Prettier

The script can be used to simulate setups of different sizes. A short
description is added to the `misc/` folder for further information.

This can be used for both benchmarking but also hunting down bugs which
may occur with larger setups.

Signed-off-by: Paul Spooren <mail@aparcar.org>

.ci/run-regression.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+iterations=$1
+sleep_time=$2
+
+PWD=$(pwd)
+EXEC=$PWD/target/release/rosenpass
+LOGS=$PWD/output/logs
+
+mkdir -p output/logs
+
+run_command() {
+  local file=$1
+  local log_file="$2"
+  ($EXEC exchange-config $file 2>&1 | sed "s/^/[$2] /" | tee -a $log_file) &
+  echo $!
+}
+
+pids=()
+
+(cd output/dut && run_command "configs/dut-$iterations.toml" "dut.log") & piddut=$!
+for (( x=0; x<$iterations; x++ )); do
+  (cd output/ate && run_command "configs/ate-$x.toml" "ate-$x.log") & pids+=($!)
+done
+
+sleep $sleep_time
+
+lsof -i :9999 | awk 'NR!=1 {print $2}' | xargs kill
+
+for (( x=0; x<$iterations; x++ )); do
+    port=$((x + 50000))
+    lsof -i :$port | awk 'NR!=1 {print $2}' | xargs kill
+done

.github/workflows/qc.yaml

@@ -176,8 +176,12 @@ jobs:
           cargo fuzz run fuzz_handle_msg -- -max_total_time=5
           ulimit -s 8192000 && RUST_MIN_STACK=33554432000 && cargo fuzz run fuzz_kyber_encaps -- -max_total_time=5
           cargo fuzz run fuzz_mceliece_encaps -- -max_total_time=5
-          cargo fuzz run fuzz_box_secret_alloc -- -max_total_time=5
-          cargo fuzz run fuzz_vec_secret_alloc -- -max_total_time=5
+          cargo fuzz run fuzz_box_secret_alloc_malloc -- -max_total_time=5
+          cargo fuzz run fuzz_box_secret_alloc_memfdsec -- -max_total_time=5
+          cargo fuzz run fuzz_box_secret_alloc_memfdsec_mallocfb -- -max_total_time=5
+          cargo fuzz run fuzz_vec_secret_alloc_malloc -- -max_total_time=5
+          cargo fuzz run fuzz_vec_secret_alloc_memfdsec -- -max_total_time=5
+          cargo fuzz run fuzz_vec_secret_alloc_memfdsec_mallocfb -- -max_total_time=5
 
   codecov:
     runs-on: ubuntu-latest

.github/workflows/regressions.yml

@@ -0,0 +1,19 @@
+name: QC
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  checks: write
+  contents: read
+
+jobs:
+  multi-peer:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: cargo build --bin rosenpass --release
+      - run: python misc/generate_configs.py
+      - run: chmod +x .ci/run-regression.sh
+      - run: .ci/run-regression.sh 100 20

.gitignore

@@ -20,3 +20,5 @@ _markdown_*
 **/result
 **/result-*
 .direnv
+
+/output

Cargo.toml

@@ -12,15 +12,11 @@ members = [
     "fuzz",
     "secret-memory",
     "rp",
-    "wireguard-broker"
-]
-
-default-members = [
-    "rosenpass",
-    "rp",
     "wireguard-broker",
 ]
 
+default-members = ["rosenpass", "rp", "wireguard-broker"]
+
 [workspace.metadata.release]
 # ensure that adding `--package` as argument to `cargo release` still creates version tags in the form of `vx.y.z`
 tag-prefix = ""
@@ -45,18 +41,24 @@ env_logger = "0.10.2"
 toml = "0.7.8"
 static_assertions = "1.1.0"
 allocator-api2 = "0.2.14"
-memsec = "0.6.3"
+memsec = { git="https://github.com/rosenpass/memsec.git" ,rev="aceb9baee8aec6844125bd6612f92e9a281373df", features = [ "alloc_ext", ] }
 rand = "0.8.5"
 typenum = "1.17.0"
 log = { version = "0.4.21" }
-clap = { version = "4.5.6", features = ["derive"] }
+clap = { version = "4.5.7", features = ["derive"] }
 serde = { version = "1.0.203", features = ["derive"] }
 arbitrary = { version = "1.3.2", features = ["derive"] }
 anyhow = { version = "1.0.86", features = ["backtrace", "std"] }
 mio = { version = "0.8.11", features = ["net", "os-poll"] }
-oqs-sys = { version = "0.9.1", default-features = false, features = ['classic_mceliece', 'kyber']  }
+oqs-sys = { version = "0.9.1", default-features = false, features = [
+    'classic_mceliece',
+    'kyber',
+] }
 blake2 = "0.10.6"
-chacha20poly1305 = { version = "0.10.1", default-features = false, features = [ "std", "heapless" ] }
+chacha20poly1305 = { version = "0.10.1", default-features = false, features = [
+    "std",
+    "heapless",
+] }
 zerocopy = { version = "0.7.34", features = ["derive"] }
 home = "0.5.9"
 derive_builder = "0.20.0"
@@ -65,12 +67,14 @@ postcard= {version = "1.0.8", features = ["alloc"]}
 
 #Dev dependencies
 serial_test = "3.1.1"
-tempfile="3"
+tempfile = "3"
 stacker = "0.1.15"
 libfuzzer-sys = "0.4"
 test_bin = "0.4.0"
 criterion = "0.4.0"
 allocator-api2-tests = "0.2.15"
+procspawn = {version = "1.0.0", features= ["test-support"]}
+
 
 #Broker dependencies (might need cleanup or changes)
 wireguard-uapi = "3.0.0"

analysis/01_secrecy.entry.mpv

@@ -3,33 +3,12 @@
 #define SESSION_START_EVENTS 0
 #define RANDOMIZED_CALL_IDS 0
 
-
 #include "config.mpv"
 #include "prelude/basic.mpv"
 #include "crypto/key.mpv"
 #include "crypto/kem.mpv"
-
 #include "rosenpass/oracles.mpv"
 
-nounif v:seed_prec;   attacker(prepare_seed(trusted_seed( v )))/6217[hypothesis].
-nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
-nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
-nounif v:key_prec;    attacker(prepare_key(trusted_key( v )))/6213[hypothesis].
-nounif v:kem_sk_prec; attacker(prepare_kem_sk(trusted_kem_sk( v )))/6212[hypothesis].
-nounif v:key;         attacker(prepare_key( v ))/6211[hypothesis].
-nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].
-nounif Spk:kem_sk_tmpl;
-  attacker(Creveal_kem_pk(Spk))/6110[conclusion].
-nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-  attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr ))/6109[conclusion].
-nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-  attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/6108[conclusion].
-nounif rh:RespHello_t;
-  attacker(Cresp_hello( *rh ))/6107[conclusion].
-nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-  attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/6106[conclusion].
-
 let main = rosenpass_main.
 
 @lemma "state coherence, initiator: Initiator accepting a RespHello message implies they also generated the associated InitHello message"

analysis/02_availability.entry.mpv

@@ -10,26 +10,6 @@
 
 let main = rosenpass_main.
 
-nounif v:seed_prec;   attacker(prepare_seed(trusted_seed( v )))/6217[hypothesis].
-nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
-nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
-nounif v:key_prec;    attacker(prepare_key(trusted_key( v )))/6213[hypothesis].
-nounif v:kem_sk_prec; attacker(prepare_kem_sk(trusted_kem_sk( v )))/6212[hypothesis].
-nounif v:key;         attacker(prepare_key( v ))/6211[hypothesis].
-nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].
-nounif Spk:kem_sk_tmpl;
-  attacker(Creveal_kem_pk(Spk))/6110[conclusion].
-nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-  attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr ))/6109[conclusion].
-nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-  attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/6108[conclusion].
-nounif rh:RespHello_t;
-  attacker(Cresp_hello( *rh ))/6107[conclusion].
-nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-  attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/6106[conclusion].
-
-
 @lemma "non-interruptability: Adv cannot prevent a genuine InitHello message from being accepted"
 lemma ih:InitHello_t, psk:key, sski:kem_sk, sskr:kem_sk;
   event(IHRjct(ih, psk, sskr, kem_pub(sski)))

analysis/config.mpv

@@ -88,18 +88,6 @@ set verboseCompleted=VERBOSE.
 #define SES_EV(...)
 #endif
 
-#if COOKIE_EVENTS
-#define COOKIE_EV(...) __VA_ARGS__
-#else
-#define COOKIE_EV(...)
-#endif
-
-#if KEM_EVENTS
-#define KEM_EV(...) __VA_ARGS__
-#else
-#define KEM_EV(...)
-#endif
-
 
 (* TODO: Authentication timing properties *)
 (* TODO: Proof that every adversary submitted package is equivalent to one generated by the proper algorithm using different coins. This probably requires introducing an oracle that extracts the coins used and explicitly adding the notion of coins used for Packet->Packet steps and an inductive RNG notion. *)

analysis/rosenpass/oracles.mpv

@@ -41,32 +41,23 @@ restriction s:seed, p1:Atom, p2:Atom, ad1:Atom, ad2:Atom;
   event(ConsumeSeed(p1, s, ad1)) && event(ConsumeSeed(p2, s, ad2))
     ==> p1 = p2 && ad1 = ad2.
 
