nix-system }}/bin/rp ]]; then
+            cp --force -- rp ${{ matrix.derivation }}-${{ matrix.nix-system }}/bin/
           fi
       - name: Upload build results
         uses: actions/upload-artifact@v3
         with:
-          name: ${{ matrix.derivation }}@${{ matrix.nix-system }}
-          path: ${{ matrix.derivation }}
+          name: ${{ matrix.derivation }}-${{ matrix.nix-system }}
+          path: ${{ matrix.derivation }}-${{ matrix.nix-system }}
       - name: Deploy PDF artifacts
         if: ${{ matrix.derivation == 'whitepaper' && github.ref == 'refs/heads/main' }}
         uses: peaceiris/actions-gh-pages@v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: whitepaper
+          publish_dir: ${{ matrix.derivation }}-${{ matrix.nix-system }}
           publish_branch: papers-pdf
           force_orphan: true
   checks:

.github/workflows/qc.yaml

@@ -0,0 +1,47 @@
+name: Quality Control
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  checks: write
+  contents: read
+
+jobs:
+  prettier:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actionsx/prettier@v2
+        with:
+          args: --check .
+
+  cargo-clippy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            target/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - run: rustup component add clippy
+      - name: Install xmllint
+        run: sudo apt-get install -y libsodium-dev
+      - uses: actions-rs/clippy-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          args: --all-features
+
+  cargo-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions-rs/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yaml

@@ -0,0 +1,49 @@
+name: Release
+permissions:
+  contents: write
+on:
+  push:
+    tags: ["v*"]
+
+jobs:
+  release:
+    name: Release for ${{ matrix.nix-system }}
+    runs-on:
+      - nix
+      - ${{ matrix.nix-system }}
+    strategy:
+      matrix:
+        nix-system:
+          - x86_64-linux
+          # - aarch64-linux
+    steps:
+      - uses: actions/checkout@v3
+      - name: Build release-package for ${{ matrix.nix-system }}
+        run: nix build .#release-package --print-build-logs
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          draft: ${{ contains(github.ref_name, 'rc') }}
+          prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') }}
+          files: |
+            result/*
+
+          
+  release-darwin:
+    name: Release for x86_64-darwin
+    runs-on:
+      - macos-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: cachix/install-nix-action@v20
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build release-package for ${{ matrix.nix-system }}
+        run: nix build .#release-package --print-build-logs
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          draft: ${{ contains(github.ref_name, 'rc') }}
+          prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') }}
+          files: |
+            result/*

.prettierignore

@@ -0,0 +1,4 @@
+.direnv/
+papers/whitepaper.md
+target/
+src/usage.md

Cargo.lock

@@ -34,9 +34,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.68"
+version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2cb2f989d18dd141ab8ae82f64d1a8cdd37e0840f73a406896cf5e99502fab61"
+checksum = "224afbd727c3d6e4b90103ece64b8d1b67fbb1973b1046c2281eed3f3803f800"
 dependencies = [
  "backtrace",
 ]
@@ -108,18 +108,6 @@ version = "1.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 
-[[package]]
-name = "bstr"
-version = "0.2.17"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba3569f383e8f1598449f1a423e72e99569137b47740b1da11ef19af3d5c3223"
-dependencies = [
- "lazy_static",
- "memchr",
- "regex-automata",
- "serde",
-]
-
 [[package]]
 name = "build-deps"
 version = "0.1.4"
@@ -131,9 +119,9 @@ dependencies = [
 
 [[package]]
 name = "bumpalo"
-version = "3.11.1"
+version = "3.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "572f695136211188308f16ad2ca5c851a712c464060ae6974944458eb83880ba"
+checksum = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535"
 
 [[package]]
 name = "byteorder"
@@ -149,9 +137,9 @@ checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
 
 [[package]]
 name = "cc"
-version = "1.0.78"
+version = "1.0.79"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a20104e2335ce8a659d6dd92a51a767a0c062599c73b343fd152cb401e828c3d"
+checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f"
 
 [[package]]
 name = "cexpr"
@@ -170,9 +158,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
 [[package]]
 name = "clang-sys"
-version = "1.4.0"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa2e27ae6ab525c3d369ded447057bca5438d86dc3a68f6faafb8269ba82ebf3"
+checksum = "77ed9a53e5d4d9c573ae844bfac6872b159cb1d1585a83b29e7a64b7eef7332a"
 dependencies = [
  "glob",
  "libc",
@@ -314,13 +302,12 @@ dependencies = [
 
 [[package]]
 name = "csv"
-version = "1.1.6"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22813a6dc45b335f9bade10bf7271dc477e81113e89eb251a0bc2a8a81c536e1"
+checksum = "af91f40b7355f82b0a891f50e70399475945bb0b0da4f1700ce60761c9d3e359"
 dependencies = [
- "bstr",
  "csv-core",
- "itoa 0.4.8",
+ "itoa",
  "ryu",
  "serde",
 ]
@@ -336,9 +323,9 @@ dependencies = [
 
