Crypto Module

🔐 Core cryptographic operations for ascii-chat More...

Files
file	crypto.c
	🔐 Core cryptography: encryption/decryption, key exchange, authentication, and session rekeying with BearSSL
file	agent.c
	GPG agent connection and communication implementation.
file	agent.h
	GPG agent connection and communication interface.
file	export.c
	GPG public key export implementation.
file	export.h
	GPG public key export interface.
file	gpg.h
	GPG operations - main header.
file	signing.c
	GPG signing operations implementation.
file	signing.h
	GPG message signing interface.
file	verification.c
	GPG signature verification implementation.
file	verification.h
	GPG signature verification interface.
file	known_hosts.c
	📜 SSH known_hosts file parser for host key verification and trust management
file	known_hosts.h
	Known hosts management for MITM attack prevention.
file	pem_utils.c
	📄 PEM format encoding/decoding utilities for certificates and keys (adapted from BearSSL)
file	pem_utils.h
	BearSSL PEM and trust anchor utilities adapted for in-memory data.

Data Structures
struct	crypto_context_t
	Cryptographic context structure. More...
struct	anchor_list
	Vector type for trust anchors. More...

Macros
#define	SERVER_AUTH_RESPONSE_SIZE   AUTH_HMAC_SIZE
	Server authentication response size (32 bytes)
#define	SSH_KEY_TYPE_LENGTH_SIZE   4
#define	SSH_KEY_TYPE_STRING_SIZE   11
#define	SSH_KEY_PUBLIC_KEY_LENGTH_SIZE   4
#define	SSH_KEY_PUBLIC_KEY_SIZE   32
#define	SSH_KEY_HEADER_SIZE    (SSH_KEY_TYPE_LENGTH_SIZE + SSH_KEY_TYPE_STRING_SIZE + SSH_KEY_PUBLIC_KEY_LENGTH_SIZE + SSH_KEY_PUBLIC_KEY_SIZE)
#define	CRYPTO_KEY_SIZE   32
	Ed25519 key size in bytes.
#define	CRYPTO_FINGERPRINT_SIZE   32
	Ed25519 key fingerprint size in bytes.
#define	SSH_KEY_PERMISSIONS_MASK   (S_IRWXG | S_IRWXO)
#define	SSH_KEY_RECOMMENDED_PERMISSIONS   0600
#define	MAX_COMMENT_LEN   256
#define	MAX_GPG_KEYGRIP_LEN   64

Typedefs
typedef struct crypto_context_t	crypto_context_t
	Cryptographic context structure.

Enumerations
enum	crypto_result_t {   CRYPTO_OK = 0 , CRYPTO_ERROR_INIT_FAILED = -1 , CRYPTO_ERROR_INVALID_PARAMS = -2 , CRYPTO_ERROR_MEMORY = -3 ,   CRYPTO_ERROR_LIBSODIUM = -4 , CRYPTO_ERROR_KEY_GENERATION = -5 , CRYPTO_ERROR_PASSWORD_DERIVATION = -6 , CRYPTO_ERROR_ENCRYPTION = -7 ,   CRYPTO_ERROR_DECRYPTION = -8 , CRYPTO_ERROR_INVALID_MAC = -9 , CRYPTO_ERROR_BUFFER_TOO_SMALL = -10 , CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE = -11 ,   CRYPTO_ERROR_NONCE_EXHAUSTED = -12 , CRYPTO_ERROR_REKEY_IN_PROGRESS = -13 , CRYPTO_ERROR_REKEY_FAILED = -14 , CRYPTO_ERROR_REKEY_RATE_LIMITED = -15 }
	Cryptographic operation result codes. More...

Variables
br_x509_trust_anchor *	anchor_list::buf
size_t	anchor_list::ptr
size_t	anchor_list::len

Core Initialization and Setup
crypto_result_t	crypto_init (crypto_context_t *ctx)
	Initialize libsodium and crypto context.
crypto_result_t	crypto_init_with_password (crypto_context_t *ctx, const char *password)
	Initialize with password-based encryption.
void	crypto_cleanup (crypto_context_t *ctx)
	Cleanup crypto context with secure memory wiping.
crypto_result_t	crypto_generate_keypair (crypto_context_t *ctx)
	Generate new X25519 key pair for key exchange.

Key Exchange Protocol
Automatic HTTPS-like key exchange using X25519 Diffie-Hellman. Both parties exchange ephemeral public keys and compute a shared secret.
crypto_result_t	crypto_get_public_key (const crypto_context_t *ctx, uint8_t *public_key_out)
	Get public key for sending to peer (step 1 of handshake)
crypto_result_t	crypto_set_peer_public_key (crypto_context_t *ctx, const uint8_t *peer_public_key)
	Set peer's public key and compute shared secret (step 2 of handshake)
bool	crypto_is_ready (const crypto_context_t *ctx)
	Check if key exchange is complete and ready for encryption.

Password-Based Encryption
Optional additional encryption layer using password-derived keys. Uses Argon2id for memory-hard key derivation, providing resistance to offline brute-force attacks.
crypto_result_t	crypto_validate_password (const char *password)
	Validate password length requirements.
crypto_result_t	crypto_derive_password_key (crypto_context_t *ctx, const char *password)
	Derive key from password using Argon2id.
bool	crypto_verify_password (const crypto_context_t *ctx, const char *password)
	Verify password matches stored salt/key.
crypto_result_t	crypto_derive_password_encryption_key (const char *password, uint8_t encryption_key[32])
	Derive deterministic encryption key from password for handshake.

Encryption/Decryption Operations
Encrypt/decrypt data using XSalsa20-Poly1305 (via libsodium secretbox). Automatically handles nonce generation and MAC verification.
crypto_result_t	crypto_encrypt (crypto_context_t *ctx, const uint8_t *plaintext, size_t plaintext_len, uint8_t *ciphertext_out, size_t ciphertext_out_size, size_t *ciphertext_len_out)
	Encrypt data using XSalsa20-Poly1305.
crypto_result_t	crypto_decrypt (crypto_context_t *ctx, const uint8_t *ciphertext, size_t ciphertext_len, uint8_t *plaintext_out, size_t plaintext_out_size, size_t *plaintext_len_out)
	Decrypt data using XSalsa20-Poly1305.

Utility Functions
const char *	crypto_result_to_string (crypto_result_t result)
	Convert crypto result to human-readable string.
void	crypto_get_status (const crypto_context_t *ctx, char *status_buffer, size_t buffer_size)
	Get crypto context status information for debugging.
bool	crypto_secure_compare (const uint8_t *lhs, const uint8_t *rhs, size_t len)
	Secure constant-time comparison of byte arrays.
crypto_result_t	crypto_random_bytes (uint8_t *buffer, size_t len)
	Generate cryptographically secure random bytes.

Authentication and Handshake
HMAC-based authentication using HMAC-SHA256. Used for password authentication and challenge-response protocols.
crypto_result_t	crypto_generate_nonce (uint8_t nonce[32])
	Generate random nonce for authentication.
crypto_result_t	crypto_compute_hmac (crypto_context_t *ctx, const uint8_t key[32], const uint8_t data[32], uint8_t hmac[32])
	Compute HMAC-SHA256 for fixed 32-byte data.
crypto_result_t	crypto_compute_hmac_ex (const crypto_context_t *ctx, const uint8_t key[32], const uint8_t *data, size_t data_len, uint8_t hmac[32])
	Compute HMAC-SHA256 for variable-length data.
bool	crypto_verify_hmac (const uint8_t key[32], const uint8_t data[32], const uint8_t expected_hmac[32])
	Verify HMAC-SHA256 for fixed 32-byte data.
bool	crypto_verify_hmac_ex (const uint8_t key[32], const uint8_t *data, size_t data_len, const uint8_t expected_hmac[32])
	Verify HMAC-SHA256 for variable-length data.

High-Level Authentication Helpers
Authentication helpers that bind password/key authentication to the DH key exchange, preventing man-in-the-middle attacks.
crypto_result_t	crypto_compute_auth_response (const crypto_context_t *ctx, const uint8_t nonce[32], uint8_t hmac_out[32])
	Compute authentication response HMAC bound to DH shared_secret.
bool	crypto_verify_auth_response (const crypto_context_t *ctx, const uint8_t nonce[32], const uint8_t expected_hmac[32])
	Verify authentication response HMAC bound to DH shared_secret.
crypto_result_t	crypto_create_auth_challenge (const crypto_context_t *ctx, uint8_t *packet_out, size_t packet_size, size_t *packet_len_out)
	Create authentication challenge packet.
crypto_result_t	crypto_process_auth_challenge (crypto_context_t *ctx, const uint8_t *packet, size_t packet_len)
	Process authentication challenge packet.
crypto_result_t	crypto_process_auth_response (crypto_context_t *ctx, const uint8_t *packet, size_t packet_len)
	Process authentication response packet.

Network Integration Helpers
Packet creation and processing functions for network transmission. Handles packet formatting, encryption, and decryption automatically.
crypto_result_t	crypto_create_public_key_packet (const crypto_context_t *ctx, uint8_t *packet_out, size_t packet_size, size_t *packet_len_out)
	Create public key packet for network transmission.
crypto_result_t	crypto_process_public_key_packet (crypto_context_t *ctx, const uint8_t *packet, size_t packet_len)
	Process received public key packet from peer.
crypto_result_t	crypto_create_encrypted_packet (crypto_context_t *ctx, const uint8_t *data, size_t data_len, uint8_t *packet_out, size_t packet_size, size_t *packet_len_out)
	Create encrypted data packet for network transmission.
crypto_result_t	crypto_process_encrypted_packet (crypto_context_t *ctx, const uint8_t *packet, size_t packet_len, uint8_t *data_out, size_t data_size, size_t *data_len_out)
	Process received encrypted packet from peer.

Shared Cryptographic Operations
Low-level cryptographic operations used by both client and server for authentication and key exchange.
asciichat_error_t	crypto_compute_password_hmac (crypto_context_t *ctx, const uint8_t *password_key, const uint8_t *nonce, const uint8_t *shared_secret, uint8_t *hmac_out)
	Compute password-based HMAC for authentication.
asciichat_error_t	crypto_verify_peer_signature (const uint8_t *peer_public_key, const uint8_t *ephemeral_key, size_t ephemeral_key_size, const uint8_t *signature)
	Verify peer's signature on ephemeral key.
asciichat_error_t	crypto_sign_ephemeral_key (const private_key_t *private_key, const uint8_t *ephemeral_key, size_t ephemeral_key_size, uint8_t *signature_out)
	Sign ephemeral key with private key.
void	crypto_combine_auth_data (const uint8_t *hmac, const uint8_t *challenge_nonce, uint8_t *combined_out)
	Combine HMAC and challenge nonce for transmission.
void	crypto_extract_auth_data (const uint8_t *combined_data, uint8_t *hmac_out, uint8_t *challenge_out)
	Extract HMAC and challenge nonce from combined data.

Session Rekeying Protocol
Periodic key rotation to limit exposure if keys are compromised. Rekeys after time threshold (default: 1 hour) OR packet count threshold (default: 1 million), whichever comes first. Note Test environment detection: If CRITERION_TEST or TESTING environment variable is set, rekey thresholds are reduced to 30 seconds / 1000 packets for faster testing. Rekeying flow: Initiator calls crypto_rekey_init() and sends REKEY_REQUEST Responder processes request, calls crypto_rekey_process_request(), sends REKEY_RESPONSE Initiator processes response, calls crypto_rekey_process_response(), sends REKEY_COMPLETE Responder verifies REKEY_COMPLETE decrypts with new key, calls crypto_rekey_commit() Initiator calls crypto_rekey_commit() after receiving confirmation Old keys remain active until REKEY_COMPLETE is verified, ensuring no service interruption.
bool	crypto_should_rekey (const crypto_context_t *ctx)
	Check if rekeying should be triggered based on time or packet count thresholds.
crypto_result_t	crypto_rekey_init (crypto_context_t *ctx)
	Initiate rekeying by generating new ephemeral keys.
crypto_result_t	crypto_rekey_process_request (crypto_context_t *ctx, const uint8_t *peer_new_public_key)
	Process REKEY_REQUEST from peer (responder side)
crypto_result_t	crypto_rekey_process_response (crypto_context_t *ctx, const uint8_t *peer_new_public_key)
	Process REKEY_RESPONSE from peer (initiator side)
crypto_result_t	crypto_rekey_commit (crypto_context_t *ctx)
	Commit to new keys after successful REKEY_COMPLETE.
void	crypto_rekey_abort (crypto_context_t *ctx)
	Abort rekeying and fallback to old keys.
void	crypto_get_rekey_status (const crypto_context_t *ctx, char *status_buffer, size_t buffer_size)
	Get the current rekeying state for debugging/logging.
#define	REKEY_MIN_INTERVAL   3
	Minimum time interval between rekey requests (3 seconds for testing, 60 for production)
#define	REKEY_DEFAULT_TIME_THRESHOLD   3600
	Default rekey time threshold (1 hour in seconds)
#define	REKEY_DEFAULT_PACKET_THRESHOLD   1000000
	Default rekey packet threshold (1 million packets)
#define	REKEY_TEST_TIME_THRESHOLD   30
	Test mode rekey time threshold (30 seconds)
#define	REKEY_TEST_PACKET_THRESHOLD   1000
	Test mode rekey packet threshold (1000 packets)
#define	REKEY_MAX_FAILURE_COUNT   10
	Maximum consecutive rekey failures before giving up.
#define	REKEY_MIN_REQUEST_INTERVAL   60
	Minimum interval between rekey requests (60 seconds, DDoS protection)

GPG Agent Connection Management
int	gpg_agent_connect (void)
	Connect to gpg-agent.
void	gpg_agent_disconnect (int sock)
	Disconnect from gpg-agent.
bool	gpg_agent_is_available (void)
	Check if GPG agent is available.

GPG Agent Signing Operations
int	gpg_agent_sign (int sock, const char *keygrip, const uint8_t *message, size_t message_len, uint8_t *signature_out, size_t *signature_len_out)
	Sign a message using GPG agent.

GPG Key Export
int	gpg_get_public_key (const char *key_id, uint8_t *public_key_out, char *keygrip_out)
	Get public key from GPG keyring by key ID.

GPG Signing Operations
int	gpg_sign_with_key (const char *key_id, const uint8_t *message, size_t message_len, uint8_t *signature_out, size_t *signature_len_out)
	Sign a message using GPG key and return OpenPGP signature.
int	gpg_sign_detached_ed25519 (const char *key_id, const uint8_t *message, size_t message_len, uint8_t signature_out[64])
	Sign message with GPG and extract raw Ed25519 signature.

GPG Signature Verification
int	gpg_verify_detached_ed25519 (const char *key_id, const uint8_t *message, size_t message_len, const uint8_t signature[64])
	Verify Ed25519 signature using GPG binary.
int	gpg_verify_signature (const uint8_t *public_key, const uint8_t *message, size_t message_len, const uint8_t *signature)
	Verify Ed25519 signature using libgcrypt (no GPG binary required)
int	gpg_verify_signature_with_binary (const uint8_t *signature, size_t signature_len, const uint8_t *message, size_t message_len, const char *expected_key_id)
	Verify OpenPGP signature using GPG binary.

Known Hosts Management
const char *	get_known_hosts_path (void)
	Get the path to the known_hosts file.
asciichat_error_t	add_known_host (const char *server_ip, uint16_t port, const uint8_t server_key[32])
	Add server to known_hosts.
asciichat_error_t	remove_known_host (const char *server_ip, uint16_t port)
	Remove server from known_hosts.

Known Hosts Verification
asciichat_error_t	check_known_host (const char *server_ip, uint16_t port, const uint8_t server_key[32])
	Check if server key is in known_hosts.
asciichat_error_t	check_known_host_no_identity (const char *server_ip, uint16_t port)
	Check known_hosts for servers without identity key (no-identity entries)

User Interaction
bool	display_mitm_warning (const char *server_ip, uint16_t port, const uint8_t expected_key[32], const uint8_t received_key[32])
	Display MITM warning with key comparison and prompt user for confirmation.
bool	prompt_unknown_host (const char *server_ip, uint16_t port, const uint8_t server_key[32])
	Interactive prompt for unknown host - returns true if user wants to add, false to abort.
bool	prompt_unknown_host_no_identity (const char *server_ip, uint16_t port)
	Interactive prompt for unknown host without identity key - returns true if user wants to continue, false to abort.

Key Fingerprinting
void	compute_key_fingerprint (const uint8_t key[32], char fingerprint[65])
	Compute SHA256 fingerprint of Ed25519 key for display.

Cleanup
void	known_hosts_cleanup (void)
	Cleanup function to free cached known_hosts path.

Trust Anchor Management
size_t	read_trust_anchors_from_memory (anchor_list *dst, const unsigned char *pem_data, size_t pem_len)
	Read trust anchors from PEM-encoded data in memory.
void	free_ta_contents (br_x509_trust_anchor *ta)
	Free the contents of a trust anchor.
#define	ANCHOR_LIST_INIT   {NULL, 0, 0}
	Initializer for anchor_list.

SSH Agent Detection
bool	ssh_agent_is_available (void)
	Check if ssh-agent is running and available.

SSH Agent Key Management
asciichat_error_t	ssh_agent_add_key (const private_key_t *private_key, const char *key_path)
	Add a private key to ssh-agent.
bool	ssh_agent_has_key (const public_key_t *public_key)
	Check if a public key is already in ssh-agent.
asciichat_error_t	ssh_agent_get_key (const public_key_t *public_key, private_key_t *key_out)
	Retrieve a private key from ssh-agent by matching public key.
asciichat_error_t	ssh_agent_sign (const public_key_t *public_key, const uint8_t *message, size_t message_len, uint8_t signature[64])
	Sign data using SSH agent with the specified public key.

Password Requirements
#define	MIN_PASSWORD_LENGTH   8
	Minimum password length (8 characters)
#define	MAX_PASSWORD_LENGTH   256
	Maximum password length (256 characters)

Algorithm-Specific Key Sizes
#define	X25519_KEY_SIZE   32
	X25519 key size in bytes.
#define	ED25519_PUBLIC_KEY_SIZE   32
	Ed25519 public key size in bytes.
#define	ED25519_PRIVATE_KEY_SIZE   64
	Ed25519 private key size (seed + public) in bytes.
#define	ED25519_SIGNATURE_SIZE   64
	Ed25519 signature size in bytes.
#define	XSALSA20_NONCE_SIZE   24
	XSalsa20 nonce size in bytes.
#define	POLY1305_MAC_SIZE   16
	Poly1305 MAC size in bytes.
#define	HMAC_SHA256_SIZE   32
	HMAC-SHA256 output size in bytes.
#define	ARGON2ID_SALT_SIZE   32
	Argon2id salt size in bytes.
#define	SECRETBOX_KEY_SIZE   32
	Secretbox key size in bytes.
#define	AES256_KEY_SIZE   32
	AES-256 key size in bytes.
#define	AES_IV_SIZE   16
	AES initialization vector (IV) size in bytes.
#define	AES256_DERIVED_SIZE   (AES256_KEY_SIZE + AES_IV_SIZE)
	AES-256 key + IV derived size in bytes (for bcrypt_pbkdf)
#define	SESSION_ID_SIZE   16
	Session ID size in bytes.

Abstracted Cryptographic Constants
These constants abstract the underlying algorithms to allow future changes.
#define	CRYPTO_PUBLIC_KEY_SIZE   X25519_KEY_SIZE
	Public key size (X25519)
#define	CRYPTO_PRIVATE_KEY_SIZE   X25519_KEY_SIZE
	Private key size (X25519)
#define	CRYPTO_SHARED_KEY_SIZE   X25519_KEY_SIZE
	Shared key size (X25519)
#define	CRYPTO_ED25519_PUBLIC_KEY_SIZE   ED25519_PUBLIC_KEY_SIZE
	Ed25519 public key size.
#define	CRYPTO_ED25519_PRIVATE_KEY_SIZE   ED25519_PRIVATE_KEY_SIZE
	Ed25519 private key size.
#define	CRYPTO_ED25519_SIGNATURE_SIZE   ED25519_SIGNATURE_SIZE
	Ed25519 signature size.
#define	CRYPTO_NONCE_SIZE   XSALSA20_NONCE_SIZE
	Nonce size (XSalsa20)
#define	CRYPTO_SALT_SIZE   ARGON2ID_SALT_SIZE
	Salt size (Argon2id)
#define	CRYPTO_ENCRYPTION_KEY_SIZE   SECRETBOX_KEY_SIZE
	Encryption key size (XSalsa20-Poly1305)
#define	CRYPTO_MAC_SIZE   POLY1305_MAC_SIZE
	MAC size (Poly1305)
#define	CRYPTO_HMAC_SIZE   HMAC_SHA256_SIZE
	HMAC size (HMAC-SHA256)

Authentication Packet Sizes
#define	AUTH_HMAC_SIZE   32
	HMAC size in authentication packets (32 bytes)
#define	AUTH_CHALLENGE_SIZE   32
	Challenge nonce size (32 bytes)
#define	AUTH_COMBINED_SIZE   (AUTH_HMAC_SIZE + AUTH_CHALLENGE_SIZE)
	Combined authentication data size (HMAC + challenge, 64 bytes)
#define	AUTH_SIGNATURE_SIZE   64
	Ed25519 signature size (64 bytes)
#define	AUTH_SIGNATURE_COMBINED_SIZE   (AUTH_SIGNATURE_SIZE + AUTH_CHALLENGE_SIZE)
	Combined signature + challenge size (96 bytes)

Authentication Challenge Packet Structure
#define	AUTH_CHALLENGE_FLAGS_SIZE   1
	Authentication flags size (1 byte)
#define	AUTH_CHALLENGE_PACKET_SIZE   (AUTH_CHALLENGE_FLAGS_SIZE + AUTH_CHALLENGE_SIZE)
	Complete authentication challenge packet size (1 + 32 = 33 bytes)

Authentication Response Packet Sizes
#define	AUTH_RESPONSE_PASSWORD_SIZE   (AUTH_HMAC_SIZE + AUTH_CHALLENGE_SIZE)
	Password-based authentication response size (HMAC + challenge, 64 bytes)
#define	AUTH_RESPONSE_SIGNATURE_SIZE   (AUTH_SIGNATURE_SIZE + AUTH_CHALLENGE_SIZE)
	Signature-based authentication response size (signature + challenge, 96 bytes)

Packet Size Limits
#define	MAX_AUTH_FAILED_PACKET_SIZE   256
	Maximum AUTH_FAILED packet size (256 bytes)
#define	MAX_ENCRYPTED_PACKET_SIZE   65536
	Maximum encrypted packet size (64KB)

Buffer Sizes
#define	HEX_STRING_SIZE_32   (32 * 2 + 1)
	Hex string size for 32-byte values (64 hex chars + null terminator)
#define	HEX_STRING_SIZE_64   (64 * 2 + 1)
	Hex string size for 64-byte values (128 hex chars + null terminator)
#define	PASSWORD_BUFFER_SIZE   256
	Password input buffer size (256 bytes)
#define	ZERO_KEY_SIZE   X25519_KEY_SIZE
	Zero key array size (32 bytes, used for no-identity entries)

Encryption Size Limits
#define	CRYPTO_MAX_PLAINTEXT_SIZE   ((size_t)1024 * 1024)
	Maximum plaintext size (1MB)
#define	CRYPTO_MAX_CIPHERTEXT_SIZE   (CRYPTO_MAX_PLAINTEXT_SIZE + CRYPTO_MAC_SIZE)
	Maximum ciphertext size (plaintext + MAC, ~1MB + 16 bytes)

Hex String Size Constants
#define	CRYPTO_HEX_KEY_SIZE   64
	Hex string size for 32-byte key (64 hex characters)
#define	CRYPTO_HEX_KEY_SIZE_NULL   65
	Hex string size for 32-byte key with null terminator (65 bytes)
#define	CRYPTO_HEX_KEY64_SIZE   128
	Hex string size for 64-byte key (128 hex characters)
#define	CRYPTO_HEX_KEY64_SIZE_NULL   129
	Hex string size for 64-byte key with null terminator (129 bytes)

Cryptographic String Literals
#define	SSH_ED25519_KEY_TYPE   "ssh-ed25519"
	SSH Ed25519 key type string ("ssh-ed25519")
#define	X25519_KEY_TYPE   "x25519"
	X25519 key type string ("x25519")
#define	NO_IDENTITY_MARKER   "no-identity"
	No-identity entry marker ("no-identity")

Detailed Description

🔐 Core cryptographic operations for ascii-chat

This header provides the core cryptographic operations for secure communication in ascii-chat, including key exchange, encryption/decryption, authentication, and session rekeying.

The interface provides:

• Cryptographic context management
• X25519 key exchange (Diffie-Hellman)
• XSalsa20-Poly1305 encryption/decryption
• Argon2id password-based key derivation
• HMAC-SHA256 authentication
• Session rekeying protocol

Note

Key Exchange: Uses ephemeral X25519 keys for perfect forward secrecy. Each connection generates new keys automatically.

Encryption: XSalsa20-Poly1305 provides authenticated encryption with automatic MAC verification. Nonces are generated as session_id || counter to prevent replay attacks.

Password Authentication: Optional password-based encryption using Argon2id for memory-hard key derivation. Passwords are bound to DH shared secrets to prevent MITM attacks.

Rekeying: Automatic periodic key rotation after time threshold (1 hour) OR packet count threshold (1 million), whichever comes first. Test mode uses reduced thresholds (30 seconds / 1000 packets).

Test Environment: Automatically detects test environment via CRITERION_TEST or TESTING environment variables and adjusts thresholds accordingly.

Byte Order: Client must convert network byte order to host byte order for crypto parameters. Server uses host byte order directly.

Key Exchange Formats:

• Simple format: Only ephemeral public key (when server has no identity key)
• Authenticated format: Ephemeral key + identity key + signature (when server has identity key)

Warning

Always use crypto_secure_compare() for comparing sensitive data (keys, MACs, HMACs). Do NOT use regular memcmp() as it is vulnerable to timing attacks.

Nonce counter starts at 1 (0 is reserved for testing). Returns CRYPTO_ERROR_NONCE_EXHAUSTED if counter reaches 0 or UINT64_MAX (extremely unlikely, but triggers rekeying).

Password salt is deterministic ("ascii-chat-password-salt-v1") for consistent key derivation across client/server. Only use for session encryption, not long-term storage.

Author

Zachary Fogg me@zf.nosp@m.o.gg

Date

October 2025

This header provides GPG agent (gpg-agent) integration for signing operations with GPG keys. Allows private keys to stay in GPG agent without being loaded into application memory.

Note

GPG agent protocol: Implements Assuan protocol for communicating with gpg-agent. Keys stay in agent and are never loaded into application memory.

Platform support:

• Unix: Uses GPG_AGENT_INFO or connects to standard socket (~/.gnupg/S.gpg-agent)
• Windows: Connects to standard named pipe (Gpg4win installs gpg-agent as service)

Key format: Only Ed25519 GPG keys are supported. RSA/ECDSA GPG keys are NOT supported.

Keygrip: GPG uses keygrips (40-char hex strings) to identify keys in the agent. Keygrips are computed from public key material and are stable identifiers.

Agent detection: Checks for agent socket/pipe existence and accessibility. On Unix, verifies socket is accessible. On Windows, checks for named pipe.

Author

Zachary Fogg me@zf.nosp@m.o.gg

Date

October 2025

This header provides functions for exporting public keys from GPG keyring. Supports retrieving Ed25519 public keys and keygrips for use in authentication and signing operations.

Note

Key export: Uses gpg --export to extract public key from local keyring. Parses OpenPGP packet format to extract Ed25519 public key material.

Keygrip extraction: Optionally extracts keygrip for use with GPG agent. Keygrip is a stable 40-char hex identifier computed from public key.

Key ID formats: Supports short (8-char), long (16-char), and full (40-char) key IDs. Accepts key IDs with or without "0x" prefix.

Ed25519 only: Only Ed25519 GPG keys are supported. RSA/ECDSA keys will cause export to fail.

Author

Zachary Fogg me@zf.nosp@m.o.gg

Date

October 2025

This header provides the complete GPG interface by including all submodule headers. Users can include this single header to access all GPG functionality.

Submodules:

• agent.h: GPG agent connection and communication
• export.h: Public key export from GPG keyring
• signing.h: Message signing operations
• verification.h: Signature verification operations

This header provides GPG signing operations for creating detached signatures. Supports both OpenPGP-formatted signatures and raw Ed25519 signatures extracted from GPG output.

Note

Signing method: Uses gpg --detach-sign to create detached signatures. Signatures are separate from message data (not inline signatures).

Key requirements: Only Ed25519 GPG keys are supported. RSA/ECDSA keys will cause signing operations to fail.

Output formats:

• gpg_sign_with_key(): Returns full OpenPGP signature packet (variable length)
• gpg_sign_detached_ed25519(): Extracts raw 64-byte Ed25519 signature (R||S)

GPG binary: Requires gpg binary in PATH for all operations. Returns error if GPG is not installed or not accessible.

Key passphrase: If key is encrypted, GPG may prompt for passphrase. Use ssh-agent or gpg-agent for password-free signing, or set $ASCII_CHAT_KEY_PASSWORD environment variable.

Author

Zachary Fogg me@zf.nosp@m.o.gg

Date

October 2025

This header provides GPG signature verification operations supporting both GPG binary-based verification and direct cryptographic verification via libgcrypt. Handles both raw Ed25519 signatures and OpenPGP-formatted signatures.

Note

Verification methods:

• GPG binary: Uses gpg --verify for full OpenPGP packet verification
• libgcrypt: Direct Ed25519 signature verification without GPG binary

Key requirements: Only Ed25519 signatures are supported. RSA/ECDSA signatures will cause verification to fail.

Signature formats:

• Raw Ed25519: 64-byte signature (R||S format) from gpg_sign_detached_ed25519()
• OpenPGP: Variable-length signature packet from gpg_sign_with_key()

GPG binary dependency: Functions using GPG binary require gpg in PATH. libgcrypt-based verification works without GPG binary installed.

Key trust: GPG binary verification checks key trust and validity. libgcrypt verification only checks cryptographic signature validity.

Author

Zachary Fogg me@zf.nosp@m.o.gg

Date

October 2025

This header provides known hosts management functionality similar to SSH's known_hosts. Tracks server identity keys to detect man-in-the-middle attacks and key changes.

Known hosts file format:

• Identity key entries: <IP:port> x25519 <hex_key> [comment]
• No-identity entries: <IP:port> no-identity [comment]

Note

File format examples:

• IPv4: 192.0.2.1:8080 x25519 1234abcd... ascii-chat
• IPv6: [2001:db8::1]:8080 x25519 1234abcd... ascii-chat
• No-identity: 192.0.2.1:8080 no-identity

No-identity servers: Servers without identity keys use "no-identity" entries. Cannot verify key (ephemeral keys change each connection) but can track server identity.

Key comparison: Uses constant-time comparison (sodium_memcmp) to prevent timing attacks.

MITM detection: Detects key mismatches by comparing received key with stored key. If key doesn't match, displays warning and prompts user for confirmation.

Multiple entries: Can have multiple entries for same IP:port (e.g., key rotation). Function searches all entries and uses first matching key.

Zero key handling: Special case for no-identity servers with zero keys. Zero key matches zero key (secure no-identity connection previously accepted).

Author

Zachary Fogg me@zf.nosp@m.o.gg

Date

October 2025

This file contains BearSSL tools utilities adapted to work with in-memory PEM data instead of files. Original code from BearSSL tools (ISC license).

These utilities are used for loading system CA certificates for TLS validation.

Note

BearSSL adaptation: Original BearSSL tools read PEM data from files. This version works with in-memory PEM data for better flexibility.

Trust anchors: Trust anchors are root CA certificates used for TLS validation. Loaded from system CA certificate store and used to validate server certificates.

Memory management: Trust anchors contain dynamically allocated memory. Must call free_ta_contents() for each anchor and free anchor_list.buf.

Author

Thomas Pornin (original BearSSL tools)

Zachary Fogg me@zf.nosp@m.o.gg (adaptation for ascii-chat)

Date

October 2025

This header provides SSH agent integration for signing operations. Allows keys to stay in SSH agent (not loaded into memory) for better security.

Note

SSH agent: Uses SSH agent protocol to communicate with ssh-agent. Keys stay in agent and are never loaded into application memory.

Platform support:

• Unix: Uses SSH_AUTH_SOCK environment variable (Unix domain socket)
• Windows: Uses SSH_AUTH_SOCK environment variable (named pipe)

Key format: Only Ed25519 keys are supported. RSA/ECDSA keys are NOT supported.

Agent detection: Checks SSH_AUTH_SOCK environment variable. On Unix, also verifies socket is accessible. On Windows, only checks environment variable (named pipes handled differently).

Author

Zachary Fogg me@zf.nosp@m.o.gg

Date

October 2025

Cryptography README

This page provides comprehensive documentation on ascii-chat's cryptographic implementation, including threat models, algorithms, protocols, security considerations, and known vulnerabilities.

Overview

ascii-chat implements end-to-end encryption by default using modern cryptographic primitives from libsodium. All data packets (headers and payloads) are encrypted after the initial handshake, protecting against eavesdropping and tampering.

Key Features

• Encrypted by default - No configuration required
• Modern crypto - X25519, XSalsa20-Poly1305, Argon2id
• SSH/GPG key integration - Use existing Ed25519 keys
• SSH agent support - Auto-adds keys, eliminates password prompts
• GPG agent support - Use gpg-agent for signing, no passphrase prompts
• GitHub/GitLab integration - Fetch public keys automatically
• Password protection - Optional shared password authentication
• Client whitelisting - Server-side access control
• Known hosts - SSH-style server verification
• Forward secrecy - Ephemeral key exchange per connection
• Dynamic algorithm negotiation - Future-proof crypto with post-quantum support

Non-Goals

❌ Not a replacement for TLS/HTTPS - Different trust model ❌ Not anonymous - Focus is encryption, not anonymity ❌ Not quantum-resistant - Uses elliptic curve cryptography (X25519) - Post-quantum support planned via dynamic algorithm negotiation

Philosophy & Threat Model

The MITM Problem

ascii-chat faces a fundamental cryptographic challenge: there is no pre-existing trust infrastructure like the Certificate Authority (CA) system used by HTTPS. This creates a security tradeoff:

Without verification:

• ✅ Privacy: Encrypted against passive eavesdropping (ISP, WiFi admin, etc.)
• ❌ Security: Vulnerable to active Man-in-the-Middle (MITM) attacks

With verification:

• ✅ Privacy: Encrypted against passive eavesdropping
• ✅ Security: Protected against MITM attacks via key pinning

Default Behavior: Privacy Without Trust

By default, ascii-chat provides privacy but not authentication:

# Server (ephemeral key generated)
./ascii-chat server
 
# Client (ephemeral key generated, no verification)
./ascii-chat client

Why this default?

1. No certificate infrastructure - Unlike HTTPS, there's no global CA system
2. Ease of use - Works immediately without configuration
3. Better than nothing - Protects against passive attacks (most common threat)
4. User choice - Advanced users can add verification with --server-key

This is similar to Bluetooth pairing or Signal safety numbers - the first connection is vulnerable, but subsequent connections can be verified.

Trust Models Supported

Mode	Trust Mechanism	MITM Protection	Use Case
Default	None (ephemeral DH)	❌	Quick sessions, low-threat environments
Password	Shared secret	✅	Friends exchanging password out-of-band
SSH Keys	Key pinning	✅	Tech users with existing SSH keys
GPG Keys	Key pinning + gpg-agent	✅	GPG users, no passphrase prompts
GitHub/GitLab	Social proof + keys	✅	Verify identity via public profiles
Known Hosts	First-use trust	⚠️	Like SSH - detect key changes
Whitelist	Pre-approved keys	✅	Private servers, access control

Comparison to Other Protocols

Protocol	Default Encryption	Trust Model	Verification Difficulty
HTTPS	✅ Always	CA system	Automatic (OS trust store)
SSH	✅ Always	Known hosts	Manual (first connection prompts)
Signal	✅ Always	Safety numbers	Manual (QR code scanning)
ascii-chat	✅ Always	Ephemeral DH	Optional (–server-key flag)
Zoom	✅ Sometimes	Central server	None (trust Zoom)

Cryptographic Primitives

ascii-chat uses libsodium, a modern, portable, easy-to-use crypto library based on NaCl.

X25519 (Key Exchange)

• Algorithm: Elliptic Curve Diffie-Hellman (ECDH) on Curve25519
• Key Size: 32 bytes (256 bits)
• Purpose: Establish shared secret between client and server
• Properties: Forward secrecy, constant-time operations
• Function: crypto_box_beforenm()

Why X25519?

• Fast: ~40,000 operations/second on modern CPUs
• Secure: No known practical attacks, constant-time implementation
• Small: 32-byte keys, 32-byte shared secrets
• Standard: RFC 7748, widely used (TLS 1.3, SSH, Signal)

XSalsa20-Poly1305 (Encryption)

• Algorithm: Stream cipher (XSalsa20) + MAC (Poly1305)
• Key Size: 32 bytes (256 bits)
• Nonce Size: 24 bytes (192 bits)
• MAC Size: 16 bytes (128 bits)
• Purpose: Encrypt packet data with authenticated encryption
• Function: crypto_secretbox_easy()

Why XSalsa20-Poly1305?

• AEAD: Authenticated Encryption with Associated Data (prevents tampering)
• Fast: ~700 MB/s encryption on modern CPUs
• Nonce-misuse resistant: Large 192-bit nonce makes collisions astronomically unlikely
• Proven: Used in libsodium, NaCl, and many production systems

Encryption formula:

ciphertext = XSalsa20(key, nonce, plaintext) + Poly1305(key, ciphertext)

Argon2id (Password Hashing)

• Algorithm: Argon2id (hybrid Argon2i + Argon2d)
• Purpose: Derive encryption keys from passwords
• Function: crypto_pwhash()
• Parameters:
  • Memory: 64 MB (interactive limit)
  • Operations: 2 (OPSLIMIT_INTERACTIVE)
  • Parallelism: 1
• Password Requirements:
  • Minimum: 8 characters
  • Maximum: 256 characters
  • Validation: Enforced on both client and server

Why Argon2id?

• Memory-hard: Resistant to GPU/ASIC brute-force attacks
• Modern: Winner of Password Hashing Competition (2015)
• Hybrid: Combines data-dependent (Argon2d) and data-independent (Argon2i) modes
• Tunable: Can increase difficulty as hardware improves

Ed25519 (Signatures - SSH Keys)

• Algorithm: EdDSA signatures on Edwards curve (Curve25519)
• Key Size: 32 bytes public key, 64 bytes private key (seed + public)
• Signature Size: 64 bytes
• Purpose: Authenticate clients with SSH keys
• Functions: crypto_sign_detached(), crypto_sign_verify_detached()

Ed25519 to X25519 Conversion:

// Convert Ed25519 public key to X25519 for DH
crypto_sign_ed25519_pk_to_curve25519(x25519_pk, ed25519_pk);
 
// Convert Ed25519 private key to X25519 for DH
crypto_sign_ed25519_sk_to_curve25519(x25519_sk, ed25519_sk);

This allows using existing SSH Ed25519 keys for both signing (authentication) and key exchange (encryption).

bcrypt_pbkdf (SSH Key Decryption)

• Algorithm: bcrypt-based password-based key derivation function (OpenBSD)
• Purpose: Decrypt encrypted SSH Ed25519 private keys (OpenSSH format)
• Library: libsodium-bcrypt-pbkdf (GitHub: openssh/openssh-portable)
• Integration: cmake/LibsodiumBcryptPbkdf.cmake

Supported OpenSSH Key Encryption:

• Cipher: aes256-ctr, aes256-cbc (OpenSSH defaults for Ed25519 keys)
• KDF: bcrypt (bcrypt_pbkdf with configurable rounds, typically 16-24)
• Key Format: openssh-key-v1 (OpenSSH private key format)

Native Decryption Process:

// 1. Parse OpenSSH key file format (openssh-key-v1)
// 2. Extract KDF parameters (salt, rounds)
// 3. Derive decryption key + IV using bcrypt_pbkdf:
uint8_t derived[48]; // 32-byte key + 16-byte IV
sodium_bcrypt_pbkdf(password, strlen(password), salt, salt_len,
                    derived, sizeof(derived), rounds);
 
const uint8_t *key = derived;       // First 32 bytes
const uint8_t *derived_iv = derived + 32; // Last 16 bytes
 
// 4. Decrypt private key blob using BearSSL AES-256-CTR:
br_aes_ct_ctr_keys aes_ctx;
br_aes_ct_ctr_init(&aes_ctx, key, 32); // 32-byte key
 
// Extract initial counter from last 4 bytes of IV (big-endian)
uint32_t initial_counter = ((uint32_t)derived_iv[12] << 24) |
                          ((uint32_t)derived_iv[13] << 16) |
                          ((uint32_t)derived_iv[14] << 8) |
                          ((uint32_t)derived_iv[15]);
 
// Decrypt in-place (BearSSL reads first 12 bytes of derived_iv as nonce)
memcpy(decrypted, encrypted_blob, blob_len);
br_aes_ct_ctr_run(&aes_ctx, derived_iv, initial_counter, decrypted, blob_len);
 
// 5. Parse decrypted Ed25519 seed (32 bytes) + public key (32 bytes)

Why bcrypt_pbkdf?

• Memory-hard: Resistant to GPU/FPGA brute-force attacks
• OpenSSH standard: Same algorithm as ssh-keygen uses for encryption
• Battle-tested: Used by OpenSSH since 2013 (OpenSSH 6.5+)
• Configurable: Adjustable rounds parameter (higher = slower = more secure)

The PBKDF Security Tradeoff:

PBKDF creates an asymmetric cost between legitimate users and attackers:

• Legitimate user: Pays the cost once per session (~200ms to load SSH key)
• Attacker: Pays the cost for every password guess (billions of attempts)

Without PBKDF (direct SHA256):
  User experience:  Instant key loading
  Attacker speed:   60 billion passwords/second (GPU)
  Weak password:    Cracked in 0.016 seconds ⚠️
 
With bcrypt_pbkdf (rounds=16):
  User experience:  200ms delay (barely noticeable)
  Attacker speed:   ~5 passwords/second (memory-hard slowdown)
  Weak password:    Cracked in 6.3 years ✅
  Strong password:  Effectively uncrackable (10^20+ years)

Keyspace vs. Compute Time:

A common observation: "Attackers get a smaller keyspace (passwords) instead of full AES-256 keyspace (2^256), but they sacrifice compute time for it."

This is precisely correct. The tradeoff works as follows:

Attack Strategy	Keyspace Size	Keys/Second	Time to Exhaust
Try random AES keys	2^256 (~10^77)	10^9	3.67 × 10^60 years (IMPOSSIBLE)
Try passwords (no PBKDF)	~10^12 common	60 × 10^9	16 minutes ⚠️
Try passwords (bcrypt r=16)	~10^12 common	5	6,300 years ✅

Key insight: The attacker chooses a drastically smaller keyspace (password space instead of full AES keyspace) to make the problem tractable, but PBKDF makes that small keyspace exponentially more expensive to search by adding computational cost to each attempt.

The result: Legitimate users pay ~200ms once, attackers pay years of compute time trying password guesses. This asymmetry is what makes password-based encryption practical and secure.

Tunable security (rounds parameter):

rounds=10:  ~50ms   delay, attacker: 50,000 guesses/sec  (weak)
rounds=16:  ~200ms  delay, attacker: 5,000 guesses/sec   (OpenSSH default)
rounds=20:  ~800ms  delay, attacker: 1,250 guesses/sec   (stronger)
rounds=24:  ~3.2sec delay, attacker: 312 guesses/sec     (very strong)

OpenSSH chose rounds=16 as optimal: barely noticeable for users, devastating for attackers.

Why attackers can't skip PBKDF:

• The encrypted file contains salt + rounds (attacker knows the parameters)
• The AES key was derived using bcrypt_pbkdf (not a random key)
• Attacker must replicate the exact derivation to get the correct key
• Trying random 256-bit keys is hopeless (2^256 keyspace, would take 10^60 years)
• Only viable attack: guess passwords and run them through bcrypt_pbkdf

Salt prevents rainbow tables:

• Each encrypted key file has unique random salt (16 bytes)
• Same password + different salt = completely different derived key
• Attacker cannot pre-compute password→key mappings
• Must derive keys fresh for each target file

Implementation verification:

• Byte-for-byte validation against ssh-keygen decryption output
• Supports same key formats as OpenSSH (aes256-ctr, aes256-cbc)
• No external tool dependencies (fully native C implementation)

See also:

• lib/crypto/keys/ssh_keys.c - Native decryption implementation
• cmake/LibsodiumBcryptPbkdf.cmake - Library integration
• deps/bearssl/ - BearSSL minimal TLS library (AES-CTR/CBC)

Randomness Source

CSPRNG: randombytes_buf() (libsodium)

• Implementation: Platform-specific secure random
  • Linux/BSD: /dev/urandom
  • Windows: CryptGenRandom() / BCryptGenRandom()
  • macOS: arc4random_buf()
• Properties: Cryptographically secure, non-blocking

Protocol Architecture

Packet Structure

All packets (encrypted and unencrypted) share a common header:

typedef struct {
  uint32_t magic;     // 0xDEADBEEF (packet validation)
  uint16_t type;      // packet_type_t (see below)
  uint32_t length;    // payload length in bytes
  uint32_t crc32;     // CRC32 checksum of payload
  uint32_t client_id; // source client ID (0 = server)
} __attribute__((packed)) packet_header_t;  // 18 bytes

Note: All multi-byte fields are in network byte order (big-endian).

Packet Types

Protocol Negotiation Packets (Always Unencrypted):

PACKET_TYPE_PROTOCOL_VERSION = 1  // Client → Server: Protocol version, compression support, encryption enabled

Crypto Handshake Packets (Always Unencrypted):

PACKET_TYPE_CRYPTO_CAPABILITIES       = 14  // Client → Server: Supported crypto algorithms
PACKET_TYPE_CRYPTO_PARAMETERS         = 15  // Server → Client: Chosen algorithms + data sizes
PACKET_TYPE_CRYPTO_KEY_EXCHANGE_INIT  = 16  // Server → Client: DH public key
PACKET_TYPE_CRYPTO_KEY_EXCHANGE_RESP  = 17  // Client → Server: DH public key
PACKET_TYPE_CRYPTO_AUTH_CHALLENGE     = 18  // Server → Client: Challenge nonce
PACKET_TYPE_CRYPTO_AUTH_RESPONSE      = 19  // Client → Server: HMAC response
PACKET_TYPE_CRYPTO_AUTH_FAILED        = 20  // Server → Client: Failure
PACKET_TYPE_CRYPTO_SERVER_AUTH_RESP   = 21  // Server → Client: HMAC proof
PACKET_TYPE_CRYPTO_HANDSHAKE_COMPLETE = 22  // Server → Client: Success
PACKET_TYPE_CRYPTO_NO_ENCRYPTION      = 23  // Client → Server: Opt-out

Encrypted Packets (After Handshake):

PACKET_TYPE_ENCRYPTED = 24  // Wrapper for all post-handshake packets

All application packets (video, audio, control) are wrapped in PACKET_TYPE_ENCRYPTED after successful handshake.