-letfun create_mac2(k:key, msg:bits) = prf(k,msg).
-
 #include "rosenpass/responder.macro"
 fun Cinit_conf(kem_sk_tmpl, key_tmpl, kem_pk_tmpl, InitConf_t) : Atom [data].
 CK_EV(  event OskOinit_conf(key, key). )
 MTX_EV( event ICRjct(InitConf_t, key, kem_sk, kem_pk). )
 SES_EV( event ResponderSession(InitConf_t, key). )
-KEM_EV(event Oinit_conf_KemUse(SessionId, SessionId, Atom).)
-#ifdef KEM_EVENTS
-  restriction sidi:SessionId, sidr:SessionId, ad1:Atom, ad2:Atom;
-    event(Oinit_conf_KemUse(sidi, sidr, ad1)) && event(Oinit_conf_KemUse(sidi, sidr, ad2))
-      ==> ad1 = ad2.
-#endif
 event ConsumeBiscuit(Atom, kem_sk, kem_pk, Atom).
-
-fun Ccookie(key, bits) : Atom[data].
-
-let Oinit_conf_inner(Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t, call:Atom) =
-
+let Oinit_conf() = 
+  in(C, Cinit_conf(Ssskm, Spsk, Sspkt, ic));
+#if RANDOMIZED_CALL_IDS
+  new call:Atom;
+#else
+  call <- Cinit_conf(Ssskm, Spsk, Sspkt, ic);
+#endif
   SETUP_HANDSHAKE_STATE()
-
   eski <- kem_sk0;
   epki <- kem_pk0;
   let try_ = (
-    let InitConf(sidi, sidr, biscuit, auth) = ic in 
-    KEM_EV(event Oinit_conf_KemUse(sidi, sidr, call);)
     INITCONF_CONSUME()
     event ConsumeBiscuit(biscuit_no, sskm, spkt, call);
     CK_EV(  event OskOinit_conf(ck_rh, osk); )
@@ -82,20 +73,10 @@ let Oinit_conf_inner(Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:Ini
 #endif
   ).
 
-let Oinit_conf() = 
-
-  in(C, Cinit_conf(Ssskm, Spsk, Sspkt, ic));
-  #if RANDOMIZED_CALL_IDS
-    new call:Atom;
-  #else
-    call <- Cinit_conf(Ssskm, Spsk, Sspkt, ic);
-  #endif
-
-  Oinit_conf_inner(Ssskm, Spsk, Sspkt, ic, call).
-
 restriction biscuit_no:Atom, sskm:kem_sk, spkr:kem_pk, ad1:Atom, ad2:Atom;
   event(ConsumeBiscuit(biscuit_no, sskm, spkr, ad1)) && event(ConsumeBiscuit(biscuit_no, sskm, spkr, ad2))
     ==> ad1 = ad2.
+
 // TODO: Restriction biscuit no invalidation
 
 #include "rosenpass/initiator.macro"
@@ -104,29 +85,11 @@ CK_EV(  event OskOresp_hello(key, key, key). )
 MTX_EV( event RHRjct(RespHello_t, key, kem_sk, kem_pk). )
 MTX_EV( event ICSent(RespHello_t, InitConf_t, key, kem_sk, kem_pk). )
 SES_EV( event InitiatorSession(RespHello_t, key). )
-
-KEM_EV(event Oresp_hello_KemUse(SessionId, SessionId, Atom).)
-#ifdef KEM_EVENTS
-restriction sidi:SessionId, sidr:SessionId, ad1:Atom, ad2:Atom;
-  event(Oresp_hello_KemUse(sidi, sidr, ad1)) && event(Oresp_hello_KemUse(sidi, sidr, ad2))
-    ==> ad1 = ad2.
-#endif
-
-#ifdef COOKIE_EVENTS
-COOKIE_EVENTS(Oresp_hello)
-#endif
-let Oresp_hello(HS_DECL_ARGS, C_in:channel, call:Atom) =
-  in(C_in, Cresp_hello(RespHello(sidr, =sidi, ecti, scti, biscuit, auth)));
-  in(C_in, mac2_key:key);
+let Oresp_hello(HS_DECL_ARGS) =
+  in(C, Cresp_hello(RespHello(sidr, =sidi, ecti, scti, biscuit, auth)));
   rh <- RespHello(sidr, sidi, ecti, scti, biscuit, auth);
-  #ifdef COOKIE_EVENTS
-    msg <- RH2b(rh);
-
-    COOKIE_PROCESS(Oresp_hello,
-  #endif
   /* try */ let ic = (
     ck_ini <- ck;
-      KEM_EV(event Oresp_hello_KemUse(sidi, sidr, call);)
     RESPHELLO_CONSUME()
     ck_ih <- ck;
     INITCONF_PRODUCE()
@@ -135,25 +98,14 @@ let Oresp_hello(HS_DECL_ARGS, C_in:channel, call:Atom) =
     SES_EV( event InitiatorSession(rh, osk); )
     ic
   /* success */ ) in (
-      icbits <- IC2b(ic);
-      mac <- create_mac(spkt, icbits);
-      mac2 <- create_mac2(mac2_key, mac_envelope2b(mac));
-      out(C_in, ic);
-      out(C_in, mac);
-      out(C_in, mac2)
-
+    out(C, ic)
   /* fail */ ) else (
-  #if MESSAGE_TRANSMISSION_EVENTS
+#if MESSAGE_TRANSMISSION_EVENTS
     event RHRjct(rh, psk, sski, spkr)
-  #else
-      0
-  #endif
-    )
-#ifdef COOKIE_EVENTS
-  )
 #else
-  .
+    0
 #endif
+  ).
 
 // TODO: Restriction: Biscuit no invalidation
 
@@ -164,33 +116,24 @@ MTX_EV( event IHRjct(InitHello_t, key, kem_sk, kem_pk). )
 MTX_EV( event RHSent(InitHello_t, RespHello_t, key, kem_sk, kem_pk). )
 event ConsumeSidr(SessionId, Atom).
 event ConsumeBn(Atom, kem_sk, kem_pk, Atom).
-KEM_EV(event Oinit_hello_KemUse(SessionId, SessionId, Atom).)
-
-#ifdef KEM_EVENTS
-restriction sidi:SessionId, sidr:SessionId, ad1:Atom, ad2:Atom;
-  event(Oinit_hello_KemUse(sidi, sidr, ad1)) && event(Oinit_hello_KemUse(sidi, sidr, ad2))
-    ==> ad1 = ad2.
+let Oinit_hello() = 
+  in(C, Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih));
+#if RANDOMIZED_CALL_IDS
+  new call:Atom;
+#else
+  call <- Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih);
 #endif
-
-let Oinit_hello_inner(sidm:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt: kem_sk_tmpl, Septi: seed_tmpl, Sspti: seed_tmpl, ih: InitHello_t, mac2_key:key, C_out:channel, call:Atom) = 
   // TODO: This is ugly
   let InitHello(sidi, epki, sctr, pidiC, auth) = ih in
-
   SETUP_HANDSHAKE_STATE()
-
   eski <- kem_sk0;
-
-  event ConsumeBn(biscuit_no, sskm, spkt, call);
-  event ConsumeSidr(sidr, call);
-
   epti <- rng_key(setup_seed(Septi)); // RHR4
   spti <- rng_key(setup_seed(Sspti)); // RHR5
+  event ConsumeBn(biscuit_no, sskm, spkt, call);
+  event ConsumeSidr(sidr, call);
   event ConsumeSeed(Epti, setup_seed(Septi), call);
   event ConsumeSeed(Spti, setup_seed(Sspti), call);
-  // out(C_out, spkt);
-
   let rh = (
-    KEM_EV(event Oinit_hello_KemUse(sidi, sidr, call);)
     INITHELLO_CONSUME()
     ck_ini <- ck;
     RESPHELLO_PRODUCE()
@@ -198,14 +141,7 @@ let Oinit_hello_inner(sidm:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:k
     MTX_EV( event RHSent(ih, rh, psk, sskr, spki); )
     rh
   /* success */ ) in (
-    rhbits <- RH2b(rh);
-    mac <- create_mac(spkt, rhbits);
-    
-    out(C_out, rh);
-    out(C_out, mac);
-    mac2 <- create_mac2(mac2_key, mac_envelope2b(mac));
-    out(C_out, mac2)
-
+    out(C, rh)
   /* fail */ ) else (
 #if MESSAGE_TRANSMISSION_EVENTS
     event IHRjct(ih, psk, sskr, spki)
@@ -214,18 +150,6 @@ let Oinit_hello_inner(sidm:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:k
 #endif
   ).
 
