WIP support for the Hermit microkernel.

A whole bunch of close-to-the-metal crates are yielding compiler errors
upon compilation with --target x86_64-unknown-hermit. MIO is not.

Using hermit might necessitate relying on threads for IO instead of
using MIO.

https://github.com/hermit-os/kernel/issues/1043

.github/workflows/qc.yaml

@@ -25,6 +25,34 @@ jobs:
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@master
 
+  rustfmt:
+    name: Rust Format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run Rust Formatting Script
+        run: bash format_rust_code.sh --mode check
+
+  cargo-bench:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            target/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Install libsodium
+        run: sudo apt-get install -y libsodium-dev
+        # liboqs requires quite a lot of stack memory, thus we adjust
+        # the default stack size picked for new threads (which is used
+        # by `cargo test`) to be _big enough_. Setting it to 8 MiB
+      - run: RUST_MIN_STACK=8388608 cargo bench --no-run --workspace
+
   cargo-audit:
     runs-on: ubuntu-latest
     steps:
@@ -93,7 +121,7 @@ jobs:
         # liboqs requires quite a lot of stack memory, thus we adjust
         # the default stack size picked for new threads (which is used
         # by `cargo test`) to be _big enough_. Setting it to 8 MiB
-      - run: RUST_MIN_STACK=8388608 cargo test
+      - run: RUST_MIN_STACK=8388608 cargo test --workspace
 
   cargo-test-nix-devshell-x86_64-linux:
     runs-on:
@@ -116,7 +144,7 @@ jobs:
         with:
           name: rosenpass
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
-      - run: nix develop --command cargo test
+      - run: nix develop --command cargo test --workspace
 
   cargo-fuzz:
     runs-on: ubuntu-latest
@@ -146,5 +174,5 @@ jobs:
           cargo fuzz run fuzz_handle_msg -- -max_total_time=5
           ulimit -s 8192000 && RUST_MIN_STACK=33554432000 && cargo fuzz run fuzz_kyber_encaps -- -max_total_time=5
           cargo fuzz run fuzz_mceliece_encaps -- -max_total_time=5
-          cargo fuzz run fuzz_box_sodium_alloc -- -max_total_time=5
-          cargo fuzz run fuzz_vec_sodium_alloc -- -max_total_time=5
+          cargo fuzz run fuzz_box_secret_alloc -- -max_total_time=5
+          cargo fuzz run fuzz_vec_secret_alloc -- -max_total_time=5

Cargo.lock

@@ -18,21 +18,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
 
 [[package]]
-name = "adler32"
-version = "1.2.0"
+name = "aead"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aae1277d39aeec15cb388266ecc24b11c80469deae6067e17a1a7aa9e5c1f234"
-
-[[package]]
-name = "ahash"
-version = "0.8.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "91429305e9f0a25f6205c5b8e0d2db09e0708a7a6df0f42212bb56c32c8ac97a"
+checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0"
 dependencies = [
- "cfg-if",
- "once_cell",
- "version_check",
- "zerocopy",
+ "crypto-common",
+ "generic-array",
+ "heapless",
 ]
 
 [[package]]
@@ -46,9 +39,18 @@ dependencies = [
 
 [[package]]
 name = "allocator-api2"
-version = "0.2.16"
+version = "0.2.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0942ffc6dcaadf03badf6e6a2d0228460359d5e34b57ccdc720b7382dfbd5ec5"
+checksum = "c4f263788a35611fba42eb41ff811c5d0360c58b97402570312a350736e2542e"
+
+[[package]]
+name = "allocator-api2-tests"
+version = "0.2.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "82e6d832cc75b9841b21c847420f1334645387f088324f34eac923a98efa3d89"
+dependencies = [
+ "allocator-api2",
+]
 
 [[package]]
 name = "anes"
@@ -122,6 +124,15 @@ dependencies = [
  "derive_arbitrary",
 ]
 
+[[package]]
+name = "atomic-polyfill"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8cf2bce30dfe09ef0bfaef228b9d414faaf7e563035494d7fe092dba54b300f4"
+dependencies = [
+ "critical-section",
+]
+
 [[package]]
 name = "atty"
 version = "0.2.14"
@@ -179,7 +190,7 @@ dependencies = [
  "regex",
  "rustc-hash",
  "shlex",
- "syn",
+ "syn 2.0.39",
  "which",
 ]
 
@@ -195,6 +206,24 @@ version = "2.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "327762f6e5a765692301e5bb513e0d9fef63be86bbc14528052b1cd3e6f03e07"
 
+[[package]]
+name = "blake2"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe"
+dependencies = [
+ "digest",
+]
+
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "build-deps"
 version = "0.1.4"
@@ -247,6 +276,30 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
+[[package]]
+name = "chacha20"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3613f74bd2eac03dad61bd53dbe620703d4371614fe0bc3b9f04dd36fe4e818"
+dependencies = [
+ "cfg-if",
+ "cipher",
+ "cpufeatures",
+]
+
+[[package]]
+name = "chacha20poly1305"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10cd79432192d1c0f4e1a0fef9527696cc039165d729fb41b3f4f4f354c2dc35"
+dependencies = [
+ "aead",
+ "chacha20",
+ "cipher",
+ "poly1305",
+ "zeroize",
+]
+
 [[package]]
 name = "ciborium"
 version = "0.2.1"
@@ -274,6 +327,17 @@ dependencies = [
  "half",
 ]
 
+[[package]]
+name = "cipher"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
+dependencies = [
+ "crypto-common",
+ "inout",
+ "zeroize",
+]
+
 [[package]]
 name = "clang-sys"
 version = "1.6.1"
@@ -328,7 +392,7 @@ dependencies = [
  "heck",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.39",
 ]
 
 [[package]]
@@ -362,12 +426,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7"
 
 [[package]]
-name = "core2"
-version = "0.4.0"
+name = "cpufeatures"
+version = "0.2.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b49ba7ef1ad6107f8824dbe97de947cbaac53c44e7f9756a1fba0d37c1eec505"
+checksum = "53fe5e26ff1b7aef8bca9c6080520cfb8d9333c7568e1829cef191a9723e5504"
 dependencies = [
- "memchr",
+ "libc",
 ]
 
 [[package]]
@@ -415,6 +479,12 @@ dependencies = [
  "itertools",
 ]
 
+[[package]]
+name = "critical-section"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7059fff8937831a9ae6f0fe4d658ffabf58f2ca96aa9dec1c889f936f705f216"
+
 [[package]]
 name = "crossbeam-deque"
 version = "0.8.3"
@@ -449,10 +519,49 @@ dependencies = [
 ]
 
 [[package]]
-name = "dary_heap"
-version = "0.3.6"
+name = "crypto-common"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7762d17f1241643615821a8455a0b2c3e803784b058693d990b11f2dce25a0ca"
+checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
+[[package]]
+name = "darling"
+version = "0.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f2c43f534ea4b0b049015d00269734195e6d3f0f6635cb692251aca6f9f8b3c"
+dependencies = [
+ "darling_core",
+ "darling_macro",
+]
+
+[[package]]
+name = "darling_core"
+version = "0.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e91455b86830a1c21799d94524df0845183fa55bafd9aa137b01c7d1065fa36"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29b5acf0dea37a7f66f7b25d2c5e93fd46f8f6968b1a5d7a3e02e97768afc95a"
+dependencies = [
+ "darling_core",
+ "quote",
+ "syn 1.0.109",
+]
 
 [[package]]
 name = "derive_arbitrary"
@@ -462,7 +571,49 @@ checksum = "67e77553c4162a157adbf834ebae5b415acbecbeafc7a74b0e886657506a7611"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.39",
+]
+
+[[package]]
+name = "derive_builder"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d13202debe11181040ae9063d739fa32cfcaaebe2275fe387703460ae2365b30"
+dependencies = [
+ "derive_builder_macro",
+]
+
+[[package]]
+name = "derive_builder_core"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "66e616858f6187ed828df7c64a6d71720d83767a7f19740b2d1b6fe6327b36e5"
+dependencies = [
+ "darling",
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "derive_builder_macro"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "58a94ace95092c5acb1e97a7e846b310cfbd499652f72297da7493f618a98d73"
+dependencies = [
+ "derive_builder_core",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "crypto-common",
+ "subtle",
 ]
 
 [[package]]
@@ -508,14 +659,14 @@ dependencies = [
 
 [[package]]
 name = "filetime"
-version = "0.2.22"
+version = "0.2.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4029edd3e734da6fe05b6cd7bd2960760a616bd2ddd0d59a0124746d6272af0"
+checksum = "1ee447700ac8aa0b2f2bd7bc4462ad686ba06baa6727ac149a2d6277f0d240fd"
 dependencies = [
  "cfg-if",
  "libc",
  "redox_syscall",
- "windows-sys 0.48.0",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -528,6 +679,12 @@ dependencies = [
  "miniz_oxide",
 ]
 
+[[package]]
+name = "fnv"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+
 [[package]]
 name = "form_urlencoded"
 version = "1.2.1"
@@ -537,6 +694,16 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+]
+
 [[package]]
 name = "getrandom"
 version = "0.2.11"
@@ -566,33 +733,57 @@ version = "1.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eabb4a44450da02c90444cf74558da904edde8fb4e9035a9a6a4e15445af0bd7"
 
+[[package]]
+name = "hash32"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b0c35f58762feb77d74ebe43bdbc3210f09be9fe6742234d573bacc26ed92b67"
+dependencies = [
+ "byteorder",
+]
+
 [[package]]
 name = "hashbrown"
 version = "0.12.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
 
-[[package]]
-name = "hashbrown"
-version = "0.13.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43a3c133739dddd0d2990f9a4bdf8eb4b21ef50e4851ca85ab661199821d510e"
-dependencies = [
- "ahash",
-]
-
 [[package]]
 name = "hashbrown"
 version = "0.14.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604"
 
+[[package]]
+name = "heapless"
+version = "0.7.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cdc6457c0eb62c71aac4bc17216026d8410337c4126773b9c5daba343f17964f"
+dependencies = [
+ "atomic-polyfill",
+ "hash32",
+ "rustc_version",
+ "spin",
+ "stable_deref_trait",
+]
+
 [[package]]
 name = "heck"
 version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
 
+[[package]]
+name = "hermit"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0f54046de71e77899abc5fee9a9ada4b6299e0829cf26cf47cdfe2163be3d33a"
+dependencies = [
+ "flate2",
+ "tar",
+ "ureq",
+]
+
 [[package]]
 name = "hermit-abi"
 version = "0.1.19"
@@ -623,6 +814,12 @@ version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
 
+[[package]]
+name = "ident_case"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+
 [[package]]
 name = "idna"
 version = "0.5.0"
@@ -653,6 +850,15 @@ dependencies = [
  "hashbrown 0.14.3",
 ]
 
+[[package]]
+name = "inout"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "is-terminal"
 version = "0.4.9"
@@ -715,30 +921,6 @@ version = "0.2.150"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "89d92a4743f9a61002fae18374ed11e7973f530cb3a3255fb354818118b2203c"
 
-[[package]]
-name = "libflate"
-version = "2.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f7d5654ae1795afc7ff76f4365c2c8791b0feb18e8996a96adad8ffd7c3b2bf"
-dependencies = [
- "adler32",
- "core2",
- "crc32fast",
- "dary_heap",
- "libflate_lz77",
-]
-
-[[package]]
-name = "libflate_lz77"
-version = "2.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be5f52fb8c451576ec6b79d3f4deb327398bc05bbdbd99021a6e77a4c855d524"
-dependencies = [
- "core2",
- "hashbrown 0.13.2",
- "rle-decode-fast",
-]
-
 [[package]]
 name = "libfuzzer-sys"
 version = "0.4.7"
@@ -760,29 +942,22 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "libsodium-sys-stable"
-version = "1.20.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d1d164bc6f9139c5f95efb4f0be931b2bd5a9edf7e4e3c945d26b95ab8fa669b"
-dependencies = [
- "cc",
- "libc",
- "libflate",
- "minisign-verify",
- "pkg-config",
- "tar",
- "ureq",
- "vcpkg",
- "zip",
-]
-
 [[package]]
 name = "linux-raw-sys"
 version = "0.4.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4cd1a83af159aa67994778be9070f0ae1bd732942279cabb14f86f986a21456"
 
+[[package]]
+name = "lock_api"
+version = "0.4.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45"
+dependencies = [
+ "autocfg",
+ "scopeguard",
+]
+
 [[package]]
 name = "log"
 version = "0.4.20"
@@ -810,12 +985,6 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
 
-[[package]]
-name = "minisign-verify"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "933dca44d65cdd53b355d0b73d380a2ff5da71f87f036053188bf1eab6a19881"
-
 [[package]]
 name = "miniz_oxide"
 version = "0.7.1"
@@ -837,6 +1006,31 @@ dependencies = [
  "windows-sys 0.48.0",
 ]
 
+[[package]]
+name = "neli"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1805440578ced23f85145d00825c0a831e43c587132a90e100552172543ae30"
+dependencies = [
+ "byteorder",
+ "libc",
+ "log",
+ "neli-proc-macros",
+]
+
+[[package]]
+name = "neli-proc-macros"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c168194d373b1e134786274020dae7fc5513d565ea2ebb9bc9ff17ffb69106d4"
+dependencies = [
+ "either",
+ "proc-macro2",
+ "quote",
+ "serde",
+ "syn 1.0.109",
+]
+
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -877,6 +1071,12 @@ version = "11.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0ab1bc2a289d34bd04a330323ac98a1b4bc82c9d9fcb1e66b63caa84da26b575"
 
+[[package]]
+name = "opaque-debug"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
+
 [[package]]
 name = "oqs-sys"
 version = "0.8.0"
@@ -913,12 +1113,6 @@ version = "2.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
 
-[[package]]
-name = "pkg-config"
-version = "0.3.27"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964"
-
 [[package]]
 name = "plotters"
 version = "0.3.5"
@@ -947,6 +1141,17 @@ dependencies = [
  "plotters-backend",
 ]
 
+[[package]]
+name = "poly1305"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8159bd90725d2df49889a078b54f4f79e87f1f8a8444194cdca81d38f5393abf"
+dependencies = [
+ "cpufeatures",
+ "opaque-debug",
+ "universal-hash",
+]
+
 [[package]]
 name = "ppv-lite86"
 version = "0.2.17"
@@ -960,7 +1165,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ae005bd773ab59b4725093fd7df83fd7892f7d8eafb48dbd7de6e024e4215f9d"
 dependencies = [
  "proc-macro2",
- "syn",
+ "syn 2.0.39",
 ]
 
 [[package]]
@@ -1042,9 +1247,9 @@ dependencies = [
 
 [[package]]
 name = "redox_syscall"
-version = "0.3.5"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29"
+checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa"
 dependencies = [
  "bitflags 1.3.2",
 ]
@@ -1080,9 +1285,9 @@ checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f"
 
 [[package]]
 name = "ring"
-version = "0.17.6"
+version = "0.17.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "684d5e6e18f669ccebf64a92236bb7db9a34f07be010e3627368182027180866"
+checksum = "688c63d65483050968b2a8937f7995f443e27041a0f7700aa59b0822aedebb74"
 dependencies = [
  "cc",
  "getrandom",
@@ -1092,12 +1297,6 @@ dependencies = [
  "windows-sys 0.48.0",
 ]
 
-[[package]]
-name = "rle-decode-fast"
-version = "1.0.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3582f63211428f83597b51b2ddb88e2a91a9d52d12831f9d08f5e624e8977422"
-
 [[package]]
 name = "rosenpass"
 version = "0.2.1"
@@ -1106,7 +1305,7 @@ dependencies = [
  "clap 4.4.10",
  "criterion",
  "env_logger",
- "libsodium-sys-stable",
+ "hermit",
  "log",
  "memoffset",
  "mio",
@@ -1117,9 +1316,9 @@ dependencies = [
  "rosenpass-constant-time",
  "rosenpass-lenses",
  "rosenpass-secret-memory",
- "rosenpass-sodium",
  "rosenpass-to",
  "rosenpass-util",
+ "rosenpass-wireguard-broker",
  "serde",
  "stacker",
  "static_assertions",
@@ -1137,11 +1336,13 @@ name = "rosenpass-ciphers"
 version = "0.1.0"
 dependencies = [
  "anyhow",
+ "blake2",
+ "chacha20poly1305",
  "rosenpass-constant-time",
  "rosenpass-oqs",
  "rosenpass-secret-memory",
- "rosenpass-sodium",
  "rosenpass-to",
+ "rosenpass-util",
  "static_assertions",
  "zeroize",
 ]
@@ -1163,7 +1364,6 @@ dependencies = [
  "rosenpass-cipher-traits",
  "rosenpass-ciphers",
  "rosenpass-secret-memory",
- "rosenpass-sodium",
  "rosenpass-to",
  "stacker",
 ]
@@ -1190,28 +1390,16 @@ dependencies = [
 name = "rosenpass-secret-memory"
 version = "0.1.0"
 dependencies = [
+ "allocator-api2",
+ "allocator-api2-tests",
  "anyhow",
- "lazy_static",
- "libsodium-sys-stable",
+ "log",
  "rand",
- "rosenpass-sodium",
  "rosenpass-to",
  "rosenpass-util",
  "zeroize",
 ]
 
-[[package]]
-name = "rosenpass-sodium"
-version = "0.1.0"
-dependencies = [
- "allocator-api2",
- "anyhow",
- "libsodium-sys-stable",
- "log",
- "rosenpass-to",
- "rosenpass-util",
-]
-
 [[package]]
 name = "rosenpass-to"
 version = "0.1.0"
@@ -1225,6 +1413,25 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "base64",
+ "static_assertions",
+ "typenum",
+]
+
+[[package]]
+name = "rosenpass-wireguard-broker"
+version = "0.1.0"
+dependencies = [
+ "anyhow",
+ "clap 4.4.10",
+ "env_logger",
+ "log",
+ "mio",
+ "paste",
+ "rosenpass-lenses",
+ "rosenpass-to",
+ "rosenpass-util",
+ "thiserror",
+ "wireguard-uapi",
 ]
 
 [[package]]
@@ -1240,10 +1447,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
 
 [[package]]
-name = "rustix"
-version = "0.38.26"
+name = "rustc_version"
+version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9470c4bf8246c8daf25f9598dca807fb6510347b1e1cfa55749113850c79d88a"
+checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366"
+dependencies = [
+ "semver",
+]
+
+[[package]]
+name = "rustix"
+version = "0.38.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfeae074e687625746172d639330f1de242a178bf3189b51e35a7a21573513ac"
 dependencies = [
  "bitflags 2.4.1",
  "errno",
@@ -1254,9 +1470,9 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.21.9"
+version = "0.21.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "629648aced5775d558af50b2b4c7b02983a04b312126d45eeead26e7caa498b9"
+checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba"
 dependencies = [
  "log",
  "ring",
@@ -1305,6 +1521,12 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "semver"
+version = "1.0.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b97ed7a9823b74f99c7742f5336af7be5ecd3eeafcb1507d1fa93347b1d589b0"
+
 [[package]]
 name = "serde"
 version = "1.0.193"
@@ -1322,7 +1544,7 @@ checksum = "43576ca501357b9b071ac53cdc7da8ef0cbd9493d8df094cd821777ea6e894d3"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.39",
 ]
 
 [[package]]
@@ -1356,6 +1578,15 @@ name = "spin"
 version = "0.9.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
+dependencies = [
+ "lock_api",
+]
+
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
 
 [[package]]
 name = "stacker"
@@ -1382,6 +1613,23 @@ version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
 
+[[package]]
+name = "subtle"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"
+
+[[package]]
+name = "syn"
+version = "1.0.109"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
 [[package]]
 name = "syn"
 version = "2.0.39"
@@ -1442,7 +1690,7 @@ checksum = "266b2e40bc00e5a6c09c3584011e08b06f123c00362c92b975ba9843aaaa14b8"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.39",
 ]
 
 [[package]]
@@ -1505,10 +1753,16 @@ dependencies = [
 ]
 
 [[package]]
-name = "unicode-bidi"
-version = "0.3.13"
+name = "typenum"
+version = "1.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460"
+checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+
+[[package]]
+name = "unicode-bidi"
+version = "0.3.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08f95100a766bf4f8f28f90d77e0a5461bbdb219042e7679bebe79004fed8d75"
 
 [[package]]
 name = "unicode-ident"
@@ -1525,6 +1779,16 @@ dependencies = [
  "tinyvec",
 ]
 
+[[package]]
+name = "universal-hash"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea"
+dependencies = [
+ "crypto-common",
+ "subtle",
+]
+
 [[package]]
 name = "untrusted"
 version = "0.9.0"
@@ -1538,6 +1802,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8cdd25c339e200129fe4de81451814e5228c9b771d57378817d6117cc2b3f97"
 dependencies = [
  "base64",
+ "flate2",
  "log",
  "once_cell",
  "rustls",
@@ -1563,12 +1828,6 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a"
 
-[[package]]
-name = "vcpkg"
-version = "0.2.15"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
-
 [[package]]
 name = "version_check"
 version = "0.9.4"
@@ -1612,7 +1871,7 @@ dependencies = [
  "once_cell",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.39",
  "wasm-bindgen-shared",
 ]
 
@@ -1634,7 +1893,7 @@ checksum = "c5353b8dab669f5e10f5bd76df26a9360c748f054f862ff5f3f8aae0c7fb3907"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.39",
  "wasm-bindgen-backend",
  "wasm-bindgen-shared",
 ]
@@ -1846,48 +2105,28 @@ dependencies = [
 ]
 
 [[package]]
-name = "xattr"
-version = "1.0.1"
+name = "wireguard-uapi"
+version = "3.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4686009f71ff3e5c4dbcf1a282d0a44db3f021ba69350cd42086b3e5f1c6985"
+checksum = "89ba4e9811befc20af3b6efb15924a7238ee5e8e8706a196576462a00b9f1af1"
+dependencies = [
+ "derive_builder",
+ "libc",
+ "neli",
+ "thiserror",
+]
+
+[[package]]
+name = "xattr"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fbc6ab6ec1907d1a901cdbcd2bd4cb9e7d64ce5c9739cbb97d3c391acd8c7fae"
 dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "zerocopy"
-version = "0.7.25"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8cd369a67c0edfef15010f980c3cbe45d7f651deac2cd67ce097cd801de16557"
-dependencies = [
- "zerocopy-derive",
-]
-
-[[package]]
-name = "zerocopy-derive"
-version = "0.7.25"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2f140bda219a26ccc0cdb03dba58af72590c53b22642577d88a927bc5c87d6b"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "zeroize"
 version = "1.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
-
-[[package]]
-name = "zip"
-version = "0.6.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "760394e246e4c28189f19d488c058bf16f564016aefac5d32bb1f3b51d5e9261"
-dependencies = [
- "byteorder",
- "crc32fast",
- "crossbeam-utils",
- "flate2",
-]

