xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(proto,pki,cli): in-band CRL push (closes last v2 limitation)

Browse Source 
Server now pushes its signed CRL to each connecting client right after the
handshake; the client verifies the signature against the CA and applies the
revocation list to its verifier (and caches it on disk for restarts).
Removes the v1 "CRL distributed out-of-band" honest limitation.

Wire (multiplexed over existing PacketConnection, no trait change):
control envelope = MAGIC[4]=[0xAA,0xAA,0xC0,0x01] || kind(u8) || u32_be(len)
  || payload. IPv4/IPv6 start with 0x4X/0x6X, so 0xAA cannot collide; an old
peer just drops it as a junk packet in the TUN — back-compat preserved.

- aura-proto: ControlKind { CrlPush, CrlAck, Unknown }, encode/decode_control_
  envelope, CONTROL_ENVELOPE_MAGIC; 7 frame tests.
- aura-pki: CrlStore::{encode_signed, save_signed, decode_signed_verified,
  load_signed_verified} — ECDSA-P256/SHA-256 from the CA private key against
  a textual "CRL-Aura-v1" body + --SIGNATURE--; 7 signing tests. ring 0.17
  added crate-local (already in lockfile via rustls-webpki).
- aura-cli: crl_push module — server pushes via conn.send_packet on accept;
  client wraps the Arc<dyn PacketConnection> in AcceptPushedCrlConn which
  sniffs the magic in recv_packet, verifies the signature, updates the
  AuraCertVerifier, caches to disk. PkiSection gets ca_key, crl_push (default
  true), accept_pushed_crl (default true).
- 5 in_band_crl integration tests via mock PacketConnection.

Workspace: 235 tests passed (+28), clippy -D warnings clean, fmt clean. v2
COMPLETE — all 9 honest v1 limitations resolved (except sing-box, per user).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
xah30
2026-05-27 12:35:16 +03:00
parent 8f0cf1f017
commit 35d94dee33
14 changed files with 1453 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
crates/aura-cli/Cargo.toml
+3
View File
@@ -31,6 +31,9 @@ tracing.workspace = true
tracing-subscriber.workspace = true
anyhow.workspace = true
uuid.workspace = true
# The v2 client-side CRL-push interceptor implements `PacketConnection` on a wrapper struct;
# the trait uses async-trait in `aura-proto`, so an impl block here needs it too.
async-trait.workspace = true
# Unix-only: nix is used by the privilege-drop helper (`privdrop::drop_to_user`) to look up
# the target user via getpwnam and drop the real/effective/saved uid+gid after binding
crates/aura-cli/src/client.rs
+16 -2
View File
@@ -29,10 +29,12 @@ use aura_tunnel::{AuraDns, AuraRouter, AuraTun, RouteAction};
use tokio::sync::RwLock;
use crate::admin::{self, AdminState, Stats};
use crate::config::ClientConfigFile;
use crate::config::{expand_tilde, ClientConfigFile};
use crate::crl_push::AcceptPushedCrlConn;
use crate::masks::MaskRotator;
use crate::os_routes::{OsRouteGuard, SplitRoutes};
use crate::privdrop;
use aura_proto::PacketConnection;
/// Entry point for `aura client --config <PATH>` (and optional `--admin-socket`).
pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
@@ -99,13 +101,25 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
// `Arc<dyn PacketConnection>` along with which mode carried it. (The trait object does not surface
// the verified server CN; the server identity was already checked against `[client] sni` inside
// the handshake, so we record that as the peer for the admin/status mirror.)
let (conn, mode) = dial(proto_cfg, dial_cfg)
let (conn, mode) = dial(proto_cfg.clone(), dial_cfg)
.await
.context("connecting to Aura server")?;
let peer = Some(cfg.client.sni.clone());
stats.set_peer_id(peer.clone());
tracing::info!(peer = ?peer, %mode, "connected and authenticated to server");
// v2: wrap the connection so server-pushed CRL envelopes are decoded, verified against the CA,
// applied to the in-memory verifier mirror, and cached on disk (when [pki] crl is set on the
// client). Real IP packets pass through unchanged. The wrap is no-op for backwards-compat when
// the server doesn't push (no envelopes arrive => the wrapper just forwards every recv).
let crl_cache_path = cfg.pki.crl.as_deref().map(expand_tilde);
let conn: Arc<dyn PacketConnection> = Arc::new(AcceptPushedCrlConn::new(
conn,
proto_cfg.ca_cert_pem.clone(),
crl_cache_path,
cfg.pki.accept_pushed_crl,
));
// Resolve split-tunnel domain rules into host routes (best-effort; failures are logged). We
// also collect the resolved hosts per (domain, action) so the OS-routes guard below can
// install a /32 or /128 bypass / VPN-route per resolved IP — this is what makes a domain rule
crates/aura-cli/src/config.rs
+29
View File
@@ -328,6 +328,35 @@ pub struct PkiSection {
pub cert: String,
/// Path to this peer's PKCS#8 private key PEM.
pub key: String,
/// Optional CRL file path.