-let Oinit_hello() = 
-  in(C, Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih));
-  in(C, mac2_key:key);
-
-  #if RANDOMIZED_CALL_IDS
-    new call:Atom;
-  #else
-    call <- Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih);
-  #endif
-
-  Oinit_hello_inner(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih, mac2_key, C, call).
-
 restriction sid:SessionId, ad1:Atom, ad2:Atom;
   event(ConsumeSidr(sid, ad1)) && event(ConsumeSidr(sid, ad2))
     ==> ad1 = ad2.
@@ -242,55 +166,27 @@ fun Cinitiator(SessionId, kem_sk_tmpl, key_tmpl, kem_pk_tmpl, seed_tmpl, seed_tm
 CK_EV( event OskOinitiator_ck(key). )
 CK_EV( event OskOinitiator(key, key, kem_sk, kem_pk, key). )
 MTX_EV( event IHSent(InitHello_t, key, kem_sk, kem_pk). )
-KEM_EV(event Oinitiator_inner_KemUse(SessionId, SessionId, Atom).)
-
-#ifdef KEM_EVENTS
-restriction sidi:SessionId, sidr:SessionId, ad1:Atom, ad2:Atom;
-  event(Oinitiator_inner_KemUse(sidi, sidr, ad1)) && event(Oinitiator_inner_KemUse(sidi, sidr, ad2))
-    ==> ad1 = ad2.
-#endif
 event ConsumeSidi(SessionId, Atom).
-
-let Oinitiator_inner(sidi: SessionId, Ssskm: kem_sk_tmpl, Spsk: key_tmpl, Sspkt: kem_sk_tmpl, Seski: seed_tmpl, Ssptr: seed_tmpl, last_cookie:key, C_out:channel, call:Atom) =
-
+let Oinitiator() =
+  in(C, Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr));
+#if RANDOMIZED_CALL_IDS
+  new call:Atom;
+#else
+  call <- Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr);
+#endif
   SETUP_HANDSHAKE_STATE()
-    sidr <- sid0;
-
-    KEM_EV(event Oinitiator_inner_KemUse(sidi, sidr, call);)
-
   RNG_KEM_PAIR(eski, epki, Seski) // IHI3
+  sidr <- sid0;
   sptr <- rng_key(setup_seed(Ssptr)); // IHI5
   event ConsumeSidi(sidi, call);
   event ConsumeSeed(Sptr, setup_seed(Ssptr), call);
   event ConsumeSeed(Eski, setup_seed(Seski), call);
-
   INITHELLO_PRODUCE()
   CK_EV( event OskOinitiator_ck(ck); ) 
   CK_EV( event OskOinitiator(ck, psk, sski, spkr, sptr); )
   MTX_EV( event IHSent(ih, psk, sski, spkr); )
-  
-    out(C_out, ih);
-    ihbits <- IH2b(ih);
-    mac <- create_mac(spkt, ihbits);
-    out(C_out, mac);
-    mac2 <- create_mac2(last_cookie, mac_envelope2b(mac));
-    out(C_out, mac2);
-
-    Oresp_hello(HS_PASS_ARGS, C_out, call).
-
-let Oinitiator() =
-
-  in(C, Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr));
-
-  #if RANDOMIZED_CALL_IDS
-    new call:Atom;
-  #else
-    call <- Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr);
-  #endif
-
-  in(C, last_cookie:key);
-  Oinitiator_inner(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr, last_cookie, C, call).
-
+  out(C, ih);
+  Oresp_hello(HS_PASS_ARGS).
 
 restriction sid:SessionId, ad1:Atom, ad2:Atom;
   event(ConsumeSidi(sid, ad1)) && event(ConsumeSidi(sid, ad2))
@@ -311,3 +207,21 @@ let rosenpass_main() = 0
   | REP(RESPONDER_BOUND, Oinit_hello)
   | REP(RESPONDER_BOUND, Oinit_conf).
 
+nounif v:seed_prec;   attacker(prepare_seed(trusted_seed( v )))/6217[hypothesis].
+nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
+nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
+nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
+nounif v:key_prec;    attacker(prepare_key(trusted_key( v )))/6213[hypothesis].
+nounif v:kem_sk_prec; attacker(prepare_kem_sk(trusted_kem_sk( v )))/6212[hypothesis].
+nounif v:key;         attacker(prepare_key( v ))/6211[hypothesis].
+nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].
+nounif Spk:kem_sk_tmpl;
+  attacker(Creveal_kem_pk(Spk))/6110[conclusion].
+nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
+  attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr ))/6109[conclusion].
+nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
+  attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/6108[conclusion].
+nounif rh:RespHello_t;
+  attacker(Cresp_hello( *rh ))/6107[conclusion].
+nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
+  attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/6106[conclusion].

analysis/rosenpass/protocol.mpv

@@ -2,26 +2,6 @@
 #include "crypto/kem.mpv"
 #include "rosenpass/handshake_state.mpv"
 
-fun Envelope(
-  key,
-  bits
-): bits [data].
-
-type mac_envelope_t.
-fun mac_envelope(
-  key,
-  bits
-) : mac_envelope_t.
-
-fun mac_envelope2b(mac_envelope_t) : bits [typeConverter].
-
-letfun create_mac(pk:kem_pk, payload:bits) = mac_envelope(lprf2(MAC, kem_pk2b(pk), payload), payload).
-
-fun mac_envelope_pk_test(mac_envelope_t, kem_pk) : bool
-  reduc forall pk:kem_pk, b:bits;
-    mac_envelope_pk_test(mac_envelope(prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pk2b(pk)),
-        b), b), pk) = true.
-
 type InitHello_t.
 fun InitHello(
   SessionId, // sidi
@@ -31,8 +11,6 @@ fun InitHello(
   bits       // auth
 ) : InitHello_t [data].
 
-fun IH2b(InitHello_t) : bitstring [typeConverter].
-
 #define INITHELLO_PRODUCE()       \
   ck <- lprf1(CK_INIT, kem_pk2b(spkr)); /* IHI1 */ \
   /* not handled here */                /* IHI2 */ \
@@ -63,8 +41,6 @@ fun RespHello(
     bits       // auth
 ) : RespHello_t [data].
 
-fun RH2b(RespHello_t) : bitstring [typeConverter].
-
 #define RESPHELLO_PRODUCE()                   \
   /* not handled here */           /* RHR1 */ \
   MIX2(sid2b(sidr), sid2b(sidi))   /* RHR3 */ \
@@ -91,14 +67,13 @@ fun InitConf(
     bits       // auth
 ) : InitConf_t [data].
 
