@drop2p/cli 0.1.0 → 0.2.0

package/dist/cli.js

@@ -61,6 +61,16 @@ async function deriveFileKey(master, salt) {
     ["encrypt", "decrypt"]
   );
 }
+async function deriveSas(master, salt) {
+  const ikm = await crypto.subtle.importKey("raw", bs(master), "HKDF", false, ["deriveBits"]);
+  const bits = await crypto.subtle.deriveBits(
+    { name: "HKDF", hash: "SHA-256", salt: bs(salt), info: bs(TEXT.encode("DSTP/1 sas")) },
+    ikm,
+    32
+  );
+  const n = new DataView(bits).getUint32(0) % 1e6;
+  return String(n).padStart(6, "0");
+}
 var VAULT_SALT_BYTES = 16;
 var VAULT_VERIFIER_COUNTER = 4294967295;
 var VAULT_MARKER = TEXT.encode("DSTP/1 vault ok");
@@ -94,6 +104,184 @@ async function sha256(...parts) {
   }
   return new Uint8Array(await crypto.subtle.digest("SHA-256", bs(buf)));
 }
+var SHA256_K = new Uint32Array([
+  1116352408,
+  1899447441,
+  3049323471,
+  3921009573,
+  961987163,
+  1508970993,
+  2453635748,
+  2870763221,
+  3624381080,
+  310598401,
+  607225278,
+  1426881987,
+  1925078388,
+  2162078206,
+  2614888103,
+  3248222580,
+  3835390401,
+  4022224774,
+  264347078,
+  604807628,
+  770255983,
+  1249150122,
+  1555081692,
+  1996064986,
+  2554220882,
+  2821834349,
+  2952996808,
+  3210313671,
+  3336571891,
+  3584528711,
+  113926993,
+  338241895,
+  666307205,
+  773529912,
+  1294757372,
+  1396182291,
+  1695183700,
+  1986661051,
+  2177026350,
+  2456956037,
+  2730485921,
+  2820302411,
+  3259730800,
+  3345764771,
+  3516065817,
+  3600352804,
+  4094571909,
+  275423344,
+  430227734,
+  506948616,
+  659060556,
+  883997877,
+  958139571,
+  1322822218,
+  1537002063,
+  1747873779,
+  1955562222,
+  2024104815,
+  2227730452,
+  2361852424,
+  2428436474,
+  2756734187,
+  3204031479,
+  3329325298
+]);
+var rotr = (x, n) => x >>> n | x << 32 - n;
+var Sha256 = class {
+  h = new Uint32Array([
+    1779033703,
+    3144134277,
+    1013904242,
+    2773480762,
+    1359893119,
+    2600822924,
+    528734635,
+    1541459225
+  ]);
+  block = new Uint8Array(64);
+  w = new Uint32Array(64);
+  blockLen = 0;
+  bytes = 0;
+  update(data) {
+    this.bytes += data.length;
+    let i = 0;
+    if (this.blockLen > 0) {
+      while (i < data.length && this.blockLen < 64) this.block[this.blockLen++] = data[i++];
+      if (this.blockLen === 64) {
+        this.process(this.block, 0);
+        this.blockLen = 0;
+      }
+    }
+    while (i + 64 <= data.length) {
+      this.process(data, i);
+      i += 64;
+    }
+    while (i < data.length) this.block[this.blockLen++] = data[i++];
+    return this;
+  }
+  digest() {
+    const bitLen = this.bytes * 8;
+    this.block[this.blockLen++] = 128;
+    if (this.blockLen > 56) {
+      while (this.blockLen < 64) this.block[this.blockLen++] = 0;
+      this.process(this.block, 0);
+      this.blockLen = 0;
+    }
+    while (this.blockLen < 56) this.block[this.blockLen++] = 0;
+    const dv = new DataView(this.block.buffer);
+    dv.setUint32(56, Math.floor(bitLen / 4294967296) >>> 0, false);
+    dv.setUint32(60, bitLen >>> 0, false);
+    this.process(this.block, 0);
+    const out3 = new Uint8Array(32);
+    const odv = new DataView(out3.buffer);
+    for (let i = 0; i < 8; i++) odv.setUint32(i * 4, this.h[i], false);
+    return out3;
+  }
+  // Hot loop: every index below is provably in-bounds (a fixed 64-byte block and
+  // a 64-entry schedule), so the non-null assertions are safe — they exist only
+  // to satisfy `noUncheckedIndexedAccess` on the typed-array reads.
