Revert "chore: Format all Cargo.toml files"

This reverts commit b0706354d3.

.github/workflows/nix.yaml

@@ -6,11 +6,6 @@ on:
   push:
     branches:
       - main
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 jobs:
   i686-linux---default:
     name: Build i686-linux.default
@@ -246,30 +241,30 @@ jobs:
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
       - name: Build
         run: nix build .#packages.x86_64-linux.release-package --print-build-logs
-  # aarch64-linux---release-package:
-  #   name: Build aarch64-linux.release-package
-  #   runs-on:
-  #     - ubuntu-latest
-  #   needs:
-  #     - aarch64-linux---rosenpass-oci-image
-  #     - aarch64-linux---rosenpass
-  #     - aarch64-linux---rp
-  #   steps:
-  #     - run: |
-  #         DEBIAN_FRONTEND=noninteractive
-  #         sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi binfmt-support qemu-user-static
-  #     - uses: actions/checkout@v3
-  #     - uses: cachix/install-nix-action@v22
-  #       with:
-  #         nix_path: nixpkgs=channel:nixos-unstable
-  #         extra_nix_config: |
-  #           system = aarch64-linux
-  #     - uses: cachix/cachix-action@v12
-  #       with:
-  #         name: rosenpass
-  #         authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
-  #     - name: Build
-  #       run: nix build .#packages.aarch64-linux.release-package --print-build-logs
+  aarch64-linux---release-package:
+    name: Build aarch64-linux.release-package
+    runs-on:
+      - ubuntu-latest
+    needs:
+      - aarch64-linux---rosenpass-oci-image
+      - aarch64-linux---rosenpass
+      - aarch64-linux---rp
+    steps:
+      - run: |
+          DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi binfmt-support qemu-user-static
+      - uses: actions/checkout@v3
+      - uses: cachix/install-nix-action@v22
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+          extra_nix_config: |
+            system = aarch64-linux
+      - uses: cachix/cachix-action@v12
+        with:
+          name: rosenpass
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Build
+        run: nix build .#packages.aarch64-linux.release-package --print-build-logs
   x86_64-linux---rosenpass:
     name: Build x86_64-linux.rosenpass
     runs-on:

.github/workflows/qc.yaml

@@ -4,10 +4,6 @@ on:
   push:
     branches: [main]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 permissions:
   checks: write
   contents: read

.github/workflows/regressions.yml

@@ -1,13 +1,9 @@
-name: Regressions
+name: QC
 on:
   pull_request:
   push:
     branches: [main]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 permissions:
   checks: write
   contents: read

.prettierignore

@@ -1,5 +1,4 @@
 .direnv/
-flake.lock
 papers/whitepaper.md
-src/usage.md
 target/
+src/usage.md

Cargo.lock

@@ -381,9 +381,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.19"
+version = "4.5.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7be5744db7978a28d9df86a214130d106a89ce49644cbc4e3f0c22c3fba30615"
+checksum = "b0956a43b323ac1afaffc053ed5c4b7c1f1800bacd1683c353aabbb752515dd3"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -391,9 +391,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.19"
+version = "4.5.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a5fbc17d3ef8278f55b282b2a2e75ae6f6c7d4bb70ed3d0382375104bfafdb4b"
+checksum = "4d72166dd41634086d5803a47eb71ae740e61d84709c36f3c34110173db3961b"
 dependencies = [
  "anstream",
  "anstyle",
@@ -837,9 +837,9 @@ checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
 [[package]]
 name = "futures"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876"
+checksum = "645c6916888f6cb6350d2550b80fb63e734897a8498abe35cfb732b6487804b0"
 dependencies = [
  "futures-channel",
  "futures-core",
@@ -852,9 +852,9 @@ dependencies = [
 
 [[package]]
 name = "futures-channel"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
+checksum = "eac8f7d7865dcb88bd4373ab671c8cf4508703796caa2b1985a9ca867b3fcb78"
 dependencies = [
  "futures-core",
  "futures-sink",
@@ -862,15 +862,15 @@ dependencies = [
 
 [[package]]
 name = "futures-core"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
+checksum = "dfc6580bb841c5a68e9ef15c77ccc837b40a7504914d52e47b8b0e9bbda25a1d"
 
 [[package]]
 name = "futures-executor"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f"
+checksum = "a576fc72ae164fca6b9db127eaa9a9dda0d61316034f33a0a0d4eda41f02b01d"
 dependencies = [
  "futures-core",
  "futures-task",
@@ -879,15 +879,15 @@ dependencies = [
 
 [[package]]
 name = "futures-io"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+checksum = "a44623e20b9681a318efdd71c299b6b222ed6f231972bfe2f224ebad6311f0c1"
 
 [[package]]
 name = "futures-macro"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
+checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -896,21 +896,21 @@ dependencies = [
 
 [[package]]
 name = "futures-sink"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
+checksum = "9fb8e00e87438d937621c1c6269e53f536c14d3fbd6a042bb24879e57d474fb5"
 
 [[package]]
 name = "futures-task"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
+checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004"
 