-fun IC2b(InitConf_t) : bitstring [typeConverter].
-
 #define INITCONF_PRODUCE()                  \
   MIX2(sid2b(sidi), sid2b(sidr)) /* ICI3 */ \
   ENCRYPT_AND_MIX(auth, empty)   /* ICI4 */ \
   ic <- InitConf(sidi, sidr, biscuit, auth);
 
 #define INITCONF_CONSUME()                        \
+  let InitConf(sidi, sidr, biscuit, auth) = ic in \
   LOAD_BISCUIT(biscuit_no, biscuit)   /* ICR1 */    \
   ENCRYPT_AND_MIX(rh_auth, empty)     /* ICIR */    \
   ck_rh <- ck;                        /* ---- */ /* TODO: Move into oracles.mpv */ \

fuzz/Cargo.toml

@@ -48,13 +48,37 @@ test = false
 doc = false
 
 [[bin]]
-name = "fuzz_box_secret_alloc"
-path = "fuzz_targets/box_secret_alloc.rs"
+name = "fuzz_box_secret_alloc_malloc"
+path = "fuzz_targets/box_secret_alloc_malloc.rs"
 test = false
 doc = false
 
 [[bin]]
-name = "fuzz_vec_secret_alloc"
-path = "fuzz_targets/vec_secret_alloc.rs"
+name = "fuzz_vec_secret_alloc_malloc"
+path = "fuzz_targets/vec_secret_alloc_malloc.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_box_secret_alloc_memfdsec"
+path = "fuzz_targets/box_secret_alloc_memfdsec.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_vec_secret_alloc_memfdsec"
+path = "fuzz_targets/vec_secret_alloc_memfdsec.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_box_secret_alloc_memfdsec_mallocfb"
+path = "fuzz_targets/box_secret_alloc_memfdsec_mallocfb.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_vec_secret_alloc_memfdsec_mallocfb"
+path = "fuzz_targets/vec_secret_alloc_memfdsec_mallocfb.rs"
 test = false
 doc = false

fuzz/fuzz_targets/box_secret_alloc_malloc.rs

@@ -0,0 +1,12 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use rosenpass_secret_memory::alloc::secret_box;
+use rosenpass_secret_memory::policy::*;
+use std::sync::Once;
+static ONCE: Once = Once::new();
+
+fuzz_target!(|data: &[u8]| {
+    ONCE.call_once(secret_policy_use_only_malloc_secrets);
+    let _ = secret_box(data);
+});

fuzz/fuzz_targets/box_secret_alloc_memfdsec.rs

@@ -0,0 +1,13 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use rosenpass_secret_memory::alloc::secret_box;
+use rosenpass_secret_memory::policy::*;
+use std::sync::Once;
+
+static ONCE: Once = Once::new();
+
+fuzz_target!(|data: &[u8]| {
+    ONCE.call_once(secret_policy_use_only_memfd_secrets);
+    let _ = secret_box(data);
+});

fuzz/fuzz_targets/box_secret_alloc_memfdsec_mallocfb.rs

@@ -2,7 +2,12 @@
 
 use libfuzzer_sys::fuzz_target;
 use rosenpass_secret_memory::alloc::secret_box;
+use rosenpass_secret_memory::policy::*;
+use std::sync::Once;
+
+static ONCE: Once = Once::new();
 
 fuzz_target!(|data: &[u8]| {
+    ONCE.call_once(secret_policy_try_use_memfd_secrets);
     let _ = secret_box(data);
 });

fuzz/fuzz_targets/handle_msg.rs

@@ -6,9 +6,13 @@ use libfuzzer_sys::fuzz_target;
 use rosenpass::protocol::CryptoServer;
 use rosenpass_cipher_traits::Kem;
 use rosenpass_ciphers::kem::StaticKem;
+use rosenpass_secret_memory::policy::*;
 use rosenpass_secret_memory::Secret;
+use std::sync::Once;
 
+static ONCE: Once = Once::new();
 fuzz_target!(|rx_buf: &[u8]| {
+    ONCE.call_once(secret_policy_use_only_malloc_secrets);
     let sk = Secret::from_slice(&[0; StaticKem::SK_LEN]);
     let pk = Secret::from_slice(&[0; StaticKem::PK_LEN]);
 

fuzz/fuzz_targets/vec_secret_alloc_malloc.rs

@@ -0,0 +1,15 @@
+#![no_main]
+
+use std::sync::Once;
+
+use libfuzzer_sys::fuzz_target;
+use rosenpass_secret_memory::alloc::secret_vec;
+use rosenpass_secret_memory::policy::*;
+
+static ONCE: Once = Once::new();
+
+fuzz_target!(|data: &[u8]| {
+    ONCE.call_once(secret_policy_use_only_malloc_secrets);
+    let mut vec = secret_vec();
+    vec.extend_from_slice(data);
+});

fuzz/fuzz_targets/vec_secret_alloc_memfdsec.rs

@@ -0,0 +1,15 @@
+#![no_main]
+
+use std::sync::Once;
+
+use libfuzzer_sys::fuzz_target;
+use rosenpass_secret_memory::alloc::secret_vec;
+use rosenpass_secret_memory::policy::*;
+
+static ONCE: Once = Once::new();
+
+fuzz_target!(|data: &[u8]| {
+    ONCE.call_once(secret_policy_use_only_memfd_secrets);
+    let mut vec = secret_vec();
+    vec.extend_from_slice(data);
+});

fuzz/fuzz_targets/vec_secret_alloc_memfdsec_mallocfb.rs

@@ -1,9 +1,15 @@
 #![no_main]
 
+use std::sync::Once;
+
 use libfuzzer_sys::fuzz_target;
 use rosenpass_secret_memory::alloc::secret_vec;
+use rosenpass_secret_memory::policy::*;
+
+static ONCE: Once = Once::new();
 
 fuzz_target!(|data: &[u8]| {
+    ONCE.call_once(secret_policy_try_use_memfd_secrets);
     let mut vec = secret_vec();
     vec.extend_from_slice(data);
 });

misc/README.md

@@ -0,0 +1,40 @@
+# Additional files
+
+This folder contains additional files that are used in the project.
+
+## `generate_configs.py`
+
+The script is used to generate configuration files for a benchmark setup
+consisting of a device under testing (DUT) and automatic test equipment (ATE),
+basically a strong machine capable of running multiple Rosenpass instances at
+once.
+
+At the top of the script multiple variables can be set to configure the DUT IP
+address and more. Once configured you may run `python3 generate_configs.py` to
+create the configuration files.
+
+A new folder called `output/` is created containing the subfolder `dut/` and
+`ate/`. The former has to be copied on the DUT, ideally reproducible hardware
+like a Raspberry Pi, while the latter is copied to the ATE, i.e. a laptop.
+
+### Running a benchmark
+
+On the ATE a run script is required since multiple instances of `rosenpass` are
+started with different configurations in parallel. The scripts are named after
+the number of instances they start, e.g. `run-50.sh` starts 50 instances.
+
+```shell
+# on the ATE aka laptop
+cd output/ate
+./run-10.sh
+```
+
+On the DUT you start a single Rosenpass instance with the configuration matching
+the ATE number of peers.
+
+```shell
+# on the DUT aka Raspberry Pi
+rosenpass exchange-config configs/dut-10.toml
+```
+
+Use whatever measurement tool you like to monitor the DUT and ATE.