 [[package]]
 name = "either"
-version = "1.8.0"
+version = "1.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90e5c1c8368803113bf0c9584fc495a58b86dc8a29edbf8fe877d21d9507e797"
+checksum = "7fcaabb2fef8c910e7f4c7ce9f67a1283a1715879a7c230ca9d6d1ae31f16d91"
 
 [[package]]
 name = "env_logger"
@@ -389,14 +376,14 @@ dependencies = [
 
 [[package]]
 name = "filetime"
-version = "0.2.19"
+version = "0.2.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4e884668cd0c7480504233e951174ddc3b382f7c2666e3b7310b5c4e7b0c37f9"
+checksum = "8a3de6e8d11b22ff9edc6d916f890800597d60f8b2da1caf2955c274638d6412"
 dependencies = [
  "cfg-if",
  "libc",
  "redox_syscall",
- "windows-sys 0.42.0",
+ "windows-sys",
 ]
 
 [[package]]
@@ -420,9 +407,9 @@ dependencies = [
 
 [[package]]
 name = "gimli"
-version = "0.27.0"
+version = "0.27.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dec7af912d60cdbd3677c1af9352ebae6fb8394d165568a2234df0fa00f87793"
+checksum = "ad0a93d233ebf96623465aad4046a8d3aa4da22d4f4beba5388838c8a434bbb4"
 
 [[package]]
 name = "glob"
@@ -499,19 +486,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1abeb7a0dd0f8181267ff8adc397075586500b81b28a73e8a0208b00fc170fb3"
 dependencies = [
  "libc",
- "windows-sys 0.45.0",
+ "windows-sys",
 ]
 
 [[package]]
 name = "is-terminal"
-version = "0.4.3"
+version = "0.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22e18b0a45d56fe973d6db23972bf5bc46f988a4a2385deac9cc29572f09daef"
+checksum = "21b6b32576413a8e69b90e952e4a026476040d81017b80445deda5f2d3921857"
 dependencies = [
  "hermit-abi 0.3.1",
  "io-lifetimes",
  "rustix",
- "windows-sys 0.45.0",
+ "windows-sys",
 ]
 
 [[package]]
@@ -523,12 +510,6 @@ dependencies = [
  "either",
 ]
 
-[[package]]
-name = "itoa"
-version = "0.4.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4"
-
 [[package]]
 name = "itoa"
 version = "1.0.5"
@@ -537,9 +518,9 @@ checksum = "fad582f4b9e86b6caa621cabeb0963332d92eea04729ab12892c2533951e6440"
 
 [[package]]
 name = "js-sys"
-version = "0.3.60"
+version = "0.3.61"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49409df3e3bf0856b916e2ceaca09ee28e6871cf7d9ce97a692cacfdb2a25a47"
+checksum = "445dde2150c55e483f3d8416706b97ec8e8237c307e5b7b4b8dd15e6af2a0730"
 dependencies = [
  "wasm-bindgen",
 ]
@@ -564,9 +545,9 @@ checksum = "201de327520df007757c1f0adce6e827fe8562fbc28bfd9c15571c66ca1f5f79"
 
 [[package]]
 name = "libflate"
-version = "1.2.0"
+version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05605ab2bce11bcfc0e9c635ff29ef8b2ea83f29be257ee7d730cac3ee373093"
+checksum = "97822bf791bd4d5b403713886a5fbe8bf49520fe78e323b0dc480ca1a03e50b0"
 dependencies = [
  "adler32",
  "crc32fast",
@@ -575,9 +556,9 @@ dependencies = [
 
 [[package]]
 name = "libflate_lz77"
-version = "1.1.0"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "39a734c0493409afcd49deee13c006a04e3586b9761a03543c6272c9c51f2f5a"
+checksum = "a52d3a8bfc85f250440e4424db7d857e241a3aebbbe301f3eb606ab15c39acbf"
 dependencies = [
  "rle-decode-fast",
 ]
@@ -677,9 +658,9 @@ dependencies = [
 
 [[package]]
 name = "nom"
-version = "7.1.2"
+version = "7.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e5507769c4919c998e69e49c839d9dc6e693ede4cc4290d6ad8b41d4f09c548c"
+checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
 dependencies = [
  "memchr",
  "minimal-lexical",
@@ -706,18 +687,18 @@ dependencies = [
 
 [[package]]
 name = "object"
-version = "0.30.1"
+version = "0.30.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d864c91689fdc196779b98dba0aceac6118594c2df6ee5d943eb6a8df4d107a"
+checksum = "ea86265d3d3dcb6a27fc51bd29a4bf387fae9d2986b823079d4986af253eb439"
 dependencies = [
  "memchr",
 ]
 
 [[package]]
 name = "once_cell"
-version = "1.17.0"
+version = "1.17.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6f61fba1741ea2b3d6a1e3178721804bb716a68a6aeba1149b5d52e3d464ea66"
+checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3"
 
 [[package]]
 name = "oorandom"
@@ -797,9 +778,9 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.49"
+version = "1.0.51"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "57a8eca9f9c4ffde41714334dee777596264c7825420f521abc92b5b5deb63a5"
+checksum = "5d727cae5b39d21da60fa540906919ad737832fe0b1c165da3a34d6548c849d6"
 dependencies = [
  "unicode-ident",
 ]
@@ -825,9 +806,9 @@ dependencies = [
 
