Commit Graph

2255 Commits

Author SHA1 Message Date
Jędrzej Stuczyński 996fe3fdce clippy 2026-01-13 17:09:22 +00:00
Jędrzej Stuczyński 637c29adc7 chore: allow unwrap/expect within kkt benchmarking code 2026-01-13 17:00:47 +00:00
Jędrzej Stuczyński 9b567a8483 added LP discovery into self-described endpoint:
- removed changes to the node bonding within the contract
- introduced '/api/v1/lewes-protocol' route within nym-node http api
- added 'lewes_protocol' field to 'NymNodeData' inside of NymNodeDescription
- refactored LpConfig to allow separate bind and announce addresses and used more strict typing
2026-01-13 16:55:44 +00:00
Jędrzej Stuczyński d81fbdd501 resolved clippy issues pointed out by clippy 1.91 2026-01-08 16:54:46 +00:00
Jędrzej Stuczyński 5fa1a3fc17 Integration test for nested LP registration
- move `LpTransport` trait definition to shared `nym-lp-transport` crate
- make transport layer within `LpConnectionHandler` generic with respect to the forwarding target. it must, however, use the same type as the incoming client connection
- extracted explicit `LpConnectionHandler::establish_exit_stream` to more easily modify it in the future to fully protect the channel and disallow using untrusted egress points
- fix additional log-string interpolation nits
2026-01-08 16:05:56 +00:00
Jędrzej Stuczyński 9782ca1452 Fixed generation of receiver index
removes the possible clash with the boostrap id
2026-01-08 15:53:17 +00:00
Jędrzej Stuczyński 50fc7a8fbb changed ClientHelloData serialisation
the old variant using bincode did not produce constant-length output in some cases
2026-01-08 15:53:17 +00:00
Jędrzej Stuczyński c7cb17d7cf integration test for LP entry registration
This includes creation of mocks of various gateway-related components, such as the PeerController
2026-01-08 15:53:15 +00:00
Jędrzej Stuczyński a0bb89c6b9 removed source of possible panic from nym-kkt
invalid KEM mapping will now return an Err rather than panicking
2026-01-08 15:45:17 +00:00
Jędrzej Stuczyński 7e300654b8 replaced all instances of bincode::serialize and bincode::deserialize with explicit lp_bincode_serialiser() within the LP 2026-01-08 15:45:17 +00:00
Jędrzej Stuczyński e095f6c753 random formatting 2026-01-08 15:45:16 +00:00
durch 9b54a11f4b feat(ipr): add KcpSessionManager for LP client KCP handling
- Add fetch_incoming() and recv() methods to KcpDriver for retrieving
  reassembled messages
- Create KcpSessionManager in ip-packet-router that manages KCP sessions
  keyed by conv_id (first 4 bytes of KCP packet header)
- Store ReplySurbs per session for sending anonymous replies
- Implement session timeout (5 min) and max sessions limit (10000)
- Add comprehensive tests for session lifecycle and KCP roundtrip
2026-01-08 15:45:15 +00:00
durch d9b0d5d599 Add LP mixnet mode registration with nym address return
- Extend RegistrationMode::Mixnet to include client_ed25519_pubkey
  and client_x25519_pubkey for nym address construction
- Add LpGatewayData struct containing gateway_identity and
  gateway_sphinx_key for SURB reply routing
- Add lp_gateway_data field to LpRegistrationResponse for mixnet mode
- Implement success_mixnet() constructor for mixnet registrations
- Update gateway registration to insert clients into ActiveClientsStore
  for SURB reply delivery, matching the websocket flow
2026-01-08 15:45:15 +00:00
durch 3b891fff1c Add no-mix-acks feature flag to nym-sphinx-framing
When enabled, mix nodes skip ack extraction and forwarding entirely.
The full payload (including ack portion) is returned as the message.

Closes: nym-3wrr
2026-01-08 15:45:14 +00:00
durch dd7a43dd15 Various smaller fixes 2026-01-08 15:45:14 +00:00
durch 9eb8cc2de8 Change MessageType from u16 to u32
Breaking wire protocol change: MessageType field increased from 2 bytes
to 4 bytes in LP packets. This future-proofs the message type space and
aligns with other u32 fields.

Changes:
- message.rs: #[repr(u32)], from_u32(), to_u32()
- error.rs: InvalidMessageType(u32)
- codec.rs: All serialization/deserialization updated to 4-byte msg_type
  - Cleartext parsing: inner_bytes[4..8], content at [8..]
  - AEAD parsing: decrypted[4..8], content at [8..]
  - Serialization: 4 bytes for message type
2026-01-08 15:45:14 +00:00
durch 7ebacde1fc Add negotiated_version field to LpSession
Add AtomicU8 field to store the protocol version from handshake packet
headers. Includes getter and setter methods for future version negotiation
and compatibility checks.