misc/generate_configs.py

@@ -0,0 +1,105 @@
+from pathlib import Path
+from subprocess import run
+import os
+
+config = dict(
+    peer_counts=[1, 5, 10, 50, 100, 500],
+    peer_count_max=100,
+    ate_ip="127.0.0.1",
+    dut_ip="127.0.0.1",
+    dut_port=9999,
+    path_to_rosenpass_bin=os.getcwd() + "/target/release/rosenpass",
+)
+
+print(config)
+
+output_dir = Path("output")
+output_dir.mkdir(exist_ok=True)
+
+template_dut = """
+public_key = "keys/dut-public-key"
+secret_key = "keys/dut-secret-key"
+listen = ["{dut_ip}:{dut_port}"]
+verbosity = "Quiet"
+"""
+template_dut_peer = """
+[[peers]] # ATE-{i}
+public_key = "keys/ate-{i}-public-key"
+endpoint = "{ate_ip}:{ate_port}"
+key_out = "out/key_out_{i}"
+"""
+
+template_ate = """
+public_key = "keys/ate-{i}-public-key"
+secret_key = "keys/ate-{i}-secret-key"
+listen = ["{ate_ip}:{ate_port}"]
+verbosity = "Quiet"
+
+[[peers]] # DUT
+public_key = "keys/dut-public-key"
+endpoint = "{dut_ip}:{dut_port}"
+key_out = "out/key_out_{i}"
+"""
+
+(output_dir / "dut" / "keys").mkdir(exist_ok=True, parents=True)
+(output_dir / "dut" / "out").mkdir(exist_ok=True, parents=True)
+(output_dir / "dut" / "configs").mkdir(exist_ok=True, parents=True)
+(output_dir / "ate" / "keys").mkdir(exist_ok=True, parents=True)
+(output_dir / "ate" / "out").mkdir(exist_ok=True, parents=True)
+(output_dir / "ate" / "configs").mkdir(exist_ok=True, parents=True)
+
+for peer_count in config["peer_counts"]:
+    dut_config = template_dut.format(**config)
+    for i in range(peer_count):
+        dut_config += template_dut_peer.format(**config, i=i, ate_port=50000 + i)
+
+    (output_dir / "dut" / "configs" / f"dut-{peer_count}.toml").write_text(dut_config)
+
+    if not (output_dir / "dut" / "keys" / "dut-public-key").exists():
+        print("Generate DUT keys")
+        run(
+            [
+                config["path_to_rosenpass_bin"],
+                "gen-keys",
+                f"configs/dut-{peer_count}.toml",
+            ],
+            cwd=output_dir / "dut",
+        )
+    else:
+        print("DUT keys already exist")
+
+# copy the DUT public key to the ATE
+(output_dir / "ate" / "keys" / "dut-public-key").write_bytes(
+    (output_dir / "dut" / "keys" / "dut-public-key").read_bytes()
+)
+
+ate_script = "(trap 'kill 0' SIGINT; \\\n"
+
+for i in range(config["peer_count_max"]):
+    (output_dir / "ate" / "configs" / f"ate-{i}.toml").write_text(
+        template_ate.format(**config, i=i, ate_port=50000 + i)
+    )
+
+    if not (output_dir / "ate" / "keys" / f"ate-{i}-public-key").exists():
+        # generate ATE keys
+        run(
+            [config["path_to_rosenpass_bin"], "gen-keys", f"configs/ate-{i}.toml"],
+            cwd=output_dir / "ate",
+        )
+    else:
+        print(f"ATE-{i} keys already exist")
+
+    # copy the ATE public keys to the DUT
+    (output_dir / "dut" / "keys" / f"ate-{i}-public-key").write_bytes(
+        (output_dir / "ate" / "keys" / f"ate-{i}-public-key").read_bytes()
+    )
+
+    ate_script += (
+        f"{config['path_to_rosenpass_bin']} exchange-config configs/ate-{i}.toml & \\\n"
+    )
+
+    if (i + 1) in config["peer_counts"]:
+        write_script = ate_script
+        write_script += "wait)"
+
+        (output_dir / "ate" / f"run-{i+1}.sh").write_text(write_script)

rosenpass/Cargo.toml

@@ -49,6 +49,8 @@ criterion = { workspace = true }
 test_bin = { workspace = true }
 stacker = { workspace = true }
 serial_test = {workspace = true}
+procspawn = {workspace = true}
 
 [features]
 enable_broker_api = ["rosenpass-wireguard-broker/enable_broker_api"]
+enable_memfd_alloc = []

rosenpass/benches/handshake.rs

@@ -5,6 +5,7 @@ use rosenpass_cipher_traits::Kem;
 use rosenpass_ciphers::kem::StaticKem;
 
 use criterion::{black_box, criterion_group, criterion_main, Criterion};
+use rosenpass_secret_memory::secret_policy_try_use_memfd_secrets;
 
 fn handle(
     tx: &mut CryptoServer,
@@ -56,6 +57,7 @@ fn make_server_pair() -> Result<(CryptoServer, CryptoServer)> {
 }
 
 fn criterion_benchmark(c: &mut Criterion) {
+    secret_policy_try_use_memfd_secrets();
     let (mut a, mut b) = make_server_pair().unwrap();
     c.bench_function("cca_secret_alloc", |bench| {
         bench.iter(|| {

rosenpass/src/cli.rs

@@ -3,6 +3,9 @@ use clap::{Parser, Subcommand};
 use rosenpass_cipher_traits::Kem;
 use rosenpass_ciphers::kem::StaticKem;
 use rosenpass_secret_memory::file::StoreSecret;
+use rosenpass_secret_memory::{
+    secret_policy_try_use_memfd_secrets, secret_policy_use_only_malloc_secrets,
+};
 use rosenpass_util::file::{LoadValue, LoadValueB64};
 use rosenpass_wireguard_broker::brokers::native_unix::{
     NativeUnixBroker, NativeUnixBrokerConfigBaseBuilder, NativeUnixBrokerConfigBaseBuilderError,
@@ -154,6 +157,13 @@ impl CliCommand {
     /// ## TODO
     /// - This method consumes the [`CliCommand`] value. It might be wise to use a reference...
     pub fn run(self, test_helpers: Option<AppServerTest>) -> anyhow::Result<()> {
+        //Specify secret policy
+
+        #[cfg(feature = "enable_memfd_alloc")]
+        secret_policy_try_use_memfd_secrets();
+        #[cfg(not(feature = "enable_memfd_alloc"))]
+        secret_policy_use_only_malloc_secrets();
+
         use CliCommand::*;
         match self {
             Man => {

rosenpass/src/protocol.rs

@@ -19,12 +19,16 @@
 //! [CryptoServer].
 //!
 //! ```
+//! use rosenpass_secret_memory::policy::*;
 //! use rosenpass_cipher_traits::Kem;
 //! use rosenpass_ciphers::kem::StaticKem;
 //! use rosenpass::{
 //!     protocol::{SSk, SPk, MsgBuf, PeerPtr, CryptoServer, SymKey},
 //! };
 //! # fn main() -> anyhow::Result<()> {
+//! // Set security policy for storing secrets
+//!
+//! secret_policy_try_use_memfd_secrets();
 //!
 //! // initialize secret and public key for peer a ...
 //! let (mut peer_a_sk, mut peer_a_pk) = (SSk::zero(), SPk::zero());
@@ -2145,6 +2149,7 @@ mod test {
     use std::{net::SocketAddrV4, thread::sleep, time::Duration};
 
     use super::*;
+    use serial_test::serial;
 
     struct VecHostIdentifier(Vec<u8>);
 
@@ -2166,7 +2171,21 @@ mod test {
         }
     }
 
+    fn setup_logging() {
+        use std::io::Write;
+        let mut log_builder = env_logger::Builder::from_default_env(); // sets log level filter from environment (or defaults)
+        log_builder.filter_level(log::LevelFilter::Info);
+        log_builder.format_timestamp_nanos();
+        log_builder.format(|buf, record| {
+            let ts_format = buf.timestamp_nanos().to_string();
+            writeln!(buf, "{}: {}", &ts_format[14..], record.args())
+        });
+
+        let _ = log_builder.try_init();
+    }
+
     #[test]
+    #[serial]
     /// Ensure that the protocol implementation can deal with truncated
     /// messages and with overlong messages.
     ///
@@ -2182,6 +2201,8 @@ mod test {
     /// Through all this, the handshake should still successfully terminate;
     /// i.e. an exchanged key must be produced in both servers.
     fn handles_incorrect_size_messages() {
+        setup_logging();
+        rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
         stacker::grow(8 * 1024 * 1024, || {
             const OVERSIZED_MESSAGE: usize = ((MAX_MESSAGE_LEN as f32) * 1.2) as usize;
             type MsgBufPlus = Public<OVERSIZED_MESSAGE>;
@@ -2252,7 +2273,10 @@ mod test {
     }
 
     #[test]
+    #[serial]
     fn test_regular_exchange() {
+        setup_logging();
+        rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
         stacker::grow(8 * 1024 * 1024, || {
             type MsgBufPlus = Public<MAX_MESSAGE_LEN>;
             let (mut a, mut b) = make_server_pair().unwrap();
@@ -2296,7 +2320,7 @@ mod test {
 
             //B handles InitConf, sends EmptyData
             let HandleMsgResult {
-                resp,
+                resp: _,
                 exchanged_with,
             } = b
                 .handle_msg(&a_to_b_buf.as_slice()[..init_conf_len], &mut *b_to_a_buf)
@@ -2310,7 +2334,10 @@ mod test {
     }
 
