fix: CI issues under Darwin

This is similar to `rosenpass exchange`/`rosenpass exchange-config`.
It's however slightly different to the configuration file models the `rp
exchange` command line.

Cargo.lock

@@ -381,9 +381,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.23"
+version = "4.5.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3135e7ec2ef7b10c6ed8950f0f792ed96ee093fa088608f1c76e569722700c84"
+checksum = "69371e34337c4c984bbe322360c2547210bf632eb2814bbe78a6e87a2935bd2b"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -391,13 +391,13 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.23"
+version = "4.5.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30582fc632330df2bd26877bde0c1f4470d57c582bbc070376afcd04d8cb4838"
+checksum = "6e24c1b4099818523236a8ca881d2b45db98dadfb4625cf6608c12069fcbbde1"
 dependencies = [
  "anstream",
  "anstyle",
- "clap_lex 0.7.4",
+ "clap_lex 0.7.2",
  "strsim 0.11.1",
 ]
 
@@ -407,7 +407,7 @@ version = "4.5.38"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9647a559c112175f17cf724dc72d3645680a883c58481332779192b0d8e7a01"
 dependencies = [
- "clap 4.5.23",
+ "clap 4.5.22",
 ]
 
 [[package]]
@@ -433,9 +433,9 @@ dependencies = [
 
 [[package]]
 name = "clap_lex"
-version = "0.7.4"
+version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6"
+checksum = "1462739cb27611015575c0c11df5df7601141071f07518d56fcc1be504cbec97"
 
 [[package]]
 name = "clap_mangen"
@@ -443,7 +443,7 @@ version = "0.2.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fbae9cbfdc5d4fa8711c09bd7b83f644cb48281ac35bf97af3e47b0675864bdf"
 dependencies = [
- "clap 4.5.23",
+ "clap 4.5.22",
  "roff",
 ]
 
@@ -1823,7 +1823,7 @@ name = "rosenpass"
 version = "0.3.0-dev"
 dependencies = [
  "anyhow",
- "clap 4.5.23",
+ "clap 4.5.22",
  "clap_complete",
  "clap_mangen",
  "command-fds",
@@ -1964,7 +1964,7 @@ name = "rosenpass-wireguard-broker"
 version = "0.1.0"
 dependencies = [
  "anyhow",
- "clap 4.5.23",
+ "clap 4.5.22",
  "derive_builder 0.20.2",
  "env_logger",
  "libc",
@@ -2003,9 +2003,11 @@ dependencies = [
  "rosenpass-util",
  "rosenpass-wireguard-broker",
  "rtnetlink",
+ "serde",
  "stacker",
  "tempfile",
  "tokio",
+ "toml",
  "x25519-dalek",
  "zeroize",
 ]

Cargo.toml

@@ -47,7 +47,7 @@ memsec = { git = "https://github.com/rosenpass/memsec.git", rev = "aceb9baee8aec
 rand = "0.8.5"
 typenum = "1.17.0"
 log = { version = "0.4.22" }
-clap = { version = "4.5.23", features = ["derive"] }
+clap = { version = "4.5.22", features = ["derive"] }
 clap_mangen = "0.2.24"
 clap_complete = "4.5.38"
 serde = { version = "1.0.215", features = ["derive"] }

ciphers/src/hash_domain.rs

@@ -2,7 +2,7 @@ use anyhow::Result;
 use rosenpass_secret_memory::Secret;
 use rosenpass_to::To;
 
-use crate::keyed_hash as hash;
+use crate::subtle::incorrect_hmac_blake2b as hash;
 
 pub use hash::KEY_LEN;
 

ciphers/src/lib.rs

@@ -7,17 +7,6 @@ const_assert!(KEY_LEN == aead::KEY_LEN);
 const_assert!(KEY_LEN == xaead::KEY_LEN);
 const_assert!(KEY_LEN == hash_domain::KEY_LEN);
 
-/// Keyed hashing
-///
-/// This should only be used for implementation details; anything with relevance
-/// to the cryptographic protocol should use the facilities in [hash_domain], (though
-/// hash domain uses this module internally)
-pub mod keyed_hash {
-    pub use crate::subtle::incorrect_hmac_blake2b::{
-        hash, KEY_LEN, KEY_MAX, KEY_MIN, OUT_MAX, OUT_MIN,
-    };
-}
-
 /// Authenticated encryption with associated data
 pub mod aead {
     #[cfg(not(feature = "experiment_libcrux"))]

flake.nix

@@ -109,20 +109,6 @@
               proverif-patched
             ];
           };
-          # TODO: Write this as a patched version of the default environment
-          devShells.fullEnv = pkgs.mkShell {
-            inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
-            inputsFrom = [ pkgs.rosenpass ];
-            nativeBuildInputs = with pkgs; [
-              cargo-release
-              rustfmt
-              nodePackages.prettier
-              nushell # for the .ci/gen-workflow-files.nu script
-              proverif-patched
-              inputs.fenix.packages.${system}.complete.toolchain
-              pkgs.cargo-llvm-cov
-            ];
-          };
           devShells.coverage = pkgs.mkShell {
             inputsFrom = [ pkgs.rosenpass ];
             nativeBuildInputs = [
@@ -133,6 +119,9 @@
 
 
           checks = {
+            systemd-rosenpass = pkgs.testers.runNixOSTest ./tests/systemd/rosenpass.nix;
+            systemd-rp = pkgs.testers.runNixOSTest ./tests/systemd/rp.nix;
+
             cargo-fmt = pkgs.runCommand "check-cargo-fmt"
               { inherit (self.devShells.${system}.default) nativeBuildInputs buildInputs; } ''
               cargo fmt --manifest-path=${./.}/Cargo.toml --check --all && touch $out

papers/whitepaper.md

@@ -2,8 +2,8 @@
 template: rosenpass
 title: Rosenpass
 author:
-- Karolin Varner = Rosenpass e.V., Max Planck Institute for Security and Privacy (MPI-SP)
-- Benjamin Lipp = Rosenpass e.V., Max Planck Institute for Security and Privacy (MPI-SP)
+- Karolin Varner = Independent Researcher
+- Benjamin Lipp = Max Planck Institute for Security and Privacy (MPI-SP)
 - Wanja Zaeske
 - Lisa Schmidt = {Scientific Illustrator – \\url{mullana.de}}
 - Prabhpreet Dua
@@ -383,18 +383,9 @@ fn load_biscuit(nct) {
       "biscuit additional data",
       spkr, sidi, sidr);
     let pt : Biscuit = XAEAD::dec(k, n, ct, ad);
-
     // Find the peer and apply retransmission protection
     lookup_peer(pt.peerid);
-
-    // In December 2024, the InitConf retransmission mechanisim was redesigned
-    // in a backwards-compatible way. See the changelog.
-    // 
-    // -- 2024-11-30, Karolin Varner
-    if (protocol_version!(< "0.3.0")) {
-        // Ensure that the biscuit is used only once
-        assert(pt.biscuit_no <= peer.biscuit_used);
-    }
+    assert(pt.biscuit_no <= peer.biscuit_used);
 
     // Restore the chaining key
     ck ← pt.ck;
@@ -510,7 +501,7 @@ LAST_UNDER_LOAD_WINDOW = 1 //seconds
 
 The initiator deals with packet loss by storing the messages it sends to the responder and retransmitting them in randomized, exponentially increasing intervals until they get a response. Receiving RespHello terminates retransmission of InitHello. A Data or EmptyData message serves as acknowledgement of receiving InitConf and terminates its retransmission.
 
-The responder uses less complex form of the same mechanism: The responder never retransmits RespHello, instead the responder generates a new RespHello message if InitHello is retransmitted. Responder confirmation messages of completed handshake (EmptyData) messages are retransmitted by storing the most recent InitConf messages (or their hashes) and caching the associated EmptyData messages. Through this cache, InitConf retransmission is detected and the associated EmptyData message is retransmitted.
+The responder does not need to do anything special to handle RespHello retransmission – if the RespHello package is lost, the initiator retransmits InitHello and the responder can generate another RespHello package from that. InitConf retransmission needs to be handled specifically in the responder code because accepting an InitConf retransmission would reset the live session including the nonce counter, which would cause nonce reuse. Implementations must detect the case that `biscuit_no = biscuit_used` in ICR5, skip execution of ICR6 and ICR7, and just transmit another EmptyData package to confirm that the initiator can stop transmitting InitConf.
 
