gitea-mirror/rosenpass
1
0
Fork 0
mirror of https://github.com/rosenpass/rosenpass.git synced 2025-12-12 15:49:22 -08:00
Code Issues Packages Projects Releases Wiki Activity

Dev/wucke13 nix maintenance (#640)

Browse Source
This commit is contained in:
Karolin Varner
2025-05-09 18:32:44 +02:00
committed by GitHub
parent 1025de2c64 50501f37fd
commit db9d0b642b
27 changed files with 664 additions and 473 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.ci/gen-workflow-files.nu
View File

@@ -32,9 +32,9 @@ let systems_map = {
# aarch64-darwin
# aarch64-linux
i686-linux: ubuntu-latest,
i686-linux: ubicloud-standard-2-ubuntu-2204,
x86_64-darwin: macos-13,
x86_64-linux: ubuntu-latest
x86_64-linux: ubicloud-standard-2-ubuntu-2204
}
let targets = (get-attr-names ".#packages"
@@ -61,14 +61,13 @@ mut release_workflow = {
let runner_setup = [
{
uses: "actions/checkout@v3"
uses: "actions/checkout@v4"
}
{
uses: "cachix/install-nix-action@v22",
with: { nix_path: "nixpkgs=channel:nixos-unstable" }
uses: "cachix/install-nix-action@v30",
}
{
uses: "cachix/cachix-action@v12",
uses: "cachix/cachix-action@v15",
with: {
name: rosenpass,
authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
@@ -154,7 +153,7 @@ for system in ($targets | columns) {
}
{
name: Release,
uses: "softprops/action-gh-release@v1",
uses: "softprops/action-gh-release@v2",
with: {
draft: "${{ contains(github.ref_name, 'rc') }}",
prerelease: "${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') }}",
@@ -182,7 +181,7 @@ $cachix_workflow.jobs = ($cachix_workflow.jobs | insert $"($system)---whitepaper
}
{
name: "Deploy PDF artifacts",
uses: "peaceiris/actions-gh-pages@v3",
uses: "peaceiris/actions-gh-pages@v4",
with: {
github_token: "${{ secrets.GITHUB_TOKEN }}",
publish_dir: result/,

35
Cargo.toml
View File

@@ -2,17 +2,17 @@
resolver = "2"
members = [
"rosenpass",
"cipher-traits",
"ciphers",
"util",
"constant-time",
"oqs",
"to",
"fuzz",
"secret-memory",
"rp",
"wireguard-broker",
"rosenpass",
"cipher-traits",
"ciphers",
"util",
"constant-time",
"oqs",
"to",
"fuzz",
"secret-memory",
"rp",
"wireguard-broker",
]
default-members = ["rosenpass", "rp", "wireguard-broker"]
@@ -42,7 +42,7 @@ toml = "0.7.8"
static_assertions = "1.1.0"
allocator-api2 = "0.2.14"
memsec = { git = "https://github.com/rosenpass/memsec.git", rev = "aceb9baee8aec6844125bd6612f92e9a281373df", features = [
"alloc_ext",
"alloc_ext",
] }
rand = "0.8.5"
typenum = "1.17.0"
@@ -55,14 +55,14 @@ arbitrary = { version = "1.4.1", features = ["derive"] }
anyhow = { version = "1.0.95", features = ["backtrace", "std"] }
mio = { version = "1.0.3", features = ["net", "os-poll"] }
oqs-sys = { version = "0.9.1", default-features = false, features = [
'classic_mceliece',
'kyber',
'classic_mceliece',
'kyber',
] }
blake2 = "0.10.6"
sha3 = "0.10.8"
chacha20poly1305 = { version = "0.10.1", default-features = false, features = [
"std",
"heapless",
"std",
"heapless",
] }
zerocopy = { version = "0.7.35", features = ["derive"] }
home = "=0.5.9" # 5.11 requires rustc 1.81
@@ -72,7 +72,7 @@ postcard = { version = "1.1.1", features = ["alloc"] }
libcrux = { version = "0.0.2-pre.2" }
libcrux-chacha20poly1305 = { version = "0.0.2-beta.3" }
libcrux-ml-kem = { version = "0.0.2-beta.3" }
libcrux-blake2 = { git = "https://github.com/cryspen/libcrux.git", rev = "10ce653e9476"}
libcrux-blake2 = { git = "https://github.com/cryspen/libcrux.git", rev = "10ce653e9476" }
hex-literal = { version = "0.4.1" }
hex = { version = "0.4.3" }
heck = { version = "0.5.0" }
@@ -90,7 +90,6 @@ criterion = "0.5.1"
allocator-api2-tests = "0.2.15"
procspawn = { version = "1.0.1", features = ["test-support"] }
#Broker dependencies (might need cleanup or changes)
wireguard-uapi = { version = "3.0.0", features = ["xplatform"] }
command-fds = "0.2.3"

2
cipher-traits/Cargo.toml
View File

@@ -8,7 +8,7 @@ description = "Rosenpass internal traits for cryptographic primitives"
homepage = "https://rosenpass.eu/"
repository = "https://github.com/rosenpass/rosenpass"
readme = "readme.md"
rust-version = "1.77"
rust-version = "1.77.0"
[dependencies]
thiserror = { workspace = true }

14
ciphers/Cargo.toml
View File

@@ -8,20 +8,20 @@ description = "Rosenpass internal ciphers and other cryptographic primitives use
homepage = "https://rosenpass.eu/"
repository = "https://github.com/rosenpass/rosenpass"
readme = "readme.md"
rust-version = "1.77"
rust-version = "1.77.0"
[features]
experiment_libcrux_all = [
"experiment_libcrux_blake2",
"experiment_libcrux_chachapoly",
"experiment_libcrux_chachapoly_test",
"experiment_libcrux_kyber",
"experiment_libcrux_blake2",
"experiment_libcrux_chachapoly",
"experiment_libcrux_chachapoly_test",
"experiment_libcrux_kyber",
]
experiment_libcrux_blake2 = ["dep:libcrux-blake2", "dep:thiserror"]
experiment_libcrux_chachapoly = ["dep:libcrux-chacha20poly1305"]
experiment_libcrux_chachapoly_test = [
"experiment_libcrux_chachapoly",
"dep:libcrux",
"experiment_libcrux_chachapoly",
"dep:libcrux",
]
experiment_libcrux_kyber = ["dep:libcrux-ml-kem", "dep:rand"]

