stash

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.ci/boot_race/a.toml

@@ -3,11 +3,6 @@ secret_key = "rp-a-secret-key"
 listen = ["127.0.0.1:9999"]
 verbosity = "Verbose"
 
-[api]
-listen_path = []
-listen_fd = []
-stream_fd = []
-
 [[peers]]
 public_key = "rp-b-public-key"
 endpoint = "127.0.0.1:9998"

.ci/boot_race/b.toml

@@ -3,11 +3,6 @@ secret_key = "rp-b-secret-key"
 listen = ["127.0.0.1:9998"]
 verbosity = "Verbose"
 
-[api]
-listen_path = []
-listen_fd = []
-stream_fd = []
-
 [[peers]]
 public_key = "rp-a-public-key"
 endpoint = "127.0.0.1:9999"

.github/workflows/bench-primitives.yml

@@ -4,7 +4,7 @@ permissions:
   contents: write
 
 on:
-  pull_request:
+  #pull_request:
   push:
 
 env:
@@ -21,13 +21,13 @@ jobs:
       matrix:
         system: ["x86_64-linux", "i686-linux"]
 
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
     defaults:
       run:
         shell: bash
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       # Install nix
 
@@ -93,7 +93,7 @@ jobs:
   ciphers-primitives-bench-status:
     if: ${{ always() }}
     needs: [prim-benchmark]
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
     steps:
       - name: Successful
         if: ${{ !(contains(needs.*.result, 'failure')) }}

.github/workflows/bench-protocol.yml

@@ -4,7 +4,7 @@ permissions:
   contents: write
 
 on:
-  pull_request:
+  #pull_request:
   push:
 
 env:
@@ -21,13 +21,13 @@ jobs:
       matrix:
         system: ["x86_64-linux", "i686-linux"]
 
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
     defaults:
       run:
         shell: bash
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       # Install nix
 
@@ -80,7 +80,7 @@ jobs:
   ciphers-protocol-bench-status:
     if: ${{ always() }}
     needs: [proto-benchmark]
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
     steps:
       - name: Successful
         if: ${{ !(contains(needs.*.result, 'failure')) }}

.github/workflows/doc-upload.yml

@@ -13,10 +13,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Clone rosenpass-website repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: rosenpass/rosenpass-website
           ref: main

.github/workflows/docker.yaml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Build (no push) and Load
@@ -128,7 +128,7 @@ jobs:
     runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Docker meta
         id: meta
@@ -193,7 +193,7 @@ jobs:
     runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Docker meta
         id: meta
@@ -255,7 +255,7 @@ jobs:
         target: [rp, rosenpass]
     steps:
       - name: Download digests
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-${{ matrix.target }}-*

.github/workflows/integration.yml

@@ -0,0 +1,166 @@
+name: Integration Tests
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  integration-tests-x86_64-linux:
+    name: Integration tests x86_64-linux
+    runs-on:
+      - ubicloud-standard-2-ubuntu-2204
+    steps:
+      - uses: actions/checkout@v5
+      - uses: cachix/install-nix-action@v30
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v15
+        with:
+          name: rosenpass
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Extract the reference of before and after for the integration tests.
+        run: |
+          EVENT_NAME="${{ github.event_name }}"
+          REF_BEFORE=""
+          REF_AFTER="path:../../"
+          if [[ "$EVENT_NAME" == "pull_request" ]]; then
+            echo "This CI run was triggered in the context of a pull request."
+            REF_BEFORE="github:rosenpass/rosenpass/main"
+            git checkout -B pr-${{ github.event.pull_request.number }}
+            REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+          elif [[ "$EVENT_NAME" == "push" ]]; then
+            echo "This CI run was triggered in the context of a push."
+            REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+            REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+          else
+            echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+            exit 1
+          fi
+          echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+          echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+      - name: Check
+        run: |
+          cd ./tests/integration
+          nix flake check --print-build-logs --system x86_64-linux --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER
+  # THE FOLLOWING TEST IS DISABLED FOR THE TIME BENG UNTIL WE GET AN ARM64 RUNNER THAT SUPPORTS KVM
+  #integration-tests-aarch64-linux:
+  #  name: Integration tests aarch64-linux
+  #  runs-on:
+  #    - ubicloud-standard-2-arm-ubuntu-2204
+  #  steps:
+  #    - uses: actions/checkout@v5
+  #    - uses: cachix/install-nix-action@v30
+  #      with:
+  #        nix_path: nixpkgs=channel:nixos-unstable
+  #    - uses: cachix/cachix-action@v15
+  #      with:
+  #        name: rosenpass
+  #        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+  #    - name: Extract the reference of before and after for the integration tests.
+  #      run: |
+  #        EVENT_NAME="${{ github.event_name }}"
+  #        REF_BEFORE=""
+  #        REF_AFTER="path:../../"
+  #        if [[ "$EVENT_NAME" == "pull_request" ]]; then
+  #          echo "This CI run was triggered in the context of a pull request."
+  #          REF_BEFORE="github:rosenpass/rosenpass/main"
+  #          #git checkout -B pr-${{ github.event.pull_request.number }}
+  #          REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+  #        elif [[ "$EVENT_NAME" == "push" ]]; then
+  #          echo "This CI run was triggered in the context of a push."
+  #          REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+  #          REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+  #          #git checkout -B ${{ github.ref_name }}
+  #        else
+  #          echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+  #          exit 1
+  #        fi
+  #        echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+  #        echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+  #    - name: Check
+  #      run: |
+  #        cd ./tests/integration
+  #        # export QEMU_OPTS="-machine virt -cpu cortex-a57"
+  #        nix flake check --print-build-logs --system aarch64-linux --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER
+  #integration-tests-i686-linux:
+  #  name: Integration tests i686-linux
+  #  timeout-minutes: 144000
+  #  runs-on:
+  #    - ubicloud-standard-8-ubuntu-2204
+  #  steps:
+  #    - uses: actions/checkout@v5
+  #    - uses: cachix/install-nix-action@v30
+  #      with:
+  #        nix_path: nixpkgs=channel:nixos-unstable
+  #    - uses: cachix/cachix-action@v15
+  #      with:
+  #        name: rosenpass
+  #        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+  #    - name: Extract the reference of before and after for the integration tests.
+  #      run: |
+  #        EVENT_NAME="${{ github.event_name }}"
+  #        REF_BEFORE=""
+  #        REF_AFTER="path:../../"
+  #        if [[ "$EVENT_NAME" == "pull_request" ]]; then
+  #          echo "This CI run was triggered in the context of a pull request."
+  #          REF_BEFORE="github:rosenpass/rosenpass/main"
+  #          git checkout -B pr-${{ github.event.pull_request.number }}
+  #          REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+  #        elif [[ "$EVENT_NAME" == "push" ]]; then
+  #          echo "This CI run was triggered in the context of a push."
+  #          REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+  #          REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+  #        else
+  #          echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+  #          exit 1
+  #        fi
+  #        echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+  #        echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+  #    - name: Check
+  #      run: |
+  #        cd ./tests/integration
+  #        nix flake check --print-build-logs --system i686-linux --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER
+  # THE FOLLOWING TEST IS DISABLED FOR THE TIME BENG UNTIL THIS ISSUE WITH NIXOS TESTS ON DARWIN GETS RESOLVED: https://github.com/NixOS/nixpkgs/issues/294725
+  #integration-tests-aarch64-darwin:
+  #  name: Integration tests aarch64-darwin
+  #  runs-on:
+  #    - warp-macos-13-arm64-6x
+  #  steps:
+  #    - uses: actions/checkout@v5
+  #    - uses: cachix/install-nix-action@v30
+  #      with:
+  #        nix_path: nixpkgs=channel:nixos-unstable
+  #    - uses: cachix/cachix-action@v15
+  #      with:
+  #        name: rosenpass
+  #        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+  #    - name: Extract the reference of before and after for the integration tests.
+  #      run: |
+  #        EVENT_NAME="${{ github.event_name }}"
+  #        REF_BEFORE=""
+  #        REF_AFTER="path:../../"
+  #        if [[ "$EVENT_NAME" == "pull_request" ]]; then
+  #          echo "This CI run was triggered in the context of a pull request."
+  #          REF_BEFORE="github:rosenpass/rosenpass/main"
+  #          git checkout -B pr-${{ github.event.pull_request.number }}
+  #          REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+  #        elif [[ "$EVENT_NAME" == "push" ]]; then
+  #          echo "This CI run was triggered in the context of a push."
+  #          REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+  #          REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+  #        else
+  #          echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+  #          exit 1
+  #        fi
+  #        echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+  #        echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+  #    - name: Check
+  #      run: |
+  #        cd ./tests/integration
+  #        nix flake check --print-build-logs --system aarch64-darwin --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER

.github/workflows/nix-mac.yaml

@@ -19,7 +19,7 @@ jobs:
     needs:
       - aarch64-darwin---rosenpass
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -38,7 +38,7 @@ jobs:
       - aarch64-darwin---rp
       - aarch64-darwin---rosenpass-oci-image
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -54,7 +54,7 @@ jobs:
       - warp-macos-13-arm64-6x
     needs: []
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -70,7 +70,7 @@ jobs:
       - warp-macos-13-arm64-6x
     needs: []
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -87,7 +87,7 @@ jobs:
     needs:
       - aarch64-darwin---rosenpass
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -102,7 +102,7 @@ jobs:
     runs-on:
       - warp-macos-13-arm64-6x
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable

.github/workflows/nix.yaml

@@ -19,7 +19,7 @@ jobs:
     needs:
       - i686-linux---rosenpass
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -35,7 +35,7 @@ jobs:
       - ubicloud-standard-2-ubuntu-2204
     needs: []
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -52,7 +52,7 @@ jobs:
     needs:
       - i686-linux---rosenpass
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -67,7 +67,7 @@ jobs:
     runs-on:
       - ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -76,7 +76,8 @@ jobs:
           name: rosenpass
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
       - name: Check
-        run: nix flake check . --print-build-logs
+        run: |
+          nix flake check . --print-build-logs
   x86_64-linux---default:
     name: Build x86_64-linux.default
     runs-on:
@@ -84,7 +85,7 @@ jobs:
     needs:
       - x86_64-linux---rosenpass
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -101,7 +102,7 @@ jobs:
     needs:
       - x86_64-linux---proverif-patched
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -117,7 +118,7 @@ jobs:
       - ubicloud-standard-2-ubuntu-2204
     needs: []
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -136,7 +137,7 @@ jobs:
       - x86_64-linux---rosenpass-static-oci-image
       - x86_64-linux---rp-static
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -158,7 +159,7 @@ jobs:
   #     - run: |
   #         DEBIAN_FRONTEND=noninteractive
   #         sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi binfmt-support qemu-user-static
-  #     - uses: actions/checkout@v4
+  #     - uses: actions/checkout@v5
   #     - uses: cachix/install-nix-action@v30
   #       with:
   #         nix_path: nixpkgs=channel:nixos-unstable
@@ -176,7 +177,7 @@ jobs:
       - ubicloud-standard-2-ubuntu-2204
     needs: []
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -195,7 +196,7 @@ jobs:
       - run: |
           DEBIAN_FRONTEND=noninteractive
           sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -216,7 +217,7 @@ jobs:
       - run: |
           DEBIAN_FRONTEND=noninteractive
           sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -235,7 +236,7 @@ jobs:
     needs:
       - x86_64-linux---rosenpass
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -255,7 +256,7 @@ jobs:
       - run: |
           DEBIAN_FRONTEND=noninteractive
           sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -273,7 +274,7 @@ jobs:
       - ubicloud-standard-2-ubuntu-2204
     needs: []
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -289,7 +290,7 @@ jobs:
       - ubicloud-standard-2-ubuntu-2204
     needs: []
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -306,7 +307,7 @@ jobs:
     needs:
       - x86_64-linux---rosenpass-static
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -322,7 +323,7 @@ jobs:
       - ubicloud-standard-2-ubuntu-2204
     needs: []
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -337,7 +338,7 @@ jobs:
     runs-on:
       - ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -352,7 +353,7 @@ jobs:
     runs-on: ubicloud-standard-2-ubuntu-2204
     if: ${{ github.ref == 'refs/heads/main' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable

.github/workflows/qc-mac.yaml

@@ -16,7 +16,7 @@ jobs:
   cargo-test-mac:
     runs-on: warp-macos-13-arm64-6x
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/cache@v4
         with:
           path: |

.github/workflows/qc.yaml

@@ -16,7 +16,7 @@ jobs:
   prettier:
     runs-on: ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actionsx/prettier@v3
         with:
           args: --check .
@@ -25,7 +25,7 @@ jobs:
     name: Shellcheck
     runs-on: ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@master
 
@@ -33,7 +33,7 @@ jobs:
     name: Rust code formatting
     runs-on: ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/cache@v4
         with:
           path: |
@@ -56,7 +56,7 @@ jobs:
   cargo-bench:
     runs-on: ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/cache@v4
         with:
           path: |
@@ -77,14 +77,14 @@ jobs:
     steps:
       - name: Install mandoc
         run: sudo apt-get install -y mandoc
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check rp.1
         run: doc/check.sh doc/rp.1
 
   cargo-audit:
     runs-on: ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions-rs/audit-check@v1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -92,7 +92,7 @@ jobs:
   cargo-clippy:
     runs-on: ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/cache@v4
         with:
           path: |
@@ -111,7 +111,7 @@ jobs:
   cargo-doc:
     runs-on: ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/cache@v4
         with:
           path: |
@@ -130,7 +130,7 @@ jobs:
   cargo-test:
     runs-on: ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/cache@v4
         with:
           path: |
@@ -149,7 +149,7 @@ jobs:
     runs-on:
       - ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/cache@v4
         with:
           path: |
@@ -171,7 +171,7 @@ jobs:
   cargo-fuzz:
     runs-on: ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/cache@v4
         with:
           path: |
@@ -206,7 +206,7 @@ jobs:
     env:
       RUSTUP_TOOLCHAIN: nightly
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/cache@v4
         with:
           path: |

.github/workflows/regressions.yml

@@ -16,7 +16,7 @@ jobs:
   multi-peer:
     runs-on: ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - run: cargo build --bin rosenpass --release
       - run: python misc/generate_configs.py
       - run: chmod +x .ci/run-regression.sh
@@ -27,7 +27,7 @@ jobs:
   boot-race:
     runs-on: ubicloud-standard-2-ubuntu-2204
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - run: cargo build --bin rosenpass --release
       - run: chmod +x .ci/boot_race/run.sh
       - run: cargo run --release --bin rosenpass gen-keys .ci/boot_race/a.toml

.github/workflows/release.yaml

@@ -11,7 +11,7 @@ jobs:
     runs-on:
       - ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
       - uses: cachix/cachix-action@v15
         with:
@@ -30,7 +30,7 @@ jobs:
     runs-on:
       - macos-13
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
       - uses: cachix/cachix-action@v15
         with:
@@ -49,7 +49,7 @@ jobs:
     runs-on:
       - ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
@@ -69,7 +69,7 @@ jobs:
     name: Build and upload DEB and RPM packages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: cachix/install-nix-action@v30
       - uses: cachix/cachix-action@v15
         with:

.github/workflows/supply-chain.yml

@@ -13,13 +13,13 @@ jobs:
     name: Deny dependencies with vulnerabilities or incompatible licenses
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: EmbarkStudios/cargo-deny-action@v2
   cargo-supply-chain:
     name: Supply Chain Report
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/cache@v4
         with:
           path: |
@@ -28,10 +28,10 @@ jobs:
             ~/.cargo/registry/cache/
             ~/.cache/cargo-supply-chain/
           key: cargo-supply-chain-cache
-      - name: Install stable toolchain # Cargo-supply-chain is incompatible with older versions
+      - name: Install nightly toolchain
         run: |
-          rustup toolchain install stable
-          rustup default stable
+          rustup toolchain install nightly
+          rustup override set nightly
       - uses: actions/cache@v4
         with:
           path: ${{ runner.tool_cache }}/cargo-supply-chain
@@ -39,7 +39,7 @@ jobs:
       - name: Add the tool cache directory to the search path
         run: echo "${{ runner.tool_cache }}/cargo-supply-chain/bin" >> $GITHUB_PATH
       - name: Ensure that the tool cache is populated with the cargo-supply-chain binary
-        run: cargo +stable install --root ${{ runner.tool_cache }}/cargo-supply-chain cargo-supply-chain
+        run: cargo install --root ${{ runner.tool_cache }}/cargo-supply-chain cargo-supply-chain
       - name: Update data for cargo-supply-chain
         run: cargo supply-chain update
       - name: Generate cargo-supply-chain report about publishers
@@ -53,7 +53,9 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
       - uses: actions/cache@v4
         with:
           path: |
@@ -61,10 +63,10 @@ jobs:
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
           key: cargo-vet-cache
-      - name: Install stable toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
+      - name: Install nightly toolchain
         run: |
-          rustup toolchain install stable
-          rustup default stable
+          rustup toolchain install nightly
+          rustup override set nightly
       - uses: actions/cache@v4
         with:
           path: ${{ runner.tool_cache }}/cargo-vet
@@ -72,24 +74,104 @@ jobs:
       - name: Add the tool cache directory to the search path
         run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
       - name: Ensure that the tool cache is populated with the cargo-vet binary
-        run: cargo +stable install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
-      - name: Regenerate vet exemptions for dependabot PRs
-        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
-        run: cargo vet regenerate exemptions
-      - name: Check for changes in case of dependabot PR
-        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
-        run: git diff --exit-code || echo "Changes detected, committing..."
-      - name: Commit and push changes for dependabot PRs
-        if: success() && github.actor == 'dependabot[bot]'
+        run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
+      - name: Check which event triggered this CI run, a push or a pull request.
         run: |
-          git fetch origin ${{ github.head_ref }}
-          git switch ${{ github.head_ref }}
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions@github.com"
-          git add supply-chain/*
-          git commit -m "Regenerate cargo vet exemptions"
-          git push origin ${{ github.head_ref }}
+          EVENT_NAME="${{ github.event_name }}"
+          IS_PR="false"
+          IS_PUSH="false"
+          if [[ "$EVENT_NAME" == "pull_request" ]]; then
+            echo "This CI run was triggered in the context of a pull request."
+            IS_PR="true"
+          elif [[ "$EVENT_NAME" == "push" ]]; then
+            echo "This CI run was triggered in the context of a push."
+            IS_PUSH="true"
+          else
+            echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+            exit 1
+          fi
+          echo "IS_PR=$IS_PR" >> $GITHUB_ENV
+          echo "IS_PUSH=$IS_PUSH" >> $GITHUB_ENV
+        shell: bash
+      - name: Check if last commit was by Dependabot
+        run: |
+          # Depending on the trigger for, the relevant commit has to be deduced differently.
+          if [[ "$IS_PR" == true ]]; then
+            # This is the commit ID for the last commit to the head branch of the pull request.
+            # If we used github.sha here instead, it would point to a merge commit between the PR and the main branch, which is only created for the CI run.
+            SHA="${{ github.event.pull_request.head.sha }}"
+            REF="${{ github.head_ref }}"
+          elif [[ "$IS_PUSH" == "true" ]]; then
+            SHA="${{ github.sha }}" # This is the last commit to the branch.
+            REF=${GITHUB_REF#refs/heads/}
+          else
+            echo "ERROR: This action only supports pull requests and push events as triggers. Exiting with error."
+            exit 1
+          fi
+          echo "Commit SHA is $SHA"
+          echo "Branch is $REF"
+          echo "REF=$REF" >> $GITHUB_ENV
+
+          COMMIT_AUTHOR=$(gh api repos/${{ github.repository }}/commits/$SHA --jq .author.login) # .author.login might be null, but for dependabot it will always be there and cannot be spoofed in contrast to .commit.author.name
+          echo "The author of the last commit is $COMMIT_AUTHOR"
+          if [[ "$COMMIT_AUTHOR" == "dependabot[bot]" ]]; then
+            echo "The last commit was made by dependabot"
+            LAST_COMMIT_IS_BY_DEPENDABOT=true
+          else
+            echo "The last commit was made by $COMMIT_AUTHOR not by dependabot"
+            LAST_COMMIT_IS_BY_DEPENDABOT=false
+          fi
+          echo "LAST_COMMIT_IS_BY_DEPENDABOT=$LAST_COMMIT_IS_BY_DEPENDABOT" >> $GITHUB_ENV
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+      - name: Check if the last commit's message ends in "--regenerate-exemptions"
+        run: |
+          # Get commit message
+          COMMIT_MESSAGE=$(git log -1 --pretty=format:"%s")
+          if [[ "$COMMIT_MESSAGE" == *"--regenerate-exemptions" ]]; then
+            echo "The last commit message ends in --regenerate-exemptions"
+            REGEN_EXEMP=true
+          else
+            echo "The last commit message does not end in --regenerate-exemptions"
+            REGEN_EXEMP=false
+          fi
+          echo "REGEN_EXEMP=$REGEN_EXEMP" >> $GITHUB_ENV
+        shell: bash
+      - name: Check if the CI run happens in the context of a dependabot PR # Even if a PR is created by dependabot, the last commit can, and often should be, the regeneration of the cargo vet exemptions. It could also be from an individual making manual changes.
+        run: |
+          IN_DEPENDABOT_PR_CONTEXT="false"
+          if [[ $IS_PR == "true" && "${{ github.event.pull_request.user.login }}" == "dependabot[bot]" ]]; then
+            IN_DEPENDABOT_PR_CONTEXT="true"
+            echo "This CI run is in the context of PR by dependabot."
+          else
+            echo "This CI run is NOT in the context of PR by dependabot."
+            IN_DEPENDABOT_PR_CONTEXT="false"
+          fi
+          echo "IN_DEPENDABOT_PR_CONTEXT=$IN_DEPENDABOT_PR_CONTEXT" >> $GITHUB_ENV
+        shell: bash
+      - uses: actions/checkout@v5
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true'
+        with:
+          token: ${{ secrets.CI_BOT_PAT }}
+      - name: In case of a dependabot PR, ensure that we are not in a detached HEAD state
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true'
+        run: |
+          git fetch origin $REF # ensure that we are up to date.
+          git switch $REF # ensure that we are NOT in a detached HEAD state. This is important for the commit action in the end
+        shell: bash
+      - name: Regenerate cargo vet exemptions if we are in the context of a PR created by dependabot and the last commit is by dependabot or a regeneration of cargo vet exemptions was explicitly requested.
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true' && (env.LAST_COMMIT_IS_BY_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true') # Run only for Dependabot PRs or if specifically requested
+        run: cargo vet regenerate exemptions
+      - name: Commit and push changes if we are in the context of a PR created by dependabot and the last commit is by dependabot or a regeneration of cargo vet exemptions was explicitly requested.
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true' && (env.LAST_COMMIT_IS_BY_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true')
+        uses: stefanzweifel/git-auto-commit-action@v6
+        with:
+          commit_message: Regenerate cargo vet exemptions
+          commit_user_name: rosenpass-ci-bot[bot]
+          commit_user_email: noreply@rosenpass.eu
+          commit_author: Rosenpass CI Bot <noreply@rosenpass.eu>
+        env:
+          GITHUB_TOKEN: ${{ secrets.CI_BOT_PAT }}
       - name: Invoke cargo-vet
         run: cargo vet --locked

Cargo.lock

@@ -110,9 +110,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.96"
+version = "1.0.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b964d184e89d9b6b67dd2715bc8e74cf3107fb2b529990c90cf517326150bf4"
+checksum = "e16d2d3311acee920a9eb8d33b8cbc1787ce4a264e85f964c2404b969bdcd487"
 dependencies = [
  "backtrace",
 ]
@@ -126,6 +126,34 @@ dependencies = [
  "derive_arbitrary",
 ]
 
+[[package]]
+name = "assert_tv"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4aa42a8e0531efffd0fe96c6feef83221dc673c34b4ba2c2c9cbcd499511acba"
+dependencies = [
+ "anyhow",
+ "assert_tv_macros",
+ "base64",
+ "log",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "toml",
+ "zstd",
+]
+
+[[package]]
+name = "assert_tv_macros"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c7b50043d3ecb7bc6e5e60dc6704757b7f9a9903d2c5ca13f8d62d494c68333"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.98",
+]
+
 [[package]]
 name = "atomic-polyfill"
 version = "1.0.3"
@@ -157,6 +185,12 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
 [[package]]
 name = "base64ct"
 version = "1.6.0"
@@ -178,7 +212,7 @@ version = "0.68.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "726e4313eb6ec35d2730258ad4e15b547ee75d6afaa1361a922e78e59b7d8078"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.3",
  "cexpr",
  "clang-sys",
  "lazy_static",
@@ -203,9 +237,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 
 [[package]]
 name = "bitflags"
-version = "2.8.0"
+version = "2.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f68f53c83ab957f72c32642f3868eec03eb974d1fb82e453128456482613d36"
+checksum = "34efbcccd345379ca2868b2b2c9d3782e9cc58ba87bc7d79d5b53d9c9ae6f25d"
 
 [[package]]
 name = "blake2"
@@ -408,9 +442,9 @@ checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6"
 
 [[package]]
 name = "clap_mangen"
-version = "0.2.24"
+version = "0.2.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fbae9cbfdc5d4fa8711c09bd7b83f644cb48281ac35bf97af3e47b0675864bdf"
+checksum = "27b4c3c54b30f0d9adcb47f25f61fcce35c4dd8916638c6b82fbd5f4fb4179e2"
 dependencies = [
  "clap",
  "roff",
@@ -784,9 +818,9 @@ checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
 
 [[package]]
 name = "errno"
-version = "0.3.10"
+version = "0.3.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d"
+checksum = "778e2ac28f6c47af28e4907f13ffd1e1ddbd400980a9abd7c8df189bf578a5ad"
 dependencies = [
  "libc",
  "windows-sys 0.59.0",
@@ -1153,6 +1187,17 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "io-uring"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d93587f37623a1a17d94ef2bc9ada592f5465fe7732084ab7beefabe5c77c0c4"
+dependencies = [
+ "bitflags 2.9.3",
+ "cfg-if",
+ "libc",
+]
+
 [[package]]
 name = "ipc-channel"
 version = "0.18.3"
@@ -1246,9 +1291,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
 
 [[package]]
 name = "libc"
-version = "0.2.169"
+version = "0.2.174"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
+checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776"
 
 [[package]]
 name = "libcrux"
@@ -1383,9 +1428,9 @@ dependencies = [
 
 [[package]]
 name = "libfuzzer-sys"
-version = "0.4.9"
+version = "0.4.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf78f52d400cf2d84a3a973a78a592b4adc535739e0a5597a0da6f0c357adc75"
+checksum = "5037190e1f70cbeef565bd267599242926f724d3b8a9f510fd7e0b540cfa4404"
 dependencies = [
  "arbitrary",
  "cc",
@@ -1408,7 +1453,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34"
 dependencies = [
  "cfg-if",
- "windows-targets 0.48.5",
+ "windows-targets 0.52.6",
 ]
 
 [[package]]
@@ -1429,9 +1474,9 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.26"
+version = "0.4.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30bde2b3dc3671ae49d8e2e9f044c7c005836e7a023ee57cffa25ab82764bb9e"
+checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"
 
 [[package]]
 name = "memchr"
@@ -1628,7 +1673,7 @@ version = "0.27.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2eb04e9c688eff1c89d72b407f168cf79bb9e867a9d3323ed6c01519eb9cc053"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.3",
  "cfg-if",
  "libc",
 ]
@@ -1920,7 +1965,7 @@ checksum = "3779b94aeb87e8bd4e834cee3650289ee9e0d5677f976ecdb6d219e5f4f6cd94"
 dependencies = [
  "rand_chacha 0.9.0",
  "rand_core 0.9.3",
- "zerocopy 0.8.24",
+ "zerocopy 0.8.27",
 ]
 
 [[package]]
@@ -1987,7 +2032,7 @@ version = "0.5.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "82b568323e98e49e2a0899dcee453dd679fae22d69adf9b11dd508d1549b7e2f"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.3",
 ]
 
 [[package]]
@@ -2030,6 +2075,8 @@ name = "rosenpass"
 version = "0.3.0-dev"
 dependencies = [
  "anyhow",
+ "assert_tv",
+ "base64",
  "clap",
  "clap_complete",
  "clap_mangen",
@@ -2057,8 +2104,10 @@ dependencies = [
  "rosenpass-wireguard-broker",
  "rustix",
  "serde",
+ "serde_json",
  "serial_test",
  "signal-hook",
+ "signal-hook-mio",
  "stacker",
  "static_assertions",
  "tempfile",
@@ -2066,7 +2115,7 @@ dependencies = [
  "thiserror 1.0.69",
  "toml",
  "uds",
- "zerocopy 0.7.35",
+ "zerocopy 0.8.27",
  "zeroize",
 ]
 
@@ -2141,6 +2190,38 @@ dependencies = [
  "rosenpass-util",
 ]
 
+[[package]]
+name = "rosenpass-rp"
+version = "0.2.1"
+dependencies = [
+ "anyhow",
+ "base64ct",
+ "ctrlc-async",
+ "env_logger",
+ "futures",
+ "futures-util",
+ "genetlink",
+ "libc",
+ "log",
+ "netlink-packet-core",
+ "netlink-packet-generic",
+ "netlink-packet-wireguard",
+ "rosenpass",
+ "rosenpass-cipher-traits",
+ "rosenpass-ciphers",
+ "rosenpass-secret-memory",
+ "rosenpass-util",
+ "rosenpass-wireguard-broker",
+ "rtnetlink",
+ "serde",
+ "stacker",
+ "tempfile",
+ "tokio",
+ "toml",
+ "x25519-dalek",
+ "zeroize",
+]
+
 [[package]]
 name = "rosenpass-secret-memory"
 version = "0.1.0"
@@ -2148,6 +2229,8 @@ dependencies = [
  "allocator-api2",
  "allocator-api2-tests",
  "anyhow",
+ "assert_tv",
+ "base64",
  "base64ct",
  "log",
  "memsec",
@@ -2155,6 +2238,8 @@ dependencies = [
  "rand 0.8.5",
  "rosenpass-to",
  "rosenpass-util",
+ "serde",
+ "serde_json",
  "tempfile",
  "zeroize",
 ]
@@ -2172,15 +2257,23 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "base64ct",
+ "bitflags 2.9.3",
+ "errno",
+ "libc",
  "libcrux-test-utils",
+ "log",
  "mio",
+ "num-traits",
+ "rosenpass-to",
  "rustix",
  "static_assertions",
  "tempfile",
  "thiserror 1.0.69",
+ "tinyvec",
+ "tokio",
  "typenum",
  "uds",
- "zerocopy 0.7.35",
+ "zerocopy 0.8.27",
  "zeroize",
 ]
 
@@ -2205,36 +2298,7 @@ dependencies = [
  "thiserror 1.0.69",
  "tokio",
  "wireguard-uapi",
- "zerocopy 0.7.35",
-]
-
-[[package]]
-name = "rp"
-version = "0.2.1"
-dependencies = [
- "anyhow",
- "base64ct",
- "ctrlc-async",
- "futures",
- "futures-util",
- "genetlink",
- "netlink-packet-core",
- "netlink-packet-generic",
- "netlink-packet-wireguard",
- "rosenpass",
- "rosenpass-cipher-traits",
- "rosenpass-ciphers",
- "rosenpass-secret-memory",
- "rosenpass-util",
- "rosenpass-wireguard-broker",
- "rtnetlink",
- "serde",
- "stacker",
- "tempfile",
- "tokio",
- "toml",
- "x25519-dalek",
- "zeroize",
+ "zerocopy 0.8.27",
 ]
 
 [[package]]
@@ -2282,7 +2346,7 @@ version = "0.38.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fdb5bc1ae2baa591800df16c9ca78619bf65c0488b41b96ccec5d11220d8c154"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.3",
  "errno",
  "libc",
  "linux-raw-sys",
@@ -2359,9 +2423,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.139"
+version = "1.0.140"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44f86c3acccc9c65b153fe1b85a3be07fe5515274ec9f0653b4a0875731c72a6"
+checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373"
 dependencies = [
  "itoa",
  "memchr",
@@ -2378,6 +2442,19 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "serde_yaml"
+version = "0.9.34+deprecated"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
+dependencies = [
+ "indexmap",
+ "itoa",
+ "ryu",
+ "serde",
+ "unsafe-libyaml",
+]
+
 [[package]]
 name = "serial_test"
 version = "3.2.0"
@@ -2421,14 +2498,25 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
 
 [[package]]
 name = "signal-hook"
-version = "0.3.17"
+version = "0.3.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8621587d4798caf8eb44879d42e56b9a93ea5dcd315a6487c357130095b62801"
+checksum = "d881a16cf4426aa584979d30bd82cb33429027e42122b169753d6ef1085ed6e2"
 dependencies = [
  "libc",
  "signal-hook-registry",
 ]
 
+[[package]]
+name = "signal-hook-mio"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34db1a06d485c9142248b7a054f034b349b212551f3dfd19c94d45a754a217cd"
+dependencies = [
+ "libc",
+ "mio",
+ "signal-hook",
+]
+
 [[package]]
 name = "signal-hook-registry"
 version = "1.4.2"
@@ -2461,12 +2549,12 @@ checksum = "7fcf8323ef1faaee30a44a340193b1ac6814fd9b7b4e88e9d4519a3e4abe1cfd"
 
 [[package]]
 name = "socket2"
-version = "0.5.8"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8"
+checksum = "233504af464074f9d066d7b5416c5f9b894a5862a6506e306f7b816cdd6f1807"
 dependencies = [
  "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -2486,9 +2574,9 @@ checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
 
 [[package]]
 name = "stacker"
-version = "0.1.19"
+version = "0.1.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9156ebd5870ef293bfb43f91c7a74528d363ec0d424afe24160ed5a4343d08a"
+checksum = "cddb07e32ddb770749da91081d8d0ac3a16f1a569a18b20348cd371f5dead06b"
 dependencies = [
  "cc",
  "cfg-if",
@@ -2629,21 +2717,29 @@ dependencies = [
 ]
 
 [[package]]
-name = "tokio"
-version = "1.44.2"
+name = "tinyvec"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6b88822cbe49de4185e3a4cbf8321dd487cf5fe0c5c65695fef6346371e9c48"
+checksum = "bfa5fdc3bce6191a1dbc8c02d5c8bffcf557bafa17c124c5264a458f1b0613fa"
+
+[[package]]
+name = "tokio"
+version = "1.47.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "43864ed400b6043a4757a25c7a64a8efde741aed79a056a2fb348a406701bb35"
 dependencies = [
  "backtrace",
  "bytes",
+ "io-uring",
  "libc",
  "mio",
  "parking_lot",
  "pin-project-lite",
  "signal-hook-registry",
+ "slab",
  "socket2",
  "tokio-macros",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -2722,6 +2818,12 @@ dependencies = [
  "subtle",
 ]
 
+[[package]]
+name = "unsafe-libyaml"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
+
 [[package]]
 name = "utf8parse"
 version = "0.2.2"
@@ -3186,7 +3288,7 @@ version = "0.33.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3268f3d866458b787f390cf61f4bbb563b922d091359f9608842999eaee3943c"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.3",
 ]
 
 [[package]]
@@ -3213,11 +3315,11 @@ dependencies = [
 
 [[package]]
 name = "zerocopy"
-version = "0.8.24"
+version = "0.8.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2586fea28e186957ef732a5f8b3be2da217d65c5969d4b1e17f973ebbe876879"
+checksum = "0894878a5fa3edfd6da3f88c4805f4c8558e2b996227a3d864f47fe11e38282c"
 dependencies = [
- "zerocopy-derive 0.8.24",
+ "zerocopy-derive 0.8.27",
 ]
 
 [[package]]
@@ -3233,9 +3335,9 @@ dependencies = [
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.24"
+version = "0.8.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a996a8f63c5c4448cd959ac1bab0aaa3306ccfd060472f85943ee0750f0169be"
+checksum = "88d2b8d9c68ad2b9e4340d7832716a4d21a22a1154777ad56ea55c51a9cf3831"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3261,3 +3363,31 @@ dependencies = [
  "quote",
  "syn 2.0.98",
 ]
+
+[[package]]
+name = "zstd"
+version = "0.13.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e91ee311a569c327171651566e07972200e76fcfe2242a4fa446149a3881c08a"
+dependencies = [
+ "zstd-safe",
+]
+
+[[package]]
+name = "zstd-safe"
+version = "7.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f49c4d5f0abb602a93fb8736af2a4f4dd9512e36f7f570d66e65ff867ed3b9d"
+dependencies = [
+ "zstd-sys",
+]
+
+[[package]]
+name = "zstd-sys"
+version = "2.0.15+zstd.1.5.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eb81183ddd97d0c74cedf1d50d85c8d08c1b8b68ee863bdee9e706eedba1a237"
+dependencies = [
+ "cc",
+ "pkg-config",
+]

Cargo.toml

@@ -46,14 +46,16 @@ memsec = { git = "https://github.com/rosenpass/memsec.git", rev = "aceb9baee8aec
 ] }
 rand = "0.8.5"
 typenum = "1.17.0"
-log = { version = "0.4.22" }
+log = { version = "0.4.27" }
 clap = { version = "4.5.23", features = ["derive"] }
-clap_mangen = "0.2.24"
+clap_mangen = "0.2.29"
 clap_complete = "4.5.40"
 serde = { version = "1.0.217", features = ["derive"] }
 arbitrary = { version = "1.4.1", features = ["derive"] }
-anyhow = { version = "1.0.95", features = ["backtrace", "std"] }
+anyhow = { version = "1.0.98", features = ["backtrace", "std"] }
 mio = { version = "1.0.3", features = ["net", "os-poll"] }
+signal-hook-mio = { version = "0.2.4", features = ["support-v1_0"] }
+signal-hook = "0.3.17"
 oqs-sys = { version = "0.9.1", default-features = false, features = [
   'classic_mceliece',
   'kyber',
@@ -64,10 +66,10 @@ chacha20poly1305 = { version = "0.10.1", default-features = false, features = [
   "std",
   "heapless",
 ] }
-zerocopy = { version = "0.7.35", features = ["derive"] }
+zerocopy = { version = "0.8.27", features = ["derive"] }
 home = "=0.5.9" # 5.11 requires rustc 1.81
 derive_builder = "0.20.1"
-tokio = { version = "1.42", features = ["macros", "rt-multi-thread"] }
+tokio = { version = "1.46", features = ["macros", "rt-multi-thread"] }
 postcard = { version = "1.1.1", features = ["alloc"] }
 libcrux = { version = "0.0.2-pre.2" }
 libcrux-chacha20poly1305 = { version = "0.0.2-beta.3" }
@@ -78,19 +80,23 @@ hex-literal = { version = "0.4.1" }
 hex = { version = "0.4.3" }
 heck = { version = "0.5.0" }
 libc = { version = "0.2" }
+errno = { version = "0.3.13" }
 uds = { git = "https://github.com/rosenpass/uds" }
-signal-hook = "0.3.17"
 lazy_static = "1.5"
 
 #Dev dependencies
+assert_tv = { version = "0.6.4" }
+base64 = { version = "0.22.1" }
 serial_test = "3.2.0"
 tempfile = "3"
-stacker = "0.1.17"
+stacker = "0.1.21"
 libfuzzer-sys = "0.4"
 test_bin = "0.4.0"
 criterion = "0.5.1"
 allocator-api2-tests = "0.2.15"
 procspawn = { version = "1.0.1", features = ["test-support"] }
+serde_json = { version = "1.0.140" }
+bitflags = "2.9.3"
 
 #Broker dependencies (might need cleanup or changes)
 wireguard-uapi = { version = "3.0.0", features = ["xplatform"] }

analysis/03_identity_hiding_initiator.entry.mpv

@@ -1,25 +0,0 @@
-#define INITIATOR_TEST 1
-
-#include "rosenpass/03_identity_hiding.mpv"
-
-// nounif a:Atom, s:seed, a2:Atom;
-// 	ConsumeSeed(a, s, a2) / 6300[conclusion].
-
-nounif v:seed_prec;   attacker(prepare_seed(trusted_seed( v )))/6217[hypothesis].
-nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
-nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
-nounif v:key_prec;    attacker(prepare_key(trusted_key( v )))/6213[hypothesis].
-nounif v:kem_sk_prec; attacker(prepare_kem_sk(trusted_kem_sk( v )))/6212[hypothesis].
-nounif v:key;         attacker(prepare_key( v ))/6211[hypothesis].
-nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].
-nounif Spk:kem_sk_tmpl;
-  attacker(Creveal_kem_pk(Spk))/6110[conclusion].
-nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-  attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr ))/6109[conclusion].
-nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-  attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/6108[conclusion].
-nounif rh:RespHello_t;
-  attacker(Cresp_hello( *rh ))/6107[conclusion].
-nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-  attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/6106[conclusion].

analysis/03_identity_hiding_responder.entry.mpv

@@ -1,96 +0,0 @@
-#define RESPONDER_TEST 1
-
-#include "rosenpass/03_identity_hiding.mpv"
-
-// select k:kem_pk,ih: InitHello_t;         attacker(prf(prf(prf(prf(key0, PROTOCOL), MAC), kem_pk2b(k) ), IH2b(ih))) phase 1/6300[hypothesis].
-
-// select epki:kem_pk, sctr:bits, pidiC:bits, auth:bits, epki2:kem_pk, sctr2:bits, pidiC2:bits, auth2:bits;
-// 	mess(D, prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pk2b(kem_pub(trusted_kem_sk(responder1)))),
-// 			IH2b(InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth)))
-// 		) [hypothesis, conclusion].
-
-// select epki:kem_pk, sctr:bits, pidiC:bits, auth:bits, epki2:kem_pk, sctr2:bits, pidiC2:bits, auth2:bits;
-// attacker(choice[prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pk2b(kem_pub(trusted_kem_sk(responder1)))),
-// 		IH2b(InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth))),
-
-// 		prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pk2b(kem_pub(trusted_kem_sk(responder2)))),
-// 				IH2b(InitHello(secure_sidi, *epki2, *sctr2, *pidiC2, *auth2)))]
-// 	) [hypothesis, conclusion].
-
-// select 
-// attacker(prf(prf(key0,PROTOCOL),MAC)) [hypothesis, conclusion].
-
-// select 
-// attacker(prf(key0,PROTOCOL)) [conclusion].
-
-// select  
-// attacker(key0) [conclusion].
-
-// select  
-// attacker(PROTOCOL) [conclusion].
-
-// select 
-// attacker(kem_pub(trusted_kem_sk(responder1))) /9999 [hypothesis, conclusion].
-
-// select 
-// attacker(kem_pub(trusted_kem_sk(responder2))) /9999 [hypothesis, conclusion].
-
-// nounif ih:InitHello_t;
-// 	attacker(ih) / 9999 [hypothesis].
-
-// nounif rh:RespHello_t;
-// 	attacker(rh) / 9999 [hypothesis].
-
-// nounif ic:InitConf_t;
-// 	attacker(ic) / 9999 [hypothesis].
-
-// nounif k:key;
-// attacker(ck_hs_enc( *k )) [hypothesis, conclusion].
-
-// nounif k:key;
-// attacker(ck_hs_enc( *k )) phase 1   [hypothesis, conclusion].
-
-// nounif k:key, b:bits;
-// attacker(ck_mix( *k , *b ))   [hypothesis, conclusion].
-
-// nounif k:key, b:bits;
-// attacker(ck_mix( *k , *b ))phase 1   [hypothesis, conclusion].
-
-// // select k:kem_pk, epki2:kem_pk, sctr2:bits, pidiC2:bits, auth2:bits, epki:kem_pk, sctr:bits, pidiC:bits, auth:bits;
-// // attacker(choice[Envelope(prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pub(trusted_kem_sk(responder1))),
-// // 	InitHello(secure_sidi, *epki2, *sctr2, *pidiC2, *auth2)
-// // 	), InitHello(secure_sidi, *epki2, *sctr2, *pidiC2, *auth2))
-// // 	Envelope(prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pub(trusted_kem_sk(responder2))),
-// // 		InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth)),
-// // 		InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth))
-// // 	]) / 9999[hypothesis, conclusion].
-
-// nounif k:key, b1:bits, b2:bits;
-// 	attacker(xaead_enc( *k, *b1, *b2)) / 9999[hypothesis,conclusion].
-
-// nounif pk:kem_pk, k:key; 
-// 	attacker(kem_enc( *pk , *k )) / 9999[hypothesis,conclusion].
-
-// nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-//   attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/9999[hypothesis, conclusion].
-// nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-//   attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/9999[hypothesis, conclusion].
-// nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-//   attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr )) /9999 [hypothesis, conclusion].
-
-// nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-//   mess(C, Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/9999[hypothesis, conclusion].
-// nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-//   mess(C, Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/9999[hypothesis, conclusion].
-// nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-//   mess(C, Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr )) /9999 [hypothesis, conclusion].
-// nounif rh:RespHello_t;
-//   attacker(Cresp_hello( *rh ))[conclusion].
-// nounif v:seed_prec;   attacker(prepare_seed(trusted_seed( v )))/6217[hypothesis].
-// nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-// nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
-// nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
-// nounif v:key_prec;    attacker(prepare_key(trusted_key( v )))/6213[hypothesis].
-// nounif v:kem_sk_prec; attacker(prepare_kem_sk(trusted_kem_sk( v )))/6212[hypothesis].
-// nounif v:key;         attacker(prepare_key( v ))/6211[hypothesis].
-// nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].