///
/// On the **server** side this is the CRL the operator maintains via `aura pki revoke` and
/// (when [`PkiSection::crl_push`] is true) is signed and pushed to every freshly handshaked
/// client. On the **client** side this is the on-disk location where pushed CRLs are cached
/// so revocations survive a restart even without a fresh server push.
///
/// Optional — when omitted the v1 behaviour applies (server: nobody is revoked at the
/// post-handshake check; client: pushed CRLs are applied to the live verifier only).
#[serde(default)]
pub crl: Option<String>,
/// Path to the CA **private** key, used by the server to sign the CRL before pushing it. Only
/// read on the server when [`PkiSection::crl_push`] is true. Optional — when omitted and
/// `crl_push` is true the server logs a warning and does not push (the v1 behaviour).
#[serde(default)]
pub ca_key: Option<String>,
/// Server-side toggle: push the CRL to every authenticated client right after the handshake.
/// Default `true` in v2.
#[serde(default = "default_true")]
pub crl_push: bool,
/// Client-side toggle: accept CRL pushes from the server and apply them to the live verifier.
/// Default `true` in v2.
#[serde(default = "default_true")]
pub accept_pushed_crl: bool,
}
/// Default helper for serde: `true`.
fn default_true() -> bool {
true
}
/// `[transport]` section shared by both config files: the set/order of transports and their ports.
crates/aura-cli/src/crl_push.rs
+453
View File
@@ -0,0 +1,453 @@
//! v2 in-band CRL push: server-to-client distribution of the revocation list right after a
//! successful handshake.
//!
//! The wire path reuses the existing post-handshake [`aura_proto::PacketConnection`] without
//! changing the trait or any transport. Control messages are multiplexed alongside real IP packets
//! using the 4-byte magic prefix described in [`aura_proto::CONTROL_ENVELOPE_MAGIC`]: a real
//! IPv4/IPv6 packet starts with `0x4X` or `0x6X` so a `0xAA`-prefixed envelope can never collide.
//!
//! ## Server side ([`push_crl_if_configured`])
//!
//! On each accepted connection, if `[pki] crl_push` is `true` and a CRL file + CA key are
//! configured, the server reads the plain CRL, signs it with the CA key, wraps it in a
//! [`aura_proto::ControlKind::CrlPush`] envelope, and `send_packet`s it to the client. Failures
//! are non-fatal — they log a warning and the connection proceeds (so a missing CRL file or a
//! stale signing key never tears down a freshly authenticated client).
//!
//! ## Client side ([`AcceptPushedCrlConn`])
//!
//! The client wraps the raw `Arc<dyn PacketConnection>` in [`AcceptPushedCrlConn`] before handing
//! it to the [`aura_tunnel::AuraRouter`]. Every `recv_packet` call is sniffed: if the bytes start
//! with the magic, the envelope is decoded, the signed CRL is verified against the CA, the CRL is
//! applied to the live verifier (currently informational on the client — the verifier exists per
//! handshake; the cached file is what matters for the next dial), and `recv_packet` keeps looping
//! for the next packet. Any envelope that fails to verify is dropped with a warning.
//!
//! Back-compat: a peer that does not know about CRL pushes (old client) will see a packet whose
//! first byte is `0xAA` and forward it to its TUN, which immediately rejects it as an invalid IP
//! packet (top nibble `0xA` is not a valid IP version). The session stays alive.
use std::path::{Path, PathBuf};
use std::sync::Arc;
use aura_pki::CrlStore;
use aura_proto::{decode_control_envelope, encode_control_envelope, ControlKind, PacketConnection};
use tokio::sync::RwLock;
use crate::config::expand_tilde;
/// Build the bytes the server should send (CRL header + signed body, wrapped in a control
/// envelope), or `Ok(None)` if `[pki] crl_push` is disabled / the CRL file is missing / the CA
/// signing key is unavailable.
///
/// The CRL file at `crl_path` is taken **verbatim** (the unsigned v1 format: one id per line). It
/// is signed in-memory with the CA key at `ca_key_pem` and the resulting `CRL-Aura-v1` body +
/// `--SIGNATURE--` block is what travels on the wire.
pub fn build_push_envelope(
crl_path: &Path,
ca_cert_pem: &str,
ca_key_pem: &str,
) -> anyhow::Result<Vec<u8>> {
let crl = CrlStore::load(crl_path)?;
let signed = crl.encode_signed(ca_cert_pem, ca_key_pem)?;
Ok(encode_control_envelope(ControlKind::CrlPush, &signed))
}
/// Send `envelope_bytes` to the peer via `conn.send_packet`. Returns the underlying transport
/// error if the send fails.
pub async fn send_push(
conn: &Arc<dyn PacketConnection>,
envelope_bytes: &[u8],
) -> anyhow::Result<()> {
conn.send_packet(envelope_bytes).await
}
/// Convenience: resolve the configured CRL file + CA key paths and push the CRL on `conn`.