2
constant-time/Cargo.toml
View File

@@ -8,7 +8,7 @@ description = "Rosenpass internal utilities for constant time crypto implementat
homepage = "https://rosenpass.eu/"
repository = "https://github.com/rosenpass/rosenpass"
readme = "readme.md"
rust-version = "1.77"
rust-version = "1.77.0"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

34
deny.toml
View File

@@ -24,11 +24,7 @@ feature-depth = 1
[advisories]
# A list of advisory IDs to ignore. Note that ignored advisories will still
# output a note when they are encountered.
ignore = [
"RUSTSEC-2024-0370",
"RUSTSEC-2024-0436",
"RUSTSEC-2023-0089",
]
ignore = ["RUSTSEC-2024-0370", "RUSTSEC-2024-0436", "RUSTSEC-2023-0089"]
# If this is true, then cargo deny will use the git executable to fetch advisory database.
# If this is false, then it uses a built-in git library.
# Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support.
@@ -43,11 +39,11 @@ ignore = [
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-3-Clause",
"ISC",
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-3-Clause",
"ISC",
]
# The confidence threshold for detecting a license from license text.
# The higher the value, the more closely the license text must be to the
@@ -57,10 +53,10 @@ confidence-threshold = 0.8
# Allow 1 or more licenses on a per-crate basis, so that particular licenses
# aren't accepted for every possible crate as with the normal allow list
exceptions = [
# Each entry is the crate and version constraint, and its specific allow
# list
{ allow = ["Unicode-DFS-2016", "Unicode-3.0"], crate = "unicode-ident" },
{ allow = ["NCSA"], crate = "libfuzzer-sys" },
# Each entry is the crate and version constraint, and its specific allow
# list
{ allow = ["Unicode-DFS-2016", "Unicode-3.0"], crate = "unicode-ident" },
{ allow = ["NCSA"], crate = "libfuzzer-sys" },
]
@@ -94,15 +90,11 @@ workspace-default-features = "allow"
# on a crate-by-crate basis if desired.
external-default-features = "allow"
# List of crates that are allowed. Use with care!
allow = [
]
allow = []
# List of crates to deny
deny = [
]
deny = []
skip-tree = [
]
skip-tree = []
# This section is considered when running `cargo deny check sources`.
# More documentation about the 'sources' section can be found here:

69
flake.lock generated
View File

@@ -1,26 +1,5 @@
{
"nodes": {
"fenix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1728282832,
"narHash": "sha256-I7AbcwGggf+CHqpyd/9PiAjpIBGTGx5woYHqtwxaV7I=",
"owner": "nix-community",
"repo": "fenix",
"rev": "1ec71be1f4b8f3105c5d38da339cb061fefc43f4",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
@@ -77,26 +56,30 @@
},
"root": {
"inputs": {
"fenix": "fenix",
"flake-utils": "flake-utils",
"nix-vm-test": "nix-vm-test",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs",
"rust-overlay": "rust-overlay",
"treefmt-nix": "treefmt-nix"
}
},
"rust-analyzer-src": {
"flake": false,
"rust-overlay": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1728249780,
"narHash": "sha256-J269DvCI5dzBmPrXhAAtj566qt0b22TJtF3TIK+tMsI=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "2b750da1a1a2c1d2c70896108d7096089842d877",
"lastModified": 1744513456,
"narHash": "sha256-NLVluTmK8d01Iz+WyarQhwFcXpHEwU7m5hH3YQQFJS0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "730fd8e82799219754418483fabe1844262fd1e2",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
@@ -114,6 +97,26 @@
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1743748085,
"narHash": "sha256-uhjnlaVTWo5iD3LXics1rp9gaKgDRQj6660+gbUU3cE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "815e4121d6a5d504c0f96e5be2dd7f871e4fd99d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",