 [[package]]
 name = "rayon-core"
-version = "1.10.1"
+version = "1.10.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cac410af5d00ab6884528b4ab69d1e8e146e8d471201800fa1b4524126de6ad3"
+checksum = "356a0625f1954f730c0201cdab48611198dc6ce21f4acff55089b5a78e6e835b"
 dependencies = [
  "crossbeam-channel",
  "crossbeam-deque",
@@ -846,21 +827,15 @@ dependencies = [
 
 [[package]]
 name = "regex"
-version = "1.7.0"
+version = "1.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e076559ef8e241f2ae3479e36f97bd5741c0330689e217ad51ce2c76808b868a"
+checksum = "48aaa5748ba571fb95cd2c85c09f629215d3a6ece942baa100950af03a34f733"
 dependencies = [
  "aho-corasick",
  "memchr",
  "regex-syntax",
 ]
 
-[[package]]
-name = "regex-automata"
-version = "0.1.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
-
 [[package]]
 name = "regex-syntax"
 version = "0.6.28"
@@ -890,7 +865,7 @@ checksum = "3582f63211428f83597b51b2ddb88e2a91a9d52d12831f9d08f5e624e8977422"
 
 [[package]]
 name = "rosenpass"
-version = "0.1.1-rc.1"
+version = "0.1.2-rc.3"
 dependencies = [
  "anyhow",
  "base64",
@@ -931,7 +906,7 @@ dependencies = [
  "io-lifetimes",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.45.0",
+ "windows-sys",
 ]
 
 [[package]]
@@ -1006,11 +981,11 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.91"
+version = "1.0.93"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "877c235533714907a8c2464236f5c4b2a17262ef1bd71f38f35ea592c8da6883"
+checksum = "cad406b69c91885b5107daf2c29572f6c8cdb3c66826821e286c533490c0bc76"
 dependencies = [
- "itoa 1.0.5",
+ "itoa",
  "ryu",
  "serde",
 ]
@@ -1041,9 +1016,9 @@ checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
 
 [[package]]
 name = "syn"
-version = "1.0.107"
+version = "1.0.109"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f4064b5b16e03ae50984a5a8ed5d4f8803e6bc1fd170a3cda91a1be4b18e3f5"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1063,9 +1038,9 @@ dependencies = [
 
 [[package]]
 name = "termcolor"
-version = "1.1.3"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bab24d30b911b2376f3a13cc2cd443142f0c81dda04c118693e35b3835757755"
+checksum = "be55cf8942feac5c765c2c993422806843c9a9a45d4d5c407ad6dd2ea95eb9b6"
 dependencies = [
  "winapi-util",
 ]
@@ -1132,9 +1107,9 @@ dependencies = [
 
 [[package]]
 name = "tinyvec_macros"
-version = "0.1.0"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "unicode-bidi"
@@ -1214,9 +1189,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.83"
+version = "0.2.84"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eaf9f5aceeec8be17c128b2e93e031fb8a4d469bb9c4ae2d7dc1888b26887268"
+checksum = "31f8dcbc21f30d9b8f2ea926ecb58f6b91192c17e9d33594b3df58b2007ca53b"
 dependencies = [
  "cfg-if",
  "wasm-bindgen-macro",
@@ -1224,9 +1199,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.83"
+version = "0.2.84"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c8ffb332579b0557b52d268b91feab8df3615f265d5270fec2a8c95b17c1142"
+checksum = "95ce90fd5bcc06af55a641a86428ee4229e44e07033963a2290a8e241607ccb9"
 dependencies = [
  "bumpalo",
  "log",
@@ -1239,9 +1214,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.83"
+version = "0.2.84"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "052be0f94026e6cbc75cdefc9bae13fd6052cdcaf532fa6c45e7ae33a1e6c810"
+checksum = "4c21f77c0bedc37fd5dc21f897894a5ca01e7bb159884559461862ae90c0b4c5"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -1249,9 +1224,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.83"
+version = "0.2.84"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "07bc0c051dc5f23e307b13285f9d75df86bfdf816c5721e573dec1f9b8aa193c"
+checksum = "2aff81306fcac3c7515ad4e177f521b5c9a15f2b08f4e32d823066102f35a5f6"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1262,15 +1237,15 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.83"
+version = "0.2.84"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c38c045535d93ec4f0b4defec448e4291638ee608530863b1e2ba115d4fff7f"
+checksum = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d"
 
 [[package]]
 name = "web-sys"
-version = "0.3.60"
+version = "0.3.61"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bcda906d8be16e728fd5adc5b729afad4e444e106ab28cd1c7256e54fa61510f"
+checksum = "e33b99f4b23ba3eec1a53ac264e35a755f00e966e0065077d6027c0f575b0b97"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -1297,9 +1272,9 @@ dependencies = [
 