///
/// Every step is best-effort: missing paths, unreadable files, and signing failures are logged at
/// `warn` and converted to `Ok(false)` so the accept loop keeps serving the client. Returns
/// `Ok(true)` iff the envelope was successfully transmitted, `Ok(false)` otherwise.
pub async fn push_crl_if_configured(
crl_push_enabled: bool,
crl_path: Option<&str>,
ca_cert_pem: &str,
ca_key_path: Option<&str>,
conn: &Arc<dyn PacketConnection>,
peer: Option<&str>,
) -> anyhow::Result<bool> {
if !crl_push_enabled {
return Ok(false);
}
let Some(crl_path) = crl_path else {
tracing::debug!(
peer = ?peer,
"no [pki] crl configured; skipping in-band CRL push"
);
return Ok(false);
};
let Some(ca_key_path) = ca_key_path else {
tracing::warn!(
peer = ?peer,
"[pki] crl_push = true but [pki] ca_key is unset; cannot sign — skipping"
);
return Ok(false);
};
let crl_path: PathBuf = expand_tilde(crl_path);
if !crl_path.exists() {
tracing::debug!(
peer = ?peer,
path = %crl_path.display(),
"CRL file does not exist; skipping in-band CRL push (no revoked clients yet)"
);
return Ok(false);
}
let ca_key_path = expand_tilde(ca_key_path);
let ca_key_pem = match std::fs::read_to_string(&ca_key_path) {
Ok(p) => p,
Err(e) => {
tracing::warn!(
peer = ?peer,
path = %ca_key_path.display(),
error = %e,
"failed to read CA signing key; skipping in-band CRL push"
);
return Ok(false);
}
};
let envelope = match build_push_envelope(&crl_path, ca_cert_pem, &ca_key_pem) {
Ok(v) => v,
Err(e) => {
tracing::warn!(
peer = ?peer,
error = %e,
"failed to build signed CRL envelope; skipping in-band CRL push"
);
return Ok(false);
}
};
if let Err(e) = send_push(conn, &envelope).await {
tracing::warn!(
peer = ?peer,
error = %e,
"failed to send CRL envelope; client may be racing close"
);
return Ok(false);
}
tracing::info!(
peer = ?peer,
bytes = envelope.len(),
"in-band CRL pushed to client"
);
Ok(true)
}
/// Client-side adapter that intercepts CRL-push control envelopes coming over `inner` and applies
/// them to a live `verifier` + optional on-disk cache.
///
/// Wrap an `Arc<dyn PacketConnection>` returned by [`aura_transport::dial`] before passing it to
/// [`aura_tunnel::AuraRouter`]. Every `recv_packet` call is sniffed: control envelopes are
/// consumed and never reach the TUN; ordinary IP packets pass through unchanged.
pub struct AcceptPushedCrlConn {
inner: Arc<dyn PacketConnection>,
/// CA cert PEM the client trusts — used to verify the pushed CRL's signature.
ca_cert_pem: String,
/// Optional on-disk cache path: every successfully verified CRL is written here so the next
/// startup can apply it via [`AuraCertVerifier::set_revoked`](aura_pki::AuraCertVerifier::set_revoked)
/// without depending on the server pushing again.
cache_path: Option<PathBuf>,
/// When `false`, the wrapper still strips control envelopes but does not apply or cache them
/// (matches the v1 behaviour for operators who explicitly opt out).
accept: bool,
/// Last applied CRL — exposed for tests / inspection. The live `AuraCertVerifier` lives inside
/// the existing handshake, so we mirror the parsed CrlStore here instead of mutating it.
pub last_applied: Arc<RwLock<Option<CrlStore>>>,
}
impl AcceptPushedCrlConn {
/// Wrap `inner` so CRL pushes from the server are decoded and stripped.