288
flake.nix
View File

@@ -3,41 +3,51 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
flake-utils.url = "github:numtide/flake-utils";
# for rust nightly with llvm-tools-preview
fenix.url = "github:nix-community/fenix";
fenix.inputs.nixpkgs.follows = "nixpkgs";
nix-vm-test.url = "github:numtide/nix-vm-test";
nix-vm-test.inputs.nixpkgs.follows = "nixpkgs";
nix-vm-test.inputs.flake-utils.follows = "flake-utils";
# for rust nightly with llvm-tools-preview
rust-overlay.url = "github:oxalica/rust-overlay";
rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
treefmt-nix.url = "github:numtide/treefmt-nix";
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, flake-utils, nix-vm-test, ... }@inputs:
outputs =
{
self,
nixpkgs,
flake-utils,
nix-vm-test,
rust-overlay,
treefmt-nix,
...
}@inputs:
nixpkgs.lib.foldl (a: b: nixpkgs.lib.recursiveUpdate a b) { } [
#
### Export the overlay.nix from this flake ###
#
{
overlays.default = import ./overlay.nix;
}
{ overlays.default = import ./overlay.nix; }
#
### Actual Rosenpass Package and Docker Container Images ###
#
(flake-utils.lib.eachSystem [
"x86_64-linux"
"aarch64-linux"
(flake-utils.lib.eachSystem
[
"x86_64-linux"
"aarch64-linux"
# unsuported best-effort
"i686-linux"
"x86_64-darwin"
"aarch64-darwin"
# "x86_64-windows"
]
(system:
# unsuported best-effort
"i686-linux"
"x86_64-darwin"
"aarch64-darwin"
# "x86_64-windows"
]
(
system:
let
# normal nixpkgs
pkgs = import nixpkgs {
@@ -48,130 +58,150 @@
};
in
{
packages = {
default = pkgs.rosenpass;
rosenpass = pkgs.rosenpass;
rosenpass-oci-image = pkgs.rosenpass-oci-image;
rp = pkgs.rp;
packages =
{
default = pkgs.rosenpass;
rosenpass = pkgs.rosenpass;
rosenpass-oci-image = pkgs.rosenpass-oci-image;
rp = pkgs.rp;
release-package = pkgs.release-package;
release-package = pkgs.release-package;
# for good measure, we also offer to cross compile to Linux on Arm
aarch64-linux-rosenpass-static =
pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rosenpass;
aarch64-linux-rp-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rp;
}
//
# We only offer static builds for linux, as this is not supported on OS X
(nixpkgs.lib.attrsets.optionalAttrs pkgs.stdenv.isLinux {
rosenpass-static = pkgs.pkgsStatic.rosenpass;
rosenpass-static-oci-image = pkgs.pkgsStatic.rosenpass-oci-image;
rp-static = pkgs.pkgsStatic.rp;
});
# for good measure, we also offer to cross compile to Linux on Arm
aarch64-linux-rosenpass-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rosenpass;
aarch64-linux-rp-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rp;
}
//
# We only offer static builds for linux, as this is not supported on OS X
(nixpkgs.lib.attrsets.optionalAttrs pkgs.stdenv.isLinux {
rosenpass-static = pkgs.pkgsStatic.rosenpass;
rosenpass-static-oci-image = pkgs.pkgsStatic.rosenpass-oci-image;
rp-static = pkgs.pkgsStatic.rp;
});
}
))
)
)
#
### Linux specifics ###
#
(flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
let
pkgs = import nixpkgs {
inherit system;
(flake-utils.lib.eachSystem
[
"x86_64-linux"
"aarch64-linux"
]
(
system:
let
pkgs = import nixpkgs {
inherit system;
# apply our own overlay, overriding/inserting our packages as defined in ./pkgs
overlays = [
self.overlays.default
nix-vm-test.overlays.default
];
};
in
{
packages.package-deb = pkgs.callPackage ./pkgs/package-deb.nix {
rosenpass = pkgs.pkgsStatic.rosenpass;
};
packages.package-rpm = pkgs.callPackage ./pkgs/package-rpm.nix {
rosenpass = pkgs.pkgsStatic.rosenpass;
};
overlays = [
# apply our own overlay, overriding/inserting our packages as defined in ./pkgs
self.overlays.default
#
### Reading materials ###
#
packages.whitepaper = pkgs.whitepaper;
nix-vm-test.overlays.default
#
### Proof and Proof Tools ###
#
packages.proverif-patched = pkgs.proverif-patched;
packages.proof-proverif = pkgs.proof-proverif;
# apply rust-overlay to get specific versions of the rust toolchain for a MSRV check
(import rust-overlay)