 [[package]]
 name = "futures-util"
-version = "0.3.31"
+version = "0.3.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
+checksum = "3d6401deb83407ab3da39eba7e33987a73c3df0c82b4bb5813ee871c19c41d48"
 dependencies = [
  "futures-channel",
  "futures-core",
@@ -1804,7 +1804,7 @@ name = "rosenpass"
 version = "0.2.1"
 dependencies = [
  "anyhow",
- "clap 4.5.19",
+ "clap 4.5.18",
  "command-fds",
  "criterion",
  "derive_builder 0.20.1",
@@ -1941,7 +1941,7 @@ name = "rosenpass-wireguard-broker"
 version = "0.1.0"
 dependencies = [
  "anyhow",
- "clap 4.5.19",
+ "clap 4.5.18",
  "derive_builder 0.20.1",
  "env_logger",
  "libc",

Cargo.toml

@@ -32,7 +32,7 @@ rosenpass-secret-memory = { path = "secret-memory" }
 rosenpass-oqs = { path = "oqs" }
 rosenpass-wireguard-broker = { path = "wireguard-broker" }
 doc-comment = "0.3.3"
-base64ct = { version = "1.6.0", default-features = false }
+base64ct = {version = "1.6.0", default-features=false}
 zeroize = "1.8.1"
 memoffset = "0.9.1"
 thiserror = "1.0.64"
@@ -41,35 +41,33 @@ env_logger = "0.10.2"
 toml = "0.7.8"
 static_assertions = "1.1.0"
 allocator-api2 = "0.2.14"
-memsec = { git = "https://github.com/rosenpass/memsec.git", rev = "aceb9baee8aec6844125bd6612f92e9a281373df", features = [
-    "alloc_ext",
-] }
+memsec = { git="https://github.com/rosenpass/memsec.git" ,rev="aceb9baee8aec6844125bd6612f92e9a281373df", features = [ "alloc_ext", ] }
 rand = "0.8.5"
 typenum = "1.17.0"
 log = { version = "0.4.22" }
-clap = { version = "4.5.19", features = ["derive"] }
+clap = { version = "4.5.18", features = ["derive"] }
 serde = { version = "1.0.210", features = ["derive"] }
 arbitrary = { version = "1.3.2", features = ["derive"] }
 anyhow = { version = "1.0.89", features = ["backtrace", "std"] }
 mio = { version = "1.0.2", features = ["net", "os-poll"] }
 oqs-sys = { version = "0.9.1", default-features = false, features = [
-    'classic_mceliece',
-    'kyber',
+  'classic_mceliece',
+  'kyber',
 ] }
 blake2 = "0.10.6"
 chacha20poly1305 = { version = "0.10.1", default-features = false, features = [
-    "std",
-    "heapless",
+  "std",
+  "heapless",
 ] }
 zerocopy = { version = "0.7.35", features = ["derive"] }
 home = "0.5.9"
 derive_builder = "0.20.1"
 tokio = { version = "1.40", features = ["macros", "rt-multi-thread"] }
-postcard = { version = "1.0.10", features = ["alloc"] }
+postcard= {version = "1.0.10", features = ["alloc"]}
 libcrux = { version = "0.0.2-pre.2" }
 hex-literal = { version = "0.4.1" }
 hex = { version = "0.4.3" }
-heck = { version = "0.5.0" }
+heck = { version = "0.5.0"  }
 libc = { version = "0.2" }
 uds = { git = "https://github.com/rosenpass/uds" }
 
@@ -81,7 +79,7 @@ libfuzzer-sys = "0.4"
 test_bin = "0.4.0"
 criterion = "0.4.0"
 allocator-api2-tests = "0.2.15"
-procspawn = { version = "1.0.1", features = ["test-support"] }
+procspawn = {version = "1.0.1", features= ["test-support"]}
 
 
 #Broker dependencies (might need cleanup or changes)

ciphers/Cargo.toml

@@ -23,4 +23,4 @@ static_assertions = { workspace = true }
 zeroize = { workspace = true }
 chacha20poly1305 = { workspace = true }
 blake2 = { workspace = true }
-libcrux = { workspace = true, optional = true }
+libcrux = { workspace = true, optional = true } 