Cargo.toml

@@ -7,16 +7,17 @@ members = [
     "ciphers",
     "util",
     "constant-time",
-    "sodium",
     "oqs",
     "to",
     "fuzz",
     "secret-memory",
     "lenses",
+    "wireguard-broker",
 ]
 
 default-members = [
-    "rosenpass"
+    "rosenpass",
+    "wireguard-broker"
 ]
 
 [workspace.metadata.release]
@@ -27,13 +28,13 @@ tag-prefix = ""
 rosenpass = { path = "rosenpass" }
 rosenpass-util = { path = "util" }
 rosenpass-constant-time = { path = "constant-time" }
-rosenpass-sodium = { path = "sodium" }
 rosenpass-cipher-traits = { path = "cipher-traits" }
 rosenpass-ciphers = { path = "ciphers" }
 rosenpass-to = { path = "to" }
 rosenpass-secret-memory = { path = "secret-memory" }
 rosenpass-oqs = { path = "oqs" }
 rosenpass-lenses = { path = "lenses" }
+rosenpass-wireguard-broker = { path = "wireguard-broker" }
 criterion = "0.4.0"
 test_bin = "0.4.0"
 libfuzzer-sys = "0.4"
@@ -42,19 +43,22 @@ doc-comment = "0.3.3"
 base64 = "0.21.5"
 zeroize = "1.7.0"
 memoffset = "0.9.0"
-lazy_static = "1.4.0"
 thiserror = "1.0.50"
 paste = "1.0.14"
 env_logger = "0.10.1"
 toml = "0.7.8"
 static_assertions = "1.1.0"
-allocator-api2 = "0.2.16"
+allocator-api2 = "0.2.14"
+allocator-api2-tests = "0.2.14"
 rand = "0.8.5"
+wireguard-uapi = "3.0.0"
+typenum = "1.17.0"
 log = { version = "0.4.20" }
 clap = { version = "4.4.10", features = ["derive"] }
 serde = { version = "1.0.193", features = ["derive"] }
 arbitrary = { version = "1.3.2", features = ["derive"] }
 anyhow = { version = "1.0.75", features = ["backtrace", "std"] }
-mio = { version = "0.8.9", features = ["net", "os-poll"] }
-libsodium-sys-stable= { version = "1.20.4", features = ["use-pkg-config"] }
+mio = { version = "0.8.9", features = ["net"] }
 oqs-sys = { version = "0.8", default-features = false, features = ['classic_mceliece', 'kyber']  }
+blake2 = "0.10.6"
+chacha20poly1305 = { version = "0.10.1", default-features = false, features = [ "std", "heapless" ] }

analysis/03_identity_hiding.entry.mpv

@@ -0,0 +1,121 @@
+/*
+  This identity hiding process tests whether the rosenpass protocol is able to protect the identity of an initiator or responder.
+  The participants in the test are trusted initiators, trusted responders and compromised initiators and responders.
+  The test consists of two phases. In the first phase all of the participants can communicate with each other using the rosenpass protocol.
+  An attacker observes the first phase and is able to intercept and modify messages and choose participants to communicate with each other
+
+  In the second phase if the anonymity of an initiator is being tested then one of two trusted initiators is chosen.
+  The chosen initiator communicates directly with a trusted responder.
+  If an attacker can determine which initiator was chosen then the anonymity of the initiator has been compromised.
+  Otherwise the protocol has successfully protected the initiators’ identity.
+
+  If the anonymity of a responder is being tested then one of two trusted responders is chosen instead.
+  Then an initiator communicates directly with the chosen responder.
+  If an attacker can determine which responder was chosen then the anonymity of the responder is compromised.
+  Otherwise the protocol successfully protects the identity of a responder.
+
+  The Proverif code treats the public key as synonymous with identity.
+  In the above test when a responder or initiator is chosen what is actually chosen is the public/private key pair to use for communication.
+  Traditionally when a responder or initiator is chosen they would be chosen randomly.
+  The way Proverif makes a "choice" is by simulating multiple processes, one process per choice
+  Then the processes are compared and if an association between a public key and a process can be made the test fails.
+  As the choice is at least as bad as choosing the worst possible option the credibility of the test is maintained.
+  The drawback is that Proverif is only able to tell if the identity can be brute forced but misses any probabilistic associations.
+  As usual Proverif also assumes perfect encryption and in particular assumes encryption cannot be linked to identity.
+
+  One of the tradeoffs made here is that the choice function in Proverif is slow but this is in favour of being able to write more precise tests.
+  Another issue is the choice function does not work with queries so a test needs to be run for each set of assumptions.
+  In this case the test uses secure rng and a fresh secure biscuit key.
+*/
+
+
+#include "config.mpv"
+
+#define CHAINING_KEY_EVENTS 1
+#define MESSAGE_TRANSMISSION_EVENTS 1
+#define SESSION_START_EVENTS 0
+#define RANDOMIZED_CALL_IDS 0
+#undef FULL_MODEL
+#undef SIMPLE_MODEL
+#define SIMPLE_MODEL 1
+
+#include "prelude/basic.mpv"
+#include "crypto/key.mpv"
+#include "rosenpass/oracles.mpv"
+#include "crypto/kem.mpv"
+
+#define INITIATOR_TEST
+#define NEW_TRUSTED_SEED(name)            \
+  new MCAT(name, _secret_seed):seed_prec; \
+  name <- make_trusted_seed(MCAT(name, _secret_seed)); \
+
+free D:channel [private].
+free secure_biscuit_no:Atom [private].
+free secure_sidi,secure_sidr:SessionId [private].
+free secure_psk:key [private].
+free initiator1, initiator2:kem_sk_prec.
+free responder1, responder2:kem_sk_prec.
+
+let secure_init_hello(initiator: kem_sk_tmpl, sidi : SessionId, psk: key_tmpl, responder: kem_sk_tmpl) =
+  NEW_TRUSTED_SEED(seski_trusted_seed)
+  NEW_TRUSTED_SEED(ssptr_trusted_seed)
+  Oinitiator_inner(sidi, initiator, psk, responder, seski_trusted_seed, ssptr_trusted_seed, D).
+
+let secure_resp_hello(initiator: kem_sk_tmpl, responder: kem_sk_tmpl, sidr:SessionId, sidi:SessionId, biscuit_no:Atom, psk:key_tmpl) =
+  in(D, Envelope(k, IH2b(InitHello(=sidi, epki, sctr, pidiC, auth))));
+  ih <- InitHello(sidi, epki, sctr, pidiC, auth);
+  NEW_TRUSTED_SEED(septi_trusted_seed)
+  NEW_TRUSTED_SEED(sspti_trusted_seed)
+  Oinit_hello_inner(sidr, biscuit_no, responder, psk, initiator, septi_trusted_seed, sspti_trusted_seed, ih, D).
+
+let secure_init_conf(initiator: kem_sk_tmpl, responder: kem_sk_tmpl, psk:key_tmpl, sidi:SessionId, sidr:SessionId) =
+  in(D, Envelope(k3, IC2b(InitConf(=sidi, =sidr, biscuit, auth3))));
+  ic <- InitConf(sidi,sidr,biscuit, auth3);
+  NEW_TRUSTED_SEED(seski_trusted_seed)
+  NEW_TRUSTED_SEED(ssptr_trusted_seed)
+  Oinit_conf_inner(initiator, psk, responder, ic).
+
+let secure_communication(initiator: kem_sk_tmpl, responder:kem_sk_tmpl) =
+  secure_key <- prepare_key(secure_psk);
+  (!secure_init_hello(initiator, secure_sidi, secure_key, responder))
+  | !secure_resp_hello(initiator, responder, secure_sidr, secure_sidi, secure_biscuit_no, secure_key)
+  | !(secure_init_conf(initiator, responder, secure_key, secure_sidi, secure_sidr)).
+
+let pipeChannel(D:channel, C:channel) =
+  in(D, b:bits);
+  out(C, b).
+
+fun kem_private(kem_pk): kem_sk
+  reduc forall sk_tmpl:kem_sk;
+    kem_private(kem_pub(sk_tmpl)) = sk_tmpl[private].
+
+let secretCommunication() =
+#ifdef INITIATOR_TEST
+  initiator_pk <- choice[setup_kem_pk(make_trusted_kem_sk(initiator1)), setup_kem_pk(make_trusted_kem_sk(initiator2))];
+  initiator_seed <- prepare_kem_sk(kem_private(initiator_pk)); 
+#else
+  initiator_seed <- prepare_kem_sk(trusted_kem_sk(initiator1));
+#endif
+#ifdef RESPONDER_TEST
+  responder_pk <- choice[setup_kem_pk(make_trusted_kem_sk(responder1)), setup_kem_pk(make_trusted_kem_sk(responder2))];
+  responder_seed <- prepare_kem_sk(kem_private(responder_pk));
+#else
+  responder_seed <- prepare_kem_sk(trusted_kem_sk(responder1));
+#endif
+  secure_communication(initiator_seed, responder_seed) | !pipeChannel(D, C).
+
+let reveal_pks() =
+  out(C, setup_kem_pk(make_trusted_kem_sk(responder1)));
+  out(C, setup_kem_pk(make_trusted_kem_sk(responder2)));
+  out(C, setup_kem_pk(make_trusted_kem_sk(initiator1)));
+  out(C, setup_kem_pk(make_trusted_kem_sk(initiator2))).
+
+let rosenpass_main2() = 
+  REP(INITIATOR_BOUND, Oinitiator)
+  | REP(RESPONDER_BOUND, Oinit_hello)
+  | REP(RESPONDER_BOUND, Oinit_conf).
+
+let identity_hiding_main() = 
+  0 | reveal_pks() |  rosenpass_main2() | phase 1; secretCommunication().
+
+let main = identity_hiding_main.

analysis/rosenpass/oracles.mpv

@@ -47,14 +47,16 @@ CK_EV(  event OskOinit_conf(key, key). )
 MTX_EV( event ICRjct(InitConf_t, key, kem_sk, kem_pk). )
 SES_EV( event ResponderSession(InitConf_t, key). )
 event ConsumeBiscuit(Atom, kem_sk, kem_pk, Atom).
-let Oinit_conf() = 
-  in(C, Cinit_conf(Ssskm, Spsk, Sspkt, ic));
+
+let Oinit_conf_inner(Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t) =
 #if RANDOMIZED_CALL_IDS
   new call:Atom;
 #else
   call <- Cinit_conf(Ssskm, Spsk, Sspkt, ic);
 #endif
+
   SETUP_HANDSHAKE_STATE()
+
   eski <- kem_sk0;
   epki <- kem_pk0;
   let try_ = (
@@ -72,6 +74,10 @@ let Oinit_conf() =
     0
 #endif
   ).
+  
+let Oinit_conf() = 
+  in(C, Cinit_conf(Ssskm, Spsk, Sspkt, ic));
+  Oinit_conf_inner(Ssskm, Spsk, Sspkt, ic).
 
 restriction biscuit_no:Atom, sskm:kem_sk, spkr:kem_pk, ad1:Atom, ad2:Atom;
   event(ConsumeBiscuit(biscuit_no, sskm, spkr, ad1)) && event(ConsumeBiscuit(biscuit_no, sskm, spkr, ad2))
@@ -85,8 +91,8 @@ CK_EV(  event OskOresp_hello(key, key, key). )
 MTX_EV( event RHRjct(RespHello_t, key, kem_sk, kem_pk). )
 MTX_EV( event ICSent(RespHello_t, InitConf_t, key, kem_sk, kem_pk). )
 SES_EV( event InitiatorSession(RespHello_t, key). )
-let Oresp_hello(HS_DECL_ARGS) =
-  in(C, Cresp_hello(RespHello(sidr, =sidi, ecti, scti, biscuit, auth)));
+let Oresp_hello(HS_DECL_ARGS, C_in:channel) =
+  in(C_in, Cresp_hello(RespHello(sidr, =sidi, ecti, scti, biscuit, auth)));
   rh <- RespHello(sidr, sidi, ecti, scti, biscuit, auth);
   /* try */ let ic = (
     ck_ini <- ck;
@@ -98,7 +104,7 @@ let Oresp_hello(HS_DECL_ARGS) =
     SES_EV( event InitiatorSession(rh, osk); )
     ic
   /* success */ ) in (
-    out(C, ic)
+    out(C_in, Envelope(create_mac(spkt, IC2b(ic)), IC2b(ic)))
   /* fail */ ) else (
 #if MESSAGE_TRANSMISSION_EVENTS
     event RHRjct(rh, psk, sski, spkr)
@@ -116,8 +122,8 @@ MTX_EV( event IHRjct(InitHello_t, key, kem_sk, kem_pk). )
 MTX_EV( event RHSent(InitHello_t, RespHello_t, key, kem_sk, kem_pk). )
 event ConsumeSidr(SessionId, Atom).
 event ConsumeBn(Atom, kem_sk, kem_pk, Atom).
-let Oinit_hello() = 
-  in(C, Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih));
+
+let Oinit_hello_inner(sidm:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt: kem_sk_tmpl, Septi: seed_tmpl, Sspti: seed_tmpl, ih: InitHello_t, C_out:channel) = 
 #if RANDOMIZED_CALL_IDS
   new call:Atom;
 #else
@@ -125,14 +131,19 @@ let Oinit_hello() =
 #endif
   // TODO: This is ugly
   let InitHello(sidi, epki, sctr, pidiC, auth) = ih in
+
   SETUP_HANDSHAKE_STATE()
+
   eski <- kem_sk0;
-  epti <- rng_key(setup_seed(Septi)); // RHR4
-  spti <- rng_key(setup_seed(Sspti)); // RHR5
+
   event ConsumeBn(biscuit_no, sskm, spkt, call);
   event ConsumeSidr(sidr, call);
+
+  epti <- rng_key(setup_seed(Septi)); // RHR4
+  spti <- rng_key(setup_seed(Sspti)); // RHR5
   event ConsumeSeed(Epti, setup_seed(Septi), call);
   event ConsumeSeed(Spti, setup_seed(Sspti), call);
+
   let rh = (
     INITHELLO_CONSUME()
     ck_ini <- ck;
@@ -141,7 +152,8 @@ let Oinit_hello() =
     MTX_EV( event RHSent(ih, rh, psk, sskr, spki); )
     rh
   /* success */ ) in (
-    out(C, rh)
+    out(C_out, Envelope(create_mac(spkt, RH2b(rh)), RH2b(rh)))
+
   /* fail */ ) else (
 #if MESSAGE_TRANSMISSION_EVENTS
     event IHRjct(ih, psk, sskr, spki)
@@ -150,6 +162,10 @@ let Oinit_hello() =
 #endif
   ).
 
+let Oinit_hello() = 
+  in(C, Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih));
+  Oinit_hello_inner(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih, C).
+
 restriction sid:SessionId, ad1:Atom, ad2:Atom;
   event(ConsumeSidr(sid, ad1)) && event(ConsumeSidr(sid, ad2))
     ==> ad1 = ad2.
@@ -167,26 +183,34 @@ CK_EV( event OskOinitiator_ck(key). )
 CK_EV( event OskOinitiator(key, key, kem_sk, kem_pk, key). )
 MTX_EV( event IHSent(InitHello_t, key, kem_sk, kem_pk). )
 event ConsumeSidi(SessionId, Atom).
+
+let Oinitiator_inner(sidi: SessionId, Ssskm: kem_sk_tmpl, Spsk: key_tmpl, Sspkt: kem_sk_tmpl, Seski: seed_tmpl, Ssptr: seed_tmpl, C_out:channel) =
+  #if RANDOMIZED_CALL_IDS
+    new call:Atom;
+  #else
+    call <- Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr);
+  #endif
+
+    SETUP_HANDSHAKE_STATE()
+
+    sidr <- sid0;
+
+    RNG_KEM_PAIR(eski, epki, Seski) // IHI3
+    sptr <- rng_key(setup_seed(Ssptr)); // IHI5
+    event ConsumeSidi(sidi, call);
+    event ConsumeSeed(Sptr, setup_seed(Ssptr), call);
+    event ConsumeSeed(Eski, setup_seed(Seski), call);
+
+    INITHELLO_PRODUCE()
+    CK_EV( event OskOinitiator_ck(ck); ) 
+    CK_EV( event OskOinitiator(ck, psk, sski, spkr, sptr); )
+    MTX_EV( event IHSent(ih, psk, sski, spkr); )
+    out(C_out, Envelope(create_mac(spkt, IH2b(ih)), IH2b(ih)));
+    Oresp_hello(HS_PASS_ARGS, C_out).
+
 let Oinitiator() =
   in(C, Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr));
-#if RANDOMIZED_CALL_IDS
-  new call:Atom;
-#else
-  call <- Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr);
-#endif
-  SETUP_HANDSHAKE_STATE()
-  RNG_KEM_PAIR(eski, epki, Seski) // IHI3
-  sidr <- sid0;
-  sptr <- rng_key(setup_seed(Ssptr)); // IHI5
-  event ConsumeSidi(sidi, call);
-  event ConsumeSeed(Sptr, setup_seed(Ssptr), call);
-  event ConsumeSeed(Eski, setup_seed(Seski), call);
-  INITHELLO_PRODUCE()
-  CK_EV( event OskOinitiator_ck(ck); ) 
-  CK_EV( event OskOinitiator(ck, psk, sski, spkr, sptr); )
-  MTX_EV( event IHSent(ih, psk, sski, spkr); )
-  out(C, ih);
-  Oresp_hello(HS_PASS_ARGS).
+  Oinitiator_inner(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr, C).
 
 restriction sid:SessionId, ad1:Atom, ad2:Atom;
   event(ConsumeSidi(sid, ad1)) && event(ConsumeSidi(sid, ad2))

analysis/rosenpass/protocol.mpv

@@ -2,6 +2,12 @@
 #include "crypto/kem.mpv"
 #include "rosenpass/handshake_state.mpv"
 
+fun Envelope(
+  key,
+  bits
+): bits [data].
+letfun create_mac(pk:kem_pk, payload:bits) = lprf2(MAC, kem_pk2b(pk), payload).
+
 type InitHello_t.
 fun InitHello(
   SessionId, // sidi
@@ -11,6 +17,8 @@ fun InitHello(
   bits       // auth
 ) : InitHello_t [data].
 
+fun IH2b(InitHello_t) : bitstring [typeConverter].
+
 #define INITHELLO_PRODUCE()       \
   ck <- lprf1(CK_INIT, kem_pk2b(spkr)); /* IHI1 */ \
   /* not handled here */                /* IHI2 */ \
@@ -41,7 +49,9 @@ fun RespHello(
     bits       // auth
 ) : RespHello_t [data].
 
-#define RESPHELLO_PRODUCE()                   \
+fun RH2b(RespHello_t) : bitstring [typeConverter].
+
+#define RESPHELLO_PRODUCE()  \
   /* not handled here */           /* RHR1 */ \
   MIX2(sid2b(sidr), sid2b(sidi))   /* RHR3 */ \
   ENCAPS_AND_MIX(ecti, epki, epti) /* RHR4 */ \
@@ -67,6 +77,8 @@ fun InitConf(
     bits       // auth
 ) : InitConf_t [data].
 
