gitea-mirror/rosenpass
1
0
Fork 0
mirror of https://github.com/rosenpass/rosenpass.git synced 2025-12-05 20:40:02 -08:00
Code Issues Packages Projects Releases Wiki Activity

chore: format everything

Browse Source 
This implicates a change from nixpkgs-fmt to nixfmt. Nixfmt will become
the new standard on nix formatting, sanctioned by the nixpkgs. To verify
that these changes are purely in whitespace, but not semantic:

git diff --ignore-all-space -w HEAD^!

That will only show newline changes, make the diffing somewhat easier.

Signed-off-by: wucke13 <wucke13+github@gmail.com>
This commit is contained in:
wucke13
2025-04-13 12:57:57 +02:00
committed by Karolin Varner
parent a45812b2cd
commit 22b980a61f
17 changed files with 558 additions and 413 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
Cargo.toml
View File

@@ -2,17 +2,17 @@
resolver = "2"
members = [
"rosenpass",
"cipher-traits",
"ciphers",
"util",
"constant-time",
"oqs",
"to",
"fuzz",
"secret-memory",
"rp",
"wireguard-broker",
"rosenpass",
"cipher-traits",
"ciphers",
"util",
"constant-time",
"oqs",
"to",
"fuzz",
"secret-memory",
"rp",
"wireguard-broker",
]
default-members = ["rosenpass", "rp", "wireguard-broker"]
@@ -42,7 +42,7 @@ toml = "0.7.8"
static_assertions = "1.1.0"
allocator-api2 = "0.2.14"
memsec = { git = "https://github.com/rosenpass/memsec.git", rev = "aceb9baee8aec6844125bd6612f92e9a281373df", features = [
"alloc_ext",
"alloc_ext",
] }
rand = "0.8.5"
typenum = "1.17.0"
@@ -55,14 +55,14 @@ arbitrary = { version = "1.4.1", features = ["derive"] }
anyhow = { version = "1.0.95", features = ["backtrace", "std"] }
mio = { version = "1.0.3", features = ["net", "os-poll"] }
oqs-sys = { version = "0.9.1", default-features = false, features = [
'classic_mceliece',
'kyber',
'classic_mceliece',
'kyber',
] }
blake2 = "0.10.6"
sha3 = "0.10.8"
chacha20poly1305 = { version = "0.10.1", default-features = false, features = [
"std",
"heapless",
"std",
"heapless",
] }
zerocopy = { version = "0.7.35", features = ["derive"] }
home = "=0.5.9" # 5.11 requires rustc 1.81
@@ -72,7 +72,7 @@ postcard = { version = "1.1.1", features = ["alloc"] }
libcrux = { version = "0.0.2-pre.2" }
libcrux-chacha20poly1305 = { version = "0.0.2-beta.3" }
libcrux-ml-kem = { version = "0.0.2-beta.3" }
libcrux-blake2 = { git = "https://github.com/cryspen/libcrux.git", rev = "10ce653e9476"}
libcrux-blake2 = { git = "https://github.com/cryspen/libcrux.git", rev = "10ce653e9476" }
hex-literal = { version = "0.4.1" }
hex = { version = "0.4.3" }
heck = { version = "0.5.0" }
@@ -90,7 +90,6 @@ criterion = "0.5.1"
allocator-api2-tests = "0.2.15"
procspawn = { version = "1.0.1", features = ["test-support"] }
#Broker dependencies (might need cleanup or changes)
wireguard-uapi = { version = "3.0.0", features = ["xplatform"] }
command-fds = "0.2.3"

12
ciphers/Cargo.toml
View File

@@ -12,16 +12,16 @@ rust-version = "1.77"
[features]
experiment_libcrux_all = [
"experiment_libcrux_blake2",
"experiment_libcrux_chachapoly",
"experiment_libcrux_chachapoly_test",
"experiment_libcrux_kyber",
"experiment_libcrux_blake2",
"experiment_libcrux_chachapoly",
"experiment_libcrux_chachapoly_test",
"experiment_libcrux_kyber",
]
experiment_libcrux_blake2 = ["dep:libcrux-blake2", "dep:thiserror"]
experiment_libcrux_chachapoly = ["dep:libcrux-chacha20poly1305"]
experiment_libcrux_chachapoly_test = [
"experiment_libcrux_chachapoly",
"dep:libcrux",
"experiment_libcrux_chachapoly",
"dep:libcrux",
]
experiment_libcrux_kyber = ["dep:libcrux-ml-kem", "dep:rand"]

