Commit Graph

62 Commits

Author SHA1 Message Date
Drazen Urch 8a00ed6071 LP Registration + Telescoping + Gateway Probe Localnet Mode (#6286)
* Add KKT cryptographic primitives

Post-quantum Key Encapsulation Mechanism (KEM) Key Transfer protocol.
Enables efficient distribution of post-quantum KEM public keys.

Squashed from georgio/noise-psq branch.

* Implement LP registration protocol with KKT/PSQ integration

Initial implementation of the Lewes Protocol (LP) for gateway registration:
- Add nym-lp crate with Noise protocol handshake
- Add LP listener to gateway for handling registrations
- Add LP client for registration flow
- Integrate KKT for post-quantum KEM key exchange
- Integrate PSQ for post-quantum PSK derivation
- Add Ed25519 authentication throughout
- Add docker/localnet support for testing

Co-authored-by: Jędrzej Stuczyński <jedrzej.stuczynski@gmail.com>

* Add LP telescoping with nested sessions and subsession support

Extends LP protocol with telescoping architecture for nested sessions:
- Add nested session support with KKpsk0 rekeying
- Add subsession support with collision detection
- Implement unified packet format with outer header
- Refactor gateway handlers for single-packet forwarding
- Add TTL-based state cleanup for stale sessions
- Add outer AEAD encryption layer
- Refactor registration client for packet-per-connection model

* Add gateway-probe localnet mode with WireGuard tunnel support

Adds localnet testing mode to gateway-probe for LP development:
- Add TestMode enum for different probe configurations
- Add --gateway-ip flag for direct gateway testing
- Implement two-hop WireGuard tunnel for localnet
- Add mock ecash support for testing without real credentials
- Add netstack Go bindings for userspace networking
- Restructure probe with mode and common modules
- Update README with localnet mode documentation

* Increase KCP fragment limit from u8 to u16

- Change frg field from u8 to u16 in packet header (25 bytes total)
- Update encode/decode to use get_u16_le/put_u16_le
- Update Segment struct frg field to u16
- Remove truncating cast in session.rs
- Max message size now ~91MB (65,535 fragments × MTU)
- Internal protocol only, no interop concerns

Nym uses KCP for reliability and multiplexing, not standard real-time
use cases. The u8 limit (255 fragments, ~355KB) was insufficient.

Addresses: nym-yih9

* Zeroize Ed25519 key material in to_x25519 conversion

Wrap hash and x25519_bytes in zeroize::Zeroizing to ensure private
key material is cleared from memory after use.

Closes: nym-k55g

* Return Result from KCP session input() for error detection

Change KcpSession::input() to return Result<(), KcpError> so callers
can detect invalid packets instead of silently ignoring them.

- Add ConvMismatch error variant for conversation ID mismatches
- Update driver to propagate errors from session.input()
- Update all test and example callers

Closes: nym-n0kk

* Fix Zeroizing deref in ed25519 to_x25519 conversion

The from_bytes() function expects &[u8], need to deref the Zeroizing
wrapper to get the inner array.

* Add semaphore-based connection limiting for LP packet forwarding

Limits concurrent outbound connections when forwarding LP packets to
prevent file descriptor exhaustion under high load.

Key changes:
- Add max_concurrent_forwards config (default 1000)
- Add forward_semaphore to LpHandlerState
- Acquire semaphore permit before connecting in handle_forward_packet
- Return "Gateway at forward capacity" error when at limit

This provides load signaling so clients can choose another gateway
when the current one is overloaded.

Design note: Connection pooling was considered but provides minimal
benefit since telescope setup is one-time and targets are distributed
across many different gateways. See AIDEV-NOTE in LpHandlerState for
full analysis.

Closes: nym-xi3m

* Return error on session unavailable in handle_subsession_packet

Replace .session().ok() with proper error handling to fail fast when
session is Closed or Processing after state machine processing.

Previously, the code silently continued with outer_key = None, which
could cause protocol errors downstream.

Closes: nym-8de0

* Use explicit bincode Options helper in nested_session

Add bincode_options() helper that returns DefaultOptions with explicit
big_endian and varint_encoding configuration. This future-proofs against
bincode 1.x/2.x default changes and makes serialization format explicit.

Updated all 4 bincode usages in nested_session.rs to use the helper.

* Deduplicate outer_key lookup pattern in nested_session.rs

Extract common state_machine.session().ok().and_then(...) pattern into
two helper methods:
- get_send_key() for encryption (outer_aead_key_for_sending)
- get_recv_key() for decryption (outer_aead_key)

Updated 6 call sites to use the helpers, reducing verbosity.

* Add LpConfig struct and AIDEV-NOTE documentation for KKT+PSQ

- Create config.rs with LpConfig struct (kem_algorithm, psk_ttl, enable_kkt)
- Export LpConfig from lib.rs
- Add AIDEV-NOTE to psk.rs explaining:
  - Why PSQ is embedded in Noise (single round-trip, PSK binding)
  - KEM migration path (X25519 → MlKem768 → XWing)
- Add AIDEV-NOTE to state_machine.rs explaining protocol flow:
  - KKTExchange → Handshaking → Transport state transitions
  - PSK derivation formula (ECDH || PSQ || salt)

* Add forward_timeout to LP client config

Add forward_timeout (30s default) to LpConfig and wrap send_forward_packet's
connect_send_receive call with tokio::time::timeout, matching the pattern
used by register() with registration_timeout.

This prevents indefinite hangs when forwarding packets through entry gateway.

* Add negotiated_version field to LpSession

Add AtomicU8 field to store the protocol version from handshake packet
headers. Includes getter and setter methods for future version negotiation
and compatibility checks.