Dynamic Algorithm Negotiation: The CRYPTO_CAPABILITIES and CRYPTO_PARAMETERS packets enable future-proof algorithm selection:

• Client Capabilities: Declares supported algorithms (X25519, Ed25519, XSalsa20-Poly1305)
• Server Parameters: Selects algorithms and provides key sizes for dynamic handshake
• Future-Proof: Designed to support post-quantum algorithms (Kyber, Dilithium) when available

Why unencrypted? These packets establish the encryption keys - they cannot be encrypted with keys that don't exist yet. This is standard for all key exchange protocols (TLS, SSH, etc.).

Wire Format: Encrypted vs Unencrypted

Unencrypted Packet (Handshake):

[Header: 18 bytes][Payload: N bytes]
|                  |
magic=0xDEADBEEF   type-specific data
type=14-21
length=N
crc32=checksum
client_id=0

Encrypted Packet (Post-Handshake):

[Outer Header: 18 bytes][Encrypted Blob]
|                        |
magic=0xDEADBEEF         [Nonce: 24 bytes][Inner Header + Payload: N bytes][MAC: 16 bytes]
type=20                  |                 |                                  |
length=24+N+16          Random nonce       Real packet data                 Poly1305 tag
crc32=0
client_id=0

Decryption process:

1. Verify outer header (magic, type)
2. Extract nonce (first 24 bytes of encrypted blob)
3. Decrypt remaining blob with XSalsa20-Poly1305
4. Parse inner header from plaintext
5. Extract real payload

Result: An attacker sees:

• Outer packet magic (needed for framing)
• Fact that packet is encrypted
• Total encrypted size (nonce + ciphertext + MAC)

Hidden from attacker:

• Real packet type (video, audio, control?)
• Real payload size
• Client ID
• All payload data

Handshake Protocol

Sequence Diagram

Client                                    Server
  |                                        |
  |------ TCP Connect ------------------->|
  |                                        |
  |<----- PROTOCOL_VERSION ----------------|
  |------ PROTOCOL_VERSION --------------->|
  |       [version, encryption support]    |
  |                                        |
  |------ CRYPTO_CAPABILITIES ------------>|
  |       [supported algorithms]           |
  |       [preferred algorithms]           |
  |                                        |
  |<----- CRYPTO_PARAMETERS ---------------|
  |       [selected algorithms + sizes]    |
  |                                        |
  |                                        | Generate ephemeral keypair
  |                                        | (or use --key loaded SSH key)
  |                                        |
  |<----- CRYPTO_KEY_EXCHANGE_INIT --------|
  |       [32-byte X25519 public key]      |
  |       [32-byte Ed25519 identity key]   | (if using SSH key)
  |       [64-byte Ed25519 signature]      | (signature of X25519 key)
  |                                        |
  | Verify signature (if present)          |
  | Check against --server-key (if set)    |
  | Check known_hosts (if exists)          |
  | Compute DH shared secret               |
  |                                        |
  |------ CRYPTO_KEY_EXCHANGE_RESP ------->|
  |       [32-byte X25519 public key]      |
  |       [32-byte Ed25519 identity key]   | (if using SSH key)
  |       [64-byte Ed25519 signature]      | (signature of X25519 key)
  |                                        |
  |                                        | Verify signature (if present)
  |                                        | Check whitelist (if enabled)
  |                                        | Compute DH shared secret
  |                                        |
  |<----- CRYPTO_AUTH_CHALLENGE -----------|
  |       [32-byte random nonce]           |
  |       [1-byte flags]                   | (password required? key required?)
  |                                        |
  | Compute HMAC(shared_secret, nonce)     |
  | If password: HMAC(password_key, nonce) |
  |                                        |
  |------ CRYPTO_AUTH_RESPONSE ----------->|
  |       [32-byte HMAC]                   |
  |                                        |
  |                                        | Verify HMAC
  |                                        | Check password (if required)
  |                                        | Check client key whitelist (if enabled)
  |                                        |
  |<----- CRYPTO_HANDSHAKE_COMPLETE -------|
  |                                        |
  | ✅ Encryption active                   | ✅ Encryption active
  |                                        |
  |<===== ENCRYPTED PACKETS ==============>|
  |       All future packets encrypted     |

Handshake Phases Explained

Phase 0: Dynamic Algorithm Negotiation

**Client Capabilities (CRYPTO_CAPABILITIES):**

typedef struct {
  uint16_t supported_kex_algorithms;      // Bitmask of supported KEX algorithms
  uint16_t supported_auth_algorithms;     // Bitmask of supported auth algorithms
  uint16_t supported_cipher_algorithms;   // Bitmask of supported cipher algorithms
  uint8_t requires_verification;          // Boolean: requires server identity verification
  uint8_t preferred_kex;                  // Preferred KEX algorithm
  uint8_t preferred_auth;                 // Preferred auth algorithm
  uint8_t preferred_cipher;               // Preferred cipher algorithm
} crypto_capabilities_packet_t;

**Server Parameters (CRYPTO_PARAMETERS):**

typedef struct {
  uint8_t selected_kex;            // Which KEX algorithm (KEX_ALGO_*)
  uint8_t selected_auth;           // Which auth algorithm (AUTH_ALGO_*)
  uint8_t selected_cipher;         // Which cipher algorithm (CIPHER_ALGO_*)
  uint8_t verification_enabled;    // Boolean: server requires verification
  uint16_t kex_public_key_size;    // e.g., 32 for X25519, 1568 for Kyber1024
  uint16_t auth_public_key_size;   // e.g., 32 for Ed25519, 1952 for Dilithium3
  uint16_t signature_size;         // e.g., 64 for Ed25519, 3309 for Dilithium3
  uint16_t shared_secret_size;     // e.g., 32 for X25519
  uint8_t nonce_size;              // e.g., 24 for XSalsa20 nonce
  uint8_t mac_size;                // e.g., 16 for Poly1305 MAC
  uint8_t hmac_size;               // e.g., 32 for HMAC-SHA256
} crypto_parameters_packet_t;

Current Algorithm Constants:

#define KEX_ALGO_X25519 0x01
#define AUTH_ALGO_ED25519 0x01
#define AUTH_ALGO_NONE 0x00
#define CIPHER_ALGO_XSALSA20_POLY1305 0x01

Future-Proofing Design:

• Algorithm negotiation enables post-quantum migration
• Hybrid mode support (classical + post-quantum)
• Backward compatibility with older clients
• Dynamic key sizes for different algorithms

Phase 1: Key Exchange Init (Server → Client)

Server sends:

typedef struct {
  uint8_t ephemeral_public_key[32];   // X25519 DH public key (always)
  uint8_t identity_public_key[32];    // Ed25519 identity (if --key used)
  uint8_t signature[64];              // Ed25519 signature (if --key used)
} key_exchange_init_packet_t;

Packet size:

• 32 bytes: Ephemeral mode (default)
• 128 bytes: Authenticated mode (--key SSH key)

Client verifies:

1. If --server-key provided: Verify identity key matches expected key → ABORT if mismatch
2. If signature present: Verify signature is valid for ephemeral_public_key using identity_public_key
3. Check known_hosts: If server:port in ~/.ascii-chat/known_hosts, verify identity key matches
4. First connection: Prompt user to save to known_hosts

Security note: The signature binds the ephemeral key to the long-term identity key, preventing an attacker from replacing the DH key while keeping the identity key.

Phase 2: Key Exchange Response (Client → Server)

Client sends:

typedef struct {
  uint8_t ephemeral_public_key[32];   // X25519 DH public key (always)
  uint8_t identity_public_key[32];    // Ed25519 identity (if --key used)
  uint8_t signature[64];              // Ed25519 signature (if --key used)
} key_exchange_response_packet_t;

Server verifies:

1. If --client-keys provided: Check if identity_public_key is in whitelist → REJECT if not found
2. If signature present: Verify signature is valid
3. Compute shared secret: shared_secret = X25519(server_private, client_public)

At this point both sides have:

• ✅ Ephemeral DH shared secret (32 bytes)
• ✅ Peer's identity public key (if authenticated mode)

Phase 3: Authentication Challenge (Server → Client)

Server sends:

typedef struct {
  uint8_t nonce[32];  // Random challenge nonce
  uint8_t flags;      // AUTH_REQUIRE_PASSWORD | AUTH_REQUIRE_CLIENT_KEY
} auth_challenge_packet_t;

Flags:

• AUTH_REQUIRE_PASSWORD (0x01): Server has --password, client must prove knowledge
• AUTH_REQUIRE_CLIENT_KEY (0x02): Server has --client-keys, client must be whitelisted

Client prepares response:

1. If password set: HMAC(password_key, nonce || shared_secret) using Argon2-derived key
2. If no password: HMAC(shared_secret, nonce || shared_secret) using DH shared secret
3. If client has SSH key: Also sign nonce with Ed25519 identity key

Phase 4: Authentication Response (Client → Server)

Client sends:

typedef struct {
  uint8_t hmac[32];  // HMAC of challenge nonce || shared_secret
} auth_response_packet_t;

Server verifies:

1. Recompute HMAC using same key (password_key or shared_secret) and same data (nonce || shared_secret)
2. Constant-time compare with received HMAC → REJECT if mismatch
3. If whitelist enabled: Verify client's identity key is in --client-keys

Phase 5: Server Authentication Response (Server → Client)

Server sends:

typedef struct {
  uint8_t hmac[32];  // HMAC of client_nonce || shared_secret
} server_auth_response_packet_t;

Client verifies:

1. Recompute HMAC using shared_secret and client_nonce
2. Constant-time compare with received HMAC → ABORT if mismatch

This provides mutual authentication - both sides prove knowledge of the shared secret.

Phase 6: Handshake Complete or Failed

Success:

PACKET_TYPE_HANDSHAKE_COMPLETE  // Empty packet

Failure:

PACKET_TYPE_AUTH_FAILED  // Empty packet

After HANDSHAKE_COMPLETE, both sides:

• ✅ Enable packet encryption using XSalsa20-Poly1305
• ✅ Use shared secret as encryption key
• ✅ Increment nonce counter for each packet

Keys Module

Design Principle: Separation of Identity and Encryption

Core architecture decision: SSH keys are ONLY used for authentication (identity proof), NEVER for encryption.

Why this matters:

1. Forward Secrecy is Critical
   • If your SSH key is compromised today, an attacker should NOT be able to decrypt conversations from last week
   • Ephemeral keys provide this guarantee: each session has unique encryption keys that are destroyed after use
   • Using long-term keys for encryption breaks forward secrecy (recorded traffic can be decrypted later)
2. Consistency Across Environments
   • SSH agent availability varies by system (Unix-only, requires configuration)
   • Users should get identical security regardless of environment
3. Matches SSH Protocol Design
   • SSH itself uses this exact model: long-term host/user keys for identity, ephemeral DH keys for encryption
   • Proven design with 30+ years of security analysis
   • No need to reinvent the wheel

SSH Agent Integration

ascii-chat supports SSH agent for encrypted private keys, allowing password-free authentication when your SSH key is already loaded in the agent.

How it works:

When you provide an encrypted SSH key via --key, ascii-chat automatically checks if that specific key is available in the SSH agent:

# 1. Start SSH agent (if not already running)
eval "$(ssh-agent -s)"
 
# 2. Add your encrypted key to the agent (prompts for password ONCE)
ssh-add ~/.ssh/id_ed25519
Enter passphrase for /Users/you/.ssh/id_ed25519: [password]
Identity added: /Users/you/.ssh/id_ed25519
 
# 3. Start server or client using the key - uses ssh-agent; NO password prompt!
ascii-chat server --key ~/.ssh/id_ed25519
# or
ascii-chat client --key ~/.ssh/id_ed25519
INFO: Using SSH agent for this key (agent signing + ephemeral encryption)
INFO: SSH agent mode: Will use agent for identity signing, ephemeral X25519 for encryption
# There was no password prompt because the key was decrypted in the ssh-agent already.

If the key is not in the ssh-agent and ssh-agent is running, ascii-chat will prompt for the password and decrypt the key and store it in the ssh-agent securely for future use. This is done via ssh-agent's official protocol and is safe for production use - this is the intended usage of ssh-agent.

GitHub/GitLab Key Fetching

Fetch SSH keys from public profiles:

# Server: Use your GitHub SSH key
ascii-chat server --key github:zfogg
 
# Client: Verify server using GitHub profile
ascii-chat client --server-key github:zfogg

How it works:

1. HTTPS fetch: GET https://github.com/zfogg.keys (using BearSSL)
2. Parse response: Extract ssh-ed25519 AAAAC3NzaC1lZDI1NTE5... lines
3. Filter: Only accept Ed25519 keys (RSA/ECDSA rejected)
4. Use first key: If multiple Ed25519 keys, use the first one

Security properties:

• ✅ TLS-protected fetch (BearSSL verifies GitHub's certificate)
• ✅ Public keys are not secret (safe to fetch over network)
• ✅ Social proof: Attacker must compromise GitHub account
• ⚠️ Trust GitHub's key infrastructure

GitLab support: Same mechanism, https://gitlab.com/username.keys

SSH Ed25519 Keys

ascii-chat can use existing SSH Ed25519 keys for authentication (identity proof via signatures):

# Server: Use SSH private key for identity
ascii-chat server --key ~/.ssh/id_ed25519
 
# Client: Verify server's SSH public key
ascii-chat client --server-key ~/.ssh/server_id_ed25519.pub

Key file formats supported:

• OpenSSH native format (BEGIN OPENSSH PRIVATE KEY)
• OpenSSH public key format (ssh-ed25519 AAAAC3...)
• Encrypted private keys (prompts for passphrase)

Ed25519 to X25519 conversion:

ascii-chat can convert Ed25519 keys to X25519 format for compatibility, but does NOT use the converted key for encryption:

// Public key: Ed25519 (signing) → X25519 (for compatibility only)
crypto_sign_ed25519_pk_to_curve25519(x25519_pk, ed25519_pk);
 
// Private key: Ed25519 (signing) → X25519 (NEVER used for encryption)
crypto_sign_ed25519_sk_to_curve25519(x25519_sk, ed25519_sk);

Why this works: Both Ed25519 and X25519 use the same underlying curve (Curve25519). Ed25519 uses the Edwards form for signing, X25519 uses the Montgomery form for DH. libsodium provides safe conversion functions.

Security architecture:

• ✅ SSH keys used for: Identity authentication (Ed25519 signatures only)
• ✅ Ephemeral keys used for: Encryption (X25519 Diffie-Hellman)
• ✅ Result: Forward secrecy + strong authentication

The SSH key proves identity through signatures. The ephemeral keys provide encryption with forward secrecy. The signature binds them together cryptographically, preventing MITM attacks while maintaining forward secrecy.

How it works:

Handshake Protocol:
  1. Server generates ephemeral X25519 keypair (random, per-connection)
  2. Server signs ephemeral public key with long-term Ed25519 key
  3. Server sends: [ephemeral_pk][identity_pk][signature]
  4. Client verifies signature (proves server has identity key)
  5. Client uses ephemeral_pk for encryption (forward secrecy)

The signature cryptographically binds the ephemeral encryption key to the long-term identity key. This provides:

• ✅ Strong authentication (server must possess identity private key)
• ✅ Forward secrecy (ephemeral keys are destroyed after session)
• ✅ MITM protection (signature prevents key substitution attacks)

Alternative considered and rejected:

Using Ed25519→X25519 conversion for encryption would be simpler code-wise, but:

• ❌ Breaks forward secrecy (recorded traffic can be decrypted if key is compromised later)
• ❌ Inconsistent security (SSH agent mode would still need ephemeral keys)
• ❌ Deviates from SSH protocol best practices

Result: All modes use ephemeral encryption keys. SSH keys are authentication-only.

SSH Agent Details

Key detection algorithm:

// lib/crypto/keys.c:823-844
// When parsing an encrypted private key:
if (is_encrypted) {
  // Extract the public key from the encrypted key file
  uint8_t embedded_public_key[32];
 
  // Check if THIS SPECIFIC key is in SSH agent (not just any Ed25519 key)
  bool ssh_agent_has_key = ssh_agent_has_specific_key(embedded_public_key);
 
  if (ssh_agent_has_key) {
    // Mode 1: SSH agent mode
    key_out->type = KEY_TYPE_ED25519;
    key_out->use_ssh_agent = true;
    memcpy(key_out->public_key, embedded_public_key, 32);
 
    // Use agent for identity signing, ephemeral X25519 for encryption
    return 0;
  } else {
    // Mode 2: Password prompt (agent doesn't have this key)
    // Prompts for passphrase and decrypts key
  }
}

SSH agent signing protocol:

When use_ssh_agent = true, all Ed25519 signatures are delegated to the SSH agent:

// lib/crypto/keys.c:1318-1494
int ed25519_sign_message(const private_key_t *key, const uint8_t *message,
                         size_t message_len, uint8_t signature[64]) {
  if (key->use_ssh_agent) {
    // 1. Connect to SSH agent Unix socket ($SSH_AUTH_SOCK)
    int agent_fd = connect_to_agent();
 
    // 2. Build SSH_AGENTC_SIGN_REQUEST (type 13)
    //    [pubkey_blob][data_to_sign][flags]
    uint8_t request[...];
    send(agent_fd, request);
 
    // 3. Receive SSH_AGENT_SIGN_RESPONSE (type 14)
    //    [signature_blob: "ssh-ed25519" + 64-byte signature]
    uint8_t response[...];
    recv(agent_fd, response);
 
    // 4. Extract 64-byte Ed25519 signature
    memcpy(signature, response + offset, 64);
    return 0;
  } else {
    // Use in-memory Ed25519 key to sign
    crypto_sign_detached(signature, NULL, message, message_len, key->key.ed25519);
    return 0;
  }
}

Security architecture:

ascii-chat uses a separation of concerns design where SSH keys are ONLY used for authentication, never encryption:

Component	SSH Agent Mode	In-Memory Mode
Identity signing	SSH agent (Ed25519)	In-memory Ed25519
Encryption keys	Ephemeral X25519	Ephemeral X25519
Private key storage	None (agent-only)	Decrypted in memory
Password required	No (once in agent)	Yes (every restart)
Forward secrecy	✅ YES	✅ YES

Why always ephemeral encryption?

Both modes use ephemeral X25519 keys for encryption to provide forward secrecy:

1. Identity authentication: SSH key proves identity via Ed25519 signature
2. Encryption: Ephemeral X25519 keys generated fresh per connection
3. Cryptographic binding: Signature covers ephemeral key, proving possession of both
4. Forward secrecy: If SSH key is compromised later, past sessions remain secure

This matches SSH protocol design: long-term keys for identity, ephemeral keys for encryption.

Handshake signature binding:

// Server proves: "I possess identity_Ed25519 AND I'm using ephemeral_X25519"
Server sends: [ephemeral_X25519:32][identity_Ed25519:32][signature:64]
  where: signature = sign(identity_private_key, ephemeral_X25519)

The signature cryptographically binds the ephemeral encryption key to the long-term identity key, preventing MITM attacks while maintaining forward secrecy.

Fallback behavior:

# If key is encrypted but NOT in SSH agent:
ascii-chat server --key ~/.ssh/id_ed25519
Encrypted private key detected (cipher: aes256-ctr)
Key not in SSH agent, will prompt for password
Enter passphrase for /Users/you/.ssh/id_ed25519: [password]
Successfully decrypted key, parsing...
 
# If SSH agent isn't running:
ascii-chat server --key ~/.ssh/id_ed25519
ssh_agent_has_specific_key: SSH_AUTH_SOCK not set
Key not in SSH agent, will prompt for password

Environment variable:

SSH agent communication requires the SSH_AUTH_SOCK environment variable:

# Check if SSH agent is running
echo $SSH_AUTH_SOCK
/tmp/ssh-XXXXXX/agent.12345
 
# If not set, start agent:
eval "$(ssh-agent -s)"

Security benefits:

• ✅ Password once per session - Add key to agent once, use many times
• ✅ No plaintext passwords - Agent handles passphrase, applications never see it
• ✅ Process isolation - Private key never leaves agent process
• ✅ Forward secrecy - Ephemeral X25519 keys per connection
• ✅ Transparent fallback - Works with or without agent

Limitations:

• ❌ Unix-only - SSH agent uses Unix domain sockets (not available on Windows)
• ❌ Signing only - Cannot use agent for X25519 DH operations
• ❌ Session-scoped - Keys removed from agent on logout/reboot

Code locations:

• lib/crypto/keys.h:37 - bool use_ssh_agent flag in private_key_t
• lib/crypto/keys.c:438-524 - ssh_agent_has_specific_key() detection
• lib/crypto/keys.c:820-844 - Encrypted key parsing with agent check
• lib/crypto/keys.c:502-690 - ed25519_sign_message() with agent protocol
• lib/crypto/keys.c:1546-1580 - crypto_setup_ssh_key_for_handshake() architecture

Security guarantee: Both SSH agent mode and in-memory mode provide identical forward secrecy - ephemeral X25519 keys are used for encryption in all cases. The only difference is where signatures come from (agent vs in-memory).

Automatic SSH Agent Key Addition

Problem: Users with encrypted SSH keys had to manually add keys to ssh-agent, or enter their password repeatedly.

Solution: ascii-chat now automatically adds decrypted keys to ssh-agent after successful password entry, eliminating future password prompts.

How it works:

# First run with encrypted key (password required)
ascii-chat server --key ~/.ssh/id_ed25519
Encrypted private key detected (cipher: aes256-ctr)
Key not in SSH agent, will prompt for password
Enter passphrase for /Users/you/.ssh/id_ed25519: [enter password]
Successfully decrypted key, parsing...
[SSH Agent] Adding key to ssh-agent to avoid future password prompts...
[SSH Agent] ✓ Key successfully added to ssh-agent
INFO: Key added to ssh-agent - password won't be required again this session
 
# Second run (NO password prompt!)
ascii-chat server --key ~/.ssh/id_ed25519
INFO: Using SSH agent for this key (agent signing + ephemeral encryption)
# Server starts immediately - no password needed!

What happens automatically:

1. User enters password - Decrypts SSH key successfully
2. Key parsed - Validates Ed25519 format
3. Check ssh-agent - Verifies $SSH_AUTH_SOCK is set
4. Auto-add to agent - Uses the agent's pipe to add the key to the agent (Windows named pipe or Unix domain socket)
5. Future runs - No password prompt (uses agent)

Implementation details:

The auto-add feature uses the SSH agent protocol directly via the pipe.h platform abstraction:

// lib/crypto/keys/ssh_keys.c:765-774
// After successfully decrypting the key from file:
 
// 1. Check if ssh-agent is available
if (!ssh_agent_is_available()) {
  log_debug("ssh-agent not available, skipping auto-add");
  return ASCIICHAT_OK; // Non-fatal: key is already decrypted
}
 
// 2. Check if key is already in agent (to avoid duplicate adds)
public_key_t pub_key = {0};
pub_key.type = KEY_TYPE_ED25519;
memcpy(pub_key.key, decrypted_key + 32, 32); // Extract public key
 
if (ssh_agent_has_key(&pub_key)) {
  log_info("Key already in ssh-agent - skipping auto-add");
  return ASCIICHAT_OK;
}
 
// 3. Add decrypted key to agent using SSH agent protocol
log_info("Attempting to add decrypted key to ssh-agent");
asciichat_error_t agent_result = ssh_agent_add_key(key_out, key_path);
if (agent_result == ASCIICHAT_OK) {
  log_info("Successfully added key to ssh-agent - password will not be required on next run");
} else {
  // Non-fatal: key is already decrypted and loaded
  log_warn("Failed to add key to ssh-agent (non-fatal): %s", asciichat_error_string(agent_result));
}

Platform abstraction:

The implementation uses lib/platform/pipe.h for cross-platform agent communication:

• POSIX (Linux/macOS): Uses Unix domain sockets via SSH_AUTH_SOCK environment variable
  • Path format: /tmp/ssh-XXXXXX/agent.XXXXXX (Unix socket)
  • Implementation: socket(AF_UNIX, SOCK_STREAM) + connect()
• Windows: Uses named pipes via SSH_AUTH_SOCK environment variable or default path
  • Path format: \\.\pipe\openssh-ssh-agent (named pipe)
  • Implementation: CreateFileA() with GENERIC_READ | GENERIC_WRITE

Agent communication flow:

// lib/crypto/ssh_agent.c: ssh_agent_open_pipe()
// 1. Get agent path from environment or use default
const char *auth_sock = SAFE_GETENV("SSH_AUTH_SOCK");
 
#ifdef _WIN32
  // Windows: Use named pipe path (default or from SSH_AUTH_SOCK)
  const char *pipe_path = (auth_sock && strlen(auth_sock) > 0)
                           ? auth_sock
                           : "\\\\.\\pipe\\openssh-ssh-agent";
  return platform_pipe_connect(pipe_path); // CreateFileA() to named pipe
#else
  // POSIX: Use Unix domain socket from SSH_AUTH_SOCK
  if (!auth_sock || strlen(auth_sock) == 0) {
    return INVALID_PIPE_VALUE;
  }
  return platform_pipe_connect(auth_sock); // socket() + connect() to Unix socket
#endif
 
// 2. Send SSH agent protocol messages via platform_pipe_read/platform_pipe_write
//    - SSH2_AGENTC_REQUEST_IDENTITIES (11) - List keys
//    - SSH2_AGENTC_ADD_IDENTITY (17) - Add key
//    - SSH_AGENT_SUCCESS (6) - Success response
 
// 3. Close connection when done
platform_pipe_close(pipe);

Security considerations:

• ✅ Direct protocol communication - No shell scripts or temporary files
• ✅ Memory zeroed - Private key material cleared with sodium_memzero() after use
• ✅ Agent session-scoped - Key removed from agent on logout/reboot
• ✅ Idempotent operation - Adding same key multiple times is safe (agent deduplicates)
• ✅ Non-fatal failures - Agent add failures don't prevent key decryption/use

Platform support:

Platform	Supported	Notes
Linux	✅ YES	Requires SSH agent running (check $SSH_AUTH_SOCK)
macOS	✅ YES	Built-in with macOS (ssh-agent auto-starts)
Windows	✅ YES	Uses Windows named pipes (requires OpenSSH for Windows)

Code locations:

• lib/crypto/keys/ssh_keys.c:242 - Check if key already in agent (before decryption)
• lib/crypto/keys/ssh_keys.c:767 - Auto-add implementation after successful decryption
• lib/crypto/ssh_agent.h - SSH agent interface declarations
• lib/crypto/ssh_agent.c - SSH agent protocol implementation
• lib/platform/pipe.h - Cross-platform pipe/agent socket abstraction
• lib/platform/posix/pipe.c - POSIX Unix domain socket implementation
• lib/platform/windows/pipe.c - Windows named pipe implementation

GPG Key Support

ascii-chat supports GPG Ed25519 keys via gpg-agent integration:

# Server with GPG key (short key ID - 8 hex chars)
ascii-chat server --key gpg:ABCD1234
 
# Server with GPG key (long key ID - 16 hex chars)
ascii-chat server --key gpg:1234567890ABCDEF
 
# Server with GPG key (full fingerprint - 40 hex chars)
ascii-chat server --key gpg:1234567890ABCDEF1234567890ABCDEF12345678
 
# Client verifying server GPG key
ascii-chat client --server-key gpg:1234567890ABCDEF1234567890ABCDEF12345678

Requirements:

• gpg binary must be in PATH
• GPG key must be Ed25519 (Curve 25519) type
• gpg-agent must be running for signing operations

Key ID formats:

• Short key ID: 8 hex characters (last 8 chars of fingerprint)
• Long key ID: 16 hex characters (last 16 chars of fingerprint)
• Full fingerprint: 40 hex characters (complete fingerprint)
• Optional 0x prefix is accepted for all formats

How it works:

1. Extract public key: gpg --list-keys + keygrip lookup
2. Get Ed25519 key: Query gpg-agent via READKEY command (Assuan protocol)
3. Sign challenges: gpg-agent signs via PKSIGN command (no passphrase prompt needed)
4. Verify signatures: gpg --verify for deterministic Ed25519 signature verification

Graceful fallback:

ERROR: GPG key requested but 'gpg' command not found
Install GPG:
  Ubuntu/Debian: apt-get install gnupg
  macOS: brew install gnupg
  Arch: pacman -S gnupg
Or use SSH keys: --key ~/.ssh/id_ed25519

Code locations:

• lib/crypto/gpg.h - GPG interface declarations
• lib/crypto/gpg.c - GPG protocol implementation and gpg-agent communication
• lib/crypto/keys/gpg_keys.c - GPG key parsing and Ed25519 extraction
• lib/crypto/keys/keys.c:167 - GPG key loading (keygrip stored for agent signing)

Known Hosts (IP-Based TOFU)

File location: ~/.ascii-chat/known_hosts

Format:

# ascii-chat Known Hosts
# Format: IP:port x25519 <hex-key> [comment]
# IPv4 example:
192.168.1.100:27224 x25519 a1b2c3d4e5f6... homeserver
10.0.0.50:8080 x25519 1234567890ab... office-server
 
# IPv6 example (bracket notation):
[2001:db8::1]:27224 x25519 fedcba098765... ipv6-server
[::1]:27224 x25519 abcdef123456... localhost-ipv6

Security Design: IP Binding (Not Hostnames)

ascii-chat binds server keys to resolved IP addresses, not DNS hostnames, for critical security reasons:

Why IP addresses?

1. DNS Hijacking Prevention:
   • DNS responses can be spoofed or hijacked
   • Attacker points example.com → malicious server IP
   • With hostname binding: Attacker's server key accepted as example.com's key ❌
   • With IP binding: Client connects to attacker's IP, which won't match trusted IP ✅
2. Cryptographic Binding:
   • TCP connection is to a specific IP address, not a hostname
   • Hostname is resolved once via getaddrinfo(), then IP is used
   • Binding key to IP matches actual network connection
3. IPv6 Support:
   • Dual-stack servers accept IPv4 (192.0.2.1) and IPv6 (2001:db8::1)
   • Each IP:port combination gets its own key binding
   • Bracket notation [::1]:8080 clearly distinguishes IPv6

Example attack scenario (hostname binding):

1. User connects to example.com:27224
2. DNS resolves to 203.0.113.50 (attacker-controlled)
3. Attacker's server presents key_A
4. Client saves: "example.com:27224 → key_A"
5. Later, DNS changes to 198.51.100.25 (legitimate server)
6. Legitimate server presents key_B
7. Client sees hostname match, ACCEPTS key_B
8. No MITM detection! ❌

With IP binding (current implementation):

1. User connects to example.com:27224
2. DNS resolves to 203.0.113.50
3. Attacker's server presents key_A
4. Client saves: "203.0.113.50:27224 → key_A"
5. Later, example.com resolves to 198.51.100.25
6. Different IP! No key stored, prompts user
7. User realizes IP changed, investigates
8. MITM detected! ✅

Behavior:

1. First connection: If server IP:port not in known_hosts, prompt user:

   The authenticity of host '192.168.1.100:27224' can't be established.
   Ed25519 key fingerprint is: SHA256:abc123...
   Are you sure you want to continue connecting (yes/no)? yes

2. IPv6 first connection:

   The authenticity of host '[2001:db8::1]:27224' can't be established.
   Ed25519 key fingerprint is: SHA256:def456...
   Are you sure you want to continue connecting (yes/no)? yes

3. Subsequent connections: Verify server key matches stored key → ABORT if mismatch
4. Key change detected:

   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
   @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
   IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    
   Connection ABORTED for security.
   To remove old key: sed -i '/192.168.1.100:27224 /d' ~/.ascii-chat/known_hosts

Trade-offs:

Aspect	IP Binding (Current)	Hostname Binding (SSH-style)
DNS Hijacking	✅ Protected	❌ Vulnerable
Server IP Change	⚠️ Prompts user (manual verification)	✅ Transparent
Dynamic DNS	⚠️ New prompt per IP	✅ Works seamlessly
Multi-homed Servers	⚠️ Separate entry per IP	✅ Single entry
Security Model	Paranoid (explicit trust)	Convenience (implicit trust)

Recommendation: The security benefit of IP binding outweighs the inconvenience of re-verification when server IPs change. For production servers, IP addresses should be stable (static IPs or fixed cloud instances).

Security model: "Trust on first use" (TOFU) with IP binding - assumes first connection to specific IP:port is legitimate, detects any changes in either IP or key thereafter.

Authentication Modes

Mode 1: Default (Ephemeral DH Only)

Server:

ascii-chat server

Client:

ascii-chat client

Security:

• ✅ Privacy: All packets encrypted
• ✅ Forward secrecy: New keys per connection
• ❌ MITM vulnerable: No identity verification

Use case: Quick sessions, low-threat environments

Mode 2: Password Authentication

Server:

ascii-chat server --password mySecretPass123

Client:

ascii-chat client --password mySecretPass123

Security:

• ✅ Privacy: All packets encrypted
• ✅ MITM protection: Attacker must know password
• ✅ Forward secrecy: DH keys still ephemeral
• ⚠️ Password strength: Security depends on password quality

Mode 3: SSH/GPG Key Pinning

Server with SSH key:

ascii-chat server --key ~/.ssh/id_ed25519

Server with GPG key:

ascii-chat server --key gpg:897607FA43DC66F612710AF97FE90A79F2E80ED3

Client (verify using GitHub SSH key):

ascii-chat client --server-key github:zfogg

Client (verify using GitHub GPG key):

ascii-chat client --server-key github:zfogg.gpg

Client (verify using GitLab GPG key):

ascii-chat client --server-key gitlab:username.gpg

Client (verify using local GPG key):

ascii-chat client --server-key gpg:897607FA43DC66F612710AF97FE90A79F2E80ED3

Security:

• ✅ Privacy: All packets encrypted
• ✅ MITM protection: Cryptographically verified identity
• ✅ Forward secrecy: DH keys still ephemeral
• ✅ No shared secret: Public keys can be shared openly
• ✅ GPG agent integration: No passphrase prompts during signing

Verification flow:

1. Server sends Ed25519 identity key + signature
2. Client fetches expected key (from GitHub, GPG keyring, or file)
3. Client verifies signature: ed25519_verify(signature, ephemeral_key, identity_key)
4. Client proceeds only if signature valid

Mode 4: Client Whitelisting

Server:

ascii-chat server --client-keys ~/.ssh/authorized_keys

Client:

# Client displays their public key on startup
ascii-chat client
 
# Output:
# Client public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoo... alice@laptop
# Share this key with the server operator to be whitelisted

Server's authorized_keys format:

# ascii-chat Authorized Keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoo... alice@laptop
ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQABAAABAQC... bob@desktop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBar... carol@phone

Security:

• ✅ Access control: Only pre-approved clients connect
• ✅ Audit trail: Server logs all connection attempts with client keys
• ✅ Revocable: Remove key from file to revoke access

GitHub/GitLab GPG Key Fetching:

Both --server-key (client verifies server) and --client-keys (server whitelists clients) support fetching GPG public keys from GitHub/GitLab:

# Client verifies server using GitHub GPG keys
ascii-chat client --server-key github:zfogg.gpg
 
# Server whitelists clients using GitHub GPG keys
ascii-chat server --key gpg:MYKEYID --client-keys github:zfogg.gpg
 
# GitLab works the same way
ascii-chat client --server-key gitlab:username.gpg
ascii-chat server --key gpg:MYKEYID --client-keys gitlab:username.gpg
 
# Full example: Client authenticates with GPG key, verifies server via GitHub
ascii-chat client --key gpg:897607FA43DC66F612710AF97FE90A79F2E80ED3 \
                   --server-key github:serveruser.gpg

How it works:

1. Server fetches GPG armored public key block from https://github.com/username.gpg
2. Imports all GPG keys using gpg --import (GitHub users often have multiple keys)
3. Extracts full 40-character Ed25519 fingerprints using gpg --list-keys
4. Adds all valid Ed25519 keys to client whitelist
5. Client authenticates by signing challenge with their GPG key via gpg-agent

Why this is useful:

• ✅ Social proof: Verify client identity via their public GitHub/GitLab profile
• ✅ Zero configuration: No need to manually exchange public keys
• ✅ Multi-key support: Automatically whitelists all user's Ed25519 GPG keys
• ✅ No secrets: Only public keys are fetched; private keys stay in gpg-agent

Mode 5: Defense in Depth (All Features)

Server with SSH key:

ascii-chat server \
  --key ~/.ssh/id_ed25519 \
  --password myPass123 \
  --client-keys ~/.ssh/authorized_keys

Server with GPG key:

ascii-chat server \
  --key gpg:897607FA43DC66F612710AF97FE90A79F2E80ED3 \
  --password myPass123 \
  --client-keys ~/.ssh/authorized_keys

Client:

ascii-chat client \
  --password myPass123 \
  --server-key github:zfogg

Security:

• ✅ Password authentication (both sides verify password)
• ✅ SSH key pinning (client verifies server identity)
• ✅ Client whitelist (server only accepts known clients)
• ✅ Forward secrecy (ephemeral DH keys)
• ✅ Defense in depth (multiple layers)

Mode 6: Opt-Out (No Encryption)

Server:

ascii-chat server --no-encrypt

Client:

ascii-chat client --no-encrypt

Security:

• ❌ No protection whatsoever
• ⚠️ All packets sent in plaintext

Use case: Debugging, packet inspection with tcpdump

WARNING: Only use in trusted networks or for development!

Password Derivation

Password validation:

// Password validation
if (strlen(password) < MIN_PASSWORD_LENGTH || strlen(password) > MAX_PASSWORD_LENGTH) {
    log_error("Password length invalid (must be %d-%d characters)",
              MIN_PASSWORD_LENGTH, MAX_PASSWORD_LENGTH);
    return -1;
}
 
// Argon2id parameters
uint8_t salt[32];  // Random, generated once
uint8_t key[32];   // Derived key
randombytes_buf(salt, sizeof(salt));
 
crypto_pwhash(
  key, sizeof(key),
  password, strlen(password),
  salt,
  crypto_pwhash_OPSLIMIT_INTERACTIVE,  // 2 iterations
  crypto_pwhash_MEMLIMIT_INTERACTIVE,  // 64 MB
  crypto_pwhash_ALG_ARGON2ID13
);

HMAC challenge/response:

// Server generates challenge
uint8_t nonce[32];
randombytes_buf(nonce, sizeof(nonce));
 
// Client computes response (binds to shared_secret!)
uint8_t combined_data[64];  // nonce || shared_secret
memcpy(combined_data, nonce, 32);
memcpy(combined_data + 32, shared_secret, 32);
uint8_t hmac[32];
crypto_compute_hmac_ex(password_key, combined_data, 64, hmac);
 
// Server verifies (also binds to shared_secret)
crypto_verify_hmac_ex(password_key, combined_data, 64, hmac);

Critical security note: The HMAC binds both the nonce AND the DH shared_secret, preventing MITM attacks even if the attacker knows the password. See Issue 1: Password Mode MITM Vulnerability ⚠️ CRITICAL for details.

Packet Encryption

Encryption Process

For each packet after handshake:

// 1. Construct inner packet (real type, real payload)
packet_header_t inner_header = {
  .magic = htonl(PACKET_MAGIC),
  .type = htons(PACKET_TYPE_ASCII_FRAME),  // Real type
  .length = htonl(payload_len),
  .crc32 = htonl(crc32(payload, payload_len)),
  .client_id = htonl(client_id)
};
 
// 2. Combine inner header + payload
uint8_t plaintext[sizeof(inner_header) + payload_len];
memcpy(plaintext, &inner_header, sizeof(inner_header));
memcpy(plaintext + sizeof(inner_header), payload, payload_len);
 
// 3. Generate nonce (counter-based, never reused)
uint8_t nonce[24];
memcpy(nonce, ctx->session_id, 16);           // Session ID (unique per connection)
*(uint64_t*)(nonce + 16) = htole64(ctx->nonce_counter++);  // Increment counter
 
// 4. Encrypt with XSalsa20-Poly1305
uint8_t ciphertext[crypto_secretbox_MACBYTES + sizeof(plaintext)];
crypto_secretbox_easy(
  ciphertext,
  plaintext, sizeof(plaintext),
  nonce,
  shared_secret  // 32-byte key from DH
);
 
// 5. Build encrypted packet: [nonce][ciphertext][MAC]
uint8_t encrypted_blob[24 + sizeof(ciphertext)];
memcpy(encrypted_blob, nonce, 24);
memcpy(encrypted_blob + 24, ciphertext, sizeof(ciphertext));
 
// 6. Send outer packet (type=ENCRYPTED)
packet_header_t outer_header = {
  .magic = htonl(PACKET_MAGIC),
  .type = htons(PACKET_TYPE_ENCRYPTED),
  .length = htonl(sizeof(encrypted_blob)),
  .crc32 = 0,  // Not used for encrypted packets
  .client_id = 0
};
send_packet(socket, &outer_header, encrypted_blob);

Wire format:

[Outer Header: 18 bytes]
  magic: 0xDEADBEEF
  type: 20 (ENCRYPTED)
  length: 24 + N + 16
 
[Encrypted Blob: 24 + N + 16 bytes]
  [Nonce: 24 bytes] ← Session ID (16) + Counter (8)
  [Ciphertext: N bytes] ← XSalsa20(plaintext)
  [MAC: 16 bytes] ← Poly1305(ciphertext)

Decryption Process

// 1. Receive outer packet
packet_header_t outer_header;
recv(socket, &outer_header, sizeof(outer_header));
 
// Verify outer header
if (ntohl(outer_header.magic) != PACKET_MAGIC) return -1;
if (ntohs(outer_header.type) != PACKET_TYPE_ENCRYPTED) return -1;
 
// 2. Read encrypted blob
uint32_t blob_len = ntohl(outer_header.length);
uint8_t encrypted_blob[blob_len];
recv(socket, encrypted_blob, blob_len);
 
// 3. Extract nonce and ciphertext
uint8_t nonce[24];
memcpy(nonce, encrypted_blob, 24);
 
uint8_t *ciphertext = encrypted_blob + 24;
size_t ciphertext_len = blob_len - 24;
 
// 4. Decrypt with XSalsa20-Poly1305
uint8_t plaintext[ciphertext_len - crypto_secretbox_MACBYTES];
if (crypto_secretbox_open_easy(
      plaintext,
      ciphertext, ciphertext_len,
      nonce,
      shared_secret) != 0) {
  // MAC verification failed - packet was tampered with!
  return -1;
}
 
// 5. Parse inner header
packet_header_t *inner_header = (packet_header_t*)plaintext;
uint16_t real_type = ntohs(inner_header->type);
uint32_t payload_len = ntohl(inner_header->length);
 
// 6. Extract payload
uint8_t *payload = plaintext + sizeof(packet_header_t);
 
// 7. Process packet based on real type
handle_packet(real_type, payload, payload_len);

Nonce Management

Critical security requirement: Never reuse a nonce with the same key!

Implementation:

// Nonce format (24 bytes for XSalsa20-Poly1305):
// Bytes 0-15:  Session ID (random, unique per connection/rekey)
// Bytes 16-23: Counter (increments per packet, little-endian uint64_t)
 
// Generate nonce for each packet
uint8_t nonce[24];
memcpy(nonce, ctx->session_id, 16);           // Session ID prevents cross-session replay
*(uint64_t*)(nonce + 16) = htole64(ctx->nonce_counter++);  // Counter prevents within-session replay

Why this is safe:

• 24-byte nonce = 192 bits
• 16-byte session ID = unique per connection/rekey
• 8-byte counter = 2^64 = 18 quintillion packets per session
• At 60 FPS video, counter lasts 9.7 trillion years
• Session ID changes on rekey, providing additional safety

Replay protection:

• Each side maintains their own send counter
• Session ID prevents cross-session replay attacks
• Received packets are not checked for sequence (UDP-like behavior)
• Poly1305 MAC prevents tampering
• Application-level sequence numbers in packet headers (not crypto-related)

Rekeying integration:

• On rekey, session_id regenerated (16 random bytes)
• Counter reset to 1
• Prevents nonce reuse even if counters wrap (extremely unlikely)

Session Rekeying Protocol

Overview

ascii-chat implements automatic session rekeying to provide forward secrecy within long-lived connections. After the initial handshake establishes encryption, the system periodically performs new Diffie-Hellman key exchanges to rotate encryption keys.

Security benefits:

• ✅ Intra-session forward secrecy - Compromise at time T doesn't decrypt packets before time T
• ✅ Reduced cryptanalytic surface - Less ciphertext encrypted with same key
• ✅ Industry best practice - Aligns with TLS 1.3 (rekeys at 2^24 records)
• ✅ Protection against long-term key exposure - Limits damage from key compromise

Rekeying Triggers

Rekeying occurs automatically when either threshold is reached (whichever comes first):

Trigger Type	Default Threshold	Notes
Time-based	3600 seconds (1 hour)	Typical video chat session length
Traffic-based	1,000,000 packets	~4.6 hours at 60 FPS video

Configuration options:

# Custom thresholds
./ascii-chat server --rekey-time 1800 --rekey-packets 500000
 
# Default thresholds (1 hour OR 1M packets)
./ascii-chat server

Test mode (for development): For testing, use low thresholds to trigger frequent rekeying:

# Rekey every 30 seconds OR 1000 packets
./ascii-chat server --rekey-time 30 --rekey-packets 1000

Rekeying Protocol Flow

The rekeying protocol uses a 3-packet handshake similar to the initial key exchange:

Client (Initiator)              Server (Responder)
  |                                                 |
  | Trigger: Time/packet threshold                  |
  |                                                 |
  |-- CRYPTO_REKEY_REQUEST -------->                |
  |   [new_ephemeral_pk: 32 bytes]                  |
  |                                                 |
  | Generate new ephemeral X25519 keypair           |
  | Compute shared_secret_new = DH(my_sk, their_pk) |
  |                                                 |
  |<-- CRYPTO_REKEY_RESPONSE ------>                |
  |   [new_ephemeral_pk: 32 bytes]                  |
  |                                                 |
  | Compute shared_secret_new                       |
  |                                                 |
  |-- CRYPTO_REKEY_COMPLETE -->                     | (encrypted with NEW key)
  |                                                 |
  | ✅ Switch to new key                            |
  | ✅ Reset nonce_counter = 1                      |
  | ✅ Generate new session_id                      |
  | ✅ Wipe old shared_secret                       |

New Packet Types:

PACKET_TYPE_CRYPTO_REKEY_REQUEST  = 25  // Initiator sends new ephemeral public key
PACKET_TYPE_CRYPTO_REKEY_RESPONSE = 26  // Responder sends new ephemeral public key
PACKET_TYPE_CRYPTO_REKEY_COMPLETE = 27  // Initiator confirms (encrypted with new key)

Packet Structures:

REKEY_REQUEST:

typedef struct {
  uint8_t new_ephemeral_public_key[32];  // Fresh X25519 public key
} rekey_request_packet_t;

REKEY_RESPONSE:

typedef struct {
  uint8_t new_ephemeral_public_key[32];  // Fresh X25519 public key
} rekey_response_packet_t;

REKEY_COMPLETE:

// Empty packet (confirmation only)
// CRITICAL: Must be encrypted with NEW shared secret

Key Transition Logic

Before REKEY_COMPLETE:

• All packets encrypted with old shared_secret
• Keep old key in memory for decryption
• Keep new key (temp_shared_key) ready for transition

REKEY_COMPLETE packet:

• First packet encrypted with new key
• Proves both sides successfully computed same shared secret
• If decryption fails → abort rekey, keep old key

After REKEY_COMPLETE:

• Copy temp_shared_key → shared_key
• Reset nonce_counter = 1
• Generate new random session_id (16 bytes)
• Securely wipe old shared_secret and temp keys
• Update rekey_last_time and reset rekey_packet_count

Security Features

Anti-Denial-of-Service:

// Rate limiting
#define REKEY_MIN_INTERVAL 60  // Minimum 60 seconds between rekeys
 
// Reject if rekey already in progress
if (ctx->rekey_in_progress) {
  log_warn("Rekey already in progress, ignoring new request");
  return -1;
}
 
// Exponential backoff on repeated failures
if (rekey_failure_count > 3) {
  backoff_seconds = 60 * (1 << rekey_failure_count);  // 60s, 120s, 240s, ...
}

Race Condition Handling: If both sides simultaneously initiate rekeying:

• Lower client_id wins (becomes initiator)
• Higher client_id becomes responder
• Server has client_id=0, so server always wins ties

if (received_rekey_request && ctx->rekey_in_progress) {
  // Both sides initiated simultaneously
  if (my_client_id < peer_client_id) {
    // I win - continue as initiator, ignore their request
    log_debug("Rekey tie-break: I win (lower client_id)");
  } else {
    // They win - abort my rekey, become responder
    log_debug("Rekey tie-break: They win, switching to responder");
    crypto_rekey_abort(ctx);
    handle_rekey_request(peer_request);
  }
}

Key Confirmation: The REKEY_COMPLETE packet must decrypt successfully:

// Attempt to decrypt REKEY_COMPLETE with new key
if (crypto_decrypt_with_key(packet, temp_shared_key, plaintext) != 0) {
  log_error("REKEY_COMPLETE decryption failed - aborting rekey");
  crypto_rekey_abort(ctx);  // Keep old key
  return -1;
}
 
// Success - both sides have same key
crypto_rekey_commit(ctx);  // Switch to new key

Failure Handling:

Rekey can fail for several reasons:

1. Timeout - Peer doesn't respond within 10 seconds
2. Bad keys - DH computation yields different secrets
3. Decryption failure - REKEY_COMPLETE doesn't decrypt with new key
4. Network error - Connection lost during rekey

Failure recovery:

void crypto_rekey_abort(crypto_context_t *ctx) {
  log_warn("Aborting rekey, keeping old encryption key");
 
  // Wipe temporary keys
  sodium_memzero(ctx->temp_public_key, sizeof(ctx->temp_public_key));
  sodium_memzero(ctx->temp_private_key, sizeof(ctx->temp_private_key));
  sodium_memzero(ctx->temp_shared_key, sizeof(ctx->temp_shared_key));
 
  // Reset state
  ctx->rekey_in_progress = false;
  ctx->has_temp_key = false;
 
  // Increment failure counter for backoff
  ctx->rekey_failure_count++;
 
  // Continue using old key - no disruption to connection
}

Important: Rekey failure does NOT disconnect the session. The connection continues with the old key.