34
deny.toml
View File

@@ -24,11 +24,7 @@ feature-depth = 1
[advisories]
# A list of advisory IDs to ignore. Note that ignored advisories will still
# output a note when they are encountered.
ignore = [
"RUSTSEC-2024-0370",
"RUSTSEC-2024-0436",
"RUSTSEC-2023-0089",
]
ignore = ["RUSTSEC-2024-0370", "RUSTSEC-2024-0436", "RUSTSEC-2023-0089"]
# If this is true, then cargo deny will use the git executable to fetch advisory database.
# If this is false, then it uses a built-in git library.
# Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support.
@@ -43,11 +39,11 @@ ignore = [
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-3-Clause",
"ISC",
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-3-Clause",
"ISC",
]
# The confidence threshold for detecting a license from license text.
# The higher the value, the more closely the license text must be to the
@@ -57,10 +53,10 @@ confidence-threshold = 0.8
# Allow 1 or more licenses on a per-crate basis, so that particular licenses
# aren't accepted for every possible crate as with the normal allow list
exceptions = [
# Each entry is the crate and version constraint, and its specific allow
# list
{ allow = ["Unicode-DFS-2016", "Unicode-3.0"], crate = "unicode-ident" },
{ allow = ["NCSA"], crate = "libfuzzer-sys" },
# Each entry is the crate and version constraint, and its specific allow
# list
{ allow = ["Unicode-DFS-2016", "Unicode-3.0"], crate = "unicode-ident" },
{ allow = ["NCSA"], crate = "libfuzzer-sys" },
]
@@ -94,15 +90,11 @@ workspace-default-features = "allow"
# on a crate-by-crate basis if desired.
external-default-features = "allow"
# List of crates that are allowed. Use with care!
allow = [
]
allow = []
# List of crates to deny
deny = [
]
deny = []
skip-tree = [
]
skip-tree = []
# This section is considered when running `cargo deny check sources`.
# More documentation about the 'sources' section can be found here:

252
flake.nix
View File

@@ -15,32 +15,38 @@
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, flake-utils, nix-vm-test, treefmt-nix, ... }@inputs:
outputs =
{
self,
nixpkgs,
flake-utils,
nix-vm-test,
treefmt-nix,
...
}@inputs:
nixpkgs.lib.foldl (a: b: nixpkgs.lib.recursiveUpdate a b) { } [
#
### Export the overlay.nix from this flake ###
#
{
overlays.default = import ./overlay.nix;
}
{ overlays.default = import ./overlay.nix; }
#
### Actual Rosenpass Package and Docker Container Images ###
#
(flake-utils.lib.eachSystem [
"x86_64-linux"
"aarch64-linux"
(flake-utils.lib.eachSystem
[
"x86_64-linux"
"aarch64-linux"
# unsuported best-effort
"i686-linux"
"x86_64-darwin"
"aarch64-darwin"
# "x86_64-windows"
]
(system:
# unsuported best-effort
"i686-linux"
"x86_64-darwin"
"aarch64-darwin"
# "x86_64-windows"
]
(
system:
let
# normal nixpkgs
pkgs = import nixpkgs {
@@ -51,121 +57,131 @@
};
in
{
packages = {
default = pkgs.rosenpass;
rosenpass = pkgs.rosenpass;
rosenpass-oci-image = pkgs.rosenpass-oci-image;
rp = pkgs.rp;
packages =
{
default = pkgs.rosenpass;
rosenpass = pkgs.rosenpass;
rosenpass-oci-image = pkgs.rosenpass-oci-image;
rp = pkgs.rp;
release-package = pkgs.release-package;
release-package = pkgs.release-package;
# for good measure, we also offer to cross compile to Linux on Arm
aarch64-linux-rosenpass-static =
pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rosenpass;
aarch64-linux-rp-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rp;
}
//
# We only offer static builds for linux, as this is not supported on OS X
(nixpkgs.lib.attrsets.optionalAttrs pkgs.stdenv.isLinux {
rosenpass-static = pkgs.pkgsStatic.rosenpass;
rosenpass-static-oci-image = pkgs.pkgsStatic.rosenpass-oci-image;
rp-static = pkgs.pkgsStatic.rp;
});
# for good measure, we also offer to cross compile to Linux on Arm
aarch64-linux-rosenpass-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rosenpass;
aarch64-linux-rp-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rp;
}
//
# We only offer static builds for linux, as this is not supported on OS X
(nixpkgs.lib.attrsets.optionalAttrs pkgs.stdenv.isLinux {
rosenpass-static = pkgs.pkgsStatic.rosenpass;
rosenpass-static-oci-image = pkgs.pkgsStatic.rosenpass-oci-image;
rp-static = pkgs.pkgsStatic.rp;
});
}
))
)
)
#
### Linux specifics ###
#
(flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
let
pkgs = import nixpkgs {
inherit system;
(flake-utils.lib.eachSystem
[
"x86_64-linux"
"aarch64-linux"
]
(
system:
let
pkgs = import nixpkgs {
inherit system;
# apply our own overlay, overriding/inserting our packages as defined in ./pkgs
overlays = [
self.overlays.default
nix-vm-test.overlays.default
];
};
# apply our own overlay, overriding/inserting our packages as defined in ./pkgs
overlays = [
self.overlays.default
nix-vm-test.overlays.default
];
};
treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
in
{
packages.package-deb = pkgs.callPackage ./pkgs/package-deb.nix {
rosenpass = pkgs.pkgsStatic.rosenpass;
};
packages.package-rpm = pkgs.callPackage ./pkgs/package-rpm.nix {
rosenpass = pkgs.pkgsStatic.rosenpass;
};
treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
in
{
packages.package-deb = pkgs.callPackage ./pkgs/package-deb.nix {
rosenpass = pkgs.pkgsStatic.rosenpass;
};
packages.package-rpm = pkgs.callPackage ./pkgs/package-rpm.nix {
rosenpass = pkgs.pkgsStatic.rosenpass;
};
#
### Reading materials ###
#
packages.whitepaper = pkgs.whitepaper;
#
### Reading materials ###
#
packages.whitepaper = pkgs.whitepaper;
#
### Proof and Proof Tools ###
#
packages.proverif-patched = pkgs.proverif-patched;
packages.proof-proverif = pkgs.proof-proverif;
#
### Proof and Proof Tools ###
#
packages.proverif-patched = pkgs.proverif-patched;
packages.proof-proverif = pkgs.proof-proverif;
#
### Devshells ###
#
devShells.default = pkgs.mkShell {
inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = with pkgs; [
cargo-release
clippy
rustfmt
nodePackages.prettier
nushell # for the .ci/gen-workflow-files.nu script
proverif-patched
];
};
# TODO: Write this as a patched version of the default environment
devShells.fullEnv = pkgs.mkShell {
inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = with pkgs; [
cargo-audit
cargo-release
cargo-msrv
rustfmt
nodePackages.prettier
nushell # for the .ci/gen-workflow-files.nu script
proverif-patched
inputs.fenix.packages.${system}.complete.toolchain
pkgs.cargo-llvm-cov
pkgs.grcov
];
};
devShells.coverage = pkgs.mkShell {
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = [
inputs.fenix.packages.${system}.complete.toolchain
pkgs.cargo-llvm-cov
pkgs.grcov
];
};
#
### Devshells ###
#
devShells.default = pkgs.mkShell {
inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = with pkgs; [
cargo-release
clippy
rustfmt
nodePackages.prettier
nushell # for the .ci/gen-workflow-files.nu script
proverif-patched
];
};
# TODO: Write this as a patched version of the default environment
devShells.fullEnv = pkgs.mkShell {
inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = with pkgs; [
cargo-audit
cargo-release
cargo-msrv
rustfmt
nodePackages.prettier
nushell # for the .ci/gen-workflow-files.nu script
proverif-patched
inputs.fenix.packages.${system}.complete.toolchain
pkgs.cargo-llvm-cov
pkgs.grcov
];
};
devShells.coverage = pkgs.mkShell {
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = [
inputs.fenix.packages.${system}.complete.toolchain
pkgs.cargo-llvm-cov
pkgs.grcov
];
};
checks =
{
systemd-rosenpass = pkgs.testers.runNixOSTest ./tests/systemd/rosenpass.nix;
systemd-rp = pkgs.testers.runNixOSTest ./tests/systemd/rp.nix;
formatting = treefmtEval.config.build.check self;
}
// pkgs.lib.optionalAttrs (system == "x86_64-linux") (
import ./tests/legacy-distro-packaging.nix {
inherit pkgs;
rosenpass-deb = self.packages.${system}.package-deb;
rosenpass-rpm = self.packages.${system}.package-rpm;
}
);
checks = {
systemd-rosenpass = pkgs.testers.runNixOSTest ./tests/systemd/rosenpass.nix;
systemd-rp = pkgs.testers.runNixOSTest ./tests/systemd/rp.nix;
formatting = treefmtEval.config.build.check self;
} // pkgs.lib.optionalAttrs (system == "x86_64-linux") (import ./tests/legacy-distro-packaging.nix {
inherit pkgs;
rosenpass-deb = self.packages.${system}.package-deb;
rosenpass-rpm = self.packages.${system}.package-rpm;
});
# for `nix fmt`
formatter = treefmtEval.config.build.wrapper;
}))
# for `nix fmt`
formatter = treefmtEval.config.build.wrapper;
}
)
)
];
}

6
overlay.nix
View File

@@ -1,6 +1,5 @@
final: prev: {
#
### Actual rosenpass software ###
#
@@ -27,7 +26,10 @@ final: prev: {
"marzipan(/marzipan.awk)?"
"analysis(/.*)?"
];
nativeBuildInputs = [ final.proverif final.graphviz ];
nativeBuildInputs = [
final.proverif
final.graphviz
];
CRYPTOVERIF_LIB = final.proverif-patched + "/lib/cryptoverif.pvl";
installPhase = ''
mkdir -p $out

6
pkgs/package-deb.nix
View File

@@ -1,4 +1,8 @@
{ runCommand, dpkg, rosenpass }:
{
runCommand,
dpkg,
rosenpass,
}:
let
inherit (rosenpass) version;