 ### Interaction with cookie reply system
 
@@ -524,76 +515,6 @@ When the responder is under load and it recieves an InitConf message, the messag
 
 # Changelog
 
-### 0.3.x
-
-#### 2024-10-30 – InitConf retransmission updates
-
-\vspace{0.5em}
-
-Author: Karolin Varner  
-Issue: [#331](https://github.com/rosenpass/rosenpass/issues/331)  
-PR: [#513](https://github.com/rosenpass/rosenpass/pull/513)  
-
-\vspace{0.5em}
-
-We redesign the InitConf retransmission mechanism to use a hash table. This avoids the need for the InitConf handling code to account for InitConf retransmission specifically and moves the retransmission logic into less-sensitive code.
-
-Previously, we would specifically account for InitConf retransmission in the InitConf handling code by checking the biscuit number: If the biscuit number was higher than any previously seen biscuit number, then this must be a new key-exchange being completed; if the biscuit number was exactly the highest seen biscuit number, then the InitConf message is interpreted as an InitConf retransmission; in this case, an entirely new EmptyData (responder confirmation) message was generated as confirmation that InitConf has been received and that the initiator can now cease opportunistic retransmission of InitConf.
-
-This mechanism was a bit brittle; even leading to a very minor but still relevant security issue, necessitating the release of Rosenpass maintenance version 0.2.2 with a [fix for the problem](https://github.com/rosenpass/rosenpass/pull/329). We had processed the InitConf message, correctly identifying that InitConf was a retransmission, but we failed to pass this information on to the rest of the code base, leading to double emission of the same "hey, we have a new cryptographic session key" even if the `outfile` option was used to integrate Rosenpass into some external application. If this event was used anywhere to reset a nonce, then this could have led to a nonce-misuse, although for the use with WireGuard this is not an issue.
-
-By removing all retransmission handling code from the cryptographic protocol, we are taking structural measures to exclude the possibilities of similar issues.
-
-- In section "Dealing With Package Loss" we replace
-
-    \begin{quote}
-        The responder does not need to do anything special to handle RespHello retransmission – if the RespHello package is lost, the initiator retransmits InitHello and the responder can generate another RespHello package from that. InitConf retransmission needs to be handled specifically in the responder code because accepting an InitConf retransmission would reset the live session including the nonce counter, which would cause nonce reuse. Implementations must detect the case that `biscuit_no = biscuit_used` in ICR5, skip execution of ICR6 and ICR7, and just transmit another EmptyData package to confirm that the initiator can stop transmitting InitConf.
-    \end{quote}
-
-    by 
-
-    \begin{quote}
-        The responder uses less complex form of the same mechanism: The responder never retransmits RespHello, instead the responder generates a new RespHello message if InitHello is retransmitted. Responder confirmation messages of completed handshake (EmptyData) messages are retransmitted by storing the most recent InitConf messages (or their hashes) and caching the associated EmptyData messages. Through this cache, InitConf retransmission is detected and the associated EmptyData message is retransmitted.
-    \end{quote}
-
-- In function `load_biscuit` we replace
-
-    ``` {=tex}
-    \begin{quote}
-        \begin{minted}{pseudorust}
-        assert(pt.biscuit_no <= peer.biscuit_used);
-        \end{minted}
-    \end{quote}
-    ```
-
-    by
-
-    ``` {=tex}
-    \begin{quote}
-        \begin{minted}{pseudorust}
-        // In December 2024, the InitConf retransmission mechanisim was redesigned
-        // in a backwards-compatible way. See the changelog.
-        // 
-        // -- 2024-11-30, Karolin Varner
-        if (protocol_version!(< "0.3.0")) {
-            // Ensure that the biscuit is used only once
-            assert(pt.biscuit_no <= peer.biscuit_used);
-        }
-        \end{minted}
-    \end{quote}
-    ```
-
-#### 2024-04-16 – Denial of Service Mitigation
-
-\vspace{0.5em}
-
-Author: Prabhpreet Dua  
-Issue: [#137](https://github.com/rosenpass/rosenpass/issues/137)  
-PR: [#142](https://github.com/rosenpass/rosenpass/pull/142)  
-
-\vspace{0.5em}
-
-- Added denial of service mitigation using the WireGuard cookie mechanism
 - Added section "Denial of Service Mitigation and Cookies", and modify "Dealing with Packet Loss" for DoS cookie mechanism
 
 \printbibliography

pkgs/release-package.nix

@@ -20,7 +20,7 @@ in
 runCommandNoCC "lace-result" { } ''
   mkdir {bin,$out}
   tar -cvf $out/rosenpass-${stdenvNoCC.hostPlatform.system}-${version}.tar \
-    -C ${package} bin/rosenpass \
+    -C ${package} bin/rosenpass lib/systemd \
     -C ${rp} bin/rp
   cp ${oci-image} \
     $out/rosenpass-oci-image-${stdenvNoCC.hostPlatform.system}-${version}.tar.gz

pkgs/rosenpass.nix

@@ -12,6 +12,8 @@ let
     extensions = [
       "lock"
       "rs"
+      "service"
+      "target"
       "toml"
     ];
     # Files to explicitly include
@@ -69,6 +71,13 @@ rustPlatform.buildRustPackage {
 
   hardeningDisable = lib.optional isStatic "fortify";
 
+  postInstall = ''
+    mkdir -p $out/lib/systemd/system
+    install systemd/rosenpass@.service $out/lib/systemd/system
+    install systemd/rp@.service $out/lib/systemd/system
+    install systemd/rosenpass.target $out/lib/systemd/system
+  '';
+
   meta = {
     inherit (cargoToml.package) description homepage;
     license = with lib.licenses; [ mit asl20 ];

rosenpass/src/msgs.rs

@@ -21,11 +21,8 @@ pub const MAC_SIZE: usize = 16;
 pub const COOKIE_SIZE: usize = 16;
 pub const SID_LEN: usize = 4;
 
-pub type MsgEnvelopeMac = [u8; 16];
-pub type MsgEnvelopeCookie = MsgEnvelopeMac;
-
 #[repr(packed)]
-#[derive(AsBytes, FromBytes, FromZeroes, Clone)]
+#[derive(AsBytes, FromBytes, FromZeroes)]
 pub struct Envelope<M: AsBytes + FromBytes> {
     /// [MsgType] of this message
     pub msg_type: u8,
@@ -35,9 +32,9 @@ pub struct Envelope<M: AsBytes + FromBytes> {
     pub payload: M,
     /// Message Authentication Code (mac) over all bytes until (exclusive)
     /// `mac` itself
-    pub mac: MsgEnvelopeMac,
+    pub mac: [u8; 16],
     /// Currently unused, TODO: do something with this
-    pub cookie: MsgEnvelopeCookie,
+    pub cookie: [u8; 16],
 }
 
 #[repr(packed)]
@@ -73,7 +70,7 @@ pub struct RespHello {
 }
 
 #[repr(packed)]
-#[derive(AsBytes, FromBytes, FromZeroes, Debug)]
+#[derive(AsBytes, FromBytes, FromZeroes)]
 pub struct InitConf {
     /// Copied from InitHello
     pub sidi: [u8; 4],
@@ -86,7 +83,7 @@ pub struct InitConf {
 }
 
 #[repr(packed)]
-#[derive(AsBytes, FromBytes, FromZeroes, Clone, Copy)]
+#[derive(AsBytes, FromBytes, FromZeroes)]
 pub struct EmptyData {
     /// Copied from RespHello
     pub sid: [u8; 4],

rosenpass/src/protocol/protocol.rs

@@ -70,9 +70,7 @@
 //! # }
 //! ```
 
-use std::borrow::Borrow;
 use std::convert::Infallible;
-use std::fmt::Debug;
 use std::mem::size_of;
 use std::ops::Deref;
 use std::{
@@ -90,14 +88,9 @@ use memoffset::span_of;
 use rosenpass_cipher_traits::Kem;
 use rosenpass_ciphers::hash_domain::{SecretHashDomain, SecretHashDomainNamespace};
 use rosenpass_ciphers::kem::{EphemeralKem, StaticKem};
-use rosenpass_ciphers::keyed_hash;
 use rosenpass_ciphers::{aead, xaead, KEY_LEN};
 use rosenpass_constant_time as constant_time;
 use rosenpass_secret_memory::{Public, PublicBox, Secret};
-use rosenpass_to::ops::copy_slice;
-use rosenpass_to::To;
-use rosenpass_util::functional::ApplyExt;
-use rosenpass_util::mem::DiscardResultExt;
 use rosenpass_util::{cat, mem::cpy_min, time::Timebase};
 use zerocopy::{AsBytes, FromBytes, Ref};
 
