Documentation
¶
Index ¶
- Constants
- func Decrypt(kek, input []byte) ([]byte, error)
- func DecryptChunked(kek []byte, r io.Reader, w io.Writer, cipherSize uint64) error
- func DecryptWithAAD(kek, input, aad []byte) ([]byte, error)
- func DecryptedSize(cipherSize uint64) (uint64, error)
- func DeriveAES256Key(sharedSecrets ...[]byte) ([]byte, error)
- func DeriveChaCha20Key(sharedSecrets ...[]byte) ([]byte, error)
- func DeriveFileEncryptionKey(masterKey, salt []byte, info string) ([]byte, error)
- func DeriveKey(suite CipherSuite, sharedSecrets ...[]byte) ([]byte, error)
- func DerivePresenceKey(ownFingerprint, peerFingerprint string) ([]byte, error)
- func DeriveRelayKeys(roomPassword []byte) (lookupKey []byte, encryptionKey []byte, err error)
- func Encrypt(kek, plainText []byte) ([]byte, error)
- func EncryptChunked(kek []byte, r io.Reader, w io.Writer, plainSize uint64) error
- func EncryptWithAAD(kek, plainText, aad []byte) ([]byte, error)
- func EncryptWithNonce(kek, plainText []byte, nonce [NonceSize]byte) ([]byte, error)
- func EncryptedSize(plainSize uint64) uint64
- func ExtractRoomPassword(fingerprint string) ([]byte, error)
- func Fingerprint(pub []byte) string
- func GenerateMLKEMKeypair() (*mlkem.DecapsulationKey1024, *mlkem.EncapsulationKey1024, error)
- func GenerateSeed() []byte
- func GenerateX25519Keypair() (*ecdh.PrivateKey, *ecdh.PublicKey, error)
- func HasHardwareAES() bool
- func NewAEAD(suite CipherSuite, key []byte) (cipher.AEAD, error)
- func ProtocolFingerprintV0(pubkeys map[string][]byte) (string, error)
- func RandomBytes(size int) ([]byte, error)
- func ValidateSeed(s []byte) error
- func X25519Decapsulate(ciphertext []byte, recipientPriv *ecdh.PrivateKey, senderPub *ecdh.PublicKey) ([]byte, error)
- func X25519Encapsulate(seed []byte, senderPriv *ecdh.PrivateKey, recipientPub *ecdh.PublicKey) ([]byte, error)
- type CipherSuite
- type NonceGenerator
- type OwnKeys
- type PeerKeys
Constants ¶
const BlockSize = uint64(2 << 16) // On linux cp works with blocks of 128KiB, we use double.
const EncOverhead = uint64(chacha20poly1305.NonceSize + chacha20poly1305.Overhead)
const KeySize = chacha20poly1305.KeySize
const NonceSize = chacha20poly1305.NonceSize
Variables ¶
This section is empty.
Functions ¶
func Decrypt ¶
Decrypt decrypts [nonce | ciphertext+MAC] using KEK. Returns plainText or error if authentication fails.
func DecryptChunked ¶
func DecryptWithAAD ¶ added in v0.2.0
DecryptWithAAD decrypts [nonce | ciphertext+MAC] using KEK, verifying the authenticated associated data (aad). The aad must match what was passed to EncryptWithAAD; any mismatch causes authentication failure. Pass nil or empty slice when no AAD was used during encryption. Returns plainText or error if authentication fails.
func DecryptedSize ¶
func DeriveAES256Key ¶
DeriveAES256Key derives a 32-byte symmetric key for AES-256-GCM. Uses a different HKDF label for domain separation from ChaCha20 keys.
func DeriveChaCha20Key ¶
DeriveChaCha20Key derives a 32-byte symmetric key using SHA-512 over the given secrets.
func DeriveFileEncryptionKey ¶ added in v0.2.0
DeriveFileEncryptionKey derives a 32-byte per-file AEAD key from a master key (e.g. a random 32-byte secret from the OS keychain or a passphrase- derived key) plus a per-file random salt, using HKDF-SHA512 with a distinct info string per use case ("keibidrop-identity-file-v1", "keibidrop-contacts-file-v1", etc.).
func DeriveKey ¶
func DeriveKey(suite CipherSuite, sharedSecrets ...[]byte) ([]byte, error)
DeriveKey derives a symmetric key using the appropriate HKDF label for the cipher suite. Domain separation ensures the same input secrets produce different keys for different ciphers.
func DerivePresenceKey ¶ added in v0.2.0
DerivePresenceKey derives a shared presence token from two fingerprints. Both peers compute the same key (fingerprints are sorted). The relay cannot link presence tokens to registration tokens (different HKDF label).
