path: root/cmake/config/lib.cmake
Diffstat (limited to 'cmake/config/lib.cmake')
-rw-r--r--cmake/config/lib.cmake38
1 files changed, 36 insertions, 2 deletions
diff --git a/cmake/config/lib.cmake b/cmake/config/lib.cmake
index 25130519..2c01b311 100644
--- a/cmake/config/lib.cmake
+++ b/cmake/config/lib.cmake
@@ -87,8 +87,42 @@ set(TPM_DEBUG_ABORT_TIMEOUT 0 CACHE STRING
"TPM abort process after a thread reaches this timeout (s), 0 disables")
# Encryption
-set(KEY_ROTATION_BIT 20 CACHE STRING
- "Bit position in packet counter that triggers key rotation (default 20 = every 2^20 packets)")
+set(KEY_LEAF_BITS 20 CACHE STRING
+ "Packets per leaf key as a power of two (2^20 = AEAD-safe default)")
+set(KEY_NODE_BITS 6 CACHE STRING
+ "Leaf keys per node key, power of two (2^6 = 64; leak compartment)")
+set(KEY_NODE_COUNT 128 CACHE STRING
+ "Node keys per batch (N); <= 4096, the 12-bit on-wire node index")
+set(KEY_REKEY_WATERMARK 4 CACHE STRING
+ "Re-key when this many node keys remain; 0 disables the count trigger")
+set(KEY_REPLAY_WINDOW 2048 CACHE STRING
+ "RX replay window in packets; power of two, >= 128")
+if(NOT KEY_REPLAY_WINDOW MATCHES "^[0-9]+$")
+ message(FATAL_ERROR "KEY_REPLAY_WINDOW must be a positive integer")
+endif()
+math(EXPR _krw_p2 "${KEY_REPLAY_WINDOW} & (${KEY_REPLAY_WINDOW} - 1)")
+if(KEY_REPLAY_WINDOW LESS 128 OR NOT _krw_p2 EQUAL 0)
+ message(FATAL_ERROR "KEY_REPLAY_WINDOW must be a power of two >= 128")
+endif()
+
+# Re-key must finish within its lead window - KEY_REKEY_WATERMARK node keys
+# worth of packets - before the batch exhausts and TX fails closed. dev.c only
+# evaluates the watermark once per FLOW_WM_CHECK writes, so a lead below ~2x
+# that leaves a high-rate flow no room to complete the exchange. Production
+# defaults are vast; this guards under-sized (test) geometries.
+if(KEY_REKEY_WATERMARK GREATER 0)
+ set(_rk_wm_check 65536) # FLOW_WM_CHECK in src/lib/dev.c (2^16)
+ math(EXPR _rk_lead
+ "${KEY_REKEY_WATERMARK} << (${KEY_LEAF_BITS} + ${KEY_NODE_BITS})")
+ math(EXPR _rk_min "2 * ${_rk_wm_check}")
+ if(_rk_lead LESS _rk_min)
+ message(WARNING
+ "Re-key lead is ${_rk_lead} packets vs the watermark check interval "
+ "${_rk_wm_check}; a high-rate flow may exhaust its key batch before the "
+ "re-key completes (TX fails closed until it does). Raise KEY_LEAF_BITS, "
+ "KEY_NODE_BITS, or KEY_REKEY_WATERMARK.")
+ endif()
+endif()
# Flow statistics (requires FUSE)
if(HAVE_FUSE)
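Review bot: KEY_NODE_COUNT is documented at its `set()` as `<= 4096, the 12-bit on-wire node index` but nothing in the hunk enforces that bound, and KEY_LEAF_BITS, KEY_NODE_BITS and KEY_REKEY_WATERMARK reach `math(EXPR)` and the `GREATER 0` test without the integer validation that KEY_REPLAY_WINDOW receives; a non-numeric watermark makes `if(KEY_REKEY_WATERMARK GREATER 0)` evaluate false, so the lead-window check is silently skipped instead of failing configure. A KEY_NODE_COUNT above 4096 would presumably not fit the 12-bit field and is better rejected with `FATAL_ERROR` here than discovered on the wire. The loop below applies the same regex to all five cache entries and bounds KEY_NODE_COUNT; the `_krw_p2` and `_rk_*` temporaries could also be `unset()` once used so they do not leak into the including scope. The `65536` literal duplicates FLOW_WM_CHECK from src/lib/dev.c as the comment notes, so the two will drift silently if dev.c changes.
```cmake
# … unchanged: KEY_* cache definitions …
foreach(_key_var KEY_LEAF_BITS KEY_NODE_BITS KEY_NODE_COUNT KEY_REKEY_WATERMARK KEY_REPLAY_WINDOW)
  if(NOT "${${_key_var}}" MATCHES "^[0-9]+$")
    message(FATAL_ERROR "${_key_var} must be a non-negative integer")
  endif()
endforeach()
if(KEY_NODE_COUNT LESS 1 OR KEY_NODE_COUNT GREATER 4096)
  message(FATAL_ERROR "KEY_NODE_COUNT must be in 1..4096 (12-bit on-wire node index)")
endif()
# … unchanged: KEY_REPLAY_WINDOW power-of-two check and re-key lead warning …
```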