@@ -207,7 +200,6 @@ pub struct CryptoServer {
     // Peer/Handshake DB
     pub peers: Vec<Peer>,
     pub index: HashMap<IndexKey, PeerNo>,
-    pub known_response_hasher: KnownResponseHasher,
 
     // Tick handling
     pub peer_poll_off: usize,
@@ -237,7 +229,6 @@ pub type BiscuitKey = CookieStore<KEY_LEN>;
 pub enum IndexKey {
     Peer(PeerId),
     Sid(SessionId),
-    KnownInitConfResponse(KnownResponseHash),
 }
 
 #[derive(Debug)]
@@ -248,7 +239,6 @@ pub struct Peer {
     pub session: Option<Session>,
     pub handshake: Option<InitiatorHandshake>,
     pub initiation_requested: bool,
-    pub known_init_conf_response: Option<KnownInitConfResponse>,
 }
 
 impl Peer {
@@ -260,7 +250,6 @@ impl Peer {
             session: None,
             initiation_requested: false,
             handshake: None,
-            known_init_conf_response: None,
         }
     }
 }
@@ -319,50 +308,6 @@ pub struct InitiatorHandshake {
     pub cookie_value: CookieStore<COOKIE_VALUE_LEN>,
 }
 
-pub struct KnownResponse<ResponseType: AsBytes + FromBytes> {
-    received_at: Timing,
-    request_mac: KnownResponseHash,
-    response: Envelope<ResponseType>,
-}
-
-impl<ResponseType: AsBytes + FromBytes> Debug for KnownResponse<ResponseType> {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.debug_struct("KnownResponse")
-            .field("received_at", &self.received_at)
-            .field("request_mac", &self.request_mac)
-            .field("response", &"...")
-            .finish()
-    }
-}
-
-pub type KnownInitConfResponse = KnownResponse<EmptyData>;
-
-pub type KnownResponseHash = Public<16>;
-
-#[derive(Debug)]
-pub struct KnownResponseHasher {
-    pub key: SymKey,
-}
-
-impl KnownResponseHasher {
-    fn new() -> Self {
-        Self {
-            key: SymKey::random(),
-        }
-    }
-
-    /// # Panic & Safety
-    ///
-    /// Panics in case of a problem with this underlying hash function
-    pub fn hash<Msg: AsBytes + FromBytes>(&self, msg: &Envelope<Msg>) -> KnownResponseHash {
-        let data = &msg.as_bytes()[span_of!(Envelope<Msg>, msg_type..cookie)];
-        let hash = keyed_hash::hash(self.key.secret(), data)
-            .to_this(Public::<32>::zero)
-            .unwrap();
-        Public::from_slice(&hash[0..16]) // truncate to 16 bytes
-    }
-}
-
 #[derive(Debug)]
 pub struct Session {
     // Metadata
@@ -424,12 +369,6 @@ pub struct IniHsPtr(pub usize);
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug)]
 pub struct SessionPtr(pub usize);
 
-/// Valid index to [CryptoServer::peers] cookie value
-pub struct PeerCookieValuePtr(usize); // TODO: Change
-
-/// Valid index to [CryptoServer::peers] known init conf response
-pub struct KnownInitConfResponsePtr(PeerNo);
-
 /// Valid index to [CryptoServer::biscuit_keys]
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug)]
 pub struct BiscuitKeyPtr(pub usize);
@@ -438,17 +377,14 @@ pub struct BiscuitKeyPtr(pub usize);
 #[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Debug)]
 pub struct ServerCookieSecretPtr(pub usize);
 
+/// Valid index to [CryptoServer::peers] cookie value
+pub struct PeerCookieValuePtr(usize);
+
 impl PeerPtr {
-    /// # Panic & Safety
-    ///
-    /// The function panics if the peer referenced by this PeerPtr does not exist.
     pub fn get<'a>(&self, srv: &'a CryptoServer) -> &'a Peer {
         &srv.peers[self.0]
     }
 
-    /// # Panic & Safety
-    ///
-    /// The function panics if the peer referenced by this PeerPtr does not exist.
     pub fn get_mut<'a>(&self, srv: &'a mut CryptoServer) -> &'a mut Peer {
         &mut srv.peers[self.0]
     }
@@ -464,10 +400,6 @@ impl PeerPtr {
     pub fn cv(&self) -> PeerCookieValuePtr {
         PeerCookieValuePtr(self.0)
     }
-
-    pub fn known_init_conf_response(&self) -> KnownInitConfResponsePtr {
-        KnownInitConfResponsePtr(self.0)
-    }
 }
 
 impl IniHsPtr {
@@ -576,118 +508,6 @@ impl PeerCookieValuePtr {
     }
 }
 
-impl KnownInitConfResponsePtr {
-    pub fn peer(&self) -> PeerPtr {
-        PeerPtr(self.0)
-    }
-
-    /// # Panic & Safety
-    ///
-    /// The function panics if the peer referenced by this KnownInitConfResponsePtr does not exist.
-    pub fn get<'a>(&self, srv: &'a CryptoServer) -> Option<&'a KnownInitConfResponse> {
-        self.peer().get(srv).known_init_conf_response.as_ref()
-    }
-
-    /// # Panic & Safety
-    ///
-    /// The function panics if the peer referenced by this KnownInitConfResponsePtr does not exist.
-    pub fn get_mut<'a>(&self, srv: &'a mut CryptoServer) -> Option<&'a mut KnownInitConfResponse> {
-        self.peer().get_mut(srv).known_init_conf_response.as_mut()
-    }
-
-    /// # Panic & Safety
-    ///
-    /// The function panics if
-    ///
-    /// - the peer referenced by this KnownInitConfResponsePtr does not exist
-    /// - the peer contains a KnownInitConfResponse (i.e. if [Peer::known_init_conf_response] is Some(...)), but the index to this KnownInitConfResponsePtr is missing (i.e. there is no appropriate index
-    ///   value in [CryptoServer::index])
-    pub fn remove(&self, srv: &mut CryptoServer) -> Option<KnownInitConfResponse> {
-        let peer = self.peer();
-        let val = peer.get_mut(srv).known_init_conf_response.take()?;
-        let lookup_key = IndexKey::KnownInitConfResponse(val.request_mac);
-        srv.index.remove(&lookup_key).unwrap();
-        Some(val)
-    }
-
-    pub fn insert(&self, srv: &mut CryptoServer, known_response: KnownInitConfResponse) {
-        self.remove(srv).discard_result();
-
-        let index_key = IndexKey::KnownInitConfResponse(known_response.request_mac);
-        self.peer().get_mut(srv).known_init_conf_response = Some(known_response);
-
-        // There is a question here whether we should just discard the result…or panic if the
-        // result is Some(...).
-        //
-        // The result being anything other than None should never occur:
-        // - If we have never seen this InitConf message, then the result should be None and no value should
-        //   have been written. This is fine.
-        // - If we have seen this message before, we should have responded with a known answer –
-        //   which would be fine
-        // - If we have never seen this InitConf message before, but the hashes are the same, this
-        //   would constitute a collision on our hash function, which is security because the
-        //   cryptography (collision resistance of our hash) prevents this. If this happened, it
-        //   would be bad but we could not detect it.
-        if srv.index.insert(index_key, self.0).is_some() {
-            log::warn!(
-                r#"
-                Replaced a cached message in the InitConf known-response table
-                for network retransmission handling. This should never happen and is
-                probably a bug. Please report seeing this message at the following location:
-                
-                https://github.com/rosenpass/rosenpass/issues
-            "#
-            );
-        }
-    }
-
-    pub fn lookup_for_request_msg(
-        srv: &CryptoServer,
-        req: &Envelope<InitConf>,
-    ) -> Option<KnownInitConfResponsePtr> {
-        let index_key = Self::index_key_for_msg(srv, req);
-        let peer_no = *srv.index.get(&index_key)?;
-        Some(Self(peer_no))
-    }
-
-    pub fn lookup_response_for_request_msg<'a>(
-        srv: &'a CryptoServer,
-        req: &Envelope<InitConf>,
-    ) -> Option<&'a Envelope<EmptyData>> {
-        Self::lookup_for_request_msg(srv, req)?
-            .get(srv)
-            .map(|v| &v.response)
-    }
-
-    pub fn insert_for_request_msg(
-        srv: &mut CryptoServer,
-        peer: PeerPtr,
-        req: &Envelope<InitConf>,
-        res: Envelope<EmptyData>,
-    ) {
-        let ptr = peer.known_init_conf_response();
-        ptr.insert(
-            srv,
-            KnownInitConfResponse {
-                received_at: srv.timebase.now(),
-                request_mac: Self::index_key_hash_for_msg(srv, req),
-                response: res,
-            },
-        );
-    }
-
-    pub fn index_key_hash_for_msg(
-        srv: &CryptoServer,
-        req: &Envelope<InitConf>,
-    ) -> KnownResponseHash {
-        srv.known_response_hasher.hash(req)
-    }
-
-    pub fn index_key_for_msg(srv: &CryptoServer, req: &Envelope<InitConf>) -> IndexKey {
-        Self::index_key_hash_for_msg(srv, req).apply(IndexKey::KnownInitConfResponse)
-    }
-}
-
 // DATABASE //////////////////////////////////////
 