+fun IC2b(InitConf_t) : bitstring [typeConverter].
+
 #define INITCONF_PRODUCE()                  \
   MIX2(sid2b(sidi), sid2b(sidr)) /* ICI3 */ \
   ENCRYPT_AND_MIX(auth, empty)   /* ICI4 */ \

ciphers/Cargo.toml

@@ -11,10 +11,12 @@ readme = "readme.md"
 
 [dependencies]
 anyhow = { workspace = true }
-rosenpass-sodium = { workspace = true }
 rosenpass-to = { workspace = true }
 rosenpass-constant-time = { workspace = true }
 rosenpass-secret-memory = { workspace = true }
 rosenpass-oqs = { workspace = true }
+rosenpass-util = { workspace = true }
 static_assertions = { workspace = true }
 zeroize = { workspace = true }
+chacha20poly1305 = { workspace = true }
+blake2 = { workspace = true }

ciphers/src/lib.rs

@@ -9,14 +9,12 @@ const_assert!(KEY_LEN == hash_domain::KEY_LEN);
 
 /// Authenticated encryption with associated data
 pub mod aead {
-    pub use rosenpass_sodium::aead::chacha20poly1305_ietf::{
-        decrypt, encrypt, KEY_LEN, NONCE_LEN, TAG_LEN,
-    };
+    pub use crate::subtle::chacha20poly1305_ietf::{decrypt, encrypt, KEY_LEN, NONCE_LEN, TAG_LEN};
 }
 
 /// Authenticated encryption with associated data with a constant nonce
 pub mod xaead {
-    pub use rosenpass_sodium::aead::xchacha20poly1305_ietf::{
+    pub use crate::subtle::xchacha20poly1305_ietf::{
         decrypt, encrypt, KEY_LEN, NONCE_LEN, TAG_LEN,
     };
 }

ciphers/src/subtle/blake2b.rs

@@ -0,0 +1,42 @@
+use zeroize::Zeroizing;
+
+use blake2::digest::crypto_common::generic_array::GenericArray;
+use blake2::digest::crypto_common::typenum::U32;
+use blake2::digest::crypto_common::KeySizeUser;
+use blake2::digest::{FixedOutput, Mac, OutputSizeUser};
+use blake2::Blake2bMac;
+
+use rosenpass_to::{ops::copy_slice, with_destination, To};
+use rosenpass_util::typenum2const;
+
+type Impl = Blake2bMac<U32>;
+
+type KeyLen = <Impl as KeySizeUser>::KeySize;
+type OutLen = <Impl as OutputSizeUser>::OutputSize;
+
+const KEY_LEN: usize = typenum2const! { KeyLen };
+const OUT_LEN: usize = typenum2const! { OutLen };
+
+pub const KEY_MIN: usize = KEY_LEN;
+pub const KEY_MAX: usize = KEY_LEN;
+pub const OUT_MIN: usize = OUT_LEN;
+pub const OUT_MAX: usize = OUT_LEN;
+
+#[inline]
+pub fn hash<'a>(key: &'a [u8], data: &'a [u8]) -> impl To<[u8], anyhow::Result<()>> + 'a {
+    with_destination(|out: &mut [u8]| {
+        let mut h = Impl::new_from_slice(key)?;
+        h.update(data);
+
+        // Jesus christ, blake2 crate, your usage of GenericArray might be nice and fancy
+        // but it introduces a ton of complexity. This cost me half an hour just to figure
+        // out the right way to use the imports while allowing for zeroization.
+        // An API based on slices might actually be simpler.
+        let mut tmp = Zeroizing::new([0u8; OUT_LEN]);
+        let mut tmp = GenericArray::from_mut_slice(tmp.as_mut());
+        h.finalize_into(&mut tmp);
+        copy_slice(tmp.as_ref()).to(out);
+
+        Ok(())
+    })
+}

ciphers/src/subtle/chacha20poly1305_ietf.rs

@@ -0,0 +1,43 @@
+use rosenpass_to::ops::copy_slice;
+use rosenpass_to::To;
+use rosenpass_util::typenum2const;
+
+use chacha20poly1305::aead::generic_array::GenericArray;
+use chacha20poly1305::ChaCha20Poly1305 as AeadImpl;
+use chacha20poly1305::{AeadCore, AeadInPlace, KeyInit, KeySizeUser};
+
+pub const KEY_LEN: usize = typenum2const! { <AeadImpl as KeySizeUser>::KeySize };
+pub const TAG_LEN: usize = typenum2const! { <AeadImpl as AeadCore>::TagSize };
+pub const NONCE_LEN: usize = typenum2const! { <AeadImpl as AeadCore>::NonceSize };
+
+#[inline]
+pub fn encrypt(
+    ciphertext: &mut [u8],
+    key: &[u8],
+    nonce: &[u8],
+    ad: &[u8],
+    plaintext: &[u8],
+) -> anyhow::Result<()> {
+    let nonce = GenericArray::from_slice(nonce);
+    let (ct, mac) = ciphertext.split_at_mut(ciphertext.len() - TAG_LEN);
+    copy_slice(plaintext).to(ct);
+    let mac_value = AeadImpl::new_from_slice(key)?.encrypt_in_place_detached(&nonce, ad, ct)?;
+    copy_slice(&mac_value[..]).to(mac);
+    Ok(())
+}
+
+#[inline]
+pub fn decrypt(
+    plaintext: &mut [u8],
+    key: &[u8],
+    nonce: &[u8],
+    ad: &[u8],
+    ciphertext: &[u8],
+) -> anyhow::Result<()> {
+    let nonce = GenericArray::from_slice(nonce);
+    let (ct, mac) = ciphertext.split_at(ciphertext.len() - TAG_LEN);
+    let tag = GenericArray::from_slice(mac);
+    copy_slice(ct).to(plaintext);
+    AeadImpl::new_from_slice(key)?.decrypt_in_place_detached(&nonce, ad, plaintext, tag)?;
+    Ok(())
+}

ciphers/src/subtle/incorrect_hmac_blake2b.rs

@@ -1,9 +1,11 @@
 use anyhow::ensure;
-use rosenpass_constant_time::xor;
-use rosenpass_sodium::hash::blake2b;
-use rosenpass_to::{ops::copy_slice, with_destination, To};
 use zeroize::Zeroizing;
 
+use rosenpass_constant_time::xor;
+use rosenpass_to::{ops::copy_slice, with_destination, To};
+
+use crate::subtle::blake2b;
+
 pub const KEY_LEN: usize = 32;
 pub const KEY_MIN: usize = KEY_LEN;
 pub const KEY_MAX: usize = KEY_LEN;

ciphers/src/subtle/mod.rs

@@ -1 +1,4 @@
+pub mod blake2b;
+pub mod chacha20poly1305_ietf;
 pub mod incorrect_hmac_blake2b;
+pub mod xchacha20poly1305_ietf;

ciphers/src/subtle/xchacha20poly1305_ietf.rs

@@ -0,0 +1,45 @@
+use rosenpass_to::ops::copy_slice;
+use rosenpass_to::To;
+use rosenpass_util::typenum2const;
+
+use chacha20poly1305::aead::generic_array::GenericArray;
+use chacha20poly1305::XChaCha20Poly1305 as AeadImpl;
+use chacha20poly1305::{AeadCore, AeadInPlace, KeyInit, KeySizeUser};
+
+pub const KEY_LEN: usize = typenum2const! { <AeadImpl as KeySizeUser>::KeySize };
+pub const TAG_LEN: usize = typenum2const! { <AeadImpl as AeadCore>::TagSize };
+pub const NONCE_LEN: usize = typenum2const! { <AeadImpl as AeadCore>::NonceSize };
+
+#[inline]
+pub fn encrypt(
+    ciphertext: &mut [u8],
+    key: &[u8],
+    nonce: &[u8],
+    ad: &[u8],
+    plaintext: &[u8],
+) -> anyhow::Result<()> {
+    let nonce = GenericArray::from_slice(nonce);
+    let (n, ct_mac) = ciphertext.split_at_mut(NONCE_LEN);
+    let (ct, mac) = ct_mac.split_at_mut(ct_mac.len() - TAG_LEN);
+    copy_slice(nonce).to(n);
+    copy_slice(plaintext).to(ct);
+    let mac_value = AeadImpl::new_from_slice(key)?.encrypt_in_place_detached(&nonce, ad, ct)?;
+    copy_slice(&mac_value[..]).to(mac);
+    Ok(())
+}
+
+#[inline]
+pub fn decrypt(
+    plaintext: &mut [u8],
+    key: &[u8],
+    ad: &[u8],
+    ciphertext: &[u8],
+) -> anyhow::Result<()> {
+    let (n, ct_mac) = ciphertext.split_at(NONCE_LEN);
+    let (ct, mac) = ct_mac.split_at(ct_mac.len() - TAG_LEN);
+    let nonce = GenericArray::from_slice(n);
+    let tag = GenericArray::from_slice(mac);
+    copy_slice(ct).to(plaintext);
+    AeadImpl::new_from_slice(key)?.decrypt_in_place_detached(&nonce, ad, plaintext, tag)?;
+    Ok(())
+}

constant-time/src/lib.rs

@@ -1,3 +1,5 @@
+use core::hint::black_box;
+
 use rosenpass_to::{with_destination, To};
 
 /// Xors the source into the destination
@@ -16,11 +18,61 @@ use rosenpass_to::{with_destination, To};
 ///
 /// If source and destination are of different sizes.
 #[inline]
-pub fn xor<'a>(src: &'a [u8]) -> impl To<[u8], ()> + 'a {
+pub fn xor(src: &[u8]) -> impl To<[u8], ()> + '_ {
     with_destination(|dst: &mut [u8]| {
-        assert!(src.len() == dst.len());
+        assert!(black_box(src.len()) == black_box(dst.len()));
         for (dv, sv) in dst.iter_mut().zip(src.iter()) {
-            *dv ^= *sv;
+            *black_box(dv) ^= black_box(*sv);
         }
     })
 }
+
+#[inline]
+pub fn memcmp(a: &[u8], b: &[u8]) -> bool {
+    a == b
+}
+
+#[inline]
+pub fn compare(a: &[u8], b: &[u8]) -> i32 {
+    assert!(a.len() == b.len());
+    a.cmp(b) as i32
+}
+
+/// Interpret the given slice as a little-endian unsigned integer
+/// and increment that integer.
+///
+/// # Examples
+///
+/// ```
+/// use rosenpass_constant_time::increment as inc;
+/// use rosenpass_to::To;
+///
+/// fn testcase(v: &[u8], correct: &[u8]) {
+///   let mut v = v.to_owned();
+///   inc(&mut v);
+///   assert_eq!(&v, correct);
+/// }
+///
+/// testcase(b"", b"");
+/// testcase(b"\x00", b"\x01");
+/// testcase(b"\x01", b"\x02");
+/// testcase(b"\xfe", b"\xff");
+/// testcase(b"\xff", b"\x00");
+/// testcase(b"\x00\x00", b"\x01\x00");
+/// testcase(b"\x01\x00", b"\x02\x00");
+/// testcase(b"\xfe\x00", b"\xff\x00");
+/// testcase(b"\xff\x00", b"\x00\x01");
+/// testcase(b"\x00\x00\x00\x00\x00\x00", b"\x01\x00\x00\x00\x00\x00");
+/// testcase(b"\x00\xa3\x00\x77\x00\x00", b"\x01\xa3\x00\x77\x00\x00");
+/// testcase(b"\xff\xa3\x00\x77\x00\x00", b"\x00\xa4\x00\x77\x00\x00");
+/// testcase(b"\xff\xff\xff\x77\x00\x00", b"\x00\x00\x00\x78\x00\x00");
+/// ```
+#[inline]
+pub fn increment(v: &mut [u8]) {
+    let mut carry = 1u8;
+    for val in v.iter_mut() {
+        let (v, c) = black_box(*val).overflowing_add(black_box(carry));
+        *black_box(val) = v;
+        *black_box(&mut carry) = black_box(black_box(c) as u8);
+    }
+}

doc/rosenpass.1

@@ -23,7 +23,7 @@ If you are not specifically tasked with developing post-quantum secure systems,
 you probably do not need this tool.
 .Ss COMMANDS
 .Bl -tag -width Ds
-.It Ar keygen private-key <file-path> public-key <file-path>
+.It Ar gen-keys --secret-key <file-path> --public-key <file-path>
 Generate a keypair to use in the exchange command later.
 Send the public-key file to your communication partner and keep the private-key
 file secret!

flake.nix

@@ -291,7 +291,6 @@
               ];
               buildPhase = ''
                 export HOME=$(mktemp -d)
-                export OSFONTDIR="$(kpsewhich --var-value TEXMF)/fonts/{opentype/public/nunito,truetype/google/noto}"
                 latexmk -r tex/CI.rc
               '';
               installPhase = ''

format_rust_code.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+
+# Parse command line options
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --mode)
+            mode="$2"
+            shift 2
+            ;;
+        *)
+            echo "Unknown option: $1"
+            exit 1
+            ;;
+    esac
+done
+
+# Check if mode is specified
+if [ -z "$mode" ]; then
+    echo "Please specify the mode using --mode option. Valid modes are 'check' and 'fix'."
+    exit 1
+fi
+
+# Find all Markdown files in the current directory and its subdirectories
+mapfile -t md_files < <(find . -type f -name "*.md")
+
+count=0
+# Iterate through each Markdown file
+for file in "${md_files[@]}"; do
+    # Use awk to extract Rust code blocks enclosed within triple backticks
+    rust_code_blocks=$(awk '/```rust/{flag=1; next}/```/{flag=0} flag' "$file")
+
+    # Count the number of Rust code blocks
+    num_fences=$(awk '/```rust/{f=1} f{if(/```/){f=0; count++}} END{print count}' "$file")
+
+    if [ -n "$rust_code_blocks" ]; then
+        echo "Processing Rust code in $file"
+        # Iterate through each Rust code block
+        for ((i=1; i <= num_fences ; i++)); do
+            # Extract individual Rust code block using awk
+            current_rust_block=$(awk -v i="$i" '/```rust/{f=1; if (++count == i) next} f&&/```/{f=0;next} f' "$file")
+            # Variable to check if we have added the main function
+            add_main=0  
+            # Check if the Rust code block is already inside a function
+            if ! echo "$current_rust_block" | grep -q "fn main()"; then
+                # If not, wrap it in a main function
+                current_rust_block=$'fn main() {\n'"$current_rust_block"$'\n}'
+                add_main=1
+            fi
+            if [ "$mode" == "check" ]; then
+                # Apply changes to the Rust code block
+                formatted_rust_code=$(echo "$current_rust_block" | rustfmt)
+                # Use rustfmt to format the Rust code block, remove first and last lines, and remove the first 4 spaces if added  main function
+                if [ "$add_main" == 1 ]; then
+                    formatted_rust_code=$(echo "$formatted_rust_code" | sed '1d;$d' | sed 's/^    //')
+                    current_rust_block=$(echo "$current_rust_block" | sed '1d;')
+                    current_rust_block=$(echo "$current_rust_block" | sed '$d')
+                fi
+                if [ "$formatted_rust_code" == "$current_rust_block" ]; then
+                    echo "No changes needed in Rust code block $i in $file"
+                else
+                    echo -e "\nChanges needed in Rust code block $i in $file:\n"
+                    echo "$formatted_rust_code"
+                    count=+1
+                fi
+
+            elif [ "$mode" == "fix" ]; then
+                # Replace current_rust_block with formatted_rust_code in the file
+                formatted_rust_code=$(echo "$current_rust_block" | rustfmt)
+                # Use rustfmt to format the Rust code block, remove first and last lines, and remove the first 4 spaces if added  main function
+                if [ "$add_main" == 1 ]; then
+                    formatted_rust_code=$(echo "$formatted_rust_code" | sed '1d;$d' | sed 's/^    //')
+                    current_rust_block=$(echo "$current_rust_block" | sed '1d;')
+                    current_rust_block=$(echo "$current_rust_block" | sed '$d')
+                fi
+                # Check if the formatted code is the same as the current Rust code block
+                if [ "$formatted_rust_code" == "$current_rust_block" ]; then
+                    echo "No changes needed in Rust code block $i in $file"
+                else
+                    echo "Formatting Rust code block $i in $file"
+                    # Replace current_rust_block with formatted_rust_code in the file
+                    # Use awk to find the line number of the pattern
+
+                    start_line=$(grep -n "^\`\`\`rust" "$file" | sed -n "${i}p" | cut -d: -f1)
+                    end_line=$(grep -n "^\`\`\`" "$file" | awk -F: -v start_line="$start_line" '$1 > start_line {print $1; exit;}')
+
+                    if [ -n "$start_line" ] && [ -n "$end_line" ]; then
+                        # Print lines before the Rust code block
+                        head -n "$((start_line - 1))" "$file"
+
+                        # Print the formatted Rust code block
+                        echo "\`\`\`rust"
+                        echo "$formatted_rust_code"
+                        echo "\`\`\`"
+
+                        # Print lines after the Rust code block
+                        tail -n +"$((end_line + 1))" "$file"
+                    else
+                        # Rust code block not found or end line not found
+                        cat "$file"
+                    fi > tmpfile && mv tmpfile "$file"
+
+                fi
+            else  
+                echo "Unknown mode: $mode. Valid modes are 'check' and 'fix'."
+                exit 1
+            fi
+        done
+    fi
+done
+
+# CI failure if changes are needed
+if [ $count -gt 0 ]; then
+    echo "CI failed: Changes needed in Rust code blocks."
+    exit 1
+fi

fuzz/Cargo.toml

@@ -12,7 +12,6 @@ arbitrary = { workspace = true }
 libfuzzer-sys = { workspace = true }
 stacker = { workspace = true }
 rosenpass-secret-memory = { workspace = true }
-rosenpass-sodium = { workspace = true }
 rosenpass-ciphers = { workspace = true }
 rosenpass-cipher-traits = { workspace = true }
 rosenpass-to = { workspace = true }
@@ -49,13 +48,13 @@ test = false
 doc = false
 
 [[bin]]
-name = "fuzz_box_sodium_alloc"
-path = "fuzz_targets/box_sodium_alloc.rs"
+name = "fuzz_box_secret_alloc"
+path = "fuzz_targets/box_secret_alloc.rs"
 test = false
 doc = false
 
 [[bin]]
-name = "fuzz_vec_sodium_alloc"
-path = "fuzz_targets/vec_sodium_alloc.rs"
+name = "fuzz_vec_secret_alloc"
+path = "fuzz_targets/vec_secret_alloc.rs"
 test = false
 doc = false

fuzz/fuzz_targets/aead_enc_into.rs

@@ -5,7 +5,6 @@ extern crate rosenpass;
 use libfuzzer_sys::fuzz_target;
 
 use rosenpass_ciphers::aead;
-use rosenpass_sodium::init as sodium_init;
 
 #[derive(arbitrary::Arbitrary, Debug)]
 pub struct Input {
@@ -16,8 +15,6 @@ pub struct Input {
 }
 
 fuzz_target!(|input: Input| {
-    sodium_init().unwrap();
-
     let mut ciphertext: Vec<u8> = Vec::with_capacity(input.plaintext.len() + 16);
     ciphertext.resize(input.plaintext.len() + 16, 0);
 

fuzz/fuzz_targets/blake2b.rs

@@ -4,7 +4,7 @@ extern crate rosenpass;
 
 use libfuzzer_sys::fuzz_target;
 
-use rosenpass_sodium::{hash::blake2b, init as sodium_init};
+use rosenpass_ciphers::subtle::blake2b;
 use rosenpass_to::To;
 
 #[derive(arbitrary::Arbitrary, Debug)]
@@ -14,8 +14,6 @@ pub struct Blake2b {
 }
 
 fuzz_target!(|input: Blake2b| {
-    sodium_init().unwrap();
-
     let mut out = [0u8; 32];
 
     blake2b::hash(&input.key, &input.data).to(&mut out).unwrap();

fuzz/fuzz_targets/box_secret_alloc.rs

@@ -0,0 +1,8 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use rosenpass_secret_memory::alloc::secret_box;
+
+fuzz_target!(|data: &[u8]| {
+    let _ = secret_box(data);
+});

fuzz/fuzz_targets/box_sodium_alloc.rs

@@ -1,12 +0,0 @@
-#![no_main]
-
-use libfuzzer_sys::fuzz_target;
-use rosenpass_sodium::{
-    alloc::{Alloc as SodiumAlloc, Box as SodiumBox},
-    init,
-};
-
-fuzz_target!(|data: &[u8]| {
-    let _ = init();
-    let _ = SodiumBox::new_in(data, SodiumAlloc::new());
-});

fuzz/fuzz_targets/handle_msg.rs

@@ -5,11 +5,8 @@ use libfuzzer_sys::fuzz_target;
 
 use rosenpass::protocol::CryptoServer;
 use rosenpass_secret_memory::Secret;
-use rosenpass_sodium::init as sodium_init;
 
 fuzz_target!(|rx_buf: &[u8]| {
-    sodium_init().unwrap();
-
     let sk = Secret::from_slice(&[0; 13568]);
     let pk = Secret::from_slice(&[0; 524160]);
 

fuzz/fuzz_targets/vec_secret_alloc.rs

@@ -0,0 +1,9 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use rosenpass_secret_memory::alloc::secret_vec;
+
+fuzz_target!(|data: &[u8]| {
+    let mut vec = secret_vec();
+    vec.extend_from_slice(data);
+});

fuzz/fuzz_targets/vec_sodium_alloc.rs

@@ -1,13 +0,0 @@
-#![no_main]
-
-use libfuzzer_sys::fuzz_target;
-use rosenpass_sodium::{
-    alloc::{Alloc as SodiumAlloc, Vec as SodiumVec},
-    init,
-};
-
-fuzz_target!(|data: &[u8]| {
-    let _ = init();
-    let mut vec = SodiumVec::new_in(SodiumAlloc::new());
-    vec.extend_from_slice(data);
-});

rosenpass/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "rosenpass"
+description = "Build post-quantum-secure VPNs with WireGuard!"
 version = "0.2.1"
 authors = ["Karolin Varner <karo@cupdev.net>", "wucke13 <wucke13@gmail.com>"]
 edition = "2021"
 license = "MIT OR Apache-2.0"
-description = "Build post-quantum-secure VPNs with WireGuard!"
 homepage = "https://rosenpass.eu/"
 repository = "https://github.com/rosenpass/rosenpass"
 readme = "readme.md"
@@ -16,16 +16,15 @@ harness = false
 [dependencies]
 rosenpass-util = { workspace = true }
 rosenpass-constant-time = { workspace = true }
-rosenpass-sodium = { workspace = true }
 rosenpass-ciphers = { workspace = true }
 rosenpass-cipher-traits = { workspace = true }
 rosenpass-to = { workspace = true }
 rosenpass-secret-memory = { workspace = true }
 rosenpass-lenses = { workspace = true }
+rosenpass-wireguard-broker = { workspace = true }
 anyhow = { workspace = true }
 static_assertions = { workspace = true }
 memoffset = { workspace = true }
-libsodium-sys-stable = { workspace = true }
 thiserror = { workspace = true }
 paste = { workspace = true }
 log = { workspace = true }
@@ -36,6 +35,9 @@ clap = { workspace = true }
 mio = { workspace = true }
 rand = { workspace = true }
 
+[target.'cfg(target_os = "hermit")'.dependencies]
+hermit = { version = "0.8", features = ["pci", "pci-ids", "acpi", "fsgsbase", "tcp", "rtl8139"]}
+
 [build-dependencies]
 anyhow = { workspace = true }
 

rosenpass/benches/handshake.rs

@@ -1,10 +1,8 @@
 use anyhow::Result;
-use rosenpass::pqkem::KEM;
-use rosenpass::{
-    pqkem::StaticKEM,
-    protocol::{CryptoServer, HandleMsgResult, MsgBuf, PeerPtr, SPk, SSk, SymKey},
-    sodium::sodium_init,
-};
+use rosenpass::protocol::{CryptoServer, HandleMsgResult, MsgBuf, PeerPtr, SPk, SSk, SymKey};
+
+use rosenpass_cipher_traits::Kem;
+use rosenpass_ciphers::kem::StaticKem;
 
 use criterion::{black_box, criterion_group, criterion_main, Criterion};
 
@@ -41,7 +39,7 @@ fn hs(ini: &mut CryptoServer, res: &mut CryptoServer) -> Result<()> {
 
 fn keygen() -> Result<(SSk, SPk)> {
     let (mut sk, mut pk) = (SSk::zero(), SPk::zero());
-    StaticKEM::keygen(sk.secret_mut(), pk.secret_mut())?;
+    StaticKem::keygen(sk.secret_mut(), pk.secret_mut())?;
     Ok((sk, pk))
 }
 
@@ -58,7 +56,6 @@ fn make_server_pair() -> Result<(CryptoServer, CryptoServer)> {
 }
 
 fn criterion_benchmark(c: &mut Criterion) {
-    sodium_init().unwrap();
     let (mut a, mut b) = make_server_pair().unwrap();
     c.bench_function("cca_secret_alloc", |bench| {
         bench.iter(|| {

rosenpass/src/app_server.rs

@@ -1,38 +1,25 @@
-use anyhow::bail;
-
-use anyhow::Result;
-use log::{debug, error, info, warn};
-use mio::Interest;
-use mio::Token;
-use rosenpass_util::file::fopen_w;
-
-use std::cell::Cell;
-use std::io::Write;
-
-use std::io::ErrorKind;
-use std::net::Ipv4Addr;
-use std::net::Ipv6Addr;
-use std::net::SocketAddr;
-use std::net::SocketAddrV4;
-use std::net::SocketAddrV6;
-use std::net::ToSocketAddrs;
+use std::cell::{Cell, RefCell};
+use std::io::{ErrorKind, Write};
+use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6, ToSocketAddrs, TcpStream};
 use std::path::PathBuf;
-use std::process::Command;
-use std::process::Stdio;
 use std::slice;
-use std::thread;
 use std::time::Duration;
 
