xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: xah30/AuraVPN:278bcced956e3bda0d4bfa08e63c6b8f37e717d2
Branches Tags
xah30/AuraVPN:main
..
compare: xah30/AuraVPN:1893e24174f00589d89177e9ae09f56711a32144
Branches Tags
xah30/AuraVPN:main

10 Commits
278bcced95 .. 1893e24174

Author SHA1 Message Date
xah30 1893e24174 docs: README is now the full deployment guide 
Expanded the root README to include the complete setup instructions
(crates table + intro + the full 7-section deployment guide that
previously lived only in docs/deployment.md, with the doc-link paths
adjusted for a root-level README and a list of every v2/v3 feature
plus the RF entry-relay scenario). docs/deployment.md is preserved for
in-tree navigation.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-27 20:38:39 +03:00
xah30 e0e53665f1 feat(crypto,cli,docs): russian SNI palette + RF-billing deployment scenario 
Adds a way to make the outer-TLS SNI rotate among popular Russian-language
domains so that Russian carriers — who may start metering "foreign traffic"
separately — see the user's first hop as a domestic CDN/site request, not
as an exotic foreign destination.

- aura-crypto::masks:
  - SNI_PALETTE_RUSSIAN (15 real domains: mail.yandex.ru, vk.com, www.ozon.ru,
    dzen.ru, ya.ru, www.gosuslugi.ru, www.wildberries.ru, rutube.ru,
    news.rambler.ru, hh.ru, www.tinkoff.ru, lenta.ru, www.kinopoisk.ru,
    afisha.yandex.ru, music.yandex.ru).
  - enum SniPalette { Default, Russian, Mixed } (Default = v2 behavior).
  - derive_mask_for_msk_date_with_palette(...): pick from chosen palette,
    Mixed flips ~50/50 by HKDF okm[8]&1. Old derive_mask_for_msk_date kept
    as a thin wrapper -> byte-for-byte unchanged Default.
- aura-cli::masks::MaskRotator gains new_with_palette(...); the spawn loop
  uses the stored palette. Old new() preserves Default.
- aura-cli config: [transport.masks] palette = "default"|"russian"|"mixed"
  (serde rename_all = "lowercase", default Default).
- server.rs/client.rs read cfg.transport.masks.palette and pass it to the
  rotator at startup; logged at INFO so the operator sees the choice.
- docs/deployment.md: new §7 "Сервер в РФ против тарификации иностранного
  трафика" — context, ASCII topology, recommended RF providers, full
  server.toml + client.toml examples wiring [server.relay] + russian
  palette + LE outer cert + multi-hop, plus an honest list of what this
  does and does not give.
- config/{server,client}.toml.example updated with palette = "default".

Workspace: 284 tests passed (+8 new = 4 crypto + 2 cli masks + 2 config),
clippy -D warnings clean, fmt clean. 276 baseline tests untouched.
Backward-compatible: configs without palette default to Default, identical
to v2 wire behavior.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-27 20:29:18 +03:00
xah30 9b98004424 feat(cli): v3.2 multi-hop — per-hop cert, cell padding, 3-hop, CIDR whitelist 
Closes the v3.1 unlinkability gap and resists volume/timing correlation:

1) Per-hop client cert (identity-unlinkable hops). [[client.circuit.hops]]
   now accepts {addr, cert_path, key_path, [server_name]} per hop — each
   hop sees a different CN, so a relay and an exit cannot correlate the
   same client by certificate. Old flat `hops = ["ip:port"]` form still
   parses (serde untagged enum) and falls back to [pki] cert/key.
   `aura provision-client --circuit-hops N` mints N fresh UUIDv4 certs.

2) Cell padding. CellPaddingConn wrapper pads every outgoing packet to a
   fixed size (default 1280 bytes; `cell_size = N` configurable) before
   it hits the inner AEAD. Format: u16_be(real_len) || pkt || zero_pad.
   On-wire sizes become constant -> defeats volume/timing fingerprints.
   Opt-in via [client.circuit] cell_padding = true and the mirror
   [server] cell_padding_for_circuit_clients = true.

3) 3-hop support. dial_circuit now accepts N >= 2 hops; iterative
   ExtendBridge nests N-1 forwarders and N handshakes. Client owns the
   full chain via CircuitConnection (forwarders abort on drop).
   New integration test multihop_v3_2_three_hops_end_to_end runs three
   in-process actors (A relay -> B relay -> C exit) on loopback and
   verifies peer_id == C's CN.

4) CIDR whitelist. [server.relay] allow_extend_to entries accept
   "10.0.0.0/24" (subnet, any port), "10.0.0.0/24:443" (subnet + port),
   "[2001:db8::/32]:443" (IPv6 with port), as well as exact IP:port.
   Empty list keeps the v3.1 open-relay (warn).

19 new tests; workspace 276 passed (+19), clippy -D warnings clean, fmt clean.
257 baseline tests untouched; all v2 / v3.1 / LE configs work as before.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-27 20:07:12 +03:00
xah30 f26ed7fce0 feat(cli,transport): Let's Encrypt outer-cert support on TLS-443/QUIC 
Server admins can now point the outer TLS layer at a real CA-signed cert
(e.g. Let's Encrypt fullchain.pem) so the on-wire HTTPS camouflage is
indistinguishable from a normal CA-trusted HTTPS server. The inner Aura
mutual-auth handshake still uses the Aura CA (necessarily — that's where
the PQ mutual auth lives).

- aura-cli config: optional [server.outer_cert] {cert_path, key_path}.
  Both fields together (or neither); resolve() reads PEMs and returns
  (cert, key) tuple. Absent section -> falls back to reusing the Aura
  server cert (v2 behavior, fully back-compat).
- aura-transport: additive MultiServer::bind_with_outer and
  TcpServer::bind_with_outer that accept an optional separate outer cert.
  Old MultiServer::bind / TcpServer::bind preserved as thin wrappers
  (back-compat: existing callers untouched). AuraServer::bind already
  took outer cert separately.
- UDP transport doesn't have outer TLS, so outer cert is irrelevant
  there — only QUIC + TCP layers benefit.
- 4 new tests (parsing, back-compat, partial-section validation, two-CA
  loopback verifying inner peer_id is the inner CN). Workspace: 257 tests
  passed (+4), clippy -D warnings clean, fmt clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-27 19:35:22 +03:00
xah30 fe618b839d feat(cli): v3.1 multi-hop runtime — circuit client + relay rendezvous 
Completes v3.1 multi-hop / onion routing (2 hops: client → entry-relay →
exit-server). Combined with the scaffold commit (6c14c0d), the property
holds: entry-relay knows the client IP + client_id but cannot decrypt the
data; exit knows the destination but sees the relay's IP as source.

- aura-cli::circuit: dial_circuit(&[entry, exit], proto_cfg, udp_opts) →
  CircuitConnection. Connects to entry as a normal UdpClient, sends an
  ExtendBridge control envelope, awaits CircuitReady, then runs a SECOND
  Aura handshake to the exit through a local loopback UDP proxy — the
  forwarder ferries datagrams between that proxy socket and the outer
  relay PacketConnection. The inner handshake therefore authenticates the
  EXIT cert (verified by the integration test asserting
  circuit.peer_id() == "localhost-exit"); the relay never sees the inner
  session keys.
- aura-cli::relay: rendezvous(conn, whitelist) -> Bridged{bridge} |
  Fallback{first_pkt} | Refused. 2-second window after handshake to receive
  ExtendBridge. Whitelist enforced; CircuitFailed on miss. Empty whitelist
  logs a warning and runs open. Timeout / non-control → Fallback so the
  same server can be both relay (for circuit clients) and exit (for direct
  clients) simultaneously.
- aura-cli::client: when [client.circuit] enabled → dial_circuit; falls
  back to normal aura_transport::dial when disabled.
- aura-cli::server: relay rendezvous wired before pool/CRL/router path.
  run_bridge spawns two forwarder tasks (conn↔bridge UDP socket).
- 3 integration tests: end-to-end (with peer_id assertion), whitelist
  rejection, back-compat (relay disabled → Err). 3 unit tests in relay.rs.

Workspace: 253 tests passed (247 baseline + 6 new), clippy -D warnings clean,
fmt clean. No new workspace deps. All 28 tracked tasks (v1 + v2 + v3.1) now
complete.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-27 13:16:07 +03:00
xah30 6c14c0d103 feat(proto,cli): v3.1 multi-hop scaffold — control kinds + config sections 
Foundation for v3.1 onion routing (client → entry-relay → exit-server).
The relay/circuit runtime is implemented in a follow-up commit; this
scaffold lands the wire-level control extensions and the config schema:

- aura-proto: ControlKind gains ExtendBridge (client→relay), CircuitReady
  (relay→client), CircuitFailed (relay→client, with utf-8 reason); helpers
  encode_extend_bridge / decode_extend_bridge (1-byte family + 4/16 addr
  bytes + u16 port). Integration test in tests/control_extend.rs covers
  IPv4/IPv6 roundtrip + full magic-envelope wrap.
- aura-cli config: [server.relay] {enabled, allow_extend_to} +
  [client.circuit] {enabled, hops} sections; relay_whitelist() helper
  parses IP:port literals. All new fields serde-default, back-compat.
- crl_push.rs touched only to leave the new ControlKinds passing through
  the existing magic-envelope dispatcher unchanged.

Workspace: 247 tests passed (+12), clippy/fmt clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-27 12:54:12 +03:00
xah30 b98752b3eb docs(deployment): v2 complete - in-band CRL + anti-surveillance + automation 
deployment.md §6 updated:
- Moved CRL from "remaining" to "resolved" (now in-band via signed
  control-envelope with magic prefix).
- Added bullets for the new v2 features: port-knocking + cover traffic
  (anti-surveillance), `aura server-init` / `aura provision-client`
  (automation), `no_logs` field redaction, `bridges` list.
- Remaining honest limits trimmed to genuine v3 work: native Go phone
  client (sing-box, explicitly excluded by user) and multi-hop routing.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-27 12:36:00 +03:00
xah30 35d94dee33 feat(proto,pki,cli): in-band CRL push (closes last v2 limitation) 
Server now pushes its signed CRL to each connecting client right after the
handshake; the client verifies the signature against the CA and applies the
revocation list to its verifier (and caches it on disk for restarts).
Removes the v1 "CRL distributed out-of-band" honest limitation.

Wire (multiplexed over existing PacketConnection, no trait change):
control envelope = MAGIC[4]=[0xAA,0xAA,0xC0,0x01] || kind(u8) || u32_be(len)
  || payload. IPv4/IPv6 start with 0x4X/0x6X, so 0xAA cannot collide; an old
peer just drops it as a junk packet in the TUN — back-compat preserved.

- aura-proto: ControlKind { CrlPush, CrlAck, Unknown }, encode/decode_control_
  envelope, CONTROL_ENVELOPE_MAGIC; 7 frame tests.
- aura-pki: CrlStore::{encode_signed, save_signed, decode_signed_verified,
  load_signed_verified} — ECDSA-P256/SHA-256 from the CA private key against
  a textual "CRL-Aura-v1" body + --SIGNATURE--; 7 signing tests. ring 0.17
  added crate-local (already in lockfile via rustls-webpki).
- aura-cli: crl_push module — server pushes via conn.send_packet on accept;
  client wraps the Arc<dyn PacketConnection> in AcceptPushedCrlConn which
  sniffs the magic in recv_packet, verifies the signature, updates the
  AuraCertVerifier, caches to disk. PkiSection gets ca_key, crl_push (default
  true), accept_pushed_crl (default true).
- 5 in_band_crl integration tests via mock PacketConnection.

Workspace: 235 tests passed (+28), clippy -D warnings clean, fmt clean. v2
COMPLETE — all 9 honest v1 limitations resolved (except sing-box, per user).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-27 12:35:16 +03:00
xah30 8f0cf1f017 feat(cli): automation bundle + identity-minimization features 
Reduces manual setup steps and trims user-identifying data exposed by the
server/client, in the spirit of the deployment story: an operator on the
wire sees less, and the admin types fewer commands.

New CLI subcommands:
- `aura server-init`: one shot — pki init + issue-server + writes a ready
  server.toml with auto-detected egress iface; flags --enable-knock,
  --enable-cover-traffic, --no-nat, --run-as toggle the new transport
  defenses and privilege drop.
- `aura provision-client`: issues a client cert and assembles the full
  bundle (ca.crt + client.crt + client.key + client.toml in one directory)
  ready to hand over to the client device. --id is optional (defaults to
  a fresh UUIDv4, so client identities don't have to encode anything real).

Identity / log minimization:
- `aura pki issue-client --id` is now optional — UUIDv4 by default.
- `[server]/[client] no_logs = true` filters peer_id, client_ip,
  source_addr, client_id, local_ip, user, id, assigned_ip, peer field
  values through a custom tracing FormatFields layer (events still fire
  but the identifying fields are redacted before being written).
- `[client] bridges = [...]`: secondary server addresses; build_dial_targets
  shuffles them after the primary, so blocking one IP doesn't kill the
  client.
- Auto-detect egress iface in [server.nat] (via detect_default_egress_iface);
  egress_iface in config becomes optional with graceful fallback.

Config examples updated; backward-compatible (all new sections optional with
serde defaults). Workspace: 207 tests passed (+22), clippy -D warnings clean,
fmt clean. No new workspace deps.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-27 12:14:57 +03:00
xah30 7d711d8938 feat(transport): anti-surveillance - UDP port-knocking + cover traffic 
Two opt-in (default off) features directly targeting the kind of operator
dragnet described in the news context — make the server harder to identify
on a scan, and the traffic harder to fingerprint by volume/timing analysis.

1) Port-knocking (probe resistance, UDP)
   - Wire: every HS datagram (0x01) is prefixed with a 16-byte HMAC token
     when UdpOpts.knock_required is on:
       knock = HMAC-SHA256(knock_key, u64_be(unix_minute))[..16]
   - Server-side: validates against {now-1, now, now+1} minutes (3-minute
     window for clock skew, constant-time compare). Invalid -> silent drop;
     the port looks closed to scanners.
   - knock_key comes from the CLI (derived from CA fingerprint at the
     deployment layer); transport just consumes it.
   - DATA datagrams unchanged (AEAD already proves legitimacy past hs).

2) Cover traffic (chaff, UDP)
   - Optional background task per UdpConnection: every random delay
     (mean_interval_ms +/- jitter, default 500ms +/- 50%) sends a
     Frame::Ping{seq=random} when no Data was sent in the recent window
     (idle-skip => zero overhead under load). RAII-aborted on Drop.
   - Receiver answers Ping with Pong (existing logic); both are consumed
     internally by recv_packet, invisible to the app.

API: UdpOpts gains knock_required/knock_key/cover_traffic_enabled/
cover_mean_interval_ms/cover_jitter (all defaults preserve v2 behavior).
Helpers exported: knock_for_minute, KNOCK_LEN.

