lo/libsoliton
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

initial commit
Some checks failed
CI / lint (push) Successful in 1m37s
Details
CI / test-python (push) Successful in 1m49s
Details
CI / test-zig (push) Successful in 1m39s
Details
CI / test-wasm (push) Successful in 1m54s
Details
CI / test (push) Successful in 14m44s
Details
CI / miri (push) Successful in 14m18s
Details
CI / build (push) Successful in 1m9s
Details
CI / fuzz-regression (push) Successful in 9m9s
Details
CI / publish (push) Failing after 1m10s
Details
CI / publish-python (push) Failing after 1m46s
Details
CI / publish-wasm (push) Has been cancelled
Details

Browse source 
Signed-off-by: Kamal Tufekcic <kamal@lo.sh>
This commit is contained in:
Kamal Tufekcic 2026-04-02 23:48:10 +03:00
commit 1d99048c95
No known key found for this signature in database
165830 changed files with 79062 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

146
.config/nextest.toml Normal file
View file

@ -0,0 +1,146 @@
# Nextest configuration for libsoliton workspace.
#
# Profiles:
# default — runs all tests normally
# miri — runs only PQ-free tests (safe for MIRI's instruction-level
# interpretation; PQ operations like ML-KEM/ML-DSA are tested
# upstream by the ml-kem and ml-dsa crates under their own MIRI)
[profile.default]
# Default profile — all tests, no special configuration.
[profile.default.junit]
path = "target/nextest/default/junit.xml"
[profile.miri]
# MIRI profile: skip tests that are impractical under MIRI's instruction-level
# interpreter. Three categories are excluded:
#
# 1. PQ crypto (ML-KEM, ML-DSA, X-Wing keygen/encap/decap) — 2-18 min each;
# memory safety tested upstream by ml-kem/ml-dsa crate MIRI runs.
# 2. zstd compression (C FFI) — MIRI cannot call foreign function ZSTD_createCCtx.
# 3. Proptest / iteration-heavy tests — hundreds of iterations are wasteful
# under MIRI; a single iteration already validates UB.
#
# Included (~408 tests):
# libsoliton (~184):
# random (4), sha3_256 (6), hmac (12), hkdf (10), aead (11), argon2 (18),
# x25519 (8), ed25519 (9), xwing combiner/label/from_bytes (9), call (18),
# storage (33, excluding 3 zstd-dependent + 2 proptests + 1 ignored),
# constants (2), streaming (22 — empty/error-path/pure-math + 7 small-data
# MIRI variants; full-chunk tests use 1 MiB AEAD which exceeds MIRI timeout),
# ratchet/11 (decode_optional_bytes_zero_length_rejected,
# all_default_rejected_by_root_key_check,
# all_default_structural_invariant_rejected,
# recv_seen_cap_in_blob, kdf_msg_key_kat,
# kdf_msg_key_different_counters_produce_different_keys,
# kdf_msg_key_different_epochs_produce_different_keys,
# kdf_root_kat, nonce_from_counter_values, from_bytes_wrong_sized_xwing_sk,
# reset_zeroes_all_fields),
# identity from_bytes/3 (public key, secret key, hybrid signature),
# kex/8 (kex_derivation_kat: from_bytes + HKDF only, no keygen/encap;
# decode_session_init_*: pure parser, zeroed key bytes, no PQ ops)
# libsoliton_capi (~262):
# All error-path and PQ-free happy-path CAPI tests. Covers null-pointer
# guards, output-zeroing, co-presence guards, and safe round-trips
# (aead, sha3_256, hmac, hkdf, argon2id, ratchet PQ-free, storage w/o zstd,
# xwing length-only, verification phrase, streaming). Storage tests use
# compress=false to avoid the zstd C FFI. Streaming uses ruzstd (pure Rust).
#
# Excluded:
# libsoliton:
# PQ-dependent modules: mlkem, mldsa, xwing keygen/round-trip/proptest,
# identity, auth, most kex, ratchet, verification, integration_kex_ratchet,
# integration_storage (absent from positive filter; would also fail via zstd C FFI)
# zstd FFI: encrypt_decrypt_compressed, empty_plaintext_both_modes,
# invalid_compressed_data
# streaming full-chunk (1 MiB AEAD per test, exceeds MIRI timeout):
# all tests using chunk_plaintext() / multi-chunk encrypt-decrypt
# Iteration-heavy: proptest_derive_round_trip, proptest_round_trip,
# round_trip_large_plaintext, sign_bit_normalization,
# boundary_t_cost_accepted, boundary_p_cost_accepted, advance_multiple_steps
# zeroize_verify tests (use xwing keygen/encapsulate — PQ-heavy)
# header_up_to_date (spawns cbindgen subprocess — MIRI cannot exec)
# libsoliton_capi:
# pq::* in binary libsoliton_capi::capi_tests — xwing/identity/auth/kex PQ round-trips
# streaming full-chunk CAPI tests (1 MiB AEAD): capi_stream_round_trip_*,
# capi_stream_random_access, stream_decrypt_chunk_out_too_small,
# stream_decrypt_chunk_zeros_output_on_failure, stream_decrypt_expected_index_increments
#
# Usage:
# MIRIFLAGS="-Zmiri-disable-isolation" cargo +nightly miri nextest run \
# -p libsoliton -p libsoliton_capi --profile miri -j$(nproc)
default-filter = """
(
test(/^primitives::random::/)
| test(/^primitives::sha3_256::/)
| test(/^primitives::hmac::/)
| test(/^primitives::hkdf::/)
| test(/^primitives::aead::/)
| test(/^primitives::argon2::/)
| test(/^primitives::x25519::/)
| test(/^primitives::ed25519::/)
| test(/^primitives::xwing::tests::combiner_/)
| test(/^primitives::xwing::tests::label_/)
| test(/^primitives::xwing::tests::encapsulate_wrong/)
| test(/^primitives::xwing::tests::decapsulate_wrong/)
| test(/^primitives::xwing::tests::sk_from_bytes/)
| test(/^call::/)
| test(/^storage::/)
| test(/^constants::/)
| test(/^ratchet::tests::decode_optional_bytes_zero_length_rejected$/)
| test(/^ratchet::tests::all_default_rejected/)
| test(/^ratchet::tests::recv_seen_cap_in_blob$/)
| test(/^ratchet::tests::kdf_msg_key_kat$/)
| test(/^ratchet::tests::kdf_msg_key_different_counters_produce_different_keys$/)
| test(/^ratchet::tests::kdf_msg_key_different_epochs_produce_different_keys$/)
| test(/^ratchet::tests::kdf_root_kat$/)
| test(/^ratchet::tests::nonce_from_counter_values$/)
| test(/^ratchet::tests::from_bytes_wrong_sized_xwing_sk_returns_invalid_data$/)
| test(/^ratchet::tests::reset_zeroes_all_fields$/)
| test(/^identity::tests::identity_public_key_from_bytes_wrong_size$/)
| test(/^identity::tests::identity_secret_key_from_bytes_wrong_size$/)
| test(/^identity::tests::hybrid_signature_from_bytes_wrong_size$/)
| test(/^kex::tests::kex_derivation_kat$/)
| test(/^kex::tests::decode_session_init_/)
| test(/^streaming::tests::encrypt_decrypt_empty_file$/)
| test(/^streaming::tests::encrypt_after_finalization$/)
| test(/^streaming::tests::decrypt_after_finalization$/)
| test(/^streaming::tests::chunk_too_short$/)
| test(/^streaming::tests::uncompressed_non_final_wrong_ciphertext_size$/)
| test(/^streaming::tests::compression_bypassed_for_empty_final$/)
| test(/^streaming::tests::decrypt_init_wrong_version$/)
| test(/^streaming::tests::decrypt_init_version_0x02$/)
| test(/^streaming::tests::decrypt_init_reserved_flags$/)
| test(/^streaming::tests::nonce_uniqueness_/)
| test(/^streaming::tests::nonce_injectivity$/)
| test(/^streaming::tests::base_nonce_freshness$/)
| test(/^streaming::tests::nonce_derivation_kat$/)
| test(/^streaming::tests::aad_construction_kat$/)
| test(/^streaming::tests::header_construction_kat$/)
| test(/^streaming::tests::miri_/)
| binary_id(/^libsoliton_capi::capi_tests$/)
)
- test(/proptest/)
- test(/round_trip_large_plaintext/)
- test(/sign_bit_normalization/)
- test(/^storage::tests::encrypt_decrypt_compressed$/)
- test(/^storage::tests::empty_plaintext_both_modes$/)
- test(/^storage::tests::invalid_compressed_data$/)
- (test(/^pq::/) & binary_id(/^libsoliton_capi::capi_tests$/))
- test(/^capi_stream_round_trip/)
- test(/^capi_stream_random_access$/)
- test(/^stream_decrypt_chunk_out_too_small$/)
- test(/^stream_decrypt_chunk_zeros_output_on_failure$/)
- test(/^stream_decrypt_expected_index_increments$/)
- test(/concurrent_access_detected/)
- test(/^primitives::argon2::tests::boundary_t_cost_accepted$/)
- test(/^primitives::argon2::tests::boundary_p_cost_accepted$/)
- test(/^call::tests::advance_multiple_steps$/)
- test(/^header_up_to_date$/)
"""
[[profile.miri.overrides]]
# MIRI is slow even for lightweight tests — extend timeout.
filter = "all()"
slow-timeout = { period = "60s", terminate-after = 4 }

198
.forgejo/workflows/ci.yml Normal file
View file

@ -0,0 +1,198 @@
name: CI
on:
push:
branches: [main]
tags: ['v*']
pull_request:
env:
CARGO_TERM_COLOR: always
RUSTFLAGS: "-D warnings"
jobs:
lint:
runs-on: lo-runner
steps:
- uses: actions/checkout@v6.0.2
- name: cargo fmt
run: cargo +nightly fmt --all --check
- name: cargo clippy
run: cargo +nightly clippy --all-targets --all-features --message-format=short
- name: cargo doc (no deps)
run: cargo +nightly doc --no-deps --document-private-items
env:
RUSTDOCFLAGS: "-D warnings"
- name: cargo audit
run: cargo audit
test:
runs-on: lo-runner
steps:
- uses: actions/checkout@v6.0.2
- name: cargo test (core + CAPI, including ignored)
run: cargo test -p libsoliton -p libsoliton_capi -- --include-ignored
test-python:
runs-on: lo-runner
steps:
- uses: actions/checkout@v6.0.2
- name: Set up Python venv
run: |
python3 -m venv .venv
. .venv/bin/activate
pip install maturin pytest
- name: Build and install soliton-python
working-directory: soliton_py
run: |
. ../.venv/bin/activate
maturin develop
- name: Run pytest
working-directory: soliton_py
run: |
. ../.venv/bin/activate
pytest tests/ -v
test-zig:
runs-on: lo-runner
steps:
- uses: actions/checkout@v6.0.2
- name: Build libsoliton_capi (release)
run: cargo build --release -p libsoliton_capi
- name: Run Zig tests
working-directory: soliton_zig
run: zig build test
env:
LD_LIBRARY_PATH: ${{ github.workspace }}/target/release
test-wasm:
runs-on: lo-runner
steps:
- uses: actions/checkout@v6.0.2
- name: Build WASM package
working-directory: soliton_wasm
run: wasm-pack build --target bundler
- name: Install dependencies
working-directory: soliton_wasm
run: bun install
- name: Run Node tests
working-directory: soliton_wasm
run: bunx vitest run
- name: Install Playwright
working-directory: soliton_wasm
run: bunx playwright install chromium
- name: Run browser tests
working-directory: soliton_wasm
run: bunx vitest run --config vitest.browser.config.js
miri:
runs-on: lo-runner
steps:
- uses: actions/checkout@v6.0.2
- name: MIRI test suite
run: |
MIRIFLAGS="-Zmiri-disable-isolation" cargo +nightly miri nextest run \
-p libsoliton -p libsoliton_capi --profile miri -j$(nproc)
env:
RUSTFLAGS: ""
fuzz-regression:
runs-on: lo-runner
steps:
- uses: actions/checkout@v6.0.2
with:
lfs: true
- name: Generate seed corpus
run: cd soliton/fuzz && cargo +nightly run --bin gen_corpus --quiet
- name: Corpus regression (all targets)
run: ./ci_regression.sh
build:
runs-on: lo-runner
steps:
- uses: actions/checkout@v6.0.2
- name: cargo build --release
run: cargo build --release -p libsoliton -p libsoliton_capi
publish:
needs: [lint, test, test-python, test-zig, test-wasm, miri, fuzz-regression, build]
runs-on: lo-runner
if: startsWith(github.ref, 'refs/tags/v')
steps:
- uses: actions/checkout@v6.0.2
- name: Publish libsoliton
run: cargo publish -p libsoliton
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
- name: Wait for crates.io indexing
run: sleep 30
- name: Publish libsoliton_capi
run: cargo publish -p libsoliton_capi
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
publish-python:
needs: [lint, test, test-python, test-wasm, miri, fuzz-regression, build]
runs-on: lo-runner
if: startsWith(github.ref, 'refs/tags/v')
steps:
- uses: actions/checkout@v6.0.2
- name: Set up Python venv
run: |
python3 -m venv .venv
. .venv/bin/activate
pip install maturin
- name: Build wheel
working-directory: soliton_py
run: |
. ../.venv/bin/activate
maturin build --release
- name: Publish to PyPI
working-directory: soliton_py
run: |
. ../.venv/bin/activate
maturin publish
env:
MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
publish-wasm:
needs: [lint, test, test-wasm, miri, fuzz-regression, build]
runs-on: lo-runner
if: startsWith(github.ref, 'refs/tags/v')
steps:
- uses: actions/checkout@v6.0.2
- name: Build WASM package
working-directory: soliton_wasm
run: wasm-pack build --target bundler
- name: Publish to Forgejo npm registry
working-directory: soliton_wasm/pkg
run: |
echo '//git.lo.sh/api/packages/lo/npm/:_authToken=${{ secrets.BUN_TOKEN }}' > .npmrc
bun publish --access public --registry ${{ github.server_url }}/api/packages/lo/npm/

4
.gitattributes vendored Normal file
View file

@ -0,0 +1,4 @@
# Fuzz corpus files — stored in Git LFS to keep clone size small.
# Contributors without corpus can generate seeds via: cargo run --bin gen_corpus
soliton/fuzz/corpus/** filter=lfs diff=lfs merge=lfs -text
soliton_capi/fuzz/corpus/** filter=lfs diff=lfs merge=lfs -text

38
.gitignore vendored Normal file
View file

@ -0,0 +1,38 @@
.DS_Store
._*
.vscode/
.idea/
*.iml
*.sublime-project
*.sublime-workspace
/target/
**/target/
**/*.rs.bk
CMakeCache.txt
CMakeFiles/
cmake_install.cmake
cmake-build-*/
*.log
/fuzz_logs/
__pycache__/
*.pyc
*.pyo
*.egg-info/
dist/
*.whl
.pytest_cache/
.zig-cache/
# wasm-pack output (rebuilt on demand)
soliton_wasm/pkg/
node_modules/
package-lock.json
yarn.lock
pnpm-lock.yaml
bun.lock

4072
Abstract.md Normal file
View file

File diff suppressed because it is too large Load diff

BIN
Abstract.pdf Normal file
View file

Binary file not shown.