+  process(p, off) {
+    const w = this.w;
+    for (let i = 0; i < 16; i++) {
+      const j = off + i * 4;
+      w[i] = (p[j] << 24 | p[j + 1] << 16 | p[j + 2] << 8 | p[j + 3]) >>> 0;
+    }
+    for (let i = 16; i < 64; i++) {
+      const x = w[i - 15];
+      const y = w[i - 2];
+      const s0 = rotr(x, 7) ^ rotr(x, 18) ^ x >>> 3;
+      const s1 = rotr(y, 17) ^ rotr(y, 19) ^ y >>> 10;
+      w[i] = w[i - 16] + s0 + w[i - 7] + s1 | 0;
+    }
+    let a = this.h[0];
+    let b = this.h[1];
+    let c = this.h[2];
+    let d = this.h[3];
+    let e = this.h[4];
+    let f = this.h[5];
+    let g = this.h[6];
+    let hh = this.h[7];
+    for (let i = 0; i < 64; i++) {
+      const S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25);
+      const ch = e & f ^ ~e & g;
+      const t1 = hh + S1 + ch + SHA256_K[i] + w[i] | 0;
+      const S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22);
+      const maj = a & b ^ a & c ^ b & c;
+      const t2 = S0 + maj | 0;
+      hh = g;
+      g = f;
+      f = e;
+      e = d + t1 | 0;
+      d = c;
+      c = b;
+      b = a;
+      a = t1 + t2 | 0;
+    }
+    this.h[0] = this.h[0] + a | 0;
+    this.h[1] = this.h[1] + b | 0;
+    this.h[2] = this.h[2] + c | 0;
+    this.h[3] = this.h[3] + d | 0;
+    this.h[4] = this.h[4] + e | 0;
+    this.h[5] = this.h[5] + f | 0;
+    this.h[6] = this.h[6] + g | 0;
+    this.h[7] = this.h[7] + hh | 0;
+  }
+};
+function digestsEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+function parseDtlsFingerprint(sdp) {
+  if (!sdp) return null;
+  const m = /^a=fingerprint:sha-256\s+([0-9a-fA-F:]+)\s*$/im.exec(sdp);
+  return m ? m[1].replace(/:/g, "").toLowerCase() : null;
+}
 function nonce(counter) {
   const n = new Uint8Array(12);
   new DataView(n.buffer).setBigUint64(4, BigInt(counter));
@@ -165,6 +353,13 @@ var TransferManager = class {
   fileKey;
   sendCounter = 0;
   recvCounter = 0;
+  // Transcript binding (MITM detection): fold both peers' DTLS fingerprints into
+  // the key-derivation salt. Negotiated — only active when BOTH sides advertise
+  // support AND both fingerprints parse, so mixed-version pairs fall back safely.
+  localFp = null;
+  remoteFp = null;
+  bindLocal = false;
+  peerBind = false;
   // Ultimate "double encryption": optional passphrase-derived (Argon2id) layer
   // applied to file content *inside* the DSTP file key.