Performance impact:

• Rekey adds ~10ms latency (3 packets, DH computation)
• Occurs once per hour (or less frequently)
• Negligible impact on user experience

Security Considerations

Cryptographic Strengths

✅ Modern primitives: X25519, XSalsa20-Poly1305, Argon2id (current best practices) ✅ Forward secrecy (connection-level): Ephemeral DH keys per connection ✅ Forward secrecy (session-level): Automatic rekeying within long-lived sessions ✅ Authenticated encryption: XSalsa20-Poly1305 AEAD prevents tampering ✅ Memory-hard passwords: Argon2id resistant to GPU brute-force ✅ Constant-time crypto: libsodium uses constant-time implementations (timing attack resistant) ✅ Large nonce space: 192-bit nonces make collision astronomically unlikely ✅ Intra-session forward secrecy: Rekeying limits exposure from key compromise

Potential Weaknesses

⚠️ Default MITM vulnerability:

• Threat: Attacker intercepts initial handshake, performs two separate DH exchanges
• Mitigation: Use --server-key or known_hosts verification
• Acceptable because: User is warned, optional verification available

⚠️ Password quality:

• Threat: Weak passwords vulnerable to offline dictionary attacks
• Mitigation: Argon2id makes attacks expensive, but cannot prevent weak passwords
• Best practice: Use long, random passwords (20+ characters)

⚠️ No quantum resistance:

• Threat: Large quantum computers could break X25519 in the future
• Timeline: Not a practical threat as of 2025
• Future: Post-quantum algorithms (Kyber, Dilithium) may be added later

Known Vulnerabilities

Summary

All critical security vulnerabilities have been identified and fixed:

Issue	Severity	Status
Password Mode MITM	🔴 Critical	✅ FIXED - HMACs bound to DH shared_secret
No Mutual Auth	🔴 High	✅ FIXED - Bidirectional challenge-response
Replay Across Sessions	🟡 Medium	✅ FIXED - Session IDs implemented
No Whitelist Revocation	🟢 Low	🟢 Won't Fix - Out of scope, manual restart acceptable
TOFU Weakness	🟢 Info	🟢 Acceptable - Inherent to TOFU model
Code Duplication	🟢 Low	✅ FIXED - Shared authentication functions
Timing Attack on Keys	🔴 Critical	✅ FIXED - Constant-time sodium_memcmp()

Security Status: ✅ All security vulnerabilities have been addressed

CVE-None: Default MITM Vulnerability (By Design)

Severity: Medium (mitigated by user choice)

Description: By default, ascii-chat does not verify server identity. An attacker who controls the network can intercept the initial handshake and perform a man-in-the-middle attack.

Attack scenario:

1. Client attempts to connect to server at 192.168.1.100:27224
2. Attacker intercepts connection, poses as server to client
3. Attacker poses as client to real server
4. Attacker decrypts client packets, re-encrypts with server's key
5. Result: Attacker sees all traffic

Why this is not a critical bug:

1. Informed choice: This is the default because there's no global CA system
2. User can verify: --server-key, --password, or known_hosts provide protection
3. Active attack required: Attacker must control network (harder than passive eavesdropping)
4. Similar to SSH: First SSH connection has same vulnerability (known_hosts helps thereafter)

Mitigation:

# Server: Use SSH key for identity
ascii-chat server --key ~/.ssh/id_ed25519
 
# Client: Verify server (pick one)
ascii-chat client --server-key github:zfogg  # Fetch from GitHub
ascii-chat client --server-key ~/.ssh/server.pub  # Manual verification
ascii-chat client  # Will prompt to save to known_hosts

Potential Bug: Nonce Counter Overflow

Severity: Low (practically impossible)

Description: If a single connection sends more than 2^64 packets, the nonce counter wraps to zero, potentially reusing nonces.

Attack scenario:

1. Keep connection alive for years
2. Send packets at maximum rate (10,000/sec) for ~58 million years
3. Nonce counter wraps to zero
4. Nonces start repeating

Likelihood: Astronomically low (would require 58 million years of continuous packets)

Impact: Nonce reuse could allow an attacker to recover plaintext of two packets with the same nonce

Mitigation: Reconnect periodically (every 24 hours is more than sufficient)

Potential Bug: SSH Key Signature Bypass

Severity: High (if implementation bug exists)

Description: If signature verification is skipped when --server-key is set, attacker could send any identity key.

Attack scenario:

1. Client connects with --server-key github:zfogg
2. Attacker sends their own Ed25519 key in handshake
3. BUG: Client doesn't verify signature of ephemeral key
4. Client accepts attacker's identity key as valid

Current status: ✅ Not vulnerable (signature verification is mandatory)

Critical Security Review (Third-Party Analysis)

‍Note: This section documents security issues identified during independent review of the cryptographic implementation. These represent real vulnerabilities that should be addressed before production use.

Issue 1: Password Mode MITM Vulnerability ⚠️ <strong>CRITICAL</strong>

Severity: Critical (actively exploitable)

Description: Password mode was vulnerable to MITM attacks despite using encryption. An attacker could intercept the key exchange and derive the password-based key themselves because the password HMAC wasn't bound to the DH shared_secret.

Previous attack scenario:

               Client              Attacker               Server
|                                     |                                              |
| --------KEY_EXCHANGE_INIT---------> |                                              |
|                                     | ------------KEY_EXCHANGE_INIT--------------> |
|                                     | <--------------server_pubkey---------------- |
| <-------attacker_pubkey------------ |                                              |
|                                     |                                              |
| Computes: HMAC(password_key, nonce) |                                              |
|                                     | Attacker can compute same HMAC with password |
|                                     | Even though DH secrets differ!               |

Root cause:

• Password HMAC was computed as: HMAC(password_key, nonce)
• This didn't bind the password to the DH exchange
• Attacker who knows the password can MITM the DH exchange and still pass authentication

Status: 🟢 FIXED - Password HMACs now bound to DH shared_secret

Implementation: All password HMAC computations now bind to the DH shared_secret to prevent MITM:

// Client and server now both compute (for AUTH_RESPONSE):
uint8_t combined_data[64];  // nonce || shared_secret
memcpy(combined_data, nonce, 32);
memcpy(combined_data + 32, shared_secret, 32);
uint8_t hmac[32];
crypto_compute_hmac_ex(password_key, combined_data, 64, hmac);
 
// Server verifies (for SERVER_AUTH_RESPONSE):
uint8_t combined_data[64];  // client_nonce || shared_secret
memcpy(combined_data, client_challenge_nonce, 32);
memcpy(combined_data + 32, shared_secret, 32);
uint8_t server_hmac[32];
crypto_compute_hmac_ex(password_key, combined_data, 64, server_hmac);

Why this fixes the MITM vulnerability:

• Client computes: HMAC(password_key, nonce || DH_secret_A)
• Attacker with different DH secret computes: HMAC(password_key, nonce || DH_secret_B)
• Server expects: HMAC(password_key, nonce || DH_secret_A)
• Attacker's HMAC doesn't match → authentication fails

Code locations:

• lib/crypto/crypto.h:168-172 - Added crypto_compute_hmac_ex() and crypto_verify_hmac_ex() for variable-length HMAC
• lib/crypto/crypto.c:610-648 - Implemented extended HMAC functions
• lib/crypto/handshake.c:569-582 - Client AUTH_RESPONSE binds to shared_secret
• lib/crypto/handshake.c:644-657 - Client optional AUTH_RESPONSE binds to shared_secret
• lib/crypto/handshake.c:706-719 - Client no-server-requirement AUTH_RESPONSE binds to shared_secret
• lib/crypto/handshake.c:829-841 - Client SERVER_AUTH_RESPONSE verification binds to shared_secret
• lib/crypto/handshake.c:890-902 - Server AUTH_RESPONSE verification binds to shared_secret
• lib/crypto/handshake.c:962-974 - Server SERVER_AUTH_RESPONSE computation binds to shared_secret

Impact: Critical vulnerability fixed - Password mode now provides true MITM protection, not just passive eavesdropping protection

Issue 2: No Mutual Authentication in Default Mode ⚠️ <strong>HIGH</strong>

Severity: High (design flaw)

Description: The challenge-response protocol only authenticated the client to the server, not the other way around. Server never proved it has the shared secret.

Previous handshake flow:

Server                          Client
  |----KEY_EXCHANGE_INIT--------->|
  |<---KEY_EXCHANGE_RESPONSE------|
  |                                |
  | Derives: shared_secret         | Derives: shared_secret
  |                                |
  |----AUTH_CHALLENGE: nonce----->|
  |<---AUTH_RESPONSE: HMAC--------|
  |                                |
  | Verifies HMAC ✓                | Hopes server has key (no verification)
  |----HANDSHAKE_COMPLETE-------->|

Problem: Client never received proof that server has the correct shared secret. A MITM attacker could:

1. Intercept client's DH pubkey
2. Generate their own server DH pubkey
3. Send AUTH_CHALLENGE to client
4. Client responds with HMAC (client is now authenticated)
5. Attacker sends HANDSHAKE_COMPLETE (without ever proving they have the shared secret)

Status: 🟢 FIXED - Mutual authentication implemented

Implementation: The protocol now includes bidirectional challenge-response:

// New handshake flow with mutual authentication:
// 1. Server → Client: AUTH_CHALLENGE (server_nonce)
// 2. Client generates client_nonce
// 3. Client → Server: AUTH_RESPONSE (HMAC + client_nonce)
//    - Password mode: HMAC(32) + client_nonce(32) = 64 bytes
//    - Ed25519 mode: signature(64) + client_nonce(32) = 96 bytes
// 4. Server verifies client's HMAC/signature
// 5. Server computes HMAC(shared_secret, client_nonce)
// 6. Server → Client: AUTH_CONFIRM (server's HMAC of client_nonce)
// 7. Client verifies server's HMAC
// Both sides now authenticated

New packet type:

PACKET_TYPE_SERVER_AUTH_RESPONSE = 22  // Server → Client: HMAC(32 bytes)

Code locations:

• lib/network.h:97 - Added PACKET_TYPE_SERVER_AUTH_RESPONSE
• lib/crypto/handshake.c:593 - Client sends challenge nonce
• lib/crypto/handshake.c:946 - Server sends AUTH_CONFIRM
• lib/crypto/handshake.c:834 - Client verifies server's HMAC

Impact: High - Previously allowed MITM without server authentication, now both sides prove knowledge of shared secret

Issue 3: Replay Vulnerability Across Sessions ⚠️ <strong>MEDIUM</strong>

Severity: Medium (limited exploitation window)

Description: Nonce counter resets to 0 on each connection. An attacker who records packets from Session 1 can replay them into Session 2 if the same shared secret is used.

Attack scenario:

Session 1:
  Client sends: encrypt(nonce=0, "start stream")
  Client sends: encrypt(nonce=1, "video frame 1")
  Attacker records these packets
 
Session 2 (client reconnects):
  Nonce counter resets to 0
  Attacker replays: encrypt(nonce=0, "start stream")  ← Accepted!
  Attacker replays: encrypt(nonce=1, "video frame 1") ← Accepted!

Root cause:

// crypto_context_init() in lib/crypto/crypto.c
ctx->send_nonce_counter = 1;  // Resets to 1 every connection!

Status: 🟢 FIXED - Session IDs added to nonce generation

Implementation:

// Each connection gets a unique random session ID
randombytes_buf(ctx->session_id, 16);
 
// Nonce format: [session_id (16 bytes)][counter (8 bytes)]
SAFE_MEMCPY(nonce_out, 16, ctx->session_id, 16);
uint64_t counter = ctx->nonce_counter++;
SAFE_MEMCPY(nonce_out + 16, 8, &counter, 8);

This ensures nonces are unique across sessions even if counters reset.

Impact: Medium - Attacker can replay old packets into new sessions, but needs network position and recorded traffic

Issue 4: Whitelist Has No Revocation Mechanism ⚠️ <strong>LOW</strong>

Severity: Informational (not a security issue)

Description: If a client's SSH key is compromised, the server operator must manually edit the whitelist file and restart the server to revoke access.

Why hot-reload is not needed:

ascii-chat's security model does not require hot revocation:

1. Server makes no assumptions about key compromise - The server's job is to enforce the whitelist at connection time, not to detect or respond to compromise
2. Manual restart is acceptable - If an operator learns a client key is compromised, a simple server restart (2 seconds) is perfectly adequate
3. Symmetric responsibility - Just as clients can choose not to connect to servers with compromised keys, operators can restart servers to remove compromised client keys
4. Operator responsibility - Key management and compromise response are the operator's concern, not the server's

Revocation workflow (current and sufficient):

# 1. Remove compromised key from whitelist
vim ~/.ascii-chat/authorized_clients.txt
 
# 2. Restart server (takes ~2 seconds)
killall ascii-chat server
./ascii-chat server --client-keys ~/.ascii-chat/authorized_clients.txt
 
# Result: Compromised key can no longer connect

Why this is acceptable:

• ✅ Simple and predictable
• ✅ No additional complexity or attack surface
• ✅ Matches SSH's authorized_keys model (also requires service restart for revocation)
• ✅ If a key is compromised, a 2-second restart is not a meaningful security delay
• ✅ Zero-downtime reload is overkill for a video chat application

Status: 🟢 Won't Fix - Out of Scope - Manual restart is the intended design

Impact: None - This is not a security issue, just an operational characteristic

Issue 5: Known Hosts TOFU Weakness ⚠️ <strong>INFORMATIONAL</strong>

Severity: Informational (inherent to TOFU model)

Description: Trust On First Use (TOFU) means the first connection is always vulnerable. If an attacker MITM's the first connection, their key is saved as "trusted".

This is the same vulnerability as:

• SSH on first connection
• HTTPS certificate pinning on first connection
• Signal safety numbers on first message

Attack scenario:

User's first connection to server:
  1. Attacker intercepts first connection
  2. Attacker presents their own Ed25519 key
  3. Client saves attacker's key to known_hosts
  4. Future connections verify against attacker's key ✓
  5. Real server's key is never seen

Why this is acceptable:

1. Industry standard: SSH uses the same model
2. User can verify: Out-of-band key fingerprint verification (QR code, voice call, etc.)
3. Detectable: Key change triggers warning
4. Better than nothing: Prevents MITM on all future connections

Status: 🟢 Acceptable by design (future verification server will improve this)

Impact: Informational - This is an accepted trade-off in the TOFU model

Issue 6: Code Duplication in Handshake Implementation ⚠️ <strong>TECHNICAL DEBT</strong>

Severity: Low (code quality issue, not a security vulnerability)

Description: The cryptographic protocol is symmetric - both client and server perform identical crypto operations - yet the code duplicates logic between crypto_client_handshake() and crypto_server_handshake().

Problem:

// lib/crypto/handshake.c has two nearly identical functions:
crypto_client_handshake()  // Lines 416+
crypto_server_handshake()  // Lines 772+
 
// Both compute identical crypto operations:
// - HMAC(password_key, nonce || shared_secret)
// - crypto_verify_hmac_ex(password_key, combined_data, 64, hmac)
// - Ed25519 signature generation/verification
// - DH key derivation

Status: 🟢 FIXED - Shared authentication functions implemented

Implementation: The password HMAC duplication has been eliminated by extracting shared functions:

// lib/crypto/crypto.c - New shared authentication helpers
crypto_result_t crypto_compute_auth_response(const crypto_context_t *ctx,
                                            const uint8_t nonce[32],
                                            uint8_t hmac_out[32]);
 
bool crypto_verify_auth_response(const crypto_context_t *ctx,
                                 const uint8_t nonce[32],
                                 const uint8_t expected_hmac[32]);

Code locations:

• lib/crypto/crypto.h:182-206 - Function declarations with documentation
• lib/crypto/crypto.c:655-689 - Implementation of shared functions
• lib/crypto/handshake.c:572 - Client AUTH_RESPONSE (3 locations) now use shared function
• lib/crypto/handshake.c:815 - Client SERVER_AUTH_RESPONSE verification uses shared function
• lib/crypto/handshake.c:862 - Server AUTH_RESPONSE verification uses shared function
• lib/crypto/handshake.c:923 - Server SERVER_AUTH_RESPONSE computation uses shared function

Results:

• ✅ ~35 lines of duplicated code eliminated
• ✅ Single source of truth for HMAC computation and verification
• ✅ Bug fixes now apply to all code paths automatically
• ✅ Shared functions can be unit tested independently

Impact: Low - This is technical debt, not a security issue

Issue 7: Timing Attack on Public Key Comparisons ⚠️ <strong>CRITICAL</strong>

Severity: Critical (side-channel information leakage)

Description: Public key comparisons used variable-time memcmp() instead of constant-time comparison, allowing timing attacks that could leak information about cryptographic keys through side-channel analysis.

Vulnerability: The standard C library function memcmp() returns early on the first byte difference. This creates timing differences that can be measured by an attacker to learn information about the expected key.

// ❌ WRONG: memcmp() is NOT constant-time
if (memcmp(server_key, expected_key.key, 32) == 0) {
  return 1;  // Match
}

Attack scenario:

Attacker tries different server identity keys:
 
Attempt 1: Key starts with 0x00... → memcmp() fails on byte 0 → 10ns
Attempt 2: Key starts with 0xAB... → memcmp() fails on byte 0 → 10ns
Attempt 3: Key starts with 0xFF... → memcmp() succeeds on byte 0, fails on byte 1 → 11ns ✓
 
Attacker learns: First byte of expected key is 0xFF
Repeat for each byte to recover full 32-byte key

Root cause: Three locations used memcmp() for cryptographic key comparisons:

1. lib/crypto/handshake.c:194 - Server identity verification during client key exchange
2. lib/crypto/handshake.c:363 - Client whitelist verification during server auth challenge
3. lib/crypto/known_hosts.c:69 - Known hosts verification (client-side server verification)

Why this is critical:

• Timing attacks are practical - Measurable over network with enough samples
• Leaks information about expected keys - Helps attacker forge identity
• Affects authentication bypass - Compromise of identity verification
• Applicable to all authentication modes - SSH keys, whitelists, known_hosts

Status: 🟢 FIXED - All comparisons now use constant-time sodium_memcmp()

Implementation: All cryptographic key comparisons now use libsodium's constant-time comparison:

// ✅ CORRECT: sodium_memcmp() is constant-time
// Compare server's IDENTITY key with expected key (constant-time to prevent timing attacks)
if (sodium_memcmp(server_identity_key, expected_key.key, 32) != 0) {
  log_error("Server identity key mismatch - potential MITM attack!");
  return -1;
}

Code locations:

• lib/crypto/handshake.c:194 - ✅ Fixed: Server identity verification
• lib/crypto/handshake.c:363 - ✅ Fixed: Client whitelist verification
• lib/crypto/known_hosts.c:69 - ✅ Fixed: Known hosts verification

How sodium_memcmp() prevents timing attacks:

// From libsodium source (simplified):
int sodium_memcmp(const void *b1, const void *b2, size_t len) {
  const unsigned char *c1 = b1;
  const unsigned char *c2 = b2;
  unsigned char d = 0;
 
  // Always compares ALL bytes, never returns early
  for (size_t i = 0; i < len; i++) {
    d |= c1[i] ^ c2[i];
  }
 
  return (1 & ((d - 1) >> 8)) - 1;  // Constant-time final comparison
}

Benefits of constant-time comparison:

• ✅ No timing variation - Takes same time regardless of where keys differ
• ✅ Cryptographically sound - Standard practice for key comparison
• ✅ libsodium guarantee - Maintained by crypto experts
• ✅ Zero performance cost - 32-byte comparison is <100ns either way

**Impact:** Critical vulnerability fixed - All cryptographic key comparisons now resistant to timing attacks

Future Enhancements

Post-Quantum Cryptography

**Current:** X25519 (not quantum-resistant)

**Future:** Hybrid key exchange with post-quantum algorithm

**Candidates:**

• **Kyber:** NIST-selected post-quantum KEM (key encapsulation)
• **Dilithium:** NIST-selected post-quantum signatures
• **X25519-Kyber:** Hybrid combining classical + post-quantum
• **Ed25519-Dilithium:** Hybrid signature algorithms

The dynamic algorithm negotiation system is designed to support post-quantum migration when libsodium adds support.

Verification Server (Planned - See Issue #82)

**Problem:** No global certificate authority like HTTPS

**Proposed solution:** Optional verification server for key registry

**Architecture:**

┌─────────┐
│ Client  │────┐
└─────────┘    │
               ├─→ [Verification Server] ←─── Stores public keys
┌─────────┐    │     - Users register keys
│ Server  │────┘     - Provides key lookup
└─────────┘          - Issues signed certificates

**Benefits:**

• ✅ Verified identity without pre-sharing keys
• ✅ Revocation support (server marks keys as invalid)
• ✅ Discovery service integration (session strings + verification)

**Trust model:** Similar to Signal's key server - optional, transparency log, user can verify out-of-band

**Status:** RFC in progress (see issue #82 for detailed spec)

Post-Quantum Cryptography Details

**Current:** X25519 (not quantum-resistant)

**Future:** Hybrid key exchange with post-quantum algorithm

**Candidates:**

• **Kyber:** NIST-selected post-quantum KEM (key encapsulation)
• **Dilithium:** NIST-selected post-quantum signatures
• **X25519-Kyber:** Hybrid combining classical + post-quantum
• **Ed25519-Dilithium:** Hybrid signature algorithms

**Implementation Strategy:** The dynamic algorithm negotiation system is designed to support post-quantum migration:

1. **Phase 1**: Add post-quantum algorithms to capabilities

   #define KEX_ALGO_KYBER1024 0x02
   #define AUTH_ALGO_DILITHIUM3 0x02
   #define KEX_ALGO_X25519_KYBER_HYBRID 0x03
   #define AUTH_ALGO_ED25519_DILITHIUM_HYBRID 0x03

2. **Phase 2**: Prefer hybrid mode when both sides support it
   • Client capabilities include both classical and post-quantum
   • Server selects hybrid algorithms when available
   • Fallback to classical-only for older clients
3. **Phase 3**: Gradual migration
   • New clients prefer post-quantum
   • Legacy clients continue working
   • Server can enforce post-quantum for sensitive applications

**Timeline:** Wait for libsodium to add post-quantum support (currently in development)

**Backward compatibility:** Hybrid mode allows gradual migration without breaking existing connections

Session Rekeying (IMPLEMENTED ✅)

**Status:** ✅ **IMPLEMENTED** - See Session Rekeying Protocol section above

**Implementation:**

• Automatic rekeying based on time (1 hour) or traffic (1M packets)
• Full DH re-exchange with new ephemeral keys
• Intra-session forward secrecy

**Future consideration:** Double Ratchet (Signal-style per-message rekeying)

• **Benefit:** Forward secrecy per message
• **Cost:** Massive complexity, state synchronization issues
• **Decision:** Current session rekeying is sufficient for video chat use case

Certificate Transparency Log

**Inspired by:** Let's Encrypt Certificate Transparency

**Idea:** Public append-only log of all server public keys

**Benefits:**

• Detect rogue keys (someone impersonating your server)
• Audit trail of key changes
• Social accountability (anyone can verify log integrity)

**Implementation:**

• Merkle tree of Ed25519 public keys
• Signed by verification server
• Clients can request inclusion proofs

**Status:** Research phase

Appendix: Cryptography Bugs to Watch For

Bug Class 1: Nonce Reuse

**Danger:** Reusing a nonce with the same key breaks XSalsa20-Poly1305 security

**How it happens:**

// ❌ WRONG: Same nonce for multiple packets
uint8_t nonce[24] = {0};  // Never changes!
for (int i = 0; i < 100; i++) {
  crypto_secretbox_easy(ciphertext, plaintext, nonce, key);  // Same nonce!
}

**Fix:**

// ✅ CORRECT: Increment nonce counter
uint64_t counter = 1;
for (int i = 0; i < 100; i++) {
  uint8_t nonce[24] = {0};
  *(uint64_t*)nonce = htole64(counter++);  // Unique nonce per packet
  crypto_secretbox_easy(ciphertext, plaintext, nonce, key);
}

**Test:** Verify nonce increments in packet capture

Bug Class 2: Timing Attacks in Verification

**Danger:** Variable-time comparison leaks information

**How it happens:**

// ❌ WRONG: memcmp() returns early on first mismatch
if (memcmp(expected_hmac, received_hmac, 32) == 0) {
  // Attacker can measure timing differences to guess HMAC
}

**Fix:**

// ✅ CORRECT: Constant-time comparison
if (crypto_verify_32(expected_hmac, received_hmac) == 0) {
  // Takes same time regardless of mismatch location
}

**Test:** Run verification 10,000 times with random HMACs, verify timing is consistent

Bug Class 3: Signature Bypass

**Danger:** Skipping signature verification allows impersonation

**How it happens:**

// ❌ WRONG: Assuming presence of signature field means it's valid
if (packet_len == 128) {
  // Has signature field, assume it's correct
  identity_key = packet->identity_key;
}

Fix:

// ✅ CORRECT: Always verify signature if present
if (packet_len == 128) {
  if (ed25519_verify_signature(identity_key, ephemeral_key, signature) != 0) {
    return -1;  // REJECT invalid signature
  }
}

Test: Send handshake with random signature bytes → should be rejected

Bug Class 4: Replay Attacks

Danger: Old packets can be re-sent by attacker

How it happens:

// ❌ WRONG: No replay protection
decrypt_packet(ciphertext, plaintext);
process_packet(plaintext);  // Attacker can replay old encrypted packets

Fix:

// ✅ CORRECT: Check sequence numbers or use nonces
if (packet->sequence_number <= last_seen_sequence) {
  return -1;  // REJECT replayed packet
}

Note: ascii-chat uses nonce-based encryption which provides implicit replay resistance (same nonce won't decrypt to same plaintext due to MAC)

Bug Class 5: Key Confusion

Danger: Using wrong key for operation

How it happens:

// ❌ WRONG: Using password key when DH key should be used
if (password_set) {
  crypto_secretbox_easy(ciphertext, plaintext, nonce, password_key);
} else {
  crypto_secretbox_easy(ciphertext, plaintext, nonce, shared_secret);
}
// Attacker can cause decrypt with wrong key by manipulating password flag

Fix:

// ✅ CORRECT: Consistent key selection logic
uint8_t *encryption_key = (key_exchange_complete && shared_secret_valid)
                         ? shared_secret
                         : password_key;
crypto_secretbox_easy(ciphertext, plaintext, nonce, encryption_key);

Test: Verify encrypted packets with password can't be decrypted with DH key and vice versa

References

• libsodium Documentation
• RFC 7748: Elliptic Curves for Security (X25519)
• RFC 8439: ChaCha20 and Poly1305
• Argon2: Password Hashing Competition Winner
• NaCl: Networking and Cryptography library
• Signal Protocol
• OpenSSH SSH Agent Protocol

Document Version: 2.3 Last Updated: October 2025 (Session rekeying protocol implemented) Maintainer: ascii-chat Development Team License: Same as ascii-chat project (see LICENSE)

See also

topic_crypto "Cryptography Module" for module API documentation

topic_keys "Keys Module" for detailed key handling

topic_handshake "Handshake Protocol" for Handshake Module details

Macro Definition Documentation

AES256_DERIVED_SIZE

#define AES256_DERIVED_SIZE   (AES256_KEY_SIZE + AES_IV_SIZE)

#include <crypto.h>

AES-256 key + IV derived size in bytes (for bcrypt_pbkdf)

Definition at line 112 of file lib/crypto/crypto.h.

AES256_KEY_SIZE

#define AES256_KEY_SIZE   32

#include <crypto.h>

AES-256 key size in bytes.

Definition at line 108 of file lib/crypto/crypto.h.

AES_IV_SIZE

#define AES_IV_SIZE   16

#include <crypto.h>

AES initialization vector (IV) size in bytes.

Definition at line 110 of file lib/crypto/crypto.h.

ANCHOR_LIST_INIT

#define ANCHOR_LIST_INIT   {NULL, 0, 0}

#include <pem_utils.h>

Initializer for anchor_list.

Macro for initializing an empty anchor_list structure. Sets all fields to zero/NULL.

Definition at line 93 of file pem_utils.h.

ARGON2ID_SALT_SIZE

#define ARGON2ID_SALT_SIZE   32

#include <crypto.h>

Argon2id salt size in bytes.

Definition at line 104 of file lib/crypto/crypto.h.

AUTH_CHALLENGE_FLAGS_SIZE

#define AUTH_CHALLENGE_FLAGS_SIZE   1

#include <crypto.h>

Authentication flags size (1 byte)

Definition at line 174 of file lib/crypto/crypto.h.

AUTH_CHALLENGE_PACKET_SIZE

#define AUTH_CHALLENGE_PACKET_SIZE   (AUTH_CHALLENGE_FLAGS_SIZE + AUTH_CHALLENGE_SIZE)

#include <crypto.h>

Complete authentication challenge packet size (1 + 32 = 33 bytes)

Definition at line 176 of file lib/crypto/crypto.h.

AUTH_CHALLENGE_SIZE

#define AUTH_CHALLENGE_SIZE   32

#include <crypto.h>

Challenge nonce size (32 bytes)

Definition at line 158 of file lib/crypto/crypto.h.

AUTH_COMBINED_SIZE

#define AUTH_COMBINED_SIZE   (AUTH_HMAC_SIZE + AUTH_CHALLENGE_SIZE)

#include <crypto.h>

Combined authentication data size (HMAC + challenge, 64 bytes)

Definition at line 160 of file lib/crypto/crypto.h.

AUTH_HMAC_SIZE

#define AUTH_HMAC_SIZE   32

#include <crypto.h>

HMAC size in authentication packets (32 bytes)

Definition at line 156 of file lib/crypto/crypto.h.

AUTH_RESPONSE_PASSWORD_SIZE

#define AUTH_RESPONSE_PASSWORD_SIZE   (AUTH_HMAC_SIZE + AUTH_CHALLENGE_SIZE)

#include <crypto.h>

Password-based authentication response size (HMAC + challenge, 64 bytes)

Definition at line 186 of file lib/crypto/crypto.h.

AUTH_RESPONSE_SIGNATURE_SIZE

#define AUTH_RESPONSE_SIGNATURE_SIZE   (AUTH_SIGNATURE_SIZE + AUTH_CHALLENGE_SIZE)

#include <crypto.h>

Signature-based authentication response size (signature + challenge, 96 bytes)

Definition at line 188 of file lib/crypto/crypto.h.

AUTH_SIGNATURE_COMBINED_SIZE

#define AUTH_SIGNATURE_COMBINED_SIZE   (AUTH_SIGNATURE_SIZE + AUTH_CHALLENGE_SIZE)

#include <crypto.h>

Combined signature + challenge size (96 bytes)

Definition at line 164 of file lib/crypto/crypto.h.

AUTH_SIGNATURE_SIZE

#define AUTH_SIGNATURE_SIZE   64

#include <crypto.h>

Ed25519 signature size (64 bytes)

Definition at line 162 of file lib/crypto/crypto.h.

CRYPTO_ED25519_PRIVATE_KEY_SIZE

#define CRYPTO_ED25519_PRIVATE_KEY_SIZE   ED25519_PRIVATE_KEY_SIZE

#include <crypto.h>

Ed25519 private key size.

Definition at line 134 of file lib/crypto/crypto.h.

CRYPTO_ED25519_PUBLIC_KEY_SIZE

#define CRYPTO_ED25519_PUBLIC_KEY_SIZE   ED25519_PUBLIC_KEY_SIZE

#include <crypto.h>

Ed25519 public key size.

Definition at line 132 of file lib/crypto/crypto.h.

CRYPTO_ED25519_SIGNATURE_SIZE

#define CRYPTO_ED25519_SIGNATURE_SIZE   ED25519_SIGNATURE_SIZE

#include <crypto.h>

Ed25519 signature size.

Definition at line 136 of file lib/crypto/crypto.h.

CRYPTO_ENCRYPTION_KEY_SIZE

#define CRYPTO_ENCRYPTION_KEY_SIZE   SECRETBOX_KEY_SIZE

#include <crypto.h>

Encryption key size (XSalsa20-Poly1305)

Definition at line 142 of file lib/crypto/crypto.h.

CRYPTO_FINGERPRINT_SIZE

#define CRYPTO_FINGERPRINT_SIZE   32

#include <crypto.h>

Ed25519 key fingerprint size in bytes.

SHA-256 hash of the key, resulting in 32 bytes.

Definition at line 380 of file lib/crypto/crypto.h.

CRYPTO_HEX_KEY64_SIZE

#define CRYPTO_HEX_KEY64_SIZE   128

#include <crypto.h>

Hex string size for 64-byte key (128 hex characters)

Definition at line 396 of file lib/crypto/crypto.h.

CRYPTO_HEX_KEY64_SIZE_NULL

#define CRYPTO_HEX_KEY64_SIZE_NULL   129

#include <crypto.h>

Hex string size for 64-byte key with null terminator (129 bytes)

Definition at line 398 of file lib/crypto/crypto.h.

CRYPTO_HEX_KEY_SIZE

#define CRYPTO_HEX_KEY_SIZE   64

#include <crypto.h>

Hex string size for 32-byte key (64 hex characters)

Definition at line 392 of file lib/crypto/crypto.h.

CRYPTO_HEX_KEY_SIZE_NULL

#define CRYPTO_HEX_KEY_SIZE_NULL   65

#include <crypto.h>

Hex string size for 32-byte key with null terminator (65 bytes)

Definition at line 394 of file lib/crypto/crypto.h.

CRYPTO_HMAC_SIZE

#define CRYPTO_HMAC_SIZE   HMAC_SHA256_SIZE

#include <crypto.h>

HMAC size (HMAC-SHA256)

Definition at line 146 of file lib/crypto/crypto.h.

CRYPTO_KEY_SIZE

#define CRYPTO_KEY_SIZE   32

#include <crypto.h>

Ed25519 key size in bytes.

Ed25519 public and private keys are 32 bytes each.

Definition at line 371 of file lib/crypto/crypto.h.

CRYPTO_MAC_SIZE

#define CRYPTO_MAC_SIZE   POLY1305_MAC_SIZE

#include <crypto.h>

MAC size (Poly1305)

Definition at line 144 of file lib/crypto/crypto.h.

CRYPTO_MAX_CIPHERTEXT_SIZE

#define CRYPTO_MAX_CIPHERTEXT_SIZE   (CRYPTO_MAX_PLAINTEXT_SIZE + CRYPTO_MAC_SIZE)

#include <crypto.h>

Maximum ciphertext size (plaintext + MAC, ~1MB + 16 bytes)

Definition at line 231 of file lib/crypto/crypto.h.

CRYPTO_MAX_PLAINTEXT_SIZE

#define CRYPTO_MAX_PLAINTEXT_SIZE   ((size_t)1024 * 1024)

#include <crypto.h>

Maximum plaintext size (1MB)

Definition at line 229 of file lib/crypto/crypto.h.

CRYPTO_NONCE_SIZE

#define CRYPTO_NONCE_SIZE   XSALSA20_NONCE_SIZE

#include <crypto.h>

Nonce size (XSalsa20)

Definition at line 138 of file lib/crypto/crypto.h.

CRYPTO_PRIVATE_KEY_SIZE

#define CRYPTO_PRIVATE_KEY_SIZE   X25519_KEY_SIZE

#include <crypto.h>

Private key size (X25519)

Definition at line 128 of file lib/crypto/crypto.h.

CRYPTO_PUBLIC_KEY_SIZE

#define CRYPTO_PUBLIC_KEY_SIZE   X25519_KEY_SIZE

#include <crypto.h>

Public key size (X25519)

Definition at line 126 of file lib/crypto/crypto.h.

CRYPTO_SALT_SIZE

#define CRYPTO_SALT_SIZE   ARGON2ID_SALT_SIZE

#include <crypto.h>

Salt size (Argon2id)

Definition at line 140 of file lib/crypto/crypto.h.

CRYPTO_SHARED_KEY_SIZE

#define CRYPTO_SHARED_KEY_SIZE   X25519_KEY_SIZE

#include <crypto.h>

Shared key size (X25519)

Definition at line 130 of file lib/crypto/crypto.h.

ED25519_PRIVATE_KEY_SIZE

#define ED25519_PRIVATE_KEY_SIZE   64

#include <crypto.h>

Ed25519 private key size (seed + public) in bytes.

Definition at line 94 of file lib/crypto/crypto.h.

ED25519_PUBLIC_KEY_SIZE

#define ED25519_PUBLIC_KEY_SIZE   32

#include <crypto.h>

Ed25519 public key size in bytes.

Definition at line 92 of file lib/crypto/crypto.h.

ED25519_SIGNATURE_SIZE

#define ED25519_SIGNATURE_SIZE   64

#include <crypto.h>

Ed25519 signature size in bytes.

Definition at line 96 of file lib/crypto/crypto.h.

HEX_STRING_SIZE_32

#define HEX_STRING_SIZE_32   (32 * 2 + 1)

#include <crypto.h>

Hex string size for 32-byte values (64 hex chars + null terminator)

Definition at line 213 of file lib/crypto/crypto.h.

HEX_STRING_SIZE_64

#define HEX_STRING_SIZE_64   (64 * 2 + 1)

#include <crypto.h>

Hex string size for 64-byte values (128 hex chars + null terminator)

Definition at line 215 of file lib/crypto/crypto.h.

HMAC_SHA256_SIZE

#define HMAC_SHA256_SIZE   32

#include <crypto.h>

HMAC-SHA256 output size in bytes.

Definition at line 102 of file lib/crypto/crypto.h.

MAX_AUTH_FAILED_PACKET_SIZE

#define MAX_AUTH_FAILED_PACKET_SIZE   256

#include <crypto.h>

Maximum AUTH_FAILED packet size (256 bytes)

Definition at line 201 of file lib/crypto/crypto.h.

MAX_COMMENT_LEN

#define MAX_COMMENT_LEN   256

#include <crypto.h>

Definition at line 433 of file lib/crypto/crypto.h.

MAX_ENCRYPTED_PACKET_SIZE

#define MAX_ENCRYPTED_PACKET_SIZE   65536

#include <crypto.h>

Maximum encrypted packet size (64KB)

Definition at line 203 of file lib/crypto/crypto.h.

MAX_GPG_KEYGRIP_LEN

#define MAX_GPG_KEYGRIP_LEN   64

#include <crypto.h>

Definition at line 434 of file lib/crypto/crypto.h.

MAX_PASSWORD_LENGTH

#define MAX_PASSWORD_LENGTH   256

#include <crypto.h>

Maximum password length (256 characters)

Definition at line 80 of file lib/crypto/crypto.h.

MIN_PASSWORD_LENGTH

#define MIN_PASSWORD_LENGTH   8

#include <crypto.h>

Minimum password length (8 characters)

Definition at line 78 of file lib/crypto/crypto.h.

NO_IDENTITY_MARKER

#define NO_IDENTITY_MARKER   "no-identity"

#include <crypto.h>

No-identity entry marker ("no-identity")

Definition at line 416 of file lib/crypto/crypto.h.

PASSWORD_BUFFER_SIZE

#define PASSWORD_BUFFER_SIZE   256

#include <crypto.h>

Password input buffer size (256 bytes)

Definition at line 217 of file lib/crypto/crypto.h.

POLY1305_MAC_SIZE

#define POLY1305_MAC_SIZE   16

#include <crypto.h>

Poly1305 MAC size in bytes.

Definition at line 100 of file lib/crypto/crypto.h.

REKEY_DEFAULT_PACKET_THRESHOLD

#define REKEY_DEFAULT_PACKET_THRESHOLD   1000000

#include <crypto.h>

Default rekey packet threshold (1 million packets)

Definition at line 1242 of file lib/crypto/crypto.h.

REKEY_DEFAULT_TIME_THRESHOLD

#define REKEY_DEFAULT_TIME_THRESHOLD   3600

#include <crypto.h>

Default rekey time threshold (1 hour in seconds)

Definition at line 1240 of file lib/crypto/crypto.h.

REKEY_MAX_FAILURE_COUNT

#define REKEY_MAX_FAILURE_COUNT   10

#include <crypto.h>

Maximum consecutive rekey failures before giving up.

Definition at line 1248 of file lib/crypto/crypto.h.

REKEY_MIN_INTERVAL

#define REKEY_MIN_INTERVAL   3

#include <crypto.h>

Minimum time interval between rekey requests (3 seconds for testing, 60 for production)

Definition at line 1238 of file lib/crypto/crypto.h.

REKEY_MIN_REQUEST_INTERVAL

#define REKEY_MIN_REQUEST_INTERVAL   60

#include <crypto.h>

Minimum interval between rekey requests (60 seconds, DDoS protection)

Definition at line 1250 of file lib/crypto/crypto.h.

REKEY_TEST_PACKET_THRESHOLD

#define REKEY_TEST_PACKET_THRESHOLD   1000

#include <crypto.h>

Test mode rekey packet threshold (1000 packets)

Definition at line 1246 of file lib/crypto/crypto.h.

REKEY_TEST_TIME_THRESHOLD

#define REKEY_TEST_TIME_THRESHOLD   30

#include <crypto.h>

Test mode rekey time threshold (30 seconds)

Definition at line 1244 of file lib/crypto/crypto.h.

SECRETBOX_KEY_SIZE

#define SECRETBOX_KEY_SIZE   32

#include <crypto.h>

Secretbox key size in bytes.

Definition at line 106 of file lib/crypto/crypto.h.

SERVER_AUTH_RESPONSE_SIZE

#define SERVER_AUTH_RESPONSE_SIZE   AUTH_HMAC_SIZE

#include <crypto.h>

Server authentication response size (32 bytes)

Definition at line 193 of file lib/crypto/crypto.h.

SESSION_ID_SIZE

#define SESSION_ID_SIZE   16

#include <crypto.h>

Session ID size in bytes.

Definition at line 114 of file lib/crypto/crypto.h.

SSH_ED25519_KEY_TYPE

#define SSH_ED25519_KEY_TYPE   "ssh-ed25519"

#include <crypto.h>

SSH Ed25519 key type string ("ssh-ed25519")

Definition at line 412 of file lib/crypto/crypto.h.

SSH_KEY_HEADER_SIZE

#define SSH_KEY_HEADER_SIZE    (SSH_KEY_TYPE_LENGTH_SIZE + SSH_KEY_TYPE_STRING_SIZE + SSH_KEY_PUBLIC_KEY_LENGTH_SIZE + SSH_KEY_PUBLIC_KEY_SIZE)

#include <crypto.h>

Definition at line 357 of file lib/crypto/crypto.h.

SSH_KEY_PERMISSIONS_MASK

#define SSH_KEY_PERMISSIONS_MASK   (S_IRWXG | S_IRWXO)

#include <crypto.h>

Definition at line 425 of file lib/crypto/crypto.h.

SSH_KEY_PUBLIC_KEY_LENGTH_SIZE

#define SSH_KEY_PUBLIC_KEY_LENGTH_SIZE   4

#include <crypto.h>

Definition at line 355 of file lib/crypto/crypto.h.

SSH_KEY_PUBLIC_KEY_SIZE

#define SSH_KEY_PUBLIC_KEY_SIZE   32

#include <crypto.h>

Definition at line 356 of file lib/crypto/crypto.h.

SSH_KEY_RECOMMENDED_PERMISSIONS

#define SSH_KEY_RECOMMENDED_PERMISSIONS   0600

#include <crypto.h>

Definition at line 426 of file lib/crypto/crypto.h.

SSH_KEY_TYPE_LENGTH_SIZE

#define SSH_KEY_TYPE_LENGTH_SIZE   4

#include <crypto.h>

Definition at line 353 of file lib/crypto/crypto.h.

SSH_KEY_TYPE_STRING_SIZE

#define SSH_KEY_TYPE_STRING_SIZE   11

#include <crypto.h>

Definition at line 354 of file lib/crypto/crypto.h.

X25519_KEY_SIZE

#define X25519_KEY_SIZE   32

#include <crypto.h>

X25519 key size in bytes.

Definition at line 90 of file lib/crypto/crypto.h.

X25519_KEY_TYPE

#define X25519_KEY_TYPE   "x25519"

#include <crypto.h>

X25519 key type string ("x25519")

Definition at line 414 of file lib/crypto/crypto.h.

XSALSA20_NONCE_SIZE

#define XSALSA20_NONCE_SIZE   24

#include <crypto.h>

XSalsa20 nonce size in bytes.

Definition at line 98 of file lib/crypto/crypto.h.

ZERO_KEY_SIZE

#define ZERO_KEY_SIZE   X25519_KEY_SIZE

#include <crypto.h>

Zero key array size (32 bytes, used for no-identity entries)

Definition at line 219 of file lib/crypto/crypto.h.

Typedef Documentation

crypto_context_t

typedef struct crypto_context_t crypto_context_t

#include <crypto.h>

Cryptographic context structure.

Manages all cryptographic state for a single connection, including key exchange, encryption/decryption, authentication, and session rekeying.

Note

Nonce generation: Nonces are constructed as session_id || counter where session_id is 16 bytes and counter fills the remaining bytes. This prevents both within-session and cross-session replay attacks.

Session ID: Generated once per connection and remains constant. Used to prevent cross-session replay attacks.