13
pkgs/package-rpm.nix
View File

@@ -1,12 +1,15 @@
{ lib, system, runCommand, rosenpass, rpm }:
{
lib,
system,
runCommand,
rosenpass,
rpm,
}:
let
splitVersion = lib.strings.splitString "-" rosenpass.version;
version = builtins.head splitVersion;
release =
if builtins.length splitVersion != 2
then "release"
else builtins.elemAt splitVersion 1;
release = if builtins.length splitVersion != 2 then "release" else builtins.elemAt splitVersion 1;
arch = builtins.head (builtins.split "-" system);
in

23
pkgs/release-package.nix
View File

@@ -1,21 +1,24 @@
{ lib, stdenvNoCC, runCommandNoCC, pkgsStatic, rosenpass, rosenpass-oci-image, rp } @ args:
{
lib,
stdenvNoCC,
runCommandNoCC,
pkgsStatic,
rosenpass,
rosenpass-oci-image,
rp,
}@args:
let
version = rosenpass.version;
# select static packages on Linux, default packages otherwise
package =
if stdenvNoCC.hostPlatform.isLinux then
pkgsStatic.rosenpass
else args.rosenpass;
rp =
if stdenvNoCC.hostPlatform.isLinux then
pkgsStatic.rp
else args.rp;
package = if stdenvNoCC.hostPlatform.isLinux then pkgsStatic.rosenpass else args.rosenpass;
rp = if stdenvNoCC.hostPlatform.isLinux then pkgsStatic.rp else args.rp;
oci-image =
if stdenvNoCC.hostPlatform.isLinux then
pkgsStatic.rosenpass-oci-image
else args.rosenpass-oci-image;
else
args.rosenpass-oci-image;
in
runCommandNoCC "lace-result" { } ''
mkdir {bin,$out}

6
pkgs/rosenpass-oci-image.nix
View File

@@ -1,4 +1,8 @@
{ dockerTools, buildEnv, rosenpass }:
{
dockerTools,
buildEnv,
rosenpass,
}:
dockerTools.buildImage {
name = rosenpass.name + "-oci";

60
pkgs/rosenpass.nix
View File

@@ -1,4 +1,13 @@
{ lib, stdenv, rustPlatform, cmake, mandoc, removeReferencesTo, bash, package ? "rosenpass" }:
{
lib,
stdenv,
rustPlatform,
cmake,
mandoc,
removeReferencesTo,
bash,
package ? "rosenpass",
}:
let
# whether we want to build a statically linked binary
@@ -17,24 +26,30 @@ let
"toml"
];
# Files to explicitly include
files = [
"to/README.md"
];
files = [ "to/README.md" ];
src = ../.;
filter = (path: type: scoped rec {
inherit (lib) any id removePrefix hasSuffix;
anyof = (any id);
filter = (
path: type:
scoped rec {
inherit (lib)
any
id
removePrefix
hasSuffix
;
anyof = (any id);
basename = baseNameOf (toString path);
relative = removePrefix (toString src + "/") (toString path);
basename = baseNameOf (toString path);
relative = removePrefix (toString src + "/") (toString path);
result = anyof [
(type == "directory")
(any (ext: hasSuffix ".${ext}" basename) extensions)
(any (file: file == relative) files)
];
});
result = anyof [
(type == "directory")
(any (ext: hasSuffix ".${ext}" basename) extensions)
(any (file: file == relative) files)
];
}
);
result = lib.sources.cleanSourceWith { inherit src filter; };
};
@@ -47,8 +62,14 @@ rustPlatform.buildRustPackage {
version = cargoToml.package.version;
inherit src;
cargoBuildOptions = [ "--package" package ];
cargoTestOptions = [ "--package" package ];
cargoBuildOptions = [
"--package"
package
];
cargoTestOptions = [
"--package"
package
];
doCheck = true;
@@ -81,7 +102,10 @@ rustPlatform.buildRustPackage {
meta = {
inherit (cargoToml.package) description homepage;
license = with lib.licenses; [ mit asl20 ];
license = with lib.licenses; [
mit
asl20
];
maintainers = [ lib.maintainers.wucke13 ];
platforms = lib.platforms.all;
};

55
pkgs/whitepaper.nix
View File

@@ -1,13 +1,52 @@
{ stdenvNoCC, texlive, ncurses, python3Packages, which }:
{
stdenvNoCC,
texlive,
ncurses,
python3Packages,
which,
}:
let
customTexLiveSetup = (texlive.combine {
inherit (texlive) acmart amsfonts biber biblatex biblatex-software
biblatex-trad ccicons csquotes csvsimple doclicense eso-pic fancyvrb
fontspec gitinfo2 gobble ifmtarg koma-script latexmk lm lualatex-math
markdown mathtools minted noto nunito paralist pgf scheme-basic soul
unicode-math upquote xifthen xkeyval xurl;
});
customTexLiveSetup = (
texlive.combine {
inherit (texlive)
acmart
amsfonts
biber
biblatex
biblatex-software
biblatex-trad
ccicons
csquotes
csvsimple
doclicense
eso-pic
fancyvrb
fontspec
gitinfo2
gobble
ifmtarg
koma-script
latexmk
lm
lualatex-math
markdown
mathtools
minted
noto
nunito
paralist
pgf
scheme-basic
soul
unicode-math
upquote
xifthen
xkeyval
xurl
;
}
);
in
stdenvNoCC.mkDerivation {
name = "whitepaper";