- negotiated_version() returns current version (defaults to 1)
- set_negotiated_version() allows setting during handshake
- Subsessions inherit version 1 (can be enhanced to inherit parent's)

* Change MessageType from u16 to u32

Breaking wire protocol change: MessageType field increased from 2 bytes
to 4 bytes in LP packets. This future-proofs the message type space and
aligns with other u32 fields.

Changes:
- message.rs: #[repr(u32)], from_u32(), to_u32()
- error.rs: InvalidMessageType(u32)
- codec.rs: All serialization/deserialization updated to 4-byte msg_type
  - Cleartext parsing: inner_bytes[4..8], content at [8..]
  - AEAD parsing: decrypted[4..8], content at [8..]
  - Serialization: 4 bytes for message type

* Various smaller fixes

* Refactor LP to stream-oriented TCP processing

Gateway (handler.rs):
- Add bound_receiver_idx field for session-affine connections
- Convert handle() from single-packet to loop with EOF detection
- Add validate_or_set_binding() for receiver_idx validation
- Set binding in handle_client_hello after collision check
- Centralize emit_lifecycle_metrics in main loop only
- Add is_connection_closed() helper for graceful EOF

Client (client.rs):
- Add stream field for persistent TCP connection
- Add ensure_connected(), send_packet(), receive_packet(), close() methods
- Modify perform_handshake_inner() to use persistent stream
- Modify register_with_credential() to use persistent stream
- Modify send_forward_packet() to use persistent stream
- Keep connect_send_receive() for reference (marked dead_code)

This reduces handshake overhead from ~5 TCP connections to 1.

Drive-by: Fix log::info! -> info! in wireguard peer_controller.rs

* Add persistent exit stream for entry→exit forwarding

Entry gateway now maintains a persistent TCP connection to the exit
gateway per client session, reusing it for all forward requests from
that client. This reduces TCP handshake overhead significantly.

Key changes:
- Add exit_stream: Option<(TcpStream, SocketAddr)> to LpConnectionHandler
- Modify handle_forward_packet() to open on first forward, reuse after
- Clear exit_stream on connection errors (auto-reconnect on next forward)
- Semaphore only acquired for connection opens, not reuse (sequential access)

* Fix code review issues for stream-oriented LP

- Add 30s timeout to exit stream I/O operations (nym-df31)
  Prevents handler from hanging on unresponsive exit gateway

- Return error on forward target address mismatch (nym-zegu)
  Previously warned and proceeded, which could mask bugs

- Close client stream on handshake error paths (nym-scvm)
  Prevents state machine inconsistency on timeout or failure

* Add LP registration idempotency and retry logic

Make LP registration resilient to network failures that could waste
credentials. When registration succeeds on the gateway but the response
is lost (e.g., network drop), clients can retry with the same WG key
and get the cached result instead of spending another credential.

Gateway-side:
- Add check_existing_registration() helper that looks up WG peer and
  returns cached GatewayData if already registered
- Add idempotency check in process_registration() dVPN branch
- Only return cached response if bandwidth > 0 (ensures registration
  was actually completed, not just peer created)
- Track idempotent registrations with lp_registration_dvpn_idempotent metric

Client-side:
- Add register_with_retry() to LpRegistrationClient that acquires
  credential once and retries handshake+registration on failure
- Add handshake_and_register_with_retry() to NestedLpSession for
  exit gateway registration via forwarding
- Add exponential backoff with jitter between retry attempts
- Verify outer session validity before nested session retry

Both retry methods clear state machine before retry to ensure fresh
handshake, and reuse the same credential across all attempts.

* Add no-mix-acks feature flag to nym-sphinx-framing

When enabled, mix nodes skip ack extraction and forwarding entirely.
The full payload (including ack portion) is returned as the message.

Closes: nym-3wrr

* Create nym-lp-speedtest crate scaffold

- Created tools/nym-lp-speedtest/ with Cargo.toml
- Added main.rs with CLI argument parsing
- Created stub modules: client.rs, speedtest.rs, topology.rs
- Added to workspace members
- Verified compilation with cargo check

* Implement topology fetching for nym-lp-speedtest

- Add topology.rs with NymTopology integration
- Fetch mix nodes and gateways from nym-api
- Build GatewayInfo with LP addresses (port 41264)
- Provide random_route_to_gateway() for Sphinx routing
- Add required Cargo.toml dependencies

* Implement LP+Sphinx+KCP client with SURB support

- Add send_data() and send_data_with_surbs() methods for mixnet data
- Integrate KCP reliable delivery with Sphinx packet construction
- Add x25519 encryption keypair for SURB reply mechanism
- Wire up main.rs to test LP handshake and data path
- Add NymRouteProvider support in topology for SURB construction
- Refactor send_data() to delegate to send_data_with_surbs(0) (DRY)

The client can now:
- Perform LP handshake with gateways
- Send data through the mixnet wrapped in KCP + Sphinx packets
- Attach SURBs for bidirectional communication
- Return encryption keys for decrypting replies

* Rename nym-lp-speedtest to nym-lp-client and fix KCP bug

- Rename crate from nym-lp-speedtest to nym-lp-client
- Fix KCP bug: add driver.update() call before fetch_outgoing()
  Without update(), KCP never moves segments from snd_queue to snd_buf
- Update CLI name, about string, and user agent to match new name

* Add LP mixnet mode registration with nym address return

- Extend RegistrationMode::Mixnet to include client_ed25519_pubkey
  and client_x25519_pubkey for nym address construction
- Add LpGatewayData struct containing gateway_identity and
  gateway_sphinx_key for SURB reply routing
- Add lp_gateway_data field to LpRegistrationResponse for mixnet mode
- Implement success_mixnet() constructor for mixnet registrations
- Update gateway registration to insert clients into ActiveClientsStore
  for SURB reply delivery, matching the websocket flow

* Implement LP data handler on UDP:51264

- Add LpDataHandler for UDP data plane (port 51264)
- Decrypt LP layer and forward Sphinx packets to mixnet
- Add outbound_mix_sender to LpHandlerState
- Integrate data handler spawn into LpListener::run()
- Add metrics for data packets received/forwarded/errors

Implements nym-yzzm

* Fix replay protection vulnerability in LP data handler

Use state machine process_input() instead of manual decryption to ensure
proper replay protection:
- Counter check against receiving window
- Counter marking after successful decryption

Also handle subsession actions gracefully (SendPacket ignored on UDP,
clients should use TCP control plane for rekeying).