-use crate::{
-    config::Verbosity,
-    protocol::{CryptoServer, MsgBuf, PeerPtr, SPk, SSk, SymKey, Timing},
-};
-use rosenpass_util::attempt;
+use anyhow::{bail, Result};
+use log::{error, info, warn};
+use mio::{Interest, Token};
+
+use rosenpass_secret_memory::Public;
 use rosenpass_util::b64::{b64_writer, fmt_b64};
+use rosenpass_util::{attempt, file::fopen_w};
+use rosenpass_wireguard_broker::api::mio_client::MioBrokerClient as PskBroker;
+use rosenpass_wireguard_broker::WireGuardBroker;
+
+use crate::config::Verbosity;
+use crate::protocol::{CryptoServer, MsgBuf, PeerPtr, SPk, SSk, SymKey, Timing};
 
 const IPV4_ANY_ADDR: Ipv4Addr = Ipv4Addr::new(0, 0, 0, 0);
 const IPV6_ANY_ADDR: Ipv6Addr = Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0);
-
 fn ipv4_any_binding() -> SocketAddr {
     // addr, port
     SocketAddr::V4(SocketAddrV4::new(IPV4_ANY_ADDR, 0))
@@ -43,6 +30,19 @@ fn ipv6_any_binding() -> SocketAddr {
     SocketAddr::V6(SocketAddrV6::new(IPV6_ANY_ADDR, 0, 0, 0))
 }
 
+#[derive(Default)]
+struct MioTokenDispenser {
+    counter: usize,
+}
+
+impl MioTokenDispenser {
+    fn get_token(&mut self) -> Token {
+        let r = self.counter;
+        self.counter += 1;
+        Token(r)
+    }
+}
+
 #[derive(Default, Debug)]
 pub struct AppPeer {
     pub outfile: Option<PathBuf>,
@@ -59,14 +59,24 @@ impl AppPeer {
     }
 }
 
-#[derive(Default, Debug)]
+#[derive(Debug)]
 pub struct WireguardOut {
     // impl KeyOutput
     pub dev: String,
-    pub pk: String,
+    pub pk: Public<32>,
     pub extra_params: Vec<String>,
 }
 
+impl Default for WireguardOut {
+    fn default() -> Self {
+        Self {
+            dev: Default::default(),
+            pk: Public::zero(),
+            extra_params: Default::default(),
+        }
+    }
+}
+
 /// Holds the state of the application, namely the external IO
 ///
 /// Responsible for file IO, network IO
@@ -77,6 +87,7 @@ pub struct AppServer {
     pub sockets: Vec<mio::net::UdpSocket>,
     pub events: mio::Events,
     pub mio_poll: mio::Poll,
+    pub psk_broker: RefCell<PskBroker>,
     pub peers: Vec<AppPeer>,
     pub verbosity: Verbosity,
     pub all_sockets_drained: bool,
@@ -341,11 +352,24 @@ impl AppServer {
         sk: SSk,
         pk: SPk,
         addrs: Vec<SocketAddr>,
+        psk_broker_socket: TcpStream,
         verbosity: Verbosity,
     ) -> anyhow::Result<Self> {
         // setup mio
         let mio_poll = mio::Poll::new()?;
         let events = mio::Events::with_capacity(8);
+        let mut dispenser = MioTokenDispenser::default();
+
+        // Create the Wireguard broker connection
+        let psk_broker = {
+            let mut sock = mio::net::TcpStream::from_std(psk_broker_socket);
+            mio_poll.registry().register(
+                &mut sock,
+                dispenser.get_token(),
+                Interest::READABLE | Interest::WRITABLE,
+            )?;
+            PskBroker::new(sock)
+        };
 
         // bind each SocketAddr to a socket
         let maybe_sockets: Result<Vec<_>, _> =
@@ -430,6 +454,7 @@ impl AppServer {
         Ok(Self {
             crypt: CryptoServer::new(sk, pk),
             peers: Vec::new(),
+            psk_broker: RefCell::new(psk_broker),
             verbosity,
             sockets,
             events,
@@ -624,31 +649,9 @@ impl AppServer {
         }
 
         if let Some(owg) = ap.outwg.as_ref() {
-            let mut child = Command::new("wg")
-                .arg("set")
-                .arg(&owg.dev)
-                .arg("peer")
-                .arg(&owg.pk)
-                .arg("preshared-key")
-                .arg("/dev/stdin")
-                .stdin(Stdio::piped())
-                .args(&owg.extra_params)
-                .spawn()?;
-            b64_writer(child.stdin.take().unwrap()).write_all(key.secret())?;
-
-            thread::spawn(move || {
-                let status = child.wait();
-
-                if let Ok(status) = status {
-                    if status.success() {
-                        debug!("successfully passed psk to wg")
-                    } else {
-                        error!("could not pass psk to wg {:?}", status)
-                    }
-                } else {
-                    error!("wait failed: {:?}", status)
-                }
-            });
+            self.psk_broker
+                .borrow_mut()
+                .set_psk(&owg.dev, owg.pk.value, *key.secret())?;
         }
 
         Ok(())
@@ -706,9 +709,16 @@ impl AppServer {
 
         // only poll if we drained all sockets before
         if self.all_sockets_drained {
-            self.mio_poll.poll(&mut self.events, Some(timeout))?;
+            self.mio_poll
+                .poll(&mut self.events, Some(timeout))
+                .or_else(|e| match e.kind() {
+                    ErrorKind::Interrupted | ErrorKind::WouldBlock => Ok(()),
+                    _ => Err(e),
+                })?;
         }
 
+        self.psk_broker.get_mut().poll()?;
+
         let mut would_block_count = 0;
         for (sock_no, socket) in self.sockets.iter_mut().enumerate() {
             match socket.recv_from(buf) {

rosenpass/src/cli.rs

@@ -1,10 +1,16 @@
-use anyhow::{bail, ensure};
+use std::io::{BufReader, Read};
+use std::net::TcpStream;
+use std::path::PathBuf;
+
+use anyhow::{bail, ensure, Context};
 use clap::Parser;
+
 use rosenpass_cipher_traits::Kem;
 use rosenpass_ciphers::kem::StaticKem;
 use rosenpass_secret_memory::file::StoreSecret;
+use rosenpass_secret_memory::Public;
+use rosenpass_util::b64::b64_reader;
 use rosenpass_util::file::{LoadValue, LoadValueB64};
-use std::path::PathBuf;
 
 use crate::app_server;
 use crate::app_server::AppServer;
@@ -62,6 +68,7 @@ pub enum Cli {
         config_file: PathBuf,
 
         /// Forcefully overwrite existing config file
+        /// - [ ] Janepie
         #[clap(short, long)]
         force: bool,
     },
@@ -87,6 +94,15 @@ pub enum Cli {
         force: bool,
     },
 
+    /// Deprecated - use gen-keys instead
+    #[allow(rustdoc::broken_intra_doc_links)]
+    #[allow(rustdoc::invalid_html_tags)]
+    Keygen {
+        // NOTE yes, the legacy keygen argument initially really accepted "privet-key", not "secret-key"!
+        /// public-key <PATH> private-key <PATH>
+        args: Vec<String>,
+    },
+
     /// Validate a configuration
     Validate { config_files: Vec<PathBuf> },
 
@@ -119,6 +135,40 @@ impl Cli {
                 config::Rosenpass::example_config().store(config_file)?;
             }
 
+            // Deprecated - use gen-keys instead
+            Keygen { args } => {
+                log::warn!("The 'keygen' command is deprecated. Please use the 'gen-keys' command instead.");
+
+                let mut public_key: Option<PathBuf> = None;
+                let mut secret_key: Option<PathBuf> = None;
+
+                // Manual arg parsing, since clap wants to prefix flags with "--"
+                let mut args = args.into_iter();
+                loop {
+                    match (args.next().as_deref(), args.next()) {
+                        (Some("private-key"), Some(opt)) | (Some("secret-key"), Some(opt)) => {
+                            secret_key = Some(opt.into());
+                        }
+                        (Some("public-key"), Some(opt)) => {
+                            public_key = Some(opt.into());
+                        }
+                        (Some(flag), _) => {
+                            bail!("Unknown option `{}`", flag);
+                        }
+                        (_, _) => break,
+                    };
+                }
+
+                if secret_key.is_none() {
+                    bail!("private-key is required");
+                }
+                if public_key.is_none() {
+                    bail!("public-key is required");
+                }
+
+                generate_and_save_keypair(secret_key.unwrap(), public_key.unwrap())?;
+            }
+
             GenKeys {
                 config_file,
                 public_key,
@@ -160,12 +210,7 @@ impl Cli {
                 }
 
                 // generate the keys and store them in files
-                let mut ssk = crate::protocol::SSk::random();
-                let mut spk = crate::protocol::SPk::random();
-                StaticKem::keygen(ssk.secret_mut(), spk.secret_mut())?;
-
-                ssk.store_secret(skf)?;
-                spk.store_secret(pkf)?;
+                generate_and_save_keypair(skf, pkf)?;
             }
 
             ExchangeConfig { config_file } => {
@@ -220,11 +265,14 @@ impl Cli {
         let sk = SSk::load(&config.secret_key)?;
         let pk = SPk::load(&config.public_key)?;
 
+        // Spawn the psk broker and use socketpair(2) to connect with them
+        let psk_broker_socket = TcpStream::connect("127.0.0.1:8001")?;
         // start an application server
         let mut srv = std::boxed::Box::<AppServer>::new(AppServer::new(
             sk,
             pk,
             config.listen,
+            psk_broker_socket,
             config.verbosity,
         )?);
 
@@ -234,11 +282,24 @@ impl Cli {
                 cfg_peer.pre_shared_key.map(SymKey::load_b64).transpose()?,
                 SPk::load(&cfg_peer.public_key)?,
                 cfg_peer.key_out,
-                cfg_peer.wg.map(|cfg| app_server::WireguardOut {
-                    dev: cfg.device,
-                    pk: cfg.peer,
-                    extra_params: cfg.extra_params,
-                }),
+                cfg_peer
+                    .wg
+                    .map(|cfg| -> anyhow::Result<_> {
+                        let b64pk = &cfg.peer;
+                        let mut pk = Public::zero();
+                        b64_reader(BufReader::new(b64pk.as_bytes()))
+                            .read_exact(&mut pk.value)
+                            .with_context(|| {
+                                format!("Could not decode base64 public key: '{b64pk}'")
+                            })?;
+
+                        Ok(app_server::WireguardOut {
+                            pk,
+                            dev: cfg.device,
+                            extra_params: cfg.extra_params,
+                        })
+                    })
+                    .transpose()?,
                 cfg_peer.endpoint.clone(),
             )?;
         }
@@ -246,3 +307,12 @@ impl Cli {
         srv.event_loop()
     }
 }
+
+/// generate secret and public keys, store in files according to the paths passed as arguments
+fn generate_and_save_keypair(secret_key: PathBuf, public_key: PathBuf) -> anyhow::Result<()> {
+    let mut ssk = crate::protocol::SSk::random();
+    let mut spk = crate::protocol::SPk::random();
+    StaticKem::keygen(ssk.secret_mut(), spk.secret_mut())?;
+    ssk.store_secret(secret_key)?;
+    spk.store_secret(public_key)
+}

rosenpass/src/config.rs

@@ -374,7 +374,7 @@ mod test {
     use super::*;
 
     fn split_str(s: &str) -> Vec<String> {
-        s.split(" ").map(|s| s.to_string()).collect()
+        s.split(' ').map(|s| s.to_string()).collect()
     }
 
     #[test]

rosenpass/src/main.rs

@@ -1,18 +1,16 @@
 use log::error;
 use rosenpass::cli::Cli;
-use rosenpass_util::attempt;
 use std::process::exit;
 
+#[cfg(target_os = "hermit")]
+use hermit as _;
+
 /// Catches errors, prints them through the logger, then exits
 pub fn main() {
-    env_logger::init();
+    // default to displaying warning and error log messages only
+    env_logger::Builder::from_env(env_logger::Env::default().default_filter_or("warn")).init();
 
-    let res = attempt!({
-        rosenpass_sodium::init()?;
-        Cli::run()
-    });
-
-    match res {
+    match Cli::run() {
         Ok(_) => {}
         Err(e) => {
             error!("{e}");

rosenpass/src/protocol.rs

@@ -26,9 +26,6 @@
 //! };
 //! # fn main() -> anyhow::Result<()> {
 //!
-//! // always initialize libsodium before anything
-//! rosenpass_sodium::init()?;
-//!
 //! // initialize secret and public key for peer a ...
 //! let (mut peer_a_sk, mut peer_a_pk) = (SSk::zero(), SPk::zero());
 //! StaticKem::keygen(peer_a_sk.secret_mut(), peer_a_pk.secret_mut())?;
@@ -68,21 +65,25 @@
 //! # }
 //! ```
 
-use crate::{hash_domains, msgs::*};
-use anyhow::{bail, ensure, Context, Result};
-use rosenpass_cipher_traits::Kem;
-use rosenpass_ciphers::hash_domain::{SecretHashDomain, SecretHashDomainNamespace};
-use rosenpass_ciphers::kem::{EphemeralKem, StaticKem};
-use rosenpass_ciphers::{aead, xaead, KEY_LEN};
-use rosenpass_lenses::LenseView;
-use rosenpass_secret_memory::{Public, Secret};
-use rosenpass_util::{cat, mem::cpy_min, ord::max_usize, time::Timebase};
 use std::collections::hash_map::{
     Entry::{Occupied, Vacant},
     HashMap,
 };
 use std::convert::Infallible;
 
+use anyhow::{bail, ensure, Context, Result};
+
+use rosenpass_cipher_traits::Kem;
+use rosenpass_ciphers::hash_domain::{SecretHashDomain, SecretHashDomainNamespace};
+use rosenpass_ciphers::kem::{EphemeralKem, StaticKem};
+use rosenpass_ciphers::{aead, xaead, KEY_LEN};
+use rosenpass_constant_time as constant_time;
+use rosenpass_lenses::LenseView;
+use rosenpass_secret_memory::{Public, Secret};
+use rosenpass_util::{cat, mem::cpy_min, ord::max_usize, time::Timebase};
+
+use crate::{hash_domains, msgs::*};
+
 // CONSTANTS & SETTINGS //////////////////////////
 
 /// Size required to fit any message in binary form
@@ -1193,7 +1194,7 @@ where
         let expected = hash_domains::mac()?
             .mix(srv.spkm.secret())?
             .mix(self.until_mac())?;
-        Ok(rosenpass_sodium::helpers::memcmp(
+        Ok(constant_time::memcmp(
             self.mac(),
             &expected.into_value()[..16],
         ))
@@ -1300,7 +1301,7 @@ impl HandshakeState {
             .into_value();
 
         // consume biscuit no
-        rosenpass_sodium::helpers::increment(&mut *srv.biscuit_ctr);
+        constant_time::increment(&mut *srv.biscuit_ctr);
 
         // The first bit of the nonce indicates which biscuit key was used
         // TODO: This is premature optimization. Remove!
@@ -1363,8 +1364,7 @@ impl HandshakeState {
         // indicates retransmission
         // TODO: Handle retransmissions without involving the crypto code
         ensure!(
-            rosenpass_sodium::helpers::compare(biscuit.biscuit_no(), &*peer.get(srv).biscuit_used)
-                >= 0,
+            constant_time::compare(biscuit.biscuit_no(), &*peer.get(srv).biscuit_used) >= 0,
             "Rejecting biscuit: Outdated biscuit number"
         );
 
@@ -1641,7 +1641,7 @@ impl CryptoServer {
         core.decrypt_and_mix(&mut [0u8; 0], ic.auth())?;
 
         // ICR5
-        if rosenpass_sodium::helpers::compare(&*biscuit_no, &*peer.get(self).biscuit_used) > 0 {
+        if constant_time::compare(&*biscuit_no, &*peer.get(self).biscuit_used) > 0 {
             // ICR6
             peer.get_mut(self).biscuit_used = biscuit_no;
 
@@ -1757,8 +1757,6 @@ mod test {
     /// Through all this, the handshake should still successfully terminate;
     /// i.e. an exchanged key must be produced in both servers.
     fn handles_incorrect_size_messages() {
-        rosenpass_sodium::init().unwrap();
-
         stacker::grow(8 * 1024 * 1024, || {
             const OVERSIZED_MESSAGE: usize = ((MAX_MESSAGE_LEN as f32) * 1.2) as usize;
             type MsgBufPlus = Public<OVERSIZED_MESSAGE>;
@@ -1770,14 +1768,10 @@ mod test {
 
             // Process the entire handshake
             let mut msglen = Some(me.initiate_handshake(PEER0, &mut *resbuf).unwrap());
-            loop {
-                if let Some(l) = msglen {
-                    std::mem::swap(&mut me, &mut they);
-                    std::mem::swap(&mut msgbuf, &mut resbuf);
-                    msglen = test_incorrect_sizes_for_msg(&mut me, &*msgbuf, l, &mut *resbuf);
-                } else {
-                    break;
-                }
+            while let Some(l) = msglen {
+                std::mem::swap(&mut me, &mut they);
+                std::mem::swap(&mut msgbuf, &mut resbuf);
+                msglen = test_incorrect_sizes_for_msg(&mut me, &*msgbuf, l, &mut *resbuf);
             }
 
             assert_eq!(
@@ -1804,8 +1798,8 @@ mod test {
             }
 
             let res = srv.handle_msg(&msgbuf[..l], resbuf);
-            assert!(matches!(res, Err(_))); // handle_msg should raise an error
-            assert!(!resbuf.iter().find(|x| **x != 0).is_some()); // resbuf should not have been changed
+            assert!(res.is_err()); // handle_msg should raise an error
+            assert!(!resbuf.iter().any(|x| *x != 0)); // resbuf should not have been changed
         }
 
         // Apply the proper handle_msg operation

rosenpass/tests/integration_test.rs

@@ -30,11 +30,8 @@ fn generate_keys() {
 
 fn find_udp_socket() -> u16 {
     for port in 1025..=u16::MAX {
-        match UdpSocket::bind(("127.0.0.1", port)) {
-            Ok(_) => {
-                return port;
-            }
-            _ => {}
+        if UdpSocket::bind(("127.0.0.1", port)).is_ok() {
+            return port;
         }
     }
     panic!("no free UDP port found");
@@ -54,9 +51,9 @@ fn check_exchange() {
     for (secret_key_path, pub_key_path) in secret_key_paths.iter().zip(public_key_paths.iter()) {
         let output = test_bin::get_test_bin(BIN)
             .args(["gen-keys", "--secret-key"])
-            .arg(&secret_key_path)
+            .arg(secret_key_path)
             .arg("--public-key")
-            .arg(&pub_key_path)
+            .arg(pub_key_path)
             .output()
             .expect("Failed to start {BIN}");
 

rust-toolchain.toml

@@ -0,0 +1,2 @@
+[toolchain]
+channel = "1.74.1"

secret-memory/Cargo.toml

@@ -12,9 +12,11 @@ readme = "readme.md"
 [dependencies]
 anyhow = { workspace = true }
 rosenpass-to = { workspace = true }
-rosenpass-sodium = { workspace = true }
 rosenpass-util = { workspace = true }
-libsodium-sys-stable = { workspace = true }
-lazy_static = { workspace = true }
 zeroize = { workspace = true }
 rand = { workspace = true }
+allocator-api2 = { workspace = true }
+log = { workspace = true }
+
+[dev-dependencies]
+allocator-api2-tests = { workspace = true }

secret-memory/src/alloc/memsec.rs

@@ -0,0 +1,86 @@
+use std::fmt;
+use std::ptr::NonNull;
+
+use allocator_api2::alloc::{AllocError, Allocator, Layout, Global};
+
+#[derive(Copy, Clone, Default)]
+struct MemsecAllocatorContents;
+
+/// Memory allocation using using the memsec crate
+#[derive(Copy, Clone, Default)]
+pub struct MemsecAllocator {
+    global: Global
+}
+
+/// A box backed by the memsec allocator
+pub type MemsecBox<T> = allocator_api2::boxed::Box<T, MemsecAllocator>;
+
+/// A vector backed by the memsec allocator
+pub type MemsecVec<T> = allocator_api2::vec::Vec<T, MemsecAllocator>;
+
+pub fn memsec_box<T>(x: T) -> MemsecBox<T> {
+    MemsecBox::<T>::new_in(x, MemsecAllocator::new())
+}
+
+pub fn memsec_vec<T>() -> MemsecVec<T> {
+    MemsecVec::<T>::new_in(MemsecAllocator::new())
+}
+
+impl MemsecAllocator {
+    pub fn new() -> Self {
+        Self {
+            global: Global
+        }
+    }
+}
+
+unsafe impl Allocator for MemsecAllocator {
+    fn allocate(&self, layout: Layout) -> Result<NonNull<[u8]>, AllocError> {
+        self.global.allocate(layout)
+    }
+
+    unsafe fn deallocate(&self, ptr: NonNull<u8>, _layout: Layout) {
+        unsafe { self.global.deallocate(ptr, _layout) }
+    }
+}
+
+impl fmt::Debug for MemsecAllocator {
+    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
+        fmt.write_str("<memsec based Rust allocator>")
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use allocator_api2_tests::make_test;
+
+    use super::*;
+
+    make_test! { test_sizes(MemsecAllocator::new()) }
+    make_test! { test_vec(MemsecAllocator::new()) }
+    make_test! { test_many_boxes(MemsecAllocator::new()) }
+
+    #[test]
+    fn memsec_allocation() {
+        let alloc = MemsecAllocator::new();
+        memsec_allocation_impl::<0>(&alloc);
+        memsec_allocation_impl::<7>(&alloc);
+        memsec_allocation_impl::<8>(&alloc);
+        memsec_allocation_impl::<64>(&alloc);
+        memsec_allocation_impl::<999>(&alloc);
+    }
+
+    fn memsec_allocation_impl<const N: usize>(alloc: &MemsecAllocator) {
+        let layout = Layout::new::<[u8; N]>();
+        let mem = alloc.allocate(layout).unwrap();
+
+        // https://libsodium.gitbook.io/doc/memory_management#guarded-heap-allocations
+        // promises us that allocated memory is initialized with the magic byte 0xDB
+        // and memsec promises to provide a reimplementation of the libsodium mechanism;
+        // it uses the magic value 0xD0 though
+        assert_eq!(unsafe { mem.as_ref() }, &[0xD0u8; N]);
+
+        let mem = NonNull::new(mem.as_ptr() as *mut u8).unwrap();
+        unsafe { alloc.deallocate(mem, layout) };
+    }
+}

secret-memory/src/alloc/mod.rs

@@ -0,0 +1,6 @@
+pub mod memsec;
+
+pub use crate::alloc::memsec::{
+    memsec_box as secret_box, memsec_vec as secret_vec, MemsecAllocator as SecretAllocator,
+    MemsecBox as SecretBox, MemsecVec as SecretVec,
+};

secret-memory/src/lib.rs

@@ -2,6 +2,8 @@ pub mod debug;
 pub mod file;
 pub mod rand;
 