20
rosenpass/Cargo.toml
View File

@@ -30,9 +30,9 @@ required-features = ["experiment_api", "internal_testing"]
[[test]]
name = "gen-ipc-msg-types"
required-features = [
"experiment_api",
"internal_testing",
"internal_bin_gen_ipc_msg_types",
"experiment_api",
"internal_testing",
"internal_bin_gen_ipc_msg_types",
]
[[bench]]
@@ -92,16 +92,16 @@ experiment_memfd_secret = ["rosenpass-wireguard-broker/experiment_memfd_secret"]
experiment_libcrux_all = ["rosenpass-ciphers/experiment_libcrux_all"]
experiment_libcrux_blake2 = ["rosenpass-ciphers/experiment_libcrux_blake2"]
experiment_libcrux_chachapoly = [
"rosenpass-ciphers/experiment_libcrux_chachapoly",
"rosenpass-ciphers/experiment_libcrux_chachapoly",
]
experiment_libcrux_kyber = ["rosenpass-ciphers/experiment_libcrux_kyber"]
experiment_api = [
"hex-literal",
"uds",
"command-fds",
"rustix",
"rosenpass-util/experiment_file_descriptor_passing",
"rosenpass-wireguard-broker/experiment_api",
"hex-literal",
"uds",
"command-fds",
"rustix",
"rosenpass-util/experiment_file_descriptor_passing",
"rosenpass-wireguard-broker/experiment_api",
]
internal_signal_handling_for_coverage_reports = ["signal-hook"]
internal_testing = []

53
tests/legacy-distro-packaging.nix
View File

@@ -1,4 +1,8 @@
{ pkgs, rosenpass-deb, rosenpass-rpm }:
{
pkgs,
rosenpass-deb,
rosenpass-rpm,
}:
let
wg-deb = pkgs.fetchurl {
@@ -23,31 +27,38 @@ let
cp ${./prepare-test.sh} $out/prepare-test.sh
'';
test = { tester, installPrefix, suffix, source }: (tester {
sharedDirs.share = {
inherit source;
target = "/mnt/share";
};
testScript = ''
vm.wait_for_unit("multi-user.target")
vm.succeed("${installPrefix} /mnt/share/wireguard.${suffix}")
vm.succeed("${installPrefix} /mnt/share/rosenpass.${suffix}")
vm.succeed("bash /mnt/share/prepare-test.sh")
test =
{
tester,
installPrefix,
suffix,
source,
}:
(tester {
sharedDirs.share = {
inherit source;
target = "/mnt/share";
};
testScript = ''
vm.wait_for_unit("multi-user.target")
vm.succeed("${installPrefix} /mnt/share/wireguard.${suffix}")
vm.succeed("${installPrefix} /mnt/share/rosenpass.${suffix}")
vm.succeed("bash /mnt/share/prepare-test.sh")
vm.succeed(f"systemctl start rp@server")
vm.succeed(f"systemctl start rp@client")
vm.succeed(f"systemctl start rp@server")
vm.succeed(f"systemctl start rp@client")
vm.wait_for_unit("rp@server.service")
vm.wait_for_unit("rp@client.service")
vm.wait_for_unit("rp@server.service")
vm.wait_for_unit("rp@client.service")
vm.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
vm.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
psk_server = vm.succeed("wg show rp-server preshared-keys").strip().split()[-1]
psk_client = vm.succeed("wg show rp-client preshared-keys").strip().split()[-1]
psk_server = vm.succeed("wg show rp-server preshared-keys").strip().split()[-1]
psk_client = vm.succeed("wg show rp-client preshared-keys").strip().split()[-1]
assert psk_server == psk_client, "preshared-key exchange must be successful"
'';
}).sandboxed;
assert psk_server == psk_client, "preshared-key exchange must be successful"
'';
}).sandboxed;
in
{
package-deb-debian-13 = test {

