1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
//!
//! # Construction
//!
//! `sealed-channel` is a transport-agnostic, forward-secret authenticated
//! record channel. It performs **pure compute only**: it knows nothing about
//! sockets, WebSockets, JSON, browsers, tokens, or any transport, and it
//! performs **no RNG and no I/O**. The caller supplies all randomness, the
//! ephemeral keys, and the Diffie-Hellman shared secret.
//!
//! Keys are derived with HKDF-SHA256 from the pre-shared secret (PSK), the
//! externally-supplied ephemeral DH shared secret, and a transcript hash that
//! binds the exact bytes of both handshake messages. Records are sealed with
//! ChaCha20-Poly1305, with the cleartext `magic || seq` header used as the
//! AEAD additional authenticated data and a per-direction nonce prefix
//! concatenated with the big-endian sequence number used as the nonce.
//!
//! Forward secrecy comes from the **ephemeral** DH shared secret supplied by
//! the caller: once the ephemeral private keys are discarded, past traffic
//! cannot be decrypted even if the PSK is later compromised.
//!
//! # CRITICAL SECURITY INVARIANT
//!
//! Authentication strength equals the entropy of the PSK. An active
//! man-in-the-middle (e.g. a relay) can perform its own DH with each side and
//! therefore knows both DH shared secrets; the ONLY thing keeping it out is
//! the PSK, which it does not know. The PSK MUST be high-entropy (at least 128
//! bits, 256 recommended). NEVER pass a low-entropy secret such as a PIN or
//! password as the PSK — authenticating a weak secret against an active MITM
//! requires a PAKE (e.g. SPAKE2+ / OPAQUE), which this crate is NOT.
extern crate alloc;
pub use Error;
pub use ;
pub use SessionKeys;
pub use transcript_hash;