Security fix for nym-yzzm implementation.

* feat(ipr): add KcpSessionManager for LP client KCP handling

- Add fetch_incoming() and recv() methods to KcpDriver for retrieving
  reassembled messages
- Create KcpSessionManager in ip-packet-router that manages KCP sessions
  keyed by conv_id (first 4 bytes of KCP packet header)
- Store ReplySurbs per session for sending anonymous replies
- Implement session timeout (5 min) and max sessions limit (10000)
- Add comprehensive tests for session lifecycle and KCP roundtrip

* feat(ipr): integrate KcpSessionManager into MixnetListener

- Add KcpSessionManager field to MixnetListener struct
- Add is_kcp_message() helper to detect KCP-wrapped payloads
- Add on_kcp_message() to process LP client KCP messages
- Refactor on_reconstructed_message() to route KCP vs regular IPR
- Add KCP tick timer (100ms) for session updates and cleanup
- Initialize KcpSessionManager in IpPacketRouter::run_service_provider()

KCP messages are detected by checking byte 4 for valid KCP commands
(81-84), which doesn't conflict with IPR protocol version bytes (6-8)
at position 0.

Closes: nym-96zl

* fix(ipr): prevent KCP detection false positives on IPR messages

Add secondary check in is_kcp_message() to exclude messages that match
IPR protocol header pattern (version 6-8 at byte 0, ServiceProviderType
0-2 at byte 1). This prevents false positives where IPR messages with
byte 4 in range 81-84 would be incorrectly routed to KCP processing.

Added 4 unit tests to validate the detection logic.

Closes: nym-6f3x

* fix(ipr): wrap KCP client responses in KCP before SURB reply

- Modify on_kcp_message to handle responses directly instead of returning them
- Add handle_kcp_response method that wraps response in KCP and sends via mixnet
- Ensures KCP clients receive KCP-wrapped responses for proper reassembly

Closes: nym-7oh2

* fix(ipr): send KCP protocol packets in tick instead of just logging

- Add get_sender_tag() and fetch_outgoing_for_conv() to KcpSessionManager
- Change handle_kcp_tick() to actually send ACKs/retransmissions via mixnet
- Reduce KCP tick interval from 100ms to 10ms for better responsiveness

This fixes the KCP reliability protocol which was broken because
protocol packets (ACKs, retransmissions) were generated but never sent.

* feat(lp-client): wrap payload in IpPacketRequest before KCP

- Add nym-ip-packet-requests and bytes dependencies
- Wrap payload in IpPacketRequest::new_data_request() before sending to KCP
- Add LP_DATA_PORT constant (51264) and lp_data_address field to GatewayInfo

This ensures IPR can properly parse incoming messages as DataRequest.
LP framing (wrapping Sphinx in LP before sending) is a separate task.

* feat(lp-client): add LP session management and UDP data plane support

- Add wrap_data() and session_id() to LpRegistrationClient for LP packet
  creation after handshake
- Add init_lp_session() and close_lp_session() to SpeedtestClient for
  managing LP sessions
- Extract prepare_sphinx_fragments() helper to reduce code duplication
  between send_data_with_surbs() and send_data_via_lp()
- Add send_data_via_lp() for sending Sphinx packets through LP's UDP
  data plane (port 51264)

The LP session is kept alive after TCP handshake closes, allowing
subsequent wrap_data() calls for UDP transmission without re-handshaking.

* random formatting

* replaced all instances of bincode::serialize and bincode::deserialize with explicit lp_bincode_serialiser() within the LP

* additional formatting

* removed source of possible panic from nym-kkt

invalid KEM mapping will now return an Err rather than panicking

* integration test for LP entry registration

This includes creation of mocks of various gateway-related components, such as the PeerController

* changed ClientHelloData serialisation

the old variant using bincode did not produce constant-length output in some cases

* Fixed generation of receiver index

removes the possible clash with the boostrap id

* Integration test for nested LP registration

- move `LpTransport` trait definition to shared `nym-lp-transport` crate
- make transport layer within `LpConnectionHandler` generic with respect to the forwarding target. it must, however, use the same type as the incoming client connection
- extracted explicit `LpConnectionHandler::establish_exit_stream` to more easily modify it in the future to fully protect the channel and disallow using untrusted egress points
- fix additional log-string interpolation nits

* resolved clippy issues pointed out by clippy 1.91

* added LP discovery into self-described endpoint:

- removed changes to the node bonding within the contract
- introduced '/api/v1/lewes-protocol' route within nym-node http api
- added 'lewes_protocol' field to 'NymNodeData' inside of NymNodeDescription
- refactored LpConfig to allow separate bind and announce addresses and used more strict typing

* chore: allow unwrap/expect within kkt benchmarking code

* chore: downgraded sha2 dep for cosmwasm compatibility

* clippy

* marking simd calls as unsafe

* fixed calls to '_mm_testz_si128'