 impl CryptoServer {
@@ -705,7 +525,6 @@ impl CryptoServer {
             biscuit_keys: [CookieStore::new(), CookieStore::new()],
             peers: Vec::new(),
             index: HashMap::new(),
-            known_response_hasher: KnownResponseHasher::new(),
             peer_poll_off: 0,
             cookie_secrets: [CookieStore::new(), CookieStore::new()],
         }
@@ -744,7 +563,6 @@ impl CryptoServer {
             biscuit_used: BiscuitId::zero(),
             session: None,
             handshake: None,
-            known_init_conf_response: None,
             initiation_requested: false,
         };
         let peerid = peer.pidt()?;
@@ -877,7 +695,6 @@ impl Peer {
             biscuit_used: BiscuitId::zero(),
             session: None,
             handshake: None,
-            known_init_conf_response: None,
             initiation_requested: false,
         }
     }
@@ -1035,25 +852,6 @@ impl Mortal for PeerCookieValuePtr {
     }
 }
 
-impl Mortal for KnownInitConfResponsePtr {
-    fn created_at(&self, srv: &CryptoServer) -> Option<Timing> {
-        let t = self.get(srv)?.received_at;
-        if t < 0.0 {
-            None
-        } else {
-            Some(t)
-        }
-    }
-
-    fn retire_at(&self, srv: &CryptoServer) -> Option<Timing> {
-        self.die_at(srv)
-    }
-
-    fn die_at(&self, srv: &CryptoServer) -> Option<Timing> {
-        self.created_at(srv).map(|t| t + REKEY_AFTER_TIME_RESPONDER)
-    }
-}
-
 /// Trait extension to the [Mortal] Trait, that enables nicer access to timing
 /// information
 trait MortalExt: Mortal {
@@ -1317,38 +1115,10 @@ impl CryptoServer {
                 ensure!(msg_in.check_seal(self)?, seal_broken);
 
                 let mut msg_out = truncating_cast_into::<Envelope<EmptyData>>(tx_buf)?;
-
-                // Check if we have a cached response
-                let peer = match KnownInitConfResponsePtr::lookup_for_request_msg(self, &msg_in) {
-                    // Cached response; copy out of cache
-                    Some(cached) => {
-                        let peer = cached.peer();
-                        let cached = cached
-                            .get(self)
-                            .map(|v| v.response.borrow())
-                            // Invalid! Found peer no with cache in index but the cache does not exist
-                            .unwrap();
-                        copy_slice(cached.as_bytes()).to(msg_out.as_bytes_mut());
-                        peer
-                    }
-
-                    // No cached response, actually call cryptographic handler
-                    None => {
-                        let peer = self.handle_init_conf(&msg_in.payload, &mut msg_out.payload)?;
-
-                        KnownInitConfResponsePtr::insert_for_request_msg(
-                            self,
-                            peer,
-                            &msg_in,
-                            msg_out.clone(),
-                        );
-
-                        exchanged = true;
-                        peer
-                    }
-                };
-
+                let (peer, if_exchanged) =
+                    self.handle_init_conf(&msg_in.payload, &mut msg_out.payload)?;
                 len = self.seal_and_commit_msg(peer, MsgType::EmptyData, &mut msg_out)?;
+                exchanged = if_exchanged;
                 peer
             }
             Ok(MsgType::EmptyData) => {
@@ -1632,8 +1402,7 @@ impl Pollable for PeerPtr {
                     PollResult::SendInitiation(*self)
                 },
             )
-            .poll_child(srv, &hs)? // Defer to the handshake for polling (retransmissions)
-            .poll_child(srv, &self.known_init_conf_response())
+            .poll_child(srv, &hs) // Defer to the handshake for polling (retransmissions)
     }
 }
 
@@ -1648,15 +1417,6 @@ impl Pollable for IniHsPtr {
     }
 }
 
-impl Pollable for KnownInitConfResponsePtr {
-    fn poll(&self, srv: &mut CryptoServer) -> Result<PollResult> {
-        begin_poll()
-            // Erase stale cache
-            .sched(self.life_left(srv), void_poll(|| self.remove(srv)))
-            .ok()
-    }
-}
-
 // MESSAGE RETRANSMISSION ////////////////////////
 
 impl CryptoServer {
@@ -1941,6 +1701,15 @@ impl HandshakeState {
             .find_peer(pid) // TODO: FindPeer should return a Result<()>
             .with_context(|| format!("Could not decode biscuit for peer {pid:?}: No such peer."))?;
 
+        // Defense against replay attacks; implementations may accept
+        // the most recent biscuit no again (bn = peer.bn_{prev}) which
+        // indicates retransmission
+        // TODO: Handle retransmissions without involving the crypto code
+        ensure!(
+            constant_time::compare(&biscuit.biscuit_no, &*peer.get(srv).biscuit_used) >= 0,
+            "Rejecting biscuit: Outdated biscuit number"
+        );
+
         Ok((peer, no, hs))
     }
 
@@ -2178,7 +1947,12 @@ impl CryptoServer {
         Ok(peer)
     }
 
-    pub fn handle_init_conf(&mut self, ic: &InitConf, rc: &mut EmptyData) -> Result<PeerPtr> {
+    pub fn handle_init_conf(
+        &mut self,
+        ic: &InitConf,
+        rc: &mut EmptyData,
+    ) -> Result<(PeerPtr, bool)> {
+        let mut exchanged = false;
         // (peer, bn) ← LoadBiscuit(InitConf.biscuit)
         // ICR1
         let (peer, biscuit_no, mut core) = HandshakeState::load_biscuit(
@@ -2198,23 +1972,20 @@ impl CryptoServer {
         core.decrypt_and_mix(&mut [0u8; 0], &ic.auth)?;
 
         // ICR5
-        // Defense against replay attacks; implementations may accept
-        // the most recent biscuit no again (bn = peer.bn_{prev}) which
-        // indicates retransmission
-        ensure!(
-            constant_time::compare(&*biscuit_no, &*peer.get(self).biscuit_used) > 0,
-            "Rejecting biscuit: Outdated biscuit number"
-        );
+        if constant_time::compare(&*biscuit_no, &*peer.get(self).biscuit_used) > 0 {
+            // ICR6
+            peer.get_mut(self).biscuit_used = biscuit_no;
 
-        // ICR6
-        peer.get_mut(self).biscuit_used = biscuit_no;
+            // ICR7
+            peer.session()
+                .insert(self, core.enter_live(self, HandshakeRole::Responder)?)?;
+            // TODO: This should be part of the protocol specification.
+            // Abort any ongoing handshake from initiator role
+            peer.hs().take(self);
 