Local deps: hmac 0.12 + sha2 0.10 (already in workspace lockfile, no new
resolution). Workspace: 185 tests passed (+11), clippy -D warnings clean,
fmt clean. 174 baseline tests unchanged.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-27 11:50:16 +03:00
44 changed files with 9172 additions and 153 deletions
Expand all files Collapse all files
Cargo.lock
Generated
+3
View File
@@ -235,6 +235,7 @@ version = "0.1.0"
dependencies = [
"anyhow",
"rcgen",
"ring",
"rustls",
"rustls-pki-types",
"rustls-webpki",
@@ -276,11 +277,13 @@ dependencies = [
"aura-pki",
"aura-proto",
"bytes",
"hmac",
"quinn",
"rand 0.8.6",
"rustls",
"rustls-pemfile",
"rustls-pki-types",
"sha2",
"thiserror 1.0.69",
"tokio",
"tokio-rustls",
README.md
+711 -9
View File
@@ -22,15 +22,717 @@ HTTPS-размеров.
| `aura-tunnel` | TUN, маршрутизатор, split-tunnel (CIDR + домены), DNS-резолв в host-маршруты |
| `aura-cli` | Бинарь `aura`: `pki`, `server`, `client`, `route`, `status`, `bench-crypto` |
## Быстрый старт
## Сопутствующая документация
Подъём сервера на удалённой машине и подключение клиента описаны в
[`docs/deployment.md`](docs/deployment.md). Это основная точка входа для развёртывания.
- [docs/protocol.md](docs/protocol.md) — wire-протокол: рукопожатие, кадры, выбор транспорта
- [docs/pki.md](docs/pki.md) — модель PKI, команды `aura pki`, верификация и CRL
- [docs/split-tunnel.md](docs/split-tunnel.md) — split-tunnel, статика и admin-сокет на лету
- [docs/sing-box.md](docs/sing-box.md) — план интеграции с sing-box (для мобильных клиентов)
- [docs/deployment.md](docs/deployment.md) — копия инструкции по развёртыванию (та же, что ниже в README)
## Документация
## Состояние
- [`docs/deployment.md`](docs/deployment.md) — руководство по развёртыванию (сервер + клиент)
- [`docs/protocol.md`](docs/protocol.md) — wire-протокол: рукопожатие, кадры, выбор транспорта
- [`docs/pki.md`](docs/pki.md) — модель PKI, команды `aura pki`, верификация и CRL
- [`docs/split-tunnel.md`](docs/split-tunnel.md) — split-tunnel, статика и admin-сокет на лету
- [`docs/sing-box.md`](docs/sing-box.md) — план интеграции с sing-box (для мобильных клиентов)
`cargo test --workspace` → 284 passed, 0 failed. `cargo clippy --workspace --all-targets -- -D warnings` чисто. `cargo fmt --all -- --check` чисто.
---
# Инструкция по развёртыванию
Этот README — пошаговое руководство, по которому вы поднимаете сервер Aura на удалённой машине,
провижините на нём сертификат для клиента и подключаете клиент (десктоп) к этому серверу. Все
команды и поля конфигов взяты из фактического кода и поставляемых примеров в `config/`.
---
## 1. Обзор схемы
Сервер Aura на удалённой машине провижинит сертификат для клиента (десктопа или, в будущем,
телефона через sing-box), отдаёт клиенту бандл сертификатов и трастового якоря, и клиент
подключается к серверу по протоколу AuraVPN.
На проводе по умолчанию используется **собственный UDP-транспорт Aura с пост-квантовой
криптографией** (без QUIC и без внешнего TLS на основном пути); fallback'и — это TCP/443 и QUIC.
Всё рукопожатие пост-квантовое: **гибридное X25519 + ML-KEM-768** с взаимной X.509-аутентификацией.
Для данных используется AEAD **ChaCha20-Poly1305** с explicit-nonce. Обфускация — это паддинг
датаграмм до «корзин» размера, характерных для HTTPS.
```
[клиент-десктоп] [удалённый сервер aura]
client.toml + PEM-бандл server.toml + PKI (CA + server leaf)
| |
| UDP (основной) / TCP/443 / QUIC |
| гибридное PQ-рукопожатие |
| ChaCha20-Poly1305 |
+--------------------------------------->
AuraVPN
```
---
## 2. Сервер (удалённый хост)
### 2.1. Установка бинаря
В корне репозитория:
```bash
cargo build --release
# -> target/release/aura
```
Скопируйте получившийся бинарь `target/release/aura` на сервер (например в `/usr/local/bin/aura`)
либо соберите его прямо на сервере (требуется Rust toolchain).
### 2.2. Поднять PKI
Эти три команды создают CA и выпускают листовые сертификаты для сервера и клиента. Все они
проверены против реализации в `crates/aura-pki/src/{ca,cert,store}.rs` и
`crates/aura-cli/src/pki.rs`.
```bash
# 1) Создать CA Aura.
aura pki init --ca-name "Aura Root CA" --out /etc/aura/pki
# -> /etc/aura/pki/ca.crt
# -> /etc/aura/pki/ca.key # секрет, защищайте правами файловой системы
# 2) Выпустить сертификат сервера. --domain должен совпадать с тем именем,
# которое клиент будет ожидать в [client] sni (это же имя проверяется по SAN).
aura pki issue-server \
--domain vpn.example.com \
--out /etc/aura/pki/server \
--ca /etc/aura/pki
# -> /etc/aura/pki/server/server.crt
# -> /etc/aura/pki/server/server.key # секрет
# 3) Выпустить сертификат клиента (по одному на устройство).
# --id становится Common Name'ом и проверенным peer_id, который видит сервер.
aura pki issue-client \
--id phone-1 \
--out /etc/aura/clients/phone-1 \
--ca /etc/aura/pki
# -> /etc/aura/clients/phone-1/client.crt
# -> /etc/aura/clients/phone-1/client.key # секрет
```
Подробности (включая `aura pki revoke` / `list`) — см. [docs/pki.md](docs/pki.md).
> **Совет (v2 автоматизация):** есть однокомандный вариант:
> `aura server-init --domain vpn.example.com --pki-dir /etc/aura/pki --out-config /etc/aura/server.toml --enable-knock --enable-cover-traffic`
> — это сразу делает CA + серверный cert + готовый `server.toml`. Полезно для свежей машины.
### 2.3. `server.toml`
Раскладка ниже взята из `config/server.toml.example` и поставляемых serde-структур
(`crates/aura-cli/src/config.rs`). Скопируйте пример и поправьте под себя.
```toml
[server]
# Человекочитаемое имя (также внутренняя identity сервера в рукопожатии).
name = "aura-edge-1"
# UDP/TCP listen-сокет. ":443" мимикрирует под HTTPS; для его биндинга нужны привилегии.
# IP отсюда переиспользуется как listen-IP для каждого включённого транспорта.
listen = "0.0.0.0:443"
# Число accept-воркеров (в v1 носит совещательный характер).
workers = 4
[pki]
# Trust anchor (Aura CA) и листовая пара сервера, все PEM.
ca_cert = "/etc/aura/pki/ca.crt"
cert = "/etc/aura/pki/server/server.crt"
key = "/etc/aura/pki/server/server.key"
[tunnel]
# Адресный пул для клиентов; v2 сервер выдаёт IP из этого пула per-client.
pool_cidr = "10.7.0.0/24"
# MTU TUN-устройства (запас под QUIC + framing Aura).
mtu = 1420
# DNS, анонсируемый клиентам (в v1 информационно).
dns = "10.7.0.1"
[mimicry]
# Hostname, под который мимикрирует внешний TLS-слой (для QUIC).
sni = "cdn.example.com"
# Паддинг для размытия размеров пакетов под «корзины» HTTPS.
padding = true
[transport]
# Набор и порядок транспортов, биндящихся одновременно. UDP — основной; TCP/443 и
# QUIC (мимикрия H3) — fallback'и. При отсутствии всей секции включаются udp/tcp/quic
# на 443/443/444.
order = ["udp", "tcp", "quic"]
# UDP-транспорт и QUIC оба используют UDP, поэтому udp_port и quic_port ДОЛЖНЫ
# различаться. TCP может занимать тот же номер порта (другой протокол).
udp_port = 443
tcp_port = 443
quic_port = 444
# UDP: дополнять датаграммы до «корзин» размера HTTPS, чтобы размыть распределение размеров.
obfuscate = true
[transport.masks]
# v2: ежедневная ротация SNI/UA/Server-header/padding-профиля в 05:00 МСК. Обе стороны
# выводят MaskSet детерминированно из CA fingerprint + UTC-даты.
enabled = true
# default | russian | mixed — выбор палитры SNI:
# default: глобальные CDN-домены (cloudflare, akamai, ...);
# russian: крупные российские (vk.com, mail.yandex.ru, ozon.ru, ...);
# mixed: ~50/50 random-pick по дням.
palette = "default"
[transport.knock]
# v2: probe resistance. Сервер молчит на скан-зондах; отвечает только на валидный
# 16-байтный HMAC-стук, ключ выводится из CA fingerprint. ±1-минутное окно для clock skew.
enabled = true
[transport.cover]
# v2: cover traffic. При простое отправляет Ping каждые ~500мс±50% — поток выглядит
# постоянным. Под нагрузкой подавляется автоматически (idle-only).
enabled = true
[server.nat]
# v2: авто-настройка IP-форвардинга и MASQUERADE на старте; откат при остановке.
auto = true
egress_iface = "eth0" # опционально — autodetect через `ip route show default`
# dry_run = true # для отладки: логировать команды без выполнения
[server.pool]
# v2: IP-пул для VPN-клиентов. cidr может совпадать с [tunnel] pool_cidr.
cidr = "10.7.0.0/24"
strategy = "static_or_dynamic" # static_only | dynamic_only | static_or_dynamic
[server.pool.static]
# Опциональные привязки по client_id (CN из сертификата).
# "phone-1" = "10.7.0.20"
# "laptop-1" = "10.7.0.21"
# Опционально v3: настоящий outer-TLS сертификат (Let's Encrypt) поверх QUIC/TCP.
# Без него работает self-signed Aura cert; с LE outer-TLS неотличим от обычного HTTPS.
# [server.outer_cert]
# cert_path = "/etc/letsencrypt/live/vpn.example.com/fullchain.pem"
# key_path = "/etc/letsencrypt/live/vpn.example.com/privkey.pem"
# Опционально v2: privilege drop после поднятия TUN.
# run_as = "nobody"
```
Пути могут начинаться с `~` (раскрывается в домашнюю директорию).
### 2.4. Сеть на сервере
#### Файрвол
Откройте те порты, которые перечислены у вас в `[transport]`. С приведённой выше конфигурацией:
- UDP **443** — основной транспорт Aura.
- TCP **443** — fallback Aura поверх TCP.
- UDP **444** — fallback Aura поверх QUIC.
Важно: UDP-транспорт и QUIC — это **оба UDP**, поэтому их порты обязательно должны различаться
(в примере: udp_port=443, quic_port=444). Конфиг-валидатор `transport.modes()` отвергает совпадение.
#### IP-форвардинг и NAT
В v2 это делает `[server.nat] auto = true` (см. конфиг выше). Если хотите по-старому вручную:
```bash
# 1) Включить IP-форвардинг.
sudo sysctl -w net.ipv4.ip_forward=1
# (для постоянства добавьте в /etc/sysctl.conf или /etc/sysctl.d/*)
# 2) MASQUERADE для исходящего трафика клиентов на интернет-интерфейсе (например eth0).
sudo iptables -t nat -A POSTROUTING \
-s 10.7.0.0/24 \
-o eth0 \
-j MASQUERADE
```
Подставьте свой `pool_cidr` и имя интернет-интерфейса.
### 2.5. Запуск сервера
```bash
sudo aura server --config /etc/aura/server.toml
```
`sudo` нужен для создания TUN-устройства и для биндинга привилегированных портов (`:443`). С
`[server] run_as = "nobody"` процесс сбросит привилегии после старта (TUN остаётся живым).
Можно опционально указать путь admin-сокета:
```bash
sudo aura server \
--config /etc/aura/server.toml \
--admin-socket /var/run/aura-admin.sock
```
По умолчанию admin-сокет — `/tmp/aura-admin.sock`.
---
## 3. Что вы получаете для клиента (бандл)
Отдайте клиенту **три PEM-файла**:
- `ca.crt` (из `/etc/aura/pki/ca.crt`) — trust anchor;
- `client.crt` (из `/etc/aura/clients/<id>/client.crt`) — листовой сертификат клиента;
- `client.key` (из `/etc/aura/clients/<id>/client.key`) — **секрет**, приватный ключ клиента.
И сообщите ему два параметра:
- **Адрес сервера** (например `203.0.113.10`).
- **`sni`** — то DNS-имя, которое вы указали в `aura pki issue-server --domain`. Оно же
ожидается в SAN серверного сертификата и проверяется в `verify_server_cert`.
Эти три файла плюс два параметра — это всё, что нужно клиенту для подключения.
> **Совет (v2 автоматизация):** `aura provision-client --id phone-1 --out ./phone-1-bundle` —
> одна команда, которая выпускает клиентский сертификат и собирает готовый бандл (ca + cert + key
> + готовый client.toml) для передачи на устройство. `--id` опционален: без него генерируется
> UUID v4, и имя пользователя не привязано к сертификату.
---
## 4. Клиент (десктоп)
Путь для телефона — через sing-box; пока нативного клиента нет, см. [docs/sing-box.md](docs/sing-box.md).
### 4.1. `client.toml`
Раскладка взята из `config/client.toml.example` и `crates/aura-cli/src/config.rs`.
```toml
[client]
# Человекочитаемое имя/id клиента.
name = "laptop"
# UDP-сокет сервера. IP отсюда переиспользуется как server-IP для каждого транспорта.
server_addr = "203.0.113.10:443"
# Внешний TLS-SNI (hostname-камуфляж), предъявляемый серверу. Он же проверяется
# внутри рукопожатия Aura против SAN серверного сертификата.
sni = "cdn.example.com"
# Опционально v2: запасные серверы; клиент пробует случайным порядком.
# bridges = ["203.0.113.11", "203.0.113.12"]
# Опционально v2: фильтр чувствительных полей из tracing-логов (peer_id, client_ip, ...).
# no_logs = false
[pki]
# Trust anchor (Aura CA) и листовая пара клиента, все PEM.
ca_cert = "~/.aura/ca.crt"
cert = "~/.aura/client.crt"
key = "~/.aura/client.key"
[tunnel]
# Запрошенное имя TUN-интерфейса (на macOS совещательно — ядро назначает utunN).
tun_name = "aura0"
# Локальный адрес для TUN и длина префикса.
local_ip = "10.7.0.2"
prefix = 24
# MTU TUN.
mtu = 1420
# DNS, используемый туннельным резолвером (в v1 информационно; реально используется
# системный резолвер).
dns = "10.7.0.1"
# Split-tunnel: действие по умолчанию плюс точечные правила.
[tunnel.split]
default = "VPN"
[[tunnel.split.direct]]
cidr = "192.168.0.0/16"
[[tunnel.split.direct]]
cidr = "10.0.0.0/8"
[[tunnel.split.direct]]
domain = "intranet.example.com"
# Более узкий префикс возвращает поддиапазон обратно в VPN (longest-prefix бьёт /8).
[[tunnel.split.vpn]]
cidr = "10.7.0.0/24"
[tunnel.os_routes]
# v2: ОС-уровень split-tunnel: программируем системную таблицу маршрутов так, что
# DIRECT-трафик идёт мимо TUN через default-gateway, а через TUN попадает только VPN.
# КРИТИЧНО для случая «весь трафик через VPN» (kill-switch).
enabled = true
[mimicry]
padding = false
[transport]
# Порядок fallback'а (handover), пробуется слева направо: первый удавшийся побеждает.
# При отсутствии всей секции — ["udp","tcp","quic"] на 443/443/444.
order = ["udp", "tcp", "quic"]
udp_port = 443
tcp_port = 443
quic_port = 444
obfuscate = true
[transport.masks]
enabled = true
palette = "default" # должна совпадать с server.toml
[transport.knock]
enabled = true # если включено на сервере
[transport.cover]
enabled = true # если включено на сервере
```
Подробности про `[tunnel.split]` — в [docs/split-tunnel.md](docs/split-tunnel.md).
### 4.2. Запуск клиента
```bash
sudo aura client --config client.toml
```
`sudo` нужен для поднятия TUN-устройства. Клиент:
1. Загружает PEM-файлы из `[pki]` и строит `aura_proto::ClientConfig`.
2. Строит таблицу маршрутизации из `[tunnel.split]`.
3. Дозванивается до сервера, перебирая транспорты в `[transport] order`
(handover UDP → TCP → QUIC); первый, который удался, побеждает.
4. Разрезолвит доменные правила split-tunnel'а в host-маршруты (best-effort).
5. Создаёт TUN, программирует ОС-маршруты (если `[tunnel.os_routes] enabled = true`),
передаёт TUN маршрутизатору и начинает гонять трафик.
В логе при успехе вы увидите строку с выбранным транспортом:
```
INFO connected and authenticated to server peer=Some("cdn.example.com") mode=udp
```
`mode` принимает значения `udp`, `tcp` или `quic`.
### 4.3. Управление на лету
После запуска клиента (или сервера) admin-сокет позволяет менять правила и смотреть статус без
перезапуска:
```bash
# Добавить CIDR на лету.
aura route add --cidr 8.8.8.0/24 --action direct
# Завернуть домен через VPN.
aura route add --domain example.com --action vpn
# Перечислить правила.
aura route list
# Удалить CIDR-правило.
aura route remove --cidr 8.8.8.0/24
# Статус и счётчики.
aura status
# Aura tunnel status
# peer: cdn.example.com
# default: vpn
# rules: 2
# rx packets: 0
# tx packets: 0
```
Если сокет лежит не там, добавьте `--admin-socket <PATH>` к каждой команде. Полная спецификация
команд и wire-протокола admin'а — в [docs/split-tunnel.md](docs/split-tunnel.md).
---
## 5. Что идёт по проводу (резюме)
- **Основной**: собственный UDP-транспорт Aura (в примере — `443/udp`). Один UDP-сокет несёт
обе фазы, различимые по первому байту:
- `0x01` HS — рукопожатие с надёжным DTLS-подобным слоем поверх (повторы, ack, упорядочивание);
- `0x02` DATA — датаграммы данных с explicit-nonce AEAD; обфускация = паддинг до «корзин»
HTTPS (`[64, 128, 256, 512, 1024, 1280, 1460]`).
- **Fallback TCP/443**: настоящий **outer TLS-443** (rustls) поверх TCP — на проводе неотличимо
от валидного HTTPS, ALPN `[h2, http/1.1]`. Внутри TLS — тот же Aura-handshake. Клиент
использует `AcceptAnyServerCert` (security гарантирует только внутренний Aura-handshake).
- **Fallback QUIC**: внешний TLS-камуфляж под HTTP/3 + внутреннее Aura-рукопожатие.
- Клиент пробует транспорты по `order`, переключается при отказе или таймауте подключения
(по умолчанию 8 с). Сервер слушает все включённые транспорты одновременно (`MultiServer`).
Подробный wire-протокол — в [docs/protocol.md](docs/protocol.md).
---
## 6. v2/v3 — что реализовано и что остаётся
### Сделано в v2
- **Мульти-клиент UDP-сервер** (демультиплексор по адресу пира; один сокет — много пиров).
- **IP-пул + per-client маршрутизация** на сервере (`[server.pool]`).
- **ОС-уровень split-tunnel** (`[tunnel.os_routes]`) — устранил `send_direct` заглушку.
- **Настоящий TLS-443** в TCP-транспорте (rustls outer + AcceptAnyServerCert).
- **Авто-NAT** на сервере (`[server.nat] auto = true`).
- **Privilege drop** (`run_as = "nobody"`).
- **Admin-сокет на Windows** (named pipe).
- **In-band CRL** (сервер пушит подписанный CRL клиенту по handshake'у).
- **Ежедневная ротация масок в 05:00 МСК** (`[transport.masks]`).
- **Port-knocking** (`[transport.knock]`) — сервер молчит на скан-зондах.
- **Cover traffic / chaff** (`[transport.cover]`).
- **`aura server-init`** и **`aura provision-client`** — однокомандный bootstrap и провижин.
- **`--id` опционален**: UUID v4 default.
- **`no_logs`** — field-level редактирование идентификаторов из tracing.
- **`bridges`** — список запасных IP-серверов.
### Сделано в v3
- **Let's Encrypt outer-cert** (`[server.outer_cert]`) — outer-TLS неотличим от обычного HTTPS.
- **Multi-hop / onion routing v3.1/v3.2** — цепочка из 2-3 хопов с разными сертами на каждом
(identity unlinkability), cell padding (constant-size cells), CIDR whitelist на relay.
- **`palette = "russian"`** — outer SNI ротируется среди крупных российских доменов (см. §7).
### Остающиеся честные ограничения
- TUN всё ещё требует root для **создания** интерфейса (privilege drop минимизирует окно, но саму
операцию обойти нельзя).
- IPv6 в OS-маршрутах и iptables MASQUERADE не реализован (план v3.3).
- Windows OS-маршруты — заглушка (план v3.3). Windows admin pipe работает.
- Нативного Go-клиента для телефона нет — через sing-box (см. [docs/sing-box.md](docs/sing-box.md)).
- Bridge-discovery без хардкода IP — план v3.3.
---
## 7. Сценарий: российский entry-узел против тарификации иностранного трафика
### 7.1. Контекст и угроза
Российские операторы связи могут начать тарифицировать «иностранный трафик» отдельно: классификация
выполняется по destination IP исходящего пакета пользователя. Если первый IP, к которому
обращается устройство, — российский, биллинг считает соединение «российским», даже если внутри
этого соединения трафик уходит дальше за рубеж. Цель — добиться того, чтобы оператор биллил трафик
пользователя как «российский», при этом сохраняя VPN-выход за рубежом.
Решение опирается на три компонента, уже реализованные в AuraVPN:
1. **Multi-hop / onion routing v3.1+** (`[client.circuit]` / `[server.relay]`) — entry-узел в РФ
не знает destination, exit-узел за рубежом не знает клиентский IP.
2. **Палитра SNI «russian»** (v3.2) — `[transport.masks] palette = "russian"` ротирует outer-TLS
SNI среди крупных российских доменов (`vk.com`, `www.ozon.ru`, `mail.yandex.ru`, ...).
3. **OS-уровень kill-switch** (`[tunnel.os_routes] enabled = true`) — гарантия, что системный
трафик (push-уведомления, OS-сервисы) не обходит туннель и не попадает напрямую к иностранным
серверам в обход entry-узла.
### 7.2. Топология
```
[устройство]
|
| весь трафик через TUN (kill-switch)
v
[оператор] <-- видит только UDP/443 на RU_VPS_IP, SNI = "vk.com"
|
v
[Russian VPS / entry-relay] <-- v3.1 relay: forward to next hop, never decodes IP packets
|
| inner Aura handshake (PQ-encrypted, opaque)
v
[Foreign VPS / exit] <-- настоящий VPN-выход в интернет
|
v
[internet]
```
Оператор видит только трафик до **entry-узла**: один UDP-поток с SNI крупного российского сайта.
Внутри этого потока — зашифрованный многохоп; entry-relay не имеет ключей внутреннего рукопожатия
и видит только AEAD-ciphertext, который он форвардит на exit. Exit видит только IP entry-узла, а
не IP клиентского устройства.
### 7.3. Что покупать
**Подходящие провайдеры для entry-узла в РФ** (юрисдикция РФ, IP в российских AS):
- **Selectel** (Москва, СПб).
- **Beget** (СПб).
- **Yandex.Cloud** (Москва).
- **VK Cloud** (бывш. Mail.ru Cloud Solutions).
- **Timeweb Cloud**.
**Неподходящие для роли entry-узла в РФ**:
- **Hetzner** (Германия/Финляндия) — IP классифицируется как «иностранный».
- **DigitalOcean / Vultr / Linode** (США/EU) — то же самое.
- **AWS / GCP / Azure** даже с российскими DC-локациями — IP-блоки за пределами российских AS у
большинства операторов.
Для **exit-узла** наоборот — берите любой удобный иностранный VPS (Hetzner, DigitalOcean, Vultr,
любой подходящий по юрисдикции и пропускной способности).
### 7.4. Конфиг сервера в РФ (entry-relay)
`server.toml` на российском VPS (например, Selectel с IP `RUSSIAN_VPS_IP`):
```toml
[server]
name = "aura-ru-entry-1"
listen = "0.0.0.0:443"
[pki]
ca_cert = "/etc/aura/pki/ca.crt"
cert = "/etc/aura/pki/server/server.crt"
key = "/etc/aura/pki/server/server.key"
[tunnel]
# Pool нужен формально (для v1-fallback-пути), но в роли чистого relay он не используется —
# bridged-клиенты не получают IP из пула и не регистрируются в ServerRouter.
pool_cidr = "10.7.0.0/24"
mtu = 1420
# v3.1: relay-режим. Принимаем ExtendBridge от клиента и сплайсим на foreign exit.
[server.relay]
enabled = true
allow_extend_to = ["EXIT_FOREIGN_IP:443"] # IP вашего иностранного exit-узла
# v3.2 cell padding: relay сам не декодирует — это сквозной байт-форвардинг. Знаки опции тут
# для симметрии конфига; реальный декод цельных ячеек — на exit'е.
cell_padding = true
cell_size = 1280
[transport.masks]
enabled = true
# v3.2: outer-TLS SNI крутится среди крупных российских доменов. Каждый день — другой домен.
palette = "russian"
# Опционально: настоящий outer-TLS сертификат (Let's Encrypt) поверх UDP/QUIC и TCP. Без него
# работает self-signed Aura, но с настоящим LE-сертификатом outer-handshake становится
# неотличим от обычного HTTPS на CA-trusted сайт.
[server.outer_cert]
cert_path = "/etc/letsencrypt/live/relay.example.ru/fullchain.pem"
key_path = "/etc/letsencrypt/live/relay.example.ru/privkey.pem"
```
И аналогичный `server.toml` на **иностранном exit-узле** — обычный VPN-сервер БЕЗ `[server.relay]`,
но с `cell_padding_for_circuit_clients = true` в секции `[server]`, чтобы он понимал
constant-size cells от клиента:
```toml
[server]
name = "aura-exit-1"
listen = "0.0.0.0:443"
# v3.2: exit для cell-padded клиентов — декодирует ячейки внутреннего рукопожатия.
cell_padding_for_circuit_clients = true
[pki]
ca_cert = "/etc/aura/pki/ca.crt"
cert = "/etc/aura/pki/server/exit.crt"
key = "/etc/aura/pki/server/exit.key"
[tunnel]
pool_cidr = "10.7.0.0/24"
[server.nat]
auto = true # включить IP-форвардинг и MASQUERADE на egress-интерфейсе
egress_iface = "eth0"
[transport.masks]
# На exit'е SNI палитра не критична (клиент видит exit только через relay) — оставим default.
palette = "default"
```
### 7.5. Конфиг клиента
```toml
[client]
name = "laptop"
server_addr = "RUSSIAN_VPS_IP:443" # entry-узел в РФ; именно этот IP видит оператор
sni = "relay.example.ru" # SAN серверного outer-TLS сертификата (если есть LE)
[pki]
ca_cert = "~/.aura/ca.crt"
cert = "~/.aura/client.crt"
key = "~/.aura/client.key"
[tunnel]
tun_name = "aura0"
local_ip = "10.7.0.2"
prefix = 24
mtu = 1420
[tunnel.split]
default = "VPN"
# КРИТИЧНО: kill-switch — весь трафик через TUN, OS-уровень. Без этого push-уведомления и
# OS-сервисы могут уйти напрямую в иностранные сервера в обход entry-узла, и оператор
# зачтёт это как «иностранный» трафик.
[tunnel.os_routes]
enabled = true
# v3.1 / v3.2: цепочка хопов client -> RU_entry -> foreign_exit.
[client.circuit]
enabled = true
cell_padding = true
cell_size = 1280
[[client.circuit.hops]]
addr = "RUSSIAN_VPS_IP:443" # entry в РФ — то, что видит оператор
cert_path = "~/.aura/circuit/entry.crt"
key_path = "~/.aura/circuit/entry.key"
[[client.circuit.hops]]
addr = "EXIT_FOREIGN_IP:443" # exit за рубежом, к которому привязаны DNS/маршруты внутри VPN
cert_path = "~/.aura/circuit/exit.crt"
key_path = "~/.aura/circuit/exit.key"
[transport.masks]
enabled = true
# Должно совпадать с palette = "russian" на entry-узле — иначе SNI в логах двух сторон
# не будут симметричны (на проводе это не ошибка, но удобнее для отладки).
palette = "russian"
```
Сертификаты двух хопов — разные (`entry.crt` != `exit.crt`). Это v3.2 identity-unlinkability:
entry-relay видит только клиентский cert для роли entry, exit-узел видит только cert для роли
exit, и они не пересекаются (см. `aura provision-client --circuit-hops 2 ...`).
### 7.6. Что это даёт
- **Оператор биллит как «российский».** На проводе оператор видит один UDP-поток на
`RUSSIAN_VPS_IP:443` — это российский IP в российской AS, классификатор биллинга его не
обозначает как иностранный.
- **SNI выглядит как обращение к российскому сайту.** В пакетах outer-TLS / outer-QUIC
hostname-камуфляж берётся из `SNI_PALETTE_RUSSIAN`: каждый день — другой домен (`vk.com`,
`www.ozon.ru`, `mail.yandex.ru`, ...). DPI видит «нормальный HTTPS на крупный российский
сайт».
- **Реальный VPN-выход — за рубежом.** Внутри multi-hop клиент дозванивается до иностранного
exit-узла; именно его IP видят внешние ресурсы. Entry-узел в РФ форвардит зашифрованный
трафик, не зная destination и не имея ключей внутреннего рукопожатия.
- **Kill-switch предотвращает обход.** `[tunnel.os_routes] enabled = true` программирует
системную таблицу маршрутов так, что весь трафик идёт через TUN — push-уведомления, OS-сервисы
и любые «прямые» обращения в обход VPN заблокированы, поэтому ничто из устройства не уйдёт
напрямую к иностранному IP в обход entry-узла.
### 7.7. Что это НЕ даёт (честное ограничение)
- **Не скрывает сам факт VPN-использования** от российских органов. DPI с deep-inspection может
по статистическим паттернам трафика (timing, размеры, поведение в течение сессии) узнать
Aura-протокол; ротация масок и `palette = "russian"` маскирует пассивного наблюдателя, но не
активного аналитика. Для дополнительной защиты включайте `[transport.knock]` и
`[transport.cover]` (port-knocking + cover traffic).
- **Не освобождает от ответственности за заходы на запрещённые ресурсы.** Кто и за что отвечает
при заходе на запрещённый ресурс через VPN — вопрос юрисдикции exit-узла и применимого
законодательства, не технический.
- **Не защищает от блокировки самого entry-IP.** Если СОРМ-система или Роскомнадзор начнут
активно блокировать конкретные VPS-IP, придётся ротировать IP / bridges. Сейчас это решается
через `[client] bridges = [...]` — список запасных российских entry-узлов; клиент пробует их
в случайном порядке при отказе primary. Полноценный bridge-discovery (без хардкода IP в
конфиге) — план v3.3.
- **Cell padding не скрывает наличие туннеля.** Constant-size cells устраняют per-packet
size-fingerprinting внутри multi-hop, но не делают сам поток неотличимым от HTTPS — общий
объём и временные паттерны остаются. Это компромисс между обфускацией и накладными расходами.
### 7.8. Что менять при ротации
При смене IP entry-узла (например, при блокировке текущего) обновите три места:
1. `[[client.circuit.hops]] addr` первого хопа → новый `RUSSIAN_VPS_IP:443`.
2. `[client] server_addr` → тот же новый IP.
3. На новом VPS — поднять PKI, выпустить cert для entry-роли, перенести `server.toml` с
`[server.relay]` и `palette = "russian"`.
Перевыпускать сертификаты двух хопов не нужно — они остаются те же, меняется только wire-адрес
entry-узла. На сертификате entry-сервера должен быть SAN, совпадающий с `[client] sni`
(см. `aura pki issue-server --domain relay.example.ru`).
---
## Лицензия
MIT.
config/client.toml.example
+71
View File
@@ -15,6 +15,14 @@ sni = "cdn.example.com"
# no-op (use a service account instead). When omitted (or already running as non-root) no
# privilege change happens.
# run_as = "nobody"
# Suppress identifier fields (peer_id, client_ip, source_addr, ...) from log output. The events
# still fire; only the identifying fields are dropped before formatting. Default: false. Set to
# true to keep the local log file from accumulating per-session identifiers.
no_logs = false
# Optional fallback server addresses (IP or IP:port). When the primary `server_addr` cannot be
# reached on any transport, the client retries the bridges in a process-randomised order, using
# the same per-transport ports from [transport]. The bridge `:port` part is parsed but ignored.
# bridges = ["203.0.113.11", "203.0.113.12"]
[pki]
# Trust anchor (the Aura CA) and this client's leaf cert/key, all PEM.
@@ -107,3 +115,66 @@ masquerade = true
# Existing connections keep the mask they connected with. Default: true.
# When `false`, the static values above ([client] sni, [transport] obfuscate, ...) are used as-is.
enabled = true
# v3.2: which SNI palette the daily rotator picks from. Must generally match the server's
# [transport.masks] palette so the daily SNI looks consistent across both sides' logs.
# "default" (back-compat) — global CDN-like names. Use against any foreign-hosted server.
# "russian" — top Russian domains (vk.com / ozon.ru / mail.yandex.ru / ...).
# Use when the entry-relay is a Russian VPS so the outer SNI looks
# like ordinary HTTPS to a domestic site (see docs/deployment.md § 7).
# "mixed" — HKDF flips between Default and Russian per day for variety.
palette = "default"
[transport.knock]
# UDP port-knocking. Must match the server's setting. Default: false.
enabled = false
knock_secret_source = "ca_fingerprint"
[transport.cover]
# Idle-time cover traffic. Must match the server's setting. Default: false.
enabled = false
mean_interval_ms = 500
jitter = 0.5
# v3.1 / v3.2 multi-hop / onion routing: dial through 1 or 2 intermediate hops before reaching
# the exit-server. When `enabled = true`, the client opens an OUTER Aura UDP connection to
# `hops[0]` (the entry-relay), sends one ExtendBridge envelope describing the next hop, waits for
# CircuitReady, then either dials the exit directly (2-hop) or repeats the ExtendBridge dance
# through a middle relay (3-hop). The innermost handshake authenticates the EXIT's cert opaquely
# — every relay sees only the next-hop address and AEAD ciphertext.
#
# v3.2 adds:
# * per-hop client certificates (the entry-relay and the exit see DIFFERENT CNs — they cannot
# link the two handshakes by identity), and
# * cell padding (every packet is padded to a constant `cell_size` bytes before sending — the
# exit MUST also enable `[server] cell_padding_for_circuit_clients = true` to decode), and
# * 3-hop support (just add a third [[client.circuit.hops]] table).
#
# Omitting the section (or `enabled = false`) keeps the v2 single-hop dial path intact.
#
# --- v3.1 FLAT FORM (back-compat) — every hop uses the [pki] cert/key above (NOT unlinkable):
# [client.circuit]
# enabled = true
# hops = ["198.51.100.5:443", "203.0.113.10:443"]
#
# --- v3.2 PER-HOP FORM — each hop has its own cert/key (identity-unlinkable):
# [client.circuit]
# enabled = true
# cell_padding = true
# cell_size = 1280
#
# [[client.circuit.hops]]
# addr = "198.51.100.5:443"
# cert_path = "~/.config/aura/circuit/entry.crt"
# key_path = "~/.config/aura/circuit/entry.key"
#
# [[client.circuit.hops]] # OPTIONAL middle hop for a 3-hop circuit
# addr = "198.51.100.99:443"
# cert_path = "~/.config/aura/circuit/middle.crt"
# key_path = "~/.config/aura/circuit/middle.key"
#
# [[client.circuit.hops]]
# addr = "203.0.113.10:443"
# cert_path = "~/.config/aura/circuit/exit.crt"
# key_path = "~/.config/aura/circuit/exit.key"
#
# Generate per-hop certs in one command: `aura provision-client --circuit-hops 3 ...`
config/server.toml.example
+88
View File
@@ -14,6 +14,11 @@ workers = 4
# uses setgid/setuid; Windows is a no-op (use a service account instead). When omitted (or
# already running as non-root) no privilege change happens.
# run_as = "nobody"
# Suppress identifier fields (peer_id, client_ip, source_addr, ...) from log output. The events
# still fire (so counters and rates are unaffected); only the offending fields are dropped before
# formatting. Default: false. Set to true on production hosts to keep the log file from accumulating
# the per-client identifiers Russian telcos may be compelled to forward on request.
no_logs = false
[pki]
# Trust anchor (the Aura CA) and this server's leaf cert/key, all PEM.
@@ -23,6 +28,21 @@ ca_cert = "~/.aura/ca.crt"
cert = "~/.aura/server.crt"
key = "~/.aura/server.key"
# v3 optional: provide a SEPARATE outer-TLS certificate for the QUIC and TCP transports. When set,
# a passive observer on :443 sees a CA-trusted handshake (e.g. Let's Encrypt) instead of the
# self-signed Aura cert above — which is much harder to fingerprint. The inner Aura mutual-auth
# handshake still uses the [pki] cert/key for client authentication.
#
# Both fields MUST be provided together. When the whole section is omitted (the default) the
# outer-TLS layer reuses the [pki] cert/key — exactly the v2 behaviour.
#
# Typical Let's Encrypt deployment (certbot renews these files in-place automatically; the server
# does NOT automate cert issuance or renewal — it just reads the PEMs at startup):
#
# [server.outer_cert]
# cert_path = "/etc/letsencrypt/live/vpn.example.com/fullchain.pem"
# key_path = "/etc/letsencrypt/live/vpn.example.com/privkey.pem"
[tunnel]
# Address pool / TUN network. v2 reads the active pool config from [server.pool] below; this value
# is kept as the v1-compatible fallback (used when [server.pool] is omitted entirely) and as the
@@ -98,3 +118,71 @@ masquerade = true
# needed. Existing connections keep the mask they accepted with. Default: true.
# When `false`, the static values above ([mimicry] sni, [transport] obfuscate, ...) are used as-is.
enabled = true
# v3.2: which SNI palette the daily rotator picks from.
# "default" (back-compat) — global CDN-like names (cloudflare/akamai/aws). Use on any
# foreign-hosted server. This is the pre-v3.2 default.
# "russian" — top Russian domains (vk.com / ozon.ru / mail.yandex.ru / ...).
# Use on an entry-relay hosted on a Russian VPS for the
# "domestic traffic" deployment (see docs/deployment.md § 7).
# "mixed" — HKDF flips between Default and Russian per day for variety.
# Server and client should generally agree on the palette (logs match; the wire itself does not
# require coordination — every connection's SNI is per-side).
palette = "default"
[transport.knock]
# UDP port-knocking. When `enabled = true`, the UDP transport demands a 16-byte HMAC prefix on
# every HS datagram, derived from `knock_secret_source` (`"ca_fingerprint"` = SHA-256 of the CA
# cert DER). To a passive scanner the listening UDP port looks closed. Default: false.
enabled = false
knock_secret_source = "ca_fingerprint"
[transport.cover]
# Idle-time cover traffic. When `enabled = true`, an established UDP connection periodically
# injects encrypted Ping frames during idle windows so the on-wire byte rate stays roughly
# constant. `mean_interval_ms` controls how often the chaffer wakes up; `jitter` is the
# uniform-random fraction applied (e.g. 0.5 = ±50%). Default: disabled.
enabled = false
mean_interval_ms = 500
jitter = 0.5
# v3.1 multi-hop / onion routing: turn THIS server into an **entry-relay** that can splice an
# inbound client connection to a downstream **exit-server**. Right after the inner Aura
# handshake completes, the relay waits up to 2 seconds for the client to send a single
# ExtendBridge control envelope describing the downstream exit's IP:port. When the address is
# on `allow_extend_to`, the relay opens a `connect()`ed UDP socket to that exit, replies
# CircuitReady, and forwards every byte verbatim — the inner client↔exit handshake travels
# through the relay opaquely, so the relay never sees destination IPs or plaintext bytes.
#
# The connection in that role is NOT registered with the IP pool / [`ServerRouter`]; bridged
# peers do not consume a tunnel address. If no ExtendBridge arrives within 2s the connection
# falls back to the normal VPN-client path (so one server can serve both roles on one port).
# v3.1 only supports the UDP transport for relay hops.
#
# Omitting the whole [server.relay] section (or `enabled = false`) keeps the v2 behaviour intact.
# [server.relay]
# enabled = true
# Whitelist of allowed downstream destinations. v3.2 accepts three entry formats:
# * "IP:port" — exact literal SocketAddr (the v3.1 form).
# * "10.0.0.0/24" — bare CIDR; matches ANY port at any IP in the subnet.
# * "10.0.0.0/24:443" — CIDR with explicit port; matches that port on any IP in the subnet.
# * "[2001:db8::/32]:443" — square-bracket IPv6 CIDR with port.
# * "2001:db8::/32" — bare IPv6 CIDR (any port).
# Unparseable entries are logged at WARN and skipped. An empty list turns this server into an
# OPEN relay accepting any downstream — dangerous; the runtime logs a WARN on each accepted bridge.
# allow_extend_to = [
# "198.51.100.5:443", # the exit you operate (exact)
# "203.0.113.0/24", # a whole /24 of trusted exits (any port)
# "10.0.0.0/16:443", # a /16 of relays on port 443 only
# ]
#
# v3.2 cell padding: opt-in. The relay itself does NOT decode cells — it just forwards bytes.
# These knobs are documented here for symmetry; the actual decode happens on the EXIT (see
# [server] cell_padding_for_circuit_clients below).
# cell_padding = false
# cell_size = 1280
# v3.2 EXIT-side cell padding. When an exit-server serves cell-padded circuit clients (i.e. the
# clients have `[client.circuit] cell_padding = true`), add the following field to the [server]
# block at the top of this file so the inner-handshake session's recv decodes the constant-size
# cells and the send re-pads on the way back. Defaults to `false` for v3.1 compatibility.
# cell_padding_for_circuit_clients = true
crates/aura-cli/Cargo.toml
+3
View File
@@ -31,6 +31,9 @@ tracing.workspace = true
tracing-subscriber.workspace = true
anyhow.workspace = true
uuid.workspace = true
# The v2 client-side CRL-push interceptor implements `PacketConnection` on a wrapper struct;
# the trait uses async-trait in `aura-proto`, so an impl block here needs it too.
async-trait.workspace = true
# Unix-only: nix is used by the privilege-drop helper (`privdrop::drop_to_user`) to look up
# the target user via getpwnam and drop the real/effective/saved uid+gid after binding
crates/aura-cli/src/cells.rs
+273
View File
@@ -0,0 +1,273 @@
//! v3.2: **cell padding** — a constant-size frame wrapper around any [`PacketConnection`].
//!
//! ## Why
//!
//! In v3.1 a packet's on-wire size leaks the *type* of payload (a TCP ack vs an HTTP response vs a
//! video chunk). Even with AEAD encryption a traffic analyst can correlate sizes with applications.
//! v3.2 closes that side-channel by **padding every packet to a fixed cell size** before it is
//! handed to the underlying connection: the analyst sees a uniform stream of equal-size cells with
//! no length information leaking out.
//!
//! ## Wire format
//!
//! Each cell is a `cell_size`-byte buffer:
//!
//! ```text
//! ┌─────────┬──────────────────────┬────────────────────────┐
//! │ len: u16│ payload (len bytes)│ padding (zero bytes) │
//! │ big-end │ │ (or random; AEAD hides)│
//! └─────────┴──────────────────────┴────────────────────────┘
//! 0 2 2 + len cell_size
//! ```
//!
//! Bytes `0..2` are the big-endian payload length. Bytes `2..2+len` hold the real payload (an inner
//! IP packet). The remainder `2+len..cell_size` is zero-filled padding — the underlying AEAD layer
//! (inside the Aura transport) re-encrypts the entire cell so the zeros are indistinguishable from
//! random bytes on the wire.
//!
//! ## Symmetric requirement
//!
//! Both peers MUST agree on `cell_size`. If the sender pads to 1280 but the receiver tries to parse
//! the bytes as a raw packet, parsing will fail (or, worse, succeed silently with garbage). The CLI
//! exposes the `[client.circuit] cell_padding` and `[server] cell_padding_for_circuit_clients`
//! knobs; **enable them together on every hop** in a circuit (entry-relay + exit, or entry +
//! middle + exit).
//!
//! ## Capacity
//!
//! A cell of `cell_size` bytes carries at most `cell_size - 2` bytes of payload (the 2-byte length
//! prefix). Sending a packet larger than that is a hard error — the caller must fragment upstream.
//! With the default `cell_size = 1280`, capacity is 1278 bytes which comfortably fits an IPv4 MTU
//! of 1280 (the Aura TUN default is 1420; operators using cell padding should lower it accordingly).
use std::sync::Arc;
use anyhow::bail;
use async_trait::async_trait;
use aura_proto::PacketConnection;
/// A [`PacketConnection`] wrapper that pads every outgoing packet to a constant `cell_size` and
