diff --git a/Cargo.toml b/Cargo.toml index bb8274d..8583095 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -2,17 +2,17 @@ resolver = "2" members = [ - "rosenpass", - "cipher-traits", - "ciphers", - "util", - "constant-time", - "oqs", - "to", - "fuzz", - "secret-memory", - "rp", - "wireguard-broker", + "rosenpass", + "cipher-traits", + "ciphers", + "util", + "constant-time", + "oqs", + "to", + "fuzz", + "secret-memory", + "rp", + "wireguard-broker", ] default-members = ["rosenpass", "rp", "wireguard-broker"] @@ -42,7 +42,7 @@ toml = "0.7.8" static_assertions = "1.1.0" allocator-api2 = "0.2.14" memsec = { git = "https://github.com/rosenpass/memsec.git", rev = "aceb9baee8aec6844125bd6612f92e9a281373df", features = [ - "alloc_ext", + "alloc_ext", ] } rand = "0.8.5" typenum = "1.17.0" @@ -55,14 +55,14 @@ arbitrary = { version = "1.4.1", features = ["derive"] } anyhow = { version = "1.0.95", features = ["backtrace", "std"] } mio = { version = "1.0.3", features = ["net", "os-poll"] } oqs-sys = { version = "0.9.1", default-features = false, features = [ - 'classic_mceliece', - 'kyber', + 'classic_mceliece', + 'kyber', ] } blake2 = "0.10.6" sha3 = "0.10.8" chacha20poly1305 = { version = "0.10.1", default-features = false, features = [ - "std", - "heapless", + "std", + "heapless", ] } zerocopy = { version = "0.7.35", features = ["derive"] } home = "=0.5.9" # 5.11 requires rustc 1.81 @@ -72,7 +72,7 @@ postcard = { version = "1.1.1", features = ["alloc"] } libcrux = { version = "0.0.2-pre.2" } libcrux-chacha20poly1305 = { version = "0.0.2-beta.3" } libcrux-ml-kem = { version = "0.0.2-beta.3" } -libcrux-blake2 = { git = "https://github.com/cryspen/libcrux.git", rev = "10ce653e9476"} +libcrux-blake2 = { git = "https://github.com/cryspen/libcrux.git", rev = "10ce653e9476" } hex-literal = { version = "0.4.1" } hex = { version = "0.4.3" } heck = { version = "0.5.0" } @@ -90,7 +90,6 @@ criterion = "0.5.1" allocator-api2-tests = "0.2.15" procspawn = { version = "1.0.1", features = ["test-support"] } - #Broker dependencies (might need cleanup or changes) wireguard-uapi = { version = "3.0.0", features = ["xplatform"] } command-fds = "0.2.3" diff --git a/ciphers/Cargo.toml b/ciphers/Cargo.toml index 9e34a08..cee798c 100644 --- a/ciphers/Cargo.toml +++ b/ciphers/Cargo.toml @@ -12,16 +12,16 @@ rust-version = "1.77" [features] experiment_libcrux_all = [ - "experiment_libcrux_blake2", - "experiment_libcrux_chachapoly", - "experiment_libcrux_chachapoly_test", - "experiment_libcrux_kyber", + "experiment_libcrux_blake2", + "experiment_libcrux_chachapoly", + "experiment_libcrux_chachapoly_test", + "experiment_libcrux_kyber", ] experiment_libcrux_blake2 = ["dep:libcrux-blake2", "dep:thiserror"] experiment_libcrux_chachapoly = ["dep:libcrux-chacha20poly1305"] experiment_libcrux_chachapoly_test = [ - "experiment_libcrux_chachapoly", - "dep:libcrux", + "experiment_libcrux_chachapoly", + "dep:libcrux", ] experiment_libcrux_kyber = ["dep:libcrux-ml-kem", "dep:rand"] diff --git a/deny.toml b/deny.toml index c39fc94..794f7ee 100644 --- a/deny.toml +++ b/deny.toml @@ -24,11 +24,7 @@ feature-depth = 1 [advisories] # A list of advisory IDs to ignore. Note that ignored advisories will still # output a note when they are encountered. -ignore = [ - "RUSTSEC-2024-0370", - "RUSTSEC-2024-0436", - "RUSTSEC-2023-0089", -] +ignore = ["RUSTSEC-2024-0370", "RUSTSEC-2024-0436", "RUSTSEC-2023-0089"] # If this is true, then cargo deny will use the git executable to fetch advisory database. # If this is false, then it uses a built-in git library. # Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support. @@ -43,11 +39,11 @@ ignore = [ # See https://spdx.org/licenses/ for list of possible licenses # [possible values: any SPDX 3.11 short identifier (+ optional exception)]. allow = [ - "MIT", - "Apache-2.0", - "Apache-2.0 WITH LLVM-exception", - "BSD-3-Clause", - "ISC", + "MIT", + "Apache-2.0", + "Apache-2.0 WITH LLVM-exception", + "BSD-3-Clause", + "ISC", ] # The confidence threshold for detecting a license from license text. # The higher the value, the more closely the license text must be to the @@ -57,10 +53,10 @@ confidence-threshold = 0.8 # Allow 1 or more licenses on a per-crate basis, so that particular licenses # aren't accepted for every possible crate as with the normal allow list exceptions = [ - # Each entry is the crate and version constraint, and its specific allow - # list - { allow = ["Unicode-DFS-2016", "Unicode-3.0"], crate = "unicode-ident" }, - { allow = ["NCSA"], crate = "libfuzzer-sys" }, + # Each entry is the crate and version constraint, and its specific allow + # list + { allow = ["Unicode-DFS-2016", "Unicode-3.0"], crate = "unicode-ident" }, + { allow = ["NCSA"], crate = "libfuzzer-sys" }, ] @@ -94,15 +90,11 @@ workspace-default-features = "allow" # on a crate-by-crate basis if desired. external-default-features = "allow" # List of crates that are allowed. Use with care! -allow = [ -] +allow = [] # List of crates to deny -deny = [ -] +deny = [] -skip-tree = [ - -] +skip-tree = [] # This section is considered when running `cargo deny check sources`. # More documentation about the 'sources' section can be found here: diff --git a/flake.nix b/flake.nix index 2686434..6031bb3 100644 --- a/flake.nix +++ b/flake.nix @@ -15,32 +15,38 @@ treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { self, nixpkgs, flake-utils, nix-vm-test, treefmt-nix, ... }@inputs: + outputs = + { + self, + nixpkgs, + flake-utils, + nix-vm-test, + treefmt-nix, + ... + }@inputs: nixpkgs.lib.foldl (a: b: nixpkgs.lib.recursiveUpdate a b) { } [ - # ### Export the overlay.nix from this flake ### # - { - overlays.default = import ./overlay.nix; - } - + { overlays.default = import ./overlay.nix; } # ### Actual Rosenpass Package and Docker Container Images ### # - (flake-utils.lib.eachSystem [ - "x86_64-linux" - "aarch64-linux" + (flake-utils.lib.eachSystem + [ + "x86_64-linux" + "aarch64-linux" - # unsuported best-effort - "i686-linux" - "x86_64-darwin" - "aarch64-darwin" - # "x86_64-windows" - ] - (system: + # unsuported best-effort + "i686-linux" + "x86_64-darwin" + "aarch64-darwin" + # "x86_64-windows" + ] + ( + system: let # normal nixpkgs pkgs = import nixpkgs { @@ -51,121 +57,131 @@ }; in { - packages = { - default = pkgs.rosenpass; - rosenpass = pkgs.rosenpass; - rosenpass-oci-image = pkgs.rosenpass-oci-image; - rp = pkgs.rp; + packages = + { + default = pkgs.rosenpass; + rosenpass = pkgs.rosenpass; + rosenpass-oci-image = pkgs.rosenpass-oci-image; + rp = pkgs.rp; - release-package = pkgs.release-package; + release-package = pkgs.release-package; - # for good measure, we also offer to cross compile to Linux on Arm - aarch64-linux-rosenpass-static = - pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rosenpass; - aarch64-linux-rp-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rp; - } - // - # We only offer static builds for linux, as this is not supported on OS X - (nixpkgs.lib.attrsets.optionalAttrs pkgs.stdenv.isLinux { - rosenpass-static = pkgs.pkgsStatic.rosenpass; - rosenpass-static-oci-image = pkgs.pkgsStatic.rosenpass-oci-image; - rp-static = pkgs.pkgsStatic.rp; - }); + # for good measure, we also offer to cross compile to Linux on Arm + aarch64-linux-rosenpass-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rosenpass; + aarch64-linux-rp-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rp; + } + // + # We only offer static builds for linux, as this is not supported on OS X + (nixpkgs.lib.attrsets.optionalAttrs pkgs.stdenv.isLinux { + rosenpass-static = pkgs.pkgsStatic.rosenpass; + rosenpass-static-oci-image = pkgs.pkgsStatic.rosenpass-oci-image; + rp-static = pkgs.pkgsStatic.rp; + }); } - )) - + ) + ) # ### Linux specifics ### # - (flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system: - let - pkgs = import nixpkgs { - inherit system; + (flake-utils.lib.eachSystem + [ + "x86_64-linux" + "aarch64-linux" + ] + ( + system: + let + pkgs = import nixpkgs { + inherit system; - # apply our own overlay, overriding/inserting our packages as defined in ./pkgs - overlays = [ - self.overlays.default - nix-vm-test.overlays.default - ]; - }; + # apply our own overlay, overriding/inserting our packages as defined in ./pkgs + overlays = [ + self.overlays.default + nix-vm-test.overlays.default + ]; + }; - treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix; - in - { - packages.package-deb = pkgs.callPackage ./pkgs/package-deb.nix { - rosenpass = pkgs.pkgsStatic.rosenpass; - }; - packages.package-rpm = pkgs.callPackage ./pkgs/package-rpm.nix { - rosenpass = pkgs.pkgsStatic.rosenpass; - }; + treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix; + in + { + packages.package-deb = pkgs.callPackage ./pkgs/package-deb.nix { + rosenpass = pkgs.pkgsStatic.rosenpass; + }; + packages.package-rpm = pkgs.callPackage ./pkgs/package-rpm.nix { + rosenpass = pkgs.pkgsStatic.rosenpass; + }; - # - ### Reading materials ### - # - packages.whitepaper = pkgs.whitepaper; + # + ### Reading materials ### + # + packages.whitepaper = pkgs.whitepaper; - # - ### Proof and Proof Tools ### - # - packages.proverif-patched = pkgs.proverif-patched; - packages.proof-proverif = pkgs.proof-proverif; + # + ### Proof and Proof Tools ### + # + packages.proverif-patched = pkgs.proverif-patched; + packages.proof-proverif = pkgs.proof-proverif; + # + ### Devshells ### + # + devShells.default = pkgs.mkShell { + inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB; + inputsFrom = [ pkgs.rosenpass ]; + nativeBuildInputs = with pkgs; [ + cargo-release + clippy + rustfmt + nodePackages.prettier + nushell # for the .ci/gen-workflow-files.nu script + proverif-patched + ]; + }; + # TODO: Write this as a patched version of the default environment + devShells.fullEnv = pkgs.mkShell { + inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB; + inputsFrom = [ pkgs.rosenpass ]; + nativeBuildInputs = with pkgs; [ + cargo-audit + cargo-release + cargo-msrv + rustfmt + nodePackages.prettier + nushell # for the .ci/gen-workflow-files.nu script + proverif-patched + inputs.fenix.packages.