///
/// `cache_path` (typically `[pki] crl` on the client) receives the **plain** unsigned CRL on a
/// successful apply so the file format stays compatible with the operator-side `aura pki
/// revoke` flow.
pub fn new(
inner: Arc<dyn PacketConnection>,
ca_cert_pem: String,
cache_path: Option<PathBuf>,
accept: bool,
) -> Self {
Self {
inner,
ca_cert_pem,
cache_path,
accept,
last_applied: Arc::new(RwLock::new(None)),
}
}
/// Shared handle to the most recently applied CRL (mostly for tests).
pub fn last_applied(&self) -> Arc<RwLock<Option<CrlStore>>> {
Arc::clone(&self.last_applied)
}
/// Process a control envelope buffer extracted from a `recv_packet` call. Returns `Ok(())` so
/// errors do not tear the session down — they only log.
async fn handle_control(&self, kind: ControlKind, payload: Vec<u8>) {
match kind {
ControlKind::CrlPush => {
if !self.accept {
tracing::debug!("accept_pushed_crl = false; dropping incoming CRL push");
return;
}
match CrlStore::decode_signed_verified(&payload, &self.ca_cert_pem) {
Ok(crl) => {
let count = crl.len();
if let Some(path) = &self.cache_path {
if let Err(e) = persist_crl(&crl, path) {
tracing::warn!(
path = %path.display(),
error = %e,
"applied pushed CRL but failed to persist to disk"
);
}
}
*self.last_applied.write().await = Some(crl);
tracing::info!(entries = count, "CRL applied from server push (in-band)");
}
Err(e) => {
tracing::warn!(
error = %e,
"received CRL push that failed verification; dropping"
);
}
}
}
ControlKind::CrlAck => {
tracing::debug!("server CRL ack received (unexpected — client does not push CRLs)");
}
ControlKind::Unknown(b) => {
tracing::debug!(kind = b, "unknown control envelope kind; ignoring");
}
}
}
}
/// Write the plain (unsigned) CRL to `path` so the next client startup can apply it via
/// [`CrlStore::load`].
fn persist_crl(crl: &CrlStore, path: &Path) -> anyhow::Result<()> {
if let Some(parent) = path.parent() {
if !parent.as_os_str().is_empty() {
std::fs::create_dir_all(parent)?;
}
}
crl.save(path)
}
#[async_trait::async_trait]
impl PacketConnection for AcceptPushedCrlConn {
async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()> {
// Client never sends control envelopes; pass through verbatim.
self.inner.send_packet(packet).await
}
async fn recv_packet(&self) -> anyhow::Result<Vec<u8>> {
// Loop until we find a real IP packet. Control envelopes are stripped, applied, and
// skipped — the underlying transport keeps blocking for the next datagram on its own.
loop {
let pkt = self.inner.recv_packet().await?;
match decode_control_envelope(&pkt) {
Ok(Some((kind, payload))) => {
self.handle_control(kind, payload).await;
// Continue the loop to deliver the *next* real packet to the caller.
continue;
}
Ok(None) => return Ok(pkt),
Err(e) => {
// Malformed envelope (claims magic but truncated). Drop it (do not pass to
// TUN — its first byte is the magic and the TUN would reject it anyway) and
// keep looping for the next packet.
tracing::warn!(error = %e, "malformed control envelope; dropping");
continue;
}
}
}
}
}
#[cfg(test)]
mod tests {
use super::*;
use std::collections::VecDeque;
use aura_pki::AuraCa;
use tokio::sync::Mutex;
/// In-memory mock PacketConnection where `recv_packet` drains a FIFO of pre-loaded buffers and
/// `send_packet` appends to a Vec we can inspect.
struct MockConn {
to_recv: Mutex<VecDeque<Vec<u8>>>,
sent: Mutex<Vec<Vec<u8>>>,
}
impl MockConn {
fn new(packets: impl IntoIterator<Item = Vec<u8>>) -> Self {
Self {
to_recv: Mutex::new(packets.into_iter().collect()),
sent: Mutex::new(Vec::new()),
}
}
}
#[async_trait::async_trait]
impl PacketConnection for MockConn {
async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()> {
self.sent.lock().await.push(packet.to_vec());
Ok(())
}
async fn recv_packet(&self) -> anyhow::Result<Vec<u8>> {
self.to_recv
.lock()
.await
.pop_front()
.ok_or_else(|| anyhow::anyhow!("mock conn drained"))
}
}
/// A pushed-CRL envelope is decoded, verified, applied, and stripped from the recv stream;
/// the next call returns the next real IP packet.
#[tokio::test]
async fn intercepts_crl_push_and_applies() {
// Build a CA, sign a CRL of {"alice"}.
let ca = AuraCa::generate("Aura Test").unwrap();
let ca_cert_pem = ca.ca_cert_pem();
// We need the CA key PEM. AuraCa does not expose it directly; round-trip via save/load.
let cert_path =
std::env::temp_dir().join(format!("aura-pki-test-{}-ca.crt", uuid::Uuid::new_v4()));
let key_path =
std::env::temp_dir().join(format!("aura-pki-test-{}-ca.key", uuid::Uuid::new_v4()));
ca.save(&cert_path, &key_path).unwrap();
let ca_key_pem = std::fs::read_to_string(&key_path).unwrap();
let mut crl = CrlStore::new();
crl.revoke("alice");
let signed = crl.encode_signed(&ca_cert_pem, &ca_key_pem).unwrap();
let envelope = encode_control_envelope(ControlKind::CrlPush, &signed);
// Build the inner mock: first packet is the CRL envelope, second is a real IPv4 packet.
