style: changelog updates

.github/workflows/changelog.yml

@@ -0,0 +1,34 @@
+name: Changelog Update
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  generate-changelog:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v3
+
+      - name: Set up Rust
+        uses: actions/setup-rust@v1
+        with:
+          rust-version: stable
+
+      - name: Install git-cliff
+        run: cargo install git-cliff
+
+      - name: Generate Changelog
+        run: |
+          git-cliff --config cliff.toml > CHANGELOG.md
+          git add CHANGELOG.md
+
+      - name: Commit and Push Changes
+        run: |
+          git config --global user.email "action@github.com"
+          git config --global user.name "GitHub Action"
+          git commit -m "chore: update changelog" || echo "No changes to commit"
+          git push origin HEAD:${{ github.head_ref }}
+

.github/workflows/doc-upload.yml

@@ -46,4 +46,4 @@ jobs:
           author_email: actions@github.com
           message: Update docs
           cwd: rosenpass-website/static/docs
-          github_token: ${{ secrets.PRIVACC }
+          github_token: ${{ secrets.PRIVACC }}

.github/workflows/nix.yaml

@@ -6,11 +6,6 @@ on:
   push:
     branches:
       - main
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 jobs:
   i686-linux---default:
     name: Build i686-linux.default
@@ -246,30 +241,30 @@ jobs:
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
       - name: Build
         run: nix build .#packages.x86_64-linux.release-package --print-build-logs
-  # aarch64-linux---release-package:
-  #   name: Build aarch64-linux.release-package
-  #   runs-on:
-  #     - ubuntu-latest
-  #   needs:
-  #     - aarch64-linux---rosenpass-oci-image
-  #     - aarch64-linux---rosenpass
-  #     - aarch64-linux---rp
-  #   steps:
-  #     - run: |
-  #         DEBIAN_FRONTEND=noninteractive
-  #         sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi binfmt-support qemu-user-static
-  #     - uses: actions/checkout@v3
-  #     - uses: cachix/install-nix-action@v22
-  #       with:
-  #         nix_path: nixpkgs=channel:nixos-unstable
-  #         extra_nix_config: |
-  #           system = aarch64-linux
-  #     - uses: cachix/cachix-action@v12
-  #       with:
-  #         name: rosenpass
-  #         authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
-  #     - name: Build
-  #       run: nix build .#packages.aarch64-linux.release-package --print-build-logs
+  aarch64-linux---release-package:
+    name: Build aarch64-linux.release-package
+    runs-on:
+      - ubuntu-latest
+    needs:
+      - aarch64-linux---rosenpass-oci-image
+      - aarch64-linux---rosenpass
+      - aarch64-linux---rp
+    steps:
+      - run: |
+          DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi binfmt-support qemu-user-static
+      - uses: actions/checkout@v3
+      - uses: cachix/install-nix-action@v22
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+          extra_nix_config: |
+            system = aarch64-linux
+      - uses: cachix/cachix-action@v12
+        with:
+          name: rosenpass
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Build
+        run: nix build .#packages.aarch64-linux.release-package --print-build-logs
   x86_64-linux---rosenpass:
     name: Build x86_64-linux.rosenpass
     runs-on:

.github/workflows/qc.yaml

@@ -4,10 +4,6 @@ on:
   push:
     branches: [main]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 permissions:
   checks: write
   contents: read

.github/workflows/regressions.yml

@@ -1,13 +1,9 @@
-name: Regressions
+name: QC
 on:
   pull_request:
   push:
     branches: [main]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 permissions:
   checks: write
   contents: read

.prettierignore

@@ -1,5 +1,4 @@
 .direnv/
-flake.lock
 papers/whitepaper.md
-src/usage.md
 target/
+src/usage.md

Cargo.lock

@@ -109,9 +109,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.89"
+version = "1.0.86"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "86fdf8605db99b54d3cd748a44c6d04df638eb5dafb219b135d0149bd0db01f6"
+checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da"
 dependencies = [
  "backtrace",
 ]
@@ -381,9 +381,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.19"
+version = "4.5.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7be5744db7978a28d9df86a214130d106a89ce49644cbc4e3f0c22c3fba30615"
+checksum = "ed6719fffa43d0d87e5fd8caeab59be1554fb028cd30edc88fc4369b17971019"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -391,9 +391,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.19"
+version = "4.5.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a5fbc17d3ef8278f55b282b2a2e75ae6f6c7d4bb70ed3d0382375104bfafdb4b"
+checksum = "216aec2b177652e3846684cbfe25c9964d18ec45234f0f5da5157b207ed1aab6"
 dependencies = [
  "anstream",
  "anstyle",
@@ -403,9 +403,9 @@ dependencies = [
 
 [[package]]
 name = "clap_derive"
-version = "4.5.18"
+version = "4.5.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ac6a0c7b1a9e9a5186361f67dfa1b88213572f427fb9ab038efb2bd8c582dab"
+checksum = "501d359d5f3dcaf6ecdeee48833ae73ec6e42723a1e52419c79abf9507eec0a0"
 dependencies = [
  "heck",
  "proc-macro2",
@@ -690,11 +690,11 @@ dependencies = [
 
 [[package]]
 name = "derive_builder"
-version = "0.20.1"
+version = "0.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd33f37ee6a119146a1781d3356a7c26028f83d779b2e04ecd45fdc75c76877b"
+checksum = "0350b5cb0331628a5916d6c5c0b72e97393b8b6b03b47a9284f4e7f5a405ffd7"
 dependencies = [
- "derive_builder_macro 0.20.1",
+ "derive_builder_macro 0.20.0",
 ]
 
 [[package]]
@@ -711,9 +711,9 @@ dependencies = [
 
 [[package]]
 name = "derive_builder_core"
-version = "0.20.1"
+version = "0.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7431fa049613920234f22c47fdc33e6cf3ee83067091ea4277a3f8c4587aae38"
+checksum = "d48cda787f839151732d396ac69e3473923d54312c070ee21e9effcaa8ca0b1d"
 dependencies = [
  "darling 0.20.9",
  "proc-macro2",
@@ -733,11 +733,11 @@ dependencies = [
 
 [[package]]
 name = "derive_builder_macro"
-version = "0.20.1"
+version = "0.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4abae7035bf79b9877b779505d8cf3749285b80c43941eda66604841889451dc"
+checksum = "206868b8242f27cecce124c19fd88157fbd0dd334df2587f36417bafbc85097b"
 dependencies = [
- "derive_builder_core 0.20.1",
+ "derive_builder_core 0.20.0",
  "syn 2.0.66",
 ]
 