analysis/03_identity_hiding_test.entry.mpv

@@ -1,29 +0,0 @@
-#define INITIATOR_TEST 1
-#define CUSTOM_MAIN 1
-
-#include "rosenpass/03_identity_hiding.mpv"
-
-let Oinitiator_bad_actor_inner(sk_tmp:kem_sk_prec) =
-
-  in(C, Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr));
-
-  #if RANDOMIZED_CALL_IDS
-    new call:Atom;
-  #else
-    call <- Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr);
-  #endif
-
-  in(C, last_cookie:key);
-  tmpl <- make_trusted_kem_sk(sk_tmp);
-  out(C, setup_kem_sk(tmpl));
-  Oinitiator_inner(sidi, Ssskm, Spsk, tmpl, Seski, Ssptr, last_cookie, C, call).
-
-let Oinitiator_bad_actor() =
-  Oinitiator_bad_actor_inner(responder1) | Oinitiator_bad_actor_inner(responder2) | Oinitiator_bad_actor_inner(initiator1) | Oinitiator_bad_actor_inner(initiator2).
-
-
-let identity_hiding_main2() = 
-  0 | Oinitiator_bad_actor() | rosenpass_main2() | participants_communication() | phase 1; secretCommunication().
-
-
-let main = identity_hiding_main2.

analysis/04_dos_protection.entry.mpv

@@ -1,136 +0,0 @@
-#define CHAINING_KEY_EVENTS 1
-#define MESSAGE_TRANSMISSION_EVENTS 0
-#define SESSION_START_EVENTS 0
-#define RANDOMIZED_CALL_IDS 0
-#define COOKIE_EVENTS 1
-#define KEM_EVENTS 1
-
-#include "config.mpv"
-#include "prelude/basic.mpv"
-#include "crypto/key.mpv"
-#include "crypto/kem.mpv"
-#include "rosenpass/handshake_state.mpv"
-
-/* The cookie data structure is implemented based on the WireGuard protocol.
- * The ip and port is based purely on the public key and the implementation of the private cookie key is intended to mirror the biscuit key.
- * The code tests the response to a possible DOS attack by setting up alternative branches for the protocol
- * processes: Oinit_conf, Oinit_hello and resp_hello to simulate what happens when the responder or initiator is overloaded.
- * When under heavy load a valid cookie is required. When such a cookie is not present a cookie message is sent as a response.
- * Queries then test to make sure that expensive KEM operations are only conducted after a cookie has been successfully validated.
- */
-
-type CookieMsg_t.
-fun CookieMsg(
-  SessionId,  // sender
-  bits,     // nonce
-  bits      // cookie
-) : CookieMsg_t [data].
-
-#define COOKIE_EVENTS(eventLbl) \
-  COOKIE_EV(event MCAT(eventLbl, _UnderLoadEV) (SessionId, SessionId, Atom).)   \
-  COOKIE_EV(event MCAT(eventLbl, _CookieValidated) (SessionId, SessionId, Atom).)   \
-  COOKIE_EV(event MCAT(eventLbl, _CookieSent) (SessionId, SessionId, Atom, CookieMsg_t).)
-
-fun cookie_key(kem_sk) : key [private].
-fun ip_and_port(kem_pk):bits.
-letfun create_mac2_key(sskm:kem_sk, spkt:kem_pk) = prf(cookie_key(sskm), ip_and_port(spkt)).
-letfun create_cookie(sskm:kem_sk, spkm:kem_pk, spkt:kem_pk, nonce:bits, msg:bits) = xaead_enc(lprf2(COOKIE, kem_pk2b(spkm), nonce),
-    k2b(create_mac2_key(sskm, spkm)), msg).
-
-#define COOKIE_PROCESS(eventLbl, innerFunc) \
-  new nonce:bits; \
-  in(C, Ccookie(mac1, mac2)); \
-  COOKIE_EV(event MCAT(eventLbl, _UnderLoadEV) (sidi, sidr, call);)  \
-  msgB <- Envelope(mac1, msg); \
-  mac2_key <- create_mac2_key(sskm, spkt); \
-  if k2b(create_mac2(mac2_key, msgB)) = mac2 then  \
-    COOKIE_EV(event MCAT(eventLbl, _CookieValidated) (sidi, sidr, call);)  \
-    innerFunc \
-  else \
-    cookie <- create_cookie(sskm, spkm, spkt, nonce, msg); \
-    cookie_msg <- CookieMsg(sidi, nonce, cookie); \
-    COOKIE_EV(event MCAT(eventLbl, _CookieSent) (sidi, sidr, call, cookie_msg);)  \
-    out(C, cookie_msg). \
-
-#include "rosenpass/oracles.mpv"
-
-#include "rosenpass/responder.macro"
-COOKIE_EVENTS(Oinit_conf)
-let Oinit_conf_underLoad() =
-  in(C, Cinit_conf(Ssskm, Spsk, Sspkt, ic));
-  in(C, last_cookie:bits);
-
-  msg <- IC2b(ic);
-  let InitConf(sidi, sidr, biscuit, auth) = ic in 
-
-  new call:Atom;
-
-  SETUP_HANDSHAKE_STATE()
-
-  COOKIE_PROCESS(Oinit_conf, Oinit_conf_inner(Ssskm, Spsk, Sspkt, ic, call))
-
-#include "rosenpass/responder.macro"
-COOKIE_EVENTS(Oinit_hello)
-let Oinit_hello_underLoad() =
-
-  in(C, Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih));
-  in(C, Oinit_hello_last_cookie:key);
-  new call:Atom;
-
-  msg <- IH2b(ih);
-  let InitHello(sidi, epki, sctr, pidic, auth) = ih in
-  SETUP_HANDSHAKE_STATE()
-
-  COOKIE_PROCESS(Oinit_hello, Oinit_hello_inner(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih, Oinit_hello_last_cookie, C, call))
-
-let rosenpass_dos_main() = 0
-  | !Oreveal_kem_pk
-  | REP(INITIATOR_BOUND, Oinitiator)
-  | REP(RESPONDER_BOUND, Oinit_hello)
-  | REP(RESPONDER_BOUND, Oinit_conf)
-  | REP(RESPONDER_BOUND, Oinit_hello_underLoad)
-  | REP(RESPONDER_BOUND, Oinit_conf_underLoad).
-
-let main = rosenpass_dos_main.
-
-select cookie:CookieMsg_t;         attacker(cookie)/6220[hypothesis].
-nounif v:key;         attacker(prepare_key( v ))/6217[hypothesis].
-nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
-nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
-nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].
-
-// nounif Spk:kem_sk_tmpl;
-//   attacker(Creveal_kem_pk(Spk))/6110[conclusion].
-// nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-//   attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr ))/6109[conclusion].
-// nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-//   attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/6108[conclusion].
-nounif rh:RespHello_t;
-  attacker(Cresp_hello( *rh ))/6107[conclusion].
-nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-  attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/6106[conclusion].
-
-@reachable "DOS protection: cookie sent"
-query sidi:SessionId, sidr:SessionId, call:Atom, cookieMsg:CookieMsg_t;
-  event (Oinit_hello_CookieSent(sidi, sidr, call, cookieMsg)).
-
-@lemma "DOS protection: Oinit_hello kem use when under load implies validated cookie"
-lemma sidi:SessionId, sidr:SessionId, call:Atom;
-event(Oinit_hello_UnderLoadEV(sidi, sidr, call))
-  && event(Oinit_hello_KemUse(sidi, sidr, call))
-  ==> event(Oinit_hello_CookieValidated(sidi, sidr, call)).
-
-@lemma "DOS protection: Oinit_conf kem use when under load implies validated cookie"
-lemma sidi:SessionId, sidr:SessionId, call:Atom;
-event(Oinit_conf_UnderLoadEV(sidi, sidr, call))
-  && event(Oinit_conf_KemUse(sidi, sidr, call))
-  ==> event(Oinit_conf_CookieValidated(sidi, sidr, call)).
-
-@lemma "DOS protection: Oresp_hello kem use when under load implies validated cookie"
-lemma sidi:SessionId, sidr:SessionId, call:Atom;
-event(Oresp_hello_UnderLoadEV(sidi, sidr, call))
-  && event(Oresp_hello_KemUse(sidi, sidr, call))
-  ==> event(Oresp_hello_CookieValidated(sidi, sidr, call)).
-

analysis/rosenpass/03_identity_hiding.mpv

@@ -58,7 +58,7 @@ let secure_init_hello(initiator: kem_sk_tmpl, sidi : SessionId, psk: key_tmpl, r
 
   new epkit:kem_pk;    // epki
   new sctrt:bits;      // sctr 
-  new pidiCt:bits;      // pidiC
+  new pidi_ct:bits;      // pidi_ct
   new autht:bits;       // auth
 
   NEW_TRUSTED_SEED(seski_trusted_seed)
@@ -70,9 +70,9 @@ let secure_init_hello(initiator: kem_sk_tmpl, sidi : SessionId, psk: key_tmpl, r
 
 let secure_resp_hello(initiator: kem_sk_tmpl, responder: kem_sk_tmpl, sidi:SessionId, sidr:SessionId, biscuit_no:Atom, psk:key_tmpl) =
 
-  in(D, InitHello(=secure_sidi, epki, sctr, pidiC, auth));
+  in(D, InitHello(=secure_sidi, epki, sctr, pidi_ct, auth));
 
-  ih <- InitHello(sidi, epki, sctr, pidiC, auth);
+  ih <- InitHello(sidi, epki, sctr, pidi_ct, auth);
   NEW_TRUSTED_SEED(septi_trusted_seed)
   NEW_TRUSTED_SEED(sspti_trusted_seed)
   new last_cookie:key;

analysis/rosenpass/cookie.mpv

@@ -19,7 +19,7 @@ fun CookieMsg(
   COOKIE_EV(event MCAT(eventLbl, _UnderLoadEV) (spkm, spkt, last_cookie);)	\
   msgB <- Envelope(mac1, RH2b(rh));	\
   mac2_key <- create_mac2_key(sskm, spkt)	\
-  let RespHello(sidi, sidr, ecti, scti, biscuit, auth) = rh in \
+  let RespHello(sidi, sidr, ecti, scti, biscuit_ct, auth) = rh in \
   if Envelope(mac2_key, msgB) = mac2 then	\
     COOKIE_EV(event MCAT(eventLbl, _CookieValidated) (spkm, last_cookie);)	\
     innerFunc	\

analysis/rosenpass/handshake_state.mpv

@@ -143,10 +143,10 @@ letfun ENCRYPT_AND_MIX(ct, pt) \
 // TODO: Migrate kems to use binary ciphertexts directly
 #define ENCAPS_AND_MIX(ct, pk, shk) \
   ct <- kem_enc(pk, shk);           \
-  MIX3(kem_pk2b(pk), ct, k2b(shk))
+  MIX3(kem_pk2b(pk), k2b(shk), ct)
 #define DECAPS_AND_MIX(sk, pk, ct) \
   DUMMY(shk) <- kem_dec(sk, ct);   \
-  MIX3(kem_pk2b(pk), ct, k2b(DUMMY(shk)))
+  MIX3(kem_pk2b(pk), k2b(DUMMY(shk)), ct)
 
 
 // biscuits

analysis/rosenpass/oracles.mpv

@@ -86,8 +86,8 @@ MTX_EV( event RHRjct(RespHello_t, key, kem_sk, kem_pk). )
 MTX_EV( event ICSent(RespHello_t, InitConf_t, key, kem_sk, kem_pk). )
 SES_EV( event InitiatorSession(RespHello_t, key). )
 let Oresp_hello(HS_DECL_ARGS) =
-  in(C, Cresp_hello(RespHello(sidr, =sidi, ecti, scti, biscuit, auth)));
-  rh <- RespHello(sidr, sidi, ecti, scti, biscuit, auth);
+  in(C, Cresp_hello(RespHello(sidr, =sidi, ecti, scti, biscuit_ct, auth)));
+  rh <- RespHello(sidr, sidi, ecti, scti, biscuit_ct, auth);
   /* try */ let ic = (
     ck_ini <- ck;
     RESPHELLO_CONSUME()
@@ -124,7 +124,7 @@ let Oinit_hello() =
   call <- Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih);
 #endif
   // TODO: This is ugly
-  let InitHello(sidi, epki, sctr, pidiC, auth) = ih in
+  let InitHello(sidi, epki, sctr, pidi_ct, auth) = ih in
   SETUP_HANDSHAKE_STATE()
   eski <- kem_sk0;
   epti <- rng_key(setup_seed(Septi)); // RHR4

analysis/rosenpass/protocol.mpv

@@ -7,7 +7,7 @@ fun InitHello(
   SessionId, // sidi
   kem_pk,    // epki
   bits,      // sctr 
-  bits,      // pidiC
+  bits,      // pidi_ct
   bits       // auth
 ) : InitHello_t [data].
 
@@ -17,16 +17,16 @@ fun InitHello(
   /* not handled here */                /* IHI3 */ \
   MIX2(sid2b(sidi), kem_pk2b(epki))     /* IHI4 */ \
   ENCAPS_AND_MIX(sctr, spkr, sptr)      /* IHI5 */ \
-  ENCRYPT_AND_MIX(pidiC, pidi)          /* IHI6 */ \
+  ENCRYPT_AND_MIX(pidi_ct, pidi)        /* IHI6 */ \
   MIX2(kem_pk2b(spki), k2b(psk))        /* IHI7 */ \
   ENCRYPT_AND_MIX(auth, empty)          /* IHI8 */ \
-  ih <- InitHello(sidi, epki, sctr, pidiC, auth);
+  ih <- InitHello(sidi, epki, sctr, pidi_ct, auth);
 
 #define INITHELLO_CONSUME()                       \
   ck <- lprf1(CK_INIT, kem_pk2b(spkr)); /* IHR1 */ \
   MIX2(sid2b(sidi), kem_pk2b(epki))     /* IHR4 */ \
   DECAPS_AND_MIX(sskr, spkr, sctr)      /* IHR5 */ \
-  DECRYPT_AND_MIX(pid, pidiC)           /* IHR6 */ \
+  DECRYPT_AND_MIX(pid, pidi_ct)         /* IHR6 */ \
   LOOKUP_SENDER(pid)                    /* IHR6 */ \
   MIX2(kem_pk2b(spki), k2b(psk))        /* IHR7 */ \
   DECRYPT_AND_MIX(DUMMY(empty), auth)
@@ -46,17 +46,17 @@ fun RespHello(
   MIX2(sid2b(sidr), sid2b(sidi))   /* RHR3 */ \
   ENCAPS_AND_MIX(ecti, epki, epti) /* RHR4 */ \
   ENCAPS_AND_MIX(scti, spki, spti) /* RHR5 */ \
-  STORE_BISCUIT(biscuit)           /* RHR6 */ \
+  STORE_BISCUIT(biscuit_ct)        /* RHR6 */ \
   ENCRYPT_AND_MIX(auth, empty)     /* RHR7 */ \
-  rh <- RespHello(sidr, sidi, ecti, scti, biscuit, auth);
+  rh <- RespHello(sidr, sidi, ecti, scti, biscuit_ct, auth);
 
 #define RESPHELLO_CONSUME()                                    \
-  let RespHello(sidr, sidi, ecti, scti, biscuit, auth) = rh in \
+  let RespHello(sidr, sidi, ecti, scti, biscuit_ct, auth) = rh in \
   /* not handled here */               /* RHI2 */ \
   MIX2(sid2b(sidr), sid2b(sidi))       /* RHI3 */ \
   DECAPS_AND_MIX(eski, epki, ecti)     /* RHI4 */ \
   DECAPS_AND_MIX(sski, spki, scti)     /* RHI5 */ \
-  MIX(biscuit)                         /* RHI6 */ \
+  MIX(biscuit_ct)                      /* RHI6 */ \
   DECRYPT_AND_MIX(DUMMY(empty), auth)  /* RHI7 */
 
 type InitConf_t.
@@ -70,11 +70,11 @@ fun InitConf(
 #define INITCONF_PRODUCE()                  \
   MIX2(sid2b(sidi), sid2b(sidr)) /* ICI3 */ \
   ENCRYPT_AND_MIX(auth, empty)   /* ICI4 */ \
-  ic <- InitConf(sidi, sidr, biscuit, auth);
+  ic <- InitConf(sidi, sidr, biscuit_ct, auth);
 
 #define INITCONF_CONSUME()                        \
-  let InitConf(sidi, sidr, biscuit, auth) = ic in \
-  LOAD_BISCUIT(biscuit_no, biscuit)   /* ICR1 */    \
+  let InitConf(sidi, sidr, biscuit_ct, auth) = ic in \
+  LOAD_BISCUIT(biscuit_no, biscuit_ct)/* ICR1 */    \
   ENCRYPT_AND_MIX(rh_auth, empty)     /* ICIR */    \
   ck_rh <- ck;                        /* ---- */ /* TODO: Move into oracles.mpv */ \
   MIX2(sid2b(sidi), sid2b(sidr))      /* ICR3 */    \

cipher-traits/src/primitives/keyed_hash.rs

@@ -40,7 +40,7 @@ pub struct InferKeyedHash<Static, const KEY_LEN: usize, const HASH_LEN: usize>
 where
     Static: KeyedHash<KEY_LEN, HASH_LEN>,
 {
-    pub _phantom_keyed_hasher: PhantomData<*const Static>,
+    pub _phantom_keyed_hasher: PhantomData<Static>,
 }
 
 impl<Static, const KEY_LEN: usize, const HASH_LEN: usize> InferKeyedHash<Static, KEY_LEN, HASH_LEN>

ciphers/src/hash_domain.rs

@@ -83,6 +83,33 @@ impl HashDomain {
         Ok(Self(new_key, self.1))
     }
 
+    /// Version of [Self::mix] that accepts an iterator and mixes all values from the iterator into
+    /// this hash domain.
+    ///
+    /// # Examples
+    ///
+    /// ```rust
+    /// use rosenpass_ciphers::{hash_domain::HashDomain, KeyedHash};
+    ///
+    /// let hasher = HashDomain::zero(KeyedHash::keyed_shake256());
+    /// assert_eq!(
+    ///     hasher.clone().mix(b"Hello")?.mix(b"World")?.into_value(),
+    ///     hasher.clone().mix_many([b"Hello", b"World"])?.into_value()
+    /// );
+    ///
+    /// Ok::<(), anyhow::Error>(())
+    /// ```
+    pub fn mix_many<I, T>(mut self, it: I) -> Result<Self>
+    where
+        I: IntoIterator<Item = T>,
+        T: AsRef<[u8]>,
+    {
+        for e in it {
+            self = self.mix(e.as_ref())?;
+        }
+        Ok(self)
+    }
+
     /// Creates a new [SecretHashDomain] by mixing in a new key `v`
     /// by calling [SecretHashDomain::invoke_primitive] with this
     /// [HashDomain]'s key as `k` and `v` as `d`.
@@ -161,6 +188,46 @@ impl SecretHashDomain {
         Self::invoke_primitive(self.0.secret(), v, self.1)
     }
 
+    /// Version of [Self::mix] that accepts an iterator and mixes all values from the iterator into
+    /// this hash domain.
+    ///
+    /// # Examples
+    ///
+    /// ```rust
+    /// use rosenpass_ciphers::{hash_domain::HashDomain, KeyedHash};
+    ///
+    /// rosenpass_secret_memory::secret_policy_use_only_malloc_secrets();
+    ///
+    /// let hasher = HashDomain::zero(KeyedHash::keyed_shake256());
+    /// assert_eq!(
+    ///     hasher
+    ///         .clone()
+    ///         .turn_secret()
+    ///         .mix(b"Hello")?
+    ///         .mix(b"World")?
+    ///         .into_secret()
+    ///         .secret(),
+    ///     hasher
+    ///         .clone()
+    ///         .turn_secret()
+    ///         .mix_many([b"Hello", b"World"])?
+    ///         .into_secret()
+    ///         .secret(),
+    /// );
+
+    /// Ok::<(), anyhow::Error>(())
+    /// ```
+    pub fn mix_many<I, T>(mut self, it: I) -> Result<Self>
+    where
+        I: IntoIterator<Item = T>,
+        T: AsRef<[u8]>,
+    {
+        for e in it {
+            self = self.mix(e.as_ref())?;
+        }
+        Ok(self)
+    }
+
     /// Creates a new [SecretHashDomain] by mixing in a new key `v`
     /// by calling [SecretHashDomain::invoke_primitive] with the key of this
     /// [HashDomainNamespace] as `k` and `v` as `d`.

docker/Dockerfile

@@ -1,9 +1,10 @@
 # syntax=docker/dockerfile:1
 
 ARG BASE_IMAGE=debian:bookworm-slim
+ARG CHEF_IMAGE=rust:slim-bookworm
 
 # Stage 1: Base image with cargo-chef installed
-FROM rust:latest AS chef
+FROM ${CHEF_IMAGE} AS chef
 RUN cargo install cargo-chef
 # install software required for liboqs-rust
 RUN apt-get update && apt-get install -y clang cmake && rm -rf /var/lib/apt/lists/*

flake.lock

@@ -18,6 +18,24 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "nix-vm-test": {
       "inputs": {
         "nixpkgs": [
@@ -38,6 +56,27 @@
         "type": "github"
       }
     },
+    "nix-vm-test_2": {
+      "inputs": {
+        "nixpkgs": [
+          "rosenpassOld",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734355073,
+        "narHash": "sha256-FfdPOGy1zElTwKzjgIMp5K2D3gfPn6VWjVa4MJ9L1Tc=",
+        "owner": "numtide",
+        "repo": "nix-vm-test",
+        "rev": "5948de39a616f2261dbbf4b6f25cbe1cbefd788c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-vm-test",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1728193676,
@@ -59,11 +98,58 @@
         "flake-utils": "flake-utils",
         "nix-vm-test": "nix-vm-test",
         "nixpkgs": "nixpkgs",
+        "rosenpassOld": "rosenpassOld",
+        "rust-overlay": "rust-overlay_2",
+        "treefmt-nix": "treefmt-nix_2"
+      }
+    },
+    "rosenpassOld": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nix-vm-test": "nix-vm-test_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
         "rust-overlay": "rust-overlay",
         "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1754748821,
+        "narHash": "sha256-mMggTZDC97lLvKNOLtDz3GBjjxXFD++e1s0RZsVH/vI=",
+        "owner": "rosenpass",
+        "repo": "rosenpass",
+        "rev": "916a9ebb7133f0b22057fb097a473217f261928a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rosenpass",
+        "repo": "rosenpass",
+        "rev": "916a9ebb7133f0b22057fb097a473217f261928a",
+        "type": "github"
       }
     },
     "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "rosenpassOld",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744513456,
+        "narHash": "sha256-NLVluTmK8d01Iz+WyarQhwFcXpHEwU7m5hH3YQQFJS0=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "730fd8e82799219754418483fabe1844262fd1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_2": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
@@ -98,7 +184,43 @@
         "type": "github"
       }
     },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "rosenpassOld",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1743748085,
+        "narHash": "sha256-uhjnlaVTWo5iD3LXics1rp9gaKgDRQj6660+gbUU3cE=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "815e4121d6a5d504c0f96e5be2dd7f871e4fd99d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt-nix_2": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"

flake.nix

@@ -13,6 +13,10 @@
 
     treefmt-nix.url = "github:numtide/treefmt-nix";
     treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
+
+    # Older version of rosenpass, referenced here for backwards compatibility
+    rosenpassOld.url = "github:rosenpass/rosenpass?rev=916a9ebb7133f0b22057fb097a473217f261928a";
+    rosenpassOld.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs =
@@ -23,6 +27,7 @@
       nix-vm-test,
       rust-overlay,
       treefmt-nix,
+      rosenpassOld,
       ...
     }@inputs:
     nixpkgs.lib.foldl (a: b: nixpkgs.lib.recursiveUpdate a b) { } [
@@ -181,9 +186,35 @@
                 rustfmt
               ];
             };
+            # a devshell to hunt unsafe `unsafe` in the code
+            devShells.miri = pkgs.mkShell {
+              # inputsFrom = [ self.packages.${system}.rosenpass ];
+              nativeBuildInputs = with pkgs; [
+                ((rust-bin.selectLatestNightlyWith (toolchain: toolchain.default)).override {
+                  extensions = [
+                    "rust-analysis"
+                    "rust-src"
+                    "miri-preview"
+                  ];
+                })
+                pkgs.cmake
+                pkgs.rustPlatform.bindgenHook
+              ];
+              # Run this to find unsafe `unsafe`:
+              # MIRIFLAGS="-Zmiri-disable-isolation" cargo miri test --no-fail-fast --lib --bins --tests
+              #
+              # - Some test failure is expected.
+            };
 
             checks =
-              {
+              import ./tests/integration/integration-checks.nix {
+                inherit system;
+                pkgs = inputs.nixpkgs;
+                lib = nixpkgs.lib;
+                rosenpassNew = self.packages.${system}.default;
+                rosenpassOld = rosenpassOld.packages.${system}.default;
+              }
+              // {
                 systemd-rosenpass = pkgs.testers.runNixOSTest ./tests/systemd/rosenpass.nix;
                 systemd-rp = pkgs.testers.runNixOSTest ./tests/systemd/rp.nix;
                 formatting = treefmtEval.config.build.check self;

papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.svg

@@ -1,191 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg width="100%" height="100%" viewBox="0 0 2037 1491" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.958104,0,0,0.883458,-169.743,-156.518)">
-        <rect id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51" style="fill:none;"/>
-        <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51"/>
-        </clipPath>
-        <g clip-path="url(#_clip1)">
-            <g transform="matrix(0.377816,0,0,0.318513,-62.5845,3.62207)">
-                <path d="M1608.99,599.153C1608.99,575.987 1594.37,557.179 1576.37,557.179L680.292,557.179C662.284,557.179 647.664,575.987 647.664,599.153L647.664,903.661C647.664,926.827 662.284,945.635 680.292,945.635L1576.37,945.635C1594.37,945.635 1608.99,926.827 1608.99,903.661L1608.99,599.153Z" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.11885,0,0,0.472336,1334.4,22.5297)">
-                <path d="M497.076,394.18L497.076,1793.56C497.076,1793.56 -810.094,1791.78 -810.094,1793.56L-810.094,2231.73L497.076,2231.73L497.076,3888.59" style="fill:none;stroke:rgb(255,166,48);stroke-width:15.37px;"/>
-            </g>
-            <g transform="matrix(1.10326,0,0,0.239529,-152.083,336.057)">
-                <g transform="matrix(0.946041,-0,-0,4.72559,298.433,-663.352)">
-                    <path d="M1597.09,252.781L1609.59,265.281L1597.09,277.781" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M209.973,265.281L1609.59,265.281" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,90.8277)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-323.596,-1172.27)">
-                <g transform="matrix(50,0,0,50,1497.15,1475.25)">
-                </g>
-                <text x="1302.95px" y="1475.25px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitHell<tspan x="1469.15px " y="1475.25px ">o</tspan></text>
-            </g>
-            <g transform="matrix(1.10157,0,0,0.239529,-151.245,1006.25)">
-                <g transform="matrix(0.947489,-0,-0,4.72559,298.129,-3461.31)">
-                    <path d="M1597.09,844.867L1609.59,857.367L1597.09,869.867" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M209.973,857.367L1609.59,857.367" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,752.344)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(0.19416,0,0,0.275328,1052.99,940.806)">
-                <path d="M1608.99,571.746C1608.99,563.706 1600.46,557.179 1589.95,557.179L666.712,557.179C656.199,557.179 647.664,563.706 647.664,571.746L647.664,931.068C647.664,939.108 656.199,945.635 666.712,945.635L1589.95,945.635C1600.46,945.635 1608.99,939.108 1608.99,931.068L1608.99,571.746Z" style="fill:rgb(255,211,152);stroke:white;stroke-width:19.24px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-345.04,-502.074)">
-                <g transform="matrix(50,0,0,50,1404.28,1475.25)">
-                </g>
-                <text x="1227.23px" y="1475.25px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitC<tspan x="1330.68px " y="1475.25px ">o</tspan>nf</text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-34.3588,-501.229)">
-                <g transform="matrix(41.6667,0,0,41.6667,1315.29,1464.53)">
-                </g>
-                <text x="1188.09px" y="1464.53px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:41.667px;">Biscuit</text>
-            </g>
-            <g transform="matrix(8.61155e-18,1.13192,-0.0754413,3.71795e-17,1069.8,-342.031)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(247,4,132);stroke-width:17.63px;"/>
-            </g>
-            <g transform="matrix(8.61155e-18,1.13192,-0.0754413,3.71795e-17,1069.8,-288.169)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(255,166,48);stroke-width:17.63px;"/>
-            </g>
-            <g transform="matrix(1.10808,0,0,1.04133,-187.35,-115.819)">
-                <path d="M497.076,394.18L497.076,1896.68" style="fill:none;stroke:rgb(247,4,132);stroke-width:12.58px;"/>
-            </g>
-            <g transform="matrix(-1.09658,0,0,0.321304,2399.88,618.547)">
-                <g transform="matrix(-0.9518,0,0,3.52288,2026.95,-1373.72)">
-                    <path d="M220.225,569.992L207.725,557.492L220.225,544.992" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M1607.34,557.492L207.725,557.492" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,421.586)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(255,166,48);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(0.19416,0,0,0.275328,1052.99,601.372)">
-                <path d="M1608.99,571.746C1608.99,563.706 1600.46,557.179 1589.95,557.179L666.712,557.179C656.199,557.179 647.664,563.706 647.664,571.746L647.664,931.068C647.664,939.108 656.199,945.635 666.712,945.635L1589.95,945.635C1600.46,945.635 1608.99,939.108 1608.99,931.068L1608.99,571.746Z" style="fill:rgb(255,211,152);stroke:white;stroke-width:19.24px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-345.04,-841.508)">
-                <g transform="matrix(50,0,0,50,1433.76,1475.25)">
-                </g>
-                <text x="1197.76px" y="1475.25px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">R<tspan x="1230.81px " y="1475.25px ">e</tspan>spHell<tspan x="1405.76px " y="1475.25px ">o</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-34.3588,-841.794)">
-                <g transform="matrix(41.6667,0,0,41.6667,1315.29,1464.53)">
-                </g>
-                <text x="1188.09px" y="1464.53px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:41.667px;">Biscuit</text>
-            </g>
-            <g transform="matrix(-1.10076,0,0,0.321304,2401.96,1404.06)">
-                <g transform="matrix(-0.94819,0,0,3.52288,2021.14,-3818.47)">
-                    <path d="M220.225,1263.96L207.725,1251.46L220.225,1238.96" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M1607.34,1251.46L207.725,1251.46" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,1207.09)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(255,166,48);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-323.596,-115.707)">
-                <g transform="matrix(50,0,0,50,1528.5,1528)">
-                </g>
-                <text x="1274.4px" y="1528px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">Emp<tspan x="1375.85px 1394.1px " y="1528px 1528px ">ty</tspan>Data</text>
-            </g>
-            <g transform="matrix(1.16933e-17,1.13192,-0.102439,3.71795e-17,1384.12,272.481)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(255,166,48);stroke-width:17.59px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(1.16933e-17,1.13192,-0.102439,3.71795e-17,1384.12,612.276)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(255,166,48);stroke-width:17.59px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(0.377816,0,0,0.318513,1464.43,3.62207)">
-                <path d="M1608.99,599.153C1608.99,575.987 1594.37,557.179 1576.37,557.179L680.292,557.179C662.284,557.179 647.664,575.987 647.664,599.153L647.664,903.661C647.664,926.827 662.284,945.635 680.292,945.635L1576.37,945.635C1594.37,945.635 1608.99,926.827 1608.99,903.661L1608.99,599.153Z" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.04373,2.9937e-16,-2.74652e-16,1.13192,767.205,-815.996)">
-                <text x="1171.58px" y="1474.94px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">r<tspan x="1185.58px " y="1474.94px ">e</tspan>sponder</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1432.53,1516.61)">
-                </g>
-                <text x="1171.58px" y="1516.61px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">aut<tspan x="1230.45px " y="1516.61px ">h</tspan>ent<tspan x="1313.16px 1322.41px 1341.33px 1363.08px 1377.16px " y="1516.61px 1516.61px 1516.61px 1516.61px 1516.61px ">icati</tspan>on</text>
-            </g>
-            <g transform="matrix(1.04373,1.80409e-17,1.85964e-17,1.13192,767.205,-611.456)">
-                <text x="1171.58px" y="1454.11px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">init<tspan x="1227.49px " y="1454.11px ">i</tspan>at<tspan x="1272.24px " y="1454.11px ">o</tspan>r</text>
-                <text x="1171.58px" y="1495.78px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">aut<tspan x="1230.45px " y="1495.78px ">h</tspan>ent<tspan x="1313.16px 1322.41px 1341.33px 1363.08px 1377.16px " y="1495.78px 1495.78px 1495.78px 1495.78px 1495.78px ">icati</tspan>on,</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1464.49,1537.44)">
-                </g>
-                <text x="1171.58px" y="1537.44px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">f<tspan x="1184.24px 1207.03px 1222.53px 1256.91px 1278.66px 1292.66px " y="1537.44px 1537.44px 1537.44px 1537.44px 1537.44px 1537.44px ">orward</tspan> secr<tspan x="1402.12px " y="1537.44px ">e</tspan>cy</text>
-            </g>
-            <g transform="matrix(1.04373,1.80409e-17,1.85964e-17,1.13192,705.967,-92.9691)">
-                <text x="1171.58px" y="1474.94px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">ackno<tspan x="1278.49px 1313.28px 1324.95px " y="1474.94px 1474.94px 1474.94px ">wle</tspan>dges</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1314.2,1516.61)">
-                </g>
-                <text x="1171.58px" y="1516.61px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">InitC<tspan x="1254.78px " y="1516.61px ">o</tspan>nf</text>
-            </g>
-            <g transform="matrix(1.04373,1.72621e-17,1.94353e-17,1.13192,767.205,-321.469)">
-                <text x="1171.58px" y="1472.39px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">OSK handed</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1422.78,1514.06)">
-                </g>
-                <text x="1171.58px" y="1514.06px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">t<tspan x="1185.33px " y="1514.06px ">o</tspan> W<tspan x="1264.74px 1273.99px 1287.99px " y="1514.06px 1514.06px 1514.06px ">ire</tspan>Guar<tspan x="1398.83px " y="1514.06px ">d</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-159.675,-1425.03)">
-                <g transform="matrix(33.3333,0,0,33.3333,1376.21,1461.44)">
-                </g>
-                <text x="1171.58px" y="1461.44px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:33.333px;fill:rgb(64,63,73);">Init<tspan x="1219.48px " y="1461.44px ">i</tspan>at<tspan x="1256.91px " y="1461.44px ">o</tspan>r Stat<tspan x="1358.41px " y="1461.44px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-159.675,-1369.01)">
-                <g transform="matrix(33.3333,0,0,33.3333,1422.81,1461.44)">
-                </g>
-                <text x="1171.58px" y="1461.44px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:33.333px;fill:rgb(64,63,73);">R<tspan x="1193.61px " y="1461.44px ">e</tspan>sponder Stat<tspan x="1405.01px " y="1461.44px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-1040.69,-1406.95)">
-                <g transform="matrix(50,0,0,50,1434.05,1476.14)">
-                </g>
-                <text x="1257.1px" y="1476.14px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:50px;fill:white;">Init<tspan x="1330.14px " y="1476.14px ">i</tspan>at<tspan x="1387.14px " y="1476.14px ">o</tspan>r</text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,486.326,-1406.95)">
-                <g transform="matrix(50,0,0,50,1468.55,1476.14)">
-                </g>
-                <text x="1222.6px" y="1476.14px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:50px;fill:white;">R<tspan x="1255.85px " y="1476.14px ">e</tspan>sponder</text>
-            </g>
-            <g transform="matrix(1.29981,-1.40964,1.29981,1.40964,-996.095,-284.091)">
-                <path d="M735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:rgb(179,178,182);"/>
-                <path d="M736.092,1546.36L712.445,1552.02L708.168,1547.74L713.825,1524.09L719.785,1522.41L737.776,1540.4L736.092,1546.36ZM735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.29981,-1.40964,1.29981,1.40964,-996.095,-79.5508)">
-                <path d="M735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:rgb(179,178,182);"/>
-                <path d="M736.092,1546.36L712.445,1552.02L708.168,1547.74L713.825,1524.09L719.785,1522.41L737.776,1540.4L736.092,1546.36ZM735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.29981,-1.40964,1.29981,1.40964,-996.095,207.55)">
-                <path d="M735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:rgb(179,178,182);"/>
-                <path d="M736.092,1546.36L712.445,1552.02L708.168,1547.74L713.825,1524.09L719.785,1522.41L737.776,1540.4L736.092,1546.36ZM735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.04373,2.04033e-17,1.82707e-17,1.13192,287.154,-312.768)">
-                <g transform="matrix(41.6667,0,0,41.6667,1473.76,1457.69)">
-                </g>
-                <text x="1274.85px" y="1457.69px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">handshak<tspan x="1451.8px " y="1457.69px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,4.8711e-17,3.06091e-17,1.13192,312.355,-241.08)">
-                <g transform="matrix(41.6667,0,0,41.6667,1449.62,1457.69)">
-                </g>
-                <text x="1249.16px" y="1457.69px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">l<tspan x="1262.7px 1273.62px 1296.24px 1319.87px 1332.03px 1357.66px 1382.66px 1406.07px 1427.66px " y="1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px ">ive phase</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.24761,-135.752,-334.388)">
-                <g transform="matrix(1,-0,-0,0.90727,299.807,410.028)">
-                    <path d="M1593.36,999.66L1602.74,980.91L1612.11,999.66C1607.42,994.973 1598.05,994.973 1593.36,999.66Z" style="fill:rgb(179,178,182);"/>
-                    <path d="M1602.74,1027.14L1602.74,995.91" style="fill:none;stroke:rgb(179,178,182);stroke-width:6.25px;stroke-linecap:round;"/>
-                </g>
-            </g>
-            <g transform="matrix(-1.04373,1.52788e-16,-1.2782e-16,-1.24761,3835.73,3054.11)">
-                <g transform="matrix(-1,-1.22465e-16,1.11109e-16,-0.90727,3505.28,2305.97)">
-                    <path d="M1612.11,1090.07L1602.74,1108.82L1593.36,1090.07C1598.05,1094.75 1607.42,1094.75 1612.11,1090.07Z" style="fill:rgb(179,178,182);"/>
-                    <path d="M1602.74,1062.59L1602.74,1093.82" style="fill:none;stroke:rgb(179,178,182);stroke-width:6.25px;stroke-linecap:round;"/>
-                </g>
-            </g>
-        </g>
-    </g>
-</svg>

papers/graphics/rosenpass-wp-key-exchange-protocol.svg

@@ -1,15 +1,12 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg width="100%" height="100%" viewBox="0 0 2037 1491" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.958104,0,0,0.883458,-169.743,-156.518)">
-        <rect id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51" style="fill:none;"/>
+    <g id="ArtBoard1" transform="matrix(0.958104,0,0,0.883458,-169.743,-156.518)">
+        <rect x="177.165" y="177.165" width="2125.98" height="1687.51" style="fill:none;"/>
         <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51"/>
+            <rect x="177.165" y="177.165" width="2125.98" height="1687.51"/>
         </clipPath>
         <g clip-path="url(#_clip1)">
-            <g transform="matrix(1.04373,0,0,1.13192,177.165,177.165)">
-                <rect x="-16.526" y="0" width="2083.17" height="1490.84" style="fill:white;"/>
-            </g>
             <g transform="matrix(0.377816,0,0,0.318513,-62.5845,3.62207)">
                 <path d="M1608.99,599.153C1608.99,575.987 1594.37,557.179 1576.37,557.179L680.292,557.179C662.284,557.179 647.664,575.987 647.664,599.153L647.664,903.661C647.664,926.827 662.284,945.635 680.292,945.635L1576.37,945.635C1594.37,945.635 1608.99,926.827 1608.99,903.661L1608.99,599.153Z" style="fill:rgb(247,4,132);"/>
             </g>

