Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
84afd34
nix: add flake packaging for gssproxy on NixOS
tyler274 Jun 16, 2026
19e5aa0
Fix double free in libverto via a config flag
tyler274 Jun 16, 2026
02208c4
nix: run the full upstream test suite as a flake check
tyler274 Jun 16, 2026
c63f510
rust: bootstrap workspace and add configuration parsing
tyler274 Jun 16, 2026
950f74b
V3 Rust Rewrite:
tyler274 Jun 16, 2026
77cbf99
V3 Rust Rewirte:
tyler274 Jun 16, 2026
d5e96ac
V3 Rust Rewrite: I implemented the credential acquisition path for th…
tyler274 Jun 16, 2026
d412ec0
V3 Rust Rewrite:
tyler274 Jun 16, 2026
db90d15
v3 Rust Rewrite:
tyler274 Jun 16, 2026
d42b8d5
V3 Rust Rewrite, race condition in the C code fixed, Impersonation im…
tyler274 Jun 16, 2026
e1c3cde
rust: match C daemon CLI surface and extract-ccache utility
tyler274 Jun 16, 2026
ee26063
make vscode's rust-analyzer aware of Nix build env
tyler274 Jun 16, 2026
e8cdeef
V3 Rust Rewrite:
tyler274 Jun 16, 2026
8464280
docs: add VS Code recommendations and interposer documentation
tyler274 Jun 16, 2026
f8ed5f6
ci: add Rust formatting/lint gates and refresh GitHub Actions
tyler274 Jun 16, 2026
699d020
fix remaining warnings and have the prop fuzzing and chaos tests as a…
tyler274 Jun 16, 2026
3b5bbc0
rust: add Kani formal verification harnesses and CI gate
tyler274 Jun 16, 2026
88bbc42
V3 Rust Rewrite:
tyler274 Jun 16, 2026
1fbd52f
chore(rust): refresh Cargo.lock and apply rustfmt
tyler274 Jun 16, 2026
640e369
fix bindgen with 2024 edition without switching to a nightly rust too…
tyler274 Jun 16, 2026
b1fd8f6
correct some logging outputs to match upstream and tests
tyler274 Jun 16, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .envrc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
use flake
39 changes: 39 additions & 0 deletions .github/workflows/audit.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
name: Supply-chain audit

# RustSec CVE scanning and the network-dependent cargo-deny advisories check for
# the ./rust workspace. These need to fetch the RustSec advisory database, so
# (unlike the offline cargo-deny licenses/bans/sources flake check in nix.yaml)
# they live in their own workflow and also run on a schedule to catch newly
# disclosed advisories against an unchanged dependency tree.
on:
push:
paths:
- "rust/**"
- "nix/audit.nix"
- ".github/workflows/audit.yaml"
pull_request:
paths:
- "rust/**"
- "nix/audit.nix"
- ".github/workflows/audit.yaml"
schedule:
# Weekly, Mondays 07:00 UTC.
- cron: "0 7 * * 1"