2353
CHEATSHEET.md Normal file
View file

File diff suppressed because it is too large Load diff

1812
Cargo.lock generated Normal file
View file

File diff suppressed because it is too large Load diff

72
Cargo.toml Normal file
View file

@ -0,0 +1,72 @@
[workspace]
resolver = "3"
members = [
"soliton",
"soliton_capi",
"soliton_py",
"soliton_wasm",
"soliton_cli",
]
default-members = [
"soliton",
"soliton_capi",
]
[workspace.package]
version = "0.1.0"
edition = "2024"
rust-version = "1.85"
license = "AGPL-3.0-only"
repository = "https://git.lo.sh/lo/libsoliton"
homepage = "https://lo.sh"
authors = ["LO Contributors"]
description = "Cryptographic library for the LO protocol"
categories = ["cryptography"]
keywords = ["post-quantum", "hybrid-encryption", "x-wing", "ed25519", "double-ratchet"]
[workspace.dependencies]
libsoliton = { path = "soliton", version = "0.1.0" }
zeroize = { version = "=1.8.2", features = ["derive"] }
thiserror = "=2.0.18"
subtle = "=2.6.1"
# ChaCha20-Poly1305 key is a flat 256-bit value (no expanded key schedule like
# AES). The cipher is constructed per-operation from a 32-byte key reference
# and does not store persistent key material — zeroization of the key is
# handled by the caller (Zeroizing<[u8; 32]> wrappers in ratchet/storage).
#
# chacha20poly1305 enables chacha20/zeroize but not poly1305/zeroize.
# The poly1305 entry below activates zeroization of the Poly1305 universal
# hash state (the r,s key and accumulator) after each AEAD operation.
chacha20poly1305 = { version = "=0.10.1", default-features = false, features = ["alloc"] }
poly1305 = { version = "=0.8.0", features = ["zeroize"] }
# All panics must abort — libsoliton_capi exposes extern "C" functions,
# and unwinding across FFI boundaries is UB. panic=abort converts all
# panics (including keygen/sign assert_eq! guards) into well-defined
# process aborts.
#
# NOTE: Cargo overrides panic=abort to panic=unwind for the test profile
# (required by the standard test harness for #[should_panic]). CAPI code
# under test can therefore unwind across FFI boundaries — this is
# technically UB but only affects test builds, not production.
[profile.release]
panic = "abort"
lto = true
codegen-units = 1
overflow-checks = true
[profile.dev]
panic = "abort"
overflow-checks = true
# Bench profile inherits release optimizations. debug-assertions = true is
# required because dev-dependencies activate the `test-utils` feature
# (needed for integration tests), and `test-utils` has a compile_error guard
# that fires under `all(feature = "test-utils", not(debug_assertions))`. The
# bench target does not use any test-utils APIs — the flag only disarms the
# compile_error. The crypto benchmarks are dominated by KEM / AEAD operations
# for which the overhead of debug assertions is negligible.
[profile.bench]
inherits = "release"
debug-assertions = true

661
LICENSE.md Normal file
View file

@ -0,0 +1,661 @@
GNU AFFERO GENERAL PUBLIC LICENSE
Version 3, 19 November 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU Affero General Public License is a free, copyleft license for
software and other kinds of works, specifically designed to ensure
cooperation with the community in the case of network server software.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
our General Public Licenses are intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
Developers that use our General Public Licenses protect your rights
with two steps: (1) assert copyright on the software, and (2) offer
you this License which gives you legal permission to copy, distribute
and/or modify the software.
A secondary benefit of defending all users' freedom is that
improvements made in alternate versions of the program, if they
receive widespread use, become available for other developers to
incorporate. Many developers of free software are heartened and
encouraged by the resulting cooperation. However, in the case of
software used on network servers, this result may fail to come about.
The GNU General Public License permits making a modified version and
letting the public access it on a server without ever releasing its
source code to the public.
The GNU Affero General Public License is designed specifically to
ensure that, in such cases, the modified source code becomes available
to the community. It requires the operator of a network server to
provide the source code of the modified version running there to the
users of that server. Therefore, public use of a modified version, on
a publicly accessible server, gives the public access to the source
code of the modified version.
An older license, called the Affero General Public License and
published by Affero, was designed to accomplish similar goals. This is
a different license, not a version of the Affero GPL, but Affero has
released a new version of the Affero GPL which permits relicensing under
this license.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU Affero General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Remote Network Interaction; Use with the GNU General Public License.
Notwithstanding any other provision of this License, if you modify the
Program, your modified version must prominently offer all users
interacting with it remotely through a computer network (if your version
supports such interaction) an opportunity to receive the Corresponding
Source of your version by providing access to the Corresponding Source
from a network server at no charge, through some standard or customary
means of facilitating copying of software. This Corresponding Source
shall include the Corresponding Source for any work covered by version 3
of the GNU General Public License that is incorporated pursuant to the
following paragraph.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the work with which it is combined will remain governed by version
3 of the GNU General Public License.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU Affero General Public License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU Affero General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU Affero General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU Affero General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If your software can interact with users remotely through a computer
network, you should also make sure that it provides a way for users to
get its source. For example, if your program is a web application, its
interface could display a "Source" link that leads users to an archive
of the code. There are many ways you could offer source, and different
solutions will be better for different programs; see section 13 for the
specific requirements.
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU AGPL, see
<https://www.gnu.org/licenses/>.

155
README.md Normal file
View file

@ -0,0 +1,155 @@
# libsoliton
Pure-Rust post-quantum cryptographic library. Provides composite identity keys (X-Wing + ML-DSA-65), hybrid signatures, KEM-based authentication, asynchronous key exchange, double-ratchet message encryption, and encrypted storage — all without a C toolchain.
**Use cases:** any application requiring two-party encrypted communication or authenticated key agreement — messaging, voice/video calls, peer-to-peer sessions, file transfer, encrypted storage, zero-knowledge authentication, password-protected key vaults. The library provides the complete primitive stack; the application layer decides the transport and session management.
## Documentation
| Document | Description |
|----------|-------------|
| [Abstract.md](Abstract.md) | Security analysis specification — adversary model, theorems, and verification targets for formal modeling |
| [Specification.md](Specification.md) | Full cryptographic specification (v1) |
| [CHEATSHEET.md](CHEATSHEET.md) | API quick reference with types, sizes, and signatures |
## Crate Layout
| Package | Path | Purpose |
|---------|------|---------|
| `libsoliton` (crates.io) | `soliton/` | Core library — all cryptographic logic |
| `libsoliton_capi` (crates.io) | `soliton_capi/` | C ABI FFI layer (cbindgen-generated header) |
| `soliton` (PyPI) | `soliton_py/` | Python binding (PyO3/maturin, wraps core Rust API) |
| `soliton-wasm` (npm) | `soliton_wasm/` | WASM binding (wasm-bindgen, wraps core Rust API) |
| `soliton-cli` (cargo) | `soliton_cli/` | Native CLI (`cargo install soliton-cli`) |
| `soliton_zig` | `soliton_zig/` | Zig wrapper (consumes CAPI via `@cImport`) |
## Testing
**By location** (non-overlapping — these add up to the total):
| Location | Count | Description |
|----------|-------|-------------|
| Core unit tests | 488 | `soliton/src/**/` `#[cfg(test)]` — unit tests + proptests |
| Core integration tests | 61 | `soliton/tests/` — KEX → ratchet, storage round-trips, argon2, zeroization verification, Appendix F vectors |
| CAPI tests | 287 | `soliton_capi/tests/` — null pointers, invalid lengths, round-trips, error codes |
| Python tests | 49 | `soliton_py/tests/` — full KEX → ratchet round-trip, serialize, reset, call keys, storage, streaming (_at), auth, identity, primitives |
| Zig tests | 35 | `soliton_zig/src/soliton.zig` — full KEX → ratchet round-trip, serialize, reset, call keys, storage, streaming (_at), auth, AEAD, X-Wing, argon2id |
| WASM tests | 36 | `soliton_wasm/tests/` — full KEX → ratchet lifecycle, serialize/deserialize, call keys, storage, streaming (_at), auth, identity, primitives, argon2id (Node + Chromium) |
| Fuzz targets | 36 | `*/fuzz/fuzz_targets/` — 29 core + 7 CAPI (`cargo-fuzz` / libFuzzer) |
**Cross-cutting** (subsets of the above):
| Property | Count | Subset of | Description |
|----------|-------|-----------|-------------|
| MIRI-eligible | 455 | core + CAPI | PQ-free subset safe for instruction-level interpretation (`--profile miri`) |
| KAT vectors | 27 | core unit + integration | 17 in `src/**/` `#[cfg(test)]` — SHA3-256, HMAC-SHA3-256, HKDF-SHA3-256, Ed25519, X25519, X-Wing, AEAD, KDF, KEX, streaming, call; 10 in `tests/compute_vectors.rs` — Specification.md Appendix F vectors F.25-F.37 (HKDF, AEAD, HybridSign, streaming, Argon2, HMAC long-key, first-message AAD, SPK sig, session-init sig, LO-Auth) |
```bash
# Full test suite
cargo test -p libsoliton -p libsoliton_capi
# MIRI (requires nightly)
MIRIFLAGS="-Zmiri-disable-isolation" cargo +nightly miri nextest run \
-p libsoliton -p libsoliton_capi --profile miri -j$(nproc)
# Fuzzing — corpus regression (replays all seeds, no mutations, fast)
./ci_regression.sh
# Fuzzing — overnight campaign (all active targets in parallel)
./fuzz_overnight.sh 24 2 # 24 hours, 2 workers per target
./fuzz_stats.sh # Post-run summary
```
## Fuzzing
36 fuzz targets (29 core + 7 CAPI) with two corpora (core: `soliton/fuzz/corpus/`, CAPI: `soliton_capi/fuzz/corpus/`) totaling 165,540 entries (883 MB). All corpora are checked in via Git LFS; `ci_regression.sh` replays every seed with zero mutations as a CI regression gate.
**Excluded targets** — 5 of 36 are excluded from overnight campaigns after saturation analysis. All reachable edges were discovered; additional CPU time yields no new coverage. These targets retain their corpora and run in `ci_regression.sh`.
| Target | Corpus | Edges | Reason |
|---|---|---|---|
| `fuzz_identity_from_bytes` | 84 | 107 | 3 length checks only |
| `fuzz_auth_verify` | ~15 | 88 | Single `ct_eq` call |
| `fuzz_xwing_roundtrip` | 7 | 763 | No adversarial input (keygen→encap→decap) |
| `fuzz_verification_phrase` | 29 | 88 | SHA3→wordlist index, trivial surface |
| `fuzz_auth_respond` | 4 | 1573 | Single KEM decap→HMAC, no branching on input |
**Latest campaign** — 31 targets (24 core + 7 CAPI), 1 libFuzzer worker per target, Hetzner CCX53 (32 vCPUs, AMD EPYC, 128 GB RAM), 24 hours.
| Metric | Value |
|---|---|
| **Total targets** | 36 (29 core + 7 CAPI) |
| **Active in campaign** | 31 |
| **Total executions** | 574.6 billion |
| **Corpus** | 165,540 entries (883 MB) |
| **Crashes / Timeouts / OOM** | **0 / 0 / 0** |
The state-machine fuzzer (`fuzz_ratchet_state_machine`) performs full cryptographic sessions with up to 200 protocol actions per execution (KEM, AEAD, HKDF, HMAC per message) — 12,714 coverage features, the highest of any target.
```bash
./ci_regression.sh # Replay all seeds — fast, runs in CI
./fuzz_overnight.sh 24 1 # 31 active targets, 24 hours, 1 worker each
./fuzz_stats.sh # Per-target breakdown (edges, features, throughput, RSS)
```
## Benchmarks
Measured with `cargo +nightly bench` across three platforms. ML-DSA-65, SHA3-256, and Keccak do not have SIMD implementations in the current RustCrypto crates — expect these numbers to improve as upstream adds platform-specific optimizations. All operations are pure ARX or field arithmetic; no hardware acceleration is required.
**Platform support:** Tested on x86-64, aarch64, riscv64gc, and wasm32. 32-bit native platforms are untested and unsupported — the library uses `u64` extensively and the PQ primitives have non-trivial stack requirements.
| Platform | CPU | Arch | Clock |
|----------|-----|------|-------|
| **Desktop** | AMD Ryzen 7 7840HS | x86-64 (Zen 4) | ~5.1 GHz boost |
| **RPi 5** | Cortex-A76 | aarch64 | 2.4 GHz |
| **VisionFive 2** | SiFive U74 | riscv64gc | 1.5 GHz |
**Per-message hot paths** (what users feel on every send/receive):
| Operation | Desktop | RPi 5 | VisionFive 2 | Notes |
|-----------|---------|-------|-------------|-------|
| Ratchet encrypt (same epoch) | 4.3 µs | 7.2 µs | 47.6 µs | HMAC-SHA3-256 + XChaCha20-Poly1305 |
| Ratchet decrypt (same epoch) | 6.2 µs | 10.1 µs | 67.5 µs | Includes `from_bytes` deserialization |
| KDF root (isolated) | 5.7 µs | 9.2 µs | 59.5 µs | HKDF-SHA3-256, 64-byte output |
| Ratchet serialize | 1.6 µs | 6.1 µs | 38.1 µs | `to_bytes` |
| Ratchet deserialize | 0.7 µs | 2.7 µs | 17.8 µs | `from_bytes_with_min_epoch` |
**Direction-change paths** (one KEM round-trip per direction switch):
| Operation | Desktop | RPi 5 | VisionFive 2 | Notes |
|-----------|---------|-------|-------------|-------|
| Ratchet encrypt (direction change) | 182 µs | 651 µs | 2.46 ms | X-Wing keygen + encapsulate + KDF |
| Ratchet decrypt (direction change) | 127 µs | 473 µs | 1.76 ms | X-Wing decapsulate + KDF |
**Session establishment** (one-time per conversation):
| Operation | Desktop | RPi 5 | VisionFive 2 | Notes |
|-----------|---------|-------|-------------|-------|
| Identity keygen | 417 µs | 1.05 ms | 4.90 ms | X-Wing + Ed25519 + ML-DSA-65 |
| Hybrid sign | 988 µs | 2.85 ms | 10.6 ms | Ed25519 + ML-DSA-65 (no SIMD) |
| Hybrid verify | 254 µs | 794 µs | 3.31 ms | Ed25519 + ML-DSA-65 (no SIMD) |
| X-Wing encapsulate | 104 µs | 417 µs | 1.44 ms | X25519 + ML-KEM-768 |
| X-Wing decapsulate | 112 µs | 451 µs | 1.61 ms | X25519 + ML-KEM-768 |
| Initiate session (Alice) | 1.41 ms | 3.95 ms | 17.1 ms | Ephemeral keygen + 3 encaps + HKDF + sign |
| Receive session (Bob) | 585 µs | 1.88 ms | 7.70 ms | Verify + 3 decaps + HKDF |
**Streaming AEAD** (file/media encryption):
| Operation | Desktop | RPi 5 | VisionFive 2 | Notes |
|-----------|---------|-------|-------------|-------|
| Encrypt 1 MiB | 537 µs (1.95 GB/s) | 3.96 ms (265 MB/s) | 31.0 ms (33.8 MB/s) | XChaCha20-Poly1305, single chunk |
| Decrypt 1 MiB | 749 µs (1.40 GB/s) | 4.74 ms (221 MB/s) | 34.9 ms (30.0 MB/s) | Includes init overhead |
| Encrypt 4 MiB sequential | 2.58 ms (1.55 GB/s) | 15.8 ms (253 MB/s) | 124 ms (32.3 MB/s) | 4 chunks, sequential API |
| Encrypt 4 MiB parallel | 867 µs (4.61 GB/s) | 5.35 ms (748 MB/s) | 33.0 ms (121 MB/s) | 4 chunks via `encrypt_chunk_at`, rayon (4 cores) |
| Encrypt 8 MiB parallel | 1.29 ms (6.21 GB/s) | 10.7 ms (748 MB/s) | 67.8 ms (118 MB/s) | 8 chunks, 2 rounds on 4 cores |
**Password KDF** (key vault protection):
| Operation | Desktop | RPi 5 | VisionFive 2 | Notes |
|-----------|---------|-------|-------------|-------|
| Argon2id OWASP minimum | 10.9 ms | 42.0 ms | 256 ms | 19 MiB, 2 passes, 1 lane |
| Argon2id recommended | 65.0 ms | 227 ms | 1.35 s | 64 MiB, 3 passes, 4 lanes |
## License
[AGPL-3.0-only](LICENSE.md)

