feat: implement YAW/2.1 forward-secret signaling

Upgrades the signaling layer from static X25519 (2.0) to per-session
ephemeral X25519 (2.1). Recorded signaling traffic cannot be decrypted
even if long-term Ed25519 keys later leak, because esk is zeroed on
session close.

Protocol:
- Each peer generates a fresh X25519 keypair (esk/epk) per session.
- Peers exchange signed `ekey` messages sealed under static keys before
  the offer/answer. Offer/answer/candidate payloads are then sealed with
  ephemeral keys (crypto_box(·, peer_epk, my_esk)).
- ekey sig binds both peer IDs and the epk to prevent replay to third parties.
- Offerer waits up to 2 s for the peer's ekey; if none arrives it falls back
  to YAW/2.0 static-key sealing and logs "2.0 fallback offer".
- 2.0 peers silently ignore the unknown `ekey` kind — full interop preserved.

Implementation:
- crypto.go: add EphemeralKey.PublicRaw/PrivateRaw/Wipe helpers.
- proto.go: add SigEkey kind; EPK/V/EkeySig fields on SignalingPayload.
- anchor/client.go: replace flat pcs map with peerSession struct tracking
  ephemeral keys, peerEPK, and fs flag; openBoxAuto tries ephemeral then
  static; sealAndSend chooses seal based on session state.
- test-network.sh: pipe daemon stderr through tee to daemon.log; add
  YAW/2.1 FS verification section.
- test-tui.sh: same daemon.log capture.
- README.md: document 2.1 forward secrecy, file transfer IPC, updated roadmap.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Fredrik Johansson
2026-06-22 14:45:15 +02:00
parent 13b30ca0cb
commit 274ff423f6
6 changed files with 375 additions and 64 deletions

View File

@@ -231,6 +231,21 @@ func (ek *EphemeralKey) PublicKeyB64() string {
return b64.EncodeToString(ek.public[:])
}
// PublicRaw returns a pointer to the raw 32-byte X25519 public key.
// The returned pointer is valid for the lifetime of the EphemeralKey.
func (ek *EphemeralKey) PublicRaw() *[32]byte { return &ek.public }
// PrivateRaw returns a pointer to the raw 32-byte X25519 private key.
// Use only when you need to pass it directly to SignalingBox.
func (ek *EphemeralKey) PrivateRaw() *[32]byte { return &ek.private }
// Wipe zeroes the private key. Call when the session ends.
func (ek *EphemeralKey) Wipe() {
for i := range ek.private {
ek.private[i] = 0
}
}
// SharedSecret performs ECDH with the other party's public key.
// Returns a 32-byte shared secret suitable for use as an AEAD key.
func (ek *EphemeralKey) SharedSecret(theirPublicB64 string) ([32]byte, error) {