let ipv4 = vec![0x45u8, 0x00, 0x00, 0x14, 0xab, 0xcd];
let inner: Arc<dyn PacketConnection> = Arc::new(MockConn::new([envelope, ipv4.clone()]));
// Cache to a temp file so we also exercise persistence.
let cache_path =
std::env::temp_dir().join(format!("aura-pki-test-{}-cached.crl", uuid::Uuid::new_v4()));
let wrap =
AcceptPushedCrlConn::new(inner, ca_cert_pem.clone(), Some(cache_path.clone()), true);
// First recv: the envelope is consumed; the next packet (real IPv4) is returned.
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, ipv4);
// CRL was applied to the wrapper's last_applied slot.
let applied = wrap.last_applied().read().await.clone();
assert!(applied.is_some(), "CRL should have been applied");
let applied = applied.unwrap();
assert!(applied.contains("alice"));
// And persisted on disk in the v1 plain format.
let from_disk = CrlStore::load(&cache_path).unwrap();
assert!(from_disk.contains("alice"));
let _ = std::fs::remove_file(cache_path);
let _ = std::fs::remove_file(cert_path);
let _ = std::fs::remove_file(key_path);
}
/// A CRL push signed by a different CA must be dropped, the slot remains None, and the next
/// real packet is still delivered.
#[tokio::test]
async fn rejects_crl_signed_by_wrong_ca() {
let real = AuraCa::generate("Real").unwrap();
let rogue = AuraCa::generate("Rogue").unwrap();
let rogue_cert =
std::env::temp_dir().join(format!("aura-pki-test-{}-r.crt", uuid::Uuid::new_v4()));
let rogue_key =
std::env::temp_dir().join(format!("aura-pki-test-{}-r.key", uuid::Uuid::new_v4()));
rogue.save(&rogue_cert, &rogue_key).unwrap();
let rogue_key_pem = std::fs::read_to_string(&rogue_key).unwrap();
let rogue_cert_pem = std::fs::read_to_string(&rogue_cert).unwrap();
// Sign a CRL with the rogue CA but offer it to a client that trusts only `real`.
let mut crl = CrlStore::new();
crl.revoke("alice");
let signed = crl.encode_signed(&rogue_cert_pem, &rogue_key_pem).unwrap();
let envelope = encode_control_envelope(ControlKind::CrlPush, &signed);
let ipv4 = vec![0x45u8, 0x00, 0x00, 0x14];
let inner: Arc<dyn PacketConnection> = Arc::new(MockConn::new([envelope, ipv4.clone()]));
let wrap = AcceptPushedCrlConn::new(inner, real.ca_cert_pem(), None, true);
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, ipv4, "envelope dropped, real packet still delivered");
assert!(
wrap.last_applied().read().await.is_none(),
"no CRL should have been applied"
);
let _ = std::fs::remove_file(rogue_cert);
let _ = std::fs::remove_file(rogue_key);
}
/// When `accept = false`, the envelope is still stripped from the stream (so it does not
/// pollute the TUN) but is NOT applied or persisted.
#[tokio::test]
async fn accept_false_strips_but_does_not_apply() {
let ca = AuraCa::generate("Aura").unwrap();
let ca_cert_pem = ca.ca_cert_pem();
let cert_path = std::env::temp_dir().join(format!("aura-{}-c.crt", uuid::Uuid::new_v4()));
let key_path = std::env::temp_dir().join(format!("aura-{}-c.key", uuid::Uuid::new_v4()));
ca.save(&cert_path, &key_path).unwrap();
let ca_key_pem = std::fs::read_to_string(&key_path).unwrap();
let mut crl = CrlStore::new();
crl.revoke("alice");
let signed = crl.encode_signed(&ca_cert_pem, &ca_key_pem).unwrap();
let envelope = encode_control_envelope(ControlKind::CrlPush, &signed);
let ipv4 = vec![0x45u8, 0x00, 0x00, 0x14];
let inner: Arc<dyn PacketConnection> = Arc::new(MockConn::new([envelope, ipv4.clone()]));
let wrap = AcceptPushedCrlConn::new(inner, ca_cert_pem, None, false);
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, ipv4);
assert!(wrap.last_applied().read().await.is_none());
let _ = std::fs::remove_file(cert_path);
let _ = std::fs::remove_file(key_path);
}
/// Two real packets in a row pass through unchanged.