flake.lock

@@ -2,17 +2,15 @@
   "nodes": {
     "fenix": {
       "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ],
+        "nixpkgs": ["nixpkgs"],
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1728282832,
-        "narHash": "sha256-I7AbcwGggf+CHqpyd/9PiAjpIBGTGx5woYHqtwxaV7I=",
+        "lastModified": 1712298178,
+        "narHash": "sha256-590fpCPXYAkaAeBz/V91GX4/KGzPObdYtqsTWzT6AhI=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "1ec71be1f4b8f3105c5d38da339cb061fefc43f4",
+        "rev": "569b5b5781395da08e7064e825953c548c26af76",
         "type": "github"
       },
       "original": {
@@ -26,11 +24,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1726560853,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -39,18 +37,36 @@
         "type": "github"
       }
     },
+    "naersk": {
+      "inputs": {
+        "nixpkgs": ["nixpkgs"]
+      },
+      "locked": {
+        "lastModified": 1698420672,
+        "narHash": "sha256-/TdeHMPRjjdJub7p7+w55vyABrsJlt5QkznPYy55vKA=",
+        "owner": "nix-community",
+        "repo": "naersk",
+        "rev": "aeb58d5e8faead8980a807c840232697982d47b9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1728193676,
-        "narHash": "sha256-PbDWAIjKJdlVg+qQRhzdSor04bAPApDqIv2DofTyynk=",
+        "lastModified": 1712168706,
+        "narHash": "sha256-XP24tOobf6GGElMd0ux90FEBalUtw6NkBSVh/RlA6ik=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ecbc1ca8ffd6aea8372ad16be9ebbb39889e55b6",
+        "rev": "1487bdea619e4a7a53a4590c475deabb5a9d1bfb",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -59,17 +75,18 @@
       "inputs": {
         "fenix": "fenix",
         "flake-utils": "flake-utils",
+        "naersk": "naersk",
         "nixpkgs": "nixpkgs"
       }
     },
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1728249780,
-        "narHash": "sha256-J269DvCI5dzBmPrXhAAtj566qt0b22TJtF3TIK+tMsI=",
+        "lastModified": 1712156296,
+        "narHash": "sha256-St7ZQrkrr5lmQX9wC1ZJAFxL8W7alswnyZk9d1se3Us=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "2b750da1a1a2c1d2c70896108d7096089842d877",
+        "rev": "8e581ac348e223488622f4d3003cb2bd412bf27e",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,8 +1,12 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
     flake-utils.url = "github:numtide/flake-utils";
 
+    # for quicker rust builds
+    naersk.url = "github:nix-community/naersk";
+    naersk.inputs.nixpkgs.follows = "nixpkgs";
+
     # for rust nightly with llvm-tools-preview
     fenix.url = "github:nix-community/fenix";
     fenix.inputs.nixpkgs.follows = "nixpkgs";
@@ -11,15 +15,6 @@
   outputs = { self, nixpkgs, flake-utils, ... }@inputs:
     nixpkgs.lib.foldl (a: b: nixpkgs.lib.recursiveUpdate a b) { } [
 
-
-      #
-      ### Export the overlay.nix from this flake ###
-      #
-      {
-        overlays.default = import ./overlay.nix;
-      }
-
-
       #
       ### Actual Rosenpass Package and Docker Container Images ###
       #
@@ -35,39 +30,310 @@
       ]
         (system:
           let
+            scoped = (scope: scope.result);
+            lib = nixpkgs.lib;
+
             # normal nixpkgs
             pkgs = import nixpkgs {
               inherit system;
+            };
 