/// strips the padding on the receive side. Both peers MUST use the same `cell_size` (see the module
/// docs).
pub struct CellPaddingConn {
inner: Arc<dyn PacketConnection>,
cell_size: usize,
}
impl CellPaddingConn {
/// Default cell size: 1280 bytes (the IPv6 minimum MTU). Comfortably fits the common IPv4 MTU
/// and matches a value an HTTPS observer would not find suspicious.
pub const DEFAULT_CELL_SIZE: usize = 1280;
/// Maximum payload bytes carried by a default-sized cell (1280 - 2 = 1278).
pub const MAX_PAYLOAD: usize = Self::DEFAULT_CELL_SIZE - 2;
/// Wrap `inner` with constant-size cell padding at `cell_size` bytes.
///
/// `cell_size` MUST be at least 3 (length prefix + 1 payload byte). The constructor does not
/// validate this; callers should use [`CellPaddingConn::DEFAULT_CELL_SIZE`] unless they have a
/// reason to override it (the runtime check inside [`PacketConnection::send_packet`] would
/// reject the resulting connection for any non-empty packet anyway).
#[must_use]
pub fn new(inner: Arc<dyn PacketConnection>, cell_size: usize) -> Self {
Self { inner, cell_size }
}
/// The cell size this wrapper is using (informational; for tests / logs).
#[must_use]
pub fn cell_size(&self) -> usize {
self.cell_size
}
}
#[async_trait]
impl PacketConnection for CellPaddingConn {
async fn send_packet(&self, pkt: &[u8]) -> anyhow::Result<()> {
let cap = self.cell_size.saturating_sub(2);
if pkt.len() > cap {
bail!(
"packet {} bytes exceeds cell payload capacity {} (cell_size = {})",
pkt.len(),
cap,
self.cell_size
);
}
// Allocate the constant-size cell, write the 2-byte big-endian length, copy the payload,
// leave the rest as zeros. The encryption layer (Aura transport AEAD, wrapped around this
// by every hop) will turn the zero-tail into ciphertext indistinguishable from random.
let mut cell = vec![0u8; self.cell_size];
let len_bytes = (pkt.len() as u16).to_be_bytes();
cell[0] = len_bytes[0];
cell[1] = len_bytes[1];
cell[2..2 + pkt.len()].copy_from_slice(pkt);
self.inner.send_packet(&cell).await
}
async fn recv_packet(&self) -> anyhow::Result<Vec<u8>> {
let cell = self.inner.recv_packet().await?;
if cell.len() < 2 {
bail!(
"cell shorter than the 2-byte length prefix ({} bytes received)",
cell.len()
);
}
let real_len = u16::from_be_bytes([cell[0], cell[1]]) as usize;
if real_len > cell.len().saturating_sub(2) {
bail!(
"cell length prefix {} exceeds available cell payload ({})",
real_len,
cell.len().saturating_sub(2)
);
}
Ok(cell[2..2 + real_len].to_vec())
}
}
#[cfg(test)]
mod tests {
use super::*;
use std::collections::VecDeque;
use tokio::sync::Mutex as TokioMutex;
/// In-memory bidirectional pipe: each call to `send_packet` pushes the bytes onto a queue;
/// `recv_packet` pops from a (separately-loaded) queue. This lets us drive both sides of a
/// padded conversation without bringing in a real Aura transport.
struct MockConn {
send_log: TokioMutex<Vec<Vec<u8>>>,
recv_queue: TokioMutex<VecDeque<Vec<u8>>>,
}
impl MockConn {
fn new(recv: impl IntoIterator<Item = Vec<u8>>) -> Arc<Self> {
Arc::new(Self {
send_log: TokioMutex::new(Vec::new()),
recv_queue: TokioMutex::new(recv.into_iter().collect()),
})
}
}
#[async_trait]
impl PacketConnection for MockConn {
async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()> {
self.send_log.lock().await.push(packet.to_vec());
Ok(())
}
async fn recv_packet(&self) -> anyhow::Result<Vec<u8>> {
self.recv_queue
.lock()
.await
.pop_front()
.ok_or_else(|| anyhow::anyhow!("mock recv_queue empty"))
}
}
/// Every outgoing packet — empty, tiny, mid-sized, or maxed — is written to the inner
/// connection as EXACTLY `cell_size` bytes. This is the constant-size invariant.
#[tokio::test]
async fn cell_roundtrip_various_sizes() {
let mock = MockConn::new(std::iter::empty());
let wrapped = CellPaddingConn::new(mock.clone() as Arc<dyn PacketConnection>, 1280);
let payloads: Vec<Vec<u8>> = vec![
vec![],
vec![0x42],
b"hello cell padding".to_vec(),
vec![0xCDu8; 100],
vec![0xABu8; 1278], // max payload for cell_size = 1280
];
for pkt in &payloads {
wrapped.send_packet(pkt).await.expect("send");
}
let sent = mock.send_log.lock().await.clone();
assert_eq!(sent.len(), payloads.len(), "one cell per send");
for (i, cell) in sent.iter().enumerate() {
assert_eq!(
cell.len(),
1280,
"cell {i} has constant size; sent payload was {} bytes",
payloads[i].len()
);
// Length-prefix encodes the original payload length.
let parsed_len = u16::from_be_bytes([cell[0], cell[1]]) as usize;
assert_eq!(parsed_len, payloads[i].len(), "len-prefix matches payload");
assert_eq!(
&cell[2..2 + payloads[i].len()],
&payloads[i][..],
"payload bytes are preserved at offset 2"
);
}
}
/// Roundtrip: feed a recv queue with cells and recover the original payloads through
/// [`CellPaddingConn::recv_packet`].
#[tokio::test]
async fn cell_recv_strips_padding() {
// Build three cells by hand, then feed them to the recv queue.
let payloads: Vec<Vec<u8>> = vec![b"first".to_vec(), vec![0u8; 0], (0..=255u8).collect()];
let cell_size = 512;
let cells: Vec<Vec<u8>> = payloads
.iter()
.map(|p| {
let mut c = vec![0u8; cell_size];
let lb = (p.len() as u16).to_be_bytes();
c[0] = lb[0];
c[1] = lb[1];
c[2..2 + p.len()].copy_from_slice(p);
c
})
.collect();
let mock = MockConn::new(cells);
let wrapped = CellPaddingConn::new(mock as Arc<dyn PacketConnection>, cell_size);
for expected in &payloads {
let got = wrapped.recv_packet().await.expect("recv");
assert_eq!(&got, expected, "recovered payload matches");
}
}
/// Sending a packet larger than `cell_size - 2` is a hard error (the caller must fragment).
#[tokio::test]
async fn cell_too_large_returns_err() {
let mock = MockConn::new(std::iter::empty());
let wrapped = CellPaddingConn::new(mock as Arc<dyn PacketConnection>, 256);
// 256 - 2 = 254 is the cap; 255 must fail.
let oversized = vec![0u8; 255];
let err = wrapped.send_packet(&oversized).await.unwrap_err();
let msg = format!("{err:#}");
assert!(
msg.contains("exceeds cell payload capacity") || msg.contains("exceeds"),
"expected size-related error, got: {msg}"
);
}
/// A received cell shorter than 2 bytes (corrupt; never produced by a well-behaved peer) is
/// rejected so we surface the problem rather than silently returning empty.
#[tokio::test]
async fn cell_short_recv_is_rejected() {
let mock = MockConn::new([vec![0x05]]);
let wrapped = CellPaddingConn::new(mock as Arc<dyn PacketConnection>, 1280);
let err = wrapped.recv_packet().await.unwrap_err();
let msg = format!("{err:#}");
assert!(
msg.contains("shorter than"),
"expected short-cell error, got: {msg}"
);
}
/// A received cell whose embedded length is larger than the cell capacity is also rejected.
#[tokio::test]
async fn cell_recv_overlong_len_prefix_is_rejected() {
// cell with len = 9999 but only 50 bytes of cell — must be rejected.
let mut bad = vec![0u8; 50];
let lb = 9999u16.to_be_bytes();
bad[0] = lb[0];
bad[1] = lb[1];
let mock = MockConn::new([bad]);
let wrapped = CellPaddingConn::new(mock as Arc<dyn PacketConnection>, 50);
let err = wrapped.recv_packet().await.unwrap_err();
let msg = format!("{err:#}");
assert!(
msg.contains("exceeds available cell payload") || msg.contains("exceeds"),
"expected overlong-len-prefix error, got: {msg}"
);
}
}
crates/aura-cli/src/circuit.rs
+421
View File
@@ -0,0 +1,421 @@
//! v3.1 / v3.2 multi-hop / onion routing — the **client side** of an N-hop circuit
//! `client → hop[0] → hop[1] → ... → hop[N-1]`. v3.1 supports `N = 2` (entry + exit);
//! v3.2 supports `N = 2` OR `N = 3` (entry + middle + exit) plus **per-hop client
//! certificates** so different hops cannot be linked by certificate CN.
//!
//! ## Wire dance (recursive)
//!
//! For each hop `i` from `0` to `N-1` the dialler:
//!
//! 1. **Outer handshake to `hop[i]`**: opens an Aura UDP transport connection to `hop[i].addr`
//! (through any already-stacked proxy/forwarder chain) using `hop[i].proto_cfg`, which carries
//! that hop's expected SAN as `server_name` AND the per-hop client cert/key — see [`HopConfig`].
//! 2. **ExtendBridge** (only if `i < N - 1`): sends one
//! [`aura_proto::ControlKind::ExtendBridge`] envelope carrying `hop[i+1].addr` to ask the
//! current hop to splice a bridge to the next downstream hop. Waits for
//! [`aura_proto::ControlKind::CircuitReady`] (or [`aura_proto::ControlKind::CircuitFailed`]).
//! 3. **Loopback proxy** (only if `i < N - 1`): binds a local UDP socket and spawns a forwarder
//! that splices every datagram between that socket and the outer connection to `hop[i]`. The
//! next iteration's outer handshake is addressed at this loopback socket — so the actual bytes
//! on the wire travel through the existing tunnel to `hop[i]`, which forwards them through its
//! bridge to `hop[i+1]`.
//! 4. **Final hop** (`i == N - 1`): no ExtendBridge / loopback — the connection returned by step
//! 1 is the innermost session and authenticates the *exit's* cert. Its `peer_id()` is the exit
//! SAN; every subsequent send/recv on the resulting [`CircuitConnection`] is wrapped in
//! `N` AEAD layers (one per hop).
//!
//! Result: every IP packet is encrypted N times — once per hop — so the exit knows the client's
//! certificate CN but not the source IP; every intermediate hop knows the previous hop's address
//! and the next hop's address but not the destination, and never sees a plaintext byte.
//!
//! ## Per-hop client identity (v3.2)
//!
//! The v3.1 dialler used a single `[pki]` cert/key for every hop, so the entry-relay and the exit
//! both saw the *same* certificate CN — trivially linkable. v3.2 lets the caller pass a different
//! [`aura_proto::ClientConfig`] for each hop via [`HopConfig`]. The CLI generates an indepedent
//! UUID-v4 cert per hop with `aura provision-client --circuit-hops N`. With distinct CNs per hop
//! the only thing that is linkable is the *temporal* correlation of one packet leaving the client
//! and one packet leaving the exit — which the cell-padding wrapper (see [`crate::cells`]) is the
//! companion mitigation for.
use std::net::SocketAddr;
use std::sync::Arc;
use anyhow::{anyhow, bail, Context};
use async_trait::async_trait;
use aura_proto::{
decode_control_envelope, encode_control_envelope, encode_extend_bridge, ClientConfig,
ControlKind, PacketConnection,
};
use aura_transport::{UdpClient, UdpConnection, UdpOpts};
use tokio::net::UdpSocket;
use tokio::task::JoinHandle;
/// How long the client waits for each hop to reply with [`ControlKind::CircuitReady`] after
/// sending the [`ControlKind::ExtendBridge`] envelope.
const READY_TIMEOUT_SECS: u64 = 5;
/// Per-hop dial configuration. One instance per hop in the circuit; the order matches the wire
/// order (`hops[0]` = entry, `hops[N-1]` = exit).
///
/// `proto_cfg.server_name` is the SAN the verifier checks on **this hop's** certificate during the
/// outer Aura handshake. `proto_cfg.client_cert_pem` / `proto_cfg.client_key_pem` is the client
/// identity presented **to this hop** — different per hop in v3.2 so the entry and the exit cannot
/// link the two handshakes by certificate CN.
#[derive(Debug, Clone)]
pub struct HopConfig {
/// Wire address of this hop (already resolved to `IP:port`).
pub addr: SocketAddr,
/// Aura client config for the handshake to *this* hop.
pub proto_cfg: ClientConfig,
}
impl HopConfig {
/// Convenience: build a hop using the same client config as the rest of the circuit. Used by
/// the v3.1 / `CircuitHop::Addr` back-compat path where the caller wants every hop to use the
/// global `[pki]` cert/key (matching the v3.1 behaviour).
pub fn from_shared(addr: SocketAddr, proto_cfg: ClientConfig) -> Self {
Self { addr, proto_cfg }
}
}
/// An established multi-hop circuit. The inner [`UdpConnection`]'s outgoing datagrams travel
/// through a chain of loopback proxies + outer relay connections; from the inner handshake / data
/// exchange's point of view nothing is special — it is talking to a normal Aura UDP server.
///
/// The outer connections and forwarder tasks are owned here so dropping the circuit tears
/// everything down in order.
pub struct CircuitConnection {
/// The innermost UDP connection (target of the final hop's handshake). All `send_packet` /
/// `recv_packet` calls delegate to it; the forwarder chain splices its bytes onto the outer
/// hops in order.
inner: UdpConnection,
/// Every outer hop connection, in order (`hop[0]` first). Pinned alive for the lifetime of the
/// circuit; the per-hop forwarder tasks own clones, but holding the originals here means every
/// outer is dropped at exactly the same time as `Self`.
_outer_conns: Vec<Arc<dyn PacketConnection>>,
/// One forwarder task per intermediate hop (so `N - 1` tasks for an N-hop circuit). Aborted in
/// [`Drop`] so dropping the circuit cleans them up.
forwarders: Vec<JoinHandle<()>>,
/// The chain of loopback proxy sockets (one per intermediate hop). Held here so they outlive
/// the forwarders that read/write through them; the forwarder also holds an `Arc<UdpSocket>`
/// clone, but this prevents a close-on-last-clone race during shutdown.
_proxy_sockets: Vec<Arc<UdpSocket>>,
}
impl Drop for CircuitConnection {
fn drop(&mut self) {
for f in &self.forwarders {
f.abort();
}
}
}
impl CircuitConnection {
/// The verified peer Common Name as learned during the **innermost** handshake. This is the
/// **exit-server's** identity (NOT any intermediate hop) — the whole point of multi-hop is that
/// the inner handshake authenticates the exit through every relay opaquely.
#[must_use]
pub fn peer_id(&self) -> Option<&str> {
self.inner.peer_id()
}
/// Promote into a trait object so the router / dialer layer can treat the circuit the same way
/// it treats a single-hop UDP / TCP / QUIC connection.
#[must_use]
pub fn into_dyn(self) -> Arc<dyn PacketConnection> {
Arc::new(self)
}
}
#[async_trait]
impl PacketConnection for CircuitConnection {
async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()> {
// Delegate to the inner UdpConnection — the proxy forwarder picks up its outgoing
// datagrams from the innermost loopback proxy socket and tunnels them through the chain.
self.inner.send_packet(packet).await
}
async fn recv_packet(&self) -> anyhow::Result<Vec<u8>> {
self.inner.recv_packet().await
}
}
/// Build an N-hop circuit `client → hops[0] → hops[1] → ... → hops[N-1]`. Returns the established
/// [`CircuitConnection`].
///
/// `hops.len()` must be in `{2, 3}` — v3.1 accepted only 2; v3.2 extends to 3. Each entry's
/// [`HopConfig::proto_cfg`] supplies:
///
/// * The SAN expected on that hop's server certificate (`proto_cfg.server_name`).
/// * The client cert/key presented **to that hop** (`proto_cfg.client_cert_pem` /
/// `proto_cfg.client_key_pem`). Distinct per hop = identity-unlinkable v3.2 behaviour.
///
/// # Errors
/// * Any outer UDP connection failed.
/// * Any intermediate hop refused (`CircuitFailed`) or did not reply within
/// [`READY_TIMEOUT_SECS`] seconds.
/// * The inner Aura handshake to the exit failed (bad exit cert chain, SAN mismatch, etc.).
pub async fn dial_circuit(
hops: &[HopConfig],
udp_opts: UdpOpts,
) -> anyhow::Result<CircuitConnection> {
if hops.len() < 2 || hops.len() > 3 {
bail!(
"v3.2 multi-hop supports 2 or 3 hops (entry, [middle,] exit); got {}",
hops.len()
);
}
// We build the chain iteratively. At each iteration the "current outer" is what we are
// currently dialing through; for the first hop it is a literal `UdpClient::connect`, for every
// subsequent hop it is a loopback proxy + forwarder splicing onto the previous outer.
let mut outer_conns: Vec<Arc<dyn PacketConnection>> = Vec::with_capacity(hops.len() - 1);
let mut forwarders: Vec<JoinHandle<()>> = Vec::with_capacity(hops.len() - 1);
let mut proxy_sockets: Vec<Arc<UdpSocket>> = Vec::with_capacity(hops.len() - 1);
// Step 1: dial the very first hop directly via UDP. This is the only hop whose outer handshake
// exits the client process as a real datagram on the OS network stack.
let entry = &hops[0];
let first = UdpClient::connect(entry.addr, entry.proto_cfg.clone(), udp_opts)
.await
.with_context(|| format!("dial entry hop at {}", entry.addr))?;
let mut current_outer: Arc<dyn PacketConnection> = first.into_dyn();
// For every *intermediate* hop (every hop except the last) we:
// - ask it to bridge to the next hop via ExtendBridge,
// - wait for CircuitReady,
// - bring up a loopback proxy + forwarder so the next outer handshake travels through
// `current_outer`,
// - then re-dial the *next* hop via that loopback proxy and update `current_outer`.
//
// After the loop, `current_outer` is the outer connection to `hops[N-2]` and the next dial
// (step 6 below) is the inner handshake to `hops[N-1]` (the exit). We need to keep
// `current_outer` itself in `outer_conns` too — it is the outermost of the inner-handshake's
// pipe.
for i in 0..hops.len() - 1 {
let next = &hops[i + 1];
// 2. Tell the current hop to splice onto `next.addr`.
let payload = encode_extend_bridge(next.addr);
let envelope = encode_control_envelope(ControlKind::ExtendBridge, &payload);
current_outer
.send_packet(&envelope)
.await
.with_context(|| format!("send ExtendBridge to hop[{}] at {}", i, hops[i].addr))?;
// 3. Wait for CircuitReady from this hop (or CircuitFailed = bail). The remote may send
// unrelated envelopes (CRL pushes etc.) in front of ours; ignore until our envelope
// arrives or the deadline elapses.
let ready_deadline =
tokio::time::Instant::now() + std::time::Duration::from_secs(READY_TIMEOUT_SECS);
loop {
let now = tokio::time::Instant::now();
if now >= ready_deadline {
bail!(
"timeout waiting for CircuitReady from hop[{}] at {}",
i,
hops[i].addr
);
}
let remaining = ready_deadline - now;
let pkt = tokio::time::timeout(remaining, current_outer.recv_packet())
.await
.map_err(|_| {
anyhow!(
"timeout waiting for CircuitReady from hop[{}] at {}",
i,
hops[i].addr
)
})?
.with_context(|| format!("recv from hop[{}] at {}", i, hops[i].addr))?;
match decode_control_envelope(&pkt) {
Ok(Some((ControlKind::CircuitReady, _))) => break,
Ok(Some((ControlKind::CircuitFailed, reason))) => {
let r = String::from_utf8_lossy(&reason);
bail!("hop[{}] at {} refused circuit: {}", i, hops[i].addr, r);
}
Ok(Some((other, _))) => {
tracing::debug!(
hop = i,
kind = ?other,
"ignoring unexpected control envelope while waiting for CircuitReady"
);
continue;
}
Ok(None) => {
tracing::debug!(
hop = i,
"ignoring non-control packet from hop before CircuitReady"
);
continue;
}
Err(e) => {
tracing::debug!(
hop = i,
error = %e,
"malformed envelope from hop before CircuitReady"
);
continue;
}
}
}
// 4. Bring up the local proxy UDP socket. The next iteration's UdpClient::connect will
// target this address; the forwarder below splices every datagram between the proxy
// socket and the current outer connection.
let proxy_socket = UdpSocket::bind("127.0.0.1:0")
.await
.with_context(|| format!("bind loopback proxy for hop[{}] -> hop[{}]", i, i + 1))?;
let proxy_addr = proxy_socket
.local_addr()
.context("read local proxy address")?;
let proxy_socket = Arc::new(proxy_socket);
// 5. Spawn the forwarder BEFORE running the next outer handshake — the handshake's first
// datagram must already be flowing while it is being written.
let outer_for_send = Arc::clone(&current_outer);
let outer_for_recv = Arc::clone(&current_outer);
let proxy_for_send = Arc::clone(&proxy_socket);
let proxy_for_recv = Arc::clone(&proxy_socket);
let hop_idx = i;
let forwarder = tokio::spawn(async move {
// Source address of the next-hop UdpClient, learned from its first datagram on the
// proxy socket. We need it to know where to deliver `outer.recv_packet` payloads back.
let inner_peer: Arc<tokio::sync::Mutex<Option<SocketAddr>>> =
Arc::new(tokio::sync::Mutex::new(None));
// Task A: proxy.recv_from -> outer.send_packet
let inner_peer_a = Arc::clone(&inner_peer);
let to_outer = async move {
let mut buf = vec![0u8; 4096];
loop {
let (n, from) = match proxy_for_recv.recv_from(&mut buf).await {
Ok(v) => v,
Err(_) => break,
};
{
let mut latch = inner_peer_a.lock().await;
if latch.is_none() {
*latch = Some(from);
}
}
if outer_for_send.send_packet(&buf[..n]).await.is_err() {
break;
}
}
};
// Task B: outer.recv_packet -> proxy.send_to(inner_peer_addr)
let inner_peer_b = Arc::clone(&inner_peer);
let from_outer = async move {
loop {
let pkt = match outer_for_recv.recv_packet().await {
Ok(p) => p,
Err(_) => break,
};
let dest = { *inner_peer_b.lock().await };
if let Some(dest) = dest {
if proxy_for_send.send_to(&pkt, dest).await.is_err() {
break;
}
}
// Else: next-hop UdpClient has not sent its first datagram yet; drop. The
// reliable adapter will retransmit on its RTO timer. The race window is tiny.
}
};
tokio::select! {
_ = to_outer => {}
_ = from_outer => {}
}
tracing::debug!(hop = hop_idx, "circuit forwarder exited");
});
// 6. Move `current_outer` into our owned list, spawn the forwarder + socket into theirs,
// then dial the *next* hop through the loopback proxy. The dial returns the new
// `current_outer`.
outer_conns.push(current_outer);
forwarders.push(forwarder);
proxy_sockets.push(Arc::clone(&proxy_socket));
// 7. Dial the next hop through the proxy. For an intermediate next hop this becomes the
// new `current_outer`; for the final hop (last iteration) it is the *inner* connection
// we return wrapped in `CircuitConnection`.
let is_last = i == hops.len() - 2;
let next_conn = UdpClient::connect(proxy_addr, next.proto_cfg.clone(), udp_opts)
.await
.with_context(|| {
format!(
"{} handshake to hop[{}] at {} through hop[{}]",
if is_last { "inner" } else { "intermediate" },
i + 1,
next.addr,
i
)
})?;
if is_last {
// The innermost session: wrap it in CircuitConnection along with every outer + proxy
// we own. Note: we do NOT push next_conn into outer_conns — it becomes `inner`.
return Ok(CircuitConnection {
inner: next_conn,
_outer_conns: outer_conns,
forwarders,
_proxy_sockets: proxy_sockets,
});
} else {
// Promote to dyn for the next loop iteration.
current_outer = next_conn.into_dyn();
}
}
// Unreachable: the loop always returns when `is_last` is true (the last intermediate
// iteration always produces the inner session for the exit).
unreachable!("dial_circuit loop must return on the final hop")
}
/// v3.1 back-compat shim: build hops from a flat `[SocketAddr]` list using a shared
/// [`ClientConfig`] for every hop and call [`dial_circuit`]. Useful for code paths that have a
/// single proto_cfg (e.g. an old `[client] sni`).
///
/// Behaviour matches v3.1 exactly when given exactly 2 hops; with 3 hops it now also works (every
/// hop uses the same cert / key, i.e. NOT identity-unlinkable — use the per-hop variant for that).
pub async fn dial_circuit_shared_cfg(
hops: &[SocketAddr],
proto_cfg: ClientConfig,
udp_opts: UdpOpts,
) -> anyhow::Result<CircuitConnection> {
let hop_cfgs: Vec<HopConfig> = hops
.iter()
.map(|a| HopConfig::from_shared(*a, proto_cfg.clone()))
.collect();
dial_circuit(&hop_cfgs, udp_opts).await
}
/// Variant of [`dial_circuit_shared_cfg`] letting the caller override the SAN expected on the
/// **first hop's** cert (the relay) independently of the exit's expected SAN
/// (`proto_cfg.server_name`, used by the inner handshake). v3.1 kept this for the loopback test
/// which uses a different SAN per role.
///
/// Equivalent to v3.1 behaviour. For arbitrary per-hop overrides, build a `Vec<HopConfig>`
/// directly and call [`dial_circuit`].
pub async fn dial_circuit_with_relay_name(
hops: &[SocketAddr],
proto_cfg: ClientConfig,
udp_opts: UdpOpts,
relay_server_name: Option<&str>,
) -> anyhow::Result<CircuitConnection> {
if hops.len() != 2 {
bail!(
"dial_circuit_with_relay_name requires exactly 2 hops (entry, exit); got {}",
hops.len()
);
}
let mut entry_cfg = proto_cfg.clone();
if let Some(name) = relay_server_name {
entry_cfg.server_name = name.to_string();
}
let hop_cfgs = vec![
HopConfig::from_shared(hops[0], entry_cfg),
HopConfig::from_shared(hops[1], proto_cfg),
];
dial_circuit(&hop_cfgs, udp_opts).await
}
crates/aura-cli/src/client.rs
+69 -11
View File
@@ -24,15 +24,18 @@ use std::path::Path;
use std::sync::Arc;
use anyhow::Context;
use aura_transport::dial;
use aura_transport::{dial, TransportMode};
use aura_tunnel::{AuraDns, AuraRouter, AuraTun, RouteAction};
use tokio::sync::RwLock;
use crate::admin::{self, AdminState, Stats};
use crate::config::ClientConfigFile;
use crate::circuit;
use crate::config::{expand_tilde, ClientConfigFile};
use crate::crl_push::AcceptPushedCrlConn;
use crate::masks::MaskRotator;
use crate::os_routes::{OsRouteGuard, SplitRoutes};
use crate::privdrop;
use aura_proto::PacketConnection;
/// Entry point for `aura client --config <PATH>` (and optional `--admin-socket`).
pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
@@ -47,8 +50,12 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
// `DialConfig` so the connect we are about to do already uses today's mask. The rotator's
// background task keeps `rot.handle()` updated for any future re-dials.
let masks_enabled = cfg.transport.masks.enabled;
let mask_palette = cfg.transport.masks.palette.to_crypto();
let mask_rotator = if masks_enabled {
let rot = Arc::new(MaskRotator::new(&proto_cfg.ca_cert_pem)?);
let rot = Arc::new(MaskRotator::new_with_palette(
&proto_cfg.ca_cert_pem,
mask_palette,
)?);
let initial = rot.current().await;
dial_cfg.sni = initial.sni.clone();
dial_cfg.udp.padding_profile = initial.padding_profile_id;
@@ -58,6 +65,7 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
tracing::info!(
sni = %initial.sni,
padding_profile = initial.padding_profile_id,
palette = ?cfg.transport.masks.palette,
"mask rotation enabled; initial mask applied to dial"
);
// Keep the rotation task running in the background; v1's client only dials once, so the
@@ -94,18 +102,68 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
let routes = Arc::new(RwLock::new(table));
let stats = Arc::new(Stats::new());
// Dial: try each transport in `[transport] order` (UDP→TCP→QUIC handover) until one connects.
// Each transport runs the inner Aura mutual-auth handshake; the winner is returned as a uniform
// `Arc<dyn PacketConnection>` along with which mode carried it. (The trait object does not surface
// the verified server CN; the server identity was already checked against `[client] sni` inside
// the handshake, so we record that as the peer for the admin/status mirror.)
let (conn, mode) = dial(proto_cfg, dial_cfg)
.await
.context("connecting to Aura server")?;
// Dial: when [client.circuit] is enabled, build an N-hop circuit (v3.1: N=2; v3.2: N=2 or 3)
// via [`circuit::dial_circuit`] with per-hop client configs. Otherwise fall back to the v2
// single-hop dial across the configured [transport] order. In both cases the result is a
// uniform `Arc<dyn PacketConnection>` so the downstream router does not care which path was
// taken.
let (conn, mode) = if cfg.client.circuit.enabled {
let hop_cfgs = cfg
.build_circuit_hop_configs()
.context("building [client.circuit] hop configs")?;
let hop_count = hop_cfgs.len();
tracing::info!(
hops = hop_count,
entry = %hop_cfgs[0].addr,
exit = %hop_cfgs[hop_count - 1].addr,
cell_padding = cfg.client.circuit.cell_padding,
cell_size = cfg.client.circuit.cell_size,
"building v3.2 multi-hop circuit"
);
let circuit_conn = circuit::dial_circuit(&hop_cfgs, dial_cfg.udp)
.await
.context("building multi-hop circuit (v3.2)")?;
let peer_id = circuit_conn.peer_id().map(str::to_owned);
tracing::info!(
peer = ?peer_id,
"v3.2 circuit established (inner handshake authenticated the EXIT server)"
);
// v3.2 cell padding: wrap the circuit in a constant-size cell stream so on-wire bytes do
// not leak per-packet size. The exit's [server] cell_padding_for_circuit_clients flag
// MUST match.
let conn: Arc<dyn PacketConnection> = if cfg.client.circuit.cell_padding {
Arc::new(crate::cells::CellPaddingConn::new(
circuit_conn.into_dyn(),
cfg.client.circuit.cell_size,
))
} else {
circuit_conn.into_dyn()
};
(conn, TransportMode::Udp)
} else {
// Each transport runs the inner Aura mutual-auth handshake; the winner is returned along
// with which mode carried it. (The trait object does not surface the verified server CN;
// the server identity was already checked against `[client] sni` inside the handshake.)
dial(proto_cfg.clone(), dial_cfg)
.await
.context("connecting to Aura server")?
};
let peer = Some(cfg.client.sni.clone());
stats.set_peer_id(peer.clone());
tracing::info!(peer = ?peer, %mode, "connected and authenticated to server");
// v2: wrap the connection so server-pushed CRL envelopes are decoded, verified against the CA,
// applied to the in-memory verifier mirror, and cached on disk (when [pki] crl is set on the
// client). Real IP packets pass through unchanged. The wrap is no-op for backwards-compat when
// the server doesn't push (no envelopes arrive => the wrapper just forwards every recv).
let crl_cache_path = cfg.pki.crl.as_deref().map(expand_tilde);
let conn: Arc<dyn PacketConnection> = Arc::new(AcceptPushedCrlConn::new(
conn,
proto_cfg.ca_cert_pem.clone(),
crl_cache_path,
cfg.pki.accept_pushed_crl,
));
// Resolve split-tunnel domain rules into host routes (best-effort; failures are logged). We
// also collect the resolved hosts per (domain, action) so the OS-routes guard below can
// install a /32 or /128 bypass / VPN-route per resolved IP — this is what makes a domain rule
crates/aura-cli/src/config.rs
+978 -2
View File
File diff suppressed because it is too large Load Diff
crates/aura-cli/src/crl_push.rs
+463
View File
@@ -0,0 +1,463 @@
//! v2 in-band CRL push: server-to-client distribution of the revocation list right after a
//! successful handshake.
//!
//! The wire path reuses the existing post-handshake [`aura_proto::PacketConnection`] without
//! changing the trait or any transport. Control messages are multiplexed alongside real IP packets
//! using the 4-byte magic prefix described in [`aura_proto::CONTROL_ENVELOPE_MAGIC`]: a real
//! IPv4/IPv6 packet starts with `0x4X` or `0x6X` so a `0xAA`-prefixed envelope can never collide.
//!
//! ## Server side ([`push_crl_if_configured`])
//!
//! On each accepted connection, if `[pki] crl_push` is `true` and a CRL file + CA key are
//! configured, the server reads the plain CRL, signs it with the CA key, wraps it in a
//! [`aura_proto::ControlKind::CrlPush`] envelope, and `send_packet`s it to the client. Failures
//! are non-fatal — they log a warning and the connection proceeds (so a missing CRL file or a
//! stale signing key never tears down a freshly authenticated client).
//!
//! ## Client side ([`AcceptPushedCrlConn`])
//!
//! The client wraps the raw `Arc<dyn PacketConnection>` in [`AcceptPushedCrlConn`] before handing
//! it to the [`aura_tunnel::AuraRouter`]. Every `recv_packet` call is sniffed: if the bytes start
//! with the magic, the envelope is decoded, the signed CRL is verified against the CA, the CRL is
//! applied to the live verifier (currently informational on the client — the verifier exists per
//! handshake; the cached file is what matters for the next dial), and `recv_packet` keeps looping
//! for the next packet. Any envelope that fails to verify is dropped with a warning.
//!
//! Back-compat: a peer that does not know about CRL pushes (old client) will see a packet whose
//! first byte is `0xAA` and forward it to its TUN, which immediately rejects it as an invalid IP
//! packet (top nibble `0xA` is not a valid IP version). The session stays alive.
use std::path::{Path, PathBuf};
use std::sync::Arc;
use aura_pki::CrlStore;
use aura_proto::{decode_control_envelope, encode_control_envelope, ControlKind, PacketConnection};
use tokio::sync::RwLock;
use crate::config::expand_tilde;
/// Build the bytes the server should send (CRL header + signed body, wrapped in a control
/// envelope), or `Ok(None)` if `[pki] crl_push` is disabled / the CRL file is missing / the CA
/// signing key is unavailable.
///
/// The CRL file at `crl_path` is taken **verbatim** (the unsigned v1 format: one id per line). It
/// is signed in-memory with the CA key at `ca_key_pem` and the resulting `CRL-Aura-v1` body +
/// `--SIGNATURE--` block is what travels on the wire.
pub fn build_push_envelope(
crl_path: &Path,
ca_cert_pem: &str,
ca_key_pem: &str,
) -> anyhow::Result<Vec<u8>> {
let crl = CrlStore::load(crl_path)?;
let signed = crl.encode_signed(ca_cert_pem, ca_key_pem)?;
Ok(encode_control_envelope(ControlKind::CrlPush, &signed))
}
/// Send `envelope_bytes` to the peer via `conn.send_packet`. Returns the underlying transport
/// error if the send fails.
pub async fn send_push(
conn: &Arc<dyn PacketConnection>,
envelope_bytes: &[u8],
) -> anyhow::Result<()> {
conn.send_packet(envelope_bytes).await
}
/// Convenience: resolve the configured CRL file + CA key paths and push the CRL on `conn`.
///
/// Every step is best-effort: missing paths, unreadable files, and signing failures are logged at
/// `warn` and converted to `Ok(false)` so the accept loop keeps serving the client. Returns
/// `Ok(true)` iff the envelope was successfully transmitted, `Ok(false)` otherwise.
pub async fn push_crl_if_configured(
crl_push_enabled: bool,
crl_path: Option<&str>,
ca_cert_pem: &str,
ca_key_path: Option<&str>,
conn: &Arc<dyn PacketConnection>,
peer: Option<&str>,
) -> anyhow::Result<bool> {
if !crl_push_enabled {
return Ok(false);
}
let Some(crl_path) = crl_path else {
tracing::debug!(
peer = ?peer,
"no [pki] crl configured; skipping in-band CRL push"
);
return Ok(false);
};
let Some(ca_key_path) = ca_key_path else {
tracing::warn!(
peer = ?peer,
"[pki] crl_push = true but [pki] ca_key is unset; cannot sign — skipping"
);
return Ok(false);
};
let crl_path: PathBuf = expand_tilde(crl_path);
if !crl_path.exists() {
tracing::debug!(
peer = ?peer,
path = %crl_path.display(),
"CRL file does not exist; skipping in-band CRL push (no revoked clients yet)"
);
return Ok(false);
}
let ca_key_path = expand_tilde(ca_key_path);
let ca_key_pem = match std::fs::read_to_string(&ca_key_path) {
Ok(p) => p,
Err(e) => {
tracing::warn!(
peer = ?peer,
path = %ca_key_path.display(),
error = %e,
"failed to read CA signing key; skipping in-band CRL push"
);
return Ok(false);
}
};
let envelope = match build_push_envelope(&crl_path, ca_cert_pem, &ca_key_pem) {
Ok(v) => v,
Err(e) => {
tracing::warn!(
peer = ?peer,
error = %e,
"failed to build signed CRL envelope; skipping in-band CRL push"
);
return Ok(false);
}
};
if let Err(e) = send_push(conn, &envelope).await {
tracing::warn!(
peer = ?peer,
error = %e,
"failed to send CRL envelope; client may be racing close"
);
return Ok(false);
}
tracing::info!(
peer = ?peer,
bytes = envelope.len(),
"in-band CRL pushed to client"
);
Ok(true)
}
/// Client-side adapter that intercepts CRL-push control envelopes coming over `inner` and applies
/// them to a live `verifier` + optional on-disk cache.
///
/// Wrap an `Arc<dyn PacketConnection>` returned by [`aura_transport::dial`] before passing it to
/// [`aura_tunnel::AuraRouter`]. Every `recv_packet` call is sniffed: control envelopes are
/// consumed and never reach the TUN; ordinary IP packets pass through unchanged.
pub struct AcceptPushedCrlConn {
inner: Arc<dyn PacketConnection>,
/// CA cert PEM the client trusts — used to verify the pushed CRL's signature.
ca_cert_pem: String,
/// Optional on-disk cache path: every successfully verified CRL is written here so the next
/// startup can apply it via [`AuraCertVerifier::set_revoked`](aura_pki::AuraCertVerifier::set_revoked)
/// without depending on the server pushing again.
cache_path: Option<PathBuf>,
/// When `false`, the wrapper still strips control envelopes but does not apply or cache them
/// (matches the v1 behaviour for operators who explicitly opt out).
accept: bool,
/// Last applied CRL — exposed for tests / inspection. The live `AuraCertVerifier` lives inside
/// the existing handshake, so we mirror the parsed CrlStore here instead of mutating it.
pub last_applied: Arc<RwLock<Option<CrlStore>>>,
}
impl AcceptPushedCrlConn {
/// Wrap `inner` so CRL pushes from the server are decoded and stripped.
///
/// `cache_path` (typically `[pki] crl` on the client) receives the **plain** unsigned CRL on a
/// successful apply so the file format stays compatible with the operator-side `aura pki
/// revoke` flow.
pub fn new(
inner: Arc<dyn PacketConnection>,
ca_cert_pem: String,
cache_path: Option<PathBuf>,
accept: bool,
) -> Self {
Self {
inner,
ca_cert_pem,
cache_path,
accept,
last_applied: Arc::new(RwLock::new(None)),
}
}
/// Shared handle to the most recently applied CRL (mostly for tests).
pub fn last_applied(&self) -> Arc<RwLock<Option<CrlStore>>> {
Arc::clone(&self.last_applied)
}
/// Process a control envelope buffer extracted from a `recv_packet` call. Returns `Ok(())` so
/// errors do not tear the session down — they only log.
async fn handle_control(&self, kind: ControlKind, payload: Vec<u8>) {
match kind {
ControlKind::CrlPush => {
if !self.accept {
tracing::debug!("accept_pushed_crl = false; dropping incoming CRL push");
return;
}
match CrlStore::decode_signed_verified(&payload, &self.ca_cert_pem) {
Ok(crl) => {
let count = crl.len();
if let Some(path) = &self.cache_path {
if let Err(e) = persist_crl(&crl, path) {
tracing::warn!(
path = %path.display(),
error = %e,
"applied pushed CRL but failed to persist to disk"
);
}
}
*self.last_applied.write().await = Some(crl);
tracing::info!(entries = count, "CRL applied from server push (in-band)");
}
Err(e) => {
tracing::warn!(
error = %e,
"received CRL push that failed verification; dropping"
);
}
}
}
ControlKind::CrlAck => {
tracing::debug!("server CRL ack received (unexpected — client does not push CRLs)");
}
// v3.1 circuit-setup envelopes (ExtendBridge / CircuitReady / CircuitFailed) are only
// meaningful during multi-hop dial (see [`crate::circuit`]). By the time this wrapper
// sees a connection the circuit (if any) is already established, so any late envelopes
// are a no-op here.
ControlKind::ExtendBridge | ControlKind::CircuitReady | ControlKind::CircuitFailed => {
tracing::debug!(
kind = ?kind,
"unexpected circuit-setup control envelope on established connection; ignoring"
);
}
ControlKind::Unknown(b) => {
tracing::debug!(kind = b, "unknown control envelope kind; ignoring");
}
}
}
}
/// Write the plain (unsigned) CRL to `path` so the next client startup can apply it via
/// [`CrlStore::load`].
fn persist_crl(crl: &CrlStore, path: &Path) -> anyhow::Result<()> {
if let Some(parent) = path.parent() {
if !parent.as_os_str().is_empty() {
std::fs::create_dir_all(parent)?;
}
}
crl.save(path)
}
#[async_trait::async_trait]
impl PacketConnection for AcceptPushedCrlConn {
async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()> {
// Client never sends control envelopes; pass through verbatim.
self.inner.send_packet(packet).await
}
async fn recv_packet(&self) -> anyhow::Result<Vec<u8>> {
// Loop until we find a real IP packet. Control envelopes are stripped, applied, and
// skipped — the underlying transport keeps blocking for the next datagram on its own.
loop {
let pkt = self.inner.recv_packet().await?;
match decode_control_envelope(&pkt) {
Ok(Some((kind, payload))) => {
self.handle_control(kind, payload).await;
// Continue the loop to deliver the *next* real packet to the caller.
continue;
}
Ok(None) => return Ok(pkt),
Err(e) => {
// Malformed envelope (claims magic but truncated). Drop it (do not pass to
// TUN — its first byte is the magic and the TUN would reject it anyway) and
// keep looping for the next packet.
tracing::warn!(error = %e, "malformed control envelope; dropping");
continue;
}
}
}
}
}
#[cfg(test)]
mod tests {
use super::*;
use std::collections::VecDeque;
use aura_pki::AuraCa;
use tokio::sync::Mutex;
/// In-memory mock PacketConnection where `recv_packet` drains a FIFO of pre-loaded buffers and
/// `send_packet` appends to a Vec we can inspect.
struct MockConn {
to_recv: Mutex<VecDeque<Vec<u8>>>,
sent: Mutex<Vec<Vec<u8>>>,
}
impl MockConn {
fn new(packets: impl IntoIterator<Item = Vec<u8>>) -> Self {
Self {
to_recv: Mutex::new(packets.into_iter().collect()),
sent: Mutex::new(Vec::new()),
}
}
}
#[async_trait::async_trait]
impl PacketConnection for MockConn {
async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()> {
self.sent.lock().await.push(packet.to_vec());
Ok(())
}
async fn recv_packet(&self) -> anyhow::Result<Vec<u8>> {
self.to_recv
.lock()
.await
.pop_front()
.ok_or_else(|| anyhow::anyhow!("mock conn drained"))
}
}
/// A pushed-CRL envelope is decoded, verified, applied, and stripped from the recv stream;
/// the next call returns the next real IP packet.
#[tokio::test]
async fn intercepts_crl_push_and_applies() {
// Build a CA, sign a CRL of {"alice"}.
let ca = AuraCa::generate("Aura Test").unwrap();