     #[test]
+    #[serial]
     fn test_regular_init_conf_retransmit() {
+        setup_logging();
+        rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
         stacker::grow(8 * 1024 * 1024, || {
             type MsgBufPlus = Public<MAX_MESSAGE_LEN>;
             let (mut a, mut b) = make_server_pair().unwrap();
@@ -2355,7 +2382,7 @@ mod test {
 
             //B handles InitConf, sends EmptyData
             let HandleMsgResult {
-                resp,
+                resp: _,
                 exchanged_with,
             } = b
                 .handle_msg(&a_to_b_buf.as_slice()[..init_conf_len], &mut *b_to_a_buf)
@@ -2368,7 +2395,7 @@ mod test {
 
             //B handles InitConf again, sends EmptyData
             let HandleMsgResult {
-                resp,
+                resp: _,
                 exchanged_with,
             } = b
                 .handle_msg(&a_to_b_buf.as_slice()[..init_conf_len], &mut *b_to_a_buf)
@@ -2382,7 +2409,10 @@ mod test {
     }
 
     #[test]
+    #[serial]
     fn cookie_reply_mechanism_responder_under_load() {
+        setup_logging();
+        rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
         stacker::grow(8 * 1024 * 1024, || {
             type MsgBufPlus = Public<MAX_MESSAGE_LEN>;
             let (mut a, mut b) = make_server_pair().unwrap();
@@ -2476,7 +2506,10 @@ mod test {
     }
 
     #[test]
+    #[serial]
     fn cookie_reply_mechanism_initiator_bails_on_message_under_load() {
+        setup_logging();
+        rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
         stacker::grow(8 * 1024 * 1024, || {
             type MsgBufPlus = Public<MAX_MESSAGE_LEN>;
             let (mut a, mut b) = make_server_pair().unwrap();

rosenpass/tests/integration_test.rs

@@ -6,7 +6,7 @@ use std::{
     time::Duration,
 };
 
-use clap::{builder::Str, Parser};
+use clap::Parser;
 use rosenpass::{app_server::AppServerTestBuilder, cli::CliArgs};
 use rosenpass_secret_memory::{Public, Secret};
 use rosenpass_wireguard_broker::{WireguardBrokerMio, WG_KEY_LEN, WG_PEER_LEN};
@@ -275,6 +275,7 @@ fn check_exchange_under_dos() {
     fs::remove_dir_all(&tmpdir).unwrap();
 }
 
+#[allow(dead_code)]
 #[derive(Debug, Default)]
 struct MockBrokerInner {
     psk: Option<Secret<WG_KEY_LEN>>,

rp/Cargo.toml

@@ -37,3 +37,6 @@ netlink-packet-wireguard = "0.2"
 [dev-dependencies]
 tempfile = {workspace = true}
 stacker = {workspace = true}
+
+[features]
+enable_memfd_alloc = []

rp/src/key.rs

@@ -102,6 +102,7 @@ mod tests {
     use std::fs;
 
     use rosenpass::protocol::{SPk, SSk};
+    use rosenpass_secret_memory::secret_policy_try_use_memfd_secrets;
     use rosenpass_secret_memory::Secret;
     use rosenpass_util::file::LoadValue;
     use rosenpass_util::file::LoadValueB64;
@@ -110,7 +111,8 @@ mod tests {
     use crate::key::{genkey, pubkey, WG_B64_LEN};
 
     #[test]
-    fn it_works() {
+    fn test_key_loopback() {
+        secret_policy_try_use_memfd_secrets();
         let private_keys_dir = tempdir().unwrap();
         fs::remove_dir(private_keys_dir.path()).unwrap();
 

rp/src/main.rs

@@ -3,6 +3,7 @@ use std::process::exit;
 use cli::{Cli, Command};
 use exchange::exchange;
 use key::{genkey, pubkey};
+use rosenpass_secret_memory::policy;
 
 mod cli;
 mod exchange;
@@ -10,6 +11,11 @@ mod key;
 
 #[tokio::main]
 async fn main() {
+    #[cfg(feature = "enable_memfd_alloc")]
+    policy::secret_policy_try_use_memfd_secrets();
+    #[cfg(not(feature = "enable_memfd_alloc"))]
+    policy::secret_policy_use_only_malloc_secrets();
+
     let cli = match Cli::parse(std::env::args().peekable()) {
         Ok(cli) => cli,
         Err(err) => {

secret-memory/Cargo.toml

@@ -23,3 +23,4 @@ log = { workspace = true }
 allocator-api2-tests = { workspace = true }
 tempfile = {workspace = true}
 base64ct = {workspace = true}
+procspawn = {workspace = true}

secret-memory/src/alloc/memsec/malloc.rs

@@ -4,37 +4,41 @@ use std::ptr::NonNull;
 use allocator_api2::alloc::{AllocError, Allocator, Layout};
 
 #[derive(Copy, Clone, Default)]
-struct MemsecAllocatorContents;
+struct MallocAllocatorContents;
 
 /// Memory allocation using using the memsec crate
 #[derive(Copy, Clone, Default)]
-pub struct MemsecAllocator {
-    _dummy_private_data: MemsecAllocatorContents,
+pub struct MallocAllocator {
+    _dummy_private_data: MallocAllocatorContents,
 }
 
 /// A box backed by the memsec allocator
-pub type MemsecBox<T> = allocator_api2::boxed::Box<T, MemsecAllocator>;
+pub type MallocBox<T> = allocator_api2::boxed::Box<T, MallocAllocator>;
 
 /// A vector backed by the memsec allocator
-pub type MemsecVec<T> = allocator_api2::vec::Vec<T, MemsecAllocator>;
+pub type MallocVec<T> = allocator_api2::vec::Vec<T, MallocAllocator>;
 
-pub fn memsec_box<T>(x: T) -> MemsecBox<T> {
-    MemsecBox::<T>::new_in(x, MemsecAllocator::new())
+pub fn malloc_box_try<T>(x: T) -> Result<MallocBox<T>, AllocError> {
+    MallocBox::<T>::try_new_in(x, MallocAllocator::new())
 }
 
-pub fn memsec_vec<T>() -> MemsecVec<T> {
-    MemsecVec::<T>::new_in(MemsecAllocator::new())
+pub fn malloc_box<T>(x: T) -> MallocBox<T> {
+    MallocBox::<T>::new_in(x, MallocAllocator::new())
 }
 
-impl MemsecAllocator {
+pub fn malloc_vec<T>() -> MallocVec<T> {
+    MallocVec::<T>::new_in(MallocAllocator::new())
+}
+
+impl MallocAllocator {
     pub fn new() -> Self {
         Self {
-            _dummy_private_data: MemsecAllocatorContents,
+            _dummy_private_data: MallocAllocatorContents,
         }
     }
 }
 
-unsafe impl Allocator for MemsecAllocator {
+unsafe impl Allocator for MallocAllocator {
     fn allocate(&self, layout: Layout) -> Result<NonNull<[u8]>, AllocError> {
         // Call memsec allocator
         let mem: Option<NonNull<[u8]>> = unsafe { memsec::malloc_sized(layout.size()) };
@@ -48,8 +52,8 @@ unsafe impl Allocator for MemsecAllocator {
         // Ensure the right alignment is used
         let off = (mem.as_ptr() as *const u8).align_offset(layout.align());
         if off != 0 {
-            log::error!("Allocation {layout:?} was requested but memsec returned allocation \
-                with offset {off} from the requested alignment. Memsec always allocates values \
+            log::error!("Allocation {layout:?} was requested but malloc-based memsec returned allocation \
+                with offset {off} from the requested alignment. Malloc always allocates values \
                 at the end of a memory page for security reasons, custom alignments are not supported. \
                 You could try allocating an oversized value.");
             unsafe { memsec::free(mem) };
@@ -66,7 +70,7 @@ unsafe impl Allocator for MemsecAllocator {
     }
 }
 
-impl fmt::Debug for MemsecAllocator {
+impl fmt::Debug for MallocAllocator {
     fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
         fmt.write_str("<memsec based Rust allocator>")
     }
@@ -78,21 +82,21 @@ mod test {
 
     use super::*;
 