papers/graphics/rosenpass-wp-message-handling-code.svg

@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg width="100%" height="100%" viewBox="0 0 2990 2133" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(1.0091,0,0,1.00305,-371.54,-177.706)">
-        <rect id="ArtBoard1" x="368.192" y="177.165" width="2962.52" height="2125.98" style="fill:none;"/>
+    <g id="ArtBoard1" transform="matrix(1.0091,0,0,1.00305,-371.54,-177.706)">
+        <rect x="368.192" y="177.165" width="2962.52" height="2125.98" style="fill:none;"/>
         <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="368.192" y="177.165" width="2962.52" height="2125.98"/>
+            <rect x="368.192" y="177.165" width="2962.52" height="2125.98"/>
         </clipPath>
         <g clip-path="url(#_clip1)">
             <g transform="matrix(0.990987,0,0,0.996959,368.192,177.165)">
@@ -70,9 +70,6 @@
             <g transform="matrix(0.72523,0,0,0.837445,1933.65,1691.32)">
                 <path d="M1922.27,398.791C1922.27,390.83 1914.85,384.367 1905.72,384.367L363.747,384.367C354.61,384.367 347.192,390.83 347.192,398.791L347.192,427.639C347.192,435.599 354.61,442.062 363.747,442.062L1905.72,442.062C1914.85,442.062 1922.27,435.599 1922.27,427.639L1922.27,398.791Z" style="fill:rgb(253,180,218);fill-opacity:0.5;"/>
             </g>
-            <g transform="matrix(1.1024,0,0,1.21164,9.17461,250.929)">
-                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(253,180,218);"/>
-            </g>
             <g transform="matrix(1.1024,0,0,1.20414,9.17461,982.985)">
                 <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(255,229,193);"/>
             </g>
@@ -94,6 +91,9 @@
             <g transform="matrix(1.1024,0,0,1.21164,9.17461,375.544)">
                 <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(253,180,218);"/>
             </g>
+            <g transform="matrix(1.1024,0,0,1.21164,9.17461,251.722)">
+                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(253,180,218);"/>
+            </g>
             <g transform="matrix(1.1024,0,0,0.837445,9.17461,1264.69)">
                 <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(255,229,193);"/>
             </g>
@@ -310,7 +310,7 @@
             <g transform="matrix(0.990987,0,0,0.996959,400.873,805.267)">
                 <g transform="matrix(29.1667,0,0,29.1667,209.923,19.398)">
                 </g>
-                <text x="142.169px" y="19.398px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">pidiC</text>
+                <text x="123.853px" y="19.398px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">pidi_<tspan x="185.89px " y="19.398px ">c</tspan>t</text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,556.294,805.267)">
                 <text x="63.967px" y="19.461px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
@@ -351,9 +351,9 @@
                 <text x="46.506px" y="26.764px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="46.506px " y="26.764px ">m</tspan>ix(sidi, epki)</text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,1406.03,735.765)">
-                <g transform="matrix(29.1667,0,0,29.1667,595.77,26.2132)">
+                <g transform="matrix(29.1667,0,0,29.1667,595.391,26.2132)">
                 </g>
-                <text x="70.595px" y="26.213px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="70.595px " y="26.213px ">d</tspan>ec<tspan x="115.978px " y="26.213px ">a</tspan>ps<tspan x="161.77px 176.207px " y="26.213px 26.213px ">_a</tspan>nd_mix&lt;SKEM&gt;(sskr<tspan x="457.374px " y="26.213px ">,</tspan> spkr<tspan x="525.303px " y="26.213px ">,</tspan> ct1)</text>
+                <text x="70.595px" y="26.213px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="70.595px " y="26.213px ">d</tspan>ec<tspan x="115.978px " y="26.213px ">a</tspan>ps<tspan x="161.77px 176.207px " y="26.213px 26.213px ">_a</tspan>nd_mix&lt;SKEM&gt;(sskr<tspan x="457.374px " y="26.213px ">,</tspan> spkr<tspan x="525.303px " y="26.213px ">,</tspan> sctr<tspan x="586.67px " y="26.213px ">)</tspan></text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,944.05,805.321)">
                 <g transform="matrix(29.1667,0,0,29.1667,492.12,19.3437)">
@@ -362,9 +362,9 @@
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,1343.8,805.267)">
                 <text x="97.956px" y="19.461px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
-                <g transform="matrix(29.1667,0,0,29.1667,621.377,19.4608)">
+                <g transform="matrix(29.1667,0,0,29.1667,641.239,19.4608)">
                 </g>
-                <text x="133.389px" y="19.461px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="133.389px 141.556px " y="19.461px 19.461px ">lo</tspan>okup<tspan x="219.81px " y="19.461px ">_</tspan>peer(<tspan x="300.31px " y="19.461px ">d</tspan>ecr<tspan x="356.689px 371.535px 388.16px 398.281px 412.718px " y="19.461px 19.461px 19.461px 19.461px 19.461px ">ypt_a</tspan>nd_mix(pidiC))</text>
+                <text x="133.389px" y="19.461px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="133.389px 141.556px " y="19.461px 19.461px ">lo</tspan>okup<tspan x="219.81px " y="19.461px ">_</tspan>peer(<tspan x="300.31px " y="19.461px ">d</tspan>ecr<tspan x="356.689px 371.535px 388.16px 398.281px 412.718px " y="19.461px 19.461px 19.461px 19.461px 19.461px ">ypt_a</tspan>nd_mix(pidi_<tspan x="590.956px 604.343px 616.448px " y="19.461px 19.461px 19.461px ">ct)</tspan>)</text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,1428.98,860.915)">
                 <g transform="matrix(29.1667,0,0,29.1667,234.685,25.593)">
@@ -720,9 +720,9 @@
                 <text x="85.515px" y="26.478px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="85.515px " y="26.478px ">d</tspan>ec<tspan x="130.898px " y="26.478px ">a</tspan>ps<tspan x="176.69px 191.127px " y="26.478px 26.478px ">_a</tspan>nd_mix&lt;SKEM&gt;(sski, spki, scti);</text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,598.806,1534.07)">
-                <g transform="matrix(29.1667,0,0,29.1667,212.777,27.2845)">
+                <g transform="matrix(29.1667,0,0,29.1667,250.198,27.2845)">
                 </g>
-                <text x="56.502px" y="27.284px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="56.502px " y="27.284px ">m</tspan>ix(biscuit<tspan x="196.706px " y="27.284px ">)</tspan></text>
+                <text x="56.502px" y="27.284px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="56.502px " y="27.284px ">m</tspan>ix(biscuit<tspan x="194.723px 208.635px 222.023px 234.127px " y="27.284px 27.284px 27.284px 27.284px ">_ct)</tspan></text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,589.076,1605.36)">
                 <g transform="matrix(29.1667,0,0,29.1667,370.179,15.7636)">
@@ -774,9 +774,9 @@
                 <text x="55.154px" y="28.384px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="55.154px 68.95px 78.575px 94.529px 104.329px " y="28.384px 28.384px 28.384px 28.384px 28.384px ">store</tspan>_biscuit(<tspan x="227.121px " y="28.384px ">)</tspan>;</text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,1231.61,1534.18)">
-                <g transform="matrix(29.1667,0,0,29.1667,192.222,28.1459)">
+                <g transform="matrix(28.75,0,0,28.75,192.222,27.9976)">
                 </g>
-                <text x="106.705px" y="28.146px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">biscuit</text>
+                <text x="70.034px" y="27.998px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:28.75px;">biscuit<tspan x="154.761px 168.532px " y="27.998px 27.998px ">_c</tspan>t</text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,1413.83,1606.73)">
                 <text x="27.294px" y="15.076px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
@@ -816,10 +816,10 @@
                 <text x="39.094px" y="15.047px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">biscuit<tspan x="125.049px " y="15.047px ">_</tspan>no</text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,1414.45,1937)">
-                <text x="26.666px" y="15.727px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
-                <g transform="matrix(29.1667,0,0,29.1667,332.212,15.727)">
+                <text x="26.666px" y="15.72px" style="font-family:'Arial-BoldMT', 'Arial', sans-serif;font-weight:700;font-size:29.167px;">←</text>
+                <g transform="matrix(29.1667,0,0,29.1667,356.978,15.7199)">
                 </g>
-                <text x="62.099px" y="15.727px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="62.099px 70.266px " y="15.727px 15.727px ">lo</tspan>ad_biscuit(biscuit<tspan x="309.753px " y="15.727px ">)</tspan>;</text>
+                <text x="63.183px" y="15.72px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;">l<tspan x="71.349px " y="15.72px ">o</tspan>ad_biscuit(biscuit<tspan x="308.853px 322.766px 336.153px 348.258px " y="15.72px 15.72px 15.72px 15.72px ">_ct)</tspan></text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,1420.02,1985.2)">
                 <g transform="matrix(29.1667,0,0,29.1667,408.55,14.2792)">
@@ -924,32 +924,32 @@
                     <path d="M25.178,1596.45L1770.22,1596.45" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-dasharray:8.33,16.67,0,0;"/>
                 </g>
             </g>
-            <g transform="matrix(1.04736,0,0,0.265077,49.2217,146.07)">
-                <path d="M1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1616.88,601.6L1616.88,901.214C1616.88,943.028 1608.34,976.977 1597.82,976.977L658.84,976.977C648.32,976.977 639.779,943.028 639.779,901.214L639.779,601.6C639.779,559.786 648.32,525.837 658.84,525.837L1597.82,525.837C1608.34,525.837 1616.88,559.786 1616.88,601.6ZM1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
+            <g transform="matrix(1.11927,0,0,0.265077,-31.9199,146.07)">
+                <path d="M1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
+                <path d="M1616.37,601.6L1616.37,901.214C1616.37,943.028 1608.38,976.977 1598.54,976.977L658.122,976.977C648.278,976.977 640.286,943.028 640.286,901.214L640.286,601.6C640.286,559.786 648.278,525.837 658.122,525.837L1598.54,525.837C1608.38,525.837 1616.37,559.786 1616.37,601.6ZM1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
             </g>
-            <g transform="matrix(1.04736,0,0,0.265077,49.2217,912.386)">
-                <path d="M1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(255,166,48);"/>
-                <path d="M1616.88,601.6L1616.88,901.214C1616.88,943.028 1608.34,976.977 1597.82,976.977L658.84,976.977C648.32,976.977 639.779,943.028 639.779,901.214L639.779,601.6C639.779,559.786 648.32,525.837 658.84,525.837L1597.82,525.837C1608.34,525.837 1616.88,559.786 1616.88,601.6ZM1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
+            <g transform="matrix(1.11927,0,0,0.265077,-31.9199,912.386)">
+                <path d="M1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(255,166,48);"/>
+                <path d="M1616.37,601.6L1616.37,901.214C1616.37,943.028 1608.38,976.977 1598.54,976.977L658.122,976.977C648.278,976.977 640.286,943.028 640.286,901.214L640.286,601.6C640.286,559.786 648.278,525.837 658.122,525.837L1598.54,525.837C1608.38,525.837 1616.37,559.786 1616.37,601.6ZM1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
             </g>
-            <g transform="matrix(1.04736,0,0,0.265077,49.2217,1569.58)">
-                <path d="M1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1616.88,601.6L1616.88,901.214C1616.88,943.028 1608.34,976.977 1597.82,976.977L658.84,976.977C648.32,976.977 639.779,943.028 639.779,901.214L639.779,601.6C639.779,559.786 648.32,525.837 658.84,525.837L1597.82,525.837C1608.34,525.837 1616.88,559.786 1616.88,601.6ZM1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
+            <g transform="matrix(1.11927,0,0,0.265077,-31.9199,1569.58)">
+                <path d="M1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
+                <path d="M1616.37,601.6L1616.37,901.214C1616.37,943.028 1608.38,976.977 1598.54,976.977L658.122,976.977C648.278,976.977 640.286,943.028 640.286,901.214L640.286,601.6C640.286,559.786 648.278,525.837 658.122,525.837L1598.54,525.837C1608.38,525.837 1616.37,559.786 1616.37,601.6ZM1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,-393.972,-1123.82)">
-                <g transform="matrix(50,0,0,50,2059.59,1491.35)">
+                <g transform="matrix(50,0,0,50,2075.42,1491.35)">
                 </g>
-                <text x="1219.89px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitHell<tspan x="1386.09px " y="1491.35px ">o</tspan> { sidi, epki, sctr<tspan x="1760.64px " y="1491.35px ">,</tspan> pidiC<tspan x="1901.99px " y="1491.35px ">,</tspan> aut<tspan x="1999.89px " y="1491.35px ">h</tspan> }</text>
+                <text x="1204.07px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitHell<tspan x="1370.27px " y="1491.35px ">o</tspan> { sidi, epki, sctr<tspan x="1744.82px " y="1491.35px ">,</tspan> pidi_<tspan x="1875.87px 1899.17px 1917.82px " y="1491.35px 1491.35px 1491.35px ">ct,</tspan> aut<tspan x="2015.72px " y="1491.35px ">h</tspan> }</text>
             </g>
-            <g transform="matrix(0.990987,0,0,0.996959,-433.456,-357.502)">
-                <g transform="matrix(50,0,0,50,2155.26,1491.35)">
+            <g transform="matrix(0.990987,0,0,0.996959,-477.45,-357.502)">
+                <g transform="matrix(50,0,0,50,2231.1,1491.35)">
                 </g>
-                <text x="1203.91px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">R<tspan x="1235.96px 1261.66px 1284.81px 1313.16px 1350.36px 1376.06px 1390.11px 1403.91px 1430.91px 1442.96px 1460.01px 1472.06px 1495.21px 1506.06px 1534.41px 1550.56px 1561.21px 1573.26px 1596.41px 1607.26px 1635.61px 1646.46px 1657.11px 1669.16px 1694.86px 1717.16px 1734.46px 1745.31px 1755.96px 1768.01px 1791.16px 1813.46px 1830.76px 1841.61px 1852.26px 1864.31px 1892.66px 1903.51px 1926.66px 1948.91px 1976.16px 1987.01px 2004.66px 2015.31px 2027.36px 2053.01px 2080.26px 2097.56px 2125.16px 2137.21px " y="1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px ">espHello { sidr, sidi, ecti, scti, biscuit, auth }</tspan></text>
+                <text x="1216.85px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">R<tspan x="1248.9px 1274.6px 1297.75px 1326.1px 1363.3px 1389px 1403.05px 1416.85px 1443.85px 1455.9px 1472.95px 1485px 1508.15px 1519px 1547.35px 1563.5px 1574.15px 1586.2px 1609.35px 1620.2px 1648.55px 1659.4px 1670.05px 1682.1px 1707.8px 1730.1px 1747.4px 1758.25px 1768.9px 1780.95px 1804.1px 1826.4px 1843.7px 1854.55px 1865.2px 1877.25px 1905.6px 1916.45px 1939.6px 1961.85px 1989.1px 1999.95px 2017.6px 2040.55px 2062.85px 2080.5px 2091.15px 2103.2px 2128.85px 2156.1px 2173.4px 2201px 2213.05px " y="1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px ">espHello { sidr, sidi, ecti, scti, biscuit_ct, auth }</tspan></text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,-393.972,299.694)">
-                <g transform="matrix(50,0,0,50,2020.42,1491.35)">
+                <g transform="matrix(50,0,0,50,2053.37,1491.35)">
                 </g>
-                <text x="1272.12px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitC<tspan x="1375.57px " y="1491.35px ">o</tspan>nf { sidi, sidr<tspan x="1677.72px " y="1491.35px ">,</tspan> biscuit<tspan x="1849.77px " y="1491.35px ">,</tspan> aut<tspan x="1947.67px " y="1491.35px ">h</tspan> }</text>
+                <text x="1239.17px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitC<tspan x="1342.62px " y="1491.35px ">o</tspan>nf { sidi, sidr<tspan x="1644.77px " y="1491.35px ">,</tspan> biscuit<tspan x="1816.82px 1840.77px 1864.07px 1882.72px " y="1491.35px 1491.35px 1491.35px 1491.35px ">_ct,</tspan> aut<tspan x="1980.62px " y="1491.35px ">h</tspan> }</text>
             </g>
             <g transform="matrix(0.990987,0,0,0.996959,467.587,-208.686)">
                 <circle cx="92.21" cy="555.627" r="46.396" style="fill:rgb(64,63,73);"/>

papers/graphics/rosenpass-wp-message-types-rgb.svg

@@ -1,393 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg width="100%" height="100%" viewBox="0 0 1890 1086" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.888676,0,0,0.801704,-157.443,-1585.2)">
-        <rect id="ArtBoard1" x="177.165" y="1977.29" width="2125.98" height="1353.42" style="fill:none;"/>
-        <g id="ArtBoard11" serif:id="ArtBoard1">
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-109.061,-29.2601)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-646.644,-769.875)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(4.00596,0,-1.23443e-32,1.24734,-4842.07,-29.2601)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1481.4,2496.4L1481.4,2517.3C1481.4,2519.61 1480.88,2521.47 1480.23,2521.47L1454.89,2521.47C1454.24,2521.47 1453.72,2519.61 1453.72,2517.3L1453.72,2496.4C1453.72,2494.1 1454.24,2492.23 1454.89,2492.23L1480.23,2492.23C1480.88,2492.23 1481.4,2494.1 1481.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-42.3997,-29.2601)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-579.982,-769.875)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(0.381932,0,0,1.66872,42.8569,1055.77)">
-                <path d="M1608.99,559.828C1608.99,558.366 1604.32,557.179 1598.56,557.179L658.104,557.179C652.342,557.179 647.664,558.366 647.664,559.828L647.664,942.986C647.664,944.448 652.342,945.635 658.104,945.635L1598.56,945.635C1604.32,945.635 1608.99,944.448 1608.99,942.986L1608.99,559.828Z" style="fill:none;stroke:rgb(64,63,73);stroke-width:8.54px;"/>
-            </g>
-            <g transform="matrix(0.319269,0,0,0.306737,111.831,2084.53)">
-                <path d="M1608.99,571.588C1608.99,563.635 1603.4,557.179 1596.51,557.179L660.153,557.179C653.26,557.179 647.664,563.635 647.664,571.588L647.664,931.226C647.664,939.179 653.26,945.635 660.153,945.635L1596.51,945.635C1603.4,945.635 1608.99,939.179 1608.99,931.226L1608.99,571.588Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(0.381932,0,0,0.364294,42.8569,1783.2)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(64,63,73);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-142.419,-742.377)">
-                <path d="M686.627,2406.91L686.627,2495.34C686.627,2499.6 683.172,2503.05 678.917,2503.05L413.249,2503.05C408.994,2503.05 405.539,2499.6 405.539,2495.34L405.539,2406.91C405.539,2402.65 408.994,2399.2 413.249,2399.2L678.917,2399.2C683.172,2399.2 686.627,2402.65 686.627,2406.91ZM413.872,2457.17L413.872,2494.72L678.293,2494.72L678.293,2457.17L413.872,2457.17Z" style="fill:rgb(179,178,182);"/>
-                <clipPath id="_clip1">
-                    <path d="M686.627,2406.91L686.627,2495.34C686.627,2499.6 683.172,2503.05 678.917,2503.05L413.249,2503.05C408.994,2503.05 405.539,2499.6 405.539,2495.34L405.539,2406.91C405.539,2402.65 408.994,2399.2 413.249,2399.2L678.917,2399.2C683.172,2399.2 686.627,2402.65 686.627,2406.91ZM413.872,2457.17L413.872,2494.72L678.293,2494.72L678.293,2457.17L413.872,2457.17Z"/>
-                </clipPath>
-                <g clip-path="url(#_clip1)">
-                    <g>
-                        <g transform="matrix(0.707107,0.707107,-0.707107,0.707107,1731.31,392.021)">
-                            <rect x="320.594" y="2142.43" width="296.282" height="308.698" style="fill:rgb(247,4,132);"/>
-                        </g>
-                        <g transform="matrix(0.707107,0.707107,-0.707107,0.707107,1939.29,599.998)">
-                            <rect x="320.594" y="2142.43" width="296.282" height="308.698" style="fill:rgb(255,166,48);"/>
-                        </g>
-                    </g>
-                </g>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-988.061,373.696)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">t<tspan x="1183.44px " y="1445.64px ">y</tspan>pe</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(160,159,164);">r<tspan x="1183.31px " y="1487.31px ">e</tspan>ser<tspan x="1247.74px 1264.68px " y="1487.31px 1487.31px ">ve</tspan>d</text>
-                <text x="1171.58px" y="1545.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1208.51px 1225.64px 1235.34px " y="1545.64px 1545.64px 1545.64px ">ylo</tspan>ad</text>
-                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">mac</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1265.88,1695.64)">
-                </g>
-                <text x="1171.58px" y="1695.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">c<tspan x="1186.68px " y="1695.64px ">o</tspan>okie</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1032.48,373.696)">
-                <text x="1443.43px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">1</text>
-                <text x="1443.43px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">3</text>
-                <text x="1444.5px" y="1545.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">n</text>
-                <text x="1423.43px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1443.43px" y="1695.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">6</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1463.43,1766.48)">
-                </g>
-                <text x="1213.53px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">en<tspan x="1250.03px 1266.96px 1284.7px 1294.4px " y="1766.48px 1766.48px 1766.48px 1766.48px ">velo</tspan>pe  n + 36</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1006.67,212.568)">
-                <text x="1228.7px" y="1470.55px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;fill:white;">En<tspan x="1276.75px 1298px 1320.25px 1332.58px " y="1470.55px 1470.55px 1470.55px 1470.55px ">velo</tspan>pe</text>
-                <g transform="matrix(25,0,0,25,1459.75,1516.38)">
-                </g>
-                <text x="1398.3px" y="1516.38px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;fill:white;">b<tspan x="1412.7px 1425.8px 1434.42px " y="1516.38px 1516.38px 1516.38px ">yte</tspan>s</text>
-            </g>
-            <g transform="matrix(0.597054,0,0,0.741612,65.5056,511.466)">
-                <path d="M432.703,2196.97L345.361,2196.97L345.361,2547.98L432.703,2547.98" style="fill:none;stroke:rgb(160,159,164);stroke-width:5.18px;"/>
-            </g>
-            <g transform="matrix(0.63007,0,0,0.90399,0.337587,154.729)">
-                <path d="M376.162,2196.97L345.361,2196.97L345.361,2544.77L513.459,2544.77" style="fill:none;stroke:rgb(160,159,164);stroke-width:4.5px;"/>
-            </g>
-            <g transform="matrix(4.69386e-17,-1.24734,1.12527,9.74939e-17,-2569.76,2501.33)">
-                <g transform="matrix(25,0,0,25,286.877,2518.25)">
-                </g>
-                <text x="82.852px" y="2518.25px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">M<tspan x="103.602px 120.902px 137.352px 147.927px 174.827px 180.627px 196.727px 210.927px 222.802px 240.427px 256.127px 268.652px " y="2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px ">AC_WIRE_DATA</tspan></text>
-            </g>
-            <g transform="matrix(4.35236e-17,-1.24734,1.12527,9.46525e-17,-2623.43,2555.42)">
-                <g transform="matrix(25,0,0,25,325.196,2518.25)">
-                </g>
-                <text x="87.896px" y="2518.25px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">C<tspan x="103.571px 122.121px 140.671px 155.671px 161.471px 175.671px 186.246px 213.146px 218.946px 235.046px 249.246px 261.121px 278.746px 294.446px 306.971px " y="2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px ">OOKIE_WIRE_DATA</tspan></text>
-            </g>
-            <g transform="matrix(0.986529,0,0,1.24734,-548.881,-459.807)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:3.1px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.66616,413.374,1057.2)">
-                <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.39px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.365649,411.795,1781.92)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-536.656,211.942)">
-                <text x="1254.57px" y="1470.8px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">InitHell<tspan x="1393.07px " y="1470.8px ">o</tspan></text>
-                <g transform="matrix(25,0,0,25,1397.15,1512.47)">
-                </g>
-                <text x="1273.83px" y="1512.47px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1282.95px " y="1512.47px ">y</tspan>pe=0x81</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-550.023,408.588)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">epki</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sctr</text>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">peerid</text>
-                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1612.31px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-505.817,408.588)">
-                <text x="1463.37px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1423.37px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">800</text>
-                <text x="1423.37px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">188</text>
-                <text x="1327.57px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">32 + 16 =</text>
-                <text x="1443.37px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">48</text>
-                <text x="1443.37px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1266.77px" y="1683.14px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1303.71px 1320.84px 1330.54px " y="1683.14px 1683.14px 1683.14px ">ylo</tspan>ad  1056</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1483.37,1724.81)">
-                </g>
-                <text x="1221.01px" y="1724.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1286.11px 1303.04px 1320.77px 1330.47px " y="1724.81px 1724.81px 1724.81px 1724.81px ">velo</tspan>pe  1092</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,-418.853,-527.648)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.66616,959.846,1057.2)">
-                <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.39px;"/>
-            </g>
-            <g transform="matrix(0.410953,0,0,0.095385,1048.63,2310.36)">
-                <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.365649,958.268,1781.92)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-187.43,-743.625)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,255.507,157.594)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-122.635,-743.625)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,350.049,158.841)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-56.47,-743.625)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,452.097,158.629)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,15.782,211.942)">
-                <text x="1231.86px" y="1470.8px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">R<tspan x="1259.4px " y="1470.8px ">e</tspan>spHell<tspan x="1405.19px " y="1470.8px ">o</tspan></text>
-                <g transform="matrix(25,0,0,25,1391.85,1512.47)">
-                </g>
-                <text x="1268.53px" y="1512.47px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1277.65px " y="1512.47px ">y</tspan>pe=0x82</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-3.54999,383.641)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidr</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ect<tspan x="1216.61px " y="1528.98px ">i</tspan></text>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sct<tspan x="1214.91px " y="1570.64px ">i</tspan></text>
-                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1653.98)">
-                </g>
-                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1653.98px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,5.40653,383.641)">
-                <text x="1494.7px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1494.7px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1454.7px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">768</text>
-                <text x="1454.7px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">188</text>
-                <text x="1281px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
-                <text x="1454.7px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
-                <text x="1474.7px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1298.1px" y="1724.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1335.03px 1352.16px 1361.86px " y="1724.81px 1724.81px 1724.81px ">ylo</tspan>ad  1096</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1514.7,1766.48)">
-                </g>
-                <text x="1252.33px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1317.43px 1334.36px 1352.1px 1361.8px " y="1766.48px 1766.48px 1766.48px 1766.48px ">velo</tspan>pe  1132</text>
-            </g>
-            <g transform="matrix(1.12526,-0.00552033,0,1.24736,577.101,1504.92)">
-                <g transform="matrix(25,0,0,25,1221.4,1439.71)">
-                </g>
-                <text x="1171.58px" y="1439.71px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">data</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,671.631,1498.47)">
-                <g transform="matrix(25,0,0,25,1238.5,1439.71)">
-                </g>
-                <text x="1171.58px" y="1439.71px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">nonc<tspan x="1225.2px " y="1439.71px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,773.678,1498.47)">
-                <g transform="matrix(25,0,0,25,1281.5,1439.71)">
-                </g>
-                <text x="1171.58px" y="1439.71px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">aut<tspan x="1207.75px " y="1439.71px ">h</tspan> c<tspan x="1239.73px " y="1439.71px ">o</tspan>de</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,127.619,-497.943)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.40614,-133.099,1992.75)">
-                <path d="M1608.99,560.322C1608.99,558.587 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.587 647.664,560.322L647.664,942.492C647.664,944.227 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.227 1608.99,942.492L1608.99,560.322Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:9.75px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.368077,-134.677,2571.24)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1077.16,1002.61)">
-                <text x="1224.31px" y="1471.18px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">Emp<tspan x="1308.86px 1324.06px " y="1471.18px 1471.18px ">ty</tspan>Data</text>
-                <g transform="matrix(25,0,0,25,1391.85,1512.85)">
-                </g>
-                <text x="1268.53px" y="1512.85px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1277.65px " y="1512.85px ">y</tspan>pe=0x84</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1096.5,1200.43)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidx</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ctr</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1528.98)">
-                </g>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1528.98px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1029.53,1200.43)">
-                <text x="1443.14px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1443.14px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">8</text>
-                <text x="1423.14px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1286.55px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1323.48px 1340.61px 1350.31px " y="1599.81px 1599.81px 1599.81px ">ylo</tspan>ad  28</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1463.15,1641.48)">
-                </g>
-                <text x="1240.78px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1305.88px 1322.81px 1340.55px 1350.25px " y="1641.48px 1641.48px 1641.48px 1641.48px ">velo</tspan>pe  64</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,-965.326,161.211)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.40614,959.846,1992.75)">
-                <path d="M1608.99,560.322C1608.99,558.587 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.587 647.664,560.322L647.664,942.492C647.664,944.227 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.227 1608.99,942.492L1608.99,560.322Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:9.75px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.368077,958.268,2571.24)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,15.782,1002.61)">
-                <text x="1211.79px" y="1471.12px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:42.083px;">C<tspan x="1238.72px " y="1471.12px ">o</tspan>okieR<tspan x="1367.5px " y="1471.12px ">e</tspan>pl<tspan x="1426.83px " y="1471.12px ">y</tspan></text>
-                <g transform="matrix(25.4167,0,0,25.4167,1392.88,1513.2)">
-                </g>
-                <text x="1267.5px" y="1513.2px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25.417px;fill:white;">t<tspan x="1276.78px " y="1513.2px ">y</tspan>pe=0x86</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1.30896,1200.2)">
-                <text x="1171.58px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">sidx</text>
-                <text x="1171.58px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">nonc<tspan x="1243.97px " y="1487.61px ">e</tspan></text>
-                <g transform="matrix(33.75,0,0,33.75,1267.05,1529.27)">
-                </g>
-                <text x="1171.58px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">c<tspan x="1186.87px " y="1529.27px ">o</tspan>okie</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,65.6578,1200.2)">
-                <text x="1442.89px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">4</text>
-                <text x="1422.64px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">24</text>
-                <text x="1296.21px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25.417px;">16 + 16 =</text>
-                <text x="1422.64px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
-                <text x="1284.34px" y="1600.11px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">pa<tspan x="1321.73px 1339.08px 1348.9px " y="1600.11px 1600.11px 1600.11px ">ylo</tspan>ad  60</text>
-                <g transform="matrix(33.75,0,0,33.75,1463.15,1641.77)">
-                </g>
-                <text x="1238px" y="1641.77px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;fill:rgb(102,101,109);">+ en<tspan x="1303.91px 1321.06px 1339.01px 1348.83px " y="1641.77px 1641.77px 1641.77px 1641.77px ">velo</tspan>pe  96</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,129.86,160.982)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.66616,1506.32,1057.2)">
-                <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.39px;"/>
-            </g>
-            <g transform="matrix(0.410953,0,0,0.095385,1595.1,2285.75)">
-                <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,359.526,-769.283)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,424.321,-769.283)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,490.486,-769.283)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.365649,1504.74,1781.92)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,568.22,211.942)">
-                <text x="1251.12px" y="1470.8px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">InitC<tspan x="1337.33px " y="1470.8px ">o</tspan>nf</text>
-                <g transform="matrix(25,0,0,25,1386.55,1512.47)">
-                </g>
-                <text x="1263.23px" y="1512.47px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1272.35px " y="1512.47px ">y</tspan>pe=0x83</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,542.923,463.055)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidr</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1570.64)">
-                </g>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1570.64px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,587.128,463.055)">
-                <text x="1463.37px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1463.37px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1249.67px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
-                <text x="1423.37px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
-                <text x="1443.37px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1286.77px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1323.71px 1340.84px 1350.54px " y="1641.48px 1641.48px 1641.48px ">ylo</tspan>ad  140</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1483.37,1683.14)">
-                </g>
-                <text x="1241.01px" y="1683.14px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1306.11px 1323.04px 1340.77px 1350.47px " y="1683.14px 1683.14px 1683.14px 1683.14px ">velo</tspan>pe  176</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,674.092,-525.153)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.40614,413.374,1992.75)">
-                <path d="M1608.99,560.322C1608.99,558.587 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.587 647.664,560.322L647.664,942.492C647.664,944.227 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.227 1608.99,942.492L1608.99,560.322Z" style="fill:none;stroke:rgb(247,4,132);stroke-width:9.75px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.368077,411.795,2571.24)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-524.725,1002.61)">
-                <text x="1279.66px" y="1471.18px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">Data</text>
-                <g transform="matrix(25,0,0,25,1386.55,1512.85)">
-                </g>
-                <text x="1263.23px" y="1512.85px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1272.35px " y="1512.85px ">y</tspan>pe=0x85</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-550.023,1200.57)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidx</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ctr</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1290.6,1528.98)">
-                </g>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">data</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-586.775,1200.57)">
-                <text x="1535.32px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1535.32px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">8</text>
-                <text x="1398.39px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">v<tspan x="1411.02px " y="1528.98px ">a</tspan>riabl<tspan x="1474.12px " y="1528.98px ">e</tspan> +</text>
-                <text x="1515.32px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1268.24px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1305.18px 1322.31px 1332.01px " y="1599.81px 1599.81px 1599.81px ">ylo</tspan>ad</text>
-                <text x="1396.24px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">v<tspan x="1408.87px " y="1599.81px ">a</tspan>riabl<tspan x="1471.97px " y="1599.81px ">e</tspan> +</text>
-                <text x="1515.32px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">28</text>
-                <text x="1222.48px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1287.58px 1304.51px 1322.24px 1331.94px " y="1641.48px 1641.48px 1641.48px 1641.48px ">velo</tspan>pe</text>
-                <text x="1396.24px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">v<tspan x="1408.87px " y="1641.48px ">a</tspan>riabl<tspan x="1471.97px " y="1641.48px ">e</tspan> +</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1555.32,1641.48)">
-                </g>
-                <text x="1515.32px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">64</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,-416.123,162.22)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.400209,0,0,1.19089,1603.98,2115.3)">
-                <path d="M1608.99,560.89C1608.99,558.842 1604.53,557.179 1599.03,557.179L657.627,557.179C652.128,557.179 647.664,558.842 647.664,560.89L647.664,941.924C647.664,943.972 652.128,945.635 657.627,945.635L1599.03,945.635C1604.53,945.635 1608.99,943.972 1608.99,941.924L1608.99,560.89Z" style="fill:white;stroke:rgb(255,211,152);stroke-width:11.57px;"/>
-            </g>
-            <g transform="matrix(0.400209,0,0,0.196676,1603.98,2669.25)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,211,152);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,550.082,1014.76)">
-                <g transform="matrix(41.6667,0,0,41.6667,1401.28,1457.77)">
-                </g>
-                <text x="1279.11px" y="1457.77px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">biscuit</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,588.6,1106.02)">
-                <text x="1398.83px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
-                <text x="1398.83px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">12</text>
-                <text x="1398.83px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
-                <text x="1283.47px" y="1600.11px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">biscuit  76</text>
-                <text x="1241.85px" y="1641.77px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;fill:rgb(102,101,109);">+ nonc<tspan x="1343.21px " y="1641.77px ">e</tspan>  100</text>
-                <g transform="matrix(33.75,0,0,33.75,1450.58,1683.44)">
-                </g>
-                <text x="1183.8px" y="1683.44px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;fill:rgb(102,101,109);">+ aut<tspan x="1261.6px " y="1683.44px ">h</tspan> c<tspan x="1304.76px " y="1683.44px ">o</tspan>de  116</text>
-            </g>
-            <g transform="matrix(1.05033,0,0,1.24734,960.732,66.8014)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:3.02px;"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,578.408,1106.02)">
-                <text x="1171.58px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">peerid</text>
-                <text x="1171.58px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">no</text>
-                <g transform="matrix(33.75,0,0,33.75,1204.08,1529.27)">
-                </g>
-                <text x="1171.58px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">ck</text>
-            </g>
-        </g>
-    </g>
-</svg>

papers/graphics/rosenpass-wp-message-types.svg

@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg width="100%" height="100%" viewBox="0 0 1890 1086" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.888676,0,0,0.801704,-157.443,-1585.2)">
-        <rect id="ArtBoard1" x="177.165" y="1977.29" width="2125.98" height="1353.42" style="fill:none;"/>
+    <g id="ArtBoard1" transform="matrix(0.888676,0,0,0.801704,-157.443,-1585.2)">
+        <rect x="177.165" y="1977.29" width="2125.98" height="1353.42" style="fill:none;"/>
         <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="177.165" y="1977.29" width="2125.98" height="1353.42"/>
+            <rect x="177.165" y="1977.29" width="2125.98" height="1353.42"/>
         </clipPath>
         <g clip-path="url(#_clip1)">
             <g transform="matrix(1.12527,0,0,1.24734,177.165,1977.29)">
@@ -72,7 +72,7 @@
                 <text x="1423.43px" y="1695.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
                 <g transform="matrix(33.3333,0,0,33.3333,1463.43,1766.48)">
                 </g>
-                <text x="1213.53px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">en<tspan x="1250.03px 1266.96px 1284.7px 1294.4px " y="1766.48px 1766.48px 1766.48px 1766.48px ">velo</tspan>pe  n + 36</text>
+                <text x="1226.13px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pack<tspan x="1295.16px " y="1766.48px ">a</tspan>ge  n + 36</text>
             </g>
             <g transform="matrix(1.12527,0,0,1.24734,-1007.2,213.348)">
                 <text x="1228.7px" y="1470.55px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;fill:white;">En<tspan x="1276.75px 1298px 1320.25px 1332.58px " y="1470.55px 1470.55px 1470.55px 1470.55px ">velo</tspan>pe</text>
@@ -115,7 +115,7 @@
                 <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
                 <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">epki</text>
                 <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sctr</text>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pidiC</text>
+                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pidi_<tspan x="1241.84px " y="1570.64px ">c</tspan>t</text>
                 <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1612.31px ">h</tspan></text>
             </g>
             <g transform="matrix(1.12527,0,0,1.24734,-506.344,409.368)">
@@ -136,14 +136,14 @@
             <g transform="matrix(0.49129,0,0,1.66616,959.319,1057.98)">
                 <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.39px;"/>
             </g>
-            <g transform="matrix(0.410953,0,0,0.095385,1048.1,2311.14)">
+            <g transform="matrix(0.410953,0,0,0.095385,1048.1,2363.41)">
                 <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
+                <path d="M1631.81,603.515L1631.81,899.299L1631.15,930.502L1629.25,959.805L1626.24,986.218L1622.29,1009.11L1617.49,1028.01L1611.96,1042.35L1605.83,1051.45L1599.29,1054.61L657.366,1054.61L650.833,1051.45L644.697,1042.35L639.166,1028.01L634.372,1009.11L630.416,986.218L627.414,959.805L625.507,930.502L624.846,899.299L624.846,603.515L625.507,572.312L627.414,543.009L630.416,516.596L634.372,493.7L639.166,474.808L644.697,460.468L650.833,451.364L657.366,448.205L1599.29,448.205L1605.83,451.364L1611.96,460.468L1617.49,474.808L1622.29,493.7L1626.24,516.596L1629.25,543.009L1631.15,572.312L1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
             </g>
             <g transform="matrix(0.49129,0,0,0.365649,957.741,1782.7)">
                 <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
             </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-187.957,-742.844)">
+            <g transform="matrix(1.12527,0,0,1.24734,-161.376,-690.576)">
                 <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
                 <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
             </g>
@@ -151,7 +151,7 @@
                 <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
                 <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
             </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-123.162,-742.844)">
+            <g transform="matrix(1.12527,0,0,1.24734,-109.871,-690.576)">
                 <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
                 <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
             </g>
@@ -159,7 +159,7 @@
                 <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
                 <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
             </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-56.9969,-742.844)">
+            <g transform="matrix(1.12527,0,0,1.24734,-56.9969,-690.576)">
                 <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
                 <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
             </g>
@@ -178,19 +178,17 @@
                 <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
                 <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ect<tspan x="1216.61px " y="1528.98px ">i</tspan></text>
                 <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sct<tspan x="1214.91px " y="1570.64px ">i</tspan></text>
-                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1653.98)">
-                </g>
-                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1653.98px ">h</tspan></text>
+                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1612.31px ">h</tspan></text>
+                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">b<tspan x="1190.01px 1196.74px 1211.78px 1226.21px 1243.91px 1250.64px 1261.78px 1276.71px 1291.14px " y="1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px ">iscuit_ct</tspan></text>
             </g>
             <g transform="matrix(1.12527,0,0,1.24734,4.87963,384.421)">
                 <text x="1494.7px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
                 <text x="1494.7px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
                 <text x="1454.7px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">768</text>
                 <text x="1454.7px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">188</text>
-                <text x="1281px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
-                <text x="1454.7px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
-                <text x="1474.7px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
+                <text x="1474.7px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
+                <text x="1306.8px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76+24+16 =</text>
+                <text x="1454.7px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
                 <text x="1298.1px" y="1724.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1335.03px 1352.16px 1361.86px " y="1724.81px 1724.81px 1724.81px ">ylo</tspan>ad  1096</text>
                 <g transform="matrix(33.3333,0,0,33.3333,1514.7,1766.48)">
                 </g>
@@ -275,7 +273,7 @@
                 <text x="1422.64px" y="1612.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
                 <g transform="matrix(33.75,0,0,33.75,1463.15,1683.44)">
                 </g>
-                <text x="1284.34px" y="1683.44px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">pa<tspan x="1321.73px 1339.08px 1348.9px " y="1683.44px 1683.44px 1683.44px ">ylo</tspan>ad  64</text>
+                <text x="1279.71px" y="1683.44px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">pack<tspan x="1349.61px " y="1683.44px ">a</tspan>ge  64</text>
             </g>
             <g transform="matrix(1.33216,0,0,1.24734,129.333,240.128)">
                 <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
@@ -285,13 +283,13 @@
             </g>
             <g transform="matrix(0.410953,0,0,0.095385,1594.58,2286.53)">
                 <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
+                <path d="M1631.81,603.515L1631.81,899.299L1631.15,930.502L1629.25,959.805L1626.24,986.218L1622.29,1009.11L1617.49,1028.01L1611.96,1042.35L1605.83,1051.45L1599.29,1054.61L657.366,1054.61L650.833,1051.45L644.697,1042.35L639.166,1028.01L634.372,1009.11L630.416,986.218L627.414,959.805L625.507,930.502L624.846,899.299L624.846,603.515L625.507,572.312L627.414,543.009L630.416,516.596L634.372,493.7L639.166,474.808L644.697,460.468L650.833,451.364L657.366,448.205L1599.29,448.205L1605.83,451.364L1611.96,460.468L1617.49,474.808L1622.29,493.7L1626.24,516.596L1629.25,543.009L1631.15,572.312L1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
             </g>
-            <g transform="matrix(1.12527,0,0,1.24734,358.999,-768.503)">
+            <g transform="matrix(1.12527,0,0,1.24734,385.58,-768.503)">
                 <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
                 <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
             </g>
-            <g transform="matrix(1.12527,0,0,1.24734,423.794,-768.503)">
+            <g transform="matrix(1.12527,0,0,1.24734,437.085,-768.503)">
                 <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
                 <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
             </g>
@@ -311,7 +309,7 @@
             <g transform="matrix(1.12527,0,0,1.24734,542.396,463.835)">
                 <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
                 <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidr</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
+                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">b<tspan x="1190.01px 1196.74px 1211.78px 1226.21px 1243.91px 1250.64px 1261.78px 1276.71px 1291.14px " y="1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px ">iscuit_ct</tspan></text>
                 <g transform="matrix(33.3333,0,0,33.3333,1238.74,1570.64)">
                 </g>
                 <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1570.64px ">h</tspan></text>
@@ -319,7 +317,7 @@
             <g transform="matrix(1.12527,0,0,1.24734,586.601,463.835)">
                 <text x="1463.37px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
                 <text x="1463.37px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1249.67px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
+                <text x="1275.47px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76+24+16 =</text>
                 <text x="1423.37px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
                 <text x="1443.37px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
                 <text x="1286.77px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1323.71px 1340.84px 1350.54px " y="1641.48px 1641.48px 1641.48px ">ylo</tspan>ad  140</text>

papers/references.bib

@@ -179,25 +179,22 @@
 @techreport{mceliece,
     title = {{C}lassic {M}c{E}liece: conservative code-based cryptography},
     author = {Martin R. Albrecht and Daniel J. Bernstein and Tung Chou and Carlos Cid and Jan Gilcher and Tanja Lange and Varun Maram and Ingo von Maurich and Rafael Misoczki and Ruben Niederhagen and Kenneth G. Paterson and Edoardo Persichetti and Christiane Peters and Peter Schwabe and Nicolas Sendrier and Jakub Szefer and Cen Jung Tjhai and Martin Tomlinson and Wen Wang},
-    year = 2022,
+    year = 2020,
     month = 10,
-    day = 23,
-    type = {NIST Post-Quantum Cryptography Round 4 Submission},
-    url = {https://classic.mceliece.org/}
+    day = 10,
+    type = {NIST Post-Quantum Cryptography Round 3 Submission},
+    url={https://classic.mceliece.org/nist/mceliece-20201010.pdf},
 }
 
 @techreport{kyber,
-    title = {CRYSTALS-Kyber},
-    author = {Roberto Avanzi and Joppe Bos and Léo Ducas and Eike Kiltz and Tancrède Lepoint and
-Vadim Lyubashevsky and John M. Schanck and Peter Schwabe and Gregor Seiler and Damien Stehlé},
-    year = 2020,
-    month = 10,
-    day = 1,
-    type = {NIST Post-Quantum Cryptography Selected Algorithm},
-    url = {https://pq-crystals.org/kyber/}
+  title={CRYSTALS-Kyber algorithm specifications and supporting documentation},
+  author={Avanzi, Roberto and Bos, Joppe and Ducas, L{\'e}o and Kiltz, Eike and Lepoint, Tancr{\`e}de and Lyubashevsky, Vadim and Schanck, John M and Schwabe, Peter and Seiler, Gregor and Stehl{\'e}, Damien and others},
+  year = 2021,
+  month = 08,
+  day = 04,
+  url = {https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf}
 }
 
-
 @misc{SHAKE256,
   author   = "National Institute of Standards and Technology",
   title    = "FIPS PUB 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions",
@@ -206,3 +203,18 @@ Vadim Lyubashevsky and John M. Schanck and Peter Schwabe and Gregor Seiler and D
   doi      = {10.6028/NIST.FIPS.202}
 }
 
+@misc{boneh_shoup_graduate,
+  title  = "A graduate course in applied cryptography",
+  author = "Dan Boneh and Victor Shoup",
+  url    = "https://toc.cryptobook.us/",
+  year   = {2023},
+}
+
+@inproceedings{hmac,
+  title={Keying hash functions for message authentication},
+  author={Bellare, Mihir and Canetti, Ran and Krawczyk, Hugo},
+  booktitle={Annual international cryptology conference},
+  pages={1--15},
+  year={1996},
+  organization={Springer}
+}

papers/tex/template-rosenpass.tex

@@ -2,6 +2,7 @@
 \usepackage{amssymb}
 \usepackage{mathtools}
 \usepackage{fontspec}
+\usepackage{dirtytalk}
 
 %font fallback
 \directlua{luaotfload.add_fallback

papers/whitepaper.md

@@ -8,21 +8,23 @@ author:
 - Lisa Schmidt = {Scientific Illustrator – \\url{mullana.de}}
 - Prabhpreet Dua
 abstract: |
-       Rosenpass is used to create post-quantum-secure VPNs. Rosenpass computes a shared key, WireGuard (WG) [@wg] uses the shared key to establish a secure connection. Rosenpass can also be used without WireGuard, deriving post-quantum-secure symmetric keys for another application. The Rosenpass protocol builds on “Post-quantum WireGuard” (PQWG) [@pqwg] and improves it by using a cookie mechanism to provide security against state disruption attacks.
+       Rosenpass is a post-quantum-secure authenticated key exchange protocol. Its main practical use case is creating post-quantum-secure VPNs by combining WireGuard and Rosenpass.
 