121
SECURITY.md Normal file
View file

@ -0,0 +1,121 @@
# Security Policy
## Reporting a Vulnerability
**Critical or high severity** (key leakage, authentication bypass, ratchet desync
that leaks plaintext, FFI memory corruption):
> **security@lo.sh**
Use this for anything an attacker could exploit. If you have our public key,
encrypt the report. We will acknowledge within 72 hours and aim to ship a fix
within 14 days of confirmation.
**Medium or low severity** (interoperability bugs, non-exploitable logic errors,
documentation issues):
> Open an issue at **https://git.lo.sh/lo/libsoliton**
When in doubt, use the email. We would rather triage a false alarm than miss a
real vulnerability.
## Supported Versions
| Version | Supported |
|---------|-----------|
| 0.1.x | Yes |
Only the latest release is supported. Security fixes are not backported.
## Threat Model
### In scope
- **Protocol logic** in LO-KEX, LO-Ratchet, KEM authentication, and storage
encryption. Bugs here (wrong KDF inputs, missing domain separation, ratchet
state corruption) are the primary risk.
- **Memory safety** in the Rust code and the `unsafe` FFI boundary
(`libsoliton_capi`). Unsound pointer handling, use-after-free in opaque state
objects, buffer overflows in slice construction.
- **Wrapper binding correctness** (`soliton_py`, `soliton_wasm`, `soliton_zig`).
Incorrect type marshaling, use-after-free of opaque handles, missing zeroization
at the binding layer, header serialization mismatches. The Python and WASM
bindings wrap the core Rust API via PyO3 and wasm-bindgen respectively (no
`unsafe` in the bindings themselves). The Zig wrapper consumes the C ABI
directly.
- **Key management** — failure to zeroize secrets, key material leaking into
logs or error messages, nonce reuse.
- **Cryptographic misuse** — wrong algorithm parameters, truncated hashes,
clamping errors, incorrect domain separators.
### Out of scope
- **Side-channel attacks in upstream Rust crates.** Timing, power, or EM side
channels in ML-KEM-768 (`ml-kem`), ML-DSA-65 (`ml-dsa`), X25519
(`x25519-dalek`), or Ed25519 (`ed25519-dalek`) are upstream concerns.
Report those to the relevant [RustCrypto](https://github.com/RustCrypto)
or [dalek-cryptography](https://github.com/dalek-cryptography) project.
XChaCha20-Poly1305 and Ed25519 are constant-time by construction (ARX
operations only, no table lookups).
- **WASM linear memory.** Secret key material in WASM cannot be reliably
zeroized — the linear memory is GC-managed by the JS engine and may be
copied, paged, or retained after `free()`. This is inherent to the WASM
execution model, not a library bug.
- **Python GC.** `bytes` objects returned by the Python binding are
GC-managed. The Rust side zeroizes its copy, but the Python object persists
until collected. Context managers (`with`) minimize the window.
- **Compression oracle (CRIME/BREACH-style).** When streaming AEAD compression
is enabled and an attacker controls partial plaintext, ciphertext length may
leak information about co-resident secret content. File transfer (the primary
use case) does not have attacker-controlled plaintext injection, so this is
not exploitable in the intended deployment. Applications mixing
attacker-controlled and secret data in a single compressed stream should
disable compression.
- **Hardware faults** — rowhammer, fault injection, glitching.
- **Denial of service** — resource exhaustion from large inputs is a bug, but
not a security vulnerability in a library context.
### Known limitations
- **PQ crates are pre-1.0.** ML-KEM and ML-DSA are NIST FIPS 203/204 final,
but the RustCrypto implementations (`ml-kem`, `ml-dsa`) have not undergone
the same decades of scrutiny as, say, OpenSSL's AES. This is inherent to
post-quantum cryptography in 2026.
- **X-Wing is a draft.** We implement draft-connolly-cfrg-xwing-kem-09. The
combiner and encoding may change before the RFC is finalized.
- **Ed25519 (RFC 8032)** is used for classical signing via `ed25519-dalek`.
Strict verification mode rejects non-canonical signatures and small-order
public keys, preventing malleability attacks.
- **XChaCha20-Poly1305** is constant-time by construction (ARX operations
only — no table lookups or secret-dependent branches). No hardware
acceleration is required; it runs at full speed on all platforms including
RISC-V.
## Dependencies
All dependencies are pure Rust — no C libraries, no cmake, no system linker
dependencies.
| Dependency | Role |
|------------|------|
| [ml-kem](https://crates.io/crates/ml-kem) | ML-KEM-768 (inside X-Wing) |
| [ml-dsa](https://crates.io/crates/ml-dsa) | ML-DSA-65 hybrid signatures |
| [ed25519-dalek](https://crates.io/crates/ed25519-dalek) | Ed25519 signing/verification |
| [x25519-dalek](https://crates.io/crates/x25519-dalek) | X25519 (inside X-Wing) |
| [chacha20poly1305](https://crates.io/crates/chacha20poly1305) | XChaCha20-Poly1305 AEAD |
| [sha3](https://crates.io/crates/sha3) | SHA3-256 (HMAC, HKDF, fingerprints, X-Wing combiner) |
| [hmac](https://crates.io/crates/hmac) | HMAC-SHA3-256 |
| [hkdf](https://crates.io/crates/hkdf) | HKDF-SHA3-256 key derivation |
| [argon2](https://crates.io/crates/argon2) | Argon2id password hashing |
| [ruzstd](https://crates.io/crates/ruzstd) | Zstd decompression (storage blobs, streaming AEAD chunks) |
| [zeroize](https://crates.io/crates/zeroize) | Secret wiping |
**Binding-specific dependencies** (not part of the core library):
| Dependency | Role |
|------------|------|
| [pyo3](https://crates.io/crates/pyo3) | Python FFI bridge (`soliton_py`) |
| [wasm-bindgen](https://crates.io/crates/wasm-bindgen) | WASM/JS interop (`soliton_wasm`) |
Vulnerabilities in these dependencies may affect libsoliton. We track upstream
advisories and update pins accordingly.

4870
Specification.md Normal file
View file

File diff suppressed because it is too large Load diff

87
ci_regression.sh Executable file
View file

@ -0,0 +1,87 @@
#!/usr/bin/env bash
# Corpus-only fuzz regression: runs each fuzz target against its seed corpus
# with -runs=0 (no new mutations). Validates that:
# 1. All corpus files parse without panicking
# 2. No regressions in error handling
# 3. The fuzz harness builds and links correctly
#
# Covers both core (soliton) and CAPI (soliton_capi) fuzz targets.
#
# Usage: ./ci_regression.sh
# Exit code: 0 if all pass, non-zero on first failure.
set -euo pipefail
CORE_DIR="soliton"
CAPI_DIR="soliton_capi"
CORE_TARGETS=(
fuzz_storage_decrypt_blob
fuzz_ratchet_decrypt
fuzz_ratchet_decrypt_stateful
fuzz_ratchet_encrypt
fuzz_identity_from_bytes
fuzz_ed25519_verify
fuzz_hybrid_verify
fuzz_decrypt_first_message
fuzz_kex_receive_session
fuzz_storage_encrypt_blob
fuzz_auth_respond
fuzz_kex_verify_bundle
fuzz_verification_phrase
fuzz_ratchet_roundtrip
fuzz_xwing_roundtrip
fuzz_identity_sign_verify
fuzz_session_init_roundtrip
fuzz_call_derive
fuzz_auth_verify
fuzz_ratchet_from_bytes_epoch
fuzz_kex_decode_receive
fuzz_dm_queue_roundtrip
fuzz_dm_queue_decrypt_blob
fuzz_argon2_params
fuzz_stream_decrypt
fuzz_stream_decrypt_at
fuzz_stream_encrypt_decrypt
fuzz_stream_encrypt_at
fuzz_ratchet_state_machine
)
CAPI_TARGETS=(
fuzz_capi_ratchet_from_bytes
fuzz_capi_storage_decrypt
fuzz_capi_decode_session_init
fuzz_capi_dm_queue_decrypt
fuzz_capi_stream_decrypt
fuzz_capi_stream_decrypt_at
fuzz_capi_stream_encrypt_at
)
run_regression() {
local fuzz_dir="$1"
local label="$2"
shift 2
local targets=("$@")
echo ""
echo "=== ${label} (${#targets[@]} targets) ==="
for target in "${targets[@]}"; do
corpus_dir="${fuzz_dir}/fuzz/corpus/${target}"
if [ ! -d "$corpus_dir" ] || [ -z "$(ls -A "$corpus_dir" 2>/dev/null)" ]; then
echo "WARNING: No corpus for ${target}, skipping"
continue
fi
echo "--- ${target} ---"
(cd "$fuzz_dir" && cargo +nightly fuzz run "${target}" "fuzz/corpus/${target}" -- -runs=0 -max_len=65536)
echo "PASS: ${target}"
done
}
run_regression "$CORE_DIR" "Core" "${CORE_TARGETS[@]}"
run_regression "$CAPI_DIR" "CAPI" "${CAPI_TARGETS[@]}"
TOTAL=$(( ${#CORE_TARGETS[@]} + ${#CAPI_TARGETS[@]} ))
echo ""
echo "All ${TOTAL} corpus regressions passed."

108
fuzz_overnight.sh Executable file
View file

@ -0,0 +1,108 @@
#!/usr/bin/env bash
# Overnight fuzz run: all soliton targets in parallel.
# Covers both core (soliton) and CAPI (soliton_capi) fuzz targets.
#
# Usage: ./fuzz_overnight.sh [hours] [workers]
# hours — how long to fuzz (default: 8)
# workers — libFuzzer workers per target (default: 1)
# 1 worker → 32 total threads (one per target)
# 2 workers → 64 total threads (two per target)
set -euo pipefail
if ! command -v parallel &>/dev/null; then
echo "ERROR: GNU parallel is required." >&2
exit 1
fi
HOURS="${1:-8}"
WORKERS="${2:-1}"
SECONDS_TOTAL=$((HOURS * 1))
CORE_DIR="soliton"
CAPI_DIR="soliton_capi"
LOG_BASE="fuzz_logs"
CORE_TARGETS=(
fuzz_ed25519_verify
fuzz_hybrid_verify
# fuzz_xwing_roundtrip # Excluded: 7 corpus entries after 90.5B execs, fully saturated (keygen→encap→decap, no adversarial input)
fuzz_ratchet_decrypt
fuzz_ratchet_decrypt_stateful
fuzz_ratchet_encrypt
fuzz_kex_receive_session
fuzz_kex_verify_bundle
fuzz_identity_sign_verify
# fuzz_auth_respond # Excluded: 4 corpus entries after 68B execs, fully saturated (single decap→HMAC)
fuzz_storage_decrypt_blob
# fuzz_identity_from_bytes # Excluded: 107 edges, 3 length checks only, saturates instantly
fuzz_decrypt_first_message
fuzz_storage_encrypt_blob
# fuzz_verification_phrase # Excluded: 88 edges, 29 corpus entries, trivial surface (SHA3→wordlist index)
fuzz_ratchet_roundtrip
fuzz_session_init_roundtrip
fuzz_call_derive
# fuzz_auth_verify # Excluded: 88 edges, saturated after ~15 corpus entries (single ct_eq call)
fuzz_ratchet_from_bytes_epoch
fuzz_kex_decode_receive
fuzz_dm_queue_roundtrip
fuzz_dm_queue_decrypt_blob
fuzz_argon2_params
fuzz_stream_decrypt
fuzz_stream_decrypt_at
fuzz_stream_encrypt_decrypt
fuzz_stream_encrypt_at
fuzz_ratchet_state_machine
)
CAPI_TARGETS=(
fuzz_capi_ratchet_from_bytes
fuzz_capi_storage_decrypt
fuzz_capi_decode_session_init
fuzz_capi_dm_queue_decrypt
fuzz_capi_stream_decrypt
fuzz_capi_stream_decrypt_at
fuzz_capi_stream_encrypt_at
)
ALL_TARGETS=("${CORE_TARGETS[@]}" "${CAPI_TARGETS[@]}")
# Create timestamped log directory + "latest" symlink for fuzz_stats.sh.
# Must be absolute — parallel commands cd into different dirs before tee.
LOG_DIR="$(pwd)/${LOG_BASE}/$(date +%Y-%m-%d_%H%M%S)"
mkdir -p "${LOG_DIR}"
ln -sfn "$(basename "${LOG_DIR}")" "${LOG_BASE}/latest"
THREADS=$(( ${#ALL_TARGETS[@]} * WORKERS ))
echo "Fuzzing for ${HOURS}h (${SECONDS_TOTAL}s), ${WORKERS} worker(s) per target"
echo " Core targets (${#CORE_TARGETS[@]}): ${CORE_TARGETS[*]}"
echo " CAPI targets (${#CAPI_TARGETS[@]}): ${CAPI_TARGETS[*]}"
echo " Total CPU threads: ${THREADS}"
echo " Logs: ${LOG_DIR}/"
echo "---"
# Ensure seed corpus exists for both core and CAPI targets.
# gen_corpus writes to both soliton/fuzz/corpus/ and soliton_capi/fuzz/corpus/.
# Cheap and idempotent — safe to re-run.
echo "Generating seed corpus (core + CAPI)..."
(cd "${CORE_DIR}/fuzz" && cargo +nightly run --bin gen_corpus --quiet)
echo "---"
# Build a list of "fuzz_dir target" pairs for GNU parallel.
# -max_len=65536: required for targets with large minimum input (hybrid_verify needs 6541 bytes;
# libFuzzer's default max_len is 4096, which would make those targets produce zero progress).
# -print_final_stats=1: emit machine-parseable stats at end (for fuzz_stats.sh).
# Output is tee'd to per-target log files and also shown live via parallel --lb.
PAIRS=()
for t in "${CORE_TARGETS[@]}"; do
PAIRS+=("${CORE_DIR} ${t}")
done
for t in "${CAPI_TARGETS[@]}"; do
PAIRS+=("${CAPI_DIR} ${t}")
done
printf '%s\n' "${PAIRS[@]}" | parallel --lb --colsep ' ' --tagstring '{= s/.*fuzz_// =}' \
"cd {1} && cargo +nightly fuzz run {2} -- -max_total_time=${SECONDS_TOTAL} -jobs=${WORKERS} -workers=${WORKERS} -max_len=65536 -print_final_stats=1 2>&1 | tee ${LOG_DIR}/{2}.log"
echo "---"
echo "Done. Logs saved to: ${LOG_DIR}/"
echo "Run ./fuzz_stats.sh for summary."