-        // ICR7
-        peer.session()
-            .insert(self, core.enter_live(self, HandshakeRole::Responder)?)?;
-        // TODO: This should be part of the protocol specification.
-        // Abort any ongoing handshake from initiator role
-        peer.hs().take(self);
+            // Only exchange key on new biscuit number- avoid duplicate key exchanges on retransmitted InitConf messages
+            exchanged = true;
+        }
 
         // TODO: Implementing RP should be possible without touching the live session stuff
         // TODO: I fear that this may lead to race conditions; the acknowledgement may be
@@ -2252,7 +2023,7 @@ impl CryptoServer {
         let k = ses.txkm.secret();
         aead::encrypt(&mut rc.auth, k, &n, &[], &[])?; // ct, k, n, ad, pt
 
-        Ok(peer)
+        Ok((peer, exchanged))
     }
 
     pub fn handle_resp_conf(&mut self, rc: &EmptyData) -> Result<PeerPtr> {
@@ -2369,11 +2140,10 @@ fn truncating_cast_into_nomut<T: FromBytes>(buf: &[u8]) -> Result<Ref<&[u8], T>,
 
 #[cfg(test)]
 mod test {
-    use std::{borrow::BorrowMut, net::SocketAddrV4, ops::DerefMut, thread::sleep, time::Duration};
+    use std::{net::SocketAddrV4, ops::DerefMut, thread::sleep, time::Duration};
 
     use super::*;
     use serial_test::serial;
-    use zerocopy::FromZeroes;
 
     struct VecHostIdentifier(Vec<u8>);
 
@@ -2789,186 +2559,4 @@ mod test {
                 .is_err());
         });
     }
-
-    #[test]
-    fn init_conf_retransmission() -> anyhow::Result<()> {
-        rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
-
-        fn keypair() -> anyhow::Result<(SSk, SPk)> {
-            let (mut sk, mut pk) = (SSk::zero(), SPk::zero());
-            StaticKem::keygen(sk.secret_mut(), pk.deref_mut())?;
-            Ok((sk, pk))
-        }
-
-        fn proc_initiation(
-            srv: &mut CryptoServer,
-            peer: PeerPtr,
-        ) -> anyhow::Result<Envelope<InitHello>> {
-            let mut buf = MsgBuf::zero();
-            srv.initiate_handshake(peer, buf.as_mut_slice())?
-                .discard_result();
-            let msg = truncating_cast_into::<Envelope<InitHello>>(buf.borrow_mut())?;
-            Ok(msg.read())
-        }
-
-        fn proc_msg<Rx: AsBytes + FromBytes, Tx: AsBytes + FromBytes>(
-            srv: &mut CryptoServer,
-            rx: &Envelope<Rx>,
-        ) -> anyhow::Result<Envelope<Tx>> {
-            let mut buf = MsgBuf::zero();
-            srv.handle_msg(rx.as_bytes(), buf.as_mut_slice())?
-                .resp
-                .context("Failed to produce RespHello message")?
-                .discard_result();
-            let msg = truncating_cast_into::<Envelope<Tx>>(buf.borrow_mut())?;
-            Ok(msg.read())
-        }
-
-        fn proc_init_hello(
-            srv: &mut CryptoServer,
-            ih: &Envelope<InitHello>,
-        ) -> anyhow::Result<Envelope<RespHello>> {
-            proc_msg::<InitHello, RespHello>(srv, ih)
-        }
-
-        fn proc_resp_hello(
-            srv: &mut CryptoServer,
-            rh: &Envelope<RespHello>,
-        ) -> anyhow::Result<Envelope<InitConf>> {
-            proc_msg::<RespHello, InitConf>(srv, rh)
-        }
-
-        fn proc_init_conf(
-            srv: &mut CryptoServer,
-            rh: &Envelope<InitConf>,
-        ) -> anyhow::Result<Envelope<EmptyData>> {
-            proc_msg::<InitConf, EmptyData>(srv, rh)
-        }
-
-        fn poll(srv: &mut CryptoServer) -> anyhow::Result<()> {
-            // Discard all events; just apply the side effects
-            while !matches!(srv.poll()?, PollResult::Sleep(_)) {}
-            Ok(())
-        }
-
-        // TODO: Implement Clone on our message types
-        fn clone_msg<Msg: AsBytes + FromBytes>(msg: &Msg) -> anyhow::Result<Msg> {
-            Ok(truncating_cast_into_nomut::<Msg>(msg.as_bytes())?.read())
-        }
-
-        fn break_payload<Msg: AsBytes + FromBytes>(
-            srv: &mut CryptoServer,
-            peer: PeerPtr,
-            msg: &Envelope<Msg>,
-        ) -> anyhow::Result<Envelope<Msg>> {
-            let mut msg = clone_msg(msg)?;
-            msg.as_bytes_mut()[memoffset::offset_of!(Envelope<Msg>, payload)] ^= 0x01;
-            msg.seal(peer, srv)?; // Recalculate seal; we do not want to focus on "seal broken" errs
-            Ok(msg)
-        }
-
-        fn time_travel_forward(srv: &mut CryptoServer, secs: f64) {
-            let dur = std::time::Duration::from_secs_f64(secs);
-            srv.timebase.0 = srv.timebase.0.checked_sub(dur).unwrap();
-        }
-
-        fn check_faulty_proc_init_conf(srv: &mut CryptoServer, ic_broken: &Envelope<InitConf>) {
-            let mut buf = MsgBuf::zero();
-            let res = srv.handle_msg(ic_broken.as_bytes(), buf.as_mut_slice());
-            assert!(res.is_err());
-        }
-
-        fn check_retransmission(
-            srv: &mut CryptoServer,
-            ic: &Envelope<InitConf>,
-            ic_broken: &Envelope<InitConf>,
-            rc: &Envelope<EmptyData>,
-        ) -> anyhow::Result<()> {
-            // Processing the same RespHello package again leads to retransmission (i.e. exactly the
-            // same output)
-            let rc_dup = proc_init_conf(srv, ic)?;
-            assert_eq!(rc.as_bytes(), rc_dup.as_bytes());
-
-            // Though if we directly call handle_resp_hello() we get an error since
-            // retransmission is not being handled by the cryptographic code
-            let mut discard_resp_conf = EmptyData::new_zeroed();
-            let res = srv.handle_init_conf(&ic.payload, &mut discard_resp_conf);
-            assert!(res.is_err());
-
-            // Obviously, a broken InitConf message should still be rejected
-            check_faulty_proc_init_conf(srv, ic_broken);
-
-            Ok(())
-        }
-
-        let (ska, pka) = keypair()?;
-        let (skb, pkb) = keypair()?;
-
-        // initialize server and a pre-shared key
-        let mut a = CryptoServer::new(ska, pka.clone());
-        let mut b = CryptoServer::new(skb, pkb.clone());
-
-        // introduce peers to each other
-        let b_peer = a.add_peer(None, pkb)?;
-        let a_peer = b.add_peer(None, pka)?;
-
-        // Execute protocol up till the responder confirmation (EmptyData)
-        let ih1 = proc_initiation(&mut a, b_peer)?;
-        let rh1 = proc_init_hello(&mut b, &ih1)?;
-        let ic1 = proc_resp_hello(&mut a, &rh1)?;
-        let rc1 = proc_init_conf(&mut b, &ic1)?;
-
-        // Modified version of ic1 and rc1, for tests that require it
-        let ic1_broken = break_payload(&mut a, b_peer, &ic1)?;
-        assert_ne!(ic1.as_bytes(), ic1_broken.as_bytes());
-
-        // Modified version of rc1, for tests that require it
-        let rc1_broken = break_payload(&mut b, a_peer, &rc1)?;
-        assert_ne!(rc1.as_bytes(), rc1_broken.as_bytes());
-
-        // Retransmission works as designed
-        check_retransmission(&mut b, &ic1, &ic1_broken, &rc1)?;
-
-        // Even with a couple of poll operations in between (which clears the cache
-        // after a time out of two minutes…we should never hit this time out in this
-        // cache)
-        for _ in 0..4 {
-            poll(&mut b)?;
-            check_retransmission(&mut b, &ic1, &ic1_broken, &rc1)?;
-        }
-
-        // We can even validate that the data is coming out of the cache by changing the cache
-        // to use our broken messages. It does not matter that these messages are cryptographically
-        // broken since we insert them manually into the cache
-        // a_peer.known_init_conf_response()
-        KnownInitConfResponsePtr::insert_for_request_msg(
-            &mut b,
-            a_peer,
-            &ic1_broken,
-            rc1_broken.clone(),
-        );
-        check_retransmission(&mut b, &ic1_broken, &ic1, &rc1_broken)?;
-
-        // Lets reset to the correct message though
-        KnownInitConfResponsePtr::insert_for_request_msg(&mut b, a_peer, &ic1, rc1.clone());
-
-        // Again, nothing changes after calling poll
-        poll(&mut b)?;
-        check_retransmission(&mut b, &ic1, &ic1_broken, &rc1)?;
-
-        // Except if we jump forward into the future past the point where the responder
-        // starts to initiate rekeying; in this case, the automatic time out is triggered and the cache is cleared
-        time_travel_forward(&mut b, REKEY_AFTER_TIME_RESPONDER);
-
-        // As long as we do not call poll, everything is fine
-        check_retransmission(&mut b, &ic1, &ic1_broken, &rc1)?;
-
-        // But after we do, the response is gone and can not be recreated
-        // since the biscuit is stale
-        poll(&mut b)?;
-        check_faulty_proc_init_conf(&mut b, &ic1); // ic1 is now effectively broken
-        assert!(b.peers[0].known_init_conf_response.is_none()); // The cache is gone
-
-        Ok(())
-    }
 }