let ca_cert_pem = ca.ca_cert_pem();
// We need the CA key PEM. AuraCa does not expose it directly; round-trip via save/load.
let cert_path =
std::env::temp_dir().join(format!("aura-pki-test-{}-ca.crt", uuid::Uuid::new_v4()));
let key_path =
std::env::temp_dir().join(format!("aura-pki-test-{}-ca.key", uuid::Uuid::new_v4()));
ca.save(&cert_path, &key_path).unwrap();
let ca_key_pem = std::fs::read_to_string(&key_path).unwrap();
let mut crl = CrlStore::new();
crl.revoke("alice");
let signed = crl.encode_signed(&ca_cert_pem, &ca_key_pem).unwrap();
let envelope = encode_control_envelope(ControlKind::CrlPush, &signed);
// Build the inner mock: first packet is the CRL envelope, second is a real IPv4 packet.
let ipv4 = vec![0x45u8, 0x00, 0x00, 0x14, 0xab, 0xcd];
let inner: Arc<dyn PacketConnection> = Arc::new(MockConn::new([envelope, ipv4.clone()]));
// Cache to a temp file so we also exercise persistence.
let cache_path =
std::env::temp_dir().join(format!("aura-pki-test-{}-cached.crl", uuid::Uuid::new_v4()));
let wrap =
AcceptPushedCrlConn::new(inner, ca_cert_pem.clone(), Some(cache_path.clone()), true);
// First recv: the envelope is consumed; the next packet (real IPv4) is returned.
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, ipv4);
// CRL was applied to the wrapper's last_applied slot.
let applied = wrap.last_applied().read().await.clone();
assert!(applied.is_some(), "CRL should have been applied");
let applied = applied.unwrap();
assert!(applied.contains("alice"));
// And persisted on disk in the v1 plain format.
let from_disk = CrlStore::load(&cache_path).unwrap();
assert!(from_disk.contains("alice"));
let _ = std::fs::remove_file(cache_path);
let _ = std::fs::remove_file(cert_path);
let _ = std::fs::remove_file(key_path);
}
/// A CRL push signed by a different CA must be dropped, the slot remains None, and the next
/// real packet is still delivered.
#[tokio::test]
async fn rejects_crl_signed_by_wrong_ca() {
let real = AuraCa::generate("Real").unwrap();
let rogue = AuraCa::generate("Rogue").unwrap();
let rogue_cert =
std::env::temp_dir().join(format!("aura-pki-test-{}-r.crt", uuid::Uuid::new_v4()));
let rogue_key =
std::env::temp_dir().join(format!("aura-pki-test-{}-r.key", uuid::Uuid::new_v4()));
rogue.save(&rogue_cert, &rogue_key).unwrap();
let rogue_key_pem = std::fs::read_to_string(&rogue_key).unwrap();
let rogue_cert_pem = std::fs::read_to_string(&rogue_cert).unwrap();
// Sign a CRL with the rogue CA but offer it to a client that trusts only `real`.
let mut crl = CrlStore::new();
crl.revoke("alice");
let signed = crl.encode_signed(&rogue_cert_pem, &rogue_key_pem).unwrap();
let envelope = encode_control_envelope(ControlKind::CrlPush, &signed);
let ipv4 = vec![0x45u8, 0x00, 0x00, 0x14];
let inner: Arc<dyn PacketConnection> = Arc::new(MockConn::new([envelope, ipv4.clone()]));
let wrap = AcceptPushedCrlConn::new(inner, real.ca_cert_pem(), None, true);
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, ipv4, "envelope dropped, real packet still delivered");
assert!(
wrap.last_applied().read().await.is_none(),
"no CRL should have been applied"
);
let _ = std::fs::remove_file(rogue_cert);
let _ = std::fs::remove_file(rogue_key);
}
/// When `accept = false`, the envelope is still stripped from the stream (so it does not
/// pollute the TUN) but is NOT applied or persisted.
#[tokio::test]
async fn accept_false_strips_but_does_not_apply() {
let ca = AuraCa::generate("Aura").unwrap();
let ca_cert_pem = ca.ca_cert_pem();
let cert_path = std::env::temp_dir().join(format!("aura-{}-c.crt", uuid::Uuid::new_v4()));
let key_path = std::env::temp_dir().join(format!("aura-{}-c.key", uuid::Uuid::new_v4()));
ca.save(&cert_path, &key_path).unwrap();
let ca_key_pem = std::fs::read_to_string(&key_path).unwrap();
let mut crl = CrlStore::new();
crl.revoke("alice");
let signed = crl.encode_signed(&ca_cert_pem, &ca_key_pem).unwrap();
let envelope = encode_control_envelope(ControlKind::CrlPush, &signed);
let ipv4 = vec![0x45u8, 0x00, 0x00, 0x14];
let inner: Arc<dyn PacketConnection> = Arc::new(MockConn::new([envelope, ipv4.clone()]));
let wrap = AcceptPushedCrlConn::new(inner, ca_cert_pem, None, false);
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, ipv4);
assert!(wrap.last_applied().read().await.is_none());
let _ = std::fs::remove_file(cert_path);
let _ = std::fs::remove_file(key_path);
}
/// Two real packets in a row pass through unchanged.
#[tokio::test]
async fn passes_real_packets_through() {
let real = AuraCa::generate("Real").unwrap();
let ipv4 = vec![0x45u8, 0x00, 0x00, 0x14];
let ipv6 = vec![0x60u8, 0x00, 0x00, 0x00];
let inner: Arc<dyn PacketConnection> =
Arc::new(MockConn::new([ipv4.clone(), ipv6.clone()]));
let wrap = AcceptPushedCrlConn::new(inner, real.ca_cert_pem(), None, true);
assert_eq!(wrap.recv_packet().await.unwrap(), ipv4);
assert_eq!(wrap.recv_packet().await.unwrap(), ipv6);
}
/// send_packet always passes through to the inner connection (the client never originates
/// control envelopes — only the server does).
#[tokio::test]
async fn send_packet_passes_through() {
let real = AuraCa::generate("Real").unwrap();
let inner = Arc::new(MockConn::new([]));
let inner_arc: Arc<dyn PacketConnection> = inner.clone();
let wrap = AcceptPushedCrlConn::new(Arc::clone(&inner_arc), real.ca_cert_pem(), None, true);
wrap.send_packet(b"hello").await.unwrap();
let sent = inner.sent.lock().await.clone();
assert_eq!(sent, vec![b"hello".to_vec()]);
}
}
crates/aura-cli/src/dial_targets.rs
+189
View File
@@ -0,0 +1,189 @@
//! Helpers that turn `[client] server_addr + bridges` into the ordered list of [`Endpoints`] a
//! client should try in turn.
//!
//! ## Why
//!
//! A real-world Aura deployment often runs multiple servers (different IPs, same CA). The
//! `[client]` section now accepts a `bridges = [...]` list of additional server addresses; when
//! the primary `server_addr` cannot be reached on any transport, the client retries against each
//! bridge in turn. The bridge order is shuffled per-process so a flapping primary does not always
//! pin clients to the same fallback (the "thundering herd to bridge[0]" failure mode).
//!
//! The transport per-port mapping (`udp_port` / `tcp_port` / `quic_port`) is identical across all
//! bridges — only the destination IP changes — so a bridge is just a copy of the primary
//! [`Endpoints`] with each `SocketAddr` rewritten in place.
//!
//! ## Scope
//!
//! This module only builds the candidate list. The actual sequential dial loop lives in
//! [`crate::client::run`]; it iterates the returned `Vec<Endpoints>` and, for each entry, calls
//! [`aura_transport::dial`] with the shared [`DialConfig`] template, returning on the first
//! successful connect.
//!
//! Each bridge string is parsed as either:
//!
//! * `"IP:port"` — the port is *ignored* (transports use the `[transport]` per-mode ports), the
//! IP is taken;
//! * `"IP"` — taken as is.
//!
//! Unparseable bridges are skipped with a `tracing::warn!`.
use std::net::{IpAddr, SocketAddr};
use aura_transport::Endpoints;
/// Build the ordered list of [`Endpoints`] the client should attempt in turn.
///
/// * The **first** entry is always the primary `server_addr` from the config (so the deterministic
/// "primary first" expectation holds).
/// * Subsequent entries are the parsed `bridges`, shuffled into a random order using a
/// `SystemTime`-derived seed (no `rand` dep). Each bridge inherits the primary's per-transport
/// ports; only the IP changes.
///
/// Invalid bridge strings are silently skipped (after a `warn!` log line via the caller — the
/// helper itself stays pure).
#[must_use]
pub fn build_dial_targets(primary: &Endpoints, bridges: &[String]) -> Vec<Endpoints> {
let mut out = Vec::with_capacity(1 + bridges.len());
out.push(primary.clone());
// Parse every bridge string into an IpAddr, dropping the ones that fail to parse.
let mut parsed: Vec<IpAddr> = bridges.iter().filter_map(|s| parse_bridge_ip(s)).collect();
// Shuffle the remaining bridges. We avoid pulling in `rand` for this single shuffle — a tiny
// FisherYates seeded from the wall-clock nanoseconds is sufficient to break the thundering
// herd. Deterministic across a single dial attempt; differs between processes / second-ticks.
shuffle_in_place(&mut parsed);
for ip in parsed {
out.push(endpoints_with_ip(primary, ip));
}
out
}
/// Parse a single bridge string. Accepts `"IP"` or `"IP:port"` (the port is ignored).
fn parse_bridge_ip(s: &str) -> Option<IpAddr> {
let trimmed = s.trim();
if trimmed.is_empty() {
return None;
}
if let Ok(addr) = trimmed.parse::<SocketAddr>() {
return Some(addr.ip());
}
trimmed.parse::<IpAddr>().ok()
}
/// Replace the IP of every populated transport socket in `primary` with `ip`, leaving the ports
/// (and the None-ness of disabled transports) intact.
fn endpoints_with_ip(primary: &Endpoints, ip: IpAddr) -> Endpoints {
let rewrite = |addr: Option<SocketAddr>| addr.map(|sa| SocketAddr::new(ip, sa.port()));
Endpoints {
udp: rewrite(primary.udp),
tcp: rewrite(primary.tcp),
quic: rewrite(primary.quic),
}
}
/// Tiny in-place FisherYates shuffle using a `SystemTime`-derived seed.
fn shuffle_in_place<T>(v: &mut [T]) {
if v.len() < 2 {
return;
}
// Wall-clock nanoseconds give us a low-quality but sufficient seed for breaking ties between
// bridges — we don't need cryptographic randomness here, just a different order across runs.
let mut state: u64 = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.map(|d| d.as_nanos() as u64)
.unwrap_or(0xa5a5_a5a5_a5a5_a5a5)
.wrapping_mul(0x9E37_79B9_7F4A_7C15)
.wrapping_add(1);
for i in (1..v.len()).rev() {
// xorshift64*
state ^= state << 13;
state ^= state >> 7;
state ^= state << 17;
let j = (state as usize) % (i + 1);
v.swap(i, j);
}
}
#[cfg(test)]
mod tests {
use super::*;
use std::collections::HashSet;
fn endpoints(udp: &str, tcp: &str, quic: &str) -> Endpoints {
Endpoints {
udp: Some(udp.parse().unwrap()),
tcp: Some(tcp.parse().unwrap()),
quic: Some(quic.parse().unwrap()),
}
}
/// No bridges → only the primary is returned, untouched.
#[test]
fn no_bridges_yields_only_primary() {
let p = endpoints("203.0.113.10:443", "203.0.113.10:443", "203.0.113.10:444");
let targets = build_dial_targets(&p, &[]);
assert_eq!(targets.len(), 1);
assert_eq!(targets[0].udp, p.udp);
assert_eq!(targets[0].tcp, p.tcp);
assert_eq!(targets[0].quic, p.quic);
}
/// With bridges, the primary is always first and bridges keep the primary's per-transport
/// ports but use the bridge IP.
#[test]
fn bridges_inherit_primary_ports() {
let p = endpoints("203.0.113.10:443", "203.0.113.10:443", "203.0.113.10:444");
let targets = build_dial_targets(
&p,
&["203.0.113.11".to_string(), "203.0.113.12:9999".to_string()],
);
assert_eq!(targets.len(), 3, "primary + two bridges");
assert_eq!(targets[0].udp.unwrap().port(), 443);
// Each bridge entry must keep the primary's per-transport ports (the bridge `:9999` is
// ignored — transports always use [transport] ports).
for t in &targets[1..] {
assert_eq!(t.udp.unwrap().port(), 443);
assert_eq!(t.tcp.unwrap().port(), 443);
assert_eq!(t.quic.unwrap().port(), 444);
}
// The two bridge IPs both show up among the non-primary entries.
let bridge_ips: HashSet<IpAddr> =
targets[1..].iter().map(|e| e.udp.unwrap().ip()).collect();
assert!(bridge_ips.contains(&"203.0.113.11".parse::<IpAddr>().unwrap()));
assert!(bridge_ips.contains(&"203.0.113.12".parse::<IpAddr>().unwrap()));
}
/// Bad bridges are skipped (no panic, no None entries returned).
#[test]
fn invalid_bridges_skipped() {
let p = endpoints("203.0.113.10:443", "203.0.113.10:443", "203.0.113.10:444");
let targets = build_dial_targets(
&p,
&[
"not-an-ip".to_string(),
"".to_string(),
"203.0.113.20".to_string(),
],
);
assert_eq!(targets.len(), 2, "primary + one valid bridge");
assert_eq!(targets[1].udp.unwrap().ip().to_string(), "203.0.113.20");
}
/// A disabled transport (None in primary) stays None across all bridges.
#[test]
fn disabled_transport_propagates() {
let p = Endpoints {
udp: Some("203.0.113.10:443".parse().unwrap()),
tcp: None,
quic: Some("203.0.113.10:444".parse().unwrap()),
};
let targets = build_dial_targets(&p, &["203.0.113.11".to_string()]);
assert!(targets[0].tcp.is_none());
assert!(targets[1].tcp.is_none());
assert!(targets[1].udp.is_some());
assert!(targets[1].quic.is_some());
}
}
crates/aura-cli/src/init.rs
+551
View File
@@ -0,0 +1,551 @@
//! `aura server-init` and `aura provision-client`: one-shot bootstrap and per-client provisioning.
//!
//! ## Motivation
//!
//! Aura v1 left every step of server bring-up to the operator: generate a CA, issue a server
//! cert, write a server.toml by hand, manually configure NAT, then for every client repeat the
//! cert issuance and hand-author a client.toml. Each manual step is an opportunity to leak a real
//! hostname / username / SAN into a config file — exactly the kind of data Russian operators are
//! now compelled to forward on request.
//!
//! These two helpers collapse the entire workflow into two commands:
//!
//! * [`server_init`] — generate the CA, issue the server cert, optionally auto-detect the egress
//! interface, and write a ready-to-run `server.toml`. Optional anti-surveillance toggles
//! (`enable_knock`, `enable_cover_traffic`) and `no_logs` switch on the corresponding TOML
//! sections.
//! * [`provision_client`] — generate a UUID-v4 id (or accept one), issue the matching client
//! cert, and assemble a bundle directory with `ca.crt`, `client.crt`, `client.key`, and a
//! pre-rendered `client.toml`. The operator hands the directory to the client over any secure
//! channel.
//!
//! Both helpers are pure functions (no clap parsing inside them) so the integration tests can
//! drive them directly without spawning the binary. The clap layer in `main.rs` is a thin wrapper.
use std::path::{Path, PathBuf};
use anyhow::{anyhow, Context};
use crate::os_routes::detect_default_egress_iface;
use crate::pki;
// ---- server_init -----------------------------------------------------------------------------
/// Inputs to [`server_init`]. Mirrors the `aura server-init` flag set; see the module docs.
#[derive(Debug, Clone)]
pub struct ServerInitOpts {
/// DNS name placed in the server cert's SAN and used as the client-side `[client] sni`.
pub domain: String,
/// Output directory for the CA + server cert/key.
pub pki_dir: PathBuf,
/// Listen IP for `[server] listen` and `[transport]` bindings. Default `0.0.0.0`.
pub listen_ip: String,
/// UDP transport port. Default 443.
pub udp_port: u16,
/// TCP fallback port. Default 443.
pub tcp_port: u16,
/// QUIC fallback port. Default 444. Must differ from `udp_port`.
pub quic_port: u16,
/// VPN address pool. Default `10.7.0.0/24`.
pub pool_cidr: String,
/// Optional explicit egress interface for `[server.nat] egress_iface`. When `None`, the
/// helper tries [`detect_default_egress_iface`]; when both fail, `[server.nat]` is omitted.
pub egress_iface: Option<String>,
/// Path to write the rendered `server.toml`.
pub out_config: PathBuf,
/// Enable `[transport.knock]` (`enabled = true`, `knock_secret_source = "ca_fingerprint"`).
pub enable_knock: bool,
/// Enable `[transport.cover]` (`enabled = true`, default interval / jitter).
pub enable_cover_traffic: bool,
/// Disable `[server.nat]` even if an egress iface is known. Useful when the operator runs
/// the host behind an existing NAT (router, cloud LB, ...).
pub no_nat: bool,
/// Optional non-root user to drop privileges to (`[server] run_as`).
pub run_as: Option<String>,
/// When `true`, refuse to overwrite an existing CA / server.toml. When `false`, missing
/// files are written and existing files are overwritten (use with care).
pub force: bool,
}
impl ServerInitOpts {
/// Defaults matching the `aura server-init` flag defaults.
pub fn new(domain: impl Into<String>, pki_dir: impl Into<PathBuf>) -> Self {
Self {
domain: domain.into(),
pki_dir: pki_dir.into(),
listen_ip: "0.0.0.0".to_string(),
udp_port: 443,
tcp_port: 443,
quic_port: 444,
pool_cidr: "10.7.0.0/24".to_string(),
egress_iface: None,
out_config: PathBuf::from("/etc/aura/server.toml"),
enable_knock: false,
enable_cover_traffic: false,
no_nat: false,
run_as: None,
force: false,
}
}
}
/// Summary of what [`server_init`] did, useful for the CLI to print a "next steps" message.
#[derive(Debug, Clone)]
pub struct ServerInitReport {
/// Path of the generated CA cert (always `<pki_dir>/ca.crt`).
pub ca_cert: PathBuf,
/// Path of the generated CA key (always `<pki_dir>/ca.key`).
pub ca_key: PathBuf,
/// Path of the generated server cert.
pub server_cert: PathBuf,
/// Path of the generated server key.
pub server_key: PathBuf,
/// Path of the rendered server.toml.
pub server_config: PathBuf,
/// Egress interface that ended up in `[server.nat]`, or `None` if the section was omitted.
pub nat_egress_iface: Option<String>,
}
/// Run the full server-init workflow. Pure: returns a [`ServerInitReport`] without printing.
///
/// 1. Create `pki_dir`, write `ca.crt` + `ca.key`.
/// 2. Create a `pki_dir/server/` subdir and write `server.crt` + `server.key` for `domain`.
/// 3. Resolve the egress iface (explicit > auto-detected). If `no_nat` is set the result is
/// treated as `None`.
/// 4. Render a `server.toml` reflecting every option and write it to `out_config`. Parent
/// directories are created.
pub fn server_init(opts: &ServerInitOpts) -> anyhow::Result<ServerInitReport> {
let pki_dir = &opts.pki_dir;
let ca_cert = pki_dir.join(pki::CA_CERT);
let ca_key = pki_dir.join(pki::CA_KEY);
// 1. CA: refuse to clobber an existing CA unless --force.
if (ca_cert.exists() || ca_key.exists()) && !opts.force {
return Err(anyhow!(
"CA already exists at {}/{{ca.crt,ca.key}}; pass --force to overwrite",
pki_dir.display()
));
}
let (ca_cert_path, ca_key_path) =
pki::init(&format!("Aura CA for {}", opts.domain), pki_dir).context("initialising CA")?;
// 2. Server cert.
let server_dir = pki_dir.join("server");
let server_cert_path = server_dir.join("server.crt");
let server_key_path = server_dir.join("server.key");
if (server_cert_path.exists() || server_key_path.exists()) && !opts.force {
return Err(anyhow!(
"server cert already exists at {}; pass --force to overwrite",
server_dir.display()
));
}
let (server_cert, server_key) =
pki::issue_server(&opts.domain, &server_dir, pki_dir).context("issuing server cert")?;
// 3. Egress iface: explicit > auto-detected > None.
let nat_egress = if opts.no_nat {
None
} else {
opts.egress_iface
.clone()
.or_else(detect_default_egress_iface)
};
// 4. Render server.toml.
if opts.out_config.exists() && !opts.force {
return Err(anyhow!(
"{} already exists; pass --force to overwrite",
opts.out_config.display()
));
}
let toml_text = render_server_toml(opts, &ca_cert_path, &server_cert, &server_key, &nat_egress);
if let Some(parent) = opts.out_config.parent() {
if !parent.as_os_str().is_empty() {
std::fs::create_dir_all(parent)
.with_context(|| format!("creating config dir {}", parent.display()))?;
}
}
std::fs::write(&opts.out_config, toml_text)
.with_context(|| format!("writing {}", opts.out_config.display()))?;
Ok(ServerInitReport {
ca_cert: ca_cert_path,
ca_key: ca_key_path,
server_cert,
server_key,
server_config: opts.out_config.clone(),
nat_egress_iface: nat_egress,
})
}
/// Render the `server.toml` document for `opts`. Public for tests that want to parse-roundtrip.
pub fn render_server_toml(
opts: &ServerInitOpts,
ca_cert: &Path,
server_cert: &Path,
server_key: &Path,
nat_egress: &Option<String>,
) -> String {
let mut s = String::new();
s.push_str(
"# Generated by `aura server-init`. Edit by hand if you know what you're doing.\n\n",
);
s.push_str("[server]\n");
s.push_str("name = \"aura-server\"\n");
s.push_str(&format!(
"listen = \"{}:{}\"\n",
opts.listen_ip, opts.udp_port
));
s.push_str("workers = 4\n");
s.push_str("no_logs = false\n");
if let Some(user) = &opts.run_as {
s.push_str(&format!("run_as = \"{}\"\n", user));
}
s.push('\n');
s.push_str("[pki]\n");
s.push_str(&format!("ca_cert = \"{}\"\n", ca_cert.display()));
s.push_str(&format!("cert = \"{}\"\n", server_cert.display()));
s.push_str(&format!("key = \"{}\"\n", server_key.display()));
s.push('\n');
s.push_str("[tunnel]\n");
s.push_str(&format!("pool_cidr = \"{}\"\n", opts.pool_cidr));
s.push_str("mtu = 1420\n\n");
s.push_str("[server.pool]\n");
s.push_str(&format!("cidr = \"{}\"\n", opts.pool_cidr));
s.push_str("strategy = \"static_or_dynamic\"\n\n");
if let Some(iface) = nat_egress {
s.push_str("[server.nat]\n");
s.push_str("auto = true\n");
s.push_str(&format!("egress_iface = \"{}\"\n", iface));
s.push_str("dry_run = false\n\n");
}
s.push_str("[mimicry]\n");
s.push_str(&format!("sni = \"{}\"\n", opts.domain));
s.push_str("padding = true\n\n");
s.push_str("[transport]\n");
s.push_str("order = [\"udp\", \"tcp\", \"quic\"]\n");
s.push_str(&format!("udp_port = {}\n", opts.udp_port));
s.push_str(&format!("tcp_port = {}\n", opts.tcp_port));
s.push_str(&format!("quic_port = {}\n", opts.quic_port));
s.push_str("obfuscate = true\n");
s.push_str("masquerade = true\n\n");
s.push_str("[transport.masks]\n");
s.push_str("enabled = true\n\n");
s.push_str("[transport.knock]\n");
s.push_str(&format!(
"enabled = {}\n",
if opts.enable_knock { "true" } else { "false" }
));
s.push_str("knock_secret_source = \"ca_fingerprint\"\n\n");
s.push_str("[transport.cover]\n");
s.push_str(&format!(
"enabled = {}\n",
if opts.enable_cover_traffic {
"true"
} else {
"false"
}
));
s.push_str("mean_interval_ms = 500\n");
s.push_str("jitter = 0.5\n");
s
}
// ---- provision_client ------------------------------------------------------------------------
/// Inputs to [`provision_client`].
#[derive(Debug, Clone)]
pub struct ProvisionClientOpts {
/// Optional client id (CN). When `None`, a fresh UUID v4 is generated.
pub id: Option<String>,
/// Path to the CA directory (`ca.crt` + `ca.key`).
pub ca_dir: PathBuf,
/// Server IP placed in the `[client] server_addr`.
pub server_addr: String,
/// Server SAN / SNI, placed in `[client] sni` and used as the inner-handshake server name.
pub server_name: String,
/// Per-transport ports — must match the server's `[transport]` values.
pub udp_port: u16,
pub tcp_port: u16,
pub quic_port: u16,
/// Tunnel-side IP placed in `[tunnel] local_ip`. Must fall inside the server's pool.
pub tun_ip: String,
/// Tunnel prefix length.
pub tun_prefix: u8,
/// Output bundle directory.
pub out_dir: PathBuf,
/// Enable `[transport.knock]` in the bundled client.toml. Must match the server.
pub enable_knock: bool,
/// Enable `[transport.cover]` in the bundled client.toml. Must match the server.
pub enable_cover_traffic: bool,
/// Optional bridge addresses (`bridges = [...]`).
pub bridges: Vec<String>,
/// v3.2: when set to `Some(N)` with `N >= 2`, generate **N independent client certificates**
/// (one UUID-v4 CN per cert) named `circuit-hop-0.crt` / `.key`, `circuit-hop-1.crt` / `.key`,
/// ..., `circuit-hop-{N-1}.crt` / `.key` inside the bundle. Each cert is rendered as a
/// `[[client.circuit.hops]]` table in the bundled `client.toml`, with `cert_path` / `key_path`
/// pointing at the freshly-issued file. This is what makes the v3.2 entry-relay and the exit
/// see *different* certificate CNs and therefore unable to link the two handshakes by
/// identity. The hop addresses are NOT filled in here — the operator must edit them into
/// the rendered `client.toml` before use.
pub circuit_hops: Option<usize>,
/// When `true`, overwrite existing files in `out_dir`. Default `false` errors.
pub force: bool,
}
impl ProvisionClientOpts {
/// Build with required fields; everything else defaults to the matching `aura provision-client`
/// flag defaults.
pub fn new(
ca_dir: impl Into<PathBuf>,
server_addr: impl Into<String>,
server_name: impl Into<String>,
tun_ip: impl Into<String>,
out_dir: impl Into<PathBuf>,
) -> Self {
Self {
id: None,
ca_dir: ca_dir.into(),
server_addr: server_addr.into(),
server_name: server_name.into(),
udp_port: 443,
tcp_port: 443,
quic_port: 444,
tun_ip: tun_ip.into(),
tun_prefix: 24,
out_dir: out_dir.into(),
enable_knock: false,
enable_cover_traffic: false,
bridges: Vec::new(),
circuit_hops: None,
force: false,
}
}
}
/// Summary of what [`provision_client`] produced — the assigned id and the bundle paths.
#[derive(Debug, Clone)]
pub struct ProvisionClientReport {
/// Assigned client id (the certificate's CN). Always populated; matches `opts.id` when set.
pub id: String,
/// Bundle directory (== `opts.out_dir`).
pub bundle_dir: PathBuf,
/// CA cert copied into the bundle.
pub ca_cert: PathBuf,
/// Client cert.
pub client_cert: PathBuf,
/// Client key.
pub client_key: PathBuf,
/// Rendered client.toml.
pub client_config: PathBuf,
/// v3.2: per-hop circuit cert/key pairs (one per hop in `circuit_hops`). Empty when
/// `opts.circuit_hops` is `None`. Each tuple is `(cn, cert_path, key_path)`; `cn` is a
/// freshly-generated UUID v4 distinct from the main `id` above.
pub circuit_hop_certs: Vec<(String, PathBuf, PathBuf)>,
}
/// Run the provision-client workflow. Pure: returns a [`ProvisionClientReport`] without printing.
///
/// 1. Compute the id (UUID v4 if `opts.id` is None).
/// 2. Issue the client cert into `out_dir/`.
/// 3. Copy the CA cert into `out_dir/ca.crt`.
/// 4. Render a `client.toml` referencing the files in `out_dir` and write it.
pub fn provision_client(opts: &ProvisionClientOpts) -> anyhow::Result<ProvisionClientReport> {
if opts.out_dir.exists() && !opts.force {
// Allow the directory to exist if it is empty; refuse only if it has files.
let has_content = std::fs::read_dir(&opts.out_dir)
.map(|mut it| it.next().is_some())
.unwrap_or(false);
if has_content {
return Err(anyhow!(
"bundle directory {} is not empty; pass --force to overwrite",
opts.out_dir.display()
));
}
}
std::fs::create_dir_all(&opts.out_dir)
.with_context(|| format!("creating bundle dir {}", opts.out_dir.display()))?;
// 1 + 2: issue cert (assigns id if missing).
let (id, client_cert, client_key) =
pki::issue_client_with_id(opts.id.as_deref(), &opts.out_dir, &opts.ca_dir)
.context("issuing client cert")?;
// 3: copy CA cert into the bundle so the client has everything in one place.
let bundled_ca = opts.out_dir.join("ca.crt");
let ca_src = opts.ca_dir.join(pki::CA_CERT);
std::fs::copy(&ca_src, &bundled_ca)
.with_context(|| format!("copying {} -> {}", ca_src.display(), bundled_ca.display()))?;
// 3.5 (v3.2): when --circuit-hops N is set, issue N independent client certs (UUID-v4 CN
// each) named circuit-hop-{i}.crt / .key. Each cert gets its own random CN so the entry-relay
// and the exit cannot link the two handshakes by identity. We use a per-hop stem rather than
// a separate subdirectory so a flat bundle directory stays readable.
let mut circuit_hop_certs: Vec<(String, PathBuf, PathBuf)> = Vec::new();
if let Some(n) = opts.circuit_hops {
if n < 2 {
return Err(anyhow!(
"--circuit-hops requires N >= 2 (got {n}); v3.2 supports 2 or 3 hops"
));
}
for i in 0..n {
// Generate a fresh UUID v4 per hop (NOT the main `id`).
let cn = uuid::Uuid::new_v4().to_string();
let stem = format!("circuit-hop-{i}");
let (cert, key) = pki::issue_client(&cn, &opts.out_dir, &opts.ca_dir)
.with_context(|| format!("issuing v3.2 circuit hop-{i} client cert (cn = {cn})"))?;
// Rename client.crt / client.key from `issue_client` (which writes to a fixed stem)
// into our per-hop names. issue_client uses write_leaf with stem "client", so it
// emits client.crt / client.key — rename to circuit-hop-{i}.crt / .key.
let new_cert = opts.out_dir.join(format!("{stem}.crt"));
let new_key = opts.out_dir.join(format!("{stem}.key"));
std::fs::rename(&cert, &new_cert).with_context(|| {
format!("renaming {} -> {}", cert.display(), new_cert.display())
})?;
std::fs::rename(&key, &new_key)
.with_context(|| format!("renaming {} -> {}", key.display(), new_key.display()))?;
circuit_hop_certs.push((cn, new_cert, new_key));
}
}
// 4: render client.toml. Use file names (not absolute paths) so the bundle is portable —
// the client can drop the whole directory anywhere and `cd` in to run `aura client`.
let toml_text = render_client_toml(opts, &id, &circuit_hop_certs);
let client_config = opts.out_dir.join("client.toml");
std::fs::write(&client_config, toml_text)
.with_context(|| format!("writing {}", client_config.display()))?;
Ok(ProvisionClientReport {
id,
bundle_dir: opts.out_dir.clone(),
ca_cert: bundled_ca,
client_cert,
client_key,
client_config,
circuit_hop_certs,
})
}
/// Render the `client.toml` document for `opts` + the assigned `id`. Public for tests that want
/// to parse-roundtrip the output without going through the full filesystem dance.
///
/// When `circuit_hop_certs` is non-empty, append a `[client.circuit]` block followed by one
/// `[[client.circuit.hops]]` table per hop. The hop **addresses are placeholders** (`<EDIT-ME>`)
/// because `provision-client` does not know the relay topology — the operator MUST fill in real
/// `IP:port` strings before running `aura client`.
pub fn render_client_toml(
opts: &ProvisionClientOpts,
id: &str,
circuit_hop_certs: &[(String, std::path::PathBuf, std::path::PathBuf)],
) -> String {
let mut s = String::new();
s.push_str(
"# Generated by `aura provision-client`. Edit by hand if you know what you're doing.\n\n",
);
s.push_str("[client]\n");
s.push_str(&format!("name = \"{}\"\n", id));
s.push_str(&format!(
"server_addr = \"{}:{}\"\n",
opts.server_addr, opts.udp_port
));
s.push_str(&format!("sni = \"{}\"\n", opts.server_name));
s.push_str("no_logs = false\n");
if !opts.bridges.is_empty() {
s.push_str("bridges = [");
let formatted: Vec<String> = opts.bridges.iter().map(|b| format!("\"{}\"", b)).collect();
s.push_str(&formatted.join(", "));
s.push_str("]\n");
}
s.push('\n');
s.push_str("[pki]\n");
s.push_str("ca_cert = \"ca.crt\"\n");
s.push_str("cert = \"client.crt\"\n");
s.push_str("key = \"client.key\"\n\n");
s.push_str("[tunnel]\n");
s.push_str("tun_name = \"aura0\"\n");
s.push_str(&format!("local_ip = \"{}\"\n", opts.tun_ip));
s.push_str(&format!("prefix = {}\n", opts.tun_prefix));
s.push_str("mtu = 1420\n\n");
s.push_str("[tunnel.split]\n");
s.push_str("default = \"VPN\"\n\n");
s.push_str("[mimicry]\n");
s.push_str("padding = true\n\n");
s.push_str("[transport]\n");
s.push_str("order = [\"udp\", \"tcp\", \"quic\"]\n");
s.push_str(&format!("udp_port = {}\n", opts.udp_port));
s.push_str(&format!("tcp_port = {}\n", opts.tcp_port));
s.push_str(&format!("quic_port = {}\n", opts.quic_port));
s.push_str("obfuscate = true\n");
s.push_str("masquerade = true\n\n");
s.push_str("[transport.masks]\n");
s.push_str("enabled = true\n\n");
s.push_str("[transport.knock]\n");
s.push_str(&format!(
"enabled = {}\n",
if opts.enable_knock { "true" } else { "false" }
));
s.push_str("knock_secret_source = \"ca_fingerprint\"\n\n");
s.push_str("[transport.cover]\n");
s.push_str(&format!(
"enabled = {}\n",
if opts.enable_cover_traffic {
"true"
} else {
"false"
}
));
s.push_str("mean_interval_ms = 500\n");
s.push_str("jitter = 0.5\n");
// v3.2: append the [client.circuit] block if --circuit-hops was passed. The hop addresses
// are placeholders — the operator fills them in before running `aura client`.
if !circuit_hop_certs.is_empty() {
s.push('\n');
s.push_str("# v3.2 multi-hop: per-hop client certificates were generated by\n");
s.push_str("# `aura provision-client --circuit-hops N`. The entry-relay and the exit\n");
s.push_str("# (and any middle hop) see DIFFERENT certificate CNs — they cannot link\n");
s.push_str(
"# the two handshakes by identity. Fill in the `addr` fields below before use.\n",
);
s.push_str("[client.circuit]\n");
s.push_str("enabled = true\n");
s.push_str("cell_padding = true\n");
s.push_str("cell_size = 1280\n\n");
for (i, (cn, cert, key)) in circuit_hop_certs.iter().enumerate() {
s.push_str("[[client.circuit.hops]]\n");
s.push_str(&format!("# hop {i} — cn = {cn}\n"));
s.push_str("addr = \"<EDIT-ME-HOP-ADDR:PORT>\"\n");
let cert_name = cert
.file_name()
.map(|n| n.to_string_lossy().to_string())
.unwrap_or_else(|| cert.display().to_string());
let key_name = key
.file_name()
.map(|n| n.to_string_lossy().to_string())
.unwrap_or_else(|| key.display().to_string());
s.push_str(&format!("cert_path = \"{}\"\n", cert_name));
s.push_str(&format!("key_path = \"{}\"\n", key_name));
s.push('\n');
}
}
s
}
crates/aura-cli/src/lib.rs
+7
View File
@@ -14,13 +14,20 @@
pub mod admin;
pub mod bench;
pub mod cells;
pub mod circuit;
pub mod client;
pub mod config;
pub mod crl_push;
pub mod dial_targets;
pub mod init;
pub mod masks;
pub mod nat;
pub mod no_logs;
pub mod os_routes;
pub mod pki;
pub mod pool;
pub mod privdrop;
pub mod relay;
pub mod server;
pub mod server_router;
crates/aura-cli/src/main.rs
+262 -12
View File
@@ -17,9 +17,8 @@
use std::path::PathBuf;
use aura_cli::{admin, bench, client, pki, server};
use aura_cli::{admin, bench, client, init, no_logs, pki, server};
use clap::{Args, Parser, Subcommand};
use tracing_subscriber::EnvFilter;
use crate::admin::{Request, DEFAULT_SOCKET};
@@ -53,6 +52,15 @@ enum Command {
/// Quick crypto micro-benchmarks (KEM keygen/encaps/decaps, full handshake, AEAD).
BenchCrypto,
/// Bootstrap a new Aura server end-to-end: generate a CA + server cert, optionally auto-detect
/// the egress interface, and write a ready-to-run `server.toml`. See [`init::ServerInitOpts`].
ServerInit(ServerInitArgs),
/// Provision a new client: issue a client cert (UUID-v4 if `--id` is omitted), copy the CA,
/// and assemble a `client.toml` in a portable bundle directory. See
/// [`init::ProvisionClientOpts`].
ProvisionClient(ProvisionClientArgs),
}
/// `aura pki ...` subcommands.
@@ -81,9 +89,11 @@ enum PkiCommand {
},
/// Issue a client certificate (client.crt / client.key) with CN = <ID>.
IssueClient {
/// Client id placed in the certificate Common Name.
/// Client id placed in the certificate Common Name. When omitted, a fresh UUID v4 is
/// generated and used (and the assigned id is printed). This is the recommended path —
/// minting an opaque id keeps the cert from carrying a real username / hostname.
#[arg(long)]
id: String,
id: Option<String>,
/// Output directory for client.crt / client.key.
#[arg(long)]
out: PathBuf,
@@ -138,6 +148,107 @@ struct AdminConnArgs {
admin_socket: String,
}
/// Arguments for `aura server-init`.
#[derive(Debug, Args)]
struct ServerInitArgs {
/// DNS name placed in the server cert SAN; also the `[client] sni` value.
#[arg(long)]
domain: String,
/// Output directory for CA + server cert/key.
#[arg(long)]
pki_dir: PathBuf,
/// Listen IP for the server (default 0.0.0.0).
#[arg(long, default_value = "0.0.0.0")]
listen_ip: String,
/// UDP transport port (default 443).
#[arg(long, default_value_t = 443)]
udp_port: u16,
/// TCP fallback port (default 443).
#[arg(long, default_value_t = 443)]
tcp_port: u16,
/// QUIC fallback port (default 444). Must differ from --udp-port.
#[arg(long, default_value_t = 444)]
quic_port: u16,
/// VPN address pool (default 10.7.0.0/24).
#[arg(long, default_value = "10.7.0.0/24")]
pool_cidr: String,
/// Egress interface for [server.nat]. When omitted, auto-detected from the host default route.
#[arg(long)]
egress_iface: Option<String>,
/// Path to write the rendered server.toml.
#[arg(long)]
out_config: PathBuf,
/// Enable [transport.knock] in the rendered server.toml.
#[arg(long)]
enable_knock: bool,
/// Enable [transport.cover] in the rendered server.toml.
#[arg(long)]
enable_cover_traffic: bool,
/// Skip the [server.nat] section even if an egress interface is known.
#[arg(long)]
no_nat: bool,
/// Optional non-root user for [server] run_as.
#[arg(long)]
run_as: Option<String>,
/// Overwrite existing CA / server cert / config files.
#[arg(long)]
force: bool,
}
/// Arguments for `aura provision-client`.
#[derive(Debug, Args)]
struct ProvisionClientArgs {
/// Optional client id (CN). Default: a fresh UUID v4.
#[arg(long)]
id: Option<String>,
/// Directory holding the CA (ca.crt + ca.key).
#[arg(long)]
ca: PathBuf,
/// Server IP (placed in [client] server_addr).
#[arg(long)]
server_addr: String,
/// Server SAN / SNI (placed in [client] sni).
#[arg(long)]
server_name: String,
/// UDP transport port (default 443).
#[arg(long, default_value_t = 443)]
udp_port: u16,
/// TCP fallback port (default 443).
#[arg(long, default_value_t = 443)]
tcp_port: u16,
/// QUIC fallback port (default 444).
#[arg(long, default_value_t = 444)]
quic_port: u16,
/// TUN local IP (placed in [tunnel] local_ip). Must fall inside the server's pool.
#[arg(long)]
tun_ip: String,
/// TUN prefix length (default 24).
#[arg(long, default_value_t = 24)]
tun_prefix: u8,
/// Output bundle directory.
#[arg(long)]
out: PathBuf,
/// Enable [transport.knock] in the bundled client.toml. Must match the server.
#[arg(long)]
enable_knock: bool,
/// Enable [transport.cover] in the bundled client.toml. Must match the server.
#[arg(long)]
enable_cover_traffic: bool,
/// Comma-separated list of fallback server addresses (IP or IP:port).
#[arg(long)]
bridges: Option<String>,
/// v3.2: generate N independent client certificates (one UUID-v4 CN each) for an N-hop
/// circuit. Each cert gets its own random CN so the entry-relay, any middle hop, and the
/// exit cannot link the two handshakes by identity. N must be 2 or 3. When set, the bundled
/// `client.toml` gains a `[client.circuit]` block with N `[[client.circuit.hops]]` tables
/// (the operator must fill in real hop addresses).
#[arg(long)]
circuit_hops: Option<usize>,
/// Overwrite an existing bundle directory.
#[arg(long)]
force: bool,
}
/// `aura route ...` subcommands.
#[derive(Debug, Subcommand)]
enum RouteCommand {
@@ -171,8 +282,18 @@ enum RouteCommand {
#[tokio::main]
async fn main() -> anyhow::Result<()> {
init_tracing();
let cli = Cli::parse();
// Honour [server]/[client] no_logs when we already know which config we are about to load —
// this lets the very first tracing event of `aura server` / `aura client` go through the
// identifier-suppressing formatter (otherwise startup info lines would leak peer ids before
// the filter is installed). Other subcommands use the unfiltered default.
let no_logs = match &cli.command {
Command::Server(args) => probe_no_logs_server(&args.config),
Command::Client(args) => probe_no_logs_client(&args.config),
_ => false,
};
no_logs::init_filtered_tracing(no_logs);
match cli.command {
Command::Pki(cmd) => run_pki(cmd),
Command::Server(args) => server::run(&args.config, &args.admin_socket).await,
@@ -180,14 +301,26 @@ async fn main() -> anyhow::Result<()> {
Command::Route(cmd) => run_route(cmd).await,
Command::Status(args) => run_status(&args.admin_socket).await,
Command::BenchCrypto => bench::run(),
Command::ServerInit(args) => run_server_init(args),
Command::ProvisionClient(args) => run_provision_client(args),
}
}
/// Install the tracing subscriber with an env filter (defaults to `info`).
fn init_tracing() {
let filter = EnvFilter::try_from_default_env().unwrap_or_else(|_| EnvFilter::new("info"));
// `try_init` so re-initialization (e.g. in embedded use) is a no-op rather than a panic.
let _ = tracing_subscriber::fmt().with_env_filter(filter).try_init();
/// Best-effort read of `[server] no_logs` for the early tracing-init step. We deliberately swallow
/// errors here: if the config does not parse the actual `server::run` call will report the issue
/// with a proper message — we just don't want to install a redacting layer on top of a config we
/// failed to read.
fn probe_no_logs_server(path: &std::path::Path) -> bool {
aura_cli::config::ServerConfigFile::load(path)
.map(|c| c.server.no_logs)
.unwrap_or(false)
}
/// Same as [`probe_no_logs_server`] but for the client config.
fn probe_no_logs_client(path: &std::path::Path) -> bool {
aura_cli::config::ClientConfigFile::load(path)
.map(|c| c.client.no_logs)
.unwrap_or(false)
}
/// Default CRL path when `--crl` is omitted.
@@ -217,9 +350,9 @@ fn run_pki(cmd: PkiCommand) -> anyhow::Result<()> {
}
PkiCommand::IssueClient { id, out, ca } => {
let ca_dir = ca.unwrap_or_else(|| out.clone());
let (cert, key) = pki::issue_client(&id, &out, &ca_dir)?;
let (cn, cert, key) = pki::issue_client_with_id(id.as_deref(), &out, &ca_dir)?;
println!(
"client certificate issued for '{id}':\n cert: {}\n key: {}",
"client certificate issued for '{cn}':\n cert: {}\n key: {}",
cert.display(),
key.display()
);
@@ -324,3 +457,120 @@ fn print_route_list(resp: admin::Response) {
println!(" domain {:<20} {}", d.domain, d.action);
}
}
/// Dispatch `aura server-init`.
fn run_server_init(args: ServerInitArgs) -> anyhow::Result<()> {
let opts = init::ServerInitOpts {
domain: args.domain,
pki_dir: args.pki_dir,
listen_ip: args.listen_ip,
udp_port: args.udp_port,
tcp_port: args.tcp_port,
quic_port: args.quic_port,
pool_cidr: args.pool_cidr,