* additional clippy fixes

---------

Co-authored-by: Georgio Nicolas <me@georgio.xyz>
Co-authored-by: Jędrzej Stuczyński <jedrzej.stuczynski@gmail.com>
2026-01-14 09:06:02 +00:00
Jędrzej Stuczyński d9c2f6ebda Feature/credential proxy jwt (#5957)
* squashed feature/credential-proxy-jwt [#5957]

post rebasing fixes

clippy

changed obtain-async endpoint to conditionally return jwt instead of pending zk-nym

watching for the attestation file and issuing jwt

* changed attestation starting time serialisation into rfc3339

* including authorised JWT issuers in attestation

* reduce attestation retrieval error log
2025-11-03 16:42:39 +00:00
Simon Wicky f90fc4f2f0 Moving clients crate from vpn-client repo to here (#6015)
* moving crates as is

* changes due to crate moving

* cargo fmt
2025-09-08 10:50:18 +02:00
Jędrzej Stuczyński 01fa1df66c feat: shared library for attempting to retrieve update mode attestation (#5954)
* feat: shared library for attempting to retrieve update mode attestation

* clippy

* add nym- prefix to the crate name

* use pure-rust impl for jwt-simple
2025-09-02 09:28:32 +01:00
Jędrzej Stuczyński 65175fee09 merge #5512 again after reverting due to incorrect rebase (#5520)
* setup workspace global lints to prevent needless panics

* removed sources of panic in nym-crypto, nym-node and nym-api

* adjusted test code
2025-02-26 10:52:09 +00:00
Jędrzej Stuczyński 8f5457e698 feature: allow nym-nodes to understand future version of sphinx packets (#5496) (#5518)
* use updated sphinx crate

* updated outfox usage of keygen in tests

* use x25519 in outfox

* remove redundant constructor

* adjusted key convertion traits
2025-02-26 09:47:57 +00:00
Drazen Urch 134883522d Seedable clients (#5440)
* Seedable clients

* Finalize seedable PR

* Address PR comments

* More generic DerivationMaterials init

* Fix xoring the wrong index

* Tests
2025-02-17 00:00:17 +01:00
Jędrzej Stuczyński 8756763875 added support for aead in nym-crypto 2024-09-18 17:43:06 +01:00
Jon Häggblad 086611c7ac Use serde from workspace (#4833)
* cargo autoinherit for serde

* cargo autoinherit for bs58 and vergen in cosmwasm-smart-contracts
2024-09-16 11:16:21 +02:00
Jon Häggblad d0b380cd99 Remove serde_crate named import (#4832)
* Run cargo autoinherit following last weeks dependabot updates

* Remove serde_crate named import
2024-09-02 15:51:56 +02:00
Jon Häggblad 279de8a09b Run cargo-autoinherit for a few new crates (#4801)
* Run cargo-autoinherit for a few new crates

* Sort crates list

* sort
2024-08-27 14:06:17 +01:00
dependabot[bot] c521ee6702 build(deps): bump the patch-updates group with 23 updates (#4791)
Bumps the patch-updates group with 23 updates:

| Package | From | To |
| --- | --- | --- |
| [async-trait](https://github.com/dtolnay/async-trait) | `0.1.80` | `0.1.81` |
| [blake3](https://github.com/BLAKE3-team/BLAKE3) | `1.5.1` | `1.5.4` |
| [clap](https://github.com/clap-rs/clap) | `4.5.7` | `4.5.16` |
| [clap_complete](https://github.com/clap-rs/clap) | `4.5.5` | `4.5.23` |
| [clap_complete_fig](https://github.com/clap-rs/clap) | `4.5.1` | `4.5.2` |
| [curve25519-dalek](https://github.com/dalek-cryptography/curve25519-dalek) | `4.1.2` | `4.1.3` |
| [fastrand](https://github.com/smol-rs/fastrand) | `2.1.0` | `2.1.1` |
| [flate2](https://github.com/rust-lang/flate2-rs) | `1.0.30` | `1.0.33` |
| [log](https://github.com/rust-lang/log) | `0.4.21` | `0.4.22` |
| [quote](https://github.com/dtolnay/quote) | `1.0.36` | `1.0.37` |
| [regex](https://github.com/rust-lang/regex) | `1.10.5` | `1.10.6` |
| [safer-ffi](https://github.com/getditto/safer_ffi) | `0.1.8` | `0.1.12` |
| [serde](https://github.com/serde-rs/serde) | `1.0.203` | `1.0.209` |
| [serde_bytes](https://github.com/serde-rs/bytes) | `0.11.14` | `0.11.15` |
| [serde_derive](https://github.com/serde-rs/serde) | `1.0.203` | `1.0.209` |
| [serde_json](https://github.com/serde-rs/json) | `1.0.117` | `1.0.127` |
| [si-scale](https://github.com/graelo/si-scale) | `0.2.2` | `0.2.3` |
| [thiserror](https://github.com/dtolnay/thiserror) | `1.0.61` | `1.0.63` |
| [tokio](https://github.com/tokio-rs/tokio) | `1.39.2` | `1.39.3` |
| [url](https://github.com/servo/rust-url) | `2.5.1` | `2.5.2` |
| [bip32](https://github.com/iqlusioninc/crates) | `0.5.1` | `0.5.2` |
| [wasm-bindgen](https://github.com/rustwasm/wasm-bindgen) | `0.2.92` | `0.2.93` |
| [hyper-util](https://github.com/hyperium/hyper-util) | `0.1.5` | `0.1.7` |


Updates `async-trait` from 0.1.80 to 0.1.81
- [Release notes](https://github.com/dtolnay/async-trait/releases)
- [Commits](https://github.com/dtolnay/async-trait/compare/0.1.80...0.1.81)

