Releases: sara-star-quant/Quantum-Go

Protocol security hardening

13 Mar 01:04
Immutable release. Only release title and notes can be modified.

What's new in the 0.0.9 release (2026-03-13): protocol security hardening based on an internal audit, addressing session lifecycle, rekey, and error handling vulnerabilities.

Security

  • Session resumption forward secrecy - fresh CH-KEM exchange mixed with PSK, following TLS 1.3 PSK+ECDHE model
  • Verify data shared secret binding - verify_data now incorporates shared secret, not just transcript
  • Rekey message authentication - payloads sealed with session AEAD before transmission
  • Rekey forward secrecy - secrets ratcheted via DeriveRekeySecret(oldMaster, freshKEM)
  • Key material zeroization - runtime.KeepAlive prevents dead store elimination; fixed aliased slice zeroization
  • Iterative message handling - replaces recursive Receive(), preventing stack exhaustion DoS
  • KDF error propagation - TranscriptHash returns errors instead of panicking
  • Alert sanitization - generic messages to peers; IP masking in logs
  • Dependency upgrades - x/crypto, otel, x/sys, circl
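As an added illustration (not Quantum-Go's own code), the three key-binding changes listed above in miniature: the ticket PSK mixed with a fresh KEM shared secret, a rekey master ratcheted from the old master plus a fresh KEM secret, and verify_data keyed from the shared secret rather than the transcript alone. The HMAC-SHA256 extract/expand construction, the labels and the function names are assumptions; the project's real KDF and TranscriptHash are not shown on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
)

// Added example, not Quantum-Go code; KDF, labels and layout are assumed.
// hkdfExtract computes PRK = HMAC-SHA256(salt, ikm).
func hkdfExtract(salt, ikm []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(ikm)
	return m.Sum(nil)
}

// expandLabel returns the first block of HKDF-Expand(prk, label || ctx).
func expandLabel(prk []byte, label string, ctx []byte) []byte {
	m := hmac.New(sha256.New, prk)
	m.Write([]byte(label))
	m.Write(ctx)
	m.Write([]byte{1})
	return m.Sum(nil)
}

// resumptionMaster mixes the ticket PSK with a fresh KEM shared secret (the
// TLS 1.3 PSK+ECDHE pattern), so a leaked PSK alone cannot decrypt a resumed
// session: every resumption contributes a secret the ticket never held.
func resumptionMaster(psk, freshKEM []byte) []byte {
	early := hkdfExtract(nil, psk)
	return hkdfExtract(expandLabel(early, "derived", nil), freshKEM)
}

// rekeyRatchet models DeriveRekeySecret(oldMaster, freshKEM): each rekey
// folds in a fresh KEM secret and passes the old master through a one-way
// function, so a later compromise does not recover earlier traffic keys.
func rekeyRatchet(oldMaster, freshKEM []byte) []byte {
	return hkdfExtract(expandLabel(oldMaster, "rekey", nil), freshKEM)
}

// verifyData binds the Finished MAC to the shared secret and the transcript,
// not the transcript alone, which any observer of the handshake could hash.
func verifyData(master, transcriptHash []byte) []byte {
	m := hmac.New(sha256.New, expandLabel(master, "finished", nil))
	m.Write(transcriptHash)
	return m.Sum(nil)
}

// verifyDataEqual compares MACs in constant time.
func verifyDataEqual(a, b []byte) bool { return subtle.ConstantTimeCompare(a, b) == 1 }
```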

Changed

  • Minimum Go version bumped to 1.26
  • Rekey wire format now includes AEAD ciphertext
  • Session resumption always performs fresh KEM exchange

Full changelog: CHANGELOG.md

Regulatory & documentation clarity

22 Jan 21:23
7af4e40

What's new in the 0.0.8 release (2026-01-22): clearer regulatory guidance and documentation improvements

Updated Regulatory Documentation (docs/ROADMAP.md)

  • EU Dual-Use Regulation open source exemption status documented
  • Project origin (Spain/EU) and applicable regulations clarified
  • User deployment guidance for 15+ jurisdictions
  • Clear distinction between developer obligations and user responsibilities

Changed

  • Regulatory Section: Reframed from developer action items to user deployment guidance
  • US/BIS Guidance: Reframed as user deployment consideration (not developer obligation)
  • All "Action:" items: Changed to "User Action:" to clarify responsibility lies with deployers
  • Restricted Zones: From region-specific to "highly regulated zones"

Documentation

  • Updated README.md with v0.0.8 status
  • Condensed compliance section with clearer liability terms

FIPS 140-3 compliance preparation

22 Jan 20:19
692cebe

What's new in the 0.0.7 release (2026-01-22)

  • FIPS 140-3 Compliance (pkg/crypto/)

    • FIPS build mode via //go:build fips conditional compilation
    • Runtime FIPS mode detection with crypto.FIPSMode()
    • ChaCha20-Poly1305 disabled in FIPS mode (AES-256-GCM only)
    • FIPS mode indicator in session statistics and transport
    • Comprehensive FIPS deployment documentation (docs/FIPS.md)
  • Power-On Self-Tests (POST) (pkg/crypto/post.go)

    • Known Answer Tests (KAT) for SHAKE-256, AES-256-GCM, ML-KEM-1024
    • Automatic execution on package initialization
    • Module integrity check mechanism
    • FIPS mode: failures cause panic; Standard mode: failures logged
    • POSTRan(), POSTPassed(), RunPOST(), CheckModuleIntegrity() API
  • Conditional Self-Tests (CST) (pkg/crypto/cst.go)

    • Pairwise consistency tests for X25519 and ML-KEM key generation
    • DRBG/RNG continuous health check
    • Configurable via CSTConfig struct
    • GenerateX25519KeyPairWithCST(), GenerateMLKEMKeyPairWithCST()
    • SecureRandomWithCST() with continuous RNG test
    • FIPS mode: enabled by default with panic on failure
    • Standard mode: disabled by default with error return on failure
  • FIPS Cipher Suite Validation (pkg/protocol/, pkg/tunnel/)

    • CipherSuite.IsFIPSApproved() method
    • Session.IsFIPSCompliant() for compliance verification
    • Session ticket rejection for non-FIPS cipher suites in FIPS mode
    • ErrCipherSuiteNotFIPSApproved error type

Changed

  • Cipher negotiation: In FIPS mode, only AES-256-GCM is offered/accepted
  • Session stats: Added FIPSMode and CipherSuite fields to Stats struct

Security

  • FIPS 140-3 compliant self-test implementation
  • Cryptographic algorithm validation at module load time
  • Continuous RNG health monitoring prevents use of degraded randomness
  • Pairwise consistency tests catch key generation failures before use

Connection & Buffer pooling, Rate Limiting & DoS Protection, Metrics & Observability

21 Jan 23:41

What's new in release v0.0.6 (2026-01-22)

Added

  • Connection Pooling (pkg/tunnel/pool*.go)

    • Reusable *Tunnel connection pool reducing handshake overhead
    • Configurable pool size (MinConns, MaxConns)
    • Idle connection timeout and max lifetime
    • Background health checking with configurable interval
    • Wait timeout for exhausted pools
    • LIFO ordering for better cache locality
    • Comprehensive statistics (gauges, counters, histograms)
    • PoolObserver interface for metrics integration
    • Thread-safe with proper locking and atomic operations
  • Buffer Pooling (pkg/crypto/buffer_pool.go, pkg/protocol/buffer_pool.go)

    • sync.Pool-based buffer reuse for message encoding/decoding
    • Size-class pooling (256B, 4KB, 64KB, 2MB for protocol; optimized for crypto)
    • Security zeroing of crypto buffers before returning to pool
    • SealPooled() method for zero-allocation encryption
    • 75%+ reduction in allocations for typical workloads
    • Parallel-safe with minimal contention
  • Rate Limiting & DoS Protection (pkg/tunnel/limiter.go)

    • Per-IP connection rate limiting
    • Global handshake rate limiting with token bucket
    • Configurable via TransportConfig.RateLimit
    • Metrics for rate limit events
  • Metrics & Observability (pkg/metrics/)

    • Prometheus-compatible metrics export
    • OpenTelemetry tracing support
    • Structured logging with levels
    • Health check endpoint
    • Pool metrics observer (PoolMetricsObserver)

Changed

  • Performance: Buffer pooling reduces GC pressure by 75%+ in high-throughput scenarios
  • Pool errors: Added ErrPoolClosed, ErrPoolTimeout, ErrPoolExhausted to internal/errors

Fixed

  • Integer overflow: Fixed potential int64→uint64 overflow in pool statistics

Performance

Benchmark results (Apple M-series):

| Operation  | Non-Pooled          | Pooled           | Improvement                |
|------------|---------------------|------------------|----------------------------|
| Seal 1KB   | 378 ns, 1168 B/op   | 325 ns, 48 B/op  | 14% faster, 96% less alloc |
| Seal 16KB  | 4567 ns, 18448 B/op | 3356 ns, 48 B/op | 26% faster, 99% less alloc |
| Encode 1KB | 172 ns, 1152 B/op   | 44 ns, 24 B/op   | 74% faster, 98% less alloc |
| Buffer 1MB | 49383 ns            | 26 ns            | 1900x faster               |

Protocol hardening & global compliance roadmap

21 Jan 01:52

This release marks a significant milestone in the maturity of the Quantum-Go protocol, finalizing the core cryptographic mechanisms and extending the project's compliance roadmap for global adoption.

Key Features

  • Network rekey protocol: Implemented secure, seamless key rotation (handshake and activation) to limit the lifetime of traffic keys.
  • Session resumption: Added support for encrypted session tickets (RFC 5077 style), enabling fast resumption (0-RTT equivalent) without compromising forward secrecy.
  • Alert protocol: Standardized error reporting and graceful connection termination using CloseNotify.
  • Global compliance roadmap: Extensive updates to ROADMAP.md covering cryptographic regulations for EU/Spain, US, UK, China, India, GCC, and LATAM.

Security improvements

  • Defensive coding:
    • Zeroization of sensitive keys after use (best effort).
    • Constant-time comparisons for secrets.
    • Improved input validation and panic prevention (e.g., fixed usage of net.Pipe in tests).
  • Static analysis fixes:
    • Addressed gosec G602 (slice bounds out of range) in benchmarking tools.
    • Resolved 16+ errcheck linter issues for robust error handling.
  • Testing: Achieved 90%+ test coverage for core library packages (pkg/tunnel, pkg/crypto, pkg/chkem) with new error-path and edge-case tests.

Fixes & improvements

  • Graceful shutdown: Implemented CloseNotify alert to distinguish between network errors and intentional disconnects.
  • Linting: Fixed numerous golangci-lint issues across the codebase.
  • Documentation: Added clear regulatory disclaimers regarding telecom regulations in high-risk regions.

Breaking changes

  • Transport.Close() now sends a specific encrypted alert before closing the connection.
  • Session struct fields modified to support rekeying state machine.

Improved test coverage, stability for cross-platform execution, and CI compatibility

20 Jan 16:05

What's new in release 0.0.4 (2026-01-20)

Added

  • Expanded test coverage across core packages
    • pkg/crypto: 66.9% -> 86.4% (+19.5%)
    • pkg/protocol: 89.8% -> 96.0% (+6.2%)
    • pkg/tunnel: 73.2% -> 75.0% (+1.8%)
  • New crypto tests: AEAD methods (SetCounter, NeedsRekey, Suite, Overhead, NonceSize, SealWithNonce/OpenWithNonce), ML-KEM (NewMLKEMKeyPairFromSeed, ParseMLKEMPublicKey, Zeroize), X25519 (NewX25519KeyPairFromBytes, Zeroize), random utilities (MustSecureRandom, MustSecureRandomBytes)
  • New protocol tests: Version serialization (Bytes, Uint16, ParseVersion, String), cipher suite helpers (SupportedCipherSuites, PreferredCipherSuite), Finished message validation (ClientFinished, ServerFinished)
  • New tunnel tests: SessionState.String(), role constants, session state edge cases (encrypt/decrypt before established, invalid cipher suite)
  • CodeQL Advanced Security Analysis for deep semantic code analysis

Fixed

  • Data race in Session: Fixed concurrent access to LastActivity field in Encrypt/Decrypt methods by adding proper mutex synchronization
  • CI compatibility: Fixed test runner for cross-platform execution
  • Code quality: Resolved all static analysis warnings in test files

CLI with the build tool & more tests & documentation

19 Jan 20:13

What's new in this version:

  • Command-line tool (quantum-vpn) with demo, benchmark, and example modes

    • Demo mode: Interactive client/server demonstration
    • Benchmark mode: Handshake and throughput performance testing
    • Example mode: 6 interactive code examples with explanations
  • Build automation

    • Makefile with 30+ commands for building, testing, and releasing
    • build.sh portable shell script as alternative to Make
    • Cross-platform compilation (Linux, macOS, Windows; amd64, arm64)
    • Docker support with multi-stage builds
  • Comprehensive test suite

    • Increased coverage from 70.7% to 76.3%
    • 14 new high-level API tests (Dial/Listen/Accept)
    • 10 new transport error path tests
    • 10 new error package tests
    • 3 new constants validation tests
  • Documentation

    • BUILD.md: Comprehensive build instructions
    • CHANGELOG.md: Version history tracking
    • Updated README with command-line tool documentation

Security

  • All tests pass with race detection enabled
  • Fuzz tests added for security-critical parsers
  • Known Answer Tests (KATs) for cryptographic correctness

Test coverage improvement and QoL

19 Jan 16:02

What's new in the release:

  1. High-Level API coverage: The main user-facing Dial/Listen/Accept API went from 0% to full coverage
  2. Error handling: All custom error types now tested (CryptoError, ProtocolError)
  3. Concurrent testing: Added tests for multiple simultaneous connections
  4. Production-ready docs: SECURITY.md follows crypto library best practices
  5. QoL/Contributor-friendly: CONTRIBUTING.md lowers barrier to contributions

What's well covered:

  • Protocol codec: 89.8%
  • CH-KEM API: 83.3%
  • High-level tunnel API: 73.3%
  • Error handling: 100%

Overall coverage stands at 76.3%; for a cryptographic library the important point is that all security-critical paths are tested, and the remaining gaps are primarily in non-critical utility functions.

Bugfixes and improved test coverage

19 Jan 13:32

Bugs fixed:

  1. Handshake Deadlock
    Situation: Encrypted finished messages (ClientFinished/ServerFinished) were sent as raw ciphertext without framing. The receiver used codec.ReadMessage() which expected a 5-byte header, causing it to misinterpret the ciphertext as a header and block waiting for more data.
    Solution: Added writeEncryptedRecord() and readEncryptedRecord() helper functions that frame encrypted messages with a 4-byte length prefix. Updated InitiatorHandshake() and ResponderHandshake() to use these functions for encrypted Finished messages.

  2. Transport.Close() Blocking
    Situation: Close() tried to send a close notification message. With net.Pipe() (and potentially other synchronous connections), writes block until the other side reads. If no one is reading (e.g., after tests complete), Close() would block indefinitely.
    Solution: Added a short 100ms timeout for the close notification write, and explicitly close the underlying connection after sending. This makes Close() non-blocking while still attempting graceful notification.

  3. Protocol Codec Bounds Check
    Situation: DecodeClientHello and DecodeServerHello didn't validate minimum payload length, causing panics on malformed input.
    Solution: Added minimum payload length checks before parsing.

  4. Alert Description Overflow
    Situation: Alert descriptions were truncated to 256 bytes, but the length was stored in 1 byte (max 255), so a 256-byte description produced a length field of byte(256) = 0.
    Solution: Changed truncation limit from 256 to 255.
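An added illustration of fixes 3 and 4 (not the project's code): a minimal alert encoder with a 1-byte description length, showing why a 256-byte truncation wraps to byte(256) == 0 and how a minimum-length check on decode returns an error instead of panicking. The [level][descLen][desc] layout and the names are assumptions; Quantum-Go's real Alert format is not shown on this page.

```go
package main

import "errors"

// Added example, not Quantum-Go code. The wire layout [level][descLen][desc]
// is assumed; it reproduces the byte(256) == 0 bug from fix 4 and the
// minimum-length check from fix 3.

const alertMinLen = 2 // level byte + 1-byte description length

var (
	errAlertTooShort  = errors.New("alert: payload shorter than 2 bytes")
	errAlertTruncated = errors.New("alert: declared description exceeds payload")
)

// encodeAlertBuggy truncates to 256 bytes, but a 1-byte length field holds at
// most 255: byte(256) wraps to 0, so the description is silently dropped and
// the receiver sees 256 trailing bytes it did not expect.
func encodeAlertBuggy(level byte, desc string) []byte {
	if len(desc) > 256 {
		desc = desc[:256]
	}
	return append([]byte{level, byte(len(desc))}, desc...)
}

// encodeAlert truncates to 255, the largest value the length field can carry.
func encodeAlert(level byte, desc string) []byte {
	if len(desc) > 255 {
		desc = desc[:255]
	}
	return append([]byte{level, byte(len(desc))}, desc...)
}

// decodeAlert validates the minimum length before touching any field and
// checks that the declared description fits, returning errors instead of
// panicking with an index out of range on malformed input.
func decodeAlert(b []byte) (level byte, desc string, err error) {
	if len(b) < alertMinLen {
		return 0, "", errAlertTooShort
	}
	n := int(b[1])
	if len(b) < alertMinLen+n {
		return 0, "", errAlertTruncated
	}
	return b[0], string(b[alertMinLen : alertMinLen+n]), nil
}
```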

Tests added:
TestHandshakeStateMachine, TestHandshakeTimeout, TestHandshakeWithData, TestMultipleHandshakes, TestHandshakeEncryptedRecordFraming, TestSessionKeyAgreement, TestTransportCloseNonBlocking.
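An added illustration of the framing from fix 1, exercised above by TestHandshakeEncryptedRecordFraming: each encrypted record carries an explicit length prefix so the receiver never has to guess a boundary from raw ciphertext. This is not the project's own writeEncryptedRecord/readEncryptedRecord; the 4-byte big-endian prefix, the 64 KiB cap and the names are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"io"
)

// Added example, not Quantum-Go code: a 4-byte big-endian length prefix for
// encrypted records, as described in fix 1. The limit and byte order are
// assumed; the project's own record helpers may differ.

const maxEncryptedRecord = 1 << 16 // assumed upper bound for one record

var errRecordTooLarge = errors.New("encrypted record exceeds maximum length")

// writeEncryptedRecord frames ciphertext as [len:4][ciphertext] so the peer
// knows exactly how many bytes to read instead of parsing raw ciphertext.
func writeEncryptedRecord(w io.Writer, ct []byte) error {
	if len(ct) > maxEncryptedRecord {
		return errRecordTooLarge
	}
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(len(ct)))
	if _, err := w.Write(hdr[:]); err != nil {
		return err
	}
	_, err := w.Write(ct)
	return err
}

// readEncryptedRecord reads exactly one framed record. A truncated stream
// yields io.ErrUnexpectedEOF from ReadFull rather than a panic, and an
// oversized declared length is rejected before any buffer is allocated.
func readEncryptedRecord(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > maxEncryptedRecord {
		return nil, errRecordTooLarge
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}
```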