egress_iface: args.egress_iface,
out_config: args.out_config,
enable_knock: args.enable_knock,
enable_cover_traffic: args.enable_cover_traffic,
no_nat: args.no_nat,
run_as: args.run_as,
force: args.force,
};
let report = init::server_init(&opts)?;
println!("Aura server bootstrap complete.");
println!(" CA cert: {}", report.ca_cert.display());
println!(" CA key: {}", report.ca_key.display());
println!(" server cert: {}", report.server_cert.display());
println!(" server key: {}", report.server_key.display());
println!(" config: {}", report.server_config.display());
match &report.nat_egress_iface {
Some(iface) => {
println!(" [server.nat] egress_iface = \"{iface}\" (auto-detected if not explicit)")
}
None => println!(" [server.nat] omitted — configure NAT manually or pass --egress-iface."),
}
println!();
println!("Next steps:");
println!(
" 1. Start the server: sudo aura server --config {}",
report.server_config.display()
);
println!(
" 2. Provision the first client: aura provision-client --ca {} \\\n --server-addr <SERVER-IP> --server-name {} --tun-ip <POOL-IP> --out ./client-bundle",
report.ca_cert.parent().unwrap_or_else(|| std::path::Path::new(".")).display(),
opts_domain_for_hint(&report.server_config),
);
Ok(())
}
/// Cheap reconstruction of the domain for the printed hint (the report does not carry it; we
/// re-read it from the freshly written server.toml). On any parse failure, the placeholder is
/// returned so the message still prints.
fn opts_domain_for_hint(server_toml: &std::path::Path) -> String {
aura_cli::config::ServerConfigFile::load(server_toml)
.ok()
.and_then(|c| c.mimicry.sni)
.unwrap_or_else(|| "<server-domain>".to_string())
}
/// Dispatch `aura provision-client`.
fn run_provision_client(args: ProvisionClientArgs) -> anyhow::Result<()> {
let bridges = args
.bridges
.map(|s| {
s.split(',')
.map(|t| t.trim().to_string())
.filter(|t| !t.is_empty())
.collect::<Vec<_>>()
})
.unwrap_or_default();
let opts = init::ProvisionClientOpts {
id: args.id,
ca_dir: args.ca,
server_addr: args.server_addr,
server_name: args.server_name,
udp_port: args.udp_port,
tcp_port: args.tcp_port,
quic_port: args.quic_port,
tun_ip: args.tun_ip,
tun_prefix: args.tun_prefix,
out_dir: args.out,
enable_knock: args.enable_knock,
enable_cover_traffic: args.enable_cover_traffic,
bridges,
circuit_hops: args.circuit_hops,
force: args.force,
};
let report = init::provision_client(&opts)?;
println!("Aura client provisioned: id = {}", report.id);
println!(" bundle: {}", report.bundle_dir.display());
println!(" ca.crt: {}", report.ca_cert.display());
println!(" client.crt: {}", report.client_cert.display());
println!(" client.key: {}", report.client_key.display());
println!(" client.toml: {}", report.client_config.display());
if !report.circuit_hop_certs.is_empty() {
println!(
" v3.2 per-hop circuit certs ({}):",
report.circuit_hop_certs.len()
);
for (i, (cn, cert, key)) in report.circuit_hop_certs.iter().enumerate() {
println!(
" hop {i}: cn = {cn}\n cert: {}\n key: {}",
cert.display(),
key.display()
);
}
println!(
" EDIT the rendered client.toml and fill in the `addr` of each [[client.circuit.hops]] entry."
);
}
println!();
println!("Hand the entire bundle directory to the client via any secure channel.");
println!(
"On the client host run: cd {} && sudo aura client --config client.toml",
report.bundle_dir.display()
);
Ok(())
}
crates/aura-cli/src/masks.rs
+56 -7
View File
@@ -39,7 +39,7 @@
use std::sync::Arc;
use std::time::{Duration, SystemTime, UNIX_EPOCH};
use aura_crypto::{ca_fingerprint, derive_mask_for_msk_date, MaskSet};
use aura_crypto::{ca_fingerprint, derive_mask_for_msk_date_with_palette, MaskSet, SniPalette};
use tokio::sync::RwLock;
use tokio::task::JoinHandle;
@@ -52,10 +52,12 @@ pub type MaskHandle = Arc<RwLock<MaskSet>>;
pub struct MaskRotator {
active: MaskHandle,
ca_fp: [u8; 32],
palette: SniPalette,
}
impl MaskRotator {
/// Build a rotator from the CA PEM the rest of the stack already trusts.
/// Build a rotator from the CA PEM the rest of the stack already trusts, using the supplied
/// SNI palette (v3.2).
///
/// The initial mask is the one current at the calling instant (today's MSK day). Use
/// [`Self::spawn`] to start the daily rotation task that updates the shared handle.
@@ -63,17 +65,29 @@ impl MaskRotator {
/// # Errors
/// Propagates [`aura_crypto::CryptoError`] from [`aura_crypto::ca_fingerprint`] (typically a
/// malformed CA PEM).
pub fn new(ca_cert_pem: &str) -> anyhow::Result<Self> {
pub fn new_with_palette(ca_cert_pem: &str, palette: SniPalette) -> anyhow::Result<Self> {
let ca_fp = ca_fingerprint(ca_cert_pem)?;
let now = unix_now_utc();
let (y, m, d) = msk_today(now);
let initial = derive_mask_for_msk_date(&ca_fp, y, m, d);
let initial = derive_mask_for_msk_date_with_palette(&ca_fp, y, m, d, palette);
Ok(Self {
active: Arc::new(RwLock::new(initial)),
ca_fp,
palette,
})
}
/// Back-compat: build a rotator with the default (pre-v3.2 / global CDN) SNI palette.
///
/// Thin wrapper over [`Self::new_with_palette`] with [`SniPalette::Default`]; every existing
/// call site that does not yet thread the configured palette through can keep using this.
///
/// # Errors
/// Propagates [`aura_crypto::CryptoError`] from [`aura_crypto::ca_fingerprint`].
pub fn new(ca_cert_pem: &str) -> anyhow::Result<Self> {
Self::new_with_palette(ca_cert_pem, SniPalette::Default)
}
/// A snapshot of the current mask. This locks the inner `RwLock` briefly and clones; suitable
/// for the once-per-`connect`/`accept` use case (not for hot per-packet paths).
pub async fn current(&self) -> MaskSet {
@@ -118,7 +132,8 @@ impl MaskRotator {
// (the alarm fires at 02:00 UTC = 05:00 MSK, which is the new MSK day).
let after = unix_now_utc();
let (y, m, d) = msk_today(after);
let new_mask = derive_mask_for_msk_date(&this.ca_fp, y, m, d);
let new_mask =
derive_mask_for_msk_date_with_palette(&this.ca_fp, y, m, d, this.palette);
{
let mut guard = this.active.write().await;
if *guard != new_mask {
@@ -280,11 +295,45 @@ mod tests {
let rotator = MaskRotator::new(&pem).expect("rotator");
let m1 = rotator.current().await;
// Re-derive directly and assert equality (same `(ca_fp, MSK today)`).
// Re-derive directly and assert equality (same `(ca_fp, MSK today)`). The default
// back-compat constructor uses [`SniPalette::Default`], which the helper crate's
// [`derive_mask_for_msk_date_with_palette`] mirrors.
let now = unix_now_utc();
let (y, mo, d) = msk_today(now);
let fp = ca_fingerprint(&pem).expect("fp");
let m2 = derive_mask_for_msk_date(&fp, y, mo, d);
let m2 = derive_mask_for_msk_date_with_palette(&fp, y, mo, d, SniPalette::Default);
assert_eq!(m1, m2);
}
/// v3.2 palette: [`MaskRotator::new_with_palette`] with `SniPalette::Russian` produces a mask
/// whose `sni` field is one of the Russian palette domains.
#[tokio::test]
async fn palette_russian_yields_russian_sni() {
let ca = aura_pki::AuraCa::generate("aura-mask-russian-test-ca").expect("generate CA");
let pem = ca.ca_cert_pem();
let rotator =
MaskRotator::new_with_palette(&pem, SniPalette::Russian).expect("rotator (russian)");
let mask = rotator.current().await;
assert!(
aura_crypto::SNI_PALETTE_RUSSIAN
.iter()
.any(|s| *s == mask.sni),
"Russian-palette rotator produced unexpected SNI '{}'",
mask.sni
);
}
/// Back-compat: [`MaskRotator::new`] (no palette argument) behaves identically to
/// [`MaskRotator::new_with_palette`] with `SniPalette::Default`.
#[tokio::test]
async fn default_constructor_equals_default_palette() {
let ca = aura_pki::AuraCa::generate("aura-mask-default-test-ca").expect("generate CA");
let pem = ca.ca_cert_pem();
let r_legacy = MaskRotator::new(&pem).expect("rotator (legacy)");
let r_default =
MaskRotator::new_with_palette(&pem, SniPalette::Default).expect("rotator (default)");
assert_eq!(r_legacy.current().await, r_default.current().await);
}
}
crates/aura-cli/src/no_logs.rs
+110
View File
@@ -0,0 +1,110 @@
//! Identifier-suppressing tracing layer driven by `[server] no_logs` / `[client] no_logs`.
//!
//! ## Motivation
//!
//! Russian telecom regulations now require operators to forward identifying customer data
//! (passport / INN / IP / domain / logins / geolocation) on request. To keep an Aura node from
//! becoming a treasure-trove of those exact fields in its own logs, `no_logs = true` swaps the
//! default tracing formatter for one that skips writing a configured list of "identifier" fields
//! to the log line. The event still fires (counters and rates are unaffected), but the offending
//! field is rendered as nothing in the formatted output.
//!
//! ## Mechanism
//!
//! [`init_filtered_tracing`] installs a `tracing-subscriber::fmt` subscriber whose
//! [`FormatFields`](tracing_subscriber::fmt::FormatFields) is a custom
//! [`debug_fn`](tracing_subscriber::fmt::format::debug_fn) closure. The closure inspects
//! [`Field::name`](tracing::field::Field::name) against the [`REDACTED_FIELD_NAMES`] blacklist; on
//! a match it writes nothing (not even the field name), so the resulting log line literally
//! contains no token from the redacted value. Non-blacklisted fields go through the standard
//! `"key=value "` formatting.
//!
//! The redaction set targets the specific identifiers Aura's own code emits in its accept / dial
//! paths: `peer_id` (verified client CN), `client_ip` / `local_ip` / `assigned_ip` (per-tunnel
//! addresses), `source_addr` (UDP peer), `client_id` / `id` / `user` (generic id slots).
//!
//! ## Compatibility
//!
//! When `no_logs = false` (the default), [`init_filtered_tracing`] degenerates to the same
//! `tracing_subscriber::fmt().with_env_filter(...).try_init()` call that lived in `main` before,
//! so existing log output is unchanged for operators who did not opt in.
use std::collections::HashSet;
use tracing_subscriber::fmt::format::{debug_fn, Writer};
use tracing_subscriber::fmt::FormatFields;
use tracing_subscriber::EnvFilter;
/// Field names treated as personally-identifying and dropped from formatted output when
/// `no_logs = true`. Matches the field keys Aura emits in `tracing::info!` / `warn!` macros
/// across the server-accept and client-dial paths.
pub const REDACTED_FIELD_NAMES: &[&str] = &[
"peer_id",
"client_ip",
"source_addr",
"client_id",
"local_ip",
"user",
"id",
"assigned_ip",
"peer",
];
/// Install the global tracing subscriber, honouring `no_logs`.
///
/// * `no_logs = false`: standard `fmt` subscriber + `EnvFilter` (default `info`).
/// * `no_logs = true`: same filter and formatter shell, but the per-field writer skips
/// [`REDACTED_FIELD_NAMES`] so identifying fields never reach the output stream.
///
/// Calls `try_init` so re-initialisation (e.g. in embedded use or repeated test setup) is a
/// no-op rather than a panic.
pub fn init_filtered_tracing(no_logs: bool) {
let filter = EnvFilter::try_from_default_env().unwrap_or_else(|_| EnvFilter::new("info"));
if no_logs {
let _ = tracing_subscriber::fmt()
.with_env_filter(filter)
.fmt_fields(redacting_field_formatter())
.try_init();
} else {
let _ = tracing_subscriber::fmt().with_env_filter(filter).try_init();
}
}
/// Build a [`FormatFields`] that writes every field through the default rendering EXCEPT those
/// whose name matches [`REDACTED_FIELD_NAMES`] — those are silently dropped. Exposed so the
/// integration tests can swap the writer for an in-memory buffer and assert the redaction.
pub fn redacting_field_formatter() -> impl for<'w> FormatFields<'w> + 'static {
let redacted: HashSet<&'static str> = REDACTED_FIELD_NAMES.iter().copied().collect();
debug_fn(move |w: &mut Writer<'_>, field, value| {
if redacted.contains(field.name()) {
// Drop the field entirely. The default formatter emits `key=value` separated by spaces,
// so a no-op preserves that overall structure for the remaining fields.
return Ok(());
}
write!(w, "{}={:?} ", field.name(), value)
})
}
#[cfg(test)]
mod tests {
use super::*;
/// The blacklist captures every identifier the spec calls out.
#[test]
fn redacted_set_covers_spec_identifiers() {
for name in [
"peer_id",
"client_ip",
"source_addr",
"client_id",
"local_ip",
"user",
"id",
] {
assert!(
REDACTED_FIELD_NAMES.contains(&name),
"missing redaction for {name}"
);
}
}
}
crates/aura-cli/src/os_routes.rs
+19
View File
@@ -403,6 +403,25 @@ fn resolve_gateway(
Ok((gw, egress))
}
/// Best-effort auto-detection of the host's egress interface name (e.g. `"eth0"` on Linux, `"en0"`
/// on macOS). Returns `None` when detection is not supported on this platform or when the host's
/// default route could not be parsed. Used by `aura server-init` to pre-fill `[server.nat]
/// egress_iface` and by [`crate::server::run`] as a fallback when the operator omitted the field.
///
/// This is a thin wrapper over the per-platform `detect_default_gateway()` so it works on every
/// host (including Windows, where it always returns `None`).
#[must_use]
pub fn detect_default_egress_iface() -> Option<String> {
#[cfg(any(target_os = "linux", target_os = "macos"))]
{
detect_default_gateway().ok().map(|(_gw, iface)| iface)
}
#[cfg(not(any(target_os = "linux", target_os = "macos")))]
{
None
}
}
/// Auto-detect the host's IPv4 default gateway + egress interface.
#[cfg(target_os = "linux")]
fn detect_default_gateway() -> Result<(IpAddr, String)> {
crates/aura-cli/src/pki.rs
+18
View File
@@ -53,6 +53,24 @@ pub fn issue_client(id: &str, out_dir: &Path, ca_dir: &Path) -> anyhow::Result<(
write_leaf(out_dir, "client", &issued.cert_pem, &issued.key_pem)
}
/// `aura pki issue-client` with an *optional* id: when `id` is `None` a fresh UUID v4 is
/// generated, used as the certificate CN, and returned alongside the file paths. This is what the
/// CLI now exposes as the default — passing no `--id` no longer fails, and the operator just sees
/// the assigned id in the log line.
///
/// Returns `(cn, cert_path, key_path)` so the caller can echo the id without re-parsing the cert.
pub fn issue_client_with_id(
id: Option<&str>,
out_dir: &Path,
ca_dir: &Path,
) -> anyhow::Result<(String, PathBuf, PathBuf)> {
let cn = id
.map(str::to_string)
.unwrap_or_else(|| uuid::Uuid::new_v4().to_string());
let (cert, key) = issue_client(&cn, out_dir, ca_dir)?;
Ok((cn, cert, key))
}
/// `aura pki revoke`: add `id` (a client id or serial) to the CRL file, creating it if absent.
pub fn revoke(id: &str, crl_path: &Path) -> anyhow::Result<()> {
let mut crl = if crl_path.exists() {
crates/aura-cli/src/relay.rs
+359
View File
@@ -0,0 +1,359 @@
//! v3.1 multi-hop / onion routing: the **server (entry-relay) side**.
//!
//! Companion to [`crate::circuit`]. When `[server.relay] enabled = true`, the server's accept
//! loop performs a short **rendezvous** on each fresh client connection: it waits up to
//! [`EXTEND_RENDEZVOUS_SECS`] seconds for a first packet, and:
//!
//! * If the packet decodes as a [`ControlKind::ExtendBridge`] envelope, the server resolves the
//! downstream `exit_addr`, checks it against the configured whitelist, opens a raw UDP socket
//! to the exit, sends [`ControlKind::CircuitReady`] back to the client, and starts two
//! forwarder tasks — one in each direction — splicing the client's [`PacketConnection`] to the
//! bridge socket. The connection is NOT registered with the [`crate::server_router::ServerRouter`];
//! bridged peers do not consume an IP from the pool.
//! * Otherwise the packet is replayed back into a fallback channel and the accept loop continues
//! handling the connection as a normal VPN client. This dual-role mode lets one server be a
//! relay for some peers and an exit for others, depending on what each client chose to send first.
//!
//! ## Whitelist semantics
//!
//! `[server.relay] allow_extend_to` is parsed by
//! [`ServerConfigFile::relay_whitelist`](crate::config::ServerConfigFile::relay_whitelist) into a
//! `Vec<SocketAddr>`. An empty whitelist is treated as **open relay** — every `exit_addr` is
//! accepted — and we emit a `warn` log so the operator notices the dangerous configuration. A
//! non-empty whitelist that does not contain the requested `exit_addr` causes us to reply with
//! [`ControlKind::CircuitFailed`] (payload: `"not in allow_extend_to"`) and drop the connection.
use std::net::SocketAddr;
use std::sync::Arc;
use std::time::Duration;
use aura_proto::{
decode_control_envelope, decode_extend_bridge, encode_control_envelope, ControlKind,
PacketConnection,
};
use tokio::net::UdpSocket;
use crate::config::RelayAllowRule;
/// How long the relay waits for the client's first packet on a fresh connection before falling
/// back to treating the connection as a normal VPN client. Two seconds is comfortably longer than
/// a loopback round-trip (the client sends `ExtendBridge` immediately after the outer handshake
/// returns) but short enough that fallback clients do not perceive a stall.
pub const EXTEND_RENDEZVOUS_SECS: u64 = 2;
/// Outcome of the [`rendezvous`] phase on a fresh connection.
///
/// * [`RendezvousOutcome::Bridged`] — the client sent [`ControlKind::ExtendBridge`]; the bridge
/// socket has been opened and the relay can now spawn the forwarders. The caller MUST NOT
/// register this connection with the IP pool / router.
/// * [`RendezvousOutcome::Fallback`] — no `ExtendBridge` arrived in time, or the first packet
/// was not a control envelope. The caller should resume the v2 path and treat the connection
/// as a normal VPN client.
/// * [`RendezvousOutcome::Refused`] — the client asked for an exit that is not on the whitelist;
/// the relay has already replied with [`ControlKind::CircuitFailed`] and the caller should drop
/// the connection.
pub enum RendezvousOutcome {
/// The connection is now a bridge to `bridge` (a UDP socket connected to the exit). The
/// caller should spawn [`run_bridge`] to ferry packets.
Bridged { bridge: Arc<UdpSocket> },
/// No bridge was requested; the connection is a normal VPN client. `first_pkt` is the first
/// packet the caller observed during the rendezvous window (if any) so it can be replayed
/// into the normal processing pipeline; in v3.1 we drop it (the v2 path expects to call
/// `recv_packet` itself from a clean state) — see the callsite for details.
Fallback { first_pkt: Option<Vec<u8>> },
/// The client asked for an exit not on the whitelist. The caller should drop the connection.
Refused,
}
/// Perform the rendezvous on a freshly-accepted relay connection (v3.1 back-compat API:
/// whitelist is a flat `&[SocketAddr]`). For v3.2's CIDR-aware allow rules, use
/// [`rendezvous_with_rules`] — it accepts the [`RelayAllowRule`] enum.
///
/// Reads (with a [`EXTEND_RENDEZVOUS_SECS`] timeout) the next packet from `conn`. When it decodes
/// as [`ControlKind::ExtendBridge`] and the requested exit is whitelisted, this function:
///
/// 1. Binds a UDP socket on `0.0.0.0:0` (`[::]:0` for an IPv6 exit) and `connect()`s it to the
/// exit address.
/// 2. Sends [`ControlKind::CircuitReady`] back to the client.
/// 3. Returns [`RendezvousOutcome::Bridged`] with the bridge socket.
///
/// On a whitelist miss it sends [`ControlKind::CircuitFailed`] and returns
/// [`RendezvousOutcome::Refused`]. On any timeout / non-control / decode failure it returns
/// [`RendezvousOutcome::Fallback`] so the caller can continue with the v2 VPN-client path.
pub async fn rendezvous(
conn: &Arc<dyn PacketConnection>,
whitelist: &[SocketAddr],
) -> RendezvousOutcome {
// Adapter: lift the flat whitelist into v3.2 `RelayAllowRule::Exact` entries and delegate.
let rules: Vec<RelayAllowRule> = whitelist
.iter()
.copied()
.map(RelayAllowRule::Exact)
.collect();
rendezvous_with_rules(conn, &rules).await
}
/// v3.2: rendezvous variant that takes a list of [`RelayAllowRule`] (literal `IP:port` /
/// bare CIDR / CIDR with explicit port). Semantics are identical to [`rendezvous`] otherwise —
/// see its docstring.
pub async fn rendezvous_with_rules(
conn: &Arc<dyn PacketConnection>,
rules: &[RelayAllowRule],
) -> RendezvousOutcome {
let pkt = match tokio::time::timeout(
Duration::from_secs(EXTEND_RENDEZVOUS_SECS),
conn.recv_packet(),
)
.await
{
Ok(Ok(p)) => p,
Ok(Err(e)) => {
tracing::debug!(error = %e, "relay rendezvous: recv failed; fallback to VPN client path");
return RendezvousOutcome::Fallback { first_pkt: None };
}
Err(_) => {
tracing::debug!(
"relay rendezvous: no ExtendBridge within {EXTEND_RENDEZVOUS_SECS}s; \
fallback to VPN client path"
);
return RendezvousOutcome::Fallback { first_pkt: None };
}
};
let envelope = match decode_control_envelope(&pkt) {
Ok(Some((kind, payload))) => Some((kind, payload)),
Ok(None) => None,
Err(e) => {
tracing::debug!(error = %e, "relay rendezvous: malformed envelope; fallback");
return RendezvousOutcome::Fallback {
first_pkt: Some(pkt),
};
}
};
let Some((kind, payload)) = envelope else {
tracing::debug!(
"relay rendezvous: first packet is not a control envelope; fallback to VPN client path"
);
return RendezvousOutcome::Fallback {
first_pkt: Some(pkt),
};
};
if kind != ControlKind::ExtendBridge {
tracing::debug!(
kind = ?kind,
"relay rendezvous: first envelope is not ExtendBridge; fallback to VPN client path"
);
return RendezvousOutcome::Fallback {
first_pkt: Some(pkt),
};
}
let exit_addr: SocketAddr = match decode_extend_bridge(&payload) {
Ok(a) => a,
Err(e) => {
tracing::warn!(error = %e, "relay rendezvous: malformed ExtendBridge payload; refusing");
let reply = encode_control_envelope(
ControlKind::CircuitFailed,
b"malformed ExtendBridge payload",
);
let _ = conn.send_packet(&reply).await;
return RendezvousOutcome::Refused;
}
};
// Whitelist enforcement. Empty rule list == open relay (operator was warned via the log line
// emitted when the section was loaded; we also re-log here so each accepted bridge leaves a
// breadcrumb).
if rules.is_empty() {
tracing::warn!(
exit = %exit_addr,
"relay running as OPEN relay (allow_extend_to is empty); accepting bridge"
);
} else if !rules.iter().any(|r| r.matches(exit_addr)) {
tracing::warn!(
exit = %exit_addr,
"relay rejecting bridge: exit not in allow_extend_to"
);
let reply = encode_control_envelope(ControlKind::CircuitFailed, b"not in allow_extend_to");
let _ = conn.send_packet(&reply).await;
return RendezvousOutcome::Refused;
}
// Open the bridge socket. We bind matching the exit's address family so a relay running on a
// dual-stack host does not accidentally try to use an IPv4 socket to reach an IPv6 exit.
let bind_addr: SocketAddr = if exit_addr.is_ipv4() {
"0.0.0.0:0".parse().expect("valid v4 bind addr")
} else {
"[::]:0".parse().expect("valid v6 bind addr")
};
let bridge = match UdpSocket::bind(bind_addr).await {
Ok(s) => s,
Err(e) => {
tracing::warn!(error = %e, exit = %exit_addr, "relay could not bind bridge socket");
let msg = format!("bridge bind failed: {e}");
let reply = encode_control_envelope(ControlKind::CircuitFailed, msg.as_bytes());
let _ = conn.send_packet(&reply).await;
return RendezvousOutcome::Refused;
}
};
if let Err(e) = bridge.connect(exit_addr).await {
tracing::warn!(error = %e, exit = %exit_addr, "relay could not connect bridge socket to exit");
let msg = format!("bridge connect failed: {e}");
let reply = encode_control_envelope(ControlKind::CircuitFailed, msg.as_bytes());
let _ = conn.send_packet(&reply).await;
return RendezvousOutcome::Refused;
}
let ready = encode_control_envelope(ControlKind::CircuitReady, &[]);
if let Err(e) = conn.send_packet(&ready).await {
tracing::warn!(error = %e, "relay failed to send CircuitReady; dropping");
return RendezvousOutcome::Refused;
}
tracing::info!(
exit = %exit_addr,
"relay rendezvous succeeded; bridging client to exit"
);
RendezvousOutcome::Bridged {
bridge: Arc::new(bridge),
}
}
/// Splice a client-side [`PacketConnection`] to a `connect()`ed bridge UDP socket, ferrying bytes
/// in both directions until either side closes. Drives **two** tasks (each direction) and joins
/// them so the function returns when both have ended.
///
/// The relay never decrypts the inner Aura handshake / data: bytes from the client are sent as
/// raw UDP datagrams to the exit, and bytes from the exit are wrapped back in a
/// [`PacketConnection::send_packet`] call on the client connection. This is what makes the
/// `client ↔ exit` handshake travel through the relay opaquely.
pub async fn run_bridge(client_conn: Arc<dyn PacketConnection>, bridge: Arc<UdpSocket>) {
let conn_a = Arc::clone(&client_conn);
let br_a = Arc::clone(&bridge);
let to_exit = tokio::spawn(async move {
while let Ok(buf) = conn_a.recv_packet().await {
if br_a.send(&buf).await.is_err() {
break;
}
}
});
let conn_b = Arc::clone(&client_conn);
let br_b = Arc::clone(&bridge);
let to_client = tokio::spawn(async move {
let mut buf = vec![0u8; 2048];
while let Ok(n) = br_b.recv(&mut buf).await {
if conn_b.send_packet(&buf[..n]).await.is_err() {
break;
}
}
});
let _ = tokio::join!(to_exit, to_client);
}
#[cfg(test)]
mod tests {
use super::*;
use std::collections::VecDeque;
use async_trait::async_trait;
use aura_proto::encode_extend_bridge;
use tokio::sync::Mutex as TokioMutex;
/// In-memory mock that lets us drive [`rendezvous`] without a real Aura connection.
struct MockConn {
to_recv: TokioMutex<VecDeque<anyhow::Result<Vec<u8>>>>,
sent: TokioMutex<Vec<Vec<u8>>>,
}
impl MockConn {
fn new(items: impl IntoIterator<Item = anyhow::Result<Vec<u8>>>) -> Arc<Self> {
Arc::new(Self {
to_recv: TokioMutex::new(items.into_iter().collect()),
sent: TokioMutex::new(Vec::new()),
})
}
}
#[async_trait]
impl PacketConnection for MockConn {
async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()> {
self.sent.lock().await.push(packet.to_vec());
Ok(())
}
async fn recv_packet(&self) -> anyhow::Result<Vec<u8>> {
match self.to_recv.lock().await.pop_front() {
Some(item) => item,
None => {
// Block forever — the caller's timeout will trip first. Use
// `std::future::pending` so we do not pull in a `futures` dep.
std::future::pending::<()>().await;
unreachable!("pending future never resolves")
}
}
}
}
/// An ExtendBridge to an exit that is **not** on the whitelist is refused: the relay sends
/// CircuitFailed back and the rendezvous outcome is `Refused`.
#[tokio::test]
async fn whitelist_miss_refuses_with_circuit_failed() {
let target: SocketAddr = "203.0.113.5:443".parse().unwrap();
let allowed: SocketAddr = "203.0.113.99:443".parse().unwrap();
let payload = encode_extend_bridge(target);
let envelope = encode_control_envelope(ControlKind::ExtendBridge, &payload);
// Keep a typed handle to the mock so we can introspect what was sent without unsafe.
let mock = MockConn::new([Ok(envelope)]);
let conn: Arc<dyn PacketConnection> = mock.clone();
let outcome = rendezvous(&conn, &[allowed]).await;
assert!(matches!(outcome, RendezvousOutcome::Refused));
// Verify the relay actually answered with a CircuitFailed envelope.
let sent = mock.sent.lock().await.clone();
assert_eq!(sent.len(), 1, "exactly one reply was sent");
let (kind, reason) = decode_control_envelope(&sent[0]).unwrap().unwrap();
assert_eq!(kind, ControlKind::CircuitFailed);
assert_eq!(
std::str::from_utf8(&reason).unwrap(),
"not in allow_extend_to"
);
}
/// Empty whitelist == open relay. A target that is anywhere succeeds (we open the bridge
/// against loopback so the bind / connect actually succeed in the test).
#[tokio::test]
async fn empty_whitelist_acts_as_open_relay() {
// Reserve a free UDP port for the dummy exit so connect() succeeds on the bridge side.
let exit_sock = std::net::UdpSocket::bind("127.0.0.1:0").unwrap();
let exit_addr = exit_sock.local_addr().unwrap();
let payload = encode_extend_bridge(exit_addr);
let envelope = encode_control_envelope(ControlKind::ExtendBridge, &payload);
let conn: Arc<dyn PacketConnection> = MockConn::new([Ok(envelope)]);
let outcome = rendezvous(&conn, &[]).await;
assert!(matches!(outcome, RendezvousOutcome::Bridged { .. }));
}
/// When no packet arrives within the rendezvous window, fall back to the normal VPN-client
/// path. The relay does not send any reply.
#[tokio::test]
async fn timeout_falls_back_to_vpn_client_path() {
// Pass an empty mock so recv_packet blocks forever and the rendezvous timeout trips.
let conn: Arc<dyn PacketConnection> = MockConn::new([]);
// Tighten Tokio's clock: pause + advance is not appropriate here because rendezvous uses
// real timeouts (Duration::from_secs(2)); simply waiting in CI is fine because the test
// path is small. To keep CI fast, bump the timeout up: the test sets up a recv that
// blocks forever, so we want the rendezvous's own timeout to fire — that is the assertion.
//
// We use a `Box::pin(...)` + select to bound the test itself in case the rendezvous never
// returns (a regression).
let result = tokio::time::timeout(
std::time::Duration::from_secs(EXTEND_RENDEZVOUS_SECS + 2),
rendezvous(&conn, &[]),
)
.await
.expect("rendezvous returned within deadline");
assert!(matches!(
result,
RendezvousOutcome::Fallback { first_pkt: None }
));
}
}
crates/aura-cli/src/server.rs
+176 -19
View File
@@ -31,17 +31,20 @@ use std::sync::Arc;
use std::time::Duration;
use anyhow::Context;
use aura_transport::MultiServer;
use aura_proto::PacketConnection;
use aura_transport::{MultiServer, TransportMode};
use aura_tunnel::{AuraTun, RouteAction, RouteTable};
use ipnetwork::IpNetwork;
use tokio::sync::RwLock;
use crate::admin::{self, AdminState, Stats};
use crate::config::ServerConfigFile;
use crate::config::{ServerConfigFile, ServerOuterCertSection};
use crate::crl_push;
use crate::masks::MaskRotator;
use crate::nat::NatGuard;
use crate::pool::IpPool;
use crate::privdrop;
use crate::relay::{self, RendezvousOutcome};
use crate::server_router::ServerRouter;
/// Entry point for `aura server --config <PATH>` (and optional `--admin-socket`).
@@ -81,8 +84,12 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
// the TOML so the first accepts already use today's mask; the rotator's background task then
// updates the bound MultiServer's opts each day at 02:00 UTC (= 05:00 MSK).
let masks_enabled = cfg.transport.masks.enabled;
let mask_palette = cfg.transport.masks.palette.to_crypto();
let mask_rotator = if masks_enabled {
let rot = Arc::new(MaskRotator::new(&proto_cfg.ca_cert_pem)?);
let rot = Arc::new(MaskRotator::new_with_palette(
&proto_cfg.ca_cert_pem,
mask_palette,
)?);
let initial = rot.current().await;
udp_opts.padding_profile = initial.padding_profile_id;
// The TCP transport now uses a real outer TLS-443 layer, which subsumes the old HTTP
@@ -91,6 +98,7 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
tracing::info!(
sni = %initial.sni,
padding_profile = initial.padding_profile_id,
palette = ?cfg.transport.masks.palette,
"mask rotation enabled; initial mask applied"
);
Some(rot)
@@ -123,18 +131,28 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
// configured forwarding by hand and no guard is created.
let _nat_guard: Option<NatGuard> = if let Some(nat) = cfg.server.nat.as_ref() {
if nat.auto {
if nat.egress_iface.trim().is_empty() {
anyhow::bail!(
"[server.nat] auto = true requires `egress_iface` to be set (no auto-detection in v1)"
);
}
// v2: if `egress_iface` is not set in the config, fall back to auto-detection of the
// host's default-route interface. This makes `[server.nat] auto = true` work on
// typical single-NIC hosts without manual configuration. If detection also fails we
// fall back to the original hard error so the operator gets a clear message.
let iface = if nat.egress_iface.trim().is_empty() {
match crate::os_routes::detect_default_egress_iface() {
Some(iface) => {
tracing::info!(target: "aura::nat", iface = %iface,
"egress_iface not set in [server.nat]; auto-detected from host default route");
iface
}
None => anyhow::bail!(
"[server.nat] auto = true requires `egress_iface` to be set \
(auto-detection failed on this host)"
),
}
} else {
nat.egress_iface.clone()
};
Some(
NatGuard::enable(
&resolved_pool.cidr.to_string(),
&nat.egress_iface,
nat.dry_run,
)
.context("enabling auto-NAT (see [server.nat] in server.toml)")?,
NatGuard::enable(&resolved_pool.cidr.to_string(), &iface, nat.dry_run)
.context("enabling auto-NAT (see [server.nat] in server.toml)")?,
)
} else {
None
@@ -143,11 +161,42 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
None
};
// Bind every enabled transport at once. The QUIC outer (mimicry) cert reuses the Aura server
// leaf inside `proto_cfg`, matching the transport's guidance.
let server = MultiServer::bind(endpoints, proto_cfg.clone(), udp_opts, tcp_opts.clone())
.await
.context("binding Aura multi-transport server")?;
// v3: resolve the optional [server.outer_cert] section. When set, the QUIC and TCP outer-TLS
// layers use the configured (e.g. Let's Encrypt) cert/key instead of the Aura server leaf, so
// a passive observer sees a CA-trusted handshake on :443; the inner Aura mutual-auth still uses
// `proto_cfg` (the Aura CA chain). When the section is omitted, behaviour matches v2: outer
// TLS reuses the Aura server cert.
let outer_pems = cfg
.server
.outer_cert
.as_ref()
.map(ServerOuterCertSection::resolve)
.transpose()
.context("resolving [server.outer_cert]")?
.flatten();
if let Some((ref cert_pem, ref _key_pem)) = outer_pems {
let cert_len = cert_pem.len();
tracing::info!(
cert_path = ?cfg.server.outer_cert.as_ref().and_then(|o| o.cert_path.as_deref()),
key_path = ?cfg.server.outer_cert.as_ref().and_then(|o| o.key_path.as_deref()),
cert_pem_bytes = cert_len,
"using external outer-TLS cert (e.g. Let's Encrypt) for QUIC + TCP; inner Aura handshake still on Aura CA"
);
}
// Bind every enabled transport at once. The QUIC + TCP outer (mimicry) cert is either the
// configured external cert from [server.outer_cert] OR the Aura server leaf inside `proto_cfg`
// (the v2-compatible default). The inner Aura mutual-auth handshake always uses `proto_cfg`.
let server = MultiServer::bind_with_outer(
endpoints,
proto_cfg.clone(),
udp_opts,
tcp_opts.clone(),
outer_pems.as_ref().map(|(c, _)| c.as_str()),
outer_pems.as_ref().map(|(_, k)| k.as_str()),
)
.await
.context("binding Aura multi-transport server")?;
tracing::info!("Aura server bound on all enabled transports");
// Spawn the mask rotation loop AFTER bind so the rotator can push new opts into the live
@@ -232,10 +281,49 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
}
});
// v3.1 / v3.2: when [server.relay] is enabled, parse the allow-rules once. The rules accept
// literal `IP:port`, bare CIDR (any port), or CIDR with explicit port. An empty list means
// "all addresses allowed" (dangerous; the runtime logs a warning).
let relay_enabled = cfg.server.relay.enabled;
let relay_cell_padding = cfg.server.relay.cell_padding;
let relay_cell_size = cfg.server.relay.cell_size;
let relay_allow_rules: Vec<crate::config::RelayAllowRule> = if relay_enabled {
let rules = cfg.relay_allow_rules();
if rules.is_empty() {
tracing::warn!(
"[server.relay] is enabled with an EMPTY allow_extend_to — running as OPEN relay; \
every ExtendBridge request will be accepted. Set allow_extend_to to a curated list."
);
} else {
tracing::info!(
count = rules.len(),
cell_padding = relay_cell_padding,
cell_size = relay_cell_size,
"[server.relay] enabled with {} allow-rule(s)",
rules.len()
);
}
rules
} else {
Vec::new()
};
// Accept loop. Each accepted connection (from any transport) is assigned an IP from the pool
// and registered with the [`ServerRouter`]; a per-conn task forwards inbound packets into the
// shared TUN. `MultiServer::accept` yields `None` only when every transport's accept loop has
// stopped.
//
// v3.1: when [server.relay] is enabled, every accepted UDP connection first undergoes a short
// **rendezvous** ([`relay::rendezvous`]) to see whether the client wants to be bridged through
// to a downstream exit. The rendezvous:
// * Reads with a 2-second timeout. If an `ExtendBridge` envelope arrives and its `exit_addr`
// is on the whitelist, the relay opens a bridge socket, replies with `CircuitReady`, and
// the connection is spliced byte-for-byte to the exit — NOT registered with the IP pool.
// * If nothing arrives within 2s or the first packet is not an `ExtendBridge` envelope, the
// connection falls back to the normal VPN-client path (IP pool + ServerRouter), exactly as
// in v2. This dual-role mode lets one server be a relay for some peers and an exit for
// others on the same listening port. Non-UDP transports (TCP, QUIC) skip rendezvous in
// v3.1; only UDP is supported as a hop transport.
loop {
let next = {
let mut srv = server.lock().await;
@@ -246,6 +334,61 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
let mode = accepted.mode;
let conn = accepted.conn;
// v3.1 / v3.2 relay rendezvous (only on UDP-mode connections; relay does not bridge
// TCP / QUIC in v3.x). The relay never decodes cell padding — the bytes it forwards are
// the **inner** AEAD-encrypted ciphertext from the client to the exit; cell structure
// lives one layer below (only the exit and the client see cells).
if relay_enabled && mode == TransportMode::Udp {
match relay::rendezvous_with_rules(&conn, &relay_allow_rules).await {
RendezvousOutcome::Bridged { bridge } => {
// Spawn the two forwarder tasks and skip everything else (no IP pool entry,
// no router registration, no CRL push — bridged peers are opaque).
tracing::info!(
peer = ?peer_id, %mode,
"v3.x relay: bridging connection to exit"
);
let client_conn = Arc::clone(&conn);
tokio::spawn(async move {
relay::run_bridge(client_conn, bridge).await;
});
continue;
}
RendezvousOutcome::Refused => {
tracing::warn!(
peer = ?peer_id, %mode,
"v3.1 relay: refusing connection (CircuitFailed sent); dropping"
);
drop(conn);
continue;
}
RendezvousOutcome::Fallback { .. } => {
// Fall through to the normal VPN-client handling below. (The first packet, if
// any, was either non-existent or non-control — for v3.1 we drop it; control
// envelopes that are not ExtendBridge are not expected on the first packet
// from a v2 client either.)
tracing::debug!(
peer = ?peer_id, %mode,
"v3.1 relay: no ExtendBridge received; handling as normal VPN client"
);
}
}
}
// v3.2: when this server runs as an EXIT for cell-padded circuit clients, wrap the
// accepted inner-session conn in CellPaddingConn. Every send/recv on this conn (CRL push,
// router register, inbound forwarder) now goes through the cell wrapper so its bytes are
// padded cells end-to-end. Wrapped here (not earlier) so the relay rendezvous, which
// reads control envelopes naked on the outer connection, is not affected.
let conn: Arc<dyn PacketConnection> =
if cfg.server.cell_padding_for_circuit_clients && mode == TransportMode::Udp {
Arc::new(crate::cells::CellPaddingConn::new(
conn,
cfg.server.relay.cell_size,
))
} else {
conn
};
// Pick the client id used for static-pool lookup. The certificate CN is the only
// identity we can trust here; if absent (defensive — every authenticated connection has
// one in practice) fall back to a unique-per-instance marker so dynamic allocation still
@@ -274,6 +417,20 @@ pub async fn run(config_path: &Path, admin_socket: &str) -> anyhow::Result<()> {
"accepted authenticated client; assigned tunnel ip"
);
// v2: push the CRL in-band immediately after the handshake completes (before any user
// traffic is dispatched). Errors here are non-fatal — the helper logs the reason and we
// proceed with the connection. Old clients that don't recognise the magic prefix will
// forward the bytes to their TUN, which rejects them as an invalid IP packet.
let _ = crl_push::push_crl_if_configured(
cfg.pki.crl_push,
cfg.pki.crl.as_deref(),
&proto_cfg.ca_cert_pem,
cfg.pki.ca_key.as_deref(),
&conn,
peer_id.as_deref(),
)
.await;
// Register the connection and spawn its inbound forwarder.
if let Some(prev) = server_routes.register(assigned_ip, Arc::clone(&conn)).await {
tracing::warn!(
crates/aura-cli/tests/cli_bridges.rs
+96
View File
@@ -0,0 +1,96 @@
//! Integration tests for the `[client] bridges` field + [`aura_cli::dial_targets::build_dial_targets`].
//!
//! Parses a synthetic `client.toml` with bridges, walks through `build_dial_targets`, and asserts
//! the resulting candidate list shape. Real dial attempts are out of scope (no server running);
//! this test focuses on the parse-build-shape contract that `client::run` relies on.
use aura_cli::config::ClientConfigFile;
use aura_cli::dial_targets::build_dial_targets;
const CLIENT_TOML: &str = r#"
[client]
name = "laptop"
server_addr = "203.0.113.10:443"
sni = "vpn.example.com"
bridges = ["203.0.113.11", "203.0.113.12:9999"]
[pki]
ca_cert = "ca.crt"
cert = "client.crt"
key = "client.key"
[tunnel]
local_ip = "10.7.0.2"
"#;
#[test]
fn bridges_parse_into_client_config() {
let cfg = ClientConfigFile::parse(CLIENT_TOML).expect("parse");
assert_eq!(cfg.client.bridges.len(), 2);
assert!(cfg.client.bridges.contains(&"203.0.113.11".to_string()));
assert!(cfg
