indraj/libreshield
1
0
Fork 0
Code Issues Activity
A sane mTLS alternative
7 commits 1 branch 0 tags 83 KiB
  • D 80.8%
  • C 14.6%
  • Makefile 4.6%
Find a file
Exact
Indraj Gandham 024f4c0087 Remove -Werror and enable all compiler warnings
2026-01-25 22:09:04 +00:00
src Add erase() to tests 2026-01-25 09:12:25 +00:00
.gitignore Version 1.1 2025-12-06 01:53:01 +00:00
COPYING Version 1.1 2025-12-06 01:53:01 +00:00
Makefile Remove -Werror and enable all compiler warnings 2026-01-25 22:09:04 +00:00
README.md Update usage information in README 2026-01-25 09:12:07 +00:00

README.md

LibreShield is a modern, easy-to-use alternative to mTLS for secure communication across untrusted networks. It features post-quantum cryptography (PQC), perfect forward secrecy and anti-replay protection.

LibreShield can be used with any transport layer protocol, provided that streams are reliable and in-order. Adoption of LibreShield may help your organisation align with the PQC migration timelines set out by the UK NCSC.

Examples

Generating an identity:

JSONValue cert;
JSONValue identity;
libreshield.generateIdentity(identity, cert);

Creating a session:

libreshield.Session client;
libreshield.Session server;
client.load(clientIdentity, serverCert);
server.load(serverIdentity, clientCert);
ubyte[] clientHello = client.clientHandshake();
ubyte[] serverHello = server.serverHandshake(clientHello);
client.clientStart(serverHello);
server.serverStart();

Exchanging messages:

ubyte[] clientMessage = cast(ubyte[]) "Hello from client!";
ubyte[] serverMessage = cast(ubyte[]) "Hello from server!";
assert(server.unseal(client.seal(clientMessage)) == clientMessage);
assert(client.unseal(server.seal(serverMessage)) == serverMessage);

Cryptography

Identities use a hybrid combination of ed25519 and ML-DSA-65. Key exchange uses a hybrid combination of ECDH (X25519) and KEM (ML-KEM-768). Messages are encrypted using XChaCha20-Poly1305.

Compatibility

LibreShield should work correctly on systems which implement POSIX or POSIX-oriented standards. However, the Makefile (which builds the module and the test suite) is currently configured for GNU/Linux on amd64.

Build

To build the module and the test suite, the following dependencies are required:

  • the GNU D compiler
  • GNU Make
  • libsodium
  • liboqs

then run:

make prepare && make

Report a bug

Report bugs directly to hello@indraj.net.

For security bugs, please allow up to 48 hours for a reply and up to 90 days for the issue(s) to be confirmed and fixed before disclosing them publicly.

License

LibreShield is licensed under the GNU Affero General Public License.

Practical advice

If you are defining a new protocol, you should consider compressing your plaintexts (e.g. with zstd) prior to encryption. You should also consider the use of a messaging library (e.g. ZeroMQ).