-              # apply our own overlay, overriding/inserting our packages as defined in ./pkgs
-              overlays = [ self.overlays.default ];
+            # parsed Cargo.toml
+            cargoToml = builtins.fromTOML (builtins.readFile ./rosenpass/Cargo.toml);
+
+            # source files relevant for rust
+            src = scoped rec {
+              # File suffices to include
+              extensions = [
+                "lock"
+                "rs"
+                "toml"
+              ];
+              # Files to explicitly include
+              files = [
+                "to/README.md"
+              ];
+
+              src = ./.;
+              filter = (path: type: scoped rec {
+                inherit (lib) any id removePrefix hasSuffix;
+                anyof = (any id);
+
+                basename = baseNameOf (toString path);
+                relative = removePrefix (toString src + "/") (toString path);
+
+                result = anyof [
+                  (type == "directory")
+                  (any (ext: hasSuffix ".${ext}" basename) extensions)
+                  (any (file: file == relative) files)
+                ];
+              });
+
+              result = pkgs.lib.sources.cleanSourceWith { inherit src filter; };
+            };
+
+            # a function to generate a nix derivation for rosenpass against any
+            # given set of nixpkgs
+            rosenpassDerivation = p:
+              let
+                # whether we want to build a statically linked binary
+                isStatic = p.targetPlatform.isStatic;
+
+                # the rust target of `p`
+                target = p.rust.toRustTargetSpec p.targetPlatform;
+
+                # convert a string to shout case
+                shout = string: builtins.replaceStrings [ "-" ] [ "_" ] (pkgs.lib.toUpper string);
+
+                # suitable Rust toolchain
+                toolchain = with inputs.fenix.packages.${system}; combine [
+                  stable.cargo
+                  stable.rustc
+                  targets.${target}.stable.rust-std
+                ];
+
+                # naersk with a custom toolchain
+                naersk = pkgs.callPackage inputs.naersk {
+                  cargo = toolchain;
+                  rustc = toolchain;
+                };
+
+                # used to trick the build.rs into believing that CMake was ran **again**
+                fakecmake = pkgs.writeScriptBin "cmake" ''
+                  #! ${pkgs.stdenv.shell} -e
+                  true
+                '';
+              in
+              naersk.buildPackage
+                {
+                  # metadata and source
+                  name = cargoToml.package.name;
+                  version = cargoToml.package.version;
+                  inherit src;
+
+                  cargoBuildOptions = x: x ++ [ "-p" "rosenpass" ];
+                  cargoTestOptions = x: x ++ [ "-p" "rosenpass" ];
+
+                  doCheck = true;
+
+                  nativeBuildInputs = with pkgs; [
+                    p.stdenv.cc
+                    cmake # for oqs build in the oqs-sys crate
+                    mandoc # for the built-in manual
+                    removeReferencesTo
+                    rustPlatform.bindgenHook # for C-bindings in the crypto libs
+                  ];
+                  buildInputs = with p; [ bash ];
+
+                  override = x: {
+                    preBuild =
+                      # nix defaults to building for aarch64 _without_ the armv8-a crypto
+                      # extensions, but liboqs depens on these
+                      (lib.optionalString (system == "aarch64-linux") ''
+                        NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -march=armv8-a+crypto"
+                      ''
+                      );
+
+                    # fortify is only compatible with dynamic linking
+                    hardeningDisable = lib.optional isStatic "fortify";
+                  };
+
+                  overrideMain = x: {
+                    # CMake detects that it was served a _foreign_ target dir, and CMake
+                    # would be executed again upon the second build step of naersk.
+                    # By adding our specially optimized CMake version, we reduce the cost
+                    # of recompilation by 99 % while, while avoiding any CMake errors.
+                    nativeBuildInputs = [ (lib.hiPrio fakecmake) ] ++ x.nativeBuildInputs;
+
+                    # make sure that libc is linked, under musl this is not the case per
+                    # default
+                    preBuild = (lib.optionalString isStatic ''
+                      NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -lc"
+                    '');
+                  };
+
+                  # We want to build for a specific target...
+                  CARGO_BUILD_TARGET = target;
+
+                  # ... which might require a non-default linker:
+                  "CARGO_TARGET_${shout target}_LINKER" =
+                    let
+                      inherit (p.stdenv) cc;
+                    in
+                    "${cc}/bin/${cc.targetPrefix}cc";
+
+                  meta = with pkgs.lib;
+                    {
+                      inherit (cargoToml.package) description homepage;
+                      license = with licenses; [ mit asl20 ];
+                      maintainers = [ maintainers.wucke13 ];
+                      platforms = platforms.all;
+                    };
+                } // (lib.mkIf isStatic {
+                # otherwise pkg-config tries to link non-existent dynamic libs
+                # documented here: https://docs.rs/pkg-config/latest/pkg_config/
+                PKG_CONFIG_ALL_STATIC = true;
+
+                # tell rust to build everything statically linked
+                CARGO_BUILD_RUSTFLAGS = "-C target-feature=+crt-static";
+              });
+            # a function to generate a nix derivation for the rp helper against any
+            # given set of nixpkgs
+            rpDerivation = p:
+              let
+                # whether we want to build a statically linked binary
+                isStatic = p.targetPlatform.isStatic;
+
+                # the rust target of `p`
+                target = p.rust.toRustTargetSpec p.targetPlatform;
+
+                # convert a string to shout case
+                shout = string: builtins.replaceStrings [ "-" ] [ "_" ] (pkgs.lib.toUpper string);
+
+                # suitable Rust toolchain
+                toolchain = with inputs.fenix.packages.${system}; combine [
+                  stable.cargo
+                  stable.rustc
+                  targets.${target}.stable.rust-std
+                ];
+
+                # naersk with a custom toolchain
+                naersk = pkgs.callPackage inputs.naersk {
+                  cargo = toolchain;
+                  rustc = toolchain;
+                };
+
+                # used to trick the build.rs into believing that CMake was ran **again**
+                fakecmake = pkgs.writeScriptBin "cmake" ''
+                  #! ${pkgs.stdenv.shell} -e
+                  true
+                '';
+              in
+              naersk.buildPackage
+                {
+                  # metadata and source
+                  name = cargoToml.package.name;
+                  version = cargoToml.package.version;
+                  inherit src;
+
+                  cargoBuildOptions = x: x ++ [ "-p" "rp" ];
+                  cargoTestOptions = x: x ++ [ "-p" "rp" ];
+
+                  doCheck = true;
+
+                  nativeBuildInputs = with pkgs; [
+                    p.stdenv.cc
+                    cmake # for oqs build in the oqs-sys crate
+                    mandoc # for the built-in manual
+                    removeReferencesTo
+                    rustPlatform.bindgenHook # for C-bindings in the crypto libs
+                  ];
+                  buildInputs = with p; [ bash ];
+
+                  override = x: {
+                    preBuild =
+                      # nix defaults to building for aarch64 _without_ the armv8-a crypto
+                      # extensions, but liboqs depens on these
+                      (lib.optionalString (system == "aarch64-linux") ''
+                        NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -march=armv8-a+crypto"
+                      ''
+                      );
+
+                    # fortify is only compatible with dynamic linking
+                    hardeningDisable = lib.optional isStatic "fortify";
+                  };
+
+                  overrideMain = x: {
+                    # CMake detects that it was served a _foreign_ target dir, and CMake
+                    # would be executed again upon the second build step of naersk.
+                    # By adding our specially optimized CMake version, we reduce the cost
+                    # of recompilation by 99 % while, while avoiding any CMake errors.
+                    nativeBuildInputs = [ (lib.hiPrio fakecmake) ] ++ x.nativeBuildInputs;
+
+                    # make sure that libc is linked, under musl this is not the case per
+                    # default
+                    preBuild = (lib.optionalString isStatic ''
+                      NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -lc"
+                    '');
+                  };
+
+                  # We want to build for a specific target...
+                  CARGO_BUILD_TARGET = target;
+
+                  # ... which might require a non-default linker:
+                  "CARGO_TARGET_${shout target}_LINKER" =
+                    let
+                      inherit (p.stdenv) cc;
+                    in
+                    "${cc}/bin/${cc.targetPrefix}cc";
+
+                  meta = with pkgs.lib;
+                    {
+                      inherit (cargoToml.package) description homepage;
+                      license = with licenses; [ mit asl20 ];
+                      maintainers = [ maintainers.wucke13 ];
+                      platforms = platforms.all;
+                    };
+                } // (lib.mkIf isStatic {
+                # otherwise pkg-config tries to link non-existent dynamic libs
+                # documented here: https://docs.rs/pkg-config/latest/pkg_config/
+                PKG_CONFIG_ALL_STATIC = true;
+
+                # tell rust to build everything statically linked
+                CARGO_BUILD_RUSTFLAGS = "-C target-feature=+crt-static";
+              });
+            # a function to generate a docker image based of rosenpass
+            rosenpassOCI = name: pkgs.dockerTools.buildImage rec {
+              inherit name;
+              copyToRoot = pkgs.buildEnv {
+                name = "image-root";
+                paths = [ self.packages.${system}.${name} ];
+                pathsToLink = [ "/bin" ];
+              };
+              config.Cmd = [ "/bin/rosenpass" ];
             };
           in
-          {
-            packages = {
-              default = pkgs.rosenpass;
-              rosenpass = pkgs.rosenpass;
-              rosenpass-oci-image = pkgs.rosenpass-oci-image;
-              rp = pkgs.rp;
+          rec {
+            packages = rec {
+              default = rosenpass;
+              rosenpass = rosenpassDerivation pkgs;
+              rp = rpDerivation pkgs;
+              rosenpass-oci-image = rosenpassOCI "rosenpass";
 