#[tokio::test]
async fn passes_real_packets_through() {
let real = AuraCa::generate("Real").unwrap();
let ipv4 = vec![0x45u8, 0x00, 0x00, 0x14];
let ipv6 = vec![0x60u8, 0x00, 0x00, 0x00];
let inner: Arc<dyn PacketConnection> =
Arc::new(MockConn::new([ipv4.clone(), ipv6.clone()]));
let wrap = AcceptPushedCrlConn::new(inner, real.ca_cert_pem(), None, true);
assert_eq!(wrap.recv_packet().await.unwrap(), ipv4);
assert_eq!(wrap.recv_packet().await.unwrap(), ipv6);
}
/// send_packet always passes through to the inner connection (the client never originates
/// control envelopes — only the server does).
#[tokio::test]
async fn send_packet_passes_through() {
let real = AuraCa::generate("Real").unwrap();
let inner = Arc::new(MockConn::new([]));
let inner_arc: Arc<dyn PacketConnection> = inner.clone();
let wrap = AcceptPushedCrlConn::new(Arc::clone(&inner_arc), real.ca_cert_pem(), None, true);
wrap.send_packet(b"hello").await.unwrap();
let sent = inner.sent.lock().await.clone();
assert_eq!(sent, vec![b"hello".to_vec()]);
}
}
crates/aura-cli/src/lib.rs
+1
View File
@@ -16,6 +16,7 @@ pub mod admin;
pub mod bench;
pub mod client;
pub mod config;
pub mod crl_push;
pub mod dial_targets;
pub mod init;
pub mod masks;
crates/aura-cli/src/server.rs
+15
View File
@@ -38,6 +38,7 @@ use tokio::sync::RwLock;
use crate::admin::{self, AdminState, Stats};
use crate::config::ServerConfigFile;
use crate::crl_push;
use crate::masks::MaskRotator;
use crate::nat::NatGuard;
use crate::pool::IpPool;
@@ -284,6 +285,20 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
"accepted authenticated client; assigned tunnel ip"
);
// v2: push the CRL in-band immediately after the handshake completes (before any user
// traffic is dispatched). Errors here are non-fatal — the helper logs the reason and we
// proceed with the connection. Old clients that don't recognise the magic prefix will
// forward the bytes to their TUN, which rejects them as an invalid IP packet.
let _ = crl_push::push_crl_if_configured(
cfg.pki.crl_push,
cfg.pki.crl.as_deref(),
&proto_cfg.ca_cert_pem,
cfg.pki.ca_key.as_deref(),
&conn,
peer_id.as_deref(),
)
.await;
// Register the connection and spawn its inbound forwarder.
if let Some(prev) = server_routes.register(assigned_ip, Arc::clone(&conn)).await {
tracing::warn!(
crates/aura-cli/tests/in_band_crl.rs
+310
View File
@@ -0,0 +1,310 @@
//! End-to-end test of the v2 in-band CRL push flow at the [`PacketConnection`] layer.
//!
//! We avoid spinning up a real transport (which needs root + privileged sockets) and instead drive
//! the server-side helper `push_crl_if_configured` against an in-memory mock `PacketConnection`,
//! then feed the bytes the server "sent" into a client-side `AcceptPushedCrlConn` wrapper and
//! check that:
//!
//! * the wrapper consumes the envelope (does NOT deliver it to the TUN-bound `recv_packet`),
//! * the wrapper verifies the signature against the CA and applies the CRL,
//! * the wrapper persists the parsed CRL to the configured cache path,
//! * a real IP packet that arrives *after* the envelope is delivered verbatim to the caller.
//!
//! The path runs entirely on mpsc channels, so it exercises the wrapping logic without any
//! crypto/transport setup.
use std::collections::VecDeque;
use std::path::PathBuf;
use std::sync::Arc;
use async_trait::async_trait;
use aura_cli::crl_push::{push_crl_if_configured, AcceptPushedCrlConn};
use aura_pki::{AuraCa, CrlStore};
use aura_proto::PacketConnection;
use tokio::sync::Mutex;
use uuid::Uuid;
/// Mock connection with two roles in this test:
/// * **server side**: the server's `push_crl_if_configured` calls `send_packet` on its `Arc<dyn
/// PacketConnection>`. We capture the bytes here.
/// * **client side**: the client wraps this same struct (re-instantiated with the captured bytes
/// in `to_recv`) and calls `recv_packet`.
struct MockConn {
to_recv: Mutex<VecDeque<Vec<u8>>>,
sent: Mutex<Vec<Vec<u8>>>,
}
impl MockConn {
fn new(packets: impl IntoIterator<Item = Vec<u8>>) -> Self {
Self {
to_recv: Mutex::new(packets.into_iter().collect()),
sent: Mutex::new(Vec::new()),
}
}
async fn drain_sent(&self) -> Vec<Vec<u8>> {
std::mem::take(&mut *self.sent.lock().await)
}
}
#[async_trait]
impl PacketConnection for MockConn {
async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()> {
self.sent.lock().await.push(packet.to_vec());
Ok(())
}
async fn recv_packet(&self) -> anyhow::Result<Vec<u8>> {
self.to_recv
.lock()
.await
.pop_front()
.ok_or_else(|| anyhow::anyhow!("mock conn drained"))
}
}
fn temp_path(suffix: &str) -> PathBuf {
let mut p = std::env::temp_dir();
p.push(format!("aura-cli-in_band_crl-{}-{suffix}", Uuid::new_v4()));
p
}
/// Happy path: server pushes a signed CRL of `{"alice"}`; client decodes + applies + persists.