];
};
treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
in
{
packages.package-deb = pkgs.callPackage ./pkgs/package-deb.nix {
rosenpass = pkgs.pkgsStatic.rosenpass;
};
packages.package-rpm = pkgs.callPackage ./pkgs/package-rpm.nix {
rosenpass = pkgs.pkgsStatic.rosenpass;
};
#
### Devshells ###
#
devShells.default = pkgs.mkShell {
inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = with pkgs; [
cargo-release
clippy
rustfmt
nodePackages.prettier
nushell # for the .ci/gen-workflow-files.nu script
proverif-patched
];
};
# TODO: Write this as a patched version of the default environment
devShells.fullEnv = pkgs.mkShell {
inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = with pkgs; [
cargo-audit
cargo-release
cargo-msrv
rustfmt
nodePackages.prettier
nushell # for the .ci/gen-workflow-files.nu script
proverif-patched
inputs.fenix.packages.${system}.complete.toolchain
pkgs.cargo-llvm-cov
pkgs.grcov
];
};
devShells.coverage = pkgs.mkShell {
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = [
inputs.fenix.packages.${system}.complete.toolchain
pkgs.cargo-llvm-cov
pkgs.grcov
];
};
#
### Reading materials ###
#
packages.whitepaper = pkgs.whitepaper;
#
### Proof and Proof Tools ###
#
packages.proverif-patched = pkgs.proverif-patched;
packages.proof-proverif = pkgs.proof-proverif;
checks = {
systemd-rosenpass = pkgs.testers.runNixOSTest ./tests/systemd/rosenpass.nix;
systemd-rp = pkgs.testers.runNixOSTest ./tests/systemd/rp.nix;
#
### Devshells ###
#
devShells.default = pkgs.mkShell {
inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = with pkgs; [
cargo-release
clippy
rustfmt
nodePackages.prettier
nushell # for the .ci/gen-workflow-files.nu script
proverif-patched
];
};
# TODO: Write this as a patched version of the default environment
devShells.fullEnv = pkgs.mkShell {
inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = with pkgs; [
cargo-audit
cargo-msrv
cargo-release
cargo-vet
rustfmt
nodePackages.prettier
nushell # for the .ci/gen-workflow-files.nu script
proverif-patched
pkgs.cargo-llvm-cov
pkgs.grcov
pkgs.rust-bin.stable.latest.complete
];
};
devShells.coverage = pkgs.mkShell {
inputsFrom = [ pkgs.rosenpass ];
nativeBuildInputs = [
pkgs.cargo-llvm-cov
pkgs.grcov
pkgs.rustc.llvmPackages.llvm
];
env = {
inherit (pkgs.cargo-llvm-cov) LLVM_COV LLVM_PROFDATA;
};
};
cargo-fmt = pkgs.runCommand "check-cargo-fmt"
{ inherit (self.devShells.${system}.default) nativeBuildInputs buildInputs; } ''
cargo fmt --manifest-path=${./.}/Cargo.toml --check --all && touch $out
'';
nixpkgs-fmt = pkgs.runCommand "check-nixpkgs-fmt"
{ nativeBuildInputs = [ pkgs.nixpkgs-fmt ]; } ''
nixpkgs-fmt --check ${./.} && touch $out
'';
prettier-check = pkgs.runCommand "check-with-prettier"
{ nativeBuildInputs = [ pkgs.nodePackages.prettier ]; } ''
cd ${./.} && prettier --check . && touch $out
'';
} // pkgs.lib.optionalAttrs (system == "x86_64-linux") (import ./tests/legacy-distro-packaging.nix {
inherit pkgs;
rosenpass-deb = self.packages.${system}.package-deb;
rosenpass-rpm = self.packages.${system}.package-rpm;
});
checks =
{
systemd-rosenpass = pkgs.testers.runNixOSTest ./tests/systemd/rosenpass.nix;
systemd-rp = pkgs.testers.runNixOSTest ./tests/systemd/rp.nix;
formatting = treefmtEval.config.build.check self;
rosenpass-msrv-check =
let
rosenpassCargoToml = pkgs.lib.trivial.importTOML ./rosenpass/Cargo.toml;
formatter = pkgs.nixpkgs-fmt;
}))
rustToolchain = pkgs.rust-bin.stable.${rosenpassCargoToml.package.rust-version}.default;
rustPlatform = pkgs.makeRustPlatform {
cargo = rustToolchain;
rustc = rustToolchain;
};
in
pkgs.rosenpass.override { inherit rustPlatform; };
}
// pkgs.lib.optionalAttrs (system == "x86_64-linux") (
import ./tests/legacy-distro-packaging.nix {
inherit pkgs;
rosenpass-deb = self.packages.${system}.package-deb;
rosenpass-rpm = self.packages.${system}.package-rpm;
}
);
# for `nix fmt`
formatter = treefmtEval.config.build.wrapper;
}
)
)
];
}