@@ -837,9 +837,9 @@ checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
 [[package]]
 name = "futures"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876"
+checksum = "645c6916888f6cb6350d2550b80fb63e734897a8498abe35cfb732b6487804b0"
 dependencies = [
  "futures-channel",
  "futures-core",
@@ -852,9 +852,9 @@ dependencies = [
 
 [[package]]
 name = "futures-channel"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
+checksum = "eac8f7d7865dcb88bd4373ab671c8cf4508703796caa2b1985a9ca867b3fcb78"
 dependencies = [
  "futures-core",
  "futures-sink",
@@ -862,15 +862,15 @@ dependencies = [
 
 [[package]]
 name = "futures-core"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
+checksum = "dfc6580bb841c5a68e9ef15c77ccc837b40a7504914d52e47b8b0e9bbda25a1d"
 
 [[package]]
 name = "futures-executor"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f"
+checksum = "a576fc72ae164fca6b9db127eaa9a9dda0d61316034f33a0a0d4eda41f02b01d"
 dependencies = [
  "futures-core",
  "futures-task",
@@ -879,15 +879,15 @@ dependencies = [
 
 [[package]]
 name = "futures-io"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+checksum = "a44623e20b9681a318efdd71c299b6b222ed6f231972bfe2f224ebad6311f0c1"
 
 [[package]]
 name = "futures-macro"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
+checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -896,21 +896,21 @@ dependencies = [
 
 [[package]]
 name = "futures-sink"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
+checksum = "9fb8e00e87438d937621c1c6269e53f536c14d3fbd6a042bb24879e57d474fb5"
 
 [[package]]
 name = "futures-task"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
+checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004"
 
 [[package]]
 name = "futures-util"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
+checksum = "3d6401deb83407ab3da39eba7e33987a73c3df0c82b4bb5813ee871c19c41d48"
 dependencies = [
  "futures-channel",
  "futures-core",
@@ -1186,9 +1186,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
 
 [[package]]
 name = "libc"
-version = "0.2.159"
+version = "0.2.158"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "561d97a539a36e26a9a5fad1ea11a3039a67714694aaa379433e580854bc3dc5"
+checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439"
 
 [[package]]
 name = "libcrux"
@@ -1804,10 +1804,10 @@ name = "rosenpass"
 version = "0.2.1"
 dependencies = [
  "anyhow",
- "clap 4.5.19",
+ "clap 4.5.16",
  "command-fds",
  "criterion",
- "derive_builder 0.20.1",
+ "derive_builder 0.20.0",
  "env_logger",
  "heck",
  "hex",
@@ -1941,8 +1941,8 @@ name = "rosenpass-wireguard-broker"
 version = "0.1.0"
 dependencies = [
  "anyhow",
- "clap 4.5.19",
- "derive_builder 0.20.1",
+ "clap 4.5.16",
+ "derive_builder 0.20.0",
  "env_logger",
  "libc",
  "log",
@@ -2028,9 +2028,9 @@ dependencies = [
 
 [[package]]
 name = "rustix"
-version = "0.38.37"
+version = "0.38.34"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8acb788b847c24f28525660c4d7758620a7210875711f79e7f663cc152726811"
+checksum = "70dc5ec042f7a43c4a73241207cecc9873a06d45debb38b329f8541d85c2730f"
 dependencies = [
  "bitflags 2.5.0",
  "errno",
@@ -2083,18 +2083,18 @@ checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b"
 
 [[package]]
 name = "serde"
-version = "1.0.210"
+version = "1.0.208"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a"
+checksum = "cff085d2cb684faa248efb494c39b68e522822ac0de72ccf08109abde717cfb2"
 dependencies = [
  "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.210"
+version = "1.0.208"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f"
+checksum = "24008e81ff7613ed8e5ba0cfaf24e2c2f1e5b8a0495711e44fcd4882fca62bcf"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2209,15 +2209,15 @@ checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
 
 [[package]]
 name = "stacker"
-version = "0.1.17"
+version = "0.1.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "799c883d55abdb5e98af1a7b3f23b9b6de8ecada0ecac058672d7635eb48ca7b"
+checksum = "95a5daa25ea337c85ed954c0496e3bdd2c7308cc3b24cf7b50d04876654c579f"
 dependencies = [
  "cc",
  "cfg-if",
  "libc",
  "psm",
- "windows-sys 0.52.0",
+ "windows-sys 0.36.1",
 ]
 
 [[package]]
@@ -2308,18 +2308,18 @@ checksum = "23d434d3f8967a09480fb04132ebe0a3e088c173e6d0ee7897abbdf4eab0f8b9"
 
 [[package]]
 name = "thiserror"
-version = "1.0.64"
+version = "1.0.63"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d50af8abc119fb8bb6dbabcfa89656f46f84aa0ac7688088608076ad2b459a84"
+checksum = "c0342370b38b6a11b6cc11d6a805569958d54cfa061a29969c3b5ce2ea405724"
 dependencies = [
  "thiserror-impl",
 ]
 
 [[package]]
 name = "thiserror-impl"
-version = "1.0.64"
+version = "1.0.63"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08904e7672f5eb876eaaf87e0ce17857500934f4981c4a0ab2b4aa98baac7fc3"
+checksum = "a4558b58466b9ad7ca0f102865eccc95938dca1a74a856f2b57b6629050da261"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2338,9 +2338,9 @@ dependencies = [
 
 [[package]]
 name = "tokio"
-version = "1.40.0"
+version = "1.39.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2b070231665d27ad9ec9b8df639893f46727666c6767db40317fbe920a5d998"
+checksum = "9babc99b9923bfa4804bd74722ff02c0381021eafa4db9949217e3be8e84fff5"
 dependencies = [
  "backtrace",
  "bytes",
@@ -2583,6 +2583,19 @@ dependencies = [
  "windows-targets 0.48.5",
 ]
 
+[[package]]
+name = "windows-sys"
+version = "0.36.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea04155a16a59f9eab786fe12a4a450e75cdb175f9e0d80da1e17db09f55b8d2"
+dependencies = [
+ "windows_aarch64_msvc 0.36.1",
+ "windows_i686_gnu 0.36.1",
+ "windows_i686_msvc 0.36.1",
+ "windows_x86_64_gnu 0.36.1",
+ "windows_x86_64_msvc 0.36.1",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.45.0"
@@ -2674,6 +2687,12 @@ version = "0.52.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263"
 