${system}.complete.toolchain + pkgs.cargo-llvm-cov + pkgs.grcov + ]; + }; + devShells.coverage = pkgs.mkShell { + inputsFrom = [ pkgs.rosenpass ]; + nativeBuildInputs = [ + inputs.fenix.packages.${system}.complete.toolchain + pkgs.cargo-llvm-cov + pkgs.grcov + ]; + }; - # - ### Devshells ### - # - devShells.default = pkgs.mkShell { - inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB; - inputsFrom = [ pkgs.rosenpass ]; - nativeBuildInputs = with pkgs; [ - cargo-release - clippy - rustfmt - nodePackages.prettier - nushell # for the .ci/gen-workflow-files.nu script - proverif-patched - ]; - }; - # TODO: Write this as a patched version of the default environment - devShells.fullEnv = pkgs.mkShell { - inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB; - inputsFrom = [ pkgs.rosenpass ]; - nativeBuildInputs = with pkgs; [ - cargo-audit - cargo-release - cargo-msrv - rustfmt - nodePackages.prettier - nushell # for the .ci/gen-workflow-files.nu script - proverif-patched - inputs.fenix.packages.${system}.complete.toolchain - pkgs.cargo-llvm-cov - pkgs.grcov - ]; - }; - devShells.coverage = pkgs.mkShell { - inputsFrom = [ pkgs.rosenpass ]; - nativeBuildInputs = [ - inputs.fenix.packages.${system}.complete.toolchain - pkgs.cargo-llvm-cov - pkgs.grcov - ]; - }; + checks = + { + systemd-rosenpass = pkgs.testers.runNixOSTest ./tests/systemd/rosenpass.nix; + systemd-rp = pkgs.testers.runNixOSTest ./tests/systemd/rp.nix; + formatting = treefmtEval.config.build.check self; + } + // pkgs.lib.optionalAttrs (system == "x86_64-linux") ( + import ./tests/legacy-distro-packaging.nix { + inherit pkgs; + rosenpass-deb = self.packages.${system}.package-deb; + rosenpass-rpm = self.packages.${system}.package-rpm; + } + ); - - checks = { - systemd-rosenpass = pkgs.testers.runNixOSTest ./tests/systemd/rosenpass.nix; - systemd-rp = pkgs.testers.runNixOSTest ./tests/systemd/rp.nix; - formatting = treefmtEval.config.build.check self; - } // pkgs.lib.optionalAttrs (system == "x86_64-linux") (import ./tests/legacy-distro-packaging.nix { - inherit pkgs; - rosenpass-deb = self.packages.${system}.package-deb; - rosenpass-rpm = self.packages.${system}.package-rpm; - }); - - # for `nix fmt` - formatter = treefmtEval.config.build.wrapper; - })) + # for `nix fmt` + formatter = treefmtEval.config.build.wrapper; + } + ) + ) ]; } diff --git a/overlay.nix b/overlay.nix index 5e98dfc..2550528 100644 --- a/overlay.nix +++ b/overlay.nix @@ -1,6 +1,5 @@ final: prev: { - # ### Actual rosenpass software ### # @@ -27,7 +26,10 @@ final: prev: { "marzipan(/marzipan.awk)?" "analysis(/.*)?" ]; - nativeBuildInputs = [ final.proverif final.graphviz ]; + nativeBuildInputs = [ + final.proverif + final.graphviz + ]; CRYPTOVERIF_LIB = final.proverif-patched + "/lib/cryptoverif.pvl"; installPhase = '' mkdir -p $out diff --git a/pkgs/package-deb.nix b/pkgs/package-deb.nix index d7194d6..c3db31e 100644 --- a/pkgs/package-deb.nix +++ b/pkgs/package-deb.nix @@ -1,4 +1,8 @@ -{ runCommand, dpkg, rosenpass }: +{ + runCommand, + dpkg, + rosenpass, +}: let inherit (rosenpass) version; diff --git a/pkgs/package-rpm.nix b/pkgs/package-rpm.nix index f446bfc..b60269a 100644 --- a/pkgs/package-rpm.nix +++ b/pkgs/package-rpm.nix @@ -1,12 +1,15 @@ -{ lib, system, runCommand, rosenpass, rpm }: +{ + lib, + system, + runCommand, + rosenpass, + rpm, +}: let splitVersion = lib.strings.splitString "-" rosenpass.version; version = builtins.head splitVersion; - release = - if builtins.length splitVersion != 2 - then "release" - else builtins.elemAt splitVersion 1; + release = if builtins.length splitVersion != 2 then "release" else builtins.elemAt splitVersion 1; arch = builtins.head (builtins.split "-" system); in diff --git a/pkgs/release-package.nix b/pkgs/release-package.nix index 2de6029..f147c75 100644 --- a/pkgs/release-package.nix +++ b/pkgs/release-package.nix @@ -1,21 +1,24 @@ -{ lib, stdenvNoCC, runCommandNoCC, pkgsStatic, rosenpass, rosenpass-oci-image, rp } @ args: +{ + lib, + stdenvNoCC, + runCommandNoCC, + pkgsStatic, + rosenpass, + rosenpass-oci-image, + rp, +}@args: let version = rosenpass.version; # select static packages on Linux, default packages otherwise - package = - if stdenvNoCC.hostPlatform.isLinux then - pkgsStatic.rosenpass - else args.rosenpass; - rp = - if stdenvNoCC.hostPlatform.isLinux then - pkgsStatic.rp - else args.rp; + package = if stdenvNoCC.hostPlatform.isLinux then pkgsStatic.rosenpass else args.rosenpass; + rp = if stdenvNoCC.hostPlatform.isLinux then pkgsStatic.rp else args.rp; oci-image = if stdenvNoCC.hostPlatform.isLinux then pkgsStatic.rosenpass-oci-image - else args.rosenpass-oci-image; + else + args.rosenpass-oci-image; in runCommandNoCC "lace-result" { } '' mkdir {bin,$out} diff --git a/pkgs/rosenpass-oci-image.nix b/pkgs/rosenpass-oci-image.nix index f68e037..3008e7a 100644 --- a/pkgs/rosenpass-oci-image.nix +++ b/pkgs/rosenpass-oci-image.nix @@ -1,4 +1,8 @@ -{ dockerTools, buildEnv, rosenpass }: +{ + dockerTools, + buildEnv, + rosenpass, +}: dockerTools.buildImage { name = rosenpass.name + "-oci"; diff --git a/pkgs/rosenpass.nix b/pkgs/rosenpass.nix index 37b467d..30f560f 100644 --- a/pkgs/rosenpass.nix +++ b/pkgs/rosenpass.nix @@ -1,4 +1,13 @@ -{ lib, stdenv, rustPlatform, cmake, mandoc, removeReferencesTo, bash, package ? "rosenpass" }: +{ + lib, + stdenv, + rustPlatform, + cmake, + mandoc, + removeReferencesTo, + bash, + package ? "rosenpass", +}: let # whether we want to build a statically linked binary @@ -17,24 +26,30 @@ let "toml" ]; # Files to explicitly include - files = [ - "to/README.md" - ]; + files = [ "to/README.md" ]; src = ../.; - filter = (path: type: scoped rec { - inherit (lib) any id removePrefix hasSuffix; - anyof = (any id); + filter = ( + path: type: + scoped rec { + inherit (lib) + any + id + removePrefix + hasSuffix + ; + anyof = (any id); - basename = baseNameOf (toString path); - relative = removePrefix (toString src + "/") (toString path); + basename = baseNameOf (toString path); + relative = removePrefix (toString src + "/") (toString path); - result = anyof [ - (type == "directory") - (any (ext: hasSuffix ".${ext}" basename) extensions) - (any (file: file == relative) files) - ]; - }); + result = anyof [ + (type == "directory") + (any (ext: hasSuffix ".${ext}" basename) extensions) + (any (file: file == relative) files) + ]; + } + ); result = lib.sources.cleanSourceWith { inherit src filter; }; }; @@ -47,8 +62,14 @@ rustPlatform.buildRustPackage { version = cargoToml.package.version; inherit src; - cargoBuildOptions = [ "--package" package ]; - cargoTestOptions = [ "--package" package ]; + cargoBuildOptions = [ + "--package" + package + ]; + cargoTestOptions = [ + "--package" + package + ]; doCheck = true; @@ -81,7 +102,10 @@ rustPlatform.buildRustPackage { meta = { inherit (cargoToml.package) description homepage; - license = with lib.licenses; [ mit asl20 ]; + license = with lib.licenses; [ + mit + asl20 + ]; maintainers = [ lib.maintainers.wucke13 ]; platforms = lib.platforms.all; }; diff --git a/pkgs/whitepaper.nix b/pkgs/whitepaper.nix index 558e967..b01f802 100644 --- a/pkgs/whitepaper.nix +++ b/pkgs/whitepaper.nix @@ -1,13 +1,52 @@ -{ stdenvNoCC, texlive, ncurses, python3Packages, which }: +{ + stdenvNoCC, + texlive, + ncurses, + python3Packages, + which, +}: let - customTexLiveSetup = (texlive.combine { - inherit (texlive) acmart amsfonts biber biblatex biblatex-software - biblatex-trad ccicons csquotes csvsimple doclicense eso-pic fancyvrb - fontspec gitinfo2 gobble ifmtarg koma-script latexmk lm lualatex-math - markdown mathtools minted noto nunito paralist pgf scheme-basic soul - unicode-math upquote xifthen xkeyval xurl; - }); + customTexLiveSetup = ( + texlive.combine { + inherit (texlive) + acmart + amsfonts + biber + biblatex + biblatex-software + biblatex-trad + ccicons + csquotes + csvsimple + doclicense + eso-pic + fancyvrb + fontspec + gitinfo2 + gobble + ifmtarg + koma-script + latexmk + lm + lualatex-math + markdown + mathtools + minted + noto + nunito + paralist + pgf + scheme-basic + soul + unicode-math + upquote + xifthen + xkeyval + xurl + ; + } + ); in stdenvNoCC.mkDerivation { name = "whitepaper"; diff --git a/rosenpass/Cargo.toml b/rosenpass/Cargo.toml index 2e65b95..d967e52 100644 --- a/rosenpass/Cargo.toml +++ b/rosenpass/Cargo.toml @@ -30,9 +30,9 @@ required-features = ["experiment_api", "internal_testing"] [[test]] name = "gen-ipc-msg-types" required-features = [ - "experiment_api", - "internal_testing", - "internal_bin_gen_ipc_msg_types", + "experiment_api", + "internal_testing", + "internal_bin_gen_ipc_msg_types", ] [[bench]] @@ -92,16 +92,16 @@ experiment_memfd_secret = ["rosenpass-wireguard-broker/experiment_memfd_secret"] experiment_libcrux_all = ["rosenpass-ciphers/experiment_libcrux_all"] experiment_libcrux_blake2 = ["rosenpass-ciphers/experiment_libcrux_blake2"] experiment_libcrux_chachapoly = [ - "rosenpass-ciphers/experiment_libcrux_chachapoly", + "rosenpass-ciphers/experiment_libcrux_chachapoly", ] experiment_libcrux_kyber = ["rosenpass-ciphers/experiment_libcrux_kyber"] experiment_api = [ - "hex-literal", - "uds", - "command-fds", - "rustix", - "rosenpass-util/experiment_file_descriptor_passing", - "rosenpass-wireguard-broker/experiment_api", + "hex-literal", + "uds", + "command-fds", + "rustix", + "rosenpass-util/experiment_file_descriptor_passing", + "rosenpass-wireguard-broker/experiment_api", ] internal_signal_handling_for_coverage_reports = ["signal-hook"] internal_testing = [] diff --git a/tests/legacy-distro-packaging.nix b/tests/legacy-distro-packaging.nix index 1d35806..619dbfa 100644 --- a/tests/legacy-distro-packaging.nix +++ b/tests/legacy-distro-packaging.nix @@ -1,4 +1,8 @@ -{ pkgs, rosenpass-deb, rosenpass-rpm }: +{ + pkgs, + rosenpass-deb, + rosenpass-rpm, +}: let wg-deb = pkgs.fetchurl { @@ -23,31 +27,38 @@ let cp ${./prepare-test.sh} $out/prepare-test.sh ''; - test = { tester, installPrefix, suffix, source }: (tester { - sharedDirs.share = { - inherit source; - target = "/mnt/share"; - }; - testScript = '' - vm.wait_for_unit("multi-user.target") - vm.succeed("${installPrefix} /mnt/share/wireguard.${suffix}") - vm.succeed("${installPrefix} /mnt/share/rosenpass.${suffix}") - vm.succeed("bash /mnt/share/prepare-test.sh") + test = + { + tester, + installPrefix, + suffix, + source, + }: + (tester { + sharedDirs.share = { + inherit source; + target = "/mnt/share"; + }; + testScript = '' + vm.wait_for_unit("multi-user.target") + vm.succeed("${installPrefix} /mnt/share/wireguard.${suffix}") + vm.succeed("${installPrefix} /mnt/share/rosenpass.${suffix}") + vm.succeed("bash /mnt/share/prepare-test.sh") - vm.succeed(f"systemctl start rp@server") - vm.succeed(f"systemctl start rp@client") + vm.succeed(f"systemctl start rp@server") + vm.succeed(f"systemctl start rp@client") - vm.wait_for_unit("rp@server.service") - vm.wait_for_unit("rp@client.service") + vm.wait_for_unit("rp@server.service") + vm.wait_for_unit("rp@client.service") - vm.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5); + vm.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5); - psk_server = vm.succeed("wg show rp-server preshared-keys").strip().split()[-1] - psk_client = vm.succeed("wg show rp-client preshared-keys").strip().split()[-1] + psk_server = vm.succeed("wg show rp-server preshared-keys").strip().split()[-1] + psk_client = vm.succeed("wg show rp-client preshared-keys").strip().split()[-1] - assert psk_server == psk_client, "preshared-key exchange must be successful" - ''; - }).sandboxed; + assert psk_server == psk_client, "preshared-key exchange must be successful" + ''; + }).sandboxed; in { package-deb-debian-13 = test { diff --git a/tests/systemd/rosenpass.nix b/tests/systemd/rosenpass.nix index 18ca5d1..d1eddf8 100644 --- a/tests/systemd/rosenpass.nix +++ b/tests/systemd/rosenpass.nix @@ -32,29 +32,33 @@ let public_key = "/etc/rosenpass/rp0/pqpk"; secret_key = "/run/credentials/rosenpass@rp0.service/pqsk"; verbosity = "Verbose"; - peers = [{ - device = "rp0"; - peer = client.wg.public; - public_key = "/etc/rosenpass/rp0/peers/client/pqpk"; - }]; + peers = [ + { + device = "rp0"; + peer = client.wg.public; + public_key = "/etc/rosenpass/rp0/peers/client/pqpk"; + } + ]; }; client_config = { listen = [ ]; public_key = "/etc/rosenpass/rp0/pqpk"; secret_key = "/run/credentials/rosenpass@rp0.service/pqsk"; verbosity = "Verbose"; - peers = [{ - device = "rp0"; - peer = server.wg.public; - public_key = "/etc/rosenpass/rp0/peers/server/pqpk"; - endpoint = "${server.ip4}:9999"; - }]; + peers = [ + { + device = "rp0"; + peer = server.wg.public; + public_key = "/etc/rosenpass/rp0/peers/server/pqpk"; + endpoint = "${server.ip4}:9999"; + } + ]; }; config = pkgs.runCommand "config" { } '' mkdir -pv $out - cp -v ${(pkgs.formats.toml {}).generate "rp0.toml" server_config} $out/server - cp -v ${(pkgs.formats.toml {}).generate "rp0.toml" client_config} $out/client + cp -v ${(pkgs.formats.toml { }).generate "rp0.toml" server_config} $out/server + cp -v ${(pkgs.formats.toml { }).generate "rp0.toml" client_config} $out/client ''; in { @@ -62,50 +66,71 @@ in nodes = let - shared = peer: { config, modulesPath, pkgs, ... }: { - # Need to work around a problem in recent systemd changes. - # It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific - # https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767 - # This can potentially be removed in future nixpkgs updates - systemd.packages = [ - (pkgs.runCommand "rosenpass" { } '' - mkdir -p $out/lib/systemd/system - < ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target - < ${pkgs.rosenpass}/lib/systemd/system/rosenpass@.service \ - sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.wireguard-tools}/bin@' | - sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' | - sed 's@^ExecStart=rosenpass @ExecStart='"${pkgs.rosenpass}"'/bin/rosenpass @' > $out/lib/systemd/system/rosenpass@.service - '') - ]; - networking.wireguard = { - enable = true; - interfaces.rp0 = { - ips = [ "${peer.wg.ip4}/32" "${peer.wg.ip6}/128" ]; - privateKeyFile = "/etc/wireguard/wgsk"; + shared = + peer: + { + config, + modulesPath, + pkgs, + ... + }: + { + # Need to work around a problem in recent systemd changes. + # It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific + # https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767 + # This can potentially be removed in future nixpkgs updates + systemd.packages = [ + (pkgs.runCommand "rosenpass" { } '' + mkdir -p $out/lib/systemd/system + < ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target + < ${pkgs.rosenpass}/lib/systemd/system/rosenpass@.service \ + sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.wireguard-tools}/bin@' | + sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' | + sed 's@^ExecStart=rosenpass @ExecStart='"${pkgs.rosenpass}"'/bin/rosenpass @' > $out/lib/systemd/system/rosenpass@.service + '') + ]; + networking.wireguard = { + enable = true; + interfaces.rp0 = { + ips = [ + "${peer.wg.ip4}/32" + "${peer.wg.ip6}/128" + ]; + privateKeyFile = "/etc/wireguard/wgsk"; + }; + }; + environment.etc."wireguard/wgsk".text = peer.wg.secret; + networking.interfaces.eth1 = { + ipv4.addresses = [ + { + address = peer.ip4; + prefixLength = 24; + } + ]; + ipv6.addresses = [ + { + address = peer.ip6; + prefixLength = 64; + } + ]; }; }; - environment.etc."wireguard/wgsk".text = peer.wg.secret; - networking.interfaces.eth1 = { - ipv4.addresses = [{ - address = peer.ip4; - prefixLength = 24; - }]; - ipv6.addresses = [{ - address = peer.ip6; - prefixLength = 64; - }]; - }; - }; in { server = { imports = [ (shared server) ]; - networking.firewall.allowedUDPPorts = [ 9999 server.wg.listen ]; + networking.firewall.allowedUDPPorts = [ + 9999 + server.wg.listen + ]; networking.wireguard.interfaces.rp0 = { listenPort = server.wg.listen; peers = [ { - allowedIPs = [ client.wg.ip4 client.wg.ip6 ]; + allowedIPs = [ + client.wg.ip4 + client.wg.ip6 + ]; publicKey = client.wg.public; } ]; @@ -116,7 +141,10 @@ in networking.wireguard.interfaces.rp0 = { peers = [ { - allowedIPs = [ "10.23.42.0/24" "fc00::/64" ]; + allowedIPs = [ + "10.23.42.0/24" + "fc00::/64" + ]; publicKey = server.wg.public; endpoint = "${server.ip4}:${toString server.wg.listen}"; } @@ -124,60 +152,62 @@ in }; }; }; - testScript = { ... }: '' - from os import system - rosenpass = "${pkgs.rosenpass}/bin/rosenpass" + testScript = + { ... }: + '' + from os import system + rosenpass = "${pkgs.rosenpass}/bin/rosenpass" - start_all() - - for machine in [server, client]: - machine.wait_for_unit("multi-user.target") - machine.wait_for_unit("network-online.target") - - with subtest("Key, Config, and Service Setup"): - for name, machine, remote in [("server", server, client), ("client", client, server)]: - # generate all the keys - system(f"{rosenpass} gen-keys --public-key {name}-pqpk --secret-key {name}-pqsk") - - # copy private keys to our side - machine.copy_from_host(f"{name}-pqsk", "/etc/rosenpass/rp0/pqsk") - machine.copy_from_host(f"{name}-pqpk", "/etc/rosenpass/rp0/pqpk") - - # copy public keys to other side - remote.copy_from_host(f"{name}-pqpk", f"/etc/rosenpass/rp0/peers/{name}/pqpk") - - machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/rp0.toml") + start_all() for machine in [server, client]: - machine.wait_for_unit("wireguard-rp0.service") + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("network-online.target") - with subtest("wg network test"): - client.succeed("wg show all preshared-keys | grep none", timeout=5); - client.succeed("ping -c5 ${server.wg.ip4}") - server.succeed("ping -c5 ${client.wg.ip6}") + with subtest("Key, Config, and Service Setup"): + for name, machine, remote in [("server", server, client), ("client", client, server)]: + # generate all the keys + system(f"{rosenpass} gen-keys --public-key {name}-pqpk --secret-key {name}-pqsk") - with subtest("Set up rosenpass"): - for machine in [server, client]: - machine.succeed("systemctl start rosenpass@rp0.service") + # copy private keys to our side + machine.copy_from_host(f"{name}-pqsk", "/etc/rosenpass/rp0/pqsk") + machine.copy_from_host(f"{name}-pqpk", "/etc/rosenpass/rp0/pqpk") - for machine in [server, client]: - machine.wait_for_unit("rosenpass@rp0.service") + # copy