Diffstat (limited to 'cmake/config/lib.cmake')
| -rw-r--r-- | cmake/config/lib.cmake | 38 |
1 files changed, 36 insertions, 2 deletions
diff --git a/cmake/config/lib.cmake b/cmake/config/lib.cmake
index 25130519..2c01b311 100644
--- a/cmake/config/lib.cmake
+++ b/cmake/config/lib.cmake
@@ -87,8 +87,42 @@ set(TPM_DEBUG_ABORT_TIMEOUT 0 CACHE STRING "TPM abort process after a thread reaches this timeout (s), 0 disables")
 # Encryption
-set(KEY_ROTATION_BIT 20 CACHE STRING
- "Bit position in packet counter that triggers key rotation (default 20 = every 2^20 packets)")
+set(KEY_LEAF_BITS 20 CACHE STRING
+ "Packets per leaf key as a power of two (2^20 = AEAD-safe default)")
+set(KEY_NODE_BITS 6 CACHE STRING
+ "Leaf keys per node key, power of two (2^6 = 64; leak compartment)")
+set(KEY_NODE_COUNT 128 CACHE STRING
+ "Node keys per batch (N); <= 4096, the 12-bit on-wire node index")
+set(KEY_REKEY_WATERMARK 4 CACHE STRING
+ "Re-key when this many node keys remain; 0 disables the count trigger")
+set(KEY_REPLAY_WINDOW 2048 CACHE STRING
+ "RX replay window in packets; power of two, >= 128")
+if(NOT KEY_REPLAY_WINDOW MATCHES "^[0-9]+$")
+ message(FATAL_ERROR "KEY_REPLAY_WINDOW must be a positive integer")
+endif()
+math(EXPR _krw_p2 "${KEY_REPLAY_WINDOW} & (${KEY_REPLAY_WINDOW} - 1)")
+if(KEY_REPLAY_WINDOW LESS 128 OR NOT _krw_p2 EQUAL 0)
+ message(FATAL_ERROR "KEY_REPLAY_WINDOW must be a power of two >= 128")
+endif()
+
+# Re-key must finish within its lead window - KEY_REKEY_WATERMARK node keys
+# worth of packets - before the batch exhausts and TX fails closed. dev.c only
+# evaluates the watermark once per FLOW_WM_CHECK writes, so a lead below ~2x
+# that leaves a high-rate flow no room to complete the exchange. Production
+# defaults are vast; this guards under-sized (test) geometries.
+if(KEY_REKEY_WATERMARK GREATER 0)
+ set(_rk_wm_check 65536) # FLOW_WM_CHECK in src/lib/dev.c (2^16)
+ math(EXPR _rk_lead
+ "${KEY_REKEY_WATERMARK} << (${KEY_LEAF_BITS} + ${KEY_NODE_BITS})")
+ math(EXPR _rk_min "2 * ${_rk_wm_check}")
+ if(_rk_lead LESS _rk_min)
+ message(WARNING
+ "Re-key lead is ${_rk_lead} packets vs the watermark check interval "
+ "${_rk_wm_check}; a high-rate flow may exhaust its key batch before the "
+ "re-key completes (TX fails closed until it does). Raise KEY_LEAF_BITS, "
+ "KEY_NODE_BITS, or KEY_REKEY_WATERMARK.")
+ endif()
+endif()
 # Flow statistics (requires FUSE)
 if(HAVE_FUSE) |
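Review bot: The 12-bit bound that KEY_NODE_COUNT's own help string states (`<= 4096`) is never checked, and KEY_LEAF_BITS, KEY_NODE_BITS and KEY_REKEY_WATERMARK feed the `math(EXPR _rk_lead ...)` shift unvalidated, while only KEY_REPLAY_WINDOW gets the integer and power-of-two FATAL_ERROR treatment. A count above 4096 configures a node index that the documented on-wire field cannot encode, and a non-numeric value surfaces as a math(EXPR) parse error instead of a named misconfiguration; since these values fix key and nonce lifetimes, rejecting them at configure time is the safer failure. Mirror the replay-window validation for the other four ahead of the re-key lead computation, as below. Whether KEY_REKEY_WATERMARK must also stay below KEY_NODE_COUNT (a watermark at or above the batch size would presumably trip the count trigger immediately) depends on dev.c, which is outside this hunk, so that deserves either a check or a comment here.
```cmake
foreach(_kv KEY_LEAF_BITS KEY_NODE_BITS KEY_NODE_COUNT KEY_REKEY_WATERMARK)
  if(NOT ${_kv} MATCHES "^[0-9]+$")
    message(FATAL_ERROR "${_kv} must be a non-negative integer")
  endif()
endforeach()
if(KEY_NODE_COUNT LESS 1 OR KEY_NODE_COUNT GREATER 4096)
  message(FATAL_ERROR "KEY_NODE_COUNT must be 1..4096 (12-bit on-wire node index)")
endif()
# … unchanged: KEY_REPLAY_WINDOW checks and re-key lead warning …
```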