216
tests/systemd/rosenpass.nix
View File

@@ -32,29 +32,33 @@ let
public_key = "/etc/rosenpass/rp0/pqpk";
secret_key = "/run/credentials/rosenpass@rp0.service/pqsk";
verbosity = "Verbose";
peers = [{
device = "rp0";
peer = client.wg.public;
public_key = "/etc/rosenpass/rp0/peers/client/pqpk";
}];
peers = [
{
device = "rp0";
peer = client.wg.public;
public_key = "/etc/rosenpass/rp0/peers/client/pqpk";
}
];
};
client_config = {
listen = [ ];
public_key = "/etc/rosenpass/rp0/pqpk";
secret_key = "/run/credentials/rosenpass@rp0.service/pqsk";
verbosity = "Verbose";
peers = [{
device = "rp0";
peer = server.wg.public;
public_key = "/etc/rosenpass/rp0/peers/server/pqpk";
endpoint = "${server.ip4}:9999";
}];
peers = [
{
device = "rp0";
peer = server.wg.public;
public_key = "/etc/rosenpass/rp0/peers/server/pqpk";
endpoint = "${server.ip4}:9999";
}
];
};
config = pkgs.runCommand "config" { } ''
mkdir -pv $out
cp -v ${(pkgs.formats.toml {}).generate "rp0.toml" server_config} $out/server
cp -v ${(pkgs.formats.toml {}).generate "rp0.toml" client_config} $out/client
cp -v ${(pkgs.formats.toml { }).generate "rp0.toml" server_config} $out/server
cp -v ${(pkgs.formats.toml { }).generate "rp0.toml" client_config} $out/client
'';
in
{
@@ -62,50 +66,71 @@ in
nodes =
let
shared = peer: { config, modulesPath, pkgs, ... }: {
# Need to work around a problem in recent systemd changes.
# It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific
# https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767
# This can potentially be removed in future nixpkgs updates
systemd.packages = [
(pkgs.runCommand "rosenpass" { } ''
mkdir -p $out/lib/systemd/system
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass@.service \
sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.wireguard-tools}/bin@' |
sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' |
sed 's@^ExecStart=rosenpass @ExecStart='"${pkgs.rosenpass}"'/bin/rosenpass @' > $out/lib/systemd/system/rosenpass@.service
'')
];
networking.wireguard = {
enable = true;
interfaces.rp0 = {
ips = [ "${peer.wg.ip4}/32" "${peer.wg.ip6}/128" ];
privateKeyFile = "/etc/wireguard/wgsk";
shared =
peer:
{
config,
modulesPath,
pkgs,
...
}:
{
# Need to work around a problem in recent systemd changes.
# It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific
# https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767
# This can potentially be removed in future nixpkgs updates
systemd.packages = [
(pkgs.runCommand "rosenpass" { } ''
mkdir -p $out/lib/systemd/system
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass@.service \
sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.wireguard-tools}/bin@' |
sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' |
sed 's@^ExecStart=rosenpass @ExecStart='"${pkgs.rosenpass}"'/bin/rosenpass @' > $out/lib/systemd/system/rosenpass@.service
'')
];
networking.wireguard = {
enable = true;
interfaces.rp0 = {
ips = [
"${peer.wg.ip4}/32"
"${peer.wg.ip6}/128"
];
privateKeyFile = "/etc/wireguard/wgsk";
};
};
environment.etc."wireguard/wgsk".text = peer.wg.secret;
networking.interfaces.eth1 = {
ipv4.addresses = [
{
address = peer.ip4;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = peer.ip6;
prefixLength = 64;
}
];
};
};
environment.etc."wireguard/wgsk".text = peer.wg.secret;
networking.interfaces.eth1 = {
ipv4.addresses = [{
address = peer.ip4;
prefixLength = 24;
}];
ipv6.addresses = [{
address = peer.ip6;
prefixLength = 64;
}];
};
};
in
{
server = {
imports = [ (shared server) ];
networking.firewall.allowedUDPPorts = [ 9999 server.wg.listen ];
networking.firewall.allowedUDPPorts = [
9999
server.wg.listen
];
networking.wireguard.interfaces.rp0 = {
listenPort = server.wg.listen;
peers = [
{
allowedIPs = [ client.wg.ip4 client.wg.ip6 ];
allowedIPs = [
client.wg.ip4