2
fuzz/Cargo.toml
View File

@@ -3,7 +3,7 @@ name = "rosenpass-fuzzing"
version = "0.0.1"
publish = false
edition = "2021"
rust-version = "1.77"
rust-version = "1.77.0"
[features]
experiment_libcrux = ["rosenpass-ciphers/experiment_libcrux_all"]

2
oqs/Cargo.toml
View File

@@ -8,7 +8,7 @@ description = "Rosenpass internal bindings to liboqs"
homepage = "https://rosenpass.eu/"
repository = "https://github.com/rosenpass/rosenpass"
readme = "readme.md"
rust-version = "1.77"
rust-version = "1.77.0"
[dependencies]
rosenpass-cipher-traits = { workspace = true }

6
overlay.nix
View File

@@ -1,6 +1,5 @@
final: prev: {
#
### Actual rosenpass software ###
#
@@ -27,7 +26,10 @@ final: prev: {
"marzipan(/marzipan.awk)?"
"analysis(/.*)?"
];
nativeBuildInputs = [ final.proverif final.graphviz ];
nativeBuildInputs = [
final.proverif
final.graphviz
];
CRYPTOVERIF_LIB = final.proverif-patched + "/lib/cryptoverif.pvl";
installPhase = ''
mkdir -p $out

6
pkgs/package-deb.nix
View File

@@ -1,4 +1,8 @@
{ runCommand, dpkg, rosenpass }:
{
runCommand,
dpkg,
rosenpass,
}:
let
inherit (rosenpass) version;

13
pkgs/package-rpm.nix
View File

@@ -1,12 +1,15 @@
{ lib, system, runCommand, rosenpass, rpm }:
{
lib,
system,
runCommand,
rosenpass,
rpm,
}:
let
splitVersion = lib.strings.splitString "-" rosenpass.version;
version = builtins.head splitVersion;
release =
if builtins.length splitVersion != 2
then "release"
else builtins.elemAt splitVersion 1;
release = if builtins.length splitVersion != 2 then "release" else builtins.elemAt splitVersion 1;
arch = builtins.head (builtins.split "-" system);
in

23
pkgs/release-package.nix
View File

@@ -1,21 +1,24 @@
{ lib, stdenvNoCC, runCommandNoCC, pkgsStatic, rosenpass, rosenpass-oci-image, rp } @ args:
{
lib,
stdenvNoCC,
runCommandNoCC,
pkgsStatic,
rosenpass,
rosenpass-oci-image,
rp,
}@args:
let
version = rosenpass.version;
# select static packages on Linux, default packages otherwise
package =
if stdenvNoCC.hostPlatform.isLinux then
pkgsStatic.rosenpass
else args.rosenpass;
rp =
if stdenvNoCC.hostPlatform.isLinux then
pkgsStatic.rp
else args.rp;
package = if stdenvNoCC.hostPlatform.isLinux then pkgsStatic.rosenpass else args.rosenpass;
rp = if stdenvNoCC.hostPlatform.isLinux then pkgsStatic.rp else args.rp;
oci-image =
if stdenvNoCC.hostPlatform.isLinux then
pkgsStatic.rosenpass-oci-image
else args.rosenpass-oci-image;
else
args.rosenpass-oci-image;
in
runCommandNoCC "lace-result" { } ''
mkdir {bin,$out}

6
pkgs/rosenpass-oci-image.nix
View File

@@ -1,4 +1,8 @@
{ dockerTools, buildEnv, rosenpass }:
{
dockerTools,
buildEnv,
rosenpass,
}:
dockerTools.buildImage {
name = rosenpass.name + "-oci";

60
pkgs/rosenpass.nix
View File

@@ -1,4 +1,13 @@
{ lib, stdenv, rustPlatform, cmake, mandoc, removeReferencesTo, bash, package ? "rosenpass" }:
{
lib,
stdenv,
rustPlatform,
cmake,
mandoc,
removeReferencesTo,
bash,
package ? "rosenpass",
}:
let
# whether we want to build a statically linked binary
@@ -17,24 +26,30 @@ let
"toml"
];
# Files to explicitly include
files = [
"to/README.md"
];
files = [ "to/README.md" ];
src = ../.;
filter = (path: type: scoped rec {
inherit (lib) any id removePrefix hasSuffix;
anyof = (any id);
filter = (
path: type:
scoped rec {
inherit (lib)
any
id
removePrefix
hasSuffix
;
anyof = (any id);
basename = baseNameOf (toString path);
relative = removePrefix (toString src + "/") (toString path);
basename = baseNameOf (toString path);
relative = removePrefix (toString src + "/") (toString path);
result = anyof [
(type == "directory")
(any (ext: hasSuffix ".${ext}" basename) extensions)
(any (file: file == relative) files)
];
});
result = anyof [
(type == "directory")
(any (ext: hasSuffix ".${ext}" basename) extensions)
(any (file: file == relative) files)
];
}
);
result = lib.sources.cleanSourceWith { inherit src filter; };
};
@@ -47,8 +62,14 @@ rustPlatform.buildRustPackage {
version = cargoToml.package.version;
inherit src;
cargoBuildOptions = [ "--package" package ];
cargoTestOptions = [ "--package" package ];
cargoBuildOptions = [
"--package"
package
];
cargoTestOptions = [
"--package"
package
];
doCheck = true;
@@ -81,7 +102,10 @@ rustPlatform.buildRustPackage {
meta = {
inherit (cargoToml.package) description homepage;
license = with lib.licenses; [ mit asl20 ];
license = with lib.licenses; [
mit
asl20
];
maintainers = [ lib.maintainers.wucke13 ];
platforms = lib.platforms.all;
};