public keys to other side + remote.copy_from_host(f"{name}-pqpk", f"/etc/rosenpass/rp0/peers/{name}/pqpk") + + machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/rp0.toml") + + for machine in [server, client]: + machine.wait_for_unit("wireguard-rp0.service") + + with subtest("wg network test"): + client.succeed("wg show all preshared-keys | grep none", timeout=5); + client.succeed("ping -c5 ${server.wg.ip4}") + server.succeed("ping -c5 ${client.wg.ip6}") + + with subtest("Set up rosenpass"): + for machine in [server, client]: + machine.succeed("systemctl start rosenpass@rp0.service") + + for machine in [server, client]: + machine.wait_for_unit("rosenpass@rp0.service") - with subtest("compare preshared keys"): - client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5); - server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5); + with subtest("compare preshared keys"): + client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5); + server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5); - def get_psk(m): - psk = m.succeed("wg show rp0 preshared-keys | awk '{print $2}'") - psk = psk.strip() - assert len(psk.split()) == 1, "Only one PSK" - return psk + def get_psk(m): + psk = m.succeed("wg show rp0 preshared-keys | awk '{print $2}'") + psk = psk.strip() + assert len(psk.split()) == 1, "Only one PSK" + return psk - assert get_psk(client) == get_psk(server), "preshared keys need to match" + assert get_psk(client) == get_psk(server), "preshared keys need to match" - with subtest("rosenpass network test"): - client.succeed("ping -c5 ${server.wg.ip4}") - server.succeed("ping -c5 ${client.wg.ip6}") - ''; + with subtest("rosenpass network test"): + client.succeed("ping -c5 ${server.wg.ip4}") + server.succeed("ping -c5 ${client.wg.ip6}") + ''; } diff --git a/tests/systemd/rp.nix b/tests/systemd/rp.nix index 7218d15..c0acdb8 100644 --- a/tests/systemd/rp.nix +++ b/tests/systemd/rp.nix @@ -24,27 +24,31 @@ let verbose = true; dev = "test-rp-device0"; ip = "fc00::1/64"; - peers = [{ - public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/client"; - allowed_ips = "fc00::2"; - }]; + peers = [ + { + public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/client"; + allowed_ips = "fc00::2"; + } + ]; }; client_config = { private_keys_dir = "/run/credentials/rp@test-rp-device0.service"; verbose = true; dev = "test-rp-device0"; ip = "fc00::2/128"; - peers = [{ - public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/server"; - endpoint = "${server.ip4}:9999"; - allowed_ips = "fc00::/64"; - }]; + peers = [ + { + public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/server"; + endpoint = "${server.ip4}:9999"; + allowed_ips = "fc00::/64"; + } + ]; }; config = pkgs.runCommand "config" { } '' mkdir -pv $out - cp -v ${(pkgs.formats.toml {}).generate "test-rp-device0.toml" server_config} $out/server - cp -v ${(pkgs.formats.toml {}).generate "test-rp-device0.toml" client_config} $out/client + cp -v ${(pkgs.formats.toml { }).generate "test-rp-device0.toml" server_config} $out/server + cp -v ${(pkgs.formats.toml { }).generate "test-rp-device0.toml" client_config} $out/client ''; in { @@ -52,88 +56,105 @@ in nodes = let - shared = peer: { config, modulesPath, pkgs, ... }: { - # Need to work around a problem in recent systemd changes. - # It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific - # https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767 - # This can potentially be removed in future nixpkgs updates - systemd.packages = [ - (pkgs.runCommand "rp@.service" { } '' - mkdir -p $out/lib/systemd/system - < ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target - < ${pkgs.rosenpass}/lib/systemd/system/rp@.service \ - sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.iproute2}/bin:${pkgs.wireguard-tools}/bin@' | - sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' | - sed 's@^ExecStart=rp @ExecStart='"${pkgs.rosenpass}"'/bin/rp @' > $out/lib/systemd/system/rp@.service - '') - ]; - environment.systemPackages = [ pkgs.wireguard-tools ]; - networking.interfaces.eth1 = { - ipv4.addresses = [{ - address = peer.ip4; - prefixLength = 24; - }]; - ipv6.addresses = [{ - address = peer.ip6; - prefixLength = 64; - }]; + shared = + peer: + { + config, + modulesPath, + pkgs, + ... + }: + { + # Need to work around a problem in recent systemd changes. + # It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific + # https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767 + # This can potentially be removed in future nixpkgs updates + systemd.packages = [ + (pkgs.runCommand "rp@.service" { } '' + mkdir -p $out/lib/systemd/system + < ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target + < ${pkgs.rosenpass}/lib/systemd/system/rp@.service \ + sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.iproute2}/bin:${pkgs.wireguard-tools}/bin@' | + sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' | + sed 's@^ExecStart=rp @ExecStart='"${pkgs.rosenpass}"'/bin/rp @' > $out/lib/systemd/system/rp@.service + '') + ]; + environment.systemPackages = [ pkgs.wireguard-tools ]; + networking.interfaces.eth1 = { + ipv4.addresses = [ + { + address = peer.ip4; + prefixLength = 24; + } + ]; + ipv6.addresses = [ + { + address = peer.ip6; + prefixLength = 64; + } + ]; + }; }; - }; in { server = { imports = [ (shared server) ]; - networking.firewall.allowedUDPPorts = [ 9999 server.wg.listen ]; + networking.firewall.allowedUDPPorts = [ + 9999 + server.wg.listen + ]; }; client = { imports = [ (shared client) ]; }; }; - testScript = { ... }: '' - from os import system - rp = "${pkgs.rosenpass}/bin/rp" + testScript = + { ... }: + '' + from os import system + rp = "${pkgs.rosenpass}/bin/rp" - start_all() - - for machine in [server, client]: - machine.wait_for_unit("multi-user.target") - machine.wait_for_unit("network-online.target") - - with subtest("Key, Config, and Service Setup"): - for name, machine, remote in [("server", server, client), ("client", client, server)]: - # create all the keys - system(f"{rp} genkey {name}-sk") - system(f"{rp} pubkey {name}-sk {name}-pk") - - # copy secret keys to our side - for file in ["pqpk", "pqsk", "wgsk"]: - machine.copy_from_host(f"{name}-sk/{file}", f"/etc/rosenpass/test-rp-device0/{file}") - # copy public keys to other side - for file in ["pqpk", "wgpk"]: - remote.copy_from_host(f"{name}-pk/{file}", f"/etc/rosenpass/test-rp-device0/peers/{name}/{file}") - - machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/test-rp-device0.toml") + start_all() for machine in [server, client]: - machine.succeed("systemctl start rp@test-rp-device0.service") + machine.wait_for_unit("multi-user.target") + machine.wait_for_unit("network-online.target") - for machine in [server, client]: - machine.wait_for_unit("rp@test-rp-device0.service") + with subtest("Key, Config, and Service Setup"): + for name, machine, remote in [("server", server, client), ("client", client, server)]: + # create all the keys + system(f"{rp} genkey {name}-sk") + system(f"{rp} pubkey {name}-sk {name}-pk") - with subtest("compare preshared keys"): - client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5); - server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5); + # copy secret keys to our side + for file in ["pqpk", "pqsk", "wgsk"]: + machine.copy_from_host(f"{name}-sk/{file}", f"/etc/rosenpass/test-rp-device0/{file}") + # copy public keys to other side + for file in ["pqpk", "wgpk"]: + remote.copy_from_host(f"{name}-pk/{file}", f"/etc/rosenpass/test-rp-device0/peers/{name}/{file}") - def get_psk(m): - psk = m.succeed("wg show test-rp-device0 preshared-keys | awk '{print $2}'") - psk = psk.strip() - assert len(psk.split()) == 1, "Only one PSK" - return psk + machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/test-rp-device0.toml") - assert get_psk(client) == get_psk(server), "preshared keys need to match" + for machine in [server, client]: + machine.succeed("systemctl start rp@test-rp-device0.service") - with subtest("network test"): - client.succeed("ping -c5 ${server.wg.ip6}") - server.succeed("ping -c5 ${client.wg.ip6}") - ''; + for machine in [server, client]: + machine.wait_for_unit("rp@test-rp-device0.service") + + with subtest("compare preshared keys"): + client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5); + server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5); + + def get_psk(m): + psk = m.succeed("wg show test-rp-device0 preshared-keys | awk '{print $2}'") + psk = psk.strip() + assert len(psk.split()) == 1, "Only one PSK" + return psk + + assert get_psk(client) == get_psk(server), "preshared keys need to match" + + with subtest("network test"): + client.succeed("ping -c5 ${server.wg.ip6}") + server.succeed("ping -c5 ${client.wg.ip6}") + ''; } diff --git a/treefmt.nix b/treefmt.nix index a79c8f3..49e6c73 100644 --- a/treefmt.nix +++ b/treefmt.nix @@ -17,9 +17,7 @@ "*.yaml" "*.yml" ]; - excludes = [ - "supply-chain/*" - ]; + excludes = [ "supply-chain/*" ]; settings = { plugins = [ "${pkgs.nodePackages.prettier-plugin-toml}/lib/node_modules/prettier-plugin-toml/lib/index.js" diff --git a/util/Cargo.toml b/util/Cargo.toml index 49d66fb..273c0c8 100644 --- a/util/Cargo.toml +++ b/util/Cargo.toml @@ -25,6 +25,5 @@ mio = { workspace = true } tempfile = { workspace = true } uds = { workspace = true, optional = true, features = ["mio_1xx"] } - [features] experiment_file_descriptor_passing = ["uds"]