-              release-package = pkgs.release-package;
-
-              # for good measure, we also offer to cross compile to Linux on Arm
-              aarch64-linux-rosenpass-static =
-                pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rosenpass;
-              aarch64-linux-rp-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rp;
-            }
-            //
-            # We only offer static builds for linux, as this is not supported on OS X
-            (nixpkgs.lib.attrsets.optionalAttrs pkgs.stdenv.isLinux {
-              rosenpass-static = pkgs.pkgsStatic.rosenpass;
-              rosenpass-static-oci-image = pkgs.pkgsStatic.rosenpass-oci-image;
-              rp-static = pkgs.pkgsStatic.rp;
-            });
+              # derivation for the release
+              release-package =
+                let
+                  version = cargoToml.package.version;
+                  package =
+                    if pkgs.hostPlatform.isLinux then
+                      packages.rosenpass-static
+                    else packages.rosenpass;
+                  rp =
+                    if pkgs.hostPlatform.isLinux then
+                      packages.rp-static
+                    else packages.rp;
+                  oci-image =
+                    if pkgs.hostPlatform.isLinux then
+                      packages.rosenpass-static-oci-image
+                    else packages.rosenpass-oci-image;
+                in
+                pkgs.runCommandNoCC "lace-result" { }
+                  ''
+                    mkdir {bin,$out}
+                    tar -cvf $out/rosenpass-${system}-${version}.tar \
+                      -C ${package} bin/rosenpass \
+                      -C ${rp} bin/rp
+                    cp ${oci-image} \
+                      $out/rosenpass-oci-image-${system}-${version}.tar.gz
+                  '';
+            } // (if pkgs.stdenv.isLinux then rec {
+              rosenpass-static = rosenpassDerivation pkgs.pkgsStatic;
+              rp-static = rpDerivation pkgs.pkgsStatic;
+              rosenpass-static-oci-image = rosenpassOCI "rosenpass-static";
+            } else { });
           }
         ))
 
-
       #
       ### Linux specifics ###
       #
@@ -75,46 +341,88 @@
         let
           pkgs = import nixpkgs {
             inherit system;
-
-            # apply our own overlay, overriding/inserting our packages as defined in ./pkgs
-            overlays = [ self.overlays.default ];
           };
+          packages = self.packages.${system};
         in
         {
+          #
+          ### Whitepaper ###
+          #
+          packages.whitepaper =
+            let
+              tlsetup = (pkgs.texlive.combine {
+                inherit (pkgs.texlive) scheme-basic acmart amsfonts ccicons
+                  csquotes csvsimple doclicense fancyvrb fontspec gobble
+                  koma-script ifmtarg latexmk lm markdown mathtools minted noto
+                  nunito pgf soul unicode-math lualatex-math paralist
+                  gitinfo2 eso-pic biblatex biblatex-trad biblatex-software
+                  xkeyval xurl xifthen biber;
+              });
+            in
+            pkgs.stdenvNoCC.mkDerivation {
+              name = "whitepaper";
+              src = ./papers;
+              nativeBuildInputs = with pkgs; [
+                ncurses # tput
+                python3Packages.pygments
+                tlsetup # custom tex live scheme
+                which
+              ];
+              buildPhase = ''
+                export HOME=$(mktemp -d)
+                latexmk -r tex/CI.rc
+              '';
+              installPhase = ''
+                mkdir -p $out
+                mv *.pdf readme.md $out/
+              '';
+            };
 
-          #
-          ### Reading materials ###
-          #
-          packages.whitepaper = pkgs.whitepaper;
 