   passphrase;
@@ -192,6 +387,8 @@ var TransferManager = class {
   sink;
   recvMeta;
   recvBytes = 0;
+  // running SHA-256 of the received file content, for the whole-file integrity check
+  recvHash;
   closed = false;
   sentAllData = false;
   completed = false;
@@ -404,8 +601,13 @@ var TransferManager = class {
     try {
       const mod = await this.loadCrypto();
       this.pake = await createPake(mod, this.secret, this.channel);
+      this.localFp = parseDtlsFingerprint(this.pc?.localDescription?.sdp);
+      this.remoteFp = parseDtlsFingerprint(this.pc?.remoteDescription?.sdp);
+      this.bindLocal = this.localFp !== null && this.remoteFp !== null;
       if (this.dc?.readyState === "open") {
-        this.dc.send(JSON.stringify({ kind: "pake", data: toB64(this.pake.outbound) }));
+        this.dc.send(
+          JSON.stringify({ kind: "pake", data: toB64(this.pake.outbound), bind: this.bindLocal })
+        );
       }
       await this.maybeCompleteHandshake();
     } catch {
@@ -417,8 +619,15 @@ var TransferManager = class {
     const master = this.pake.finish(this.peerPake);
     const senderMsg = this.role === "sender" ? this.pake.outbound : this.peerPake;
     const receiverMsg = this.role === "sender" ? this.peerPake : this.pake.outbound;
-    const salt = await sha256(TEXT_ENC.encode(`DSTP/1:${this.channel}`), senderMsg, receiverMsg);
+    const saltParts = [TEXT_ENC.encode(`DSTP/1:${this.channel}`), senderMsg, receiverMsg];
+    if (this.bindLocal && this.peerBind && this.localFp && this.remoteFp) {
+      const senderFp = this.role === "sender" ? this.localFp : this.remoteFp;
+      const receiverFp = this.role === "sender" ? this.remoteFp : this.localFp;
+      saltParts.push(TEXT_ENC.encode(`DSTP/1 fp:${senderFp}:${receiverFp}`));
+    }
+    const salt = await sha256(...saltParts);
     this.fileKey = await deriveFileKey(master, salt);
+    this.patch({ sas: await deriveSas(master, salt) });
     this.keyReadyResolve();
     if (this.role === "sender" && this.source && this.dc) void this.sendEncrypted(this.source, this.dc);
   }
@@ -427,6 +636,7 @@ var TransferManager = class {
       const msg = JSON.parse(data);
       if (msg.kind === "pake" && msg.data) {
         this.peerPake = fromB64(msg.data);
+        this.peerBind = msg.bind === true;
         await this.maybeCompleteHandshake();
       } else if (msg.kind === "ready") {
         this.peerReadyResolve();
@@ -450,6 +660,7 @@ var TransferManager = class {
       const meta = JSON.parse(TEXT_DEC.decode(payload));
       this.recvMeta = meta;
       this.recvBytes = 0;
+      this.recvHash = new Sha256();
       if (meta.protected && meta.salt && meta.verifier) {
         this.vaultSalt = fromB64(meta.salt);
         this.vaultVerifier = fromB64(meta.verifier);
@@ -472,6 +683,7 @@ var TransferManager = class {
           return;
         }
       }
+      this.recvHash?.update(chunk);
       this.recvBytes += chunk.length;
       await this.sink?.write(chunk);
       this.emitProgress(this.recvBytes, this.recvMeta?.size ?? 0);
@@ -479,11 +691,16 @@ var TransferManager = class {
       if (this.recvMeta && this.recvBytes !== this.recvMeta.size) {
         await this.sink?.abort();
         this.fail("Transfer ended early \u2014 the file looks incomplete.");
-      } else {
-        await this.sink?.close();
-        if (this.dc?.readyState === "open") this.dc.send(JSON.stringify({ kind: "done-ack" }));
-        this.finishOk(this.recvBytes);
+        return;
+      }
+      if (payload.length === 32 && this.recvHash && !digestsEqual(this.recvHash.digest(), payload)) {
+        await this.sink?.abort();
+        this.fail("Integrity check failed \u2014 the file was corrupted in transit. Nothing was saved.");
+        return;
       }
+      await this.sink?.close();
