Adds proof artifacts that the PQ tunnel is real:
- crates/aura-proto/tests/pq_wire_tap.rs — new integration test that
intercepts every byte flowing on the in-memory transport and asserts:
(1) ClientHello payload = 32 + 1184 + 32 (X25519 + ML-KEM-768 ek + nonce),
(2) ServerHello payload = 32 + 1088 + 32 (X25519_eph + ML-KEM-768 ct + nonce),
(3) a 56-byte plaintext marker shipped in a Data frame is absent from
the wire in both directions,
(4) ServerAuth/Data AEAD bodies have Shannon entropy >= 7 bits/byte.
- TEST_CASES.md — Russian-language report mapping 12 test cases to the
exact code and captured outputs (KAT, hybrid round-trip, AEAD tamper
detection, mutual X.509 rejection, replay window, 1000-packet flow,
in-vivo ping, bench-crypto timings, new wire-tap proof).
- docs/test_evidence/ — full captured stdout of cargo test runs and
aura bench-crypto, referenced from TEST_CASES.md.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Foundation for v3.1 onion routing (client → entry-relay → exit-server).
The relay/circuit runtime is implemented in a follow-up commit; this
scaffold lands the wire-level control extensions and the config schema:
- aura-proto: ControlKind gains ExtendBridge (client→relay), CircuitReady
(relay→client), CircuitFailed (relay→client, with utf-8 reason); helpers
encode_extend_bridge / decode_extend_bridge (1-byte family + 4/16 addr
bytes + u16 port). Integration test in tests/control_extend.rs covers
IPv4/IPv6 roundtrip + full magic-envelope wrap.
- aura-cli config: [server.relay] {enabled, allow_extend_to} +
[client.circuit] {enabled, hops} sections; relay_whitelist() helper
parses IP:port literals. All new fields serde-default, back-compat.
- crl_push.rs touched only to leave the new ControlKinds passing through
the existing magic-envelope dispatcher unchanged.
Workspace: 247 tests passed (+12), clippy/fmt clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Server now pushes its signed CRL to each connecting client right after the
handshake; the client verifies the signature against the CA and applies the
revocation list to its verifier (and caches it on disk for restarts).
Removes the v1 "CRL distributed out-of-band" honest limitation.
Wire (multiplexed over existing PacketConnection, no trait change):
control envelope = MAGIC[4]=[0xAA,0xAA,0xC0,0x01] || kind(u8) || u32_be(len)
|| payload. IPv4/IPv6 start with 0x4X/0x6X, so 0xAA cannot collide; an old
peer just drops it as a junk packet in the TUN — back-compat preserved.
- aura-proto: ControlKind { CrlPush, CrlAck, Unknown }, encode/decode_control_
envelope, CONTROL_ENVELOPE_MAGIC; 7 frame tests.
- aura-pki: CrlStore::{encode_signed, save_signed, decode_signed_verified,
load_signed_verified} — ECDSA-P256/SHA-256 from the CA private key against
a textual "CRL-Aura-v1" body + --SIGNATURE--; 7 signing tests. ring 0.17
added crate-local (already in lockfile via rustls-webpki).
- aura-cli: crl_push module — server pushes via conn.send_packet on accept;
client wraps the Arc<dyn PacketConnection> in AcceptPushedCrlConn which
sniffs the magic in recv_packet, verifies the signature, updates the
AuraCertVerifier, caches to disk. PkiSection gets ca_key, crl_push (default
true), accept_pushed_crl (default true).
- 5 in_band_crl integration tests via mock PacketConnection.
Workspace: 235 tests passed (+28), clippy -D warnings clean, fmt clean. v2
COMPLETE — all 9 honest v1 limitations resolved (except sing-box, per user).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Contract for the custom UDP transport (v2):
- aura-crypto: AeadKey — ChaCha20-Poly1305 with an EXPLICIT per-message nonce
(caller passes the counter), for datagram transports where packets may be lost
or reordered. AeadSession::into_parts() hands off (AeadKey, counter). Same
nonce scheme as AeadSession, so they interoperate on one key with disjoint
counter ranges. +4 tests.
- aura-proto: DatagramSender/DatagramReceiver (record = seq(8) || AEAD(frame,
aad=seq), sliding replay window) and Session::into_datagram_parts(); reuse for
a UDP data path. +1 test. Existing 16 crypto / 13 proto tests still green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Worktree isolation is unavailable in this environment, so make Wave 3 safe for
same-tree parallel work instead: the PacketConnection contract now lives in
aura-proto (stable) and aura-tunnel no longer depends on aura-transport. With
transport and tunnel both depending only on proto (and not each other), the two
crates are independent leaves and can be built/edited concurrently without one
breaking the other's build. proto: 13 tests still green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Compose Session from SessionSender (writer + outbound AEAD/seq) and
SessionReceiver (reader + inbound AEAD + replay window); split() hands back
the two halves so a VPN data path can run concurrent read/write tasks
(recv_frame is not cancellation-safe, so select! on one &mut Session is unsafe).
send_frame/recv_frame/peer_id/into_inner unchanged; 13 tests still green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- 6-crate Cargo workspace, dependency tree frozen (cargo check green in ~1m)
- ml-kem 0.3 (FIPS 203) replaces spec's pqcrypto-kyber for ML-KEM-768
- fix invalid target-gated workspace.dependencies: Windows deps (wintun/windows)
declared untargeted, cfg-gated per-crate in aura-tunnel
- version bumps vs spec: tun 0.8, rcgen 0.14, wintun 0.5
- stub lib/main per crate; real implementations land wave by wave
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
xah30