client.wg.ip6
];
publicKey = client.wg.public;
}
];
@@ -116,7 +141,10 @@ in
networking.wireguard.interfaces.rp0 = {
peers = [
{
allowedIPs = [ "10.23.42.0/24" "fc00::/64" ];
allowedIPs = [
"10.23.42.0/24"
"fc00::/64"
];
publicKey = server.wg.public;
endpoint = "${server.ip4}:${toString server.wg.listen}";
}
@@ -124,60 +152,62 @@ in
};
};
};
testScript = { ... }: ''
from os import system
rosenpass = "${pkgs.rosenpass}/bin/rosenpass"
testScript =
{ ... }:
''
from os import system
rosenpass = "${pkgs.rosenpass}/bin/rosenpass"
start_all()
for machine in [server, client]:
machine.wait_for_unit("multi-user.target")
machine.wait_for_unit("network-online.target")
with subtest("Key, Config, and Service Setup"):
for name, machine, remote in [("server", server, client), ("client", client, server)]:
# generate all the keys
system(f"{rosenpass} gen-keys --public-key {name}-pqpk --secret-key {name}-pqsk")
# copy private keys to our side
machine.copy_from_host(f"{name}-pqsk", "/etc/rosenpass/rp0/pqsk")
machine.copy_from_host(f"{name}-pqpk", "/etc/rosenpass/rp0/pqpk")
# copy public keys to other side
remote.copy_from_host(f"{name}-pqpk", f"/etc/rosenpass/rp0/peers/{name}/pqpk")
machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/rp0.toml")
start_all()
for machine in [server, client]:
machine.wait_for_unit("wireguard-rp0.service")
machine.wait_for_unit("multi-user.target")
machine.wait_for_unit("network-online.target")
with subtest("wg network test"):
client.succeed("wg show all preshared-keys | grep none", timeout=5);
client.succeed("ping -c5 ${server.wg.ip4}")
server.succeed("ping -c5 ${client.wg.ip6}")
with subtest("Key, Config, and Service Setup"):
for name, machine, remote in [("server", server, client), ("client", client, server)]:
# generate all the keys
system(f"{rosenpass} gen-keys --public-key {name}-pqpk --secret-key {name}-pqsk")
with subtest("Set up rosenpass"):
for machine in [server, client]:
machine.succeed("systemctl start rosenpass@rp0.service")
# copy private keys to our side
machine.copy_from_host(f"{name}-pqsk", "/etc/rosenpass/rp0/pqsk")
machine.copy_from_host(f"{name}-pqpk", "/etc/rosenpass/rp0/pqpk")
for machine in [server, client]:
machine.wait_for_unit("rosenpass@rp0.service")
# copy public keys to other side
remote.copy_from_host(f"{name}-pqpk", f"/etc/rosenpass/rp0/peers/{name}/pqpk")
machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/rp0.toml")
for machine in [server, client]:
machine.wait_for_unit("wireguard-rp0.service")
with subtest("wg network test"):
client.succeed("wg show all preshared-keys | grep none", timeout=5);
client.succeed("ping -c5 ${server.wg.ip4}")
server.succeed("ping -c5 ${client.wg.ip6}")
with subtest("Set up rosenpass"):
for machine in [server, client]:
machine.succeed("systemctl start rosenpass@rp0.service")
for machine in [server, client]:
machine.wait_for_unit("rosenpass@rp0.service")
with subtest("compare preshared keys"):
client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
with subtest("compare preshared keys"):
client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
def get_psk(m):
psk = m.succeed("wg show rp0 preshared-keys | awk '{print $2}'")
psk = psk.strip()
assert len(psk.split()) == 1, "Only one PSK"
return psk
def get_psk(m):
psk = m.succeed("wg show rp0 preshared-keys | awk '{print $2}'")
psk = psk.strip()
assert len(psk.split()) == 1, "Only one PSK"
return psk
assert get_psk(client) == get_psk(server), "preshared keys need to match"
assert get_psk(client) == get_psk(server), "preshared keys need to match"
with subtest("rosenpass network test"):
client.succeed("ping -c5 ${server.wg.ip4}")
server.succeed("ping -c5 ${client.wg.ip6}")
'';
with subtest("rosenpass network test"):
client.succeed("ping -c5 ${server.wg.ip4}")
server.succeed("ping -c5 ${client.wg.ip6}")
'';
}