+      if (this.dc?.readyState === "open") this.dc.send(JSON.stringify({ kind: "done-ack" }));
+      this.finishOk(this.recvBytes);
     }
   }
   /** Receiver: ask the host how to save, then act on its decision. */
@@ -536,19 +753,22 @@ var TransferManager = class {
     dc.bufferedAmountLowThreshold = LOW_WATER;
     this.startProgress();
     this.patch({ phase: "transferring", transferred: 0, progress: 0 });
+    const fileHash = new Sha256();
     let offset = 0;
     while (offset < source.size && dc.readyState === "open") {
       if (dc.bufferedAmount > HIGH_WATER) await this.waitDrain(dc);
       const end = Math.min(offset + chunkSize, source.size);
-      let chunk = await source.slice(offset, end);
+      const plain = await source.slice(offset, end);
+      fileHash.update(plain);
+      let chunk = plain;
       if (this.vaultKey) {
-        chunk = new Uint8Array(await encryptFrame(this.vaultKey, this.innerSendCounter++, chunk));
+        chunk = new Uint8Array(await encryptFrame(this.vaultKey, this.innerSendCounter++, plain));
       }
       await this.sendFrame(dc, TYPE_CHUNK, chunk);
       offset = end;
       this.emitProgress(Math.max(0, offset - dc.bufferedAmount), source.size);
     }
-    if (dc.readyState === "open") await this.sendFrame(dc, TYPE_DONE, new Uint8Array(0));
+    if (dc.readyState === "open") await this.sendFrame(dc, TYPE_DONE, fileHash.digest());
     this.sentAllData = true;
     while (dc.readyState === "open" && dc.bufferedAmount > 0) {
       this.emitProgress(Math.max(0, source.size - dc.bufferedAmount), source.size);
@@ -1063,7 +1283,7 @@ function exit(code) {
   setTimeout(() => process.exit(code), 150);
   return void 0;
 }
-var VERSION = true ? "0.1.0" : "dev";
+var VERSION = true ? "0.2.0" : "dev";
 var USAGE = [
   "drop2p \u2014 zero-storage, end-to-end-encrypted file transfer in your terminal.",
   "",
@@ -1127,9 +1347,16 @@ async function send(filePath, flags, emit) {
     iceTransportPolicy: process.env.DROP2P_FORCE_RELAY ? "relay" : void 0
   });
   let printedCode = false;
+  let printedSas = false;
   let finished = false;
   let lastLine = 0;
   const mgr = new TransferManager(env, (s) => {
+    if (s.sas && !printedSas) {
+      printedSas = true;
+      emit("verify", { sas: s.sas });
+      if (!flags.json)
+        err2(`  \u{1F512} Verification code: ${s.sas.slice(0, 3)} ${s.sas.slice(3)} \u2014 confirm it matches on the other device.`);
+    }
     if (s.code && !printedCode) {
       printedCode = true;
       emit("code", { code: s.code, expiresAt: s.expiresAt });
@@ -1194,9 +1421,16 @@ async function receive(code, flags, emit) {
   let name = "";
   let lastLine = 0;
   let askedPassphrase = false;
+  let printedSas = false;
   const mgr = new TransferManager(env, (s) => {
     if (s.fileSize != null) total = s.fileSize;
     if (s.fileName) name = s.fileName;
+    if (s.sas && !printedSas) {
+      printedSas = true;
+      emit("verify", { sas: s.sas });
+      if (!flags.json)
+        err2(`  \u{1F512} Verification code: ${s.sas.slice(0, 3)} ${s.sas.slice(3)} \u2014 confirm it matches on the other device.`);
+    }
     if (s.connectionType && s.connectionType !== "unknown") {
       emit("connected", { via: s.connectionType });
       if (!flags.json) err2(`  Connected (${s.connectionType === "relay" ? "\u{1F6F0}  relay" : "\u26A1 direct"}). Receiving\u2026`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@drop2p/cli",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "type": "module",
   "description": "Drop2p CLI — a zero-storage, end-to-end-encrypted file transfer peer for the terminal.",
   "bin": {
@@ -14,7 +14,7 @@
     "node": ">=20"
   },
   "scripts": {
-    "dev": "tsx src/cli.ts",
+    "start": "tsx src/cli.ts",
     "build": "node build.mjs",
     "prepack": "node build.mjs",
     "typecheck": "tsc --noEmit"