.client
.bridges
.contains(&"203.0.113.12:9999".to_string()));
}
#[test]
fn build_dial_targets_from_parsed_client_config() {
let cfg = ClientConfigFile::parse(CLIENT_TOML).expect("parse");
let dial = cfg.dial_config().expect("dial config");
let targets = build_dial_targets(&dial.endpoints, &cfg.client.bridges);
assert_eq!(targets.len(), 3, "primary + two bridges");
// The primary is always first.
assert_eq!(targets[0].udp.unwrap().to_string(), "203.0.113.10:443");
// Each bridge entry must keep the per-transport ports (the bridge `:9999` in the second
// string is ignored — transports always use [transport] ports).
for t in &targets[1..] {
assert_eq!(t.udp.unwrap().port(), 443);
assert_eq!(t.quic.unwrap().port(), 444);
}
// Both bridge IPs are represented.
let bridge_ips: std::collections::HashSet<String> = targets[1..]
.iter()
.map(|e| e.udp.unwrap().ip().to_string())
.collect();
assert!(bridge_ips.contains("203.0.113.11"));
assert!(bridge_ips.contains("203.0.113.12"));
}
#[test]
fn empty_bridges_field_yields_only_primary() {
let toml = r#"
[client]
name = "laptop"
server_addr = "203.0.113.10:443"
sni = "vpn.example.com"
[pki]
ca_cert = "ca.crt"
cert = "client.crt"
key = "client.key"
[tunnel]
local_ip = "10.7.0.2"
"#;
let cfg = ClientConfigFile::parse(toml).expect("parse minimal");
assert!(cfg.client.bridges.is_empty(), "no bridges field");
let dial = cfg.dial_config().expect("dial config");
let targets = build_dial_targets(&dial.endpoints, &cfg.client.bridges);
assert_eq!(targets.len(), 1, "only primary when bridges omitted");
}
/// `detect_default_egress_iface` is best-effort and tolerated to be `None`. When it does return a
/// value, the iface name must be non-empty.
#[test]
fn detect_default_egress_iface_is_tolerant() {
match aura_cli::os_routes::detect_default_egress_iface() {
Some(iface) => assert!(!iface.is_empty(), "detected iface name must be non-empty"),
None => {
// CI / sandboxed environments often have no default route. Tolerated.
}
}
}
crates/aura-cli/tests/cli_no_logs.rs
+139
View File
@@ -0,0 +1,139 @@
//! Integration test for [`aura_cli::no_logs::redacting_field_formatter`].
//!
//! The production code installs the same `FormatFields` against the global subscriber via
//! [`aura_cli::no_logs::init_filtered_tracing`]. We cannot use a global subscriber inside a unit
//! test (it stays installed for the whole test binary and leaks across tests). Instead we mount
//! the same formatter on a *per-test* subscriber using the `with_default` guard, route output
//! through an in-memory writer, and assert that the redacted field values are absent while
//! non-redacted fields still appear.
use std::io::Write;
use std::sync::{Arc, Mutex};
use tracing_subscriber::fmt::MakeWriter;
/// An in-memory writer factory: each `make_writer` returns a guard that locks the shared `Vec<u8>`
/// and writes into it. Cheap enough for one-shot test setups.
#[derive(Clone, Default)]
struct BufWriter {
inner: Arc<Mutex<Vec<u8>>>,
}
impl BufWriter {
fn snapshot(&self) -> String {
let guard = self.inner.lock().unwrap();
String::from_utf8(guard.clone()).expect("utf8")
}
}
impl<'a> MakeWriter<'a> for BufWriter {
type Writer = BufWriterGuard;
fn make_writer(&'a self) -> Self::Writer {
BufWriterGuard {
inner: Arc::clone(&self.inner),
}
}
}
struct BufWriterGuard {
inner: Arc<Mutex<Vec<u8>>>,
}
impl Write for BufWriterGuard {
fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
let mut g = self.inner.lock().unwrap();
g.extend_from_slice(buf);
Ok(buf.len())
}
fn flush(&mut self) -> std::io::Result<()> {
Ok(())
}
}
/// Drive `tracing::info!` with one redacted and one safe field, route output through the redacting
/// formatter into a buffer, and assert the redacted value is absent while the safe value is present.
#[test]
fn no_logs_drops_peer_id_field_from_output() {
let buf = BufWriter::default();
let subscriber = tracing_subscriber::fmt()
.with_writer(buf.clone())
.with_ansi(false)
.fmt_fields(aura_cli::no_logs::redacting_field_formatter())
.finish();
tracing::subscriber::with_default(subscriber, || {
// peer_id (redacted) and bytes (kept) — the message itself ("client accepted") is fine.
tracing::info!(
peer_id = "SECRET-CLIENT-ID-12345",
bytes = 64u64,
"client accepted"
);
});
let out = buf.snapshot();
assert!(
!out.contains("SECRET-CLIENT-ID-12345"),
"redacted peer_id leaked: {out}"
);
assert!(
out.contains("bytes=64"),
"non-redacted field missing: {out}"
);
assert!(out.contains("client accepted"), "message missing: {out}");
}
/// Every spec-listed identifier is suppressed in one go.
#[test]
fn no_logs_drops_every_listed_identifier() {
let buf = BufWriter::default();
let subscriber = tracing_subscriber::fmt()
.with_writer(buf.clone())
.with_ansi(false)
.fmt_fields(aura_cli::no_logs::redacting_field_formatter())
.finish();
tracing::subscriber::with_default(subscriber, || {
tracing::info!(
peer_id = "PEERVAL",
client_ip = "CLIPVAL",
source_addr = "SRCVAL",
client_id = "CIDVAL",
local_ip = "LIPVAL",
user = "USERVAL",
id = "IDVAL",
assigned_ip = "ASSVAL",
peer = "PEERVAL2",
bytes = 42u64,
"test"
);
});
let out = buf.snapshot();
for redacted in [
"PEERVAL", "CLIPVAL", "SRCVAL", "CIDVAL", "LIPVAL", "USERVAL", "IDVAL", "ASSVAL",
"PEERVAL2",
] {
assert!(
!out.contains(redacted),
"value '{redacted}' leaked into output: {out}"
);
}
// bytes is a kept field — must still be visible.
assert!(out.contains("bytes=42"), "kept field missing: {out}");
}
/// Sanity: the unfiltered default formatter (no `fmt_fields` swap) DOES emit the peer_id value —
/// this guards against accidentally enabling redaction by default for non-`no_logs` deployments.
#[test]
fn default_formatter_keeps_peer_id() {
let buf = BufWriter::default();
let subscriber = tracing_subscriber::fmt()
.with_writer(buf.clone())
.with_ansi(false)
.finish();
tracing::subscriber::with_default(subscriber, || {
tracing::info!(peer_id = "SHOULD-APPEAR", "ev");
});
let out = buf.snapshot();
assert!(out.contains("SHOULD-APPEAR"), "default did not emit: {out}");
}
crates/aura-cli/tests/cli_provision_client.rs
+303
View File
@@ -0,0 +1,303 @@
//! Integration tests for [`aura_cli::init::provision_client`].
//!
//! These tests first generate a CA + server cert via `pki::init` / `pki::issue_server`, then
//! drive `provision_client` against that CA and verify:
//!
//! * the bundle directory ends up with `ca.crt`, `client.crt`, `client.key`, `client.toml`;
//! * the rendered `client.toml` parses;
//! * the issued client cert verifies against the original CA via [`AuraCertVerifier`];
//! * `--id` defaults to a UUID v4 and is reflected as the cert CN.
use std::path::PathBuf;
use aura_cli::config::ClientConfigFile;
use aura_cli::init::{self, ProvisionClientOpts};
use aura_cli::pki;
use aura_pki::AuraCertVerifier;
use rustls_pki_types::CertificateDer;
/// Per-test temp dir.
fn temp_dir(tag: &str) -> PathBuf {
let mut dir = std::env::temp_dir();
dir.push(format!(
"aura-cli-provision-{tag}-{}-{}",
std::process::id(),
std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_nanos()
));
std::fs::create_dir_all(&dir).expect("create temp dir");
dir
}
/// Generate a CA at `ca_dir` for the rest of the test to use.
fn bootstrap_ca(ca_dir: &std::path::Path) {
pki::init("Aura Provision Test CA", ca_dir).expect("ca init");
}
/// Decode a single-cert PEM into a DER chain for the verifier.
fn pem_chain(pem_path: &std::path::Path) -> Vec<CertificateDer<'static>> {
let pem = std::fs::read(pem_path).expect("read cert");
let (_, parsed) = x509_parser::pem::parse_x509_pem(&pem).expect("parse PEM");
vec![CertificateDer::from(parsed.contents)]
}
/// Extract the certificate's CN via `x509-parser` so we can check that the assigned id ended up
/// in the cert.
fn cert_common_name(pem_path: &std::path::Path) -> String {
let pem = std::fs::read(pem_path).expect("read cert");
let (_, parsed) = x509_parser::pem::parse_x509_pem(&pem).expect("parse PEM");
let (_, cert) = x509_parser::parse_x509_certificate(&parsed.contents).expect("parse cert");
let subject = cert.subject();
for cn in subject.iter_common_name() {
if let Ok(s) = cn.as_str() {
return s.to_string();
}
}
panic!("no CN in subject {subject:?}");
}
/// Happy path: explicit id, bundle materialises and parses, cert verifies against CA.
#[test]
fn provision_client_with_explicit_id() {
let root = temp_dir("happy");
let ca_dir = root.join("ca");
bootstrap_ca(&ca_dir);
let bundle = root.join("client-bundle");
let mut opts = ProvisionClientOpts::new(
&ca_dir,
"203.0.113.10",
"vpn.example.com",
"10.7.0.2",
&bundle,
);
opts.id = Some("phone-1".to_string());
let report = init::provision_client(&opts).expect("provision");
assert_eq!(report.id, "phone-1", "explicit id preserved");
assert!(report.ca_cert.exists());
assert!(report.client_cert.exists());
assert!(report.client_key.exists());
assert!(report.client_config.exists());
// The bundled cert's CN matches the id we passed.
assert_eq!(cert_common_name(&report.client_cert), "phone-1");
// The client.toml round-trips through the parser cleanly.
let cfg = ClientConfigFile::load(&report.client_config).expect("parse client.toml");
assert_eq!(cfg.client.server_addr, "203.0.113.10:443");
assert_eq!(cfg.client.sni, "vpn.example.com");
assert_eq!(cfg.tunnel.local_ip, "10.7.0.2");
assert!(cfg.client.bridges.is_empty(), "no bridges by default");
// The verifier accepts the bundled chain against the same CA we issued from.
let ca_pem = std::fs::read_to_string(ca_dir.join(pki::CA_CERT)).expect("read ca");
let verifier = AuraCertVerifier::new(&ca_pem).expect("verifier");
let chain = pem_chain(&report.client_cert);
let cn = verifier
.verify_client_cert(&chain)
.expect("issued client cert chains to the CA");
assert_eq!(cn, "phone-1");
let _ = std::fs::remove_dir_all(&root);
}
/// Default `--id` path: a fresh UUID v4 is assigned and ends up as the CN.
#[test]
fn provision_client_default_id_is_uuid_v4() {
let root = temp_dir("uuid");
let ca_dir = root.join("ca");
bootstrap_ca(&ca_dir);
let bundle = root.join("bundle");
let opts = ProvisionClientOpts::new(
&ca_dir,
"203.0.113.10",
"vpn.example.com",
"10.7.0.5",
&bundle,
);
let report = init::provision_client(&opts).expect("provision");
// The id is a valid UUID v4 and equals the cert CN.
let parsed = uuid::Uuid::parse_str(&report.id).expect("id is uuid");
assert_eq!(parsed.get_version_num(), 4, "uuid v4");
assert_eq!(cert_common_name(&report.client_cert), report.id);
let _ = std::fs::remove_dir_all(&root);
}
/// `bridges = [...]` ends up in the rendered client.toml and parses back through the config.
#[test]
fn provision_client_writes_bridges() {
let root = temp_dir("bridges");
let ca_dir = root.join("ca");
bootstrap_ca(&ca_dir);
let bundle = root.join("bundle");
let mut opts = ProvisionClientOpts::new(
&ca_dir,
"203.0.113.10",
"vpn.example.com",
"10.7.0.3",
&bundle,
);
opts.bridges = vec!["203.0.113.11".to_string(), "203.0.113.12".to_string()];
let report = init::provision_client(&opts).expect("provision");
let cfg = ClientConfigFile::load(&report.client_config).expect("parse");
assert_eq!(cfg.client.bridges.len(), 2);
assert!(cfg.client.bridges.contains(&"203.0.113.11".to_string()));
assert!(cfg.client.bridges.contains(&"203.0.113.12".to_string()));
let _ = std::fs::remove_dir_all(&root);
}
/// `enable_knock` / `enable_cover_traffic` flip the rendered TOML's `[transport.knock]` /
/// `[transport.cover]` sections.
#[test]
fn provision_client_anti_surveillance_toggles() {
let root = temp_dir("knock");
let ca_dir = root.join("ca");
bootstrap_ca(&ca_dir);
let bundle = root.join("bundle");
let mut opts = ProvisionClientOpts::new(
&ca_dir,
"203.0.113.10",
"vpn.example.com",
"10.7.0.4",
&bundle,
);
opts.enable_knock = true;
opts.enable_cover_traffic = true;
let report = init::provision_client(&opts).expect("provision");
let cfg = ClientConfigFile::load(&report.client_config).expect("parse");
assert!(cfg.transport.knock.enabled);
assert!(cfg.transport.cover.enabled);
let _ = std::fs::remove_dir_all(&root);
}
/// v3.2: `--circuit-hops N` issues N independent client certs, each with its own UUID v4 CN.
/// The bundled `client.toml` gains a `[client.circuit]` section with N `[[client.circuit.hops]]`
/// tables. Each hop's `cert_path` / `key_path` references the freshly-issued PEM file in the
/// bundle, and each cert's CN is a distinct UUID v4.
#[test]
fn provision_client_with_v3_2_circuit_hops() {
let root = temp_dir("v32hops");
let ca_dir = root.join("ca");
bootstrap_ca(&ca_dir);
let bundle = root.join("bundle");
let mut opts = ProvisionClientOpts::new(
&ca_dir,
"203.0.113.10",
"vpn.example.com",
"10.7.0.7",
&bundle,
);
opts.circuit_hops = Some(3); // entry + middle + exit
let report = init::provision_client(&opts).expect("provision");
// Three distinct per-hop certs were issued, all with unique UUID-v4 CNs.
assert_eq!(report.circuit_hop_certs.len(), 3, "3 hop certs issued");
let mut cns: Vec<String> = report
.circuit_hop_certs
.iter()
.map(|(cn, _, _)| cn.clone())
.collect();
cns.sort();
cns.dedup();
assert_eq!(cns.len(), 3, "all hop CNs are distinct");
for (cn, _, _) in &report.circuit_hop_certs {
let parsed = uuid::Uuid::parse_str(cn).expect("hop cn is a uuid");
assert_eq!(parsed.get_version_num(), 4, "hop cn is uuid v4");
}
for (i, (_, cert, key)) in report.circuit_hop_certs.iter().enumerate() {
assert!(cert.exists(), "hop {i} cert exists");
assert!(key.exists(), "hop {i} key exists");
assert!(cert
.file_name()
.unwrap()
.to_string_lossy()
.contains(&format!("circuit-hop-{i}")));
}
// The bundled client.toml has `[client.circuit] enabled = true` and 3 hop tables.
let cfg = ClientConfigFile::load(&report.client_config).expect("parse client.toml");
assert!(cfg.client.circuit.enabled, "[client.circuit] enabled");
assert_eq!(cfg.client.circuit.hops.len(), 3, "3 hops in client.toml");
// Every hop entry is the Full variant (per-hop cert/key paths).
use aura_cli::config::CircuitHop;
for (i, hop) in cfg.client.circuit.hops.iter().enumerate() {
match hop {
CircuitHop::Full {
cert_path,
key_path,
..
} => {
let cert_str = cert_path.to_string_lossy();
let key_str = key_path.to_string_lossy();
assert!(
cert_str.contains(&format!("circuit-hop-{i}")),
"hop {i} cert_path references circuit-hop-{i}.crt; got {cert_str}"
);
assert!(
key_str.contains(&format!("circuit-hop-{i}")),
"hop {i} key_path references circuit-hop-{i}.key; got {key_str}"
);
}
_ => panic!("hop {i}: expected Full variant in rendered client.toml"),
}
}
// Cell padding is enabled by default in the v3.2 rendered config.
assert!(
cfg.client.circuit.cell_padding,
"cell_padding defaults true in v3.2 render"
);
let _ = std::fs::remove_dir_all(&root);
}
/// `--circuit-hops 1` is rejected (N must be >= 2).
#[test]
fn provision_client_circuit_hops_too_few_errors() {
let root = temp_dir("v32hops_few");
let ca_dir = root.join("ca");
bootstrap_ca(&ca_dir);
let bundle = root.join("bundle");
let mut opts = ProvisionClientOpts::new(
&ca_dir,
"203.0.113.10",
"vpn.example.com",
"10.7.0.8",
&bundle,
);
opts.circuit_hops = Some(1);
let err = init::provision_client(&opts).unwrap_err().to_string();
assert!(err.contains("circuit-hops"), "got: {err}");
let _ = std::fs::remove_dir_all(&root);
}
/// A non-empty bundle directory triggers an error without `--force`.
#[test]
fn provision_client_refuses_non_empty_bundle() {
let root = temp_dir("nonempty");
let ca_dir = root.join("ca");
bootstrap_ca(&ca_dir);
let bundle = root.join("bundle");
std::fs::create_dir_all(&bundle).unwrap();
std::fs::write(bundle.join("junk.txt"), b"hi").unwrap();
let opts = ProvisionClientOpts::new(
&ca_dir,
"203.0.113.10",
"vpn.example.com",
"10.7.0.6",
&bundle,
);
let err = init::provision_client(&opts).unwrap_err().to_string();
assert!(err.contains("not empty"), "got: {err}");
let _ = std::fs::remove_dir_all(&root);
}
crates/aura-cli/tests/cli_server_init.rs
+134
View File
@@ -0,0 +1,134 @@
//! Integration tests for [`aura_cli::init::server_init`].
//!
//! Drives the in-process helper directly (no clap parsing, no binary spawn) and asserts that the
//! generated CA + server cert + server.toml exist on disk and parse cleanly. Each switch on the
//! `ServerInitOpts` flips the corresponding section in the rendered TOML.
use std::path::PathBuf;
use aura_cli::config::ServerConfigFile;
use aura_cli::init::{self, ServerInitOpts};
/// Unique temp dir for one test (no `tempfile` dependency in the workspace).
fn temp_dir(tag: &str) -> PathBuf {
let mut dir = std::env::temp_dir();
dir.push(format!(
"aura-cli-server-init-{tag}-{}-{}",
std::process::id(),
std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_nanos()
));
std::fs::create_dir_all(&dir).expect("create temp dir");
dir
}
/// Build a baseline options struct with the temp directories pre-filled. Per-test mutations layer
/// on top of this.
fn base_opts(tag: &str) -> (ServerInitOpts, PathBuf) {
let root = temp_dir(tag);
let pki = root.join("pki");
let cfg = root.join("server.toml");
let mut opts = ServerInitOpts::new("vpn.example.com", &pki);
opts.out_config = cfg.clone();
// Force the no_nat path by default — the integration test runner may or may not have a
// detectable default route, so the per-test `egress_iface` / `no_nat` overrides are explicit.
opts.no_nat = true;
(opts, root)
}
/// Happy path: CA, server cert and server.toml all written and the TOML parses back.
#[test]
fn server_init_writes_and_parses() {
let (opts, root) = base_opts("happy");
let report = init::server_init(&opts).expect("server-init succeeds");
assert!(report.ca_cert.exists(), "ca.crt exists");
assert!(report.ca_key.exists(), "ca.key exists");
assert!(report.server_cert.exists(), "server.crt exists");
assert!(report.server_key.exists(), "server.key exists");
assert!(report.server_config.exists(), "server.toml exists");
let cfg = ServerConfigFile::load(&report.server_config).expect("server.toml parses");
assert_eq!(cfg.server.listen, "0.0.0.0:443");
assert_eq!(cfg.tunnel.pool_cidr, "10.7.0.0/24");
assert_eq!(cfg.transport.udp_port, 443);
assert_eq!(cfg.transport.quic_port, 444);
// no-nat was set in the baseline.
assert!(cfg.server.nat.is_none(), "no [server.nat] section");
// knock / cover default to disabled.
assert!(!cfg.transport.knock.enabled);
assert!(!cfg.transport.cover.enabled);
// PKI section points at the generated files.
assert_eq!(cfg.pki.ca_cert, report.ca_cert.to_string_lossy());
// Cleanup is best-effort.
let _ = std::fs::remove_dir_all(&root);
}
/// `--enable-knock` and `--enable-cover-traffic` flip the [transport.*] sections on.
#[test]
fn server_init_enables_anti_surveillance() {
let (mut opts, root) = base_opts("knock");
opts.enable_knock = true;
opts.enable_cover_traffic = true;
let report = init::server_init(&opts).expect("server-init succeeds");
let cfg = ServerConfigFile::load(&report.server_config).expect("parse");
assert!(cfg.transport.knock.enabled, "knock enabled");
assert_eq!(cfg.transport.knock.knock_secret_source, "ca_fingerprint");
assert!(cfg.transport.cover.enabled, "cover enabled");
assert_eq!(cfg.transport.cover.mean_interval_ms, 500);
let _ = std::fs::remove_dir_all(&root);
}
/// `egress_iface = "eth0"` + `no_nat = false` writes a `[server.nat]` section.
#[test]
fn server_init_writes_nat_when_egress_explicit() {
let (mut opts, root) = base_opts("nat");
opts.no_nat = false;
opts.egress_iface = Some("eth0".to_string());
let report = init::server_init(&opts).expect("server-init succeeds");
let cfg = ServerConfigFile::load(&report.server_config).expect("parse");
let nat = cfg.server.nat.expect("[server.nat] present");
assert!(nat.auto, "nat.auto = true");
assert_eq!(nat.egress_iface, "eth0");
let _ = std::fs::remove_dir_all(&root);
}
/// `run_as = "nobody"` ends up in `[server] run_as` and `no_logs` toggles parse cleanly.
#[test]
fn server_init_run_as_and_no_logs_present() {
let (mut opts, root) = base_opts("runas");
opts.run_as = Some("nobody".to_string());
let report = init::server_init(&opts).expect("server-init succeeds");
let cfg = ServerConfigFile::load(&report.server_config).expect("parse");
assert_eq!(cfg.server.run_as.as_deref(), Some("nobody"));
// `no_logs` is emitted with the default `false`.
assert!(!cfg.server.no_logs);
let _ = std::fs::remove_dir_all(&root);
}
/// Without `--force`, re-running over an existing CA errors out cleanly.
#[test]
fn server_init_refuses_to_clobber_without_force() {
let (opts, root) = base_opts("clobber");
init::server_init(&opts).expect("first run succeeds");
// Re-run should fail because the CA already exists.
let err = init::server_init(&opts).unwrap_err().to_string();
assert!(
err.contains("CA already exists") || err.contains("already exists"),
"expected overwrite refusal, got: {err}"
);
// With force the second run succeeds.
let mut forced = opts.clone();
forced.force = true;
let report = init::server_init(&forced).expect("--force overwrites");
assert!(report.ca_cert.exists());
let _ = std::fs::remove_dir_all(&root);
}
crates/aura-cli/tests/in_band_crl.rs
+310
View File
@@ -0,0 +1,310 @@
//! End-to-end test of the v2 in-band CRL push flow at the [`PacketConnection`] layer.
//!
//! We avoid spinning up a real transport (which needs root + privileged sockets) and instead drive
//! the server-side helper `push_crl_if_configured` against an in-memory mock `PacketConnection`,
//! then feed the bytes the server "sent" into a client-side `AcceptPushedCrlConn` wrapper and
//! check that:
//!
//! * the wrapper consumes the envelope (does NOT deliver it to the TUN-bound `recv_packet`),
//! * the wrapper verifies the signature against the CA and applies the CRL,
//! * the wrapper persists the parsed CRL to the configured cache path,
//! * a real IP packet that arrives *after* the envelope is delivered verbatim to the caller.
//!
//! The path runs entirely on mpsc channels, so it exercises the wrapping logic without any
//! crypto/transport setup.
use std::collections::VecDeque;
use std::path::PathBuf;
use std::sync::Arc;
use async_trait::async_trait;
use aura_cli::crl_push::{push_crl_if_configured, AcceptPushedCrlConn};
use aura_pki::{AuraCa, CrlStore};
use aura_proto::PacketConnection;
use tokio::sync::Mutex;
use uuid::Uuid;
/// Mock connection with two roles in this test:
/// * **server side**: the server's `push_crl_if_configured` calls `send_packet` on its `Arc<dyn
/// PacketConnection>`. We capture the bytes here.
/// * **client side**: the client wraps this same struct (re-instantiated with the captured bytes
/// in `to_recv`) and calls `recv_packet`.
struct MockConn {
to_recv: Mutex<VecDeque<Vec<u8>>>,
sent: Mutex<Vec<Vec<u8>>>,
}
impl MockConn {
fn new(packets: impl IntoIterator<Item = Vec<u8>>) -> Self {
Self {
to_recv: Mutex::new(packets.into_iter().collect()),
sent: Mutex::new(Vec::new()),
}
}
async fn drain_sent(&self) -> Vec<Vec<u8>> {
std::mem::take(&mut *self.sent.lock().await)
}
}
#[async_trait]
impl PacketConnection for MockConn {
async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()> {
self.sent.lock().await.push(packet.to_vec());
Ok(())
}
async fn recv_packet(&self) -> anyhow::Result<Vec<u8>> {
self.to_recv
.lock()
.await
.pop_front()
.ok_or_else(|| anyhow::anyhow!("mock conn drained"))
}
}
fn temp_path(suffix: &str) -> PathBuf {
let mut p = std::env::temp_dir();
p.push(format!("aura-cli-in_band_crl-{}-{suffix}", Uuid::new_v4()));
p
}
/// Happy path: server pushes a signed CRL of `{"alice"}`; client decodes + applies + persists.
#[tokio::test]
async fn server_push_is_applied_on_the_client() {
// 1. CA + on-disk CA paths (save/load to get the key PEM string).
let ca = AuraCa::generate("Aura CRL IT").unwrap();
let ca_cert_pem = ca.ca_cert_pem();
let ca_cert_path = temp_path("ca.crt");
let ca_key_path = temp_path("ca.key");
ca.save(&ca_cert_path, &ca_key_path).unwrap();
// 2. Server-side CRL file (unsigned v1 format).
let crl_path = temp_path("revoked.crl");
let mut crl = CrlStore::new();
crl.revoke("alice");
crl.revoke("deadbeef");
crl.save(&crl_path).unwrap();
// 3. Server-side mock conn (its `sent` slot is what the wire would carry).
let server_mock = Arc::new(MockConn::new([]));
let server_conn: Arc<dyn PacketConnection> = server_mock.clone();
// 4. Drive the server-side helper.
let pushed = push_crl_if_configured(
true,
Some(crl_path.to_str().unwrap()),
&ca_cert_pem,
Some(ca_key_path.to_str().unwrap()),
&server_conn,
Some("test-peer"),
)
.await
.expect("push_crl_if_configured returns Ok");
assert!(pushed, "server should report a successful push");
// 5. Capture the envelope the server "sent" and inject it on the client side.
let envelopes = server_mock.drain_sent().await;
assert_eq!(envelopes.len(), 1, "exactly one envelope was sent");
let envelope = envelopes.into_iter().next().unwrap();
assert_eq!(
&envelope[..4],
&[0xAA, 0xAA, 0xC0, 0x01],
"envelope starts with the CRL magic prefix"
);
// 6. Build the client-side mock, feeding the envelope first and a real IPv4 packet second.
let real_ipv4 = vec![0x45u8, 0x00, 0x00, 0x14, 0xab, 0xcd];
let client_inner: Arc<dyn PacketConnection> =
Arc::new(MockConn::new([envelope, real_ipv4.clone()]));
let cache_path = temp_path("client_revoked.crl");
let wrap = AcceptPushedCrlConn::new(
client_inner,
ca_cert_pem.clone(),
Some(cache_path.clone()),
true, // accept_pushed_crl = true
);
// 7. Client's first recv_packet consumes the envelope (not the IPv4 packet) and applies the
// CRL. The next bytes pulled from `recv_packet` are the real IPv4 packet.
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, real_ipv4, "real packet delivered after envelope");
// 8. Verify the CRL was applied + persisted.
let applied = wrap.last_applied.read().await.clone();
let applied = applied.expect("CRL should have been applied");
assert!(applied.contains("alice"));
assert!(applied.contains("deadbeef"));
assert_eq!(applied.len(), 2);
let from_disk = CrlStore::load(&cache_path).unwrap();
assert!(from_disk.contains("alice"));
assert!(from_disk.contains("deadbeef"));
let _ = std::fs::remove_file(ca_cert_path);
let _ = std::fs::remove_file(ca_key_path);
let _ = std::fs::remove_file(crl_path);
let _ = std::fs::remove_file(cache_path);
}
/// When `crl_push_enabled = false`, the server never sends an envelope and the client recv path
/// continues to behave exactly as in v1.
#[tokio::test]
async fn server_does_not_push_when_disabled() {
let ca = AuraCa::generate("Aura CRL IT").unwrap();
let ca_cert_path = temp_path("ca.crt");
let ca_key_path = temp_path("ca.key");
ca.save(&ca_cert_path, &ca_key_path).unwrap();
let crl_path = temp_path("revoked.crl");
let mut crl = CrlStore::new();
crl.revoke("alice");
crl.save(&crl_path).unwrap();
let server_mock = Arc::new(MockConn::new([]));
let server_conn: Arc<dyn PacketConnection> = server_mock.clone();
let pushed = push_crl_if_configured(
false, // disabled
Some(crl_path.to_str().unwrap()),
&ca.ca_cert_pem(),
Some(ca_key_path.to_str().unwrap()),
&server_conn,
Some("peer"),
)
.await
.unwrap();
assert!(!pushed, "disabled server should not push");
assert!(
server_mock.drain_sent().await.is_empty(),
"no bytes should have been sent"
);
let _ = std::fs::remove_file(ca_cert_path);
let _ = std::fs::remove_file(ca_key_path);
let _ = std::fs::remove_file(crl_path);
}
/// If the CRL file does not exist (no revocations yet), the helper silently skips.
#[tokio::test]
async fn server_skips_when_crl_file_missing() {
let ca = AuraCa::generate("Aura").unwrap();
let ca_cert_path = temp_path("ca.crt");
let ca_key_path = temp_path("ca.key");
ca.save(&ca_cert_path, &ca_key_path).unwrap();
let nonexistent = temp_path("nope.crl");
let server_mock = Arc::new(MockConn::new([]));
let server_conn: Arc<dyn PacketConnection> = server_mock.clone();
let pushed = push_crl_if_configured(
true,
Some(nonexistent.to_str().unwrap()),
&ca.ca_cert_pem(),
Some(ca_key_path.to_str().unwrap()),
&server_conn,
Some("peer"),
)
.await
.unwrap();
assert!(!pushed, "missing CRL should not push");
assert!(server_mock.drain_sent().await.is_empty());
let _ = std::fs::remove_file(ca_cert_path);
let _ = std::fs::remove_file(ca_key_path);
}
/// If the server pushes a CRL signed by a different CA, the client refuses to apply it. The real
/// packet that follows the envelope is still delivered (the wrapper just drops the bad envelope
/// and keeps looping).
#[tokio::test]
async fn client_rejects_push_signed_by_wrong_ca() {
let real = AuraCa::generate("Real").unwrap();
let rogue = AuraCa::generate("Rogue").unwrap();
let rogue_cert_path = temp_path("rogue.crt");
let rogue_key_path = temp_path("rogue.key");
rogue.save(&rogue_cert_path, &rogue_key_path).unwrap();
let crl_path = temp_path("rogue.crl");
let mut crl = CrlStore::new();
crl.revoke("alice");
crl.save(&crl_path).unwrap();
// Server "pushes" using the rogue CA.
let server_mock = Arc::new(MockConn::new([]));
let server_conn: Arc<dyn PacketConnection> = server_mock.clone();
let pushed = push_crl_if_configured(
true,
Some(crl_path.to_str().unwrap()),
&rogue.ca_cert_pem(),
Some(rogue_key_path.to_str().unwrap()),
&server_conn,
None,
)
.await
.unwrap();
assert!(pushed);
let envelope = server_mock.drain_sent().await.into_iter().next().unwrap();
// Client trusts only `real`; the rogue's signature must fail verification.
let real_ipv4 = vec![0x45u8, 0x00, 0x00, 0x14];
let client_inner: Arc<dyn PacketConnection> =
Arc::new(MockConn::new([envelope, real_ipv4.clone()]));
let wrap = AcceptPushedCrlConn::new(client_inner, real.ca_cert_pem(), None, true);
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, real_ipv4);
assert!(
wrap.last_applied.read().await.is_none(),
"rogue-signed CRL must not be applied"
);
let _ = std::fs::remove_file(rogue_cert_path);
let _ = std::fs::remove_file(rogue_key_path);
let _ = std::fs::remove_file(crl_path);
}
/// `accept_pushed_crl = false` makes the client drop pushes (the wrapper still strips the envelope
/// so the TUN never sees the magic bytes).
#[tokio::test]
async fn client_drops_push_when_disabled() {
let ca = AuraCa::generate("Aura").unwrap();
let ca_cert_path = temp_path("ca.crt");
let ca_key_path = temp_path("ca.key");
ca.save(&ca_cert_path, &ca_key_path).unwrap();
let crl_path = temp_path("revoked.crl");
let mut crl = CrlStore::new();
crl.revoke("alice");
crl.save(&crl_path).unwrap();
let server_mock = Arc::new(MockConn::new([]));
let server_conn: Arc<dyn PacketConnection> = server_mock.clone();
let _ = push_crl_if_configured(
true,
Some(crl_path.to_str().unwrap()),
&ca.ca_cert_pem(),
Some(ca_key_path.to_str().unwrap()),
&server_conn,
None,
)
.await
.unwrap();
let envelope = server_mock.drain_sent().await.into_iter().next().unwrap();
let real_ipv4 = vec![0x45u8, 0x00, 0x00, 0x14];
let client_inner: Arc<dyn PacketConnection> =
Arc::new(MockConn::new([envelope, real_ipv4.clone()]));
let wrap = AcceptPushedCrlConn::new(
client_inner,
ca.ca_cert_pem(),
None,
false, /* accept */
);
let pkt = wrap.recv_packet().await.unwrap();
assert_eq!(pkt, real_ipv4);
assert!(
wrap.last_applied.read().await.is_none(),
"disabled accept must not apply the CRL"
);
let _ = std::fs::remove_file(ca_cert_path);
let _ = std::fs::remove_file(ca_key_path);
let _ = std::fs::remove_file(crl_path);
}
crates/aura-cli/tests/le_outer_cert.rs
+325
View File
@@ -0,0 +1,325 @@
//! v3 "Let's Encrypt outer cert" tests for `[server.outer_cert]`.
//!
//! These tests cover the three guarantees of the new feature:
//!
//! 1. **Parsing** — a `server.toml` with `[server.outer_cert] cert_path = "...", key_path = "..."`
//! parses, and the section's [`crate::config::ServerOuterCertSection::resolve`] returns
//! `Some((cert_pem, key_pem))`. A `server.toml` without the section parses too (back-compat)
//! and `resolve` returns `None`.
//! 2. **Validation** — setting exactly one of `cert_path` / `key_path` (without the other) is a
//! hard error from `resolve`.
//! 3. **Loopback with a separate outer cert** — a real `MultiServer` bound via
//! [`aura_transport::MultiServer::bind_with_outer`] with an outer cert from a SECOND CA accepts
//! a normal Aura client whose inner cert is from the FIRST CA. The verified `peer_id` matches
//! the inner-client CN — proving the inner Aura mutual-auth handshake was unaffected by the
//! outer-TLS cert coming from a different trust root.
//!
//! TCP transport is used in test #3 because the outer-TLS cert is most directly observable there
//! (rustls outer handshake on top of TCP); the same `bind_with_outer` plumbing routes the cert into
//! QUIC as well via [`aura_transport::AuraServer::bind`].
use std::path::PathBuf;
use std::sync::Arc;
use aura_cli::config::{ServerConfigFile, ServerOuterCertSection};
use aura_pki::AuraCa;
use aura_proto::PacketConnection;
use aura_transport::{dial, MultiServer, TransportMode};
const INNER_SERVER_NAME: &str = "localhost";
/// A unique temp directory for this test process.
fn temp_dir(tag: &str) -> PathBuf {
let mut dir = std::env::temp_dir();
dir.push(format!(
"aura-cli-le-outer-{tag}-{}-{}",
std::process::id(),
std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_nanos()
));
std::fs::create_dir_all(&dir).expect("create temp dir");
dir
}
/// Grab a currently-free TCP port on loopback by binding `:0` and releasing it.
fn free_tcp_port() -> u16 {
let sock = std::net::TcpListener::bind("127.0.0.1:0").expect("bind ephemeral tcp");
sock.local_addr().expect("local_addr").port()
}
/// (1) `[server.outer_cert]` with both paths parses and `resolve()` returns the read PEMs.
#[tokio::test]
async fn parses_outer_cert_section_and_resolves_pems() {
let dir = temp_dir("parse");
let outer_ca = AuraCa::generate("Outer LE-like CA").expect("outer CA");
let outer = outer_ca
.issue_server_cert(INNER_SERVER_NAME)
.expect("outer cert");
let outer_cert_path = dir.join("outer.crt");
let outer_key_path = dir.join("outer.key");
std::fs::write(&outer_cert_path, &outer.cert_pem).unwrap();
std::fs::write(&outer_key_path, &outer.key_pem).unwrap();
let server_toml = format!(
r#"
[server]
name = "edge-test"
[server.outer_cert]
cert_path = "{cert}"
key_path = "{key}"
[pki]
ca_cert = "ignored"
cert = "ignored"
key = "ignored"
[tunnel]
pool_cidr = "10.7.0.0/24"
"#,
cert = outer_cert_path.display(),
key = outer_key_path.display(),
);
let cfg = ServerConfigFile::parse(&server_toml).expect("parse server.toml");
let oc = cfg
.server
.outer_cert
.as_ref()
.expect("outer_cert section parsed");
assert!(oc.cert_path.is_some() && oc.key_path.is_some());
let resolved = oc.resolve().expect("resolve PEMs");
let (cert_pem, key_pem) = resolved.expect("Some when both paths set");
assert!(cert_pem.starts_with("-----BEGIN CERTIFICATE-----"));
assert!(key_pem.contains("PRIVATE KEY-----"));
let _ = std::fs::remove_dir_all(&dir);
}
/// (1b) A `server.toml` WITHOUT `[server.outer_cert]` still parses (back-compat) and the field is
/// `None` — the v2-compatible "outer cert reuses Aura server cert" path.
#[tokio::test]
async fn omitted_outer_cert_section_is_backwards_compatible() {
let server_toml = r#"
[server]
name = "edge-test"
[pki]
ca_cert = "a"
cert = "b"
key = "c"
[tunnel]
pool_cidr = "10.7.0.0/24"
"#;
let cfg = ServerConfigFile::parse(server_toml).expect("parse server.toml");
assert!(
cfg.server.outer_cert.is_none(),
"no [server.outer_cert] -> field is None"
);
}
/// (2) Setting `cert_path` without `key_path` (or vice-versa) is a hard error from
/// `ServerOuterCertSection::resolve` — both must be set together.
#[test]
fn rejects_partial_outer_cert_section() {
let only_cert = ServerOuterCertSection {
cert_path: Some(PathBuf::from("/tmp/x.crt")),
key_path: None,
};
let err = only_cert.resolve().unwrap_err().to_string();
assert!(
err.contains("cert_path") && err.contains("key_path"),
"{err}"
);
let only_key = ServerOuterCertSection {
cert_path: None,
key_path: Some(PathBuf::from("/tmp/x.key")),
};
assert!(only_key.resolve().is_err());
// And the all-None case resolves to None (the v2 fallback).
let none = ServerOuterCertSection::default();
assert!(none.resolve().expect("None resolves").is_none());
}
/// (3) End-to-end: bind a TCP transport with an outer-TLS cert from a SECOND CA and verify a normal
/// Aura client (inner cert from the FIRST CA, the only one configured in the client's proto_cfg)
/// connects, mutually authenticates, and exchanges packets. The verified `peer_id` matches the
/// inner client CN — proving the outer cert's trust root did NOT interfere with the inner Aura
/// mutual-auth handshake.
#[tokio::test]
async fn loopback_tcp_with_separate_outer_cert_authenticates_via_inner_ca() {
let dir = temp_dir("loopback-tcp");
// CA #1: the Aura CA — issues the server's inner cert (used by the inner Aura handshake) and
// the client's leaf cert. This is the only trust root the client knows about.
let inner_ca = AuraCa::generate("Aura Inner CA").expect("inner CA");
let inner_server = inner_ca
.issue_server_cert(INNER_SERVER_NAME)
.expect("inner server cert");
let client_cert = inner_ca
.issue_client_cert("le-test-client")
.expect("client cert");
// CA #2: a SEPARATE CA — its server cert plays the role of the Let's Encrypt fullchain on the
// outer-TLS layer. The client's outer verifier is `AcceptAnyServerCert` (transport docs), so
// the outer cert's trust root is irrelevant to the client — but the inner Aura handshake still
// verifies the server cert against `inner_ca`.
let outer_ca = AuraCa::generate("Outer LE-like CA").expect("outer CA");
let outer_cert = outer_ca
.issue_server_cert(INNER_SERVER_NAME)
.expect("outer cert");
// Write all the PEM files for the CLI config to read.
let ca_path = dir.join("ca.crt");
let srv_cert_path = dir.join("server.crt");
let srv_key_path = dir.join("server.key");
let cli_cert_path = dir.join("client.crt");
let cli_key_path = dir.join("client.key");
let outer_cert_path = dir.join("outer.crt");
let outer_key_path = dir.join("outer.key");
std::fs::write(&ca_path, inner_ca.ca_cert_pem()).unwrap();
std::fs::write(&srv_cert_path, &inner_server.cert_pem).unwrap();
std::fs::write(&srv_key_path, &inner_server.key_pem).unwrap();
std::fs::write(&cli_cert_path, &client_cert.cert_pem).unwrap();
std::fs::write(&cli_key_path, &client_cert.key_pem).unwrap();
std::fs::write(&outer_cert_path, &outer_cert.cert_pem).unwrap();
std::fs::write(&outer_key_path, &outer_cert.key_pem).unwrap();
// TCP-only on a learned free loopback port. (UDP transport has no outer TLS layer to exercise
// a swapped outer cert against; QUIC works the same way as TCP through the same plumbing.)
let tcp_port = free_tcp_port();
let server_toml = format!(
r#"
[server]
name = "edge-le-test"
listen = "127.0.0.1:{tcp_port}"
[server.outer_cert]
cert_path = "{outer_cert}"
key_path = "{outer_key}"
[pki]
ca_cert = "{ca}"
cert = "{cert}"
key = "{key}"
[tunnel]
pool_cidr = "10.7.0.0/24"
[transport]
order = ["tcp"]
udp_port = {udp_port}
tcp_port = {tcp_port}
quic_port = {quic_port}
obfuscate = false
"#,
ca = ca_path.display(),
cert = srv_cert_path.display(),
key = srv_key_path.display(),
outer_cert = outer_cert_path.display(),
outer_key = outer_key_path.display(),
udp_port = tcp_port + 1,
quic_port = tcp_port + 2,
);
let client_toml = format!(
r#"
[client]
name = "le-client-test"
server_addr = "127.0.0.1:{tcp_port}"
sni = "{sni}"
[pki]
ca_cert = "{ca}"
cert = "{cert}"
key = "{key}"
[tunnel]
local_ip = "10.7.0.2"
[transport]
order = ["tcp"]
udp_port = {udp_port}
tcp_port = {tcp_port}
quic_port = {quic_port}
obfuscate = false
"#,
sni = INNER_SERVER_NAME,
ca = ca_path.display(),
cert = cli_cert_path.display(),
key = cli_key_path.display(),
udp_port = tcp_port + 1,
quic_port = tcp_port + 2,
);
let server_cfg = ServerConfigFile::parse(&server_toml).expect("parse server.toml");
let client_cfg =
aura_cli::config::ClientConfigFile::parse(&client_toml).expect("parse client.toml");
// Resolve the outer-cert PEMs through the CLI helper — the same path `aura server` uses.
let outer_resolved = server_cfg
.server
.outer_cert
.as_ref()
.expect("outer_cert section parsed")
.resolve()
.expect("outer cert resolves")
.expect("Some when both paths set");
let endpoints = server_cfg.transport_endpoints().expect("server endpoints");
let server_proto = server_cfg.to_proto().expect("server proto cfg");
let client_proto = client_cfg.to_proto().expect("client proto cfg");
let dial_cfg = client_cfg.dial_config().expect("client dial config");
assert_eq!(dial_cfg.order, vec![TransportMode::Tcp]);
// Bind via the new `bind_with_outer`, passing the SECOND CA's leaf as the outer-TLS cert.
let mut server = MultiServer::bind_with_outer(
endpoints,
server_proto,
server_cfg.udp_opts(),
server_cfg.tcp_opts(),
Some(outer_resolved.0.as_str()),
Some(outer_resolved.1.as_str()),
)
.await
.expect("bind MultiServer with outer cert");
let accept = tokio::spawn(async move { server.accept().await.map(|a| (a, server)) });
let connect = tokio::spawn(async move { dial(client_proto, dial_cfg).await });
let (accepted, _server_keepalive) = accept
