xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(transport): custom UDP post-quantum transport (own tunneling, no QUIC)

Browse Source 
Aura's own data path over plain UDP, authenticated solely by the existing Aura
PQ handshake (hybrid X25519+ML-KEM-768 + mutual X.509) — no QUIC, no outer TLS.

- One UDP socket, two phases by type byte: 0x01 HS (reliable handshake), 0x02
  DATA (datagram records). HS = DTLS-flight reliability over UDP: per-message
  seq, cumulative acks, retransmit (RTO), reorder/dedup, post-handshake linger;
  message boundaries parsed from the 5-byte Aura header. DATA = one explicit-
  nonce AEAD record per datagram (seq||AEAD), replay-checked, optional padding to
  HTTPS size buckets (obfuscation).
- UdpServer/UdpClient/UdpConnection (impl PacketConnection, concurrent send/recv).
  v1: single peer per accept (multi-client demux is a follow-up).
- 5 adapter unit tests + udp loopback end-to-end (obfuscation on, 1300B/empty/
  duplex) + handshake-survives-30%-loss-and-reorder. No new deps. QUIC tests
  preserved. Whole workspace builds; clippy/fmt clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
xah30
2026-05-25 19:10:43 +03:00
parent fa9f18ec17
commit 866b9f427a
3 changed files with 1435 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
crates/aura-transport/src/lib.rs
+7
View File
@@ -18,6 +18,11 @@
//! * [`mimicry`] — ALPN/SNI constants and [`mimicry::chrome_quic_transport_config`].
//! * [`padding`] — [`padding::pad_to_https_size`] / [`padding::inject_padding_frames`] traffic shaping.
//! * [`conn`] — [`AuraConnection`], the [`aura_proto::PacketConnection`] implementation.
//! * [`udp`] — an alternative backend that carries Aura's *own* protocol over **plain UDP**
//! (no QUIC, no outer TLS): [`UdpServer`] / [`UdpClient`] / [`UdpConnection`]. The Aura PQ
//! handshake runs over a small DTLS-flight-style reliability adapter; application packets then ride
//! as unreliable explicit-nonce AEAD datagrams. This is the security-equivalent of the QUIC path
//! (the inner Aura handshake is the only authentication either way), minus the HTTP/3 disguise.
//!
//! ## Usage (Wave 4 / CLI)
//! ```no_run
@@ -62,11 +67,13 @@ pub mod conn;
pub mod mimicry;
pub mod padding;
pub mod quic;
pub mod udp;
pub use conn::AuraConnection;
pub use mimicry::{alpn_protocols, chrome_quic_transport_config, ALPN_H3, DEFAULT_SNI};
pub use padding::{inject_padding_frames, pad_to_https_size, HTTPS_SIZE_BUCKETS};
pub use quic::{client_endpoint, server_endpoint, AcceptAnyServerCert};
pub use udp::{UdpClient, UdpConnection, UdpOpts, UdpServer};
// Re-export the inner proto trait so downstream crates (the CLI) can name the connection as
// `Arc<dyn aura_transport::PacketConnection>` without a separate `aura_proto` import.
crates/aura-transport/src/udp.rs
+1086
View File
File diff suppressed because it is too large Load Diff