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.36.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9bb8c3fd39ade2d67e9874ac4f3db21f0d710bee00fe7cab16949ec184eeaa47"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.42.2"
@@ -2692,6 +2711,12 @@ version = "0.52.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6"
 
+[[package]]
+name = "windows_i686_gnu"
+version = "0.36.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "180e6ccf01daf4c426b846dfc66db1fc518f074baa793aa7d9b9aaeffad6a3b6"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.42.2"
@@ -2716,6 +2741,12 @@ version = "0.52.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9"
 
+[[package]]
+name = "windows_i686_msvc"
+version = "0.36.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2e7917148b2812d1eeafaeb22a97e4813dfa60a3f8f78ebe204bcc88f12f024"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.42.2"
@@ -2734,6 +2765,12 @@ version = "0.52.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf"
 
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.36.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4dcd171b8776c41b97521e5da127a2d86ad280114807d0b2ab1e462bc764d9e1"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.42.2"
@@ -2770,6 +2807,12 @@ version = "0.52.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596"
 
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.36.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.42.2"

Cargo.toml

@@ -35,22 +35,20 @@ doc-comment = "0.3.3"
 base64ct = {version = "1.6.0", default-features=false}
 zeroize = "1.8.1"
 memoffset = "0.9.1"
-thiserror = "1.0.64"
+thiserror = "1.0.63"
 paste = "1.0.15"
 env_logger = "0.10.2"
 toml = "0.7.8"
 static_assertions = "1.1.0"
 allocator-api2 = "0.2.14"
-memsec = { git = "https://github.com/rosenpass/memsec.git", rev = "aceb9baee8aec6844125bd6612f92e9a281373df", features = [
-    "alloc_ext",
-] }
+memsec = { git="https://github.com/rosenpass/memsec.git" ,rev="aceb9baee8aec6844125bd6612f92e9a281373df", features = [ "alloc_ext", ] }
 rand = "0.8.5"
 typenum = "1.17.0"
 log = { version = "0.4.22" }
-clap = { version = "4.5.19", features = ["derive"] }
-serde = { version = "1.0.210", features = ["derive"] }
+clap = { version = "4.5.16", features = ["derive"] }
+serde = { version = "1.0.208", features = ["derive"] }
 arbitrary = { version = "1.3.2", features = ["derive"] }
-anyhow = { version = "1.0.89", features = ["backtrace", "std"] }
+anyhow = { version = "1.0.86", features = ["backtrace", "std"] }
 mio = { version = "1.0.2", features = ["net", "os-poll"] }
 oqs-sys = { version = "0.9.1", default-features = false, features = [
   'classic_mceliece',
@@ -63,8 +61,8 @@ chacha20poly1305 = { version = "0.10.1", default-features = false, features = [
 ] }
 zerocopy = { version = "0.7.35", features = ["derive"] }
 home = "0.5.9"
-derive_builder = "0.20.1"
-tokio = { version = "1.40", features = ["macros", "rt-multi-thread"] }
+derive_builder = "0.20.0"
+tokio = { version = "1.39", features = ["macros", "rt-multi-thread"] }
 postcard= {version = "1.0.10", features = ["alloc"]}
 libcrux = { version = "0.0.2-pre.2" }
 hex-literal = { version = "0.4.1" }
@@ -76,7 +74,7 @@ uds = { git = "https://github.com/rosenpass/uds" }
 #Dev dependencies
 serial_test = "3.1.1"
 tempfile = "3"
-stacker = "0.1.17"
+stacker = "0.1.16"
 libfuzzer-sys = "0.4"
 test_bin = "0.4.0"
 criterion = "0.4.0"
@@ -87,4 +85,4 @@ procspawn = { version = "1.0.1", features = ["test-support"] }
 #Broker dependencies (might need cleanup or changes)
 wireguard-uapi = { version = "3.0.0", features = ["xplatform"] }
 command-fds = "0.2.3"
-rustix = { version = "0.38.37", features = ["net", "fs"] }
+rustix = { version = "0.38.27", features = ["net", "fs"] }