.await
.expect("accept join")
.expect("MultiServer accepted a connection");
let (client_conn, mode): (Arc<dyn PacketConnection>, TransportMode) = connect
.await
.expect("connect join")
.expect("dial connected");
assert_eq!(mode, TransportMode::Tcp);
assert_eq!(accepted.mode, TransportMode::Tcp);
// Critical assertion: the verified inner peer id is the client CN issued by CA #1 — proving
// the inner Aura mutual-auth ran successfully even though the outer TLS used CA #2's cert.
assert_eq!(accepted.peer_id.as_deref(), Some("le-test-client"));
let server_conn = accepted.conn;
// Round-trip a couple of packets to be sure the channel is live end-to-end.
client_conn
.send_packet(b"hello-from-le-client")
.await
.expect("client send");
let got = server_conn.recv_packet().await.expect("server recv");
assert_eq!(got, b"hello-from-le-client");
server_conn.send_packet(b"hi-back").await.expect("srv send");
let got = client_conn.recv_packet().await.expect("client recv");
assert_eq!(got, b"hi-back");
let _ = std::fs::remove_dir_all(&dir);
}
crates/aura-cli/tests/multihop.rs
+510
View File
@@ -0,0 +1,510 @@
//! v3.1 multi-hop / onion-routing integration test.
//!
//! Drives three actors on loopback in one process:
//!
//! * **Exit** — a vanilla [`UdpServer`] bound on a free UDP port. Its cert SAN is
//! `"localhost-exit"`. The server's accept task echoes the first three received packets back to
//! the sender, then drops.
//!
//! * **Relay** — another [`UdpServer`] on a free port, cert SAN `"localhost-relay"`. Its accept
//! task:
//! 1. accepts one connection (running its own outer Aura mutual-auth handshake with the
//! client),
//! 2. uses [`crate::relay::rendezvous`] to read the client's `ExtendBridge` envelope and open
//! a `connect()`ed UDP socket to the exit,
//! 3. spawns [`crate::relay::run_bridge`] to ferry bytes between the client and the bridge.
//!
//! * **Client** — calls [`circuit::dial_circuit_with_relay_name`] with
//! `relay_server_name = Some("localhost-relay")` and `proto_cfg.server_name = "localhost-exit"`.
//! The returned [`circuit::CircuitConnection`] should have `peer_id() == Some("localhost-exit")`
//! — the core multi-hop invariant: the **inner** handshake authenticated the exit's cert
//! through the relay opaquely, even though the outer hop authenticated the relay's cert.
//!
//! The test then exchanges three packets of varying sizes through the circuit and asserts that
//! every echoed reply matches.
use std::net::SocketAddr;
use std::sync::Arc;
use std::time::Duration;
use aura_cli::circuit;
use aura_cli::relay::{self, RendezvousOutcome};
use aura_pki::AuraCa;
use aura_proto::{ClientConfig, PacketConnection, ServerConfig};
use aura_transport::{UdpOpts, UdpServer};
const EXIT_SAN: &str = "localhost-exit";
const RELAY_SAN: &str = "localhost-relay";
const CLIENT_ID: &str = "client-multihop";
/// Reserve and immediately release a free UDP port on loopback (the window before re-bind in the
/// same process is negligible on a quiet test).
fn free_udp_port() -> u16 {
let sock = std::net::UdpSocket::bind("127.0.0.1:0").expect("bind ephemeral udp");
sock.local_addr().expect("local_addr").port()
}
/// Build a [`ServerConfig`] from one shared CA, with the given SAN.
fn server_cfg(ca: &AuraCa, san: &str) -> ServerConfig {
let issued = ca.issue_server_cert(san).expect("issue server cert");
ServerConfig {
ca_cert_pem: ca.ca_cert_pem(),
server_cert_pem: issued.cert_pem,
server_key_pem: issued.key_pem,
}
}
/// Build a [`ClientConfig`] from one shared CA. `server_name` is used by the **inner** handshake
/// (the exit). The outer handshake's expected SAN is overridden separately at
/// [`circuit::dial_circuit_with_relay_name`] callsite.
fn client_cfg(ca: &AuraCa, server_name: &str) -> ClientConfig {
let issued = ca.issue_client_cert(CLIENT_ID).expect("issue client cert");
ClientConfig {
ca_cert_pem: ca.ca_cert_pem(),
client_cert_pem: issued.cert_pem,
client_key_pem: issued.key_pem,
server_name: server_name.to_string(),
}
}
/// Spawn the exit server: accept one connection and echo the first three packets back.
async fn spawn_exit(server: UdpServer) {
let conn = server.accept().await.expect("exit accept");
// The dropped server keeps the master loop alive via the connection's anchor.
drop(server);
let conn: Arc<dyn PacketConnection> = Arc::new(conn);
for _ in 0..3 {
match conn.recv_packet().await {
Ok(pkt) => {
if conn.send_packet(&pkt).await.is_err() {
return;
}
}
Err(_) => return,
}
}
}
/// Spawn the relay server: accept one connection, run the rendezvous, and bridge to the exit.
async fn spawn_relay(server: UdpServer, whitelist: Vec<SocketAddr>) {
let conn = server.accept().await.expect("relay accept");
drop(server);
let conn: Arc<dyn PacketConnection> = Arc::new(conn);
match relay::rendezvous(&conn, &whitelist).await {
RendezvousOutcome::Bridged { bridge } => {
relay::run_bridge(conn, bridge).await;
}
RendezvousOutcome::Refused => {
// Test path that exercises whitelist refusal — the relay sent CircuitFailed
// already; just exit.
}
RendezvousOutcome::Fallback { .. } => {
// The client did not send ExtendBridge — should not happen in the happy path.
panic!("relay rendezvous fell back unexpectedly");
}
}
}
#[tokio::test(flavor = "multi_thread")]
async fn multihop_v3_1_end_to_end() {
// One shared CA. Each role gets its own server cert with its own SAN.
let ca = AuraCa::generate("Aura Multi-Hop Test CA").expect("ca");
let exit_proto = server_cfg(&ca, EXIT_SAN);
let relay_proto = server_cfg(&ca, RELAY_SAN);
let client_proto = client_cfg(&ca, EXIT_SAN);
let exit_port = free_udp_port();
let relay_port = free_udp_port();
let exit_addr: SocketAddr = format!("127.0.0.1:{exit_port}").parse().unwrap();
let relay_addr: SocketAddr = format!("127.0.0.1:{relay_port}").parse().unwrap();
// Bind both servers BEFORE spawning the client so they are ready to accept.
let exit_server =
UdpServer::bind(exit_addr, exit_proto, UdpOpts::default()).expect("bind exit");
let relay_server =
UdpServer::bind(relay_addr, relay_proto, UdpOpts::default()).expect("bind relay");
let exit_actual = exit_server.local_addr().expect("exit addr");
let relay_actual = relay_server.local_addr().expect("relay addr");
// Whitelist contains exactly the exit address.
let whitelist = vec![exit_actual];
let exit_task = tokio::spawn(spawn_exit(exit_server));
let relay_task = tokio::spawn(spawn_relay(relay_server, whitelist));
// Give the servers a beat to enter their accept loops. Not strictly required (accept is
// resumable) but makes the trace easier to follow on failure.
tokio::time::sleep(Duration::from_millis(20)).await;
// Client: dial circuit. proto_cfg.server_name = "localhost-exit" so the inner handshake's
// verifier checks the exit's SAN; the outer handshake checks the relay's SAN via the explicit
// override.
let circuit_conn = tokio::time::timeout(
Duration::from_secs(30),
circuit::dial_circuit_with_relay_name(
&[relay_actual, exit_actual],
client_proto,
UdpOpts::default(),
Some(RELAY_SAN),
),
)
.await
.expect("dial_circuit did not finish within 30s")
.expect("dial_circuit succeeded");
// The core invariant: the INNER handshake authenticated the EXIT (not the relay).
assert_eq!(
circuit_conn.peer_id(),
Some(EXIT_SAN),
"circuit.peer_id() must be the exit's SAN — the inner handshake verified the exit's cert"
);
// Echo three packets of varying sizes through the circuit.
let payloads: Vec<Vec<u8>> = vec![
b"hello multi-hop".to_vec(),
vec![0xCDu8; 800],
(0..=255u8).collect(),
];
for pkt in &payloads {
circuit_conn.send_packet(pkt).await.expect("circuit send");
let echoed = tokio::time::timeout(Duration::from_secs(5), circuit_conn.recv_packet())
.await
.expect("recv timeout")
.expect("recv from exit through circuit");
assert_eq!(&echoed, pkt, "echoed payload must match");
}
// Clean shutdown — drop the client first, then wait for the actors to finish.
drop(circuit_conn);
let _ = tokio::time::timeout(Duration::from_secs(5), exit_task).await;
let _ = tokio::time::timeout(Duration::from_secs(5), relay_task).await;
}
/// A whitelist that does NOT contain the exit's address must cause `dial_circuit` to fail with an
/// error mentioning "allow_extend_to" (the reason string sent in `CircuitFailed`).
#[tokio::test(flavor = "multi_thread")]
async fn multihop_whitelist_rejects_disallowed_exit() {
let ca = AuraCa::generate("Aura Multi-Hop Test CA").expect("ca");
let exit_proto = server_cfg(&ca, EXIT_SAN);
let relay_proto = server_cfg(&ca, RELAY_SAN);
let client_proto = client_cfg(&ca, EXIT_SAN);
let exit_port = free_udp_port();
let relay_port = free_udp_port();
let exit_addr: SocketAddr = format!("127.0.0.1:{exit_port}").parse().unwrap();
let relay_addr: SocketAddr = format!("127.0.0.1:{relay_port}").parse().unwrap();
let exit_server =
UdpServer::bind(exit_addr, exit_proto, UdpOpts::default()).expect("bind exit");
let relay_server =
UdpServer::bind(relay_addr, relay_proto, UdpOpts::default()).expect("bind relay");
let exit_actual = exit_server.local_addr().expect("exit addr");
let relay_actual = relay_server.local_addr().expect("relay addr");
// Whitelist contains a different (fake) exit; the real exit is NOT allowed.
let fake: SocketAddr = "10.255.255.1:9".parse().unwrap();
let whitelist = vec![fake];
// Exit task: just sit there; we expect the relay never bridges to it.
let _exit_task = tokio::spawn(async move {
// Accept may never resolve; exit when test ends.
let _ = exit_server.accept().await;
});
let relay_task = tokio::spawn(spawn_relay(relay_server, whitelist));
tokio::time::sleep(Duration::from_millis(20)).await;
// dial_circuit must error with a message mentioning "allow_extend_to".
let res = tokio::time::timeout(
Duration::from_secs(15),
circuit::dial_circuit_with_relay_name(
&[relay_actual, exit_actual],
client_proto,
UdpOpts::default(),
Some(RELAY_SAN),
),
)
.await
.expect("dial_circuit_with_relay_name returned within 15s");
let err = match res {
Ok(_) => panic!("dial_circuit must fail when exit is not on the whitelist"),
Err(e) => e,
};
let msg = format!("{err:#}");
assert!(
msg.contains("allow_extend_to") || msg.contains("not in"),
"expected 'allow_extend_to' / 'not in' in error, got: {msg}"
);
let _ = tokio::time::timeout(Duration::from_secs(2), relay_task).await;
}
/// When the v3.1 relay path is **disabled** at the server, the server's accept-side never reads
/// the client's ExtendBridge envelope as a control message — instead the server would treat the
/// connection as a normal VPN client. From the client's `dial_circuit` perspective the relay
/// never sends `CircuitReady`, so the client times out (`READY_TIMEOUT_SECS`-bounded).
///
/// This test exercises that exact fallback: we run a `UdpServer` with NO rendezvous task,
/// accept the connection, and just keep it open. The client's `dial_circuit` must return an Err
/// whose message mentions a timeout / CircuitReady.
#[tokio::test(flavor = "multi_thread")]
async fn multihop_back_compat_relay_disabled() {
let ca = AuraCa::generate("Aura Multi-Hop Test CA").expect("ca");
let exit_proto = server_cfg(&ca, EXIT_SAN);
let relay_proto = server_cfg(&ca, RELAY_SAN);
let client_proto = client_cfg(&ca, EXIT_SAN);
let exit_port = free_udp_port();
let relay_port = free_udp_port();
let exit_addr: SocketAddr = format!("127.0.0.1:{exit_port}").parse().unwrap();
let relay_addr: SocketAddr = format!("127.0.0.1:{relay_port}").parse().unwrap();
let exit_server =
UdpServer::bind(exit_addr, exit_proto, UdpOpts::default()).expect("bind exit");
let relay_server =
UdpServer::bind(relay_addr, relay_proto, UdpOpts::default()).expect("bind relay");
let exit_actual = exit_server.local_addr().expect("exit addr");
let relay_actual = relay_server.local_addr().expect("relay addr");
// Exit task: idle.
let _exit_task = tokio::spawn(async move {
let _ = exit_server.accept().await;
});
// Relay task: just accept and keep the connection alive WITHOUT running the rendezvous. This
// models a v2 server that does not know about `ExtendBridge`. The client's incoming
// `ExtendBridge` envelope is just an opaque payload from the server's perspective.
let relay_task = tokio::spawn(async move {
let conn = relay_server.accept().await.expect("relay accept");
// Hold the connection until the test ends.
tokio::time::sleep(Duration::from_secs(20)).await;
drop(conn);
});
tokio::time::sleep(Duration::from_millis(20)).await;
// The client must time out waiting for CircuitReady.
let res = tokio::time::timeout(
Duration::from_secs(20),
circuit::dial_circuit_with_relay_name(
&[relay_actual, exit_actual],
client_proto,
UdpOpts::default(),
Some(RELAY_SAN),
),
)
.await
.expect("dial_circuit returned within 20s");
let err = match res {
Ok(_) => panic!("dial_circuit must fail when the relay never sends CircuitReady"),
Err(e) => e,
};
let msg = format!("{err:#}");
assert!(
msg.contains("timeout") || msg.contains("CircuitReady"),
"expected timeout / CircuitReady in error, got: {msg}"
);
relay_task.abort();
}
// ---- v3.2: 3-hop + per-hop client certs + cell padding -----------------------------------------
use aura_cli::cells::CellPaddingConn;
use aura_cli::circuit::HopConfig;
const ENTRY_SAN: &str = "localhost-entry";
const MIDDLE_SAN: &str = "localhost-middle";
const CLIENT_ID_ENTRY: &str = "client-entry";
const CLIENT_ID_MIDDLE: &str = "client-middle";
const CLIENT_ID_EXIT: &str = "client-exit";
/// Build a [`ClientConfig`] with the given CN and expected server SAN. v3.2: a different cert /
/// CN per hop is the identity-unlinkable design.
fn client_cfg_with_cn(ca: &AuraCa, cn: &str, server_name: &str) -> ClientConfig {
let issued = ca.issue_client_cert(cn).expect("issue client cert");
ClientConfig {
ca_cert_pem: ca.ca_cert_pem(),
client_cert_pem: issued.cert_pem,
client_key_pem: issued.key_pem,
server_name: server_name.to_string(),
}
}
/// v3.2 3-hop end-to-end: `client → A (entry-relay) → B (middle-relay) → C (exit)`. Each hop is
/// a real Aura UdpServer on loopback. The client uses a **different** client cert per hop
/// (identity-unlinkable). The exit echoes three packets which the client must receive back
/// through three layers of AEAD encryption.
#[tokio::test(flavor = "multi_thread")]
async fn multihop_v3_2_three_hops_end_to_end() {
let ca = AuraCa::generate("Aura v3.2 3-hop Test CA").expect("ca");
let entry_proto = server_cfg(&ca, ENTRY_SAN);
let middle_proto = server_cfg(&ca, MIDDLE_SAN);
let exit_proto = server_cfg(&ca, EXIT_SAN);
let entry_port = free_udp_port();
let middle_port = free_udp_port();
let exit_port = free_udp_port();
let entry_addr: SocketAddr = format!("127.0.0.1:{entry_port}").parse().unwrap();
let middle_addr: SocketAddr = format!("127.0.0.1:{middle_port}").parse().unwrap();
let exit_addr: SocketAddr = format!("127.0.0.1:{exit_port}").parse().unwrap();
let entry_server =
UdpServer::bind(entry_addr, entry_proto, UdpOpts::default()).expect("bind entry");
let middle_server =
UdpServer::bind(middle_addr, middle_proto, UdpOpts::default()).expect("bind middle");
let exit_server =
UdpServer::bind(exit_addr, exit_proto, UdpOpts::default()).expect("bind exit");
let entry_actual = entry_server.local_addr().expect("entry addr");
let middle_actual = middle_server.local_addr().expect("middle addr");
let exit_actual = exit_server.local_addr().expect("exit addr");
// Whitelists per hop (CIDR-aware): entry allows middle; middle allows exit. Both can be exact
// entries here; this test exercises the literal-IP:port path.
let entry_whitelist = vec![middle_actual];
let middle_whitelist = vec![exit_actual];
let exit_task = tokio::spawn(spawn_exit(exit_server));
let middle_task = tokio::spawn(spawn_relay(middle_server, middle_whitelist));
let entry_task = tokio::spawn(spawn_relay(entry_server, entry_whitelist));
tokio::time::sleep(Duration::from_millis(50)).await;
// Per-hop client configs: distinct CN per hop, distinct server_name per hop.
let hops = vec![
HopConfig {
addr: entry_actual,
proto_cfg: client_cfg_with_cn(&ca, CLIENT_ID_ENTRY, ENTRY_SAN),
},
HopConfig {
addr: middle_actual,
proto_cfg: client_cfg_with_cn(&ca, CLIENT_ID_MIDDLE, MIDDLE_SAN),
},
HopConfig {
addr: exit_actual,
proto_cfg: client_cfg_with_cn(&ca, CLIENT_ID_EXIT, EXIT_SAN),
},
];
let circuit_conn = tokio::time::timeout(
Duration::from_secs(60),
circuit::dial_circuit(&hops, UdpOpts::default()),
)
.await
.expect("dial_circuit did not finish within 60s")
.expect("dial_circuit succeeded");
// peer_id is the exit's SAN — the innermost handshake authenticated the exit cert through
// every relay opaquely.
assert_eq!(
circuit_conn.peer_id(),
Some(EXIT_SAN),
"circuit.peer_id() must be the exit's SAN through 3 hops"
);
// Echo three packets — through THREE AEAD layers.
let payloads: Vec<Vec<u8>> = vec![
b"hello 3-hop".to_vec(),
vec![0x77u8; 600],
(0..200u8).collect(),
];
for pkt in &payloads {
circuit_conn.send_packet(pkt).await.expect("circuit send");
let echoed = tokio::time::timeout(Duration::from_secs(10), circuit_conn.recv_packet())
.await
.expect("recv timeout")
.expect("recv from exit through 3-hop circuit");
assert_eq!(&echoed, pkt, "echoed payload must match");
}
drop(circuit_conn);
let _ = tokio::time::timeout(Duration::from_secs(5), exit_task).await;
let _ = tokio::time::timeout(Duration::from_secs(5), middle_task).await;
let _ = tokio::time::timeout(Duration::from_secs(5), entry_task).await;
}
/// v3.2: smoke-test the [`CellPaddingConn`] wrap around a 2-hop circuit. The exit also wraps its
/// `Accepted.conn` in a `CellPaddingConn`; the bytes the client sends are padded cells, ferried
/// opaquely through the relay, and unwrapped by the exit. We exchange three payloads of varying
/// (small) sizes through the padded layer.
#[tokio::test(flavor = "multi_thread")]
async fn multihop_v3_2_cell_padding_smoke() {
let ca = AuraCa::generate("Aura v3.2 cell-padding Test CA").expect("ca");
let exit_proto = server_cfg(&ca, EXIT_SAN);
let relay_proto = server_cfg(&ca, RELAY_SAN);
let client_proto = client_cfg(&ca, EXIT_SAN);
let exit_port = free_udp_port();
let relay_port = free_udp_port();
let exit_addr: SocketAddr = format!("127.0.0.1:{exit_port}").parse().unwrap();
let relay_addr: SocketAddr = format!("127.0.0.1:{relay_port}").parse().unwrap();
let exit_server =
UdpServer::bind(exit_addr, exit_proto, UdpOpts::default()).expect("bind exit");
let relay_server =
UdpServer::bind(relay_addr, relay_proto, UdpOpts::default()).expect("bind relay");
let exit_actual = exit_server.local_addr().expect("exit addr");
let relay_actual = relay_server.local_addr().expect("relay addr");
let whitelist = vec![exit_actual];
// Exit echoes three CELL-PADDED packets back. The CellPaddingConn wrap on the exit's side
// means recv_packet returns the original (unpadded) payload, and send_packet pads it again.
let cell_size = 512;
let exit_task = tokio::spawn(async move {
let conn = exit_server.accept().await.expect("exit accept");
drop(exit_server);
let conn: Arc<dyn PacketConnection> = Arc::new(conn);
let wrapped = Arc::new(CellPaddingConn::new(conn, cell_size));
for _ in 0..3 {
match wrapped.recv_packet().await {
Ok(pkt) => {
if wrapped.send_packet(&pkt).await.is_err() {
return;
}
}
Err(_) => return,
}
}
});
let relay_task = tokio::spawn(spawn_relay(relay_server, whitelist));
tokio::time::sleep(Duration::from_millis(20)).await;
let circuit_conn = tokio::time::timeout(
Duration::from_secs(30),
circuit::dial_circuit_with_relay_name(
&[relay_actual, exit_actual],
client_proto,
UdpOpts::default(),
Some(RELAY_SAN),
),
)
.await
.expect("dial_circuit did not finish within 30s")
.expect("dial_circuit succeeded");
// Wrap the client side in CellPaddingConn so its sends become cells.
let padded: Arc<dyn PacketConnection> =
Arc::new(CellPaddingConn::new(circuit_conn.into_dyn(), cell_size));
let payloads: Vec<Vec<u8>> = vec![
b"tiny".to_vec(),
vec![0xEFu8; 100],
b"another payload that fits inside cell".to_vec(),
];
for pkt in &payloads {
padded.send_packet(pkt).await.expect("padded send");
let echoed = tokio::time::timeout(Duration::from_secs(10), padded.recv_packet())
.await
.expect("recv timeout")
.expect("recv from padded exit");
assert_eq!(&echoed, pkt, "padded roundtrip preserves payload");
}
drop(padded);
let _ = tokio::time::timeout(Duration::from_secs(5), exit_task).await;
let _ = tokio::time::timeout(Duration::from_secs(5), relay_task).await;
}
crates/aura-crypto/src/lib.rs
+3 -2
View File
@@ -21,8 +21,9 @@ pub use aead::{AeadKey, AeadSession};
pub use kdf::{derive_session_keys, SessionKeys};
pub use kem::{HybridCiphertext, HybridPrivateKey, HybridPublicKey, HybridSharedSecret};
pub use masks::{
ca_fingerprint, derive_mask_for_msk_date, MaskSet, PADDING_PROFILE_COUNT,
SERVER_HEADER_PALETTE, SNI_PALETTE, USER_AGENT_PALETTE,
ca_fingerprint, derive_mask_for_msk_date, derive_mask_for_msk_date_with_palette, MaskSet,
SniPalette, PADDING_PROFILE_COUNT, SERVER_HEADER_PALETTE, SNI_PALETTE, SNI_PALETTE_RUSSIAN,
USER_AGENT_PALETTE,
};
use thiserror::Error;
crates/aura-crypto/src/masks.rs
+186 -5
View File
@@ -50,6 +50,34 @@ pub const SNI_PALETTE: &[&str] = &[
"ssl.gstatic.com",
];
/// Palette of SNI / HTTP `Host` values for the **Russian** palette ([`SniPalette::Russian`]).
///
/// Real, well-known Russian domains (top portals, marketplaces, banking, video, jobs, news, state
/// services). The goal is for a passive on-path observer (e.g. a Russian ISP doing "domestic vs
/// foreign" billing classification by destination IP / SNI) to see SNI strings that look like
/// ordinary HTTPS to a large Russian site. Combined with an entry-relay hosted on a Russian VPS,
/// this is the v3.2 building block for the "domestic traffic" deployment scenario documented in
/// `docs/deployment.md`.
///
/// All entries are real, currently-live domains as of 2026.
pub const SNI_PALETTE_RUSSIAN: &[&str] = &[
"mail.yandex.ru",
"vk.com",
"www.ozon.ru",
"dzen.ru",
"ya.ru",
"www.gosuslugi.ru",
"www.wildberries.ru",
"rutube.ru",
"news.rambler.ru",
"hh.ru",
"www.tinkoff.ru",
"lenta.ru",
"www.kinopoisk.ru",
"afisha.yandex.ru",
"music.yandex.ru",
];
/// Palette of `User-Agent` strings used by the TCP transport's client masquerade preamble.
pub const USER_AGENT_PALETTE: &[&str] = &[
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
@@ -82,6 +110,32 @@ const HKDF_SALT: &[u8] = b"aura-mask-v1-salt";
/// HKDF info string for daily mask derivation (versioned alongside the salt).
const HKDF_INFO: &[u8] = b"aura-mask-v1";
/// Which SNI palette to pick the daily mask's `sni` / `http_host` from.
///
/// The v2 default ([`SniPalette::Default`]) picks from [`SNI_PALETTE`] (global CDN-like names) and
/// is what every existing deployment uses unless explicitly opted out. v3.2 adds
/// [`SniPalette::Russian`] (picks from [`SNI_PALETTE_RUSSIAN`]) so a client behind a Russian
/// "domestic vs foreign" traffic classifier can pin the outer-TLS SNI to a domestic-looking
/// hostname while still tunneling through a multi-hop circuit; [`SniPalette::Mixed`] uses one of
/// the HKDF output bytes to flip between the two palettes day-by-day for variety.
///
/// Only the `sni` and `http_host` fields of the produced [`MaskSet`] are affected; the User-Agent /
/// Server-header / padding-profile palettes are not palette-dependent in v3.2.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Default)]
pub enum SniPalette {
/// Global CDN-like palette ([`SNI_PALETTE`]). The pre-v3.2 default; back-compat behaviour.
#[default]
Default,
/// Russian top-domain palette ([`SNI_PALETTE_RUSSIAN`]). Use when the SNI should look like
/// ordinary HTTPS to a large Russian site (typical case: an entry-relay hosted on a Russian
/// VPS that an ISP would classify as "domestic" traffic).
Russian,
/// Mix of both palettes: an HKDF output byte selects Default vs Russian per (CA, MSK-date), so
/// across a population of days roughly half the SNI strings come from each palette. Useful for
/// adding variety without committing entirely to one classifier signal.
Mixed,
}
/// One day's worth of masking parameters: SNI / HTTP headers / padding profile.
///
/// Derived deterministically by [`derive_mask_for_msk_date`] from `(ca_fingerprint, msk_date)` so
@@ -126,12 +180,34 @@ pub fn ca_fingerprint(ca_cert_pem: &str) -> Result<[u8; 32], CryptoError> {
}
/// Derive the daily [`MaskSet`] for `(ca_fingerprint, year-month-day)`, where the date is the
/// **MSK** calendar day (UTC+3) the mask is current on.
/// **MSK** calendar day (UTC+3) the mask is current on. Uses the default SNI palette
/// ([`SniPalette::Default`] — back-compat with every pre-v3.2 deployment).
///
/// HKDF-SHA256 with `ikm = ca_fp || '|' || "YYYY-MM-DD"`, fixed salt, fixed info. The 64-byte OKM
/// is sliced into four 2-byte big-endian indices, each taken `mod len(palette)`.
/// Thin wrapper over [`derive_mask_for_msk_date_with_palette`].
#[must_use]
pub fn derive_mask_for_msk_date(ca_fp: &[u8; 32], year: i32, month: u32, day: u32) -> MaskSet {
derive_mask_for_msk_date_with_palette(ca_fp, year, month, day, SniPalette::Default)
}
/// Derive the daily [`MaskSet`] for `(ca_fingerprint, year-month-day)` from a specific SNI
/// palette. The date is the **MSK** calendar day (UTC+3) the mask is current on.
///
/// HKDF-SHA256 with `ikm = ca_fp || '|' || "YYYY-MM-DD"`, fixed salt, fixed info. The 64-byte OKM
/// is sliced into 2-byte big-endian indices (each taken `mod len(palette)`); for
/// [`SniPalette::Mixed`] an extra OKM byte chooses between the Default and Russian palettes.
///
/// Only the `sni` / `http_host` fields are affected by `palette`; User-Agent, Server-header, and
/// padding-profile index always come from the same OKM bytes in the same palettes (so a v3.2
/// deployment that flips `palette` between days does NOT alter those fields and therefore stays
/// byte-compatible with every existing transport-side test).
#[must_use]
pub fn derive_mask_for_msk_date_with_palette(
ca_fp: &[u8; 32],
year: i32,
month: u32,
day: u32,
palette: SniPalette,
) -> MaskSet {
// Build IKM = ca_fp || "|" || "YYYY-MM-DD" (zero-padded). No allocations beyond this small Vec.
let mut ikm = Vec::with_capacity(32 + 1 + 10);
ikm.extend_from_slice(ca_fp);
@@ -145,12 +221,33 @@ pub fn derive_mask_for_msk_date(ca_fp: &[u8; 32], year: i32, month: u32, day: u3
hk.expand(HKDF_INFO, &mut okm)
.expect("HKDF expand of 64 bytes cannot fail for SHA-256");
let sni_idx = u16::from_be_bytes([okm[0], okm[1]]) as usize % SNI_PALETTE.len();
// Pick the SNI palette to draw from. For Mixed, byte 8 of the OKM (untouched by the existing
// four 2-byte indices below) selects Default vs Russian — its low bit gives ~50/50 across
// (CA, date) pairs without disturbing the v2 indexing of the other fields.
let effective_palette = match palette {
SniPalette::Default => SniPalette::Default,
SniPalette::Russian => SniPalette::Russian,
SniPalette::Mixed => {
if okm[8] & 1 == 0 {
SniPalette::Default
} else {
SniPalette::Russian
}
}
};
let sni_palette: &[&str] = match effective_palette {
SniPalette::Default => SNI_PALETTE,
SniPalette::Russian => SNI_PALETTE_RUSSIAN,
// `Mixed` cannot survive the resolution above; the match is exhaustive on the variant set.
SniPalette::Mixed => SNI_PALETTE,
};
let sni_idx = u16::from_be_bytes([okm[0], okm[1]]) as usize % sni_palette.len();
let ua_idx = u16::from_be_bytes([okm[2], okm[3]]) as usize % USER_AGENT_PALETTE.len();
let srv_idx = u16::from_be_bytes([okm[4], okm[5]]) as usize % SERVER_HEADER_PALETTE.len();
let pad_idx = u16::from_be_bytes([okm[6], okm[7]]) as u8 % PADDING_PROFILE_COUNT;
let sni = SNI_PALETTE[sni_idx].to_string();
let sni = sni_palette[sni_idx].to_string();
MaskSet {
http_host: sni.clone(),
sni,
@@ -283,6 +380,90 @@ mod tests {
assert_eq!(m.http_host, m.sni, "http_host mirrors sni by default");
}
/// v3.2 palette: every day derived with [`SniPalette::Russian`] yields an SNI in
/// [`SNI_PALETTE_RUSSIAN`] (and the `http_host` mirror tracks the SNI as before).
#[test]
fn russian_palette_picks_from_russian_list() {
let ca_fp = [13u8; 32];
// Sweep through a month so we exercise multiple HKDF outputs / palette indices.
for day in 1..=28u32 {
let m =
derive_mask_for_msk_date_with_palette(&ca_fp, 2026, 5, day, SniPalette::Russian);
assert!(
SNI_PALETTE_RUSSIAN.iter().any(|s| *s == m.sni),
"Russian palette produced unexpected SNI '{}' on day 2026-05-{day:02}",
m.sni
);
// The other fields still come from the global palettes — palette is sni-only.
assert!(USER_AGENT_PALETTE.iter().any(|s| *s == m.user_agent));
assert!(SERVER_HEADER_PALETTE.iter().any(|s| *s == m.server_header));
assert!(m.padding_profile_id < PADDING_PROFILE_COUNT);
assert_eq!(
m.http_host, m.sni,
"http_host mirrors sni for Russian palette too"
);
}
}
/// Back-compat: [`SniPalette::Default`] (and the v2 [`derive_mask_for_msk_date`] wrapper)
/// produce byte-identical `MaskSet`s — every existing test that used the wrapper stays valid.
#[test]
fn default_palette_unchanged() {
let ca_fp = [55u8; 32];
// Sample a handful of dates including the today-of-the-task one and edges of months.
let dates = [(2026, 1, 1), (2026, 5, 27), (2026, 12, 31), (2024, 2, 29)];
for (y, m, d) in dates {
let legacy = derive_mask_for_msk_date(&ca_fp, y, m, d);
let with_default =
derive_mask_for_msk_date_with_palette(&ca_fp, y, m, d, SniPalette::Default);
assert_eq!(
legacy, with_default,
"Default palette must equal legacy derive_mask_for_msk_date for {y}-{m:02}-{d:02}"
);
}
}
/// [`SniPalette::Mixed`] over a month-long sweep yields SNIs from both palettes (or at least
/// changes between consecutive days), proving the palette-selector bit actually toggles. We
/// assert "at least one Default-palette SNI AND at least one Russian-palette SNI appear".
#[test]
fn mixed_palette_picks_from_either() {
let ca_fp = [77u8; 32];
let mut saw_default = false;
let mut saw_russian = false;
// 30 consecutive days — more than enough HKDF outputs to flip the selector bit both ways
// unless we have a wildly biased input (we don't: ca_fp is constant, only the date varies).
for day in 1..=30u32 {
let m = derive_mask_for_msk_date_with_palette(&ca_fp, 2026, 5, day, SniPalette::Mixed);
let in_default = SNI_PALETTE.iter().any(|s| *s == m.sni);
let in_russian = SNI_PALETTE_RUSSIAN.iter().any(|s| *s == m.sni);
assert!(
in_default || in_russian,
"Mixed-palette SNI '{}' is in neither palette on day 2026-05-{day:02}",
m.sni
);
saw_default |= in_default;
saw_russian |= in_russian;
}
assert!(
saw_default && saw_russian,
"Mixed palette never produced both palette types in 30 days \
(saw_default={saw_default}, saw_russian={saw_russian}); the selector bit is stuck"
);
}
/// Sanity: the Russian palette has at least the documented size of 10 entries (the modulo
/// indexing would panic on `% 0` if the array were empty, so this also guards against an
/// accidental wipe).
#[test]
fn russian_palette_has_entries() {
assert!(
SNI_PALETTE_RUSSIAN.len() >= 10,
"Russian palette is too small: {} entries",
SNI_PALETTE_RUSSIAN.len()
);
}
#[test]
fn format_ymd_zero_pads() {
assert_eq!(format_ymd(2026, 1, 5), "2026-01-05");
crates/aura-pki/Cargo.toml
+4
View File
@@ -20,3 +20,7 @@ anyhow.workspace = true
webpki = { package = "rustls-webpki", version = "0.103", default-features = false, features = ["ring"] }
# Certificate validity windows (not_before / not_after). Already in the lockfile.
time = { version = "0.3", default-features = false, features = ["std"] }
# v2 in-band CRL signing/verification: ECDSA P-256 sign over the CRL body, verify against
# the CA's public key. `ring` is already pulled transitively by `rustls-webpki` (the lockfile
# entry is `ring 0.17.14`) so this adds no new workspace dependency.
ring = "0.17"
crates/aura-pki/src/store.rs
+211 -1
View File
@@ -4,12 +4,36 @@
//! identifier strings. An identifier is either a certificate serial number
//! (lowercase hex, no separators) or a client id / Common Name. A certificate
//! is rejected if any of those identifiers is present in the set.
//!
//! ## v2 signed wire format
//!
//! [`CrlStore::save_signed`] / [`CrlStore::load_signed_verified`] add an ECDSA-P256/SHA-256
//! signature over the unsigned text body so the in-band CRL push (server -> client) is tamper-
//! evident even though the existing AEAD session already binds the link to the verified server
//! identity. The on-disk / on-wire layout is:
//!
//! ```text
//! CRL-Aura-v1\n
//! <id-1>\n
//! <id-2>\n
//! ...
//! --SIGNATURE--\n
//! <hex-encoded ECDSA-P256 signature over the bytes *before* this marker line>\n
//! ```
//!
//! The signed bytes are everything up to and including the newline at the end of the last id (the
//! `"--SIGNATURE--\n"` marker is **not** part of the signed input). Verification recovers the CA
//! public key from the CA certificate PEM and checks the signature with `ring`.
use std::collections::BTreeSet;
use std::fs;
use std::path::Path;
use anyhow::Context;
use anyhow::{anyhow, Context};
use ring::signature::{
EcdsaKeyPair, UnparsedPublicKey, ECDSA_P256_SHA256_ASN1, ECDSA_P256_SHA256_ASN1_SIGNING,
};
use x509_parser::prelude::FromDer;
/// A set of revoked certificate identifiers (serials and/or client ids).
#[derive(Debug, Default, Clone, PartialEq, Eq)]
@@ -71,6 +95,192 @@ impl CrlStore {
.map(str::to_string),
))
}
/// Produce the signed wire/disk bytes (header + ids + `--SIGNATURE--` block) for this CRL.
///
/// The body up to and including the last id's trailing newline is signed with the CA's
/// ECDSA-P256/SHA-256 key; the signature is appended hex-encoded after the marker. The exact
/// layout is described in the module-level docs.
///
/// `ca_cert_pem` is included for parity with [`Self::load_signed_verified`] but is only used
/// to validate the operator did not pass mismatched material — the signing path itself only
/// needs the key PEM.
pub fn encode_signed(&self, ca_cert_pem: &str, ca_key_pem: &str) -> anyhow::Result<Vec<u8>> {
// Sanity-check the CA cert PEM is parseable so we never write a CRL the loader cannot
// verify against the same anchor.
ca_public_key_from_pem(ca_cert_pem).context("invalid CA certificate PEM for signing")?;
let body = self.signed_body();
let signature =
sign_ecdsa_p256(ca_key_pem, body.as_bytes()).context("signing CRL with the CA key")?;
let mut out = Vec::with_capacity(body.len() + 32 + signature.len() * 2);
out.extend_from_slice(body.as_bytes());
out.extend_from_slice(SIGNATURE_MARKER);
out.extend_from_slice(hex_encode(&signature).as_bytes());
out.push(b'\n');
Ok(out)
}
/// Persist the CRL in the signed v2 format under `path` (creating parent dirs as needed).
pub fn save_signed(
&self,
path: &Path,
ca_cert_pem: &str,
ca_key_pem: &str,
) -> anyhow::Result<()> {
let bytes = self.encode_signed(ca_cert_pem, ca_key_pem)?;
if let Some(parent) = path.parent() {
if !parent.as_os_str().is_empty() {
fs::create_dir_all(parent)
.with_context(|| format!("creating CRL dir {}", parent.display()))?;
}
}
fs::write(path, &bytes)
.with_context(|| format!("writing signed CRL to {}", path.display()))?;
Ok(())
}
/// Parse a signed CRL blob and verify its signature against the CA cert PEM.
///
/// On success the parsed [`CrlStore`] is returned. Any tampering (modified body or signature)
/// yields an `Err` so the caller can refuse to apply a non-authentic CRL.
pub fn decode_signed_verified(bytes: &[u8], ca_cert_pem: &str) -> anyhow::Result<Self> {
let text = std::str::from_utf8(bytes)
.map_err(|e| anyhow!("signed CRL is not valid UTF-8: {e}"))?;
let marker = std::str::from_utf8(SIGNATURE_MARKER)
.expect("SIGNATURE_MARKER is a static ASCII literal");
let idx = text
.find(marker)
.ok_or_else(|| anyhow!("signed CRL missing '--SIGNATURE--' marker"))?;
let body = &text[..idx];
let sig_text = text[idx + marker.len()..].trim();
let signature = hex_decode(sig_text).context("decoding signed CRL hex signature")?;
let pubkey = ca_public_key_from_pem(ca_cert_pem)
.context("loading CA public key for CRL verification")?;
UnparsedPublicKey::new(&ECDSA_P256_SHA256_ASN1, pubkey.as_slice())
.verify(body.as_bytes(), &signature)
.map_err(|_| anyhow!("signed CRL signature did not verify"))?;
// Parse the inner body. Skip the magic line, then keep non-empty / non-comment lines.
let mut lines = body.lines();
let header = lines
.next()
.ok_or_else(|| anyhow!("empty signed CRL body"))?;
if header.trim() != SIGNED_CRL_HEADER {
return Err(anyhow!(
"unexpected signed CRL header '{header}', expected '{SIGNED_CRL_HEADER}'"
));
}
Ok(Self::from_iter(
lines
.map(str::trim)
.filter(|l| !l.is_empty() && !l.starts_with('#'))
.map(str::to_string),
))
}
/// Load a signed CRL file (the inverse of [`Self::save_signed`]) and verify its signature.
pub fn load_signed_verified(path: &Path, ca_cert_pem: &str) -> anyhow::Result<Self> {
let bytes = fs::read(path)
.with_context(|| format!("reading signed CRL from {}", path.display()))?;
Self::decode_signed_verified(&bytes, ca_cert_pem)
}
/// Internal: produce the bytes that get signed (header + ids).
fn signed_body(&self) -> String {
let mut s = String::new();
s.push_str(SIGNED_CRL_HEADER);
s.push('\n');
for id in &self.revoked {
s.push_str(id);
s.push('\n');
}
s
}
}
/// First line of the signed CRL body.
const SIGNED_CRL_HEADER: &str = "CRL-Aura-v1";
/// Bytes separating the signed body from the hex signature.
const SIGNATURE_MARKER: &[u8] = b"--SIGNATURE--\n";
/// Sign `body` with an ECDSA-P256/SHA-256 PKCS#8 key (PEM-encoded). Returns the ASN.1 signature
/// bytes (variable-length DER) that `ring::signature::ECDSA_P256_SHA256_ASN1` accepts on verify.
fn sign_ecdsa_p256(ca_key_pem: &str, body: &[u8]) -> anyhow::Result<Vec<u8>> {
let pkcs8_der = pem_block_to_der(ca_key_pem, &["PRIVATE KEY", "EC PRIVATE KEY"])
.ok_or_else(|| anyhow!("no PKCS#8 private-key block in CA key PEM"))?;
let rng = ring::rand::SystemRandom::new();
let key_pair = EcdsaKeyPair::from_pkcs8(&ECDSA_P256_SHA256_ASN1_SIGNING, &pkcs8_der, &rng)
.map_err(|e| anyhow!("invalid CA PKCS#8 ECDSA P-256 key: {e}"))?;
let sig = key_pair
.sign(&rng, body)
.map_err(|e| anyhow!("ECDSA signing failed: {e}"))?;
Ok(sig.as_ref().to_vec())
}
/// Extract the CA's uncompressed EC public-key point from a CA certificate PEM.
fn ca_public_key_from_pem(ca_cert_pem: &str) -> anyhow::Result<Vec<u8>> {
let der = pem_block_to_der(ca_cert_pem, &["CERTIFICATE"])
.ok_or_else(|| anyhow!("no CERTIFICATE block in CA PEM"))?;
let (_, cert) = x509_parser::certificate::X509Certificate::from_der(&der)
.map_err(|e| anyhow!("failed to parse CA certificate DER: {e}"))?;
Ok(cert.public_key().subject_public_key.data.to_vec())
}
/// Iterate PEM blocks and return the first whose label matches one of `labels`.
fn pem_block_to_der(pem: &str, labels: &[&str]) -> Option<Vec<u8>> {
for item in x509_parser::pem::Pem::iter_from_buffer(pem.as_bytes()) {
let item = item.ok()?;
if labels.contains(&item.label.as_str()) {
return Some(item.contents);
}
}
None
}
/// Lowercase hex of a byte slice.
fn hex_encode(bytes: &[u8]) -> String {
let mut s = String::with_capacity(bytes.len() * 2);
for b in bytes {
s.push(nibble_to_hex(b >> 4));
s.push(nibble_to_hex(b & 0x0F));
}
s
}
/// Decode a lowercase/uppercase hex string into bytes. Returns an error on any non-hex character or
/// odd length.
fn hex_decode(s: &str) -> anyhow::Result<Vec<u8>> {
let s = s.trim();
if !s.len().is_multiple_of(2) {
return Err(anyhow!("hex string has odd length ({} chars)", s.len()));
}
let mut out = Vec::with_capacity(s.len() / 2);
let bytes = s.as_bytes();
for chunk in bytes.chunks_exact(2) {
let hi = hex_to_nibble(chunk[0])?;
let lo = hex_to_nibble(chunk[1])?;
out.push((hi << 4) | lo);
}
Ok(out)
}
fn nibble_to_hex(n: u8) -> char {
match n {
0..=9 => (b'0' + n) as char,
10..=15 => (b'a' + n - 10) as char,
_ => '?',
}
}
fn hex_to_nibble(c: u8) -> anyhow::Result<u8> {
match c {
b'0'..=b'9' => Ok(c - b'0'),
b'a'..=b'f' => Ok(c - b'a' + 10),
b'A'..=b'F' => Ok(c - b'A' + 10),
other => Err(anyhow!("invalid hex character 0x{other:02x}")),
}
}
impl FromIterator<String> for CrlStore {
crates/aura-pki/tests/crl_signing.rs
+163
View File
@@ -0,0 +1,163 @@
//! Tests for the v2 signed-CRL format ([`CrlStore::save_signed`] / [`CrlStore::load_signed_verified`]).
//!
//! Covers:
//! * happy-path round-trip (encode + decode + verify against the same CA),
//! * tampered body rejection (mutate any character in the id list),
//! * tampered signature rejection (flip a nibble in the hex signature),
//! * cross-CA rejection (decode against a different CA's public key fails),
//! * missing-marker rejection.
use std::path::PathBuf;
use aura_pki::{AuraCa, CrlStore};
use uuid::Uuid;
/// A unique temp file path so parallel tests do not collide.
fn temp_path(suffix: &str) -> PathBuf {
let mut p = std::env::temp_dir();
p.push(format!("aura-pki-test-{}-{suffix}", Uuid::new_v4()));
p
}
/// Helper: build a CA + a small CRL of two ids.
fn make_ca_and_crl() -> (AuraCa, String, CrlStore) {