 [[package]]
 name = "which"
-version = "4.3.0"
+version = "4.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c831fbbee9e129a8cf93e7747a82da9d95ba8e16621cae60ec2cdc849bacb7b"
+checksum = "2441c784c52b289a054b7201fc93253e288f094e2f4be9058343127c4226a269"
 dependencies = [
  "either",
  "libc",
@@ -1337,21 +1312,6 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 
-[[package]]
-name = "windows-sys"
-version = "0.42.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a3e1820f08b8513f676f7ab6c1f99ff312fb97b553d30ff4dd86f9f15728aa7"
-dependencies = [
- "windows_aarch64_gnullvm",
- "windows_aarch64_msvc",
- "windows_i686_gnu",
- "windows_i686_msvc",
- "windows_x86_64_gnu",
- "windows_x86_64_gnullvm",
- "windows_x86_64_msvc",
-]
-
 [[package]]
 name = "windows-sys"
 version = "0.45.0"
@@ -1438,9 +1398,9 @@ dependencies = [
 
 [[package]]
 name = "zip"
-version = "0.6.3"
+version = "0.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "537ce7411d25e54e8ae21a7ce0b15840e7bfcff15b51d697ec3266cc76bdf080"
+checksum = "0445d0fbc924bb93539b4316c11afb121ea39296f99a3c4c9edad09e3658cdef"
 dependencies = [
  "byteorder",
  "crc32fast",

Cargo.toml

@@ -1,12 +1,13 @@
 [package]
 name = "rosenpass"
-version = "0.1.1-rc.1"
+version = "0.1.2-rc.3"
 authors = ["Karolin Varner <karo@cupdev.net>", "wucke13 <wucke13@gmail.com>"]
 edition = "2021"
 license = "MIT OR Apache-2.0"
 description = "Build post-quantum-secure VPNs with WireGuard!"
 homepage = "https://rosenpass.eu/"
 repository = "https://github.com/rosenpass/rosenpass"
+readme = "readme.md"
 
 [[bench]]
 name = "handshake"

flake.nix

@@ -132,8 +132,32 @@
               default = rosenpass;
               rosenpass = rpDerivation pkgs;
               rosenpass-oci-image = rosenpassOCI "rosenpass";
-            } // (if pkgs.stdenv.isLinux then rec {
+
               rosenpass-static = rpDerivation pkgs.pkgsStatic;
+
+              # derivation for the release
+              release-package =
+                let
+                  version = cargoToml.package.version;
+                  package =
+                    if pkgs.hostPlatform.isLinux then
+                      packages.rosenpass-static
+                    else packages.rosenpass-static;
+                  oci-image =
+                    if pkgs.hostPlatform.isLinux then
+                      packages.rosenpass-static-oci-image
+                    else packages.rosenpass-oci-image;
+                in
+                pkgs.runCommandNoCC "lace-result" { }
+                  ''
+                    mkdir {bin,$out}
+                    cp ${./.}/rp bin/
+                    tar -cvf $out/rosenpass-${system}-${version}.tar bin/rp \
+                      -C ${package} bin/rosenpass
+                    cp ${oci-image} \
+                      $out/rosenpass-oci-image-${system}-${version}.tar.gz
+                  '';
+            } // (if pkgs.stdenv.isLinux then rec {
               rosenpass-static-oci-image = rosenpassOCI "rosenpass-static";
             } else { });
           }
@@ -222,6 +246,7 @@
             nativeBuildInputs = with pkgs; [
               cargo-release
               clippy
+              nodePackages.prettier
               rustfmt
               packages.proverif-patched
             ];
@@ -241,7 +266,11 @@
             # '';
             nixpkgs-fmt = pkgs.runCommand "check-nixpkgs-fmt"
               { nativeBuildInputs = [ pkgs.nixpkgs-fmt ]; } ''
-              nixpkgs-fmt --check ${./.} > $out
+              nixpkgs-fmt --check ${./.} && touch $out
+            '';
+            prettier-check = pkgs.runCommand "check-with-prettier"
+              { nativeBuildInputs = [ pkgs.nodePackages.prettier ]; } ''
+              cd ${./.} && prettier --check . && touch $out
             '';
           };
         }))

papers/graphics/readme.md

@@ -0,0 +1,5 @@
+# Illustrations
+
+## License
+
+The graphics graphics (SVG, PDF, and PNG files) in this folder are released under the CC BY-SA 4.0 license.