55
pkgs/whitepaper.nix
View File

@@ -1,13 +1,52 @@
{ stdenvNoCC, texlive, ncurses, python3Packages, which }:
{
stdenvNoCC,
texlive,
ncurses,
python3Packages,
which,
}:
let
customTexLiveSetup = (texlive.combine {
inherit (texlive) acmart amsfonts biber biblatex biblatex-software
biblatex-trad ccicons csquotes csvsimple doclicense eso-pic fancyvrb
fontspec gitinfo2 gobble ifmtarg koma-script latexmk lm lualatex-math
markdown mathtools minted noto nunito paralist pgf scheme-basic soul
unicode-math upquote xifthen xkeyval xurl;
});
customTexLiveSetup = (
texlive.combine {
inherit (texlive)
acmart
amsfonts
biber
biblatex
biblatex-software
biblatex-trad
ccicons
csquotes
csvsimple
doclicense
eso-pic
fancyvrb
fontspec
gitinfo2
gobble
ifmtarg
koma-script
latexmk
lm
lualatex-math
markdown
mathtools
minted
noto
nunito
paralist
pgf
scheme-basic
soul
unicode-math
upquote
xifthen
xkeyval
xurl
;
}
);
in
stdenvNoCC.mkDerivation {
name = "whitepaper";

22
rosenpass/Cargo.toml
View File

@@ -8,7 +8,7 @@ description = "Build post-quantum-secure VPNs with WireGuard!"
homepage = "https://rosenpass.eu/"
repository = "https://github.com/rosenpass/rosenpass"
readme = "readme.md"
rust-version = "1.77"
rust-version = "1.77.0"
[[bin]]
name = "rosenpass"
@@ -30,9 +30,9 @@ required-features = ["experiment_api", "internal_testing"]
[[test]]
name = "gen-ipc-msg-types"
required-features = [
"experiment_api",
"internal_testing",
"internal_bin_gen_ipc_msg_types",
"experiment_api",
"internal_testing",
"internal_bin_gen_ipc_msg_types",
]
[[bench]]
@@ -92,16 +92,16 @@ experiment_memfd_secret = ["rosenpass-wireguard-broker/experiment_memfd_secret"]
experiment_libcrux_all = ["rosenpass-ciphers/experiment_libcrux_all"]
experiment_libcrux_blake2 = ["rosenpass-ciphers/experiment_libcrux_blake2"]
experiment_libcrux_chachapoly = [
"rosenpass-ciphers/experiment_libcrux_chachapoly",
"rosenpass-ciphers/experiment_libcrux_chachapoly",
]
experiment_libcrux_kyber = ["rosenpass-ciphers/experiment_libcrux_kyber"]
experiment_api = [
"hex-literal",
"uds",
"command-fds",
"rustix",
"rosenpass-util/experiment_file_descriptor_passing",
"rosenpass-wireguard-broker/experiment_api",
"hex-literal",
"uds",
"command-fds",
"rustix",
"rosenpass-util/experiment_file_descriptor_passing",
"rosenpass-wireguard-broker/experiment_api",
]
internal_signal_handling_for_coverage_reports = ["signal-hook"]
internal_testing = []

2
rp/Cargo.toml
View File

@@ -6,7 +6,7 @@ license = "MIT OR Apache-2.0"
description = "Build post-quantum-secure VPNs with WireGuard!"
homepage = "https://rosenpass.eu/"
repository = "https://github.com/rosenpass/rosenpass"
rust-version = "1.77"
rust-version = "1.77.0"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

2
secret-memory/Cargo.toml
View File

@@ -8,7 +8,7 @@ description = "Rosenpass internal utilities for storing secrets in memory"
homepage = "https://rosenpass.eu/"
repository = "https://github.com/rosenpass/rosenpass"
readme = "readme.md"
rust-version = "1.77"
rust-version = "1.77.0"
[dependencies]
anyhow = { workspace = true }

53
tests/legacy-distro-packaging.nix
View File

@@ -1,4 +1,8 @@
{ pkgs, rosenpass-deb, rosenpass-rpm }:
{
pkgs,
rosenpass-deb,
rosenpass-rpm,
}:
let
wg-deb = pkgs.fetchurl {
@@ -23,31 +27,38 @@ let
cp ${./prepare-test.sh} $out/prepare-test.sh
'';
test = { tester, installPrefix, suffix, source }: (tester {
sharedDirs.share = {
inherit source;
target = "/mnt/share";
};
testScript = ''
vm.wait_for_unit("multi-user.target")
vm.succeed("${installPrefix} /mnt/share/wireguard.${suffix}")
vm.succeed("${installPrefix} /mnt/share/rosenpass.${suffix}")
vm.succeed("bash /mnt/share/prepare-test.sh")
test =
{
tester,
installPrefix,
suffix,
source,
}:
(tester {
sharedDirs.share = {
inherit source;
target = "/mnt/share";
};
testScript = ''
vm.wait_for_unit("multi-user.target")
vm.succeed("${installPrefix} /mnt/share/wireguard.${suffix}")
vm.succeed("${installPrefix} /mnt/share/rosenpass.${suffix}")
vm.succeed("bash /mnt/share/prepare-test.sh")
vm.succeed(f"systemctl start rp@server")
vm.succeed(f"systemctl start rp@client")
vm.succeed(f"systemctl start rp@server")
vm.succeed(f"systemctl start rp@client")
vm.wait_for_unit("rp@server.service")
vm.wait_for_unit("rp@client.service")
vm.wait_for_unit("rp@server.service")
vm.wait_for_unit("rp@client.service")
vm.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
vm.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
psk_server = vm.succeed("wg show rp-server preshared-keys").strip().split()[-1]
psk_client = vm.succeed("wg show rp-client preshared-keys").strip().split()[-1]
psk_server = vm.succeed("wg show rp-server preshared-keys").strip().split()[-1]
psk_client = vm.succeed("wg show rp-client preshared-keys").strip().split()[-1]
assert psk_server == psk_client, "preshared-key exchange must be successful"
'';
}).sandboxed;
assert psk_server == psk_client, "preshared-key exchange must be successful"
'';
}).sandboxed;
in
{
package-deb-debian-13 = test {