-       The WireGuard implementation enjoys great trust from the cryptography community and has excellent performance characteristics. To preserve these features, the Rosenpass application runs side-by-side with WireGuard and supplies a new post-quantum-secure pre-shared key (PSK) every two minutes. WireGuard itself still performs the pre-quantum-secure key exchange and transfers any transport data with no involvement from Rosenpass at all.
+       In this combination, Rosenpass generates a post-quantum-secure shared key every two minutes that is then used by WireGuard (WG) [@wg] to establish a secure connection. Rosenpass can also be used without WireGuard, providing post-quantum-secure symmetric keys for other applications, as long as the other application accepts a pre-shared key and provides cryptographic security based on the pre-shared key alone.
+
+       The Rosenpass protocol builds on “Post-quantum WireGuard” (PQWG) [@pqwg] and improves it by using a cookie mechanism to provide security against state disruption attacks. From a cryptographic perspective, Rosenpass can be thought of as a post-quantum secure variant of the Noise IK[@noise] key exchange. \say{Noise IK} means that the protocol makes both parties authenticate themselves, but that the initiator knows before the protocol starts which other party they are communicating with. There is no negotiation step where the responder communicates their identity to the initiator.
 
        The Rosenpass project consists of a protocol description, an implementation written in Rust, and a symbolic analysis of the protocol’s security using ProVerif [@proverif]. We are working on a cryptographic security proof using CryptoVerif [@cryptoverif].
 
-       This document is a guide for engineers and researchers implementing the protocol; a scientific paper discussing the security properties of Rosenpass is work in progress.
+       This document is a guide for engineers and researchers implementing the protocol.
 ---
 
 \enlargethispage{5mm}
 \setupimage{label=img:KeyExchangeProt,width=.9\linewidth}
-![Rosenpass Key Exchange Protocol](graphics/rosenpass-wp-key-exchange-protocol-rgb.svg)
+![Rosenpass Key Exchange Protocol](graphics/rosenpass-wp-key-exchange-protocol.svg)
 
 \setupimage{label=img:MessageTypes}
-![Rosenpass Message Types](graphics/rosenpass-wp-message-types-rgb.svg)
+![Rosenpass Message Types](graphics/rosenpass-wp-message-types.svg)
 
 \clearpage
 
@@ -31,7 +33,7 @@ abstract: |
 
 # Security
 
-Rosenpass inherits most security properties from Post-Quantum WireGuard (PQWG). The security properties mentioned here are covered by the symbolic analysis in the Rosenpass repository. 
+Rosenpass inherits most security properties from Post-Quantum WireGuard (PQWG). The security properties mentioned here are covered by the symbolic analysis in the Rosenpass repository.
 
 ## Secrecy
 Three key encapsulations using the keypairs `sski`/`spki`, `sskr`/`spkr`, and `eski`/`epki` provide secrecy (see Section \ref{variables} for an introduction of the variables). Their respective ciphertexts are called `scti`, `sctr`, and `ectr` and the resulting keys are called `spti`, `sptr`, `epti`. A single secure encapsulation is sufficient to provide secrecy. We use two different KEMs (Key Encapsulation Mechanisms; see Section \ref{skem}): Kyber and Classic McEliece.
@@ -66,11 +68,13 @@ All symmetric keys and hash values used in Rosenpass are 32 bytes long.
 
 ### Hash {#hash}
 
-A keyed hash function with one 32-byte input, one variable-size input, and one 32-byte output. As keyed hash function we offer two options that can be configured on a peer-basis, with Blake2s being the default:
+A keyed hash function with one 32-byte input, one variable-size input, and one 32-byte output. As keyed hash function we offer two options that can be configured on a peer-basis, with Blake2b being the default:
 
-1. the HMAC construction [@rfc_hmac] with BLAKE2s [@rfc_blake2] as the inner hash function.
+1. an **incorrect** HMAC construction [@rfc_hmac] with BLAKE2b [@rfc_blake2] as the inner hash function. See Sec. \ref{incorrect-hmac} for details.
 2. the SHAKE256 extendable output function (XOF) [@SHAKE256] truncated to a 32-byte output. The result is produced be concatenating the 32-byte input with the variable-size input in this order.
 
+The use of BLAKE2b is being phased out.
+
 ```pseudorust
 hash(key, data) -> key
 ```
@@ -96,7 +100,7 @@ XAEAD::dec(key, nonce, ciphertext, additional_data) -> plaintext
 
 ### SKEM {#skem}
 
-“Key Encapsulation Mechanism” (KEM) is the name of an interface widely used in post-quantum-secure protocols. KEMs can be seen as asymmetric encryption specifically for symmetric keys. Rosenpass uses two different KEMs. SKEM is the key encapsulation mechanism used with the static keypairs in Rosenpass. The public keys of these keypairs are not transmitted over the wire during the protocol. We use Classic McEliece 460896 [@mceliece] which claims to be as hard to break as 192-bit AES. As one of the oldest post-quantum-secure KEMs, it enjoys wide trust among cryptographers, but it has not been chosen for standardization by NIST. Its ciphertexts and private keys are small (188 bytes and 13568 bytes), and its public keys are large (524160 bytes). This fits our use case: public keys are exchanged out-of-band, and only the small ciphertexts have to be transmitted during the handshake.
+“Key Encapsulation Mechanism” (KEM) is the name of an interface widely used in post-quantum-secure protocols. KEMs can be seen as asymmetric encryption specifically for symmetric keys. Rosenpass uses two different KEMs. SKEM is the key encapsulation mechanism used with the static keypairs in Rosenpass. The public keys of these keypairs are not transmitted over the wire during the protocol. We use Classic McEliece 460896\footnote{The exact Classic McEliece version is from the NIST-Competition, Round 3: \par https://classic.mceliece.org/nist/mceliece-20201010.tar.gz}[@mceliece] which claims to be as hard to break as 192-bit AES. As one of the oldest post-quantum-secure KEMs, it enjoys wide trust among cryptographers, but it has not been chosen for standardization by NIST. Its ciphertexts and secret keys are small (188 bytes and 13568 bytes), and its public keys are large (524160 bytes). This fits our use case: public keys are exchanged out-of-band, and only the small ciphertexts have to be transmitted during the handshake.
 
 ```pseudorust
 SKEM::enc(public_key) -> (ciphertext, shared_key)
@@ -105,7 +109,7 @@ SKEM::dec(secret_key, ciphertext) -> shared_key
 
 ### EKEM
 
-Key encapsulation mechanism used with the ephemeral KEM keypairs in Rosenpass. The public keys of these keypairs need to be transmitted over the wire during the protocol. We use Kyber-512 [@kyber], which has been selected in the NIST post-quantum cryptography competition and claims to be as hard to break as 128-bit AES. Its ciphertexts, public keys, and private keys are 768, 800, and 1632 bytes long, respectively, providing a good balance for our use case as both a public key and a ciphertext have to be transmitted during the handshake.
+Key encapsulation mechanism used with the ephemeral KEM keypairs in Rosenpass. The public keys of these keypairs need to be transmitted over the wire during the protocol. We use Kyber-512\footnote{The exact Kyber version is from the NIST-Competition, Round 3: \par https://pq-crystals.org/kyber/data/kyber-submission-nist-round3.zip \par https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf}[@kyber], which has been selected in the NIST post-quantum cryptography competition and claims to be as hard to break as 128-bit AES. Its ciphertexts, public keys, and secret keys are 768, 800, and 1632 bytes long, respectively, providing a good balance for our use case as both a public key and a ciphertext have to be transmitted during the handshake.
 
 ```pseudorust
 EKEM::enc(public_key) -> (ciphertext, shared_key)
@@ -116,7 +120,46 @@ Using a combination of two KEMs – Classic McEliece for static keys and Kyber f
 
 Rosenpass uses libsodium [@libsodium] as cryptographic backend for hash, AEAD, and XAEAD, and liboqs [@liboqs] for the post-quantum-secure KEMs.
 
-## Variables {#variables}
+## Protocol Roles {#roles}
+
+The protocol specifies two roles: initiator and responder.
+
+* initiator – The party that starts a handshake.
+* responder – The party that does not start a handshake.
+
+All Rosenpass instances operate in either mode; the traditional "client"/"server" distinction does not apply to the Rosenpass protocol. We sometimes use the term "server". In these cases, we generally refer to the "Rosenpass Server," as in the application that implements the Rosenpass protocol, not to a server/client distinction.
+
+The initiator is stateful, and directs the handshake process. The responder is stateless for most of the protocol and reacts to the initiator's messages; this is important to protect our protocol against state disruption (protocol level denial of service) attacks. Since the responder does require some state to complete the protocol, this state is moved into an encrypted cookie, called "biscuit".
+
+The number of concurrent responder-role handshakes with another client is unlimited to account for the possibility of an imposter trying to execute a handshake: before completion of said handshake, there is no way to figure out which peer is an imposter and which peer is a legitimate party; any attempt to do so might lead to a state-disruption attack -- denial of service on the protocol level.
+
+There is no particular mechanism to negotiate which party acts as initiator and which acts as responder. At startup and when a key exchange is timer-triggered, Rosenpass will *initiate* a key exchange in initiator mode. At startup of another peer, and when they start a timer-triggered key exchange, the local server will *respond* in responder mode.
+
+Implementations must account for one ongoing initiator-role key exchange and many ongoing responder-role key exchanges. Upon receiving a well-formed InitConf package and successfully completing a responder-role key exchange, implementations should abort any ongoing initiator-role key exchange. Implementations should also use different back-off periods depending on whether the handshake was completed in initiator role or in responder role. The following values are used in the Rust reference implementation:
+
+- Initiator rekey interval: 130s
+- Responder rekey interval: 120s
+
+In practice these delays cause participants to take turns acting as initiator and acting as responder, since the ten-second difference is usually enough for the handshake with switched roles to complete before the old initiator's rekey timer goes to zero.
+
+## Packages {#packages}
+
+The packages, their contents, and their type IDs are graphically represented in Fig. \ref{img:MessageTypes}. Their purposes are:
+
+* \textbf{Envelope} – This is not a package on its own; it is the envelope all the other packages are put into.
+* \textbf{InitHello} – First package of the handshake, from initiator to responder.
+* \textbf{RespHello} – Second package of the handshake, from responder to initiator.
+* \textbf{InitConf} – Third package of the handshake, from initiator to responder.
+* \textbf{EmptyData} – Empty payload package. Used as acknowledgment to abort data retransmission (see Secs. \ref{payload-keys}, \ref{packet-loss}, and function `enter_live()` in Sec. \ref{fn:enter_live}).
+* \textbf{Data} – Transmission of actual payload data is not used in Rosenpass, but the package is still specified since it is part of WireGuard (see Sec. \ref{payload-keys} and function `enter_live()` in Sec. \ref{fn:enter_live}).
+* \textbf{CookieReply} – Used for proof-of-IP-ownership-based denial-of-service mitigation (see Sec. \ref{dos-mitigation}).
+* \textbf{biscuit} – This is not a stand-alone package; instead, it is an encrypted fragment present in \textbf{RespHello} and \textbf{InitConf}.
+
+## Endianness {#endianess}
+
+Unless otherwise specified, all integer values in the Rosenpass protocol use little-endian encoding.
+
+## Variables and Domain Separators {#variables}
 
 ### KEM Keypairs and Ciphertexts
 
@@ -136,10 +179,10 @@ Rosenpass uses multiple keypairs, ciphertexts, and plaintexts for key encapsulat
 
 These values use a naming scheme consisting of four lower-case characters. The first character indicates whether the key is static `s` or ephemeral `e`. The second character is an `s` or a `p` for secret or public. The third character is always a `k`. The fourth and final character is an `i`, `r`, `m`, or `t`, for `initiator`, `responder`, `mine`, or `theirs`. The initiator's static public key for instance is `spki`. During execution of the protocol, three KEM ciphertexts are produced: `scti`, `sctr`, and `ecti`.
 
-Besides the initiator and responder roles, we define the roles `mine` and `theirs` (`m`/`t`). These are sometimes used in the code when the assignment to initiator or responder roles is flexible. As an example, “this server's” static secret key is `sskm`, and the peer's public key is `spkt`.
+Besides the initiator and responder roles, we define the roles `mine` and `theirs` (`m`/`t`). These are sometimes used in the code when the assignment to initiator or responder roles is flexible. As an example, our static secret key is `sskm`, and the peer's public key is `spkt`.
 
 
-### IDs
+### IDs {#peer-ids}
 
 Rosenpass uses two types of ID variables. See Figure \ref{img:HashingTree} for how the IDs are calculated.
 
@@ -154,43 +197,115 @@ Rosenpass uses two types of ID variables. See Figure \ref{img:HashingTree} for h
 
 The first lower-case character indicates whether the variable is a session ID (`sid`) or a peer ID (`pid`). The final character indicates the role using the characters `i`, `r`, `m`, or `t`, for `initiator`, `responder`, `mine`, or `theirs` respectively.
 
-### Symmetric Keys
-
-Rosenpass uses two symmetric key variables `psk` and `osk` in its interface, and maintains the entire handshake state in a variable called the chaining key.
+### Symmetric Keys {#symmetric-keys}
 
+Rosenpass uses two main symmetric key variables `psk` and `osk` in its interface, and maintains the entire handshake state in a variable called the chaining key.
 
 * `psk`: A pre-shared key that can be optionally supplied as input to Rosenpass.
-* `osk`: The output shared key, generated by Rosenpass and supplied to WireGuard for use as its pre-shared key.
-* `ck`: The chaining key.
+* `osk`: The output shared key, generated by Rosenpass. The main use case is to supply the key to WireGuard for use as its pre-shared key.
+* `ck`: The chaining key. This refers to various intermediate keys produced during the execution of the protocol, before the final `osk` is produced.
 
-We mix all key material (e.g. `psk`) into the chaining key, and derive symmetric keys such as `osk` from it. We authenticate public values by mixing them into the chaining key; in particular, we include the entire protocol transcript in the chaining key, i.e., all values transmitted over the network.
+We mix all key material (e.g. `psk`) into the chaining key and derive symmetric keys such as `osk` from it. We authenticate public values by mixing them into the chaining key; in particular, we include the entire protocol transcript in the chaining key, i.e., all values transmitted over the network.
+
+The protocol allows for multiple `osk`s to be generated; each of these keys is labeled with a domain separator to make sure different key usages are always given separate keys. The domain separator for using Rosenpass and WireGuard together is a token generated using the domain separator sequence `["rosenpass.eu", "wireguard psk"]` (see Fig. \ref{img:HashingTree}), as described in \ref{protocol-extension-wireguard-psk}. Third-parties using Rosenpass-keys for other purposes are asked to define their own protocol-extensions. Standard protocol extensions are described in \ref{protocol-extensions}.
+
+#### Symmetric Keys and Nonces for payload data transmission {#payload-keys}
+
+Keys generated by the Rosenpass key exchange could be used for encryption of payload data if post-quantum security but not hybrid post-quantum security is a goal. Despite this, we do not generally offer payload transmission in the protocol. Instead, the Rosenpass protocol focuses on providing a key exchange, letting external applications handle data transmission. When used with WireGuard, the default use case, this integration also ensures hybrid security.
+
+Still we specify the `Data` and `EmptyData` packets. `Data` is not used, but we still specify it as the same packet is also present in WireGuard. `EmptyData` is used for packet retransmission (see Sec. \ref{packet-loss}).
+
+We also specify how symmetric keys are generated for payload encryption. See Sec. {#live-session-state} and the function `enter_live()` (Sec. \ref{fn:enter_live}).
+
+Keys and nonces for this purpose use the following naming scheme:
+
+\begin{namepartpicture}
+\namepart{tx=Transmission,rx=Reception}
+\namepart[3.5cm]{k=Key,n=Nonce}
+\namepart[7cm]{i=Initiator,r=Responder,m=Mine,t=Theirs}
+\begin{scope}[decoration={brace,amplitude=5mm},thick]
+\namebraceright{tx}{rx}
+\namebraceleft{k}{n}
+\namebraceright{k}{n}
+\namebraceleft{i}{t}
+\end{scope}
+\end{namepartpicture}
+
+Note that this scheme is deliberately redundant. For instance, when we are the initiator, then `txki = rxki = txkm = rxkt`. I.e. the initiator's transmission key is the responder's reception key. Since we are the initiator, the initiator's transmission key is also the transmission key of `mine` and the reception key of `theirs`.
+
+There also is a -- now deprecated -- naming scheme:
+
+\begin{namepartpicture}
+\namepart{ini=Initiator,res=Responder,hs=Handshake}
+\SingleNamePart[3.5cm]{enc}{\textunderscore{}enc}{Encryption}
+\begin{scope}[decoration={brace,amplitude=5mm},thick]
+\namebraceright{ini}{hs}
+\namebraceleft{enc}{enc}
+\end{scope}
+\end{namepartpicture}
+
+`ini_enc = txki = rxkr` and `res_enc = txkr = rxki`, but this usage is deprecated. The third name `hs_enc` is for encryption as part of the key exchange itself; this name is still in use.
+
+### Labels
+
+Fig. \ref{img:HashingTree} specifies multiple domain separators for various uses.
+
+* `PROTOCOL` (`[0, PROTOCOL]`) – The global domain separator; used to generate more domain separators.
+
+Immediately below the global domain separator, you can find:
+
+* `"mac"` – Network package integrity verification and pre-authentication with `spkt`. See Sec. \ref{envelope-mac-field}.
+* `"cookie"` – Denial of Service mitigation through proof-of-ip ownership. See Sec. \ref{dos-mitigation}.
+* `"peer id"` – Generation of peer ids. See Sec. \ref{peer-ids}.
+* `"biscuit additional data"` – Storing the protocol state in encrypted cookies so the responder is stateless. See Sec. \ref{hs-state-and-biscuits}.
+* `"chaining key init"` – Starting point for the execution of the actual rosenpass protocol.
+* `"chaining key extract"` – Key derivation from the current protocol state, the chaining key. See Sec. \ref{symmetric-keys}.
+
+Below `"chaining key extract"`, there are multiple labels, generating domain separators for deriving keys for various purposes during the execution of the protocol.
+
+It is important to understand that there are two phases for these labels, e.g. applying the `"mix"` label produces a random fixed-size hash value we call `mix`. Not the label `"mix"` but the resulting hash value is used to derive keys during protocol execution. This allows us to use very complicated label structures for key derivation without losing efficiency.
+
+The different labels are:
+
+* `"mix"` – Mixing further values into the chaining key; i.e. into the protocol state.
+* `"user"` – Labels for external uses; these are what generate the `osk` (output shared key). See Sec. \ref{symmetric-keys}.
+* `"handshake encryption"` – Used when encrypting data using a shared key as part of the protocol execution; e.g. used to generate the `auth` (authentication tag) fields in protocol packages.
+* `"initiator handshake encryption"` and `"responder handshake encryption"` – For transmission of data after the key-exchange finishes. See Sec. \ref{symmetric-keys}.
 
 ## Hashes
 
 Rosenpass uses a cryptographic hash function for multiple purposes:
 
 * Computing the message authentication code in the message envelope as in WireGuard
-* Computing the cookie to guard against denial of service attacks. This is a feature adopted from WireGuard, but not yet included in the implementation of Rosenpass.
+* Computing the cookie to guard against denial of service attacks.
 * Computing the peer ID
 * Key derivation during and after the handshake
 * Computing the additional data for the biscuit encryption, to provide some privacy for its contents
 
-Recall from Section \ref{hash} that rosenpass supports using either BLAKE2s or SHAKE256 as hash function, which can be configured for each peer ID. However, as noted above, rosenpass uses a hash function to compute the peer ID and thus also to access the configuration for a peer ID. This is an issue when receiving an `InitHello`-message, because the correct hash function is not known when a responder receives this message and at the same the responders needs it in order to compute the peer ID and by that also identfy the hash function for that peer. The reference implementation resolves this issue by first trying to derive the peer ID using SHAKE256. If that does not work (i.e. leads to an AEAD decryption error), the reference implementation tries again with BLAKE2s. The reference implementation verifies that the hash function matches the one confgured for the peer. Similarly, if the correct peer ID is not cached when receiving an InitConf message, the reference implementation proceeds in the same manner.
+Recall from Section \ref{hash} that rosenpass supports using either BLAKE2b or SHAKE256 as hash function, which can be configured for each peer ID. However, as noted above, rosenpass uses a hash function to compute the peer ID and thus also to access the configuration for a peer ID. This is an issue when receiving an `InitHello`-message, because the correct hash function is not known when a responder receives this message and at the same the responders needs it in order to compute the peer ID and by that also identfy the hash function for that peer. The reference implementation resolves this issue by first trying to derive the peer ID using SHAKE256. If that does not work (i.e. leads to an AEAD decryption error), the reference implementation tries again with BLAKE2b. The reference implementation verifies that the hash function matches the one confgured for the peer. Similarly, if the correct peer ID is not cached when receiving an InitConf message, the reference implementation proceeds in the same manner.
 
 Using one hash function for multiple purposes can cause real-world security issues and even key recovery attacks [@oraclecloning]. We choose a tree-based domain separation scheme based on a keyed hash function – the previously introduced primitive `hash` – to make sure all our hash function calls can be seen as distinct.
 
 \setupimage{landscape,fullpage,label=img:HashingTree}
-![Rosenpass Hashing Tree](graphics/rosenpass-wp-hashing-tree-rgb.svg)
+![Rosenpass Hashing Tree](graphics/rosenpass-wp-hashing-tree.svg)
 
-Each tree node $\circ{}$ in Figure 3 represents the application of the keyed hash function, using the previous chaining key value as first parameter. The root of the tree is the zero key. In level one, the `PROTOCOL` identifier is applied to the zero key to generate a label unique across cryptographic protocols (unless the same label is deliberately used elsewhere). In level two, purpose identifiers are applied to the protocol label to generate labels to use with each separate hash function application within the Rosenpass protocol. The following layers contain the inputs used in each separate usage of the hash function: Beneath the identifiers `"mac"`, `"cookie"`, `"peer id"`, and `"biscuit additional data"` are hash functions or message authentication codes with a small number of inputs. The second, third, and fourth column in Figure 3 cover the long sequential branch beneath the identifier `"chaining key init"` representing the entire protocol execution, one column for each message processed during the handshake. The leaves beneath `"chaining key extract"` in the left column represent pseudo-random labels for use when extracting values from the chaining key during the protocol execution. These values such as `mix >` appear as outputs in the left column, and then as inputs `< mix` in the other three columns.
+Each tree node $\circ{}$ in Figure \ref{img:HashingTree} represents the application of the keyed hash function, using the previous chaining key value as first parameter. The root of the tree is the zero key. In level one, the `PROTOCOL` identifier is applied to the zero key to generate a label unique across cryptographic protocols (unless the same label is deliberately used elsewhere). In level two, purpose identifiers are applied to the protocol label to generate labels to use with each separate hash function application within the Rosenpass protocol. The following layers contain the inputs used in each separate usage of the hash function: Beneath the identifiers `"mac"`, `"cookie"`, `"peer id"`, and `"biscuit additional data"` are hash functions or message authentication codes with a small number of inputs. The second, third, and fourth column in Figure \ref{img:HashingTree} cover the long sequential branch beneath the identifier `"chaining key init"` representing the entire protocol execution, one column for each message processed during the handshake. The leaves beneath `"chaining key extract"` in the left column represent pseudo-random labels for use when extracting values from the chaining key during the protocol execution. These values such as `mix >` appear as outputs in the left column, and then as inputs `< mix` in the other three columns.
 
-The protocol identifier depends on the hash function used with the respective peer is defined as follows if BLAKE2s [@rfc_blake2] is used:
+The protocol identifier depends on the hash function used with the respective peer is defined as follows if BLAKE2b [@rfc_blake2] is used:
 
 ```pseudorust
-PROTOCOL = "rosenpass 1 rosenpass.eu aead=chachapoly1305 hash=blake2s ekem=kyber512 skem=mceliece460896 xaead=xchachapoly1305"
+PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 BLAKE2s"
+```
+Note that the domain separator used here maintains that BLAKE2s is used, while in
+reality, we use BLAKE2b. The reason for this is an implementation error. Since fixing this would have led to a breaking change in the Rosenpass reference implementation, and all other known implementations of Rosenpass simply reproduced this error, we chose to harmonize the white paper with the implementation instead of fixing the implementation.
+
+If SHAKE256 [@SHAKE256] is used, then `BLAKE2s` is substituted with `SHAKE256`:
+
+```pseudorust
+PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 SHAKE256"
 ```
 
-If SHAKE256 [@SHAKE256] is used, `blake2s` is replaced by `shake256` in `PROTOCOL`. Since every tree node represents a sequence of `hash` calls, the node beneath `"handshake encryption"` called `hs_enc` can be written as follows:
+Since every tree node represents a sequence of `hash` calls, the node beneath `"handshake encryption"` called `hs_enc` can be written as follows:
 
 ```pseudorust
 hs_enc = hash(hash(hash(0, PROTOCOL), "chaining key extract"), "handshake encryption")
@@ -214,7 +329,7 @@ hs_enc = hash(hash(hash(0, PROTOCOL), "chaining key extract"), "handshake encryp
        = lhash("chaining key extract", "handshake encryption")
 ```
 
-## Server State
+## Rosenpass Server State
 
 ### Global
 
@@ -238,9 +353,9 @@ For each peer, the server stores:
 * `psk` – The pre-shared key used with the peer
 * `spkt` – The peer's public key
 * `biscuit_used` – The `biscuit_no` from the last biscuit accepted for the peer as part of InitConf processing
-* `hash_function` – The hash function, SHAKE256 or BLAKE2s, used with the peer.
+* `hash_function` – The hash function, SHAKE256 or BLAKE2b, used with the peer.
 
-### Handshake State and Biscuits
+### Handshake State and Biscuits {#hs-state-and-biscuits}
 
 The initiator stores the following local state for each ongoing handshake:
 
@@ -261,9 +376,13 @@ The responder stores no state. While the responder has access to all of the abov
 
 The biscuit is encrypted with the `XAEAD` primitive and a randomly chosen nonce. The values `sidi` and `sidr` are transmitted publicly as part of InitConf, so they do not need to be present in the biscuit, but they are added to the biscuit's additional data to make sure the correct values are transmitted as part of InitConf.
 
-The `biscuit_key` used to encrypt biscuits should be rotated every two minutes. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when `biscuit_key` is rotated.
+The `biscuit_key` used to encrypt biscuits should be rotated frequently. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when `biscuit_key` is rotated. The Rosenpass reference implementation retires biscuits after five minutes and erases them after ten.
 
-### Live Session State
+### Live Session State {#live-session-state}
+
+These variables are used after the handshake terminates for encryption of the \textbf{Data} and \textbf{EmptyData} packages.
+\textbf{EmptyData} is used as an acknowledgement package to terminate package retransmission (see Sec. \ref{packet-loss}).
+\textbf{Data} would be used for transmission of actual payload, but this feature is currently not specified for Rosenpass. Despite this, we do specify the however as it is also part of WireGuard.
 
 * `ck` – The chaining key
 * `sidm` – Our session ID (“mine”)
@@ -273,6 +392,13 @@ The `biscuit_key` used to encrypt biscuits should be rotated every two minutes.
 * `txkt` – Peer's transmission key
 * `txnt` – Peer's transmission nonce
 
+## Protocol Code {#functions}
+
+The main reference for how messages are processed in the Rosenpass protocol can be found in Fig. \ref{img:HandlingCode}. The figure uses Rust-like pseudo code.
+
+\setupimage{landscape,fullpage,label=img:HandlingCode}
+![Rosenpass Message Handling Code](graphics/rosenpass-wp-message-handling-code.svg)
+
 ## Helper Functions {#functions}
 
 Given the peer ID, look up the peer and load the peer's variables.
@@ -289,7 +415,7 @@ fn lookup_session(sid);
 
 The protocol framework used by Rosenpass allows arbitrarily many different keys to be extracted using labels for each key. The `extract_key` function is used to derive protocol-internal keys, its labels are under the “chaining key extract” node in Figure \ref{img:HashingTree}. The export key function is used to export application keys.
 
-Third-party applications using the protocol are supposed to choose a unique label (e.g., their domain name) and use that as their own namespace for custom labels. The Rosenpass project itself uses the “rosenpass.eu” namespace.
+Third-party applications using the protocol are supposed to define a protocol extension (see \ref{protocol-extensions}) and choose a globally unique label, such as their domain name for custom labels of their own. The Rosenpass project itself uses the `["rosenpass.eu"]` namespace in the WireGuard PSK protocol extension (see \ref{protocol-extension-wireguard-psk}).
 
 Applications can cache or statically compile the pseudo-random label values into their binary to improve performance.
 
@@ -343,13 +469,13 @@ Rosenpass is built with KEMs, not with NIKEs (Diffie-Hellman-style operations);
 ```pseudorust
 fn encaps_and_mix<T: KEM>(pk) {
     let (ct, shk) = T::enc(pk);
-    mix(pk, ct, shk);
+    mix(pk, shk, ct);
     ct
 }
 
 fn decaps_and_mix<T: KEM>(sk, pk, ct) {
     let shk = T::dec(sk, ct);
-    mix(pk, ct, shk);
+    mix(pk, shk, ct);
 }
 ```
 
@@ -371,40 +497,40 @@ fn store_biscuit() {
       "biscuit additional data",
       spkr, sidi, sidr);
     let ct = XAEAD::enc(k, n, pt, ad);
-    let nct = concat(n, ct);
+    let biscuit_ct = concat(n, ct);
 
-    mix(nct)
-    nct
+    mix(biscuit_ct)
+    biscuit_ct
 }
 ```
-Note that the `mix(nct)` call updates the chaining key, but that update does not make it into the biscuit. Therefore, `mix(nct)` is reapplied in `load_biscuit`. The responder handshake code also needs to reapply any other operations modifying `ck` after calling `store_biscuit`. The handshake code on the initiator's side also needs to call `mix(nct)`.
+Note that the `mix(biscuit_ct)` call updates the chaining key, but that update does not make it into the biscuit. Therefore, `mix(biscuit_ct)` is reapplied in `load_biscuit`. The responder handshake code also needs to reapply any other operations modifying `ck` after calling `store_biscuit`. The handshake code on the initiator's side also needs to call `mix(biscuit_ct)`.
 
 
 ```pseudorust
-fn load_biscuit(nct) {
+fn load_biscuit(biscuit_ct) {
     // Decrypt the biscuit
     let k = biscuit_key;
-    let (n, ct) = nct;
+    let concat(n, ct) = biscuit_ct;
     let ad = lhash(
       "biscuit additional data",
       spkr, sidi, sidr);
     let pt : Biscuit = XAEAD::dec(k, n, ct, ad);
 
     // Find the peer and apply retransmission protection
-    lookup_peer(pt.peerid);
+    lookup_peer(pt.pidi);
 
-    // In December 2024, the InitConf retransmission mechanisim was redesigned
+    // In December 2024, the InitConf retransmission mechanism was redesigned
     // in a backwards-compatible way. See the changelog.
-    // 
+    //
     // -- 2024-11-30, Karolin Varner
     if (protocol_version!(< "0.3.0")) {
         // Ensure that the biscuit is used only once
-        assert(pt.biscuit_no <= peer.biscuit_used);
+        assert(pt.biscuit_no >= peer.biscuit_used);
     }
 
     // Restore the chaining key
     ck ← pt.ck;
-    mix(nct);
+    mix(biscuit_ct);
 
     // Expose the biscuit no,
     // so the handshake code can differentiate
@@ -413,6 +539,8 @@ fn load_biscuit(nct) {
 }
 ```
 
+\phantomsection\label{fn:enter_live}
+
 Entering the live session is very simple in Rosenpass – we just use `extract_key` with dedicated identifiers to derive initiator and responder keys.
 
 ```pseudorust
@@ -421,6 +549,18 @@ fn enter_live() {
     txkr ← extract_key("responder payload encryption");
     txnm ← 0;
     txnt ← 0;
+
+    // Setup output keys for protocol extensions such as the
+    // WireGuard PSK protocol extension.
+    setup_osks();
+}
+```
+
+The final step `setup_osks()` can be defined by protocol extensions (see \ref{protocol-extensions}) to set up `osk`s for custom use cases. By default, the WireGuard PSK (see \ref{protocol-extension-wireguard-psk}) is active.
+
+```pseudorust
+fn setup_osks() {
+    ... // Defined by protocol extensions
 }
 ```
 
@@ -446,13 +586,15 @@ The responder code handling InitConf needs to deal with the biscuits and package
 
 ICR5 and ICR6 perform biscuit replay protection using the biscuit number. This is not handled in `load_biscuit()` itself because there is the case that `biscuit_no = biscuit_used` which needs to be dealt with for retransmission handling.
 
-### Denial of Service Mitigation and Cookies
+### Denial of Service Mitigation and Cookies {#dos-mitigation}
 
-Rosenpass derives its cookie-based DoS mitigation technique for a responder when receiving InitHello messages from Wireguard [@wg]. 
+Rosenpass derives its cookie-based DoS mitigation technique for a responder when receiving InitHello messages from WireGuard [@wg].
+
+**This is currently implemented in the Rosenpass implementation but still considered an experimental feature and not enabled by default.**
 
 When the responder is under load, it may choose to not process further InitHello handshake messages, but instead to respond with a cookie reply message (see Figure \ref{img:MessageTypes}).
 
-The sender of the exchange then uses this cookie in order to resend the message and have it accepted the following time by the reciever. 
+The sender of the exchange then uses this cookie in order to resend the message and have it accepted the following time by the receiver.
 
 For an initiator, Rosenpass ignores all messages when under load.
 
@@ -465,11 +607,11 @@ cookie_value = lhash("cookie-value", cookie_secret, initiator_host_info)[0..16]
 cookie_encrypted = XAEAD(lhash("cookie-key", spkm), nonce, cookie_value, mac_peer)
 ```
 
-where `cookie_secret` is a secret variable that changes every two minutes to a random value. Moreover, `lhash` is always instantiated with SHAKE256 when computing `cookie_value` for compatability reasons.  `initiator_host_info` is used to identify the initiator host, and is implementation-specific for the client. This paramaters used to identify the host must be carefully chosen to ensure there is a unique mapping, especially when using IPv4 and IPv6 addresses to identify the host (such as taking care of IPv6 link-local addresses). `cookie_value` is a truncated 16 byte value from the above hash operation. `mac_peer` is the `mac` field of the peer's handshake message to which message is the reply.  
+where `cookie_secret` is a secret variable that changes every two minutes to a random value. Moreover, `lhash` is always instantiated with SHAKE256 when computing `cookie_value` for compatability reasons.  `initiator_host_info` is used to identify the initiator host, and is implementation-specific for the client. This paramaters used to identify the host must be carefully chosen to ensure there is a unique mapping, especially when using IPv4 and IPv6 addresses to identify the host (such as taking care of IPv6 link-local addresses). `cookie_value` is a truncated 16 byte value from the above hash operation. `mac_peer` is the `mac` field of the peer's handshake message to which message is the reply.
 
-#### Envelope `mac` Field
+#### Envelope `mac` Field {#envelope-mac-field}
 
-Similar to `mac.1` in Wireguard handshake messages, the `mac` field of a Rosenpass envelope from a handshake packet sender's point of view consists of the following:
+Similar to `mac.1` in WireGuard handshake messages, the `mac` field of a Rosenpass envelope from a handshake packet sender's point of view consists of the following:
 
 ```pseudorust
 mac = lhash("mac", spkt, MAC_WIRE_DATA)[0..16]
@@ -492,27 +634,27 @@ else {
 }
 ```
 
-Here, `seconds_since_update(peer.cookie_value)` is the amount of time in seconds ellapsed since last cookie was received, and `COOKIE_WIRE_DATA` are the message contents of all bytes of the retransmitted message prior to the `cookie` field.
+Here, `seconds_since_update(peer.cookie_value)` is the amount of time in seconds elapsed since last cookie was received, and `COOKIE_WIRE_DATA` are the message contents of all bytes of the retransmitted message prior to the `cookie` field.
 
 The inititator can use an invalid value for the `cookie` value, when the responder is not under load, and the responder must ignore this value.
-However, when the responder is under load, it may reject InitHello messages with the invalid `cookie` value, and issue a cookie reply message. 
+However, when the responder is under load, it may reject InitHello messages with the invalid `cookie` value, and issue a cookie reply message.
 
 ### Conditions to trigger DoS Mechanism
 
 This whitepaper does not mandate any specific mechanism to detect responder contention (also mentioned as the under load condition) that would trigger use of the cookie mechanism.
 
-For the reference implemenation, Rosenpass has derived inspiration from the Linux implementation of Wireguard.  This implementation suggests that the reciever keep track of the number of messages it is processing at a given time. 
+For the reference implemenation, Rosenpass has derived inspiration from the Linux implementation of WireGuard.  This implementation suggests that the receiver keep track of the number of messages it is processing at a given time.
 
-On receiving an incoming message, if the length of the message queue to be processed exceeds a threshold `MAX_QUEUED_INCOMING_HANDSHAKES_THRESHOLD`, the client is considered under load and its state is stored as under load. In addition, the timestamp of this instant when the client was last under load is stored. When recieving subsequent messages, if the client is still in an under load state, the client will check if the time ellpased since the client was last under load has exceeded `LAST_UNDER_LOAD_WINDOW` seconds. If this is the case, the client will update its state to normal operation, and process the message in a normal fashion.
+On receiving an incoming message, if the length of the message queue to be processed exceeds a threshold `MAX_QUEUED_INCOMING_HANDSHAKES_THRESHOLD`, the client is considered under load and its state is stored as under load. In addition, the timestamp of this instant when the client was last under load is stored. When recieving subsequent messages, if the client is still in an under load state, the client will check if the time elapsed since the client was last under load has exceeded `LAST_UNDER_LOAD_WINDOW` seconds. If this is the case, the client will update its state to normal operation, and process the message in a normal fashion.
 
-Currently, the following constants are derived from the Linux kernel implementation of Wireguard:
+Currently, the following constants are derived from the Linux kernel implementation of WireGuard:
 
 ```pseudorust
 MAX_QUEUED_INCOMING_HANDSHAKES_THRESHOLD = 4096
 LAST_UNDER_LOAD_WINDOW = 1 //seconds
 ```
 
-## Dealing with Packet Loss
+## Dealing with Packet Loss {#packet-loss}
 
 The initiator deals with packet loss by storing the messages it sends to the responder and retransmitting them in randomized, exponentially increasing intervals until they get a response. Receiving RespHello terminates retransmission of InitHello. A Data or EmptyData message serves as acknowledgement of receiving InitConf and terminates its retransmission.
 
@@ -520,23 +662,435 @@ The responder uses less complex form of the same mechanism: The responder never
 
 ### Interaction with cookie reply system
 
-The cookie reply system does not interfere with the retransmission logic discussed above. 
+The cookie reply system does not interfere with the retransmission logic discussed above.
 
 When the initator is under load, it will ignore processing any incoming messages.
 
-When a responder is under load and it receives an InitHello handshake message, the InitHello message will be discarded and a cookie reply message is sent. The initiator, then on the reciept of the cookie reply message, will store a decrypted `cookie_value` to set the `cookie` field to subsequently sent messages. As per the retransmission mechanism above, the initiator will send a retransmitted InitHello message with a valid `cookie` value appended. On receiving the retransmitted handshake message, the responder will validate the `cookie` value and resume with the handshake process. 
+When a responder is under load and it receives an InitHello handshake message, the InitHello message will be discarded and a cookie reply message is sent. The initiator, then on the reciept of the cookie reply message, will store a decrypted `cookie_value` to set the `cookie` field to subsequently sent messages. As per the retransmission mechanism above, the initiator will send a retransmitted InitHello message with a valid `cookie` value appended. On receiving the retransmitted handshake message, the responder will validate the `cookie` value and resume with the handshake process.
 
 When the responder is under load and it recieves an InitConf message, the message will be directly processed without checking the validity of the cookie field.
 