#[tokio::test]
async fn server_push_is_applied_on_the_client() {
// 1. CA + on-disk CA paths (save/load to get the key PEM string).
let ca = AuraCa::generate("Aura CRL IT").unwrap();
let ca_cert_pem = ca.ca_cert_pem();
let ca_cert_path = temp_path("ca.crt");
let ca_key_path = temp_path("ca.key");
ca.save(&ca_cert_path, &ca_key_path).unwrap();
// 2. Server-side CRL file (unsigned v1 format).
let crl_path = temp_path("revoked.crl");
let mut crl = CrlStore::new();
crl.revoke("alice");
crl.revoke("deadbeef");
crl.save(&crl_path).unwrap();
// 3. Server-side mock conn (its `sent` slot is what the wire would carry).
let server_mock = Arc::new(MockConn::new([]));
let server_conn: Arc<dyn PacketConnection> = server_mock.clone();
// 4. Drive the server-side helper.
let pushed = push_crl_if_configured(
true,
Some(crl_path.to_str().unwrap()),
&ca_cert_pem,
Some(ca_key_path.to_str().unwrap()),
&server_conn,
Some("test-peer"),
)
.await
.expect("push_crl_if_configured returns Ok");
assert!(pushed, "server should report a successful push");
// 5. Capture the envelope the server "sent" and inject it on the client side.
let envelopes = server_mock.drain_sent().await;
assert_eq!(envelopes.len(), 1, "exactly one envelope was sent");
let envelope = envelopes.into_iter().next().unwrap();
assert_eq!(
&envelope[..4],
&[0xAA, 0xAA, 0xC0, 0x01],
"envelope starts with the CRL magic prefix"
);
// 6. Build the client-side mock, feeding the envelope first and a real IPv4 packet second.
let real_ipv4 = vec![0x45u8, 0x00, 0x00, 0x14, 0xab, 0xcd];
let client_inner: Arc<dyn PacketConnection> =
Arc::new(MockConn::new([envelope, real_ipv4.clone()]));
let cache_path = temp_path("client_revoked.crl");
let wrap = AcceptPushedCrlConn::new(
client_inner,
ca_cert_pem.clone(),
Some(cache_path.clone()),
true, // accept_pushed_crl = true
);
// 7. Client's first recv_packet consumes the envelope (not the IPv4 packet) and applies the
// CRL. The next bytes pulled from `recv_packet` are the real IPv4 packet.
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, real_ipv4, "real packet delivered after envelope");
// 8. Verify the CRL was applied + persisted.
let applied = wrap.last_applied.read().await.clone();
let applied = applied.expect("CRL should have been applied");
assert!(applied.contains("alice"));
assert!(applied.contains("deadbeef"));
assert_eq!(applied.len(), 2);
let from_disk = CrlStore::load(&cache_path).unwrap();
assert!(from_disk.contains("alice"));
assert!(from_disk.contains("deadbeef"));
let _ = std::fs::remove_file(ca_cert_path);
let _ = std::fs::remove_file(ca_key_path);
let _ = std::fs::remove_file(crl_path);
let _ = std::fs::remove_file(cache_path);
}
/// When `crl_push_enabled = false`, the server never sends an envelope and the client recv path
/// continues to behave exactly as in v1.
#[tokio::test]
async fn server_does_not_push_when_disabled() {
let ca = AuraCa::generate("Aura CRL IT").unwrap();
let ca_cert_path = temp_path("ca.crt");
let ca_key_path = temp_path("ca.key");
ca.save(&ca_cert_path, &ca_key_path).unwrap();
let crl_path = temp_path("revoked.crl");
let mut crl = CrlStore::new();
crl.revoke("alice");
crl.save(&crl_path).unwrap();
let server_mock = Arc::new(MockConn::new([]));
let server_conn: Arc<dyn PacketConnection> = server_mock.clone();
let pushed = push_crl_if_configured(
false, // disabled
Some(crl_path.to_str().unwrap()),
&ca.ca_cert_pem(),
Some(ca_key_path.to_str().unwrap()),
&server_conn,
Some("peer"),
)
.await
.unwrap();
assert!(!pushed, "disabled server should not push");
assert!(
server_mock.drain_sent().await.is_empty(),
"no bytes should have been sent"
);
let _ = std::fs::remove_file(ca_cert_path);
let _ = std::fs::remove_file(ca_key_path);
let _ = std::fs::remove_file(crl_path);
}
/// If the CRL file does not exist (no revocations yet), the helper silently skips.