Nonce counter: Starts at 1 (0 is reserved for testing) and increments for each encryption operation. Prevents nonce reuse within a session.

Byte order: Client must convert network byte order to host byte order for crypto parameters. Server uses host byte order directly.

Key exchange formats:

• Simple format: Only ephemeral public key (when server has no identity key)
• Authenticated format: Ephemeral key + identity key + signature (when server has identity key)

Enumeration Type Documentation

crypto_result_t

enum crypto_result_t

#include <crypto.h>

Cryptographic operation result codes.

Enumerator
CRYPTO_OK	Operation succeeded
CRYPTO_ERROR_INIT_FAILED	Initialization failed
CRYPTO_ERROR_INVALID_PARAMS	Invalid parameters provided
CRYPTO_ERROR_MEMORY	Memory allocation failed
CRYPTO_ERROR_LIBSODIUM	libsodium operation failed
CRYPTO_ERROR_KEY_GENERATION	Key generation failed
CRYPTO_ERROR_PASSWORD_DERIVATION	Password-based key derivation failed
CRYPTO_ERROR_ENCRYPTION	Encryption operation failed
CRYPTO_ERROR_DECRYPTION	Decryption operation failed
CRYPTO_ERROR_INVALID_MAC	MAC verification failed (possible tampering)
CRYPTO_ERROR_BUFFER_TOO_SMALL	Output buffer too small
CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE	Key exchange not complete
CRYPTO_ERROR_NONCE_EXHAUSTED	Nonce counter exhausted (should rekey)
CRYPTO_ERROR_REKEY_IN_PROGRESS	Rekey already in progress
CRYPTO_ERROR_REKEY_FAILED	Rekey handshake failed
CRYPTO_ERROR_REKEY_RATE_LIMITED	Too many rekey attempts (DDoS protection)

Definition at line 329 of file lib/crypto/crypto.h.

             {
  CRYPTO_OK = 0,                              
  CRYPTO_ERROR_INIT_FAILED = -1,              
  CRYPTO_ERROR_INVALID_PARAMS = -2,           
  CRYPTO_ERROR_MEMORY = -3,                   
  CRYPTO_ERROR_LIBSODIUM = -4,                
  CRYPTO_ERROR_KEY_GENERATION = -5,           
  CRYPTO_ERROR_PASSWORD_DERIVATION = -6,      
  CRYPTO_ERROR_ENCRYPTION = -7,               
  CRYPTO_ERROR_DECRYPTION = -8,               
  CRYPTO_ERROR_INVALID_MAC = -9,              
  CRYPTO_ERROR_BUFFER_TOO_SMALL = -10,        
  CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE = -11, 
  CRYPTO_ERROR_NONCE_EXHAUSTED = -12,         
  CRYPTO_ERROR_REKEY_IN_PROGRESS = -13,       
  CRYPTO_ERROR_REKEY_FAILED = -14,            
  CRYPTO_ERROR_REKEY_RATE_LIMITED = -15       
} crypto_result_t;

Function Documentation

add_known_host()

asciichat_error_t add_known_host	(	const char *	server_ip,
		uint16_t	port,
		const uint8_t	server_key[32]
	)

#include <known_hosts.h>

Add server to known_hosts.

Parameters

server_ip	Server IP address (IPv4 or IPv6, must not be NULL)
port	Server port number
server_key	Server's Ed25519 public key (32 bytes, must not be NULL)

Returns

ASCIICHAT_OK on success, error code on failure

Adds server identity key to known_hosts file. Creates file if it doesn't exist and creates directory if needed.

Note

File format: Adds entry as <IP:port> x25519 <hex_key> [comment]. Uses proper bracket notation for IPv6 addresses.

File creation: Creates ~/.ascii-chat/known_hosts if it doesn't exist. Creates ~/.ascii-chat/ directory if needed.

File permissions: Sets file permissions to 0600 (Unix only). Windows does not have Unix-style permissions.

Append mode: Appends entry to end of file (does not overwrite existing entries). Multiple entries for same IP:port are allowed (e.g., key rotation).

Key format: Converts server key to hex string (64 hex chars) for storage. Key is stored as X25519 format (32 bytes).

Warning

File permissions: Sets restrictive permissions (0600) but function may fail if file was just created by fopen (chmod may fail). This is acceptable.

Definition at line 347 of file known_hosts.c.

                                                                                                     {
  // Validate parameters first
  if (!server_ip || !server_key) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "Invalid parameters: server_ip=%p, server_key=%p", server_ip, server_key);
  }
 
  // Check for empty string (must be after NULL check)
  size_t ip_len = strlen(server_ip);
  if (ip_len == 0) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "Empty hostname/IP");
  }
 
  const char *path = get_known_hosts_path();
  if (!path || path[0] == '\0') {
    SET_ERRNO(ERROR_CONFIG, "Failed to get known hosts file path");
    return ERROR_CONFIG;
  }
 
  // Create parent directories recursively (like mkdir -p)
  size_t path_len = strlen(path);
  if (path_len == 0) {
    SET_ERRNO(ERROR_CONFIG, "Empty known hosts file path");
    return ERROR_CONFIG;
  }
  char *dir = SAFE_MALLOC(path_len + 1, char *);
  defer(SAFE_FREE(dir));
  if (!dir) {
    SET_ERRNO(ERROR_MEMORY, "Failed to allocate memory for directory path");
    return ERROR_MEMORY;
  }
  memcpy(dir, path, path_len + 1);
 
  // Find the last path separator
  char *last_sep = strrchr(dir, PATH_DELIM);
 
  if (last_sep) {
    *last_sep = '\0'; // Truncate to get directory path
    asciichat_error_t result = mkdir_recursive(dir);
    if (result != ASCIICHAT_OK) {
      return result; // Error already set by mkdir_recursive
    }
  }
 
  // Create the file if it doesn't exist, then append to it
  // Note: Temporarily removed log_debug to avoid potential crashes during debugging
  // log_debug("KNOWN_HOSTS: Attempting to create/open file: %s", path);
  // Use "a" mode for append-only (simpler and works better with chmod)
  FILE *f = platform_fopen(path, "a");
  defer(SAFE_FCLOSE(f));
  if (!f) {
    // log_debug("KNOWN_HOSTS: platform_fopen failed: %s (errno=%d)", SAFE_STRERROR(errno), errno);
    return SET_ERRNO_SYS(ERROR_CONFIG, "Failed to create/open known hosts file: %s", path);
  }
  // Set secure permissions (0600) - only owner can read/write
  // Note: chmod may fail if file was just created by fopen, but that's okay
  (void)platform_chmod(path, FILE_PERM_PRIVATE);
  // log_debug("KNOWN_HOSTS: Successfully opened file: %s", path);
 
  // Format IP:port with proper bracket notation for IPv6
  char ip_with_port[BUFFER_SIZE_MEDIUM];
  if (format_ip_with_port(server_ip, port, ip_with_port, sizeof(ip_with_port)) != ASCIICHAT_OK) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "Invalid IP format: %s", server_ip);
  }
 
  // Convert key to hex for storage
  char hex[CRYPTO_HEX_KEY_SIZE_NULL] = {0}; // Initialize to zeros for safety
  bool is_placeholder = true;
  // Build hex string byte by byte to avoid buffer overflow issues
  for (int i = 0; i < ED25519_PUBLIC_KEY_SIZE; i++) {
    // Convert each byte to 2 hex digits directly
    uint8_t byte = server_key[i];
    hex[i * 2] = "0123456789abcdef"[byte >> 4];      // High nibble
    hex[i * 2 + 1] = "0123456789abcdef"[byte & 0xf]; // Low nibble
    if (byte != 0) {
      is_placeholder = false;
    }
  }
  hex[CRYPTO_HEX_KEY_SIZE] = '\0'; // Ensure null termination (64 hex digits + null terminator)
 
  // Write to file and check for errors
  int fprintf_result;
  if (is_placeholder) {
    // Server has no identity key - store as placeholder
    fprintf_result = safe_fprintf(f, "%s %s 0000000000000000000000000000000000000000000000000000000000000000 %s\n",
                                  ip_with_port, NO_IDENTITY_MARKER, ASCII_CHAT_APP_NAME);
  } else {
    // Server has identity key - store normally
    fprintf_result = safe_fprintf(f, "%s %s %s %s\n", ip_with_port, X25519_KEY_TYPE, hex, ASCII_CHAT_APP_NAME);
  }
 
  // Check if fprintf failed
  if (fprintf_result < 0) {
    return SET_ERRNO_SYS(ERROR_CONFIG, "CRITICAL SECURITY ERROR: Failed to write to known_hosts file: %s", path);
  }
 
  // Flush to ensure data is written
  if (fflush(f) != 0) {
    return SET_ERRNO_SYS(ERROR_CONFIG, "CRITICAL SECURITY ERROR: Failed to flush known_hosts file: %s", path);
  }
 
  log_debug("KNOWN_HOSTS: Successfully added host to known_hosts file: %s", path);
 
  return ASCIICHAT_OK;
}

References ASCII_CHAT_APP_NAME, ASCIICHAT_OK, BUFFER_SIZE_MEDIUM, CRYPTO_HEX_KEY_SIZE, CRYPTO_HEX_KEY_SIZE_NULL, defer, ED25519_PUBLIC_KEY_SIZE, ERROR_CONFIG, ERROR_INVALID_PARAM, ERROR_MEMORY, FILE_PERM_PRIVATE, format_ip_with_port(), get_known_hosts_path(), log_debug, NO_IDENTITY_MARKER, PATH_DELIM, platform_chmod(), platform_fopen(), SAFE_FCLOSE, safe_fprintf(), SAFE_FREE, SAFE_MALLOC, SET_ERRNO, SET_ERRNO_SYS, and X25519_KEY_TYPE.

Referenced by crypto_handshake_client_key_exchange().

check_known_host()

asciichat_error_t check_known_host	(	const char *	server_ip,
		uint16_t	port,
		const uint8_t	server_key[32]
	)

#include <known_hosts.h>

Check if server key is in known_hosts.

Parameters

server_ip	Server IP address (IPv4 or IPv6, must not be NULL)
port	Server port number
server_key	Server's Ed25519 public key (32 bytes, must not be NULL)

Returns

ASCIICHAT_OK if server not in known_hosts (first connection), positive value if key matches (connection verified), ERROR_CRYPTO_VERIFICATION if key mismatch (MITM warning)

Checks if server key matches known hosts entry for the given IP:port. Returns different values based on verification result.

Note

Return values:

• ASCIICHAT_OK (0): Server not in known_hosts (first connection, needs verification)
• Positive value (1): Key matches known_hosts (connection verified, safe to proceed)
• ERROR_CRYPTO_VERIFICATION: Key mismatch (MITM attack or key rotation, needs user confirmation)

File format: Searches for entries matching <IP:port> x25519 <hex_key>. Supports both IPv4 and IPv6 addresses with proper bracket notation.

Multiple entries: If multiple entries exist for same IP:port, searches all entries and uses first matching key. Continues searching if key doesn't match.

No-identity entries: Skips "no-identity" entries when checking identity keys. If server has identity key but entry is "no-identity", continues searching.

Zero key handling: Special case for no-identity servers with zero keys. If both server key and stored key are zero, returns match (verified no-identity connection).

Key comparison: Uses constant-time comparison (sodium_memcmp) to prevent timing attacks.

File location: Uses ~/.ascii-chat/known_hosts (or equivalent on Windows). Returns ASCIICHAT_OK if file doesn't exist (first connection).

Warning

This function should NOT be called for servers without identity keys. Use check_known_host_no_identity() for servers without identity keys.

Key mismatch: Returns ERROR_CRYPTO_VERIFICATION if key doesn't match. This indicates potential MITM attack or key rotation. User should verify.

Definition at line 77 of file known_hosts.c.

                                                                                                       {
  // Validate parameters first
  if (!server_ip || !server_key) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "Invalid parameters: server_ip=%p, server_key=%p", server_ip, server_key);
  }
 
  const char *path = get_known_hosts_path();
  int fd = platform_open(path, PLATFORM_O_RDONLY, FILE_PERM_PRIVATE);
  if (fd < 0) {
    // File doesn't exist - this is an unknown host that needs verification
    log_warn("Known hosts file does not exist: %s", path);
    return ASCIICHAT_OK; // Return 0 to indicate unknown host (first connection)
  }
  FILE *f = platform_fdopen(fd, "r");
  defer(SAFE_FCLOSE(f));
  if (!f) {
    // Failed to open file descriptor as FILE*
    platform_close(fd);
    log_warn("Failed to open known hosts file: %s", path);
    return ASCIICHAT_OK; // Return 0 to indicate unknown host (first connection)
  }
 
  char line[BUFFER_SIZE_XLARGE];
  char expected_prefix[BUFFER_SIZE_MEDIUM];
 
  // Format IP:port with proper bracket notation for IPv6
  char ip_with_port[BUFFER_SIZE_MEDIUM];
  if (format_ip_with_port(server_ip, port, ip_with_port, sizeof(ip_with_port)) != ASCIICHAT_OK) {
 
    return SET_ERRNO(ERROR_INVALID_PARAM, "Invalid IP format: %s", server_ip);
  }
 
  // Add space after IP:port for prefix matching
  safe_snprintf(expected_prefix, sizeof(expected_prefix), "%s ", ip_with_port);
 
  // Search through ALL matching entries to find one that matches the server key
  bool found_entries = false;
  while (fgets(line, sizeof(line), f)) {
    if (line[0] == '#')
      continue; // Comment
 
    if (strncmp(line, expected_prefix, strlen(expected_prefix)) == 0) {
      // Found matching IP:port - check if this entry matches the server key
      found_entries = true;
      size_t prefix_len = strlen(expected_prefix);
      size_t line_len = strlen(line);
      if (line_len < prefix_len) {
        // Line is too short to contain the prefix - skip this entry
        continue;
      }
      char *key_type = line + prefix_len;
 
      if (strncmp(key_type, NO_IDENTITY_MARKER, strlen(NO_IDENTITY_MARKER)) == 0) {
        // This is a "no-identity" entry, but server is presenting an identity key
        // This is a key mismatch - continue searching for a matching identity key
        log_debug("SECURITY_DEBUG: Found no-identity entry, but server has identity key - continuing search");
        continue;
      }
 
      // Parse key from line (normal identity key)
      // Format: x25519 <hex_key> <comment>
      // Extract just the hex key part
      char *hex_key_start = strchr(key_type, ' ');
      if (!hex_key_start) {
        log_debug("SECURITY_DEBUG: No space found in key type: %s", key_type);
        continue; // Try next entry
      }
      hex_key_start++; // Skip the space
 
      // Find the end of the hex key (next space or end of line)
      char *hex_key_end = strchr(hex_key_start, ' ');
      if (hex_key_end) {
        *hex_key_end = '\0'; // Null-terminate the hex key
      }
 
      public_key_t stored_key;
      if (parse_public_key(hex_key_start, &stored_key) != 0) {
        log_debug("SECURITY_DEBUG: Failed to parse key from hex: %s", hex_key_start);
        continue; // Try next entry
      }
 
      // DEBUG: Print both keys for comparison
      char server_key_hex[CRYPTO_HEX_KEY_SIZE_NULL], stored_key_hex[CRYPTO_HEX_KEY_SIZE_NULL];
      for (int i = 0; i < CRYPTO_KEY_SIZE; i++) {
        safe_snprintf(server_key_hex + i * 2, 3, "%02x", server_key[i]);
        safe_snprintf(stored_key_hex + i * 2, 3, "%02x", stored_key.key[i]);
      }
      server_key_hex[CRYPTO_HEX_KEY_SIZE] = '\0';
      stored_key_hex[CRYPTO_HEX_KEY_SIZE] = '\0';
      log_debug("SECURITY_DEBUG: Server key: %s", server_key_hex);
      log_debug("SECURITY_DEBUG: Stored key: %s", stored_key_hex);
 
      // Check if server key is all zeros (no-identity server)
      bool server_key_is_zero = true;
      for (int i = 0; i < ED25519_PUBLIC_KEY_SIZE; i++) {
        if (server_key[i] != 0) {
          server_key_is_zero = false;
          break;
        }
      }
 
      // Check if stored key is all zeros
      bool stored_key_is_zero = true;
      for (int i = 0; i < ED25519_PUBLIC_KEY_SIZE; i++) {
        if (stored_key.key[i] != 0) {
          stored_key_is_zero = false;
          break;
        }
      }
 
      // If both keys are zero, this is a no-identity connection
      // that was previously accepted by the user. Note: This provides weaker
      // security than key-based verification since any server at this IP:port
      // without an identity key will match.
      if (server_key_is_zero && stored_key_is_zero) {
        log_warn("SECURITY: Connecting to no-identity server at known IP:port. "
                 "This provides weaker security than key-based verification.");
        return 1; // Match found (no-identity server)
      }
 
      // Compare keys (constant-time to prevent timing attacks)
      if (sodium_memcmp(server_key, stored_key.key, ED25519_PUBLIC_KEY_SIZE) == 0) {
        log_info("SECURITY: Server key matches known_hosts - connection verified");
        return 1; // Match found!
      }
      log_debug("SECURITY_DEBUG: Key mismatch, continuing search...");
    }
  }
 
  // No matching key found - check if we found any entries at all
  if (found_entries) {
    // We found entries for this IP:port but none matched the server key
    // This is a key mismatch (potential MITM attack)
    log_error("SECURITY: Server key does NOT match any known_hosts entries!");
    log_error("SECURITY: This indicates a possible man-in-the-middle attack!");
    return ERROR_CRYPTO_VERIFICATION; // Key mismatch - MITM warning!
  }
 
  // No entries found for this IP:port - first connection
  return ASCIICHAT_OK; // Not found = first connection
}

References ASCIICHAT_OK, BUFFER_SIZE_MEDIUM, BUFFER_SIZE_XLARGE, CRYPTO_HEX_KEY_SIZE, CRYPTO_HEX_KEY_SIZE_NULL, CRYPTO_KEY_SIZE, defer, ED25519_PUBLIC_KEY_SIZE, ERROR_CRYPTO_VERIFICATION, ERROR_INVALID_PARAM, FILE_PERM_PRIVATE, format_ip_with_port(), get_known_hosts_path(), public_key_t::key, log_debug, log_error, log_info, log_warn, NO_IDENTITY_MARKER, parse_public_key(), platform_close(), platform_fdopen(), PLATFORM_O_RDONLY, platform_open(), SAFE_FCLOSE, safe_snprintf(), and SET_ERRNO.

Referenced by crypto_handshake_client_key_exchange().

check_known_host_no_identity()

asciichat_error_t check_known_host_no_identity	(	const char *	server_ip,
		uint16_t	port
	)

#include <known_hosts.h>

Check known_hosts for servers without identity key (no-identity entries)

Parameters

server_ip	Server IP address (IPv4 or IPv6, must not be NULL)
port	Server port number

Returns

ASCIICHAT_OK if server not in known_hosts (first connection), positive value if no-identity entry found (connection previously accepted), ERROR_CRYPTO_VERIFICATION if server previously had identity key but now has none

Checks if server has "no-identity" entry in known_hosts. Used for servers that don't have identity keys (ephemeral keys only).

Note

Return values:

• ASCIICHAT_OK (0): Server not in known_hosts (first connection, needs verification)
• Positive value (1): No-identity entry found (connection previously accepted)
• ERROR_CRYPTO_VERIFICATION: Server previously had identity key but now has none (security concern)

File format: Searches for entries matching <IP:port> no-identity. Does NOT verify keys (no keys to verify for no-identity servers).

Purpose: This function is NOT for key verification (no keys to verify). Use check_known_host() for servers with identity keys.

Security: Cannot verify server identity (no identity key to verify). Only tracks whether user previously accepted connection to this server.

Warning

This function should NOT be used for key verification. Use check_known_host() for servers with identity keys.

Security limitation: Cannot verify server identity (no keys to compare). Only provides tracking of previously accepted connections.

Definition at line 223 of file known_hosts.c.

                                                                                     {
  const char *path = get_known_hosts_path();
  int fd = platform_open(path, PLATFORM_O_RDONLY, FILE_PERM_PRIVATE);
  if (fd < 0) {
    // File doesn't exist - this is an unknown host that needs verification
    log_warn("Known hosts file does not exist: %s", path);
    return ASCIICHAT_OK; // Return 0 to indicate unknown host (first connection)
  }
 
  FILE *f = platform_fdopen(fd, "r");
  defer(SAFE_FCLOSE(f));
  if (!f) {
    // Failed to open file descriptor as FILE*
    platform_close(fd);
    log_warn("Failed to open known hosts file: %s", path);
    return ASCIICHAT_OK; // Return 0 to indicate unknown host (first connection)
  }
 
  char line[BUFFER_SIZE_XLARGE];
  char expected_prefix[BUFFER_SIZE_MEDIUM];
 
  // Format IP:port with proper bracket notation for IPv6
  char ip_with_port[BUFFER_SIZE_MEDIUM];
  if (format_ip_with_port(server_ip, port, ip_with_port, sizeof(ip_with_port)) != ASCIICHAT_OK) {
 
    return SET_ERRNO(ERROR_INVALID_PARAM, "Invalid IP format: %s", server_ip);
  }
 
  // Add space after IP:port for prefix matching
  safe_snprintf(expected_prefix, sizeof(expected_prefix), "%s ", ip_with_port);
 
  while (fgets(line, sizeof(line), f)) {
    if (line[0] == '#')
      continue; // Comment
 
    if (strncmp(line, expected_prefix, strlen(expected_prefix)) == 0) {
      // Found matching IP:port
 
      // Check if this is a "no-identity" entry
      // Bounds check: ensure line is long enough to contain the prefix
      size_t prefix_len = strlen(expected_prefix);
      size_t line_len = strlen(line);
      if (line_len < prefix_len) {
        // Line is too short to contain the prefix - this shouldn't happen
        // but let's be safe and treat as unknown host
        return ASCIICHAT_OK;
      }
      char *key_type = line + prefix_len;
      // Skip leading whitespace
      while (*key_type == ' ' || *key_type == '\t') {
        key_type++;
      }
      if (strncmp(key_type, "no-identity", 11) == 0) {
        // This is a server without identity key that was previously accepted by the user
        // No warnings or user confirmation needed - user already accepted this server
        return 1; // Known host (no-identity entry) - secure connection
      }
 
      // If we found a normal identity key entry, this is a mismatch
      // Server previously had identity key but now has none
      log_warn("Server previously had identity key but now has none - potential security issue");
      return ERROR_CRYPTO_VERIFICATION; // Mismatch - server changed from identity to no-identity
    }
  }
 
  return ASCIICHAT_OK; // Not found = first connection
}

References ASCIICHAT_OK, BUFFER_SIZE_MEDIUM, BUFFER_SIZE_XLARGE, defer, ERROR_CRYPTO_VERIFICATION, ERROR_INVALID_PARAM, FILE_PERM_PRIVATE, format_ip_with_port(), get_known_hosts_path(), log_warn, platform_close(), platform_fdopen(), PLATFORM_O_RDONLY, platform_open(), SAFE_FCLOSE, safe_snprintf(), and SET_ERRNO.

Referenced by crypto_handshake_client_key_exchange().

compute_key_fingerprint()

void compute_key_fingerprint	(	const uint8_t	key[32],
		char	fingerprint[65]
	)

#include <known_hosts.h>

Compute SHA256 fingerprint of Ed25519 key for display.

Parameters

key	Ed25519 public key (32 bytes, must not be NULL)
fingerprint	Output buffer for fingerprint (65 bytes including null terminator)

Computes SHA256 fingerprint of Ed25519 public key for display. Fingerprint is displayed in hex format (64 hex chars + null terminator).

Note

Fingerprint format: SHA256 hash of key, displayed as 64 hex characters. Example: "a1b2c3d4e5f6..."

Output format: Fingerprint is stored as null-terminated hex string (65 bytes total). First 64 bytes are hex characters, 65th byte is null terminator.

Key format: Accepts Ed25519 public key (32 bytes). Fingerprint is computed over raw key bytes.

Use case: Used for displaying key fingerprints in warnings and prompts. Helps users verify keys visually.

Warning

Output buffer must be at least 65 bytes (64 hex chars + null terminator). Function does not validate buffer size (may overflow).

crypto_cleanup()

void crypto_cleanup

(

crypto_context_t *

ctx

)

#include <crypto.h>

Cleanup crypto context with secure memory wiping.

Parameters

ctx	Crypto context to cleanup

Securely zeroes all sensitive data (keys, salts, etc.) before freeing. Always call this when done with a crypto context.

Note

Uses sodium_memzero() to prevent key material from persisting in memory.

Definition at line 183 of file lib/crypto/crypto.c.

                                           {
  if (!ctx || !ctx->initialized) {
    return;
  }
 
  // Securely wipe sensitive data
  secure_memzero(ctx->private_key, sizeof(ctx->private_key));
  secure_memzero(ctx->shared_key, sizeof(ctx->shared_key));
  secure_memzero(ctx->password_key, sizeof(ctx->password_key));
  secure_memzero(ctx->password_salt, sizeof(ctx->password_salt));
 
  log_debug("Crypto context cleaned up (encrypted: %lu bytes, decrypted: %lu bytes)", ctx->bytes_encrypted,
            ctx->bytes_decrypted);
 
  // Clear entire context
  secure_memzero(ctx, sizeof(crypto_context_t));
}

References crypto_context_t::bytes_decrypted, crypto_context_t::bytes_encrypted, crypto_context_t::initialized, log_debug, crypto_context_t::password_key, crypto_context_t::password_salt, crypto_context_t::private_key, and crypto_context_t::shared_key.

Referenced by crypto_handshake_cleanup(), and crypto_init_with_password().

crypto_combine_auth_data()

void crypto_combine_auth_data	(	const uint8_t *	hmac,
		const uint8_t *	challenge_nonce,
		uint8_t *	combined_out
	)

#include <crypto.h>

Combine HMAC and challenge nonce for transmission.

Parameters

hmac	HMAC to transmit (32 bytes)
challenge_nonce	Challenge nonce to transmit (32 bytes)
combined_out	Output buffer for combined data (64 bytes)

Combines HMAC and challenge nonce into a single buffer: [HMAC:32][nonce:32] Used to pack authentication response data for transmission.

Note

Format: [HMAC:32][challenge_nonce:32] (64 bytes total)

Definition at line 1115 of file lib/crypto/crypto.c.

                                                                                                          {
  if (!hmac || !challenge_nonce || !combined_out) {
    SET_ERRNO(ERROR_INVALID_PARAM, "Invalid parameters: hmac=%p, challenge_nonce=%p, combined_out=%p", hmac,
              challenge_nonce, combined_out);
    return;
  }
 
  // Combine HMAC (32 bytes) + challenge nonce (32 bytes) = 64 bytes total
  memcpy(combined_out, hmac, 32);
  memcpy(combined_out + 32, challenge_nonce, 32);
}

References ERROR_INVALID_PARAM, and SET_ERRNO.

crypto_compute_auth_response()

crypto_result_t crypto_compute_auth_response	(	const crypto_context_t *	ctx,
		const uint8_t	nonce[32],
		uint8_t	hmac_out[32]
	)

#include <crypto.h>

Compute authentication response HMAC bound to DH shared_secret.

Parameters

ctx	Crypto context with keys (must have completed key exchange)
nonce	Challenge nonce from server (32 bytes)
hmac_out	Output HMAC (32 bytes)

Returns

CRYPTO_OK on success, error code on failure

Computes: HMAC(auth_key, nonce || shared_secret) This binds the password/key authentication to the DH exchange, preventing MITM.

Note

Key selection: Uses password_key if available, otherwise uses shared_key. This allows password authentication to be optional while still binding to DH.

Key exchange requirement: ctx->key_exchange_complete must be true. Returns CRYPTO_ERROR_INVALID_PARAMS if key exchange is not complete.

MITM prevention: By including shared_secret in the HMAC computation, an attacker cannot intercept and replay authentication responses without knowing the shared secret.

Warning

Context must have completed key exchange before calling this function.

Definition at line 871 of file lib/crypto/crypto.c.

                                                                   {
  if (!ctx || !nonce || !hmac_out) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_compute_auth_response: Invalid parameters (ctx=%p, nonce=%p, hmac_out=%p)",
              ctx, nonce, hmac_out);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Ensure shared secret is derived before computing HMAC
  // This is critical for password HMAC which binds to the shared secret
  if (!ctx->key_exchange_complete) {
    SET_ERRNO(ERROR_CRYPTO, "Cannot compute auth response - key exchange not complete");
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Bind password HMAC to DH shared_secret to prevent MITM
  // Combined data: nonce || shared_secret
  uint8_t combined_data[64];
  memcpy(combined_data, nonce, 32);
  memcpy(combined_data + 32, ctx->shared_key, 32);
 
  // Use password_key if available, otherwise use shared_key
  const uint8_t *auth_key = ctx->has_password ? ctx->password_key : ctx->shared_key;
 
  crypto_result_t result = crypto_compute_hmac_ex(ctx, auth_key, combined_data, 64, hmac_out);
 
  // Securely zero sensitive data containing shared secret
  sodium_memzero(combined_data, sizeof(combined_data));
 
  return result;
}

References crypto_compute_hmac_ex(), CRYPTO_ERROR_INVALID_PARAMS, ERROR_CRYPTO, ERROR_INVALID_PARAM, crypto_context_t::has_password, crypto_context_t::key_exchange_complete, crypto_context_t::password_key, SET_ERRNO, and crypto_context_t::shared_key.

Referenced by crypto_handshake_server_complete().

crypto_compute_hmac()

crypto_result_t crypto_compute_hmac	(	crypto_context_t *	ctx,
		const uint8_t	key[32],
		const uint8_t	data[32],
		uint8_t	hmac[32]
	)

#include <crypto.h>

Compute HMAC-SHA256 for fixed 32-byte data.

Parameters

ctx	Crypto context (for libsodium initialization check)
key	HMAC key (32 bytes)
data	Data to authenticate (32 bytes)
hmac	Output buffer for HMAC (32 bytes)

Returns

CRYPTO_OK on success, error code on failure

Computes HMAC-SHA256 over exactly 32 bytes of data. Useful for authenticating challenge nonces and other fixed-size values.

Note

Automatically initializes libsodium if not already initialized.

Definition at line 802 of file lib/crypto/crypto.c.

                                                      {
  if (!ctx || !key || !data || !hmac) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "crypto_compute_hmac: Invalid parameters (ctx=%p, key=%p, data=%p, hmac=%p)",
                     ctx, key, data, hmac);
  }
 
  crypto_result_t result = init_libsodium();
  if (result != CRYPTO_OK) {
    return result;
  }
 
  crypto_auth_hmacsha256(hmac, data, 32, key);
  return CRYPTO_OK;
}

References CRYPTO_OK, ERROR_INVALID_PARAM, and SET_ERRNO.

crypto_compute_hmac_ex()

crypto_result_t crypto_compute_hmac_ex	(	const crypto_context_t *	ctx,
		const uint8_t	key[32],
		const uint8_t *	data,
		size_t	data_len,
		uint8_t	hmac[32]
	)

#include <crypto.h>

Compute HMAC-SHA256 for variable-length data.

Parameters

ctx	Crypto context (for libsodium initialization check)
key	HMAC key (32 bytes)
data	Data to authenticate (variable length)
data_len	Length of data (must be > 0)
hmac	Output buffer for HMAC (32 bytes)

Returns

CRYPTO_OK on success, error code on failure

Computes HMAC-SHA256 over variable-length data. Useful for authenticating combined values (e.g., nonce || shared_secret).

Note

Automatically initializes libsodium if not already initialized.

Definition at line 818 of file lib/crypto/crypto.c.

                                                                          {
  if (!ctx || !key || !data || !hmac || data_len == 0) {
    return SET_ERRNO(ERROR_INVALID_PARAM,
                     "crypto_compute_hmac_ex: Invalid parameters (ctx=%p, key=%p, data=%p, data_len=%zu, hmac=%p)", ctx,
                     key, data, data_len, hmac);
  }
 
  crypto_result_t result = init_libsodium();
  if (result != CRYPTO_OK) {
    return result;
  }
 
  crypto_auth_hmacsha256(hmac, data, data_len, key);
  return CRYPTO_OK;
}

References CRYPTO_OK, ERROR_INVALID_PARAM, and SET_ERRNO.

Referenced by crypto_compute_auth_response(), and crypto_compute_password_hmac().

crypto_compute_password_hmac()

asciichat_error_t crypto_compute_password_hmac	(	crypto_context_t *	ctx,
		const uint8_t *	password_key,
		const uint8_t *	nonce,
		const uint8_t *	shared_secret,
		uint8_t *	hmac_out
	)

#include <crypto.h>

Compute password-based HMAC for authentication.

Parameters

ctx	Crypto context
password_key	Password-derived key (32 bytes)
nonce	Challenge nonce (32 bytes)
shared_secret	DH shared secret (32 bytes)
hmac_out	Output buffer for HMAC (32 bytes)

Returns

ASCIICHAT_OK on success, error code on failure

Computes: HMAC(password_key, nonce || shared_secret) Binds password authentication to DH key exchange, preventing MITM.

Note

Used by authentication handlers to prove knowledge of password AND shared secret.

Combined data: nonce || shared_secret (64 bytes total)

Definition at line 1045 of file lib/crypto/crypto.c.

                                                                                                {
  if (!ctx || !password_key || !nonce || !shared_secret || !hmac_out) {
    return SET_ERRNO(ERROR_INVALID_PARAM,
                     "Invalid parameters: ctx=%p, password_key=%p, nonce=%p, shared_secret=%p, hmac_out=%p", ctx,
                     password_key, nonce, shared_secret, hmac_out);
  }
 
  // Combine nonce and shared_secret for HMAC computation
  // This binds the password to the DH shared secret, preventing MITM attacks
  uint8_t combined_data[64];
  memcpy(combined_data, nonce, 32);
  memcpy(combined_data + 32, shared_secret, 32);
 
  // Compute HMAC using the password-derived key
  if (crypto_compute_hmac_ex(ctx, password_key, combined_data, 64, hmac_out) != 0) {
    // Securely zero sensitive data containing shared secret even on error
    sodium_memzero(combined_data, sizeof(combined_data));
    return SET_ERRNO(ERROR_CRYPTO, "Failed to compute password HMAC");
  }
 
  // Securely zero sensitive data containing shared secret
  sodium_memzero(combined_data, sizeof(combined_data));
 
  return ASCIICHAT_OK;
}

References ASCIICHAT_OK, crypto_compute_hmac_ex(), ERROR_CRYPTO, ERROR_INVALID_PARAM, and SET_ERRNO.

crypto_create_auth_challenge()

crypto_result_t crypto_create_auth_challenge	(	const crypto_context_t *	ctx,
		uint8_t *	packet_out,
		size_t	packet_size,
		size_t *	packet_len_out
	)

#include <crypto.h>

Create authentication challenge packet.

Parameters

ctx	Crypto context (must be initialized)
packet_out	Output buffer for challenge packet
packet_size	Size of output buffer
packet_len_out	Output parameter for actual packet length

Returns

CRYPTO_OK on success, error code on failure

Creates an authentication challenge packet: [type:4][nonce:auth_challenge_size] Generates a random nonce and stores it in ctx->auth_nonce for later verification.

Note

Packet format: [PACKET_TYPE_AUTH_CHALLENGE:4][random_nonce:32] Total size: sizeof(uint32_t) + ctx->auth_challenge_size (typically 36 bytes)

The generated nonce is stored in ctx->auth_nonce and should be used later to verify the authentication response.

Definition at line 939 of file lib/crypto/crypto.c.

                                                                     {
  if (!ctx || !ctx->initialized || !packet_out || !packet_len_out) {
    SET_ERRNO(
        ERROR_INVALID_PARAM,
        "crypto_create_auth_challenge: Invalid parameters (ctx=%p, initialized=%d, packet_out=%p, packet_len_out=%p)",
        ctx, ctx ? ctx->initialized : 0, packet_out, packet_len_out);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  size_t required_size = sizeof(uint32_t) + ctx->auth_challenge_size; // type + nonce
  if (packet_size < required_size) {
    SET_ERRNO(ERROR_BUFFER, "crypto_create_auth_challenge: Buffer too small (size=%zu, required=%zu)", packet_size,
              required_size);
    return CRYPTO_ERROR_BUFFER_TOO_SMALL;
  }
 
  // Generate random nonce (stores result in ctx->auth_nonce)
  crypto_result_t result = crypto_generate_nonce(ctx->auth_nonce);
  if (result != CRYPTO_OK) {
    return result;
  }
 
  // Pack packet: [type:4][nonce:auth_challenge_size]
  uint32_t packet_type = CRYPTO_PACKET_AUTH_CHALLENGE;
  SAFE_MEMCPY(packet_out, sizeof(packet_type), &packet_type, sizeof(packet_type));
  SAFE_MEMCPY(packet_out + sizeof(packet_type), ctx->auth_challenge_size, ctx->auth_nonce, ctx->auth_challenge_size);
 
  *packet_len_out = required_size;
  return CRYPTO_OK;
}

References crypto_context_t::auth_challenge_size, crypto_context_t::auth_nonce, CRYPTO_ERROR_BUFFER_TOO_SMALL, CRYPTO_ERROR_INVALID_PARAMS, crypto_generate_nonce(), CRYPTO_OK, ERROR_BUFFER, ERROR_INVALID_PARAM, crypto_context_t::initialized, SAFE_MEMCPY, and SET_ERRNO.

crypto_create_encrypted_packet()

crypto_result_t crypto_create_encrypted_packet	(	crypto_context_t *	ctx,
		const uint8_t *	data,
		size_t	data_len,
		uint8_t *	packet_out,
		size_t	packet_size,
		size_t *	packet_len_out
	)

#include <crypto.h>

Create encrypted data packet for network transmission.

Parameters

ctx	Crypto context (must be initialized and ready)
data	Plaintext data to encrypt
data_len	Length of plaintext data
packet_out	Output buffer for encrypted packet
packet_size	Size of output buffer
packet_len_out	Output parameter for actual packet length

Returns

CRYPTO_OK on success, error code on failure

Creates an encrypted data packet: [type:4][length:4][encrypted_data:var] Encrypts the data using crypto_encrypt() and prepends packet type and length.

Note

Packet format: [PACKET_TYPE_ENCRYPTED_DATA:4][data_length:4][encrypted_data] Encrypted data format: [nonce:24][encrypted_data][MAC:16] Total size: sizeof(uint32_t) + sizeof(uint32_t) + data_len + nonce_size + mac_size

Context must be ready (crypto_is_ready() returns true) before calling. This requires either completed key exchange or password-based encryption.

Warning

Ensure packet_size is large enough for encrypted data + headers.

Definition at line 680 of file lib/crypto/crypto.c.

                                                                                                                {
  if (!ctx || !data || !packet_out || !packet_len_out) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_create_encrypted_packet: Invalid parameters (ctx=%p, data=%p, packet_out=%p, packet_len_out=%p)",
              ctx, data, packet_out, packet_len_out);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  if (!crypto_is_ready(ctx)) {
    SET_ERRNO(ERROR_CRYPTO, "crypto_create_encrypted_packet: Crypto context not ready");
    return CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE;
  }
 
  // CRITICAL: Validate data_len to prevent integer overflow in size calculations
  if (data_len > CRYPTO_MAX_PLAINTEXT_SIZE) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_create_encrypted_packet: data_len %zu exceeds max %d", data_len,
              CRYPTO_MAX_PLAINTEXT_SIZE);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Check for integer overflow: data_len + nonce_size + mac_size
  if (data_len > SIZE_MAX - ctx->nonce_size - ctx->mac_size) {
    SET_ERRNO(ERROR_BUFFER, "crypto_create_encrypted_packet: encrypted_size overflow");
    return CRYPTO_ERROR_BUFFER_TOO_SMALL;
  }
  size_t encrypted_size = data_len + ctx->nonce_size + ctx->mac_size;
 
  // Check for integer overflow: header + encrypted_size
  size_t header_size = sizeof(uint32_t) + sizeof(uint32_t);
  if (encrypted_size > SIZE_MAX - header_size) {
    SET_ERRNO(ERROR_BUFFER, "crypto_create_encrypted_packet: required_size overflow");
    return CRYPTO_ERROR_BUFFER_TOO_SMALL;
  }
  size_t required_size = header_size + encrypted_size; // type + len + encrypted_data
 
  if (packet_size < required_size) {
    SET_ERRNO(ERROR_BUFFER, "crypto_create_encrypted_packet: Buffer too small (size=%zu, required=%zu)", packet_size,
              required_size);
    return CRYPTO_ERROR_BUFFER_TOO_SMALL;
  }
 
  // Encrypt the data
  size_t ciphertext_len;
  uint8_t *encrypted_data = packet_out + sizeof(uint32_t) + sizeof(uint32_t);
  crypto_result_t result = crypto_encrypt(ctx, data, data_len, encrypted_data,
                                          packet_size - sizeof(uint32_t) - sizeof(uint32_t), &ciphertext_len);
  if (result != CRYPTO_OK) {
    return result;
  }
 
  // Pack packet: [type:4][length:4][encrypted_data:var]
  uint32_t packet_type = CRYPTO_PACKET_ENCRYPTED_DATA;
  uint32_t data_length = (uint32_t)ciphertext_len;
 
  SAFE_MEMCPY(packet_out, sizeof(packet_type), &packet_type, sizeof(packet_type));
  SAFE_MEMCPY(packet_out + sizeof(packet_type), sizeof(data_length), &data_length, sizeof(data_length));
 
  *packet_len_out = required_size;
  return CRYPTO_OK;
}

References crypto_encrypt(), CRYPTO_ERROR_BUFFER_TOO_SMALL, CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE, crypto_is_ready(), CRYPTO_MAX_PLAINTEXT_SIZE, CRYPTO_OK, ERROR_BUFFER, ERROR_CRYPTO, ERROR_INVALID_PARAM, crypto_context_t::mac_size, crypto_context_t::nonce_size, SAFE_MEMCPY, and SET_ERRNO.

crypto_create_public_key_packet()

crypto_result_t crypto_create_public_key_packet	(	const crypto_context_t *	ctx,
		uint8_t *	packet_out,
		size_t	packet_size,
		size_t *	packet_len_out
	)

#include <crypto.h>

Create public key packet for network transmission.

Parameters

ctx	Crypto context (must be initialized)
packet_out	Output buffer for packet
packet_size	Size of output buffer
packet_len_out	Output parameter for actual packet length

Returns

CRYPTO_OK on success, error code on failure

Creates a public key packet: [type:4][public_key:public_key_size] Used during key exchange handshake to send ephemeral public key to peer.

Note

Packet format: [PACKET_TYPE_PUBLIC_KEY:4][ephemeral_public_key:32] Total size: sizeof(uint32_t) + ctx->public_key_size (typically 36 bytes)

This packet is NOT encrypted - it's part of the key exchange protocol.

Definition at line 623 of file lib/crypto/crypto.c.

                                                                        {
  if (!ctx || !ctx->initialized || !packet_out || !packet_len_out) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_create_public_key_packet: Invalid parameters (ctx=%p, initialized=%d, packet_out=%p, "
              "packet_len_out=%p)",
              ctx, ctx ? ctx->initialized : 0, packet_out, packet_len_out);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  size_t required_size = sizeof(uint32_t) + ctx->public_key_size; // type + key
  if (packet_size < required_size) {
    SET_ERRNO(ERROR_BUFFER, "crypto_create_public_key_packet: Buffer too small (size=%zu, required=%zu)", packet_size,
              required_size);
    return CRYPTO_ERROR_BUFFER_TOO_SMALL;
  }
 
  // Pack packet: [type:4][public_key:32]
  uint32_t packet_type = CRYPTO_PACKET_PUBLIC_KEY;
  SAFE_MEMCPY(packet_out, sizeof(packet_type), &packet_type, sizeof(packet_type));
  // Bounds check to prevent buffer overflow
  size_t copy_size = (ctx->public_key_size <= X25519_KEY_SIZE) ? ctx->public_key_size : X25519_KEY_SIZE;
  SAFE_MEMCPY(packet_out + sizeof(packet_type), copy_size, ctx->public_key, copy_size);
 
  *packet_len_out = required_size;
  return CRYPTO_OK;
}

References CRYPTO_ERROR_BUFFER_TOO_SMALL, CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_OK, ERROR_BUFFER, ERROR_INVALID_PARAM, crypto_context_t::initialized, crypto_context_t::public_key, crypto_context_t::public_key_size, SAFE_MEMCPY, SET_ERRNO, and X25519_KEY_SIZE.

crypto_decrypt()

crypto_result_t crypto_decrypt	(	crypto_context_t *	ctx,
		const uint8_t *	ciphertext,
		size_t	ciphertext_len,
		uint8_t *	plaintext_out,
		size_t	plaintext_out_size,
		size_t *	plaintext_len_out
	)

#include <crypto.h>

Decrypt data using XSalsa20-Poly1305.

Parameters

ctx	Crypto context (must be initialized and ready)
ciphertext	Ciphertext data to decrypt
ciphertext_len	Length of ciphertext (must be >= nonce_size + mac_size)
plaintext_out	Output buffer for plaintext
plaintext_out_size	Size of output buffer
plaintext_len_out	Output parameter for actual plaintext length

Returns

CRYPTO_OK on success, CRYPTO_ERROR_INVALID_MAC if MAC verification fails

Decrypts data using XSalsa20-Poly1305 authenticated encryption. Uses shared_key if key exchange is complete, otherwise falls back to password_key.

Note

Ciphertext format: [nonce:nonce_size][encrypted_data][MAC:mac_size] Nonce is extracted from the first nonce_size bytes of ciphertext.

MAC verification: Automatically verified during decryption. Returns CRYPTO_ERROR_INVALID_MAC if MAC verification fails (indicating tampering or wrong key).

Plaintext size: ciphertext_len - nonce_size - mac_size

Buffer requirements: plaintext_out_size must be >= ciphertext_len - nonce_size - mac_size

Warning

Context must be ready (crypto_is_ready() returns true) before calling this function.

Always check return value. CRYPTO_ERROR_INVALID_MAC indicates tampering or wrong key.

Definition at line 481 of file lib/crypto/crypto.c.

