xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(singbox-aura,tools): Go port of Aura UDP client + KAT bridge to Rust

Browse Source 
Lays the foundation for sing-box mobile clients (Option B from
docs/sing-box.md): an independent Go module that speaks the AuraVPN wire
protocol byte-for-byte. Proof of equivalence is in KAT tests cross-loaded
from a Rust-side deterministic vector exporter.

- tools/export-kat (new Rust bin in workspace): captures a handshake +
  derived keys + a sealed datagram record + a knock token using seeded
  RNGs (rand::rngs::StdRng + ml-kem's *_deterministic public API), emits
  JSON. Reproducible byte-for-byte.
- singbox-aura/ (new Go module, ~3000 LOC, 22 files):
  - aura/frame: 5-byte protocol header + Frame{Data,Ping,Pong,Close,
    Control} + magic envelope (0xAA,0xAA,0xC0,0x01) — encode/decode
    matching aura-proto::frame.
  - aura/crypto: hybrid X25519 + ML-KEM-768 (stdlib crypto/ecdh +
    crypto/mlkem on Go 1.24+; falls back to circl on older Go via a
    documented swap), HKDF-SHA256 derive_session_keys, ChaCha20-Poly1305
    with the **LE(u64 counter) || [0;4]** nonce scheme that matches
    aura-crypto::AeadKey/AeadSession.
  - aura/handshake: client_handshake state machine reproducing protocol.md
    §6.2 exactly (CH→SH→ServerAuth→ClientAuth→Finished×2; transcript hash;
    ECDSA-P256 transcript signature; HMAC-SHA256 Finished).
  - aura/session: DatagramSender/Receiver + 64-wide sliding replay window.
  - aura/transport: reliable HS-adapter (DTLS-flight retransmit) + UDP
    datagram data path + 16-byte HMAC port-knock with ±1-minute window.
  - aura/outbound: sing-box-shaped shim (interface signatures only — sing-
    box upstream registration is one more step, documented in README).
  - cmd/aura-client: standalone Go binary; reads client.toml via
    pelletier/go-toml/v2 and connects to a real aura server. Validates
    end-to-end interop with the Rust side.
- KAT: 6 comparisons against Rust vectors — session_keys (HKDF), hybrid
  KEM ek/encaps roundtrip, c2s + s2c Finished HMAC, sealed datagram
  record at seq=2 (incl. 16-byte Poly1305 tag), knock token. All byte-
  for-byte.

Go: 29 tests across 5 packages, all green. Only deps: golang.org/x/crypto
and pelletier/go-toml/v2. Rust: 293 tests still green; tools/export-kat
added to workspace members.

v1 limits documented in singbox-aura/README.md: UDP-only (no TCP/QUIC
fallback yet), no cell padding / cover traffic, no relay/exit role, no
multi-hop, sing-box upstream-registration sketch (vendor sagernet/sing-box +
init() RegisterOutbound) for follow-up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
xah30
2026-05-27 21:14:23 +03:00
parent 5ea643a9e5
commit a070da0be9
26 changed files with 3425 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
singbox-aura/aura/session/replay.go
+70
View File
@@ -0,0 +1,70 @@
// Package session provides the post-handshake AEAD-protected Frame exchange and the sliding
// replay window — direct port of crates/aura-proto/src/session.rs.
package session
import "fmt"
// ReplayWindow is the width (in records) of the anti-replay sliding window.
const ReplayWindow uint64 = 64
// ErrReplay is returned when a record's sequence number is a duplicate or too old.
type ErrReplay struct{ Seq uint64 }
func (e *ErrReplay) Error() string { return fmt.Sprintf("aura/session: replay seq=%d", e.Seq) }
// Replay tracks the highest accepted sequence number and a 64-bit bitmap of the positions
// below it that have already been accepted. A datagram is accepted iff its seq is strictly
// newer than everything seen, or falls inside the window and was not previously seen.
type Replay struct {
highest uint64
bitmap uint64
seeded bool
}
// NewReplay primes a window so the first expected record is `start` (the AEAD counter at the
// end of the handshake). Anything strictly below `start` is treated as already-consumed.
//
// This mirrors ReplayWindow::new in the Rust impl: highest = start - 1 (saturating),
// seeded = start > 0.
func NewReplay(start uint64) *Replay {
r := &Replay{seeded: start > 0}
if start > 0 {
r.highest = start - 1
}
return r
}
// CheckAndSet records a seen seq. Returns nil if it is fresh; *ErrReplay otherwise.
func (r *Replay) CheckAndSet(seq uint64) error {
if !r.seeded {
// First-ever record (only reachable when started at 0): accept and seed.
r.seeded = true
r.highest = seq
r.bitmap = 0
return nil
}
if seq > r.highest {
shift := seq - r.highest
if shift >= 64 {
r.bitmap = 0
} else {
r.bitmap = (r.bitmap << shift) | (1 << (shift - 1))
}
r.highest = seq
return nil
}
// seq <= highest: must be inside the window and previously unseen.
offset := r.highest - seq
if offset >= ReplayWindow {
return &ErrReplay{Seq: seq}
}
if offset == 0 {
return &ErrReplay{Seq: seq}
}
mask := uint64(1) << (offset - 1)
if r.bitmap&mask != 0 {
return &ErrReplay{Seq: seq}
}
r.bitmap |= mask
return nil
}