           #
           ### Proof and Proof Tools ###
           #
-          packages.proverif-patched = pkgs.proverif-patched;
-          packages.proof-proverif = pkgs.proof-proverif;
+          packages.proverif-patched = pkgs.proverif.overrideAttrs (old: {
+            postInstall = ''
+              install -D -t $out/lib cryptoverif.pvl
+            '';
+          });
+          packages.proof-proverif = pkgs.stdenv.mkDerivation {
+            name = "rosenpass-proverif-proof";
+            version = "unstable";
+            src = pkgs.lib.sources.sourceByRegex ./. [
+              "analyze.sh"
+              "marzipan(/marzipan.awk)?"
+              "analysis(/.*)?"
+            ];
+            nativeBuildInputs = [ pkgs.proverif pkgs.graphviz ];
+            CRYPTOVERIF_LIB = packages.proverif-patched + "/lib/cryptoverif.pvl";
+            installPhase = ''
+              mkdir -p $out
+              bash analyze.sh -color -html $out
+            '';
+          };
 
 
           #
           ### Devshells ###
           #
           devShells.default = pkgs.mkShell {
-            inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
-            inputsFrom = [ pkgs.rosenpass ];
+            inherit (packages.proof-proverif) CRYPTOVERIF_LIB;
+            inputsFrom = [ packages.default ];
             nativeBuildInputs = with pkgs; [
+              inputs.fenix.packages.${system}.complete.toolchain
+              cmake # override the fakecmake from the main step above
               cargo-release
               clippy
-              rustfmt
               nodePackages.prettier
               nushell # for the .ci/gen-workflow-files.nu script
-              proverif-patched
+              packages.proverif-patched
             ];
           };
           devShells.coverage = pkgs.mkShell {
-            inputsFrom = [ pkgs.rosenpass ];
-            nativeBuildInputs = [
-              inputs.fenix.packages.${system}.complete.toolchain
-              pkgs.cargo-llvm-cov
-            ];
+            inputsFrom = [ packages.default ];
+            nativeBuildInputs = with pkgs; [ inputs.fenix.packages.${system}.complete.toolchain cargo-llvm-cov ];
           };
 
 

overlay.nix

@@ -1,39 +0,0 @@
-final: prev: {
-
-
-  #
-  ### Actual rosenpass software ###
-  #
-  rosenpass = final.callPackage ./pkgs/rosenpass.nix { };
-  rosenpass-oci-image = final.callPackage ./pkgs/rosenpass-oci-image.nix { };
-  rp = final.callPackage ./pkgs/rosenpass.nix { package = "rp"; };
-
-  release-package = final.callPackage ./pkgs/release-package.nix { };
-
-  #
-  ### Appendix ###
-  #
-  proverif-patched = prev.proverif.overrideAttrs (old: {
-    postInstall = ''
-      install -D -t $out/lib cryptoverif.pvl
-    '';
-  });
-
-  proof-proverif = final.stdenv.mkDerivation {
-    name = "rosenpass-proverif-proof";
-    version = "unstable";
-    src = final.lib.sources.sourceByRegex ./. [
-      "analyze.sh"
-      "marzipan(/marzipan.awk)?"
-      "analysis(/.*)?"
-    ];
-    nativeBuildInputs = [ final.proverif final.graphviz ];
-    CRYPTOVERIF_LIB = final.proverif-patched + "/lib/cryptoverif.pvl";
-    installPhase = ''
-      mkdir -p $out
-      bash analyze.sh -color -html $out
-    '';
-  };
-
-  whitepaper = final.callPackage ./pkgs/whitepaper.nix { };
-}

pkgs/release-package.nix

@@ -1,27 +0,0 @@
-{ lib, stdenvNoCC, runCommandNoCC, pkgsStatic, rosenpass, rosenpass-oci-image, rp } @ args:
-
-let
-  version = rosenpass.version;
-
-  # select static packages on Linux, default packages otherwise
-  package =
-    if stdenvNoCC.hostPlatform.isLinux then
-      pkgsStatic.rosenpass
-    else args.rosenpass;
-  rp =
-    if stdenvNoCC.hostPlatform.isLinux then
-      pkgsStatic.rp
-    else args.rp;
-  oci-image =
-    if stdenvNoCC.hostPlatform.isLinux then
-      pkgsStatic.rosenpass-oci-image
-    else args.rosenpass-oci-image;
-in
-runCommandNoCC "lace-result" { } ''
-  mkdir {bin,$out}
-  tar -cvf $out/rosenpass-${stdenvNoCC.hostPlatform.system}-${version}.tar \
-    -C ${package} bin/rosenpass \
-    -C ${rp} bin/rp
-  cp ${oci-image} \
-    $out/rosenpass-oci-image-${stdenvNoCC.hostPlatform.system}-${version}.tar.gz
-''

pkgs/rosenpass-oci-image.nix

@@ -1,11 +0,0 @@
-{ dockerTools, buildEnv, rosenpass }:
-
-dockerTools.buildImage {
-  name = rosenpass.name + "-oci";
-  copyToRoot = buildEnv {
-    name = "image-root";
-    paths = [ rosenpass ];
-    pathsToLink = [ "/bin" ];
-  };
-  config.Cmd = [ "/bin/rosenpass" ];
-}