175
tests/systemd/rp.nix
View File

@@ -24,27 +24,31 @@ let
verbose = true;
dev = "test-rp-device0";
ip = "fc00::1/64";
peers = [{
public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/client";
allowed_ips = "fc00::2";
}];
peers = [
{
public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/client";
allowed_ips = "fc00::2";
}
];
};
client_config = {
private_keys_dir = "/run/credentials/rp@test-rp-device0.service";
verbose = true;
dev = "test-rp-device0";
ip = "fc00::2/128";
peers = [{
public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/server";
endpoint = "${server.ip4}:9999";
allowed_ips = "fc00::/64";
}];
peers = [
{
public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/server";
endpoint = "${server.ip4}:9999";
allowed_ips = "fc00::/64";
}
];
};
config = pkgs.runCommand "config" { } ''
mkdir -pv $out
cp -v ${(pkgs.formats.toml {}).generate "test-rp-device0.toml" server_config} $out/server
cp -v ${(pkgs.formats.toml {}).generate "test-rp-device0.toml" client_config} $out/client
cp -v ${(pkgs.formats.toml { }).generate "test-rp-device0.toml" server_config} $out/server
cp -v ${(pkgs.formats.toml { }).generate "test-rp-device0.toml" client_config} $out/client
'';
in
{
@@ -52,88 +56,105 @@ in
nodes =
let
shared = peer: { config, modulesPath, pkgs, ... }: {
# Need to work around a problem in recent systemd changes.
# It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific
# https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767
# This can potentially be removed in future nixpkgs updates
systemd.packages = [
(pkgs.runCommand "rp@.service" { } ''
mkdir -p $out/lib/systemd/system
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target
< ${pkgs.rosenpass}/lib/systemd/system/rp@.service \
sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.iproute2}/bin:${pkgs.wireguard-tools}/bin@' |
sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' |
sed 's@^ExecStart=rp @ExecStart='"${pkgs.rosenpass}"'/bin/rp @' > $out/lib/systemd/system/rp@.service
'')
];
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.interfaces.eth1 = {
ipv4.addresses = [{
address = peer.ip4;
prefixLength = 24;
}];
ipv6.addresses = [{
address = peer.ip6;
prefixLength = 64;
}];
shared =
peer:
{
config,
modulesPath,
pkgs,
...
}:
{
# Need to work around a problem in recent systemd changes.
# It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific
# https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767
# This can potentially be removed in future nixpkgs updates
systemd.packages = [
(pkgs.runCommand "rp@.service" { } ''
mkdir -p $out/lib/systemd/system
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target
< ${pkgs.rosenpass}/lib/systemd/system/rp@.service \
sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.iproute2}/bin:${pkgs.wireguard-tools}/bin@' |
sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' |
sed 's@^ExecStart=rp @ExecStart='"${pkgs.rosenpass}"'/bin/rp @' > $out/lib/systemd/system/rp@.service
'')
];
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.interfaces.eth1 = {
ipv4.addresses = [
{
address = peer.ip4;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = peer.ip6;
prefixLength = 64;
}
];
};
};
};
in
{
server = {
imports = [ (shared server) ];
networking.firewall.allowedUDPPorts = [ 9999 server.wg.listen ];
networking.firewall.allowedUDPPorts = [
9999
server.wg.listen
];
};
client = {
imports = [ (shared client) ];
};
};
testScript = { ... }: ''
from os import system
rp = "${pkgs.rosenpass}/bin/rp"
testScript =
{ ... }:
''
from os import system
rp = "${pkgs.rosenpass}/bin/rp"
start_all()
for machine in [server, client]:
machine.wait_for_unit("multi-user.target")
machine.wait_for_unit("network-online.target")
with subtest("Key, Config, and Service Setup"):
for name, machine, remote in [("server", server, client), ("client", client, server)]:
# create all the keys
system(f"{rp} genkey {name}-sk")
system(f"{rp} pubkey {name}-sk {name}-pk")
# copy secret keys to our side
for file in ["pqpk", "pqsk", "wgsk"]:
machine.copy_from_host(f"{name}-sk/{file}", f"/etc/rosenpass/test-rp-device0/{file}")
# copy public keys to other side
for file in ["pqpk", "wgpk"]:
remote.copy_from_host(f"{name}-pk/{file}", f"/etc/rosenpass/test-rp-device0/peers/{name}/{file}")
machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/test-rp-device0.toml")
start_all()
for machine in [server, client]:
machine.succeed("systemctl start rp@test-rp-device0.service")
machine.wait_for_unit("multi-user.target")
machine.wait_for_unit("network-online.target")
for machine in [server, client]:
machine.wait_for_unit("rp@test-rp-device0.service")
with subtest("Key, Config, and Service Setup"):
for name, machine, remote in [("server", server, client), ("client", client, server)]:
# create all the keys
system(f"{rp} genkey {name}-sk")
system(f"{rp} pubkey {name}-sk {name}-pk")
with subtest("compare preshared keys"):
client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
# copy secret keys to our side
for file in ["pqpk", "pqsk", "wgsk"]:
machine.copy_from_host(f"{name}-sk/{file}", f"/etc/rosenpass/test-rp-device0/{file}")
# copy public keys to other side
for file in ["pqpk", "wgpk"]:
remote.copy_from_host(f"{name}-pk/{file}", f"/etc/rosenpass/test-rp-device0/peers/{name}/{file}")
def get_psk(m):
psk = m.succeed("wg show test-rp-device0 preshared-keys | awk '{print $2}'")
psk = psk.strip()
assert len(psk.split()) == 1, "Only one PSK"
return psk
machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/test-rp-device0.toml")
assert get_psk(client) == get_psk(server), "preshared keys need to match"
for machine in [server, client]:
machine.succeed("systemctl start rp@test-rp-device0.service")
with subtest("network test"):
client.succeed("ping -c5 ${server.wg.ip6}")
server.succeed("ping -c5 ${client.wg.ip6}")
'';
for machine in [server, client]:
machine.wait_for_unit("rp@test-rp-device0.service")
with subtest("compare preshared keys"):
client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
def get_psk(m):
psk = m.succeed("wg show test-rp-device0 preshared-keys | awk '{print $2}'")
psk = psk.strip()
assert len(psk.split()) == 1, "Only one PSK"
return psk
assert get_psk(client) == get_psk(server), "preshared keys need to match"
with subtest("network test"):
client.succeed("ping -c5 ${server.wg.ip6}")
server.succeed("ping -c5 ${client.wg.ip6}")
'';
}

4
treefmt.nix
View File

@@ -17,9 +17,7 @@
"*.yaml"
"*.yml"
];
excludes = [
"supply-chain/*"
];
excludes = [ "supply-chain/*" ];
settings = {
plugins = [
"${pkgs.nodePackages.prettier-plugin-toml}/lib/node_modules/prettier-plugin-toml/lib/index.js"

1
util/Cargo.toml
View File

@@ -25,6 +25,5 @@ mio = { workspace = true }
tempfile = { workspace = true }
uds = { workspace = true, optional = true, features = ["mio_1xx"] }
[features]
experiment_file_descriptor_passing = ["uds"]