projects / project / unetd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d09f353) | patch
pex-pqc: add sntrup761-based post-quantum WireGuard PSK exchange pqc
authorFelix Fietkau <nbd@nbd.name>
Mon, 16 Feb 2026 13:50:27 +0000 (13:50 +0000)
committerFelix Fietkau <nbd@nbd.name>
Mon, 16 Feb 2026 18:28:32 +0000 (19:28 +0100)
commitf96694bd432bdd06a9b7398905e244eac20c35f9
tree597f986b5245e26d2424514f9c076928edb74f42tree | snapshot
parentd09f35306617f3a6b5dfff7bed9e13af6dd8d1dacommit | diff
pex-pqc: add sntrup761-based post-quantum WireGuard PSK exchange

Implement periodic WireGuard preshared key renewal using a hybrid
pqKK handshake (PQNoise framework [1]) with sntrup761 as KEM and an
additional Curve25519 DH encryption layer on the first ciphertext.

Both peers' static sntrup761 public keys are pre-distributed via the
host config (pqc-key). The initiator role is determined by public key
comparison. The three KEM shared secrets (k1, k2, k3) are combined
via SHA-512 to derive the WireGuard PSK.

Handshakes are driven by the connect timer with bounded retransmission,
sending to all known peer endpoints with deduplication.

[1] Y. Angel, B. Dowling, A. Hulsing, P. Schwabe, F. Weber,
    "Post Quantum Noise", ACM CCS 2022. https://eprint.iacr.org/2022/539

Co-developed-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
12 files changed:
CMakeLists.txt diff | blob | history
host.c diff | blob | history
host.h diff | blob | history
network.c diff | blob | history
network.h diff | blob | history
pex-msg.h diff | blob | history
pex-pqc.c [new file with mode: 0644] blob
pex-pqc.h [new file with mode: 0644] blob
pex.c diff | blob | history
pex.h diff | blob | history
wg-linux.c diff | blob | history
wg-user.c diff | blob | history
WireGuard based VPN connection manager for OpenWrt