rp/Cargo.toml

@@ -12,6 +12,8 @@ repository = "https://github.com/rosenpass/rosenpass"
 [dependencies]
 anyhow = { workspace = true }
 base64ct = { workspace = true }
+serde = { workspace = true }
+toml = { workspace = true }
 x25519-dalek = { version = "2", features = ["static_secrets"] }
 zeroize = { workspace = true }
 

rp/src/cli.rs

@@ -12,6 +12,9 @@ pub enum Command {
         public_keys_dir: PathBuf,
     },
     Exchange(ExchangeOptions),
+    ExchangeConfig {
+        config_file: PathBuf,
+    },
     Help,
 }
 
@@ -19,6 +22,7 @@ enum CommandType {
     GenKey,
     PubKey,
     Exchange,
+    ExchangeConfig,
 }
 
 #[derive(Default)]
@@ -32,9 +36,10 @@ fn fatal<T>(note: &str, command: Option<CommandType>) -> Result<T, String> {
         Some(command) => match command {
             CommandType::GenKey => Err(format!("{}\nUsage: rp genkey PRIVATE_KEYS_DIR", note)),
             CommandType::PubKey => Err(format!("{}\nUsage: rp pubkey PRIVATE_KEYS_DIR PUBLIC_KEYS_DIR", note)),
-            CommandType::Exchange => Err(format!("{}\nUsage: rp exchange PRIVATE_KEYS_DIR [dev <device>] [listen <ip>:<port>] [peer PUBLIC_KEYS_DIR [endpoint <ip>:<port>] [persistent-keepalive <interval>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...]]...", note)),
+            CommandType::Exchange => Err(format!("{}\nUsage: rp exchange PRIVATE_KEYS_DIR [dev <device>] [ip <ip1>/<cidr1>] [listen <ip>:<port>] [peer PUBLIC_KEYS_DIR [endpoint <ip>:<port>] [persistent-keepalive <interval>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...]]...", note)),
+            CommandType::ExchangeConfig => Err(format!("{}\nUsage: rp exchange-config <CONFIG_FILE>", note)),
         },
-        None => Err(format!("{}\nUsage: rp [verbose] genkey|pubkey|exchange [ARGS]...", note)),
+        None => Err(format!("{}\nUsage: rp [verbose] genkey|pubkey|exchange|exchange-config [ARGS]...", note)),
     }
 }
 
@@ -144,6 +149,13 @@ impl ExchangeOptions {
                         return fatal("dev option requires parameter", Some(CommandType::Exchange));
                     }
                 }
+                "ip" => {
+                    if let Some(ip) = args.next() {
+                        options.ip = Some(ip);
+                    } else {
+                        return fatal("is option requires parameter", Some(CommandType::Exchange));
+                    }
+                }
                 "listen" => {
                     if let Some(addr) = args.next() {
                         if let Ok(addr) = addr.parse::<SocketAddr>() {
@@ -246,6 +258,21 @@ impl Cli {
                     let options = ExchangeOptions::parse(&mut args)?;
                     cli.command = Some(Command::Exchange(options));
                 }
+                "exchange-config" => {
+                    if cli.command.is_some() {
+                        return fatal("Too many commands supplied", None);
+                    }
+
+                    if let Some(config_file) = args.next() {
+                        let config_file = PathBuf::from(config_file);
+                        cli.command = Some(Command::ExchangeConfig { config_file });
+                    } else {
+                        return fatal(
+                            "Required position argument: CONFIG_FILE",
+                            Some(CommandType::ExchangeConfig),
+                        );
+                    }
+                }
                 "help" => {
                     cli.command = Some(Command::Help);
                 }

rp/src/exchange.rs

@@ -1,11 +1,17 @@
-use std::{net::SocketAddr, path::PathBuf};
+use anyhow::Error;
+use serde::Deserialize;
+use std::future::Future;
+use std::ops::DerefMut;
+use std::pin::Pin;
+use std::sync::Arc;
+use std::{net::SocketAddr, path::PathBuf, process::Command};
 
 use anyhow::Result;
 
 #[cfg(any(target_os = "linux", target_os = "freebsd"))]
 use crate::key::WG_B64_LEN;
 
-#[derive(Default)]
+#[derive(Default, Deserialize)]
 pub struct ExchangePeer {
     pub public_keys_dir: PathBuf,
     pub endpoint: Option<SocketAddr>,
@@ -13,11 +19,12 @@ pub struct ExchangePeer {
     pub allowed_ips: Option<String>,
 }
 
-#[derive(Default)]
+#[derive(Default, Deserialize)]
 pub struct ExchangeOptions {
     pub verbose: bool,
     pub private_keys_dir: PathBuf,
     pub dev: Option<String>,
+    pub ip: Option<String>,
     pub listen: Option<SocketAddr>,
     pub peers: Vec<ExchangePeer>,
 }
@@ -131,6 +138,27 @@ mod netlink {
     }
 }
 
+#[derive(Clone)]
+#[cfg(any(target_os = "linux", target_os = "freebsd"))]
+struct CleanupHandlers(
+    Arc<::futures::lock::Mutex<Vec<Pin<Box<dyn Future<Output = Result<(), Error>> + Send>>>>>,
+);
+
+#[cfg(any(target_os = "linux", target_os = "freebsd"))]
+impl CleanupHandlers {
+    fn new() -> Self {
+        CleanupHandlers(Arc::new(::futures::lock::Mutex::new(vec![])))
+    }
+
+    async fn enqueue(&self, handler: Pin<Box<dyn Future<Output = Result<(), Error>> + Send>>) {
+        self.0.lock().await.push(Box::pin(handler))
+    }
+
+    async fn run(self) -> Result<Vec<()>, Error> {
+        futures::future::try_join_all(self.0.lock().await.deref_mut()).await
+    }
+}
+
 #[cfg(any(target_os = "linux", target_os = "freebsd"))]
 pub async fn exchange(options: ExchangeOptions) -> Result<()> {
     use std::fs;
@@ -151,15 +179,50 @@ pub async fn exchange(options: ExchangeOptions) -> Result<()> {
     let (connection, rtnetlink, _) = rtnetlink::new_connection()?;
     tokio::spawn(connection);
 
-    let link_name = options.dev.unwrap_or("rosenpass0".to_string());
+    let link_name = options.dev.clone().unwrap_or("rosenpass0".to_string());
     let link_index = netlink::link_create_and_up(&rtnetlink, link_name.clone()).await?;
 
+    let cleanup_handlers = CleanupHandlers::new();
+    let final_cleanup_handlers = (&cleanup_handlers).clone();
+
+    cleanup_handlers
+        .enqueue(Box::pin(async move {
+            netlink::link_cleanup_standalone(link_index).await
+        }))
+        .await;
+
     ctrlc_async::set_async_handler(async move {
-        netlink::link_cleanup_standalone(link_index)
+        final_cleanup_handlers
+            .run()
             .await
             .expect("Failed to clean up");
     })?;
 