permissions:
contents: read

jobs:
audit:
name: cargo-audit + cargo-deny advisories
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: DeterminateSystems/nix-installer-action@v22
- uses: DeterminateSystems/magic-nix-cache-action@v13
# RustSec advisory scan of the workspace Cargo.lock.
- name: cargo audit
run: nix run -L .#audit
# Full cargo-deny run (licenses + bans + sources + advisories).
- name: cargo deny check
run: nix run -L .#deny
4 changes: 2 additions & 2 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:
valgrind
fi
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Setup
run: |
autoreconf -fiv
Expand All @@ -49,7 +49,7 @@ jobs:
env:
CC: ${{ matrix.compiler }}
run: make -s distcheck DISTCHECK_CONFIGURE_FLAGS="CC=\"$CC\""
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@v7
if: failure()
with:
name: logs ${{ matrix.name }}, ${{ matrix.compiler }}
Expand Down
16 changes: 13 additions & 3 deletions .github/workflows/coverity.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,11 @@ jobs:
coverity:
name: Coverity Scan
runs-on: ubuntu-22.04
env:
RUN_COV: '0'
steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v6
- name: Install dependencies
run: |
sudo apt-get update
Expand All @@ -24,15 +26,23 @@ jobs:
autoreconf -fiv
./configure
- name: Check for changes
env:
COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
run: |
echo "RUN_COV=0" >> $GITHUB_ENV;
# Without the Coverity token (e.g. on forks) the scan action would
# download an HTML error page instead of the build tool and fail; skip.
if [ -z "${COVERITY_SCAN_TOKEN}" ]; then
echo "COVERITY_SCAN_TOKEN not configured; skipping Coverity scan."
exit 0
fi
DIFF=`git log --since=1week | wc -l`
if [ x${DIFF} != "x0" ]; then
echo "RUN_COV=1" >> $GITHUB_ENV;
fi
- name: Coverity Scan
if: env.RUN_COV == 1
uses: vapier/coverity-scan-action@v1
if: env.RUN_COV == '1'
uses: vapier/coverity-scan-action@v1.8.0
with:
project: "gssproxy"
email: ${{ secrets.COVERITY_SCAN_EMAIL }}
Expand Down
58 changes: 58 additions & 0 deletions .github/workflows/kani.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: Kani

# Bounded model checking of the FFI-free, security-critical Rust logic: the
# gssx wire codec (gssproxy-proto) and the pure OID helpers in the interposer.
# These proofs upgrade the proptest fuzzers to exhaustive guarantees over
# bounded inputs. See rust/docs/formal-verification.md.
#
# This is intentionally separate from the Nix workflow and from `nix flake
# check`: Kani is not packaged in nixpkgs (nightly toolchain + downloads CBMC),
# so CI uses the official Kani GitHub Action and developers use `nix run .#kani`.
#
# The job's pass/fail status is the gate: `cargo kani` exits non-zero if any
# harness fails to verify. (SARIF/Code-Scanning upload is intentionally not used
# yet: `--sarif` is not available in released Kani 0.67.0, only on unreleased
# main. Re-add `--sarif` + github/codeql-action/upload-sarif once it ships.)
on:
push:
pull_request:

permissions:
contents: read

jobs:
proto:
name: Kani proofs (gssproxy-proto codec)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Run Kani on gssproxy-proto
uses: model-checking/kani-github-action@v1.1
with:
kani-version: "0.67.0"
working-directory: rust
args: >-
-p gssproxy-proto
--output-format=terse

interposer:
name: Kani proofs (interposer OID helpers)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
# gssproxy-interposer depends on gssapi-sys, whose build.rs runs bindgen
# against the krb5/gssapi headers (the OID harnesses don't call any FFI,
# but the crate must still compile).
- name: Install krb5/clang build dependencies
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
libkrb5-dev libclang-dev clang pkg-config
- name: Run Kani on gssproxy-interposer OID helpers
uses: model-checking/kani-github-action@v1.1
with:
kani-version: "0.67.0"
working-directory: rust
args: >-
-p gssproxy-interposer
--output-format=terse
91 changes: 91 additions & 0 deletions .github/workflows/nix.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
name: Nix

# Validates the Nix flake and the ./rust port: formatting, linting, the C<->Rust
# interposer ABI parity gate, CLI parity, the upstream integration suite across
# the C/Rust daemon and interposer combinations, and the dev container image.
on:
push:
pull_request:

permissions:
contents: read

jobs:
lint:
name: Format & lint (nixpkgs-fmt, rustfmt, clippy)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: DeterminateSystems/nix-installer-action@v22
- uses: DeterminateSystems/magic-nix-cache-action@v13
- name: nixpkgs-fmt
run: nix build -L .#checks.x86_64-linux.nix-fmt
- name: cargo fmt --check
run: nix build -L .#checks.x86_64-linux.rust-fmt
- name: cargo clippy -D warnings
run: nix build -L .#checks.x86_64-linux.clippy
- name: cargo-deny (licenses, bans, sources)
run: nix build -L .#checks.x86_64-linux.cargo-deny