-    make_test! { test_sizes(MemsecAllocator::new()) }
-    make_test! { test_vec(MemsecAllocator::new()) }
-    make_test! { test_many_boxes(MemsecAllocator::new()) }
+    make_test! { test_sizes(MallocAllocator::new()) }
+    make_test! { test_vec(MallocAllocator::new()) }
+    make_test! { test_many_boxes(MallocAllocator::new()) }
 
     #[test]
-    fn memsec_allocation() {
-        let alloc = MemsecAllocator::new();
-        memsec_allocation_impl::<0>(&alloc);
-        memsec_allocation_impl::<7>(&alloc);
-        memsec_allocation_impl::<8>(&alloc);
-        memsec_allocation_impl::<64>(&alloc);
-        memsec_allocation_impl::<999>(&alloc);
+    fn malloc_allocation() {
+        let alloc = MallocAllocator::new();
+        malloc_allocation_impl::<0>(&alloc);
+        malloc_allocation_impl::<7>(&alloc);
+        malloc_allocation_impl::<8>(&alloc);
+        malloc_allocation_impl::<64>(&alloc);
+        malloc_allocation_impl::<999>(&alloc);
     }
 
-    fn memsec_allocation_impl<const N: usize>(alloc: &MemsecAllocator) {
+    fn malloc_allocation_impl<const N: usize>(alloc: &MallocAllocator) {
         let layout = Layout::new::<[u8; N]>();
         let mem = alloc.allocate(layout).unwrap();
 

secret-memory/src/alloc/memsec/memfdsec.rs

@@ -0,0 +1,112 @@
+#![cfg(target_os = "linux")]
+use std::fmt;
+use std::ptr::NonNull;
+
+use allocator_api2::alloc::{AllocError, Allocator, Layout};
+
+#[derive(Copy, Clone, Default)]
+struct MemfdSecAllocatorContents;
+
+/// Memory allocation using using the memsec crate
+#[derive(Copy, Clone, Default)]
+pub struct MemfdSecAllocator {
+    _dummy_private_data: MemfdSecAllocatorContents,
+}
+
+/// A box backed by the memsec allocator
+pub type MemfdSecBox<T> = allocator_api2::boxed::Box<T, MemfdSecAllocator>;
+
+/// A vector backed by the memsec allocator
+pub type MemfdSecVec<T> = allocator_api2::vec::Vec<T, MemfdSecAllocator>;
+
+pub fn memfdsec_box_try<T>(x: T) -> Result<MemfdSecBox<T>, AllocError> {
+    MemfdSecBox::<T>::try_new_in(x, MemfdSecAllocator::new())
+}
+
+pub fn memfdsec_box<T>(x: T) -> MemfdSecBox<T> {
+    MemfdSecBox::<T>::new_in(x, MemfdSecAllocator::new())
+}
+
+pub fn memfdsec_vec<T>() -> MemfdSecVec<T> {
+    MemfdSecVec::<T>::new_in(MemfdSecAllocator::new())
+}
+
+impl MemfdSecAllocator {
+    pub fn new() -> Self {
+        Self {
+            _dummy_private_data: MemfdSecAllocatorContents,
+        }
+    }
+}
+
+unsafe impl Allocator for MemfdSecAllocator {
+    fn allocate(&self, layout: Layout) -> Result<NonNull<[u8]>, AllocError> {
+        // Call memsec allocator
+        let mem: Option<NonNull<[u8]>> = unsafe { memsec::memfd_secret_sized(layout.size()) };
+
+        // Unwrap the option
+        let Some(mem) = mem else {
+            log::error!("Allocation {layout:?} was requested but memfd-based memsec returned a null pointer");
+            return Err(AllocError);
+        };
+
+        // Ensure the right alignment is used
+        let off = (mem.as_ptr() as *const u8).align_offset(layout.align());
+        if off != 0 {
+            log::error!("Allocation {layout:?} was requested but memfd-based memsec returned allocation \
+                with offset {off} from the requested alignment. Memfd always allocates values \
+                at the end of a memory page for security reasons, custom alignments are not supported. \
+                You could try allocating an oversized value.");
+            unsafe { memsec::free_memfd_secret(mem) };
+            return Err(AllocError);
+        };
+
+        Ok(mem)
+    }
+
+    unsafe fn deallocate(&self, ptr: NonNull<u8>, _layout: Layout) {
+        unsafe {
+            memsec::free_memfd_secret(ptr);
+        }
+    }
+}
+
+impl fmt::Debug for MemfdSecAllocator {
+    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
+        fmt.write_str("<memsec based Rust allocator>")
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use allocator_api2_tests::make_test;
+
+    use super::*;
+
+    make_test! { test_sizes(MemfdSecAllocator::new()) }
+    make_test! { test_vec(MemfdSecAllocator::new()) }
+    make_test! { test_many_boxes(MemfdSecAllocator::new()) }
+
+    #[test]
+    fn memfdsec_allocation() {
+        let alloc = MemfdSecAllocator::new();
+        memfdsec_allocation_impl::<0>(&alloc);
+        memfdsec_allocation_impl::<7>(&alloc);
+        memfdsec_allocation_impl::<8>(&alloc);
+        memfdsec_allocation_impl::<64>(&alloc);
+        memfdsec_allocation_impl::<999>(&alloc);
+    }
+
+    fn memfdsec_allocation_impl<const N: usize>(alloc: &MemfdSecAllocator) {
+        let layout = Layout::new::<[u8; N]>();
+        let mem = alloc.allocate(layout).unwrap();
+
+        // https://libsodium.gitbook.io/doc/memory_management#guarded-heap-allocations
+        // promises us that allocated memory is initialized with the magic byte 0xDB
+        // and memsec promises to provide a reimplementation of the libsodium mechanism;
+        // it uses the magic value 0xD0 though
+        assert_eq!(unsafe { mem.as_ref() }, &[0xD0u8; N]);
+        let mem = NonNull::new(mem.as_ptr() as *mut u8).unwrap();
+        unsafe { alloc.deallocate(mem, layout) };
+    }
+}

secret-memory/src/alloc/memsec/mod.rs

@@ -0,0 +1,2 @@
+pub mod malloc;
+pub mod memfdsec;

secret-memory/src/alloc/mod.rs

@@ -1,6 +1,86 @@
 pub mod memsec;
 
-pub use crate::alloc::memsec::{
-    memsec_box as secret_box, memsec_vec as secret_vec, MemsecAllocator as SecretAllocator,
-    MemsecBox as SecretBox, MemsecVec as SecretVec,
-};
+use std::sync::OnceLock;
+
+use allocator_api2::alloc::{AllocError, Allocator};
+use memsec::malloc::MallocAllocator;
+
+#[cfg(target_os = "linux")]
+use memsec::memfdsec::MemfdSecAllocator;
+
+static ALLOC_TYPE: OnceLock<SecretAllocType> = OnceLock::new();
+
+/// Sets the secret allocation type to use.
+/// Intended usage at startup before secret allocation
+/// takes place
+pub fn set_secret_alloc_type(alloc_type: SecretAllocType) {
+    ALLOC_TYPE.set(alloc_type).unwrap();
+}
+
+pub fn get_or_init_secret_alloc_type(alloc_type: SecretAllocType) -> SecretAllocType {
+    *ALLOC_TYPE.get_or_init(|| alloc_type)
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum SecretAllocType {
+    MemsecMalloc,
+    #[cfg(target_os = "linux")]
+    MemsecMemfdSec,
+}
+
+pub struct SecretAlloc {
+    alloc_type: SecretAllocType,
+}
+
+impl Default for SecretAlloc {
+    fn default() -> Self {
+        Self {
+            alloc_type: *ALLOC_TYPE.get().expect(
+                "Secret security policy not specified. \
+                Run the specifying policy function in \
+                 rosenpass_secret_memory::policy or set a \
+                 custom policy by initializing \
+                 rosenpass_secret_memory::alloc::ALLOC_TYPE \
+                 before using secrets",
+            ),
+        }
+    }
+}
+
+unsafe impl Allocator for SecretAlloc {
+    fn allocate(
+        &self,
+        layout: std::alloc::Layout,
+    ) -> Result<std::ptr::NonNull<[u8]>, allocator_api2::alloc::AllocError> {
+        match self.alloc_type {
+            SecretAllocType::MemsecMalloc => MallocAllocator::default().allocate(layout),
+            #[cfg(target_os = "linux")]
+            SecretAllocType::MemsecMemfdSec => MemfdSecAllocator::default().allocate(layout),
+        }
+    }
+
+    unsafe fn deallocate(&self, ptr: std::ptr::NonNull<u8>, layout: std::alloc::Layout) {
+        match self.alloc_type {
+            SecretAllocType::MemsecMalloc => MallocAllocator::default().deallocate(ptr, layout),
+            #[cfg(target_os = "linux")]
+            SecretAllocType::MemsecMemfdSec => MemfdSecAllocator::default().deallocate(ptr, layout),
+        }
+    }
+}
+
+pub type SecretBox<T> = allocator_api2::boxed::Box<T, SecretAlloc>;
+
+/// A vector backed by the memsec allocator
+pub type SecretVec<T> = allocator_api2::vec::Vec<T, SecretAlloc>;
+
+pub fn secret_box_try<T>(x: T) -> Result<SecretBox<T>, AllocError> {
+    SecretBox::<T>::try_new_in(x, SecretAlloc::default())
+}
+
+pub fn secret_box<T>(x: T) -> SecretBox<T> {
+    SecretBox::<T>::new_in(x, SecretAlloc::default())
+}
+
+pub fn secret_vec<T>() -> SecretVec<T> {
+    SecretVec::<T>::new_in(SecretAlloc::default())
+}