#[tokio::test]
async fn server_skips_when_crl_file_missing() {
let ca = AuraCa::generate("Aura").unwrap();
let ca_cert_path = temp_path("ca.crt");
let ca_key_path = temp_path("ca.key");
ca.save(&ca_cert_path, &ca_key_path).unwrap();
let nonexistent = temp_path("nope.crl");
let server_mock = Arc::new(MockConn::new([]));
let server_conn: Arc<dyn PacketConnection> = server_mock.clone();
let pushed = push_crl_if_configured(
true,
Some(nonexistent.to_str().unwrap()),
&ca.ca_cert_pem(),
Some(ca_key_path.to_str().unwrap()),
&server_conn,
Some("peer"),
)
.await
.unwrap();
assert!(!pushed, "missing CRL should not push");
assert!(server_mock.drain_sent().await.is_empty());
let _ = std::fs::remove_file(ca_cert_path);
let _ = std::fs::remove_file(ca_key_path);
}
/// If the server pushes a CRL signed by a different CA, the client refuses to apply it. The real
/// packet that follows the envelope is still delivered (the wrapper just drops the bad envelope
/// and keeps looping).
#[tokio::test]
async fn client_rejects_push_signed_by_wrong_ca() {
let real = AuraCa::generate("Real").unwrap();
let rogue = AuraCa::generate("Rogue").unwrap();
let rogue_cert_path = temp_path("rogue.crt");
let rogue_key_path = temp_path("rogue.key");
rogue.save(&rogue_cert_path, &rogue_key_path).unwrap();
let crl_path = temp_path("rogue.crl");
let mut crl = CrlStore::new();
crl.revoke("alice");
crl.save(&crl_path).unwrap();
// Server "pushes" using the rogue CA.
let server_mock = Arc::new(MockConn::new([]));
let server_conn: Arc<dyn PacketConnection> = server_mock.clone();
let pushed = push_crl_if_configured(
true,
Some(crl_path.to_str().unwrap()),
&rogue.ca_cert_pem(),
Some(rogue_key_path.to_str().unwrap()),
&server_conn,
None,
)
.await
.unwrap();
assert!(pushed);
let envelope = server_mock.drain_sent().await.into_iter().next().unwrap();
// Client trusts only `real`; the rogue's signature must fail verification.
let real_ipv4 = vec![0x45u8, 0x00, 0x00, 0x14];
let client_inner: Arc<dyn PacketConnection> =
Arc::new(MockConn::new([envelope, real_ipv4.clone()]));
let wrap = AcceptPushedCrlConn::new(client_inner, real.ca_cert_pem(), None, true);
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, real_ipv4);
assert!(
wrap.last_applied.read().await.is_none(),
"rogue-signed CRL must not be applied"
);
let _ = std::fs::remove_file(rogue_cert_path);
let _ = std::fs::remove_file(rogue_key_path);
let _ = std::fs::remove_file(crl_path);
}
/// `accept_pushed_crl = false` makes the client drop pushes (the wrapper still strips the envelope
/// so the TUN never sees the magic bytes).
#[tokio::test]
async fn client_drops_push_when_disabled() {
let ca = AuraCa::generate("Aura").unwrap();
let ca_cert_path = temp_path("ca.crt");
let ca_key_path = temp_path("ca.key");
ca.save(&ca_cert_path, &ca_key_path).unwrap();
let crl_path = temp_path("revoked.crl");
let mut crl = CrlStore::new();
crl.revoke("alice");
crl.save(&crl_path).unwrap();
let server_mock = Arc::new(MockConn::new([]));
let server_conn: Arc<dyn PacketConnection> = server_mock.clone();
let _ = push_crl_if_configured(
true,
Some(crl_path.to_str().unwrap()),
&ca.ca_cert_pem(),
Some(ca_key_path.to_str().unwrap()),
&server_conn,
None,
)
.await
.unwrap();
let envelope = server_mock.drain_sent().await.into_iter().next().unwrap();
let real_ipv4 = vec![0x45u8, 0x00, 0x00, 0x14];
let client_inner: Arc<dyn PacketConnection> =
Arc::new(MockConn::new([envelope, real_ipv4.clone()]));
let wrap = AcceptPushedCrlConn::new(
client_inner,
ca.ca_cert_pem(),
None,
false, /* accept */
);
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, real_ipv4);
assert!(
wrap.last_applied.read().await.is_none(),
"disabled accept must not apply the CRL"
);
let _ = std::fs::remove_file(ca_cert_path);
let _ = std::fs::remove_file(ca_key_path);
let _ = std::fs::remove_file(crl_path);
}