cliff.toml

@@ -0,0 +1,99 @@
+
+
+# https://git-cliff.org/docs/configuration
+
+[changelog]
+# template for the changelog header
+header = """
+---
+title: ""
+linkTitle: "Changelog"
+weight: 5
+menu: false
+type: docs
+---
+
+<script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.slim.min.js" integrity="sha384-DfXdz2htPH0lsSSs5nCTpuj/zy4C+OGpamoFVy38MVBnE+IbbVYUew+OrCXaRkfj" crossorigin="anonymous"></script>
+<script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.bundle.min.js" integrity="sha384-Fy6S3B9q64WdZWQUiU+q4/2Lc9npb8tCaSX9FK7E8HnRr0Jz8D6OP9dO5Vg3Q9ct" crossorigin="anonymous"></script>
+
+"""
+# template for the changelog body
+# https://keats.github.io/tera/docs/#introduction
+body = """
+{% if version %}\
+<div class="changelog-container card card-body">
+    <div class="h3 changelog-release">• {{ version | trim_start_matches(pat="v") }} <span class="text-muted">{{ timestamp | date(format="%Y-%m-%d") }}<span> &nbsp;-&nbsp; <a href="{{ commit_id}}" class="">{{ commit_id | truncate(length=7, end="") }}</a></div>\
+{% else %}\
+<div class="changelog-container card card-body">
+    <div class="h3 changelog-release">• unreleased / untagged</div>
+{% endif %}\
+
+{% for group, commits in commits | group_by(attribute="group") %}
+  <p>
+    <button class="btn btn-primary changelog" type="button" data-toggle="collapse" data-target="#{{ group | reverse| truncate(length=5, end="") }}{{ timestamp }}" aria-expanded="false" aria-controls="{{ group | reverse | truncate(length=5, end="") }}{{ timestamp }}">
+      <div class="h4"> {{ group | upper_first }} <i class="fa-solid fa-sort-down"></i></div>
+    </button>
+  </p>
+    <div class="collapse changelog" id="{{ group | reverse | truncate(length=5, end="") }}{{ timestamp }}">
+      <div class="card card-body">
+        {% for commit in commits %}
+            <div class="changelog-commit row">
+            <div class="col-4 col-sm-3 col-lg-2 commit-id"> - <a href="https://github.com/rosenpass/rosenpass/commit/{{ commit.id }}">{{ commit.id | truncate(length=7, end="") }}</a></div><div class="col-8 col-md-8 commit-message"> {{ commit.message | upper_first }}</div>
+            </div>
+        {% endfor %}\
+        </div>
+      </div>
+{% endfor %}\n
+</div>
+"""
+# template for the changelog footer
+footer = """
+<!-- generated by git-cliff -->
+"""
+# remove the leading and trailing whitespace from the templates
+trim = true
+
+[git]
+# parse the commits based on https://www.conventionalcommits.org
+conventional_commits = true
+# filter out the commits that are not conventional
+filter_unconventional = true
+# process each line of a commit as an individual commit
+split_commits = false
+# regex for parsing and grouping commits
+commit_parsers = [
+  { message = "Release rosenpass version", group = "<!-- 0 -->📝 Release" },
+  { message = "^feat", group = "<!-- 0 -->🚀 Features" },
+  { message = "^fix", group = "<!-- 1 -->🐛 Bug Fixes" },
+  { message = "^doc|Documentation|Doc", group = "<!-- 3 -->📚 Documentation" },
+  { message = "^perf", group = "<!-- 4 -->⚡ Performance" },
+  { message = "^refactor", group = "<!-- 2 -->🚜 Refactor" },
+  { message = "^style", group = "<!-- 5 -->🎨 Styling" },
+  { message = "^test", group = "<!-- 6 -->🧪 Testing" },
+  { field = "author.name", pattern = "dependabot", skip = true },
+  { message = "^chore\\(release\\): prepare for", skip = true },
+  { message = "^chore\\(deps.*\\)", skip = true },
+  { message = "^chore\\(pr\\)", skip = true },
+  { message = "^chore\\(pull\\)", skip = true },
+  { message = "^chore: update changelog", skip = true },  # New rule to skip changelog commits
+  { body = ".*security", group = "<!-- 7 -->🛡️ Security" },
+  { message = "^revert", group = "<!-- 8 -->◀️ Revert" },
+  # Catch-all for uncategorized commits
+  { message = ".*", group = "<!-- 9 -->📦 Miscellaneous Tasks" },
+]
+
+# protect breaking changes from being skipped due to matching a skipping commit_parser
+protect_breaking_commits = false
+# filter out the commits that are not matched by commit parsers
+filter_commits = false
+# regex for matching git tags
+tag_pattern = "v[0-9].*"
+# regex for skipping tags
+skip_tags = "v0.1.0-beta.1"
+# regex for ignoring tags
+ignore_tags = ""
+# sort the tags topologically
+topo_order = false
+# sort the commits inside sections by oldest/newest order
+sort_commits = "newest"
+

flake.lock

@@ -2,17 +2,15 @@
   "nodes": {
     "fenix": {
       "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ],
+        "nixpkgs": ["nixpkgs"],
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1728282832,
-        "narHash": "sha256-I7AbcwGggf+CHqpyd/9PiAjpIBGTGx5woYHqtwxaV7I=",
+        "lastModified": 1712298178,
+        "narHash": "sha256-590fpCPXYAkaAeBz/V91GX4/KGzPObdYtqsTWzT6AhI=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "1ec71be1f4b8f3105c5d38da339cb061fefc43f4",
+        "rev": "569b5b5781395da08e7064e825953c548c26af76",
         "type": "github"
       },
       "original": {
@@ -26,11 +24,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1726560853,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -39,18 +37,36 @@
         "type": "github"
       }
     },
+    "naersk": {
+      "inputs": {
+        "nixpkgs": ["nixpkgs"]
+      },
+      "locked": {
+        "lastModified": 1698420672,
+        "narHash": "sha256-/TdeHMPRjjdJub7p7+w55vyABrsJlt5QkznPYy55vKA=",
+        "owner": "nix-community",
+        "repo": "naersk",
+        "rev": "aeb58d5e8faead8980a807c840232697982d47b9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1728193676,
-        "narHash": "sha256-PbDWAIjKJdlVg+qQRhzdSor04bAPApDqIv2DofTyynk=",
+        "lastModified": 1712168706,
+        "narHash": "sha256-XP24tOobf6GGElMd0ux90FEBalUtw6NkBSVh/RlA6ik=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6",
+        "rev": "1487bdea619e4a7a53a4590c475deabb5a9d1bfb",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -59,17 +75,18 @@
       "inputs": {
         "fenix": "fenix",
         "flake-utils": "flake-utils",
+        "naersk": "naersk",
         "nixpkgs": "nixpkgs"
       }
     },
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1728249780,
-        "narHash": "sha256-J269DvCI5dzBmPrXhAAtj566qt0b22TJtF3TIK+tMsI=",
+        "lastModified": 1712156296,
+        "narHash": "sha256-St7ZQrkrr5lmQX9wC1ZJAFxL8W7alswnyZk9d1se3Us=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "2b750da1a1a2c1d2c70896108d7096089842d877",
+        "rev": "8e581ac348e223488622f4d3003cb2bd412bf27e",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,8 +1,12 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
     flake-utils.url = "github:numtide/flake-utils";
 
+    # for quicker rust builds
+    naersk.url = "github:nix-community/naersk";
+    naersk.inputs.nixpkgs.follows = "nixpkgs";
+
     # for rust nightly with llvm-tools-preview
     fenix.url = "github:nix-community/fenix";
     fenix.inputs.nixpkgs.follows = "nixpkgs";
@@ -11,15 +15,6 @@
   outputs = { self, nixpkgs, flake-utils, ... }@inputs:
     nixpkgs.lib.foldl (a: b: nixpkgs.lib.recursiveUpdate a b) { } [
 
-
-      #
-      ### Export the overlay.nix from this flake ###
-      #
-      {
-        overlays.default = import ./overlay.nix;
-      }
-
-
       #
       ### Actual Rosenpass Package and Docker Container Images ###
       #
@@ -35,39 +30,310 @@
       ]
         (system:
           let
+            scoped = (scope: scope.result);
+            lib = nixpkgs.lib;
+
             # normal nixpkgs
             pkgs = import nixpkgs {
               inherit system;
+            };
 