Updates `blake3` from 1.5.1 to 1.5.4
- [Release notes](https://github.com/BLAKE3-team/BLAKE3/releases)
- [Commits](https://github.com/BLAKE3-team/BLAKE3/compare/1.5.1...1.5.4)

Updates `clap` from 4.5.7 to 4.5.16
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.7...clap_complete-v4.5.16)

Updates `clap_complete` from 4.5.5 to 4.5.23
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.5...clap_complete-v4.5.23)

Updates `clap_complete_fig` from 4.5.1 to 4.5.2
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete_fig-v4.5.1...clap_complete_fig-v4.5.2)

Updates `curve25519-dalek` from 4.1.2 to 4.1.3
- [Release notes](https://github.com/dalek-cryptography/curve25519-dalek/releases)
- [Commits](https://github.com/dalek-cryptography/curve25519-dalek/compare/curve25519-4.1.2...curve25519-4.1.3)

Updates `fastrand` from 2.1.0 to 2.1.1
- [Release notes](https://github.com/smol-rs/fastrand/releases)
- [Changelog](https://github.com/smol-rs/fastrand/blob/master/CHANGELOG.md)
- [Commits](https://github.com/smol-rs/fastrand/compare/v2.1.0...v2.1.1)

Updates `flate2` from 1.0.30 to 1.0.33
- [Release notes](https://github.com/rust-lang/flate2-rs/releases)
- [Changelog](https://github.com/rust-lang/flate2-rs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/flate2-rs/compare/1.0.30...1.0.33)

Updates `log` from 0.4.21 to 0.4.22
- [Release notes](https://github.com/rust-lang/log/releases)
- [Changelog](https://github.com/rust-lang/log/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/log/compare/0.4.21...0.4.22)

Updates `quote` from 1.0.36 to 1.0.37
- [Release notes](https://github.com/dtolnay/quote/releases)
- [Commits](https://github.com/dtolnay/quote/compare/1.0.36...1.0.37)

Updates `regex` from 1.10.5 to 1.10.6
- [Release notes](https://github.com/rust-lang/regex/releases)
- [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/regex/compare/1.10.5...1.10.6)

Updates `safer-ffi` from 0.1.8 to 0.1.12
- [Release notes](https://github.com/getditto/safer_ffi/releases)
- [Commits](https://github.com/getditto/safer_ffi/compare/v0.1.8...v0.1.12)

Updates `serde` from 1.0.203 to 1.0.209
- [Release notes](https://github.com/serde-rs/serde/releases)
- [Commits](https://github.com/serde-rs/serde/compare/v1.0.203...v1.0.209)

Updates `serde_bytes` from 0.11.14 to 0.11.15
- [Release notes](https://github.com/serde-rs/bytes/releases)
- [Commits](https://github.com/serde-rs/bytes/compare/0.11.14...0.11.15)

Updates `serde_derive` from 1.0.203 to 1.0.209
- [Release notes](https://github.com/serde-rs/serde/releases)
- [Commits](https://github.com/serde-rs/serde/compare/v1.0.203...v1.0.209)

Updates `serde_json` from 1.0.117 to 1.0.127
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](https://github.com/serde-rs/json/compare/v1.0.117...1.0.127)

Updates `si-scale` from 0.2.2 to 0.2.3
- [Release notes](https://github.com/graelo/si-scale/releases)
- [Changelog](https://github.com/graelo/si-scale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/graelo/si-scale/compare/0.2.2...v0.2.3)

Updates `thiserror` from 1.0.61 to 1.0.63
- [Release notes](https://github.com/dtolnay/thiserror/releases)
- [Commits](https://github.com/dtolnay/thiserror/compare/1.0.61...1.0.63)

Updates `tokio` from 1.39.2 to 1.39.3
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.39.2...tokio-1.39.3)

Updates `url` from 2.5.1 to 2.5.2
- [Release notes](https://github.com/servo/rust-url/releases)
- [Commits](https://github.com/servo/rust-url/compare/v2.5.1...v2.5.2)

Updates `bip32` from 0.5.1 to 0.5.2
- [Commits](https://github.com/iqlusioninc/crates/compare/bip32/v0.5.1...secrecy/v0.5.2)

Updates `wasm-bindgen` from 0.2.92 to 0.2.93
- [Release notes](https://github.com/rustwasm/wasm-bindgen/releases)
- [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustwasm/wasm-bindgen/compare/0.2.92...0.2.93)

Updates `hyper-util` from 0.1.5 to 0.1.7
- [Release notes](https://github.com/hyperium/hyper-util/releases)
- [Changelog](https://github.com/hyperium/hyper-util/blob/master/CHANGELOG.md)
- [Commits](https://github.com/hyperium/hyper-util/compare/v0.1.5...v0.1.7)

---
updated-dependencies:
- dependency-name: async-trait
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: blake3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: clap
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: clap_complete
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: clap_complete_fig
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: curve25519-dalek
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: fastrand
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: flate2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: log
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: quote
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: safer-ffi
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: serde
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: serde_bytes
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: serde_derive
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: serde_json
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: si-scale
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: thiserror
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: tokio
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: url
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: bip32
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: wasm-bindgen
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: hyper-util
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-27 12:45:26 +02:00
Jon Häggblad 8acd3a0975 Move a few more deps partially to workspace 2024-06-27 10:52:15 +02:00
Jon Häggblad 4aa8cb4647 Move dalek and rand_chacha crates to workspace 2024-06-27 10:52:15 +02:00
Jon Häggblad 4bbbcf629d Fix warning for default_features 2024-06-27 10:52:15 +02:00
Simon Wicky 2a1d37dd22 update crypto and rand crates 2024-05-31 11:33:16 +01:00
Jon Häggblad 9badeac832 cargo autoinherit in root workspace 2024-05-20 13:16:25 +02:00
Jędrzej Stuczyński e7d0c1812a added import commands for client binaries 2024-02-19 11:43:15 +00:00
Jędrzej Stuczyński f328f3fa9e Feature/gateway api (#3970)
* Squashing all the changes