                                                                                                             {
  if (!ctx || !ctx->initialized || !ciphertext || !plaintext_out || !plaintext_len_out) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "Invalid parameters: ctx=%p, initialized=%d, ciphertext=%p, plaintext_out=%p, plaintext_len_out=%p", ctx,
              ctx ? ctx->initialized : 0, ciphertext, plaintext_out, plaintext_len_out);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  if (!crypto_is_ready(ctx)) {
    SET_ERRNO(ERROR_CRYPTO, "Crypto context not ready for decryption");
    return CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE;
  }
 
  // Check minimum ciphertext size (nonce + MAC)
  size_t min_ciphertext_size = ctx->nonce_size + ctx->mac_size;
  if (ciphertext_len < min_ciphertext_size) {
    SET_ERRNO(ERROR_INVALID_PARAM, "Ciphertext too small: %zu < %zu", ciphertext_len, min_ciphertext_size);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  size_t plaintext_len = ciphertext_len - ctx->nonce_size - ctx->mac_size;
  if (plaintext_out_size < plaintext_len) {
    SET_ERRNO(ERROR_BUFFER, "Plaintext buffer too small: %zu < %zu", plaintext_out_size, plaintext_len);
    return CRYPTO_ERROR_BUFFER_TOO_SMALL;
  }
 
  // Extract nonce from beginning of ciphertext
  const uint8_t *nonce = ciphertext;
  const uint8_t *encrypted_data = ciphertext + ctx->nonce_size;
 
  // Choose decryption key (prefer shared key over password key)
  const uint8_t *decryption_key = NULL;
  if (ctx->key_exchange_complete) {
    decryption_key = ctx->shared_key;
  } else if (ctx->has_password) {
    decryption_key = ctx->password_key;
  } else {
    SET_ERRNO(ERROR_CRYPTO, "No decryption key available");
    return CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE;
  }
 
  // Decrypt using NaCl secretbox (XSalsa20 + Poly1305)
  if (crypto_secretbox_open_easy(plaintext_out, encrypted_data, ciphertext_len - ctx->nonce_size, nonce,
                                 decryption_key) != 0) {
    SET_ERRNO(ERROR_CRYPTO, "Decryption failed - invalid MAC or corrupted data");
    return CRYPTO_ERROR_INVALID_MAC;
  }
 
  *plaintext_len_out = plaintext_len;
  ctx->bytes_decrypted += plaintext_len;
 
  return CRYPTO_OK;
}

References crypto_context_t::bytes_decrypted, CRYPTO_ERROR_BUFFER_TOO_SMALL, CRYPTO_ERROR_INVALID_MAC, CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE, crypto_is_ready(), CRYPTO_OK, ERROR_BUFFER, ERROR_CRYPTO, ERROR_INVALID_PARAM, crypto_context_t::has_password, crypto_context_t::initialized, crypto_context_t::key_exchange_complete, crypto_context_t::mac_size, crypto_context_t::nonce_size, crypto_context_t::password_key, SET_ERRNO, and crypto_context_t::shared_key.

Referenced by crypto_handshake_decrypt_packet(), crypto_handshake_process_rekey_complete(), crypto_process_encrypted_packet(), and receive_packet_secure().

crypto_derive_password_encryption_key()

crypto_result_t crypto_derive_password_encryption_key	(	const char *	password,
		uint8_t	encryption_key[32]
	)

#include <crypto.h>

Derive deterministic encryption key from password for handshake.

Parameters

password	Password to derive key from
encryption_key	Output buffer for derived key (CRYPTO_ENCRYPTION_KEY_SIZE bytes)

Returns

CRYPTO_OK on success, error code on failure

Derives a deterministic key using a fixed salt (for handshake purposes). This allows password-protected sessions without requiring key exchange to be completed first.

Note

Uses same deterministic salt ("ascii-chat-password-salt-v1") as crypto_derive_password_key() for consistency.

Same password always produces same key. Only use for handshake encryption, not for long-term key storage.

Definition at line 371 of file lib/crypto/crypto.c.

                                                                                                  {
  if (!password || !encryption_key) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_derive_password_encryption_key: Invalid parameters (password=%p, encryption_key=%p)", password,
              encryption_key);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Validate password length requirements
  crypto_result_t validation_result = crypto_validate_password(password);
  if (validation_result != CRYPTO_OK) {
    return validation_result;
  }
 
  // Use deterministic salt for consistent key derivation across client/server
  // Salt must be exactly ARGON2ID_SALT_SIZE (32) bytes
  const char *deterministic_salt = "ascii-chat-password-salt-v1";
  uint8_t salt[ARGON2ID_SALT_SIZE]; // Use maximum size for buffer
  size_t salt_str_len = strlen(deterministic_salt);
 
  // Zero-initialize the salt buffer first
  memset(salt, 0, ARGON2ID_SALT_SIZE);
 
  // Copy the salt string (will be padded with zeros to ARGON2ID_SALT_SIZE)
  memcpy(salt, deterministic_salt, (salt_str_len < ARGON2ID_SALT_SIZE) ? salt_str_len : ARGON2ID_SALT_SIZE);
 
  // Derive key using Argon2id (memory-hard, secure against GPU attacks)
  if (crypto_pwhash(encryption_key, SECRETBOX_KEY_SIZE, password, strlen(password), salt,
                    crypto_pwhash_OPSLIMIT_INTERACTIVE, // ~0.1 seconds
                    crypto_pwhash_MEMLIMIT_INTERACTIVE, // ~64MB
                    crypto_pwhash_ALG_DEFAULT) != 0) {
    SET_ERRNO(ERROR_CRYPTO, "Password encryption key derivation failed - possibly out of memory");
    return CRYPTO_ERROR_PASSWORD_DERIVATION;
  }
 
  log_debug("Password encryption key derived successfully using Argon2id");
  return CRYPTO_OK;
}

References ARGON2ID_SALT_SIZE, CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_PASSWORD_DERIVATION, CRYPTO_OK, crypto_validate_password(), ERROR_CRYPTO, ERROR_INVALID_PARAM, log_debug, SECRETBOX_KEY_SIZE, and SET_ERRNO.

crypto_derive_password_key()

crypto_result_t crypto_derive_password_key	(	crypto_context_t *	ctx,
		const char *	password
	)

#include <crypto.h>

Derive key from password using Argon2id.

Parameters

ctx	Crypto context (must be initialized)
password	Password to derive key from

Returns

CRYPTO_OK on success, error code on failure

Derives a 32-byte encryption key from the password using Argon2id KDF. The salt is deterministic ("ascii-chat-password-salt-v1") for consistent key derivation across client/server.

Note

Argon2id is memory-hard, making offline brute-force attacks expensive.

Salt: Uses deterministic salt ("ascii-chat-password-salt-v1") padded to ARGON2ID_SALT_SIZE (32 bytes) with zeros. This ensures the same password produces the same key on both client and server.

Argon2id parameters: Uses INTERACTIVE limits (~0.1 seconds, ~64MB memory).

Warning

Deterministic salt: Same password always produces same key. Only use for session encryption, not long-term key storage.

Definition at line 297 of file lib/crypto/crypto.c.

                                                                                        {
  if (!ctx || !ctx->initialized || !password) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_derive_password_key: Invalid parameters (ctx=%p, initialized=%d, password=%p)", ctx,
              ctx ? ctx->initialized : 0, password);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Validate password length requirements
  crypto_result_t validation_result = crypto_validate_password(password);
  if (validation_result != CRYPTO_OK) {
    return validation_result;
  }
 
  // Use deterministic salt for consistent key derivation across client/server
  // This ensures the same password produces the same key on both sides
  // Salt must be exactly ARGON2ID_SALT_SIZE (32) bytes
  const char *deterministic_salt = "ascii-chat-password-salt-v1";
  size_t salt_str_len = strlen(deterministic_salt);
 
  // Zero-initialize the salt buffer first
  memset(ctx->password_salt, 0, ctx->salt_size);
 
  // Copy the salt string (will be padded with zeros to ctx->salt_size)
  memcpy(ctx->password_salt, deterministic_salt, (salt_str_len < ctx->salt_size) ? salt_str_len : ctx->salt_size);
 
  // Derive key using Argon2id (memory-hard, secure against GPU attacks)
  if (crypto_pwhash(ctx->password_key, ctx->encryption_key_size, password, strlen(password), ctx->password_salt,
                    crypto_pwhash_OPSLIMIT_INTERACTIVE, // ~0.1 seconds
                    crypto_pwhash_MEMLIMIT_INTERACTIVE, // ~64MB
                    crypto_pwhash_ALG_DEFAULT) != 0) {
    SET_ERRNO(ERROR_CRYPTO, "Password key derivation failed - possibly out of memory");
    return CRYPTO_ERROR_PASSWORD_DERIVATION;
  }
 
  log_debug("Password key derived successfully using Argon2id with deterministic salt");
  return CRYPTO_OK;
}

References CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_PASSWORD_DERIVATION, CRYPTO_OK, crypto_validate_password(), crypto_context_t::encryption_key_size, ERROR_CRYPTO, ERROR_INVALID_PARAM, crypto_context_t::initialized, log_debug, crypto_context_t::password_key, crypto_context_t::password_salt, crypto_context_t::salt_size, and SET_ERRNO.

Referenced by client_crypto_init(), crypto_handshake_client_auth_response(), and crypto_init_with_password().

crypto_encrypt()

crypto_result_t crypto_encrypt	(	crypto_context_t *	ctx,
		const uint8_t *	plaintext,
		size_t	plaintext_len,
		uint8_t *	ciphertext_out,
		size_t	ciphertext_out_size,
		size_t *	ciphertext_len_out
	)

#include <crypto.h>

Encrypt data using XSalsa20-Poly1305.

Parameters

ctx	Crypto context (must be initialized and ready)
plaintext	Plaintext data to encrypt
plaintext_len	Length of plaintext (must be > 0 and <= CRYPTO_MAX_PLAINTEXT_SIZE)
ciphertext_out	Output buffer for ciphertext
ciphertext_out_size	Size of output buffer
ciphertext_len_out	Output parameter for actual ciphertext length

Returns

CRYPTO_OK on success, error code on failure

Encrypts data using XSalsa20-Poly1305 authenticated encryption. Uses shared_key if key exchange is complete, otherwise falls back to password_key.

Note

Nonce generation: Automatically generates nonce as session_id || counter. Nonce is prepended to ciphertext: [nonce:24][encrypted_data + MAC]. Counter increments after each encryption to prevent nonce reuse.

Ciphertext format: [nonce:nonce_size][encrypted_data][MAC:mac_size] Total size = plaintext_len + nonce_size + mac_size

Buffer requirements: ciphertext_out_size must be >= plaintext_len + nonce_size + mac_size

Nonce counter: Starts at 1 (0 reserved for testing). Returns CRYPTO_ERROR_NONCE_EXHAUSTED if counter reaches 0 or UINT64_MAX (extremely unlikely, but triggers rekeying).

Maximum plaintext size: CRYPTO_MAX_PLAINTEXT_SIZE (1MB)

Rekeying: Automatically increments rekey_packet_count. Check crypto_should_rekey() after encryption to determine if rekeying should be initiated.

Warning

Context must be ready (crypto_is_ready() returns true) before calling this function.

Definition at line 415 of file lib/crypto/crypto.c.

                                                                                                                {
  if (!ctx || !ctx->initialized || !plaintext || !ciphertext_out || !ciphertext_len_out) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "Invalid parameters: ctx=%p, initialized=%d, plaintext=%p, ciphertext_out=%p, ciphertext_len_out=%p", ctx,
              ctx ? ctx->initialized : 0, plaintext, ciphertext_out, ciphertext_len_out);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  if (plaintext_len == 0 || plaintext_len > CRYPTO_MAX_PLAINTEXT_SIZE) {
    SET_ERRNO(ERROR_INVALID_PARAM, "Invalid plaintext length: %zu (max: %d)", plaintext_len, CRYPTO_MAX_PLAINTEXT_SIZE);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  if (!crypto_is_ready(ctx)) {
    SET_ERRNO(ERROR_CRYPTO, "Crypto context not ready for encryption");
    return CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE;
  }
 
  // Check output buffer size
  size_t required_size = plaintext_len + ctx->nonce_size + ctx->mac_size;
  if (ciphertext_out_size < required_size) {
    SET_ERRNO(ERROR_BUFFER, "Ciphertext buffer too small: %zu < %zu", ciphertext_out_size, required_size);
    return CRYPTO_ERROR_BUFFER_TOO_SMALL;
  }
 
  // Check for nonce counter exhaustion (extremely unlikely in practice)
  // Starting from 1, reaching UINT64_MAX would require ~292 billion years at 60 FPS.
  // With key rotation required at 1M packets (~16 seconds), exhaustion is virtually impossible.
  // This check is a safety fallback that should never trigger in practice.
  if (ctx->nonce_counter == 0 || ctx->nonce_counter == UINT64_MAX) {
    SET_ERRNO(ERROR_CRYPTO, "Nonce counter exhausted - key rotation required");
    return CRYPTO_ERROR_NONCE_EXHAUSTED;
  }
 
  // Generate nonce and place at beginning of ciphertext
  uint8_t nonce[XSALSA20_NONCE_SIZE]; // Use maximum nonce size for buffer
  generate_nonce(ctx, nonce);
  SAFE_MEMCPY(ciphertext_out, ctx->nonce_size, nonce, ctx->nonce_size);
 
  // Choose encryption key (prefer shared key over password key)
  const uint8_t *encryption_key = NULL;
  if (ctx->key_exchange_complete) {
    encryption_key = ctx->shared_key;
  } else if (ctx->has_password) {
    encryption_key = ctx->password_key;
  } else {
    SET_ERRNO(ERROR_CRYPTO, "No encryption key available");
    return CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE;
  }
 
  // Encrypt using NaCl secretbox (XSalsa20 + Poly1305)
  if (crypto_secretbox_easy(ciphertext_out + ctx->nonce_size, plaintext, plaintext_len, nonce, encryption_key) != 0) {
    SET_ERRNO(ERROR_CRYPTO, "Encryption failed");
    return CRYPTO_ERROR_ENCRYPTION;
  }
 
  *ciphertext_len_out = required_size;
  ctx->bytes_encrypted += plaintext_len;
 
  // Increment rekey packet counter for rekeying trigger detection
  ctx->rekey_packet_count++;
 
  return CRYPTO_OK;
}

References crypto_context_t::bytes_encrypted, CRYPTO_ERROR_BUFFER_TOO_SMALL, CRYPTO_ERROR_ENCRYPTION, CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE, CRYPTO_ERROR_NONCE_EXHAUSTED, crypto_is_ready(), CRYPTO_MAX_PLAINTEXT_SIZE, CRYPTO_OK, ERROR_BUFFER, ERROR_CRYPTO, ERROR_INVALID_PARAM, crypto_context_t::has_password, crypto_context_t::initialized, crypto_context_t::key_exchange_complete, crypto_context_t::mac_size, crypto_context_t::nonce_counter, crypto_context_t::nonce_size, crypto_context_t::password_key, crypto_context_t::rekey_packet_count, SAFE_MEMCPY, SET_ERRNO, crypto_context_t::shared_key, and XSALSA20_NONCE_SIZE.

Referenced by crypto_create_encrypted_packet(), crypto_handshake_encrypt_packet(), crypto_handshake_rekey_complete(), and send_packet_secure().

crypto_extract_auth_data()

void crypto_extract_auth_data	(	const uint8_t *	combined_data,
		uint8_t *	hmac_out,
		uint8_t *	challenge_out
	)

#include <crypto.h>

Extract HMAC and challenge nonce from combined data.

Parameters

combined_data	Combined data received from peer (64 bytes)
hmac_out	Output buffer for HMAC (32 bytes)
challenge_out	Output buffer for challenge nonce (32 bytes)

Extracts HMAC and challenge nonce from combined buffer: [HMAC:32][nonce:32] Used to unpack authentication response data received from peer.

Note

Format: [HMAC:32][challenge_nonce:32] (64 bytes total)

Definition at line 1127 of file lib/crypto/crypto.c.

                                                                                                       {
  if (!combined_data || !hmac_out || !challenge_out) {
    SET_ERRNO(ERROR_INVALID_PARAM, "Invalid parameters: combined_data=%p, hmac_out=%p, challenge_out=%p", combined_data,
              hmac_out, challenge_out);
    return;
  }
 
  // Extract HMAC (first 32 bytes) and challenge nonce (last 32 bytes)
  memcpy(hmac_out, combined_data, 32);
  memcpy(challenge_out, combined_data + 32, 32);
}

References ERROR_INVALID_PARAM, and SET_ERRNO.

crypto_generate_keypair()

crypto_result_t crypto_generate_keypair

(

crypto_context_t *

ctx

)

#include <crypto.h>

Generate new X25519 key pair for key exchange.

Parameters

ctx	Crypto context

Returns

CRYPTO_OK on success, error code on failure

Generates a new ephemeral X25519 key pair. Called automatically by crypto_init(). Can be called again to regenerate keys (e.g., for rekeying).

Definition at line 201 of file lib/crypto/crypto.c.

                                                               {
  if (!ctx) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_generate_keypair: NULL context");
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Generate X25519 key pair for key exchange
  if (crypto_box_keypair(ctx->public_key, ctx->private_key) != 0) {
    SET_ERRNO(ERROR_CRYPTO, "Failed to generate X25519 key pair");
    return CRYPTO_ERROR_KEY_GENERATION;
  }
 
  log_debug("Generated X25519 key pair for key exchange");
  return CRYPTO_OK;
}

References CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_KEY_GENERATION, CRYPTO_OK, ERROR_CRYPTO, ERROR_INVALID_PARAM, log_debug, crypto_context_t::private_key, crypto_context_t::public_key, and SET_ERRNO.

Referenced by crypto_init().

crypto_generate_nonce()

crypto_result_t crypto_generate_nonce

(

uint8_t

nonce[32]

)

#include <crypto.h>

Generate random nonce for authentication.

Parameters

nonce

Output buffer for 32-byte random nonce

Returns

CRYPTO_OK on success, error code on failure

Generates a cryptographically secure random nonce for authentication challenges. Uses libsodium's secure random number generator.

Note

Automatically initializes libsodium if not already initialized.

Definition at line 787 of file lib/crypto/crypto.c.

                                                         {
  if (!nonce) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_generate_nonce: NULL nonce buffer");
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  crypto_result_t result = init_libsodium();
  if (result != CRYPTO_OK) {
    return result;
  }
 
  randombytes_buf(nonce, 32);
  return CRYPTO_OK;
}

References CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_OK, ERROR_INVALID_PARAM, and SET_ERRNO.

Referenced by crypto_create_auth_challenge(), and crypto_handshake_server_auth_challenge().

crypto_get_public_key()

crypto_result_t crypto_get_public_key	(	const crypto_context_t *	ctx,
		uint8_t *	public_key_out
	)

#include <crypto.h>

Get public key for sending to peer (step 1 of handshake)

Parameters

ctx	Crypto context
public_key_out	Output buffer for public key (must be CRYPTO_PUBLIC_KEY_SIZE bytes)

Returns

CRYPTO_OK on success, error code on failure

Retrieves our ephemeral public key for transmission to the peer. This is the first step in the key exchange handshake.

Definition at line 221 of file lib/crypto/crypto.c.

                                                                                            {
  if (!ctx || !ctx->initialized || !public_key_out) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_get_public_key: Invalid parameters (ctx=%p, initialized=%d, public_key_out=%p)", ctx,
              ctx ? ctx->initialized : 0, public_key_out);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Bounds check to prevent buffer overflow
  size_t copy_size = (ctx->public_key_size <= X25519_KEY_SIZE) ? ctx->public_key_size : X25519_KEY_SIZE;
  SAFE_MEMCPY(public_key_out, copy_size, ctx->public_key, copy_size);
  return CRYPTO_OK;
}

References CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_OK, ERROR_INVALID_PARAM, crypto_context_t::initialized, crypto_context_t::public_key, crypto_context_t::public_key_size, SAFE_MEMCPY, SET_ERRNO, and X25519_KEY_SIZE.

crypto_get_rekey_status()

void crypto_get_rekey_status	(	const crypto_context_t *	ctx,
		char *	status_buffer,
		size_t	buffer_size
	)

#include <crypto.h>

Get the current rekeying state for debugging/logging.

Parameters

ctx	Crypto context
status_buffer	Output buffer for status string
buffer_size	Size of status buffer

Formats a human-readable status string with rekeying state:

• Packet count since last rekey
• Time since last rekey
• Rekey in progress status
• Failure count
• Threshold values

Note

Safe to call with NULL ctx or buffer (does nothing).

Definition at line 1337 of file lib/crypto/crypto.c.

                                                                                                   {
  if (!ctx || !status_buffer || buffer_size == 0) {
    return;
  }
 
  time_t now = time(NULL);
  time_t elapsed = now - ctx->rekey_last_time;
  time_t remaining_time = (ctx->rekey_time_threshold > elapsed) ? (ctx->rekey_time_threshold - elapsed) : 0;
  uint64_t remaining_packets = (ctx->rekey_packet_threshold > ctx->rekey_packet_count)
                                   ? (ctx->rekey_packet_threshold - ctx->rekey_packet_count)
                                   : 0;
 
  snprintf(status_buffer, buffer_size,
           "Rekey status: %s | "
           "Packets: %llu/%llu (%llu remaining) | "
           "Time: %ld/%ld sec (%ld sec remaining) | "
           "Rekeys: %llu | Failures: %d",
           ctx->rekey_in_progress ? "IN_PROGRESS" : "IDLE", (unsigned long long)ctx->rekey_packet_count,
           (unsigned long long)ctx->rekey_packet_threshold, (unsigned long long)remaining_packets, (long)elapsed,
           (long)ctx->rekey_time_threshold, (long)remaining_time, (unsigned long long)ctx->rekey_count,
           ctx->rekey_failure_count);
}

References crypto_context_t::rekey_count, crypto_context_t::rekey_failure_count, crypto_context_t::rekey_in_progress, crypto_context_t::rekey_last_time, crypto_context_t::rekey_packet_count, crypto_context_t::rekey_packet_threshold, and crypto_context_t::rekey_time_threshold.

crypto_get_status()

void crypto_get_status	(	const crypto_context_t *	ctx,
		char *	status_buffer,
		size_t	buffer_size
	)

#include <crypto.h>

Get crypto context status information for debugging.

Parameters

ctx	Crypto context
status_buffer	Output buffer for status string
buffer_size	Size of status buffer

Formats a human-readable status string with context state information:

• Initialization status
• Password status
• Key exchange status
• Ready status
• Encrypted/decrypted byte counts
• Nonce counter value

Note

Safe to call with NULL ctx or buffer (does nothing).

Definition at line 579 of file lib/crypto/crypto.c.

                                                                                             {
  if (!ctx || !status_buffer || buffer_size == 0) {
    return;
  }
 
  if (!ctx->initialized) {
    SAFE_SNPRINTF(status_buffer, buffer_size, "Not initialized");
    return;
  }
 
  SAFE_SNPRINTF(status_buffer, buffer_size,
                "Initialized: %s, Password: %s, Key Exchange: %s, Ready: %s, "
                "Encrypted: %" PRIu64 " bytes, Decrypted: %" PRIu64 " bytes, Nonce: %" PRIu64,
                ctx->initialized ? "yes" : "no", ctx->has_password ? "yes" : "no",
                ctx->key_exchange_complete ? "complete" : "incomplete", crypto_is_ready(ctx) ? "yes" : "no",
                ctx->bytes_encrypted, ctx->bytes_decrypted, ctx->nonce_counter);
}

References crypto_context_t::bytes_decrypted, crypto_context_t::bytes_encrypted, crypto_is_ready(), crypto_context_t::has_password, crypto_context_t::initialized, crypto_context_t::key_exchange_complete, crypto_context_t::nonce_counter, and SAFE_SNPRINTF.

crypto_init()

crypto_result_t crypto_init

(

crypto_context_t *

ctx

)

#include <crypto.h>

Initialize libsodium and crypto context.

Parameters

ctx	Crypto context to initialize

Returns

CRYPTO_OK on success, error code on failure

Initializes libsodium (thread-safe, idempotent) and generates a new X25519 key pair for key exchange.

Note

libsodium initialization is global and thread-safe. Multiple calls to crypto_init() will only initialize libsodium once.

Generates a new ephemeral key pair automatically. The nonce counter starts at 1 (0 is reserved for testing).

Definition at line 78 of file lib/crypto/crypto.c.

                                                   {
  if (!ctx) {
    SET_ERRNO(ERROR_INVALID_PARAM, "Invalid parameters: ctx=%p", ctx);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Initialize libsodium
  crypto_result_t result = init_libsodium();
  if (result != CRYPTO_OK) {
    return result;
  }
 
  // Clear context
  secure_memzero(ctx, sizeof(crypto_context_t));
 
  // Generate key pair for X25519 key exchange
  result = crypto_generate_keypair(ctx);
  if (result != CRYPTO_OK) {
    return result;
  }
 
  ctx->initialized = true;
  ctx->has_password = false;
  ctx->key_exchange_complete = false;
  ctx->peer_key_received = false;
  ctx->handshake_complete = false;
  ctx->nonce_counter = 1; // Start from 1 (0 reserved for testing)
  ctx->bytes_encrypted = 0;
  ctx->bytes_decrypted = 0;
 
  // Set default algorithm-specific parameters (can be overridden during handshake)
  ctx->nonce_size = XSALSA20_NONCE_SIZE;
  ctx->mac_size = POLY1305_MAC_SIZE;
  ctx->hmac_size = HMAC_SHA256_SIZE;
  ctx->encryption_key_size = SECRETBOX_KEY_SIZE;
  ctx->auth_challenge_size = AUTH_CHALLENGE_SIZE;
  ctx->public_key_size = X25519_KEY_SIZE;
  ctx->private_key_size = X25519_KEY_SIZE;
  ctx->shared_key_size = X25519_KEY_SIZE;
  ctx->salt_size = ARGON2ID_SALT_SIZE;
  ctx->signature_size = ED25519_SIGNATURE_SIZE;
 
  // Generate unique session ID to prevent replay attacks across connections
  randombytes_buf(ctx->session_id, sizeof(ctx->session_id));
 
  // Initialize rekeying state
  ctx->rekey_packet_count = 0;
  ctx->rekey_last_time = time(NULL); // Initialize to current time
  ctx->rekey_last_request_time = 0;  // No rekey request yet
  ctx->rekey_in_progress = false;
  ctx->rekey_failure_count = 0;
  ctx->has_temp_key = false;
  ctx->rekey_count = 0;
 
  // SECURITY: Use production-safe rekey thresholds by default
  // Rekey every 1 hour OR 1 million packets (whichever comes first)
  // Only use test mode if explicitly requested via environment variable
  if (is_test_environment()) {
    ctx->rekey_packet_threshold = REKEY_TEST_PACKET_THRESHOLD; // 1,000 packets
    ctx->rekey_time_threshold = REKEY_TEST_TIME_THRESHOLD;     // 30 seconds
    char duration_str[32];
    format_duration_s((double)ctx->rekey_time_threshold, duration_str, sizeof(duration_str));
    log_info("Crypto context initialized with X25519 key exchange (TEST MODE rekey thresholds: %llu packets, %s)",
             (unsigned long long)ctx->rekey_packet_threshold, duration_str);
  } else {
    ctx->rekey_packet_threshold = REKEY_DEFAULT_PACKET_THRESHOLD; // 1 million packets
    ctx->rekey_time_threshold = REKEY_DEFAULT_TIME_THRESHOLD;     // 3600 seconds (1 hour)
    char duration_str[32];
    format_duration_s((double)ctx->rekey_time_threshold, duration_str, sizeof(duration_str));
    log_info("Crypto context initialized with X25519 key exchange (rekey thresholds: %llu packets, %s)",
             (unsigned long long)ctx->rekey_packet_threshold, duration_str);
  }
  return CRYPTO_OK;
}

References ARGON2ID_SALT_SIZE, AUTH_CHALLENGE_SIZE, crypto_context_t::auth_challenge_size, crypto_context_t::bytes_decrypted, crypto_context_t::bytes_encrypted, CRYPTO_ERROR_INVALID_PARAMS, crypto_generate_keypair(), CRYPTO_OK, ED25519_SIGNATURE_SIZE, crypto_context_t::encryption_key_size, ERROR_INVALID_PARAM, format_duration_s(), crypto_context_t::handshake_complete, crypto_context_t::has_password, crypto_context_t::has_temp_key, HMAC_SHA256_SIZE, crypto_context_t::hmac_size, crypto_context_t::initialized, crypto_context_t::key_exchange_complete, log_info, crypto_context_t::mac_size, crypto_context_t::nonce_counter, crypto_context_t::nonce_size, crypto_context_t::peer_key_received, POLY1305_MAC_SIZE, crypto_context_t::private_key_size, crypto_context_t::public_key_size, crypto_context_t::rekey_count, REKEY_DEFAULT_PACKET_THRESHOLD, REKEY_DEFAULT_TIME_THRESHOLD, crypto_context_t::rekey_failure_count, crypto_context_t::rekey_in_progress, crypto_context_t::rekey_last_request_time, crypto_context_t::rekey_last_time, crypto_context_t::rekey_packet_count, crypto_context_t::rekey_packet_threshold, REKEY_TEST_PACKET_THRESHOLD, REKEY_TEST_TIME_THRESHOLD, crypto_context_t::rekey_time_threshold, crypto_context_t::salt_size, SECRETBOX_KEY_SIZE, crypto_context_t::session_id, SET_ERRNO, crypto_context_t::shared_key_size, crypto_context_t::signature_size, X25519_KEY_SIZE, and XSALSA20_NONCE_SIZE.

Referenced by crypto_handshake_init(), and crypto_init_with_password().

crypto_init_with_password()

crypto_result_t crypto_init_with_password	(	crypto_context_t *	ctx,
		const char *	password
	)

#include <crypto.h>

Initialize with password-based encryption.

Parameters

ctx	Crypto context to initialize
password	Password for key derivation

Returns

CRYPTO_OK on success, error code on failure

Initializes context and derives encryption key from password using Argon2id. The password is used as an additional layer on top of DH key exchange.

Note

Password must meet length requirements (8-256 characters).

Definition at line 153 of file lib/crypto/crypto.c.

                                                                                       {
  if (!ctx || !password) {
    SET_ERRNO(ERROR_INVALID_PARAM, "Invalid parameters: ctx=%p, password=%p", ctx, password);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  if (strlen(password) == 0) {
    SET_ERRNO(ERROR_INVALID_PARAM, "Password cannot be empty");
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // First initialize basic crypto
  crypto_result_t result = crypto_init(ctx);
  if (result != CRYPTO_OK) {
    return result;
  }
 
  // Derive password key
  result = crypto_derive_password_key(ctx, password);
  if (result != CRYPTO_OK) {
    crypto_cleanup(ctx);
    return result;
  }
 
  ctx->has_password = true;
 
  log_info("Crypto context initialized with password-based encryption");
  return CRYPTO_OK;
}

References crypto_cleanup(), crypto_derive_password_key(), CRYPTO_ERROR_INVALID_PARAMS, crypto_init(), CRYPTO_OK, ERROR_INVALID_PARAM, crypto_context_t::has_password, log_info, and SET_ERRNO.

Referenced by crypto_handshake_init_with_password().

crypto_is_ready()

bool crypto_is_ready

(

const crypto_context_t *

ctx

)

#include <crypto.h>

Check if key exchange is complete and ready for encryption.

Parameters

ctx	Crypto context

Returns

true if key exchange is complete, false otherwise

Returns true only after both parties have exchanged public keys and the shared secret has been computed.

Definition at line 261 of file lib/crypto/crypto.c.

                                                  {
  if (!ctx || !ctx->initialized) {
    return false;
  }
 
  // Ready if either key exchange is complete OR password is set
  return ctx->key_exchange_complete || ctx->has_password;
}

References crypto_context_t::has_password, crypto_context_t::initialized, and crypto_context_t::key_exchange_complete.

Referenced by crypto_create_encrypted_packet(), crypto_decrypt(), crypto_encrypt(), crypto_get_status(), crypto_handshake_is_ready(), crypto_process_encrypted_packet(), packet_send_error(), packet_send_remote_log(), and send_packet_secure().

crypto_process_auth_challenge()

crypto_result_t crypto_process_auth_challenge	(	crypto_context_t *	ctx,
		const uint8_t *	packet,
		size_t	packet_len
	)

#include <crypto.h>

Process authentication challenge packet.

Parameters

ctx	Crypto context (must be initialized)
packet	Challenge packet received from peer
packet_len	Length of challenge packet

Returns

CRYPTO_OK on success, error code on failure

Processes an authentication challenge packet: [type:4][nonce:auth_challenge_size] Extracts the nonce and stores it in ctx->auth_nonce for generating the response.

Note

Packet format: [PACKET_TYPE_AUTH_CHALLENGE:4][nonce:32] Expected size: sizeof(uint32_t) + ctx->auth_challenge_size (typically 36 bytes)

The extracted nonce is stored in ctx->auth_nonce and should be used with crypto_compute_auth_response() to generate the authentication response.

Definition at line 971 of file lib/crypto/crypto.c.

                                                                                                               {
  if (!ctx || !ctx->initialized || !packet) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_process_auth_challenge: Invalid parameters (ctx=%p, initialized=%d, packet=%p)", ctx,
              ctx ? ctx->initialized : 0, packet);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  size_t expected_size = sizeof(uint32_t) + ctx->auth_challenge_size; // type + nonce
  if (packet_len != expected_size) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_process_auth_challenge: Invalid packet size (expected=%zu, got=%zu)",
              expected_size, packet_len);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Unpack packet: [type:4][nonce:auth_challenge_size]
  uint32_t packet_type;
  SAFE_MEMCPY(&packet_type, sizeof(packet_type), packet, sizeof(packet_type));
 
  if (packet_type != CRYPTO_PACKET_AUTH_CHALLENGE) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_process_auth_challenge: Invalid packet type (expected=%u, got=%u)",
              CRYPTO_PACKET_AUTH_CHALLENGE, packet_type);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Store the nonce for HMAC computation (use buffer size for memcpy size, actual size from context)
  SAFE_MEMCPY(ctx->auth_nonce, sizeof(ctx->auth_nonce), packet + sizeof(packet_type), ctx->auth_challenge_size);
 
  log_debug("Auth challenge received and processed");
  return CRYPTO_OK;
}

References crypto_context_t::auth_challenge_size, crypto_context_t::auth_nonce, CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_OK, ERROR_INVALID_PARAM, crypto_context_t::initialized, log_debug, SAFE_MEMCPY, and SET_ERRNO.

crypto_process_auth_response()

crypto_result_t crypto_process_auth_response	(	crypto_context_t *	ctx,
		const uint8_t *	packet,
		size_t	packet_len
	)

#include <crypto.h>

Process authentication response packet.

Parameters

ctx	Crypto context (must be initialized and have completed key exchange)
packet	Response packet received from peer
packet_len	Length of response packet

Returns

CRYPTO_OK on success, error code on failure

Processes an authentication response packet containing HMAC. Verifies the HMAC using crypto_verify_auth_response().

Note

Packet format depends on authentication method:

• Password: [HMAC:32][challenge_nonce:32] (64 bytes)
• Signature: [signature:64][challenge_nonce:32] (96 bytes)

Warning

Context must have completed key exchange before calling this function.

Definition at line 1003 of file lib/crypto/crypto.c.

                                                                                                              {
  if (!ctx || !ctx->initialized || !packet) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_process_auth_response: Invalid context or packet (ctx=%p, initialized=%d, packet=%p)", ctx,
              ctx ? ctx->initialized : 0, packet);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  size_t expected_size = sizeof(uint32_t) + 32; // type + hmac
  if (packet_len != expected_size) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_process_auth_response: Invalid packet size (expected=%zu, got=%zu)",
              expected_size, packet_len);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Unpack packet: [type:4][hmac:32]
  uint32_t packet_type;
  SAFE_MEMCPY(&packet_type, sizeof(packet_type), packet, sizeof(packet_type));
 
  if (packet_type != CRYPTO_PACKET_AUTH_RESPONSE) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_process_auth_response: Invalid packet type (expected=0x%x, got=0x%x)",
              CRYPTO_PACKET_AUTH_RESPONSE, packet_type);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  const uint8_t *received_hmac = packet + sizeof(packet_type);
 
  // Verify HMAC using shared secret
  if (!crypto_verify_hmac(ctx->shared_key, ctx->auth_nonce, received_hmac)) {
    SET_ERRNO(ERROR_CRYPTO, "crypto_process_auth_response: HMAC verification failed");
    return CRYPTO_ERROR_INVALID_MAC;
  }
 
  ctx->handshake_complete = true;
  log_debug("Authentication successful - handshake complete");
  return CRYPTO_OK;
}

References crypto_context_t::auth_nonce, CRYPTO_ERROR_INVALID_MAC, CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_OK, crypto_verify_hmac(), ERROR_CRYPTO, ERROR_INVALID_PARAM, crypto_context_t::handshake_complete, crypto_context_t::initialized, log_debug, SAFE_MEMCPY, SET_ERRNO, and crypto_context_t::shared_key.

crypto_process_encrypted_packet()

crypto_result_t crypto_process_encrypted_packet	(	crypto_context_t *	ctx,
		const uint8_t *	packet,
		size_t	packet_len,
		uint8_t *	data_out,
		size_t	data_size,
		size_t *	data_len_out
	)

#include <crypto.h>

Process received encrypted packet from peer.

Parameters

ctx	Crypto context (must be initialized and ready)
packet	Encrypted packet received from peer
packet_len	Length of packet
data_out	Output buffer for decrypted plaintext
data_size	Size of output buffer
data_len_out	Output parameter for actual plaintext length

Returns

CRYPTO_OK on success, CRYPTO_ERROR_INVALID_MAC if MAC verification fails

Processes an encrypted data packet: [type:4][length:4][encrypted_data:var] Decrypts the data using crypto_decrypt().

Note

Packet format: [PACKET_TYPE_ENCRYPTED_DATA:4][data_length:4][encrypted_data] Encrypted data format: [nonce:24][encrypted_data][MAC:16] Plaintext size: data_length - nonce_size - mac_size

Context must be ready (crypto_is_ready() returns true) before calling.

Warning

Always check return value. CRYPTO_ERROR_INVALID_MAC indicates tampering or wrong key.

Definition at line 742 of file lib/crypto/crypto.c.

                                                                                                           {
  if (!ctx || !packet || !data_out || !data_len_out) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_process_encrypted_packet: Invalid parameters (ctx=%p, packet=%p, data_out=%p, data_len_out=%p)",
              ctx, packet, data_out, data_len_out);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  if (!crypto_is_ready(ctx)) {
    SET_ERRNO(ERROR_CRYPTO, "crypto_process_encrypted_packet: Crypto context not ready");
    return CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE;
  }
 
  if (packet_len < sizeof(uint32_t) + sizeof(uint32_t)) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_process_encrypted_packet: Packet too small (size=%zu)", packet_len);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Unpack packet: [type:4][length:4][encrypted_data:var]
  uint32_t packet_type;
  uint32_t data_length;
  SAFE_MEMCPY(&packet_type, sizeof(packet_type), packet, sizeof(packet_type));
  SAFE_MEMCPY(&data_length, sizeof(data_length), packet + sizeof(packet_type), sizeof(data_length));
 
  if (packet_type != CRYPTO_PACKET_ENCRYPTED_DATA) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_process_encrypted_packet: Invalid packet type (expected=%u, got=%u)",
              CRYPTO_PACKET_ENCRYPTED_DATA, packet_type);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  if (packet_len != sizeof(uint32_t) + sizeof(uint32_t) + data_length) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_process_encrypted_packet: Packet length mismatch (expected=%zu, got=%zu)",
              sizeof(uint32_t) + sizeof(uint32_t) + data_length, packet_len);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  const uint8_t *encrypted_data = packet + sizeof(uint32_t) + sizeof(uint32_t);
  return crypto_decrypt(ctx, encrypted_data, data_length, data_out, data_size, data_len_out);
}

References crypto_decrypt(), CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE, crypto_is_ready(), ERROR_CRYPTO, ERROR_INVALID_PARAM, SAFE_MEMCPY, and SET_ERRNO.

crypto_process_public_key_packet()

crypto_result_t crypto_process_public_key_packet	(	crypto_context_t *	ctx,
		const uint8_t *	packet,
		size_t	packet_len
	)

#include <crypto.h>

Process received public key packet from peer.

Parameters

ctx	Crypto context (must be initialized)
packet	Public key packet received from peer
packet_len	Length of packet

Returns

CRYPTO_OK on success, error code on failure

Processes a public key packet: [type:4][public_key:public_key_size] Extracts peer's public key and computes shared secret automatically.

Note

Packet format: [PACKET_TYPE_PUBLIC_KEY:4][peer_public_key:32] Expected size: sizeof(uint32_t) + ctx->public_key_size (typically 36 bytes)

Automatically computes shared secret via crypto_set_peer_public_key(). After this call, crypto_is_ready() may return true if key exchange is complete.

Definition at line 651 of file lib/crypto/crypto.c.

                                                                                                                  {
  if (!ctx || !ctx->initialized || !packet) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_process_public_key_packet: Invalid parameters (ctx=%p, initialized=%d, packet=%p)", ctx,
              ctx ? ctx->initialized : 0, packet);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  size_t expected_size = sizeof(uint32_t) + ctx->public_key_size;
  if (packet_len != expected_size) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_process_public_key_packet: Invalid packet size (expected=%zu, got=%zu)",
              expected_size, packet_len);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Unpack packet: [type:4][public_key:32]
  uint32_t packet_type;
  SAFE_MEMCPY(&packet_type, sizeof(packet_type), packet, sizeof(packet_type));
 
  if (packet_type != CRYPTO_PACKET_PUBLIC_KEY) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_process_public_key_packet: Invalid packet type (expected=%u, got=%u)",
              CRYPTO_PACKET_PUBLIC_KEY, packet_type);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  const uint8_t *peer_public_key = packet + sizeof(packet_type);
  return crypto_set_peer_public_key(ctx, peer_public_key);
}

References CRYPTO_ERROR_INVALID_PARAMS, crypto_set_peer_public_key(), ERROR_INVALID_PARAM, crypto_context_t::initialized, crypto_context_t::public_key_size, SAFE_MEMCPY, and SET_ERRNO.

crypto_random_bytes()

crypto_result_t crypto_random_bytes	(	uint8_t *	buffer,
		size_t	len
	)

#include <crypto.h>

Generate cryptographically secure random bytes.

Parameters

buffer	Output buffer for random bytes
len	Number of random bytes to generate (must be > 0)

Returns

CRYPTO_OK on success, error code on failure

Uses libsodium's secure random number generator (randombytes_buf). Suitable for generating nonces, keys, salts, and other cryptographic material.

Note

Automatically initializes libsodium if not already initialized.

Warning

Returns CRYPTO_ERROR_INVALID_PARAMS if buffer is NULL or len is 0.

Definition at line 604 of file lib/crypto/crypto.c.

                                                                 {
  if (!buffer || len == 0) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_random_bytes: Invalid parameters (buffer=%p, len=%zu)", buffer, len);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  crypto_result_t result = init_libsodium();
  if (result != CRYPTO_OK) {
    return result;
  }
 
  randombytes_buf(buffer, len);
  return CRYPTO_OK;
}

References CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_OK, ERROR_INVALID_PARAM, and SET_ERRNO.

crypto_rekey_abort()

void crypto_rekey_abort

(

crypto_context_t *

ctx

)

#include <crypto.h>

Abort rekeying and fallback to old keys.

Parameters

ctx	Crypto context

Aborts ongoing rekey and clears temp_* keys. Called on rekey failure (timeout, bad keys, decryption failure, etc.).

Note

Clears temp_* keys and sets rekey_in_progress = false.

Old keys remain active (no service interruption).

Increments rekey_failure_count for exponential backoff.

Definition at line 1315 of file lib/crypto/crypto.c.

                                               {
  if (!ctx) {
    return;
  }
 
  log_warn("Aborting rekey (attempt %d failed), keeping old encryption key", ctx->rekey_failure_count + 1);
 
  // Wipe temporary keys securely
  secure_memzero(ctx->temp_public_key, sizeof(ctx->temp_public_key));
  secure_memzero(ctx->temp_private_key, sizeof(ctx->temp_private_key));
  secure_memzero(ctx->temp_shared_key, sizeof(ctx->temp_shared_key));
 
  // Reset rekey state
  ctx->has_temp_key = false;
  ctx->rekey_in_progress = false;
 
  // Increment failure counter for exponential backoff
  ctx->rekey_failure_count++;
 
  // Continue using old key - no disruption to connection
}

References crypto_context_t::has_temp_key, log_warn, crypto_context_t::rekey_failure_count, crypto_context_t::rekey_in_progress, crypto_context_t::temp_private_key, crypto_context_t::temp_public_key, and crypto_context_t::temp_shared_key.

Referenced by crypto_handshake_process_rekey_complete(), crypto_handshake_process_rekey_request(), crypto_handshake_process_rekey_response(), crypto_handshake_rekey_complete(), crypto_handshake_rekey_request(), crypto_handshake_rekey_response(), and crypto_rekey_process_response().

crypto_rekey_commit()

crypto_result_t crypto_rekey_commit

(

crypto_context_t *

ctx

)

#include <crypto.h>

Commit to new keys after successful REKEY_COMPLETE.

Parameters

ctx	Crypto context

Returns

CRYPTO_OK on success, error code on failure

Switches from old shared_key to temp_shared_key, resets counters. Called after REKEY_COMPLETE is verified (decrypts successfully with new key).

Note

Replaces shared_key with temp_shared_key.

Resets rekey_packet_count, rekey_last_time, and rekey_in_progress.

Clears temp_* keys (they are now the active keys).

Warning

Only call after verifying REKEY_COMPLETE decrypts with new key.

Definition at line 1271 of file lib/crypto/crypto.c.

                                                           {
  if (!ctx || !ctx->initialized) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_rekey_commit: Invalid context");
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  if (!ctx->rekey_in_progress || !ctx->has_temp_key) {
    SET_ERRNO(ERROR_CRYPTO, "No rekey in progress to commit");
    return CRYPTO_ERROR_REKEY_FAILED;
  }
 
  // Wipe old shared secret securely
  secure_memzero(ctx->shared_key, sizeof(ctx->shared_key));
 
  // Switch to new shared secret
  SAFE_MEMCPY(ctx->shared_key, sizeof(ctx->shared_key), ctx->temp_shared_key, sizeof(ctx->temp_shared_key));
 
  // Reset nonce counter to 1 (fresh start with new key)
  ctx->nonce_counter = 1;
 
  // Generate new session ID to prevent cross-session replay
  randombytes_buf(ctx->session_id, sizeof(ctx->session_id));
 
  // Reset rekey tracking
  ctx->rekey_packet_count = 0;
  ctx->rekey_last_time = time(NULL);
  ctx->rekey_count++;
 
  // Clear rekey state
  secure_memzero(ctx->temp_public_key, sizeof(ctx->temp_public_key));
  secure_memzero(ctx->temp_private_key, sizeof(ctx->temp_private_key));
  secure_memzero(ctx->temp_shared_key, sizeof(ctx->temp_shared_key));
  ctx->has_temp_key = false;
  ctx->rekey_in_progress = false;
 
  // Reset failure counter on successful rekey
  ctx->rekey_failure_count = 0;
 
  log_info("Rekey committed successfully (rekey #%llu, nonce reset to 1, new session_id generated)",
           (unsigned long long)ctx->rekey_count);
 
  return CRYPTO_OK;
}

References CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_REKEY_FAILED, CRYPTO_OK, ERROR_CRYPTO, ERROR_INVALID_PARAM, crypto_context_t::has_temp_key, crypto_context_t::initialized, log_info, crypto_context_t::nonce_counter, crypto_context_t::rekey_count, crypto_context_t::rekey_failure_count, crypto_context_t::rekey_in_progress, crypto_context_t::rekey_last_time, crypto_context_t::rekey_packet_count, SAFE_MEMCPY, crypto_context_t::session_id, SET_ERRNO, crypto_context_t::shared_key, crypto_context_t::temp_private_key, crypto_context_t::temp_public_key, and crypto_context_t::temp_shared_key.

Referenced by crypto_handshake_process_rekey_complete(), and crypto_handshake_rekey_complete().

crypto_rekey_init()

crypto_result_t crypto_rekey_init

(

crypto_context_t *

ctx

)

#include <crypto.h>

Initiate rekeying by generating new ephemeral keys.

Parameters

ctx	Crypto context

Returns

CRYPTO_OK on success, error code on failure

Generates new ephemeral key pair and stores in temp_* fields. Called by the initiator (client or server) before sending REKEY_REQUEST.

Note

New keys are stored in temp_public_key and temp_private_key. They are NOT active until crypto_rekey_commit() is called.