- negotiated_version() returns current version (defaults to 1)
- set_negotiated_version() allows setting during handshake
- Subsessions inherit version 1 (can be enhanced to inherit parent's)
2026-01-08 15:45:13 +00:00
durch bb76ff82bd Add LpConfig struct and AIDEV-NOTE documentation for KKT+PSQ
- Create config.rs with LpConfig struct (kem_algorithm, psk_ttl, enable_kkt)
- Export LpConfig from lib.rs
- Add AIDEV-NOTE to psk.rs explaining:
  - Why PSQ is embedded in Noise (single round-trip, PSK binding)
  - KEM migration path (X25519 → MlKem768 → XWing)
- Add AIDEV-NOTE to state_machine.rs explaining protocol flow:
  - KKTExchange → Handshaking → Transport state transitions
  - PSK derivation formula (ECDH || PSQ || salt)
2026-01-08 15:45:13 +00:00
durch 70311da0a6 Fix Zeroizing deref in ed25519 to_x25519 conversion
The from_bytes() function expects &[u8], need to deref the Zeroizing
wrapper to get the inner array.
2026-01-08 15:45:13 +00:00
durch bfd8eb3f2d Return Result from KCP session input() for error detection
Change KcpSession::input() to return Result<(), KcpError> so callers
can detect invalid packets instead of silently ignoring them.

- Add ConvMismatch error variant for conversation ID mismatches
- Update driver to propagate errors from session.input()
- Update all test and example callers

Closes: nym-n0kk
2026-01-08 15:45:13 +00:00
durch dcf5840b11 Zeroize Ed25519 key material in to_x25519 conversion
Wrap hash and x25519_bytes in zeroize::Zeroizing to ensure private
key material is cleared from memory after use.

Closes: nym-k55g
2026-01-08 15:45:12 +00:00
durch 9bcae469fc Increase KCP fragment limit from u8 to u16
- Change frg field from u8 to u16 in packet header (25 bytes total)
- Update encode/decode to use get_u16_le/put_u16_le
- Update Segment struct frg field to u16
- Remove truncating cast in session.rs
- Max message size now ~91MB (65,535 fragments × MTU)
- Internal protocol only, no interop concerns

Nym uses KCP for reliability and multiplexing, not standard real-time
use cases. The u8 limit (255 fragments, ~355KB) was insufficient.

Addresses: nym-yih9
2026-01-08 15:45:12 +00:00
durch 65bd47f342 Add gateway-probe localnet mode with WireGuard tunnel support
Adds localnet testing mode to gateway-probe for LP development:
- Add TestMode enum for different probe configurations
- Add --gateway-ip flag for direct gateway testing
- Implement two-hop WireGuard tunnel for localnet
- Add mock ecash support for testing without real credentials
- Add netstack Go bindings for userspace networking
- Restructure probe with mode and common modules
- Update README with localnet mode documentation
2026-01-08 15:45:12 +00:00
durch 637459b153 Add LP telescoping with nested sessions and subsession support
Extends LP protocol with telescoping architecture for nested sessions:
- Add nested session support with KKpsk0 rekeying
- Add subsession support with collision detection
- Implement unified packet format with outer header
- Refactor gateway handlers for single-packet forwarding
- Add TTL-based state cleanup for stale sessions
- Add outer AEAD encryption layer
- Refactor registration client for packet-per-connection model
2026-01-08 15:45:11 +00:00
durch 0a6f78a921 Implement LP registration protocol with KKT/PSQ integration
Initial implementation of the Lewes Protocol (LP) for gateway registration:
- Add nym-lp crate with Noise protocol handshake
- Add LP listener to gateway for handling registrations
- Add LP client for registration flow
- Integrate KKT for post-quantum KEM key exchange
- Integrate PSQ for post-quantum PSK derivation
- Add Ed25519 authentication throughout
- Add docker/localnet support for testing

Co-authored-by: Jędrzej Stuczyński <jedrzej.stuczynski@gmail.com>
2026-01-08 15:41:43 +00:00
Georgio Nicolas 539216d585 Add KKT cryptographic primitives
Post-quantum Key Encapsulation Mechanism (KEM) Key Transfer protocol.
Enables efficient distribution of post-quantum KEM public keys.