func DeriveRelayKeys ¶
DeriveRelayKeys derives lookup and encryption keys from a room password. The room password should be the first 32 bytes of the shared fingerprint. Returns:
- lookupKey: 32 bytes, used as relay index (base64 encoded as Bearer token)
- encryptionKey: 32 bytes, used for ChaCha20-Poly1305 encryption of registration data
func Encrypt ¶
Encrypt encrypts plainText using KEK with ChaCha20-Poly1305. Returns [nonce | ciphertext+MAC], or error.
func EncryptChunked ¶
func EncryptWithAAD ¶ added in v0.2.0
EncryptWithAAD encrypts plainText using KEK with ChaCha20-Poly1305 and authenticated associated data (aad). The aad is authenticated but not included in the ciphertext. Pass nil or empty slice for no AAD. Returns [nonce | ciphertext+MAC], or error.
func EncryptWithNonce ¶
EncryptWithNonce encrypts using a provided nonce (for counter-based encryption). Returns [nonce | ciphertext+MAC], or error.
func EncryptedSize ¶
func ExtractRoomPassword ¶
ExtractRoomPassword extracts the first 32 bytes from a base64-encoded fingerprint. This "room password" is shared out-of-band and used to derive relay encryption keys.
func Fingerprint ¶
func GenerateMLKEMKeypair ¶
func GenerateMLKEMKeypair() (*mlkem.DecapsulationKey1024, *mlkem.EncapsulationKey1024, error)
func GenerateSeed ¶
func GenerateSeed() []byte
func GenerateX25519Keypair ¶
func GenerateX25519Keypair() (*ecdh.PrivateKey, *ecdh.PublicKey, error)
func HasHardwareAES ¶
func HasHardwareAES() bool
HasHardwareAES returns true if the CPU has hardware AES acceleration. On x86 this is AES-NI; on ARM64 this is the ARMv8 AES extension.
func NewAEAD ¶
func NewAEAD(suite CipherSuite, key []byte) (cipher.AEAD, error)
NewAEAD creates an AEAD cipher for the given suite and key. Both AES-256-GCM and ChaCha20-Poly1305 use 32-byte keys, 12-byte nonces, and 16-byte auth tags — the wire format is identical.
func ProtocolFingerprintV0 ¶
ProtocolFingerprintV0 computes a stable fingerprint hash of ordered public keys.
func RandomBytes ¶
func ValidateSeed ¶
func X25519Decapsulate ¶
func X25519Encapsulate ¶
Types ¶
type CipherSuite ¶
type CipherSuite string
CipherSuite identifies an AEAD cipher for the encrypted connection.
const ( CipherChaCha20 CipherSuite = "chacha20-poly1305" CipherAES256 CipherSuite = "aes-256-gcm" )
func NegotiateCipher ¶
func NegotiateCipher(local, remote []CipherSuite) CipherSuite
NegotiateCipher picks the best cipher both peers support. Returns the first cipher from `local` that also appears in `remote`. Falls back to ChaCha20 if no intersection (should never happen).
func SupportedCiphers ¶
func SupportedCiphers() []CipherSuite
SupportedCiphers returns the cipher suites this peer supports, ordered by preference (best first).
type NonceGenerator ¶
type NonceGenerator struct {
// contains filtered or unexported fields
}
NonceGenerator provides deterministic counter-based nonces. Structure: [4-byte prefix][8-byte counter] = 12 bytes total. The prefix distinguishes directions (inbound vs outbound) to prevent reuse.
func NewNonceGenerator ¶
func NewNonceGenerator(prefix uint32) *NonceGenerator
NewNonceGenerator creates a nonce generator with the given prefix. Use different prefixes for inbound vs outbound to avoid nonce reuse.
func (*NonceGenerator) Count ¶
func (ng *NonceGenerator) Count() uint64
Count returns the current counter value (for monitoring/debugging).
func (*NonceGenerator) Next ¶
func (ng *NonceGenerator) Next() [NonceSize]byte
Next returns the next nonce and increments the counter. Thread-safe via atomic operations.
type OwnKeys ¶
type OwnKeys struct {
MlKemPrivate *mlkem.DecapsulationKey1024
MlKemPublic *mlkem.EncapsulationKey1024
X25519Private *ecdh.PrivateKey
X25519Public *ecdh.PublicKey
}
func (*OwnKeys) ExportPubKeysAsMap ¶
func (*OwnKeys) Fingerprint ¶
type PeerKeys ¶
type PeerKeys struct {
MlKemPublic *mlkem.EncapsulationKey1024
X25519Public *ecdh.PublicKey
}
Source Files