342
fuzz_stats.sh Executable file
View file

@ -0,0 +1,342 @@
#!/usr/bin/env bash
# Post-run fuzzing statistics for soliton.
#
# Shows per-target and overall stats: corpus size, coverage, crashes, etc.
# If logs from fuzz_overnight.sh are available, also shows execution counts
# and throughput from the run.
# Covers both core (soliton) and CAPI (soliton_capi) fuzz targets.
#
# Usage: ./fuzz_stats.sh [--quick] [--logs <dir>]
# --quick Skip coverage measurement (no build/run, filesystem stats only)
# --logs <dir> Path to log directory (default: latest from fuzz_overnight.sh)
set -euo pipefail
QUICK=false
LOG_DIR=""
while [[ $# -gt 0 ]]; do
case "$1" in
--quick) QUICK=true; shift ;;
--logs) LOG_DIR="$2"; shift 2 ;;
*) echo "Unknown option: $1"; exit 1 ;;
esac
done
CORE_DIR="soliton"
CAPI_DIR="soliton_capi"
CORE_FUZZ="${CORE_DIR}/fuzz"
CAPI_FUZZ="${CAPI_DIR}/fuzz"
# Auto-find latest log directory if not specified.
if [ -z "$LOG_DIR" ] && [ -L "fuzz_logs/latest" ]; then
LOG_DIR="$(cd "fuzz_logs/latest" && pwd)"
fi
CORE_TARGETS=(
fuzz_ed25519_verify
fuzz_hybrid_verify
# fuzz_xwing_roundtrip # Excluded: 7 corpus entries after 90.5B execs, fully saturated (keygen→encap→decap, no adversarial input)
fuzz_ratchet_decrypt
fuzz_ratchet_decrypt_stateful
fuzz_ratchet_encrypt
fuzz_kex_receive_session
fuzz_kex_verify_bundle
fuzz_identity_sign_verify
# fuzz_auth_respond # Excluded: 4 corpus entries after 68B execs, fully saturated (single decap→HMAC)
fuzz_storage_decrypt_blob
# fuzz_identity_from_bytes # Excluded: 107 edges, 3 length checks only, saturates instantly
fuzz_decrypt_first_message
fuzz_storage_encrypt_blob
# fuzz_verification_phrase # Excluded: 88 edges, 29 corpus entries, trivial surface (SHA3→wordlist index)
fuzz_ratchet_roundtrip
fuzz_session_init_roundtrip
fuzz_call_derive
# fuzz_auth_verify # Excluded: 88 edges, saturated after ~15 corpus entries (single ct_eq call)
fuzz_ratchet_from_bytes_epoch
fuzz_kex_decode_receive
fuzz_dm_queue_roundtrip
fuzz_dm_queue_decrypt_blob
fuzz_argon2_params
fuzz_stream_decrypt
fuzz_stream_decrypt_at
fuzz_stream_encrypt_decrypt
fuzz_stream_encrypt_at
fuzz_ratchet_state_machine
)
CAPI_TARGETS=(
fuzz_capi_ratchet_from_bytes
fuzz_capi_storage_decrypt
fuzz_capi_decode_session_init
fuzz_capi_dm_queue_decrypt
fuzz_capi_stream_decrypt
fuzz_capi_stream_decrypt_at
fuzz_capi_stream_encrypt_at
)
HAS_LOGS=false
if [ -n "$LOG_DIR" ] && [ -d "$LOG_DIR" ]; then
HAS_LOGS=true
fi
human_size() {
local bytes=$1
if (( bytes >= 1048576 )); then
echo "$((bytes / 1048576))MB"
elif (( bytes >= 1024 )); then
echo "$((bytes / 1024))KB"
else
echo "${bytes}B"
fi
}
human_count() {
local n=$1
if (( n >= 1000000000 )); then
echo "$(awk "BEGIN {printf \"%.1fB\", $n / 1000000000}")"
elif (( n >= 1000000 )); then
echo "$(awk "BEGIN {printf \"%.1fM\", $n / 1000000}")"
elif (( n >= 1000 )); then
echo "$(awk "BEGIN {printf \"%.1fK\", $n / 1000}")"
else
echo "$n"
fi
}
# Parse a log file for libFuzzer stats.
# With -jobs=N there may be multiple stat blocks — sum executions, avg exec/s, max rss.
parse_log() {
local log_file="$1"
local stat="$2"
[ -f "$log_file" ] || { echo "0"; return; }
grep "stat::${stat}:" "$log_file" 2>/dev/null | awk -F: '{s += $NF} END {print s+0}'
}
parse_log_max() {
local log_file="$1"
local stat="$2"
[ -f "$log_file" ] || { echo "0"; return; }
grep "stat::${stat}:" "$log_file" 2>/dev/null | awk -F: '{v=$NF+0; if(v>m)m=v} END {print m+0}'
}
print_header() {
if $QUICK; then
if $HAS_LOGS; then
printf "%-32s %7s %9s %10s %9s %6s %7s %5s %4s\n" \
"Target" "Corpus" "Size" "Execs" "Exec/s" "RSS" "Crashes" "T/O" "OOM"
printf "%-32s %7s %9s %10s %9s %6s %7s %5s %4s\n" \
"---" "---" "---" "---" "---" "---" "---" "---" "---"
else
printf "%-32s %7s %9s %7s %5s %4s\n" \
"Target" "Corpus" "Size" "Crashes" "T/O" "OOM"
printf "%-32s %7s %9s %7s %5s %4s\n" \
"---" "---" "---" "---" "---" "---"
fi
else
if $HAS_LOGS; then
printf "%-32s %7s %9s %5s %8s %10s %9s %6s %7s %5s %4s\n" \
"Target" "Corpus" "Size" "Cov" "Features" "Execs" "Exec/s" "RSS" "Crashes" "T/O" "OOM"
printf "%-32s %7s %9s %5s %8s %10s %9s %6s %7s %5s %4s\n" \
"---" "---" "---" "---" "---" "---" "---" "---" "---" "---" "---"
else
printf "%-32s %7s %9s %5s %8s %7s %5s %4s\n" \
"Target" "Corpus" "Size" "Cov" "Features" "Crashes" "T/O" "OOM"
printf "%-32s %7s %9s %5s %8s %7s %5s %4s\n" \
"---" "---" "---" "---" "---" "---" "---" "---"
fi
fi
}
total_corpus=0
total_size=0
total_crashes=0
total_timeouts=0
total_ooms=0
total_execs=0
# Process one target group. Arguments: fuzz_dir fuzz_root target...
process_targets() {
local fuzz_dir="$1"
local fuzz_root="$2"
shift 2
local targets=("$@")
for target in "${targets[@]}"; do
corpus_dir="${fuzz_root}/corpus/${target}"
artifact_dir="${fuzz_root}/artifacts/${target}"
# Corpus: file count + total bytes.
if [ -d "$corpus_dir" ]; then
corpus_count=$(find "$corpus_dir" -maxdepth 1 -type f | wc -l)
corpus_bytes=$(find "$corpus_dir" -maxdepth 1 -type f -printf '%s\n' 2>/dev/null | awk '{s+=$1}END{print s+0}')
else
corpus_count=0
corpus_bytes=0
fi
# Artifacts: crashes, timeouts, OOM (libFuzzer names them crash-*, timeout-*, oom-*).
if [ -d "$artifact_dir" ]; then
crashes=$(find "$artifact_dir" -maxdepth 1 -name 'crash-*' -type f | wc -l)
timeouts=$(find "$artifact_dir" -maxdepth 1 -name 'timeout-*' -type f | wc -l)
ooms=$(find "$artifact_dir" -maxdepth 1 -name 'oom-*' -type f | wc -l)
else
crashes=0
timeouts=0
ooms=0
fi
# Log stats (from overnight run).
execs_fmt="-"
execps_fmt="-"
rss_fmt="-"
execs_raw=0
if $HAS_LOGS; then
log_file="${LOG_DIR}/${target}.log"
if [ -f "$log_file" ]; then
execs_raw=$(parse_log "$log_file" "number_of_executed_units")
execps_raw=$(parse_log "$log_file" "average_exec_per_sec")
rss_raw=$(parse_log_max "$log_file" "peak_rss_mb")
execs_fmt=$(human_count "$execs_raw")
if (( execps_raw > 0 )); then
execps_fmt=$(human_count "$execps_raw")
else
execps_fmt="-"
fi
if (( rss_raw > 0 )); then
rss_fmt="${rss_raw}MB"
fi
fi
fi
# Coverage: replay corpus with -runs=0.
cov="-"
ft="-"
if ! $QUICK && [ "$corpus_count" -gt 0 ]; then
output=$(cd "$fuzz_dir" && cargo +nightly fuzz run "$target" \
"fuzz/corpus/${target}" -- -runs=0 -print_final_stats=1 -max_len=65536 2>&1 || true)
cov=$(echo "$output" | grep -oP 'cov: \K[0-9]+' | tail -1) || cov="-"
ft=$(echo "$output" | grep -oP 'ft: \K[0-9]+' | tail -1) || ft="-"
fi
size_fmt=$(human_size "$corpus_bytes")
if $QUICK; then
if $HAS_LOGS; then
printf "%-32s %7d %9s %10s %9s %6s %7d %5d %4d\n" \
"$target" "$corpus_count" "$size_fmt" "$execs_fmt" "$execps_fmt" "$rss_fmt" "$crashes" "$timeouts" "$ooms"
else
printf "%-32s %7d %9s %7d %5d %4d\n" \
"$target" "$corpus_count" "$size_fmt" "$crashes" "$timeouts" "$ooms"
fi
else
if $HAS_LOGS; then
printf "%-32s %7d %9s %5s %8s %10s %9s %6s %7d %5d %4d\n" \
"$target" "$corpus_count" "$size_fmt" "${cov:--}" "${ft:--}" "$execs_fmt" "$execps_fmt" "$rss_fmt" "$crashes" "$timeouts" "$ooms"
else
printf "%-32s %7d %9s %5s %8s %7d %5d %4d\n" \
"$target" "$corpus_count" "$size_fmt" "${cov:--}" "${ft:--}" "$crashes" "$timeouts" "$ooms"
fi
fi
total_corpus=$((total_corpus + corpus_count))
total_size=$((total_size + corpus_bytes))
total_crashes=$((total_crashes + crashes))
total_timeouts=$((total_timeouts + timeouts))
total_ooms=$((total_ooms + ooms))
total_execs=$((total_execs + execs_raw))
done
}
# Header
echo "soliton fuzzing statistics"
echo "============================"
if $HAS_LOGS; then
echo " Logs: ${LOG_DIR}"
fi
echo ""
print_header
echo ""
echo "Core (${#CORE_TARGETS[@]} targets)"
process_targets "$CORE_DIR" "$CORE_FUZZ" "${CORE_TARGETS[@]}"
echo ""
echo "CAPI (${#CAPI_TARGETS[@]} targets)"
process_targets "$CAPI_DIR" "$CAPI_FUZZ" "${CAPI_TARGETS[@]}"
# Totals
total_size_fmt=$(human_size "$total_size")
total_execs_fmt=$(human_count "$total_execs")
TOTAL_TARGETS=$(( ${#CORE_TARGETS[@]} + ${#CAPI_TARGETS[@]} ))
echo ""
if $QUICK; then
if $HAS_LOGS; then
printf "%-32s %7s %9s %10s %9s %6s %7s %5s %4s\n" \
"---" "---" "---" "---" "---" "---" "---" "---" "---"
printf "%-32s %7d %9s %10s %9s %6s %7d %5d %4d\n" \
"TOTAL (${TOTAL_TARGETS})" "$total_corpus" "$total_size_fmt" "$total_execs_fmt" "" "" "$total_crashes" "$total_timeouts" "$total_ooms"
else
printf "%-32s %7s %9s %7s %5s %4s\n" \
"---" "---" "---" "---" "---" "---"
printf "%-32s %7d %9s %7d %5d %4d\n" \
"TOTAL (${TOTAL_TARGETS})" "$total_corpus" "$total_size_fmt" "$total_crashes" "$total_timeouts" "$total_ooms"
fi
else
if $HAS_LOGS; then
printf "%-32s %7s %9s %5s %8s %10s %9s %6s %7s %5s %4s\n" \
"---" "---" "---" "---" "---" "---" "---" "---" "---" "---" "---"
printf "%-32s %7d %9s %5s %8s %10s %9s %6s %7d %5d %4d\n" \
"TOTAL (${TOTAL_TARGETS})" "$total_corpus" "$total_size_fmt" "" "" "$total_execs_fmt" "" "" "$total_crashes" "$total_timeouts" "$total_ooms"
else
printf "%-32s %7s %9s %5s %8s %7s %5s %4s\n" \
"---" "---" "---" "---" "---" "---" "---" "---"
printf "%-32s %7d %9s %5s %8s %7d %5d %4d\n" \
"TOTAL (${TOTAL_TARGETS})" "$total_corpus" "$total_size_fmt" "" "" "$total_crashes" "$total_timeouts" "$total_ooms"
fi
fi
echo ""
# Glossary
echo "Glossary"
echo "--------"
echo " Corpus Accumulated inputs that each trigger unique code paths."
echo " Grows over time as the fuzzer discovers new coverage."
echo " Cov Edge coverage — number of unique code branches reached."
echo " Features Fine-grained coverage (edges + hit counts + value profiles)."
echo " Higher = more behavioral diversity explored."
echo " Execs Total inputs tested during the run (from logs)."
echo " Exec/s Throughput — inputs tested per second."
echo " RSS Peak memory usage of the fuzzer process."
echo " Crashes Inputs that caused a panic, abort, or segfault."
echo " T/O Inputs that exceeded the per-input time limit."
echo " OOM Inputs that exceeded the memory limit."
# Crash details
if (( total_crashes + total_timeouts + total_ooms > 0 )); then
echo ""
echo "Artifact details"
echo "----------------"
for fuzz_root in "$CORE_FUZZ" "$CAPI_FUZZ"; do
if [ "$fuzz_root" = "$CORE_FUZZ" ]; then
targets=("${CORE_TARGETS[@]}")
else
targets=("${CAPI_TARGETS[@]}")
fi
for target in "${targets[@]}"; do
artifact_dir="${fuzz_root}/artifacts/${target}"
[ -d "$artifact_dir" ] || continue
files=$(find "$artifact_dir" -maxdepth 1 -type f 2>/dev/null)
[ -z "$files" ] && continue
echo ""
echo " ${target}:"
echo "$files" | while read -r f; do
echo " $(basename "$f") ($(wc -c < "$f") bytes)"
done
done
done
echo ""
echo "Triage: cargo +nightly fuzz tmin <target> <artifact-file>"
fi

4
rust-toolchain.toml Normal file
View file

@ -0,0 +1,4 @@
[toolchain]
channel = "stable"
components = ["rustfmt", "clippy"]
targets = ["wasm32-unknown-unknown"]

119
soliton/Cargo.toml Normal file
View file

@ -0,0 +1,119 @@
[package]
name = "libsoliton"
version.workspace = true
edition.workspace = true
rust-version.workspace = true
license.workspace = true
repository.workspace = true
homepage.workspace = true
authors.workspace = true
description = "Core cryptographic library for the LO protocol — hybrid post-quantum key exchange, signatures, ratchet, and storage encryption"
categories = ["cryptography"]
keywords = ["post-quantum", "x-wing", "ed25519", "double-ratchet", "ml-kem"]
[lib]
name = "soliton"
# All dependencies are exact-pinned (=x.y.z) for supply-chain attack prevention
# and reproducible builds. Cargo.lock alone is insufficient — it can be
# regenerated, losing the pin. Exact versions here are the source of truth.
#
# RC dependencies: sha3, hmac, hkdf (0.11/0.13-rc), kem (0.3.0-pre),
# ml-dsa (0.1.0-rc). These are the RustCrypto PQ ecosystem — stable releases
# are pending upstream FIPS 203/204 finalization. Exact pins prevent silent
# updates; track https://github.com/RustCrypto for stable releases.
#
# sha3 0.10.x has no `zeroize` feature — the feature was added in 0.11.x rc.
# Since HMAC and HKDF use Sha3_256 as a keyed state (containing key material),
# we must use sha3 0.11.x rc to get ZeroizeOnDrop on the hash state.
#
# Transitive dep pins (not imported directly):
#
# keccak 0.2.0 (2026-03-16) removed the `p1600` function in favor of a new
# `Keccak` struct API. sha3 0.11.0-rc.7 still calls `keccak::p1600` and
# fails to compile against keccak 0.2.0. Pin to the last version with the
# old API. Remove once sha3 publishes an rc compatible with keccak 0.2.0.
#
# digest 0.11.2 (2026-03-13) and crypto-common 0.2.1 (2026-02-25) removed
# `BlockSizes` (re-exported as `digest::common::BlockSizes`); digest 0.11.2
# also changed `Clone` handling in `(Reset)MacTraits`. sha3 0.11.0-rc.7
# imports `BlockSizes`; hmac/hkdf 0.13.0-rc.5 require `Hmac<H>: Clone`.
# Pin to the snapshot versions published on the same day as sha3/hmac/hkdf rc.
# Remove once sha3/hmac/hkdf publish versions compatible with the new APIs.
[dependencies]
zeroize = { workspace = true }
thiserror = { workspace = true }
ruzstd = "=0.8.2"
sha3 = { version = "=0.11.0-rc.7", features = ["zeroize"] }
hmac = { version = "=0.13.0-rc.5", features = ["zeroize"] }
hkdf = "=0.13.0-rc.5"
keccak = "=0.2.0-rc.2"
digest = "=0.11.0-rc.11"
crypto-common = "=0.2.0-rc.15"
chacha20poly1305 = { workspace = true }
# chacha20poly1305 propagates chacha20/zeroize but NOT poly1305/zeroize.
# This explicit dependency activates zeroization of the Poly1305 r,s key
# pair and accumulator state after each AEAD operation.
poly1305 = { workspace = true }
argon2 = { version = "=0.5.3", features = ["zeroize"] }
# No explicit backend selected: auto-detection picks fiat_u64_backend (formally
# verified constant-time field arithmetic) on 64-bit stable, fiat_u32_backend on
# 32-bit, simd on nightly x86_64 with AVX2. All backends are constant-time.
curve25519-dalek = { version = "=4.1.3", features = ["zeroize"] }
subtle = { workspace = true }
# Three getrandom versions in the dep tree: 0.2 (multiple transitive), 0.3 (direct),
# 0.4 (tempfile transitive). All use the same OS syscall; the duplication is
# unavoidable until upstream crates align on a single version.
getrandom = "=0.3.4"
# Pinned to 2.2.0: 2.2.1 pulls newer digest transitive deps that break zeroize
# feature propagation through ml-kem/ml-dsa. Do not bump without verifying the
# full zeroize feature chain across the dependency tree.
ed25519-dalek = { version = "=2.2.0", default-features = false, features = ["zeroize", "std"] }
# ml-kem/ml-dsa depend on rc digest/sha3/signature stacks (0.11.x/0.11.x/3.x)
# while ed25519-dalek/chacha20poly1305 use stable stacks (0.10.x/0.10.x/2.x).
# This causes ~15 duplicate crate pairs (digest, sha2, sha3, block-buffer,
# crypto-common, hybrid-array, signature, etc). Unavoidable until ml-kem/ml-dsa
# publish against the stable digest stack. Does not affect correctness — the two
# stacks are isolated at the type level and never share state.
ml-kem = { version = "=0.2.3", features = ["zeroize", "deterministic"] }
kem = "=0.3.0-pre.0"
ml-dsa = { version = "=0.1.0-rc.7", features = ["zeroize"] }
# rand_core is pulled transitively by ml-kem (0.6) and ml-dsa (0.10).
# Deterministic/seed-based APIs + getrandom are used to avoid RNG trait issues.
[target.'cfg(all(target_arch = "wasm32", target_os = "unknown"))'.dependencies]
getrandom = { version = "=0.3.4", features = ["wasm_js"] }
# ml-kem → rand_core 0.6 → getrandom 0.2.17. On wasm32-unknown-unknown,
# getrandom 0.2 without the `js` feature produces a compile_error!. This
# dependency exists solely to activate the feature — soliton never imports
# getrandom_02 directly. Cargo unifies features by package name (not alias).
getrandom_02 = { package = "getrandom", version = "=0.2.17", features = ["js"] }
[features]
# Enables internal accessors for white-box integration testing only.
# Not part of the public API — never enable in production.
test-utils = []
[dev-dependencies]
# Self-reference with test-utils so integration tests can call test-only accessors
# (e.g. RatchetState::root_key_bytes). Has no effect on normal library builds.
libsoliton = { path = ".", features = ["test-utils"] }
hex-literal = "=1.1.0"
hex = "=0.4.3"
proptest = "=1.10.0"
# Used exclusively in the parallel streaming benchmark (stream_encrypt_*mib_parallel).
# Provides a pre-warmed thread pool so b.iter() measures encryption throughput,
# not thread spawn cost. Dev-only — never compiled into the library.
rayon = "=1.11.0"
# ml-dsa is a direct dependency, re-declared here so integration tests can call
# sign_internal directly to produce deterministic F.27 test vectors (pinned rnd).
ml-dsa = { version = "=0.1.0-rc.7", features = ["zeroize"] }
[[bench]]
name = "bench"
harness = true
[build-dependencies]
# sha2 0.10 (stable) for build-time wordlist hash verification only.
# Build scripts run on the host and don't link into the final binary.
sha2 = "=0.10.9"

661
soliton/LICENSE.md Normal file
View file

@ -0,0 +1,661 @@
GNU AFFERO GENERAL PUBLIC LICENSE
Version 3, 19 November 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU Affero General Public License is a free, copyleft license for
software and other kinds of works, specifically designed to ensure
cooperation with the community in the case of network server software.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
our General Public Licenses are intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
Developers that use our General Public Licenses protect your rights
with two steps: (1) assert copyright on the software, and (2) offer
you this License which gives you legal permission to copy, distribute
and/or modify the software.
A secondary benefit of defending all users' freedom is that
improvements made in alternate versions of the program, if they
receive widespread use, become available for other developers to
incorporate. Many developers of free software are heartened and
encouraged by the resulting cooperation. However, in the case of
software used on network servers, this result may fail to come about.
The GNU General Public License permits making a modified version and
letting the public access it on a server without ever releasing its
source code to the public.
The GNU Affero General Public License is designed specifically to
ensure that, in such cases, the modified source code becomes available
to the community. It requires the operator of a network server to
provide the source code of the modified version running there to the
users of that server. Therefore, public use of a modified version, on
a publicly accessible server, gives the public access to the source
code of the modified version.
An older license, called the Affero General Public License and
published by Affero, was designed to accomplish similar goals. This is
a different license, not a version of the Affero GPL, but Affero has
released a new version of the Affero GPL which permits relicensing under
this license.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU Affero General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Remote Network Interaction; Use with the GNU General Public License.
Notwithstanding any other provision of this License, if you modify the
Program, your modified version must prominently offer all users
interacting with it remotely through a computer network (if your version
supports such interaction) an opportunity to receive the Corresponding
Source of your version by providing access to the Corresponding Source
from a network server at no charge, through some standard or customary
means of facilitating copying of software. This Corresponding Source
shall include the Corresponding Source for any work covered by version 3
of the GNU General Public License that is incorporated pursuant to the
following paragraph.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the work with which it is combined will remain governed by version
3 of the GNU General Public License.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU Affero General Public License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU Affero General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU Affero General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU Affero General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If your software can interact with users remotely through a computer
network, you should also make sure that it provides a way for users to
get its source. For example, if your program is a web application, its
interface could display a "Source" link that leads users to an archive
of the code. There are many ways you could offer source, and different
solutions will be better for different programs; see section 13 for the
specific requirements.
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU AGPL, see
<https://www.gnu.org/licenses/>.

