Module: github.com/qsocket/encrypted-stream
Version: 0.0.0-20231023165659-580d263e71f4
Repository: https://github.com/qsocket/encrypted-stream.git
Documentation: pkg.go.dev

# README

encrypted-stream


Encrypted-stream is a Golang library that transforms any net.Conn or io.ReadWriter stream to an encrypted and/or authenticated stream.

  • The encrypted stream implements net.Conn and io.ReadWriter and can be used as a drop-in replacement.

  • Works with any encryption, authentication, or authenticated encryption algorithm, or even an arbitrary transformation. Only a cipher that implements encrypt/decrypt needs to be provided. XSalsa20-Poly1305 and AES-GCM are provided as reference ciphers.

  • The encrypted stream only adds a small constant memory overhead compared to the original stream.

Note: this library does not handle handshake or key exchange. Handshake should be done separately before using this library to compute a shared key.

Documentation

Full documentation can be found at GoDoc.

Usage

Assume you have a net.Conn and you want to transform it into an encrypted net.Conn:

conn, err := net.Dial("tcp", "host:port")

You first need to have a shared key on both sides of the connection (e.g. derived from a key exchange algorithm). Then all you need to do is choose or implement a cipher:

encryptedConn, err := stream.NewEncryptedStream(conn, &stream.Config{
  Cipher: stream.NewXSalsa20Poly1305Cipher(&key),
  SequentialNonce: true, // only when key is unique for every stream
  Initiator: true, // only on the dialer side
})

Now you can use encryptedConn just like conn, but everything is encrypted and authenticated.

See stream_test.go for a complete example and a benchmark over a TCP connection.

Benchmark

$ go test -v -bench=. -run=^$
goos: darwin
goarch: amd64
pkg: github.com/qsocket/encrypted-stream
BenchmarkPipeXSalsa20Poly1305-12    	    4064	    266725 ns/op	 491.41 MB/s	       3 B/op	       0 allocs/op
BenchmarkPipeAESGCM128-12           	   16195	     71669 ns/op	1828.86 MB/s	       0 B/op	       0 allocs/op
BenchmarkPipeAESGCM256-12           	   14328	     83337 ns/op	1572.79 MB/s	       0 B/op	       0 allocs/op
BenchmarkTCPXSalsa20Poly1305-12     	    6489	    185980 ns/op	 704.76 MB/s	       0 B/op	       0 allocs/op
BenchmarkTCPAESGCM128-12            	   20089	     59684 ns/op	2196.08 MB/s	       0 B/op	       0 allocs/op
BenchmarkTCPAESGCM256-12            	   17656	     67721 ns/op	1935.48 MB/s	       0 B/op	       0 allocs/op
PASS
ok  	github.com/qsocket/encrypted-stream	9.997s

# Functions

DefaultConfig returns the default config.
NewAESGCMCipher creates a 128-bit (16 bytes key) or 256-bit (32 bytes key) AES block cipher wrapped in Galois Counter Mode with the standard nonce length.
NewCryptoAEADCipher converts a crypto/cipher AEAD to Cipher.
NewDecoder creates a Decoder with given cipher and config.
NewEncoder creates an Encoder with given cipher and config.
NewEncryptedStream creates an EncryptedStream with a given ReadWriter and config.
NewXSalsa20Poly1305Cipher creates an XSalsa20Poly1305Cipher with a given key.

# Variables

ErrMaxNonce indicates the max allowed nonce is reached.
ErrWrongNonceInitiator indicates a nonce with the wrong party is received, i.e.
ErrWrongNonceSequential indicates a nonce with the wrong value is received.

# Structs

Config is the configuration for an encrypted stream.
CryptoAEADCipher is a wrapper around the crypto/cipher AEAD interface and implements the Cipher interface.
Decoder provides the decode function for a slice of data.
Encoder provides the encode function for a slice of data.
EncryptedStream is an encrypted stream.
XSalsa20Poly1305Cipher is an AEAD cipher that uses XSalsa20 and Poly1305 to encrypt and authenticate messages.

# Interfaces

Cipher provides the encrypt and decrypt functions for a slice of data.