216
tests/systemd/rosenpass.nix
View File

@@ -32,29 +32,33 @@ let
public_key = "/etc/rosenpass/rp0/pqpk";
secret_key = "/run/credentials/rosenpass@rp0.service/pqsk";
verbosity = "Verbose";
peers = [{
device = "rp0";
peer = client.wg.public;
public_key = "/etc/rosenpass/rp0/peers/client/pqpk";
}];
peers = [
{
device = "rp0";
peer = client.wg.public;
public_key = "/etc/rosenpass/rp0/peers/client/pqpk";
}
];
};
client_config = {
listen = [ ];
public_key = "/etc/rosenpass/rp0/pqpk";
secret_key = "/run/credentials/rosenpass@rp0.service/pqsk";
verbosity = "Verbose";
peers = [{
device = "rp0";
peer = server.wg.public;
public_key = "/etc/rosenpass/rp0/peers/server/pqpk";
endpoint = "${server.ip4}:9999";
}];
peers = [
{
device = "rp0";
peer = server.wg.public;
public_key = "/etc/rosenpass/rp0/peers/server/pqpk";
endpoint = "${server.ip4}:9999";
}
];
};
config = pkgs.runCommand "config" { } ''
mkdir -pv $out
cp -v ${(pkgs.formats.toml {}).generate "rp0.toml" server_config} $out/server
cp -v ${(pkgs.formats.toml {}).generate "rp0.toml" client_config} $out/client
cp -v ${(pkgs.formats.toml { }).generate "rp0.toml" server_config} $out/server
cp -v ${(pkgs.formats.toml { }).generate "rp0.toml" client_config} $out/client
'';
in
{
@@ -62,50 +66,71 @@ in
nodes =
let
shared = peer: { config, modulesPath, pkgs, ... }: {
# Need to work around a problem in recent systemd changes.
# It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific
# https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767
# This can potentially be removed in future nixpkgs updates
systemd.packages = [
(pkgs.runCommand "rosenpass" { } ''
mkdir -p $out/lib/systemd/system
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass@.service \
sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.wireguard-tools}/bin@' |
sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' |
sed 's@^ExecStart=rosenpass @ExecStart='"${pkgs.rosenpass}"'/bin/rosenpass @' > $out/lib/systemd/system/rosenpass@.service
'')
];
networking.wireguard = {
enable = true;
interfaces.rp0 = {
ips = [ "${peer.wg.ip4}/32" "${peer.wg.ip6}/128" ];
privateKeyFile = "/etc/wireguard/wgsk";
shared =
peer:
{
config,
modulesPath,
pkgs,
...
}:
{
# Need to work around a problem in recent systemd changes.
# It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific
# https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767
# This can potentially be removed in future nixpkgs updates
systemd.packages = [
(pkgs.runCommand "rosenpass" { } ''
mkdir -p $out/lib/systemd/system
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass@.service \
sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.wireguard-tools}/bin@' |
sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' |
sed 's@^ExecStart=rosenpass @ExecStart='"${pkgs.rosenpass}"'/bin/rosenpass @' > $out/lib/systemd/system/rosenpass@.service
'')
];
networking.wireguard = {
enable = true;
interfaces.rp0 = {
ips = [
"${peer.wg.ip4}/32"
"${peer.wg.ip6}/128"
];
privateKeyFile = "/etc/wireguard/wgsk";
};
};
environment.etc."wireguard/wgsk".text = peer.wg.secret;
networking.interfaces.eth1 = {
ipv4.addresses = [
{
address = peer.ip4;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = peer.ip6;
prefixLength = 64;
}
];
};
};
environment.etc."wireguard/wgsk".text = peer.wg.secret;
networking.interfaces.eth1 = {
ipv4.addresses = [{
address = peer.ip4;
prefixLength = 24;
}];
ipv6.addresses = [{
address = peer.ip6;
prefixLength = 64;
}];
};
};
in
{
server = {
imports = [ (shared server) ];
networking.firewall.allowedUDPPorts = [ 9999 server.wg.listen ];
networking.firewall.allowedUDPPorts = [
9999
server.wg.listen
];
networking.wireguard.interfaces.rp0 = {
listenPort = server.wg.listen;
peers = [
{
allowedIPs = [ client.wg.ip4 client.wg.ip6 ];
allowedIPs = [
client.wg.ip4
client.wg.ip6
];
publicKey = client.wg.public;
}
];
@@ -116,7 +141,10 @@ in
networking.wireguard.interfaces.rp0 = {
peers = [
{
allowedIPs = [ "10.23.42.0/24" "fc00::/64" ];
allowedIPs = [
"10.23.42.0/24"
"fc00::/64"
];
publicKey = server.wg.public;
endpoint = "${server.ip4}:${toString server.wg.listen}";
}
@@ -124,60 +152,62 @@ in
};
};
};
testScript = { ... }: ''
from os import system
rosenpass = "${pkgs.rosenpass}/bin/rosenpass"
testScript =
{ ... }:
''
from os import system
rosenpass = "${pkgs.rosenpass}/bin/rosenpass"
start_all()
for machine in [server, client]:
machine.wait_for_unit("multi-user.target")
machine.wait_for_unit("network-online.target")
with subtest("Key, Config, and Service Setup"):
for name, machine, remote in [("server", server, client), ("client", client, server)]:
# generate all the keys
system(f"{rosenpass} gen-keys --public-key {name}-pqpk --secret-key {name}-pqsk")
# copy private keys to our side
machine.copy_from_host(f"{name}-pqsk", "/etc/rosenpass/rp0/pqsk")
machine.copy_from_host(f"{name}-pqpk", "/etc/rosenpass/rp0/pqpk")
# copy public keys to other side
remote.copy_from_host(f"{name}-pqpk", f"/etc/rosenpass/rp0/peers/{name}/pqpk")
machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/rp0.toml")
start_all()
for machine in [server, client]:
machine.wait_for_unit("wireguard-rp0.service")
machine.wait_for_unit("multi-user.target")
machine.wait_for_unit("network-online.target")
with subtest("wg network test"):
client.succeed("wg show all preshared-keys | grep none", timeout=5);
client.succeed("ping -c5 ${server.wg.ip4}")
server.succeed("ping -c5 ${client.wg.ip6}")
with subtest("Key, Config, and Service Setup"):
for name, machine, remote in [("server", server, client), ("client", client, server)]:
# generate all the keys
system(f"{rosenpass} gen-keys --public-key {name}-pqpk --secret-key {name}-pqsk")
with subtest("Set up rosenpass"):
for machine in [server, client]:
machine.succeed("systemctl start rosenpass@rp0.service")
# copy private keys to our side
machine.copy_from_host(f"{name}-pqsk", "/etc/rosenpass/rp0/pqsk")
machine.copy_from_host(f"{name}-pqpk", "/etc/rosenpass/rp0/pqpk")
for machine in [server, client]:
machine.wait_for_unit("rosenpass@rp0.service")
# copy public keys to other side
remote.copy_from_host(f"{name}-pqpk", f"/etc/rosenpass/rp0/peers/{name}/pqpk")
machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/rp0.toml")
for machine in [server, client]:
machine.wait_for_unit("wireguard-rp0.service")
with subtest("wg network test"):
client.succeed("wg show all preshared-keys | grep none", timeout=5);
client.succeed("ping -c5 ${server.wg.ip4}")
server.succeed("ping -c5 ${client.wg.ip6}")
with subtest("Set up rosenpass"):
for machine in [server, client]:
machine.succeed("systemctl start rosenpass@rp0.service")
for machine in [server, client]:
machine.wait_for_unit("rosenpass@rp0.service")
with subtest("compare preshared keys"):
client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
with subtest("compare preshared keys"):
client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
def get_psk(m):
psk = m.succeed("wg show rp0 preshared-keys | awk '{print $2}'")
psk = psk.strip()
assert len(psk.split()) == 1, "Only one PSK"
return psk
def get_psk(m):
psk = m.succeed("wg show rp0 preshared-keys | awk '{print $2}'")
psk = psk.strip()
assert len(psk.split()) == 1, "Only one PSK"
return psk
assert get_psk(client) == get_psk(server), "preshared keys need to match"
assert get_psk(client) == get_psk(server), "preshared keys need to match"
with subtest("rosenpass network test"):
client.succeed("ping -c5 ${server.wg.ip4}")
server.succeed("ping -c5 ${client.wg.ip6}")
'';
with subtest("rosenpass network test"):
client.succeed("ping -c5 ${server.wg.ip4}")
server.succeed("ping -c5 ${client.wg.ip6}")
'';
}