Squashed from georgio/noise-psq branch.
2026-01-08 14:20:40 +00:00
Tommy Verrall 6fb5d002e6 Merge pull request #6313 from promalert/develop
chore: remove repetitive words in comment
2026-01-08 13:25:29 +01:00
Simon Wicky 0f927e85d9 serialize gateway data (#6314) 2026-01-07 11:22:40 +01:00
promalert 09d444b78b chore: remove repetitive words in comment
Signed-off-by: promalert <promalert@outlook.com>
2026-01-07 16:47:40 +08:00
Simon Wicky d08da7f998 [bugfix] Sqlite transaction escalation was causing errors (#6299)
* well that was an easy fix

* change fn name because somebody wasn't happy about my one line fix
2025-12-18 16:53:33 +01:00
Jack Wampler ae54e86bf4 add pre-resolve stage that returns addrs if we have used static table previously (#6297) 2025-12-17 09:06:43 -07:00
Andrej Mihajlov 177fbaec99 Add Copy+Clone to nym_client_core::client::topology_control::nym_api_provider::Config (#6296) 2025-12-17 10:00:40 +00:00
Simon Wicky 892341fa59 [chore] clippy fixes and use fixed rust version from REQUIRED_RUSTC_VERSION (#6295)
* clippy fix part 1

* use REQUIRED_RUSTC_VERSION instead of stable

* workflow fix

* forgot latest
2025-12-16 13:53:45 +01:00
Jack Wampler 35fc4bdb61 remove jit resolve in http client & slight increase to dns timeouts (#6283) 2025-12-12 07:50:34 -07:00
Andrej Mihajlov 1c82ff5df3 DNS: reduce number of attempts (#6278)
* Define configure_and_build_resolver as infallible

* Use ResolverOpts to build builder

* Set retry attempts to 0
2025-12-11 15:55:52 -07:00
Jack Wampler 9ecbdfc3af fix issues with using the http client using default-features=false (#6281) 2025-12-10 11:54:24 -07:00
Jack Wampler d7a7bbe525 DNS resilience patch (#6267) (#6279)
* shared resolver static init, ipv4 only by default, nameserver list

* add fn to run a trial resolution with each nameserver and log results
2025-12-10 14:05:16 +01:00
Drazen Urch c17a205ada Inline closures, no randomness for http-client-macro (#6273)
* Inline closures, no randomness

* Fix cfg usage
2025-12-09 18:45:17 +01:00
Simon Wicky 8383a35352 use proper mixing delay instead of poisson delay in cover traffic (#6269) 2025-12-04 15:00:35 +01:00
Simon Wicky 50bc3babb7 [Stats API] Active device endpoint and exit country code (#6265)
* active_device endpoint and exit_cc in report

* bump stats API version

* stats API version in lockflie

* migration changes
2025-12-04 11:00:51 +01:00
Simon Wicky 46268edf9c [Feature] Fallback gateway listener and remove legacy key support (#6249)
* one commit to rule them all

* remove too aggressive copy pasting

* update details when outdated

* typo and serde alias

* no hostname option and fixes

* fix wasm client?

* non fallback fixed

* improve gateway details update

* better ws addresses

* PR review fixes

* improve type safety on update_gateway_published_data

* fix client gateway storage migration
2025-12-03 09:49:23 +01:00
Mark Sinclair f2091cc9d6 Data Observatory (#6172)
* rename nyxd-scraper to sqlite

wip: made storage mostly generic minus modules

changed error types to make modules dyn compatible

implemented traits for sqlite instance

using sqlite instance for rewarder and chain watcher

psql scaffolding

initial postgres support - missing some proto -> json parsing

use postgres in chain scraper

added message registry to block processor

message content parsing in psql

involved addresses

adding null value for logs

Revert "use postgres in chain scraper"

This reverts commit 83c84bfd2d.

using SignerInfo proto definitions for db serialisation

added ibc messages to MessageRegistry

* add the data observatory

* add the data observatory

* move message parsing and change webhook

* handle wasm messages in a module

* formatting and clippy

* copy shared migrations and add comments to ignore file to explain

* update offline queries

* change to clap args and use url::Url to parse args

* tidy up README, startup info, typos

* tidy up validator rewarder

* lock file

* change webhook module from msg to tx handler

* ignore profiler output

* add missing things and make clippy happy

* updated cosmrs version used by the nym wallet

* add glob to workspace dependencies

* rename migration files

* remove copying from shared migrations

* duplicate shared migrations to keep things simple

* add check for manual migration sync that will fail on `cargo build` in CI

* build.rs checks data observatory migrations have content of all shared scraper migrations and errors on changes or new files