+    if let Some(ip) = options.ip {
+        let dev = options.dev.clone().unwrap_or("rosenpass0".to_string());
+        Command::new("ip")
+            .arg("address")
+            .arg("add")
+            .arg(ip.clone())
+            .arg("dev")
+            .arg(dev.clone())
+            .status()
+            .expect("failed to configure ip");
+        cleanup_handlers
+            .enqueue(Box::pin(async move {
+                Command::new("ip")
+                    .arg("address")
+                    .arg("del")
+                    .arg(ip)
+                    .arg("dev")
+                    .arg(dev)
+                    .status()
+                    .expect("failed to remove ip");
+                Ok(())
+            }))
+            .await;
+    }
+
     // Deploy the classic wireguard private key
     let (connection, mut genetlink, _) = genetlink::new_connection()?;
     tokio::spawn(connection);
@@ -254,6 +317,29 @@ pub async fn exchange(options: ExchangeOptions) -> Result<()> {
             broker_peer,
             peer.endpoint.map(|x| x.to_string()),
         )?;
+
+        // Configure routes
+        if let Some(allowed_ips) = peer.allowed_ips {
+            Command::new("ip")
+                .arg("route")
+                .arg("replace")
+                .arg(allowed_ips.clone())
+                .arg("dev")
+                .arg(options.dev.clone().unwrap_or("rosenpass0".to_string()))
+                .status()
+                .expect("failed to configure route");
+            cleanup_handlers
+                .enqueue(Box::pin(async move {
+                    Command::new("ip")
+                        .arg("route")
+                        .arg("del")
+                        .arg(allowed_ips)
+                        .status()
+                        .expect("failed to remove ip");
+                    Ok(())
+                }))
+                .await;
+        }
     }
 
     let out = srv.event_loop();

rp/src/main.rs

@@ -1,4 +1,4 @@
-use std::process::exit;
+use std::{fs, process::exit};
 
 use cli::{Cli, Command};
 use exchange::exchange;
@@ -36,6 +36,13 @@ async fn main() {
             options.verbose = cli.verbose;
             exchange(options).await
         }
+        Command::ExchangeConfig { config_file } => {
+            let s: String = fs::read_to_string(config_file).expect("cannot read config");
+            let mut options: exchange::ExchangeOptions =
+                toml::from_str::<exchange::ExchangeOptions>(&s).expect("cannot parse config");
+            options.verbose = options.verbose || cli.verbose;
+            exchange(options).await
+        }
         Command::Help => {
             println!("Usage: rp [verbose] genkey|pubkey|exchange [ARGS]...");
             Ok(())

systemd/rosenpass.target

@@ -0,0 +1,2 @@
+[Unit]
+Description=Rosenpass target

systemd/rosenpass@.service

@@ -0,0 +1,47 @@
+[Unit]
+Description=Rosenpass key exchange for %I
+Documentation=man:rosenpass(1)
+Documentation=https://rosenpass.eu/docs
+
+After=network-online.target nss-lookup.target sys-devices-virtual-net-%i.device
+Wants=network-online.target nss-lookup.target
+BindsTo=sys-devices-virtual-net-%i.device
+PartOf=rosenpass.target
+
+[Service]
+ExecStart=rosenpass exchange-config /etc/rosenpass/%i.toml
+LoadCredential=pqsk:/etc/rosenpass/%i/pqsk
+
+AmbientCapabilities=CAP_NET_ADMIN
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_IPC_LOCK CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYSLOG CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DynamicUser=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+RestrictAddressFamilies=AF_NETLINK AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

systemd/rp@.service

@@ -0,0 +1,48 @@
+[Unit]
+Description=Rosenpass key exchange for %I
+Documentation=man:rosenpass(1)
+Documentation=https://rosenpass.eu/docs
+
+After=network-online.target nss-lookup.target
+Wants=network-online.target nss-lookup.target
+PartOf=rosenpass.target
+
+[Service]
+ExecStart=rp exchange-config /etc/rosenpass/%i.toml
+LoadCredential=pqpk:/etc/rosenpass/%i/pqpk
+LoadCredential=pqsk:/etc/rosenpass/%i/pqsk
+LoadCredential=wgsk:/etc/rosenpass/%i/wgsk
+
+AmbientCapabilities=CAP_NET_ADMIN
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_IPC_LOCK CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYSLOG CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DynamicUser=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+RestrictAddressFamilies=AF_NETLINK AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

tests/systemd/rosenpass.nix

@@ -0,0 +1,183 @@
+# This test is largely inspired from:
+# https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/rosenpass.nix
+# https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/wireguard/basic.nix
+{ pkgs, ... }:
+
+let
+  server = {
+    ip4 = "192.168.0.1";
+    ip6 = "fd00::1";
+    wg = {
+      ip4 = "10.23.42.1";
+      ip6 = "fc00::1";
+      public = "mQufmDFeQQuU/fIaB2hHgluhjjm1ypK4hJr1cW3WqAw=";
+      secret = "4N5Y1dldqrpsbaEiY8O0XBUGUFf8vkvtBtm8AoOX7Eo=";
+      listen = 10000;
+    };
+  };
+
+  client = {
+    ip4 = "192.168.0.2";
+    ip6 = "fd00::2";
+    wg = {
+      ip4 = "10.23.42.2";
+      ip6 = "fc00::2";
+      public = "Mb3GOlT7oS+F3JntVKiaD7SpHxLxNdtEmWz/9FMnRFU=";
+      secret = "uC5dfGMv7Oxf5UDfdPkj6rZiRZT2dRWp5x8IQxrNcUE=";
+    };
+  };
+
+  server_config = {
+    listen = [ "0.0.0.0:9999" ];
+    public_key = "/etc/rosenpass/rp0/pqpk";
+    secret_key = "/run/credentials/rosenpass@rp0.service/pqsk";
+    verbosity = "Verbose";
+    peers = [{
+      device = "rp0";
+      peer = client.wg.public;
+      public_key = "/etc/rosenpass/rp0/peers/client/pqpk";
+    }];
+  };
+  client_config = {
+    listen = [ "0.0.0.0:9999" ]; # TODO: Should not be necessary to set, but wouldn't parse.
+    public_key = "/etc/rosenpass/rp0/pqpk";
+    secret_key = "/run/credentials/rosenpass@rp0.service/pqsk";
+    verbosity = "Verbose";
+    peers = [{
+      device = "rp0";
+      peer = server.wg.public;
+      public_key = "/etc/rosenpass/rp0/peers/server/pqpk";
+      endpoint = "${server.ip4}:9999";
+    }];
+  };
+
+  config = pkgs.runCommand "config" { } ''
+    mkdir -pv $out
+    cp -v ${(pkgs.formats.toml {}).generate "rp0.toml" server_config} $out/server
+    cp -v ${(pkgs.formats.toml {}).generate "rp0.toml" client_config} $out/client
+  '';
+in
+{
+  name = "rosenpass unit";
+
+  nodes =
+    let
+      shared = peer: { config, modulesPath, pkgs, ... }: {
+        # Need to work around a problem in recent systemd changes.
+        # It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific
+        # https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767
+        # This can potentially be removed in future nixpkgs updates
+        systemd.packages = [
+          (pkgs.runCommand "rosenpass" { } ''
+            mkdir -p $out/lib/systemd/system
+            < ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target
+            < ${pkgs.rosenpass}/lib/systemd/system/rosenpass@.service \
+            sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.wireguard-tools}/bin@' |
+            sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' |
+            sed 's@^ExecStart=rosenpass @ExecStart='"${pkgs.rosenpass}"'/bin/rosenpass @' > $out/lib/systemd/system/rosenpass@.service
+          '')
+        ];
+        networking.wireguard = {
+          enable = true;
+          interfaces.rp0 = {
+            ips = [ "${peer.wg.ip4}/32" "${peer.wg.ip6}/128" ];
+            privateKeyFile = "/etc/wireguard/wgsk";
+          };
+        };
+        environment.etc."wireguard/wgsk".text = peer.wg.secret;
+        networking.interfaces.eth1 = {
+          ipv4.addresses = [{
+            address = peer.ip4;
+            prefixLength = 24;
+          }];
+          ipv6.addresses = [{
+            address = peer.ip6;
+            prefixLength = 64;
+          }];
+        };
+      };
+    in
+    {
+      server = {
+        imports = [ (shared server) ];
+        networking.firewall.allowedUDPPorts = [ 9999 server.wg.listen ];
+        networking.wireguard.interfaces.rp0 = {
+          listenPort = server.wg.listen;
+          peers = [
+            {
+              allowedIPs = [ client.wg.ip4 client.wg.ip6 ];
+              publicKey = client.wg.public;
+            }
+          ];
+        };
+      };
+      client = {
+        imports = [ (shared client) ];
+        networking.wireguard.interfaces.rp0 = {
+          peers = [
+            {
+              allowedIPs = [ "10.23.42.0/24" "fc00::/64" ];
+              publicKey = server.wg.public;
+              endpoint = "${server.ip4}:${toString server.wg.listen}";
+            }
+          ];
+        };
+      };
+    };
+  testScript = { ... }: ''
+    from os import system
+    rosenpass = "${pkgs.rosenpass}/bin/rosenpass"
+
+    start_all()
+
+    for machine in [server, client]:
+      machine.wait_for_unit("multi-user.target")
+      machine.wait_for_unit("network-online.target")
+
+    with subtest("Key, Config, and Service Setup"):
+      for name, machine, remote in [("server", server, client), ("client", client, server)]:
+        # generate all the keys
+        system(f"{rosenpass} gen-keys --public-key {name}-pqpk --secret-key {name}-pqsk")
+
+        # copy private keys to our side
+        machine.copy_from_host(f"{name}-pqsk", "/etc/rosenpass/rp0/pqsk")
+        machine.copy_from_host(f"{name}-pqpk", "/etc/rosenpass/rp0/pqpk")
+
+        # copy public keys to other side
+        remote.copy_from_host(f"{name}-pqpk", f"/etc/rosenpass/rp0/peers/{name}/pqpk")
+
+        machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/rp0.toml")
+
+      for machine in [server, client]:
+        machine.wait_for_unit("wireguard-rp0.service")
+
+    with subtest("wg network test"):
+      client.succeed("wg show all preshared-keys | grep none", timeout=5);
+      client.succeed("ping -c5 ${server.wg.ip4}")
+      server.succeed("ping -c5 ${client.wg.ip6}")
+
+    with subtest("Set up rosenpass"):
+      for machine in [server, client]:
+        machine.succeed("systemctl start rosenpass@rp0.service")
+
+      for machine in [server, client]:
+        machine.wait_for_unit("rosenpass@rp0.service")
+
+
+    with subtest("compare preshared keys"):
+      client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
+      server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
+
+      def get_psk(m):
+        psk = m.succeed("wg show rp0 preshared-keys | awk '{print $2}'")
+        psk = psk.strip()
+        assert len(psk.split()) == 1, "Only one PSK"
+        return psk
+
+      assert get_psk(client) == get_psk(server), "preshared keys need to match"
+
+    with subtest("rosenpass network test"):
+      client.succeed("ping -c5 ${server.wg.ip4}")
+      server.succeed("ping -c5 ${client.wg.ip6}")
+  '';
+}