+pub mod alloc;
+
 mod public;
 pub use crate::public::Public;
 

secret-memory/src/public.rs

@@ -20,7 +20,7 @@ pub struct Public<const N: usize> {
 impl<const N: usize> Public<N> {
     /// Create a new [Public] from a byte slice
     pub fn from_slice(value: &[u8]) -> Self {
-        copy_slice(value).to_this(|| Self::zero())
+        copy_slice(value).to_this(Self::zero)
     }
 
     /// Create a new [Public] from a byte array

secret-memory/src/secret.rs

@@ -1,21 +1,96 @@
-use crate::file::StoreSecret;
+use std::cell::RefCell;
+use std::collections::HashMap;
+use std::convert::TryInto;
+use std::fmt;
+use std::ops::{Deref, DerefMut};
+use std::path::Path;
+
 use anyhow::Context;
-use lazy_static::lazy_static;
 use rand::{Fill as Randomize, Rng};
-use rosenpass_sodium::alloc::{Alloc as SodiumAlloc, Box as SodiumBox, Vec as SodiumVec};
-use rosenpass_util::{
-    b64::b64_reader,
-    file::{fopen_r, LoadValue, LoadValueB64, ReadExactToEnd},
-    functional::mutating,
-};
-use std::{collections::HashMap, convert::TryInto, fmt, path::Path, sync::Mutex};
 use zeroize::{Zeroize, ZeroizeOnDrop};
 
+use rosenpass_util::b64::b64_reader;
+use rosenpass_util::file::{fopen_r, LoadValue, LoadValueB64, ReadExactToEnd};
+use rosenpass_util::functional::mutating;
+
+use crate::alloc::{secret_box, SecretBox, SecretVec};
+use crate::file::StoreSecret;
+
 // This might become a problem in library usage; it's effectively a memory
 // leak which probably isn't a problem right now because most memory will
 // be reused…
-lazy_static! {
-    static ref SECRET_CACHE: Mutex<SecretMemoryPool> = Mutex::new(SecretMemoryPool::new());
+thread_local! {
+    static SECRET_CACHE: RefCell<SecretMemoryPool> = RefCell::new(SecretMemoryPool::new());
+}
+
+fn with_secret_memory_pool<Fn, R>(mut f: Fn) -> R
+where
+    Fn: FnMut(Option<&mut SecretMemoryPool>) -> R,
+{
+    // This acquires the SECRET_CACHE
+    SECRET_CACHE
+        .try_with(|cell| {
+            // And acquires the inner reference
+            cell.try_borrow_mut()
+                .as_deref_mut()
+                // To call the given function
+                .map(|pool| f(Some(pool)))
+                .ok()
+        })
+        .ok()
+        .flatten()
+        // Failing that, the given function is called with None
+        .unwrap_or_else(|| f(None))
+}
+
+// Wrapper around SecretBox that applies automatic zeroization
+#[derive(Debug)]
+struct ZeroizingSecretBox<T: Zeroize + ?Sized>(Option<SecretBox<T>>);
+
+impl<T: Zeroize> ZeroizingSecretBox<T> {
+    fn new(boxed: T) -> Self {
+        ZeroizingSecretBox(Some(secret_box(boxed)))
+    }
+}
+
+impl<T: Zeroize + ?Sized> ZeroizingSecretBox<T> {
+    fn from_secret_box(inner: SecretBox<T>) -> Self {
+        Self(Some(inner))
+    }
+
+    fn take(mut self) -> SecretBox<T> {
+        self.0.take().unwrap()
+    }
+}
+
+impl<T: Zeroize + ?Sized> ZeroizeOnDrop for ZeroizingSecretBox<T> {}
+impl<T: Zeroize + ?Sized> Zeroize for ZeroizingSecretBox<T> {
+    fn zeroize(&mut self) {
+        if let Some(inner) = &mut self.0 {
+            let inner: &mut SecretBox<T> = inner; // type annotation
+            inner.zeroize()
+        }
+    }
+}
+
+impl<T: Zeroize + ?Sized> Drop for ZeroizingSecretBox<T> {
+    fn drop(&mut self) {
+        self.zeroize()
+    }
+}
+
+impl<T: Zeroize + ?Sized> Deref for ZeroizingSecretBox<T> {
+    type Target = T;
+
+    fn deref(&self) -> &T {
+        self.0.as_ref().unwrap()
+    }
+}
+
+impl<T: Zeroize + ?Sized> DerefMut for ZeroizingSecretBox<T> {
+    fn deref_mut(&mut self) -> &mut T {
+        self.0.as_mut().unwrap()
+    }
 }
 
 /// Pool that stores secret memory allocations
@@ -23,12 +98,9 @@ lazy_static! {
 /// Allocation of secret memory is expensive. Thus, this struct provides a
 /// pool of secret memory, readily available to yield protected, slices of
 /// memory.
-///
-/// Further information about the protection in place can be found in in the
-/// [libsodium documentation](https://libsodium.gitbook.io/doc/memory_management#guarded-heap-allocations)
 #[derive(Debug)] // TODO check on Debug derive, is that clever
 struct SecretMemoryPool {
-    pool: HashMap<usize, Vec<SodiumBox<[u8]>>>,
+    pool: HashMap<usize, Vec<ZeroizingSecretBox<[u8]>>>,
 }
 
 impl SecretMemoryPool {
@@ -41,33 +113,37 @@ impl SecretMemoryPool {
     }
 
     /// Return secret back to the pool for future re-use
-    pub fn release<const N: usize>(&mut self, mut sec: SodiumBox<[u8; N]>) {
+    pub fn release<const N: usize>(&mut self, mut sec: ZeroizingSecretBox<[u8; N]>) {
         sec.zeroize();
 
         // This conversion sequence is weird but at least it guarantees
         // that the heap allocation is preserved according to the docs
-        let sec: SodiumVec<u8> = sec.into();
-        let sec: SodiumBox<[u8]> = sec.into();
+        let sec: SecretVec<u8> = sec.take().into();
+        let sec: SecretBox<[u8]> = sec.into();
 
-        self.pool.entry(N).or_default().push(sec);
+        self.pool
+            .entry(N)
+            .or_default()
+            .push(ZeroizingSecretBox::from_secret_box(sec));
     }
 
     /// Take protected memory from the pool, allocating new one if no suitable
     /// chunk is found in the inventory.
     ///
     /// The secret is guaranteed to be full of nullbytes
-    pub fn take<const N: usize>(&mut self) -> SodiumBox<[u8; N]> {
+    pub fn take<const N: usize>(&mut self) -> ZeroizingSecretBox<[u8; N]> {
         let entry = self.pool.entry(N).or_default();
-        match entry.pop() {
-            None => SodiumBox::new_in([0u8; N], SodiumAlloc::default()),
-            Some(sec) => sec.try_into().unwrap(),
-        }
+        let inner = match entry.pop() {
+            None => secret_box([0u8; N]),
+            Some(sec) => sec.take().try_into().unwrap(),
+        };
+        ZeroizingSecretBox::from_secret_box(inner)
     }
 }
 
-/// Storeage for a secret backed by [rosenpass_sodium::alloc::Alloc]
+/// Storage for secret data
 pub struct Secret<const N: usize> {
-    storage: Option<SodiumBox<[u8; N]>>,
+    storage: Option<ZeroizingSecretBox<[u8; N]>>,
 }
 
 impl<const N: usize> Secret<N> {
@@ -81,9 +157,12 @@ impl<const N: usize> Secret<N> {
     pub fn zero() -> Self {
         // Using [SecretMemoryPool] here because this operation is expensive,
         // yet it is used in hot loops
-        Self {
-            storage: Some(SECRET_CACHE.lock().unwrap().take()),
-        }
+        let buf = with_secret_memory_pool(|pool| {
+            pool.map(|p| p.take())
+                .unwrap_or_else(|| ZeroizingSecretBox::new([0u8; N]))
+        });
+
+        Self { storage: Some(buf) }
     }
 
     /// Returns a new [Secret] that is randomized
@@ -107,13 +186,6 @@ impl<const N: usize> Secret<N> {
     }
 }
 
-impl<const N: usize> ZeroizeOnDrop for Secret<N> {}
-impl<const N: usize> Zeroize for Secret<N> {
-    fn zeroize(&mut self) {
-        self.secret_mut().zeroize();
-    }
-}
-
 impl<const N: usize> Randomize for Secret<N> {
     fn try_fill<R: Rng + ?Sized>(&mut self, rng: &mut R) -> Result<(), rand::Error> {
         // Zeroize self first just to make sure the barriers from the zeroize create take
@@ -124,11 +196,26 @@ impl<const N: usize> Randomize for Secret<N> {
     }
 }
 
+impl<const N: usize> ZeroizeOnDrop for Secret<N> {}
+impl<const N: usize> Zeroize for Secret<N> {
+    fn zeroize(&mut self) {
+        if let Some(inner) = &mut self.storage {
+            inner.zeroize()
+        }
+    }
+}
+
 impl<const N: usize> Drop for Secret<N> {
     fn drop(&mut self) {
-        self.storage
-            .take()
-            .map(|sec| SECRET_CACHE.lock().unwrap().release(sec));
+        with_secret_memory_pool(|pool| {
+            if let Some((pool, secret)) = pool.zip(self.storage.take()) {
+                pool.release(secret);
+            }
+        });
+
+        // This should be unnecessary: The pool has one item – the inner secret – which
+        // zeroizes itself on drop. Calling it should not do any harm though…
+        self.zeroize()
     }
 }
 
@@ -197,20 +284,18 @@ mod test {
     /// check that we can alloc using the magic pool
     #[test]
     fn secret_memory_pool_take() {
-        rosenpass_sodium::init().unwrap();
         const N: usize = 0x100;
         let mut pool = SecretMemoryPool::new();
-        let secret: SodiumBox<[u8; N]> = pool.take();
+        let secret: ZeroizingSecretBox<[u8; N]> = pool.take();
         assert_eq!(secret.as_ref(), &[0; N]);
     }
 
     /// check that a secrete lives, even if its [SecretMemoryPool] is deleted
     #[test]
     fn secret_memory_pool_drop() {
-        rosenpass_sodium::init().unwrap();
         const N: usize = 0x100;
         let mut pool = SecretMemoryPool::new();
-        let secret: SodiumBox<[u8; N]> = pool.take();
+        let secret: ZeroizingSecretBox<[u8; N]> = pool.take();
         std::mem::drop(pool);
         assert_eq!(secret.as_ref(), &[0; N]);
     }
@@ -218,17 +303,16 @@ mod test {
     /// check that a secrete can be reborn, freshly initialized with zero
     #[test]
     fn secret_memory_pool_release() {
-        rosenpass_sodium::init().unwrap();
         const N: usize = 1;
         let mut pool = SecretMemoryPool::new();
-        let mut secret: SodiumBox<[u8; N]> = pool.take();
+        let mut secret: ZeroizingSecretBox<[u8; N]> = pool.take();
         let old_secret_ptr = secret.as_ref().as_ptr();
 
         secret.as_mut()[0] = 0x13;
         pool.release(secret);
 
         // now check that we get the same ptr
-        let new_secret: SodiumBox<[u8; N]> = pool.take();
+        let new_secret: ZeroizingSecretBox<[u8; N]> = pool.take();
         assert_eq!(old_secret_ptr, new_secret.as_ref().as_ptr());
 
         // and that the secret was zeroized

sodium/Cargo.toml

@@ -1,18 +0,0 @@
-[package]
-name = "rosenpass-sodium"
-authors = ["Karolin Varner <karo@cupdev.net>", "wucke13 <wucke13@gmail.com>"]
-version = "0.1.0"
-edition = "2021"
-license = "MIT OR Apache-2.0"
-description = "Rosenpass internal bindings to libsodium"
-homepage = "https://rosenpass.eu/"
-repository = "https://github.com/rosenpass/rosenpass"
-readme = "readme.md"
-
-[dependencies]
-rosenpass-util = { workspace = true }
-rosenpass-to = { workspace = true }
-anyhow = { workspace = true }
-libsodium-sys-stable = { workspace = true }
-log = { workspace = true }
-allocator-api2 = { workspace = true }

sodium/readme.md

@@ -1,5 +0,0 @@
-# Rosenpass internal libsodium bindings
-
-Rosenpass internal library providing bindings to libsodium.
-
-This is an internal library; not guarantee is made about its API at this point in time.

sodium/src/aead/chacha20poly1305_ietf.rs

@@ -1,63 +0,0 @@
-use libsodium_sys as libsodium;
-use std::ffi::c_ulonglong;
-use std::ptr::{null, null_mut};
-
-pub const KEY_LEN: usize = libsodium::crypto_aead_chacha20poly1305_IETF_KEYBYTES as usize;
-pub const TAG_LEN: usize = libsodium::crypto_aead_chacha20poly1305_IETF_ABYTES as usize;
-pub const NONCE_LEN: usize = libsodium::crypto_aead_chacha20poly1305_IETF_NPUBBYTES as usize;
-
-#[inline]
-pub fn encrypt(
-    ciphertext: &mut [u8],
-    key: &[u8],
-    nonce: &[u8],
-    ad: &[u8],
-    plaintext: &[u8],
-) -> anyhow::Result<()> {
-    assert!(ciphertext.len() == plaintext.len() + TAG_LEN);
-    assert!(key.len() == KEY_LEN);
-    assert!(nonce.len() == NONCE_LEN);
-    let mut clen: u64 = 0;
-    sodium_call!(
-        crypto_aead_chacha20poly1305_ietf_encrypt,
-        ciphertext.as_mut_ptr(),
-        &mut clen,
-        plaintext.as_ptr(),
-        plaintext.len() as c_ulonglong,
-        ad.as_ptr(),
-        ad.len() as c_ulonglong,
-        null(), // nsec is not used
-        nonce.as_ptr(),
-        key.as_ptr()
-    )?;
-    assert!(clen as usize == ciphertext.len());
-    Ok(())
-}
-
-#[inline]
-pub fn decrypt(
-    plaintext: &mut [u8],
-    key: &[u8],
-    nonce: &[u8],
-    ad: &[u8],
-    ciphertext: &[u8],
-) -> anyhow::Result<()> {
-    assert!(ciphertext.len() == plaintext.len() + TAG_LEN);
-    assert!(key.len() == KEY_LEN);
-    assert!(nonce.len() == NONCE_LEN);
-    let mut mlen: u64 = 0;
-    sodium_call!(
-        crypto_aead_chacha20poly1305_ietf_decrypt,
-        plaintext.as_mut_ptr(),
-        &mut mlen as *mut c_ulonglong,
-        null_mut(), // nsec is not used
-        ciphertext.as_ptr(),
-        ciphertext.len() as c_ulonglong,
-        ad.as_ptr(),
-        ad.len() as c_ulonglong,
-        nonce.as_ptr(),
-        key.as_ptr()
-    )?;
-    assert!(mlen as usize == plaintext.len());
-    Ok(())
-}

sodium/src/aead/mod.rs

@@ -1,2 +0,0 @@
-pub mod chacha20poly1305_ietf;
-pub mod xchacha20poly1305_ietf;

sodium/src/aead/xchacha20poly1305_ietf.rs

@@ -1,63 +0,0 @@
-use libsodium_sys as libsodium;
-use std::ffi::c_ulonglong;
-use std::ptr::{null, null_mut};
-
-pub const KEY_LEN: usize = libsodium::crypto_aead_xchacha20poly1305_IETF_KEYBYTES as usize;
-pub const TAG_LEN: usize = libsodium::crypto_aead_xchacha20poly1305_ietf_ABYTES as usize;
-pub const NONCE_LEN: usize = libsodium::crypto_aead_xchacha20poly1305_IETF_NPUBBYTES as usize;
-
-#[inline]
-pub fn encrypt(
-    ciphertext: &mut [u8],
-    key: &[u8],
-    nonce: &[u8],
-    ad: &[u8],
-    plaintext: &[u8],
-) -> anyhow::Result<()> {
-    assert!(ciphertext.len() == plaintext.len() + NONCE_LEN + TAG_LEN);
-    assert!(key.len() == libsodium::crypto_aead_xchacha20poly1305_IETF_KEYBYTES as usize);
-    let (n, ct) = ciphertext.split_at_mut(NONCE_LEN);
-    n.copy_from_slice(nonce);
-    let mut clen: u64 = 0;
-    sodium_call!(
-        crypto_aead_xchacha20poly1305_ietf_encrypt,
-        ct.as_mut_ptr(),
-        &mut clen,
-        plaintext.as_ptr(),
-        plaintext.len() as c_ulonglong,
-        ad.as_ptr(),
-        ad.len() as c_ulonglong,
-        null(), // nsec is not used
-        nonce.as_ptr(),
-        key.as_ptr()
-    )?;
-    assert!(clen as usize == ct.len());
-    Ok(())
-}
-
-#[inline]
-pub fn decrypt(
-    plaintext: &mut [u8],
-    key: &[u8],
-    ad: &[u8],
-    ciphertext: &[u8],
-) -> anyhow::Result<()> {
-    assert!(ciphertext.len() == plaintext.len() + NONCE_LEN + TAG_LEN);
-    assert!(key.len() == KEY_LEN);
-    let (n, ct) = ciphertext.split_at(NONCE_LEN);
-    let mut mlen: u64 = 0;
-    sodium_call!(
-        crypto_aead_xchacha20poly1305_ietf_decrypt,
-        plaintext.as_mut_ptr(),
-        &mut mlen as *mut c_ulonglong,
-        null_mut(), // nsec is not used
-        ct.as_ptr(),
-        ct.len() as c_ulonglong,
-        ad.as_ptr(),
-        ad.len() as c_ulonglong,
-        n.as_ptr(),
-        key.as_ptr()
-    )?;
-    assert!(mlen as usize == plaintext.len());
-    Ok(())
-}

sodium/src/alloc/allocator.rs

@@ -1,95 +0,0 @@
-use allocator_api2::alloc::{AllocError, Allocator, Layout};
-use libsodium_sys as libsodium;
-use std::fmt;
-use std::os::raw::c_void;
-use std::ptr::NonNull;
-
-#[derive(Clone, Default)]
-struct AllocatorContents;
-
-/// Memory allocation using sodium_malloc/sodium_free
-#[derive(Clone, Default)]
-pub struct Alloc {
-    _dummy_private_data: AllocatorContents,
-}
-
-impl Alloc {
-    pub fn new() -> Self {
-        Alloc {
-            _dummy_private_data: AllocatorContents,
-        }
-    }
-}
-
-unsafe impl Allocator for Alloc {
-    fn allocate(&self, layout: Layout) -> Result<NonNull<[u8]>, AllocError> {
-        // Call sodium allocator
-        let ptr = unsafe { libsodium::sodium_malloc(layout.size()) };
-
-        // Ensure the right allocation is used
-        let off = ptr.align_offset(layout.align());
-        if off != 0 {
-            log::error!("Allocation {layout:?} was requested but libsodium returned allocation \
-                with offset {off} from the requested alignment. Libsodium always allocates values \
-                at the end of a memory page for security reasons, custom alignments are not supported. \
-                You could try allocating an oversized value.");
-            return Err(AllocError);
-        }
-
-        // Convert to a pointer size
-        let ptr = core::ptr::slice_from_raw_parts_mut(ptr as *mut u8, layout.size());
-
-        // Conversion to a *const u8, then to a &[u8]
-        match NonNull::new(ptr) {
-            None => {
-                log::error!(
-                    "Allocation {layout:?} was requested but libsodium returned a null pointer"
-                );
-                Err(AllocError)
-            }
-            Some(ret) => Ok(ret),
-        }
-    }
-
-    unsafe fn deallocate(&self, ptr: NonNull<u8>, _layout: Layout) {
-        unsafe {
-            libsodium::sodium_free(ptr.as_ptr() as *mut c_void);
-        }
-    }
-}
-
-impl fmt::Debug for Alloc {
-    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
-        fmt.write_str("<libsodium based Rust allocator>")
-    }
-}
-
-#[cfg(test)]
-mod test {
-    use super::*;
-
-    /// checks that the can malloc with libsodium
-    #[test]
-    fn sodium_allocation() {
-        crate::init().unwrap();
-        let alloc = Alloc::new();
-        sodium_allocation_impl::<0>(&alloc);
-        sodium_allocation_impl::<7>(&alloc);
-        sodium_allocation_impl::<8>(&alloc);
-        sodium_allocation_impl::<64>(&alloc);
-        sodium_allocation_impl::<999>(&alloc);
-    }
-
-    fn sodium_allocation_impl<const N: usize>(alloc: &Alloc) {
-        crate::init().unwrap();
-        let layout = Layout::new::<[u8; N]>();
-        let mem = alloc.allocate(layout).unwrap();
-
-        // https://libsodium.gitbook.io/doc/memory_management#guarded-heap-allocations
-        // promises us that allocated memory is initialized with the magic byte 0xDB
-        assert_eq!(unsafe { mem.as_ref() }, &[0xDBu8; N]);
-
-        let mem = NonNull::new(mem.as_ptr() as *mut u8).unwrap();
-        unsafe { alloc.deallocate(mem, layout) };
-    }
-}

sodium/src/alloc/mod.rs

@@ -1,10 +0,0 @@
-//! Access to sodium_malloc/sodium_free
-
-mod allocator;
-pub use allocator::Alloc;
-
-/// A box backed by sodium_malloc
-pub type Box<T> = allocator_api2::boxed::Box<T, Alloc>;
-
-/// A vector backed by sodium_malloc
-pub type Vec<T> = allocator_api2::vec::Vec<T, Alloc>;

sodium/src/hash/blake2b.rs

@@ -1,31 +0,0 @@
-use libsodium_sys as libsodium;
-use rosenpass_to::{with_destination, To};
-use std::ffi::c_ulonglong;
-use std::ptr::null;
-
-pub const KEY_MIN: usize = libsodium::crypto_generichash_blake2b_KEYBYTES_MIN as usize;
-pub const KEY_MAX: usize = libsodium::crypto_generichash_blake2b_KEYBYTES_MAX as usize;
-pub const OUT_MIN: usize = libsodium::crypto_generichash_blake2b_BYTES_MIN as usize;
-pub const OUT_MAX: usize = libsodium::crypto_generichash_blake2b_BYTES_MAX as usize;
-
-#[inline]
-pub fn hash<'a>(key: &'a [u8], data: &'a [u8]) -> impl To<[u8], anyhow::Result<()>> + 'a {
-    with_destination(|out: &mut [u8]| {
-        assert!(key.is_empty() || (KEY_MIN <= key.len() && key.len() <= KEY_MAX));
-        assert!(OUT_MIN <= out.len() && out.len() <= OUT_MAX);
-        let kptr = match key.len() {
-            // NULL key
-            0 => null(),
-            _ => key.as_ptr(),
-        };
-        sodium_call!(
-            crypto_generichash_blake2b,
-            out.as_mut_ptr(),
-            out.len(),
-            data.as_ptr(),
-            data.len() as c_ulonglong,
-            kptr,
-            key.len()
-        )
-    })
-}