papers/prftree.d2

@@ -1,218 +0,0 @@
-root: 0  { shape: text }
-PROTOCOL: "PROTOCOL"  { shape: text }
-
-protocol_comment: 'PROTOCOL = "rosenpass 1 rosenpass.eu aead=chachapoly1305 dprf=blake2s ekem=lightsaber skem=mceliece460896 xaead=xchachapoly1305"' { shape: text}
-
-ck_init: '"chaining key init"' { shape: text }
-ck_ext: '"chaining key extract"'  { shape: text }
-
-mac: '"mac"' { shape: text }
-mac_param: MAC_WIRE_DATA { shape: text }
-cookie: '"cookie"' { shape: text }
-cookie_param: COOKIE_WIRE_DATA { shape: text }
-peer_id: '"peer_id"' { shape: text }
-peer_id_p1: spkm { shape: text}
-peer_id_p2: spkt { shape: text}
-
-root -> PROTOCOL
-
-PROTOCOL -> mac -> mac_param
-PROTOCOL -> cookie -> cookie_param
-PROTOCOL -> peer_id -> peer_id_p1 -> peer_id_p2
-PROTOCOL -> ck_init
-PROTOCOL -> ck_ext
-
-mix: '"mix"' { shape: text }
-user: '"user"' { shape: text }
-rp_eu: '"rosenpass.eu"' { shape: text }
-wg_psk: '"wireguard psk"' { shape: text }
-hs_enc: '"handshake encryption"' { shape: text }
-ini_enc: '"initiator session encryption"' { shape: text }
-res_enc: '"responder session encryption"' { shape: text }
-
-ck_ext -> mix
-ck_ext -> user -> rp_eu -> wg_psk
-ck_ext -> hs_enc
-ck_ext -> ini_enc
-ck_ext -> res_enc
-
-# ck_init -> InitHello.start
-
-InitHello {
-  start   -> d0 \
-    -> m1 -> d1 \
-    -> m2 -> d2
-
-              d2 -> encaps_spkr.m1
-  encaps_spkr.d3 -> encrypt_ltk.m1
-  encaps_spkr.d3 -> encrypt_ltk.key
-  encrypt_ltk.d1 -> encrypt_auth.m1
-  encrypt_ltk.d1 -> encrypt_auth.key
-
-  m1: "mix" { shape: text }
-  m2: "mix" { shape: text }
-
-  start: '"chaining key init"' { shape: text }
-  d0: "spkr" { shape: circle }
-  d1: "sidi" { shape: circle }
-  d2: "epki" { shape: circle }
-
-  encaps_spkr {
-       m1 -> d1 \
-    -> m2 -> d2 \
-    -> m3 -> d3 \
-
-    m1: "mix" { shape: text }
-    m2: "mix" { shape: text }
-    m3: "mix" { shape: text }
-
-    d1: "spkr" { shape: circle }
-    d2: "sctr" { shape: circle }
-    d3: "sptr" { shape: circle }
-  }
-
-  encrypt_ltk {
-    m1 -> d1
-
-    encrypt: 'Aead::enc(peer_id(spkr, spki))'
-    key -> encrypt: {
-      target-arrowhead.label: key
-    }
-    data -> encrypt: {
-      target-arrowhead.label: data
-    }
-    encrypt -> d1: {
-      source-arrowhead.label: output
-    }
-
-    m1: "mix" { shape: text }
-    key: '"handshake encryption"' { shape: text }
-    data: 'ref from "peer id" branch after spkt' { shape: text }
-    d1: "ct" { shape: diamond }
-  }
-
-  encrypt_auth {
-    m1 -> d1
-
-    encrypt: 'Aead::enc(empty())'
-    key -> encrypt: {
-      target-arrowhead.label: key
-    }
-    encrypt -> d1: {
-      source-arrowhead.label: output
-    }
-
-    m1: "mix" { shape: text }
-    key: '"handshake encryption"' { shape: text }
-    d1: "ct" { shape: diamond }
-  }
-}
-
-RespHello {
-  start -> d0 -> m1 -> d1
-              d1 -> encaps_epki.m1
-  encaps_epki.d3 -> encaps_spki.m1
-  encaps_spki.d3 -> m2 -> d2
-  d2 -> encrypt_auth.m1
-
-  store_biscuit -> d2
-  "pidi" -> store_biscuit {
-    target-arrowhead.label: "field=peerid"
-  }
-  encaps_spki.d3 -> store_biscuit {
-    target-arrowhead.label: "field=ck"
-  }
-
-
-  m1: "mix" { shape: text }
-  m2: "mix" { shape: text }
-
-  start: '(state from InitHello)' { shape: text }
-  d0: "sidr" { shape: circle }
-  d1: "sidi" { shape: circle }
-  d2: "biscuit" { shape: diamond }
-
-  store_biscuit: "store_biscuit()"
-
-  encaps_epki {
-       m1 -> d1 \
-    -> m2 -> d2 \
-    -> m3 -> d3 \
-
-    m1: "mix" { shape: text }
-    m2: "mix" { shape: text }
-    m3: "mix" { shape: text }
-
-    d1: "epki" { shape: circle }
-    d2: "ecti" { shape: circle }
-    d3: "epti" { shape: circle }
-  }
-
-  encaps_spki {
-       m1 -> d1 \
-    -> m2 -> d2 \
-    -> m3 -> d3 \
-
-    m1: "mix" { shape: text }
-    m2: "mix" { shape: text }
-    m3: "mix" { shape: text }
-
-    d1: "spki" { shape: circle }
-    d2: "scti" { shape: circle }
-    d3: "spti" { shape: circle }
-  }
-
-  encrypt_auth {
-    m1 -> d1
-
-    encrypt: 'Aead::enc(empty())'
-    key -> encrypt: {
-      target-arrowhead.label: key
-    }
-    encrypt -> d1: {
-      source-arrowhead.label: output
-    }
-
-    m1: "mix" { shape: text }
-    key: '"handshake encryption"' { shape: text }
-    d1: "ct" { shape: diamond }
-  }
-}
-
-InitConf {
-  start -> d0 -> m1 -> d1 -> encrypt_auth.m1
-
-  encrypt_auth.d1 -> ol1 -> o1
-  encrypt_auth.d1 -> ol2 -> o2
-  encrypt_auth.d1 -> ol3 -> o3
-
-  m1: "mix" { shape: text }
-
-  start: '(state from RespHello)' { shape: text }
-  d0: "sidi" { shape: circle }
-  d1: "sidr" { shape: circle }
-
-  ol1: '"wireguard psk"' { shape: text }
-  ol2: '"initiator session encryption"' { shape: text }
-  ol3: '"responder session encryption"' { shape: text}
-                                                             o2: "" { shape: page }
-  o1: "" { shape: step }
-  o2: "" { shape: step }
-  o3: "" { shape: step }
-
-  encrypt_auth {
-    m1 -> d1
-
-    encrypt: 'Aead::enc(empty())'
-    key -> encrypt: {
-      target-arrowhead.label: key
-    }
-    encrypt -> d1: {
-      source-arrowhead.label: output
-    }
-
-    m1: "mix" { shape: text }
-    key: '"handshake encryption"' { shape: text }
-    d1: "ct" { shape: diamond }
-  }
-}