* update runner

* add reset target to make file

* process events and logs

* migrations - remove unnecessary columns

* update offline queries

* chore: run cargo fmt

* fix up: inpsect_err instead of map_err

---------

Co-authored-by: Jędrzej Stuczyński <jedrzej.stuczynski@gmail.com>
Co-authored-by: Mark Sinclair <mmsinclair@users.noreply.github.com>
Co-authored-by: benedettadavico <benedetta.davico@gmail.com>
2025-12-02 21:27:22 +00:00
Jędrzej Stuczyński f5d22a66f6 bugfix: reexposed 'derive_extended_private_key' (#6247) 2025-11-27 10:28:53 +00:00
Jędrzej Stuczyński ca7cbac320 chore: don't rederive wallet keys on every tx (#6213)
* chore: make 'DirectSecp256k1HdWallet' only derive its keys once on construction

Previously all the keys and account information was being derived for every transaction signed

* no longer keep account seed on the wallet struct
2025-11-26 10:45:01 +00:00
Simon Wicky 6eb8f29235 Statistics API v2 (#6227)
* vpn client report v2

* report v2 support in nym-stats API

* version bump

* CI fix while we're at it

* more CI fix

* needed the dind after all

* PR comments
2025-11-25 13:16:31 +01:00
Jędrzej Stuczyński 440aadf124 chore: updated default endpoint for retrieving attestation.json (#6207) 2025-11-14 15:04:51 +00:00
Jędrzej Stuczyński d126d8e5a0 feat: upgrade mode: VPN adjustments (#6189)
* placeholder handling of wg registration with upgrade mode token

* include upgrade mode credentials as part of credential storage

* introduce helper for decoding JWT payload

* expose methods for removing emergency credentials from the storage

* don't allow duplicate emergency credentials with the same content

* added authenticator ClientMessage for upgrade mode check

* retrieve credentials with longest expiration first

* post rebasing fixes

* fixed gateway config

* feat: allow specifying minimum node performance for client init

* nym-node UM improvements

* fixed upgrade mode bandwidth on initial authentication

* fix: logs and thresholds

* expose attestation information from nym-node http api

* additional logs

* post rebasing fixes

* make @simonwicky happy by removing empty lines in emergency_credential table definition

* chore: remove '_' prefix for internal counters within in-mem ecash storage

* improved import of 'UpgradeModeState' within the nym-node

* use explicit time dependency within credential-storage

* re-order imports within the gateway-client

* moved 'AvailableBandwidth' definition to the monorepo
2025-11-14 13:34:36 +00:00
Jędrzej Stuczyński 6b2bb3029b feat: merge intermediate upgrade mode changes (#6174)
* squashing feat: merge intermediate upgrade mode changes #6174 to more easily resolve merge conflicts during rebasing

added additional v2 query for metadata endpoint for requesting upgrade mode recheck

added additional message to v6 authenticator to request explicit upgrade mode recheck

clippy

test fixes due to updated keys

updated assertion for upgrading v1 top up request to v2

compare attester public key against the expected value within the credential proxy

use pre-generated attestation public keys within nym-nodes

remove version deprecation

bugfix: default bandwidth response for authenticator

expose upgrade mode information in authenticator responses

adding tests for new v2 server

passing upgrade mode information in metadata endpoint

v2 wireguard private metadata

bugfix: make sure to immediately poll for attestation after spawning task

fix gateway probe and remove code duplication for finalizing registration

squashing before rebasing

post rebasing fixes

AuthenticatorVersion helpers

additional nits

allow unwraps in mocks

fixed linux build

clippy

integrating upgrade mode into authenticator

fixed build after adding wrappers to response types

conditionally updating peer handle bandwidth

cleanup

negotiate initial protocol during registration

change auth to use highest protocol

handler for JWT message

dont meter client bandwidth in upgrade mode

handling recheck requests

sending information about upgrade_mode on client messages

gateway watching for upgrade mode attestation

wip: gateways to disable bandwidth metering on upgrade mode

* fixed ServerResponse deserialisation

* fixed incorrect swagger path for upgrade mode check endpoint

* moved upgrade mode endpoint out of bandwidth routes

* chore: remove unused error variant

* removed re-export of UpgradeModeAttestation from credentials-interface

* chore: define single source of truth for minimum bandwidth threshold value

* moved type definitions out of traits.rs

* updated v6 versioning to point to niolo release instead

* fixed incorrect error mapping
2025-11-14 13:13:15 +00:00
Jędrzej Stuczyński 350d244032 bugfix: fix credential proxy upgrade mode attestation url arg (#6202)
this includes bringing over changes introduced in #6174
2025-11-14 08:19:21 +00:00
Jack Wampler 17ca000782 HTTP API resilience enable & domain rotation conditions (#6200)
* http url fallback conditions

* include changes and tests for fronted

* Allow for explicit DNS error Handling in HTTP client  (#6201)

when sending http reqs add manual DNS so we can handle errors directly

* Address PR nits

---------

Co-authored-by: durch <durch@users.noreply.github.com>
2025-11-14 08:59:36 +01:00