175
tests/systemd/rp.nix
View File

@@ -24,27 +24,31 @@ let
verbose = true;
dev = "test-rp-device0";
ip = "fc00::1/64";
peers = [{
public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/client";
allowed_ips = "fc00::2";
}];
peers = [
{
public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/client";
allowed_ips = "fc00::2";
}
];
};
client_config = {
private_keys_dir = "/run/credentials/rp@test-rp-device0.service";
verbose = true;
dev = "test-rp-device0";
ip = "fc00::2/128";
peers = [{
public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/server";
endpoint = "${server.ip4}:9999";
allowed_ips = "fc00::/64";
}];
peers = [
{
public_keys_dir = "/etc/rosenpass/test-rp-device0/peers/server";
endpoint = "${server.ip4}:9999";
allowed_ips = "fc00::/64";
}
];
};
config = pkgs.runCommand "config" { } ''
mkdir -pv $out
cp -v ${(pkgs.formats.toml {}).generate "test-rp-device0.toml" server_config} $out/server
cp -v ${(pkgs.formats.toml {}).generate "test-rp-device0.toml" client_config} $out/client
cp -v ${(pkgs.formats.toml { }).generate "test-rp-device0.toml" server_config} $out/server
cp -v ${(pkgs.formats.toml { }).generate "test-rp-device0.toml" client_config} $out/client
'';
in
{
@@ -52,88 +56,105 @@ in
nodes =
let
shared = peer: { config, modulesPath, pkgs, ... }: {
# Need to work around a problem in recent systemd changes.
# It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific
# https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767
# This can potentially be removed in future nixpkgs updates
systemd.packages = [
(pkgs.runCommand "rp@.service" { } ''
mkdir -p $out/lib/systemd/system
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target
< ${pkgs.rosenpass}/lib/systemd/system/rp@.service \
sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.iproute2}/bin:${pkgs.wireguard-tools}/bin@' |
sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' |
sed 's@^ExecStart=rp @ExecStart='"${pkgs.rosenpass}"'/bin/rp @' > $out/lib/systemd/system/rp@.service
'')
];
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.interfaces.eth1 = {
ipv4.addresses = [{
address = peer.ip4;
prefixLength = 24;
}];
ipv6.addresses = [{
address = peer.ip6;
prefixLength = 64;
}];
shared =
peer:
{
config,
modulesPath,
pkgs,
...
}:
{
# Need to work around a problem in recent systemd changes.
# It won't be necessary in other distros (for which the systemd file was designed), this is NixOS specific
# https://github.com/NixOS/nixpkgs/issues/258371#issuecomment-1925672767
# This can potentially be removed in future nixpkgs updates
systemd.packages = [
(pkgs.runCommand "rp@.service" { } ''
mkdir -p $out/lib/systemd/system
< ${pkgs.rosenpass}/lib/systemd/system/rosenpass.target > $out/lib/systemd/system/rosenpass.target
< ${pkgs.rosenpass}/lib/systemd/system/rp@.service \
sed 's@^\(\[Service]\)$@\1\nEnvironment=PATH=${pkgs.iproute2}/bin:${pkgs.wireguard-tools}/bin@' |
sed 's@^ExecStartPre=envsubst @ExecStartPre='"${pkgs.envsubst}"'/bin/envsubst @' |
sed 's@^ExecStart=rp @ExecStart='"${pkgs.rosenpass}"'/bin/rp @' > $out/lib/systemd/system/rp@.service
'')
];
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.interfaces.eth1 = {
ipv4.addresses = [
{
address = peer.ip4;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = peer.ip6;
prefixLength = 64;
}
];
};
};
};
in
{
server = {
imports = [ (shared server) ];
networking.firewall.allowedUDPPorts = [ 9999 server.wg.listen ];
networking.firewall.allowedUDPPorts = [
9999
server.wg.listen
];
};
client = {
imports = [ (shared client) ];
};
};
testScript = { ... }: ''
from os import system
rp = "${pkgs.rosenpass}/bin/rp"
testScript =
{ ... }:
''
from os import system
rp = "${pkgs.rosenpass}/bin/rp"
start_all()
for machine in [server, client]:
machine.wait_for_unit("multi-user.target")
machine.wait_for_unit("network-online.target")
with subtest("Key, Config, and Service Setup"):
for name, machine, remote in [("server", server, client), ("client", client, server)]:
# create all the keys
system(f"{rp} genkey {name}-sk")
system(f"{rp} pubkey {name}-sk {name}-pk")
# copy secret keys to our side
for file in ["pqpk", "pqsk", "wgsk"]:
machine.copy_from_host(f"{name}-sk/{file}", f"/etc/rosenpass/test-rp-device0/{file}")
# copy public keys to other side
for file in ["pqpk", "wgpk"]:
remote.copy_from_host(f"{name}-pk/{file}", f"/etc/rosenpass/test-rp-device0/peers/{name}/{file}")
machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/test-rp-device0.toml")
start_all()
for machine in [server, client]:
machine.succeed("systemctl start rp@test-rp-device0.service")
machine.wait_for_unit("multi-user.target")
machine.wait_for_unit("network-online.target")
for machine in [server, client]:
machine.wait_for_unit("rp@test-rp-device0.service")
with subtest("Key, Config, and Service Setup"):
for name, machine, remote in [("server", server, client), ("client", client, server)]:
# create all the keys
system(f"{rp} genkey {name}-sk")
system(f"{rp} pubkey {name}-sk {name}-pk")
with subtest("compare preshared keys"):
client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
# copy secret keys to our side
for file in ["pqpk", "pqsk", "wgsk"]:
machine.copy_from_host(f"{name}-sk/{file}", f"/etc/rosenpass/test-rp-device0/{file}")
# copy public keys to other side
for file in ["pqpk", "wgpk"]:
remote.copy_from_host(f"{name}-pk/{file}", f"/etc/rosenpass/test-rp-device0/peers/{name}/{file}")
def get_psk(m):
psk = m.succeed("wg show test-rp-device0 preshared-keys | awk '{print $2}'")
psk = psk.strip()
assert len(psk.split()) == 1, "Only one PSK"
return psk
machine.copy_from_host(f"${config}/{name}", "/etc/rosenpass/test-rp-device0.toml")
assert get_psk(client) == get_psk(server), "preshared keys need to match"
for machine in [server, client]:
machine.succeed("systemctl start rp@test-rp-device0.service")
with subtest("network test"):
client.succeed("ping -c5 ${server.wg.ip6}")
server.succeed("ping -c5 ${client.wg.ip6}")
'';
for machine in [server, client]:
machine.wait_for_unit("rp@test-rp-device0.service")
with subtest("compare preshared keys"):
client.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
server.wait_until_succeeds("wg show all preshared-keys | grep --invert-match none", timeout=5);
def get_psk(m):
psk = m.succeed("wg show test-rp-device0 preshared-keys | awk '{print $2}'")
psk = psk.strip()
assert len(psk.split()) == 1, "Only one PSK"
return psk
assert get_psk(client) == get_psk(server), "preshared keys need to match"
with subtest("network test"):
client.succeed("ping -c5 ${server.wg.ip6}")
server.succeed("ping -c5 ${client.wg.ip6}")
'';
}

2
to/Cargo.toml
View File

@@ -8,7 +8,7 @@ description = "Flexible destination parameters"
homepage = "https://rosenpass.eu/"
repository = "https://github.com/rosenpass/rosenpass"
readme = "readme.md"
rust-version = "1.77"
rust-version = "1.77.0"
[dev-dependencies]
doc-comment = { workspace = true }

28
treefmt.nix Normal file
View File

@@ -0,0 +1,28 @@
{ pkgs, ... }:
{
# Used to find the project root
projectRootFile = "flake.nix";
programs.nixfmt.enable = true;
programs.prettier = {
enable = true;
includes = [
"*.css"
"*.html"
"*.js"
"*.json"
"*.json5"
"*.md"
"*.mdx"
"*.toml"
"*.yaml"
"*.yml"
];
excludes = [ "supply-chain/*" ];
settings = {
plugins = [
"${pkgs.nodePackages.prettier-plugin-toml}/lib/node_modules/prettier-plugin-toml/lib/index.js"
];
};
};
programs.rustfmt.enable = true;
}

3
util/Cargo.toml
View File

@@ -8,7 +8,7 @@ description = "Rosenpass internal utilities"
homepage = "https://rosenpass.eu/"
repository = "https://github.com/rosenpass/rosenpass"
readme = "readme.md"
rust-version = "1.77"
rust-version = "1.77.0"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
@@ -25,6 +25,5 @@ mio = { workspace = true }
tempfile = { workspace = true }
uds = { workspace = true, optional = true, features = ["mio_1xx"] }
[features]
experiment_file_descriptor_passing = ["uds"]

2
wireguard-broker/Cargo.toml
View File

@@ -8,7 +8,7 @@ description = "Rosenpass internal broker that runs as root and supplies exchange
homepage = "https://rosenpass.eu/"
repository = "https://github.com/rosenpass/rosenpass"
readme = "readme.md"
rust-version = "1.77"
rust-version = "1.77.0"
[dependencies]
thiserror = { workspace = true }