-              # apply our own overlay, overriding/inserting our packages as defined in ./pkgs
-              overlays = [ self.overlays.default ];
+            # parsed Cargo.toml
+            cargoToml = builtins.fromTOML (builtins.readFile ./rosenpass/Cargo.toml);
+
+            # source files relevant for rust
+            src = scoped rec {
+              # File suffices to include
+              extensions = [
+                "lock"
+                "rs"
+                "toml"
+              ];
+              # Files to explicitly include
+              files = [
+                "to/README.md"
+              ];
+
+              src = ./.;
+              filter = (path: type: scoped rec {
+                inherit (lib) any id removePrefix hasSuffix;
+                anyof = (any id);
+
+                basename = baseNameOf (toString path);
+                relative = removePrefix (toString src + "/") (toString path);
+
+                result = anyof [
+                  (type == "directory")
+                  (any (ext: hasSuffix ".${ext}" basename) extensions)
+                  (any (file: file == relative) files)
+                ];
+              });
+
+              result = pkgs.lib.sources.cleanSourceWith { inherit src filter; };
+            };
+
+            # a function to generate a nix derivation for rosenpass against any
+            # given set of nixpkgs
+            rosenpassDerivation = p:
+              let
+                # whether we want to build a statically linked binary
+                isStatic = p.targetPlatform.isStatic;
+
+                # the rust target of `p`
+                target = p.rust.toRustTargetSpec p.targetPlatform;
+
+                # convert a string to shout case
+                shout = string: builtins.replaceStrings [ "-" ] [ "_" ] (pkgs.lib.toUpper string);
+
+                # suitable Rust toolchain
+                toolchain = with inputs.fenix.packages.${system}; combine [
+                  stable.cargo
+                  stable.rustc
+                  targets.${target}.stable.rust-std
+                ];
+
+                # naersk with a custom toolchain
+                naersk = pkgs.callPackage inputs.naersk {
+                  cargo = toolchain;
+                  rustc = toolchain;
+                };
+
+                # used to trick the build.rs into believing that CMake was ran **again**
+                fakecmake = pkgs.writeScriptBin "cmake" ''
+                  #! ${pkgs.stdenv.shell} -e
+                  true
+                '';
+              in
+              naersk.buildPackage
+                {
+                  # metadata and source
+                  name = cargoToml.package.name;
+                  version = cargoToml.package.version;
+                  inherit src;
+
+                  cargoBuildOptions = x: x ++ [ "-p" "rosenpass" ];
+                  cargoTestOptions = x: x ++ [ "-p" "rosenpass" ];
+
+                  doCheck = true;
+
+                  nativeBuildInputs = with pkgs; [
+                    p.stdenv.cc
+                    cmake # for oqs build in the oqs-sys crate
+                    mandoc # for the built-in manual
+                    removeReferencesTo
+                    rustPlatform.bindgenHook # for C-bindings in the crypto libs
+                  ];
+                  buildInputs = with p; [ bash ];
+
+                  override = x: {
+                    preBuild =
+                      # nix defaults to building for aarch64 _without_ the armv8-a crypto
+                      # extensions, but liboqs depens on these
+                      (lib.optionalString (system == "aarch64-linux") ''
+                        NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -march=armv8-a+crypto"
+                      ''
+                      );
+
+                    # fortify is only compatible with dynamic linking
+                    hardeningDisable = lib.optional isStatic "fortify";
+                  };
+
+                  overrideMain = x: {
+                    # CMake detects that it was served a _foreign_ target dir, and CMake
+                    # would be executed again upon the second build step of naersk.
+                    # By adding our specially optimized CMake version, we reduce the cost
+                    # of recompilation by 99 % while, while avoiding any CMake errors.
+                    nativeBuildInputs = [ (lib.hiPrio fakecmake) ] ++ x.nativeBuildInputs;
+
+                    # make sure that libc is linked, under musl this is not the case per
+                    # default
+                    preBuild = (lib.optionalString isStatic ''
+                      NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -lc"
+                    '');
+                  };
+
+                  # We want to build for a specific target...
+                  CARGO_BUILD_TARGET = target;
+
+                  # ... which might require a non-default linker:
+                  "CARGO_TARGET_${shout target}_LINKER" =
+                    let
+                      inherit (p.stdenv) cc;
+                    in
+                    "${cc}/bin/${cc.targetPrefix}cc";
+
+                  meta = with pkgs.lib;
+                    {
+                      inherit (cargoToml.package) description homepage;
+                      license = with licenses; [ mit asl20 ];
+                      maintainers = [ maintainers.wucke13 ];
+                      platforms = platforms.all;
+                    };
+                } // (lib.mkIf isStatic {
+                # otherwise pkg-config tries to link non-existent dynamic libs
+                # documented here: https://docs.rs/pkg-config/latest/pkg_config/
+                PKG_CONFIG_ALL_STATIC = true;
+
+                # tell rust to build everything statically linked
+                CARGO_BUILD_RUSTFLAGS = "-C target-feature=+crt-static";
+              });
+            # a function to generate a nix derivation for the rp helper against any
+            # given set of nixpkgs
+            rpDerivation = p:
+              let
+                # whether we want to build a statically linked binary
+                isStatic = p.targetPlatform.isStatic;
+
+                # the rust target of `p`
+                target = p.rust.toRustTargetSpec p.targetPlatform;
+
+                # convert a string to shout case
+                shout = string: builtins.replaceStrings [ "-" ] [ "_" ] (pkgs.lib.toUpper string);
+
+                # suitable Rust toolchain
+                toolchain = with inputs.fenix.packages.${system}; combine [
+                  stable.cargo
+                  stable.rustc
+                  targets.${target}.stable.rust-std
+                ];
+
+                # naersk with a custom toolchain
+                naersk = pkgs.callPackage inputs.naersk {
+                  cargo = toolchain;
+                  rustc = toolchain;
+                };
+
+                # used to trick the build.rs into believing that CMake was ran **again**
+                fakecmake = pkgs.writeScriptBin "cmake" ''
+                  #! ${pkgs.stdenv.shell} -e
+                  true
+                '';
+              in
+              naersk.buildPackage
+                {
+                  # metadata and source
+                  name = cargoToml.package.name;
+                  version = cargoToml.package.version;
+                  inherit src;
+
+                  cargoBuildOptions = x: x ++ [ "-p" "rp" ];
+                  cargoTestOptions = x: x ++ [ "-p" "rp" ];
+
+                  doCheck = true;
+
+                  nativeBuildInputs = with pkgs; [
+                    p.stdenv.cc
+                    cmake # for oqs build in the oqs-sys crate
+                    mandoc # for the built-in manual
+                    removeReferencesTo
+                    rustPlatform.bindgenHook # for C-bindings in the crypto libs
+                  ];
+                  buildInputs = with p; [ bash ];
+
+                  override = x: {
+                    preBuild =
+                      # nix defaults to building for aarch64 _without_ the armv8-a crypto
+                      # extensions, but liboqs depens on these
+                      (lib.optionalString (system == "aarch64-linux") ''
+                        NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -march=armv8-a+crypto"
+                      ''
+                      );
+
+                    # fortify is only compatible with dynamic linking
+                    hardeningDisable = lib.optional isStatic "fortify";
+                  };
+
+                  overrideMain = x: {
+                    # CMake detects that it was served a _foreign_ target dir, and CMake
+                    # would be executed again upon the second build step of naersk.
+                    # By adding our specially optimized CMake version, we reduce the cost
+                    # of recompilation by 99 % while, while avoiding any CMake errors.
+                    nativeBuildInputs = [ (lib.hiPrio fakecmake) ] ++ x.nativeBuildInputs;
+
+                    # make sure that libc is linked, under musl this is not the case per
+                    # default
+                    preBuild = (lib.optionalString isStatic ''
+                      NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -lc"
+                    '');
+                  };
+
+                  # We want to build for a specific target...
+                  CARGO_BUILD_TARGET = target;
+
+                  # ... which might require a non-default linker:
+                  "CARGO_TARGET_${shout target}_LINKER" =
+                    let
+                      inherit (p.stdenv) cc;
+                    in
+                    "${cc}/bin/${cc.targetPrefix}cc";
+
+                  meta = with pkgs.lib;
+                    {
+                      inherit (cargoToml.package) description homepage;
+                      license = with licenses; [ mit asl20 ];
+                      maintainers = [ maintainers.wucke13 ];
+                      platforms = platforms.all;
+                    };
+                } // (lib.mkIf isStatic {
+                # otherwise pkg-config tries to link non-existent dynamic libs
+                # documented here: https://docs.rs/pkg-config/latest/pkg_config/
+                PKG_CONFIG_ALL_STATIC = true;
+
+                # tell rust to build everything statically linked
+                CARGO_BUILD_RUSTFLAGS = "-C target-feature=+crt-static";
+              });
+            # a function to generate a docker image based of rosenpass
+            rosenpassOCI = name: pkgs.dockerTools.buildImage rec {
+              inherit name;
+              copyToRoot = pkgs.buildEnv {
+                name = "image-root";
+                paths = [ self.packages.${system}.${name} ];
+                pathsToLink = [ "/bin" ];
+              };
+              config.Cmd = [ "/bin/rosenpass" ];
             };
           in
-          {
-            packages = {
-              default = pkgs.rosenpass;
-              rosenpass = pkgs.rosenpass;
-              rosenpass-oci-image = pkgs.rosenpass-oci-image;
-              rp = pkgs.rp;
+          rec {
+            packages = rec {
+              default = rosenpass;
+              rosenpass = rosenpassDerivation pkgs;
+              rp = rpDerivation pkgs;
+              rosenpass-oci-image = rosenpassOCI "rosenpass";
 