sodium/src/hash/mod.rs

@@ -1 +0,0 @@
-pub mod blake2b;

sodium/src/helpers.rs

@@ -1,28 +0,0 @@
-use libsodium_sys as libsodium;
-use std::os::raw::c_void;
-
-#[inline]
-pub fn memcmp(a: &[u8], b: &[u8]) -> bool {
-    a.len() == b.len()
-        && unsafe {
-            let r = libsodium::sodium_memcmp(
-                a.as_ptr() as *const c_void,
-                b.as_ptr() as *const c_void,
-                a.len(),
-            );
-            r == 0
-        }
-}
-
-#[inline]
-pub fn compare(a: &[u8], b: &[u8]) -> i32 {
-    assert!(a.len() == b.len());
-    unsafe { libsodium::sodium_compare(a.as_ptr(), b.as_ptr(), a.len()) }
-}
-
-#[inline]
-pub fn increment(v: &mut [u8]) {
-    unsafe {
-        libsodium::sodium_increment(v.as_mut_ptr(), v.len());
-    }
-}

sodium/src/lib.rs

@@ -1,21 +0,0 @@
-use libsodium_sys as libsodium;
-
-macro_rules! sodium_call {
-    ($name:ident, $($args:expr),*) => { ::rosenpass_util::attempt!({
-        anyhow::ensure!(unsafe{libsodium::$name($($args),*)} > -1,
-            "Error in libsodium's {}.", stringify!($name));
-        Ok(())
-    })};
-    ($name:ident) => { sodium_call!($name, ) };
-}
-
-#[inline]
-pub fn init() -> anyhow::Result<()> {
-    log::trace!("initializing libsodium");
-    sodium_call!(sodium_init)
-}
-
-pub mod aead;
-pub mod alloc;
-pub mod hash;
-pub mod helpers;

to/README.md

@@ -12,15 +12,17 @@ The crate provides chained functions to simplify allocating the destination para
 For now this crate is experimental; patch releases are guaranteed not to contain any breaking changes, but minor releases may.
 
 ```rust
-use std::ops::BitXorAssign;
-use rosenpass_to::{To, to, with_destination};
 use rosenpass_to::ops::copy_array;
+use rosenpass_to::{to, with_destination, To};
+use std::ops::BitXorAssign;
 
 // Destination functions return some value that implements the To trait.
 // Unfortunately dealing with lifetimes is a bit more finicky than it would#
 // be without destination parameters
-fn xor_slice<'a, T>(src: &'a[T]) -> impl To<[T], ()> + 'a
-        where T: BitXorAssign + Clone {
+fn xor_slice<'a, T>(src: &'a [T]) -> impl To<[T], ()> + 'a
+where
+    T: BitXorAssign + Clone,
+{
     // Custom implementations of the to trait can be created, but the easiest
     with_destination(move |dst: &mut [T]| {
         assert!(src.len() == dst.len());
@@ -65,7 +67,7 @@ assert_eq!(&dst[..], &flip01[..]);
 // The builtin function copy_array supports to_value() since its
 // destination parameter is a fixed size array, which can be allocated
 // using default()
-let dst : [u8; 4] = copy_array(flip01).to_value();
+let dst: [u8; 4] = copy_array(flip01).to_value();
 assert_eq!(&dst, flip01);
 ```
 
@@ -84,7 +86,9 @@ Functions declared like this are more cumbersome to use when the destination par
 use std::ops::BitXorAssign;
 
 fn xor_slice<T>(dst: &mut [T], src: &[T])
-        where T: BitXorAssign + Clone {
+where
+    T: BitXorAssign + Clone,
+{
     assert!(src.len() == dst.len());
     for (d, s) in dst.iter_mut().zip(src.iter()) {
         *d ^= s.clone();
@@ -114,8 +118,8 @@ assert_eq!(&dst[..], &flip01[..]);
 There are a couple of ways to use a function with destination:
 
 ```rust
-use rosenpass_to::{to, To};
 use rosenpass_to::ops::{copy_array, copy_slice_least};
+use rosenpass_to::{to, To};
 
 let mut dst = b"           ".to_vec();
 
@@ -129,7 +133,8 @@ copy_slice_least(b"This is fin").to(&mut dst[..]);
 assert_eq!(&dst[..], b"This is fin");
 
 // You can allocate the destination variable on the fly using `.to_this(...)`
-let tmp = copy_slice_least(b"This is new---").to_this(|| b"This will be overwritten".to_owned());
+let tmp =
+    copy_slice_least(b"This is new---").to_this(|| b"This will be overwritten".to_owned());
 assert_eq!(&tmp[..], b"This is new---verwritten");
 
 // You can allocate the destination variable on the fly `.collect(..)` if it implements default
@@ -147,8 +152,11 @@ assert_eq!(&tmp[..], b"Fixed");
 The to crate provides basic functions with destination for copying data between slices and arrays.
 
 ```rust
+use rosenpass_to::ops::{
+    copy_array, copy_slice, copy_slice_least, copy_slice_least_src, try_copy_slice,
+    try_copy_slice_least_src,
+};
 use rosenpass_to::{to, To};
-use rosenpass_to::ops::{copy_array, copy_slice, copy_slice_least, copy_slice_least_src, try_copy_slice, try_copy_slice_least_src};
 
 let mut dst = b"           ".to_vec();
 
@@ -161,18 +169,33 @@ to(&mut dst[4..], copy_slice_least_src(b"!!!"));
 assert_eq!(&dst[..], b"Hell!!!orld");
 
 // Copy a slice, copying as many bytes as possible
-to(&mut dst[6..], copy_slice_least(b"xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"));
+to(
+    &mut dst[6..],
+    copy_slice_least(b"xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"),
+);
 assert_eq!(&dst[..], b"Hell!!xxxxx");
 
 // Copy a slice, will return None and abort if the sizes do not much
 assert_eq!(Some(()), to(&mut dst[..], try_copy_slice(b"Hello World")));
 assert_eq!(None, to(&mut dst[..], try_copy_slice(b"---")));
-assert_eq!(None, to(&mut dst[..], try_copy_slice(b"---------------------")));
+assert_eq!(
+    None,
+    to(&mut dst[..], try_copy_slice(b"---------------------"))
+);
 assert_eq!(&dst[..], b"Hello World");
 
 // Copy a slice, will return None and abort if source is longer than destination
-assert_eq!(Some(()), to(&mut dst[4..], try_copy_slice_least_src(b"!!!")));
-assert_eq!(None, to(&mut dst[4..], try_copy_slice_least_src(b"-------------------------")));
+assert_eq!(
+    Some(()),
+    to(&mut dst[4..], try_copy_slice_least_src(b"!!!"))
+);
+assert_eq!(
+    None,
+    to(
+        &mut dst[4..],
+        try_copy_slice_least_src(b"-------------------------")
+    )
+);
 assert_eq!(&dst[..], b"Hell!!!orld");
 
 // Copy fixed size arrays all at once
@@ -186,12 +209,14 @@ assert_eq!(&dst, b"Hello");
 The easiest way to declare a function with destination is to use the with_destination function.
 
 ```rust
-use rosenpass_to::{To, to, with_destination};
 use rosenpass_to::ops::copy_array;
+use rosenpass_to::{to, with_destination, To};
 
 /// Copy the given slice to the start of a vector, reusing its memory if possible
 fn copy_to_vec<'a, T>(src: &'a [T]) -> impl To<Vec<T>, ()> + 'a
-        where T: Clone {
+where
+    T: Clone,
+{
     with_destination(move |dst: &mut Vec<T>| {
         dst.clear();
         dst.extend_from_slice(src);
@@ -217,7 +242,9 @@ The same pattern can be implemented without `to`, at the cost of being slightly
 ```rust
 /// Copy the given slice to the start of a vector, reusing its memory if possible
 fn copy_to_vec<T>(dst: &mut Vec<T>, src: &[T])
-        where T: Clone {
+where
+    T: Clone,
+{
     dst.clear();
     dst.extend_from_slice(src);
 }
@@ -240,11 +267,11 @@ Alternative functions are returned, that return a `to::Beside` value, containing
 destination variable and the return value.
 
 ```rust
-use std::cmp::{min, max};
-use rosenpass_to::{To, to, with_destination, Beside};
+use rosenpass_to::{to, with_destination, Beside, To};
+use std::cmp::{max, min};
 
 /// Copy an array of floats and calculate the average
-pub fn copy_and_average<'a>(src: &'a[f64]) -> impl To<[f64], f64> + 'a {
+pub fn copy_and_average<'a>(src: &'a [f64]) -> impl To<[f64], f64> + 'a {
     with_destination(move |dst: &mut [f64]| {
         assert!(src.len() == dst.len());
         let mut sum = 0f64;
@@ -300,8 +327,8 @@ assert_eq!(tmp, Beside([42f64; 3], 42f64));
 When Beside values contain a `()`, `Option<()>`, or `Result<(), Error>` return value, they expose a special method called `.condense()`; this method consumes the Beside value and condenses destination and return value into one value.
 
 ```rust
+use rosenpass_to::Beside;
 use std::result::Result;
-use rosenpass_to::{Beside};
 
 assert_eq!((), Beside((), ()).condense());
 
@@ -318,8 +345,8 @@ assert_eq!(Err(()), Beside(42, err_unit).condense());
 When condense is implemented for a type, `.to_this(|| ...)`, `.to_value()`, and `.collect::<...>()` on the `To` trait can be used even with a return value:
 
 ```rust
+use rosenpass_to::ops::try_copy_slice;
 use rosenpass_to::To;
-use rosenpass_to::ops::try_copy_slice;;
 
 let tmp = try_copy_slice(b"Hello World").collect::<[u8; 11]>();
 assert_eq!(tmp, Some(*b"Hello World"));
@@ -337,8 +364,8 @@ assert_eq!(tmp, None);
 The same naturally also works for Results, but the example is a bit harder to motivate:
 
 ```rust
+use rosenpass_to::{to, with_destination, To};
 use std::result::Result;
-use rosenpass_to::{to, To, with_destination};
 
 #[derive(PartialEq, Eq, Debug, Default)]
 struct InvalidFloat;
@@ -380,8 +407,8 @@ Condensation is implemented through a trait called CondenseBeside ([local](Conde
 If you can not implement this trait because its for an external type (see [orphan rule](https://doc.rust-lang.org/book/ch10-02-traits.html#implementing-a-trait-on-a-type)), this crate welcomes contributions of new Condensation rules.
 
 ```rust
-use rosenpass_to::{To, with_destination, Beside, CondenseBeside};
 use rosenpass_to::ops::copy_slice;
+use rosenpass_to::{with_destination, Beside, CondenseBeside, To};
 
 #[derive(PartialEq, Eq, Debug, Default)]
 struct MyTuple<Left, Right>(Left, Right);
@@ -396,7 +423,10 @@ impl<Val, Right> CondenseBeside<Val> for MyTuple<(), Right> {
 }
 
 fn copy_slice_and_return_something<'a, T, U>(src: &'a [T], something: U) -> impl To<[T], U> + 'a
-        where T: Copy, U: 'a {
+where
+    T: Copy,
+    U: 'a,
+{
     with_destination(move |dst: &mut [T]| {
         copy_slice(src).to(dst);
         something
@@ -417,7 +447,7 @@ Using `with_destination(...)` is convenient, but since it uses closures it resul
 Implementing the ToTrait manual is the right choice for library use cases.
 
 ```rust
-use rosenpass_to::{to, To, with_destination};
+use rosenpass_to::{to, with_destination, To};
 
 struct TryCopySliceSource<'a, T: Copy> {
     src: &'a [T],
@@ -425,17 +455,20 @@ struct TryCopySliceSource<'a, T: Copy> {
 
 impl<'a, T: Copy> To<[T], Option<()>> for TryCopySliceSource<'a, T> {
     fn to(self, dst: &mut [T]) -> Option<()> {
-        (self.src.len() == dst.len())
-            .then(|| dst.copy_from_slice(self.src))
+        (self.src.len() == dst.len()).then(|| dst.copy_from_slice(self.src))
     }
 }
 
 fn try_copy_slice<'a, T>(src: &'a [T]) -> TryCopySliceSource<'a, T>
-        where T: Copy {
+where
+    T: Copy,
+{
     TryCopySliceSource { src }
 }
 
-let mut dst = try_copy_slice(b"Hello World").collect::<[u8; 11]>().unwrap();
+let mut dst = try_copy_slice(b"Hello World")
+    .collect::<[u8; 11]>()
+    .unwrap();
 assert_eq!(&dst[..], b"Hello World");
 assert_eq!(None, to(&mut dst[..], try_copy_slice(b"---")));
 ```
@@ -445,8 +478,8 @@ assert_eq!(None, to(&mut dst[..], try_copy_slice(b"---")));
 Destinations can also be used with methods. This example demonstrates using destinations in an extension trait for everything that implements `Borrow<[T]>` for any `T` and a concrete `To` trait implementation.
 
 ```rust
+use rosenpass_to::{to, with_destination, To};
 use std::borrow::Borrow;
-use rosenpass_to::{to, To, with_destination};
 
 struct TryCopySliceSource<'a, T: Copy> {
     src: &'a [T],
@@ -454,24 +487,24 @@ struct TryCopySliceSource<'a, T: Copy> {
 
 impl<'a, T: Copy> To<[T], Option<()>> for TryCopySliceSource<'a, T> {
     fn to(self, dst: &mut [T]) -> Option<()> {
-        (self.src.len() == dst.len())
-            .then(|| dst.copy_from_slice(self.src))
+        (self.src.len() == dst.len()).then(|| dst.copy_from_slice(self.src))
     }
 }
 
 trait TryCopySliceExt<'a, T: Copy> {
-    fn try_copy_slice(&'a self)  -> TryCopySliceSource<'a, T>;
+    fn try_copy_slice(&'a self) -> TryCopySliceSource<'a, T>;
 }
 
 impl<'a, T: 'a + Copy, Ref: 'a + Borrow<[T]>> TryCopySliceExt<'a, T> for Ref {
-    fn try_copy_slice(&'a self)  -> TryCopySliceSource<'a, T> {
-        TryCopySliceSource {
-            src: self.borrow()
-        }
+    fn try_copy_slice(&'a self) -> TryCopySliceSource<'a, T> {
+        TryCopySliceSource { src: self.borrow() }
     }
 }
 