39
soliton/README.md Normal file
View file

@ -0,0 +1,39 @@
# libsoliton
Pure-Rust post-quantum cryptographic library. Provides composite identity keys (X-Wing + ML-DSA-65), hybrid signatures, KEM-based authentication, asynchronous key exchange, double-ratchet message encryption, streaming AEAD, and encrypted storage — all without a C toolchain.
## Features
- **Hybrid post-quantum**: X-Wing (X25519 + ML-KEM-768) for KEM, Ed25519 + ML-DSA-65 for signatures
- **Double ratchet**: KEM-based ratchet with per-epoch forward secrecy and post-compromise security
- **Streaming AEAD**: Chunked XChaCha20-Poly1305 with random-access decrypt
- **Encrypted storage**: Versioned key rings, community blobs, DM queue blobs
- **Zero-knowledge auth**: KEM challenge-response proof of identity key possession
- **Pure Rust**: No C dependencies, no system linker requirements, cross-compiles to WASM
## Usage
```rust
use soliton::identity::generate_identity;
use soliton::primitives::sha3_256;
// Generate a post-quantum identity keypair
let id = generate_identity().unwrap();
let fingerprint = sha3_256::hash(id.public_key.as_bytes());
// Sign and verify
let sig = soliton::identity::hybrid_sign(&id.secret_key, b"hello").unwrap();
soliton::identity::hybrid_verify(&id.public_key, b"hello", &sig).unwrap();
```
See [CHEATSHEET.md](https://git.lo.sh/lo/libsoliton/src/branch/main/CHEATSHEET.md) for the full API reference.
## Documentation
- [Specification.md](https://git.lo.sh/lo/libsoliton/src/branch/main/Specification.md) — full cryptographic specification
- [Abstract.md](https://git.lo.sh/lo/libsoliton/src/branch/main/Abstract.md) — security analysis specification
- [CHEATSHEET.md](https://git.lo.sh/lo/libsoliton/src/branch/main/CHEATSHEET.md) — API quick reference
## License
[AGPL-3.0-only](https://git.lo.sh/lo/libsoliton/src/branch/main/LICENSE.md)