Sets ctx->rekey_in_progress = true and updates rekey_last_request_time.

Warning

Do not call if rekey is already in progress.

Definition at line 1177 of file lib/crypto/crypto.c.

                                                         {
  if (!ctx || !ctx->initialized) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_rekey_init: Invalid context");
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  if (ctx->rekey_in_progress) {
    SET_ERRNO(ERROR_CRYPTO, "Rekey already in progress");
    return CRYPTO_ERROR_REKEY_IN_PROGRESS;
  }
 
  // Rate limiting: check minimum interval since last rekey
  time_t now = time(NULL);
  time_t since_last_rekey = now - ctx->rekey_last_time;
  if (since_last_rekey < REKEY_MIN_INTERVAL) {
    char elapsed_str[32], min_str[32];
    format_duration_s((double)since_last_rekey, elapsed_str, sizeof(elapsed_str));
    format_duration_s((double)REKEY_MIN_INTERVAL, min_str, sizeof(min_str));
    log_warn("Rekey rate limited: %s since last rekey (minimum: %s)", elapsed_str, min_str);
    return CRYPTO_ERROR_REKEY_RATE_LIMITED;
  }
 
  // Check if too many consecutive failures
  if (ctx->rekey_failure_count >= REKEY_MAX_FAILURE_COUNT) {
    log_error("Too many consecutive rekey failures (%d), giving up", ctx->rekey_failure_count);
    return CRYPTO_ERROR_REKEY_FAILED;
  }
 
  // Generate new ephemeral X25519 keypair for rekeying
  if (crypto_box_keypair(ctx->temp_public_key, ctx->temp_private_key) != 0) {
    SET_ERRNO(ERROR_CRYPTO, "Failed to generate rekey ephemeral keypair");
    return CRYPTO_ERROR_KEY_GENERATION;
  }
 
  ctx->rekey_in_progress = true;
  ctx->has_temp_key = true;
 
  log_info("Rekey initiated (packets: %llu, time elapsed: %ld sec, attempt %d)",
           (unsigned long long)ctx->rekey_packet_count, (long)since_last_rekey, ctx->rekey_failure_count + 1);
 
  return CRYPTO_OK;
}

References CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_KEY_GENERATION, CRYPTO_ERROR_REKEY_FAILED, CRYPTO_ERROR_REKEY_IN_PROGRESS, CRYPTO_ERROR_REKEY_RATE_LIMITED, CRYPTO_OK, ERROR_CRYPTO, ERROR_INVALID_PARAM, format_duration_s(), crypto_context_t::has_temp_key, crypto_context_t::initialized, log_error, log_info, log_warn, crypto_context_t::rekey_failure_count, crypto_context_t::rekey_in_progress, crypto_context_t::rekey_last_time, REKEY_MAX_FAILURE_COUNT, REKEY_MIN_INTERVAL, crypto_context_t::rekey_packet_count, SET_ERRNO, crypto_context_t::temp_private_key, and crypto_context_t::temp_public_key.

Referenced by crypto_handshake_process_rekey_request(), and crypto_handshake_rekey_request().

crypto_rekey_process_request()

crypto_result_t crypto_rekey_process_request	(	crypto_context_t *	ctx,
		const uint8_t *	peer_new_public_key
	)

#include <crypto.h>

Process REKEY_REQUEST from peer (responder side)

Parameters

ctx	Crypto context
peer_new_public_key	Peer's new ephemeral public key (32 bytes)

Returns

CRYPTO_OK on success, error code on failure

Processes peer's new ephemeral public key from REKEY_REQUEST. Generates our own new ephemeral keys and computes new shared secret.

Note

Generates new temp_* keys and computes temp_shared_key. Keys are NOT active until crypto_rekey_commit() is called.

Should send REKEY_RESPONSE with our new public key after this call.

Definition at line 1220 of file lib/crypto/crypto.c.

                                                                                                        {
  if (!ctx || !ctx->initialized || !peer_new_public_key) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_rekey_process_request: Invalid parameters");
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Generate our own new ephemeral keypair (responder side)
  if (crypto_box_keypair(ctx->temp_public_key, ctx->temp_private_key) != 0) {
    SET_ERRNO(ERROR_CRYPTO, "Failed to generate rekey ephemeral keypair");
    return CRYPTO_ERROR_KEY_GENERATION;
  }
 
  // Compute new shared secret: DH(our_new_private_key, peer_new_public_key)
  if (crypto_box_beforenm(ctx->temp_shared_key, peer_new_public_key, ctx->temp_private_key) != 0) {
    SET_ERRNO(ERROR_CRYPTO, "Failed to compute rekey shared secret");
    secure_memzero(ctx->temp_private_key, sizeof(ctx->temp_private_key));
    secure_memzero(ctx->temp_public_key, sizeof(ctx->temp_public_key));
    return CRYPTO_ERROR_KEY_GENERATION;
  }
 
  ctx->rekey_in_progress = true;
  ctx->has_temp_key = true;
 
  log_debug("Rekey request processed (responder side), new shared secret computed");
 
  return CRYPTO_OK;
}

References CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_KEY_GENERATION, CRYPTO_OK, ERROR_CRYPTO, ERROR_INVALID_PARAM, crypto_context_t::has_temp_key, crypto_context_t::initialized, log_debug, crypto_context_t::rekey_in_progress, SET_ERRNO, crypto_context_t::temp_private_key, crypto_context_t::temp_public_key, and crypto_context_t::temp_shared_key.

Referenced by crypto_handshake_process_rekey_request().

crypto_rekey_process_response()

crypto_result_t crypto_rekey_process_response	(	crypto_context_t *	ctx,
		const uint8_t *	peer_new_public_key
	)

#include <crypto.h>

Process REKEY_RESPONSE from peer (initiator side)

Parameters

ctx	Crypto context
peer_new_public_key	Peer's new ephemeral public key (32 bytes)

Returns

CRYPTO_OK on success, error code on failure

Processes peer's new ephemeral public key from REKEY_RESPONSE. Computes new shared secret using our temp_private_key and peer's temp_public_key.

Note

Computes temp_shared_key. Keys are NOT active until crypto_rekey_commit() is called.

Should send REKEY_COMPLETE encrypted with NEW key after this call.

Definition at line 1248 of file lib/crypto/crypto.c.

                                                                                                         {
  if (!ctx || !ctx->initialized || !peer_new_public_key) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_rekey_process_response: Invalid parameters");
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  if (!ctx->rekey_in_progress || !ctx->has_temp_key) {
    SET_ERRNO(ERROR_CRYPTO, "No rekey in progress");
    return CRYPTO_ERROR_REKEY_FAILED;
  }
 
  // Compute new shared secret: DH(our_new_private_key, peer_new_public_key)
  if (crypto_box_beforenm(ctx->temp_shared_key, peer_new_public_key, ctx->temp_private_key) != 0) {
    SET_ERRNO(ERROR_CRYPTO, "Failed to compute rekey shared secret");
    crypto_rekey_abort(ctx);
    return CRYPTO_ERROR_KEY_GENERATION;
  }
 
  log_debug("Rekey response processed (initiator side), new shared secret computed");
 
  return CRYPTO_OK;
}

References CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_KEY_GENERATION, CRYPTO_ERROR_REKEY_FAILED, CRYPTO_OK, crypto_rekey_abort(), ERROR_CRYPTO, ERROR_INVALID_PARAM, crypto_context_t::has_temp_key, crypto_context_t::initialized, log_debug, crypto_context_t::rekey_in_progress, SET_ERRNO, crypto_context_t::temp_private_key, and crypto_context_t::temp_shared_key.

Referenced by crypto_handshake_process_rekey_response().

crypto_result_to_string()

const char * crypto_result_to_string

(

crypto_result_t

result

)

#include <crypto.h>

Convert crypto result to human-readable string.

Parameters

result

Crypto result code

Returns

Human-readable error string (never NULL)

Returns a descriptive string for each crypto_result_t value. Useful for logging and error reporting.

Definition at line 540 of file lib/crypto/crypto.c.

                                                            {
  switch (result) {
  case CRYPTO_OK:
    return "Success";
  case CRYPTO_ERROR_INIT_FAILED:
    return "Initialization failed";
  case CRYPTO_ERROR_INVALID_PARAMS:
    return "Invalid parameters";
  case CRYPTO_ERROR_MEMORY:
    return "Memory allocation failed";
  case CRYPTO_ERROR_LIBSODIUM:
    return "Libsodium error";
  case CRYPTO_ERROR_KEY_GENERATION:
    return "Key generation failed";
  case CRYPTO_ERROR_PASSWORD_DERIVATION:
    return "Password derivation failed";
  case CRYPTO_ERROR_ENCRYPTION:
    return "Encryption failed";
  case CRYPTO_ERROR_DECRYPTION:
    return "Decryption failed";
  case CRYPTO_ERROR_INVALID_MAC:
    return "Invalid MAC or corrupted data";
  case CRYPTO_ERROR_BUFFER_TOO_SMALL:
    return "Buffer too small";
  case CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE:
    return "Key exchange not complete";
  case CRYPTO_ERROR_NONCE_EXHAUSTED:
    return "Nonce counter exhausted";
  case CRYPTO_ERROR_REKEY_IN_PROGRESS:
    return "Rekey already in progress";
  case CRYPTO_ERROR_REKEY_FAILED:
    return "Rekey failed";
  case CRYPTO_ERROR_REKEY_RATE_LIMITED:
    return "Rekey rate limited";
  default:
    return "Unknown error";
  }
}

References CRYPTO_ERROR_BUFFER_TOO_SMALL, CRYPTO_ERROR_DECRYPTION, CRYPTO_ERROR_ENCRYPTION, CRYPTO_ERROR_INIT_FAILED, CRYPTO_ERROR_INVALID_MAC, CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_KEY_EXCHANGE_INCOMPLETE, CRYPTO_ERROR_KEY_GENERATION, CRYPTO_ERROR_LIBSODIUM, CRYPTO_ERROR_MEMORY, CRYPTO_ERROR_NONCE_EXHAUSTED, CRYPTO_ERROR_PASSWORD_DERIVATION, CRYPTO_ERROR_REKEY_FAILED, CRYPTO_ERROR_REKEY_IN_PROGRESS, CRYPTO_ERROR_REKEY_RATE_LIMITED, and CRYPTO_OK.

Referenced by client_crypto_init(), crypto_handshake_client_auth_response(), crypto_handshake_client_key_exchange(), crypto_handshake_decrypt_packet(), crypto_handshake_encrypt_packet(), crypto_handshake_init(), crypto_handshake_init_with_password(), crypto_handshake_process_rekey_complete(), crypto_handshake_process_rekey_request(), crypto_handshake_process_rekey_response(), crypto_handshake_rekey_complete(), crypto_handshake_rekey_request(), crypto_handshake_server_auth_challenge(), crypto_handshake_server_complete(), receive_packet_secure(), and send_packet_secure().

crypto_secure_compare()

bool crypto_secure_compare	(	const uint8_t *	lhs,
		const uint8_t *	rhs,
		size_t	len
	)

#include <crypto.h>

Secure constant-time comparison of byte arrays.

Parameters

lhs	First byte array
rhs	Second byte array
len	Length of arrays to compare

Returns

true if arrays are equal, false otherwise

Uses constant-time comparison (sodium_memcmp) to prevent timing attacks. Always compares all bytes, regardless of where difference is found.

Note

Use this for comparing sensitive data: keys, MACs, HMACs, signatures. Do NOT use regular memcmp() for cryptographic comparisons.

Warning

Returns false if either pointer is NULL.

Definition at line 597 of file lib/crypto/crypto.c.

                                                                               {
  if (!lhs || !rhs) {
    return false;
  }
  return sodium_memcmp(lhs, rhs, len) == 0;
}

crypto_set_peer_public_key()

crypto_result_t crypto_set_peer_public_key	(	crypto_context_t *	ctx,
		const uint8_t *	peer_public_key
	)

#include <crypto.h>

Set peer's public key and compute shared secret (step 2 of handshake)

Parameters

ctx	Crypto context
peer_public_key	Peer's ephemeral public key (CRYPTO_PUBLIC_KEY_SIZE bytes)

Returns

CRYPTO_OK on success, error code on failure

Receives peer's public key and computes the shared secret using X25519. After this call, crypto_is_ready() will return true.

Note

This function computes the shared secret immediately. The shared secret is used for encryption/decryption after key exchange is complete.

Definition at line 235 of file lib/crypto/crypto.c.

                                                                                                  {
  if (!ctx || !ctx->initialized || !peer_public_key) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_set_peer_public_key: Invalid parameters (ctx=%p, initialized=%d, peer_public_key=%p)", ctx,
              ctx ? ctx->initialized : 0, peer_public_key);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  // Store peer's public key
  // Bounds check to prevent buffer overflow
  size_t copy_size = (ctx->public_key_size <= X25519_KEY_SIZE) ? ctx->public_key_size : X25519_KEY_SIZE;
  SAFE_MEMCPY(ctx->peer_public_key, copy_size, peer_public_key, copy_size);
  ctx->peer_key_received = true;
 
  // Compute shared secret using X25519
  if (crypto_box_beforenm(ctx->shared_key, peer_public_key, ctx->private_key) != 0) {
    SET_ERRNO(ERROR_CRYPTO, "Failed to compute shared secret from peer public key");
    return CRYPTO_ERROR_KEY_GENERATION;
  }
 
  ctx->key_exchange_complete = true;
 
  log_debug("Key exchange completed - shared secret computed");
  return CRYPTO_OK;
}

References CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_ERROR_KEY_GENERATION, CRYPTO_OK, ERROR_CRYPTO, ERROR_INVALID_PARAM, crypto_context_t::initialized, crypto_context_t::key_exchange_complete, log_debug, crypto_context_t::peer_key_received, crypto_context_t::peer_public_key, crypto_context_t::private_key, crypto_context_t::public_key_size, SAFE_MEMCPY, SET_ERRNO, crypto_context_t::shared_key, and X25519_KEY_SIZE.

Referenced by crypto_handshake_client_key_exchange(), crypto_handshake_server_auth_challenge(), and crypto_process_public_key_packet().

crypto_should_rekey()

bool crypto_should_rekey

(

const crypto_context_t *

ctx

)

#include <crypto.h>

Check if rekeying should be triggered based on time or packet count thresholds.

Parameters

ctx	Crypto context

Returns

true if rekey should be initiated, false otherwise

Checks if rekeying should be triggered based on:

• Time since last rekey >= rekey_time_threshold
• Packet count since last rekey >= rekey_packet_threshold
• Minimum interval since last rekey request (DDoS protection)

Note

Should be called after each packet encryption.

Test environment: Automatically uses test thresholds if CRITERION_TEST or TESTING env var is set.

DDoS protection: Requires at least REKEY_MIN_REQUEST_INTERVAL seconds between requests.

Definition at line 1143 of file lib/crypto/crypto.c.

                                                      {
  if (!ctx || !ctx->initialized) {
    return false;
  }
 
  // Don't trigger rekey if one is already in progress
  if (ctx->rekey_in_progress) {
    return false;
  }
 
  // Don't trigger rekey if handshake isn't complete yet
  if (!ctx->handshake_complete) {
    return false;
  }
 
  // Check packet count threshold
  if (ctx->rekey_packet_count >= ctx->rekey_packet_threshold) {
    log_debug("Rekey triggered: packet count (%llu) >= threshold (%llu)", (unsigned long long)ctx->rekey_packet_count,
              (unsigned long long)ctx->rekey_packet_threshold);
    return true;
  }
 
  // Check time threshold
  time_t now = time(NULL);
  time_t elapsed = now - ctx->rekey_last_time;
  if (elapsed >= ctx->rekey_time_threshold) {
    log_debug("Rekey triggered: time elapsed (%ld sec) >= threshold (%ld sec)", (long)elapsed,
              (long)ctx->rekey_time_threshold);
    return true;
  }
 
  return false;
}

References crypto_context_t::handshake_complete, crypto_context_t::initialized, log_debug, crypto_context_t::rekey_in_progress, crypto_context_t::rekey_last_time, crypto_context_t::rekey_packet_count, crypto_context_t::rekey_packet_threshold, and crypto_context_t::rekey_time_threshold.

Referenced by crypto_handshake_should_rekey().

crypto_sign_ephemeral_key()

asciichat_error_t crypto_sign_ephemeral_key	(	const private_key_t *	private_key,
		const uint8_t *	ephemeral_key,
		size_t	ephemeral_key_size,
		uint8_t *	signature_out
	)

#include <crypto.h>

Sign ephemeral key with private key.

Parameters

private_key	Ed25519 private key for signing (64 bytes)
ephemeral_key	Ephemeral public key to sign (variable size)
ephemeral_key_size	Size of ephemeral key (typically 32 bytes for X25519)
signature_out	Output buffer for Ed25519 signature (64 bytes)

Returns

ASCIICHAT_OK on success, error code on failure

Signs ephemeral public key with Ed25519 identity key. Used during authenticated key exchange to prove server identity.

Note

Signature is over the ephemeral public key itself. Allows verification without revealing the identity key.

Used in authenticated key exchange format (ephemeral + identity + signature).

Definition at line 1091 of file lib/crypto/crypto.c.

                                                                                               {
  if (!private_key || !ephemeral_key || !signature_out) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "Invalid parameters: private_key=%p, ephemeral_key=%p, signature_out=%p",
                     private_key, ephemeral_key, signature_out);
  }
 
  if (ephemeral_key_size == 0) {
    SET_ERRNO(ERROR_INVALID_PARAM, "Invalid ephemeral key size: %zu", ephemeral_key_size);
    return ERROR_INVALID_PARAM;
  }
 
  // Sign the ephemeral key with our Ed25519 private key
  if (private_key->type == KEY_TYPE_ED25519) {
    if (crypto_sign_detached(signature_out, NULL, ephemeral_key, ephemeral_key_size, private_key->key.ed25519) != 0) {
      return SET_ERRNO(ERROR_CRYPTO, "Failed to sign ephemeral key");
    }
  } else {
    return SET_ERRNO(ERROR_CRYPTO, "Unsupported private key type for signing");
  }
 
  return ASCIICHAT_OK;
}

References ASCIICHAT_OK, private_key_t::ed25519, ERROR_CRYPTO, ERROR_INVALID_PARAM, private_key_t::key, KEY_TYPE_ED25519, SET_ERRNO, and private_key_t::type.

crypto_validate_password()

crypto_result_t crypto_validate_password

(

const char *

password

)

#include <crypto.h>

Validate password length requirements.

Parameters

password

Password to validate

Returns

CRYPTO_OK if valid, CRYPTO_ERROR_INVALID_PARAMS if too short/long

Validates that password meets length requirements (MIN_PASSWORD_LENGTH to MAX_PASSWORD_LENGTH characters).

Note

Password must be between MIN_PASSWORD_LENGTH (8) and MAX_PASSWORD_LENGTH (256) characters.

Definition at line 274 of file lib/crypto/crypto.c.

                                                               {
  if (!password) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_validate_password: Password is NULL");
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  size_t password_len = strlen(password);
 
  if (password_len < MIN_PASSWORD_LENGTH) {
    SET_ERRNO(ERROR_INVALID_PARAM, "Password too short (minimum %d characters, got %zu)", MIN_PASSWORD_LENGTH,
              password_len);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  if (password_len > MAX_PASSWORD_LENGTH) {
    SET_ERRNO(ERROR_INVALID_PARAM, "Password too long (maximum %d characters, got %zu)", MAX_PASSWORD_LENGTH,
              password_len);
    return CRYPTO_ERROR_INVALID_PARAMS;
  }
 
  return CRYPTO_OK;
}

References CRYPTO_ERROR_INVALID_PARAMS, CRYPTO_OK, ERROR_INVALID_PARAM, MAX_PASSWORD_LENGTH, MIN_PASSWORD_LENGTH, and SET_ERRNO.

Referenced by crypto_derive_password_encryption_key(), and crypto_derive_password_key().

crypto_verify_auth_response()

bool crypto_verify_auth_response	(	const crypto_context_t *	ctx,
		const uint8_t	nonce[32],
		const uint8_t	expected_hmac[32]
	)

#include <crypto.h>

Verify authentication response HMAC bound to DH shared_secret.

Parameters

ctx	Crypto context with keys (must have completed key exchange)
nonce	Challenge nonce that was sent (32 bytes)
expected_hmac	Expected HMAC to verify (32 bytes)

Returns

true if HMAC is valid, false otherwise

Verifies: HMAC(auth_key, nonce || shared_secret)

Note

Key selection: Uses password_key if available, otherwise uses shared_key. Must match the key used by crypto_compute_auth_response() on the peer side.

Key exchange requirement: ctx->key_exchange_complete must be true. Returns false if key exchange is not complete.

Warning

Always check return value. False indicates authentication failure or wrong key.

Definition at line 903 of file lib/crypto/crypto.c.

                                                                  {
  if (!ctx || !nonce || !expected_hmac) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_verify_auth_response: Invalid parameters (ctx=%p, nonce=%p, expected_hmac=%p)", ctx, nonce,
              expected_hmac);
    return false;
  }
 
  // Ensure shared secret is derived before verifying HMAC
  // This is critical for password HMAC verification which binds to the shared secret
  if (!ctx->key_exchange_complete) {
    SET_ERRNO(ERROR_CRYPTO, "Cannot verify auth response - key exchange not complete");
    return false;
  }
 
  // Bind password HMAC to DH shared_secret to prevent MITM
  // Combined data: nonce || shared_secret
  uint8_t combined_data[64];
  memcpy(combined_data, nonce, 32);
  memcpy(combined_data + 32, ctx->shared_key, 32);
 
  // Use password_key if available, otherwise use shared_key
  const uint8_t *auth_key = ctx->has_password ? ctx->password_key : ctx->shared_key;
 
  log_debug("Verifying auth response: has_password=%d, key_exchange_complete=%d, using_password_key=%d",
            ctx->has_password, ctx->key_exchange_complete, (auth_key == ctx->password_key));
 
  bool result = crypto_verify_hmac_ex(auth_key, combined_data, 64, expected_hmac);
 
  // Securely zero sensitive data containing shared secret
  sodium_memzero(combined_data, sizeof(combined_data));
 
  return result;
}

References crypto_verify_hmac_ex(), ERROR_CRYPTO, ERROR_INVALID_PARAM, crypto_context_t::has_password, crypto_context_t::key_exchange_complete, log_debug, crypto_context_t::password_key, SET_ERRNO, and crypto_context_t::shared_key.

Referenced by crypto_handshake_client_complete(), and crypto_handshake_server_complete().

crypto_verify_hmac()

bool crypto_verify_hmac	(	const uint8_t	key[32],
		const uint8_t	data[32],
		const uint8_t	expected_hmac[32]
	)

#include <crypto.h>

Verify HMAC-SHA256 for fixed 32-byte data.

Parameters

key	HMAC key (32 bytes)
data	Data that was authenticated (32 bytes)
expected_hmac	Expected HMAC to verify (32 bytes)

Returns

true if HMAC is valid, false otherwise

Verifies HMAC-SHA256 using constant-time comparison. Prevents timing attacks during verification.

Note

Returns false if any parameter is NULL.

Definition at line 835 of file lib/crypto/crypto.c.

                                                                                                        {
  if (!key || !data || !expected_hmac) {
    SET_ERRNO(ERROR_INVALID_PARAM, "crypto_verify_hmac: Invalid parameters (key=%p, data=%p, expected_hmac=%p)", key,
              data, expected_hmac);
    return false;
  }
 
  uint8_t computed_hmac[32];
  if (crypto_auth_hmacsha256(computed_hmac, data, 32, key) != 0) {
    return false;
  }
 
  return sodium_memcmp(computed_hmac, expected_hmac, 32) == 0;
}

References ERROR_INVALID_PARAM, and SET_ERRNO.

Referenced by crypto_process_auth_response().

crypto_verify_hmac_ex()

bool crypto_verify_hmac_ex	(	const uint8_t	key[32],
		const uint8_t *	data,
		size_t	data_len,
		const uint8_t	expected_hmac[32]
	)

#include <crypto.h>

Verify HMAC-SHA256 for variable-length data.

Parameters

key	HMAC key (32 bytes)
data	Data that was authenticated (variable length)
data_len	Length of data (must be > 0)
expected_hmac	Expected HMAC to verify (32 bytes)

Returns

true if HMAC is valid, false otherwise

Verifies HMAC-SHA256 using constant-time comparison. Prevents timing attacks during verification.

Note

Returns false if any parameter is NULL or data_len is 0.

Definition at line 850 of file lib/crypto/crypto.c.

                                                            {
  if (!key || !data || !expected_hmac || data_len == 0) {
    SET_ERRNO(ERROR_INVALID_PARAM,
              "crypto_verify_hmac_ex: Invalid parameters (key=%p, data=%p, data_len=%zu, expected_hmac=%p)", key, data,
              data_len, expected_hmac);
    return false;
  }
 
  uint8_t computed_hmac[32];
  if (crypto_auth_hmacsha256(computed_hmac, data, data_len, key) != 0) {
    return false;
  }
 
  return sodium_memcmp(computed_hmac, expected_hmac, 32) == 0;
}

References ERROR_INVALID_PARAM, and SET_ERRNO.

Referenced by crypto_verify_auth_response().

crypto_verify_password()

bool crypto_verify_password	(	const crypto_context_t *	ctx,
		const char *	password
	)

#include <crypto.h>

Verify password matches stored salt/key.

Parameters

ctx	Crypto context (must be initialized and have password)
password	Password to verify

Returns

true if password matches, false otherwise

Verifies that the provided password, when derived with the stored salt, produces the same key as stored in the context.

Note

Uses constant-time comparison to prevent timing attacks.

Salt: Uses same deterministic salt as crypto_derive_password_key().

Definition at line 336 of file lib/crypto/crypto.c.

                                                                               {
  if (!ctx || !ctx->initialized || !ctx->has_password || !password) {
    return false;
  }
 
  uint8_t test_key[SECRETBOX_KEY_SIZE]; // Use maximum size for buffer
 
  // Use the same deterministic salt for verification
  // Salt must be exactly ARGON2ID_SALT_SIZE (32) bytes
  const char *deterministic_salt = "ascii-chat-password-salt-v1";
  uint8_t salt[ARGON2ID_SALT_SIZE]; // Use maximum size for buffer
  size_t salt_str_len = strlen(deterministic_salt);
 
  // Zero-initialize the salt buffer first
  memset(salt, 0, ARGON2ID_SALT_SIZE);
 
  // Copy the salt string (will be padded with zeros to ctx->salt_size)
  memcpy(salt, deterministic_salt, (salt_str_len < ctx->salt_size) ? salt_str_len : ctx->salt_size);
 
  // Derive key with same salt
  if (crypto_pwhash(test_key, ctx->encryption_key_size, password, strlen(password), salt,
                    crypto_pwhash_OPSLIMIT_INTERACTIVE, crypto_pwhash_MEMLIMIT_INTERACTIVE,
                    crypto_pwhash_ALG_DEFAULT) != 0) {
    secure_memzero(test_key, sizeof(test_key));
    return false;
  }
 
  // Constant-time comparison
  bool match = (sodium_memcmp(test_key, ctx->password_key, ctx->encryption_key_size) == 0);
 
  secure_memzero(test_key, sizeof(test_key));
  return match;
}

References ARGON2ID_SALT_SIZE, crypto_context_t::encryption_key_size, crypto_context_t::has_password, crypto_context_t::initialized, crypto_context_t::password_key, crypto_context_t::salt_size, and SECRETBOX_KEY_SIZE.

crypto_verify_peer_signature()

asciichat_error_t crypto_verify_peer_signature	(	const uint8_t *	peer_public_key,
		const uint8_t *	ephemeral_key,
		size_t	ephemeral_key_size,
		const uint8_t *	signature
	)

#include <crypto.h>

Verify peer's signature on ephemeral key.

Parameters

peer_public_key	Peer's Ed25519 public key (32 bytes)
ephemeral_key	Ephemeral public key that was signed (variable size)
ephemeral_key_size	Size of ephemeral key (typically 32 bytes for X25519)
signature	Ed25519 signature (64 bytes)

Returns

ASCIICHAT_OK if signature is valid, error code on failure

Verifies Ed25519 signature on ephemeral public key using peer's identity key. Used during authenticated key exchange to verify server identity.

Note

Signature is over the ephemeral public key itself, proving ownership of the identity key without revealing it.

Used in authenticated key exchange format (ephemeral + identity + signature).

Definition at line 1072 of file lib/crypto/crypto.c.

                                                                                                    {
  if (!peer_public_key || !ephemeral_key || !signature) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "Invalid parameters: peer_public_key=%p, ephemeral_key=%p, signature=%p",
                     peer_public_key, ephemeral_key, signature);
  }
 
  if (ephemeral_key_size == 0) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "Invalid ephemeral key size: %zu", ephemeral_key_size);
  }
 
  // Verify the signature using Ed25519
  if (crypto_sign_verify_detached(signature, ephemeral_key, ephemeral_key_size, peer_public_key) != 0) {
    return SET_ERRNO(ERROR_CRYPTO, "Peer signature verification failed");
  }
 
  return ASCIICHAT_OK;
}

References ASCIICHAT_OK, ERROR_CRYPTO, ERROR_INVALID_PARAM, and SET_ERRNO.

display_mitm_warning()

bool display_mitm_warning	(	const char *	server_ip,
		uint16_t	port,
		const uint8_t	expected_key[32],
		const uint8_t	received_key[32]
	)

#include <known_hosts.h>

Display MITM warning with key comparison and prompt user for confirmation.

Parameters

server_ip	Server IP address (IPv4 or IPv6, must not be NULL)
port	Server port number
expected_key	Expected server key from known_hosts (32 bytes, must not be NULL)
received_key	Received server key from connection (32 bytes, must not be NULL)

Returns

true if user accepts the risk and wants to continue, false otherwise

Displays man-in-the-middle warning with key comparison and prompts user for confirmation. Shows both expected and received keys in hex format for comparison.

Note

Warning display: Shows formatted warning message with:

• Server IP:port
• Expected key fingerprint (SHA256)
• Received key fingerprint (SHA256)
• Prompt for user confirmation

Key fingerprints: Displays SHA256 fingerprints of both keys for easy comparison. Fingerprints are displayed in hex format (64 hex chars).

User prompt: Prompts user to accept risk (continue) or abort connection. Returns true if user accepts, false if user aborts.

Non-interactive mode: If not connected to TTY (snapshot mode), automatically accepts the connection (returns true). This allows automated connections.

Security: Key mismatch indicates potential MITM attack or key rotation. User should verify keys before accepting.

Warning

Always check return value. If false, connection should be aborted.

MITM risk: Key mismatch may indicate man-in-the-middle attack. User should verify keys before accepting connection.

Definition at line 621 of file known_hosts.c.

                                                          {
  char expected_fp[CRYPTO_HEX_KEY_SIZE_NULL], received_fp[CRYPTO_HEX_KEY_SIZE_NULL];
  compute_key_fingerprint(expected_key, expected_fp);
  compute_key_fingerprint(received_key, received_fp);
 
  const char *known_hosts_path = get_known_hosts_path();
 
  // Format IP:port with proper bracket notation for IPv6
  char ip_with_port[BUFFER_SIZE_MEDIUM];
  if (format_ip_with_port(server_ip, port, ip_with_port, sizeof(ip_with_port)) != ASCIICHAT_OK) {
    // Fallback to basic format if error
    safe_snprintf(ip_with_port, sizeof(ip_with_port), "%s:%u", server_ip, port);
  }
 
  char escaped_ip_with_port[128];
  escape_ascii(ip_with_port, "[]", escaped_ip_with_port, 128);
  log_warn("\n"
           "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
           "@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @\n"
           "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
           "\n"
           "IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\n"
           "Someone could be eavesdropping on you right now (man-in-the-middle attack)!\n"
           "It is also possible that the host key has just been changed.\n"
           "\n"
           "The fingerprint for the Ed25519 key sent by the remote host is:\n"
           "SHA256:%s\n"
           "\n"
           "Expected fingerprint:\n"
           "SHA256:%s\n"
           "\n"
           "Please contact your system administrator.\n"
           "\n"
           "Add correct host key in %s to get rid of this message.\n"
           "Offending key for IP address %s was found at:\n"
           "%s\n"
           "\n"
           "To update the key, run:\n"
           "  # Linux/macOS:\n"
           "    sed -i '' '/%s /d' ~/.ascii-chat/known_hosts\n"
           "    # or run this instead:\n"
           "    cat ~/.ascii-chat/known_hosts | grep -v '%s ' > /tmp/x; cp /tmp/x ~/.ascii-chat/known_hosts\n"
           "  # Windows PowerShell:\n"
           "    (Get-Content ~/.ascii-chat/known_hosts) | Where-Object { $_ -notmatch '^%s ' } | Set-Content "
           "~/.ascii-chat/known_hosts\n"
           "  # Or manually edit ~/.ascii-chat/known_hosts to remove lines starting with '%s '\n"
           "\n"
           "Host key verification failed.\n"
           "\n",
           received_fp, expected_fp, known_hosts_path, ip_with_port, known_hosts_path, ip_with_port,
           escaped_ip_with_port, ip_with_port, ip_with_port);
 
  return false;
}

References ASCIICHAT_OK, BUFFER_SIZE_MEDIUM, compute_key_fingerprint(), CRYPTO_HEX_KEY_SIZE_NULL, escape_ascii(), format_ip_with_port(), get_known_hosts_path(), log_warn, and safe_snprintf().

Referenced by crypto_handshake_client_key_exchange().

free_ta_contents()

void free_ta_contents

(

br_x509_trust_anchor *

ta

)

#include <pem_utils.h>

Free the contents of a trust anchor.

Parameters

ta	Pointer to trust anchor to free (must not be NULL)

Releases all dynamically allocated memory within a trust anchor structure, but does not free the structure itself. Call this for each trust anchor before freeing the anchor_list buffer.

Note

Memory cleanup: Frees certificate data, public key, and other dynamically allocated fields within trust anchor structure.

Structure preservation: Does not free the trust anchor structure itself. Only frees dynamically allocated fields within the structure.

Usage: Must be called for each trust anchor in anchor_list.buf before freeing anchor_list.buf. Loop through anchors and call for each one.

Warning

Memory leak: Must call this for each trust anchor before freeing anchor_list.buf. Failing to do so will leak memory.

Definition at line 419 of file pem_utils.c.

                                                {
  if (!ta) {
    return;
  }
  xfree(ta->dn.data);
  switch (ta->pkey.key_type) {
  case BR_KEYTYPE_RSA:
    xfree((void *)ta->pkey.key.rsa.n);
    xfree((void *)ta->pkey.key.rsa.e);
    break;
  case BR_KEYTYPE_EC:
    xfree((void *)ta->pkey.key.ec.q);
    break;
  default:
    SET_ERRNO(ERROR_CRYPTO, "Unknown public key type in CA");
    break;
  }
}

References ERROR_CRYPTO, and SET_ERRNO.

Referenced by https_get(), and read_trust_anchors_from_memory().

get_known_hosts_path()

const char * get_known_hosts_path

(

void

)

#include <known_hosts.c>

Get the path to the known_hosts file.

Get known_hosts file path.

Returns the path to the known_hosts file, using the same directory as all other ascii-chat configuration files (get_config_dir()).

PATH RESOLUTION:

• Unix: $XDG_CONFIG_HOME/ascii-chat/known_hosts or ~/.config/ascii-chat/known_hosts
• Windows: APPDATA%\ascii-chat\known_hosts

Returns

Pointer to cached known_hosts path (do not free), or NULL on failure

Note

The returned pointer is valid for the lifetime of the program

Returns

Path to known_hosts file (never NULL, cached)

Returns path to known_hosts file, expanding user directory if needed. Path is cached after first call.

Note

File location: Returns ~/.ascii-chat/known_hosts (or equivalent on Windows). Uses expand_path() to resolve user directory.

Path caching: Path is cached after first call to avoid repeated expansion. Cache is freed by known_hosts_cleanup().

Platform-specific paths (same directory as config.toml):

• Unix: $XDG_CONFIG_HOME/ascii-chat/known_hosts if set, otherwise ~/.ascii-chat/known_hosts
• Windows: APPDATA%\ascii-chat\known_hosts if set, otherwise ~\.ascii-chat\known_hosts

Warning

Path may not exist: Function returns path even if file doesn't exist. File will be created when first entry is added.

Definition at line 46 of file known_hosts.c.

                                       {
  // Return cached path if already determined
  if (!g_known_hosts_path_cache) {
    char *config_dir = get_config_dir();
    if (!config_dir) {
      log_error("Failed to determine configuration directory for known_hosts");
      return NULL;
    }
 
    // Build path: config_dir + "known_hosts"
    size_t config_len = strlen(config_dir);
    size_t total_len = config_len + strlen("known_hosts") + 1;
    char *path = SAFE_MALLOC(total_len, char *);
    if (!path) {
      SAFE_FREE(config_dir);
      log_error("Failed to allocate memory for known_hosts path");
      return NULL;
    }
 
    safe_snprintf(path, total_len, "%sknown_hosts", config_dir);
    SAFE_FREE(config_dir);
 
    g_known_hosts_path_cache = path;
    log_debug("KNOWN_HOSTS: Using path %s", g_known_hosts_path_cache);
  }
  return g_known_hosts_path_cache;
}

References get_config_dir(), log_debug, log_error, SAFE_FREE, SAFE_MALLOC, and safe_snprintf().

Referenced by add_known_host(), check_known_host(), check_known_host_no_identity(), crypto_handshake_client_key_exchange(), display_mitm_warning(), prompt_unknown_host(), and remove_known_host().

gpg_agent_connect()

int gpg_agent_connect

(

void

)

#include <agent.h>

Connect to gpg-agent.

Returns

Socket/pipe handle on success, -1 on error

Establishes connection to GPG agent using Assuan protocol. Connects to agent socket/pipe and performs initial handshake.

Note

Connection method:

• Unix: Connects to Unix domain socket (~/.gnupg/S.gpg-agent or GPG_AGENT_INFO)
• Windows: Connects to named pipe (\.\pipe\gpg-agent or from GPG_AGENT_INFO)

Socket location:

• Unix: $GPG_AGENT_INFO or ~/.gnupg/S.gpg-agent
• Windows: Named pipe from GPG_AGENT_INFO or default pipe

Assuan protocol: After connection, sends initial commands:

• Receives "OK Pleased to meet you" greeting
• No additional initialization needed for signing operations

Connection ownership: Caller must call gpg_agent_disconnect() when done. Failing to disconnect will leak socket handles.

Warning

Agent requirement: GPG agent must be running and accessible. Returns -1 if agent is not available (not running, wrong path, etc.).

Socket cleanup: Must call gpg_agent_disconnect() to close socket. Failing to do so will leak file descriptors/handles.

Definition at line 267 of file agent.c.

                            {
  char socket_path[PLATFORM_MAX_PATH_LENGTH];
  if (get_agent_socket_path(socket_path, sizeof(socket_path)) != 0) {
    log_error("Failed to get GPG agent socket path");
    return -1;
  }
 
  log_debug("Connecting to GPG agent at: %s", socket_path);
 
  int sock = socket(AF_UNIX, SOCK_STREAM, 0);
  if (sock < 0) {
    log_error("Failed to create socket: %s", SAFE_STRERROR(errno));
    return -1;
  }
 
  struct sockaddr_un addr;
  memset(&addr, 0, sizeof(addr));
  addr.sun_family = AF_UNIX;
  SAFE_STRNCPY(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
 
  if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
    log_error("Failed to connect to GPG agent: %s", SAFE_STRERROR(errno));
    close(sock);
    return -1;
  }
 
  // Read initial greeting
  char response[GPG_AGENT_MAX_RESPONSE];
  if (read_agent_line(sock, response, sizeof(response)) != 0) {
    log_error("Failed to read GPG agent greeting");
    close(sock);
    return -1;
  }
 
  if (!is_ok_response(response)) {
    log_error("Unexpected GPG agent greeting: %s", response);
    close(sock);
    return -1;
  }
 
  log_debug("Connected to GPG agent successfully");
 
  // Set loopback pinentry mode to avoid interactive prompts
  // This allows GPG agent to work in non-interactive environments
  if (send_agent_command(sock, "OPTION pinentry-mode=loopback") != 0) {
    log_warn("Failed to set loopback pinentry mode (continuing anyway)");
  } else {
    // Read response for OPTION command
    if (read_agent_line(sock, response, sizeof(response)) != 0) {
      log_warn("Failed to read OPTION command response (continuing anyway)");
    } else if (is_ok_response(response)) {
      log_debug("Loopback pinentry mode enabled");
    } else {
      log_warn("Failed to enable loopback pinentry mode: %s (continuing anyway)", response);
    }
  }
 
  return sock;
}

References errno, GPG_AGENT_MAX_RESPONSE, log_debug, log_error, log_warn, PLATFORM_MAX_PATH_LENGTH, SAFE_STRERROR, and SAFE_STRNCPY.

Referenced by ed25519_sign_message(), gpg_agent_is_available(), and gpg_get_public_key().

gpg_agent_disconnect()

void gpg_agent_disconnect

(

int

sock

)

#include <agent.h>

Disconnect from gpg-agent.

Parameters

sock	Socket/pipe handle from gpg_agent_connect()

Closes connection to GPG agent and releases socket resources. Safe to call with invalid socket (does nothing if sock < 0).

Note

Socket closure: Closes socket handle using platform-specific close function. On Unix, uses close(). On Windows, uses CloseHandle().

Assuan protocol: No goodbye message needed - just closes socket. GPG agent handles disconnections gracefully.

Safe disconnect: Function validates socket handle before closing. Safe to call with -1 or invalid handles.

Warning

Always call this after gpg_agent_connect() to avoid resource leaks.

Definition at line 337 of file agent.c.

                                    {
  if (sock >= 0) {
    send_agent_command(sock, "BYE");
    close(sock);
  }
}

Referenced by ed25519_sign_message(), gpg_agent_is_available(), and gpg_get_public_key().

gpg_agent_is_available()

bool gpg_agent_is_available

(

void

)

#include <agent.h>

Check if GPG agent is available.

Returns

true if gpg-agent is running and accessible, false otherwise

Checks if GPG agent is running by attempting to connect and immediately disconnecting. Uses gpg_agent_connect() internally.

Note

Agent detection: Attempts actual connection to verify agent is running. Returns false if connection fails for any reason.

Platform differences:

• Unix: Checks for socket existence and accessibility (~/.gnupg/S.gpg-agent)
• Windows: Attempts to connect to named pipe

Connection test: Creates temporary connection and closes it immediately. Does not leave connection open.

Performance: Involves actual socket connection - may be slow if agent is not running. Consider caching result if calling frequently.

Warning

Agent may not be running: Function returns false if agent is not running, socket/pipe doesn't exist, or permissions prevent access.

Definition at line 539 of file agent.c.

                                  {
  int sock = gpg_agent_connect();
  if (sock < 0) {
    return false;
  }
  gpg_agent_disconnect(sock);
  return true;
}

References gpg_agent_connect(), and gpg_agent_disconnect().

gpg_agent_sign()

int gpg_agent_sign	(	int	sock,
		const char *	keygrip,
		const uint8_t *	message,
		size_t	message_len,
		uint8_t *	signature_out,
		size_t *	signature_len_out
	)

#include <agent.h>

Sign a message using GPG agent.

Parameters

sock	Socket/pipe handle from gpg_agent_connect() (must be valid)
keygrip	GPG keygrip (40-char hex string, must not be NULL)
message	Message to sign (must not be NULL)
message_len	Message length (must be > 0)
signature_out	Output buffer for signature (must be >= 64 bytes for Ed25519)
signature_len_out	Output parameter for signature length (must not be NULL)

Returns

0 on success, -1 on error

Signs message using GPG agent Assuan protocol PKSIGN command. Key stays in GPG agent - private key never enters application memory.

Note

Assuan protocol commands:

1. RESET - Clear any previous state
2. SIGKEY <keygrip> - Select key to use for signing
3. SETHASH –hash=sha256 <hex_hash> - Set message hash (SHA-256 of message)
4. PKSIGN - Perform signature operation

Key selection: Uses keygrip to identify key in agent. Keygrip is 40-char hex string computed from public key material.

Hash algorithm: Uses SHA-256 hash of message for signing. GPG agent expects hex-encoded hash, not raw message.

Signature format: Returns raw Ed25519 signature (64 bytes). Format: R || S (32 bytes each) for Ed25519.

Error handling: Returns -1 on any error:

• Agent connection lost
• Key not found in agent (wrong keygrip)
• Signature operation failed
• Protocol error (malformed response)

Connection requirement: Requires active connection from gpg_agent_connect(). Does not create or close connection - caller manages connection lifecycle.

Warning

Agent connection: Requires valid socket from gpg_agent_connect(). Returns -1 if socket is invalid or connection is closed.

Key availability: Key must be in GPG agent and identified by keygrip. Returns -1 if key not found or keygrip is invalid.

Buffer size: signature_out must be at least 64 bytes for Ed25519. Function writes up to 64 bytes and sets signature_len_out accordingly.

Definition at line 345 of file agent.c.

