feat: implement YAW/2.1 forward-secret signaling
Upgrades the signaling layer from static X25519 (2.0) to per-session ephemeral X25519 (2.1). Recorded signaling traffic cannot be decrypted even if long-term Ed25519 keys later leak, because esk is zeroed on session close. Protocol: - Each peer generates a fresh X25519 keypair (esk/epk) per session. - Peers exchange signed `ekey` messages sealed under static keys before the offer/answer. Offer/answer/candidate payloads are then sealed with ephemeral keys (crypto_box(·, peer_epk, my_esk)). - ekey sig binds both peer IDs and the epk to prevent replay to third parties. - Offerer waits up to 2 s for the peer's ekey; if none arrives it falls back to YAW/2.0 static-key sealing and logs "2.0 fallback offer". - 2.0 peers silently ignore the unknown `ekey` kind — full interop preserved. Implementation: - crypto.go: add EphemeralKey.PublicRaw/PrivateRaw/Wipe helpers. - proto.go: add SigEkey kind; EPK/V/EkeySig fields on SignalingPayload. - anchor/client.go: replace flat pcs map with peerSession struct tracking ephemeral keys, peerEPK, and fs flag; openBoxAuto tries ephemeral then static; sealAndSend chooses seal based on session state. - test-network.sh: pipe daemon stderr through tee to daemon.log; add YAW/2.1 FS verification section. - test-tui.sh: same daemon.log capture. - README.md: document 2.1 forward secrecy, file transfer IPC, updated roadmap. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -231,6 +231,21 @@ func (ek *EphemeralKey) PublicKeyB64() string {
|
||||
return b64.EncodeToString(ek.public[:])
|
||||
}
|
||||
|
||||
// PublicRaw returns a pointer to the raw 32-byte X25519 public key.
|
||||
// The returned pointer is valid for the lifetime of the EphemeralKey.
|
||||
func (ek *EphemeralKey) PublicRaw() *[32]byte { return &ek.public }
|
||||
|
||||
// PrivateRaw returns a pointer to the raw 32-byte X25519 private key.
|
||||
// Use only when you need to pass it directly to SignalingBox.
|
||||
func (ek *EphemeralKey) PrivateRaw() *[32]byte { return &ek.private }
|
||||
|
||||
// Wipe zeroes the private key. Call when the session ends.
|
||||
func (ek *EphemeralKey) Wipe() {
|
||||
for i := range ek.private {
|
||||
ek.private[i] = 0
|
||||
}
|
||||
}
|
||||
|
||||
// SharedSecret performs ECDH with the other party's public key.
|
||||
// Returns a 32-byte shared secret suitable for use as an AEAD key.
|
||||
func (ek *EphemeralKey) SharedSecret(theirPublicB64 string) ([32]byte, error) {
|
||||
|
||||
Reference in New Issue
Block a user