704
soliton/benches/bench.rs Normal file
View file

@ -0,0 +1,704 @@
#![feature(test)]
extern crate test;
use rayon::prelude::*;
use soliton::{
constants,
identity::{
GeneratedIdentity, IdentityPublicKey, generate_identity, hybrid_sign, hybrid_verify,
},
kex::{
PreKeyBundle, build_first_message_aad, initiate_session, receive_session, sign_prekey,
verify_bundle,
},
primitives::{
argon2::{Argon2Params, argon2id},
hkdf::hkdf_sha3_256,
random::random_array,
xwing,
},
ratchet::{RatchetHeader, RatchetState},
streaming::{stream_decrypt_init, stream_encrypt_init},
};
use test::{Bencher, black_box};
// ── Setup helpers ──────────────────────────────────────────────────────────────
/// Build a full LO-KEX and return initialized Alice + Bob ratchet states plus fingerprints.
///
/// Alice is initialized with `init_alice` (she holds `ek_pk` + `ek_sk`).
/// Bob is initialized with `init_bob` (he holds Alice's `peer_ek` as his receive ratchet key).
///
/// Used to pre-allocate ratchet state outside `b.iter()` closures.
fn setup_ratchet() -> (RatchetState, RatchetState, [u8; 32], [u8; 32]) {
let GeneratedIdentity {
public_key: alice_pk,
secret_key: alice_sk,
..
} = generate_identity().unwrap();
let GeneratedIdentity {
public_key: bob_pk,
secret_key: bob_sk,
..
} = generate_identity().unwrap();
let (spk_pk, spk_sk) = xwing::keygen().unwrap();
let spk_sig = sign_prekey(&bob_sk, &spk_pk).unwrap();
let bundle = PreKeyBundle {
ik_pub: IdentityPublicKey::from_bytes(bob_pk.as_bytes().to_vec()).unwrap(),
crypto_version: constants::CRYPTO_VERSION.to_string(),
spk_pub: spk_pk,
spk_id: 1,
spk_sig,
opk_pub: None,
opk_id: None,
};
let fp_a = alice_pk.fingerprint_raw();
let fp_b = bob_pk.fingerprint_raw();
let verified = verify_bundle(bundle, &bob_pk).unwrap();
let mut initiated = initiate_session(&alice_pk, &alice_sk, &verified).unwrap();
let aad = build_first_message_aad(&fp_a, &fp_b, &initiated.session_init).unwrap();
let (first_ct, alice_ck) =
RatchetState::encrypt_first_message(initiated.take_initial_chain_key(), b"hello", &aad)
.unwrap();
let mut received = receive_session(
&bob_pk,
&bob_sk,
&alice_pk,
&initiated.session_init,
&initiated.sender_sig,
&spk_sk,
None,
)
.unwrap();
let (_, bob_ck) =
RatchetState::decrypt_first_message(received.take_initial_chain_key(), &first_ct, &aad)
.unwrap();
// Clone the EK bytes before init_alice consumes ek_pk.
let ek_pk_bytes = initiated.ek_pk.as_bytes().to_vec();
let ek_sk_bytes = initiated.ek_sk().as_bytes().to_vec();
let peer_ek = xwing::PublicKey::from_bytes(ek_pk_bytes.clone()).unwrap();
let ek_pk = xwing::PublicKey::from_bytes(ek_pk_bytes).unwrap();
let ek_sk = xwing::SecretKey::from_bytes(ek_sk_bytes).unwrap();
let alice = RatchetState::init_alice(
*initiated.take_root_key(),
*alice_ck,
fp_a,
fp_b,
ek_pk,
ek_sk,
)
.unwrap();
let bob =
RatchetState::init_bob(*received.take_root_key(), *bob_ck, fp_b, fp_a, peer_ek).unwrap();
(alice, bob, fp_a, fp_b)
}
// ── Identity ────────────────────────────────────────────────────────────────
/// ML-DSA-65 + X-Wing + Ed25519 keygen: the most expensive single call ("first launch cost").
#[bench]
fn identity_keygen(b: &mut Bencher) {
b.iter(|| {
let id = generate_identity().unwrap();
black_box(id);
});
}
/// Hybrid sign (Ed25519 + ML-DSA-65): Alice's signing step in session initiation.
#[bench]
fn hybrid_sign_bench(b: &mut Bencher) {
let GeneratedIdentity { secret_key: sk, .. } = generate_identity().unwrap();
let msg = [0u8; 64];
b.iter(|| {
let sig = hybrid_sign(&sk, &msg).unwrap();
black_box(sig);
});
}
/// Hybrid verify (Ed25519 + ML-DSA-65): Bob's first operation — sets the floor for receive_session.
#[bench]
fn hybrid_verify_bench(b: &mut Bencher) {
let GeneratedIdentity {
public_key: pk,
secret_key: sk,
..
} = generate_identity().unwrap();
let msg = [0u8; 64];
let sig = hybrid_sign(&sk, &msg).unwrap();
b.iter(|| {
hybrid_verify(&pk, &msg, &sig).unwrap();
black_box(());
});
}
// ── X-Wing ──────────────────────────────────────────────────────────────────
/// X-Wing encapsulation: isolates ML-KEM-768 + X25519 encapsulation cost.
#[bench]
fn xwing_encap(b: &mut Bencher) {
let (pk, _sk) = xwing::keygen().unwrap();
b.iter(|| {
let (ct, ss) = xwing::encapsulate(&pk).unwrap();
black_box((ct, ss));
});
}
/// X-Wing decapsulation: isolates ML-KEM-768 + X25519 decapsulation cost.
#[bench]
fn xwing_decap(b: &mut Bencher) {
let (pk, sk) = xwing::keygen().unwrap();
let (ct, _ss) = xwing::encapsulate(&pk).unwrap();
b.iter(|| {
let ss = xwing::decapsulate(&sk, &ct).unwrap();
black_box(ss);
});
}
// ── KEX ─────────────────────────────────────────────────────────────────────
/// Alice's full session setup: ephemeral keygen + 3 encaps + HKDF + sign.
///
/// Pre-builds a verified bundle outside the iter closure so bundle verification
/// is not included. The measured path is `initiate_session` alone.
#[bench]
fn initiate_session_bench(b: &mut Bencher) {
let GeneratedIdentity {
public_key: alice_pk,
secret_key: alice_sk,
..
} = generate_identity().unwrap();
let GeneratedIdentity {
public_key: bob_pk,
secret_key: bob_sk,
..
} = generate_identity().unwrap();
let (spk_pk, _spk_sk) = xwing::keygen().unwrap();
let spk_sig = sign_prekey(&bob_sk, &spk_pk).unwrap();
let bundle = PreKeyBundle {
ik_pub: IdentityPublicKey::from_bytes(bob_pk.as_bytes().to_vec()).unwrap(),
crypto_version: constants::CRYPTO_VERSION.to_string(),
spk_pub: spk_pk,
spk_id: 1,
spk_sig,
opk_pub: None,
opk_id: None,
};
let verified = verify_bundle(bundle, &bob_pk).unwrap();
b.iter(|| {
let session = initiate_session(&alice_pk, &alice_sk, &verified).unwrap();
black_box(session);
});
}
/// Bob's full session reception: verify + 3 decaps + HKDF.
///
/// Pre-initiates a session outside the iter closure so Alice's setup cost is
/// excluded. `receive_session` takes all inputs by reference and is idempotent
/// (same ciphertexts produce the same root key each call).
#[bench]
fn receive_session_bench(b: &mut Bencher) {
let GeneratedIdentity {
public_key: alice_pk,
secret_key: alice_sk,
..
} = generate_identity().unwrap();
let GeneratedIdentity {
public_key: bob_pk,
secret_key: bob_sk,
..
} = generate_identity().unwrap();
let (spk_pk, spk_sk) = xwing::keygen().unwrap();
let spk_sig = sign_prekey(&bob_sk, &spk_pk).unwrap();
let bundle = PreKeyBundle {
ik_pub: IdentityPublicKey::from_bytes(bob_pk.as_bytes().to_vec()).unwrap(),
crypto_version: constants::CRYPTO_VERSION.to_string(),
spk_pub: spk_pk,
spk_id: 1,
spk_sig,
opk_pub: None,
opk_id: None,
};
let verified = verify_bundle(bundle, &bob_pk).unwrap();
let initiated = initiate_session(&alice_pk, &alice_sk, &verified).unwrap();
b.iter(|| {
let received = receive_session(
&bob_pk,
&bob_sk,
&alice_pk,
&initiated.session_init,
&initiated.sender_sig,
&spk_sk,
None,
)
.unwrap();
black_box(received);
});
}
// ── Ratchet: per-message hot paths ──────────────────────────────────────────
/// Same-epoch encrypt: HMAC-SHA3-256 key derivation + XChaCha20-Poly1305 encrypt.
///
/// RatchetState is built before `b.iter()`. Each call increments `send_count`
/// but stays in the same epoch (no KEM step). The hot path is O(1) per message.
#[bench]
fn ratchet_encrypt_same_epoch(b: &mut Bencher) {
let (mut alice, _bob, _fp_a, _fp_b) = setup_ratchet();
let msg = [0u8; 256];
b.iter(|| {
let enc = alice.encrypt(&msg).unwrap();
black_box(enc);
});
}
/// Same-epoch decrypt: HMAC-SHA3-256 key derivation + XChaCha20-Poly1305 decrypt.
///
/// Bob's `recv_seen` duplicate-detection set is bounded at 65,536 entries and
/// never resets within an epoch. For a ~4 µs operation the harness would run
/// ~230,000 iterations, exhausting the set and returning `ChainExhausted`.
/// To avoid this, Bob's state is restored from a pre-serialized blob each
/// iteration via `from_bytes_with_min_epoch` (~817 ns overhead per the
/// `ratchet_from_bytes` benchmark). Alice pre-encrypts a single message so no
/// encryption cost is included in the measurement.
#[bench]
fn ratchet_decrypt_same_epoch(b: &mut Bencher) {
let (mut alice, bob, _fp_a, _fp_b) = setup_ratchet();
let msg = [0u8; 256];
// Pre-encrypt one message to produce a valid ciphertext for Bob to decrypt.
let enc = alice.encrypt(&msg).unwrap();
// Alice's first encrypt is same-epoch (no direction change): kem_ct is None.
let header_rk_bytes = enc.header.ratchet_pk.as_bytes().to_vec();
let header_n = enc.header.n;
let header_pn = enc.header.pn;
let ciphertext = enc.ciphertext.clone();
// Serialize Bob's state before any decryption so it can be restored each
// iteration. to_bytes consumes bob; epoch is not needed (min_epoch = 0).
let (bob_bytes, _) = bob.to_bytes().unwrap();
let bob_bytes: Vec<u8> = bob_bytes.to_vec();
b.iter(|| {
// Restore Bob each iteration to keep recv_seen empty, preventing
// ChainExhausted after 65,536 iterations.
let mut bob_fresh = RatchetState::from_bytes_with_min_epoch(&bob_bytes, 0).unwrap();
let header = RatchetHeader {
ratchet_pk: xwing::PublicKey::from_bytes(header_rk_bytes.clone()).unwrap(),
kem_ct: None,
n: header_n,
pn: header_pn,
};
let pt = bob_fresh.decrypt(&header, &ciphertext).unwrap();
black_box(pt);
});
}
// ── Ratchet: direction-change paths ─────────────────────────────────────────
/// Direction-change encrypt cost: X-Wing keygen + encap (to peer's ratchet pk) + kdf_root.
///
/// Each iteration reconstructs a fresh Bob state from pre-computed key material.
/// `init_bob` is cheap (struct initialization only — no KEM). The measured cost
/// is `bob.encrypt()` which, with `send_ratchet_pk == None`, always triggers a
/// KEM ratchet step: keygen + encapsulate + HKDF-SHA3-256.
#[bench]
fn ratchet_encrypt_direction_change(b: &mut Bencher) {
// Run KEX to get realistic key material; extract what init_bob needs.
let GeneratedIdentity {
public_key: alice_pk,
secret_key: alice_sk,
..
} = generate_identity().unwrap();
let GeneratedIdentity {
public_key: bob_pk,
secret_key: bob_sk,
..
} = generate_identity().unwrap();
let (spk_pk, spk_sk) = xwing::keygen().unwrap();
let spk_sig = sign_prekey(&bob_sk, &spk_pk).unwrap();
let bundle = PreKeyBundle {
ik_pub: IdentityPublicKey::from_bytes(bob_pk.as_bytes().to_vec()).unwrap(),
crypto_version: constants::CRYPTO_VERSION.to_string(),
spk_pub: spk_pk,
spk_id: 1,
spk_sig,
opk_pub: None,
opk_id: None,
};
let fp_a = alice_pk.fingerprint_raw();
let fp_b = bob_pk.fingerprint_raw();
let verified = verify_bundle(bundle, &bob_pk).unwrap();
let mut initiated = initiate_session(&alice_pk, &alice_sk, &verified).unwrap();
let aad = build_first_message_aad(&fp_a, &fp_b, &initiated.session_init).unwrap();
let (first_ct, _alice_ck) =
RatchetState::encrypt_first_message(initiated.take_initial_chain_key(), b"hello", &aad)
.unwrap();
let mut received = receive_session(
&bob_pk,
&bob_sk,
&alice_pk,
&initiated.session_init,
&initiated.sender_sig,
&spk_sk,
None,
)
.unwrap();
let (_, bob_ck) =
RatchetState::decrypt_first_message(received.take_initial_chain_key(), &first_ct, &aad)
.unwrap();
// Save the raw key bytes for per-iter reconstruction.
// [u8; 32] is Copy — these are moved into the arrays and the originals
// on the Zeroizing<...> wrappers are dropped (zeroized) immediately after.
let bob_root_key: [u8; 32] = *received.take_root_key();
let bob_chain_key: [u8; 32] = *bob_ck;
// Alice's ephemeral pk becomes Bob's recv_ratchet_pk — the key he encapsulates
// to on his first direction-change encrypt.
let alice_ek_pk_bytes = initiated.ek_pk.as_bytes().to_vec();
let msg = [0u8; 256];
b.iter(|| {
// Reconstruct Alice's ek as Bob's recv_ratchet_pk. from_bytes is a Vec
// allocation + length check — negligible vs the KEM operations below.
let peer_ek = xwing::PublicKey::from_bytes(alice_ek_pk_bytes.clone()).unwrap();
// init_bob is struct initialization only (no crypto). send_ratchet_pk is
// None, so the first encrypt call unconditionally performs a direction-change
// KEM step: keygen + encapsulate (to peer_ek) + kdf_root.
let mut bob =
RatchetState::init_bob(bob_root_key, bob_chain_key, fp_b, fp_a, peer_ek).unwrap();
let enc = bob.encrypt(&msg).unwrap();
black_box(enc);
});
}
/// Direction-change decrypt cost: X-Wing decapsulate (using send_ratchet_sk) + kdf_root.
///
/// Pre-computes a direction-change message from Bob outside the iter closure.
/// Alice's ratchet state is serialized before the iter and restored via
/// `from_bytes_with_min_epoch` each iteration so she can re-process the same
/// direction-change message with a fresh decapsulation key.
#[bench]
fn ratchet_decrypt_direction_change(b: &mut Bencher) {
let (alice, mut bob, _fp_a, _fp_b) = setup_ratchet();
// Bob has recv_ratchet_pk = Some(alice's ek_pk). His first encrypt triggers a
// direction change: keygen new ratchet keypair, encapsulate to alice's ek_pk,
// kdf_root, then AEAD-encrypt the payload. Alice needs her ek_sk (stored in
// her send_ratchet_sk) to decapsulate.
let bob_dc_msg = bob.encrypt(&[0u8; 256]).unwrap();
// Serialize Alice's ratchet state (includes send_ratchet_sk = ek_sk).
// to_bytes() consumes Alice; the blob captures her state at epoch 1.
let (alice_bytes, _epoch) = alice.to_bytes().unwrap();
let alice_bytes: Vec<u8> = alice_bytes.to_vec();
// Pre-extract header fields as raw bytes so RatchetHeader can be reconstructed
// per iteration without allocating inside the benchmark.
let rk_pk_bytes = bob_dc_msg.header.ratchet_pk.as_bytes().to_vec();
let kem_ct_bytes = bob_dc_msg
.header
.kem_ct
.as_ref()
.unwrap()
.as_bytes()
.to_vec();
let header_n = bob_dc_msg.header.n;
let header_pn = bob_dc_msg.header.pn;
let ciphertext = bob_dc_msg.ciphertext.clone();
b.iter(|| {
// Restore Alice's state. from_bytes_with_min_epoch validates and
// deserializes the blob — its cost is small relative to the decap + kdf
// in the decrypt call below.
let mut alice_restored = RatchetState::from_bytes_with_min_epoch(&alice_bytes, 0).unwrap();
// Reconstruct the RatchetHeader. The kem_ct triggers Alice to run
// perform_kem_ratchet_recv: xwing::decapsulate(ek_sk, ct) + kdf_root.
let header = RatchetHeader {
ratchet_pk: xwing::PublicKey::from_bytes(rk_pk_bytes.clone()).unwrap(),
kem_ct: Some(xwing::Ciphertext::from_bytes(kem_ct_bytes.clone()).unwrap()),
n: header_n,
pn: header_pn,
};
let pt = alice_restored.decrypt(&header, &ciphertext).unwrap();
black_box(pt);
});
}
// ── Ratchet: KDF isolation ───────────────────────────────────────────────────
/// HKDF-SHA3-256(root_key, kem_ss) → 64 bytes.
///
/// Isolates the KDF step from the KEM operations in a direction-change cycle.
/// Uses the same construction as `kdf_root` inside the ratchet: salt=root_key,
/// ikm=kem_ss, info=RATCHET_HKDF_INFO, output=64 bytes.
#[bench]
fn kdf_root_isolated(b: &mut Bencher) {
let root_key: [u8; 32] = random_array();
let kem_ss: [u8; 32] = random_array();
let mut out = [0u8; 64];
b.iter(|| {
// Matches kdf_root internals: salt=root_key, ikm=kem_ss, info=RATCHET_HKDF_INFO.
hkdf_sha3_256(&root_key, &kem_ss, constants::RATCHET_HKDF_INFO, &mut out).unwrap();
black_box(out);
});
}
// ── Ratchet: serialization ───────────────────────────────────────────────────
/// Ratchet serialization: mobile clients serialize after every message.
///
/// Each iteration reconstructs Alice's ratchet state from pre-computed key
/// material (cheap — no KEM) then calls `to_bytes`. The measured path is the
/// serialization itself: counter encoding, key serialization, recv_seen set
/// encoding, Vec allocation.
#[bench]
fn ratchet_to_bytes(b: &mut Bencher) {
// Extract raw init material from a real KEX.
let GeneratedIdentity {
public_key: alice_pk,
secret_key: alice_sk,
..
} = generate_identity().unwrap();
let GeneratedIdentity {
public_key: bob_pk,
secret_key: bob_sk,
..
} = generate_identity().unwrap();
let (spk_pk, spk_sk) = xwing::keygen().unwrap();
let spk_sig = sign_prekey(&bob_sk, &spk_pk).unwrap();
let bundle = PreKeyBundle {
ik_pub: IdentityPublicKey::from_bytes(bob_pk.as_bytes().to_vec()).unwrap(),
crypto_version: constants::CRYPTO_VERSION.to_string(),
spk_pub: spk_pk,
spk_id: 1,
spk_sig,
opk_pub: None,
opk_id: None,
};
let fp_a = alice_pk.fingerprint_raw();
let fp_b = bob_pk.fingerprint_raw();
let verified = verify_bundle(bundle, &bob_pk).unwrap();
let mut initiated = initiate_session(&alice_pk, &alice_sk, &verified).unwrap();
let aad = build_first_message_aad(&fp_a, &fp_b, &initiated.session_init).unwrap();
let (first_ct, alice_ck) =
RatchetState::encrypt_first_message(initiated.take_initial_chain_key(), b"hello", &aad)
.unwrap();
let mut received = receive_session(
&bob_pk,
&bob_sk,
&alice_pk,
&initiated.session_init,
&initiated.sender_sig,
&spk_sk,
None,
)
.unwrap();
let (_, _bob_ck) =
RatchetState::decrypt_first_message(received.take_initial_chain_key(), &first_ct, &aad)
.unwrap();
// Save raw key bytes for per-iter reconstruction of Alice's state.
let alice_root: [u8; 32] = *initiated.take_root_key();
let alice_chain: [u8; 32] = *alice_ck;
let ek_pk_bytes = initiated.ek_pk.as_bytes().to_vec();
let ek_sk_bytes = initiated.ek_sk().as_bytes().to_vec();
b.iter(|| {
// Reconstruct Alice's ratchet state. init_alice is struct initialization
// only (no KEM) — its cost is negligible vs to_bytes.
let ek_pk = xwing::PublicKey::from_bytes(ek_pk_bytes.clone()).unwrap();
let ek_sk = xwing::SecretKey::from_bytes(ek_sk_bytes.clone()).unwrap();
let alice =
RatchetState::init_alice(alice_root, alice_chain, fp_a, fp_b, ek_pk, ek_sk).unwrap();
let (blob, epoch) = alice.to_bytes().unwrap();
black_box((blob, epoch));
});
}
/// Ratchet deserialization: load on app resume.
///
/// Pre-serializes a state once. Each iteration deserializes it fresh.
/// The measured path is `from_bytes_with_min_epoch`: version check, field
/// parsing, recv_seen reconstruction, anti-rollback epoch check.
#[bench]
fn ratchet_from_bytes(b: &mut Bencher) {
let (alice, _bob, _fp_a, _fp_b) = setup_ratchet();
let (blob, _epoch) = alice.to_bytes().unwrap();
let blob: Vec<u8> = blob.to_vec();
b.iter(|| {
// min_epoch = 0: accept any epoch — anti-rollback protection is not
// the subject of this benchmark.
let state = RatchetState::from_bytes_with_min_epoch(&blob, 0).unwrap();
black_box(state);
});
}
// ── Argon2id ────────────────────────────────────────────────────────────────
/// Argon2id at OWASP interactive floor: 19 MiB, 2 passes, 1 lane.
///
/// Validates the "interactive login floor" documentation claim.
/// Variance is wide (±20% typical) — these are indicative values.
#[bench]
fn argon2id_owasp_min(b: &mut Bencher) {
let password = b"bench-password";
let salt: [u8; 16] = random_array();
let mut out = [0u8; 32];
b.iter(|| {
argon2id(password, &salt, Argon2Params::OWASP_MIN, &mut out).unwrap();
black_box(out);
});
}
/// Argon2id at recommended keypair-protection settings: 64 MiB, 3 passes, 4 lanes.
///
/// Validates the "0.1-1 s on modern hardware" documentation claim.
/// Variance is wide (±20% typical) — these are indicative values.
#[bench]
fn argon2id_recommended(b: &mut Bencher) {
let password = b"bench-password";
let salt: [u8; 16] = random_array();
let mut out = [0u8; 32];
b.iter(|| {
argon2id(password, &salt, Argon2Params::RECOMMENDED, &mut out).unwrap();
black_box(out);
});
}
// ── Streaming AEAD ──────────────────────────────────────────────────────────
/// Stream encrypt 1 MiB: throughput baseline.
///
/// Encrypts exactly one STREAM_CHUNK_SIZE (1 MiB) chunk as the final chunk.
/// The throughput in MB/s is: `1_048_576_000 / ns_per_iter`.
#[bench]
fn stream_encrypt_1mib(b: &mut Bencher) {
let key: [u8; 32] = random_array();
let aad = b"bench-aad";
// 1 MiB plaintext pre-allocated outside the iter closure.
let plaintext = vec![0u8; constants::STREAM_CHUNK_SIZE];
b.iter(|| {
let mut enc = stream_encrypt_init(&key, aad, false).unwrap();
// Single final chunk — exactly STREAM_CHUNK_SIZE bytes is valid for is_last=true.
let chunk = enc.encrypt_chunk(&plaintext, true).unwrap();
black_box(chunk);
});
}
/// Stream encrypt 4 MiB sequentially: baseline for parallel comparison.
///
/// Encrypts four STREAM_CHUNK_SIZE (1 MiB) chunks back-to-back via the
/// sequential `encrypt_chunk` API. The throughput in MB/s is:
/// `4_194_304_000 / ns_per_iter`. Compare with `stream_encrypt_4mib_parallel`
/// to measure the wall-clock speedup from rayon parallelism on this machine.
#[bench]
fn stream_encrypt_4mib_sequential(b: &mut Bencher) {
let key: [u8; 32] = random_array();
let plaintext = vec![0u8; constants::STREAM_CHUNK_SIZE];
b.iter(|| {
let mut enc = stream_encrypt_init(&key, b"", false).unwrap();
for _ in 0..3 {
black_box(enc.encrypt_chunk(&plaintext, false).unwrap());
}
black_box(enc.encrypt_chunk(&plaintext, true).unwrap());
});
}
/// Stream encrypt 4 MiB in parallel via rayon: measures parallelism speedup.
///
/// Encrypts four STREAM_CHUNK_SIZE (1 MiB) chunks concurrently using
/// `encrypt_chunk_at` dispatched over rayon's thread pool. Because chunks are
/// index-keyed and the encryptor takes `&self`, no synchronization is needed
/// between workers. The thread pool is pre-warmed by rayon before `b.iter()`
/// runs, so spawn cost is excluded from the measurement.
///
/// Divide `stream_encrypt_4mib_sequential` ns/iter by this result to get the
/// effective parallelism factor on this machine.
#[bench]
fn stream_encrypt_4mib_parallel(b: &mut Bencher) {
let key: [u8; 32] = random_array();
let plaintext = vec![0u8; constants::STREAM_CHUNK_SIZE];
// Force rayon's global pool to initialize before the timed loop so the
// first b.iter() call does not include thread-pool startup latency.
rayon::current_num_threads();
b.iter(|| {
let enc = stream_encrypt_init(&key, b"", false).unwrap();
let chunks: Vec<Vec<u8>> = (0u64..4)
.into_par_iter()
.map(|i| enc.encrypt_chunk_at(i, i == 3, &plaintext).unwrap())
.collect();
black_box(chunks);
});
}
/// Stream encrypt 8 MiB in parallel via rayon: bandwidth ceiling check.
///
/// Same construction as `stream_encrypt_4mib_parallel` but with 8 chunks.
/// If ns/iter stays roughly flat vs the 4-chunk bench, the bottleneck is
/// memory bandwidth — all cores are already saturating the bus at 4 chunks.
/// If it scales toward 2× the 4-chunk time, there was spare bandwidth and
/// the 4-chunk result was CPU-limited.
#[bench]
fn stream_encrypt_8mib_parallel(b: &mut Bencher) {
let key: [u8; 32] = random_array();
let plaintext = vec![0u8; constants::STREAM_CHUNK_SIZE];
rayon::current_num_threads();
b.iter(|| {
let enc = stream_encrypt_init(&key, b"", false).unwrap();
let chunks: Vec<Vec<u8>> = (0u64..8)
.into_par_iter()
.map(|i| enc.encrypt_chunk_at(i, i == 7, &plaintext).unwrap())
.collect();
black_box(chunks);
});
}
/// Stream decrypt 1 MiB: throughput baseline.
///
/// Pre-encrypts a 1 MiB chunk outside the iter closure and decrypts it each
/// iteration. The throughput in MB/s is: `1_048_576_000 / ns_per_iter`.
#[bench]
fn stream_decrypt_1mib(b: &mut Bencher) {
let key: [u8; 32] = random_array();
let aad = b"bench-aad";
let plaintext = vec![0u8; constants::STREAM_CHUNK_SIZE];
// Pre-encrypt: produces the 26-byte header and the encrypted chunk bytes.
let mut enc = stream_encrypt_init(&key, aad, false).unwrap();
let header = enc.header();
let encrypted_chunk = enc.encrypt_chunk(&plaintext, true).unwrap();
b.iter(|| {
let mut dec = stream_decrypt_init(&key, &header, aad).unwrap();
let (pt, _is_last) = dec.decrypt_chunk(&encrypted_chunk).unwrap();
black_box(pt);
});
}

113
soliton/build.rs Normal file
View file

@ -0,0 +1,113 @@
//! Build script for soliton.
//!
//! Embeds the EFF large wordlist for verification phrase generation.
//! The wordlist is checked into the repo at `src/eff_large_wordlist.txt`
//! and SHA-256 verified at build time.
//!
//! All cryptographic dependencies are pure Rust — no C compilation or linking needed.
use sha2::{Digest, Sha256};
use std::env;
use std::fs;
use std::io::Write;
use std::path::PathBuf;
/// SHA-256 hash of the canonical EFF large wordlist (7776 lines).
/// <https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt>
const EFF_WORDLIST_SHA256: &str =
"addd35536511597a02fa0a9ff1e5284677b8883b83e986e43f15a3db996b903e";
fn main() {
println!("cargo:rerun-if-changed=build.rs");
println!("cargo:rerun-if-changed=src/eff_large_wordlist.txt");
generate_wordlist();
}
/// Read the EFF large wordlist from the in-repo cached copy and generate
/// a Rust source file with the words as a static array. The file is
/// written to OUT_DIR and included via `include!` in the verification
/// module.
///
/// The EFF large wordlist contains 7776 words (6^5), one per line, prefixed
/// with a dice roll number and a tab. We strip the prefix and keep only the
/// words.
fn generate_wordlist() {
// Cargo guarantees OUT_DIR and CARGO_MANIFEST_DIR for build scripts.
let out_dir = PathBuf::from(env::var("OUT_DIR").unwrap());
let wordlist_rs = out_dir.join("eff_wordlist.rs");
let cache_path = PathBuf::from(env::var("CARGO_MANIFEST_DIR").unwrap())
.join("src")
.join("eff_large_wordlist.txt");
// Skip regeneration if the output already exists AND the cached source
// passes SHA-256 verification. Safe because the output is deterministically
// generated from the source — same input always produces identical output.
// The SHA-256 check protects against tampered build caches.
if wordlist_rs.exists() {
if let Ok(cached) = fs::read_to_string(&cache_path) {
verify_wordlist_hash(&cached);
return;
}
}
let raw = fs::read_to_string(&cache_path)
.expect("EFF wordlist not available: src/eff_large_wordlist.txt missing from repo");
verify_wordlist_hash(&raw);
// Parse: each line is "DDDDD\tword\n" (5-digit dice roll, tab, word).
let words: Vec<&str> = raw
.lines()
.filter_map(|line| {
let line = line.trim();
if line.is_empty() {
return None;
}
line.split('\t').nth(1)
})
.collect();
// Panic: build scripts communicate errors by panicking. A count mismatch
// indicates a corrupted or non-canonical wordlist that passed SHA-256
// (hash collision or wrong file).
assert_eq!(
words.len(),
7776,
"EFF wordlist should have 7776 entries, got {}",
words.len()
);
// Panic on I/O failure: build scripts have no recovery path — Cargo
// treats a panic as a build error and reports the message to the user.
let mut out = fs::File::create(&wordlist_rs).unwrap();
writeln!(out, "/// EFF large wordlist (7776 words).").unwrap();
writeln!(
out,
"/// Source: <https://www.eff.org/dice>, checked into repo at src/eff_large_wordlist.txt."
)
.unwrap();
writeln!(out, "pub(crate) static EFF_WORDLIST: [&str; 7776] = [").unwrap();
for word in &words {
writeln!(out, " \"{word}\",").unwrap();
}
writeln!(out, "];").unwrap();
}
/// Verify the SHA-256 hash of the EFF wordlist content.
///
/// # Security
///
/// Panics with a clear message if the hash doesn't match, preventing
/// use of a tampered or corrupted wordlist in verification phrases.
/// This is the sole integrity gate for the in-repo wordlist.
fn verify_wordlist_hash(content: &str) {
let computed = format!("{:x}", Sha256::digest(content.as_bytes()));
assert_eq!(
computed, EFF_WORDLIST_SHA256,
"EFF wordlist SHA-256 mismatch!\n expected: {}\n computed: {}\n\
The wordlist may be corrupted or tampered with.",
EFF_WORDLIST_SHA256, computed
);
}