initial router

started expanding the API

initial empty openapi/swagger

populated build-info endpoint

wip: populating rest of swagger

missing swagger data + using closure capture for immutable state

running the api as a proper task in gateway 'run'

fixing some version/feature clashes

refactored routes structures

initial host information endpoint

expanded on gateway-related endpoints

signing host information

moved all models to separate crate

unified http api client

routes unification + node api client

new generic cache and refresher

nym-api caching node self described information

removed old cache type

temporarily wired up NymContractCache to NodeDescriptionProvider

caching self reported host info

clients using self-described gateway information

fixed request timeouts for wasm

fixed wasm builds

post rebase fixes

cargo fmt

brought in wg routes into nym-node router

added ErrorResponse for wireguard routes

basic swagger support for wg endpoints

turns out swagger can be happy with strongly typed requests

output type support for wg routes

using concrete error type for nym node request error

fixed the registration test

landing page configurability

increased configurability

fixed build and lints of other crates

added default user-agent to http-api-client

reduced severity of gateway details lookup failure

changed default http port from 80 to 8080

nym-api using new default port for queries

added health endpoint

nym-api trying multiple ports for the client

using camelcase for node status

corrected health endpoint description

restored and revamped 'force_tls' flag to filter all gateways that support the wss protocol

fixed 'pub_key' path param in open api schema

derived Debug on 'NymNodeDescription'

ensuring valid public ips

added init and run flags to set hostname and public ips

fixed listening address being pushed to public ip

fixed the positional local flag

logging remote ip address of the request

updated helper function to query for described gateways

enabled tls in gateway client

removed hack-opts from mix fetch

additional changes after rebasing against origin/develop

* clippy

* wasm-related target locking

* more clippy, but this time in tests
2023-10-19 12:36:53 +02:00
Bogdan-Ștefan Neacșu 5620fd7009 Set sphinx as default packet type 2023-08-08 15:16:22 +02:00
Bogdan-Ștefan Neacşu a47899aa77 Apply fix from feature/ephemera to develop too (#3698) 2023-07-27 12:18:08 +03:00
farbanas 8f3d7606f5 bump crate versions 2023-06-06 10:07:06 +02:00
Jędrzej Stuczyński 28a965e698 persistent wasm client keys 2023-05-09 10:46:40 +01:00
Jędrzej Stuczyński 5478c23563 experimenting with storing concrete crypto types 2023-05-09 10:45:48 +01:00
farbanas 6209e78c1e bump crates 2023-05-02 10:53:42 +02:00
Jędrzej Stuczyński 78d568e04e Feature/store cipher (#3350)
* initial nym-store-cipher

* cleanup
2023-04-27 10:24:36 +01:00
farbanas e89ed985fc chore: bumped version of common crates 2023-03-07 13:27:03 +01:00
Jon Häggblad 24823356fc nym-crypto: update nym-sphinx-types dependency to published (#3086)
* nym-crypto: update nym-sphinx-types dependency to published

* nym-crypto: update cargo metadata
2023-02-22 15:55:00 +01:00
Jon Häggblad c75c5e0903 Rename to crate name to nym-sphinx (#3060)
* nymsphinx: rename to nym- prefix in Cargo.toml files

* regex use nymsphinx to use nym_sphinx

* all: updated explict crate name in a few places
2023-02-20 16:28:08 +01:00
Jon Häggblad ec00918524 Update crate metadata for nym-crypto (#3059)
* dkg: move crate and un-nest

* all: update paths to common/dkg

* crypto: Cargo.toml metadata
2023-02-20 15:44:51 +01:00
Jon Häggblad 8f4fd62957 rename pemstore to nym-pemstore 2023-02-15 16:13:53 +01:00
Jon Häggblad 4844ac953a rename crypto to nym-crypto 2023-02-15 16:13:53 +01:00
Jędrzej Stuczyński 97b01db23e Chore/more error macros (#2686)
* cleaned up MixProcessingError

* Added Error impl to (hopefully) all error enums in the codebase

* Replaced all occurences of error("{0}") with error(transparent)

* Changelog entry
2022-12-13 17:42:11 +00:00
Drazen Urch 16ef1c547b Remove eth feature, and BBBC related code (#1612)
* Remove eth feature, and BBBC related code

* Burn some more, especially clients
2022-09-15 13:58:44 +02:00
Jędrzej Stuczyński 7d82fe0c0d Feature/various improvements (#1282)
* Added abci::Data field to ExecuteResult

* optional serde support for ed25519 keys

* optional serde support for x25519 keys

* actually calling dotenv at validator API startup

* Added STATE_DENOM network specific constant

* unit test fixes
2022-05-24 09:52:00 +01:00
Jędrzej Stuczyński 9462bc726d Feature-locking parts of common/crypto 2022-03-02 10:34:27 +00:00
Jędrzej Stuczyński 2a539dc3cc Upgrade blake3 to v1.3.1 2022-03-01 18:50:05 +00:00
Jon Häggblad c6e41ca3f3 Update to rust edition 2021 everywhere (#1086)
* chore: update to rust edition 2021 everywhere