-let mut dst = b"Hello World".try_copy_slice().collect::<[u8; 11]>().unwrap();
+let mut dst = b"Hello World"
+    .try_copy_slice()
+    .collect::<[u8; 11]>()
+    .unwrap();
 assert_eq!(&dst[..], b"Hello World");
 assert_eq!(None, to(&mut dst[..], b"---".try_copy_slice()));
 ```

to/src/ops.rs

@@ -8,7 +8,7 @@ use crate::{with_destination, To};
 /// # Panics
 ///
 /// This function will panic if the two slices have different lengths.
-pub fn copy_slice<'a, T>(origin: &'a [T]) -> impl To<[T], ()> + 'a
+pub fn copy_slice<T>(origin: &[T]) -> impl To<[T], ()> + '_
 where
     T: Copy,
 {
@@ -23,7 +23,7 @@ where
 /// # Panics
 ///
 /// This function will panic if destination is shorter than origin.
-pub fn copy_slice_least_src<'a, T>(origin: &'a [T]) -> impl To<[T], ()> + 'a
+pub fn copy_slice_least_src<T>(origin: &[T]) -> impl To<[T], ()> + '_
 where
     T: Copy,
 {
@@ -34,7 +34,7 @@ where
 /// destination.
 ///
 /// Copies as much data as is present in the shorter slice.
-pub fn copy_slice_least<'a, T>(origin: &'a [T]) -> impl To<[T], ()> + 'a
+pub fn copy_slice_least<T>(origin: &[T]) -> impl To<[T], ()> + '_
 where
     T: Copy,
 {
@@ -47,7 +47,7 @@ where
 /// Function with destination that attempts to copy data from origin into the destination.
 ///
 /// Will return None if the slices are of different lengths.
-pub fn try_copy_slice<'a, T>(origin: &'a [T]) -> impl To<[T], Option<()>> + 'a
+pub fn try_copy_slice<T>(origin: &[T]) -> impl To<[T], Option<()>> + '_
 where
     T: Copy,
 {
@@ -62,7 +62,7 @@ where
 /// Destination may be longer than origin.
 ///
 /// Will return None if the destination is shorter than origin.
-pub fn try_copy_slice_least_src<'a, T>(origin: &'a [T]) -> impl To<[T], Option<()>> + 'a
+pub fn try_copy_slice_least_src<T>(origin: &[T]) -> impl To<[T], Option<()>> + '_
 where
     T: Copy,
 {
@@ -72,7 +72,7 @@ where
 }
 
 /// Function with destination that copies all data between two array references.
-pub fn copy_array<'a, T, const N: usize>(origin: &'a [T; N]) -> impl To<[T; N], ()> + 'a
+pub fn copy_array<T, const N: usize>(origin: &[T; N]) -> impl To<[T; N], ()> + '_
 where
     T: Copy,
 {

util/Cargo.toml

@@ -14,3 +14,5 @@ readme = "readme.md"
 [dependencies]
 base64 = { workspace = true }
 anyhow = { workspace = true }
+typenum = { workspace = true }
+static_assertions = { workspace = true }

util/src/file.rs

@@ -6,21 +6,21 @@ use std::{fs::OpenOptions, path::Path};
 
 /// Open a file writable
 pub fn fopen_w<P: AsRef<Path>>(path: P) -> std::io::Result<File> {
-    Ok(OpenOptions::new()
+    OpenOptions::new()
         .read(false)
         .write(true)
         .create(true)
         .truncate(true)
-        .open(path)?)
+        .open(path)
 }
 /// Open a file readable
 pub fn fopen_r<P: AsRef<Path>>(path: P) -> std::io::Result<File> {
-    Ok(OpenOptions::new()
+    OpenOptions::new()
         .read(true)
         .write(false)
         .create(false)
         .truncate(false)
-        .open(path)?)
+        .open(path)
 }
 
 pub trait ReadExactToEnd {

util/src/lib.rs

@@ -1,7 +1,11 @@
+#![recursion_limit = "256"]
+
 pub mod b64;
+pub mod fd;
 pub mod file;
 pub mod functional;
 pub mod mem;
 pub mod ord;
 pub mod result;
 pub mod time;
+pub mod typenum;

util/src/result.rs

@@ -35,25 +35,30 @@ pub trait GuaranteedValue {
 /// ```
 /// use std::num::Wrapping;
 /// use std::result::Result;
-/// use std::convert::Infallible
+/// use std::convert::Infallible;
+/// use std::ops::Add;
 ///
-/// trait FailableAddition {
+/// use rosenpass_util::result::{Guaranteed, GuaranteedValue};
+///
+/// trait FailableAddition: Sized {
 ///   type Error;
 ///   fn failable_addition(&self, other: &Self) -> Result<Self, Self::Error>;
 /// }
 ///
+/// #[derive(Copy, Clone, Debug, Eq, PartialEq)]
 /// struct OverflowError;
 ///
-/// impl<T> FailableAddition for Wrapping<T> {
+/// impl<T> FailableAddition for Wrapping<T>
+///   where for <'a> &'a Wrapping<T>: Add<Output = Wrapping<T>> {
 ///   type Error = Infallible;
 ///   fn failable_addition(&self, other: &Self) -> Guaranteed<Self> {
-///     self + other
+///     Ok(self + other)
 ///   }
 /// }
 ///
-/// impl<T> FailableAddition for u32 {
-///   type Error = Infallible;
-///   fn failable_addition(&self, other: &Self) -> Guaranteed<Self> {
+/// impl FailableAddition for u32 {
+///   type Error = OverflowError;
+///   fn failable_addition(&self, other: &Self) -> Result<Self, Self::Error> {
 ///     match self.checked_add(*other) {
 ///         Some(v) => Ok(v),
 ///         None => Err(OverflowError),
@@ -64,10 +69,11 @@ pub trait GuaranteedValue {
 /// fn failable_multiply<T>(a: &T, b: u32)
 ///         -> Result<T, T::Error>
 ///     where
-///         T: FailableAddition<Error> {
+///         T: FailableAddition {
+///     assert!(b >= 2); // Acceptable only because this is for demonstration purposes
 ///     let mut accu = a.failable_addition(a)?;
-///     for _ in ..(b-1) {
-///         accu.failable_addition(a)?;
+///     for _ in 2..b {
+///         accu = accu.failable_addition(a)?;
 ///     }
 ///     Ok(accu)
 /// }
@@ -75,12 +81,12 @@ pub trait GuaranteedValue {
 /// // We can use .guaranteed() with Wrapping<u32>, since the operation uses
 /// // the Infallible error type.
 /// // We can also use unwrap which just happens to not raise an error.
-/// assert_eq!(failable_multiply(&Wrapping::new(42u32), 3).guaranteed(), 126);
-/// assert_eq!(failable_multiply(&Wrapping::new(42u32), 3).unwrap(), 126);
+/// assert_eq!(failable_multiply(&Wrapping(42u32), 3).guaranteed(), Wrapping(126));
+/// assert_eq!(failable_multiply(&Wrapping(42u32), 3).unwrap(), Wrapping(126));
 ///
 /// // We can not use .guaranteed() with u32, since there can be an error.
 /// // We can however use unwrap(), which may panic
-/// assert_eq!(failable_multiply(&42u32, 3).guaranteed(), 126); // COMPILER ERROR
+/// //assert_eq!(failable_multiply(&42u32, 3).guaranteed(), 126); // COMPILER ERROR
 /// assert_eq!(failable_multiply(&42u32, 3).unwrap(), 126);
 /// ```
 pub type Guaranteed<T> = Result<T, Infallible>;

util/src/typenum.rs

@@ -0,0 +1,341 @@
+use typenum::bit::{B0, B1};
+use typenum::int::{NInt, PInt, Z0};
+use typenum::marker_traits as markers;
+use typenum::uint::{UInt, UTerm};
+
+/// Convenience macro to convert type numbers to constant integers
+#[macro_export]
+macro_rules! typenum2const {
+    ($val:ty) => {
+        typenum2const!($val as _)
+    };
+    ($val:ty as $type:ty) => {
+        <$val as $crate::typenum::IntoConst<$type>>::VALUE
+    };
+}
+
+/// Trait implemented by constant integers to facilitate conversion to constant integers
+pub trait IntoConst<T> {
+    const VALUE: T;
+}
+
+struct ConstApplyNegSign<T: AssociatedUnsigned, Param: IntoConst<<T as AssociatedUnsigned>::Type>>(
+    *const T,
+    *const Param,
+);
+struct ConstApplyPosSign<T: AssociatedUnsigned, Param: IntoConst<<T as AssociatedUnsigned>::Type>>(
+    *const T,
+    *const Param,
+);
+struct ConstLshift<T, Param: IntoConst<T>, const SHIFT: i32>(*const T, *const Param); // impl IntoConst<T>
+struct ConstAdd<T, Lhs: IntoConst<T>, Rhs: IntoConst<T>>(*const T, *const Lhs, *const Rhs); // impl IntoConst<T>
+
+/// Assigns an unsigned type to a signed type
+trait AssociatedUnsigned {
+    type Type;
+}
+
+macro_rules! impl_into_const {
+    ( $from:ty as $to:ty := $impl:expr) => {
+        impl IntoConst<$to> for $from {
+            const VALUE: $to = $impl;
+        }
+    };
+}
+
+macro_rules! impl_numeric_into_const_common {
+    ($type:ty) => {
+        impl_into_const! { Z0 as $type := 0 }
+        impl_into_const! { B0 as $type := 0 }
+        impl_into_const! { B1 as $type := 1 }
+        impl_into_const! { UTerm as $type := 0 }
+
+        impl<Param: IntoConst<$type>, const SHIFT: i32> IntoConst<$type>
+            for ConstLshift<$type, Param, SHIFT>
+        {
+            const VALUE: $type = Param::VALUE << SHIFT;
+        }
+
+        impl<Lhs: IntoConst<$type>, Rhs: IntoConst<$type>> IntoConst<$type>
+            for ConstAdd<$type, Lhs, Rhs>
+        {
+            const VALUE: $type =
+                <Lhs as IntoConst<$type>>::VALUE + <Rhs as IntoConst<$type>>::VALUE;
+        }
+    };
+}
+
+macro_rules! impl_numeric_into_const_unsigned {
+    ($($to_list:ty),*) =>  {
+        $( impl_numeric_into_const_unsigned! { @impl $to_list } )*
+    };
+
+    (@impl $type:ty) =>  {
+        impl_numeric_into_const_common!{ $type }
+
+        impl AssociatedUnsigned for $type {
+            type Type = $type;
+        }
+
+        impl<Param: IntoConst<$type>> IntoConst<$type> for ConstApplyPosSign<$type, Param> {
+            const VALUE : $type = Param::VALUE;
+        }
+    };
+}
+
+macro_rules! impl_numeric_into_const_signed {
+    ($($to_list:ty : $unsigned_list:ty),*) =>  {
+        $( impl_numeric_into_const_signed! { @impl $to_list : $unsigned_list} )*
+    };
+
+    (@impl $type:ty : $unsigned:ty) =>  {
+        impl_numeric_into_const_common!{ $type }
+
+        impl AssociatedUnsigned for $type {
+            type Type = $unsigned;
+        }
+
+        impl<Param: IntoConst<$unsigned>> IntoConst<$type> for ConstApplyPosSign<$type, Param> {
+            const VALUE : $type = Param::VALUE as $type;
+        }
+
+        impl<Param: IntoConst<$unsigned>> IntoConst<$type> for ConstApplyNegSign<$type, Param> {
+            const VALUE : $type =
+                if Param::VALUE == (1 as $unsigned).rotate_right(1) {
+                    // Handle the negative value without an associated positive value (e.g. -128
+                    // for i8)
+                    < $type >::MIN
+                } else {
+                    -(Param::VALUE as $type)
+                };
+        }
+    };
+}
+
+impl_into_const! { B0 as bool := false }
+impl_into_const! { B1 as bool := true }
+impl_numeric_into_const_unsigned! { usize, u8, u16, u32, u64, u128 }
+impl_numeric_into_const_signed! { isize : usize, i8 : u8, i16 : u16, i32 : u32, i64 : u64, i128 : u128 }
+
+// Unsigned type numbers to const integers
+impl<Ret, Rest, Bit> IntoConst<Ret> for UInt<Rest, Bit>
+where
+    Rest: IntoConst<Ret>,
+    Bit: IntoConst<Ret>,
+    ConstLshift<Ret, Rest, 1>: IntoConst<Ret>,
+    ConstAdd<Ret, ConstLshift<Ret, Rest, 1>, Bit>: IntoConst<Ret>,
+{
+    const VALUE: Ret = <ConstAdd<Ret, ConstLshift<Ret, Rest, 1>, Bit> as IntoConst<Ret>>::VALUE;
+}
+
+// Signed type numbers with positive sign to const integers
+impl<Ret, Unsigned> IntoConst<Ret> for PInt<Unsigned>
+where
+    Ret: AssociatedUnsigned,
+    Unsigned: markers::Unsigned + markers::NonZero + IntoConst<<Ret as AssociatedUnsigned>::Type>,
+    ConstApplyPosSign<Ret, Unsigned>: IntoConst<Ret>,
+{
+    const VALUE: Ret = <ConstApplyPosSign<Ret, Unsigned> as IntoConst<Ret>>::VALUE;
+}
+
+// Signed type numbers with negative sign to const integers
+impl<Ret, Unsigned> IntoConst<Ret> for NInt<Unsigned>
+where
+    Ret: AssociatedUnsigned,
+    Unsigned: markers::Unsigned + markers::NonZero + IntoConst<<Ret as AssociatedUnsigned>::Type>,
+    ConstApplyNegSign<Ret, Unsigned>: IntoConst<Ret>,
+{
+    const VALUE: Ret = <ConstApplyNegSign<Ret, Unsigned> as IntoConst<Ret>>::VALUE;
+}
+
+mod test {
+    use static_assertions::const_assert_eq;
+    use typenum::consts::*;
+    use typenum::op;
+
+    macro_rules! test_const_conversion {
+        // Type groups
+
+        (($($typenum:ty),*) >= u7 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (u8, u16, u32, u64, u128) = $const } )*
+            $( test_const_conversion! { ($typenum) as (i8, i16, i32, i64, i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= u8 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (u8, u16, u32, u64, u128) = $const } )*
+            $( test_const_conversion! { ($typenum) as (    i16, i32, i64, i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= u15 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (    u16, u32, u64, u128) = $const } )*
+            $( test_const_conversion! { ($typenum) as (    i16, i32, i64, i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= u16 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (    u16, u32, u64, u128) = $const } )*
+            $( test_const_conversion! { ($typenum) as (         i32, i64, i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= u31 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (         u32, u64, u128) = $const } )*
+            $( test_const_conversion! { ($typenum) as (         i32, i64, i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= u32 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (         u32, u64, u128) = $const } )*
+            $( test_const_conversion! { ($typenum) as (              i64, i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= u63 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (              u64, u128) = $const } )*
+            $( test_const_conversion! { ($typenum) as (              i64, i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= u64 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (              u64, u128) = $const } )*
+            $( test_const_conversion! { ($typenum) as (                   i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= u127 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (                   u128) = $const } )*
+            $( test_const_conversion! { ($typenum) as (                   i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= u128 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (                   u128) = $const } )*
+            $( test_const_conversion! { ($typenum) as (                       ) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= i8 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (i8, i16, i32, i64, i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= i16 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (    i16, i32, i64, i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= i32 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (         i32, i64, i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= i64 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (              i64, i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) >= i128 = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { ($typenum) as (                   i128) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        // Basic operation
+
+        () => {};
+
+        (($($typenum:ty),*) as () = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) as ($type:ty) = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { @impl ($typenum) as ($type) = $const } )*
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (($($typenum:ty),*) as ($type_head:ty, $($type_tail:ty),*) = $const:expr $(; $($rest:tt)*)?) => {
+            $( test_const_conversion! { @impl ($typenum) as ($type_head) = $const } )*
+            test_const_conversion! { ($($typenum),*) as ($($type_tail),*) = $const }
+            $( test_const_conversion! { $($rest)* } )?
+        };
+
+        (@impl ($typenum:ty) as ($type:ty) = $const:expr $(; $($rest:tt)*)?) => {
+            const_assert_eq!(typenum2const!($typenum as $type), $const);
+            $( test_const_conversion!($($rest)*); )?
+        };
+    }
+
+    test_const_conversion! {
+        (B0, False) as (bool, bool) = false;
+
+        (B0, U0, Z0) >= u7 = 0;
+        (B1, U1, P1) >= u7 = 1;
+
+        (U2, P2) >= u7 = 2;
+        (B1, True) as (bool) = true;
+        (U3, P3) >= u7 = 3;
+        (U8, P8) >= u7 = 8;
+        (U127, P127) >= u7 = 127;
+        (U220, P220) >= u8 = 220;
+        (U255, P255) >= u8 = 255;
+        (U1000, P1000) >= u15 = 1000;
+        (U10000, P10000) >= u15 = 10000;
+        (U16384, P16384) >= u15 = 16384;
+        (U32768, P32768) >= u16 = 32768;
+        (U65536, P65536) >= u31 = 65536;
+        (U100000, P100000) >= u31 = 100000;
+        (U1000000000, P1000000000) >= u31 = 1000000000;
+        (U2147483648, P2147483648) >= u32 = 2147483648;
+        (U1000000000000000000, P1000000000000000000) >= u63 = 1000000000000000000;
+        (U1000000000000000000, P1000000000000000000) >= u63 = 1000000000000000000;
+
+        (U9223372036854775808) >= u64 = 9223372036854775808;
+        (U10000000000000000000) >= u64 = 10000000000000000000;
+
+        (N10000) >= i16 = -10000;
+        (N1000000) >= i32 = -1000000;
+        (N1000000000) >= i32 = -1000000000;
+        (N1000000000000) >= i64 = -1000000000000;
+    }
+
+    const_assert_eq!(127, (!(1u8.rotate_right(1)) - 0) as _);
+    const_assert_eq!(126, (!(1u8.rotate_right(1)) - 1) as _);
+    const_assert_eq!(255, (!(0u8.rotate_right(1)) - 0) as _);
+    const_assert_eq!(254, (!(0u8.rotate_right(1)) - 1) as _);
+
+    test_const_conversion! {
+        (op!(pow(U2, U7) - U1))   >= u7   = (!(1u8.rotate_right(1)) - 0) as _;
+        (op!(pow(U2, U7) - U2))   >= u7   = (!(1u8.rotate_right(1)) - 1) as _;
+        (op!(pow(U2, U15) - U1))  >= u15  = (!(1u16.rotate_right(1)) - 0) as _;
+        (op!(pow(U2, U15) - U2))  >= u15  = (!(1u16.rotate_right(1)) - 1) as _;
+        (op!(pow(U2, U31) - U1))  >= u31  = (!(1u32.rotate_right(1)) - 0) as _;
+        (op!(pow(U2, U31) - U2))  >= u31  = (!(1u32.rotate_right(1)) - 1) as _;
+        (op!(pow(U2, U63) - U1))  >= u63  = (!(1u64.rotate_right(1)) - 0) as _;
+        (op!(pow(U2, U63) - U2))  >= u63  = (!(1u64.rotate_right(1)) - 1) as _;
+        (op!(pow(U2, U127) - U1)) >= u127 = (!(1u128.rotate_right(1)) - 0) as _;
+        (op!(pow(U2, U127) - U2)) >= u127 = (!(1u128.rotate_right(1)) - 1) as _;
+
+        (op!(pow(U2, U8) - U1))   >= u8   = (u8::MAX - 0) as _;
+        (op!(pow(U2, U8) - U2))   >= u8   = (u8::MAX - 1) as _;
+        (op!(pow(U2, U16) - U1))  >= u16  = (u16::MAX - 0) as _;
+        (op!(pow(U2, U16) - U2))  >= u16  = (u16::MAX - 1) as _;
+        (op!(pow(U2, U32) - U1))  >= u32  = (u32::MAX - 0) as _;
+        (op!(pow(U2, U32) - U2))  >= u32  = (u32::MAX - 1) as _;
+        (op!(pow(U2, U64) - U1))  >= u64  = (u64::MAX - 0) as _;
+        (op!(pow(U2, U64) - U2))  >= u64  = (u64::MAX - 1) as _;
+        (op!(pow(U2, U128) - U1)) >= u128 = (u128::MAX - 0) as _;
+        (op!(pow(U2, U128) - U2)) >= u128 = (u128::MAX - 1) as _;
+
+        (op!(Z0 - pow(P2, P7) + Z0)) >= i8 = (i8::MIN + 0) as _;
+        (op!(Z0 - pow(P2, P7) + P1)) >= i8 = (i8::MIN + 1) as _;
+        (op!(Z0 - pow(P2, P15) + Z0)) >= i16 = (i16::MIN + 0) as _;
+        (op!(Z0 - pow(P2, P15) + P1)) >= i16 = (i16::MIN + 1) as _;
+        (op!(Z0 - pow(P2, P31) + Z0)) >= i32 = (i32::MIN + 0) as _;
+        (op!(Z0 - pow(P2, P31) + P1)) >= i32 = (i32::MIN + 1) as _;
+        (op!(Z0 - pow(P2, P63) + Z0)) >= i64 = (i64::MIN + 0) as _;
+        (op!(Z0 - pow(P2, P63) + P1)) >= i64 = (i64::MIN + 1) as _;
+        (op!(Z0 - pow(P2, P127) + Z0)) >= i128 = (i128::MIN + 0) as _;
+        (op!(Z0 - pow(P2, P127) + P1)) >= i128 = (i128::MIN + 1) as _;
+    }
+}

wireguard-broker/Cargo.toml

@@ -0,0 +1,41 @@
+[package]
+name = "rosenpass-wireguard-broker"
+authors = ["Karolin Varner <karo@cupdev.net>", "wucke13 <wucke13@gmail.com>"]
+version = "0.1.0"
+edition = "2021"
+license = "MIT OR Apache-2.0"
+description = "Rosenpass internal broker that runs as root and supplies exchanged keys to the kernel."
+homepage = "https://rosenpass.eu/"
+repository = "https://github.com/rosenpass/rosenpass"
+readme = "readme.md"
+
+[dependencies]
+thiserror = { workspace = true }
+rosenpass-lenses = { workspace = true }
+paste = { workspace = true } # TODO: Using lenses should not necessitate importing paste
+
+# Privileged only
+wireguard-uapi = { workspace = true }
+
+# Socket handler only
+rosenpass-to = { workspace = true }
+anyhow = { workspace = true }
+clap = { workspace = true }
+env_logger = { workspace = true }
+log = { workspace = true }
+
+# Mio broker client
+mio = { workspace = true }
+rosenpass-util = { workspace = true }
+
+[[bin]]
+name = "rosenpass-wireguard-broker-privileged"
+path = "src/bin/priviledged.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "rosenpass-wireguard-broker-socket-handler"
+test = false
+path = "src/bin/socket_handler.rs"
+doc = false

wireguard-broker/readme.md

@@ -0,0 +1,5 @@
+# Rosenpass internal broker supplying WireGuard with keys.
+
+This crate contains a small application purpose-built to supply WireGuard in the linux kernel with pre-shared keys.
+
+This is an internal library; not guarantee is made about its API at this point in time.

wireguard-broker/src/api/client.rs

@@ -0,0 +1,152 @@
+use std::{borrow::BorrowMut, marker::PhantomData};
+
+use rosenpass_lenses::LenseView;
+
+use crate::{
+    api::msgs::{self, EnvelopeExt, SetPskRequestExt, SetPskResponseExt},
+    WireGuardBroker,
+};
+
+#[derive(thiserror::Error, Debug, Clone, Eq, PartialEq)]
+pub enum BrokerClientPollResponseError<RecvError> {
+    #[error(transparent)]
+    IoError(RecvError),
+    #[error("Invalid message.")]
+    InvalidMessage,
+}
+
+impl<RecvError> From<msgs::InvalidMessageTypeError> for BrokerClientPollResponseError<RecvError> {
+    fn from(value: msgs::InvalidMessageTypeError) -> Self {
+        let msgs::InvalidMessageTypeError = value; // Assert that this is a unit type
+        BrokerClientPollResponseError::<RecvError>::InvalidMessage
+    }
+}
+
+fn io_pollerr<RecvError>(e: RecvError) -> BrokerClientPollResponseError<RecvError> {
+    BrokerClientPollResponseError::<RecvError>::IoError(e)
+}
+
+fn invalid_msg_pollerr<RecvError>() -> BrokerClientPollResponseError<RecvError> {
+    BrokerClientPollResponseError::<RecvError>::InvalidMessage
+}
+
+#[derive(thiserror::Error, Debug, Clone, Eq, PartialEq)]
+pub enum BrokerClientSetPskError<SendError> {
+    #[error(transparent)]
+    IoError(SendError),
+    #[error("Interface name out of bounds")]
+    IfaceOutOfBounds,
+}
+
+pub trait BrokerClientIo {
+    type SendError;
+    type RecvError;
+
+    fn send_msg(&mut self, buf: &[u8]) -> Result<(), Self::SendError>;
+    fn recv_msg(&mut self) -> Result<Option<&[u8]>, Self::RecvError>;
+}
+
+#[derive(Debug)]
+pub struct BrokerClient<'a, Io, IoRef>
+where
+    Io: BrokerClientIo,
+    IoRef: 'a + BorrowMut<Io>,
+{
+    io: IoRef,
+    _phantom_io: PhantomData<&'a mut Io>,
+}
+
+impl<'a, Io, IoRef> BrokerClient<'a, Io, IoRef>
+where
+    Io: BrokerClientIo,
+    IoRef: 'a + BorrowMut<Io>,
+{
+    pub fn new(io: IoRef) -> Self {
+        Self {
+            io,
+            _phantom_io: PhantomData,
+        }
+    }
+
+    pub fn io(&self) -> &IoRef {
+        &self.io
+    }
+
+    pub fn io_mut(&mut self) -> &mut IoRef {
+        &mut self.io
+    }
+
+    pub fn poll_response(
+        &mut self,
+    ) -> Result<Option<msgs::SetPskResult>, BrokerClientPollResponseError<Io::RecvError>> {
+        let res: &[u8] = match self.io.borrow_mut().recv_msg().map_err(io_pollerr)? {
+            Some(r) => r,
+            None => return Ok(None),
+        };
+
+        let typ = res.get(0).ok_or(invalid_msg_pollerr())?;
+        let typ = msgs::MsgType::try_from(*typ)?;
+        let msgs::MsgType::SetPsk = typ; // Assert type
+
+        let res: msgs::Envelope<_, msgs::SetPskResponse<&[u8]>> = res
+            .envelope_truncating()
+            .map_err(|_| invalid_msg_pollerr())?;
+        let res: msgs::SetPskResponse<&[u8]> = res
+            .payload()
+            .set_psk_response()
+            .map_err(|_| invalid_msg_pollerr())?;
+        let res: msgs::SetPskResponseReturnCode = res.return_code()[0]
