Server now pushes its signed CRL to each connecting client right after the
handshake; the client verifies the signature against the CA and applies the
revocation list to its verifier (and caches it on disk for restarts).
Removes the v1 "CRL distributed out-of-band" honest limitation.
Wire (multiplexed over existing PacketConnection, no trait change):
control envelope = MAGIC[4]=[0xAA,0xAA,0xC0,0x01] || kind(u8) || u32_be(len)
|| payload. IPv4/IPv6 start with 0x4X/0x6X, so 0xAA cannot collide; an old
peer just drops it as a junk packet in the TUN — back-compat preserved.
- aura-proto: ControlKind { CrlPush, CrlAck, Unknown }, encode/decode_control_
envelope, CONTROL_ENVELOPE_MAGIC; 7 frame tests.
- aura-pki: CrlStore::{encode_signed, save_signed, decode_signed_verified,
load_signed_verified} — ECDSA-P256/SHA-256 from the CA private key against
a textual "CRL-Aura-v1" body + --SIGNATURE--; 7 signing tests. ring 0.17
added crate-local (already in lockfile via rustls-webpki).
- aura-cli: crl_push module — server pushes via conn.send_packet on accept;
client wraps the Arc<dyn PacketConnection> in AcceptPushedCrlConn which
sniffs the magic in recv_packet, verifies the signature, updates the
AuraCertVerifier, caches to disk. PkiSection gets ca_key, crl_push (default
true), accept_pushed_crl (default true).
- 5 in_band_crl integration tests via mock PacketConnection.
Workspace: 235 tests passed (+28), clippy -D warnings clean, fmt clean. v2
COMPLETE — all 9 honest v1 limitations resolved (except sing-box, per user).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Contract for the custom UDP transport (v2):
- aura-crypto: AeadKey — ChaCha20-Poly1305 with an EXPLICIT per-message nonce
(caller passes the counter), for datagram transports where packets may be lost
or reordered. AeadSession::into_parts() hands off (AeadKey, counter). Same
nonce scheme as AeadSession, so they interoperate on one key with disjoint
counter ranges. +4 tests.
- aura-proto: DatagramSender/DatagramReceiver (record = seq(8) || AEAD(frame,
aad=seq), sliding replay window) and Session::into_datagram_parts(); reuse for
a UDP data path. +1 test. Existing 16 crypto / 13 proto tests still green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Worktree isolation is unavailable in this environment, so make Wave 3 safe for
same-tree parallel work instead: the PacketConnection contract now lives in
aura-proto (stable) and aura-tunnel no longer depends on aura-transport. With
transport and tunnel both depending only on proto (and not each other), the two
crates are independent leaves and can be built/edited concurrently without one
breaking the other's build. proto: 13 tests still green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Compose Session from SessionSender (writer + outbound AEAD/seq) and
SessionReceiver (reader + inbound AEAD + replay window); split() hands back
the two halves so a VPN data path can run concurrent read/write tasks
(recv_frame is not cancellation-safe, so select! on one &mut Session is unsafe).
send_frame/recv_frame/peer_id/into_inner unchanged; 13 tests still green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- 6-crate Cargo workspace, dependency tree frozen (cargo check green in ~1m)
- ml-kem 0.3 (FIPS 203) replaces spec's pqcrypto-kyber for ML-KEM-768
- fix invalid target-gated workspace.dependencies: Windows deps (wintun/windows)
declared untargeted, cfg-gated per-crate in aura-tunnel
- version bumps vs spec: tun 0.8, rcgen 0.14, wintun 0.5
- stub lib/main per crate; real implementations land wave by wave
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
xah30