* validator-api: simplify into_iter call in rust 2021
2022-02-01 13:28:02 +01:00
Jędrzej Stuczyński d71ef635e2 Restricted blake3 dependency (#1025) 2022-01-11 16:22:55 +00:00
Dave Hrycyszyn 8e99ae8979 Feature/add wallet to gateway init (#984)
* Moving sign_text method into common/crypto to dry it up

* Moved bech32 address validation into common/crypto

* ibid

* Gateway now requires a --wallet-address arg on init
2021-12-18 12:45:55 +00:00
Drazen Urch 5dfaff6296 Update hmac and blake3 (#673)
* Update hmac and blake3

* Remain paranoid for `0.*` crates

* Most paranoid versions :)

* Updated aes and using published version of blake3

Co-authored-by: Jędrzej Stuczyński <jedrzej.stuczynski@gmail.com>
2021-09-21 09:59:17 +01:00
Jędrzej Stuczyński 596bc76cc6 Chore/dependency updates (#549)
* Updated all non-breaking dependencies

* Updated common/crypto dependencies

* Updated all tokio [and associated] dependencies to most recent version

* Bumped version of rand_distr

* Fixed api changes in tests

* Made clippy happier about the acronym

* Fixed the type while trying to make clippy even happier

* nightly cargo fmt
2021-03-29 15:32:34 +01:00
Jędrzej Stuczyński 124712a954 Feature/network monitor (#369)
* WIP commit

* Further into errors (WIP)

* WIP commit, more stuff compiling, but now we switch to sneaky Jedrzej trick

* Websocket connections starting to work

* WIP

* Constructing the socket stream in one go

* Nicer connections. Getting topology now works.

* Fixing startup message

* Injecting directory uri

* Injecting good mixndodes

* Deleting old healthcheck

* Starting to wrap gateway client

* Splitting out good topology contstruction

* Starting to breathe finally

* Fixed layer assignment error

* Starting gateway client in a better spot

* Cleanup

* Renamed construct() to new()

* Injected channels, removed websockets

* Added a MixnetListener to deal with returned packet traffic

* Simplification

* Renaming and commenting a few things

* Renamed temp variables

* Fixed variable names

* Made errors a bit more explicit on message reconstruction

* Added the mixmining route / object to the directory server client

* Recipient is always "me", a bit easier to understand what's going on

* Subbing in test nodes works

* Using QA directory

* Noting which directory server we're using at monitor start

* Adding Debug to MixStatus so we can print it more easily

* Prettification of startup messages

* Notifying directory of successful packet receipt

* All nodes now being tested

* Now able to do timer-based test runs and detect the last node tested

* Renamed mixnet_listener to notifier

* Moved message chunking into its own home

* Starting to pull out packet sends

* Basic functionality working!

* Enabled timer runs forever

* License notices

* Depdendency cleanup

* Import cleanup

* Moved to implicit tokio runtime

* Removed some unnecessary data clones

* Fixed monitor doing two runs at startup rather than one

* dalek version updates

* This should have been split but got carried away

* Initial ipv6 support

* Don't test outdated nodes

* Added network monitor to default workspace members

* Actually sending reports

* Batch-sending mix status

* Cargo fmt

* Minor cleanup

* Malformed Cargo.lock

* Post-merge fixes

* Defined constant in main.rs for enabling detailed reporting

* Updated package versions of the system

* Checking version compatibility on startup

Co-authored-by: Dave Hrycyszyn <futurechimp@users.noreply.github.com>
2020-10-09 16:00:19 +01:00
Jędrzej Stuczyński c50e9a9ed7 Feature/wasm update (#341)
* Split text and binary client apis

* Very initial attempt at new serialization

* Defined ser+de for Recipient and ReplySURB

* Response errors

* builds with changes

* Working WS API + moved to separate crate

* updated python examples

* Fixed parsing bug

* Updated go examples

* Updated rust examples

* formatting

* Removed unused imports

* dependency updates

* Further dependency changes

* nymsphinx exposingn framing only if not in wasm32

* Cargo lock changes before develop merge

* Pending work

* Actually sending and receiving websocket from rust!

* more WIP

* Initial wasm client + establishing shared key with gateway!

* Splitting and sending a message!

* WIP

* WIP

* Initial wasm-ification of the gateway client

* Passing reconstruction result to js callback!

* Initial WASM cleaning pass

* Dependency pruning

* Moved processing loop to received_processor + at least ack unwrappingn

* Post merge fix

* Kinda updated react example

* Old print statement removed

* Removed yarn.lock

* Fixed building issue for other clients

* Fixed travis test command
2020-09-16 15:18:04 +01:00
Jędrzej Stuczyński d9d549fd0f Feature/reply surbs (#299)
* Changed identity keypair to use ed25519

* Encryption key is now x25519 based + compatibiltiy with sphinx

* Pathing and import fixes

* Moved all asymmetric keys to sub-module in crypto

* Extracted aes to separate module

* kdf module in crypto

* Ability to perform diffie hellman on encryption keys

* ecdsa on identity keys

* Extremely rough and incomplete registration handshake

* Authentication primitives

* Creating new random authenticationIV

* Wrapper type for the derived shared key

* Removed AuthToken in favour of using SharedKey for authentication

* Gateway identity keys

* Registration handshake without error mapping

* Gateway address in client config

* Added extra key for gateway presence

* Updated pemstore to work on borrows instead

* Gateway client trying to perform the handshake

* Gateway changes to allow for handshake and shared key

* Debug trait on sharedkey

* native client using updated gateway client

* Slightly updated gateway API

* Minor cleanup

* Fixed pemstore to correctly save multiple keypairs

* Gateway actually deriving shared key during handshake

* Gateway sending correct mid-handshake message

* Missing quotation mark in client config template

* Fixed template for correct shared key serialization

* Fixed gateway authentication

* Fixed tests

* Using correct gateway key when converting to sphinx node

* "get_all_clients" takes them from gateways as opposed to providers now

* cargo fmt

* Renamed pemstore methods

* Unused import

* Encryption of forward requests between client and gateway

* Updated sphinx dependency to use public revision

* Sending 'error' on handshake processing error

* Removed some dead code

* Dead code I forgot to remove before

* Extracted AckAes128Key into a struct

* Slight pemstore revamp allowing for symmetric key store

* ibid.

