Documentation ¶
Index ¶
- Constants
- Variables
- type Crypto
- func (cr *Crypto) ClientKEx(client client.Client, clientAddr string, pkt packet.Packet) error
- func (cr *Crypto) ConfigureKeyExClientPkt(addr string, pw packet.Writer)
- func (cr *Crypto) ConfigureKeyExServerPkt(pw packet.Writer)
- func (cr *Crypto) DecryptE2E(sender string, pkt packet.Packet) error
- func (cr *Crypto) DecryptFrom(addr string, data []byte) ([]byte, error)
- func (cr *Crypto) EncryptE2E(to string, pkt packet.Packet) error
- func (cr *Crypto) EncryptFor(addr string, data []byte) ([]byte, error)
- func (cr *Crypto) Extend(kind string, target core.Processor) error
- func (cr *Crypto) IsKeyExchanged(addr string) bool
- func (cr *Crypto) ProcessKeyExResp(addr string, resp packet.Packet) error
- func (cr *Crypto) ServerKEx(client client.Client, svrAddr string, pkt packet.Packet) error
- type PublicKey
Constants ¶
const ( TargetKeyExchangeServer = "crypto.kex-cs" TargetKeyExchangeClient = "crypto.kex-cc" )
Target names the Crypto extension reserves.
const ( // KeyNoCipher is a metadata key, which when set to "true" in a packet causes // the Crypto extension to skip that packet. KeyNoCrypto = "_no_crypto" )
Metadata keys for Crypto extension
Variables ¶
var Curve = elliptic.P256()
Curve is the elliptic curve used by Crypto.
Functions ¶
This section is empty.
Types ¶
type Crypto ¶
type Crypto struct {
// contains filtered or unexported fields
}
Crypto is a cyrptographic extension for a Server/Client. It provides, mainly, the ability to share keys and establish shared secrets. It uses the ECDSA algorithm with (currenly) NIST P-256 for the curve.
Before installation onto a Processor, a key exchange to the server will need to be performed. Due to the transforms that it installs on the in/out data pipelines on a client/server, these pipelines will fail if there is no shared key to the packet destination (when sending) or source (when receiving). To perform a server key exchange, create a packet and use the Crypto.ConfigureKeyExServerPkt method to configure it to target a server key exchange and then use Cryto.ProcessKeyExServer method to process the response, which when successful, will add the key to the internal key store, after which the pipelines will be unblocked.
func ConfigureClient ¶
ConfigureClient secures the given client by installing the Crypto extension on it (to which a pointer is returned). It then performs a key exchange with svrAddr. If successful, the connection between the server and the returned client will be secure i.e. packets sent between the server and the client will be encrypted with AES, using a shared key generated using ECDH. The `pkt` parameter will be used to compose the key exchange packet with the server (ownership of `pkt` is assumed by ConfigureClient).
func (*Crypto) ClientKEx ¶
ClientKEx performs a key exchange between the client and the client at clientAddr. If successful, there will then exist a shared key between `clientAddr` (remote) and `client` (local). This shared key can be used for end-to-end encryption with `clientAddr` with the {Encrypt,Decrypt}E2E methods.
func (*Crypto) ConfigureKeyExClientPkt ¶
ConfigureKeyExClientPkt writes the configuration (target, metadata, body, etc) for a client-client key-exchange with the given address to the packet. The packet being written to must be new and after a call to this method, the packet's Write method should not be used. Also, this method will clear pw's underlying Packet.
func (*Crypto) ConfigureKeyExServerPkt ¶
ConfigureKeyExServerPkt writes the configuration (target, metadata, body, etc) for a client-server key-exchange. The packet being written to must be new and after a call to this method, the packet's Write method should not be used. Also, this method will clear pw's underlying packet.
func (*Crypto) DecryptE2E ¶
DecryptE2E performs decryption on end-to-end encrypted packet data from the specified sender. The packet is modified so that its Data method returns the decrypted data. Clients should use this to decrypt packets.
Note that before this function can work, it needs a shared key with the sender of the packet. If a key exchange has been successfully performed, then there will most likely be no errors.
func (*Crypto) DecryptFrom ¶
DecryptFrom decrypts the given data using the shared key with `addr. The returned error is non-nil if there is no shared key between with the address and if there is an error in the decryption process.
It is used in end-to-end encryption to decrypt incoming payloads, which have been server-relayed from the given address. To generate a shared key with `addr`, a client-client key exchange has to be performed.
func (*Crypto) EncryptE2E ¶
EncryptE2E performs encryption on the packet's data for end-to-end encryption during transit to the packet's destination. The packet is modified so that its Data method returns the encrypted data. Clients should use this to encrypt their application data. Note that E2E does not imply that the entire packet is encrypted since the packet metadata will still possibly be plain text. To get full-packet encryption, clients should install Crypto on their `client` handle, and perform a key-exchange with they servers they interact with to get full-packet encryption between the client and the servers.
Note that before this function can work, it needs a shared key with the destination to which the packet is destined. If a key exchange has been successfully performed, then there will most likely be no errors.
func (*Crypto) EncryptFor ¶
EncryptFor encrypts the given data for the given address using the corresponding shared key. If there is no shared key, or there is an encryption error, the error returned will be non-nil and reflect this.
It is used in end-to-end encryption to encrypt outgoing payloads, being server-relayed to `addr`. To generate a shared key with `addr`, a client-client key exchange has to be performed.
func (*Crypto) IsKeyExchanged ¶
IsKeyExchanged reports whether or not a successful handshake has been performed with the given address.
func (*Crypto) ProcessKeyExResp ¶
ProcessKeyExResp processes the response to a key-exchange with the given address (server address if server and client address otherwise).
func (*Crypto) ServerKEx ¶
ServerKEx performs a key exchange between the client and the server at svrAddr. If successful, there will then exist a shared key between `svrAddr` and `client`. A side effect of this is that if the Crypto extension is installed on `client`, then all packets whose Dest method returns `svrAddr`, will have their content encrypted in transit. This is a full-packet encryption (metadata and data), in contrast to end-to-end encryption which is just a data encrytion i.e. the packet's metadata will still possibly be in plain text.