rust-tests:
name: Rust tests (property-based + chaos/fuzz)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: DeterminateSystems/nix-installer-action@v22
- uses: DeterminateSystems/magic-nix-cache-action@v13
# Runs the whole `cargo test` workspace: proptest round-trip fidelity,
# the config/CLI property tests, and the chaos-monkey robustness fuzzers
# that hammer the gssx decoders with arbitrary/truncated/biased input.
- name: cargo test (property + chaos/fuzz)
run: nix build -L .#checks.x86_64-linux.rust-tests

abi-parity:
name: Interposer ABI parity (C vs Rust)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: DeterminateSystems/nix-installer-action@v22
- uses: DeterminateSystems/magic-nix-cache-action@v13
# The headline gate: the Rust proxymech.so's exported gss_mech_interposer
# /gssi_* surface must stay a subset of (and match) the C plugin's ABI.
- name: proxymech.so symbol parity
run: nix build -L .#checks.x86_64-linux.interposer-symbol-parity
- name: CLI parity (C vs Rust daemon)
run: nix build -L .#checks.x86_64-linux.cli-parity

build:
name: Build packages (C, Rust, devcontainer)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: DeterminateSystems/nix-installer-action@v22
- uses: DeterminateSystems/magic-nix-cache-action@v13
- name: gssproxy (C)
run: nix build -L .#gssproxy
- name: gssproxy-rs (Rust daemon + interposer)
run: nix build -L .#gssproxy-rs
- name: devcontainer image
run: nix build -L .#devcontainer

integration:
name: Upstream integration suite (${{ matrix.check }})
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
check:
# C daemon + C interposer (baseline).
- integration-tests
# Rust daemon, C interposer/tests (wire/ABI compat, gate #1).
- integration-tests-rust
# C daemon, Rust interposer (interposer data-path compat, gate #2).
- integration-tests-rust-proxymech
# Rust daemon + Rust interposer end-to-end.
- integration-tests-all-rust
steps:
- uses: actions/checkout@v6
- uses: DeterminateSystems/nix-installer-action@v22
- uses: DeterminateSystems/magic-nix-cache-action@v13
- name: ${{ matrix.check }}
run: nix build -L .#checks.x86_64-linux.${{ matrix.check }}
42 changes: 42 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -67,3 +67,45 @@ tests/t_impersonate
tests/t_init
tests/t_names
tests/t_setcredopt
direnv/
result
result-man
result-c-man/**/*
rust/target/
rust/gssproxy-bench/target/

# Generated by Cargo
# will have compiled files and executables
rust/debug
rust/target

# These are backup files generated by rustfmt
**/*.rs.bk

# MSVC Windows builds of rustc generate these, which store debugging information
*.pdb

# Generated by cargo mutants
# Contains mutation testing data
**/mutants.out*/

# Project-local Kani toolchain/cargo/CBMC state created by `nix run .#kani`
.kani/

# cargo-flamegraph output (written to the cwd by `nix run .#flamegraph`).
# pprof per-bench SVGs live under rust/target/criterion and are covered above.
flamegraph.svg
perf.data
perf.data.old

# rustc will dump stack traces when hitting an internal compiler error to PWD
rustc-ice-*.txt

# RustRover
# JetBrains specific template is maintained in a separate JetBrains.gitignore that can
# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
# and can be added to the global gitignore or merged into this file. For a more nuclear
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/
result-c-man
result-*
11 changes: 11 additions & 0 deletions .vscode/extensions.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"recommendations": [
"waderyan.gitblame",
"rust-lang.rust-analyzer",
"tombi-toml.tombi",
"anysphere.remote-containers",
"ms-azuretools.vscode-containers",
"jnoortheen.nix-ide",
"davidanson.vscode-markdownlint"
]
}
16 changes: 16 additions & 0 deletions .vscode/rust-analyzer-nix.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
# Launch rust-analyzer inside the Nix flake dev shell.
#
# This keeps a single toolchain in play: the server's proc-macro expander,
# the sysroot, and every cargo/rustc invocation rust-analyzer spawns all come
# from the flake's pinned rustc (matching the artifacts built into rust/target).
# It also inherits LIBCLANG_PATH (via rustPlatform.bindgenHook) so the bindgen
# build scripts (libgssapi-sys, gssapi-sys) work.
#
# Without this, the IDE's bundled rust-analyzer uses the host rustup toolchain,
# producing "Unable to find libclang" and proc-macro ABI mismatch errors.
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"