papers/readme.md

@@ -16,10 +16,14 @@ You can build the PDF files from Markdown using `latexmk`. Simply run
 latexmk -r tex/CI.rc
 ```
 
-inside `papers/`.  The PDF files will be located directly in `papers/`.
+inside `papers/`. The PDF files will be located directly in `papers/`.
 
 ## Add version info within the template-rosenpass files
 
 The version info is using gitinfo2. To use the setup one has to run the `papers/tex/gitinfo2.sh` script. In local copies it's also possible to add this as a post-checkout or post-commit hook to keep it automatically up to date.
 
-The version information in the footer automatically includes a “draft”. This can be removed by tagging a release version using `\jobname-release`, e.h. `whitepaper-release`  for the `whitepaper.md` file.
+The version information in the footer automatically includes a “draft”. This can be removed by tagging a release version using `\jobname-release`, e.h. `whitepaper-release` for the `whitepaper.md` file.
+
+## Licensing of assets
+
+The text files and graphics in this folder (i.e. whitepaper.md, the SVG, PDF, and PNG files in the graphics/ folder) are released under the CC BY-SA 4.0 license.

papers/sequencing.d2

@@ -1,81 +0,0 @@
-Protocol: {
-  shape: sequence_diagram
-  ini: "Initiator"
-  res: "Responder"
-  ini -> res: "InitHello"
-  res -> ini: "RespHello"
-  ini -> res: "InitConf"
-  res -> ini: "EmptyData"
-}
-
-Envelope: "Envelope" {
-  shape: class
-  type: "1"
-  '': 3
-  payload: variable
-  mac: 16
-  cookie: 16
-}
-
-Envelope.payload -> InitHello
-InitHello: "InitHello (type=0x81)" {
-  shape: class
-  sidi: 4
-  epki: 800
-  sctr: 188
-  peerid: 32 + 16 = 48
-  auth: 16
-}
-
-Envelope.payload -> RespHello
-RespHello: "RespHello (type=0x82)" {
-  shape: class
-  sidr: 4
-  sidi: 4
-  ecti: 768
-  scti: 188
-  biscuit: 76 + 24 + 16 = 116
-  auth: 16
-}
-
-Envelope.payload -> InitConf
-InitConf: "InitConf (type=0x83)" {
-  shape: class
-  sidi: 4
-  sidr: 4
-  biscuit: 76 + 24 +16 = 116
-  auth: 16
-}
-
-Envelope.payload -> EmptyData
-EmptyData: "EmptyData (type=0x84)" {
-  shape: class
-  sidx: 4
-  ctr: 8
-  auth: 16
-}
-
-Envelope.payload -> Data
-Data: "Data (type=0x85)" {
-  shape: class
-  sidx: 4
-  ctr: 8
-  data: variable + 16
-}
-
-Envelope.payload -> CookieReply
-CookieReply: "CookieReply (type=0x86)" {
-  shape: class
-  sidx: 4
-  nonce: 24
-  cookie: 16 + 16 = 32
-}
-
-RespHello.biscuit -> Biscuit
-InitConf.biscuit -> Biscuit
-Biscuit: "Biscuit" {
-  shape: class
-  peerid: 32
-  no: 12
-  ck: 32
-}

papers/tex/template-rosenpass.tex

@@ -130,7 +130,7 @@
 \bool_set_false:N \l_tmpa_bool
 \gitAbbrevHash{}~(\gitAuthorDate
 \clist_map_inline:Nn \gitTags {
-	\exp_args:Nx \str_if_eq:nnT {\jobname-release} {test-whitepaper}  {\bool_set_true:N \l_tmpa_bool\clist_map_break:}
+	\exp_args:Nx \str_if_eq:nnT {\jobname-release} {whitepaper-release}  {\bool_set_true:N \l_tmpa_bool\clist_map_break:}
 }
 \bool_if:NF \l_tmpa_bool {~--~draft}
 )

papers/whitepaper.md

@@ -33,7 +33,7 @@ abstract: |
 Rosenpass inherits most security properties from Post-Quantum WireGuard (PQWG). The security properties mentioned here are covered by the symbolic analysis in the Rosenpass repository. 
 
 ## Secrecy
-Three key encapsulations using the keypairs `sski`/`spki`, `sskr`/`spkr`, and `eski`/`epki` provide secrecy (see Section \ref{variables} for an introduction of the variables). Their respective ciphertexts are called `scti`, `sctr`, and `ectr` and the resulting keys are called `spti`, `sptr`, `epti`. A single secure encapsulation is sufficient to provide secrecy. We use two different KEMs (Key Encapsulation Methods; see section \ref{skem}): Kyber and Classic McEliece.
+Three key encapsulations using the keypairs `sski`/`spki`, `sskr`/`spkr`, and `eski`/`epki` provide secrecy (see Section \ref{variables} for an introduction of the variables). Their respective ciphertexts are called `scti`, `sctr`, and `ectr` and the resulting keys are called `spti`, `sptr`, `epti`. A single secure encapsulation is sufficient to provide secrecy. We use two different KEMs (Key Encapsulation Mechanisms; see section \ref{skem}): Kyber and Classic McEliece.
 
 ## Authenticity
 

readme.md

@@ -1,5 +1,10 @@
 # Rosenpass README
 
+![Nix](https://github.com/rosenpass/rosenpass/actions/workflows/nix.yaml/badge.svg)
+![QC](https://github.com/rosenpass/rosenpass/actions/workflows/qc.yaml/badge.svg)
+![crates.io](https://img.shields.io/crates/v/rosenpass.svg)
+![Libraries.io dependency status for latest release](https://img.shields.io/librariesio/release/cargo/rosenpass)
+
 This repository contains
 
 1. A description of the [Rosenpass protocol](https://github.com/rosenpass/rosenpass/raw/papers-pdf/whitepaper.pdf)
@@ -9,9 +14,7 @@ This repository contains
 
 ## Getting started
 
-[how to install nix]
-[how to build with nix]
-[how to build without nix]
+First, [install rosenpass](#Getting-Rosenpass). Then, check out the help funtions of `rp` & `rosenpass`:
 