secret-memory/src/lib.rs

@@ -9,3 +9,6 @@ pub use crate::public::Public;
 
 mod secret;
 pub use crate::secret::Secret;
+
+pub mod policy;
+pub use crate::policy::*;

secret-memory/src/policy.rs

@@ -0,0 +1,82 @@
+pub fn secret_policy_try_use_memfd_secrets() {
+    let alloc_type = {
+        #[cfg(target_os = "linux")]
+        {
+            if crate::alloc::memsec::memfdsec::memfdsec_box_try(0u8).is_ok() {
+                crate::alloc::SecretAllocType::MemsecMemfdSec
+            } else {
+                crate::alloc::SecretAllocType::MemsecMalloc
+            }
+        }
+
+        #[cfg(not(target_os = "linux"))]
+        {
+            crate::alloc::SecretAllocType::MemsecMalloc
+        }
+    };
+    assert_eq!(
+        alloc_type,
+        crate::alloc::get_or_init_secret_alloc_type(alloc_type)
+    );
+
+    log::info!("Secrets will be allocated using {:?}", alloc_type);
+}
+
+#[cfg(target_os = "linux")]
+pub fn secret_policy_use_only_memfd_secrets() {
+    let alloc_type = crate::alloc::SecretAllocType::MemsecMemfdSec;
+
+    assert_eq!(
+        alloc_type,
+        crate::alloc::get_or_init_secret_alloc_type(alloc_type)
+    );
+
+    log::info!("Secrets will be allocated using {:?}", alloc_type);
+}
+
+pub fn secret_policy_use_only_malloc_secrets() {
+    let alloc_type = crate::alloc::SecretAllocType::MemsecMalloc;
+    assert_eq!(
+        alloc_type,
+        crate::alloc::get_or_init_secret_alloc_type(alloc_type)
+    );
+
+    log::info!("Secrets will be allocated using {:?}", alloc_type);
+}
+
+pub mod test {
+    #[macro_export]
+    macro_rules! test_spawn_process_with_policies {
+        ($body:block, $($f: expr),*) => {
+            $(
+                let handle = procspawn::spawn((), |_| {
+
+                $f();
+
+                $body
+
+                });
+                handle.join().unwrap();
+            )*
+            };
+        }
+
+    #[macro_export]
+    macro_rules! test_spawn_process_provided_policies {
+        ($body: block) => {
+            $crate::test_spawn_process_with_policies!(
+                $body,
+                $crate::policy::secret_policy_try_use_memfd_secrets,
+                $crate::secret_policy_use_only_malloc_secrets
+            );
+
+            #[cfg(target_os = "linux")]
+            {
+                $crate::test_spawn_process_with_policies!(
+                    $body,
+                    $crate::policy::secret_policy_use_only_memfd_secrets
+                );
+            }
+        };
+    }
+}

secret-memory/src/secret.rs

@@ -321,32 +321,41 @@ impl<const N: usize> StoreSecret for Secret<N> {
 
 #[cfg(test)]
 mod test {
+    use crate::test_spawn_process_provided_policies;
+
     use super::*;
     use std::{fs, os::unix::fs::PermissionsExt};
     use tempfile::tempdir;
 
+    procspawn::enable_test_support!();
+
     /// check that we can alloc using the magic pool
     #[test]
     fn secret_memory_pool_take() {
+        test_spawn_process_provided_policies!({
             const N: usize = 0x100;
             let mut pool = SecretMemoryPool::new();
             let secret: ZeroizingSecretBox<[u8; N]> = pool.take();
             assert_eq!(secret.as_ref(), &[0; N]);
+        });
     }
 
     /// check that a secret lives, even if its [SecretMemoryPool] is deleted
     #[test]
     fn secret_memory_pool_drop() {
+        test_spawn_process_provided_policies!({
             const N: usize = 0x100;
             let mut pool = SecretMemoryPool::new();
             let secret: ZeroizingSecretBox<[u8; N]> = pool.take();
             std::mem::drop(pool);
             assert_eq!(secret.as_ref(), &[0; N]);
+        });
     }
 
     /// check that a secret can be reborn, freshly initialized with zero
     #[test]
     fn secret_memory_pool_release() {
+        test_spawn_process_provided_policies!({
             const N: usize = 1;
             let mut pool = SecretMemoryPool::new();
             let mut secret: ZeroizingSecretBox<[u8; N]> = pool.take();
@@ -361,11 +370,13 @@ mod test {
 
             // and that the secret was zeroized
             assert_eq!(new_secret.as_ref(), &[0; N]);
+        });
     }
 
     /// test loading a secret from an example file, and then storing it again in a different file
     #[test]
     fn test_secret_load_store() {
+        test_spawn_process_provided_policies!({
             const N: usize = 100;
 
             // Generate original random bytes
@@ -396,11 +407,13 @@ mod test {
 
             // Check that the contents of the new file match the original file
             assert_eq!(new_file_contents, original_file_contents);
+        });
     }
 
     /// test loading a base64 encoded secret from an example file, and then storing it again in a different file
     #[test]
     fn test_secret_load_store_base64() {
+        test_spawn_process_provided_policies!({
             const N: usize = 100;
             // Generate original random bytes
             let original_bytes: [u8; N] = [rand::random(); N];
@@ -449,5 +462,6 @@ mod test {
             //Check new file permissions are secret
             let metadata = fs::metadata(&new_file).unwrap();
             assert_eq!(metadata.permissions().mode() & 0o000777, 0o600);
+        });
     }
 }

wireguard-broker/Cargo.toml

@@ -33,6 +33,7 @@ rosenpass-util = { workspace = true }
 
 [dev-dependencies]
 rand = {workspace = true}
+procspawn = {workspace = true}
 
 [features]
 enable_broker_api=[]

wireguard-broker/src/brokers/netlink.rs

@@ -77,7 +77,7 @@ impl WireGuardBroker for NetlinkWireGuardBroker {
     fn set_psk(&mut self, config: SerializedBrokerConfig) -> Result<(), Self::Error> {
         let config: NetworkBrokerConfig = config
             .try_into()
-            .map_err(|e| SetPskError::NoSuchInterface)?;
+            .map_err(|_e| SetPskError::NoSuchInterface)?;
         // Ensure that the peer exists by querying the device configuration
         // TODO: Use InvalidInterfaceError
 

wireguard-broker/tests/integration.rs

@@ -53,10 +53,15 @@ mod integration_tests {
         }
     }
 
+    procspawn::enable_test_support!();
+
     #[test]
     fn test_psk_exchanges() {
         const TEST_RUNS: usize = 100;
 
+        use rosenpass_secret_memory::test_spawn_process_provided_policies;
+
+        test_spawn_process_provided_policies!({
             let server_broker_inner = Arc::new(Mutex::new(MockServerBrokerInner::default()));
             // Create a mock BrokerServer
             let server_broker = MockServerBroker::new(server_broker_inner.clone());
@@ -130,5 +135,6 @@ mod integration_tests {
                 }
             }
             handle.join().unwrap().unwrap();
+        });
     }
 }