-              release-package = pkgs.release-package;
-
-              # for good measure, we also offer to cross compile to Linux on Arm
-              aarch64-linux-rosenpass-static =
-                pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rosenpass;
-              aarch64-linux-rp-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rp;
-            }
-            //
-            # We only offer static builds for linux, as this is not supported on OS X
-            (nixpkgs.lib.attrsets.optionalAttrs pkgs.stdenv.isLinux {
-              rosenpass-static = pkgs.pkgsStatic.rosenpass;
-              rosenpass-static-oci-image = pkgs.pkgsStatic.rosenpass-oci-image;
-              rp-static = pkgs.pkgsStatic.rp;
-            });
+              # derivation for the release
+              release-package =
+                let
+                  version = cargoToml.package.version;
+                  package =
+                    if pkgs.hostPlatform.isLinux then
+                      packages.rosenpass-static
+                    else packages.rosenpass;
+                  rp =
+                    if pkgs.hostPlatform.isLinux then
+                      packages.rp-static
+                    else packages.rp;
+                  oci-image =
+                    if pkgs.hostPlatform.isLinux then
+                      packages.rosenpass-static-oci-image
+                    else packages.rosenpass-oci-image;
+                in
+                pkgs.runCommandNoCC "lace-result" { }
+                  ''
+                    mkdir {bin,$out}
+                    tar -cvf $out/rosenpass-${system}-${version}.tar \
+                      -C ${package} bin/rosenpass \
+                      -C ${rp} bin/rp
+                    cp ${oci-image} \
+                      $out/rosenpass-oci-image-${system}-${version}.tar.gz
+                  '';
+            } // (if pkgs.stdenv.isLinux then rec {
+              rosenpass-static = rosenpassDerivation pkgs.pkgsStatic;
+              rp-static = rpDerivation pkgs.pkgsStatic;
+              rosenpass-static-oci-image = rosenpassOCI "rosenpass-static";
+            } else { });
           }
         ))
 
-
       #
       ### Linux specifics ###
       #
@@ -75,46 +341,88 @@
         let
           pkgs = import nixpkgs {
             inherit system;
-
-            # apply our own overlay, overriding/inserting our packages as defined in ./pkgs
-            overlays = [ self.overlays.default ];
           };
+          packages = self.packages.${system};
         in
         {
+          #
+          ### Whitepaper ###
+          #
+          packages.whitepaper =
+            let
+              tlsetup = (pkgs.texlive.combine {
+                inherit (pkgs.texlive) scheme-basic acmart amsfonts ccicons
+                  csquotes csvsimple doclicense fancyvrb fontspec gobble
+                  koma-script ifmtarg latexmk lm markdown mathtools minted noto
+                  nunito pgf soul unicode-math lualatex-math paralist
+                  gitinfo2 eso-pic biblatex biblatex-trad biblatex-software
+                  xkeyval xurl xifthen biber;
+              });
+            in
+            pkgs.stdenvNoCC.mkDerivation {
+              name = "whitepaper";
+              src = ./papers;
+              nativeBuildInputs = with pkgs; [
+                ncurses # tput
+                python3Packages.pygments
+                tlsetup # custom tex live scheme
+                which
+              ];
+              buildPhase = ''
+                export HOME=$(mktemp -d)
+                latexmk -r tex/CI.rc
+              '';
+              installPhase = ''
+                mkdir -p $out
+                mv *.pdf readme.md $out/
+              '';
+            };
 