+## Timers
+
+The Rosenpass protocol uses various timer-triggered events during its operation. This section provides a listing of the timers used and gives the values used in the reference implementation. Other implementations may choose different values.
+
+### Rekeying
+
+Period after which the previous responder starts a new handshake in initiator role; period after which the previous initiator starts a new handshake in initiator role again; period after which a peer rejects an existing shared key.
+
+```pseudorust
+REKEY_AFTER_TIME_RESPONDER = 120s
+REKEY_AFTER_TIME_INITIATOR = 130s
+REJECT_AFTER_TIME = 180s
+```
+
+### Biscuits
+
+Period after which the biscuit key is rotated.
+
+```pseudorust
+BISCUIT_EPOCH = 300s
+```
+
+### Retransmission
+
+Delay after which all retransmission attempts are aborted; exponential backoff factor for retransmission delay; initial (minimum) retransmission delay; final (maximum) retransmission delay; retransmission jitter/variance factor.
+
+```pseudorust
+RETRANSMIT_ABORT        = 120s
+RETRANSMIT_DELAY_GROWTH = 2
+RETRANSMIT_DELAY_BEGIN  = 500ms
+RETRANSMIT_DELAY_END    = 10s
+RETRANSMIT_DELAY_JITTER = 0.5
+```
+
+# Protocol extensions {#protocol-extensions}
+
+The main extension point for the Rosenpass protocol is to generate `osk`s (speak output shared keys, see Sec. \ref{symmetric-keys}) for purposes other than using them to secure WireGuard. By default, the Rosenpass application generates keys for the WireGuard PSK (see \ref{protocol-extension-wireguard-psk}). It would not be impossible to use the keys generated for WireGuard in other use cases, but this might lead to attacks[@oraclecloning]. Specifying a custom protocol extension in practice just means settling on alternative domain separators (see Sec. \ref{symmetric-keys}, Fig. \ref{img:HashingTree}).
+
+## Using custom domain separators in the Rosenpass application
+
+The Rosenpass application supports protocol extensions to change the OSK domain separator without modification of the source code.
+
+The following example configuration file can be used to execute Rosenpass in outfile mode with custom domain separators.
+In this mode, the Rosenpass application will write keys to the file specified with `key_out` and send notifications when new keys are exchanged via standard out.
+This can be used to embed Rosenpass into third-party application.
+
+```toml
+# peer-a.toml
+public_key = "peer-a.pk"
+secret_key = "peer-a.sk"
+listen = ["[::1]:6789"]
+verbosity = "Verbose"
+
+[[peers]]
+public_key = "peer-b.pk"
+key_out = "peer-a.osk" # path to store the key
+osk_organization = "myorg.com"
+osk_label = ["My Custom Messenger app", "Backend VPN Example Subusecase"]
+```
+
+## Extension: WireGuard PSK {#protocol-extension-wireguard-psk}
+
+The WireGuard PSK protocol extension is active by default; this is the mode where Rosenpass is used to provide post-quantum security for WireGuard. Hybrid security (i.e. redundant pre-quantum and post-quantum security) is achieved because WireGuard provides pre-quantum security, with or without Rosenpass.
+
+This extension uses the `"rosenpass.eu"` namespace for user-labels and specifies a single additional user-label:
+
+* `["rosenpass.eu", "wireguard psk"]`
+
+The label's full domain separator is
+
+* `[PROTOCOL, "user", "rosenpass.eu", "wireguard psk"]`
+
+and can be seen in Figure \ref{img:HashingTree}.
+
+We require two extra per-peer configuration variables:
+
+* `wireguard_interface` — Name of a local network interface. Identifies local WireGuard interface we are supplying a PSK to.
+* `wireguard_peer` — A WireGuard public key. Identifies the particular WireGuard peer whose connection we are supplying PSKs for.
+
+When creating the WireGuard interface for use with Rosenpass, the PSK used by WireGuard must be initialized to a random value; otherwise, WireGuard can establish an insecure key before Rosenpass had a change to exchange its own key.
+
+```pseudorust
+fn on_wireguard_setup() {
+    // We use a random PSK to make sure the other side will never
+    // have a matching PSK when the WireGuard interface is created.
+    //
+    // Never use a fixed value here as this would lead to an attack!
+    let fake_wireguard_psk = random_key();
+
+    // How the interface is create
+    let wg_peer = WireGuard::setup_peer()
+        .public_key(wireguard_peer)
+        ... // Supply any custom peerconfiguration
+        .psk(fake_wireguard_psk);
+
+    // The random PSK must be supplied before the
+    // WireGuard interface comes up
+    WireGuard::setup_interface()
+        .name(wireguard_interface)
+        ... // Supply any custom configuration
+        .add_peer(wg_peer)
+        .create();
+}
+```
+
+Every time a key is successfully negotiated, we upload the key to WireGuard.
+For this protocol extension, the `setup_osks()` function is thus defined as:
+
+```pseudorust
+fn setup_osks() {
+    // Generate WireGuard OSK (output shared key) from Rosenpass'
+    // perspective, respectively the PSK (preshared key) from
+    // WireGuard's perspective
+    let wireguard_psk = export_key("rosenpass.eu", "wireguard psk");
+
+    /// Supply the PSK to WireGuard
+    WireGuard::get_interface(wireguard_interface)
+        .get_peer(wireguard_peer)
+        .set_psk(wireguard_psk);
+}
+```
+
+The Rosenpass protocol uses key renegotiation, just like WireGuard.
+If no new `osk` is produced within a set amount of time, the OSK generated by Rosenpass times out.
+In this case, the WireGuard PSK must be overwritten with a random key.
+This interaction is visualized in Figure \ref{img:ExtWireguardPSKHybridSecurity}.
+
+```pseudorust
+fn on_key_timeout() {
+    // Generate a random – deliberately invalid – WireGuard PSK.
+    // Never use a fixed value here as this would lead to an attack!
+    let fake_wireguard_psk = random_key();
+
+    // Securely erase the PSK currently used by WireGuard by
+    // overwriting it with the fake key we just generated.
+    WireGuard::get_interface(wireguard_interface)
+        .get_peer(wireguard_peer)
+        .set_psk(fake_wireguard_psk);
+}
+```
+
+\begin{minipage}{\textwidth}
+\setupimage{label=img:ExtWireguardPSKHybridSecurity,fullpage}
+![Rosenpass + WireGuard: Hybrid Security](graphics/rosenpass-wireguard-hybrid-security.pdf)
+\end{minipage}
+
+# Errata {#errata}
+
+## Incorrect HMAC, Hash Function Choice {#incorrect-hmac}
+
+Initially, we chose to use `HMAC+BLAKE2s` for our message authentication code, mostly as a form of cargo cult. WireGuard used BLAKE2s, so we should use it too. BLAKE2 supports a directly keyed mode, so there is not much reason to prefer rolling your own using HMAC from a security standpoint.
+
+It seems likely that WireGuard used HMAC as a heuristic security measure. Message authentication codes, keyed hash functions, had long been constructed by combining HMAC with a hash function; why change that? And there actually is a good reason to use HMAC: Merkle-Damgard constructions have long been the norm for hash functions; their usage was even standardized as MD5 or SHA-2. But Merkle-Damgard constructions are susceptible to extension attacks, where you can calculate `H(message || suffix)` assuming `H(message)` is known to you. HMAC fixes this issue[@boneh_shoup_graduate][@hmac].
+
+
+But SHA-3 (or SHAKE) and BLAKE2 depart from this long-standing status quo: these hash functions are not based on Merkle-Damgard and they are deliberately designed so they are not susceptible to length extension attacks. On top of this, both schemes provide a keyed mode as a feature of the hash function. At this point it makes much more sense to require a keyed hash function, satisfying the PRF ("pseudo random function") security property and the PRF-SWAP security property[@pqwg] instead of building our own keyed hash from a hash function. HMAC can still be used; if someone wanted to operate Rosenpass with SHA2, the best way to do it would be using `HMAC-SHA512` as the underlying keyed hash. We just also allow using `SHAKE256` without an extra application of HMAC.
+
+Unfortunately, there were a couple of errors in the implementation: we should have used BLAKE2s like WireGuard; instead, we used BLAKE2b. We should have implemented HMAC properly, but we failed to do so. For a fixed-length, 32 byte key and a 32 byte block size, the HMAC function is specified as:
+
+```pseudorust
+type Key = [u8; 32];
+type HashFunction = Fn(&[u8]) -> Key;
+
+const INNER_PAD: [u8; KEY_LEN] = [0x36u8; KEY_LEN];
+const OUTER_PAD: [u8; KEY_LEN] = [0x5Cu8; KEY_LEN];
+
+fn hmac<Hash: HashFunction>(h: Hash, key: Key, data: &[u8]) -> Key {
+    // `^` denotes XOR, `||` denotes concatenation
+
+    let inner_key = key ^ INNER_PAD; 
+    let outer_key = key ^ OUTER_PAD;
+
+    let inner_hash = h(inner_key || data);
+    let outer_hash = h(outer_key || inner_hash);
+
+    return outer_hash;
+} 
+```
+
+Instead of implementing this function, we somehow lost track of the fact that HMAC uses concatenation to combine the keys with its data, and instead we built a construction around BLAKE2b in keyed hash mode. That is, we replaced the concatenation with calls to the keyed version of our hash:
+
+```pseudorust
+type Key = [u8; 32];
+type KeyedHashFunction = Fn(Key, &[u8]) -> Key;
+
+const INNER_PAD: [u8; KEY_LEN] = [0x36u8; KEY_LEN];
+const OUTER_PAD: [u8; KEY_LEN] = [0x5Cu8; KEY_LEN];
+
+fn incorrect_rosenpass_hmac<KeyedHash: KeyedHashFunction>(kh: KeyedHashFunction, key: Key, data: &[u8]) -> Key {
+    // `^` denotes XOR, `||` denotes concatenation
+
+    let inner_key = key ^ INNER_PAD; 
+    let outer_key = key ^ OUTER_PAD;
+
+    let inner_hash = kh(inner_key, data);
+    let outer_hash = kh(outer_key, inner_hash);
+
+    return outer_hash;
+} 
+```
+
+We therefore add this section explaining our incorrect HMAC usage to harmonize the white paper with the implementation.
+To ensure compatibility with the existing versions of Rosenpass, you have to replicate this incorrect variant of HMAC.
+
+Neither mistake is assumed to cause security issues. BLAKE2b is a secure hash function.
+There is no reason to assume that our incorrect variant of HMAC-BLAKE2b would be insecure; it is, however, non-standard and needlessly complicates the protocol. We are therefore phasing out usage of HMAC-BLAKE2b in favor of us using SHAKE256 as our keyed hash of choice.
+
 # Changelog
 
 ### 0.3.x
 
+#### 2025-08-10 – Applying fixes from Steffen Vogel proof reading of the whitepaper
+
+\vspace{0.5em}
+
+Author: Karolin varner
+
+Issue: [#68](https://github.com/rosenpass/rosenpass/issues/68)
+
+PR: [#664](https://github.com/rosenpass/rosenpass/)
+
+\vspace{0.5em}
+
+Early in the project lifetime, Steffen Vogel successfully implemented a [port of the Rosenpass protocol in [go](https://github.com/cunicu/go-rosenpass).
+This implementation has not received an in-depth review from a cryptography implementation perspective, which is why we (the Rosenpass project) are not yet recommending this implementation for production usage;
+still, creating this implementation was a great achievement.
+
+During the process, Steffen discovered a large number of possible improvements for the whitepaper. With this update, we are addressing those issues.
+
+This process also ensures that the world knows, that I have ADHD and makes me fix all the little mistakes I could not spot even on the seventh review of the whitepaper.
+
+Changes, in particular:
+
+1. Added a comprehensive reference about labels used in the protocol
+2. Added a comprehensive reference about symmetric keys and nonces used for encryption/decryption (`txki`, `txni`, `ini_enc`, `hs_enc`, …)
+3. Added a comprehensive reference about packages used.
+4. Added an explaining paragraph to section "Live Session State".
+5. Added a section about protocol roles.
+6. Brief section about endianness.
+7. In Fig. 5: Rosenpass Message Handling Code; in IHR5 we replace
+
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        decaps_and_mix<SKEM>(sskr, spkr, ct1)
+        \end{minted}
+    \end{quote}
+
+    ```
+
+    by
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        decaps_and_mix<SKEM>(sskr, spkr, sctr)
+        \end{minted}
+    \end{quote}
+    ```
+
+8. In `load_biscuit()`, there was a typo doing an incorrect comparison between `biscuit_no` and `biscuit_used`. This is not a security issue, as a verbatim implementation would simply have lead to a non-functional implementation. We replace
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        assert(pt.biscuit_no <= peer.biscuit_used);
+        \end{minted}
+    \end{quote}
+
+    ```
+
+    by
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        assert(pt.biscuit_no >= peer.biscuit_used);
+        \end{minted}
+    \end{quote}
+    ```
+
+9. In the whitepaper we used the labels `"initiator session encryption"` and `"responder session encryption"`, but in the implementation we used `"initiator handshake encryption"` and `"responder handshake encryption"`. While the whitepaper was correct and the implementation was not, we opt to harmonize the whitepaper with the implementation to avoid a breaking change.
+10. The protocol strings used in the whitepaper where different to the ones used in the implementation. We harmonize the two by updating the whitepaper to reflect the protocol identifier used in the implementation. We substitute
+
+    ``` {=tex}
+    \begin{quote}
+        The protocol identifier depends on the hash function used with the respective peer is defined as follows if BLAKE2s is used:
+
+        \begin{minted}{pseudorust}
+        PROTOCOL = "rosenpass 1 rosenpass.eu aead=chachapoly1305 hash=blake2s ekem=kyber512 skem=mceliece460896 xaead=xchachapoly1305"
+        \end{minted}
+
+        If SHAKE256 is used, \texttt{blake2s} is replaced by \texttt{shake256} in \texttt{PROTOCOL}.
+    \end{quote}
+    ```
+
+    with
+
+    ``` {=tex}
+    \begin{quote}
+        The protocol identifier depends on the hash function used with the respective peer is defined as follows if BLAKE2s is used:
+
+        \begin{minted}{pseudorust}
+        PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 BLAKE2s"
+        \end{minted}
+
+        If SHAKE256 is used, then \texttt{BLAKE2s} is substituted with \texttt{SHAKE256}:
+
+        \begin{minted}{pseudorust}
+        PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 SHAKE256"
+        \end{minted}
+    \end{quote}
+    ```
+11. The whitepaper stated that Rosenpass uses BLAKE2s, while the implementation used BLAKE2b; we update the whitepaper to reflect that reality. The places where this substitution happened are a bit too numerous to count them all here. On top of this, we added the following paragraph to explain the discrepancy between `PROTOCOL` and actual hash function used:
+    ``` {=tex}
+    \begin{quote}
+    Note that the domain separator used here maintains that BLAKE2s is used, while in
+    reality, we use BLAKE2b. The reason for this is an implementation error. Since fixing this would have led to a breaking change in the Rosenpass reference implementation, and all other known implementations of Rosenpass simply reproduced this error, we chose to harmonize the white paper with the implementation instead of fixing the implementation.
+    \end{quote}
+    ```
+12. Added a section to explain and specify our incorrect implementation of HMAC-BLAKE2b.
+13. In `encaps_and_mix()`/`decaps_and_mix()` the whitepaper stated that public key, ciphertext, and shared key are mixed into the chaining key in that order, but the implementation used a different order: public key, shared key, and ciphertext (shared key and ciphertext are swapped). We harmonize the white paper with the implementation.
+14. In the white paper, in package `RespHello` the field `auth` was indicated to come after `biscuit`, but in the implementation, `auth` came first and `biscuit` was last. The semantics of how fields in Rosenpass messages are processed generally demand that fields are processed in the order they appear in the message, so having `biscuit` first and `auth` second—as was done in the white paper—would be correct; still, we harmonize the white paper with the implementation.
+15. Fix a discrepancy with regard to biscuit key life times.
+
+    ``` {=tex}
+    \begin{quote}
+    The \texttt{biscuit\textunderscore{}key} used to encrypt biscuits should be rotated every two minutes. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when \texttt{biscuit\textunderscore{}key} is rotated.
+    \end{quote}
+    ```
+
+    by
+
+    ``` {=tex}
+    \begin{quote}
+    The \texttt{biscuit\textunderscore{}key} used to encrypt biscuits should be rotated frequently. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when \texttt{biscuit\textunderscore{}key} is rotated. The Rosenpass reference implementation retires biscuits after five minutes and erases them after ten.
+    \end{quote}
+    ```
+16. Point out explicitly that we use KEMs from NIST-Competition Round 3. Include links to the competition submission packages. Update citations to reflect the exact specification version.
+17. Consistent naming convention. Always use the term `secret key`, never  `private key`.
+18. `pidiC` -> `pidi_ct`; to make it clearer that this is a cipher text
+19. Where we refer to the biscuit ciphertext, we now use the term `biscuit_ct`. Previously we had used various variable names such as `nct` (nonce followed by cipher text) or just plain `biscuit`.
+20. In `load_biscuit`, we make it clear that destructuring of `biscuit_ct` destructures a concatenation.
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        let (n, ct) = biscuit_ct;
+        \end{minted}
+    \end{quote}
+    ```
+
+    with
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        let concat(n, ct) = biscuit_ct;
+        \end{minted}
+    \end{quote}
+    ```
+21. Added a section about timers used in the Rosenpass protocol
+
+Additional changes (also motivated by a close review, but not reported by Steffen):
+
+1. Fig. 2 "Rosenpass Message Types", CookieReply package. Renamed the length sum from payload to package.
+2. Fig. 2 "Rosenpass Message Types", Envelope package. Renamed the length sum from envelope to package.
+3. In `load_biscuit()` fix a naming typo:
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        lookup_peer(pt.peerid);
+        \end{minted}
+    \end{quote}
+    ```
+
+    with
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        lookup_peer(pt.pidi);
+        \end{minted}
+    \end{quote}
+    ```
+4. Remove reference to the proof-of-IP-ownership-based DoS mitigation feature not being implemented. Add a notice, that the feature is currently experimental.
+5. Fixed a few typos and capitalization issues
+
+#### 2025-06-24 – Specifying the `osk` used for WireGuard as a protocol extension
+
+\vspace{0.5em}
+
+Author: Karolin varner
+
+PR: [#664](https://github.com/rosenpass/rosenpass/pull/664)
+
+\vspace{0.5em}
+
+We introduce the concept of protocol extensions to make the option of using Rosenpass for purposes other than encrypting WireGuard more explicit. This captures the status-quo in a better way and does not constitute a functional change of the protocol.
+
+When we designed the Rosenpass protocol, we built it with support for alternative `osk`-labels in mind.
+This is why we specified the domain separator for the `osk` to be `[PROTOCOL, "user", "rosenpass.eu", "wireguard psk"]`.
+By choosing alternative values for the namespace (e.g. `"myorg.eu"` instead of `"rosenpass.eu`) and the label (e.g. `"MyApp Symmetric Encryption"`), the protocol could easily accommodate alternative usage scenarios.
+
+By introducing the concept of protocol extensions, we make this possibility explicit.
+
+1. Reworded the abstract to make it clearer that Rosenpass can be used for other purposes than to secure WireGuard
+2. Reworded Section Symmetric Keys, adding references to the new section on protocol extension
+3. Added a `setup_osks()` function in section Hashes, to make the reference to protocol extensions explicit
+4. Added a new section on protocol extensions and the standard extension for using Rosenpass with WireGuard
+5. Added a new graphic to showcase how Rosenpass and WireGuard interact
+5. Minor formatting and intra-document references fixes
+
 #### 2025-05-22 - SHAKE256 keyed hash
 \vspace{0.5em}
 
 Author: David Niehues
-PR: [#653](https://github.com/rosenpass/rosenpass/pull/653)  
+
+PR: [#653](https://github.com/rosenpass/rosenpass/pull/653)
 
 \vspace{0.5em}
 
@@ -554,9 +1108,11 @@ In order to maintain compatablity without introducing an explcit version number
 
 \vspace{0.5em}
 
-Author: Karolin Varner  
-Issue: [#331](https://github.com/rosenpass/rosenpass/issues/331)  
-PR: [#513](https://github.com/rosenpass/rosenpass/pull/513)  
+Author: Karolin Varner
+
+Issue: [#331](https://github.com/rosenpass/rosenpass/issues/331)
+
+PR: [#513](https://github.com/rosenpass/rosenpass/pull/513)
 
 \vspace{0.5em}
 
@@ -574,7 +1130,7 @@ By removing all retransmission handling code from the cryptographic protocol, we
         The responder does not need to do anything special to handle RespHello retransmission – if the RespHello package is lost, the initiator retransmits InitHello and the responder can generate another RespHello package from that. InitConf retransmission needs to be handled specifically in the responder code because accepting an InitConf retransmission would reset the live session including the nonce counter, which would cause nonce reuse. Implementations must detect the case that `biscuit_no = biscuit_used` in ICR5, skip execution of ICR6 and ICR7, and just transmit another EmptyData package to confirm that the initiator can stop transmitting InitConf.
     \end{quote}
 
-    by 
+    by
 
     \begin{quote}
         The responder uses less complex form of the same mechanism: The responder never retransmits RespHello, instead the responder generates a new RespHello message if InitHello is retransmitted. Responder confirmation messages of completed handshake (EmptyData) messages are retransmitted by storing the most recent InitConf messages (or their hashes) and caching the associated EmptyData messages. Through this cache, InitConf retransmission is detected and the associated EmptyData message is retransmitted.
@@ -595,9 +1151,9 @@ By removing all retransmission handling code from the cryptographic protocol, we
     ``` {=tex}
     \begin{quote}
         \begin{minted}{pseudorust}
-        // In December 2024, the InitConf retransmission mechanisim was redesigned
+        // In December 2024, the InitConf retransmission mechanism was redesigned
         // in a backwards-compatible way. See the changelog.
-        // 
+        //
         // -- 2024-11-30, Karolin Varner
         if (protocol_version!(< "0.3.0")) {
             // Ensure that the biscuit is used only once
@@ -611,9 +1167,11 @@ By removing all retransmission handling code from the cryptographic protocol, we
 
 \vspace{0.5em}
 
-Author: Prabhpreet Dua  
-Issue: [#137](https://github.com/rosenpass/rosenpass/issues/137)  
-PR: [#142](https://github.com/rosenpass/rosenpass/pull/142)  
+Author: Prabhpreet Dua
+
+Issue: [#137](https://github.com/rosenpass/rosenpass/issues/137)
+
+PR: [#142](https://github.com/rosenpass/rosenpass/pull/142)
 
 \vspace{0.5em}
 
@@ -621,7 +1179,3 @@ PR: [#142](https://github.com/rosenpass/rosenpass/pull/142)
 - Added section "Denial of Service Mitigation and Cookies", and modify "Dealing with Packet Loss" for DoS cookie mechanism
 
 \printbibliography
-
-\setupimage{landscape,fullpage,label=img:HandlingCode}
-![Rosenpass Message Handling Code](graphics/rosenpass-wp-message-handling-code-rgb.svg)
-

pkgs/rosenpass.nix

@@ -24,6 +24,7 @@ let
       "service"
       "target"
       "toml"
+      "zstd" # used for offloaded test vector values
     ];
     # Files to explicitly include
     files = [ "to/README.md" ];
@@ -71,6 +72,8 @@ rustPlatform.buildRustPackage {
     package
   ];
 
+  configFileVersion = "1";
+
   doCheck = true;
 
   cargoLock = {

pkgs/whitepaper.nix

@@ -44,6 +44,7 @@ let
         xifthen
         xkeyval
         xurl
+        dirtytalk
         ;
     }
   );

rosenpass/.test_vectors/crypto_server_test_vector_1.toml

@@ -0,0 +1,351 @@
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer a secret key"
+name = "peer_a_sk"
+code_location = "tests/test_vector_crypto_server.rs:95"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer a public key"
+name = "peer_a_pk"
+code_location = "tests/test_vector_crypto_server.rs:96"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer b secret key"
+name = "peer_b_sk"
+code_location = "tests/test_vector_crypto_server.rs:101"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer b public key"
+name = "peer_b_pk"
+code_location = "tests/test_vector_crypto_server.rs:102"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "pre-shared key"
+name = "psk"
+value = "Vw7bZ1vyXfZo4D5/633F5IbTOntNFBjZRCWf/0cP3Ss="
+code_location = "tests/test_vector_crypto_server.rs:105"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[0]"
+value = "COU/279CXvyB3mwVxT6fCQ=="
+code_location = "tests/test_vector_crypto_server.rs:167"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[1]"
+value = "5Q+e2O020FTcmBWlAPnWlw=="
+code_location = "tests/test_vector_crypto_server.rs:172"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[0]"
+value = "5h9KZ2KfLP5uNbEdimMNLHUjPFm0L3helyg8QE7pd/E="
+code_location = "tests/test_vector_crypto_server.rs:177"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[1]"
+value = "uwyhSvwuEeXwVUg4+9CBoPWPL0AY+oSVUhFpGpnBaY8="
+code_location = "tests/test_vector_crypto_server.rs:179"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[0]"
+value = "KtKzsfp1NMN3mrln54w0TA=="
+code_location = "tests/test_vector_crypto_server.rs:167"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[1]"
+value = "cc1hSqM+Jhal8AII5NIWLA=="
+code_location = "tests/test_vector_crypto_server.rs:172"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[0]"
+value = "ih8UroUklL5NLdegMFQAEWE6huLEO4HBNL44jpk0VsI="
+code_location = "tests/test_vector_crypto_server.rs:177"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[1]"
+value = "mXEYSvzhz5E9eUskbKJBZlXlYF2N3Q1MwmbGeXmhXoI="
+code_location = "tests/test_vector_crypto_server.rs:179"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.cookie_value.value"
+value = "BryZRk1KR5Gc+AEm0plH1Q=="
+code_location = "rosenpass/src/protocol/protocol.rs:3559"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.core.sidi"
+value = "avpJ6g=="
+code_location = "rosenpass/src/protocol/protocol.rs:3572"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.eski"
+value = "KpIH2rHL5MR1TQosRVTAUhpDGYUfE7FbeDA/VgN2shd0gdwBRkdeTEZqKKdAY+ikmKydZQwNlFQW8WuH8fwknbUt/SCzo2iPbDg22sAuClQFN1sXckmEpDG2G4cqXHqkdVSuwhymt9V0w1lKFotTwNIN9Fo0eKq19twT16DP+nIPwrkDveAAm8OqwNp1iAODI8GuB3aL3Str/HDC7YR8QtuuzJQwfEa8CbihEpk+zZqVCJVZDrlfH6ydcJsahypuWpJQ4RwS+NejEvJirvgKngsgdPkGXyYLzQQhS4qagQDMkklWaxwL5pdSqlB+M/Cbx1iqgXgOp2PEykkOpgpEBKfDoCQxBnIYNEisx9B8XuibzqQiq0qctty3GBUf+peApMdataC6WwGqH1KpQiW8aUufIWFDK8xW56t3/bMV/AIsMWx3XpaxbGOQOgqAmRAxeYh23TeQ6lVturw/aMsV2phXBkgG6iQnzyd9z6Zufgezz3Ui2hdeJ/iCzfG0A7SMWlS8zETM46wExxO5smNh8jCoTzeSMpOeH3GfFyRs44PFybSQHtAbdcpcA+pj2VljGfRzq5U1AjpdbSKm8JO6n2PDOQlXHaNp5wZMTHZeywq/BrRWO0FXU9davLcEqUJ2xkwRIvEo24ae0MSD1SSd0rRK5LFilFWZXpDCkaoHvst87mdMeIBUYppMD+WkSuKun0XMXXSSWNPIvrGKFJlt4yTCNYsdfRBthGEa5sEApYd4jmi49zKbRSGGm/u915gdo0AvsFYa85EZzzBI0wfK3uW0X+YvGSEzwHGOAMaAyJu3tCGHt2tuevqND2lybzkJS+ih80l3jyaBbNmqQzBRt8YZtLg+e0ijH/x8IyGq+efCioRQjeN50sBAJrsSgncVtgoSraWbPLNu9movqQMtLiwGkUaZSqVANtQPQuccOFyzK7XD8zy5V0Bx/We0ijOvlyUPJWW+1LoALiArHhG7xIRQL8oe9RDP1mzPoGQd1MNRvCuePNpRX+JAO7a49vwsqUtsK6iAY5C1WIxc1TAVhrIz2YzKuyOQYJCbtkOTx5EZ+AbCsTa/E7VHJacj5xQXtYpy3NogXpAnI/ubjABhCVKTfNFytwKkQUAR1ZcoqzJlngdFILIFBeTEUJChXpBb3/obCCQOFVWCKaYfuLam34JgWkmKYUoao4ZP68yn7yc1l4lDRswKSgFt6YI31PcWGAbKM9QeKLF1Tso2bQOXlEF8MssCQjhN+PimSYU/A1ANTHEyQMxM+uUGXBAJwViSGSshHpioLkF3nBc2h7FT5Fi6hMU4xqUwsBgkfZKYQ6gMsMIqZjd/gIkbawwGU6VdLNNf4tw1f4ssD3QbKSA9LfsSHHV8YjcJ3vVoIVVd/Pmbe/kV8Ccz0zLPYWxyrrEanTOJwPqzYxBqTOBilVWlEfREu1ddYaccILMGEMdsQ6eBj4ySZYhj24Ajc3R8afR+anR2NNorfgIlF1d7VuW1BQG+loA3UqdO9lE4mwrARoy87LZKagYHUshet/CAYxinr0UlfCKqbEydljslyafPC4x/mmRWqjTNsTAVfZdOc1ESLyQ6fCkZ/ewOMmsVgUZsBPHI5LgE/2qjYhgXxzg72OmYynR4+8EWunEd2JScjTAurTVZBEPDfGq9wvySBeMbyIGgY0yIfJF/oGRI6/oyNoOBMyKff7oCVNzH+UBGPQJE0De7U1wmEqBNIOu6MMx4nFVgdNzA3TyLrhaOT3uDoJMo/9NnnvWDS5xhp9l8URkcVsol12MhmZAhqlhtGIOR72e5Jml6DNkLvYCX49ZKfMGBbnHNk/RhN5k3dccuD+UvIwxR3irMUXt6jITE0RbPCYWX14N4Jlcdz2oxA6U+RXW8ccJ0YQYjsNgmj1xpsnwY8/O6LkiB+Sm/fsJAkRGsKrWeyPKRcNR1uioBr6YpqKa0aHC0meQX7YqKNWZujOQX6ZJb2aMgx4CRJOc/fbqrtgpQy8mEy4JG2dmEPCdYKmY3YTGlpiVb65pLciEtJRIRiCqh4QNmCwtrixM5QgO5Y5gNfX/fXULtbtZdCDgQJ8CKaJNgxosHESp7YfeW+bO2tmmEwSHG+/s4YEEVQZm2OfJ46gLFPIixcTmADwFGOKEgTRofmHFxOUlIH1gXBkuqH0zWp71FqEpAoucjrROw"
+code_location = "rosenpass/src/protocol/protocol.rs:3579"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.core.ck"
+value = "qUtsK6iAY5C1WIxc1TAVhrIz2YzKuyOQYJCbtkOTx5EZ+AbCsTa/E7VHJacj5xQXtYpy3NogXpAnI/ubjABhCVKTfNFytwKkQUAR1ZcoqzJlngdFILIFBeTEUJChXpBb3/obCCQOFVWCKaYfuLam34JgWkmKYUoao4ZP68yn7yc1l4lDRswKSgFt6YI31PcWGAbKM9QeKLF1Tso2bQOXlEF8MssCQjhN+PimSYU/A1ANTHEyQMxM+uUGXBAJwViSGSshHpioLkF3nBc2h7FT5Fi6hMU4xqUwsBgkfZKYQ6gMsMIqZjd/gIkbawwGU6VdLNNf4tw1f4ssD3QbKSA9LfsSHHV8YjcJ3vVoIVVd/Pmbe/kV8Ccz0zLPYWxyrrEanTOJwPqzYxBqTOBilVWlEfREu1ddYaccILMGEMdsQ6eBj4ySZYhj24Ajc3R8afR+anR2NNorfgIlF1d7VuW1BQG+loA3UqdO9lE4mwrARoy87LZKagYHUshet/CAYxinr0UlfCKqbEydljslyafPC4x/mmRWqjTNsTAVfZdOc1ESLyQ6fCkZ/ewOMmsVgUZsBPHI5LgE/2qjYhgXxzg72OmYynR4+8EWunEd2JScjTAurTVZBEPDfGq9wvySBeMbyIGgY0yIfJF/oGRI6/oyNoOBMyKff7oCVNzH+UBGPQJE0De7U1wmEqBNIOu6MMx4nFVgdNzA3TyLrhaOT3uDoJMo/9NnnvWDS5xhp9l8URkcVsol12MhmZAhqlhtGIOR72e5Jml6DNkLvYCX49ZKfMGBbnHNk/RhN5k3dccuD+UvIwxR3irMUXt6jITE0RbPCYWX14N4Jlcdz2oxA6U+RXW8ccJ0YQYjsNgmj1xpsnwY8/O6LkiB+Sm/fsJAkRGsKrWeyPKRcNR1uioBr6YpqKa0aHC0meQX7YqKNWZujOQX6ZJb2aMgx4CRJOc/fbqrtgpQy8mEy4JG2dmEPCdYKmY3YTGlpiVb65pLciEtJRIRiCqh4QNmCwtrixM5QgO5Y5gNfX/fXULtbtZdCDgQJ8CKaJNgxosHESp7YfeW+bM="
+code_location = "rosenpass/src/protocol/protocol.rs:3580"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 1"
+value = "z2JAxQ4DPIikqHMSpFDAlmhjSBumhLZatJMrFAP+D1U="
+code_location = "rosenpass/src/protocol/protocol.rs:3587"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+value = "crPEWzqlCERLJr83BrZupxLUOxWHsYZalisk94tma0k="
+code_location = "rosenpass/src/protocol/protocol.rs:3263"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Const"
+value = "eJXlj5zOJo/Eq85TzOTi7QY8zqWBP0QOOl3PAcpFDYnZyWmuzdpwDZJTbagAP52Md9r+j2vME4SW9UvdvOQo+jbNfuCHytU5K3yxI77srR4aWepM+xPAmxbyIwD4VGjDOQNAjP4Rn8n5L9cCju1tgit7yeM0S4Mx2KDR/Emr8V7gQnERob6LrPJgu6BMWkbZA2+dLVZOsvWPFmmn"
+code_location = "rosenpass/src/protocol/protocol.rs:3264"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 2"
+value = "UVoOgm+xgnV9tXlaLrlBHiM8XDAH+4tPm3DTbP9uJzs="
+code_location = "rosenpass/src/protocol/protocol.rs:3602"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "ih.pidi_ct"
+value = "Y3Wstn84+vmUb/a/CtWHFixkdyTFKEaE7joUFM0vBZPehPAeDOXls/u5I1PvViF6"
+code_location = "rosenpass/src/protocol/protocol.rs:3615"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 3"
+value = "RTCFQy236fEakHlQn8Pq4+ZbWAg4zvkP5iSp+RU7CpQ="
+code_location = "rosenpass/src/protocol/protocol.rs:3616"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 4"
+value = "9bjg2ICzmCeqYMt4ACfX5UMQUde7WgeuI6H+vdQuWck="
+code_location = "rosenpass/src/protocol/protocol.rs:3627"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "ih.auth"
+value = "E+AP6wyOrpngo7vE9Vpkjg=="
+code_location = "rosenpass/src/protocol/protocol.rs:3636"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 5"
+value = "MkkapMEoAWftWlVPIcroCCTpqOrMv5TYSff5h8Un/OE="
+code_location = "rosenpass/src/protocol/protocol.rs:3637"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 4"
+value = "z2JAxQ4DPIikqHMSpFDAlmhjSBumhLZatJMrFAP+D1U="
+code_location = "rosenpass/src/protocol/protocol.rs:3693"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 5"
+value = "UVoOgm+xgnV9tXlaLrlBHiM8XDAH+4tPm3DTbP9uJzs="
+code_location = "rosenpass/src/protocol/protocol.rs:3702"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 6"
+value = "RTCFQy236fEakHlQn8Pq4+ZbWAg4zvkP5iSp+RU7CpQ="
+code_location = "rosenpass/src/protocol/protocol.rs:3714"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 7"
+value = "9bjg2ICzmCeqYMt4ACfX5UMQUde7WgeuI6H+vdQuWck="
+code_location = "rosenpass/src/protocol/protocol.rs:3724"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 8"
+value = "MkkapMEoAWftWlVPIcroCCTpqOrMv5TYSff5h8Un/OE="
+code_location = "rosenpass/src/protocol/protocol.rs:3733"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Const"
+name = "session_id"
+value = "+qqWGQ=="
+code_location = "rosenpass/src/protocol/protocol.rs:3741"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 3"
+value = "rPSnj3sQzMcnolHZJZpDlZ71VcFEtIEENGLWUPyRZws="
+code_location = "rosenpass/src/protocol/protocol.rs:3749"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Const"
+value = "aQGM2N7OhVgSlsa7pEaqdiRZLacxgDhwuEplHORsv3s="
+code_location = "rosenpass/src/protocol/protocol.rs:3263"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Const"
+value = "XIOzetMa7cemW0Qq+vEu1frv9J/MhfFiT68mfbWZrZbzM5AI2lVPLXi75KvjbNC7YrqVG20d2DhZ38g9vjIAG50Lc8LHw3C+tQV2g/lCa4p1XySyQOJUAj/CpBGito8MdcdcxpFzLhCnq0owBSonbgyboxZq/hsX5z+unJu+5UiJYlxpcvu++w954OQiXi9lJpfnC4biY8Mw+8UL5d2UgWp8Yn3y3ZoIKSNGA5hR5/JUg1QStbSvWrhNiiDrfNUR0k2zKmLPXPS1pmaBvSuWQptq3WiA1OtkRsCSrAzjOtyUPWSZyXrttAZ4VJCBkEnd4OZy7eC/mBa3FjwJAfcvVY7i8mU1yDpLtS7MtdAZKMeGn0fQDWOx5z+vM+jbwOxXer79jPKPcdigxjTfARz+SxhfWfqGO5hBh86Ra0F+vgw3KH/YQgTchroWVF8WIwZlNwp6DqvwXBXwRPbtrv+uxmRHT9Oe+ZxJr88Nd1gRtjL0FN6faE1quGDAHWPuAfhFcxa7kdPpHN46cHSC+nzO1gtabPX/b0PM2awmNPB5QPpWoGHzz4HTYV7MYHmC4mxdKU7BT+U3vJd4+vl+7wGQSVxSCwzWHqCjRwOkIDLeiyZss7iz8BnOeErDySbPTMYI/Jv/R7lalOk4+73a1m2m4uZKetXRGEjg8btiKfhFaPZMc9p8xZeJNbsUbqoMl8/R1QGRqXHxzk9tTZW0AHV0t4uLnvHJgu9mR6LApZ99sAJpNcuU9TnsSPfT32DlXWNxtb0DnTQXxLQ7TnSWFYPCYyv7hbfNk8lDdGJqStSvnCe16KYoYjxpExEIfCAFicYhhar5MOpkinJMeyhMhVd2ctVIIIzZXePfZXcdOod2JbYh6+dmp0bnTyussHv9R+qYCCv5AyU/crKSmTbjgyOsmaVpyoTljsozC32uhqZh4M7KBUz1XyPJfD6L4NE1ovCKSfwJepYOqBw0MkdWoXwScyhMWNpVhS8X1aZ/QOZFVIuyYxoiwqpF/y3xV6QYFZmd"
+code_location = "rosenpass/src/protocol/protocol.rs:3264"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 4"
+value = "WCh3N6kKat+5vvn3WNTxsF9yXGYTQS7hlMUplMac/14="
+code_location = "rosenpass/src/protocol/protocol.rs:3764"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Const"
+value = "Sx7y7DSdVQVHWxR4OOMjyrDr8vuZa7MPX/U8GnPCIHY="
+code_location = "rosenpass/src/protocol/protocol.rs:3263"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Const"
+value = "VwqEOlvdW0Evc1CasejxXQ0dN3mZ4HPMA6ogk3Q7OUzzgCIvbTU8BvBK6d1UH2R7Y5Nd/JdHgag42f5FpjVljX2vlXMk3XxUtREpORxqJ5qUgHejsgJyRO9caOPX/ZXmUZ6vORP7pIulLt2i47ykPNNlWuJmxVJj6NK+lE1BDMIuivHebR31atigV/fFFJui26vy5V9y6xZmnCJm"
+code_location = "rosenpass/src/protocol/protocol.rs:3264"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 5"
+value = "7gd9Mw7X0ZFmkIkP/JDofflRSAw21F1RjG4HXeMJfTI="
+code_location = "rosenpass/src/protocol/protocol.rs:3779"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+value = "QyffgzBjc8qAqK18vYsH9TKs9lc6Njg8Q8nANsF/FMMBAAAAAAAAAAAAAADuB30zDtfRkWaQiQ/8kOh9+VFIDDbUXVGMbgdd4wl9Mg=="
+code_location = "rosenpass/src/protocol/protocol.rs:3336"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:31"
+
+[[entries]]
+entry_type = "Const"
+description = "Biscuit key after being cycled"
+name = "CryptoServer::biscuit_key[r]"
+value = "TIDswcSHh8WKsEsuwMCyldE0zVH8IEjV97ES8v3nHw0="
+code_location = "rosenpass/src/protocol/protocol.rs:1430"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:127"
+
+[[entries]]
+entry_type = "Const"
+value = "iSR2RKOw5VeBICb4b+i8P4QtF8XnJq2N"
+code_location = "rosenpass/src/protocol/protocol.rs:3353"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:31"
+
+[[entries]]
+entry_type = "Output"
+value = "iSR2RKOw5VeBICb4b+i8P4QtF8XnJq2Nq1gaCMgEJ+v1LulDYsjbfU5O0alWStfs4fBy7zS69RkzT8p0m3mVcK0TY9RRdWfxmCzU1U8DP7CbhfZxZHJC9CO8xwIa5r1NjVE1gxJJUEJCTHvtCc3PtFj861c="
+code_location = "rosenpass/src/protocol/protocol.rs:3361"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:31"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 6"
+value = "urS3a0/ufhUxj7bAnafEQ3j7it4q2XOfO+DVCeQJp4U="
+code_location = "rosenpass/src/protocol/protocol.rs:3788"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 7"
+value = "bbWd4iHXPK6helZLik4t96JKB7yiyw+qcNWbvlDiaQs="
+code_location = "rosenpass/src/protocol/protocol.rs:3797"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+description = "final exchanged key"
+name = "exchanged_key"
+value = "NKG5/vCPc0akKnm5RxctcPigO8fvd0zqJeO2+xbDpq4="
+code_location = "tests/test_vector_crypto_server.rs:153"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"

rosenpass/Cargo.toml

@@ -64,6 +64,8 @@ clap = { workspace = true }
 clap_complete = { workspace = true }
 clap_mangen = { workspace = true }
 mio = { workspace = true }
+signal-hook = { workspace = true }
+signal-hook-mio = { workspace = true }
 rand = { workspace = true }
 zerocopy = { workspace = true }
 home = { workspace = true }
@@ -76,8 +78,10 @@ heck = { workspace = true, optional = true }
 command-fds = { workspace = true, optional = true }
 rustix = { workspace = true, optional = true }
 uds = { workspace = true, optional = true, features = ["mio_1xx"] }
-signal-hook = { workspace = true, optional = true }
 libcrux-test-utils = { workspace = true, optional = true }
+assert_tv = { workspace = true }
+base64 = { workspace = true }
+serde_json = { workspace = true }
 
 [build-dependencies]
 anyhow = { workspace = true }
@@ -90,9 +94,10 @@ serial_test = { workspace = true }
 procspawn = { workspace = true }
 tempfile = { workspace = true }
 rustix = { workspace = true }
+serde_json = { workspace = true }
 
 [features]
-#default = ["experiment_libcrux_all"]
+default = ["experiment_api"]
 experiment_cookie_dos_mitigation = []
 experiment_memfd_secret = ["rosenpass-wireguard-broker/experiment_memfd_secret"]
 experiment_libcrux_all = ["rosenpass-ciphers/experiment_libcrux_all"]
@@ -109,7 +114,6 @@ experiment_api = [
   "rosenpass-util/experiment_file_descriptor_passing",
   "rosenpass-wireguard-broker/experiment_api",
 ]
-internal_signal_handling_for_coverage_reports = ["signal-hook"]
 internal_testing = []
 internal_bin_gen_ipc_msg_types = ["hex", "heck"]
 trace_bench = ["rosenpass-util/trace_bench", "dep:libcrux-test-utils"]

rosenpass/benches/handshake.rs

@@ -1,15 +1,16 @@
-use anyhow::Result;
-use rosenpass::protocol::{
-    CryptoServer, HandleMsgResult, MsgBuf, PeerPtr, ProtocolVersion, SPk, SSk, SymKey,
-};
 use std::ops::DerefMut;
 
+use anyhow::Result;
+use criterion::{black_box, criterion_group, criterion_main, Criterion};
+
 use rosenpass_cipher_traits::primitives::Kem;
 use rosenpass_ciphers::StaticKem;
-
-use criterion::{black_box, criterion_group, criterion_main, Criterion};
 use rosenpass_secret_memory::secret_policy_try_use_memfd_secrets;
 
+use rosenpass::protocol::basic_types::{MsgBuf, SPk, SSk, SymKey};
+use rosenpass::protocol::osk_domain_separator::OskDomainSeparator;
+use rosenpass::protocol::{CryptoServer, HandleMsgResult, PeerPtr, ProtocolVersion};
+
 fn handle(
     tx: &mut CryptoServer,
     msgb: &mut MsgBuf,
@@ -54,8 +55,18 @@ fn make_server_pair(protocol_version: ProtocolVersion) -> Result<(CryptoServer,
         CryptoServer::new(ska, pka.clone()),
         CryptoServer::new(skb, pkb.clone()),
     );
-    a.add_peer(Some(psk.clone()), pkb, protocol_version.clone())?;
-    b.add_peer(Some(psk), pka, protocol_version)?;
+    a.add_peer(
+        Some(psk.clone()),
+        pkb,
+        protocol_version.clone(),
+        OskDomainSeparator::default(),
+    )?;
+    b.add_peer(
+        Some(psk),
+        pka,
+        protocol_version,
+        OskDomainSeparator::default(),
+    )?;
     Ok((a, b))
 }
 

rosenpass/benches/trace_handshake.rs

@@ -1,22 +1,23 @@
 use std::{
     collections::HashMap,
     hint::black_box,
-    io::{self, Write},
     ops::DerefMut,
     time::{Duration, Instant},
 };
 
 use anyhow::Result;
+
 use libcrux_test_utils::tracing::{EventType, Trace as _};
 
 use rosenpass_cipher_traits::primitives::Kem;
 use rosenpass_ciphers::StaticKem;
 use rosenpass_secret_memory::secret_policy_try_use_memfd_secrets;
-use rosenpass_util::trace_bench::RpEventType;
+use rosenpass_util::trace_bench::RpEvent;
 
-use rosenpass::protocol::{
-    CryptoServer, HandleMsgResult, MsgBuf, PeerPtr, ProtocolVersion, SPk, SSk, SymKey,
-};
+use rosenpass::protocol::basic_types::{MsgBuf, SPk, SSk, SymKey};
+use rosenpass::protocol::osk_domain_separator::OskDomainSeparator;
+use rosenpass::protocol::{CryptoServer, HandleMsgResult, PeerPtr, ProtocolVersion};
+use serde::ser::SerializeStruct;
 
 const ITERATIONS: usize = 100;
 