pkgs/rosenpass.nix

@@ -1,78 +0,0 @@
-{ lib, stdenv, rustPlatform, cmake, mandoc, removeReferencesTo, bash, package ? "rosenpass" }:
-
-let
-  # whether we want to build a statically linked binary
-  isStatic = stdenv.targetPlatform.isStatic;
-
-  scoped = (scope: scope.result);
-
-  # source files relevant for rust
-  src = scoped rec {
-    # File suffices to include
-    extensions = [
-      "lock"
-      "rs"
-      "toml"
-    ];
-    # Files to explicitly include
-    files = [
-      "to/README.md"
-    ];
-
-    src = ../.;
-    filter = (path: type: scoped rec {
-      inherit (lib) any id removePrefix hasSuffix;
-      anyof = (any id);
-
-      basename = baseNameOf (toString path);
-      relative = removePrefix (toString src + "/") (toString path);
-
-      result = anyof [
-        (type == "directory")
-        (any (ext: hasSuffix ".${ext}" basename) extensions)
-        (any (file: file == relative) files)
-      ];
-    });
-
-    result = lib.sources.cleanSourceWith { inherit src filter; };
-  };
-
-  # parsed Cargo.toml
-  cargoToml = builtins.fromTOML (builtins.readFile (src + "/rosenpass/Cargo.toml"));
-in
-rustPlatform.buildRustPackage {
-  name = cargoToml.package.name;
-  version = cargoToml.package.version;
-  inherit src;
-
-  cargoBuildOptions = [ "--package" package ];
-  cargoTestOptions = [ "--package" package ];
-
-  doCheck = true;
-
-  cargoLock = {
-    lockFile = src + "/Cargo.lock";
-    outputHashes = {
-      "memsec-0.6.3" = "sha256-4ri+IEqLd77cLcul3lZrmpDKj4cwuYJ8oPRAiQNGeLw=";
-      "uds-0.4.2" = "sha256-qlxr/iJt2AV4WryePIvqm/8/MK/iqtzegztNliR93W8=";
-    };
-  };
-
-  nativeBuildInputs = [
-    stdenv.cc
-    cmake # for oqs build in the oqs-sys crate
-    mandoc # for the built-in manual
-    removeReferencesTo
-    rustPlatform.bindgenHook # for C-bindings in the crypto libs
-  ];
-  buildInputs = [ bash ];
-
-  hardeningDisable = lib.optional isStatic "fortify";
-
-  meta = {
-    inherit (cargoToml.package) description homepage;
-    license = with lib.licenses; [ mit asl20 ];
-    maintainers = [ lib.maintainers.wucke13 ];
-    platforms = lib.platforms.all;
-  };
-}

pkgs/whitepaper.nix

@@ -1,29 +0,0 @@
-{ stdenvNoCC, texlive, ncurses, python3Packages, which }:
-
-let
-  customTexLiveSetup = (texlive.combine {
-    inherit (texlive) acmart amsfonts biber biblatex biblatex-software
-      biblatex-trad ccicons csquotes csvsimple doclicense eso-pic fancyvrb
-      fontspec gitinfo2 gobble ifmtarg koma-script latexmk lm lualatex-math
-      markdown mathtools minted noto nunito paralist pgf scheme-basic soul
-      unicode-math upquote xifthen xkeyval xurl;
-  });
-in
-stdenvNoCC.mkDerivation {
-  name = "whitepaper";
-  src = ../papers;
-  nativeBuildInputs = [
-    ncurses # tput
-    python3Packages.pygments
-    customTexLiveSetup # custom tex live scheme
-    which
-  ];
-  buildPhase = ''
-    export HOME=$(mktemp -d)
-    latexmk -r tex/CI.rc
-  '';
-  installPhase = ''
-    mkdir -p $out
-    mv *.pdf readme.md $out/
-  '';
-}

rosenpass/Cargo.toml

@@ -51,8 +51,8 @@ mio = { workspace = true }
 rand = { workspace = true }
 zerocopy = { workspace = true }
 home = { workspace = true }
-derive_builder = { workspace = true }
-rosenpass-wireguard-broker = { workspace = true }
+derive_builder = {workspace = true}
+rosenpass-wireguard-broker = {workspace = true}
 zeroize = { workspace = true }
 hex-literal = { workspace = true, optional = true }
 hex = { workspace = true, optional = true }
@@ -68,21 +68,15 @@ anyhow = { workspace = true }
 criterion = { workspace = true }
 test_bin = { workspace = true }
 stacker = { workspace = true }
-serial_test = { workspace = true }
-procspawn = { workspace = true }
+serial_test = {workspace = true}
+procspawn = {workspace = true}
 tempfile = { workspace = true }
-rustix = { workspace = true }
+rustix = {workspace = true}
 