 ```sh
 rp help
@@ -24,7 +27,7 @@ Follow [quickstart instructions](https://rosenpass.eu/#start) to get a VPN up an
 
 The [rosenpass tool](./src/) is written in Rust and uses liboqs[^liboqs] and libsodium[^libsodium]. The tool establishes a symmetric key and provides it to WireGuard. Since it supplies WireGuard with key through the PSK feature using Rosenpass+WireGuard is cryptographically no less secure than using WireGuard on its own ("hybrid security"). Rosenpass refreshes the symmetric key every two minutes.
 
-As with any application a small risk of critical security issues (such as buffer overflows, remote code execution)  exists; the Rosenpass application is written in the Rust programming language which is much less prone to such issues. Rosenpass can also write keys to files instead of supplying them to WireGuard With a bit of scripting the stand alone mode of the implementation can be used to run the application in a Container, VM or on another host. This mode can also be used to integrate tools other than WireGuard with Rosenpass.
+As with any application a small risk of critical security issues (such as buffer overflows, remote code execution) exists; the Rosenpass application is written in the Rust programming language which is much less prone to such issues. Rosenpass can also write keys to files instead of supplying them to WireGuard With a bit of scripting the stand alone mode of the implementation can be used to run the application in a Container, VM or on another host. This mode can also be used to integrate tools other than WireGuard with Rosenpass.
 
 The [`rp`](./rp) tool written in bash makes it easy to create a VPN using WireGuard and Rosenpass.
 
@@ -36,8 +39,8 @@ and Rosenpass private keys, takes control of the interface and works with exactl
 rp allocates two UDP ports; if port N is specified for rosenpass, it will allocate port N+1 for WireGuard.
 
 Like WireGuard, Rosenpass does not enforce any separation between clients and servers.
-If you do not specify the `listen` option, Rosenpass and WireGuard will choose random ports; this is *client mode*.
-If you do not specify `endpoint`, Rosenpass will not try to connect to the peer and instead wait for connections from peers. This is *server mode*.
+If you do not specify the `listen` option, Rosenpass and WireGuard will choose random ports; this is _client mode_.
+If you do not specify `endpoint`, Rosenpass will not try to connect to the peer and instead wait for connections from peers. This is _server mode_.
 You may specify both. Leaving out both is not forbidden but also not very useful.
 
 ## Security analysis
@@ -55,7 +58,19 @@ The analysis is implemented according to modern software engineering principles:
 The code uses a variety of optimizations to speed up analysis such as using secret functions to model trusted/malicious setup. We split the model into two separate entry points which can be analyzed in parallel. Each is much faster than both models combined.
 A wrapper script provides instant feedback about which queries execute as expected in color: A red cross if a query fails and a green check if it succeeds.
 