@@ -77,8 +78,18 @@ fn make_server_pair(protocol_version: ProtocolVersion) -> Result<(CryptoServer,
         CryptoServer::new(ska, pka.clone()),
         CryptoServer::new(skb, pkb.clone()),
     );
-    a.add_peer(Some(psk.clone()), pkb, protocol_version.clone())?;
-    b.add_peer(Some(psk), pka, protocol_version)?;
+    a.add_peer(
+        Some(psk.clone()),
+        pkb,
+        protocol_version.clone(),
+        OskDomainSeparator::default(),
+    )?;
+    b.add_peer(
+        Some(psk),
+        pka,
+        protocol_version,
+        OskDomainSeparator::default(),
+    )?;
     Ok((a, b))
 }
 
@@ -117,15 +128,30 @@ fn main() {
         (v02, &v03_with_marker[1..])
     };
 
-    // Perform statistical analysis on both trace sections and write results as JSON
-    write_json_arrays(
-        &mut std::io::stdout(), // Write to standard output
-        vec![
-            ("V02", statistical_analysis(trace_v02.to_vec())),
-            ("V03", statistical_analysis(trace_v03.to_vec())),
-        ],
-    )
-    .expect("error writing json data");
+    // Perform statistical analysis on both trace sections
+    let analysis_v02 = statistical_analysis(trace_v02);
+    let analysis_v03 = statistical_analysis(trace_v03);
+
+    // Transform analysis results to JSON-encodable data type
+    let stats_v02 = analysis_v02
+        .iter()
+        .map(|(label, agg_stat)| JsonAggregateStat {
+            protocol_version: "V02",
+            label,
+            agg_stat,
+        });
+    let stats_v03 = analysis_v03
+        .iter()
+        .map(|(label, agg_stat)| JsonAggregateStat {
+            protocol_version: "V03",
+            label,
+            agg_stat: &agg_stat,
+        });
+
+    // Write results as JSON
+    let stats_all: Vec<_> = stats_v02.chain(stats_v03).collect();
+    let stats_json = serde_json::to_string_pretty(&stats_all).expect("error encoding to json");
+    println!("{stats_json}");
 }
 
 /// Performs a simple statistical analysis:
@@ -133,7 +159,7 @@ fn main() {
 /// - extracts durations of spamns
 /// - filters out empty bins
 /// - calculates aggregate statistics (mean, std dev)
-fn statistical_analysis(trace: Vec<RpEventType>) -> Vec<(&'static str, AggregateStat<Duration>)> {
+fn statistical_analysis(trace: &[RpEvent]) -> Vec<(&'static str, AggregateStat<Duration>)> {
     bin_events(trace)
         .into_iter()
         .map(|(label, spans)| (label, extract_span_durations(label, spans.as_slice())))
@@ -142,44 +168,6 @@ fn statistical_analysis(trace: Vec<RpEventType>) -> Vec<(&'static str, Aggregate
         .collect()
 }
 
-/// Takes an iterator of ("protocol_version", iterator_of_stats) pairs and writes them
-/// as a single flat JSON array to the provided writer.
-///
-/// # Arguments
-/// * `w` - The writer to output JSON to (e.g., stdout, file).
-/// * `item_groups` - An iterator producing tuples `(version, stats): (&'static str, II)`.
-///    Here `II` is itself an iterator producing `(label, agg_stat): (&'static str, AggregateStat<Duration>)`,
-///    where the label is the label of the span, e.g. "IHI2".
-///
-/// # Type Parameters
-/// * `W` - A type that implements `std::io::Write`.
-/// * `II` - An iterator type yielding (`&'static str`, `AggregateStat<Duration>`).
-fn write_json_arrays<W: Write, II: IntoIterator<Item = (&'static str, AggregateStat<Duration>)>>(
-    w: &mut W,
-    item_groups: impl IntoIterator<Item = (&'static str, II)>,
-) -> io::Result<()> {
-    // Flatten the groups into a single iterator of (protocol_version, label, stats)
-    let iter = item_groups.into_iter().flat_map(|(version, items)| {
-        items
-            .into_iter()
-            .map(move |(label, agg_stat)| (version, label, agg_stat))
-    });
-    let mut delim = ""; // Start with no delimiter
-
-    // Start the JSON array
-    write!(w, "[")?;
-
-    // Write the flattened statistics as JSON objects, separated by commas.
-    for (version, label, agg_stat) in iter {
-        write!(w, "{delim}")?; // Write delimiter (empty for first item, "," for subsequent)
-        agg_stat.write_json_ns(label, version, w)?; // Write the JSON object for the stat entry
-        delim = ","; // Set delimiter for the next iteration
-    }
-
-    // End the JSON array
-    write!(w, "]")
-}
-
 /// Used to group benchmark results in visualizations
 enum RunTimeGroup {
     /// For particularly long operations.
@@ -232,13 +220,13 @@ enum StatEntry {
 
 /// Takes a flat list of events and organizes them into a HashMap where keys
 /// are event labels and values are vectors of events with that label.
-fn bin_events(events: Vec<RpEventType>) -> HashMap<&'static str, Vec<RpEventType>> {
+fn bin_events(events: &[RpEvent]) -> HashMap<&'static str, Vec<RpEvent>> {
     let mut spans = HashMap::<_, Vec<_>>::new();
     for event in events {
         // Get the vector for the event's label, or create a new one
         let spans_for_label = spans.entry(event.label).or_default();
         // Add the event to the vector
-        spans_for_label.push(event);
+        spans_for_label.push(event.clone());
     }
     spans
 }
@@ -246,7 +234,7 @@ fn bin_events(events: Vec<RpEventType>) -> HashMap<&'static str, Vec<RpEventType
 /// Processes a list of events (assumed to be for the same label), matching
 /// `SpanOpen` and `SpanClose` events to calculate the duration of each span.
 /// It handles potentially interleaved spans correctly.
-fn extract_span_durations(label: &str, events: &[RpEventType]) -> Vec<Duration> {
+fn extract_span_durations(label: &str, events: &[RpEvent]) -> Vec<Duration> {
     let mut processing_list: Vec<StatEntry> = vec![]; // List to track open spans and final durations
 
     for entry in events {
@@ -306,6 +294,7 @@ fn extract_span_durations(label: &str, events: &[RpEventType]) -> Vec<Duration>
 /// Stores the mean, standard deviation, relative standard deviation (sd/mean),
 /// and the number of samples used for calculation.
 #[derive(Debug)]
+#[allow(dead_code)]
 struct AggregateStat<T> {
     /// Average duration.
     mean_duration: T,
@@ -355,32 +344,33 @@ impl AggregateStat<Duration> {
             sample_size,
         }
     }
+}
 
-    /// Writes the statistics as a JSON object to the provided writer.
-    /// Includes metadata like label, protocol_version, OS, architecture, and run time group.
-    ///
-    /// # Arguments
-    /// * `label` - The specific benchmark/span label.
-    /// * `protocol_version` - Version of the protocol that is benchmarked.
-    /// * `w` - The output writer (must implement `std::io::Write`).
-    fn write_json_ns(
-        &self,
-        label: &str,
-        protocol_version: &str,
-        w: &mut impl io::Write,
-    ) -> io::Result<()> {
-        // Format the JSON string using measured values and environment constants
-        writeln!(
-            w,
-            r#"{{"name":"{name}", "unit":"ns/iter", "value":"{value}", "range":"± {range}", "protocol version":"{protocol_version}", "sample size":"{sample_size}", "operating system":"{os}", "architecture":"{arch}", "run time":"{run_time}"}}"#,
-            name = label,                          // Benchmark name
-            value = self.mean_duration.as_nanos(), // Mean duration in nanoseconds
-            range = self.sd_duration.as_nanos(),   // Standard deviation in nanoseconds
-            sample_size = self.sample_size,        // Number of samples
-            os = std::env::consts::OS,             // Operating system
-            arch = std::env::consts::ARCH,         // CPU architecture
-            run_time = run_time_group(label),      // Run time group category (long, medium, etc.)
-            protocol_version = protocol_version // Overall protocol_version (e.g., protocol version)
-        )
+struct JsonAggregateStat<'a, T> {
+    agg_stat: &'a AggregateStat<T>,
+    label: &'a str,
+    protocol_version: &'a str,
+}
+
+impl<'a> serde::Serialize for JsonAggregateStat<'a, Duration> {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: serde::Serializer,
+    {
+        let mut stat = serializer.serialize_struct("AggregateStat", 9)?;
+        stat.serialize_field("name", self.label)?;
+        stat.serialize_field("unit", "ns/iter")?;
+        stat.serialize_field("value", &self.agg_stat.mean_duration.as_nanos().to_string())?;
+        stat.serialize_field(
+            "range",
+            &format!("± {}", self.agg_stat.sd_duration.as_nanos()),
+        )?;
+        stat.serialize_field("protocol version", self.protocol_version)?;
+        stat.serialize_field("sample size", &self.agg_stat.sample_size)?;
+        stat.serialize_field("operating system", std::env::consts::OS)?;
+        stat.serialize_field("architecture", std::env::consts::ARCH)?;
+        stat.serialize_field("run time", &run_time_group(self.label).to_string())?;
+
+        stat.end()
     }
 }

rosenpass/src/api/api_handler.rs

@@ -6,12 +6,12 @@ use std::{borrow::BorrowMut, collections::VecDeque, os::fd::OwnedFd};
 use anyhow::Context;
 use rosenpass_to::{ops::copy_slice, To};
 use rosenpass_util::{
-    fd::FdIo,
     functional::{run, ApplyExt},
     io::ReadExt,
     mem::DiscardResultExt,
     mio::UnixStreamExt,
     result::OkExt,
+    rustix::FdIo,
 };
 use rosenpass_wireguard_broker::brokers::mio_client::MioBrokerClient;
 
@@ -158,10 +158,10 @@ where
             );
 
             // Actually read the secrets
-            let mut sk = crate::protocol::SSk::zero();
+            let mut sk = crate::protocol::basic_types::SSk::zero();
             sk_io.read_exact_til_end(sk.secret_mut()).einvalid_req()?;
 
-            let mut pk = crate::protocol::SPk::zero();
+            let mut pk = crate::protocol::basic_types::SPk::zero();
             pk_io.read_exact_til_end(pk.borrow_mut()).einvalid_req()?;
 
             // Retrieve the construction site
@@ -243,7 +243,7 @@ where
                 .context("Invalid request – socket missing.")?;
             // TODO: We need to have this outside linux
             #[cfg(target_os = "linux")]
-            rosenpass_util::fd::GetSocketProtocol::demand_udp_socket(&sock)?;
+            rosenpass_util::rustix::GetSocketProtocol::demand_udp_socket(&sock)?;
             let sock = std::net::UdpSocket::from(sock);
             sock.set_nonblocking(true)?;
             mio::net::UdpSocket::from_std(sock).ok()
@@ -316,7 +316,7 @@ where
             use crate::app_server::BrokerStorePtr;
             //
             use rosenpass_secret_memory::Public;
-            use zerocopy::AsBytes;
+            use zerocopy::IntoBytes;
             (self.app_server().brokers.store.len() - 1)
                 .apply(|x| x as u64)
                 .apply(|x| Public::from_slice(x.as_bytes()))

rosenpass/src/api/boilerplate/byte_slice_ext.rs

@@ -1,4 +1,4 @@
-use zerocopy::{ByteSlice, Ref};
+use zerocopy::{Ref, SplitByteSlice};
 
 use rosenpass_util::zerocopy::{RefMaker, ZerocopySliceExt};
 
@@ -7,7 +7,7 @@ use super::{
     ResponseMsgType, ResponseRef, SupplyKeypairRequest, SupplyKeypairResponse,
 };
 
-pub trait ByteSliceRefExt: ByteSlice {
+pub trait ByteSliceRefExt: SplitByteSlice {
     /// Shorthand for the typed use of [ZerocopySliceExt::zk_ref_maker].
     fn msg_type_maker(self) -> RefMaker<Self, RawMsgType> {
         self.zk_ref_maker()
@@ -259,4 +259,4 @@ pub trait ByteSliceRefExt: ByteSlice {
     }
 }
 
-impl<B: ByteSlice> ByteSliceRefExt for B {}
+impl<B: SplitByteSlice> ByteSliceRefExt for B {}

rosenpass/src/api/boilerplate/message_trait.rs

@@ -1,4 +1,4 @@
-use zerocopy::{ByteSliceMut, Ref};
+use zerocopy::{Ref, SplitByteSliceMut};
 
 use rosenpass_util::zerocopy::RefMaker;
 
@@ -35,7 +35,7 @@ pub trait Message {
     /// # Examples
     ///
     /// See [crate::api::PingRequest::setup]
-    fn setup<B: ByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>>;
+    fn setup<B: SplitByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>>;
 }
 
 /// Additional convenience functions for working with [rosenpass_util::zerocopy::RefMaker]
@@ -45,7 +45,7 @@ pub trait ZerocopyResponseMakerSetupMessageExt<B, T> {
 
 impl<B, T> ZerocopyResponseMakerSetupMessageExt<B, T> for RefMaker<B, T>
 where
-    B: ByteSliceMut,
+    B: SplitByteSliceMut,
     T: Message,
 {
     /// Initialize the message using [Message::setup].

rosenpass/src/api/boilerplate/message_type.rs

@@ -1,6 +1,6 @@
 use hex_literal::hex;
 use rosenpass_util::zerocopy::RefMaker;
-use zerocopy::ByteSlice;
+use zerocopy::SplitByteSlice;
 
 use crate::RosenpassError::{self, InvalidApiMessageType};
 
@@ -169,12 +169,12 @@ pub trait RefMakerRawMsgTypeExt {
     fn parse_response_msg_type(self) -> anyhow::Result<ResponseMsgType>;
 }
 
-impl<B: ByteSlice> RefMakerRawMsgTypeExt for RefMaker<B, RawMsgType> {
+impl<B: SplitByteSlice> RefMakerRawMsgTypeExt for RefMaker<B, RawMsgType> {
     fn parse_request_msg_type(self) -> anyhow::Result<RequestMsgType> {
-        Ok(self.parse()?.read().try_into()?)
+        Ok(zerocopy::Ref::read(&self.parse()?).try_into()?)
     }
 
     fn parse_response_msg_type(self) -> anyhow::Result<ResponseMsgType> {
-        Ok(self.parse()?.read().try_into()?)
+        Ok(zerocopy::Ref::<B, u128>::read(&self.parse()?).try_into()?)
     }
 }

rosenpass/src/api/boilerplate/payload.rs

@@ -1,5 +1,5 @@
 use rosenpass_util::zerocopy::ZerocopyMutSliceExt;
-use zerocopy::{AsBytes, ByteSliceMut, FromBytes, FromZeroes, Ref};
+use zerocopy::{FromBytes, Immutable, IntoBytes, KnownLayout, Ref, SplitByteSliceMut};
 
 use super::{Message, RawMsgType, RequestMsgType, ResponseMsgType};
 
@@ -12,8 +12,8 @@ pub const MAX_REQUEST_FDS: usize = 2;
 
 /// Message envelope for API messages
 #[repr(packed)]
-#[derive(Debug, Copy, Clone, Hash, AsBytes, FromBytes, FromZeroes, PartialEq, Eq)]
-pub struct Envelope<M: AsBytes + FromBytes> {
+#[derive(Debug, Copy, Clone, Hash, IntoBytes, FromBytes, PartialEq, Eq, Immutable, KnownLayout)]
+pub struct Envelope<M: IntoBytes + FromBytes + Immutable + KnownLayout> {
     /// Which message this is
     pub msg_type: RawMsgType,
     /// The actual Paylod
@@ -27,7 +27,7 @@ pub type ResponseEnvelope<M> = Envelope<M>;
 
 #[allow(missing_docs)]
 #[repr(packed)]
-#[derive(Debug, Copy, Clone, Hash, AsBytes, FromBytes, FromZeroes, PartialEq, Eq)]
+#[derive(Debug, Copy, Clone, Hash, IntoBytes, FromBytes, PartialEq, Eq, Immutable, KnownLayout)]
 pub struct PingRequestPayload {
     /// Randomly generated connection id
     pub echo: [u8; 256],
@@ -55,7 +55,7 @@ impl Message for PingRequest {
         }
     }
 
-    fn setup<B: ByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
+    fn setup<B: SplitByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
         let mut r: Ref<B, Self> = buf.zk_zeroized()?;
         r.init();
         Ok(r)
@@ -68,7 +68,7 @@ impl Message for PingRequest {
 
 #[allow(missing_docs)]
 #[repr(packed)]
-#[derive(Debug, Copy, Clone, Hash, AsBytes, FromBytes, FromZeroes, PartialEq, Eq)]
+#[derive(Debug, Copy, Clone, Hash, IntoBytes, FromBytes, PartialEq, Eq, Immutable, KnownLayout)]
 pub struct PingResponsePayload {
     /// Randomly generated connection id
     pub echo: [u8; 256],
@@ -96,7 +96,7 @@ impl Message for PingResponse {
         }
     }
 
-    fn setup<B: ByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
+    fn setup<B: SplitByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
         let mut r: Ref<B, Self> = buf.zk_zeroized()?;
         r.init();
         Ok(r)
@@ -109,7 +109,7 @@ impl Message for PingResponse {
 
 #[allow(missing_docs)]
 #[repr(packed)]
-#[derive(Debug, Copy, Clone, Hash, AsBytes, FromBytes, FromZeroes, PartialEq, Eq)]
+#[derive(Debug, Copy, Clone, Hash, IntoBytes, FromBytes, PartialEq, Eq, Immutable, KnownLayout)]
 pub struct SupplyKeypairRequestPayload {}
 
 #[allow(missing_docs)]
@@ -140,7 +140,7 @@ impl Message for SupplyKeypairRequest {
         }
     }
 
-    fn setup<B: ByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
+    fn setup<B: SplitByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
         let mut r: Ref<B, Self> = buf.zk_zeroized()?;
         r.init();
         Ok(r)
@@ -169,7 +169,7 @@ pub mod supply_keypair_response_status {
 
 #[allow(missing_docs)]
 #[repr(packed)]
-#[derive(Debug, Copy, Clone, Hash, AsBytes, FromBytes, FromZeroes, PartialEq, Eq)]
+#[derive(Debug, Copy, Clone, Hash, IntoBytes, FromBytes, PartialEq, Eq, Immutable, KnownLayout)]
 pub struct SupplyKeypairResponsePayload {
     #[allow(missing_docs)]
     pub status: u128,
@@ -197,7 +197,7 @@ impl Message for SupplyKeypairResponse {
         }
     }
 
-    fn setup<B: ByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
+    fn setup<B: SplitByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
         let mut r: Ref<B, Self> = buf.zk_zeroized()?;
         r.init();
         Ok(r)
@@ -210,7 +210,7 @@ impl Message for SupplyKeypairResponse {
 
 #[allow(missing_docs)]
 #[repr(packed)]
-#[derive(Debug, Copy, Clone, Hash, AsBytes, FromBytes, FromZeroes, PartialEq, Eq)]
+#[derive(Debug, Copy, Clone, Hash, IntoBytes, FromBytes, PartialEq, Eq, Immutable, KnownLayout)]
 pub struct AddListenSocketRequestPayload {}
 
 #[allow(missing_docs)]
@@ -241,7 +241,7 @@ impl Message for AddListenSocketRequest {
         }
     }
 
-    fn setup<B: ByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
+    fn setup<B: SplitByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
         let mut r: Ref<B, Self> = buf.zk_zeroized()?;
         r.init();
         Ok(r)
@@ -264,7 +264,7 @@ pub mod add_listen_socket_response_status {
 
 #[allow(missing_docs)]
 #[repr(packed)]
-#[derive(Debug, Copy, Clone, Hash, AsBytes, FromBytes, FromZeroes, PartialEq, Eq)]
+#[derive(Debug, Copy, Clone, Hash, IntoBytes, FromBytes, PartialEq, Eq, Immutable, KnownLayout)]
 pub struct AddListenSocketResponsePayload {
     pub status: u128,
 }
@@ -291,7 +291,7 @@ impl Message for AddListenSocketResponse {
         }
     }
 
-    fn setup<B: ByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
+    fn setup<B: SplitByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
         let mut r: Ref<B, Self> = buf.zk_zeroized()?;
         r.init();
         Ok(r)
@@ -304,7 +304,7 @@ impl Message for AddListenSocketResponse {
 
 #[allow(missing_docs)]
 #[repr(packed)]
-#[derive(Debug, Copy, Clone, Hash, AsBytes, FromBytes, FromZeroes, PartialEq, Eq)]
+#[derive(Debug, Copy, Clone, Hash, IntoBytes, FromBytes, PartialEq, Eq, Immutable, KnownLayout)]
 pub struct AddPskBrokerRequestPayload {}
 
 #[allow(missing_docs)]
@@ -336,7 +336,7 @@ impl Message for AddPskBrokerRequest {
         }
     }
 
-    fn setup<B: ByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
+    fn setup<B: SplitByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
         let mut r: Ref<B, Self> = buf.zk_zeroized()?;
         r.init();
         Ok(r)
@@ -359,7 +359,7 @@ pub mod add_psk_broker_response_status {
 
 #[allow(missing_docs)]
 #[repr(packed)]
-#[derive(Debug, Copy, Clone, Hash, AsBytes, FromBytes, FromZeroes, PartialEq, Eq)]
+#[derive(Debug, Copy, Clone, Hash, IntoBytes, FromBytes, PartialEq, Eq, Immutable, KnownLayout)]
 pub struct AddPskBrokerResponsePayload {
     pub status: u128,
 }
@@ -386,7 +386,7 @@ impl Message for AddPskBrokerResponse {
         }
     }
 
-    fn setup<B: ByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
+    fn setup<B: SplitByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self>> {
         let mut r: Ref<B, Self> = buf.zk_zeroized()?;
         r.init();
         Ok(r)

rosenpass/src/api/boilerplate/request_ref.rs

@@ -1,6 +1,6 @@
-use anyhow::ensure;
+use anyhow::{anyhow, ensure};
 
-use zerocopy::{ByteSlice, ByteSliceMut, Ref};
+use zerocopy::{IntoBytes, Ref, SplitByteSlice, SplitByteSliceMut};
 
 use super::{ByteSliceRefExt, MessageAttributes, PingRequest, RequestMsgType};
 
@@ -13,14 +13,14 @@ struct RequestRefMaker<B> {
     msg_type: RequestMsgType,
 }
 
-impl<B: ByteSlice> RequestRef<B> {
+impl<B: SplitByteSlice> RequestRef<B> {
     /// Produce a [RequestRef] from a raw message buffer,
     /// reading the type from the buffer
     ///
     /// # Examples
     ///
     /// ```
-    /// use zerocopy::AsBytes;
+    /// use zerocopy::IntoBytes;
     ///
     /// use rosenpass::api::{PingRequest, RequestRef, RequestMsgType};
     ///
@@ -95,7 +95,7 @@ impl<B> From<Ref<B, super::AddPskBrokerRequest>> for RequestRef<B> {
     }
 }
 
-impl<B: ByteSlice> RequestRefMaker<B> {
+impl<B: SplitByteSlice> RequestRefMaker<B> {
     fn new(buf: B) -> anyhow::Result<Self> {
         let msg_type = buf.deref().request_msg_type_from_prefix()?;
         Ok(Self { buf, msg_type })
@@ -125,7 +125,9 @@ impl<B: ByteSlice> RequestRefMaker<B> {
         self.ensure_fit()?;
         let point = self.target_size();
         let Self { buf, msg_type } = self;
-        let (buf, _) = buf.split_at(point);
+        let (buf, _) = buf
+            .split_at(point)
+            .map_err(|_| anyhow!("Failed to split buffer"))?;
         Ok(Self { buf, msg_type })
     }
 
@@ -134,7 +136,9 @@ impl<B: ByteSlice> RequestRefMaker<B> {
         self.ensure_fit()?;
         let point = self.buf.len() - self.target_size();
         let Self { buf, msg_type } = self;
-        let (buf, _) = buf.split_at(point);
+        let (buf, _) = buf
+            .split_at(point)
+            .map_err(|_| anyhow!("Failed to split buffer"))?;
         Ok(Self { buf, msg_type })
     }
 
@@ -159,7 +163,7 @@ pub enum RequestRef<B> {
 
 impl<B> RequestRef<B>
 where
-    B: ByteSlice,
+    B: SplitByteSlice,
 {
     /// Access the byte data of this reference
     ///
@@ -168,25 +172,25 @@ where
     /// See [Self::parse].
     pub fn bytes(&self) -> &[u8] {
         match self {
-            Self::Ping(r) => r.bytes(),
-            Self::SupplyKeypair(r) => r.bytes(),
-            Self::AddListenSocket(r) => r.bytes(),
-            Self::AddPskBroker(r) => r.bytes(),
+            Self::Ping(r) => r.as_bytes(),
+            Self::SupplyKeypair(r) => r.as_bytes(),
+            Self::AddListenSocket(r) => r.as_bytes(),
+            Self::AddPskBroker(r) => r.as_bytes(),
         }
     }
 }
 
 impl<B> RequestRef<B>
 where
-    B: ByteSliceMut,
+    B: SplitByteSliceMut,
 {
     /// Access the byte data of this reference; mutably
     pub fn bytes_mut(&mut self) -> &[u8] {
         match self {
-            Self::Ping(r) => r.bytes_mut(),
-            Self::SupplyKeypair(r) => r.bytes_mut(),
-            Self::AddListenSocket(r) => r.bytes_mut(),
-            Self::AddPskBroker(r) => r.bytes_mut(),
+            Self::Ping(r) => r.as_mut_bytes(),
+            Self::SupplyKeypair(r) => r.as_mut_bytes(),
+            Self::AddListenSocket(r) => r.as_mut_bytes(),
+            Self::AddPskBroker(r) => r.as_mut_bytes(),
         }
     }
 }

rosenpass/src/api/boilerplate/request_response.rs

@@ -1,7 +1,7 @@
 use rosenpass_util::zerocopy::{
     RefMaker, ZerocopyEmancipateExt, ZerocopyEmancipateMutExt, ZerocopySliceExt,
 };
-use zerocopy::{ByteSlice, ByteSliceMut, Ref};
+use zerocopy::{Immutable, KnownLayout, Ref, SplitByteSlice, SplitByteSliceMut};
 
 use super::{Message, PingRequest, PingResponse};
 use super::{RequestRef, ResponseRef, ZerocopyResponseMakerSetupMessageExt};
@@ -9,27 +9,27 @@ use super::{RequestRef, ResponseRef, ZerocopyResponseMakerSetupMessageExt};
 /// Extension trait for [Message]s that are requests messages
 pub trait RequestMsg: Sized + Message {
     /// The response message belonging to this request message
-    type ResponseMsg: ResponseMsg;
+    type ResponseMsg: ResponseMsg + Immutable + KnownLayout;
 
     /// Construct a response make for this particular message
-    fn zk_response_maker<B: ByteSlice>(buf: B) -> RefMaker<B, Self::ResponseMsg> {
+    fn zk_response_maker<B: SplitByteSlice>(buf: B) -> RefMaker<B, Self::ResponseMsg> {
         buf.zk_ref_maker()
     }
 
     /// Setup a response maker (through [Message::setup]) for this request message type
-    fn setup_response<B: ByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self::ResponseMsg>> {
+    fn setup_response<B: SplitByteSliceMut>(buf: B) -> anyhow::Result<Ref<B, Self::ResponseMsg>> {
         Self::zk_response_maker(buf).setup_msg()
     }
 
     /// Setup a response maker from a buffer prefix (through [Message::setup]) for this request message type
-    fn setup_response_from_prefix<B: ByteSliceMut>(
+    fn setup_response_from_prefix<B: SplitByteSliceMut>(
         buf: B,
     ) -> anyhow::Result<Ref<B, Self::ResponseMsg>> {
         Self::zk_response_maker(buf).from_prefix()?.setup_msg()
     }
 
     /// Setup a response maker from a buffer suffix (through [Message::setup]) for this request message type
-    fn setup_response_from_suffix<B: ByteSliceMut>(
+    fn setup_response_from_suffix<B: SplitByteSliceMut>(
         buf: B,
     ) -> anyhow::Result<Ref<B, Self::ResponseMsg>> {
         Self::zk_response_maker(buf).from_prefix()?.setup_msg()
@@ -125,8 +125,8 @@ impl<B1, B2> From<AddPskBrokerPair<B1, B2>> for RequestResponsePair<B1, B2> {
 
 impl<B1, B2> RequestResponsePair<B1, B2>
 where
-    B1: ByteSlice,
-    B2: ByteSlice,
+    B1: SplitByteSlice,
+    B2: SplitByteSlice,
 {
     /// Returns a tuple to both the request and the response message
     pub fn both(&self) -> (RequestRef<&[u8]>, ResponseRef<&[u8]>) {
@@ -167,8 +167,8 @@ where
 
 impl<B1, B2> RequestResponsePair<B1, B2>
 where
-    B1: ByteSliceMut,
-    B2: ByteSliceMut,
+    B1: SplitByteSliceMut,
+    B2: SplitByteSliceMut,
 {
     /// Returns a mutable tuple to both the request and the response message
     pub fn both_mut(&mut self) -> (RequestRef<&mut [u8]>, ResponseRef<&mut [u8]>) {

rosenpass/src/api/boilerplate/response_ref.rs

@@ -1,7 +1,7 @@
 // TODO: This is copied verbatim from ResponseRef…not pretty
-use anyhow::ensure;
+use anyhow::{anyhow, ensure};
 
-use zerocopy::{ByteSlice, ByteSliceMut, Ref};
+use zerocopy::{IntoBytes, Ref, SplitByteSlice, SplitByteSliceMut};
 
 use super::{ByteSliceRefExt, MessageAttributes, PingResponse, ResponseMsgType};
 
@@ -16,14 +16,14 @@ struct ResponseRefMaker<B> {
     msg_type: ResponseMsgType,
 }
 
-impl<B: ByteSlice> ResponseRef<B> {
+impl<B: SplitByteSlice> ResponseRef<B> {
     /// Produce a [ResponseRef] from a raw message buffer,
     /// reading the type from the buffer
     ///
     /// # Examples
     ///
     /// ```
-    /// use zerocopy::AsBytes;
+    /// use zerocopy::IntoBytes;
     ///
     /// use rosenpass::api::{PingResponse, ResponseRef, ResponseMsgType};
     /// // Produce the original PingResponse
@@ -99,7 +99,7 @@ impl<B> From<Ref<B, super::AddPskBrokerResponse>> for ResponseRef<B> {
     }
 }
 
-impl<B: ByteSlice> ResponseRefMaker<B> {
+impl<B: SplitByteSlice> ResponseRefMaker<B> {
     fn new(buf: B) -> anyhow::Result<Self> {
         let msg_type = buf.deref().response_msg_type_from_prefix()?;
         Ok(Self { buf, msg_type })
@@ -129,7 +129,9 @@ impl<B: ByteSlice> ResponseRefMaker<B> {
         self.ensure_fit()?;
         let point = self.target_size();
         let Self { buf, msg_type } = self;
-        let (buf, _) = buf.split_at(point);
+        let (buf, _) = buf
+            .split_at(point)
+            .map_err(|_| anyhow!("Failed to split buffer!"))?;
         Ok(Self { buf, msg_type })
     }
 
@@ -138,7 +140,9 @@ impl<B: ByteSlice> ResponseRefMaker<B> {
         self.ensure_fit()?;
         let point = self.buf.len() - self.target_size();
         let Self { buf, msg_type } = self;
-        let (buf, _) = buf.split_at(point);
+        let (buf, _) = buf
+            .split_at(point)
+            .map_err(|_| anyhow!("Failed to split buffer!"))?;
         Ok(Self { buf, msg_type })
     }
 
@@ -163,7 +167,7 @@ pub enum ResponseRef<B> {
 
 impl<B> ResponseRef<B>
 where
-    B: ByteSlice,
+    B: SplitByteSlice,
 {
     /// Access the byte data of this reference
     ///
@@ -172,25 +176,25 @@ where
     /// See [Self::parse].
     pub fn bytes(&self) -> &[u8] {
         match self {
-            Self::Ping(r) => r.bytes(),
-            Self::SupplyKeypair(r) => r.bytes(),
-            Self::AddListenSocket(r) => r.bytes(),
-            Self::AddPskBroker(r) => r.bytes(),
+            Self::Ping(r) => r.as_bytes(),
+            Self::SupplyKeypair(r) => r.as_bytes(),
+            Self::AddListenSocket(r) => r.as_bytes(),
+            Self::AddPskBroker(r) => r.as_bytes(),
         }
     }
 }
 
 impl<B> ResponseRef<B>
 where
-    B: ByteSliceMut,
+    B: SplitByteSliceMut,
 {
     /// Access the byte data of this reference; mutably
     pub fn bytes_mut(&mut self) -> &[u8] {
         match self {
-            Self::Ping(r) => r.bytes_mut(),
-            Self::SupplyKeypair(r) => r.bytes_mut(),
-            Self::AddListenSocket(r) => r.bytes_mut(),
-            Self::AddPskBroker(r) => r.bytes_mut(),
+            Self::Ping(r) => r.as_mut_bytes(),
+            Self::SupplyKeypair(r) => r.as_mut_bytes(),
+            Self::AddListenSocket(r) => r.as_mut_bytes(),
+            Self::AddPskBroker(r) => r.as_mut_bytes(),
         }
     }
 }

rosenpass/src/api/boilerplate/server.rs

@@ -1,6 +1,6 @@
 use super::{ByteSliceRefExt, Message, PingRequest, PingResponse, RequestRef, RequestResponsePair};
 use std::{collections::VecDeque, os::fd::OwnedFd};
-use zerocopy::{ByteSlice, ByteSliceMut};
+use zerocopy::{SplitByteSlice, SplitByteSliceMut};
 
 /// The rosenpass API implementation functions.
 ///
@@ -152,8 +152,8 @@ pub trait Server {
         req_fds: &mut VecDeque<OwnedFd>,
     ) -> anyhow::Result<()>
     where
-        ReqBuf: ByteSlice,
-        ResBuf: ByteSliceMut,
+        ReqBuf: SplitByteSlice,
+        ResBuf: SplitByteSliceMut,
     {
         match p {
             RequestResponsePair::Ping((req, res)) => self.ping(req, req_fds, res),
@@ -182,8 +182,8 @@ pub trait Server {
         res: ResBuf,
     ) -> anyhow::Result<usize>
     where
-        ReqBuf: ByteSlice,
-        ResBuf: ByteSliceMut,
+        ReqBuf: SplitByteSlice,
+        ResBuf: SplitByteSliceMut,
     {
         let req = req.parse_request_from_prefix()?;
         // TODO: This is not pretty; This match should be moved into RequestRef

rosenpass/src/api/config.rs

@@ -8,6 +8,7 @@ use crate::app_server::AppServer;
 
 /// Configuration options for the Rosenpass API
 #[derive(Debug, Serialize, Deserialize, Default, Clone, PartialEq, Eq)]
+#[serde(deny_unknown_fields)]
 pub struct ApiConfig {
     /// Where in the file-system to create the unix socket the rosenpass API will be listening for
     /// connections on

rosenpass/src/app_server.rs

@@ -1,56 +1,37 @@
-/// This contains the bulk of the rosenpass server IO handling code whereas
-/// the actual cryptographic code lives in the [crate::protocol] module
-use anyhow::bail;
+//! This contains the bulk of the rosenpass server IO handling code whereas
+//! the actual cryptographic code lives in the [crate::protocol] module
 
-use anyhow::Context;
-use anyhow::Result;
+use std::collections::{HashMap, VecDeque};
+use std::io::{stdout, ErrorKind, Write};
+use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6, ToSocketAddrs};
+use std::time::{Duration, Instant};
+use std::{cell::Cell, fmt::Debug, io, path::PathBuf, slice};
+
+use mio::{Interest, Token};
+use signal_hook_mio::v1_0 as signal_hook_mio;
+
+use anyhow::{bail, Context, Result};
 use derive_builder::Builder;
 use log::{error, info, warn};
-use mio::Interest;
-use mio::Token;
-use rosenpass_secret_memory::Public;
-use rosenpass_secret_memory::Secret;
-use rosenpass_util::build::ConstructionSite;
-use rosenpass_util::file::StoreValueB64;
-use rosenpass_util::functional::run;
-use rosenpass_util::functional::ApplyExt;
-use rosenpass_util::io::IoResultKindHintExt;
-use rosenpass_util::io::SubstituteForIoErrorKindExt;
-use rosenpass_util::option::SomeExt;
-use rosenpass_util::result::OkExt;
-use rosenpass_wireguard_broker::WireguardBrokerMio;
-use rosenpass_wireguard_broker::{WireguardBrokerCfg, WG_KEY_LEN};
-use zerocopy::AsBytes;
+use zerocopy::IntoBytes;
 
-use std::cell::Cell;
-
-use std::collections::HashMap;
-use std::collections::VecDeque;
-use std::fmt::Debug;
-use std::io;
-use std::io::stdout;
-use std::io::ErrorKind;
-use std::io::Write;
-use std::net::Ipv4Addr;
-use std::net::Ipv6Addr;
-use std::net::SocketAddr;
-use std::net::SocketAddrV4;
-use std::net::SocketAddrV6;
-use std::net::ToSocketAddrs;
-use std::path::PathBuf;
-use std::slice;
-use std::time::Duration;
-use std::time::Instant;
-
-use crate::config::ProtocolVersion;
-use crate::protocol::BuildCryptoServer;
-use crate::protocol::HostIdentification;
-use crate::{
-    config::Verbosity,
-    protocol::{CryptoServer, MsgBuf, PeerPtr, SPk, SSk, SymKey, Timing},
-};
 use rosenpass_util::attempt;
-use rosenpass_util::b64::B64Display;
+use rosenpass_util::fmt::debug::NullDebug;
+use rosenpass_util::functional::{run, ApplyExt};
+use rosenpass_util::io::{IoResultKindHintExt, SubstituteForIoErrorKindExt};
+use rosenpass_util::{
+    b64::B64Display, build::ConstructionSite, file::StoreValueB64, result::OkExt,
+};
+
+use rosenpass_secret_memory::{Public, Secret};
+use rosenpass_wireguard_broker::{WireguardBrokerCfg, WireguardBrokerMio, WG_KEY_LEN};
+
+use crate::config::{ProtocolVersion, Verbosity};
+
+use crate::protocol::basic_types::{MsgBuf, SPk, SSk, SymKey};
+use crate::protocol::osk_domain_separator::OskDomainSeparator;
+use crate::protocol::timing::Timing;
+use crate::protocol::{BuildCryptoServer, CryptoServer, HostIdentification, PeerPtr};
 
 /// The maximum size of a base64 encoded symmetric key (estimate)
 pub const MAX_B64_KEY_SIZE: usize = 32 * 5 / 3;
@@ -151,7 +132,7 @@ pub struct BrokerStore {
     /// The collection of WireGuard brokers. See [Self].
     pub store: HashMap<
         Public<BROKER_ID_BYTES>,
-        Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error>>,
+        Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error> + Send>,
     >,
 }
 
@@ -168,12 +149,12 @@ pub struct BrokerPeer {
     ///
     /// This is woefully overengineered and there is very little reason why the broker
     /// configuration should not live in the particular WireGuard broker.
-    peer_cfg: Box<dyn WireguardBrokerCfg>,
+    peer_cfg: Box<dyn WireguardBrokerCfg + Send>,
 }
 
 impl BrokerPeer {
     /// Create a broker peer
-    pub fn new(ptr: BrokerStorePtr, peer_cfg: Box<dyn WireguardBrokerCfg>) -> Self {
+    pub fn new(ptr: BrokerStorePtr, peer_cfg: Box<dyn WireguardBrokerCfg + Send>) -> Self {
         Self { ptr, peer_cfg }
     }
 
@@ -308,12 +289,20 @@ pub enum AppServerIoSource {
     Socket(usize),
     /// IO source refers to a PSK broker in [AppServer::brokers]
     PskBroker(Public<BROKER_ID_BYTES>),
+    /// IO source refers to our signal handlers
+    SignalHandler,
     /// IO source refers to some IO sources used in the API;
     /// see [AppServer::api_manager]
     #[cfg(feature = "experiment_api")]
     MioManager(crate::api::mio::MioManagerIoSource),
 }
 
+pub enum AppServerTryRecvResult {
+    None,
+    Terminate,
+    NetworkMessage(usize, Endpoint),
+}
+
 /// Number of epoll(7) events Rosenpass can receive at a time
 const EVENT_CAPACITY: usize = 20;
 
@@ -354,6 +343,8 @@ pub struct AppServer {
     /// MIO associates IO sources with numeric tokens. This struct takes care of generating these
     /// tokens
     pub mio_token_dispenser: MioTokenDispenser,
+    /// Mio-based handler for signals
+    pub signal_handler: NullDebug<signal_hook_mio::Signals>,
     /// Helpers handling communication with WireGuard; these take a generated key and forward it to
     /// WireGuard
     pub brokers: BrokerStore,
@@ -379,16 +370,6 @@ pub struct AppServer {
     /// Used by integration tests to force [Self] into DoS condition
     /// and to terminate the AppServer after the test is complete
     pub test_helpers: Option<AppServerTest>,
-    /// Helper for integration tests running rosenpass as a subprocess
-    /// to terminate properly upon receiving an appropriate system signal.
-    ///
-    /// This is primarily needed for coverage testing, since llvm-cov does not
-    /// write coverage reports to disk when a process is stopped by the default
-    /// signal handler.
-    ///
-    /// See <https://github.com/rosenpass/rosenpass/issues/385>
-    #[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-    pub term_signal: terminate::TerminateRequested,
     #[cfg(feature = "experiment_api")]
     /// The Rosenpass unix socket API handler; this is an experimental
     /// feature that can be used to embed Rosenpass in external applications
@@ -478,6 +459,8 @@ impl AppPeerPtr {
 /// Instructs [AppServer::event_loop_without_error_handling] on how to proceed.
 #[derive(Debug)]
 pub enum AppPollResult {
+    /// Received request to terminate the application
+    Terminate,
     /// Erase the key for a given peer. Corresponds to [crate::protocol::PollResult::DeleteKey]
     DeleteKey(AppPeerPtr),
     /// Send an initiation to the given peer. Corresponds to [crate::protocol::PollResult::SendInitiation]
@@ -824,10 +807,27 @@ impl AppServer {
         verbosity: Verbosity,
         test_helpers: Option<AppServerTest>,
     ) -> anyhow::Result<Self> {
-        // setup mio
+        // Setup Mio itself
         let mio_poll = mio::Poll::new()?;
         let events = mio::Events::with_capacity(EVENT_CAPACITY);
+
+        // And helpers to map mio tokens to internal event types
         let mut mio_token_dispenser = MioTokenDispenser::default();
+        let mut io_source_index = HashMap::new();
+
+        // Setup signal handling
+        let signal_handler = attempt!({
+            let mut handler =
+                signal_hook_mio::Signals::new(signal_hook::consts::TERM_SIGNALS.iter())?;
+            let mio_token = mio_token_dispenser.dispense();
+            mio_poll
+                .registry()
+                .register(&mut handler, mio_token, Interest::READABLE)?;
+            let prev = io_source_index.insert(mio_token, AppServerIoSource::SignalHandler);
+            assert!(prev.is_none());
+            Ok(NullDebug(handler))
+        })
+        .context("Failed to set up signal (user triggered program termination) handler")?;
 
         // bind each SocketAddr to a socket
         let maybe_sockets: Result<Vec<_>, _> =
@@ -901,7 +901,6 @@ impl AppServer {
         }
 
         // register all sockets to mio
-        let mut io_source_index = HashMap::new();
         for (idx, socket) in sockets.iter_mut().enumerate() {
             let mio_token = mio_token_dispenser.dispense();
             mio_poll
@@ -917,8 +916,6 @@ impl AppServer {
         };
 