tests/systemd/rp.nix

@@ -0,0 +1,139 @@
+{ pkgs, ... }:
+
+let
+  server = {
+    ip4 = "192.168.0.1";
+    ip6 = "fd00::1";
+    wg = {
+      ip6 = "fc00::1";
+      listen = 10000;
+    };
+  };
+
+  client = {
+    ip4 = "192.168.0.2";
+    ip6 = "fd00::2";
+    wg = {
+      ip6 = "fc00::2";
+    };
+  };
+
+  server_config = {
+    listen = "${server.ip4}:9999";
+    private_keys_dir = "/run/credentials/rp@test-rp-device0.service";
+    verbose = true;
+    dev = "test-rp-device0";
+    ip = "fc00::1/64";
+    peers = [{
+      public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/client";
+      allowed_ips = "fc00::2";
+    }];
+  };
+  client_config = {
+    private_keys_dir = "/run/credentials/rp@test-rp-device0.service";
+    verbose = true;
+    dev = "test-rp-device0";
+    ip = "fc00::2/128";
+    peers = [{
+      public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/server";
+      endpoint = "${server.ip4}:9999";
+      allowed_ips = "fc00::/64";
+    }];
+  };
+
+  config = pkgs.runCommand "config" { } ''
+    mkdir -pv $out
+    cp -v ${(pkgs.formats.toml {}).generate "test-rp-device0.toml" server_config} $out/server
+    cp -v ${(pkgs.formats.toml {}).generate "test-rp-device0.toml" client_config} $out/client
+  '';
+in
+{
+  name = "rp systemd unit";
+
+  nodes =
+    let
+      shared = peer: { config, modulesPath, pkgs, ... }: {
+        # Need to work around a problem in recent systemd changes.
+        # It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific
+        # https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767
+        # This can potentially be removed in future nixpkgs updates
+        systemd.packages = [
+          (pkgs.runCommand "rp@.service" { } ''
+            mkdir -p $out/lib/systemd/system
+            < ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target
+            < ${pkgs.rosenpass}/lib/systemd/system/rp@.service \
+            sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.iproute2}/bin:${pkgs.wireguard-tools}/bin@' |
+            sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' |
+            sed 's@^ExecStart=rp @ExecStart='"${pkgs.rosenpass}"'/bin/rp @' > $out/lib/systemd/system/rp@.service
+          '')
+        ];
+        environment.systemPackages = [ pkgs.wireguard-tools ];
+        networking.interfaces.eth1 = {
+          ipv4.addresses = [{
+            address = peer.ip4;
+            prefixLength = 24;
+          }];
+          ipv6.addresses = [{
+            address = peer.ip6;
+            prefixLength = 64;
+          }];
+        };
+      };
+    in
+    {
+      server = {
+        imports = [ (shared server) ];
+        networking.firewall.allowedUDPPorts = [ 9999 server.wg.listen ];
+      };
+      client = {
+        imports = [ (shared client) ];
+      };
+    };
+  testScript = { ... }: ''
+    from os import system
+    rp = "${pkgs.rosenpass}/bin/rp"
+
+    start_all()
+
+    for machine in [server, client]:
+      machine.wait_for_unit("multi-user.target")
+      machine.wait_for_unit("network-online.target")
+
+    with subtest("Key, Config, and Service Setup"):
+      for name, machine, remote in [("server", server, client), ("client", client, server)]:
+        # create all the keys
+        system(f"{rp} genkey {name}-sk")
+        system(f"{rp} pubkey {name}-sk {name}-pk")
+
+        # copy secret keys to our side
+        for file in ["pqpk", "pqsk", "wgsk"]:
+          machine.copy_from_host(f"{name}-sk/{file}", f"/etc/rosenpass/test-rp-device0/{file}")
+        # copy public keys to other side
+        for file in ["pqpk", "wgpk"]:
+          remote.copy_from_host(f"{name}-pk/{file}", f"/etc/rosenpass/test-rp-device0/peers/{name}/{file}")
+
+        machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/test-rp-device0.toml")
+
+      for machine in [server, client]:
+        machine.succeed("systemctl start rp@test-rp-device0.service")
+
+      for machine in [server, client]:
+        machine.wait_for_unit("rp@test-rp-device0.service")
+
+    with subtest("compare preshared keys"):
+      client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
+      server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
+
+      def get_psk(m):
+        psk = m.succeed("wg show test-rp-device0 preshared-keys | awk '{print $2}'")
+        psk = psk.strip()
+        assert len(psk.split()) == 1, "Only one PSK"
+        return psk
+
+      assert get_psk(client) == get_psk(server), "preshared keys need to match"
+
+    with subtest("network test"):
+      client.succeed("ping -c5 ${server.wg.ip6}")
+      server.succeed("ping -c5 ${client.wg.ip6}")
+  '';
+}

util/src/time.rs

@@ -17,7 +17,7 @@ use std::time::Instant;
 /// ```
 
 #[derive(Clone, Debug)]
-pub struct Timebase(pub Instant);
+pub struct Timebase(Instant);
 
 impl Default for Timebase {
     // TODO: Implement new()?