                                                                      {
  if (handle_as_int < 0 || !keygrip || !message || !signature_out || !signature_len_out) {
    log_error("Invalid arguments to gpg_agent_sign");
    return -1;
  }
 
#ifdef _WIN32
  HANDLE handle = (HANDLE)(intptr_t)handle_as_int;
#else
  int handle = handle_as_int;
#endif
 
  char response[GPG_AGENT_MAX_RESPONSE];
 
  // 1. Set the key to use (SIGKEY command)
  char sigkey_cmd[128];
  safe_snprintf(sigkey_cmd, sizeof(sigkey_cmd), "SIGKEY %s", keygrip);
  if (send_agent_command(handle, sigkey_cmd) != 0) {
    log_error("Failed to send SIGKEY command");
    return -1;
  }
 
  if (read_agent_line(handle, response, sizeof(response)) != 0) {
    log_error("Failed to read SIGKEY response");
    return -1;
  }
 
  if (!is_ok_response(response)) {
    log_error("SIGKEY failed: %s", response);
    return -1;
  }
 
  // 2. For EdDSA/Ed25519, GPG agent requires SETHASH with a hash algorithm
  // GPG agent doesn't support --inquire for SETHASH - the command syntax is:
  //   SETHASH (--hash=<name>)|(<algonumber>) <hexstring>
  // For Ed25519, we hash the message with SHA512 (algo 10) first
 
  // Hash the message with SHA512 using libsodium
  uint8_t hash[crypto_hash_sha512_BYTES];
  crypto_hash_sha512(hash, message, message_len);
 
  // Build SETHASH command with SHA512 hash (algo 10)
  // Format: "SETHASH 10 <128 hex chars for 64-byte SHA512 hash>"
  char sethash_cmd[256];
  int offset = safe_snprintf(sethash_cmd, sizeof(sethash_cmd), "SETHASH 10 ");
  for (size_t i = 0; i < crypto_hash_sha512_BYTES; i++) {
    offset += safe_snprintf(sethash_cmd + offset, sizeof(sethash_cmd) - (size_t)offset, "%02X", hash[i]);
  }
 
  log_debug("Sending SETHASH command with SHA512 hash");
  if (send_agent_command(handle, sethash_cmd) != 0) {
    log_error("Failed to send SETHASH command");
    return -1;
  }
 
  // Read SETHASH response
  if (read_agent_line(handle, response, sizeof(response)) != 0) {
    log_error("Failed to read SETHASH response");
    return -1;
  }
 
  if (!is_ok_response(response)) {
    log_error("SETHASH failed: %s", response);
    return -1;
  }
 
  // 3. Request signature using PKSIGN
  if (send_agent_command(handle, "PKSIGN") != 0) {
    log_error("Failed to send PKSIGN command");
    return -1;
  }
 
  // Read response - skip status/error lines and wait for data line (D ...)
  // GPG agent sends informational ERR lines that are not fatal (e.g., "Not implemented")
  // Keep reading until we get the actual signature data
  bool found_data = false;
  for (int attempts = 0; attempts < 20; attempts++) {
    if (read_agent_line(handle, response, sizeof(response)) != 0) {
      log_error("Failed to read PKSIGN response");
      return -1;
    }
 
    log_debug("PKSIGN response line %d: %s", attempts + 1, response);
 
    // Skip status lines (S INQUIRE_MAXLEN, etc)
    if (response[0] == 'S' && response[1] == ' ') {
      log_debug("Skipping PKSIGN status line: %s", response);
      continue;
    }
 
    // Skip informational ERR lines (GPG agent sends these even on success)
    // Common ERR codes: 67109141 (IPC cancelled), 67108933 (Not implemented)
    if (strncmp(response, "ERR", 3) == 0) {
      log_debug("Skipping PKSIGN error line (informational): %s", response);
      continue;
    }
 
    // Check if it's a data line (D followed by space)
    if (response[0] == 'D' && response[1] == ' ') {
      log_debug("Found signature data line");
      found_data = true;
      break;
    }
 
    // Check for OK (success without data would be unexpected)
    if (strncmp(response, "OK", 2) == 0) {
      log_warn("PKSIGN returned OK without data line");
      continue; // Keep trying in case D line follows
    }
 
    // Check if GPG agent is sending another INQUIRE (shouldn't happen)
    if (strncmp(response, "INQUIRE", 7) == 0) {
      log_error("Unexpected INQUIRE after PKSIGN: %s", response);
      return -1;
    }
 
    // Unknown response type
    log_warn("Unexpected PKSIGN response (attempt %d): %s", attempts + 1, response);
  }
 
  if (!found_data) {
    log_error("Expected D line from PKSIGN after %d attempts", 20);
    return -1;
  }
 
  // Parse S-expression signature from GPG agent
  // GPG agent returns: D <percent-encoded-sexp>
  // Example: D (7:sig-val(5:eddsa(1:r32:%<hex>)(1:s32:%<hex>)))
  // The signature is 64 bytes total: R (32) + S (32)
 
  // DEBUG: Print first 200 chars of response to see format
  char debug_buf[201];
  size_t response_len = strlen(response);
  size_t debug_len = response_len < 200 ? response_len : 200;
  memcpy(debug_buf, response, debug_len);
  debug_buf[debug_len] = '\0';
  log_debug("GPG agent D line (first 200 bytes): %s", debug_buf);
 
  const char *data = response + 2; // Skip "D "
 
  // The response format from GPG agent for EdDSA is percent-encoded
  // We need to decode it to get the raw binary signature
  // For now, let's try the simple approach: find the raw data
 
  // Look for the pattern that indicates where R starts: "(1:r32:"
  const char *r_marker = strstr(data, "(1:r32:");
  if (!r_marker) {
    log_error("Could not find r value marker in S-expression");
    return -1;
  }
 
  // Skip the marker to get to the actual R data
  const char *r_data = r_marker + 7; // strlen("(1:r32:")
 
  // Look for the pattern that indicates where S starts: "(1:s32:"
  const char *s_marker = strstr(r_data + 32, "(1:s32:");
  if (!s_marker) {
    log_error("Could not find s value marker in S-expression");
    return -1;
  }
 
  // Skip the marker to get to the actual S data
  const char *s_data = s_marker + 7; // strlen("(1:s32:")
 
  // Copy the raw binary data
  memcpy(signature_out, r_data, 32);
  memcpy(signature_out + 32, s_data, 32);
 
  *signature_len_out = 64;
 
  // DEBUG: Print signature in hex
  char sig_hex[129];
  for (int i = 0; i < 64; i++) {
    safe_snprintf(sig_hex + i * 2, 3, "%02x", (unsigned char)signature_out[i]);
  }
  sig_hex[128] = '\0';
  log_debug("Extracted signature (64 bytes): %s", sig_hex);
 
  // Read final OK
  if (read_agent_line(handle, response, sizeof(response)) != 0) {
    log_error("Failed to read final PKSIGN response");
    return -1;
  }
 
  if (!is_ok_response(response)) {
    log_error("PKSIGN final response not OK: %s", response);
    return -1;
  }
 
  log_debug("Successfully signed message with GPG agent");
  return 0;
}

References GPG_AGENT_MAX_RESPONSE, log_debug, log_error, log_warn, and safe_snprintf().

Referenced by ed25519_sign_message().

gpg_get_public_key()

int gpg_get_public_key	(	const char *	key_id,
		uint8_t *	public_key_out,
		char *	keygrip_out
	)

#include <export.h>

Get public key from GPG keyring by key ID.

Parameters

key_id	GPG key ID (8/16/40-char hex string, must not be NULL)
public_key_out	Output buffer for 32-byte Ed25519 public key (must not be NULL)
keygrip_out	Output buffer for 40-char keygrip + null terminator (can be NULL if not needed)

Returns

0 on success, -1 on error

Retrieves Ed25519 public key from GPG keyring using gpg --export command. Parses OpenPGP packet format to extract raw 32-byte Ed25519 public key.

Note

Key ID format: Accepts short (8-char), long (16-char), or full (40-char) hex key IDs. Prefix "0x" is optional and will be added automatically if missing. Examples: "7FE90A79F2E80ED3", "0x7FE90A79F2E80ED3", "EDDAE1DA7360D7F4"

Export method: Uses gpg --export 0x<KEY_ID> to export public key. Output is in binary OpenPGP packet format, which is then parsed.

OpenPGP parsing: Parses OpenPGP packet structure to locate Ed25519 public key packet. Extracts 32-byte Ed25519 public key material from packet (algorithm ID 22). Skips 0x40 prefix byte if present (standard OpenPGP MPI format).

Keygrip extraction: If keygrip_out is not NULL, extracts keygrip using gpg --with-keygrip --list-keys. Keygrip is 40-char hex string that identifies key in GPG agent. Useful for subsequent gpg_agent_sign() operations.

Key validation: Validates that key is Ed25519 (algorithm 22 in OpenPGP). Returns error if key is RSA, ECDSA, or other unsupported algorithm.

Buffer requirements:

• public_key_out: Must be at least 32 bytes
• keygrip_out: Must be at least 41 bytes (40 hex chars + null terminator) if provided

Error conditions: Returns -1 if:

• Key ID not found in keyring
• Key is not Ed25519 (RSA/ECDSA not supported)
• gpg binary not found in PATH
• OpenPGP packet parsing fails
• Key export produces empty output

Warning

GPG binary required: Requires gpg binary in PATH. Returns -1 if GPG is not installed or not accessible.

Ed25519 only: Only Ed25519 keys are supported (OpenPGP algorithm 22). RSA/ECDSA keys will return error.

Key ID must exist: Key must exist in local GPG keyring. Returns -1 if key is not found (check with gpg --list-keys <KEY_ID>).

Definition at line 251 of file export.c.

                                                                                       {
  if (!key_id || !public_key_out) {
    log_error("Invalid arguments to gpg_get_public_key");
    return -1;
  }
 
  // SECURITY: Validate key_id to prevent command injection
  // GPG key IDs should be hexadecimal (0-9, a-f, A-F)
  if (!validate_shell_safe(key_id, NULL)) {
    log_error("Invalid GPG key ID format - contains unsafe characters: %s", key_id);
    return -1;
  }
 
  // Additional validation: ensure key_id is hex alphanumeric
  for (size_t i = 0; key_id[i] != '\0'; i++) {
    if (!isxdigit((unsigned char)key_id[i])) {
      log_error("Invalid GPG key ID format - must be hexadecimal: %s", key_id);
      return -1;
    }
  }
 
  // Escape key_id for safe use in shell command (single quotes)
  char escaped_key_id[BUFFER_SIZE_MEDIUM];
  if (!escape_shell_single_quotes(key_id, escaped_key_id, sizeof(escaped_key_id))) {
    log_error("Failed to escape GPG key ID for shell command");
    return -1;
  }
 
  // Use gpg to list the key and get the keygrip
  char cmd[BUFFER_SIZE_LARGE];
#ifdef _WIN32
  safe_snprintf(cmd, sizeof(cmd), "gpg --list-keys --with-keygrip --with-colons 0x%s 2>nul", escaped_key_id);
#else
  safe_snprintf(cmd, sizeof(cmd), "gpg --list-keys --with-keygrip --with-colons 0x%s 2>/dev/null", escaped_key_id);
#endif
  FILE *fp = SAFE_POPEN(cmd, "r");
  if (!fp) {
    log_error("Failed to run gpg command - GPG may not be installed");
#ifdef _WIN32
    log_error("To install GPG on Windows, download Gpg4win from:");
    log_error("  https://www.gpg4win.org/download.html");
#elif defined(__APPLE__)
    log_error("To install GPG on macOS, use Homebrew:");
    log_error("  brew install gnupg");
#else
    log_error("To install GPG on Linux:");
    log_error("  Debian/Ubuntu: sudo apt-get install gnupg");
    log_error("  Fedora/RHEL:   sudo dnf install gnupg2");
    log_error("  Arch Linux:    sudo pacman -S gnupg");
    log_error("  Alpine Linux:  sudo apk add gnupg");
#endif
    return -1;
  }
 
  char line[BUFFER_SIZE_XLARGE];
  char found_keygrip[128] = {0};
  bool found_key = false;
 
  // Parse gpg output
  // Format: pub:..., grp:::::::::<keygrip>:
  while (fgets(line, sizeof(line), fp)) {
    if (strncmp(line, "pub:", 4) == 0) {
      // Found the public key line
      found_key = true;
    } else if (found_key && strncmp(line, "grp:", 4) == 0) {
      // Extract keygrip
      // Format: grp:::::::::D52FF935FBA59609EE65E1685287828242A1EA1A:
      // (8 empty fields, then keygrip, then final colon)
      const char *grp_start = line + 4;
      int colon_count = 0;
      while (*grp_start && colon_count < 8) {
        if (*grp_start == ':') {
          colon_count++;
        }
        grp_start++;
      }
 
      if (colon_count == 8) {
        const char *grp_end = strchr(grp_start, ':');
        if (grp_end) {
          size_t grp_len = grp_end - grp_start;
          if (grp_len < sizeof(found_keygrip)) {
            memcpy(found_keygrip, grp_start, grp_len);
            found_keygrip[grp_len] = '\0';
 
            if (keygrip_out) {
              SAFE_STRNCPY(keygrip_out, found_keygrip, 41);
            }
          }
        }
      }
      break;
    }
  }
 
  SAFE_PCLOSE(fp);
 
  if (!found_key || strlen(found_keygrip) == 0) {
    log_error("Could not find GPG key with ID: %s", key_id);
    return -1;
  }
 
  log_debug("Found keygrip for key %s: %s", key_id, found_keygrip);
 
  // Try to use GPG agent API to read the public key directly via READKEY command
  int agent_sock = gpg_agent_connect();
  if (agent_sock < 0) {
    log_info("GPG agent not available, falling back to gpg --export for public key extraction");
    // Fallback: Use gpg --export to get the public key
    int export_result = gpg_export_public_key(key_id, public_key_out);
    if (export_result == 0) {
      log_info("Successfully extracted public key using fallback method");
    } else {
      log_error("Fallback public key extraction failed for key ID: %s", key_id);
    }
    return export_result;
  }
 
  // Send READKEY command with keygrip to get the public key S-expression
  char readkey_cmd[256];
  safe_snprintf(readkey_cmd, sizeof(readkey_cmd), "READKEY %s\n", found_keygrip);
 
  ssize_t bytes_written = platform_pipe_write(agent_sock, (const unsigned char *)readkey_cmd, strlen(readkey_cmd));
  if (bytes_written != (ssize_t)strlen(readkey_cmd)) {
    log_error("Failed to send READKEY command to GPG agent");
    gpg_agent_disconnect(agent_sock);
    return -1;
  }
 
  // Read the response (public key S-expression)
  char response[BUFFER_SIZE_XXXLARGE];
  memset(response, 0, sizeof(response));
  ssize_t bytes_read = platform_pipe_read(agent_sock, (unsigned char *)response, sizeof(response) - 1);
 
  gpg_agent_disconnect(agent_sock);
 
  if (bytes_read <= 0) {
    log_error("Failed to read READKEY response from GPG agent");
    return -1;
  }
 
  // Parse the S-expression to extract Ed25519 public key (q value)
  // GPG agent returns binary S-expressions in format: (1:q<length>:<binary-data>)
  // Example: (1:q33:<33-bytes>) where first byte is 0x40 (Ed25519 prefix), then 32-byte key
  const char *q_marker = strstr(response, "(1:q");
  if (!q_marker) {
    log_warn("Failed to find public key (1:q) in GPG agent READKEY response, trying gpg --export fallback");
    log_debug("Response was: %.*s", (int)(bytes_read < 200 ? bytes_read : 200), response);
    gpg_agent_disconnect(agent_sock);
 
    // Fallback: Use gpg --export for public-only keys
    int export_result = gpg_export_public_key(key_id, public_key_out);
    if (export_result == 0) {
      log_info("Successfully extracted public key using gpg --export fallback");
    } else {
      log_error("Fallback public key extraction failed for key ID: %s", key_id);
    }
    return export_result;
  }
 
  // Skip "(1:q" to get to the length field
  const char *len_start = q_marker + 4;
 
  // Parse the length (e.g., "33:")
  char *colon = strchr(len_start, ':');
  if (!colon) {
    log_error("Malformed S-expression: missing colon after length");
    return -1;
  }
 
  size_t key_len = strtoul(len_start, NULL, 10);
  if (key_len != 33) {
    log_error("Unexpected Ed25519 public key length: %zu bytes (expected 33)", key_len);
    return -1;
  }
 
  // Skip the colon to get to the binary data
  const unsigned char *binary_start = (const unsigned char *)(colon + 1);
 
  // Ed25519 public keys in GPG format have a 0x40 prefix byte, then 32 bytes of actual key
  if (binary_start[0] != 0x40) {
    log_error("Invalid Ed25519 public key prefix: 0x%02x (expected 0x40)", binary_start[0]);
    return -1;
  }
 
  // Copy the 32-byte public key (skip the 0x40 prefix)
  memcpy(public_key_out, binary_start + 1, 32);
 
  log_info("Extracted Ed25519 public key from GPG agent via READKEY command");
  return 0;
}

References BUFFER_SIZE_LARGE, BUFFER_SIZE_MEDIUM, BUFFER_SIZE_XLARGE, BUFFER_SIZE_XXXLARGE, bytes_written, escape_shell_single_quotes(), gpg_agent_connect(), gpg_agent_disconnect(), log_debug, log_error, log_info, log_warn, platform_pipe_read(), platform_pipe_write(), SAFE_PCLOSE, SAFE_POPEN, safe_snprintf(), SAFE_STRNCPY, and validate_shell_safe().

Referenced by extract_ed25519_from_gpg(), and parse_private_key().

gpg_sign_detached_ed25519()

int gpg_sign_detached_ed25519	(	const char *	key_id,
		const uint8_t *	message,
		size_t	message_len,
		uint8_t	signature_out[64]
	)

#include <signing.h>

Sign message with GPG and extract raw Ed25519 signature.

Parameters

key_id	GPG key ID (8/16/40-char hex string, must not be NULL)
message	Message to sign (must not be NULL)
message_len	Message length in bytes (must be > 0)
signature_out	Output buffer for 64-byte Ed25519 signature (must not be NULL)

Returns

0 on success, -1 on error

Signs message using gpg --detach-sign, then extracts raw 64-byte Ed25519 signature from OpenPGP packet format. Returns signature in libsodium-compatible format (R||S).

Note

Key ID format: Accepts short (8-char), long (16-char), or full (40-char) hex key IDs. Prefix "0x" is optional and will be added automatically if missing.

Signing method: Uses gpg --detach-sign --local-user 0x<KEY_ID> command. Then parses OpenPGP output to extract raw signature bytes.

OpenPGP parsing: Parses binary OpenPGP signature packet to locate signature data. Extracts raw Ed25519 signature (R||S format, 64 bytes total). Skips packet headers and metadata to get pure signature bytes.

Output format: Returns raw Ed25519 signature in libsodium format. Format: R || S (32 bytes R + 32 bytes S = 64 bytes total). Compatible with crypto_sign_verify_detached() from libsodium.

Fixed length: Ed25519 signatures are always exactly 64 bytes. No length parameter needed - signature_out is always fully written.

Use case: Prefer this over gpg_sign_with_key() when you need raw signature. Useful for protocol implementations that expect raw Ed25519 signatures rather than OpenPGP-wrapped signatures.

Comparison with gpg_sign_with_key():

• gpg_sign_with_key(): Returns full OpenPGP packet (~150-200 bytes)
• gpg_sign_detached_ed25519(): Returns raw Ed25519 signature (64 bytes)

Key passphrase handling:

• If key is encrypted, GPG may prompt for passphrase interactively
• Use gpg-agent for password-free signing (recommended)
• Or set $ASCII_CHAT_KEY_PASSWORD environment variable

Buffer requirements:

• signature_out: Must be exactly 64 bytes (Ed25519 signature size)

Error conditions: Returns -1 if:

• Key ID not found in keyring
• Key is not Ed25519 (RSA/ECDSA not supported)
• gpg binary not found in PATH
• Signing operation fails (wrong passphrase, key expired, etc.)
• OpenPGP packet parsing fails
• Signature extraction fails (unexpected packet format)

Warning

GPG binary required: Requires gpg binary in PATH. Returns -1 if GPG is not installed or not accessible.

Ed25519 only: Only Ed25519 keys are supported (OpenPGP algorithm 22). RSA/ECDSA keys will return error.

Buffer size: signature_out must be exactly 64 bytes. Function always writes exactly 64 bytes on success.

Key must exist: Key must exist in local GPG keyring. Returns -1 if key is not found (check with gpg --list-keys <KEY_ID>).

Definition at line 180 of file signing.c.

                                                         {
  log_info("gpg_sign_detached_ed25519: Signing with key ID %s (fallback mode)", key_id);
 
  // Get OpenPGP signature packet from gpg --detach-sign
  uint8_t openpgp_signature[512];
  size_t openpgp_len = 0;
 
  int result = gpg_sign_with_key(key_id, message, message_len, openpgp_signature, &openpgp_len);
  if (result != 0) {
    log_error("GPG detached signing failed for key %s", key_id);
    return -1;
  }
 
  log_debug("gpg_sign_with_key returned %zu bytes", openpgp_len);
 
  if (openpgp_len < 10) {
    log_error("GPG signature too short: %zu bytes", openpgp_len);
    return -1;
  }
 
  log_debug("Parsing OpenPGP signature packet (%zu bytes) to extract Ed25519 signature", openpgp_len);
 
  // Parse OpenPGP signature packet format
  // Reference: RFC 4880 Section 5.2 (Signature Packet)
  // Format: [header][version][type][algo][hash-algo][...][signature-data]
  size_t offset = 0;
 
  // Parse packet header
  uint8_t tag = openpgp_signature[offset++];
  size_t packet_len = 0;
 
  if ((tag & 0x40) == 0) {
    // Old format packet
    uint8_t length_type = tag & 0x03;
    if (length_type == 0) {
      packet_len = openpgp_signature[offset++];
    } else if (length_type == 1) {
      packet_len = (openpgp_signature[offset] << 8) | openpgp_signature[offset + 1];
      offset += 2;
    } else if (length_type == 2) {
      packet_len = (openpgp_signature[offset] << 24) | (openpgp_signature[offset + 1] << 16) |
                   (openpgp_signature[offset + 2] << 8) | openpgp_signature[offset + 3];
      offset += 4;
    } else {
      log_error("Unsupported old-format packet length type: %d", length_type);
      return -1;
    }
  } else {
    // New format packet
    uint8_t length_byte = openpgp_signature[offset++];
    if (length_byte < 192) {
      packet_len = length_byte;
    } else if (length_byte < 224) {
      packet_len = ((length_byte - 192) << 8) + openpgp_signature[offset++] + 192;
    } else if (length_byte == 255) {
      packet_len = (openpgp_signature[offset] << 24) | (openpgp_signature[offset + 1] << 16) |
                   (openpgp_signature[offset + 2] << 8) | openpgp_signature[offset + 3];
      offset += 4;
    } else {
      log_error("Unsupported new-format packet length encoding: %d", length_byte);
      return -1;
    }
  }
 
  if (offset + packet_len > openpgp_len) {
    log_error("Packet length exceeds signature size: %zu + %zu > %zu", offset, packet_len, openpgp_len);
    return -1;
  }
 
  log_debug("Signature packet: offset=%zu, length=%zu", offset, packet_len);
 
  // Parse signature packet body
  // Skip: version (1), sig_type (1), pub_algo (1), hash_algo (1)
  if (offset + 4 > openpgp_len) {
    log_error("Signature packet too short for header");
    return -1;
  }
 
  uint8_t version = openpgp_signature[offset++];
  uint8_t sig_type = openpgp_signature[offset++];
  uint8_t pub_algo = openpgp_signature[offset++];
  uint8_t hash_algo = openpgp_signature[offset++];
 
  log_debug("Signature: version=%d, type=%d, algo=%d, hash=%d", version, sig_type, pub_algo, hash_algo);
 
  // Verify algorithm is Ed25519 (22 = EdDSA)
  if (pub_algo != 22) {
    log_error("Expected EdDSA algorithm (22), got %d", pub_algo);
    return -1;
  }
 
  // For v4 signatures: skip hashed subpackets
  if (version == 4) {
    if (offset + 2 > openpgp_len) {
      log_error("Cannot read hashed subpacket length");
      return -1;
    }
    uint16_t hashed_len = (openpgp_signature[offset] << 8) | openpgp_signature[offset + 1];
    offset += 2;
    offset += hashed_len; // Skip hashed subpackets
 
    if (offset + 2 > openpgp_len) {
      log_error("Cannot read unhashed subpacket length");
      return -1;
    }
    uint16_t unhashed_len = (openpgp_signature[offset] << 8) | openpgp_signature[offset + 1];
    offset += 2;
    offset += unhashed_len; // Skip unhashed subpackets
 
    // Skip left 16 bits of signed hash value
    if (offset + 2 > openpgp_len) {
      log_error("Cannot read hash left bits");
      return -1;
    }
    offset += 2;
  }
 
  // Now we're at the signature data (MPI format for Ed25519)
  // Ed25519 signature is: r (32 bytes) || s (32 bytes) = 64 bytes total
  // In OpenPGP, each MPI is encoded as: [2-byte bit count][data]
 
  if (offset + 2 > openpgp_len) {
    log_error("Cannot read MPI bit count for R");
    return -1;
  }
 
  uint16_t r_bits = (openpgp_signature[offset] << 8) | openpgp_signature[offset + 1];
  offset += 2;
  size_t r_bytes = (r_bits + 7) / 8;
 
  log_debug("R: %d bits (%zu bytes)", r_bits, r_bytes);
 
  if (r_bytes != 32) {
    log_error("Expected 32-byte R value, got %zu bytes", r_bytes);
    return -1;
  }
 
  if (offset + r_bytes > openpgp_len) {
    log_error("R value exceeds packet size");
    return -1;
  }
 
  memcpy(signature_out, &openpgp_signature[offset], 32);
  offset += r_bytes;
 
  // Read S value
  if (offset + 2 > openpgp_len) {
    log_error("Cannot read MPI bit count for S");
    return -1;
  }
 
  uint16_t s_bits = (openpgp_signature[offset] << 8) | openpgp_signature[offset + 1];
  offset += 2;
  size_t s_bytes = (s_bits + 7) / 8;
 
  log_debug("S: %d bits (%zu bytes)", s_bits, s_bytes);
 
  if (s_bytes != 32) {
    log_error("Expected 32-byte S value, got %zu bytes", s_bytes);
    return -1;
  }
 
  if (offset + s_bytes > openpgp_len) {
    log_error("S value exceeds packet size");
    return -1;
  }
 
  memcpy(signature_out + 32, &openpgp_signature[offset], 32);
 
  log_info("Successfully extracted 64-byte Ed25519 signature from OpenPGP packet");
 
  // Debug: Log signature components
  char hex_r[65], hex_s[65];
  for (int i = 0; i < 32; i++) {
    safe_snprintf(hex_r + i * 2, 3, "%02x", signature_out[i]);
    safe_snprintf(hex_s + i * 2, 3, "%02x", signature_out[i + 32]);
  }
  hex_r[64] = hex_s[64] = '\0';
  log_debug("Signature R (first 32 bytes): %s", hex_r);
  log_debug("Signature S (last 32 bytes): %s", hex_s);
 
  return 0;
}

References gpg_sign_with_key(), log_debug, log_error, log_info, and safe_snprintf().

Referenced by ed25519_sign_message().

gpg_sign_with_key()

int gpg_sign_with_key	(	const char *	key_id,
		const uint8_t *	message,
		size_t	message_len,
		uint8_t *	signature_out,
		size_t *	signature_len_out
	)

#include <signing.h>

Sign a message using GPG key and return OpenPGP signature.

Parameters

key_id	GPG key ID (8/16/40-char hex string, must not be NULL)
message	Message to sign (must not be NULL)
message_len	Message length in bytes (must be > 0)
signature_out	Output buffer for OpenPGP signature (must be >= 512 bytes)
signature_len_out	Output parameter for actual signature length (must not be NULL)

Returns

0 on success, -1 on error

Signs message using gpg --detach-sign and returns full OpenPGP signature packet. Signature is in binary OpenPGP format and includes packet headers.

Note

Key ID format: Accepts short (8-char), long (16-char), or full (40-char) hex key IDs. Prefix "0x" is optional and will be added automatically if missing. Examples: "7FE90A79F2E80ED3", "0x7FE90A79F2E80ED3", "EDDAE1DA7360D7F4"

Signing method: Uses gpg --detach-sign --local-user 0x<KEY_ID> command. Creates detached signature (signature separate from message).

Output format: Returns binary OpenPGP signature packet (RFC 4880). Signature includes packet headers and metadata beyond raw signature data. Typical size: 150-200 bytes for Ed25519 signatures.

Variable length: OpenPGP format means signature length varies. Always check signature_len_out to know actual signature length. Buffer must be at least 512 bytes to accommodate various key types.

GPG interaction: Executes gpg as subprocess and reads output. Signature is read from GPG's stdout in binary format.

Key passphrase handling:

• If key is encrypted, GPG may prompt for passphrase interactively
• Use gpg-agent for password-free signing (recommended)
• Or set $ASCII_CHAT_KEY_PASSWORD environment variable

Buffer requirements:

• signature_out: Must be at least 512 bytes
• signature_len_out: Will be set to actual signature length (typically 150-200 bytes)

Error conditions: Returns -1 if:

• Key ID not found in keyring
• Key is not Ed25519 (RSA/ECDSA not supported)
• gpg binary not found in PATH
• Signing operation fails (wrong passphrase, key expired, etc.)
• Output buffer too small (< 512 bytes)

Warning

GPG binary required: Requires gpg binary in PATH. Returns -1 if GPG is not installed or not accessible.

Ed25519 only: Only Ed25519 keys are supported (OpenPGP algorithm 22). RSA/ECDSA keys will return error.

Buffer size: signature_out must be at least 512 bytes. Smaller buffers may cause buffer overflow or signature truncation.

Key must exist: Key must exist in local GPG keyring. Returns -1 if key is not found (check with gpg --list-keys <KEY_ID>).

Sign a message using GPG key and return OpenPGP signature.

This function uses gpg --detach-sign which internally uses gpg-agent, so no passphrase prompt if the key is cached in the agent.

Parameters

key_id	GPG key ID (e.g., "7FE90A79F2E80ED3")
message	Message to sign
message_len	Message length
signature_out	Output buffer for signature (caller must provide at least 512 bytes)
signature_len_out	Actual signature length written

Returns

0 on success, -1 on error

Definition at line 44 of file signing.c.

                                                 {
  if (!key_id || !message || message_len == 0 || !signature_out || !signature_len_out) {
    log_error("Invalid parameters to gpg_sign_with_key");
    return -1;
  }
 
  char msg_path[512];
  char sig_path[512];
  int msg_fd = -1;
  int result = -1;
 
#ifdef _WIN32
  // Windows: use GetTempPath + GetTempFileName with process ID
  char temp_dir[MAX_PATH];
  if (GetTempPathA(sizeof(temp_dir), temp_dir) == 0) {
    log_error("Failed to get temp directory");
    return -1;
  }
 
  char msg_prefix[32];
  char sig_prefix[32];
  safe_snprintf(msg_prefix, sizeof(msg_prefix), "asc_msg_%lu_", GetCurrentProcessId());
  safe_snprintf(sig_prefix, sizeof(sig_prefix), "asc_sig_%lu_", GetCurrentProcessId());
 
  if (GetTempFileNameA(temp_dir, msg_prefix, 0, msg_path) == 0) {
    log_error("Failed to create temp message file");
    return -1;
  }
  if (GetTempFileNameA(temp_dir, sig_prefix, 0, sig_path) == 0) {
    log_error("Failed to create temp signature file");
    unlink(msg_path);
    return -1;
  }
 
  msg_fd = platform_open(msg_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
#else
  // Unix: use mkstemp with process ID in template
  safe_snprintf(msg_path, sizeof(msg_path), "/tmp/asciichat_msg_%d_XXXXXX", getpid());
  safe_snprintf(sig_path, sizeof(sig_path), "/tmp/asciichat_sig_%d_XXXXXX", getpid());
 
  msg_fd = mkstemp(msg_path);
  if (msg_fd < 0) {
    log_error("Failed to create temp message file: %s", SAFE_STRERROR(errno));
    return -1;
  }
 
  // Create signature file path (will be created by gpg)
  int sig_fd = mkstemp(sig_path);
  if (sig_fd < 0) {
    log_error("Failed to create temp signature file: %s", SAFE_STRERROR(errno));
    close(msg_fd);
    unlink(msg_path);
    return -1;
  }
  close(sig_fd);    // Close and let gpg overwrite it
  unlink(sig_path); // Remove it so gpg can create it fresh
#endif
 
  if (msg_fd < 0) {
    log_error("Failed to open temp message file");
    goto cleanup;
  }
 
  // Write message to temp file
  ssize_t written = write(msg_fd, message, message_len);
  close(msg_fd);
  msg_fd = -1;
 
  if (written != (ssize_t)message_len) {
    log_error("Failed to write message to temp file");
    goto cleanup;
  }
 
  // Escape key ID for shell command (prevent injection)
  char escaped_key_id[64];
  if (!escape_path_for_shell(key_id, escaped_key_id, sizeof(escaped_key_id))) {
    log_error("Failed to escape GPG key ID for shell command");
    goto cleanup;
  }
 
  // Call gpg --detach-sign
  char cmd[BUFFER_SIZE_LARGE];
#ifdef _WIN32
  safe_snprintf(cmd, sizeof(cmd), "gpg --local-user 0x%s --detach-sign --output \"%s\" \"%s\" 2>nul", escaped_key_id,
                sig_path, msg_path);
#else
  safe_snprintf(cmd, sizeof(cmd), "gpg --local-user 0x%s --detach-sign --output \"%s\" \"%s\" 2>/dev/null",
                escaped_key_id, sig_path, msg_path);
#endif
 
  log_debug("Signing with GPG: %s", cmd);
  int status = system(cmd);
  if (status != 0) {
    log_error("GPG signing failed (exit code %d)", status);
    goto cleanup;
  }
 
  // Read signature file
  FILE *sig_fp = fopen(sig_path, "rb");
  if (!sig_fp) {
    log_error("Failed to open signature file: %s", SAFE_STRERROR(errno));
    goto cleanup;
  }
 
  fseek(sig_fp, 0, SEEK_END);
  long sig_size = ftell(sig_fp);
  fseek(sig_fp, 0, SEEK_SET);
 
  if (sig_size <= 0 || sig_size > 512) {
    log_error("Invalid signature size: %ld bytes", sig_size);
    fclose(sig_fp);
    goto cleanup;
  }
 
  size_t bytes_read = fread(signature_out, 1, sig_size, sig_fp);
  fclose(sig_fp);
 
  if (bytes_read != (size_t)sig_size) {
    log_error("Failed to read signature file");
    goto cleanup;
  }
 
  *signature_len_out = sig_size;
  log_info("GPG signature created successfully (%zu bytes)", *signature_len_out);
  result = 0;
 
cleanup:
  if (msg_fd >= 0) {
    close(msg_fd);
  }
  unlink(msg_path);
  unlink(sig_path);
  return result;
}

References BUFFER_SIZE_LARGE, errno, escape_path_for_shell(), log_debug, log_error, log_info, platform_open(), safe_snprintf(), and SAFE_STRERROR.

Referenced by gpg_sign_detached_ed25519(), and gpg_verify_detached_ed25519().

gpg_verify_detached_ed25519()

int gpg_verify_detached_ed25519	(	const char *	key_id,
		const uint8_t *	message,
		size_t	message_len,
		const uint8_t	signature[64]
	)

#include <verification.h>

Verify Ed25519 signature using GPG binary.

Parameters

key_id	GPG key ID to use for verification (8/16/40-char hex, must not be NULL)
message	Message that was signed (must not be NULL)
message_len	Message length in bytes (must be > 0)
signature	64-byte Ed25519 signature (must not be NULL)

Returns

0 on success (valid signature), -1 on error (invalid signature or error)

Verifies raw Ed25519 signature using gpg --verify command. Converts raw signature to OpenPGP format, then uses GPG binary for verification.

Note

Key ID format: Accepts short (8-char), long (16-char), or full (40-char) hex key IDs. Prefix "0x" is optional and will be added automatically if missing. Examples: "7FE90A79F2E80ED3", "0x7FE90A79F2E80ED3", "EDDAE1DA7360D7F4"

Verification method: Uses gpg --verify command on converted OpenPGP signature. Checks both cryptographic validity and key trust status.

Signature format: Input must be raw 64-byte Ed25519 signature (R||S). Function internally converts to OpenPGP format for GPG binary. Not compatible with OpenPGP-wrapped signatures (use gpg_verify_signature_with_binary()).

Key trust checking: GPG binary checks key trust and expiry. Verification fails if key is expired, revoked, or untrusted.

Public key requirement: Key must be in GPG keyring for verification. Import public key first with gpg --import <public_key_file>.

Return value interpretation:

• 0: Signature is cryptographically valid and key is trusted
• -1: Signature invalid, key not found, key untrusted, or other error

Error conditions: Returns -1 if:

• Signature cryptographically invalid
• Key ID not found in keyring
• Key is expired or revoked
• Key is not trusted (not in web of trust)
• gpg binary not found in PATH
• OpenPGP conversion fails

Warning

GPG binary required: Requires gpg binary in PATH. Returns -1 if GPG is not installed or not accessible.

Ed25519 only: Only Ed25519 signatures are supported (OpenPGP algorithm 22). RSA/ECDSA signatures will return error.

Key must be imported: Public key must exist in GPG keyring. Returns -1 if key is not found (import with gpg --import).

Trust required: GPG checks key trust status. Verification may fail if key is not in web of trust.

Definition at line 35 of file verification.c.

                                                             {
  // Note: We don't use the raw signature parameter directly.
  // Instead, we regenerate the OpenPGP signature using GPG (Ed25519 is deterministic).
  (void)signature;
 
  log_info("gpg_verify_detached_ed25519: Verifying signature with key ID %s using gpg --verify", key_id);
 
  // To verify with GPG, we need to:
  // 1. Reconstruct the OpenPGP signature packet from the raw R||S signature
  // 2. Write message and signature to temp files
  // 3. Call gpg --verify
 
  // First, reconstruct OpenPGP signature by signing the same message
  // Since Ed25519 is deterministic, we should get the same OpenPGP packet
  uint8_t openpgp_signature[512];
  size_t openpgp_len = 0;
 
  int sign_result = gpg_sign_with_key(key_id, message, message_len, openpgp_signature, &openpgp_len);
  if (sign_result != 0) {
    log_error("Failed to create reference signature for verification");
    return -1;
  }
 
  // Now verify using gpg --verify
  char msg_path[] = "/tmp/gpg_verify_msg_XXXXXX";
  char sig_path[] = "/tmp/gpg_verify_sig_XXXXXX";
 
  int msg_fd = mkstemp(msg_path);
  if (msg_fd < 0) {
    log_error("Failed to create temporary message file");
    return -1;
  }
 
  int sig_fd = mkstemp(sig_path);
  if (sig_fd < 0) {
    close(msg_fd);
    unlink(msg_path);
    log_error("Failed to create temporary signature file");
    return -1;
  }
 
  // Write message
  if (write(msg_fd, message, message_len) != (ssize_t)message_len) {
    log_error("Failed to write message to temp file");
    close(msg_fd);
    close(sig_fd);
    unlink(msg_path);
    unlink(sig_path);
    return -1;
  }
  close(msg_fd);
 
  // Write OpenPGP signature
  if (write(sig_fd, openpgp_signature, openpgp_len) != (ssize_t)openpgp_len) {
    log_error("Failed to write signature to temp file");
    close(sig_fd);
    unlink(msg_path);
    unlink(sig_path);
    return -1;
  }
  close(sig_fd);
 
  // Call gpg --verify
  char cmd[1024];
  snprintf(cmd, sizeof(cmd), "gpg --verify '%s' '%s' 2>&1", sig_path, msg_path);
 
  log_debug("Running: %s", cmd);
  FILE *fp = popen(cmd, "r");
  if (!fp) {
    log_error("Failed to run gpg --verify");
    unlink(msg_path);
    unlink(sig_path);
    return -1;
  }
 
  char output[4096] = {0};
  size_t output_len = fread(output, 1, sizeof(output) - 1, fp);
  int exit_code = pclose(fp);
 
  // Cleanup temp files
  unlink(msg_path);
  unlink(sig_path);
 
  if (exit_code == 0) {
    log_info("GPG signature verification PASSED");
    return 0;
  } else {
    log_error("GPG signature verification FAILED (exit code %d)", exit_code);
    if (output_len > 0) {
      log_debug("GPG output: %s", output);
    }
    return -1;
  }
}

References gpg_sign_with_key(), log_debug, log_error, and log_info.

Referenced by ed25519_verify_signature().

gpg_verify_signature()

int gpg_verify_signature	(	const uint8_t *	public_key,
		const uint8_t *	message,
		size_t	message_len,
		const uint8_t *	signature
	)

#include <verification.h>

Verify Ed25519 signature using libgcrypt (no GPG binary required)

Parameters

public_key	32-byte Ed25519 public key (must not be NULL)
message	Message that was signed (must not be NULL)
message_len	Message length in bytes (must be > 0)
signature	64-byte Ed25519 signature (must not be NULL)

Returns

0 on success (valid signature), -1 on error (invalid signature or error)

Verifies Ed25519 signature directly using libgcrypt cryptographic library. Does not require GPG binary - performs pure cryptographic verification.

Note

Verification method: Uses libgcrypt's gcry_pk_verify() for Ed25519. Pure cryptographic verification - no key trust or expiry checking.

No GPG required: Works without GPG binary installed. Only requires libgcrypt library (linked during build).

Public key format: Accepts raw 32-byte Ed25519 public key. Can be extracted from GPG keyring using gpg_get_public_key().

Signature format: Input must be raw 64-byte Ed25519 signature (R||S). Compatible with signatures from gpg_sign_detached_ed25519(). Not compatible with OpenPGP-wrapped signatures.

No trust checking: Only verifies cryptographic signature validity. Does not check key expiry, revocation, or trust status. Use gpg_verify_detached_ed25519() if trust checking is needed.

Performance: Faster than GPG binary verification (no subprocess spawning). Suitable for high-frequency verification operations.

Use case: Prefer this when:

• You have raw public key (not just key ID)
• You don't need key trust/expiry checking
• You want faster verification (no subprocess)
• GPG binary may not be installed

Return value interpretation:

• 0: Signature is cryptographically valid for given public key
• -1: Signature invalid or verification error

Buffer requirements:

• public_key: Must be exactly 32 bytes (Ed25519 public key)
• signature: Must be exactly 64 bytes (Ed25519 signature)

Error conditions: Returns -1 if:

• Signature cryptographically invalid
• libgcrypt initialization fails
• Public key format invalid
• Signature format invalid

Warning

Ed25519 only: Only Ed25519 signatures are supported. Other key types will cause libgcrypt errors.

No trust checking: Does not verify key trust, expiry, or revocation. Only checks cryptographic signature validity.

Buffer sizes: public_key must be 32 bytes, signature must be 64 bytes. Other sizes will cause verification to fail.

Definition at line 131 of file verification.c.

                                                   {
#ifdef HAVE_LIBGCRYPT
  gcry_error_t err;
  gcry_sexp_t s_pubkey = NULL;
  gcry_sexp_t s_sig = NULL;
  gcry_sexp_t s_data = NULL;
 
  // Initialize libgcrypt if not already done
  if (!gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P)) {
    gcry_check_version(NULL);
    gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
    gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
  }
 
  // Build public key S-expression: (public-key (ecc (curve Ed25519) (flags eddsa) (q %b)))
  // CRITICAL: Must include (flags eddsa) to match libgcrypt's Ed25519 test suite!
  // See libgcrypt/tests/t-ed25519.c line 246-251
  err = gcry_sexp_build(&s_pubkey, NULL, "(public-key (ecc (curve Ed25519) (flags eddsa) (q %b)))", 32, public_key);
  if (err) {
    log_error("gpg_verify_signature: Failed to build public key S-expression: %s", gcry_strerror(err));
    return -1;
  }
 
  // Build signature S-expression: (sig-val (eddsa (r %b) (s %b)))
  // Signature is 64 bytes: first 32 bytes are R, last 32 bytes are S
  err = gcry_sexp_build(&s_sig, NULL, "(sig-val (eddsa (r %b) (s %b)))", 32, signature, 32, signature + 32);
  if (err) {
    log_error("gpg_verify_signature: Failed to build signature S-expression: %s", gcry_strerror(err));
    gcry_sexp_release(s_pubkey);
    return -1;
  }
 
  // Build data S-expression with raw message
  // CRITICAL: According to libgcrypt's test suite (t-ed25519.c line 273),
  // Ed25519 data should be: (data (value %b)) with NO FLAGS!
  // The (flags eddsa) belongs in the KEY S-expression above, NOT in the data.
  // GPG agent's internal format is different - this is the correct libgcrypt API usage.
  err = gcry_sexp_build(&s_data, NULL, "(data (value %b))", message_len, message);
  if (err) {
    log_error("gpg_verify_signature: Failed to build data S-expression: %s", gcry_strerror(err));
    gcry_sexp_release(s_pubkey);
    gcry_sexp_release(s_sig);
    return -1;
  }
 
  // Debug logging
  char pubkey_hex[65];
  char r_hex[65];
  char s_hex[65];
  char msg_hex[128];
 
  for (int i = 0; i < 32; i++) {
    snprintf(pubkey_hex + i * 2, 3, "%02x", public_key[i]);
    snprintf(r_hex + i * 2, 3, "%02x", signature[i]);
    snprintf(s_hex + i * 2, 3, "%02x", signature[32 + i]);
  }
  for (size_t i = 0; i < (message_len < 32 ? message_len : 32); i++) {
    snprintf(msg_hex + i * 2, 3, "%02x", message[i]);
  }
 
  log_debug("gpg_verify_signature: pubkey=%s", pubkey_hex);
  log_debug("gpg_verify_signature: R=%s", r_hex);
  log_debug("gpg_verify_signature: S=%s", s_hex);
  log_debug("gpg_verify_signature: msg=%s (len=%zu)", msg_hex, message_len);
 
  // Verify the signature
  err = gcry_pk_verify(s_sig, s_data, s_pubkey);
 
  // Clean up S-expressions
  gcry_sexp_release(s_pubkey);
  gcry_sexp_release(s_sig);
  gcry_sexp_release(s_data);
 
  if (err) {
    log_debug("gpg_verify_signature: Signature verification failed: %s", gcry_strerror(err));
    return -1;
  }
 
  log_debug("gpg_verify_signature: Signature verified successfully");
  return 0;
#else
  // Explicitly mark parameters as unused when libgcrypt is not available
  (void)public_key;
  (void)message;
  (void)message_len;
  (void)signature;
  log_error("gpg_verify_signature: libgcrypt not available");
  return -1;
#endif
}

References log_debug, and log_error.

gpg_verify_signature_with_binary()

int gpg_verify_signature_with_binary	(	const uint8_t *	signature,
		size_t	signature_len,
		const uint8_t *	message,
		size_t	message_len,
		const char *	expected_key_id
	)

#include <verification.h>

Verify OpenPGP signature using GPG binary.

Parameters

signature	GPG signature in OpenPGP packet format (must not be NULL)
signature_len	Signature length in bytes (must be > 0)
message	Message that was signed (must not be NULL)
message_len	Message length in bytes (must be > 0)
expected_key_id	Expected GPG key ID for signature (optional, can be NULL)

Returns

0 on success (valid signature), -1 on error (invalid signature or error)

Verifies OpenPGP-formatted signature using gpg --verify command. Accepts full OpenPGP signature packets from gpg_sign_with_key().

Note

Verification method: Uses gpg --verify on OpenPGP signature packet. Checks both cryptographic validity and key trust status.

Signature format: Input must be OpenPGP signature packet (binary format). Compatible with output from gpg_sign_with_key(). Not compatible with raw 64-byte Ed25519 signatures (use gpg_verify_detached_ed25519()).

OpenPGP parsing: GPG binary parses signature packet to extract:

• Signature algorithm (must be Ed25519/algorithm 22)
• Signing key ID
• Signature data

Key ID checking: If expected_key_id is provided, verifies signature was made by that key. Returns -1 if signature is from different key (prevents key substitution attacks).

Optional key verification: If expected_key_id is NULL, accepts signature from any key. Useful when you don't know signer's key ID in advance.

Public key requirement: Signing key must be in GPG keyring for verification. Import public key first with gpg --import <public_key_file>.

Key trust checking: GPG binary checks key trust and expiry. Verification fails if key is expired, revoked, or untrusted.

Variable length: OpenPGP signatures are variable length (typically 150-200 bytes). Must pass actual signature length in signature_len parameter.

Use case: Prefer this when:

• You have OpenPGP-formatted signature (from gpg_sign_with_key())
• You need key trust/expiry checking
• You want to verify signer identity (via expected_key_id)

Return value interpretation:

• 0: Signature valid, from expected key (if specified), and key trusted
• -1: Signature invalid, wrong key, key untrusted, or other error

Error conditions: Returns -1 if:

• Signature cryptographically invalid
• Signature from unexpected key (if expected_key_id specified)
• Signing key not found in keyring
• Key is expired or revoked
• Key is not trusted
• gpg binary not found in PATH
• OpenPGP packet parsing fails

Warning

GPG binary required: Requires gpg binary in PATH. Returns -1 if GPG is not installed or not accessible.

Ed25519 only: Only Ed25519 signatures are supported (OpenPGP algorithm 22). RSA/ECDSA signatures will return error.

Key must be imported: Signing public key must exist in GPG keyring. Returns -1 if key is not found (import with gpg --import).

Trust required: GPG checks key trust status. Verification may fail if key is not in web of trust.

Key ID mismatch: If expected_key_id is provided and signature is from different key, verification fails even if signature is cryptographically valid.