         Ok(Self {
-            #[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-            term_signal: terminate::TerminateRequested::new()?,
             crypto_site,
             peers: Vec::new(),
             verbosity,
@@ -929,6 +926,7 @@ impl AppServer {
             io_source_index,
             mio_poll,
             mio_token_dispenser,
+            signal_handler,
             brokers: BrokerStore::default(),
             all_sockets_drained: false,
             under_load: DoSOperation::Normal,
@@ -999,7 +997,7 @@ impl AppServer {
     /// Register a new WireGuard PSK broker
     pub fn register_broker(
         &mut self,
-        broker: Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error>>,
+        broker: Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error> + Send>,
     ) -> Result<BrokerStorePtr> {
         let ptr = Public::from_slice((self.brokers.store.len() as u64).as_bytes());
         if self.brokers.store.insert(ptr, broker).is_some() {
@@ -1036,6 +1034,7 @@ impl AppServer {
     /// # Examples
     ///
     /// See [Self::new].
+    #[allow(clippy::too_many_arguments)]
     pub fn add_peer(
         &mut self,
         psk: Option<SymKey>,
@@ -1044,11 +1043,16 @@ impl AppServer {
         broker_peer: Option<BrokerPeer>,
         hostname: Option<String>,
         protocol_version: ProtocolVersion,
+        osk_domain_separator: OskDomainSeparator,
     ) -> anyhow::Result<AppPeerPtr> {
         let PeerPtr(pn) = match &mut self.crypto_site {
             ConstructionSite::Void => bail!("Crypto server construction site is void"),
-            ConstructionSite::Builder(builder) => builder.add_peer(psk, pk, protocol_version),
-            ConstructionSite::Product(srv) => srv.add_peer(psk, pk, protocol_version.into())?,
+            ConstructionSite::Builder(builder) => {
+                builder.add_peer(psk, pk, protocol_version, osk_domain_separator)
+            }
+            ConstructionSite::Product(srv) => {
+                srv.add_peer(psk, pk, protocol_version.into(), osk_domain_separator)?
+            }
         };
         assert!(pn == self.peers.len());
 
@@ -1065,7 +1069,7 @@ impl AppServer {
         Ok(AppPeerPtr(pn))
     }
 
-    /// Main IO handler; this generally does not terminate
+    /// Main IO handler; this generally does not terminate other than through unix signals
     ///
     /// # Examples
     ///
@@ -1082,23 +1086,6 @@ impl AppServer {
                 Err(e) => e,
             };
 
-            #[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-            {
-                let terminated_by_signal = err
-                    .downcast_ref::<std::io::Error>()
-                    .filter(|e| e.kind() == std::io::ErrorKind::Interrupted)
-                    .filter(|_| self.term_signal.value())
-                    .is_some();
-                if terminated_by_signal {
-                    log::warn!(
-                        "\
-                        Terminated by signal; this signal handler is correct during coverage testing \
-                        but should be otherwise disabled"
-                    );
-                    return Ok(());
-                }
-            }
-
             // This should not happen…
             failure_cnt = if msgs_processed > 0 {
                 0
@@ -1151,6 +1138,7 @@ impl AppServer {
             use AppPollResult::*;
             use KeyOutputReason::*;
 
+            // TODO: We should read from this using a mio channel
             if let Some(AppServerTest {
                 termination_handler: Some(terminate),
                 ..
@@ -1174,6 +1162,8 @@ impl AppServer {
 
             #[allow(clippy::redundant_closure_call)]
             match (have_crypto, poll_result) {
+                (_, Terminate) => return Ok(()),
+
                 (CryptoSrv::Missing, SendInitiation(_)) => {}
                 (CryptoSrv::Avail, SendInitiation(peer)) => tx_maybe_with!(peer, || self
                     .crypto_server_mut()?
@@ -1321,6 +1311,7 @@ impl AppServer {
     pub fn poll(&mut self, rx_buf: &mut [u8]) -> anyhow::Result<AppPollResult> {
         use crate::protocol::PollResult as C;
         use AppPollResult as A;
+        use AppServerTryRecvResult as R;
         let res = loop {
             // Call CryptoServer's poll (if available)
             let crypto_poll = self
@@ -1337,12 +1328,14 @@ impl AppServer {
                     break A::SendRetransmission(AppPeerPtr(no))
                 }
                 Some(C::Sleep(timeout)) => timeout, // No event from crypto-server, do IO
-                None => crate::protocol::UNENDING,  // Crypto server is uninitialized, do IO
+                None => crate::protocol::timing::UNENDING, // Crypto server is uninitialized, do IO
             };
 
             // Perform IO (look for a message)
-            if let Some((len, addr)) = self.try_recv(rx_buf, io_poll_timeout)? {
-                break A::ReceivedMessage(len, addr);
+            match self.try_recv(rx_buf, io_poll_timeout)? {
+                R::None => {}
+                R::Terminate => break A::Terminate,
+                R::NetworkMessage(len, addr) => break A::ReceivedMessage(len, addr),
             }
         };
 
@@ -1360,12 +1353,12 @@ impl AppServer {
         &mut self,
         buf: &mut [u8],
         timeout: Timing,
-    ) -> anyhow::Result<Option<(usize, Endpoint)>> {
+    ) -> anyhow::Result<AppServerTryRecvResult> {
         let timeout = Duration::from_secs_f64(timeout);
 
         // if there is no time to wait on IO, well, then, lets not waste any time!
         if timeout.is_zero() {
-            return Ok(None);
+            return Ok(AppServerTryRecvResult::None);
         }
 
         // NOTE when using mio::Poll, there are some particularities (taken from
@@ -1475,12 +1468,19 @@ impl AppServer {
         // blocking poll, we go through all available IO sources to see if we missed anything.
         {
             while let Some(ev) = self.short_poll_queue.pop_front() {
-                if let Some(v) = self.try_recv_from_mio_token(buf, ev.token())? {
-                    return Ok(Some(v));
+                match self.try_recv_from_mio_token(buf, ev.token())? {
+                    AppServerTryRecvResult::None => continue,
+                    res => return Ok(res),
                 }
             }
         }
 
+        // Drain operating system signals
+        match self.try_recv_from_signal_handler()? {
+            AppServerTryRecvResult::None => {} // Nop
+            res => return Ok(res),
+        }
+
         // drain all sockets
         let mut would_block_count = 0;
         for sock_no in 0..self.sockets.len() {
@@ -1488,11 +1488,11 @@ impl AppServer {
                 .try_recv_from_listen_socket(buf, sock_no)
                 .io_err_kind_hint()
             {
-                Ok(None) => continue,
-                Ok(Some(v)) => {
+                Ok(AppServerTryRecvResult::None) => continue,
+                Ok(res) => {
                     // at least one socket was not drained...
                     self.all_sockets_drained = false;
-                    return Ok(Some(v));
+                    return Ok(res);
                 }
                 Err((_, ErrorKind::WouldBlock)) => {
                     would_block_count += 1;
@@ -1520,12 +1520,24 @@ impl AppServer {
 
         self.performed_long_poll = true;
 
-        Ok(None)
+        Ok(AppServerTryRecvResult::None)
     }
 
     /// Internal helper for [Self::try_recv]
     fn perform_mio_poll_and_register_events(&mut self, timeout: Duration) -> io::Result<()> {
-        self.mio_poll.poll(&mut self.events, Some(timeout))?;
+        loop {
+            use std::io::ErrorKind as IOE;
+            match self
+                .mio_poll
+                .poll(&mut self.events, Some(timeout))
+                .io_err_kind_hint()
+            {
+                Ok(()) => break,
+                Err((_, IOE::Interrupted)) => continue,
+                Err((err, _)) => return Err(err),
+            }
+        }
+
         // Fill the short poll buffer with the acquired events
         self.events
             .iter()
@@ -1539,12 +1551,12 @@ impl AppServer {
         &mut self,
         buf: &mut [u8],
         token: mio::Token,
-    ) -> anyhow::Result<Option<(usize, Endpoint)>> {
+    ) -> anyhow::Result<AppServerTryRecvResult> {
         let io_source = match self.io_source_index.get(&token) {
             Some(io_source) => *io_source,
             None => {
                 log::warn!("No IO source assiociated with mio token ({token:?}). Polling using mio tokens directly is an experimental feature and IO handler should recover when all available io sources are polled. This is a developer error. Please report it.");
-                return Ok(None);
+                return Ok(AppServerTryRecvResult::None);
             }
         };
 
@@ -1556,11 +1568,13 @@ impl AppServer {
         &mut self,
         buf: &mut [u8],
         io_source: AppServerIoSource,
-    ) -> anyhow::Result<Option<(usize, Endpoint)>> {
+    ) -> anyhow::Result<AppServerTryRecvResult> {
         match io_source {
+            AppServerIoSource::SignalHandler => self.try_recv_from_signal_handler()?.ok(),
+
             AppServerIoSource::Socket(idx) => self
                 .try_recv_from_listen_socket(buf, idx)
-                .substitute_for_ioerr_wouldblock(None)?
+                .substitute_for_ioerr_wouldblock(AppServerTryRecvResult::None)?
                 .ok(),
 
             AppServerIoSource::PskBroker(key) => self
@@ -1569,7 +1583,7 @@ impl AppServer {
                 .get_mut(&key)
                 .with_context(|| format!("No PSK broker under key {key:?}"))?
                 .process_poll()
-                .map(|_| None),
+                .map(|_| AppServerTryRecvResult::None),
 
             #[cfg(feature = "experiment_api")]
             AppServerIoSource::MioManager(mmio_src) => {
@@ -1577,17 +1591,28 @@ impl AppServer {
 
                 MioManagerFocus(self)
                     .poll_particular(mmio_src)
-                    .map(|_| None)
+                    .map(|_| AppServerTryRecvResult::None)
             }
         }
     }
 
+    /// Internal helper for [Self::try_recv]
+    fn try_recv_from_signal_handler(&mut self) -> io::Result<AppServerTryRecvResult> {
+        #[allow(clippy::never_loop)]
+        for signal in self.signal_handler.pending() {
+            log::debug!("Received operating system signal no {signal}.");
+            log::info!("Received termination request; exiting.");
+            return Ok(AppServerTryRecvResult::Terminate);
+        }
+        Ok(AppServerTryRecvResult::None)
+    }
+
     /// Internal helper for [Self::try_recv]
     fn try_recv_from_listen_socket(
         &mut self,
         buf: &mut [u8],
         idx: usize,
-    ) -> io::Result<Option<(usize, Endpoint)>> {
+    ) -> io::Result<AppServerTryRecvResult> {
         use std::io::ErrorKind as K;
         let (n, addr) = loop {
             match self.sockets[idx].recv_from(buf).io_err_kind_hint() {
@@ -1599,8 +1624,7 @@ impl AppServer {
         SocketPtr(idx)
             .apply(|sp| SocketBoundEndpoint::new(sp, addr))
             .apply(Endpoint::SocketBoundAddress)
-            .apply(|ep| (n, ep))
-            .some()
+            .apply(|ep| AppServerTryRecvResult::NetworkMessage(n, ep))
             .ok()
     }
 
@@ -1652,48 +1676,3 @@ impl crate::api::mio::MioManagerContext for MioManagerFocus<'_> {
         self.0
     }
 }
-
-/// These signal handlers are used exclusively used during coverage testing
-/// to ensure that the llvm-cov can produce reports during integration tests
-/// with multiple processes where subprocesses are terminated via kill(2).
-///
-/// llvm-cov does not support producing coverage reports when the process exits
-/// through a signal, so this is necessary.
-///
-/// The functionality of exiting gracefully upon reception of a terminating signal
-/// is desired for the production variant of Rosenpass, but we should make sure
-/// to use a higher quality implementation; in particular, we should use signalfd(2).
-///
-#[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-mod terminate {
-    use signal_hook::flag::register as sig_register;
-    use std::sync::{
-        atomic::{AtomicBool, Ordering},
-        Arc,
-    };
-
-    /// Automatically register a signal handler for common termination signals;
-    /// whether one of these signals was issued can be polled using [Self::value].
-    ///
-    /// The signal handler is not removed when this struct goes out of scope.
-    #[derive(Debug)]
-    pub struct TerminateRequested {
-        value: Arc<AtomicBool>,
-    }
-
-    impl TerminateRequested {
-        /// Register signal handlers watching for common termination signals
-        pub fn new() -> anyhow::Result<Self> {
-            let value = Arc::new(AtomicBool::new(false));
-            for sig in signal_hook::consts::TERM_SIGNALS.iter().copied() {
-                sig_register(sig, Arc::clone(&value))?;
-            }
-            Ok(Self { value })
-        }
-
-        /// Check whether a termination signal has been set
-        pub fn value(&self) -> bool {
-            self.value.load(Ordering::Relaxed)
-        }
-    }
-}

rosenpass/src/cli.rs

@@ -17,7 +17,7 @@ use std::path::PathBuf;
 
 use crate::app_server::AppServerTest;
 use crate::app_server::{AppServer, BrokerPeer};
-use crate::protocol::{SPk, SSk, SymKey};
+use crate::protocol::basic_types::{SPk, SSk, SymKey};
 
 use super::config;
 
@@ -26,7 +26,7 @@ use {
     command_fds::{CommandFdExt, FdMapping},
     log::{error, info},
     mio::net::UnixStream,
-    rosenpass_util::fd::claim_fd,
+    rosenpass_util::rustix::claim_fd,
     rosenpass_wireguard_broker::brokers::mio_client::MioBrokerClient,
     rosenpass_wireguard_broker::WireguardBrokerMio,
     rustix::net::{socketpair, AddressFamily, SocketFlags, SocketType},
@@ -490,7 +490,8 @@ impl CliArgs {
                 cfg_peer.key_out,
                 broker_peer,
                 cfg_peer.endpoint.clone(),
-                cfg_peer.protocol_version.into(),
+                cfg_peer.protocol_version,
+                cfg_peer.osk_domain_separator.try_into()?,
             )?;
         }
 
@@ -514,7 +515,7 @@ impl CliArgs {
     fn create_broker(
         broker_interface: Option<BrokerInterface>,
     ) -> Result<
-        Box<dyn WireguardBrokerMio<MioError = anyhow::Error, Error = anyhow::Error>>,
+        Box<dyn WireguardBrokerMio<MioError = anyhow::Error, Error = anyhow::Error> + Send>,
         anyhow::Error,
     > {
         if let Some(interface) = broker_interface {
@@ -607,8 +608,8 @@ impl CliArgs {
 
 /// generate secret and public keys, store in files according to the paths passed as arguments
 pub fn generate_and_save_keypair(secret_key: PathBuf, public_key: PathBuf) -> anyhow::Result<()> {
-    let mut ssk = crate::protocol::SSk::random();
-    let mut spk = crate::protocol::SPk::random();
+    let mut ssk = crate::protocol::basic_types::SSk::random();
+    let mut spk = crate::protocol::basic_types::SPk::random();
     StaticKem.keygen(ssk.secret_mut(), spk.deref_mut())?;
     ssk.store_secret(secret_key)?;
     spk.store(public_key)

rosenpass/src/config.rs

@@ -7,20 +7,19 @@
 //! - TODO: support `~` in <https://github.com/rosenpass/rosenpass/issues/237>
 //! - TODO: provide tooling to create config file from shell <https://github.com/rosenpass/rosenpass/issues/247>
 
-use crate::protocol::{SPk, SSk};
-use rosenpass_util::file::LoadValue;
-use std::{
-    collections::HashSet,
-    fs,
-    io::Write,
-    net::{Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6, ToSocketAddrs},
-    path::{Path, PathBuf},
-};
+use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6, ToSocketAddrs};
+use std::path::{Path, PathBuf};
+use std::{collections::HashSet, fs, io::Write};
 
 use anyhow::{bail, ensure};
-use rosenpass_util::file::{fopen_w, Visibility};
+
 use serde::{Deserialize, Serialize};
 
+use rosenpass_util::file::{fopen_w, LoadValue, Visibility};
+
+use crate::protocol::basic_types::{SPk, SSk};
+use crate::protocol::osk_domain_separator::OskDomainSeparator;
+
 use crate::app_server::AppServer;
 
 #[cfg(feature = "experiment_api")]
@@ -36,6 +35,7 @@ fn empty_api_config() -> crate::api::config::ApiConfig {
 ///
 /// i.e. configuration for the `rosenpass exchange` and `rosenpass exchange-config` commands
 #[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(deny_unknown_fields)]
 pub struct Rosenpass {
     // TODO: Raise error if secret key or public key alone is set during deserialization
     // SEE: https://github.com/serde-rs/serde/issues/2793
@@ -77,6 +77,7 @@ pub struct Rosenpass {
 
 /// Public key and secret key locations.
 #[derive(Debug, Deserialize, Serialize, PartialEq, Eq, Clone)]
+#[serde(deny_unknown_fields)]
 pub struct Keypair {
     /// path to the public key file
     pub public_key: PathBuf,
@@ -104,6 +105,7 @@ impl Keypair {
 ///
 /// - TODO: replace this type with [`log::LevelFilter`], also see <https://github.com/rosenpass/rosenpass/pull/246>
 #[derive(Debug, PartialEq, Eq, Serialize, Deserialize, Copy, Clone)]
+#[serde(deny_unknown_fields)]
 pub enum Verbosity {
     Quiet,
     Verbose,
@@ -111,6 +113,7 @@ pub enum Verbosity {
 
 /// The protocol version to be used by a peer.
 #[derive(Debug, PartialEq, Eq, Serialize, Deserialize, Copy, Clone, Default)]
+#[serde(deny_unknown_fields)]
 pub enum ProtocolVersion {
     #[default]
     V02,
@@ -119,6 +122,7 @@ pub enum ProtocolVersion {
 
 /// Configuration data for a single Rosenpass peer
 #[derive(Debug, Default, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
 pub struct RosenpassPeer {
     /// path to the public key of the peer
     pub public_key: PathBuf,
@@ -150,10 +154,78 @@ pub struct RosenpassPeer {
     #[serde(default)]
     /// The protocol version to use for the exchange
     pub protocol_version: ProtocolVersion,
+
+    /// Allows using a custom domain separator
+    #[serde(flatten)]
+    pub osk_domain_separator: RosenpassPeerOskDomainSeparator,
+}
+
+/// Configuration for [crate::protocol::osk_domain_separator::OskDomainSeparator]
+///
+/// Refer to its documentation for more information and examples of how to use this.
+#[derive(Debug, Default, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct RosenpassPeerOskDomainSeparator {
+    /// If Rosenpass is used for purposes other then securing WireGuard,
+    /// a custom domain separator and domain separator must be specified.
+    ///
+    /// Use `osk_organization` to indicate the organization who specifies the use case
+    /// and `osk_label` for a specific purpose within that organization.
+    ///
+    /// ```toml
+    /// [[peer]]
+    /// public_key = "my_public_key"
+    /// ...
+    /// osk_organization = "myorg.com"
+    /// osk_label = ["My Custom Messenger app"]
+    /// ```
+    pub osk_organization: Option<String>,
+    // If Rosenpass is used for purposes other then securing WireGuard,
+    /// a custom domain separator and domain separator must be specified.
+    ///
+    /// Use `osk_organization` to indicate the organization who specifies the use case
+    /// and `osk_label` for a specific purpose within that organization.
+    ///
+    /// ```toml
+    /// [[peer]]
+    /// public_key = "my_public_key"
+    /// ...
+    /// osk_namespace = "myorg.com"
+    /// osk_label = ["My Custom Messenger app"]
+    /// ```
+    pub osk_label: Option<Vec<String>>,
+}
+
+impl RosenpassPeerOskDomainSeparator {
+    pub fn org_and_label(&self) -> anyhow::Result<Option<(&String, &Vec<String>)>> {
+        match (&self.osk_organization, &self.osk_label) {
+            (None, None) => Ok(None),
+            (Some(org), Some(label)) => Ok(Some((org, label))),
+            (Some(_), None) => bail!("Specified osk_organization but not osk_label in config file. You need to specify both, or none."),
+            (None, Some(_)) =>  bail!("Specified osk_label but not osk_organization in config file. You need to specify both, or none."),
+        }
+    }
+
+    pub fn validate(&self) -> anyhow::Result<()> {
+        let _org_and_label: Option<(_, _)> = self.org_and_label()?;
+        Ok(())
+    }
+}
+
+impl TryFrom<RosenpassPeerOskDomainSeparator> for OskDomainSeparator {
+    type Error = anyhow::Error;
+
+    fn try_from(val: RosenpassPeerOskDomainSeparator) -> anyhow::Result<Self> {
+        match val.org_and_label()? {
+            None => Ok(OskDomainSeparator::default()),
+            Some((org, label)) => Ok(OskDomainSeparator::custom_utf8(org, label)),
+        }
+    }
 }
 
 /// Information for supplying exchanged keys directly to WireGuard
 #[derive(Debug, Default, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
 pub struct WireGuard {
     /// Name of the WireGuard interface to supply with pre-shared keys generated by the Rosenpass
     /// key exchange
@@ -292,7 +364,7 @@ impl Rosenpass {
             // check the secret-key file is a valid key
             ensure!(
                 SSk::load(&keypair.secret_key).is_ok(),
-                "could not load public-key file {:?}: invalid key",
+                "could not load secret-key file {:?}: invalid key",
                 keypair.secret_key
             );
         }
@@ -337,6 +409,10 @@ impl Rosenpass {
                     );
                 }
             }
+
+            if let Err(e) = peer.osk_domain_separator.validate() {
+                bail!("Invalid OSK domain separation configuration for peer {i}: {e}");
+            }
         }
 
         Ok(())

rosenpass/src/hash_domains.rs

@@ -166,7 +166,7 @@ hash_domain_ns!(
     protocol, cookie_key, "cookie-key");
 hash_domain_ns!(
     /// Hash domain based on [protocol] for calculating the peer id as transmitted (encrypted)
-    /// in [crate::msgs::InitHello::pidic].
+    /// in [crate::msgs::InitHello::pidi_ct].
     ///
     /// # Examples
     ///
@@ -179,7 +179,7 @@ hash_domain_ns!(
 hash_domain_ns!(
     /// Hash domain based on [protocol] for calculating the additional data
     /// during [crate::msgs::Biscuit] encryption, storing the biscuit into
-    /// [crate::msgs::RespHello::biscuit].
+    /// [crate::msgs::RespHello::biscuit_ct].
     ///
     /// # Examples
     ///
@@ -295,25 +295,21 @@ hash_domain_ns!(
     /// We do recommend that third parties base their specific domain separators
     /// on a internet domain and/or mix in much more specific information.
     ///
-    /// We only really use this to derive a output key for wireguard; see [osk].
-    ///
     /// See [_ckextract].
     ///
     /// # Examples
     ///
     /// See the [module](self) documentation on how to use the hash domains in general.
-    _ckextract, _user, "user");
+    _ckextract, cke_user, "user");
 hash_domain_ns!(
     /// Chaining key domain separator for any rosenpass specific purposes.
     ///
-    /// We only really use this to derive a output key for wireguard; see [osk].
-    ///
     /// See [_ckextract].
     ///
     /// # Examples
     ///
     /// See the [module](self) documentation on how to use the hash domains in general.
-    _user, _rp, "rosenpass.eu");
+    cke_user, cke_user_rosenpass, "rosenpass.eu");
 hash_domain!(
     /// Chaining key domain separator for deriving the key sent to WireGuard.
     ///
@@ -325,4 +321,4 @@ hash_domain!(
     /// Check out its source code!
     ///
     /// See the [module](self) documentation on how to use the hash domains in general.
-    _rp, osk, "wireguard psk");
+    cke_user_rosenpass, ext_wireguard_psk_osk, "wireguard psk");

rosenpass/src/msgs.rs

@@ -9,7 +9,7 @@
 //! To achieve this we utilize the zerocopy library.
 //!
 use std::mem::size_of;
-use zerocopy::{AsBytes, FromBytes, FromZeroes};
+use zerocopy::{FromBytes, Immutable, IntoBytes, KnownLayout};
 
 use super::RosenpassError;
 use rosenpass_cipher_traits::primitives::{Aead as _, Kem};
@@ -51,7 +51,7 @@ pub type MsgEnvelopeCookie = [u8; COOKIE_SIZE];
 ///
 /// ```
 /// use rosenpass::msgs::{Envelope, InitHello};
-/// use zerocopy::{AsBytes, FromBytes, Ref, FromZeroes};
+/// use zerocopy::{FromZeros, IntoBytes, FromBytes, Ref};
 /// use memoffset::offset_of;
 ///
 /// // Zero-initialization
@@ -76,8 +76,8 @@ pub type MsgEnvelopeCookie = [u8; COOKIE_SIZE];
 /// assert_eq!(ih3.msg_type, 42);
 /// ```
 #[repr(packed)]
-#[derive(AsBytes, FromBytes, FromZeroes, Clone)]
-pub struct Envelope<M: AsBytes + FromBytes> {
+#[derive(IntoBytes, FromBytes, Clone, Immutable, KnownLayout)]
+pub struct Envelope<M: IntoBytes + FromBytes> {
     /// [MsgType] of this message
     pub msg_type: u8,
     /// Reserved for future use
@@ -106,7 +106,7 @@ pub struct Envelope<M: AsBytes + FromBytes> {
 ///
 /// ```
 /// use rosenpass::msgs::{Envelope, InitHello};
-/// use zerocopy::{AsBytes, FromBytes, Ref, FromZeroes};
+/// use zerocopy::{FromZeros, IntoBytes, FromBytes, Ref};
 /// use memoffset::span_of;
 ///
 /// // Zero initialization
@@ -126,7 +126,7 @@ pub struct Envelope<M: AsBytes + FromBytes> {
 /// assert_eq!(ih.payload.sidi, [1,2,3,4]);
 /// ```
 #[repr(packed)]
-#[derive(AsBytes, FromBytes, FromZeroes)]
+#[derive(IntoBytes, FromBytes, Immutable, KnownLayout)]
 pub struct InitHello {
     /// Randomly generated connection id
     pub sidi: [u8; 4],
@@ -135,7 +135,7 @@ pub struct InitHello {
     /// Classic McEliece Ciphertext
     pub sctr: [u8; StaticKem::CT_LEN],
     /// Encryped: 16 byte hash of McEliece initiator static key
-    pub pidic: [u8; Aead::TAG_LEN + 32],
+    pub pidi_ct: [u8; Aead::TAG_LEN + 32],
     /// Encrypted TAI64N Time Stamp (against replay attacks)
     pub auth: [u8; Aead::TAG_LEN],
 }
@@ -155,7 +155,7 @@ pub struct InitHello {
 ///
 /// ```
 /// use rosenpass::msgs::{Envelope, RespHello};
-/// use zerocopy::{AsBytes, FromBytes, Ref, FromZeroes};
+/// use zerocopy::{FromZeros, IntoBytes, FromBytes, Ref};
 /// use memoffset::span_of;
 ///
 /// // Zero initialization
@@ -175,7 +175,7 @@ pub struct InitHello {
 /// assert_eq!(ih.payload.sidi, [1,2,3,4]);
 /// ```
 #[repr(packed)]
-#[derive(AsBytes, FromBytes, FromZeroes)]
+#[derive(IntoBytes, FromBytes, Immutable, KnownLayout)]
 pub struct RespHello {
     /// Randomly generated connection id
     pub sidr: [u8; 4],
@@ -188,7 +188,7 @@ pub struct RespHello {
     /// Empty encrypted message (just an auth tag)
     pub auth: [u8; Aead::TAG_LEN],
     /// Responders handshake state in encrypted form
-    pub biscuit: [u8; BISCUIT_CT_LEN],
+    pub biscuit_ct: [u8; BISCUIT_CT_LEN],
 }
 
 /// This is the third message sent by the initiator to the responder
@@ -206,7 +206,7 @@ pub struct RespHello {
 ///
 /// ```
 /// use rosenpass::msgs::{Envelope, InitConf};
-/// use zerocopy::{AsBytes, FromBytes, Ref, FromZeroes};
+/// use zerocopy::{IntoBytes, FromBytes, FromZeros, Ref};
 /// use memoffset::span_of;
 ///
 /// // Zero initialization
@@ -226,14 +226,14 @@ pub struct RespHello {
 /// assert_eq!(ih.payload.sidi, [1,2,3,4]);
 /// ```
 #[repr(packed)]
-#[derive(AsBytes, FromBytes, FromZeroes, Debug)]
+#[derive(IntoBytes, FromBytes, Debug, Immutable, KnownLayout)]
 pub struct InitConf {
     /// Copied from InitHello
     pub sidi: [u8; 4],
     /// Copied from RespHello
     pub sidr: [u8; 4],
     /// Responders handshake state in encrypted form
-    pub biscuit: [u8; BISCUIT_CT_LEN],
+    pub biscuit_ct: [u8; BISCUIT_CT_LEN],
     /// Empty encrypted message (just an auth tag)
     pub auth: [u8; Aead::TAG_LEN],
 }
@@ -264,7 +264,7 @@ pub struct InitConf {
 ///
 /// ```
 /// use rosenpass::msgs::{Envelope, EmptyData};
-/// use zerocopy::{AsBytes, FromBytes, Ref, FromZeroes};
+/// use zerocopy::{FromZeros, IntoBytes, FromBytes, Ref};
 /// use memoffset::span_of;
 ///
 /// // Zero initialization
@@ -284,7 +284,7 @@ pub struct InitConf {
 /// assert_eq!(ih.payload.sid, [1,2,3,4]);
 /// ```
 #[repr(packed)]
-#[derive(AsBytes, FromBytes, FromZeroes, Clone, Copy)]
+#[derive(IntoBytes, FromBytes, Clone, Copy, Immutable, KnownLayout)]
 pub struct EmptyData {
     /// Copied from RespHello
     pub sid: [u8; 4],
@@ -311,7 +311,7 @@ pub struct EmptyData {
 ///
 /// [Envelope] and [InitHello] contain some extra examples on how to use structures from the [::zerocopy] crate.
 #[repr(packed)]
-#[derive(AsBytes, FromBytes, FromZeroes)]
+#[derive(IntoBytes, FromBytes, Immutable, KnownLayout)]
 pub struct Biscuit {
     /// H(spki) – Ident ifies the initiator
     pub pidi: [u8; KEY_LEN],
@@ -336,7 +336,7 @@ pub struct Biscuit {
 ///
 /// [Envelope] and [InitHello] contain some extra examples on how to use structures from the [::zerocopy] crate.
 #[repr(packed)]
-#[derive(AsBytes, FromBytes, FromZeroes)]
+#[derive(IntoBytes, FromBytes, Immutable, KnownLayout)]
 pub struct CookieReplyInner {
     /// [MsgType] of this message
     pub msg_type: u8,
@@ -363,7 +363,7 @@ pub struct CookieReplyInner {
 ///
 /// [Envelope] and [InitHello] contain some extra examples on how to use structures from the [::zerocopy] crate.
 #[repr(packed)]
-#[derive(AsBytes, FromBytes, FromZeroes)]
+#[derive(IntoBytes, FromBytes, Immutable, KnownLayout)]
 pub struct CookieReply {
     pub inner: CookieReplyInner,
     pub padding: [u8; size_of::<Envelope<InitHello>>() - size_of::<CookieReplyInner>()],

rosenpass/src/protocol/basic_types.rs

@@ -0,0 +1,38 @@
+//! Key types and other fundamental types used in the Rosenpass protocol
+
+use rosenpass_cipher_traits::primitives::{Aead, Kem};
+use rosenpass_ciphers::{EphemeralKem, StaticKem, XAead, KEY_LEN};
+use rosenpass_secret_memory::{Public, PublicBox, Secret};
+
+use crate::msgs::{BISCUIT_ID_LEN, MAX_MESSAGE_LEN, SESSION_ID_LEN};
+
+/// Static public key
+///
+/// Using [PublicBox] instead of [Public] because Classic McEliece keys are very large.
+pub type SPk = PublicBox<{ StaticKem::PK_LEN }>;
+/// Static secret key
+pub type SSk = Secret<{ StaticKem::SK_LEN }>;
+/// Ephemeral public key
+pub type EPk = Public<{ EphemeralKem::PK_LEN }>;
+pub type ESk = Secret<{ EphemeralKem::SK_LEN }>;
+
+/// Symmetric key
+pub type SymKey = Secret<KEY_LEN>;
+/// Variant of [SymKey] for use cases where the value is public
+pub type PublicSymKey = [u8; 32];
+
+/// Peer ID (derived from the public key, see the hash derivations in the [whitepaper](https://rosenpass.eu/whitepaper.pdf))
+pub type PeerId = Public<KEY_LEN>;
+/// Session ID
+pub type SessionId = Public<SESSION_ID_LEN>;
+/// Biscuit ID
+pub type BiscuitId = Public<BISCUIT_ID_LEN>;
+
+/// Nonce for use with random-nonce AEAD
+pub type XAEADNonce = Public<{ XAead::NONCE_LEN }>;
+
+/// Buffer capably of holding any Rosenpass protocol message
+pub type MsgBuf = Public<MAX_MESSAGE_LEN>;
+
+/// Server-local peer number; this is just the index in [super::CryptoServer::peers]
+pub type PeerNo = usize;

rosenpass/src/protocol/build_crypto_server.rs

@@ -1,12 +1,14 @@
-use super::{CryptoServer, PeerPtr, SPk, SSk, SymKey};
-use crate::config::ProtocolVersion;
-use rosenpass_util::{
-    build::Build,
-    mem::{DiscardResultExt, SwapWithDefaultExt},
-    result::ensure_or,
-};
 use thiserror::Error;
 
+use rosenpass_util::mem::{DiscardResultExt, SwapWithDefaultExt};
+use rosenpass_util::{build::Build, result::ensure_or};
+
+use crate::config::ProtocolVersion;
+
+use super::basic_types::{SPk, SSk, SymKey};
+use super::osk_domain_separator::OskDomainSeparator;
+use super::{CryptoServer, PeerPtr};
+
 #[derive(Debug, Clone)]
 /// A pair of matching public/secret keys used to launch the crypto server.
 ///
@@ -47,7 +49,8 @@ impl Keypair {
     /// # Example
     ///
     /// ```rust
-    /// use rosenpass::protocol::{Keypair, SSk, SPk};
+    /// use rosenpass::protocol::basic_types::{SSk, SPk};
+    /// use rosenpass::protocol::Keypair;
     ///
     /// // We have to define the security policy before using Secrets.
     /// use rosenpass_secret_memory::secret_policy_use_only_malloc_secrets;
@@ -66,12 +69,13 @@ impl Keypair {
 
     /// Creates a new "empty" key pair. All bytes are initialized to zero.
     ///
-    /// See [SSk:zero()][crate::protocol::SSk::zero] and [SPk:zero()][crate::protocol::SPk::zero], respectively.
+    /// See [SSk:zero()][SSk::zero] and [SPk:zero()][SPk::zero], respectively.
     ///
     /// # Example
     ///
     /// ```rust
-    /// use rosenpass::protocol::{Keypair, SSk, SPk};
+    /// use rosenpass::protocol::basic_types::{SSk, SPk};
+    /// use rosenpass::protocol::Keypair;
     ///
     /// // We have to define the security policy before using Secrets.
     /// use rosenpass_secret_memory::secret_policy_use_only_malloc_secrets;
@@ -90,7 +94,7 @@ impl Keypair {
 
     /// Creates a new (securely-)random key pair. The mechanism is described in [rosenpass_secret_memory::Secret].
     ///
-    /// See [SSk:random()][crate::protocol::SSk::random] and [SPk:random()][crate::protocol::SPk::random], respectively.
+    /// See [SSk:random()][SSk::random] and [SPk:random()][SPk::random], respectively.
     pub fn random() -> Self {
         Self::new(SSk::random(), SPk::random())
     }
@@ -127,7 +131,7 @@ pub struct MissingKeypair;
 ///
 /// There are multiple ways of creating a crypto server:
 ///
-/// 1. Provide the key pair at initialization time (using [CryptoServer::new][crate::protocol::CryptoServer::new])
+/// 1. Provide the key pair at initialization time (using [CryptoServer::new][CryptoServer::new])
 /// 2. Provide the key pair at a later time (using [BuildCryptoServer::empty])
 ///
 /// With BuildCryptoServer, you can gradually configure parameters as they become available.
@@ -145,19 +149,23 @@ pub struct MissingKeypair;
 ///
 /// ```rust
 /// use rosenpass_util::build::Build;
-/// use rosenpass::protocol::{BuildCryptoServer, Keypair, PeerParams, SPk, SymKey};
+/// use rosenpass_secret_memory::secret_policy_use_only_malloc_secrets;
+///
 /// use rosenpass::config::ProtocolVersion;
 ///
+/// use rosenpass::protocol::basic_types::{SPk, SymKey};
+/// use rosenpass::protocol::{BuildCryptoServer, Keypair, PeerParams};
+/// use rosenpass::protocol::osk_domain_separator::OskDomainSeparator;
+///
 /// // We have to define the security policy before using Secrets.
-/// use rosenpass_secret_memory::secret_policy_use_only_malloc_secrets;
 /// secret_policy_use_only_malloc_secrets();
 ///
 /// let keypair = Keypair::random();
-/// let peer1 = PeerParams { psk: Some(SymKey::random()), pk: SPk::random(), protocol_version: ProtocolVersion::V02 };
-/// let peer2 = PeerParams { psk: None, pk: SPk::random(), protocol_version: ProtocolVersion::V02 };
+/// let peer1 = PeerParams { psk: Some(SymKey::random()), pk: SPk::random(), protocol_version: ProtocolVersion::V02, osk_domain_separator: OskDomainSeparator::default() };
+/// let peer2 = PeerParams { psk: None, pk: SPk::random(), protocol_version: ProtocolVersion::V02, osk_domain_separator: OskDomainSeparator::default() };
 ///
 /// let mut builder = BuildCryptoServer::new(Some(keypair.clone()), vec![peer1]);
-/// builder.add_peer(peer2.psk.clone(), peer2.pk, ProtocolVersion::V02);
+/// builder.add_peer(peer2.psk.clone(), peer2.pk, ProtocolVersion::V02, OskDomainSeparator::default());
 ///
 /// let server = builder.build().expect("build failed");
 /// assert_eq!(server.peers.len(), 2);
@@ -187,16 +195,17 @@ impl Build<CryptoServer> for BuildCryptoServer {
 
         let mut srv = CryptoServer::new(sk, pk);
 
-        for (
-            idx,
-            PeerParams {
+        for (idx, params) in self.peers.into_iter().enumerate() {
+            let PeerParams {
                 psk,
                 pk,
                 protocol_version,
-            },
-        ) in self.peers.into_iter().enumerate()
-        {
-            let PeerPtr(idx2) = srv.add_peer(psk, pk, protocol_version.into())?;
+                osk_domain_separator,
+            } = params;
+
+            let PeerPtr(idx2) =
+                srv.add_peer(psk, pk, protocol_version.into(), osk_domain_separator)?;
+
             assert!(idx == idx2, "Peer id changed during CryptoServer construction from {idx} to {idx2}. This is a developer error.")
         }
 
@@ -205,13 +214,13 @@ impl Build<CryptoServer> for BuildCryptoServer {
 }
 
 #[derive(Debug)]
-/// Cryptographic key(s) identifying the connected [peer][crate::protocol::Peer] ("client")
+/// Cryptographic key(s) identifying the connected [peer][super::Peer] ("client")
 /// for a given session that is being managed by the crypto server.
 ///
-/// Each peer must be identified by a [public key (SPk)][crate::protocol::SPk].
-/// Optionally, a [symmetric key (SymKey)][crate::protocol::SymKey]
+/// Each peer must be identified by a [public key (SPk)][SPk].
+/// Optionally, a [symmetric key (SymKey)][SymKey]
 /// can be provided when setting up the connection.
-/// For more information on the intended usage and security considerations, see [Peer::psk][crate::protocol::Peer::psk] and [Peer::spkt][crate::protocol::Peer::spkt].
+/// For more information on the intended usage and security considerations, see [Peer::psk][super::Peer::psk] and [Peer::spkt][super::Peer::spkt].
 pub struct PeerParams {
     /// Pre-shared (symmetric) encryption keys that should be used with this peer.
     pub psk: Option<SymKey>,
@@ -219,6 +228,7 @@ pub struct PeerParams {
     pub pk: SPk,
     /// The used protocol version.
     pub protocol_version: ProtocolVersion,
+    pub osk_domain_separator: OskDomainSeparator,
 }
 
 impl BuildCryptoServer {
@@ -317,13 +327,16 @@ impl BuildCryptoServer {
     ///
     /// ```rust
     /// use rosenpass::config::ProtocolVersion;
+    ///
+    /// use rosenpass_util::build::Build;
+    /// use rosenpass::protocol::basic_types::{SymKey, SPk};
+    /// use rosenpass::protocol::{BuildCryptoServer, Keypair};
+    /// use rosenpass::protocol::osk_domain_separator::OskDomainSeparator;
+    ///
     /// // We have to define the security policy before using Secrets.
     /// use rosenpass_secret_memory::secret_policy_use_only_malloc_secrets;
     /// secret_policy_use_only_malloc_secrets();
     ///
-    /// use rosenpass_util::build::Build;
-    /// use rosenpass::protocol::{BuildCryptoServer, Keypair, SymKey, SPk};
-    ///
     /// // Deferred initialization: Create builder first, add some peers later
     /// let keypair_option = Some(Keypair::random());
     /// let mut builder = BuildCryptoServer::new(keypair_option, Vec::new());
@@ -335,7 +348,7 @@ impl BuildCryptoServer {
     /// // Now we've found a peer that should be added to the configuration
     /// let pre_shared_key = SymKey::random();
     /// let public_key = SPk::random();
-    /// builder.with_added_peer(Some(pre_shared_key.clone()), public_key.clone(), ProtocolVersion::V02);
+    /// builder.with_added_peer(Some(pre_shared_key.clone()), public_key.clone(), ProtocolVersion::V02, OskDomainSeparator::default());
     ///
     /// // New server instances will then start with the peer being registered already
     /// let server = builder.build().expect("build failed");
@@ -350,12 +363,14 @@ impl BuildCryptoServer {
         psk: Option<SymKey>,
         pk: SPk,
         protocol_version: ProtocolVersion,
+        osk_domain_separator: OskDomainSeparator,
     ) -> &mut Self {
         // TODO: Check here already whether peer was already added
         self.peers.push(PeerParams {
             psk,
             pk,
             protocol_version,
+            osk_domain_separator,
         });
         self
     }
@@ -366,9 +381,10 @@ impl BuildCryptoServer {
         psk: Option<SymKey>,
         pk: SPk,
         protocol_version: ProtocolVersion,
+        osk_domain_separator: OskDomainSeparator,
     ) -> PeerPtr {
         let id = PeerPtr(self.peers.len());
-        self.with_added_peer(psk, pk, protocol_version);
+        self.with_added_peer(psk, pk, protocol_version, osk_domain_separator);
         id
     }
 
