sesame_cli 0.2.0

P2P encrypted chat with deniable authentication, panic mode, and multi-peer mesh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

# Sesame


**Sesame** is a peer-to-peer encrypted chat over TLS 1.3 with deniable authentication, traffic obfuscation, and a panic mode. No servers, no central authority — just a shared passphrase and direct connections.

## Features


- **End-to-end encryption** — Double Ratchet algorithm (Signal protocol) on top of TLS 1.3 mTLS
- **Deniable authentication** — Zero-knowledge proof of shared passphrase without revealing it
- **Peer-to-peer** — No servers, no accounts, no infrastructure. Connect directly via IP:port
- **Multi-peer mesh** — Three or more peers in a fully connected mesh. Peer discovery propagates addresses automatically
- **Traffic obfuscation** — Constant-rate dummy traffic, uniform frame padding, memory locking to prevent secrets from swapping to disk
- **Panic mode** — Start with `--decoy` to use a decoy passphrase; the UI shows a clear indicator
- **Encrypted group chat** — Every peer-to-peer link is independently ratcheted; messages are broadcast to all connected peers

## Security


See [`SECURITY.md`](docs/SECURITY.md) for the formal threat model, current guarantees, known production gaps, and operational requirements.

- **TLS 1.3 mutual authentication** with self-signed Ed25519 certificates (generated at each startup, never persisted)
- **Argon2id** for passphrase hashing (memory-hard, resistant to GPU/ASIC attacks)
- **HKDF-SHA256** for key derivation
- **ChaCha20-Poly1305** for authenticated encryption
- **X25519** for elliptic-curve Diffie-Hellman key exchange
- **mlock** on key material (Windows via `VirtualLock`) to prevent memory from being swapped to disk
- **Automatic memory zeroing** via `zeroize` on session keys and secrets

All cryptographic material lives **in RAM only** — nothing is written to disk.

## Build


### Prerequisites


- [Rust](https://rustup.rs/) 1.75+ (stable)

### Compile


```bash
git clone https://github.com/cruemy/mailer.git
cd mailer
cargo build --release
```

The binary will be at `target/release/sesame.exe` (Windows) or `target/release/sesame` (Linux/macOS).

### Run directly


```bash
cargo run --release -- --phrase "your passphrase"
```

For safer local handling, prefer passing the phrase through a file descriptor when possible:

```bash
printf '%s' "your passphrase" | cargo run --release -- --phrase-fd 0
```

## Quick start


### Two people


**Person A** (just listens):

```bash
cargo run --release -- --phrase "secret"
```

**Person B** (connects to A):

```bash
cargo run --release -- --peer 192.168.1.42:9000 --phrase "secret"
```

### Three or more people


Only one person needs to listen; everyone else connects to at least one other peer. Peer discovery propagates the rest.

```bash
# Person 1 (listener)

cargo run --release -- --phrase "secret"

# Person 2 (connects to 1)

cargo run --release -- --peer 192.168.1.42:9000 --phrase "secret"

# Person 3 (connects to 1)

cargo run --release -- --peer 192.168.1.42:9000 --phrase "secret"
```

### Resilience (bidirectional)


For automatic reconnection when anyone disconnects, have every peer point to each other:

```bash
# Each person lists all other known peers

cargo run --release -- --peer 192.168.1.99:9000 --peer 192.168.1.77:9000 --phrase "secret"
```

See [USAGE.md](docs/USAGE.md) for detailed scenarios, CLI reference, and session management (Esc / F12 / disconnection behavior).

## UI Controls


| Key | Action |
|-----|--------|
| `Enter` | Send message |
| `Esc` | Clean exit — sends GOODBYE to peers, they stop reconnecting. On 1:1 / 1→N, receiver also closes |
| `F12` | Panic — regenerates TLS identity, clears all sessions and known peers. Process stays running with new identity |
| `Page Up` / `Page Down` | Scroll chat history |

## Display Name


Set a persistent visible name with `--display-name "Name"`. Stored in the platform config directory (`~/.config/sesame/` or `%APPDATA%\sesame\`). Peers see your name instead of the raw PeerId.

```bash
sesame --phrase "secret" --display-name "Alice"
```

See [USAGE.md](docs/USAGE.md) for details.

## Windows Firewall


If another peer can't reach you (connection refused / timeout), Windows Firewall is usually the culprit.

**Step 1 — Allow inbound port** (PowerShell as Administrator):

```powershell
New-NetFirewallRule -DisplayName "Sesame P2P" -Direction Inbound -Protocol TCP -LocalPort 9000 -Action Allow
```

This creates a firewall rule allowing TCP traffic on port `9000`. Change the port if you used `--port` with a different value.

**Step 2 — Temporarily disable firewall for diagnostics** (PowerShell as Administrator):

```powershell
Set-NetFirewallProfile -Profile (Get-NetConnectionProfile).NetworkCategory -Enabled False
```

This turns off the firewall **only for your active network profile**. Test the connection; if it works, re-enable with `-Enabled True`. If it still fails with the firewall off, the issue is elsewhere (different subnet, wrong IP, etc.).

**Verify local connectivity:**

```powershell
Test-NetConnection -ComputerName 127.0.0.1 -Port 9000
```

If `TcpTestSucceeded` is `True`, sesame is listening. Then test from the other PC using the listener's IP instead of `127.0.0.1`.

## License


MIT