 [features]
 default = ["experiment_api"]
 experiment_memfd_secret = ["rosenpass-wireguard-broker/experiment_memfd_secret"]
 experiment_libcrux = ["rosenpass-ciphers/experiment_libcrux"]
-experiment_api = [
-    "hex-literal",
-    "uds",
-    "command-fds",
-    "rosenpass-util/experiment_file_descriptor_passing",
-    "rosenpass-wireguard-broker/experiment_api",
-]
-internal_testing = []
+experiment_api = ["hex-literal", "uds", "command-fds", "rosenpass-util/experiment_file_descriptor_passing", "rosenpass-wireguard-broker/experiment_api"]
+internal_testing  = []
 internal_bin_gen_ipc_msg_types = ["hex", "heck"]

rosenpass/src/protocol/protocol.rs

@@ -134,10 +134,11 @@ pub const PEER_COOKIE_VALUE_EPOCH: Timing = 120.0;
 // decryption for a second epoch
 pub const BISCUIT_EPOCH: Timing = 300.0;
 
-// Retransmission pub constants; will retransmit for up to _ABORT seconds;
-// starting with a delay of _DELAY_BEGIN seconds and increasing the delay
-// exponentially by a factor of _DELAY_GROWTH up to _DELAY_END.
-// An additional jitter factor of ±_DELAY_JITTER is added.
+// Retransmission pub constants; will retransmit for up to _ABORT ms; starting with a delay of
+// _DELAY_BEG ms and increasing the delay exponentially by a factor of
+// _DELAY_GROWTH up to _DELAY_END. An additional jitter factor of ±_DELAY_JITTER
+// is added.
+pub const RETRANSMIT_ABORT: Timing = 120.0;
 pub const RETRANSMIT_DELAY_GROWTH: Timing = 2.0;
 pub const RETRANSMIT_DELAY_BEGIN: Timing = 0.5;
 pub const RETRANSMIT_DELAY_END: Timing = 10.0;
@@ -1472,7 +1473,7 @@ impl IniHsPtr {
                         .min(ih.tx_count as f64),
                 )
                 * RETRANSMIT_DELAY_JITTER
-                * (rand::random::<f64>() + 1.0);
+                * (rand::random::<f64>() + 1.0); // TODO: Replace with the rand crate
         ih.tx_count += 1;
         Ok(())
     }

rp/Cargo.toml

@@ -20,9 +20,9 @@ rosenpass-ciphers = { workspace = true }
 rosenpass-cipher-traits = { workspace = true }
 rosenpass-secret-memory = { workspace = true }
 rosenpass-util = { workspace = true }
-rosenpass-wireguard-broker = { workspace = true }
+rosenpass-wireguard-broker = {workspace = true}
 
-tokio = { workspace = true }
+tokio = {workspace = true}
 
 [target.'cfg(any(target_os = "linux", target_os = "freebsd"))'.dependencies]
 ctrlc-async = "3.2"
@@ -35,8 +35,8 @@ netlink-packet-generic = "0.3"
 netlink-packet-wireguard = "0.2"
 
 [dev-dependencies]
-tempfile = { workspace = true }
-stacker = { workspace = true }
+tempfile = {workspace = true}
+stacker = {workspace = true}
 
 [features]
 experiment_memfd_secret = []

secret-memory/Cargo.toml

@@ -21,6 +21,6 @@ log = { workspace = true }
 
 [dev-dependencies]
 allocator-api2-tests = { workspace = true }
-tempfile = { workspace = true }
-base64ct = { workspace = true }
-procspawn = { workspace = true }
+tempfile = {workspace = true}
+base64ct = {workspace = true}
+procspawn = {workspace = true}

wireguard-broker/Cargo.toml

@@ -12,7 +12,7 @@ readme = "readme.md"
 [dependencies]
 thiserror = { workspace = true }
 zerocopy = { workspace = true }
-rosenpass-secret-memory = { workspace = true }
+rosenpass-secret-memory = {workspace = true}
 
 # Privileged only
 wireguard-uapi = { workspace = true }
@@ -24,20 +24,20 @@ anyhow = { workspace = true }
 clap = { workspace = true }
 env_logger = { workspace = true }
 log = { workspace = true }
-derive_builder = { workspace = true }
-postcard = { workspace = true }
+derive_builder = {workspace = true}
+postcard = {workspace = true}
 # Problem in CI, unknown reasons: dependency (libc) specified without providing a local path, Git repository, version, or workspace dependency to use
 # Maybe something about the combination of features and optional crates?
-rustix = { version = "0.38.37", optional = true }
-libc = { version = "0.2", optional = true }
+rustix = { version = "0.38.37", optional = true } 
+libc = { version = "0.2", optional = true } 
 
 # Mio broker client
 mio = { workspace = true }
 rosenpass-util = { workspace = true }
 
 [dev-dependencies]
-rand = { workspace = true }
-procspawn = { workspace = true }
+rand = {workspace = true}
+procspawn = {workspace = true}
 
 [features]
 experiment_api = ["rustix", "libc"]
@@ -49,7 +49,7 @@ path = "src/bin/priviledged.rs"
 test = false
 doc = false
 required-features = ["experiment_api"]
-cfg = { target_os = "linux" }
+cfg = { target_os = "linux" } 
 
 [[bin]]
 name = "rosenpass-wireguard-broker-socket-handler"
@@ -57,4 +57,4 @@ test = false
 path = "src/bin/socket_handler.rs"
 doc = false
 required-features = ["experiment_api"]
-cfg = { target_os = "linux" }
+cfg = { target_os = "linux" }