-          #
-          ### Reading materials ###
-          #
-          packages.whitepaper = pkgs.whitepaper;
 
           #
           ### Proof and Proof Tools ###
           #
-          packages.proverif-patched = pkgs.proverif-patched;
-          packages.proof-proverif = pkgs.proof-proverif;
+          packages.proverif-patched = pkgs.proverif.overrideAttrs (old: {
+            postInstall = ''
+              install -D -t $out/lib cryptoverif.pvl
+            '';
+          });
+          packages.proof-proverif = pkgs.stdenv.mkDerivation {
+            name = "rosenpass-proverif-proof";
+            version = "unstable";
+            src = pkgs.lib.sources.sourceByRegex ./. [
+              "analyze.sh"
+              "marzipan(/marzipan.awk)?"
+              "analysis(/.*)?"
+            ];
+            nativeBuildInputs = [ pkgs.proverif pkgs.graphviz ];
+            CRYPTOVERIF_LIB = packages.proverif-patched + "/lib/cryptoverif.pvl";
+            installPhase = ''
+              mkdir -p $out
+              bash analyze.sh -color -html $out
+            '';
+          };
 
 
           #
           ### Devshells ###
           #
           devShells.default = pkgs.mkShell {
-            inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
-            inputsFrom = [ pkgs.rosenpass ];
+            inherit (packages.proof-proverif) CRYPTOVERIF_LIB;
+            inputsFrom = [ packages.default ];
             nativeBuildInputs = with pkgs; [
+              inputs.fenix.packages.${system}.complete.toolchain
+              cmake # override the fakecmake from the main step above
               cargo-release
               clippy
-              rustfmt
               nodePackages.prettier
               nushell # for the .ci/gen-workflow-files.nu script
-              proverif-patched
+              packages.proverif-patched
             ];
           };
           devShells.coverage = pkgs.mkShell {
-            inputsFrom = [ pkgs.rosenpass ];
-            nativeBuildInputs = [
-              inputs.fenix.packages.${system}.complete.toolchain
-              pkgs.cargo-llvm-cov
-            ];
+            inputsFrom = [ packages.default ];
+            nativeBuildInputs = with pkgs; [ inputs.fenix.packages.${system}.complete.toolchain cargo-llvm-cov ];
           };
 
 

overlay.nix

@@ -1,39 +0,0 @@
-final: prev: {
-
-
-  #
-  ### Actual rosenpass software ###
-  #
-  rosenpass = final.callPackage ./pkgs/rosenpass.nix { };
-  rosenpass-oci-image = final.callPackage ./pkgs/rosenpass-oci-image.nix { };
-  rp = final.callPackage ./pkgs/rosenpass.nix { package = "rp"; };
-
-  release-package = final.callPackage ./pkgs/release-package.nix { };
-
-  #
-  ### Appendix ###
-  #
-  proverif-patched = prev.proverif.overrideAttrs (old: {
-    postInstall = ''
-      install -D -t $out/lib cryptoverif.pvl
-    '';
-  });
-
-  proof-proverif = final.stdenv.mkDerivation {
-    name = "rosenpass-proverif-proof";
-    version = "unstable";
-    src = final.lib.sources.sourceByRegex ./. [
-      "analyze.sh"
-      "marzipan(/marzipan.awk)?"
-      "analysis(/.*)?"
-    ];
-    nativeBuildInputs = [ final.proverif final.graphviz ];
-    CRYPTOVERIF_LIB = final.proverif-patched + "/lib/cryptoverif.pvl";
-    installPhase = ''
-      mkdir -p $out
-      bash analyze.sh -color -html $out
-    '';
-  };
-
-  whitepaper = final.callPackage ./pkgs/whitepaper.nix { };
-}

pkgs/release-package.nix

@@ -1,27 +0,0 @@
-{ lib, stdenvNoCC, runCommandNoCC, pkgsStatic, rosenpass, rosenpass-oci-image, rp } @ args:
-
-let
-  version = rosenpass.version;
-
-  # select static packages on Linux, default packages otherwise
-  package =
-    if stdenvNoCC.hostPlatform.isLinux then
-      pkgsStatic.rosenpass
-    else args.rosenpass;
-  rp =
-    if stdenvNoCC.hostPlatform.isLinux then
-      pkgsStatic.rp
-    else args.rp;
-  oci-image =
-    if stdenvNoCC.hostPlatform.isLinux then
-      pkgsStatic.rosenpass-oci-image
-    else args.rosenpass-oci-image;
-in
-runCommandNoCC "lace-result" { } ''
-  mkdir {bin,$out}
-  tar -cvf $out/rosenpass-${stdenvNoCC.hostPlatform.system}-${version}.tar \
-    -C ${package} bin/rosenpass \
-    -C ${rp} bin/rp
-  cp ${oci-image} \
-    $out/rosenpass-oci-image-${stdenvNoCC.hostPlatform.system}-${version}.tar.gz
-''

pkgs/rosenpass-oci-image.nix

@@ -1,11 +0,0 @@
-{ dockerTools, buildEnv, rosenpass }:
-
-dockerTools.buildImage {
-  name = rosenpass.name + "-oci";
-  copyToRoot = buildEnv {
-    name = "image-root";
-    paths = [ rosenpass ];
-    pathsToLink = [ "/bin" ];
-  };
-  config.Cmd = [ "/bin/rosenpass" ];
-}