exec nix develop "$repo_root" --command rust-analyzer "$@"
15 changes: 15 additions & 0 deletions .vscode/rust-analyzer-proc-macro-srv.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
# Proc-macro server for rust-analyzer, sourced from the flake dev shell's rustc.
#
# rust-analyzer's built-in expander matches whatever rustc the rust-analyzer
# package was built with, which is not necessarily the dev shell's rustc that
# compiles rust/target. Point rust-analyzer.procMacro.server at this script so
# the expander always comes from the *same* rustc sysroot that builds the
# crates, avoiding proc-macro ABI mismatches. The sysroot is resolved at runtime
# (no hardcoded /nix/store path, so it survives toolchain updates).
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"

exec nix develop "$repo_root" --command \
sh -c 'exec "$(rustc --print sysroot)/libexec/rust-analyzer-proc-macro-srv" "$@"' sh "$@"
55 changes: 55 additions & 0 deletions .vscode/settings.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
{
// The Rust workspace under ./rust needs the Nix flake dev shell to build:
// - bindgen build scripts (libgssapi-sys, gssapi-sys) need libclang,
// which is only provided in the dev shell via rustPlatform.bindgenHook
// (it exports LIBCLANG_PATH).
// - artifacts in rust/target are built with the flake's pinned rustc, so
// rust-analyzer must use that same toolchain or proc-macro .so files
// fail to load with an ABI mismatch.
//
// The IDE's bundled rust-analyzer runs with the host environment (rustup
// toolchain, no LIBCLANG_PATH), which triggers both failures. Running the
// whole server inside `nix develop` (see rust-analyzer-nix.sh) puts the
// server, its proc-macro expander, the sysroot, and every cargo invocation
// it spawns on one toolchain, without hardcoding store paths that change on
// toolchain updates.
"rust-analyzer.server.path": "${workspaceFolder}/.vscode/rust-analyzer-nix.sh",
"rust-analyzer.cachePriming.numThreads": "physical",
// Use the proc-macro expander from the dev shell's rustc sysroot (the same
// rustc that builds rust/target), so proc-macro .so files load without an ABI
// mismatch. Don't leave this null: that would fall back to rust-analyzer's
// built-in expander, which tracks whatever rustc the rust-analyzer package was
// built with and may differ from the dev shell's rustc.
"rust-analyzer.procMacro.server": "${workspaceFolder}/.vscode/rust-analyzer-proc-macro-srv.sh",
"rust-analyzer.restartServerOnConfigChange": true,
// Pin rust-analyzer to the real workspace. Without this, rust-analyzer
// auto-discovers every Cargo.toml under the repo and loads the vendored crates
// in .kani/cargo/registry (bootstrapped by `nix run .#kani`) as spurious
// projects. files.exclude alone does not reliably stop that discovery.
"rust-analyzer.linkedProjects": [
"rust/Cargo.toml"
],
// Don't let rust-analyzer scan the project-local Kani toolchain/registry.
// The bench crate's target dir is likewise not a source tree.
"rust-analyzer.files.exclude": [
".kani",
"rust/gssproxy-bench/target"
],
// rust-analyzer.files.exclude stops indexing, but Code still *watches* these
// dirs. Exclude them from the file watcher too so the large vendored Kani
// registry and build output don't churn CPU/inotify.
"files.watcherExclude": {
"**/.kani/**": true,
"**/rust/gssproxy-bench/target/**": true
},
// Hide the Kani toolchain/registry and bench output from the file explorer
// and from search so they don't clutter navigation or grep results.
"files.exclude": {
"**/.kani": true,
"**/rust/gssproxy-bench/target": true
},
"search.exclude": {
"**/.kani": true,
"**/rust/gssproxy-bench/target": true
}
}
Loading