+[^liboqs]: https://openquantumsafe.org/liboqs/
+[^libsodium]: https://doc.libsodium.org/
 [^wg]: https://www.wireguard.com/
 [^pqwg]: https://eprint.iacr.org/2020/379
 [^pqwg-statedis]: Unless supplied with a pre-shared-key, but this defeates the purpose of a key exchange protocol
-[^wg-statedis]: https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.html
+[^wg-statedis]: https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.htmlA
+
+# Getting Rosenpass
+
+Rosenpass is packaged for more and more distros, maybe also for the distro of your choice?
+
+[![Packaging status](https://repology.org/badge/vertical-allrepos/rosenpass.svg)](https://repology.org/project/rosenpass/versions)
+
+# Supported by
+
+Funded through <a href="https://nlnet.nl/">NLNet</a> with financial support for the European Commission's <a href="https://nlnet.nl/assure">NGI Assure</a> program.

rp

@@ -123,7 +123,7 @@ fatal() {
 genkey() {
   usagestack+=("PRIVATE_KEYS_DIR")
   local skdir
-  skdir="${1/\//}"; shift || fatal "Required positional argument: PRIVATE_KEYS_DIR"
+  skdir="${1%/}"; shift || fatal "Required positional argument: PRIVATE_KEYS_DIR"
 
   while (( $# > 0 )); do
     local arg; arg="$1"; shift
@@ -149,8 +149,8 @@ genkey() {
 pubkey() {
   usagestack+=("PRIVATE_KEYS_DIR" "PUBLIC_KEYS_DIR")
   local skdir pkdir
-  skdir="${1/\//}"; shift || fatal "Required positional argument: PRIVATE_KEYS_DIR"
-  pkdir="${1/\//}"; shift || fatal "Required positional argument: PUBLIC_KEYS_DIR"
+  skdir="${1%/}"; shift || fatal "Required positional argument: PRIVATE_KEYS_DIR"
+  pkdir="${1%/}"; shift || fatal "Required positional argument: PUBLIC_KEYS_DIR"
 
   while (( $# > 0 )); do
     local arg; arg="$1"; shift
@@ -174,7 +174,7 @@ exchange() {
   usagestack+=("PRIVATE_KEYS_DIR" "[dev <device>]" "[listen <ip>:<port>]" "[peer PUBLIC_KEYS_DIR [endpoint <ip>:<port>] [persistent-keepalive <interval>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...]]...")
   local skdir dev lport
   dev="${project_name}0"
-  skdir="${1/\//}"; shift || fatal "Required positional argument: PRIVATE_KEYS_DIR"
+  skdir="${1%/}"; shift || fatal "Required positional argument: PRIVATE_KEYS_DIR"
 
   while (( $# > 0 )); do
     local arg; arg="$1"; shift
@@ -238,7 +238,7 @@ exchange() {
     shift; # Skip "peer" argument
 
     local peerdir ip port keepalive allowedips
-    peerdir="${1/\//}"; shift || fatal "Required peer argument: PUBLIC_KEYS_DIR"
+    peerdir="${1%/}"; shift || fatal "Required peer argument: PUBLIC_KEYS_DIR"
 
     while (( $# > 0 )); do
       local arg; arg="$1"; shift
@@ -282,6 +282,29 @@ exchange() {
   done
 }
 
+find_rosenpass_binary() {
+  local binary; binary=""
+  if [[ -n "${gitdir}" ]]; then
+    # If rp is run from the git repo, use the newest build artifact
+    binary=$(
+      find "${gitdir}/result/bin/${project_name}" \
+           "${gitdir}"/target/{release,debug}/"${project_name}" \
+           -printf "%T@ %p\n" 2>/dev/null \
+        | sort -nr \
+        | awk 'NR==1 { print($2) }'
+    )
+  elif [[ -n "${nixdir}" ]]; then
+    # If rp is run from nix, use the nix-installed rosenpass version
+    binary="${nixdir}/bin/${project_name}"
+  fi
+
+  if [[ -z "${binary}" ]]; then
+    binary="${project_name}"
+  fi
+
+  echo "${binary}"
+}
+
 main() {
   formatting_init
   cleanup_init
@@ -289,15 +312,11 @@ main() {
   frag_init
 
   project_name="rosenpass"
-  scriptdir="$(dirname "${script}")"
   verbose=0
-  binary="$(
-    find "${scriptdir}"/target/{release,debug}/"${project_name}" -printf "%T@ %p\n" 2>/dev/null \
-      | sort -nr \
-      | awk -v fallback="${project_name}" '
-          NR == 1 { print($2) }
-          END { if (NR == 0) print(fallback) }'
-  )"
+  scriptdir="$(dirname "${script}")"
+  gitdir="$(git -C "${scriptdir}" rev-parse --show-toplevel 2>/dev/null)" || true
+  nixdir="$(readlink -f result/bin/rp | grep -Pio '^/nix/store/[^/]+(?=/bin/[^/]+)')" || true
+  binary="$(find_rosenpass_binary)"
 
   # Parse command