918
soliton/fuzz/Cargo.lock generated Normal file
View file

@ -0,0 +1,918 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 4
[[package]]
name = "aead"
version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0"
dependencies = [
"crypto-common 0.1.7",
"generic-array",
]
[[package]]
name = "arbitrary"
version = "1.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c3d036a3c4ab069c7b410a2ce876bd74808d2d0888a82667669f8e783a898bf1"
[[package]]
name = "argon2"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbfbee85aec3c9179d29cc072"
dependencies = [
"base64ct",
"blake2",
"cpufeatures 0.2.17",
"password-hash",
"zeroize",
]
[[package]]
name = "autocfg"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
[[package]]
name = "base64ct"
version = "1.8.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
[[package]]
name = "blake2"
version = "0.10.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe"
dependencies = [
"digest 0.10.7",
]
[[package]]
name = "block-buffer"
version = "0.10.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
dependencies = [
"generic-array",
]
[[package]]
name = "block-buffer"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "96eb4cdd6cf1b31d671e9efe75c5d1ec614776856cefbe109ca373554a6d514f"
dependencies = [
"hybrid-array 0.4.7",
"zeroize",
]
[[package]]
name = "bumpalo"
version = "3.20.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
[[package]]
name = "cc"
version = "1.2.56"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aebf35691d1bfb0ac386a69bac2fde4dd276fb618cf8bf4f5318fe285e821bb2"
dependencies = [
"find-msvc-tools",
"jobserver",
"libc",
"shlex",
]
[[package]]
name = "cfg-if"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
[[package]]
name = "chacha20"
version = "0.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c3613f74bd2eac03dad61bd53dbe620703d4371614fe0bc3b9f04dd36fe4e818"
dependencies = [
"cfg-if",
"cipher",
"cpufeatures 0.2.17",
]
[[package]]
name = "chacha20poly1305"
version = "0.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "10cd79432192d1c0f4e1a0fef9527696cc039165d729fb41b3f4f4f354c2dc35"
dependencies = [
"aead",
"chacha20",
"cipher",
"poly1305",
"zeroize",
]
[[package]]
name = "cipher"
version = "0.4.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
dependencies = [
"crypto-common 0.1.7",
"inout",
"zeroize",
]
[[package]]
name = "const-oid"
version = "0.9.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
[[package]]
name = "const-oid"
version = "0.10.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a6ef517f0926dd24a1582492c791b6a4818a4d94e789a334894aa15b0d12f55c"
[[package]]
name = "cpufeatures"
version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
dependencies = [
"libc",
]
[[package]]
name = "cpufeatures"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201"
dependencies = [
"libc",
]
[[package]]
name = "crypto-common"
version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
dependencies = [
"generic-array",
"typenum",
]
[[package]]
name = "crypto-common"
version = "0.2.0-rc.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6f8441110cea75afde0b89a8d796e2bc67b23432f5a9566cb15d9d365d91a2b0"
dependencies = [
"hybrid-array 0.4.7",
]
[[package]]
name = "curve25519-dalek"
version = "4.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
dependencies = [
"cfg-if",
"cpufeatures 0.2.17",
"curve25519-dalek-derive",
"digest 0.10.7",
"fiat-crypto",
"rustc_version",
"subtle",
"zeroize",
]
[[package]]
name = "curve25519-dalek-derive"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "der"
version = "0.7.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
dependencies = [
"const-oid 0.9.6",
"zeroize",
]
[[package]]
name = "der"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "71fd89660b2dc699704064e59e9dba0147b903e85319429e131620d022be411b"
dependencies = [
"const-oid 0.10.2",
"zeroize",
]
[[package]]
name = "digest"
version = "0.10.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
dependencies = [
"block-buffer 0.10.4",
"crypto-common 0.1.7",
"subtle",
]
[[package]]
name = "digest"
version = "0.11.0-rc.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "02b42f1d9edf5207c137646b568a0168ca0ec25b7f9eaf7f9961da51a3d91cea"
dependencies = [
"block-buffer 0.11.0",
"const-oid 0.10.2",
"crypto-common 0.2.0-rc.15",
"subtle",
"zeroize",
]
[[package]]
name = "ed25519"
version = "2.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
dependencies = [
"pkcs8 0.10.2",
"signature 2.2.0",
]
[[package]]
name = "ed25519-dalek"
version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9"
dependencies = [
"curve25519-dalek",
"ed25519",
"serde",
"sha2",
"subtle",
"zeroize",
]
[[package]]
name = "fiat-crypto"
version = "0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
[[package]]
name = "find-msvc-tools"
version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
[[package]]
name = "generic-array"
version = "0.14.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
dependencies = [
"typenum",
"version_check",
]
[[package]]
name = "getrandom"
version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
dependencies = [
"cfg-if",
"js-sys",
"libc",
"wasi",
"wasm-bindgen",
]
[[package]]
name = "getrandom"
version = "0.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
dependencies = [
"cfg-if",
"js-sys",
"libc",
"r-efi",
"wasip2",
"wasm-bindgen",
]
[[package]]
name = "hkdf"
version = "0.13.0-rc.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cbb55385998ae66b8d2d5143c05c94b9025ab863966f0c94ce7a5fde30105092"
dependencies = [
"hmac",
]
[[package]]
name = "hmac"
version = "0.13.0-rc.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ef451d73f36d8a3f93ad32c332ea01146c9650e1ec821a9b0e46c01277d544f8"
dependencies = [
"digest 0.11.0-rc.11",
]
[[package]]
name = "hybrid-array"
version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f2d35805454dc9f8662a98d6d61886ffe26bd465f5960e0e55345c70d5c0d2a9"
dependencies = [
"typenum",
]
[[package]]
name = "hybrid-array"
version = "0.4.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e1b229d73f5803b562cc26e4da0396c8610a4ee209f4fac8fa4f8d709166dc45"
dependencies = [
"typenum",
"zeroize",
]
[[package]]
name = "inout"
version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01"
dependencies = [
"generic-array",
]
[[package]]
name = "jobserver"
version = "0.1.34"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33"
dependencies = [
"getrandom 0.3.4",
"libc",
]
[[package]]
name = "js-sys"
version = "0.3.77"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1cfaf33c695fc6e08064efbc1f72ec937429614f25eef83af942d0e227c3a28f"
dependencies = [
"once_cell",
"wasm-bindgen",
]
[[package]]
name = "keccak"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cb26cec98cce3a3d96cbb7bced3c4b16e3d13f27ec56dbd62cbc8f39cfb9d653"
dependencies = [
"cpufeatures 0.2.17",
]
[[package]]
name = "keccak"
version = "0.2.0-rc.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "882b69cb15b1f78b51342322a97ccd16f5123d1dc8a3da981a95244f488e8692"
dependencies = [
"cpufeatures 0.3.0",
]
[[package]]
name = "kem"
version = "0.3.0-pre.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2b8645470337db67b01a7f966decf7d0bafedbae74147d33e641c67a91df239f"
dependencies = [
"rand_core 0.6.4",
"zeroize",
]
[[package]]
name = "libc"
version = "0.2.182"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"
[[package]]
name = "libfuzzer-sys"
version = "0.4.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f12a681b7dd8ce12bff52488013ba614b869148d54dd79836ab85aafdd53f08d"
dependencies = [
"arbitrary",
"cc",
]
[[package]]
name = "libsoliton"
version = "0.1.0"
dependencies = [
"argon2",
"chacha20poly1305",
"crypto-common 0.2.0-rc.15",
"curve25519-dalek",
"digest 0.11.0-rc.11",
"ed25519-dalek",
"getrandom 0.2.17",
"getrandom 0.3.4",
"hkdf",
"hmac",
"keccak 0.2.0-rc.2",
"kem",
"ml-dsa",
"ml-kem",
"poly1305",
"ruzstd",
"sha2",
"sha3 0.11.0-rc.7",
"subtle",
"thiserror",
"zeroize",
]
[[package]]
name = "libsoliton-fuzz"
version = "0.0.0"
dependencies = [
"ed25519-dalek",
"libfuzzer-sys",
"libsoliton",
"zeroize",
]
[[package]]
name = "log"
version = "0.4.29"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
[[package]]
name = "ml-dsa"
version = "0.1.0-rc.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "af6e554a2affc86740759dbe568a92abd58b47fea4e28ebe1b7bb4da99e490d4"
dependencies = [
"const-oid 0.10.2",
"hybrid-array 0.4.7",
"module-lattice",
"pkcs8 0.11.0-rc.11",
"rand_core 0.10.0",
"sha3 0.11.0-rc.7",
"signature 3.0.0-rc.10",
"zeroize",
]
[[package]]
name = "ml-kem"
version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8de49b3df74c35498c0232031bb7e85f9389f913e2796169c8ab47a53993a18f"
dependencies = [
"hybrid-array 0.2.3",
"kem",
"rand_core 0.6.4",
"sha3 0.10.8",
"zeroize",
]
[[package]]
name = "module-lattice"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6dfecc750073acc09af2f8899b2342d520d570392ba1c3aed53eeb0d84ca4103"
dependencies = [
"hybrid-array 0.4.7",
"num-traits",
"zeroize",
]
[[package]]
name = "num-traits"
version = "0.2.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
dependencies = [
"autocfg",
]
[[package]]
name = "once_cell"
version = "1.21.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
[[package]]
name = "opaque-debug"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
[[package]]
name = "password-hash"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166"
dependencies = [
"base64ct",
"rand_core 0.6.4",
"subtle",
]
[[package]]
name = "pkcs8"
version = "0.10.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
dependencies = [
"der 0.7.10",
"spki 0.7.3",
]
[[package]]
name = "pkcs8"
version = "0.11.0-rc.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "12922b6296c06eb741b02d7b5161e3aaa22864af38dfa025a1a3ba3f68c84577"
dependencies = [
"der 0.8.0",
"spki 0.8.0-rc.4",
]
[[package]]
name = "poly1305"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8159bd90725d2df49889a078b54f4f79e87f1f8a8444194cdca81d38f5393abf"
dependencies = [
"cpufeatures 0.2.17",
"opaque-debug",
"universal-hash",
"zeroize",
]
[[package]]
name = "proc-macro2"
version = "1.0.106"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
dependencies = [
"unicode-ident",
]
[[package]]
name = "quote"
version = "1.0.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4"
dependencies = [
"proc-macro2",
]
[[package]]
name = "r-efi"
version = "5.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
[[package]]
name = "rand_core"
version = "0.6.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
dependencies = [
"getrandom 0.2.17",
]
[[package]]
name = "rand_core"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba"
[[package]]
name = "rustc_version"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
dependencies = [
"semver",
]
[[package]]
name = "ruzstd"
version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e5ff0cc5e135c8870a775d3320910cd9b564ec036b4dc0b8741629020be63f01"
dependencies = [
"twox-hash",
]
[[package]]
name = "semver"
version = "1.0.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
[[package]]
name = "serde"
version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
dependencies = [
"serde_core",
]
[[package]]
name = "serde_core"
version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "sha2"
version = "0.10.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
dependencies = [
"cfg-if",
"cpufeatures 0.2.17",
"digest 0.10.7",
]
[[package]]
name = "sha3"
version = "0.10.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "75872d278a8f37ef87fa0ddbda7802605cb18344497949862c0d4dcb291eba60"
dependencies = [
"digest 0.10.7",
"keccak 0.1.6",
]
[[package]]
name = "sha3"
version = "0.11.0-rc.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c5bfe7820113e633d8886e839aae78c1184b8d7011000db6bc7eb61e34f28350"
dependencies = [
"digest 0.11.0-rc.11",
"keccak 0.2.0-rc.2",
]
[[package]]
name = "shlex"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
[[package]]
name = "signature"
version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
dependencies = [
"rand_core 0.6.4",
]
[[package]]
name = "signature"
version = "3.0.0-rc.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f1880df446116126965eeec169136b2e0251dba37c6223bcc819569550edea3"
dependencies = [
"digest 0.11.0-rc.11",
"rand_core 0.10.0",
]
[[package]]
name = "spki"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
dependencies = [
"base64ct",
"der 0.7.10",
]
[[package]]
name = "spki"
version = "0.8.0-rc.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8baeff88f34ed0691978ec34440140e1572b68c7dd4a495fd14a3dc1944daa80"
dependencies = [
"base64ct",
"der 0.8.0",
]
[[package]]
name = "subtle"
version = "2.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
[[package]]
name = "syn"
version = "2.0.117"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
dependencies = [
"proc-macro2",
"quote",
"unicode-ident",
]
[[package]]
name = "thiserror"
version = "2.0.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
dependencies = [
"thiserror-impl",
]
[[package]]
name = "thiserror-impl"
version = "2.0.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "twox-hash"
version = "2.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ea3136b675547379c4bd395ca6b938e5ad3c3d20fad76e7fe85f9e0d011419c"
[[package]]
name = "typenum"
version = "1.19.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"
[[package]]
name = "unicode-ident"
version = "1.0.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
[[package]]
name = "universal-hash"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea"
dependencies = [
"crypto-common 0.1.7",
"subtle",
]
[[package]]
name = "version_check"
version = "0.9.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
[[package]]
name = "wasi"
version = "0.11.1+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
[[package]]
name = "wasip2"
version = "1.0.2+wasi-0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
dependencies = [
"wit-bindgen",
]
[[package]]
name = "wasm-bindgen"
version = "0.2.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1edc8929d7499fc4e8f0be2262a241556cfc54a0bea223790e71446f2aab1ef5"
dependencies = [
"cfg-if",
"once_cell",
"wasm-bindgen-macro",
]
[[package]]
name = "wasm-bindgen-backend"
version = "0.2.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2f0a0651a5c2bc21487bde11ee802ccaf4c51935d0d3d42a6101f98161700bc6"
dependencies = [
"bumpalo",
"log",
"proc-macro2",
"quote",
"syn",
"wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-macro"
version = "0.2.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fe63fc6d09ed3792bd0897b314f53de8e16568c2b3f7982f468c0bf9bd0b407"
dependencies = [
"quote",
"wasm-bindgen-macro-support",
]
[[package]]
name = "wasm-bindgen-macro-support"
version = "0.2.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de"
dependencies = [
"proc-macro2",
"quote",
"syn",
"wasm-bindgen-backend",
"wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-shared"
version = "0.2.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a05d73b933a847d6cccdda8f838a22ff101ad9bf93e33684f39c1f5f0eece3d"
dependencies = [
"unicode-ident",
]
[[package]]
name = "wit-bindgen"
version = "0.51.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
[[package]]
name = "zeroize"
version = "1.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
dependencies = [
"zeroize_derive",
]
[[package]]
name = "zeroize_derive"
version = "1.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85a5b4158499876c763cb03bc4e49185d3cccbabb15b33c627f7884f43db852e"
dependencies = [
"proc-macro2",
"quote",
"syn",
]