pkgs/rosenpass.nix

@@ -1,78 +0,0 @@
-{ lib, stdenv, rustPlatform, cmake, mandoc, removeReferencesTo, bash, package ? "rosenpass" }:
-
-let
-  # whether we want to build a statically linked binary
-  isStatic = stdenv.targetPlatform.isStatic;
-
-  scoped = (scope: scope.result);
-
-  # source files relevant for rust
-  src = scoped rec {
-    # File suffices to include
-    extensions = [
-      "lock"
-      "rs"
-      "toml"
-    ];
-    # Files to explicitly include
-    files = [
-      "to/README.md"
-    ];
-
-    src = ../.;
-    filter = (path: type: scoped rec {
-      inherit (lib) any id removePrefix hasSuffix;
-      anyof = (any id);
-
-      basename = baseNameOf (toString path);
-      relative = removePrefix (toString src + "/") (toString path);
-
-      result = anyof [
-        (type == "directory")
-        (any (ext: hasSuffix ".${ext}" basename) extensions)
-        (any (file: file == relative) files)
-      ];
-    });
-
-    result = lib.sources.cleanSourceWith { inherit src filter; };
-  };
-
-  # parsed Cargo.toml
-  cargoToml = builtins.fromTOML (builtins.readFile (src + "/rosenpass/Cargo.toml"));
-in
-rustPlatform.buildRustPackage {
-  name = cargoToml.package.name;
-  version = cargoToml.package.version;
-  inherit src;
-
-  cargoBuildOptions = [ "--package" package ];
-  cargoTestOptions = [ "--package" package ];
-
-  doCheck = true;
-
-  cargoLock = {
-    lockFile = src + "/Cargo.lock";
-    outputHashes = {
-      "memsec-0.6.3" = "sha256-4ri+IEqLd77cLcul3lZrmpDKj4cwuYJ8oPRAiQNGeLw=";
-      "uds-0.4.2" = "sha256-qlxr/iJt2AV4WryePIvqm/8/MK/iqtzegztNliR93W8=";
-    };
-  };
-
-  nativeBuildInputs = [
-    stdenv.cc
-    cmake # for oqs build in the oqs-sys crate
-    mandoc # for the built-in manual
-    removeReferencesTo
-    rustPlatform.bindgenHook # for C-bindings in the crypto libs
-  ];
-  buildInputs = [ bash ];
-
-  hardeningDisable = lib.optional isStatic "fortify";
-
-  meta = {
-    inherit (cargoToml.package) description homepage;
-    license = with lib.licenses; [ mit asl20 ];
-    maintainers = [ lib.maintainers.wucke13 ];
-    platforms = lib.platforms.all;
-  };
-}

pkgs/whitepaper.nix

@@ -1,29 +0,0 @@
-{ stdenvNoCC, texlive, ncurses, python3Packages, which }:
-
-let
-  customTexLiveSetup = (texlive.combine {
-    inherit (texlive) acmart amsfonts biber biblatex biblatex-software
-      biblatex-trad ccicons csquotes csvsimple doclicense eso-pic fancyvrb
-      fontspec gitinfo2 gobble ifmtarg koma-script latexmk lm lualatex-math
-      markdown mathtools minted noto nunito paralist pgf scheme-basic soul
-      unicode-math upquote xifthen xkeyval xurl;
-  });
-in
-stdenvNoCC.mkDerivation {
-  name = "whitepaper";
-  src = ../papers;
-  nativeBuildInputs = [
-    ncurses # tput
-    python3Packages.pygments
-    customTexLiveSetup # custom tex live scheme
-    which
-  ];
-  buildPhase = ''
-    export HOME=$(mktemp -d)
-    latexmk -r tex/CI.rc
-  '';
-  installPhase = ''
-    mkdir -p $out
-    mv *.pdf readme.md $out/
-  '';
-}

rosenpass/Cargo.toml

@@ -77,12 +77,6 @@ rustix = { workspace = true }
 default = ["experiment_api"]
 experiment_memfd_secret = ["rosenpass-wireguard-broker/experiment_memfd_secret"]
 experiment_libcrux = ["rosenpass-ciphers/experiment_libcrux"]
-experiment_api = [
-    "hex-literal",
-    "uds",
-    "command-fds",
-    "rosenpass-util/experiment_file_descriptor_passing",
-    "rosenpass-wireguard-broker/experiment_api",
-]
+experiment_api = ["hex-literal", "uds", "command-fds", "rosenpass-util/experiment_file_descriptor_passing", "rosenpass-wireguard-broker/experiment_api"]
 internal_testing  = []
 internal_bin_gen_ipc_msg_types = ["hex", "heck"]

rosenpass/src/protocol/protocol.rs

@@ -134,10 +134,11 @@ pub const PEER_COOKIE_VALUE_EPOCH: Timing = 120.0;
 // decryption for a second epoch
 pub const BISCUIT_EPOCH: Timing = 300.0;
 
-// Retransmission pub constants; will retransmit for up to _ABORT seconds;
-// starting with a delay of _DELAY_BEGIN seconds and increasing the delay
-// exponentially by a factor of _DELAY_GROWTH up to _DELAY_END.
-// An additional jitter factor of ±_DELAY_JITTER is added.
+// Retransmission pub constants; will retransmit for up to _ABORT ms; starting with a delay of
+// _DELAY_BEG ms and increasing the delay exponentially by a factor of
+// _DELAY_GROWTH up to _DELAY_END. An additional jitter factor of ±_DELAY_JITTER
+// is added.
+pub const RETRANSMIT_ABORT: Timing = 120.0;
 pub const RETRANSMIT_DELAY_GROWTH: Timing = 2.0;
 pub const RETRANSMIT_DELAY_BEGIN: Timing = 0.5;
 pub const RETRANSMIT_DELAY_END: Timing = 10.0;
@@ -1472,7 +1473,7 @@ impl IniHsPtr {
                         .min(ih.tx_count as f64),
                 )
                 * RETRANSMIT_DELAY_JITTER
-                * (rand::random::<f64>() + 1.0);
+                * (rand::random::<f64>() + 1.0); // TODO: Replace with the rand crate
         ih.tx_count += 1;
         Ok(())
     }
@@ -2009,7 +2010,8 @@ impl CryptoServer {
 
         // Send ack – Implementing sending the empty acknowledgement here
         // instead of a generic PeerPtr::send(&Server, Option<&[u8]>) -> Either<EmptyData, Data>
-        // because data transmission is a stub currently.
+        // because data transmission is a stub currently. This software is supposed to be used
+        // as a key exchange service feeding a PSK into some classical (i.e. non post quantum)
         let ses = peer
             .session()
             .get_mut(self)

wireguard-broker/Cargo.toml

@@ -19,7 +19,7 @@ wireguard-uapi = { workspace = true }
 
 # Socket handler only
 rosenpass-to = { workspace = true }
-tokio = { version = "1.40.0", features = ["sync", "full", "mio"] }
+tokio = { version = "1.39.3", features = ["sync", "full", "mio"] }
 anyhow = { workspace = true }
 clap = { workspace = true }
 env_logger = { workspace = true }
@@ -28,7 +28,7 @@ derive_builder = { workspace = true }
 postcard = {workspace = true}
 # Problem in CI, unknown reasons: dependency (libc) specified without providing a local path, Git repository, version, or workspace dependency to use
 # Maybe something about the combination of features and optional crates?
-rustix = { version = "0.38.37", optional = true }
+rustix = { version = "0.38.27", optional = true } 
 libc = { version = "0.2", optional = true } 
 
 # Mio broker client