Definition at line 223 of file verification.c.

                                                                                      {
  // Validate inputs
  if (!signature || signature_len == 0 || signature_len > 512) {
    log_error("gpg_verify_signature_with_binary: Invalid signature (expected 1-512 bytes, got %zu)", signature_len);
    return -1;
  }
  if (!message || message_len == 0) {
    log_error("gpg_verify_signature_with_binary: Invalid message");
    return -1;
  }
 
  // Create temporary files for signature and message
  char sig_path[PLATFORM_MAX_PATH_LENGTH];
  char msg_path[PLATFORM_MAX_PATH_LENGTH];
  int sig_fd = -1;
  int msg_fd = -1;
  int result = -1;
 
#ifdef _WIN32
  // Windows temp file creation with process ID for concurrent process safety
  char temp_dir[PLATFORM_MAX_PATH_LENGTH];
  DWORD temp_dir_len = GetTempPathA(sizeof(temp_dir), temp_dir);
  if (temp_dir_len == 0 || temp_dir_len >= sizeof(temp_dir)) {
    log_error("Failed to get Windows temp directory");
    return -1;
  }
 
  // Create process-specific temp file prefixes (e.g., "asc_sig_12345_")
  char sig_prefix[32];
  char msg_prefix[32];
  safe_snprintf(sig_prefix, sizeof(sig_prefix), "asc_sig_%lu_", GetCurrentProcessId());
  safe_snprintf(msg_prefix, sizeof(msg_prefix), "asc_msg_%lu_", GetCurrentProcessId());
 
  // Create signature temp file
  if (GetTempFileNameA(temp_dir, sig_prefix, 0, sig_path) == 0) {
    log_error("Failed to create signature temp file: %lu", GetLastError());
    return -1;
  }
 
  // Create message temp file
  if (GetTempFileNameA(temp_dir, msg_prefix, 0, msg_path) == 0) {
    log_error("Failed to create message temp file: %lu", GetLastError());
    DeleteFileA(sig_path);
    return -1;
  }
 
  // Open files for writing (Windows CreateFile for binary mode)
  HANDLE sig_handle = CreateFileA(sig_path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_TEMPORARY, NULL);
  if (sig_handle == INVALID_HANDLE_VALUE) {
    log_error("Failed to open signature temp file: %lu", GetLastError());
    DeleteFileA(sig_path);
    DeleteFileA(msg_path);
    return -1;
  }
 
  DWORD bytes_written;
  if (!WriteFile(sig_handle, signature, (DWORD)signature_len, &bytes_written, NULL) || bytes_written != signature_len) {
    log_error("Failed to write signature to temp file: %lu", GetLastError());
    CloseHandle(sig_handle);
    DeleteFileA(sig_path);
    DeleteFileA(msg_path);
    return -1;
  }
  CloseHandle(sig_handle);
 
  HANDLE msg_handle = CreateFileA(msg_path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_TEMPORARY, NULL);
  if (msg_handle == INVALID_HANDLE_VALUE) {
    log_error("Failed to open message temp file: %lu", GetLastError());
    DeleteFileA(sig_path);
    DeleteFileA(msg_path);
    return -1;
  }
 
  if (!WriteFile(msg_handle, message, (DWORD)message_len, &bytes_written, NULL) || bytes_written != message_len) {
    log_error("Failed to write message to temp file: %lu", GetLastError());
    CloseHandle(msg_handle);
    DeleteFileA(sig_path);
    DeleteFileA(msg_path);
    return -1;
  }
  CloseHandle(msg_handle);
 
#else
  // Unix temp file creation with mkstemp() - include PID for concurrent process safety
  safe_snprintf(sig_path, sizeof(sig_path), "/tmp/asciichat_sig_%d_XXXXXX", getpid());
  safe_snprintf(msg_path, sizeof(msg_path), "/tmp/asciichat_msg_%d_XXXXXX", getpid());
 
  sig_fd = mkstemp(sig_path);
  if (sig_fd < 0) {
    log_error("Failed to create signature temp file: %s", SAFE_STRERROR(errno));
    return -1;
  }
 
  msg_fd = mkstemp(msg_path);
  if (msg_fd < 0) {
    log_error("Failed to create message temp file: %s", SAFE_STRERROR(errno));
    close(sig_fd);
    unlink(sig_path);
    return -1;
  }
 
  // Write signature to temp file
  ssize_t sig_written = write(sig_fd, signature, signature_len);
  if (sig_written != (ssize_t)signature_len) {
    log_error("Failed to write signature to temp file: %s", SAFE_STRERROR(errno));
    close(sig_fd);
    close(msg_fd);
    unlink(sig_path);
    unlink(msg_path);
    return -1;
  }
  close(sig_fd);
 
  // Write message to temp file
  ssize_t msg_written = write(msg_fd, message, message_len);
  if (msg_written != (ssize_t)message_len) {
    log_error("Failed to write message to temp file: %s", SAFE_STRERROR(errno));
    close(msg_fd);
    unlink(sig_path);
    unlink(msg_path);
    return -1;
  }
  close(msg_fd);
#endif
 
  // Build gpg --verify command
  char cmd[BUFFER_SIZE_LARGE];
#ifdef _WIN32
  safe_snprintf(cmd, sizeof(cmd), "gpg --verify \"%s\" \"%s\" 2>&1", sig_path, msg_path);
#else
  safe_snprintf(cmd, sizeof(cmd), "gpg --verify '%s' '%s' 2>&1", sig_path, msg_path);
#endif
 
  log_debug("Running GPG verify command: %s", cmd);
 
  // Execute gpg --verify command
  FILE *fp = SAFE_POPEN(cmd, "r");
  if (!fp) {
    log_error("Failed to execute gpg --verify command");
    goto cleanup;
  }
 
  // Parse output for "Good signature" and verify key ID
  char line[BUFFER_SIZE_MEDIUM];
  bool found_good_sig = false;
  bool found_key_id = false;
 
  while (fgets(line, sizeof(line), fp)) {
    log_debug("GPG output: %s", line);
 
    // Check for "Good signature"
    if (strstr(line, "Good signature")) {
      found_good_sig = true;
    }
 
    // Check if this line contains the expected key ID (GPG outputs key ID on separate line)
    if (expected_key_id && strlen(expected_key_id) > 0) {
      if (strstr(line, expected_key_id)) {
        found_key_id = true;
        log_debug("Found expected key ID in GPG output: %s", expected_key_id);
      }
    }
 
    // Check for signature errors
    if (strstr(line, "BAD signature")) {
      log_error("GPG reports BAD signature");
      SAFE_PCLOSE(fp);
      fp = NULL;
      goto cleanup;
    }
  }
 
  // Check exit code
  int status = SAFE_PCLOSE(fp);
  fp = NULL;
 
#ifdef _WIN32
  int exit_code = status;
#else
  int exit_code = WEXITSTATUS(status);
#endif
 
  if (exit_code != 0) {
    log_error("GPG verify failed with exit code: %d", exit_code);
    goto cleanup;
  }
 
  if (!found_good_sig) {
    log_error("GPG verify did not report 'Good signature'");
    goto cleanup;
  }
 
  // If expected_key_id was provided, verify we found it in the output
  if (expected_key_id && strlen(expected_key_id) > 0) {
    if (!found_key_id) {
      log_error("GPG signature key ID does not match expected key ID: %s", expected_key_id);
      goto cleanup;
    }
  }
 
  log_info("GPG signature verified successfully via gpg --verify binary");
  result = 0;
 
cleanup:
  // Clean up temp files
#ifdef _WIN32
  DeleteFileA(sig_path);
  DeleteFileA(msg_path);
#else
  unlink(sig_path);
  unlink(msg_path);
#endif
 
  if (fp) {
    SAFE_PCLOSE(fp);
  }
 
  return result;
}

References BUFFER_SIZE_LARGE, BUFFER_SIZE_MEDIUM, bytes_written, errno, log_debug, log_error, log_info, PLATFORM_MAX_PATH_LENGTH, SAFE_PCLOSE, SAFE_POPEN, safe_snprintf(), and SAFE_STRERROR.

known_hosts_cleanup()

void known_hosts_cleanup

(

void

)

#include <known_hosts.h>

Cleanup function to free cached known_hosts path.

Frees cached known_hosts file path. Should be called at program shutdown to clean up resources.

Note

Path caching: Path is cached after first call to get_known_hosts_path(). This function frees the cached path.

Safe to call multiple times: Function checks if cache exists before freeing. Safe to call even if cache was never allocated.

Definition at line 731 of file known_hosts.c.

                               {
  if (g_known_hosts_path_cache) {
    SAFE_FREE(g_known_hosts_path_cache);
    g_known_hosts_path_cache = NULL;
  }
}

References SAFE_FREE.

Referenced by asciichat_shared_init().

prompt_unknown_host()

bool prompt_unknown_host	(	const char *	server_ip,
		uint16_t	port,
		const uint8_t	server_key[32]
	)

#include <known_hosts.h>

Interactive prompt for unknown host - returns true if user wants to add, false to abort.

Parameters

server_ip	Server IP address (IPv4 or IPv6, must not be NULL)
port	Server port number
server_key	Server's Ed25519 public key (32 bytes, must not be NULL)

Returns

true if user wants to add to known_hosts, false to abort

Prompts user to add unknown host to known_hosts. Displays server information and key fingerprint for user verification.

Note

Prompt display: Shows server IP:port and key fingerprint (SHA256). Prompts user to accept (add to known_hosts) or reject (abort connection).

Key fingerprint: Displays SHA256 fingerprint of server key for verification. Fingerprint is displayed in hex format (64 hex chars).

Non-interactive mode: If not connected to TTY (snapshot mode), automatically adds host to known_hosts (returns true). This allows automated connections.

Security: User should verify key fingerprint before accepting. Only add host if key fingerprint matches expected value.

Warning

Always check return value. If false, connection should be aborted.

Definition at line 550 of file known_hosts.c.

                                                                                             {
  char fingerprint[CRYPTO_HEX_KEY_SIZE_NULL];
  compute_key_fingerprint(server_key, fingerprint);
 
  // Format IP:port with proper bracket notation for IPv6
  char ip_with_port[BUFFER_SIZE_MEDIUM];
  if (format_ip_with_port(server_ip, port, ip_with_port, sizeof(ip_with_port)) != ASCIICHAT_OK) {
    // Fallback to basic format if error
    safe_snprintf(ip_with_port, sizeof(ip_with_port), "%s:%u", server_ip, port);
  }
 
  // Check if we're running interactively (stdin is a terminal and not in snapshot mode)
  const char *env_skip_known_hosts_checking = platform_getenv("ASCII_CHAT_INSECURE_NO_HOST_IDENTITY_CHECK");
  if (env_skip_known_hosts_checking && strcmp(env_skip_known_hosts_checking, STR_ONE) == 0) {
    log_warn("Skipping known_hosts checking. This is a security vulnerability.");
    return true;
  }
#ifndef NDEBUG
  // In debug builds, also skip for Claude Code (LLM automation can't do interactive prompts)
  const char *env_claudecode = platform_getenv("CLAUDECODE");
  if (env_claudecode && strlen(env_claudecode) > 0) {
    log_warn("Skipping known_hosts checking (CLAUDECODE set in debug build).");
    return true;
  }
#endif
  if (!platform_isatty(STDIN_FILENO) || GET_OPTION(snapshot_mode)) {
    // SECURITY: Non-interactive mode - REJECT unknown hosts to prevent MITM attacks
    SET_ERRNO(ERROR_CRYPTO, "SECURITY: Cannot verify unknown host in non-interactive mode");
    log_error("ERROR: Cannot verify unknown host in non-interactive mode without environment variable bypass.\n"
              "This connection may be a man-in-the-middle attack!\n"
              "\n"
              "To connect to this host:\n"
              "  1. Run the client interactively (from a terminal with TTY)\n"
              "  2. Verify the fingerprint: SHA256:%s\n"
              "  3. Accept the host when prompted\n"
              "  4. The host will be added to: %s\n"
              "\n"
              "Connection aborted for security.\n"
              "To bypass this check, set the environment variable ASCII_CHAT_INSECURE_NO_HOST_IDENTITY_CHECK to 1",
              fingerprint, get_known_hosts_path());
    return false; // REJECT unknown hosts in non-interactive mode
  }
 
  // Interactive mode - prompt user
  // Lock terminal so only this thread can output to terminal
  // Other threads' logs are buffered until we unlock
  bool previous_terminal_state = log_lock_terminal();
 
  log_plain("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
            "@    WARNING: REMOTE HOST IDENTIFICATION NOT KNOWN!      @\n"
            "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
            "\n"
            "The authenticity of host '%s' can't be established.\n"
            "Ed25519 key fingerprint is SHA256:%s\n",
            ip_with_port, fingerprint);
 
  // Unlock before prompt (prompt_yes_no handles its own terminal locking)
  log_unlock_terminal(previous_terminal_state);
 
  // Prompt user - default is No for security
  if (platform_prompt_yes_no("Are you sure you want to continue connecting", false)) {
    log_warn("Warning: Permanently added '%s' to the list of known hosts.", ip_with_port);
    return true;
  }
 
  log_warn("Connection aborted by user.");
  return false;
}

References ASCIICHAT_OK, BUFFER_SIZE_MEDIUM, compute_key_fingerprint(), CRYPTO_HEX_KEY_SIZE_NULL, ERROR_CRYPTO, format_ip_with_port(), get_known_hosts_path(), GET_OPTION, log_error, log_lock_terminal(), log_plain, log_unlock_terminal(), log_warn, platform_getenv(), platform_isatty(), platform_prompt_yes_no(), safe_snprintf(), SET_ERRNO, and STR_ONE.

Referenced by crypto_handshake_client_key_exchange().

prompt_unknown_host_no_identity()

bool prompt_unknown_host_no_identity	(	const char *	server_ip,
		uint16_t	port
	)

#include <known_hosts.h>

Interactive prompt for unknown host without identity key - returns true if user wants to continue, false to abort.

Parameters

server_ip	Server IP address (IPv4 or IPv6, must not be NULL)
port	Server port number

Returns

true if user wants to continue (accepts no-identity connection), false to abort

Prompts user to accept unknown host without identity key. Displays server information and warns that identity cannot be verified.

Note

Prompt display: Shows server IP:port and warning that identity cannot be verified. Prompts user to accept (continue connection) or reject (abort connection).

Security warning: Warns that server identity cannot be verified (no identity key). Connection is vulnerable to MITM attacks without identity verification.

Non-interactive mode: If not connected to TTY (snapshot mode), automatically accepts connection (returns true). This allows automated connections.

No-identity entries: If user accepts, adds "no-identity" entry to known_hosts. This tracks that user previously accepted this server without identity verification.

Warning

Security limitation: Cannot verify server identity (no keys to compare). Connection is vulnerable to MITM attacks.

Always check return value. If false, connection should be aborted.

Definition at line 679 of file known_hosts.c.

                                                                           {
  // Format IP:port with proper bracket notation for IPv6
  char ip_with_port[BUFFER_SIZE_MEDIUM];
  if (format_ip_with_port(server_ip, port, ip_with_port, sizeof(ip_with_port)) != ASCIICHAT_OK) {
    // Fallback to basic format if error
    safe_snprintf(ip_with_port, sizeof(ip_with_port), "%s:%u", server_ip, port);
  }
 
  log_warn("\n"
           "The authenticity of host '%s' can't be established.\n"
           "The server has no identity key to verify its authenticity.\n"
           "\n"
           "WARNING: This connection is vulnerable to man-in-the-middle attacks!\n"
           "Anyone can intercept your connection and read your data.\n"
           "\n"
           "To secure this connection:\n"
           "  1. Server should use --key to provide an identity key\n"
           "  2. Client should use --server-key to verify the server\n"
           "\n",
           ip_with_port);
 
  // Check if we're running interactively (stdin is a terminal and not in snapshot mode)
  if (!platform_isatty(STDIN_FILENO) || GET_OPTION(snapshot_mode)) {
    // SECURITY: Non-interactive mode - REJECT unknown hosts without identity
    SET_ERRNO(ERROR_CRYPTO, "SECURITY: Cannot verify server without identity key in non-interactive mode");
    log_error("ERROR: Cannot verify server without identity key in non-interactive mode.\n"
              "ERROR: This connection is vulnerable to man-in-the-middle attacks!\n"
              "\n"
              "To connect to this host:\n"
              "  1. Run the client interactively (from a terminal with TTY)\n"
              "  2. Verify you trust this server despite no identity key\n"
              "  3. Accept the risk when prompted\n"
              "  OR better: Ask server admin to use --key for proper authentication\n"
              "\n"
              "Connection aborted for security.\n"
              "\n");
    return false; // REJECT unknown hosts without identity in non-interactive mode
  }
 
  // Interactive mode - prompt user (default is No for security)
  if (platform_prompt_yes_no("Are you sure you want to continue connecting", false)) {
    log_warn("Warning: Proceeding with unverified connection.\n"
             "Your data may be intercepted by attackers!\n"
             "\n");
    return true;
  }
 
  log_plain("Connection aborted by user.");
  return false;
}

References ASCIICHAT_OK, BUFFER_SIZE_MEDIUM, ERROR_CRYPTO, format_ip_with_port(), GET_OPTION, log_error, log_plain, log_warn, platform_isatty(), platform_prompt_yes_no(), safe_snprintf(), and SET_ERRNO.

Referenced by crypto_handshake_client_key_exchange().

read_trust_anchors_from_memory()

size_t read_trust_anchors_from_memory	(	anchor_list *	dst,
		const unsigned char *	pem_data,
		size_t	pem_len
	)

#include <pem_utils.h>

Read trust anchors from PEM-encoded data in memory.

Parameters

dst	Pointer to anchor_list to append trust anchors to (must not be NULL)
pem_data	Pointer to PEM-encoded certificate data (must not be NULL)
pem_len	Length of PEM data in bytes (must be > 0)

Returns

Number of trust anchors successfully decoded and added, or 0 on error

Parses PEM-encoded CA certificates from a memory buffer and converts them to BearSSL trust anchors. The trust anchors are appended to the provided anchor_list.

Note

PEM format: Accepts PEM-encoded certificates (--—BEGIN CERTIFICATE--—). Supports multiple certificates in single PEM data (concatenated).

Trust anchor parsing: Parses each certificate in PEM data and creates trust anchor structure. Appends trust anchors to anchor_list.

Memory allocation: Dynamically allocates memory for trust anchors. Resizes anchor_list.buf as needed (realloc).

Error handling: Returns 0 on error (parse error, memory error, etc.). Partially parsed trust anchors are retained (not rolled back).

Warning

Memory management: Trust anchors contain dynamically allocated memory. Must call free_ta_contents() for each anchor and free anchor_list.buf.

PEM data format: PEM data must be valid PEM-encoded certificates. Invalid PEM data may cause parse errors or crashes.

Definition at line 440 of file pem_utils.c.

                                                                                                       {
  br_x509_certificate *xcs;
  anchor_list tas = VEC_INIT;
  size_t u, num;
 
  xcs = read_certificates_from_memory(pem_data, pem_len, &num);
  if (xcs == NULL) {
    return 0;
  }
 
  for (u = 0; u < num; u++) {
    br_x509_trust_anchor ta;
 
    if (certificate_to_trust_anchor_inner(&ta, &xcs[u]) != ASCIICHAT_OK) {
      VEC_CLEAREXT(tas, free_ta_contents);
      free_certificates(xcs, num);
      return 0;
    }
    VEC_ADD(tas, ta);
  }
 
  VEC_ADDMANY(*dst, &VEC_ELT(tas, 0), num);
  VEC_CLEAR(tas);
  free_certificates(xcs, num);
  return num;
}

References ASCIICHAT_OK, free_ta_contents(), VEC_ADD, VEC_ADDMANY, VEC_CLEAR, VEC_CLEAREXT, VEC_ELT, and VEC_INIT.

Referenced by https_get().

remove_known_host()

asciichat_error_t remove_known_host	(	const char *	server_ip,
		uint16_t	port
	)

#include <known_hosts.h>

Remove server from known_hosts.

Parameters

server_ip	Server IP address (IPv4 or IPv6, must not be NULL)
port	Server port number

Returns

ASCIICHAT_OK on success, error code on failure

Removes all entries for server IP:port from known_hosts file. Removes both identity key entries and no-identity entries.

Note

Removal: Removes ALL entries matching IP:port (including multiple entries). File is rewritten with all matching entries removed.

File format: Removes entries matching <IP:port> x25519 ... and <IP:port> no-identity .... Uses proper bracket notation for IPv6 addresses.

File preservation: Preserves all other entries and comments. Only removes entries matching the specified IP:port.

Warning

File is rewritten: Function reads entire file, removes matching entries, and rewrites. Original file is preserved as backup if possible.

Definition at line 452 of file known_hosts.c.

                                                                          {
  // Validate parameters first
  if (!server_ip) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "Invalid parameter: server_ip=%p", server_ip);
  }
 
  const char *path = get_known_hosts_path();
  int fd = platform_open(path, PLATFORM_O_RDONLY, FILE_PERM_PRIVATE);
  if (fd < 0) {
    // File doesn't exist - nothing to remove, return success
    return ASCIICHAT_OK;
  }
  FILE *f = platform_fdopen(fd, "r");
  defer(SAFE_FCLOSE(f));
  if (!f) {
    platform_close(fd);
    SET_ERRNO_SYS(ERROR_CONFIG, "Failed to open known hosts file: %s", path);
    return ERROR_CONFIG;
  }
 
  // Format IP:port with proper bracket notation for IPv6
  char ip_with_port[BUFFER_SIZE_MEDIUM];
  if (format_ip_with_port(server_ip, port, ip_with_port, sizeof(ip_with_port)) != ASCIICHAT_OK) {
 
    return SET_ERRNO(ERROR_INVALID_PARAM, "Invalid IP format: %s", server_ip);
  }
 
  // Read all lines into memory
  char **lines = NULL;
  size_t num_lines = 0;
  defer({
    if (lines) {
      for (size_t i = 0; i < num_lines; i++) {
        SAFE_FREE(lines[i]);
      }
    }
    SAFE_FREE(lines);
  });
  char line[BUFFER_SIZE_XLARGE];
 
  char expected_prefix[BUFFER_SIZE_MEDIUM];
  safe_snprintf(expected_prefix, sizeof(expected_prefix), "%s ", ip_with_port);
 
  while (fgets(line, sizeof(line), f)) {
    // Skip lines that match this IP:port
    if (strncmp(line, expected_prefix, strlen(expected_prefix)) != 0) {
      // Keep this line
      char **new_lines = SAFE_REALLOC((void *)lines, (num_lines + 1) * sizeof(char *), char **);
      if (new_lines) {
        lines = new_lines;
        lines[num_lines] = platform_strdup(line);
        if (lines[num_lines] == NULL) {
          return SET_ERRNO(ERROR_MEMORY, "Failed to duplicate line from known_hosts file");
        }
        num_lines++;
      }
    }
  }
  // Close first file before opening for write
  if (f) {
    fclose(f);
    f = NULL; // Prevent double-close by defer
  }
 
  // Write back the filtered lines
  fd = platform_open(path, PLATFORM_O_WRONLY | PLATFORM_O_CREAT | PLATFORM_O_TRUNC, FILE_PERM_PRIVATE);
  f = platform_fdopen(fd, "w");
  if (!f) {
    // Cleanup on error - fdopen failed, so fd is still open but f is NULL
    // Individual line strings will be freed by defer cleanup
    platform_close(fd); // Close fd directly since fdopen failed
    return SET_ERRNO_SYS(ERROR_CONFIG, "Failed to open known hosts file: %s", path);
  }
 
  for (size_t i = 0; i < num_lines; i++) {
    (void)fputs(lines[i], f);
  }
  // All cleanup (lines, individual strings, file handle) handled by defer statements
 
  log_debug("KNOWN_HOSTS: Successfully removed host from known_hosts file: %s", path);
  return ASCIICHAT_OK;
}

References ASCIICHAT_OK, BUFFER_SIZE_MEDIUM, BUFFER_SIZE_XLARGE, defer, ERROR_CONFIG, ERROR_INVALID_PARAM, ERROR_MEMORY, FILE_PERM_PRIVATE, format_ip_with_port(), get_known_hosts_path(), log_debug, platform_close(), platform_fdopen(), PLATFORM_O_CREAT, PLATFORM_O_RDONLY, PLATFORM_O_TRUNC, PLATFORM_O_WRONLY, platform_open(), platform_strdup(), SAFE_FCLOSE, SAFE_FREE, SAFE_REALLOC, safe_snprintf(), SET_ERRNO, and SET_ERRNO_SYS.

ssh_agent_add_key()

asciichat_error_t ssh_agent_add_key	(	const private_key_t *	private_key,
		const char *	key_path
	)

#include <ssh_agent.h>

Add a private key to ssh-agent.

Parameters

private_key	Private key to add (must not be NULL)
key_path	Original key file path (for reference, can be NULL)

Returns

ASCIICHAT_OK on success, error code on failure

Adds private key to SSH agent using the SSH agent protocol.

Message format: uint32: message length byte: SSH2_AGENTC_ADD_IDENTITY (17) string: key type ("ssh-ed25519") string: public key (32 bytes) string: private key (64 bytes) string: comment (key path or empty)

Note

Agent requirement: SSH agent must be running and accessible. Function returns error if agent is not available.

Key format: Only Ed25519 keys are supported. Returns error if key type is not KEY_TYPE_ED25519.

Key addition: Uses SSH agent protocol directly via lib/platform/pipe.h abstraction:

• Connects to agent via Unix domain socket (POSIX) or named pipe (Windows)
• Sends SSH2_AGENTC_ADD_IDENTITY (17) message with key material
• Receives SSH_AGENT_SUCCESS (6) response on success
• No temporary files or external commands required

Platform abstraction: Uses lib/platform/pipe.h for cross-platform communication:

• POSIX: Unix domain socket via SSH_AUTH_SOCK environment variable
• Windows: Named pipe via SSH_AUTH_SOCK or default \\.\pipe\openssh-ssh-agent

Idempotent: SSH agent protocol is idempotent - adding same key multiple times is safe. Key is not duplicated in agent.

Key path: key_path is only used for logging/reference in agent comment field. No temporary files are created.

Warning

Agent requirement: SSH agent must be running and accessible. Returns error if agent connection fails (agent not running, wrong path, etc.).

Key format: Only Ed25519 keys are supported. Other key types will return error.

Definition at line 185 of file ssh_agent.c.

                                                                                            {
  if (private_key == NULL) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "Cannot add key to ssh-agent: private_key is NULL");
  }
  if (private_key->type != KEY_TYPE_ED25519) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "Cannot add key to ssh-agent: only Ed25519 keys supported");
  }
 
  log_info("Adding key to ssh-agent: %s", key_path ? key_path : "(memory)");
 
  // Open the pipe/socket for this operation (works on both Windows and Unix)
  pipe_t pipe = ssh_agent_open_pipe();
  if (pipe == INVALID_PIPE_VALUE) {
    return SET_ERRNO(ERROR_CRYPTO, "Failed to connect to ssh-agent");
  }
 
  // Build SSH agent protocol message: SSH2_AGENTC_ADD_IDENTITY (17)
  // Message format:
  //   uint32: message length
  //   byte:   SSH2_AGENTC_ADD_IDENTITY (17)
  //   string: key type ("ssh-ed25519")
  //   string: public key (32 bytes)
  //   string: private key (64 bytes)
  //   string: comment (key path or empty)
 
  unsigned char buf[BUFFER_SIZE_XXLARGE];
  size_t pos = 4; // Reserve space for length prefix
 
  // Message type: SSH2_AGENTC_ADD_IDENTITY
  buf[pos++] = 17;
 
  // Key type: "ssh-ed25519" (11 bytes)
  uint32_t len = 11;
  write_u32_be(buf + pos, len);
  pos += 4;
  // NOLINTNEXTLINE(bugprone-not-null-terminated-result) - Binary protocol, intentionally not null-terminated
  memcpy(buf + pos, "ssh-ed25519", 11);
  pos += 11;
 
  // Public key (32 bytes) - last 32 bytes of the 64-byte ed25519 key
  len = 32;
  write_u32_be(buf + pos, len);
  pos += 4;
  memcpy(buf + pos, private_key->key.ed25519 + 32, 32); // Public key is second half
  pos += 32;
 
  // Private key (64 bytes - full ed25519 key: 32-byte seed + 32-byte public)
  len = 64;
  write_u32_be(buf + pos, len);
  pos += 4;
  memcpy(buf + pos, private_key->key.ed25519, 64);
  pos += 64;
 
  // Comment (key path)
  len = key_path ? strlen(key_path) : 0;
 
  // SECURITY: Validate key path length to prevent buffer overflow
  // Buffer is BUFFER_SIZE_XXLARGE (4096), pos is ~128 at this point, need 4 bytes for length prefix
  size_t max_key_path_len = sizeof(buf) - pos - 4;
  if (len > max_key_path_len) {
    platform_pipe_close(pipe);
    sodium_memzero(buf, sizeof(buf));
    return SET_ERRNO(ERROR_BUFFER_OVERFLOW, "SSH key path too long: %u bytes (max %zu)", len, max_key_path_len);
  }
 
  write_u32_be(buf + pos, len);
  pos += 4;
  if (len > 0) {
    memcpy(buf + pos, key_path, len);
    pos += len;
  }
 
  // Write message length at start (excluding the 4-byte length field itself)
  uint32_t msg_len = pos - 4;
  write_u32_be(buf, msg_len);
 
  // Send message to agent
  ssize_t bytes_written = platform_pipe_write(pipe, buf, pos);
  if (bytes_written != (ssize_t)pos) {
    platform_pipe_close(pipe);
    sodium_memzero(buf, sizeof(buf));
    return SET_ERRNO_SYS(ERROR_CRYPTO, "Failed to write to ssh-agent pipe");
  }
 
  // Read response
  unsigned char response[BUFFER_SIZE_SMALL];
  ssize_t bytes_read = platform_pipe_read(pipe, response, sizeof(response));
  if (bytes_read < 5) {
    platform_pipe_close(pipe);
    sodium_memzero(buf, sizeof(buf));
    return SET_ERRNO_SYS(ERROR_CRYPTO, "Failed to read from ssh-agent pipe");
  }
 
  // Done with the pipe - close it
  platform_pipe_close(pipe);
  sodium_memzero(buf, sizeof(buf));
 
  // Check response: should be SSH_AGENT_SUCCESS (6)
  // Response format: uint32 length, byte message_type
  uint8_t response_type = response[4];
  if (response_type == 6) {
    log_info("Successfully added key to ssh-agent");
    return ASCIICHAT_OK;
  } else if (response_type == 5) {
    return SET_ERRNO(ERROR_CRYPTO, "ssh-agent rejected key (SSH_AGENT_FAILURE)");
  } else {
    return SET_ERRNO(ERROR_CRYPTO, "ssh-agent returned unexpected response: %d", response_type);
  }
}

References ASCIICHAT_OK, BUFFER_SIZE_SMALL, BUFFER_SIZE_XXLARGE, bytes_written, private_key_t::ed25519, ERROR_BUFFER_OVERFLOW, ERROR_CRYPTO, ERROR_INVALID_PARAM, INVALID_PIPE_VALUE, private_key_t::key, KEY_TYPE_ED25519, log_info, platform_pipe_close(), platform_pipe_read(), platform_pipe_write(), SET_ERRNO, SET_ERRNO_SYS, and private_key_t::type.

Referenced by parse_ssh_private_key().

ssh_agent_get_key()

asciichat_error_t ssh_agent_get_key	(	const public_key_t *	public_key,
		private_key_t *	key_out
	)

#include <ssh_agent.h>

Retrieve a private key from ssh-agent by matching public key.

Parameters

public_key	Public key to match (must not be NULL)
key_out	Output private key structure (must not be NULL)

Returns

ASCIICHAT_OK on success, error code on failure

Retrieves private key from SSH agent by sending SSH2_AGENTC_SIGN_REQUEST. This doesn't actually retrieve the private key material - instead it proves the key exists in the agent by attempting a signature operation.

Note

Agent requirement: SSH agent must be running and accessible. Returns error if agent is not available.

Key format: Only Ed25519 keys are supported.

Security: Private key never leaves ssh-agent. This function only verifies the key exists by matching the public key.

ssh_agent_has_key()

bool ssh_agent_has_key

(

const public_key_t *

public_key

)

#include <ssh_agent.h>

Check if a public key is already in ssh-agent.

Parameters

public_key

Public key to check (must not be NULL)

Returns

true if key is in agent, false otherwise

Checks if public key is already in SSH agent by listing agent keys using SSH agent protocol.

Note

Agent requirement: SSH agent must be running and accessible. Returns false if agent is not available.

Key listing: Uses SSH agent protocol directly via lib/platform/pipe.h abstraction:

• Connects to agent via Unix domain socket (POSIX) or named pipe (Windows)
• Sends SSH2_AGENTC_REQUEST_IDENTITIES (11) message
• Receives SSH2_AGENT_IDENTITIES_ANSWER (12) response with key list
• Parses response to find matching Ed25519 public key (32-byte comparison)

Key matching: Compares raw Ed25519 public keys (32 bytes) directly. No fingerprint computation required - direct byte comparison.

Platform abstraction: Uses lib/platform/pipe.h for cross-platform communication:

• POSIX: Unix domain socket via SSH_AUTH_SOCK environment variable
• Windows: Named pipe via SSH_AUTH_SOCK or default \\.\pipe\openssh-ssh-agent

Warning

Agent requirement: SSH agent must be running and accessible. Returns false if agent connection fails (agent not running, wrong path, etc.).

Definition at line 90 of file ssh_agent.c.

                                                       {
  if (public_key == NULL) {
    log_warn("NULL is not a valid public key");
    return false;
  }
 
  // Use SSH agent protocol to list keys (works on both Windows and Unix)
  pipe_t pipe = ssh_agent_open_pipe();
  if (pipe == INVALID_PIPE_VALUE) {
    return false;
  }
 
  // Build SSH2_AGENTC_REQUEST_IDENTITIES message (type 11)
  unsigned char request[5];
  request[0] = 0; // length: 1 (4-byte big-endian)
  request[1] = 0;
  request[2] = 0;
  request[3] = 1;
  request[4] = 11; // SSH2_AGENTC_REQUEST_IDENTITIES
 
  // Send request
  ssize_t bytes_written = platform_pipe_write(pipe, request, 5);
  if (bytes_written != 5) {
    platform_pipe_close(pipe);
    return false;
  }
 
  // Read response
  unsigned char response[BUFFER_SIZE_XXXLARGE];
  ssize_t bytes_read = platform_pipe_read(pipe, response, sizeof(response));
  if (bytes_read < 9) {
    platform_pipe_close(pipe);
    return false;
  }
 
  platform_pipe_close(pipe);
 
  // Parse response: type should be SSH2_AGENT_IDENTITIES_ANSWER (12)
  uint8_t resp_type = response[4];
  if (resp_type != 12) {
    return false;
  }
 
  // Number of keys at bytes 5-8
  uint32_t num_keys = read_u32_be(response + 5);
 
  // Parse keys and check if our public key matches
  size_t pos = 9;
  for (uint32_t i = 0; i < num_keys && pos + 4 < (size_t)bytes_read; i++) {
    // Read key blob length
    uint32_t blob_len = read_u32_be(response + pos);
    pos += 4;
 
    if (pos + blob_len > (size_t)bytes_read)
      break;
 
    // Parse the blob to extract the Ed25519 public key
    size_t blob_pos = pos;
    // Skip key type string
    if (blob_pos + 4 > pos + blob_len) {
      pos += blob_len;
      continue;
    }
    uint32_t type_len = read_u32_be(response + blob_pos);
    blob_pos += 4 + type_len;
 
    // Read public key data
    if (blob_pos + 4 > pos + blob_len) {
      pos += blob_len;
      continue;
    }
    uint32_t pubkey_len = read_u32_be(response + blob_pos);
    blob_pos += 4;
 
    // Compare public key (should be 32 bytes for Ed25519)
    // Use constant-time comparison to prevent timing side channels
    if (pubkey_len == 32 && blob_pos + 32 <= pos + blob_len) {
      if (sodium_memcmp(response + blob_pos, public_key->key, 32) == 0) {
        log_debug("Found matching key in ssh-agent");
        return true;
      }
    }
 
    pos += blob_len;
 
    // Skip comment string length + comment
    if (pos + 4 > (size_t)bytes_read)
      break;
    uint32_t comment_len = read_u32_be(response + pos);
    pos += 4 + comment_len;
  }
 
  return false;
}

References BUFFER_SIZE_XXXLARGE, bytes_written, INVALID_PIPE_VALUE, public_key_t::key, log_debug, log_warn, platform_pipe_close(), platform_pipe_read(), and platform_pipe_write().

Referenced by parse_ssh_private_key().

ssh_agent_is_available()

bool ssh_agent_is_available

(

void

)

#include <ssh_agent.h>

Check if ssh-agent is running and available.

Returns

true if ssh-agent is available, false otherwise

Checks if SSH agent is running and accessible by verifying SSH_AUTH_SOCK environment variable.

Note

Agent detection:

• Checks SSH_AUTH_SOCK environment variable is set
• On Unix: Verifies socket exists and is accessible (access() with W_OK)
• On Windows: Only checks environment variable (named pipe accessibility checked at connection time)

Platform differences:

• Unix: Uses Unix domain socket (AF_UNIX) - can verify socket exists
• Windows: Uses named pipe - can't use access() on named pipes

Agent location:

• Unix: SSH_AUTH_SOCK points to Unix domain socket (e.g., /tmp/ssh-XXXXXXXX/agent.XXXXXX)
• Windows: SSH_AUTH_SOCK points to named pipe (e.g., \\.\pipe\openssh-ssh-agent)

Warning

Agent may not be running: Function checks environment variable but doesn't verify agent is actually running. Connection may fail later if agent is not running.

Windows limitation: Cannot verify named pipe accessibility without attempting connection. Function may return true even if agent is not running (connection will fail later).

Definition at line 52 of file ssh_agent.c.

                                  {
  // Check if SSH_AUTH_SOCK environment variable is set
  const char *auth_sock = SAFE_GETENV("SSH_AUTH_SOCK");
 
#ifdef _WIN32
  // On Windows, if SSH_AUTH_SOCK is not set, try to open the Windows named pipe to check availability
  if (!auth_sock || strlen(auth_sock) == 0) {
    pipe_t pipe = ssh_agent_open_pipe();
    if (pipe != INVALID_PIPE_VALUE) {
      platform_pipe_close(pipe); // Close immediately after checking
      log_debug("ssh-agent is available via Windows named pipe (SSH_AUTH_SOCK not set)");
      return true;
    } else {
      log_debug("ssh-agent not available: SSH_AUTH_SOCK not set and Windows named pipe not accessible");
      return false;
    }
  }
 
  // SSH_AUTH_SOCK is set on Windows
  log_debug("ssh-agent appears available (SSH_AUTH_SOCK=%s)", auth_sock);
  return true;
#else
  // Unix: SSH_AUTH_SOCK is required
  if (!auth_sock || strlen(auth_sock) == 0) {
    log_debug("ssh-agent not available: SSH_AUTH_SOCK not set");
    return false;
  }
 
  // Check if Unix socket exists and is accessible
  if (access(auth_sock, W_OK) != 0) {
    log_debug("ssh-agent not available: cannot access socket at %s", auth_sock);
    return false;
  }
  log_debug("ssh-agent is available at %s", auth_sock);
  return true;
#endif
}

References INVALID_PIPE_VALUE, log_debug, platform_pipe_close(), and SAFE_GETENV.

ssh_agent_sign()

asciichat_error_t ssh_agent_sign	(	const public_key_t *	public_key,
		const uint8_t *	message,
		size_t	message_len,
		uint8_t	signature[64]
	)

#include <ssh_agent.h>

Sign data using SSH agent with the specified public key.

Parameters

public_key	Public key to use for signing (must not be NULL)
message	Data to sign (must not be NULL)
message_len	Length of data to sign
signature	Output buffer for signature (must be 64 bytes for Ed25519)

Returns

ASCIICHAT_OK on success, error code on failure

Signs message data using SSH agent protocol SSH2_AGENTC_SIGN_REQUEST (message type 13).

Note

Agent requirement: SSH agent must be running and accessible, and must have the private key corresponding to public_key.

Only Ed25519 signatures are supported (64 bytes).

The public key must already be in the ssh-agent (check with ssh_agent_has_key first).

Definition at line 295 of file ssh_agent.c.

                                                        {
  if (!public_key || !message || !signature) {
    return SET_ERRNO(ERROR_INVALID_PARAM, "Invalid parameters: public_key=%p, message=%p, signature=%p", public_key,
                     message, signature);
  }
 
  if (public_key->type != KEY_TYPE_ED25519) {
    return SET_ERRNO(ERROR_CRYPTO_KEY, "Only Ed25519 keys are supported for SSH agent signing");
  }
 
  // Connect to SSH agent
  pipe_t pipe = ssh_agent_open_pipe();
  if (pipe == INVALID_PIPE_VALUE) {
    return SET_ERRNO(ERROR_CRYPTO, "Cannot connect to ssh-agent");
  }
 
  // Build SSH2_AGENTC_SIGN_REQUEST message (type 13)
  // Format: uint32 length, byte type, string key_blob, string data, uint32 flags
  // For Ed25519, key_blob is: string "ssh-ed25519", string public_key(32 bytes)
 
  const char *key_type = "ssh-ed25519";
  uint32_t key_type_len = (uint32_t)strlen(key_type);
 
  // Calculate total message length
  // 1 (type) + 4 (key_blob_len) + key_blob_size + 4 (data_len) + data_size + 4 (flags)
  uint32_t key_blob_size = 4 + key_type_len + 4 + 32; // string(key_type) + string(pubkey)
  uint32_t total_len = 1 + 4 + key_blob_size + 4 + message_len + 4;
 
  uint8_t *buf = SAFE_MALLOC(total_len + 4, uint8_t *); // +4 for length prefix
  if (!buf) {
    platform_pipe_close(pipe);
    return SET_ERRNO(ERROR_CRYPTO, "Out of memory for SSH agent sign request");
  }
 
  uint32_t offset = 0;
 
  // Write total message length (excluding this 4-byte length field)
  write_u32_be(buf + offset, total_len);
  offset += 4;
 
  // Write message type (13 = SSH2_AGENTC_SIGN_REQUEST)
  buf[offset++] = 13;
 
  // Write key_blob length
  write_u32_be(buf + offset, key_blob_size);
  offset += 4;
 
  // Write key_blob: string(key_type)
  write_u32_be(buf + offset, key_type_len);
  offset += 4;
  memcpy(buf + offset, key_type, key_type_len);
  offset += key_type_len;
 
  // Write key_blob: string(public_key)
  write_u32_be(buf + offset, 32);
  offset += 4;
  memcpy(buf + offset, public_key->key, 32);
  offset += 32;
 
  // Write data to sign
  write_u32_be(buf + offset, (uint32_t)message_len);
  offset += 4;
  memcpy(buf + offset, message, message_len);
  offset += (uint32_t)message_len;
 
  // Write flags (0 = default)
  write_u32_be(buf + offset, 0);
  offset += 4;
 
  // Send request
  ssize_t written = platform_pipe_write(pipe, buf, total_len + 4);
  sodium_memzero(buf, total_len + 4);
  SAFE_FREE(buf);
 
  if (written < 0 || (size_t)written != total_len + 4) {
    platform_pipe_close(pipe);
    return SET_ERRNO(ERROR_CRYPTO, "Failed to write SSH agent sign request");
  }
 
  // Read response
  uint8_t response[BUFFER_SIZE_XXLARGE];
  ssize_t read_bytes = platform_pipe_read(pipe, response, sizeof(response));
  platform_pipe_close(pipe);
 
  if (read_bytes < 5) {
    return SET_ERRNO(ERROR_CRYPTO, "Failed to read SSH agent sign response (read %zd bytes)", read_bytes);
  }
 
  // Response format: uint32 length, byte type, data...
  // We validate length implicitly by checking read_bytes and parsing the full response
  (void)read_u32_be(response); // Read but don't need explicit length check
  uint8_t response_type = response[4];
 
  // Check for SSH2_AGENT_SIGN_RESPONSE (14)
  if (response_type != 14) {
    if (response_type == 5) {
      return SET_ERRNO(ERROR_CRYPTO, "ssh-agent refused to sign (SSH_AGENT_FAILURE)");
    }
    return SET_ERRNO(ERROR_CRYPTO, "ssh-agent returned unexpected response type: %d (expected 14)", response_type);
  }
 
  // Parse signature blob
  // Response format: uint32 len, byte type(14), string signature_blob
  if (read_bytes < 9) {
    return SET_ERRNO(ERROR_CRYPTO, "SSH agent response too short (no signature blob length)");
  }
 
  uint32_t sig_blob_len = read_u32_be(response + 5);
  uint32_t expected_total = 4 + 1 + 4 + sig_blob_len;
 
  if ((size_t)read_bytes < expected_total) {
    return SET_ERRNO(ERROR_CRYPTO, "SSH agent response truncated (expected %u bytes, got %zd)", expected_total,
                     read_bytes);
  }
 
  // Signature blob format for Ed25519: string "ssh-ed25519", string signature(64 bytes)
  uint32_t offset_sig = 9;
  uint32_t sig_type_len = read_u32_be(response + offset_sig);
  offset_sig += 4;
 
  if (offset_sig + sig_type_len + 4 > (uint32_t)read_bytes) {
    return SET_ERRNO(ERROR_CRYPTO, "SSH agent signature blob truncated at signature type");
  }
 
  // Verify signature type is "ssh-ed25519"
  if (sig_type_len != 11 || memcmp(response + offset_sig, "ssh-ed25519", 11) != 0) {
    return SET_ERRNO(ERROR_CRYPTO, "SSH agent returned non-Ed25519 signature");
  }
  offset_sig += sig_type_len;
 
  // Read signature bytes
  uint32_t sig_len = read_u32_be(response + offset_sig);
  offset_sig += 4;
 
  if (sig_len != 64) {
    return SET_ERRNO(ERROR_CRYPTO, "SSH agent returned invalid Ed25519 signature length: %u (expected 64)", sig_len);
  }
 
  if (offset_sig + 64 > (uint32_t)read_bytes) {
    return SET_ERRNO(ERROR_CRYPTO, "SSH agent signature blob truncated at signature bytes");
  }
 
  // Copy signature to output
  memcpy(signature, response + offset_sig, 64);
 
  log_debug("SSH agent successfully signed %zu bytes with Ed25519 key", message_len);
  return ASCIICHAT_OK;
}

References ASCIICHAT_OK, BUFFER_SIZE_XXLARGE, ERROR_CRYPTO, ERROR_CRYPTO_KEY, ERROR_INVALID_PARAM, INVALID_PIPE_VALUE, public_key_t::key, KEY_TYPE_ED25519, log_debug, platform_pipe_close(), platform_pipe_read(), platform_pipe_write(), SAFE_FREE, SAFE_MALLOC, SET_ERRNO, and public_key_t::type.

Referenced by ed25519_sign_message().

Variable Documentation

buf

br_x509_trust_anchor* anchor_list::buf

Array of trust anchors (dynamically allocated)

Definition at line 79 of file pem_utils.h.

Referenced by https_get().

len

size_t anchor_list::len

Total capacity of array

Definition at line 81 of file pem_utils.h.

ptr

size_t anchor_list::ptr

Current number of trust anchors

Definition at line 80 of file pem_utils.h.

Referenced by https_get().