* PemStorableKey for SharedKey

* Introduced single location responsible for key management for client

* WIP

* Sphinx version update

* Stop using NodeAddressBytes for two distinct and confusing purposes

* Abstracting away SocketAddr from sphinx forwarding

* Passing the bool for reply surbs

* Attack plan for replies + encryption

* Comment + removed variable binding

* ReplySURB usage

* Topology import in nymsphinx

* Sphinx version update

* Changed 'Recipient' to contain client's encryption key

* Message preparation taking shape!

* reply surb also containing the encryption key

* Very initial message receiver

* Sphinx version update

* A possibly working way of receiving surbs

* Fixed incorrect field name in client config template

* camel casing all request arguments

* Renamed and moved `MessageMode` to more appropriate file

* Restored reconstruction tests

* Removed dead code from chunking

* Made rust examples compilable

* reply SURB key storage

* Replies as an InputMessage

* Forgotten commented code

* No retransmission processing for cover or replies

* Received reply processing

* Renamed client pathfinder to something more appropriate

* Made HasherOutputSize public

* Added key store path to config

* Reply surb attaching key digest when used

* Changes due to previous renaming

* Removed comment

* Fixed insert_encryption_key

* Assigning initial value of key store path

* Computing key digest with correct algorithm

* Initial and presumably temporary request serialization

* hacky way of introducing 'FragmentIdentifier' for replies

* Moved responsibility of reply encryption, padding, etc, to message preparer

* Optional recipient in try_get_valid_topology_ref

* Handling new reply surbs with acks and padding

* Updated go and python examples to include replies in text and binary cases

* Updated rust examples + binaryserverresponse

* Helpers in rust examples

* And updated JS example

* Moved shared key generation function to crypto crate

* Cover traffic encryption!

* hmac computation in crypto

* Updated aes imports due to new dependencies

* hkdf made more generic

* crypto cleanup + algorithms in params

* Clippy cleanup pass

* Generating encryption+mac shared keys between client and gateway

* MACs attached to forward requests to gateway

* Gateway messages encrypted and mac'd

* Lowered logging level

* compiler warning cleanup

* Some minor cleanup

* Generic stream cipher

* Generic shared key derivation + algorithm definitions

* Project-wide AES clean-up

* Comment fix

* Removed commented imports

* Updated comments

* Fixed topology test fixture
2020-08-07 18:16:54 +01:00
Jędrzej Stuczyński 5ef96aa241 Updated blake3 dependency to 0.3.5 (#281) 2020-07-13 12:04:25 +01:00
Jędrzej Stuczyński e849e45b12 Feature/gateway shared key generation (#272)
* Changed identity keypair to use ed25519

* Encryption key is now x25519 based + compatibiltiy with sphinx

* Pathing and import fixes

* Moved all asymmetric keys to sub-module in crypto

* Extracted aes to separate module

* kdf module in crypto

* Ability to perform diffie hellman on encryption keys

* ecdsa on identity keys

* Extremely rough and incomplete registration handshake

* Authentication primitives

* Creating new random authenticationIV

* Wrapper type for the derived shared key

* Removed AuthToken in favour of using SharedKey for authentication

* Gateway identity keys

* Registration handshake without error mapping

* Gateway address in client config

* Added extra key for gateway presence

* Updated pemstore to work on borrows instead

* Gateway client trying to perform the handshake

* Gateway changes to allow for handshake and shared key

* Debug trait on sharedkey

* native client using updated gateway client

* Slightly updated gateway API

* Minor cleanup

* Fixed pemstore to correctly save multiple keypairs

* Gateway actually deriving shared key during handshake

* Gateway sending correct mid-handshake message

* Missing quotation mark in client config template

* Fixed template for correct shared key serialization

* Fixed gateway authentication

* Fixed tests

* Using correct gateway key when converting to sphinx node

* "get_all_clients" takes them from gateways as opposed to providers now

* cargo fmt

* Renamed pemstore methods

* Unused import

* Encryption of forward requests between client and gateway

* Updated sphinx dependency to use public revision

* Sending 'error' on handshake processing error

* Removed some dead code
2020-06-30 12:01:45 +01:00
Jędrzej Stuczyński 4af5788bba Feature/limit direct sphinx dependency + remove direct curve25519 dependency from wasm client (#189)
* Initial set of re-exported sphinx types and constants

* Removed direct sphinx dependency from healthchecker

* Crypto module

* nym-client no longer needing sphinx

* All common modules

* mix-client until removed

* Sfw-provider no longer depending on sphinx crate

* Mixnode no longe depending directly on sphinx crate

* Ibid. for sfw-provider-requests

* Corrected import inside nymsphinx itself

* wasm client no longer needing direct sphinx dependency

* Required gateway change due to re-exporting constants in one place

* Missing import path changes in tests

* Removed direct dependency on curve25519 from wasm client

* Lock file changes
2020-04-20 16:59:51 +01:00
Dave Hrycyszyn 7088fb3ffc Upgraded all Sphinx commits to latest. 2020-04-15 13:08:31 +01:00
Dave Hrycyszyn 3c8aad49fc Updated all uses of ed25519-dalek to 2.0.0 so that wasm-pack build works 2020-04-09 17:20:22 +01:00