@@ -381,19 +397,23 @@ impl BuildCryptoServer {
     ///  Extracting the server configuration from a builder:
     ///
     /// ```rust
-    /// // We have to define the security policy before using Secrets.
+    /// use rosenpass_util::build::Build;
+    /// use rosenpass_secret_memory::secret_policy_use_only_malloc_secrets;
+    ///
     /// use rosenpass::config::ProtocolVersion;
     /// use rosenpass::hash_domains::protocol;
-    /// use rosenpass_secret_memory::secret_policy_use_only_malloc_secrets;
-    /// secret_policy_use_only_malloc_secrets();
     ///
-    /// use rosenpass_util::build::Build;
-    /// use rosenpass::protocol::{BuildCryptoServer, Keypair, SymKey, SPk};
+    /// use rosenpass::protocol::basic_types::{SymKey, SPk};
+    /// use rosenpass::protocol::{BuildCryptoServer, Keypair};
+    /// use rosenpass::protocol::osk_domain_separator::OskDomainSeparator;
+    ///
+    /// // We have to define the security policy before using Secrets.
+    /// secret_policy_use_only_malloc_secrets();
     ///
     /// let keypair = Keypair::random();
     /// let peer_pk = SPk::random();
     /// let mut builder = BuildCryptoServer::new(Some(keypair.clone()), vec![]);
-    /// builder.add_peer(None, peer_pk, ProtocolVersion::V02);
+    /// builder.add_peer(None, peer_pk, ProtocolVersion::V02, OskDomainSeparator::default());
     ///
     /// // Extract configuration parameters from the decomissioned builder
     /// let (keypair_option, peers) = builder.take_parts();

rosenpass/src/protocol/constants.rs

@@ -0,0 +1,64 @@
+//! Constants and configuration values used in the rosenpass core protocol
+
+use crate::msgs::MAC_SIZE;
+
+use super::timing::Timing;
+
+/// Time after which the responder attempts to rekey the session
+///
+/// From the wireguard paper: rekey every two minutes,
+/// discard the key if no rekey is achieved within three
+pub const REKEY_AFTER_TIME_RESPONDER: Timing = 120.0;
+/// Time after which the initiator attempts to rekey the session.
+///
+/// This happens ten seconds after [REKEY_AFTER_TIME_RESPONDER], so
+/// parties would usually switch roles after every handshake.
+///
+/// From the wireguard paper: rekey every two minutes,
+/// discard the key if no rekey is achieved within three
+pub const REKEY_AFTER_TIME_INITIATOR: Timing = 130.0;
+/// Time after which either party rejects the current key.
+///
+/// At this point a new key should have been negotiated.
+///
+/// Rejection happens 50-60 seconds after key renegotiation
+/// to allow for a graceful handover.
+/// From the wireguard paper: rekey every two minutes,
+/// discard the key if no rekey is achieved within three
+pub const REJECT_AFTER_TIME: Timing = 180.0;
+
+/// The length of the `cookie_secret` in the [whitepaper](https://rosenpass.eu/whitepaper.pdf)
+pub const COOKIE_SECRET_LEN: usize = MAC_SIZE;
+/// The life time of the `cookie_secret` in the [whitepaper](https://rosenpass.eu/whitepaper.pdf)
+pub const COOKIE_SECRET_EPOCH: Timing = 120.0;
+
+/// Length of a cookie value (see info about the cookie mechanism in the [whitepaper](https://rosenpass.eu/whitepaper.pdf))
+pub const COOKIE_VALUE_LEN: usize = MAC_SIZE;
+/// Time after which to delete a cookie, as the initiator, for a certain peer (see info about the cookie mechanism in the [whitepaper](https://rosenpass.eu/whitepaper.pdf))
+pub const PEER_COOKIE_VALUE_EPOCH: Timing = 120.0;
+
+/// Seconds until the biscuit key is changed; we issue biscuits
+/// using one biscuit key for one epoch and store the biscuit for
+/// decryption for a second epoch
+///
+/// The biscuit mechanism is used to make sure the responder is stateless in our protocol.
+pub const BISCUIT_EPOCH: Timing = 300.0;
+
+/// The initiator opportunistically retransmits their messages; it applies an increasing delay
+/// between each retreansmission. This is the factor by which the delay grows after each
+/// retransmission.
+pub const RETRANSMIT_DELAY_GROWTH: Timing = 2.0;
+/// The initiator opportunistically retransmits their messages; it applies an increasing delay
+/// between each retreansmission. This is the initial delay between retransmissions.
+pub const RETRANSMIT_DELAY_BEGIN: Timing = 0.5;
+/// The initiator opportunistically retransmits their messages; it applies an increasing delay
+/// between each retreansmission. This is the maximum delay between retransmissions.
+pub const RETRANSMIT_DELAY_END: Timing = 10.0;
+/// The initiator opportunistically retransmits their messages; it applies an increasing delay
+/// between each retreansmission. This is the jitter (randomness) applied to the retransmission
+/// delay.
+pub const RETRANSMIT_DELAY_JITTER: Timing = 0.5;
+
+/// This is the maximum delay that can separate two events for us to consider the events to have
+/// happened at the same time.
+pub const EVENT_GRACE: Timing = 0.0025;

rosenpass/src/protocol/cookies.rs

@@ -0,0 +1,98 @@
+//! Cryptographic key management for cookies and biscuits used in the protocol
+//!
+//! Cookies in general are conceptually similar to browser cookies;
+//! i.e. mechanisms to store information in the party connected to via network.
+//!
+//! In our case specifically we refer to any mechanisms in the Rosenpass protocol
+//! where a peer stores some information in the other party that is cryptographically
+//! protected using a temporary, randomly generated key. This file contains the mechanisms
+//! used to store the secret keys.
+//!
+//! We have two cookie-mechanisms in particular:
+//!
+//! - Rosenpass "biscuits" — the mechanism used to make sure the Rosenpass protocol is stateless
+//!   with respect to the responder
+//! - WireGuard's cookie mechanism to enable proof of IP ownership; Rosenpass has experimental
+//!   support for this mechanism
+//!
+//! The CookieStore type is also used to store cookie secrets sent from the responder to the
+//! initiator. This is a bad design and we should separate out this functionality.
+//!
+//! TODO: CookieStore should not be used for cookie secrets sent from responder to initiator.
+//! TODO: Move cookie lifetime management functionality into here
+
+use rosenpass_ciphers::KEY_LEN;
+use rosenpass_secret_memory::Secret;
+
+use super::{constants::COOKIE_SECRET_LEN, timing::Timing};
+
+/// Container for storing cookie secrets like [BiscuitKey] or [CookieSecret].
+///
+/// This is really just a secret key and a time stamp of creation. Concrete
+/// usages (such as for the biscuit key) impose a time limit about how long
+/// a key can be used and the time of creation is used to impose that time limit.
+///
+/// # Examples
+///
+/// ```
+/// use rosenpass_util::time::Timebase;
+/// use rosenpass::protocol::{timing::BCE, basic_types::SymKey, cookies::CookieStore};
+///
+/// rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
+///
+/// let fixed_secret = SymKey::random();
+/// let timebase = Timebase::default();
+///
+/// let mut store = CookieStore::<32>::new();
+/// assert_ne!(store.value.secret(), SymKey::zero().secret());
+/// assert_eq!(store.created_at, BCE);
+///
+/// let time_before_call = timebase.now();
+/// store.update(&timebase, fixed_secret.secret());
+/// assert_eq!(store.value.secret(), fixed_secret.secret());
+/// assert!(store.created_at < timebase.now());
+/// assert!(store.created_at > time_before_call);
+///
+/// // Same as new()
+/// store.erase();
+/// assert_ne!(store.value.secret(), SymKey::zero().secret());
+/// assert_eq!(store.created_at, BCE);
+///
+/// let secret_before_call = store.value.clone();
+/// let time_before_call = timebase.now();
+/// store.randomize(&timebase);
+/// assert_ne!(store.value.secret(), secret_before_call.secret());
+/// assert!(store.created_at < timebase.now());
+/// assert!(store.created_at > time_before_call);
+/// ```
+#[derive(Debug)]
+pub struct CookieStore<const N: usize> {
+    /// Time of creation of the secret key
+    pub created_at: Timing,
+    /// The secret key
+    pub value: Secret<N>,
+}
+
+/// Stores cookie secret, which is used to create a rotating the cookie value
+///
+/// Concrete value is in [super::CryptoServer::cookie_secrets].
+///
+/// The pointer type is [super::ServerCookieSecretPtr].
+pub type CookieSecret = CookieStore<COOKIE_SECRET_LEN>;
+
+/// Storage for our biscuit keys.
+///
+/// The biscuit keys encrypt what we call "biscuits".
+/// These biscuits contain the responder state for a particular handshake. By moving
+/// state into these biscuits, we make sure the responder is stateless.
+///
+/// A Biscuit is like a fancy cookie. To avoid state disruption attacks,
+/// the responder doesn't store state. Instead the state is stored in a
+/// Biscuit, that is encrypted using the [BiscuitKey] which is only known to
+/// the Responder. Thus secrecy of the Responder state is not violated, still
+/// the responder can avoid storing this state.
+///
+/// Concrete value is in [super::CryptoServer::biscuit_keys].
+///
+/// The pointer type is [super::BiscuitKeyPtr].
+pub type BiscuitKey = CookieStore<KEY_LEN>;

rosenpass/src/protocol/index.rs

@@ -0,0 +1,45 @@
+//! Quick lookup of values in [super::CryptoServer]
+
+use std::collections::HashMap;
+
+use super::basic_types::{PeerId, PeerNo, SessionId};
+use super::KnownResponseHash;
+
+/// Maps various keys to peer (numbers).
+///
+/// See:
+/// - [super::CryptoServer::index]
+/// - [super::CryptoServer::peers]
+/// - [PeerNo]
+/// - [super::PeerPtr]
+/// - [super::Peer]
+pub type PeerIndex = HashMap<PeerIndexKey, PeerNo>;
+
+/// We maintain various indices in [super::CryptoServer::index], mapping some key to a particular
+/// [PeerNo], i.e. to an index in [super::CryptoServer::peers]. These are the possible index key.
+#[derive(Hash, PartialEq, Eq, PartialOrd, Ord, Debug)]
+pub enum PeerIndexKey {
+    /// Lookup of a particular peer given the [PeerId], i.e. a value derived from the peers public
+    /// key as created by [super::CryptoServer::pidm] or [super::Peer::pidt].
+    ///
+    /// The peer id is used by the initiator to tell the responder about its identity in
+    /// [crate::msgs::InitHello].
+    ///
+    /// See also the pointer types [super::PeerPtr].
+    Peer(PeerId),
+    /// Lookup of a particular session id.
+    ///
+    /// This is used to look up both established sessions (see
+    /// [super::CryptoServer::lookup_session]) and ongoing handshakes (see [super::CryptoServer::lookup_handshake]).
+    ///
+    /// Lookup of a peer to get an established session or a handshake is sufficient, because a peer
+    /// contains a limited number of sessions and handshakes ([super::Peer::session] and [super::Peer::handshake] respectively).
+    ///
+    /// See also the pointer types [super::IniHsPtr] and [super::SessionPtr].
+    Sid(SessionId),
+    /// Lookup of a cached response ([crate::msgs::Envelope]<[crate::msgs::EmptyData]>) to an [crate::msgs::InitConf] (i.e.
+    /// [crate::msgs::Envelope]<[crate::msgs::InitConf]>) message.
+    ///
+    /// See [super::KnownInitConfResponsePtr] on how this value is maintained.
+    KnownInitConfResponse(KnownResponseHash),
+}

rosenpass/src/protocol/mod.rs

@@ -24,12 +24,15 @@
 //!
 //! ```
 //! use std::ops::DerefMut;
+//!
 //! use rosenpass_secret_memory::policy::*;
 //! use rosenpass_cipher_traits::primitives::Kem;
 //! use rosenpass_ciphers::StaticKem;
-//! use rosenpass::{
-//!     protocol::{SSk, SPk, MsgBuf, PeerPtr, CryptoServer, SymKey},
-//! };
+//!
+//! use rosenpass::protocol::basic_types::{SSk, SPk, MsgBuf, SymKey};
+//! use rosenpass::protocol::{PeerPtr, CryptoServer};
+//! use rosenpass::protocol::osk_domain_separator::OskDomainSeparator;
+//!
 //! # fn main() -> anyhow::Result<()> {
 //! // Set security policy for storing secrets
 //!
@@ -50,8 +53,8 @@
 //! let mut b = CryptoServer::new(peer_b_sk, peer_b_pk.clone());
 //!
 //! // introduce peers to each other
-//! a.add_peer(Some(psk.clone()), peer_b_pk, ProtocolVersion::V03)?;
-//! b.add_peer(Some(psk), peer_a_pk, ProtocolVersion::V03)?;
+//! a.add_peer(Some(psk.clone()), peer_b_pk, ProtocolVersion::V03, OskDomainSeparator::default())?;
+//! b.add_peer(Some(psk), peer_a_pk, ProtocolVersion::V03, OskDomainSeparator::default())?;
 //!
 //! // declare buffers for message exchange
 //! let (mut a_buf, mut b_buf) = (MsgBuf::zero(), MsgBuf::zero());
@@ -76,8 +79,21 @@
 //! ```
 
 mod build_crypto_server;
+pub use build_crypto_server::*;
+
+pub mod basic_types;
+pub mod constants;
+pub mod cookies;
+pub mod index;
+pub mod osk_domain_separator;
+pub mod test_vector_sets;
+pub mod testutils;
+pub mod timing;
+pub mod zerocopy;
+
 #[allow(clippy::module_inception)]
 mod protocol;
-
-pub use build_crypto_server::*;
 pub use protocol::*;
+
+#[cfg(test)]
+mod test;

rosenpass/src/protocol/osk_domain_separator.rs

@@ -0,0 +1,91 @@
+//! Management of domain separators for the OSK (output key) in the rosenpass protocol
+//!
+//! The domain separator is there to ensure that keys are bound to the purpose they are used for.
+//!
+//! See the whitepaper section on protocol extensions for more details on how this is used.
+//!
+//! # See also
+//!
+//! - [crate::protocol::Peer]
+//! - [crate::protocol::CryptoServer::add_peer]
+//! - [crate::protocol::CryptoServer::osk]
+//!
+//! # Examples
+//!
+//! There are some basic examples of using custom domain separators in the examples of
+//! [super::CryptoServer::poll]. Look for the test function `test_osk_label_mismatch()`
+//! in particular.
+
+use rosenpass_ciphers::subtle::keyed_hash::KeyedHash;
+use rosenpass_util::result::OkExt;
+
+use crate::hash_domains;
+
+use super::basic_types::PublicSymKey;
+
+/// The OSK (output shared key) domain separator to use for a specific peer
+///
+#[derive(Clone, PartialEq, Eq, Debug, PartialOrd, Ord, Default)]
+pub enum OskDomainSeparator {
+    /// By default we use the domain separator that indicates that the resulting keys
+    /// are used by WireGuard to establish a connection
+    #[default]
+    ExtensionWireguardPsk,
+    /// Used for user-defined domain separators
+    Custom {
+        /// A globally unique string identifying the vendor or group who defines this domain
+        /// separator (we use our domain ourselves – "rosenpass.eu")
+        namespace: Vec<u8>,
+        /// Any custom labels within that namespace. Could be descriptive prose.
+        labels: Vec<Vec<u8>>,
+    },
+}
+
+impl OskDomainSeparator {
+    /// Construct [OskDomainSeparator::ExtensionWireguardPsk]
+    pub fn for_wireguard_psk() -> Self {
+        Self::ExtensionWireguardPsk
+    }
+
+    /// Construct [OskDomainSeparator::Custom] from strings
+    pub fn custom_utf8<I, T>(namespace: &str, label: I) -> Self
+    where
+        I: IntoIterator<Item = T>,
+        T: AsRef<str>,
+    {
+        let namespace = namespace.as_bytes().to_owned();
+        let labels = label
+            .into_iter()
+            .map(|e| e.as_ref().as_bytes().to_owned())
+            .collect::<Vec<_>>();
+        Self::Custom { namespace, labels }
+    }
+
+    /// Variant of [Self::custom_utf8] that takes just one label (instead of a sequence)
+    pub fn custom_utf8_single_label(namespace: &str, label: &str) -> Self {
+        Self::custom_utf8(namespace, std::iter::once(label))
+    }
+
+    /// The domain separator is not just an encoded string, it instead uses
+    /// [rosenpass_ciphers::hash_domain::HashDomain], starting from [hash_domains::cke_user].
+    ///
+    /// This means, that the domain separator is really a sequence of multiple different domain
+    /// separators, each of which is allowed to be quite long. This is very useful as it allows
+    /// users to avoid specifying complex, prosaic domain separators. To ensure that this does not
+    /// force us create extra overhead when the protocol is executed, this sequence of strings is
+    /// compressed into a single, fixed-length hash of all the inputs. This hash could be created
+    /// at program startup and cached.
+    ///
+    /// This function generates this fixed-length hash.
+    pub fn compress_with(&self, hash_choice: KeyedHash) -> anyhow::Result<PublicSymKey> {
+        use OskDomainSeparator as O;
+        match &self {
+            O::ExtensionWireguardPsk => hash_domains::ext_wireguard_psk_osk(hash_choice),
+            O::Custom { namespace, labels } => hash_domains::cke_user(hash_choice)?
+                .mix(namespace)?
+                .mix_many(labels)?
+                .into_value()
+                .ok(),
+        }
+    }
+}

rosenpass/src/protocol/test.rs

@@ -0,0 +1,715 @@
+use std::{borrow::BorrowMut, fmt::Display, net::SocketAddrV4, ops::DerefMut};
+
+use anyhow::{Context, Result};
+use serial_test::serial;
+use zerocopy::{FromBytes, FromZeros, Immutable, IntoBytes, KnownLayout};
+
+use rosenpass_cipher_traits::primitives::Kem;
+use rosenpass_ciphers::StaticKem;
+use rosenpass_secret_memory::Public;
+use rosenpass_util::mem::DiscardResultExt;
+
+use crate::msgs::{EmptyData, Envelope, InitConf, InitHello, MsgType, RespHello, MAX_MESSAGE_LEN};
+
+use super::basic_types::{MsgBuf, SPk, SSk, SymKey};
+use super::constants::REKEY_AFTER_TIME_RESPONDER;
+use super::osk_domain_separator::OskDomainSeparator;
+use super::zerocopy::{truncating_cast_into, truncating_cast_into_nomut};
+use super::{
+    CryptoServer, HandleMsgResult, HostIdentification, KnownInitConfResponsePtr, PeerPtr,
+    PollResult, ProtocolVersion,
+};
+
+struct VecHostIdentifier(Vec<u8>);
+
+impl HostIdentification for VecHostIdentifier {
+    fn encode(&self) -> &[u8] {
+        &self.0
+    }
+}
+
+impl Display for VecHostIdentifier {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "{:?}", self.0)
+    }
+}
+
+impl From<Vec<u8>> for VecHostIdentifier {
+    fn from(v: Vec<u8>) -> Self {
+        VecHostIdentifier(v)
+    }
+}
+
+fn setup_logging() {
+    use std::io::Write;
+    let mut log_builder = env_logger::Builder::from_default_env(); // sets log level filter from environment (or defaults)
+    log_builder.filter_level(log::LevelFilter::Info);
+    log_builder.format_timestamp_nanos();
+    log_builder.format(|buf, record| {
+        let ts_format = buf.timestamp_nanos().to_string();
+        writeln!(buf, "{}: {}", &ts_format[14..], record.args())
+    });
+
+    let _ = log_builder.try_init();
+}
+
+#[test]
+#[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
+fn handles_incorrect_size_messages_v02() {
+    handles_incorrect_size_messages(ProtocolVersion::V02)
+}
+
+#[test]
+#[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
+fn handles_incorrect_size_messages_v03() {
+    handles_incorrect_size_messages(ProtocolVersion::V03)
+}
+
+/// Ensure that the protocol implementation can deal with truncated
+/// messages and with overlong messages.
+///
+/// This test performs a complete handshake between two randomly generated
+/// servers; instead of delivering the message correctly at first messages
+/// of length zero through about 1.2 times the correct message size are delivered.
+///
+/// Producing an error is expected on each of these messages.
+///
+/// Finally the correct message is delivered and the same process
+/// starts again in the other direction.
+///
+/// Through all this, the handshake should still successfully terminate;
+/// i.e. an exchanged key must be produced in both servers.
+fn handles_incorrect_size_messages(protocol_version: ProtocolVersion) {
+    setup_logging();
+    rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
+    stacker::grow(8 * 1024 * 1024, || {
+        const OVERSIZED_MESSAGE: usize = ((MAX_MESSAGE_LEN as f32) * 1.2) as usize;
+        type MsgBufPlus = Public<OVERSIZED_MESSAGE>;
+
+        const PEER0: PeerPtr = PeerPtr(0);
+
+        let (mut me, mut they) = make_server_pair(protocol_version).unwrap();
+        let (mut msgbuf, mut resbuf) = (MsgBufPlus::zero(), MsgBufPlus::zero());
+
+        // Process the entire handshake
+        let mut msglen = Some(me.initiate_handshake(PEER0, &mut *resbuf).unwrap());
+        while let Some(l) = msglen {
+            std::mem::swap(&mut me, &mut they);
+            std::mem::swap(&mut msgbuf, &mut resbuf);
+            msglen = test_incorrect_sizes_for_msg(&mut me, &*msgbuf, l, &mut *resbuf);
+        }
+
+        assert_eq!(
+            me.osk(PEER0).unwrap().secret(),
+            they.osk(PEER0).unwrap().secret()
+        );
+    });
+}
+
+/// Used in handles_incorrect_size_messages() to first deliver many truncated
+/// and overlong messages, finally the correct message is delivered and the response
+/// returned.
+fn test_incorrect_sizes_for_msg(
+    srv: &mut CryptoServer,
+    msgbuf: &[u8],
+    msglen: usize,
+    resbuf: &mut [u8],
+) -> Option<usize> {
+    resbuf.fill(0);
+
+    for l in 0..(((msglen as f32) * 1.2) as usize) {
+        if l == msglen {
+            continue;
+        }
+
+        let res = srv.handle_msg(&msgbuf[..l], resbuf);
+        assert!(res.is_err()); // handle_msg should raise an error
+        assert!(!resbuf.iter().any(|x| *x != 0)); // resbuf should not have been changed
+    }
+
+    // Apply the proper handle_msg operation
+    srv.handle_msg(&msgbuf[..msglen], resbuf).unwrap().resp
+}
+
+fn keygen() -> Result<(SSk, SPk)> {
+    // TODO: Copied from the benchmark; deduplicate
+    let (mut sk, mut pk) = (SSk::zero(), SPk::zero());
+    StaticKem.keygen(sk.secret_mut(), pk.deref_mut())?;
+    Ok((sk, pk))
+}
+
+fn make_server_pair(protocol_version: ProtocolVersion) -> Result<(CryptoServer, CryptoServer)> {
+    // TODO: Copied from the benchmark; deduplicate
+    let psk = SymKey::random();
+    let ((ska, pka), (skb, pkb)) = (keygen()?, keygen()?);
+    let (mut a, mut b) = (
+        CryptoServer::new(ska, pka.clone()),
+        CryptoServer::new(skb, pkb.clone()),
+    );
+    a.add_peer(
+        Some(psk.clone()),
+        pkb,
+        protocol_version.clone(),
+        OskDomainSeparator::default(),
+    )?;
+    b.add_peer(
+        Some(psk),
+        pka,
+        protocol_version,
+        OskDomainSeparator::default(),
+    )?;
+    Ok((a, b))
+}
+
+#[test]
+#[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
+fn test_regular_exchange_v02() {
+    test_regular_exchange(ProtocolVersion::V02)
+}
+
+#[test]
+#[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
+fn test_regular_exchange_v03() {
+    test_regular_exchange(ProtocolVersion::V03)
+}
+
+fn test_regular_exchange(protocol_version: ProtocolVersion) {
+    setup_logging();
+    rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
+    stacker::grow(8 * 1024 * 1024, || {
+        type MsgBufPlus = Public<MAX_MESSAGE_LEN>;
+        let (mut a, mut b) = make_server_pair(protocol_version).unwrap();
+
+        let mut a_to_b_buf = MsgBufPlus::zero();
+        let mut b_to_a_buf = MsgBufPlus::zero();
+
+        let ip_a: SocketAddrV4 = "127.0.0.1:8080".parse().unwrap();
+        let mut ip_addr_port_a = ip_a.ip().octets().to_vec();
+        ip_addr_port_a.extend_from_slice(&ip_a.port().to_be_bytes());
+
+        let _ip_b: SocketAddrV4 = "127.0.0.1:8081".parse().unwrap();
+
+        let init_hello_len = a.initiate_handshake(PeerPtr(0), &mut *a_to_b_buf).unwrap();
+
+        let init_msg_type: MsgType = a_to_b_buf.value[0].try_into().unwrap();
+        assert_eq!(init_msg_type, MsgType::InitHello);
+
+        //B handles InitHello, sends RespHello
+        let HandleMsgResult { resp, .. } = b
+            .handle_msg(&a_to_b_buf.as_slice()[..init_hello_len], &mut *b_to_a_buf)
+            .unwrap();
+
+        let resp_hello_len = resp.unwrap();
+
+        let resp_msg_type: MsgType = b_to_a_buf.value[0].try_into().unwrap();
+        assert_eq!(resp_msg_type, MsgType::RespHello);
+
+        let HandleMsgResult {
+            resp,
+            exchanged_with,
+        } = a
+            .handle_msg(&b_to_a_buf[..resp_hello_len], &mut *a_to_b_buf)
+            .unwrap();
+
+        let init_conf_len = resp.unwrap();
+        let init_conf_msg_type: MsgType = a_to_b_buf.value[0].try_into().unwrap();
+
+        assert_eq!(exchanged_with, Some(PeerPtr(0)));
+        assert_eq!(init_conf_msg_type, MsgType::InitConf);
+
+        //B handles InitConf, sends EmptyData
+        let HandleMsgResult {
+            resp: _,
+            exchanged_with,
+        } = b
+            .handle_msg(&a_to_b_buf.as_slice()[..init_conf_len], &mut *b_to_a_buf)
+            .unwrap();
+
+        let empty_data_msg_type: MsgType = b_to_a_buf.value[0].try_into().unwrap();
+
+        assert_eq!(exchanged_with, Some(PeerPtr(0)));
+        assert_eq!(empty_data_msg_type, MsgType::EmptyData);
+    });
+}
+
+#[test]
+#[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
+fn test_regular_init_conf_retransmit_v02() {
+    test_regular_init_conf_retransmit(ProtocolVersion::V02)
+}
+
+#[test]
+#[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
+fn test_regular_init_conf_retransmit_v03() {
+    test_regular_init_conf_retransmit(ProtocolVersion::V03)
+}
+
+fn test_regular_init_conf_retransmit(protocol_version: ProtocolVersion) {
+    setup_logging();
+    rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
+    stacker::grow(8 * 1024 * 1024, || {
+        type MsgBufPlus = Public<MAX_MESSAGE_LEN>;
+        let (mut a, mut b) = make_server_pair(protocol_version).unwrap();
+
+        let mut a_to_b_buf = MsgBufPlus::zero();
+        let mut b_to_a_buf = MsgBufPlus::zero();
+
+        let ip_a: SocketAddrV4 = "127.0.0.1:8080".parse().unwrap();
+        let mut ip_addr_port_a = ip_a.ip().octets().to_vec();
+        ip_addr_port_a.extend_from_slice(&ip_a.port().to_be_bytes());
+
+        let _ip_b: SocketAddrV4 = "127.0.0.1:8081".parse().unwrap();
+
+        let init_hello_len = a.initiate_handshake(PeerPtr(0), &mut *a_to_b_buf).unwrap();
+
+        let init_msg_type: MsgType = a_to_b_buf.value[0].try_into().unwrap();
+        assert_eq!(init_msg_type, MsgType::InitHello);
+
+        //B handles InitHello, sends RespHello
+        let HandleMsgResult { resp, .. } = b
+            .handle_msg(&a_to_b_buf.as_slice()[..init_hello_len], &mut *b_to_a_buf)
+            .unwrap();
+
+        let resp_hello_len = resp.unwrap();
+
+        let resp_msg_type: MsgType = b_to_a_buf.value[0].try_into().unwrap();
+        assert_eq!(resp_msg_type, MsgType::RespHello);
+
+        //A handles RespHello, sends InitConf, exchanges keys
+        let HandleMsgResult {
+            resp,
+            exchanged_with,
+        } = a
+            .handle_msg(&b_to_a_buf[..resp_hello_len], &mut *a_to_b_buf)
+            .unwrap();
+
+        let init_conf_len = resp.unwrap();
+        let init_conf_msg_type: MsgType = a_to_b_buf.value[0].try_into().unwrap();
+
+        assert_eq!(exchanged_with, Some(PeerPtr(0)));
+        assert_eq!(init_conf_msg_type, MsgType::InitConf);
+
+        //B handles InitConf, sends EmptyData
+        let HandleMsgResult {
+            resp: _,
+            exchanged_with,
+        } = b
+            .handle_msg(&a_to_b_buf.as_slice()[..init_conf_len], &mut *b_to_a_buf)
+            .unwrap();
+
+        let empty_data_msg_type: MsgType = b_to_a_buf.value[0].try_into().unwrap();
+
+        assert_eq!(exchanged_with, Some(PeerPtr(0)));
+        assert_eq!(empty_data_msg_type, MsgType::EmptyData);
+
+        //B handles InitConf again, sends EmptyData
+        let HandleMsgResult {
+            resp: _,
+            exchanged_with,
+        } = b
+            .handle_msg(&a_to_b_buf.as_slice()[..init_conf_len], &mut *b_to_a_buf)
+            .unwrap();
+
+        let empty_data_msg_type: MsgType = b_to_a_buf.value[0].try_into().unwrap();
+
+        assert!(exchanged_with.is_none());
+        assert_eq!(empty_data_msg_type, MsgType::EmptyData);
+    });
+}
+
+#[test]
+#[serial]
+#[cfg(feature = "experiment_cookie_dos_mitigation")]
+fn cookie_reply_mechanism_responder_under_load_v02() {
+    cookie_reply_mechanism_initiator_bails_on_message_under_load(ProtocolVersion::V02)
+}
+
+#[test]
+#[serial]
+#[cfg(feature = "experiment_cookie_dos_mitigation")]
+fn cookie_reply_mechanism_responder_under_load_v03() {
+    cookie_reply_mechanism_initiator_bails_on_message_under_load(ProtocolVersion::V03)
+}
+
+#[cfg(feature = "experiment_cookie_dos_mitigation")]
+fn cookie_reply_mechanism_responder_under_load(protocol_version: ProtocolVersion) {
+    use std::{thread::sleep, time::Duration};
+
+    use super::{Lifecycle, MortalExt};
+
+    setup_logging();
+    rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
+    stacker::grow(8 * 1024 * 1024, || {
+        type MsgBufPlus = Public<MAX_MESSAGE_LEN>;
+        let (mut a, mut b) = make_server_pair(protocol_version.clone()).unwrap();
+
+        let mut a_to_b_buf = MsgBufPlus::zero();
+        let mut b_to_a_buf = MsgBufPlus::zero();
+
+        let ip_a: SocketAddrV4 = "127.0.0.1:8080".parse().unwrap();
+        let mut ip_addr_port_a = ip_a.ip().octets().to_vec();
+        ip_addr_port_a.extend_from_slice(&ip_a.port().to_be_bytes());
+
+        let _ip_b: SocketAddrV4 = "127.0.0.1:8081".parse().unwrap();
+
+        let init_hello_len = a.initiate_handshake(PeerPtr(0), &mut *a_to_b_buf).unwrap();
+        let socket_addr_a = std::net::SocketAddr::V4(ip_a);
+        let mut ip_addr_port_a = match socket_addr_a.ip() {
+            std::net::IpAddr::V4(ipv4) => ipv4.octets().to_vec(),
+            std::net::IpAddr::V6(ipv6) => ipv6.octets().to_vec(),
+        };
+
+        ip_addr_port_a.extend_from_slice(&socket_addr_a.port().to_be_bytes());
+
+        let ip_addr_port_a: VecHostIdentifier = ip_addr_port_a.into();
+
+        //B handles handshake under load, should send cookie reply message with invalid cookie
+        let HandleMsgResult { resp, .. } = b
+            .handle_msg_under_load(
+                &a_to_b_buf.as_slice()[..init_hello_len],
+                &mut *b_to_a_buf,
+                &ip_addr_port_a,
+            )
+            .unwrap();
+
+        let cookie_reply_len = resp.unwrap();
+
+        //A handles cookie reply message
+        a.handle_msg(&b_to_a_buf[..cookie_reply_len], &mut *a_to_b_buf)
+            .unwrap();
+
+        assert_eq!(PeerPtr(0).cv().lifecycle(&a), Lifecycle::Young);
+
+        let expected_cookie_value =
+            crate::hash_domains::cookie_value(protocol_version.keyed_hash())
+                .unwrap()
+                .mix(
+                    b.active_or_retired_cookie_secrets()[0]
+                        .unwrap()
+                        .get(&b)
+                        .value
+                        .secret(),
+                )
+                .unwrap()
+                .mix(ip_addr_port_a.encode())
+                .unwrap()
+                .into_value()[..16]
+                .to_vec();
+
+        assert_eq!(
+            PeerPtr(0).cv().get(&a).map(|x| &x.value.secret()[..]),
+            Some(&expected_cookie_value[..])
+        );
+
+        let retx_init_hello_len = loop {
+            match a.poll().unwrap() {
+                PollResult::SendRetransmission(peer) => {
+                    break a.retransmit_handshake(peer, &mut *a_to_b_buf).unwrap();
+                }
+                PollResult::Sleep(time) => {
+                    sleep(Duration::from_secs_f64(time));
+                }
+                _ => {}
+            }
+        };
+
+        let retx_msg_type: MsgType = a_to_b_buf.value[0].try_into().unwrap();
+        assert_eq!(retx_msg_type, MsgType::InitHello);
+
+        //B handles retransmitted message
+        let HandleMsgResult { resp, .. } = b
+            .handle_msg_under_load(
+                &a_to_b_buf.as_slice()[..retx_init_hello_len],
+                &mut *b_to_a_buf,
+                &ip_addr_port_a,
+            )
+            .unwrap();
+
+        let _resp_hello_len = resp.unwrap();
+
+        let resp_msg_type: MsgType = b_to_a_buf.value[0].try_into().unwrap();
+        assert_eq!(resp_msg_type, MsgType::RespHello);
+    });
+}
+
+#[test]
+#[serial]
+#[cfg(feature = "experiment_cookie_dos_mitigation")]
+fn cookie_reply_mechanism_initiator_bails_on_message_under_load_v02() {
+    cookie_reply_mechanism_initiator_bails_on_message_under_load(ProtocolVersion::V02)
+}
+
+#[test]
+#[serial]
+#[cfg(feature = "experiment_cookie_dos_mitigation")]
+fn cookie_reply_mechanism_initiator_bails_on_message_under_load_v03() {
+    cookie_reply_mechanism_initiator_bails_on_message_under_load(ProtocolVersion::V03)
+}
+
+#[cfg(feature = "experiment_cookie_dos_mitigation")]
+fn cookie_reply_mechanism_initiator_bails_on_message_under_load(protocol_version: ProtocolVersion) {
+    setup_logging();
+    rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
+    stacker::grow(8 * 1024 * 1024, || {
+        type MsgBufPlus = Public<MAX_MESSAGE_LEN>;
+        let (mut a, mut b) = make_server_pair(protocol_version).unwrap();
+
+        let mut a_to_b_buf = MsgBufPlus::zero();
+        let mut b_to_a_buf = MsgBufPlus::zero();
+
+        let ip_a: SocketAddrV4 = "127.0.0.1:8080".parse().unwrap();
+        let mut ip_addr_port_a = ip_a.ip().octets().to_vec();
+        ip_addr_port_a.extend_from_slice(&ip_a.port().to_be_bytes());
+        let ip_b: SocketAddrV4 = "127.0.0.1:8081".parse().unwrap();
+
+        //A initiates handshake
+        let init_hello_len = a.initiate_handshake(PeerPtr(0), &mut *a_to_b_buf).unwrap();
+
+        //B handles InitHello message, should respond with RespHello
+        let HandleMsgResult { resp, .. } = b
+            .handle_msg(&a_to_b_buf.as_slice()[..init_hello_len], &mut *b_to_a_buf)
+            .unwrap();
+
+        let resp_hello_len = resp.unwrap();
+        let resp_msg_type: MsgType = b_to_a_buf.value[0].try_into().unwrap();
+        assert_eq!(resp_msg_type, MsgType::RespHello);
+
+        let socket_addr_b = std::net::SocketAddr::V4(ip_b);
+        let mut ip_addr_port_b = [0u8; 18];
+        let mut ip_addr_port_b_len = 0;
+        match socket_addr_b.ip() {
+            std::net::IpAddr::V4(ipv4) => {
+                ip_addr_port_b[0..4].copy_from_slice(&ipv4.octets());
+                ip_addr_port_b_len += 4;
+            }
+            std::net::IpAddr::V6(ipv6) => {
+                ip_addr_port_b[0..16].copy_from_slice(&ipv6.octets());
+                ip_addr_port_b_len += 16;
+            }
+        };
+
+        ip_addr_port_b[ip_addr_port_b_len..ip_addr_port_b_len + 2]
+            .copy_from_slice(&socket_addr_b.port().to_be_bytes());
+        ip_addr_port_b_len += 2;
+
+        let ip_addr_port_b: VecHostIdentifier =
+            ip_addr_port_b[..ip_addr_port_b_len].to_vec().into();
+
+        //A handles RespHello message under load, should not send cookie reply
+        assert!(a
+            .handle_msg_under_load(
+                &b_to_a_buf[..resp_hello_len],
+                &mut *a_to_b_buf,
+                &ip_addr_port_b
+            )
+            .is_err());
+    });
+}
+
+#[test]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
+fn init_conf_retransmission_v02() -> Result<()> {
+    init_conf_retransmission(ProtocolVersion::V02)
+}
+
+#[test]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
+fn init_conf_retransmission_v03() -> Result<()> {
+    init_conf_retransmission(ProtocolVersion::V03)
+}
+
+fn init_conf_retransmission(protocol_version: ProtocolVersion) -> anyhow::Result<()> {
+    rosenpass_secret_memory::secret_policy_try_use_memfd_secrets();
+
+    fn keypair() -> Result<(SSk, SPk)> {
+        let (mut sk, mut pk) = (SSk::zero(), SPk::zero());
+        StaticKem.keygen(sk.secret_mut(), pk.deref_mut())?;
+        Ok((sk, pk))
+    }
+
+    fn proc_initiation(srv: &mut CryptoServer, peer: PeerPtr) -> Result<Envelope<InitHello>> {
+        let mut buf = MsgBuf::zero();
+        srv.initiate_handshake(peer, buf.as_mut_slice())?
+            .discard_result();
+        let msg = truncating_cast_into::<Envelope<InitHello>>(buf.borrow_mut())?;
+        Ok(zerocopy::Ref::read(&msg))
+    }
+
+    fn proc_msg<Rx: IntoBytes + FromBytes + Immutable, Tx: IntoBytes + FromBytes + Immutable>(
+        srv: &mut CryptoServer,
+        rx: &Envelope<Rx>,
+    ) -> anyhow::Result<Envelope<Tx>> {
+        let mut buf = MsgBuf::zero();
+        srv.handle_msg(rx.as_bytes(), buf.as_mut_slice())?
+            .resp
+            .context("Failed to produce RespHello message")?
+            .discard_result();
+        let msg = truncating_cast_into::<Envelope<Tx>>(buf.borrow_mut())?;
+        Ok(zerocopy::Ref::read(&msg))
+    }
+
+    fn proc_init_hello(
+        srv: &mut CryptoServer,
+        ih: &Envelope<InitHello>,
+    ) -> anyhow::Result<Envelope<RespHello>> {
+        proc_msg::<InitHello, RespHello>(srv, ih)
+    }
+
+    fn proc_resp_hello(
+        srv: &mut CryptoServer,
+        rh: &Envelope<RespHello>,
+    ) -> anyhow::Result<Envelope<InitConf>> {
+        proc_msg::<RespHello, InitConf>(srv, rh)
+    }
+
+    fn proc_init_conf(
+        srv: &mut CryptoServer,
+        rh: &Envelope<InitConf>,
+    ) -> anyhow::Result<Envelope<EmptyData>> {
+        proc_msg::<InitConf, EmptyData>(srv, rh)
+    }
+
+    fn poll(srv: &mut CryptoServer) -> anyhow::Result<()> {
+        // Discard all events; just apply the side effects
+        while !matches!(srv.poll()?, PollResult::Sleep(_)) {}
+        Ok(())
+    }
+
+    // TODO: Implement Clone on our message types
+    fn clone_msg<Msg: IntoBytes + FromBytes + Immutable + KnownLayout>(
+        msg: &Msg,
+    ) -> anyhow::Result<Msg> {
+        Ok(zerocopy::Ref::read(&truncating_cast_into_nomut::<Msg>(
+            msg.as_bytes(),
+        )?))
+    }
+
+    fn break_payload<Msg: IntoBytes + FromBytes + Immutable + KnownLayout>(
+        srv: &mut CryptoServer,
+        peer: PeerPtr,
+        msg: &Envelope<Msg>,
+    ) -> anyhow::Result<Envelope<Msg>> {
+        let mut msg = clone_msg(msg)?;
+        msg.as_mut_bytes()[memoffset::offset_of!(Envelope<Msg>, payload)] ^= 0x01;
+        msg.seal(peer, srv)?; // Recalculate seal; we do not want to focus on "seal broken" errs
+        Ok(msg)
+    }
+
+    fn check_faulty_proc_init_conf(srv: &mut CryptoServer, ic_broken: &Envelope<InitConf>) {
+        let mut buf = MsgBuf::zero();
+        let res = srv.handle_msg(ic_broken.as_bytes(), buf.as_mut_slice());
+        assert!(res.is_err());
+    }
+
+    // we this as a closure in orer to use the protocol_version variable in it.
+    let check_retransmission = |srv: &mut CryptoServer,
+                                ic: &Envelope<InitConf>,
+                                ic_broken: &Envelope<InitConf>,
+                                rc: &Envelope<EmptyData>|
+     -> Result<()> {
+        // Processing the same RespHello package again leads to retransmission (i.e. exactly the
+        // same output)
+        let rc_dup = proc_init_conf(srv, ic)?;
+        assert_eq!(rc.as_bytes(), rc_dup.as_bytes());
+
+        // Though if we directly call handle_resp_hello() we get an error since
+        // retransmission is not being handled by the cryptographic code
+        let mut discard_resp_conf = EmptyData::new_zeroed();
+        let res = srv.handle_init_conf(
+            &ic.payload,
+            &mut discard_resp_conf,
+            protocol_version.clone().keyed_hash(),
+        );
+        assert!(res.is_err());
+
+        // Obviously, a broken InitConf message should still be rejected
+        check_faulty_proc_init_conf(srv, ic_broken);
+
+        Ok(())
+    };
+
+    let (ska, pka) = keypair()?;
+    let (skb, pkb) = keypair()?;
+
+    // initialize server and a pre-shared key
+    let mut a = CryptoServer::new(ska, pka.clone());
+    let mut b = CryptoServer::new(skb, pkb.clone());
+
+    // introduce peers to each other
+    let b_peer = a.add_peer(
+        None,
+        pkb,
+        protocol_version.clone(),
+        OskDomainSeparator::default(),
+    )?;
+    let a_peer = b.add_peer(
+        None,
+        pka,
+        protocol_version.clone(),
+        OskDomainSeparator::default(),
+    )?;
+
+    // Execute protocol up till the responder confirmation (EmptyData)
+    let ih1 = proc_initiation(&mut a, b_peer)?;
+    let rh1 = proc_init_hello(&mut b, &ih1)?;
+    let ic1 = proc_resp_hello(&mut a, &rh1)?;
+    let rc1 = proc_init_conf(&mut b, &ic1)?;
+
+    // Modified version of ic1 and rc1, for tests that require it
+    let ic1_broken = break_payload(&mut a, b_peer, &ic1)?;
+    assert_ne!(ic1.as_bytes(), ic1_broken.as_bytes());
+
+    // Modified version of rc1, for tests that require it
+    let rc1_broken = break_payload(&mut b, a_peer, &rc1)?;
+    assert_ne!(rc1.as_bytes(), rc1_broken.as_bytes());
+
+    // Retransmission works as designed
+    check_retransmission(&mut b, &ic1, &ic1_broken, &rc1)?;
+
+    // Even with a couple of poll operations in between (which clears the cache
+    // after a time out of two minutes…we should never hit this time out in this
+    // cache)
+    for _ in 0..4 {
+        poll(&mut b)?;
+        check_retransmission(&mut b, &ic1, &ic1_broken, &rc1)?;
+    }
+    // We can even validate that the data is coming out of the cache by changing the cache
+    // to use our broken messages. It does not matter that these messages are cryptographically
+    // broken since we insert them manually into the cache
+    // a_peer.known_init_conf_response()
+    KnownInitConfResponsePtr::insert_for_request_msg(
+        &mut b,
+        a_peer,
+        &ic1_broken,
+        rc1_broken.clone(),
+    );
+    check_retransmission(&mut b, &ic1_broken, &ic1, &rc1_broken)?;
+
+    // Lets reset to the correct message though
+    KnownInitConfResponsePtr::insert_for_request_msg(&mut b, a_peer, &ic1, rc1.clone());
+
+    // Again, nothing changes after calling poll
+    poll(&mut b)?;
+    check_retransmission(&mut b, &ic1, &ic1_broken, &rc1)?;
+
+    // Except if we jump forward into the future past the point where the responder
+    // starts to initiate rekeying; in this case, the automatic time out is triggered and the cache is cleared
+    super::testutils::time_travel_forward(&mut b, REKEY_AFTER_TIME_RESPONDER);
+
+    // As long as we do not call poll, everything is fine
+    check_retransmission(&mut b, &ic1, &ic1_broken, &rc1)?;
+
+    // But after we do, the response is gone and can not be recreated
+    // since the biscuit is stale
+    poll(&mut b)?;
+    check_faulty_proc_init_conf(&mut b, &ic1); // ic1 is now effectively broken
+    assert!(b.peers[0].known_init_conf_response.is_none()); // The cache is gone
+
+    Ok(())
+}