172
soliton/fuzz/Cargo.toml Normal file
View file

@ -0,0 +1,172 @@
[package]
name = "libsoliton-fuzz"
version = "0.0.0"
publish = false
edition = "2024"
[workspace]
[package.metadata]
cargo-fuzz = true
[dependencies]
libfuzzer-sys = "=0.4.12"
# Pin to match workspace — separate workspace, so cargo update here could
# otherwise pull a different zeroize than the main build tested against.
zeroize = "=1.8.2"
# Match main workspace features — separate workspace means Cargo does not
# unify features. Without zeroize, ed25519-dalek types lack ZeroizeOnDrop.
ed25519-dalek = { version = "=2.2.0", default-features = false, features = ["zeroize", "std"] }
[dependencies.libsoliton]
path = ".."
[[bin]]
name = "fuzz_storage_decrypt_blob"
path = "fuzz_targets/fuzz_storage_decrypt_blob.rs"
doc = false
[[bin]]
name = "fuzz_ratchet_decrypt"
path = "fuzz_targets/fuzz_ratchet_decrypt.rs"
doc = false
[[bin]]
name = "fuzz_ratchet_decrypt_stateful"
path = "fuzz_targets/fuzz_ratchet_decrypt_stateful.rs"
doc = false
[[bin]]
name = "fuzz_identity_from_bytes"
path = "fuzz_targets/fuzz_identity_from_bytes.rs"
doc = false
[[bin]]
name = "fuzz_ed25519_verify"
path = "fuzz_targets/fuzz_ed25519_verify.rs"
doc = false
[[bin]]
name = "fuzz_hybrid_verify"
path = "fuzz_targets/fuzz_hybrid_verify.rs"
doc = false
[[bin]]
name = "fuzz_ratchet_encrypt"
path = "fuzz_targets/fuzz_ratchet_encrypt.rs"
doc = false
[[bin]]
name = "fuzz_decrypt_first_message"
path = "fuzz_targets/fuzz_decrypt_first_message.rs"
doc = false
[[bin]]
name = "fuzz_kex_receive_session"
path = "fuzz_targets/fuzz_kex_receive_session.rs"
doc = false
[[bin]]
name = "fuzz_storage_encrypt_blob"
path = "fuzz_targets/fuzz_storage_encrypt_blob.rs"
doc = false
[[bin]]
name = "fuzz_auth_respond"
path = "fuzz_targets/fuzz_auth_respond.rs"
doc = false
[[bin]]
name = "fuzz_kex_verify_bundle"
path = "fuzz_targets/fuzz_kex_verify_bundle.rs"
doc = false
[[bin]]
name = "fuzz_verification_phrase"
path = "fuzz_targets/fuzz_verification_phrase.rs"
doc = false
[[bin]]
name = "fuzz_ratchet_roundtrip"
path = "fuzz_targets/fuzz_ratchet_roundtrip.rs"
doc = false
[[bin]]
name = "fuzz_xwing_roundtrip"
path = "fuzz_targets/fuzz_xwing_roundtrip.rs"
doc = false
[[bin]]
name = "fuzz_identity_sign_verify"
path = "fuzz_targets/fuzz_identity_sign_verify.rs"
doc = false
[[bin]]
name = "fuzz_session_init_roundtrip"
path = "fuzz_targets/fuzz_session_init_roundtrip.rs"
doc = false
[[bin]]
name = "fuzz_call_derive"
path = "fuzz_targets/fuzz_call_derive.rs"
doc = false
[[bin]]
name = "fuzz_auth_verify"
path = "fuzz_targets/fuzz_auth_verify.rs"
doc = false
[[bin]]
name = "fuzz_ratchet_from_bytes_epoch"
path = "fuzz_targets/fuzz_ratchet_from_bytes_epoch.rs"
doc = false
[[bin]]
name = "fuzz_kex_decode_receive"
path = "fuzz_targets/fuzz_kex_decode_receive.rs"
doc = false
[[bin]]
name = "fuzz_dm_queue_roundtrip"
path = "fuzz_targets/fuzz_dm_queue_roundtrip.rs"
doc = false
[[bin]]
name = "fuzz_dm_queue_decrypt_blob"
path = "fuzz_targets/fuzz_dm_queue_decrypt_blob.rs"
doc = false
[[bin]]
name = "fuzz_argon2_params"
path = "fuzz_targets/fuzz_argon2_params.rs"
doc = false
[[bin]]
name = "fuzz_stream_decrypt"
path = "fuzz_targets/fuzz_stream_decrypt.rs"
doc = false
[[bin]]
name = "fuzz_stream_encrypt_decrypt"
path = "fuzz_targets/fuzz_stream_encrypt_decrypt.rs"
doc = false
[[bin]]
name = "fuzz_stream_encrypt_at"
path = "fuzz_targets/fuzz_stream_encrypt_at.rs"
doc = false
[[bin]]
name = "fuzz_stream_decrypt_at"
path = "fuzz_targets/fuzz_stream_decrypt_at.rs"
doc = false
[[bin]]
name = "fuzz_ratchet_state_machine"
path = "fuzz_targets/fuzz_ratchet_state_machine.rs"
doc = false
[[bin]]
name = "gen_corpus"
path = "gen_corpus.rs"
doc = false

BIN
soliton/fuzz/corpus/fuzz_argon2_params/00a3a275e6b969ae9f0957c36545f992d48341a6 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/02e4622a98ffb160d2ab134786a125b494e9bea5 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/02ff74ea547817d960a0f598e7c29c3409588b29 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/03a824a8bb270eee464a2c35af769763e91ee811 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/03cef0b0b39a1a19982efc307eb80f3bb868dc10 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/042ea48c2645d355aa930281c2006218bfd35948 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/05a80cd6ed5a7927c94d75cca191577767c4bfab Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/05e3c0313f095eef093652478d0067e51d3e371a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/06cf134b890cdff1a194443715cdc414eb11731c Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/076da1fd33fbfd0216722c126686f1c5ba3f4721 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/08a16dcca71620a10a59210e28ab0ce55675c408 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/09cb0cc352ad5a4c8d70fe0347b874a50c8c8c1d Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/09cf8a0bba059b64d9254cb5727b4ee02404b9ad Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/0a303fa88a5707e28837c54543072163cca196b2 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/0aab63d644c5a28f01243395ca0395ce36c5a74f Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/0c68e5d1867ca2371848059e9c50174d01cd3fc0 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/0d1127fca7d27e7568f23893a1f0181c41888ec1 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/0d4b9115d322c9d2340d0a96363a100febf31522 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/0e7640f02bf52200c9f4f7a753439f03546e71f4 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/0e8154a6b4170195ed044f3acc0b093aa5712f2a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/0ecb8c6be484b3ca13375022300bd88d61bd158d Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/0f015092c7c5ccd4f0c7452fbf83956f75814825 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/0f8c26b9e450905e0c84752420d8ac33ba27debc Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/10533c7b4e34c4b73092a725e0eae7366c2be725 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/1116266b0203b34bf06ed2c6c704ffb5839e62c6 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/123869ddd63cdacba6d5d816549a69fd4ca89de9 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/129c6cd19ca455a0b497be4bb23c865ed75c3185 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/12e1300b5dbfcb818e9fb058eaae3f99afcb976a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/12f4dacc0a8a4cc61bbcdaa906f7f623bfcc93a0 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/132ca2484471ae731eabbd6e417298783ff386e1 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/135f6d0ecf44c54c2ba87ac6266830233440b258 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/14e72a9c04aee10ebca6c7a38fe070958c5a2006 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/15b0a6858428252d8cb3e8559233b8b43de64207 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/15bf0e248890fbba3f9b268e85f30d827c8e9b0e Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/1886f380363b75c4ec4cdd21ff821954cd5e4709 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/1931e52c4158110441e83061b33b4b61a78edc78 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/1acb33231343b0381284207072c0040f08928cb4 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/1ae91dba2943957af4217d73ec69e3570d122c2b Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/1afe856e6605aa0670a75601b5aa5c83e2e7b467 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/1b7836bd4eb6cf4c9511f8ae6e96ba35605a402e Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/1cba06d789c56b34a18bdf2cb0d42573fe38cd6f Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/1d3734223d4016103d4e1c97646cea0e86d7b892 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/1eca7eb0efbcd8de2702f722998e21abfc8e4145 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/200051156af8a4f44dd3190c7df6083585019592 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/22be4ed46351525d7ba797875e60b449e03e1287 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/231a89bc78107d1c38467a06a55c290f3fc3a7a1 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/2746976606bd111b2e87cf7c7f109069af8a1298 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/27a99b8394edc84f6b4af723f026435aa5c0e93e Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/280fc7a0ff7f866029762c8ec33f7ebd86842975 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/28b3be63904b997c9122d1875616068ac41faf40 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/29926653e8d90074e54e9433f6202ef54df6ced5 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/29ab3e956a0851f56d5005650e64710e5daf6268 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/2adb9e42576c96354240b08c78497d41a836abe6 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/2c6b2d0fcb83e702681adc5fb099872971f5bd1c Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/2e0dbb8c58bec8fa31dd117423352f88c2042588 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/2e821425b3c1d8e555c6066c8459cdead4b4017d Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/2e9d5579ce5da38796cd8a4288793631d78a150d Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/2ef648d83a1888e1ed361a292cb7873da560901a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/30bad8c6acea514e4fd9f053288c63948d4aa0b6 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3151638d5f9f937bd09e6932a3a2417adbec2929 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/32f9a5f861d06c28361e56df8feb40430d3e6cb6 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/334e8e6886b41e40e5f6f2a40a5bdc82583bc1a5 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/33e6c0df86a96c015efb8cc72ed1147737df684e Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/35b6bee9bb27d780700285c243a7c11995ac7cf0 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/35e0a0b434a5a1fa8991ed154a2f89e69aeb78a4 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/36e5ec3c1764734598a4db4280510c6933c4d604 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/376b71cadbb4d060ff1ab74c95a2e8d4502b8aaa Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/37c3b86669f7e9af13c0af0b7dd3342756f2be0a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3910b5836114a9c0ed0a351b28de0d7be8021846 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/39576188e470cb6afe275a9ea8b3d026d6701fed Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3980395b7eb44def93487725936991ab24362f30 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3a82187a49821db02e20ad3292981f739a79d067 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3a8fd5855f2a20aee47e1840ac084e4385eef4ad Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3ac15ca510ee51a241f1af24b27c80edb8dfe8f5 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3afea33c7e2061ed78ffc6f7ab67a167b607212e Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3b0bac8b4c1ae0e9aed4409eeb0bfde9c2b3202f Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3b9b40d9f8e912ae6c40c17ebb8546870c3f54ce Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3c3664b9f59e935ef33b2dfa70daf381f6be1aec Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3c46b6d8ef426ae26abca7950946db6167368623 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3d332b8c5cf23f28956775639a205a14ca589281 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3d49ab4a64f72be38c3c1d105b56e2292936305b Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/3dfbc92965a5a5fe0c20308684e1d27e3f34f4b4 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/41a1afd651fcfdbdceaa491f42b579a270c0600c Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4295951b7a58bf054d18afa74038f1786d41f52b Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/432d6981ad61bce4fb359574dbdc8dc35b68492c Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/439e9032e5918424adef3d82f63534b5a890838b Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/43a7327d5ce619cfe06240ee11f17ade17aa098a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4447e51bae829670c5db1d6e8d38f2cd56794d56 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/44d48a128ad252c4388289b2a018e19c6ced3e63 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/462b5c989510f46e2deace0d8853e8c6980f83fd Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/469640623502238c4d83b76618761b7d03ba98d6 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4750e984d7ad7e07c026c711a85db890d57f48b9 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/47523143b60a538aa2a6782858b1292d1611863a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/477a7322f6ba9b5ec554f1980c2e1404355715fc Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/47ab5a4f263f418d2bc04db4e72b2d7b528a4f1a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/48c2a8e0af0aa406f6b598a59412f550c713a757 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4a0ea158bbc6ffc29b9ae9c932d6ffea943a97b2 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4a77f7c11fb07c05a41beef303fcda341eb3a376 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4bf9a9ed7ab9891b87cc400243f809591df92635 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4dfc8d27e042eb037da32c0c930407e34794933b Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4e792f9af432980bd3f1e8ed7bf29aa61b0707f0 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4eb08a35c683eb1926c276b3bf1cc640663e89cb Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4f5e5e2fb2783509df3bb5c55ee60ecc6ffd646e Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4fde5aa7fd2a263c4d1d75473071646b8516359a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/4fe78bf9e79f13dcec93ec357ecb15676723091f Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5114a06ff9e8f9286fd17ae3f771d560aec03582 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/51d5179b588715f066a97bcb06581ab64d832fae Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5231d5c47eea5045b085de52d35fe5b2588db646 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5429a04397fd3891c7253759ffb8283b979c4a6f Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5478131fe7931f4f1fdb85d5a250bd7f3cb8a1ae Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/54b7895bc5265b39f5c3b8707515fe07f790f87b Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/55a137ab84d7366c62a7721fbd25be68125cb23a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/562195f71ede55caa6c707ed705cf75c89f81ad5 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/56b712df0f218b7c277b12191eeef63624ca430a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/56f07c657e9930389c7043bdda355c375a74667f Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5755324627b17d56b17798f8e6fe1216c0dd6ec9 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/577ec0d6b2844e88ec039a6a5fad308653d28cbb Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/57892d1c03701cbc711ce5999495ae77a03cb898 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/586d50c6b4401087e26930803364839c683835e9 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/59a30133dbabf9a476153661f90f72c1a396fe07 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5a08b974861e69c9cafc696361a0793193baa793 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5a14e343a2779fd4a4c03bce5c517974d5ce7559 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5d7fbe1808e20c8892bc99f0d85d0b3dc2064b24 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5dd5b3bcb247536b716c322f322e45664ad83dbd Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5de37c0360fab69623ed100a7bbdaf5ca29e6a72 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5e582f363da62392d4fa4063b8ec6e5d955b029c Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/5ff15e8b667c7d0e4016db87aba13d5fe061be79 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/60431ea72124eb70526b6b5547d7353df1e93abd Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/608725f3c66e538eb58f927bf55b48b822b41ad1 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/608ff7628ec552218ecaf297117b72902f249dfc Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6113ca70656b722bae29103c64c4b854ddcc275e Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/61a1d37ca8161caf669f038dff1ddb3f78c12635 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/61c8575f6c12c547440ed55e194ba9b7cdcb2d03 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/61f563324bf2de44c57cf6e57a5d09b1d9df9f53 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/61fde245cd1287f99e775043ab242e798ae0188a Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/621102a26d5d43abebda91fe04d3abaf10e88162 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/62407e3d6151210e24a195688e69ab3d6c10c3e0 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6248b9f244456c9102e4557e542b5abe9665fafd Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/63d1c43691eaeb2294ff45619d9970799b65ac93 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6470c8114a5b1104a9e233521c8fc460f6f26221 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/64f0b3b8af6420ed40d347685837cc46dad24abc Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/650a95d2d935c12b54c2b32ed991f0250e45929b Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/650b2d0c5ecab3504d9da9143a174655c5a52b5f Normal file
View file

Binary file not shown.

1
soliton/fuzz/corpus/fuzz_argon2_params/655f2b71ddfafbcbd5af517f02eb9386a2a7a2a1 Normal file
View file

@ -0,0 +1 @@
<EFBFBD>

BIN
soliton/fuzz/corpus/fuzz_argon2_params/66c3fdea105764aece623b6b92d5fc669a6250f1 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/67f1cab05a097aa16b03636e0d8d6b6d68400f45 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/684800f0ec5c515afab6535cd111d7980e177d5b Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/68aeadbc6236e7e8db2b07c058a07e1511868e13 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/69ea02e4bb7482efa2847d0c5de11ce5372875c5 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6b2d17fd62aa6cdfe8e657cfe388c48a4a2ec69c Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6b3489047e8e60bdbe3c2903aa804c42528aac9d Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6beae2fffca3ca082d88d7419f199855a0dd52c0 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6c72a329420dcbab1ba4d0b30421f7ec2e5b50c8 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6cc0805270076805fbc8af417f4192f2e93df6a8 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6cfe5815acf90f1e5fc61143b3b5f9186aa129f2 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6dc1f10a86b75ebd8349bc390e9db344d8c838f9 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6de9a69b595939e0daa0837700261b529e6deb4d Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6e1c3bd7857aa0e58967e11477802703e485cea0 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6e512517b2f7c170db43ec73e8cd65272ca6b303 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6ebe0ba2cda84fde40327fcf0b1d04a1d450443c Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6ec08e7d3a33e53553b3dc2f64625c54a7b4df77 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6f7ab4c702de0271faee7c09dd9ab05dedd59064 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/6fba4fc5d03d0cfcd8c00038239012e4c62bc2e5 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/706e9df9856b4e7f51c1f78f6d9ec6a2a8f952d5 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/70c542cef50370aefacb7f5a2d4be913f044c7b9 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/71bc6892b1837c6156a1c5d35a7f95959dfe832f Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/72de2c55692f186bace009ffe51259162ad615c8 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/7376776c990f6c17bc9627fed3b87b8aa083d1f0 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/746cdb47892ef0853f793e3d88793a855c889589 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/74b17d594bb292bf013c16ea8c0ff15b2ee8d2df Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/759a07c5720ea1b0882e41a78a9b811487343519 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/772d98356bb57421267b5798b74a81611a92e4d8 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/7854eefc1e8f9c9b3190dffec519b30fbabb62db Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/787639f774e12fcf3b9453ce378bd96096dce9d8 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/795eb61786f91761904a8141cebe14a93ca2f632 Normal file
View file

Binary file not shown.

BIN
soliton/fuzz/corpus/fuzz_argon2_params/7b887eb7ef48a6a1f7adbeb891f8e64102f1f341 Normal file
View file

Binary file not shown.

Some files were not shown because too many files have changed in this diff Show more