+            .try_into()
+            .map_err(|_| invalid_msg_pollerr())?;
+        let res: msgs::SetPskResult = res.into();
+
+        Ok(Some(res))
+    }
+}
+
+impl<'a, Io, IoRef> WireGuardBroker for BrokerClient<'a, Io, IoRef>
+where
+    Io: BrokerClientIo,
+    IoRef: 'a + BorrowMut<Io>,
+{
+    type Error = BrokerClientSetPskError<Io::SendError>;
+
+    fn set_psk(
+        &mut self,
+        iface: &str,
+        peer_id: [u8; 32],
+        psk: [u8; 32],
+    ) -> Result<(), Self::Error> {
+        use BrokerClientSetPskError::*;
+        const BUF_SIZE: usize = <msgs::Envelope<(), msgs::SetPskRequest<()>> as LenseView>::LEN;
+
+        // Allocate message
+        let mut req = [0u8; BUF_SIZE];
+
+        // Construct message view
+        let mut req: msgs::Envelope<_, msgs::SetPskRequest<&mut [u8]>> =
+            (&mut req as &mut [u8]).envelope_truncating().unwrap();
+
+        // Populate envelope
+        req.msg_type_mut()
+            .copy_from_slice(&[msgs::MsgType::SetPsk as u8]);
+        {
+            // Derived payload
+            let mut req: msgs::SetPskRequest<&mut [u8]> =
+                req.payload_mut().set_psk_request().unwrap();
+
+            // Populate payload
+            req.peer_id_mut().copy_from_slice(&peer_id);
+            req.psk_mut().copy_from_slice(&psk);
+            req.set_iface(iface).ok_or(IfaceOutOfBounds)?;
+        }
+
+        // Send message
+        self.io
+            .borrow_mut()
+            .send_msg(req.all_bytes())
+            .map_err(IoError)?;
+
+        Ok(())
+    }
+}

wireguard-broker/src/api/mio_client.rs

@@ -0,0 +1,204 @@
+use std::collections::VecDeque;
+use std::io::{ErrorKind, Read, Write};
+
+use anyhow::{bail, ensure};
+
+use crate::WireGuardBroker;
+
+use super::client::{
+    BrokerClient, BrokerClientIo, BrokerClientPollResponseError, BrokerClientSetPskError,
+};
+use super::msgs;
+
+#[derive(Debug)]
+pub struct MioBrokerClient {
+    inner: BrokerClient<'static, MioBrokerClientIo, MioBrokerClientIo>,
+}
+
+#[derive(Debug)]
+struct MioBrokerClientIo {
+    socket: mio::net::TcpStream,
+    send_buf: VecDeque<u8>,
+    receiving_size: bool,
+    recv_buf: Vec<u8>,
+    recv_off: usize,
+}
+
+impl MioBrokerClient {
+    pub fn new(socket: mio::net::TcpStream) -> Self {
+        let io = MioBrokerClientIo {
+            socket,
+            send_buf: VecDeque::new(),
+            receiving_size: false,
+            recv_buf: Vec::new(),
+            recv_off: 0,
+        };
+        let inner = BrokerClient::new(io);
+        Self { inner }
+    }
+
+    pub fn poll(&mut self) -> anyhow::Result<Option<msgs::SetPskResult>> {
+        self.inner.io_mut().flush()?;
+
+        // This sucks
+        match self.inner.poll_response() {
+            Ok(res) => {
+                return Ok(res);
+            }
+            Err(BrokerClientPollResponseError::IoError(e)) => {
+                return Err(e);
+            }
+            Err(BrokerClientPollResponseError::InvalidMessage) => {
+                bail!("Invalid message");
+            }
+        };
+    }
+}
+
+impl WireGuardBroker for MioBrokerClient {
+    type Error = anyhow::Error;
+
+    fn set_psk(&mut self, iface: &str, peer_id: [u8; 32], psk: [u8; 32]) -> anyhow::Result<()> {
+        use BrokerClientSetPskError::*;
+        let e = self.inner.set_psk(iface, peer_id, psk);
+        match e {
+            Ok(()) => Ok(()),
+            Err(IoError(e)) => Err(e),
+            Err(IfaceOutOfBounds) => bail!("Interface name size is out of bounds."),
+        }
+    }
+}
+
+impl BrokerClientIo for MioBrokerClientIo {
+    type SendError = anyhow::Error;
+    type RecvError = anyhow::Error;
+
+    fn send_msg(&mut self, buf: &[u8]) -> Result<(), Self::SendError> {
+        self.flush()?;
+        self.send_or_buffer(&(buf.len() as u64).to_le_bytes())?;
+        self.send_or_buffer(&buf)?;
+        self.flush()?;
+
+        Ok(())
+    }
+
+    fn recv_msg(&mut self) -> Result<Option<&[u8]>, Self::RecvError> {
+        // Stale message in receive buffer. Reset!
+        if self.recv_off == self.recv_buf.len() {
+            self.receiving_size = true;
+            self.recv_off = 0;
+            self.recv_buf.resize(8, 0);
+        }
+
+        // Try filling the receive buffer
+        self.recv_off += raw_recv(&self.socket, &mut self.recv_buf[self.recv_off..])?;
+        if self.recv_off < self.recv_buf.len() {
+            return Ok(None);
+        }
+
+        // Received size, now start receiving
+        if self.receiving_size {
+            // Received the size
+            // Parse the received length
+            let len: &[u8; 8] = self.recv_buf[..].try_into().unwrap();
+            let len: usize = u64::from_le_bytes(*len) as usize;
+
+            ensure!(
+                len <= msgs::RESPONSE_MSG_BUFFER_SIZE,
+                "Oversized buffer ({len}) in psk buffer response."
+            );
+
+            // Prepare the message buffer for receiving an actual message of the given size
+            self.receiving_size = false;
+            self.recv_off = 0;
+            self.recv_buf.resize(len, 0);
+
+            // Try to receive the message
+            return self.recv_msg();
+        }
+
+        // Received an actual message
+        return Ok(Some(&self.recv_buf[..]));
+    }
+}
+
+impl MioBrokerClientIo {
+    fn flush(&mut self) -> anyhow::Result<()> {
+        let (fst, snd) = self.send_buf.as_slices();
+
+        let (written, res) = match raw_send(&self.socket, fst) {
+            Ok(w1) if w1 >= fst.len() => match raw_send(&self.socket, snd) {
+                Ok(w2) => (w1 + w2, Ok(())),
+                Err(e) => (w1, Err(e)),
+            },
+            Ok(w1) => (w1, Ok(())),
+            Err(e) => (0, Err(e)),
+        };
+
+        self.send_buf.drain(..written);
+
+        (&self.socket).try_io(|| (&self.socket).flush())?;
+
+        res
+    }
+
+    fn send_or_buffer(&mut self, buf: &[u8]) -> anyhow::Result<()> {
+        let mut off = 0;
+
+        if self.send_buf.is_empty() {
+            off += raw_send(&self.socket, buf)?;
+        }
+
+        self.send_buf.extend((&buf[off..]).iter());
+
+        Ok(())
+    }
+}
+
+fn raw_send(mut socket: &mio::net::TcpStream, data: &[u8]) -> anyhow::Result<usize> {
+    let mut off = 0;
+
+    socket.try_io(|| {
+        loop {
+            if off == data.len() {
+                return Ok(());
+            }
+            match socket.write(&data[off..]) {
+                Ok(n) => {
+                    off += n;
+                }
+                Err(e) if e.kind() == ErrorKind::Interrupted => {
+                    // pass – retry
+                }
+                Err(e) if off > 0 || e.kind() == ErrorKind::WouldBlock => return Ok(()),
+                Err(e) => return Err(e),
+            }
+        }
+    })?;
+
+    return Ok(off);
+}
+
+fn raw_recv(mut socket: &mio::net::TcpStream, out: &mut [u8]) -> anyhow::Result<usize> {
+    let mut off = 0;
+
+    socket.try_io(|| {
+        loop {
+            if off == out.len() {
+                return Ok(());
+            }
+            match socket.read(&mut out[off..]) {
+                Ok(n) => {
+                    off += n;
+                }
+                Err(e) if e.kind() == ErrorKind::Interrupted => {
+                    // pass – retry
+                }
+                Err(e) if off > 0 || e.kind() == ErrorKind::WouldBlock => return Ok(()),
+                Err(e) => return Err(e),
+            }
+        }
+    })?;
+
+    return Ok(off);
+}

wireguard-broker/src/api/mod.rs

@@ -0,0 +1,4 @@
+pub mod client;
+pub mod mio_client;
+pub mod msgs;
+pub mod server;

wireguard-broker/src/api/msgs.rs

@@ -0,0 +1,140 @@
+use std::result::Result;
+use std::str::{from_utf8, Utf8Error};
+
+use rosenpass_lenses::{lense, LenseView};
+
+pub const REQUEST_MSG_BUFFER_SIZE: usize = <Envelope<(), SetPskRequest<()>> as LenseView>::LEN;
+pub const RESPONSE_MSG_BUFFER_SIZE: usize = <Envelope<(), SetPskResponse<()>> as LenseView>::LEN;
+
+lense! { Envelope<M> :=
+    /// [MsgType] of this message
+    msg_type: 1,
+    /// Reserved for future use
+    reserved: 3,
+    /// The actual Paylod
+    payload: M::LEN
+}
+
+lense! { SetPskRequest :=
+    peer_id: 32,
+    psk: 32,
+    iface_size: 1, // TODO: We should have variable length strings in lenses
+    iface_buf: 255
+}
+
+impl SetPskRequest<&[u8]> {
+    pub fn iface_bin(&self) -> &[u8] {
+        let len = self.iface_size()[0] as usize;
+        &self.iface_buf()[..len]
+    }
+
+    pub fn iface(&self) -> Result<&str, Utf8Error> {
+        from_utf8(self.iface_bin())
+    }
+}
+
+impl SetPskRequest<&mut [u8]> {
+    pub fn set_iface_bin(&mut self, iface: &[u8]) -> Option<()> {
+        (iface.len() < 256).then_some(())?; // Assert iface.len() < 256
+
+        self.iface_size_mut()[0] = iface.len() as u8;
+
+        self.iface_buf_mut().fill(0);
+        (&mut self.iface_buf_mut()[..iface.len()]).copy_from_slice(iface);
+
+        Some(())
+    }
+
+    pub fn set_iface(&mut self, iface: &str) -> Option<()> {
+        self.set_iface_bin(iface.as_bytes())
+    }
+}
+
+lense! { SetPskResponse :=
+    return_code: 1
+}
+
+#[derive(thiserror::Error, Debug, Clone, Eq, PartialEq)]
+pub enum SetPskError {
+    #[error("The wireguard pre-shared-key assignment broker experienced an internal error.")]
+    InternalError,
+    #[error("The indicated wireguard interface does not exist")]
+    NoSuchInterface,
+    #[error("The indicated peer does not exist on the wireguard interface")]
+    NoSuchPeer,
+}
+
+pub type SetPskResult = Result<(), SetPskError>;
+
+#[repr(u8)]
+#[derive(Hash, PartialEq, Eq, PartialOrd, Ord, Debug, Clone, Copy)]
+pub enum SetPskResponseReturnCode {
+    Success = 0x00,
+    InternalError = 0x01,
+    NoSuchInterface = 0x02,
+    NoSuchPeer = 0x03,
+}
+
+#[derive(Eq, PartialEq, Debug, Clone)]
+pub struct InvalidSetPskResponseError;
+
+impl TryFrom<u8> for SetPskResponseReturnCode {
+    type Error = InvalidSetPskResponseError;
+
+    fn try_from(value: u8) -> Result<Self, Self::Error> {
+        use SetPskResponseReturnCode::*;
+        match value {
+            0x00 => Ok(Success),
+            0x01 => Ok(InternalError),
+            0x02 => Ok(NoSuchInterface),
+            0x03 => Ok(NoSuchPeer),
+            _ => Err(InvalidSetPskResponseError),
+        }
+    }
+}
+
+impl From<SetPskResponseReturnCode> for SetPskResult {
+    fn from(value: SetPskResponseReturnCode) -> Self {
+        use SetPskError as E;
+        use SetPskResponseReturnCode as C;
+        match value {
+            C::Success => Ok(()),
+            C::InternalError => Err(E::InternalError),
+            C::NoSuchInterface => Err(E::NoSuchInterface),
+            C::NoSuchPeer => Err(E::NoSuchPeer),
+        }
+    }
+}
+
+impl From<SetPskResult> for SetPskResponseReturnCode {
+    fn from(value: SetPskResult) -> Self {
+        use SetPskError as E;
+        use SetPskResponseReturnCode as C;
+        match value {
+            Ok(()) => C::Success,
+            Err(E::InternalError) => C::InternalError,
+            Err(E::NoSuchInterface) => C::NoSuchInterface,
+            Err(E::NoSuchPeer) => C::NoSuchPeer,
+        }
+    }
+}
+
+#[repr(u8)]
+#[derive(Hash, PartialEq, Eq, PartialOrd, Ord, Debug, Clone, Copy)]
+pub enum MsgType {
+    SetPsk = 0x01,
+}
+
+#[derive(Eq, PartialEq, Debug, Clone)]
+pub struct InvalidMessageTypeError;
+
+impl TryFrom<u8> for MsgType {
+    type Error = InvalidMessageTypeError;
+
+    fn try_from(value: u8) -> Result<Self, Self::Error> {
+        match value {
+            0x01 => Ok(MsgType::SetPsk),
+            _ => Err(InvalidMessageTypeError),
+        }
+    }
+}

wireguard-broker/src/api/server.rs

@@ -0,0 +1,99 @@
+use std::borrow::BorrowMut;
+use std::marker::PhantomData;
+use std::result::Result;
+
+use rosenpass_lenses::LenseError;
+
+use crate::api::msgs::{self, EnvelopeExt, SetPskRequestExt, SetPskResponseExt};
+use crate::WireGuardBroker;
+
+#[derive(thiserror::Error, Debug, Clone, Eq, PartialEq)]
+pub enum BrokerServerError {
+    #[error("No such request type: {}", .0)]
+    NoSuchRequestType(u8),
+    #[error("Invalid message received.")]
+    InvalidMessage,
+}
+
+impl From<LenseError> for BrokerServerError {
+    fn from(value: LenseError) -> Self {
+        use BrokerServerError as Be;
+        use LenseError as Le;
+        match value {
+            Le::BufferSizeMismatch => Be::InvalidMessage,
+        }
+    }
+}
+
+impl From<msgs::InvalidMessageTypeError> for BrokerServerError {
+    fn from(value: msgs::InvalidMessageTypeError) -> Self {
+        let msgs::InvalidMessageTypeError = value; // Assert that this is a unit type
+        BrokerServerError::InvalidMessage
+    }
+}
+
+pub struct BrokerServer<'a, Err, Inner, Ref>
+where
+    msgs::SetPskError: From<Err>,
+    Inner: WireGuardBroker<Error = Err>,
+    Ref: BorrowMut<Inner> + 'a,
+{
+    inner: Ref,
+    _phantom: PhantomData<&'a mut Inner>,
+}
+
+impl<'a, Err, Inner, Ref> BrokerServer<'a, Err, Inner, Ref>
+where
+    msgs::SetPskError: From<Err>,
+    Inner: WireGuardBroker<Error = Err>,
+    Ref: 'a + BorrowMut<Inner>,
+{
+    pub fn new(inner: Ref) -> Self {
+        Self {
+            inner,
+            _phantom: PhantomData,
+        }
+    }
+
+    pub fn handle_message(
+        &mut self,
+        req: &[u8],
+        res: &mut [u8; msgs::RESPONSE_MSG_BUFFER_SIZE],
+    ) -> Result<usize, BrokerServerError> {
+        use BrokerServerError::*;
+
+        let typ = req.get(0).ok_or(InvalidMessage)?;
+        let typ = msgs::MsgType::try_from(*typ)?;
+        let msgs::MsgType::SetPsk = typ; // Assert type
+
+        let req: msgs::Envelope<_, msgs::SetPskRequest<&[u8]>> = req.envelope_truncating()?;
+        let mut res: msgs::Envelope<_, msgs::SetPskResponse<&mut [u8]>> =
+            (res as &mut [u8]).envelope_truncating()?;
+        (&mut res).msg_type_mut()[0] = msgs::MsgType::SetPsk as u8;
+        self.handle_set_psk(
+            req.payload().set_psk_request()?,
+            res.payload_mut().set_psk_response()?,
+        )?;
+        Ok(res.all_bytes().len())
+    }
+
+    fn handle_set_psk(
+        &mut self,
+        req: msgs::SetPskRequest<&[u8]>,
+        mut res: msgs::SetPskResponse<&mut [u8]>,
+    ) -> Result<(), BrokerServerError> {
+        // Using unwrap here since lenses can not return fixed-size arrays
+        // TODO: Slices should give access to fixed size arrays
+        let r: Result<(), Err> = self.inner.borrow_mut().set_psk(
+            req.iface()
+                .map_err(|_e| BrokerServerError::InvalidMessage)?,
+            req.peer_id().try_into().unwrap(),
+            req.psk().try_into().unwrap(),
+        );
+        let r: msgs::SetPskResult = r.map_err(|e| e.into());
+        let r: msgs::SetPskResponseReturnCode = r.into();
+        res.return_code_mut()[0] = r as u8;
+
+        Ok(())
+    }
+}

wireguard-broker/src/bin/priviledged.rs

@@ -0,0 +1,56 @@
+use std::io::{stdin, stdout, Read, Write};
+use std::result::Result;
+
+use rosenpass_wireguard_broker::api::msgs;
+use rosenpass_wireguard_broker::api::server::BrokerServer;
+use rosenpass_wireguard_broker::netlink as wg;
+
+#[derive(thiserror::Error, Debug)]
+pub enum BrokerAppError {
+    #[error(transparent)]
+    IoError(#[from] std::io::Error),
+    #[error(transparent)]
+    WgConnectError(#[from] wg::ConnectError),
+    #[error(transparent)]
+    WgSetPskError(#[from] wg::SetPskError),
+    #[error("Oversized message {}; something about the request is fatally wrong", .0)]
+    OversizedMessage(u64),
+}
+
+fn main() -> Result<(), BrokerAppError> {
+    let mut broker = BrokerServer::new(wg::NetlinkWireGuardBroker::new()?);
+
+    let mut stdin = stdin().lock();
+    let mut stdout = stdout().lock();
+    loop {
+        // Read the message length
+        let mut len = [0u8; 8];
+        stdin.read_exact(&mut len)?;
+
+        // Parse the message length
+        let len = u64::from_le_bytes(len);
+        if (len as usize) > msgs::REQUEST_MSG_BUFFER_SIZE {
+            return Err(BrokerAppError::OversizedMessage(len));
+        }
+
+        // Read the message itself
+        let mut req_buf = [0u8; msgs::REQUEST_MSG_BUFFER_SIZE];
+        let req_buf = &mut req_buf[..(len as usize)];
+        stdin.read_exact(req_buf)?;
+
+        // Process the message
+        let mut res_buf = [0u8; msgs::RESPONSE_MSG_BUFFER_SIZE];
+        let res = match broker.handle_message(req_buf, &mut res_buf) {
+            Ok(len) => &res_buf[..len],
+            Err(e) => {
+                eprintln!("Error processing message for wireguard PSK broker: {e:?}");
+                continue;
+            }
+        };
+
+        // Write the response
+        stdout.write_all(&(res.len() as u64).to_le_bytes())?;
+        stdout.write_all(&res)?;
+        stdout.flush()?;
+    }
+}

wireguard-broker/src/bin/socket_handler.rs

@@ -0,0 +1,191 @@
+use std::process::Stdio;
+
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::net::{UnixListener, UnixStream};
+use tokio::process::Command;
+use tokio::sync::{mpsc, oneshot};
+use tokio::task;
+
+use anyhow::{bail, ensure, Result};
+use clap::{ArgGroup, Parser};
+
+use rosenpass_util::fd::claim_fd;
+use rosenpass_wireguard_broker::api::msgs;
+
+#[derive(Parser, Debug)]
+#[command(author, version, about, long_about = None)]
+#[clap(group(
+            ArgGroup::new("socket")
+                .required(true)
+                .args(&["listen_path", "listen_fd", "stream_fd"]),
+        ))]
+struct Args {
+    /// Where in the file-system to create the unix socket this broker will be listening for
+    /// connections on
+    #[arg(long)]
+    listen_path: Option<String>,
+
+    /// When this broker is called from another process, the other process can open and bind the
+    /// unix socket to use themselves, passing it to this process. In Rust this can be achieved
+    /// using the [command-fds](https://docs.rs/command-fds/latest/command_fds/) crate.
+    #[arg(long)]
+    listen_fd: Option<i32>,
+
+    /// When this broker is called from another process, the other process can connect the unix socket
+    /// themselves, for instance using the `socketpair(2)` system call.
+    #[arg(long)]
+    stream_fd: Option<i32>,
+
+    /// The underlying broker, accepting commands through stdin and sending results through stdout.
+    #[arg(
+        last = true,
+        allow_hyphen_values = true,
+        default_value = "rosenpass-wireguard-broker-privileged"
+    )]
+    command: Vec<String>,
+}
+
+struct BrokerRequest {
+    reply_to: oneshot::Sender<BrokerResponse>,
+    request: Vec<u8>,
+}
+
+struct BrokerResponse {
+    response: Vec<u8>,
+}
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    env_logger::init();
+
+    let args = Args::parse();
+
+    let (proc_tx, proc_rx) = mpsc::channel(100);
+
+    // Start the inner broker handler
+    task::spawn(async move {
+        if let Err(e) = direct_broker_process(proc_rx, args.command).await {
+            log::error!("Error in broker command handler: {e}");
+            panic!("Can not proceed without underlying broker process");
+        }
+    });
+
+    // Listen for incoming requests
+    if let Some(path) = args.listen_path {
+        let sock = UnixListener::bind(path)?;
+        listen_for_clients(proc_tx, sock).await
+    } else if let Some(fd) = args.listen_fd {
+        let sock = std::os::unix::net::UnixListener::from(claim_fd(fd)?);
+        sock.set_nonblocking(true)?;
+        listen_for_clients(proc_tx, UnixListener::from_std(sock)?).await
+    } else if let Some(fd) = args.stream_fd {
+        let stream = std::os::unix::net::UnixStream::from(claim_fd(fd)?);
+        stream.set_nonblocking(true)?;
+        on_accept(proc_tx, UnixStream::from_std(stream)?).await
+    } else {
+        unreachable!();
+    }
+}
+
+async fn direct_broker_process(
+    mut queue: mpsc::Receiver<BrokerRequest>,
+    cmd: Vec<String>,
+) -> Result<()> {
+    let proc = Command::new(&cmd[0])
+        .args(&cmd[1..])
+        .stdin(Stdio::piped())
+        .stdout(Stdio::piped())
+        .spawn()?;
+
+    let mut stdin = proc.stdin.unwrap();
+    let mut stdout = proc.stdout.unwrap();
+
+    loop {
+        let BrokerRequest { reply_to, request } = queue.recv().await.unwrap();
+
+        stdin
+            .write_all(&(request.len() as u64).to_le_bytes())
+            .await?;
+        stdin.write_all(&request[..]).await?;
+
+        // Read the response length
+        let mut len = [0u8; 8];
+        stdout.read_exact(&mut len).await?;
+
+        // Parse the response length
+        let len = u64::from_le_bytes(len) as usize;
+        ensure!(
+            len <= msgs::RESPONSE_MSG_BUFFER_SIZE,
+            "Oversized buffer ({len}) in broker stdout."
+        );
+
+        // Read the message itself
+        let mut res_buf = request; // Avoid allocating memory if we don't have to
+        res_buf.resize(len as usize, 0);
+        stdout.read_exact(&mut res_buf[..len]).await?;
+
+        // Return to the unix socket connection worker
+        reply_to
+            .send(BrokerResponse { response: res_buf })
+            .or_else(|_| bail!("Unable to send respnse to unix socket worker."))?;
+    }
+}
+
+async fn listen_for_clients(queue: mpsc::Sender<BrokerRequest>, sock: UnixListener) -> Result<()> {
+    loop {
+        let (stream, _addr) = sock.accept().await?;
+        let queue = queue.clone();
+        task::spawn(async move {
+            if let Err(e) = on_accept(queue, stream).await {
+                log::error!("Error during connection processing: {e}");
+            }
+        });
+    }
+
+    // NOTE: If loop can ever terminate we need to join the spawned tasks
+}
+
+async fn on_accept(queue: mpsc::Sender<BrokerRequest>, mut stream: UnixStream) -> Result<()> {
+    let mut req_buf = Vec::new();
+
+    loop {
+        stream.readable().await?;
+
+        // Read the message length
+        let mut len = [0u8; 8];
+        stream.read_exact(&mut len).await?;
+
+        // Parse the message length
+        let len = u64::from_le_bytes(len) as usize;
+        ensure!(
+            len <= msgs::REQUEST_MSG_BUFFER_SIZE,
+            "Oversized buffer ({len}) in unix socket input."
+        );
+
+        // Read the message itself
+        req_buf.resize(len as usize, 0);
+        stream.read_exact(&mut req_buf[..len]).await?;
+
+        // Handle the message
+        let (reply_tx, reply_rx) = oneshot::channel();
+        queue
+            .send(BrokerRequest {
+                reply_to: reply_tx,
+                request: req_buf,
+            })
+            .await?;
+
+        // Wait for the reply
+        let BrokerResponse { response } = reply_rx.await.unwrap();
+
+        // Write reply back to unix socket
+        stream
+            .write_all(&(response.len() as u64).to_le_bytes())
+            .await?;
+        stream.write_all(&response[..]).await?;
+        stream.flush().await?;
+
+        // Reuse the same memory for the next message
+        req_buf = response;
+    }
+}

wireguard-broker/src/lib.rs

@@ -0,0 +1,14 @@
+use std::result::Result;
+
+pub trait WireGuardBroker {
+    type Error;
+
+    fn set_psk(
+        &mut self,
+        interface: &str,
+        peer_id: [u8; 32],
+        psk: [u8; 32],
+    ) -> Result<(), Self::Error>;
+}
+
+pub mod api;