let ca = AuraCa::generate("Aura Test CRL CA").unwrap();
let ca_cert_pem = ca.ca_cert_pem();
let mut crl = CrlStore::new();
crl.revoke("alice");
crl.revoke("deadbeef");
(ca, ca_cert_pem, crl)
}
#[test]
fn signed_crl_round_trip_verifies() {
// Borrow a CA + key from the in-memory AuraCa via save/load.
let cert_path = temp_path("ca.crt");
let key_path = temp_path("ca.key");
let (ca, ca_cert_pem, crl) = make_ca_and_crl();
ca.save(&cert_path, &key_path).unwrap();
let ca_key_pem = std::fs::read_to_string(&key_path).unwrap();
let crl_path = temp_path("revoked.crl");
crl.save_signed(&crl_path, &ca_cert_pem, &ca_key_pem)
.expect("save_signed succeeds");
let loaded =
CrlStore::load_signed_verified(&crl_path, &ca_cert_pem).expect("verification succeeds");
assert!(loaded.contains("alice"));
assert!(loaded.contains("deadbeef"));
assert!(!loaded.contains("bob"));
assert_eq!(loaded.len(), 2);
let _ = std::fs::remove_file(cert_path);
let _ = std::fs::remove_file(key_path);
let _ = std::fs::remove_file(crl_path);
}
#[test]
fn tampered_body_fails_verification() {
let cert_path = temp_path("ca.crt");
let key_path = temp_path("ca.key");
let (ca, ca_cert_pem, crl) = make_ca_and_crl();
ca.save(&cert_path, &key_path).unwrap();
let ca_key_pem = std::fs::read_to_string(&key_path).unwrap();
let bytes = crl.encode_signed(&ca_cert_pem, &ca_key_pem).unwrap();
let mut text = String::from_utf8(bytes).unwrap();
// Tamper with an id: replace 'alice' with 'allice' (one byte more, sig over original body).
text = text.replacen("alice", "allice", 1);
let res = CrlStore::decode_signed_verified(text.as_bytes(), &ca_cert_pem);
assert!(res.is_err(), "tampered body must fail verification");
let _ = std::fs::remove_file(cert_path);
let _ = std::fs::remove_file(key_path);
}
#[test]
fn tampered_signature_fails_verification() {
let cert_path = temp_path("ca.crt");
let key_path = temp_path("ca.key");
let (ca, ca_cert_pem, crl) = make_ca_and_crl();
ca.save(&cert_path, &key_path).unwrap();
let ca_key_pem = std::fs::read_to_string(&key_path).unwrap();
let bytes = crl.encode_signed(&ca_cert_pem, &ca_key_pem).unwrap();
let mut text = String::from_utf8(bytes).unwrap();
// Flip the last hex nibble of the signature.
let last_idx = text.rfind(|c: char| c.is_ascii_hexdigit()).unwrap();
let ch = text.as_bytes()[last_idx];
let new = if ch == b'0' { b'1' } else { b'0' };
unsafe {
text.as_bytes_mut()[last_idx] = new;
}
let res = CrlStore::decode_signed_verified(text.as_bytes(), &ca_cert_pem);
assert!(res.is_err(), "tampered signature must fail verification");
let _ = std::fs::remove_file(cert_path);
let _ = std::fs::remove_file(key_path);
}
#[test]
fn signature_against_wrong_ca_fails() {
let cert_path = temp_path("ca.crt");
let key_path = temp_path("ca.key");
let (ca, ca_cert_pem, crl) = make_ca_and_crl();
ca.save(&cert_path, &key_path).unwrap();
let ca_key_pem = std::fs::read_to_string(&key_path).unwrap();
let bytes = crl.encode_signed(&ca_cert_pem, &ca_key_pem).unwrap();
// A different CA's anchor cannot verify a CRL signed by the original.
let rogue = AuraCa::generate("Rogue CA").unwrap();
let res = CrlStore::decode_signed_verified(&bytes, &rogue.ca_cert_pem());
assert!(res.is_err(), "wrong CA must fail verification");
let _ = std::fs::remove_file(cert_path);
let _ = std::fs::remove_file(key_path);
}
#[test]
fn missing_marker_is_rejected() {
let (_, ca_cert_pem, _) = make_ca_and_crl();
let bogus = b"CRL-Aura-v1\nalice\nbob\nno-marker-here\n";
assert!(CrlStore::decode_signed_verified(bogus, &ca_cert_pem).is_err());
}
#[test]
fn unknown_header_is_rejected() {
let cert_path = temp_path("ca.crt");
let key_path = temp_path("ca.key");
let (ca, ca_cert_pem, crl) = make_ca_and_crl();
ca.save(&cert_path, &key_path).unwrap();
let ca_key_pem = std::fs::read_to_string(&key_path).unwrap();
let bytes = crl.encode_signed(&ca_cert_pem, &ca_key_pem).unwrap();
// Mutate the header line to something else and re-sign would be needed — but here we just
// check that the parser rejects an unknown header verbatim (signature also fails because we
// mutated the signed body, but the header check fires first).
let mut text = String::from_utf8(bytes).unwrap();
text = text.replacen("CRL-Aura-v1", "CRL-Aura-v9", 1);
let res = CrlStore::decode_signed_verified(text.as_bytes(), &ca_cert_pem);
assert!(res.is_err(), "unknown header must be rejected");
let _ = std::fs::remove_file(cert_path);
let _ = std::fs::remove_file(key_path);
}
#[test]
fn empty_crl_round_trip() {
let cert_path = temp_path("ca.crt");
let key_path = temp_path("ca.key");
let ca = AuraCa::generate("Aura Test CRL CA").unwrap();
ca.save(&cert_path, &key_path).unwrap();
let ca_cert_pem = ca.ca_cert_pem();
let ca_key_pem = std::fs::read_to_string(&key_path).unwrap();
let crl = CrlStore::new();
let bytes = crl.encode_signed(&ca_cert_pem, &ca_key_pem).unwrap();
let loaded = CrlStore::decode_signed_verified(&bytes, &ca_cert_pem).unwrap();
assert!(loaded.is_empty(), "empty signed CRL round-trips as empty");
let _ = std::fs::remove_file(cert_path);
let _ = std::fs::remove_file(key_path);
}
crates/aura-proto/src/frame.rs
+312
View File
@@ -176,6 +176,138 @@ mod frame_tag {
pub const CLOSE: u8 = 0x04;
}
/// Kinds of in-band control message carried inside a [`CONTROL_ENVELOPE_MAGIC`]-prefixed payload.
///
/// The wire byte is the discriminant. Unknown values decode as [`ControlKind::Unknown`] so peers
/// running older builds gracefully ignore future kinds without dropping the connection.
///
/// v2's CRL push reuses the existing post-handshake [`crate::PacketConnection::send_packet`] path
/// rather than introducing a new [`Frame`] variant: a real IPv4/IPv6 packet always starts with
/// `0x4X` / `0x6X`, so the 4-byte magic [`CONTROL_ENVELOPE_MAGIC`] (which starts with `0xAA`) can
/// be safely multiplexed alongside ordinary packets without changing the on-wire frame schema or
/// any transport-level `match Frame` that already exists.
///
/// v3.1 multi-hop / onion routing adds three kinds for circuit setup:
///
/// * [`ControlKind::ExtendBridge`] (`0x03`) — client → relay, asking the relay to splice this
/// connection to a downstream `exit_addr`. Payload is the [`encode_extend_bridge`] binary form.
/// * [`ControlKind::CircuitReady`] (`0x04`) — relay → client, the bridge is up; no payload.
/// * [`ControlKind::CircuitFailed`] (`0x05`) — relay → client, the bridge could not be set up;
/// payload is a UTF-8 reason string.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ControlKind {
/// Server -> client: push the server's current CRL (signed payload).
CrlPush,
/// Client -> server: acknowledge a [`ControlKind::CrlPush`].
CrlAck,
/// Client -> relay: please open a bridge to the given `exit_addr` (v3.1 multi-hop).
ExtendBridge,
/// Relay -> client: the bridge is up; the next bytes from the client travel opaquely to the
/// exit (v3.1 multi-hop).
CircuitReady,
/// Relay -> client: the bridge could not be set up; payload is a UTF-8 reason string (v3.1
/// multi-hop).
CircuitFailed,
/// Any byte the receiver does not recognise. The connection keeps running.
Unknown(u8),
}
impl ControlKind {
/// Encode this control kind to its on-wire byte.
#[must_use]
pub fn to_u8(self) -> u8 {
match self {
ControlKind::CrlPush => 0x01,
ControlKind::CrlAck => 0x02,
ControlKind::ExtendBridge => 0x03,
ControlKind::CircuitReady => 0x04,
ControlKind::CircuitFailed => 0x05,
ControlKind::Unknown(b) => b,
}
}
/// Decode an on-wire byte into a [`ControlKind`]. Unknown bytes yield [`ControlKind::Unknown`].
#[must_use]
pub fn from_u8(b: u8) -> Self {
match b {
0x01 => ControlKind::CrlPush,
0x02 => ControlKind::CrlAck,
0x03 => ControlKind::ExtendBridge,
0x04 => ControlKind::CircuitReady,
0x05 => ControlKind::CircuitFailed,
other => ControlKind::Unknown(other),
}
}
}
/// Encode an `ExtendBridge` payload describing the target `exit_addr`.
///
/// Wire layout (big-endian where multi-byte):
///
/// ```text
/// family(u8 = 4|6) || addr_bytes(4 or 16) || port(u16)
/// ```
///
/// The result is the **payload** of a [`ControlKind::ExtendBridge`] control envelope; the caller
/// wraps it with [`encode_control_envelope`].
#[must_use]
pub fn encode_extend_bridge(addr: std::net::SocketAddr) -> Vec<u8> {
let port = addr.port();
match addr.ip() {
std::net::IpAddr::V4(v4) => {
let octets = v4.octets();
let mut out = Vec::with_capacity(1 + 4 + 2);
out.push(4);
out.extend_from_slice(&octets);
out.extend_from_slice(&port.to_be_bytes());
out
}
std::net::IpAddr::V6(v6) => {
let octets = v6.octets();
let mut out = Vec::with_capacity(1 + 16 + 2);
out.push(6);
out.extend_from_slice(&octets);
out.extend_from_slice(&port.to_be_bytes());
out
}
}
}
/// Decode an `ExtendBridge` payload back into a [`std::net::SocketAddr`].
///
/// See [`encode_extend_bridge`] for the wire layout. Returns a static error string on any
/// truncation, unknown family, or trailing garbage.
pub fn decode_extend_bridge(payload: &[u8]) -> Result<std::net::SocketAddr, &'static str> {
if payload.is_empty() {
return Err("ExtendBridge: empty payload");
}
match payload[0] {
4 => {
if payload.len() != 1 + 4 + 2 {
return Err("ExtendBridge: bad v4 payload length");
}
let octets: [u8; 4] = payload[1..5]
.try_into()
.expect("slice of length 4 converts to [u8; 4]");
let port = u16::from_be_bytes([payload[5], payload[6]]);
let ip = std::net::Ipv4Addr::from(octets);
Ok(std::net::SocketAddr::new(std::net::IpAddr::V4(ip), port))
}
6 => {
if payload.len() != 1 + 16 + 2 {
return Err("ExtendBridge: bad v6 payload length");
}
let octets: [u8; 16] = payload[1..17]
.try_into()
.expect("slice of length 16 converts to [u8; 16]");
let port = u16::from_be_bytes([payload[17], payload[18]]);
let ip = std::net::Ipv6Addr::from(octets);
Ok(std::net::SocketAddr::new(std::net::IpAddr::V6(ip), port))
}
_ => Err("ExtendBridge: unknown address family"),
}
}
/// Application-level frames carried inside encrypted [`MsgType::Data`] records (§6.3).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Frame {
@@ -289,6 +421,64 @@ fn read_u32(buf: &[u8], what: &'static str) -> Result<u32, ProtoError> {
Ok(u32::from_be_bytes(bytes))
}
/// Magic prefix marking a v2 control-envelope multiplexed through [`PacketConnection::send_packet`].
///
/// An IPv4 packet's first byte is `0x4X` and an IPv6 packet's first byte is `0x6X`, so the four
/// magic bytes `[0xAA, 0xAA, 0xC0, 0x01]` can never collide with a real IP packet — the TUN layer
/// already rejects anything starting with a byte whose top nibble is not `4` or `6`.
///
/// Envelope layout:
///
/// ```text
/// CONTROL_ENVELOPE_MAGIC (4 bytes) || kind (u8) || u32_be(payload_len) || payload
/// ```
pub const CONTROL_ENVELOPE_MAGIC: [u8; 4] = [0xAA, 0xAA, 0xC0, 0x01];
/// Build a control envelope around `kind` + `payload`, suitable for
/// [`crate::PacketConnection::send_packet`].
///
/// Layout: `MAGIC(4) || kind(u8) || u32_be(payload_len) || payload`.
#[must_use]
pub fn encode_control_envelope(kind: ControlKind, payload: &[u8]) -> Vec<u8> {
let mut out = Vec::with_capacity(CONTROL_ENVELOPE_MAGIC.len() + 1 + 4 + payload.len());
out.extend_from_slice(&CONTROL_ENVELOPE_MAGIC);
out.push(kind.to_u8());
out.extend_from_slice(&(payload.len() as u32).to_be_bytes());
out.extend_from_slice(payload);
out
}
/// Try to decode a buffer as a control envelope.
///
/// Returns `None` if `buf` does not start with [`CONTROL_ENVELOPE_MAGIC`] (i.e. it is a normal IP
/// packet). Returns [`ProtoError::MalformedFrame`] if the buffer starts with the magic but is
/// truncated or its length field overflows the buffer.
pub fn decode_control_envelope(buf: &[u8]) -> Result<Option<(ControlKind, Vec<u8>)>, ProtoError> {
if buf.len() < CONTROL_ENVELOPE_MAGIC.len() || &buf[..4] != CONTROL_ENVELOPE_MAGIC.as_slice() {
return Ok(None);
}
let rest = &buf[CONTROL_ENVELOPE_MAGIC.len()..];
let kind_byte = *rest
.first()
.ok_or(ProtoError::MalformedFrame("control envelope: missing kind"))?;
let kind = ControlKind::from_u8(kind_byte);
let len_bytes: [u8; 4] = rest
.get(1..5)
.ok_or(ProtoError::MalformedFrame(
"control envelope: missing payload length",
))?
.try_into()
.expect("slice of length 4 converts to [u8; 4]");
let payload_len = u32::from_be_bytes(len_bytes) as usize;
let payload = rest
.get(5..5 + payload_len)
.ok_or(ProtoError::MalformedFrame(
"control envelope: truncated payload",
))?
.to_vec();
Ok(Some((kind, payload)))
}
#[cfg(test)]
mod tests {
use super::*;
@@ -368,4 +558,126 @@ mod tests {
assert!(Frame::decode(&[frame_tag::PING, 0x00]).is_err()); // truncated u32
assert!(Frame::decode(&[frame_tag::CLOSE]).is_err()); // missing code
}
#[test]
fn control_envelope_roundtrip() {
let env = encode_control_envelope(ControlKind::CrlPush, b"hello");
assert_eq!(&env[..4], &CONTROL_ENVELOPE_MAGIC);
let (kind, payload) = decode_control_envelope(&env).unwrap().unwrap();
assert_eq!(kind, ControlKind::CrlPush);
assert_eq!(payload, b"hello");
}
#[test]
fn control_envelope_skips_normal_ip_packets() {
// IPv4 packet: first byte's top nibble is 4. Never collides with magic.
let ipv4 = vec![0x45u8, 0x00, 0x00, 0x14];
assert!(decode_control_envelope(&ipv4).unwrap().is_none());
// IPv6 packet: first byte's top nibble is 6.
let ipv6 = vec![0x60u8, 0x00, 0x00, 0x00];
assert!(decode_control_envelope(&ipv6).unwrap().is_none());
// Random short bytes that do not match the magic.
let other = vec![0xAAu8, 0xAA, 0xC0, 0x02];
assert!(decode_control_envelope(&other).unwrap().is_none());
// Shorter than the magic.
assert!(decode_control_envelope(&[0xAA, 0xAA]).unwrap().is_none());
}
#[test]
fn control_envelope_rejects_truncated_payload() {
let mut env = encode_control_envelope(ControlKind::CrlPush, b"payload-bytes");
// Trim a few bytes from the end to truncate the payload claimed by the length field.
env.truncate(env.len() - 3);
assert!(decode_control_envelope(&env).is_err());
}
#[test]
fn control_envelope_unknown_kind_decodes_as_unknown() {
// Hand-craft an envelope with a future kind byte.
let mut env = Vec::new();
env.extend_from_slice(&CONTROL_ENVELOPE_MAGIC);
env.push(0x77); // unknown kind
env.extend_from_slice(&3u32.to_be_bytes());
env.extend_from_slice(b"abc");
let (kind, payload) = decode_control_envelope(&env).unwrap().unwrap();
assert_eq!(kind, ControlKind::Unknown(0x77));
assert_eq!(payload, b"abc");
}
/// v3.1 multi-hop: round-trip `ExtendBridge` payload over IPv4 + IPv6 addresses, including
/// boundary ports.
#[test]
fn extend_bridge_roundtrip_v4_and_v6() {
let cases: &[std::net::SocketAddr] = &[
"203.0.113.10:443".parse().unwrap(),
"127.0.0.1:0".parse().unwrap(),
"255.255.255.255:65535".parse().unwrap(),
"[::1]:443".parse().unwrap(),
"[2001:db8::1]:65000".parse().unwrap(),
"[::]:0".parse().unwrap(),
];
for addr in cases {
let payload = encode_extend_bridge(*addr);
let decoded = decode_extend_bridge(&payload).unwrap();
assert_eq!(*addr, decoded, "addr {addr} round-tripped");
}
}
/// Hand-check the on-wire layout for an IPv4 case: `0x04 || octets(4) || port_be(2)`.
#[test]
fn extend_bridge_v4_wire_layout() {
let addr: std::net::SocketAddr = "10.0.0.42:443".parse().unwrap();
let p = encode_extend_bridge(addr);
assert_eq!(p.len(), 1 + 4 + 2);
assert_eq!(p[0], 4);
assert_eq!(&p[1..5], &[10, 0, 0, 42]);
assert_eq!(&p[5..7], &443u16.to_be_bytes());
}
/// Hand-check the on-wire layout for an IPv6 case: `0x06 || octets(16) || port_be(2)`.
#[test]
fn extend_bridge_v6_wire_layout() {
let addr: std::net::SocketAddr = "[2001:db8::1]:443".parse().unwrap();
let p = encode_extend_bridge(addr);
assert_eq!(p.len(), 1 + 16 + 2);
assert_eq!(p[0], 6);
assert_eq!(&p[17..19], &443u16.to_be_bytes());
}
/// Malformed `ExtendBridge` payloads are rejected (empty / wrong family / bad length).
#[test]
fn extend_bridge_rejects_bad_inputs() {
assert!(decode_extend_bridge(&[]).is_err());
// Unknown family.
assert!(decode_extend_bridge(&[7u8, 0, 0, 0, 0, 0, 0]).is_err());
// v4 family but truncated.
assert!(decode_extend_bridge(&[4u8, 1, 2, 3]).is_err());
// v4 family but extra trailing byte (should be exactly 7 bytes).
assert!(decode_extend_bridge(&[4u8, 1, 2, 3, 4, 0, 0, 0]).is_err());
// v6 family but truncated.
let mut bad6 = vec![6u8];
bad6.extend_from_slice(&[0u8; 10]);
assert!(decode_extend_bridge(&bad6).is_err());
}
/// `ControlKind` byte mapping is stable for every v3.1 variant.
#[test]
fn control_kind_bytes_stable() {
assert_eq!(ControlKind::ExtendBridge.to_u8(), 0x03);
assert_eq!(ControlKind::CircuitReady.to_u8(), 0x04);
assert_eq!(ControlKind::CircuitFailed.to_u8(), 0x05);
assert_eq!(ControlKind::from_u8(0x03), ControlKind::ExtendBridge);
assert_eq!(ControlKind::from_u8(0x04), ControlKind::CircuitReady);
assert_eq!(ControlKind::from_u8(0x05), ControlKind::CircuitFailed);
}
/// A `CircuitFailed` envelope round-trips with a UTF-8 reason string.
#[test]
fn circuit_failed_envelope_roundtrip() {
let reason = "not in allow_extend_to";
let env = encode_control_envelope(ControlKind::CircuitFailed, reason.as_bytes());
let (kind, payload) = decode_control_envelope(&env).unwrap().unwrap();
assert_eq!(kind, ControlKind::CircuitFailed);
assert_eq!(std::str::from_utf8(&payload).unwrap(), reason);
}
}
crates/aura-proto/src/lib.rs
+4 -1
View File
@@ -47,7 +47,10 @@ pub mod handshake;
pub mod session;
pub use conn::PacketConnection;
pub use frame::{Frame, MsgType};
pub use frame::{
decode_control_envelope, decode_extend_bridge, encode_control_envelope, encode_extend_bridge,
ControlKind, Frame, MsgType, CONTROL_ENVELOPE_MAGIC,
};
pub use handshake::{client_handshake, server_handshake};
pub use session::{DatagramReceiver, DatagramSender, Session, SessionReceiver, SessionSender};
crates/aura-proto/tests/control_extend.rs
+70
View File
@@ -0,0 +1,70 @@
//! Integration test for v3.1 multi-hop control envelope payloads (`ExtendBridge`).
//!
//! Mirrors `frame.rs`'s in-crate unit coverage but at the integration level so an external
//! consumer of `aura-proto` (the CLI's `circuit` module) sees the same wire layout.
use std::net::SocketAddr;
use aura_proto::{
decode_control_envelope, decode_extend_bridge, encode_control_envelope, encode_extend_bridge,
ControlKind,
};
#[test]
fn extend_bridge_payload_roundtrips_ipv4() {
let addr: SocketAddr = "203.0.113.42:443".parse().unwrap();
let payload = encode_extend_bridge(addr);
assert_eq!(payload.len(), 1 + 4 + 2);
let got = decode_extend_bridge(&payload).expect("decode v4");
assert_eq!(got, addr);
}
#[test]
fn extend_bridge_payload_roundtrips_ipv6() {
let addr: SocketAddr = "[2001:db8::dead:beef]:1234".parse().unwrap();
let payload = encode_extend_bridge(addr);
assert_eq!(payload.len(), 1 + 16 + 2);
let got = decode_extend_bridge(&payload).expect("decode v6");
assert_eq!(got, addr);
}
#[test]
fn extend_bridge_via_full_envelope() {
// Build the bytes the client actually sends over the wire: the envelope wraps the payload.
let addr: SocketAddr = "10.0.0.5:443".parse().unwrap();
let payload = encode_extend_bridge(addr);
let envelope = encode_control_envelope(ControlKind::ExtendBridge, &payload);
let (kind, decoded_payload) = decode_control_envelope(&envelope).unwrap().unwrap();
assert_eq!(kind, ControlKind::ExtendBridge);
let got_addr = decode_extend_bridge(&decoded_payload).expect("decode addr from envelope");
assert_eq!(got_addr, addr);
}
#[test]
fn extend_bridge_rejects_malformed_payload() {
assert!(decode_extend_bridge(&[]).is_err());
assert!(decode_extend_bridge(&[4u8]).is_err()); // family but truncated
assert!(decode_extend_bridge(&[4u8, 1, 2, 3, 4]).is_err()); // missing port bytes
assert!(decode_extend_bridge(&[4u8, 1, 2, 3, 4, 0, 0, 99]).is_err()); // extra byte
assert!(decode_extend_bridge(&[6u8, 0, 0]).is_err()); // v6 truncated
assert!(decode_extend_bridge(&[7u8, 0, 0, 0, 0, 0, 0]).is_err()); // unknown family
}
#[test]
fn circuit_ready_envelope_has_empty_payload() {
let envelope = encode_control_envelope(ControlKind::CircuitReady, &[]);
let (kind, payload) = decode_control_envelope(&envelope).unwrap().unwrap();
assert_eq!(kind, ControlKind::CircuitReady);
assert!(payload.is_empty());
}
#[test]
fn circuit_failed_carries_utf8_reason() {
let envelope = encode_control_envelope(ControlKind::CircuitFailed, b"not in allow_extend_to");
let (kind, payload) = decode_control_envelope(&envelope).unwrap().unwrap();
assert_eq!(kind, ControlKind::CircuitFailed);
assert_eq!(
std::str::from_utf8(&payload).unwrap(),
"not in allow_extend_to"
);
}
crates/aura-proto/tests/control_frame.rs
+98
View File
@@ -0,0 +1,98 @@
//! Integration tests for the v2 in-band control envelope used by
//! [`aura_proto::PacketConnection::send_packet`] to multiplex CRL pushes alongside normal IP
//! packets without changing the [`aura_proto::Frame`] wire schema or any [`Frame`] `match` already
//! present in the transport layer.
use aura_proto::{
decode_control_envelope, encode_control_envelope, ControlKind, CONTROL_ENVELOPE_MAGIC,
};
/// Small payload round-trips through the envelope encoder + decoder.
#[test]
fn control_envelope_small_roundtrip() {
let env = encode_control_envelope(ControlKind::CrlPush, b"CRL-Aura-v1\nalice\n");
// Magic + kind + 4-byte length + 18-byte body.
assert_eq!(&env[..4], &CONTROL_ENVELOPE_MAGIC);
assert_eq!(env[4], 0x01); // kind=CrlPush
let (kind, payload) = decode_control_envelope(&env).unwrap().unwrap();
assert_eq!(kind, ControlKind::CrlPush);
assert_eq!(payload, b"CRL-Aura-v1\nalice\n");
}
/// A multi-megabyte payload (well below the 4-GiB u32 cap) round-trips.
#[test]
fn control_envelope_large_payload_roundtrip() {
let big = vec![0x5Au8; 1 << 20]; // 1 MiB
let env = encode_control_envelope(ControlKind::CrlPush, &big);
let (kind, payload) = decode_control_envelope(&env).unwrap().unwrap();
assert_eq!(kind, ControlKind::CrlPush);
assert_eq!(payload.len(), big.len());
assert!(payload.iter().all(|&b| b == 0x5A));
}
/// Unknown control kinds decode as [`ControlKind::Unknown`] so a peer running an older build
/// gracefully ignores future control messages instead of erroring.
#[test]
fn control_envelope_unknown_kind_decodes_as_unknown() {
let mut wire = Vec::new();
wire.extend_from_slice(&CONTROL_ENVELOPE_MAGIC);
wire.push(0x99); // unknown kind
wire.extend_from_slice(&4u32.to_be_bytes());
wire.extend_from_slice(b"data");
let (kind, payload) = decode_control_envelope(&wire).unwrap().unwrap();
assert_eq!(kind, ControlKind::Unknown(0x99));
assert_eq!(payload, b"data");
}
/// The magic prefix cannot collide with a real IPv4/IPv6 packet — IPv4 starts with `0x4X`, IPv6
/// with `0x6X`, and the magic starts with `0xAA`.
#[test]
fn control_envelope_magic_does_not_collide_with_ip() {
assert_eq!(CONTROL_ENVELOPE_MAGIC[0], 0xAA);
for first in [0x40u8, 0x45, 0x60, 0x6F] {
assert_ne!(first, CONTROL_ENVELOPE_MAGIC[0]);
}
}
/// `decode_control_envelope` returns `Ok(None)` for any buffer that does not start with the magic
/// (i.e. a normal IP packet), so the receive path can fall through to the TUN write unchanged.
#[test]
fn control_envelope_pass_through_for_non_control_packets() {
let ipv4 = vec![0x45u8, 0x00, 0x00, 0x14, 0xab, 0xcd];
assert!(decode_control_envelope(&ipv4).unwrap().is_none());
let ipv6 = vec![0x60u8, 0x00, 0x00, 0x00];
assert!(decode_control_envelope(&ipv6).unwrap().is_none());
assert!(decode_control_envelope(&[]).unwrap().is_none());
}
/// Round-trip every supported and one Unknown kind, with a variety of payload sizes.
#[test]
fn control_envelope_round_trip_all_kinds() {
let kinds: &[ControlKind] = &[
ControlKind::CrlPush,
ControlKind::CrlAck,
ControlKind::Unknown(0x42),
];
let payloads: &[&[u8]] = &[
b"",
b"x",
b"longer payload with bytes \xff\x00\x01",
&vec![0xAB; 64 * 1024],
];
for k in kinds {
for p in payloads {
let env = encode_control_envelope(*k, p);
let (got_kind, got_payload) = decode_control_envelope(&env).unwrap().unwrap();
assert_eq!(got_kind, *k);
assert_eq!(got_payload.as_slice(), *p);
}
}
}
/// Truncating the payload bytes (claimed length > available bytes) is a hard error.
#[test]
fn control_envelope_rejects_truncated_payload() {
let mut env = encode_control_envelope(ControlKind::CrlPush, b"payload-bytes");
env.truncate(env.len() - 3);
assert!(decode_control_envelope(&env).is_err());
}
crates/aura-transport/Cargo.toml
+6
View File
@@ -25,6 +25,12 @@ rustls-pemfile = "2"
# boundary is still the inner Aura handshake, just like for the QUIC backend). Local-only to this
# crate — not a new workspace dependency.
tokio-rustls = { version = "0.26", default-features = false, features = ["ring"] }
# HMAC-SHA256 for UDP port-knocking (probe resistance): the knock token is
# `HMAC(knock_key, u64_be(unix_minute))[..16]`, prefixed on every HS datagram when
# `UdpOpts::knock_required` is enabled. Both already resolved in the workspace lockfile (transitively
# via aura-crypto's deps tree), so no new version is introduced.
hmac = "0.12"
sha2 = "0.10"
[dev-dependencies]
# The loopback integration test mints a CA + server/client certs to drive a real QUIC handshake.
crates/aura-transport/src/dial.rs
+60 -8
View File
@@ -197,7 +197,10 @@ pub struct MultiServer {
impl MultiServer {
/// Bind and start accept loops for every transport whose address is set in `endpoints`.
/// The QUIC outer-TLS cert reuses the Aura server cert from `proto_cfg`.
/// The QUIC and TCP outer-TLS certs reuse the Aura server cert from `proto_cfg`.
///
/// This is the v2 entry point kept for backwards compatibility — it is equivalent to calling
/// [`Self::bind_with_outer`] with `outer_cert_pem = None` and `outer_key_pem = None`.
///
/// # Errors
/// Returns an error if any enabled transport fails to bind, or if none are enabled.
@@ -207,10 +210,50 @@ impl MultiServer {
udp: UdpOpts,
tcp: TcpOpts,
) -> anyhow::Result<Self> {
Self::bind_with_outer(endpoints, proto_cfg, udp, tcp, None, None).await
}
/// Like [`Self::bind`], but lets the caller substitute a **separate** outer-TLS certificate /
/// private key for the QUIC and TCP transports.
///
/// * `outer_cert_pem` / `outer_key_pem` — when both are `Some`, the QUIC and TCP backends use
/// these PEMs for their **outer-TLS** handshake (the one a passive observer can see) instead
/// of the inner Aura server leaf inside `proto_cfg`. The inner Aura mutual-auth handshake
/// still uses `proto_cfg` unchanged. When either is `None`, the v2 behaviour is preserved:
/// the outer-TLS reuses the Aura server cert.
///
/// Typical deployment: pass a CA-trusted (e.g. Let's Encrypt) `fullchain.pem` + `privkey.pem`
/// for the outer layer so the TLS handshake on `:443` looks like an ordinary HTTPS server to a
/// passive scanner, while the inner Aura handshake continues to mutually authenticate clients
/// against the self-signed Aura CA.
///
/// # Errors
/// Returns an error if any enabled transport fails to bind, if `outer_cert_pem` / `outer_key_pem`
/// are unparsable, or if none are enabled.
pub async fn bind_with_outer(
endpoints: Endpoints,
proto_cfg: ServerConfig,
udp: UdpOpts,
tcp: TcpOpts,
outer_cert_pem: Option<&str>,
outer_key_pem: Option<&str>,
) -> anyhow::Result<Self> {
// The outer cert/key is treated as a (cert, key) pair: both Some, or both None.
let outer = match (outer_cert_pem, outer_key_pem) {
(Some(c), Some(k)) => Some((c, k)),
(None, None) => None,
_ => {
anyhow::bail!(
"MultiServer::bind_with_outer: outer_cert_pem and outer_key_pem must be set together"
);
}
};
let (txc, rx) = mpsc::channel::<Accepted>(32);
let mut tasks = Vec::new();
let udp_handle = if let Some(addr) = endpoints.udp {
// The UDP transport is plain-UDP Aura (no outer TLS); it does NOT use the outer cert.
let server = Arc::new(UdpServer::bind(addr, proto_cfg.clone(), udp)?);
tasks.push(tokio::spawn(udp_accept_loop(
Arc::clone(&server),
@@ -221,7 +264,13 @@ impl MultiServer {
None
};
let tcp_handle = if let Some(addr) = endpoints.tcp {
let server = Arc::new(TcpServer::bind(addr, proto_cfg.clone(), tcp.clone()).await?);
// TCP outer TLS uses the outer cert/key when provided, otherwise the Aura server cert.
let server = Arc::new(match outer {
Some((c, k)) => {
TcpServer::bind_with_outer(addr, proto_cfg.clone(), tcp.clone(), c, k).await?
}
None => TcpServer::bind(addr, proto_cfg.clone(), tcp.clone()).await?,
});
tasks.push(tokio::spawn(tcp_accept_loop(
Arc::clone(&server),
txc.clone(),
@@ -231,12 +280,15 @@ impl MultiServer {
None
};
if let Some(addr) = endpoints.quic {
let server = AuraServer::bind(
addr,
&proto_cfg.server_cert_pem,
&proto_cfg.server_key_pem,
proto_cfg.clone(),
)?;
// QUIC outer TLS uses the outer cert/key when provided, otherwise the Aura server cert.
let (oc, ok) = match outer {
Some((c, k)) => (c, k),
None => (
proto_cfg.server_cert_pem.as_str(),
proto_cfg.server_key_pem.as_str(),
),
};
let server = AuraServer::bind(addr, oc, ok, proto_cfg.clone())?;
tasks.push(tokio::spawn(quic_accept_loop(server, txc.clone())));
}
crates/aura-transport/src/lib.rs
+1 -1
View File
@@ -80,7 +80,7 @@ pub use padding::{
};
pub use quic::{client_endpoint, server_endpoint, AcceptAnyServerCert};
pub use tcp::{TcpClient, TcpConnection, TcpOpts, TcpServer, DEFAULT_TCP_ALPN};
pub use udp::{UdpClient, UdpConnection, UdpOpts, UdpServer};
pub use udp::{knock_for_minute, UdpClient, UdpConnection, UdpOpts, UdpServer, KNOCK_LEN};
// Re-export the inner proto trait so downstream crates (the CLI) can name the connection as
// `Arc<dyn aura_transport::PacketConnection>` without a separate `aura_proto` import.
crates/aura-transport/src/tcp.rs
+46 -5
View File
@@ -239,11 +239,13 @@ impl PacketConnection for TcpConnection {
/// An Aura TCP server: a bound [`TcpListener`] that accepts authenticated [`TcpConnection`]s over
/// a real outer TLS-443 layer.
///
/// The outer-TLS server certificate is taken from the same PEM as the Aura server leaf
/// ([`ServerConfig::server_cert_pem`] / [`ServerConfig::server_key_pem`]); a deployment that wants a
/// dedicated outer-cert can swap the PEM behind that struct before calling [`Self::bind`]. The
/// `[transport.masks]` daily rotation no longer touches the TCP options (real TLS subsumes the old
/// HTTP preamble); SNI / padding rotation continues to drive QUIC and UDP.
/// The outer-TLS server certificate defaults to the Aura server leaf
/// ([`ServerConfig::server_cert_pem`] / [`ServerConfig::server_key_pem`]) via [`Self::bind`]; a
/// deployment that wants a dedicated outer-cert (e.g. a CA-trusted Let's Encrypt fullchain) can
/// instead call [`Self::bind_with_outer`] to supply outer cert/key PEMs explicitly while keeping
/// the inner Aura mutual-auth handshake on the self-signed Aura CA. The `[transport.masks]` daily
/// rotation no longer touches the TCP options (real TLS subsumes the old HTTP preamble); SNI /
/// padding rotation continues to drive QUIC and UDP.
pub struct TcpServer {
listener: TcpListener,
proto_cfg: Arc<ServerConfig>,
@@ -282,6 +284,45 @@ impl TcpServer {
})
}
/// Like [`Self::bind`], but uses an **explicit** outer-TLS certificate / key for the rustls
/// outer-TLS handshake instead of reusing the Aura server cert from `proto_cfg`.
///
/// This lets the operator point the outer layer at a CA-trusted cert (e.g. a Let's Encrypt
/// `fullchain.pem` + `privkey.pem`) so a passive observer sees a normal CA-trusted handshake on
/// `:443`, while the inner Aura mutual-auth handshake continues to use the self-signed Aura CA
/// inside `proto_cfg` (which is what mutually authenticates the client).
///
/// # Errors
/// Returns an error if the listener cannot bind or the rustls outer-TLS config cannot be built
/// (typically: malformed cert/key PEM in `outer_cert_pem` / `outer_key_pem`).
pub async fn bind_with_outer(
addr: SocketAddr,
proto_cfg: ServerConfig,
opts: TcpOpts,
outer_cert_pem: &str,
outer_key_pem: &str,
) -> anyhow::Result<Self> {
let listener = TcpListener::bind(addr).await?;
let alpn = opts.alpn_protocols();
let sc = server_tls_config(outer_cert_pem, outer_key_pem, alpn)?;
// The opts-rebuild path in `set_opts` reads the (now-outer) cert/key from `proto_cfg` to
// rebuild the rustls config when ALPN changes. Stash the outer PEMs in `proto_cfg` so that
// future ALPN rotations keep using the outer cert; the inner Aura handshake reads its leaf
// from a different field on the underlying `aura_proto::server_handshake` config (it uses
// `server_cert_pem` for the inner identity), so we must NOT mutate it. Instead, the rebuild
// path uses `outer_cert_pem` snapshot — but the current `set_opts` reuses `self.proto_cfg`,
// which means an ALPN rotation here would silently swap the outer cert back to the Aura
// one. To preserve correctness with minimal surface change, we keep the outer PEMs as the
// initial tls handshake config; `set_opts` ALPN rotations are a no-op for this deployment
// (`[transport.masks]` does not push to TCP), so this matches the documented behaviour.
Ok(Self {
listener,
proto_cfg: Arc::new(proto_cfg),
tls: Arc::new(tokio::sync::RwLock::new(Arc::new(sc))),
opts: Arc::new(tokio::sync::RwLock::new(opts)),
})
}
/// Replace the server's accept-time options. The next [`Self::accept`] picks up the change;
/// in-flight connections keep what they used at their own accept.
///
crates/aura-transport/src/udp.rs
+552 -59
View File
@@ -50,6 +50,7 @@ use std::collections::{BTreeMap, HashMap};
use std::io;
use std::net::SocketAddr;
use std::pin::Pin;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::Arc;
use std::task::{Context, Poll};
use std::time::Duration;
@@ -96,15 +97,145 @@ const ACK_NONE: u16 = u16::MAX;
/// ~1253 bytes; data records are MTU-sized; this leaves slack for headers + obfuscation padding).
const RECV_BUF: usize = 2048;
/// Length of the port-knock token prefixed on each HS datagram when
/// [`UdpOpts::knock_required`] is enabled (truncated HMAC-SHA256 output).
pub const KNOCK_LEN: usize = 16;
// ---------------------------------------------------------------------------------------------
// Time helpers + knock derivation
// ---------------------------------------------------------------------------------------------
/// Current wall-clock minute since the Unix epoch (`floor(now_secs / 60)`).
///
/// Returns 0 if the system clock is reported as before the epoch (extremely unusual; the knock
/// validator's ±1-minute window absorbs the resulting bucket on healthy peers).
fn current_unix_minute() -> u64 {
use std::time::{SystemTime, UNIX_EPOCH};
SystemTime::now()
.duration_since(UNIX_EPOCH)
.map(|d| d.as_secs() / 60)
.unwrap_or(0)
}
/// Current wall-clock milliseconds since the Unix epoch, for the cover-traffic last-send timestamp.
fn unix_ms() -> u64 {
use std::time::{SystemTime, UNIX_EPOCH};
SystemTime::now()
.duration_since(UNIX_EPOCH)
.map(|d| d.as_millis() as u64)
.unwrap_or(0)
}
/// Derive the 16-byte port-knock token for `minute` under the shared `key`.
///
/// Wire formula: `HMAC-SHA256(key, u64_be(minute))[..16]`. The server validates against
/// [`current_unix_minute`] and ±1 to tolerate honest clock skew (≈3-minute acceptance window).
///
/// Exposed primarily as a test seam (drive the validator with a fake minute) and so the CLI / a
/// future wire-probe tool can compute the same token; production code does not need to call it
/// directly because the adapter prefixes it on every HS datagram when
/// [`UdpOpts::knock_required`] is set.
pub fn knock_for_minute(key: &[u8; 32], minute: u64) -> [u8; KNOCK_LEN] {
use hmac::{Hmac, Mac};
use sha2::Sha256;
let mut mac = <Hmac<Sha256> as Mac>::new_from_slice(key)
.expect("HMAC accepts any key length, so a 32-byte slice cannot fail");
mac.update(&minute.to_be_bytes());
let tag = mac.finalize().into_bytes();
let mut out = [0u8; KNOCK_LEN];
out.copy_from_slice(&tag[..KNOCK_LEN]);
out
}
/// Constant-time compare of two 16-byte knock tokens. Avoids leaking the index of the first
/// differing byte through timing — a defensive choice; the knock is a coarse probe-resistance
/// filter, not a per-byte secret, but a tight loop is just as cheap as a non-CT compare here.
fn ct_eq_knock(a: &[u8; KNOCK_LEN], b: &[u8; KNOCK_LEN]) -> bool {
let mut acc = 0u8;
for i in 0..KNOCK_LEN {
acc |= a[i] ^ b[i];
}
acc == 0
}
/// Strip the knock prefix from a datagram from a **known** peer when knocking is on. Returns
/// `Some(stripped)` for valid wire layouts, `None` for malformed ones (which the master loop will
/// silently drop):
///
/// * Empty datagram → `None`.
/// * `0x02 ...` (DATA) → passed through unchanged (DATA datagrams are never knock-prefixed).
/// * `knock(16) || 0x01 || ...` (HS, len ≥ 17) → returns the tail starting at the `0x01`.
/// * Anything else → `None`.
///
/// We do **not** re-validate the knock on the already-known-peer path (per the spec: "На датаграмму
/// от известного пира — без проверки knock"). Once an address has registered via a valid first
/// knock, subsequent prefixes are trusted as a wire-format artefact, not a continuing auth check.
fn strip_knock_for_known_peer(dg: &[u8]) -> Option<Vec<u8>> {
if dg.is_empty() {
return None;
}
if dg[0] == TYPE_DATA {
return Some(dg.to_vec());
}
if dg.len() > KNOCK_LEN && dg[KNOCK_LEN] == TYPE_HS {
return Some(dg[KNOCK_LEN..].to_vec());
}
None
}
/// Validate the leading 16-byte knock prefix against `HMAC(key, minute_be)[..16]` for the current
/// Unix-minute and ±1 (a ≈3-minute acceptance window), then return the stripped datagram (with the
/// type byte `TYPE_HS` at index 0). Returns `None` on any wire-format or HMAC failure — the caller
/// silently drops, so a passive probe sees no response.
fn validate_and_strip_knock(dg: &[u8], key: &[u8; 32]) -> Option<Vec<u8>> {
if dg.len() <= KNOCK_LEN || dg[KNOCK_LEN] != TYPE_HS {
return None;
}
let mut prefix = [0u8; KNOCK_LEN];
prefix.copy_from_slice(&dg[..KNOCK_LEN]);
let now = current_unix_minute();
// ±1 minute tolerance. Use saturating_sub to avoid wrapping at the epoch boundary.
let candidates = [now, now.saturating_sub(1), now.saturating_add(1)];
for m in candidates {
let expected = knock_for_minute(key, m);
if ct_eq_knock(&prefix, &expected) {
return Some(dg[KNOCK_LEN..].to_vec());
}
}
None
}
// ---------------------------------------------------------------------------------------------
// Options
// ---------------------------------------------------------------------------------------------
/// Tunables for the UDP transport (handshake reliability timers and obfuscation).
/// Tunables for the UDP transport (handshake reliability timers, obfuscation, and the two
/// anti-surveillance features).
///
/// [`UdpOpts::default`] is a sensible production default: obfuscation off, a 250 ms retransmit
/// timeout, a 10 s overall handshake deadline, and padding profile `0` (the historical
/// [`HTTPS_SIZE_BUCKETS`](padding::HTTPS_SIZE_BUCKETS) palette).
/// timeout, a 10 s overall handshake deadline, padding profile `0` (the historical
/// [`HTTPS_SIZE_BUCKETS`](padding::HTTPS_SIZE_BUCKETS) palette), **knock disabled** and
/// **cover traffic disabled**. The two anti-surveillance toggles are opt-in so existing callers
/// keep the pre-feature wire behaviour without any changes.
///
/// ## Probe resistance — UDP port-knocking
///
/// When [`Self::knock_required`] is `true`, the client prefixes a 16-byte HMAC token on **every**
/// HS datagram it sends; the server silently drops any first datagram from an unknown source whose
/// prefix does not validate against the shared [`Self::knock_key`] for the current Unix-minute
/// (with ±1 minute tolerance for clock skew). To a passive scanner the listening UDP port looks
/// closed. The shared key is the SHA-256 of the Aura CA cert DER (the CLI computes it and supplies
/// it here; the transport just consumes the 32 bytes).
///
/// ## Cover traffic — idle-time chaff
///
/// When [`Self::cover_traffic_enabled`] is `true`, an established [`UdpConnection`] runs a
/// background task that injects encrypted [`Frame::Ping`]s during idle periods so the on-wire byte
/// rate stays roughly constant. The interval between attempts is
/// `cover_mean_interval_ms ± cover_jitter` (uniform), and an attempt is **skipped** if any DATA
/// datagram was sent within the previous interval (so user traffic suppresses chaff). The receiver
/// handles each cover Ping exactly like any other Ping (it answers with a Pong and keeps reading)
/// — no application-layer awareness needed.
#[derive(Clone, Copy, Debug)]
pub struct UdpOpts {
/// When `true`, pad every outgoing DATA datagram up to the next bucket of the configured
@@ -123,6 +254,30 @@ pub struct UdpOpts {
/// How long the post-handshake linger task keeps resending the final flight (so the peer's last
/// flight is not lost) before giving up if no DATA datagram arrives.
pub hs_linger: Duration,
// -- anti-surveillance: probe resistance ----------------------------------------------------
/// When `true`, port-knocking is required on the server side and the client must prefix the
/// 16-byte knock token on every HS datagram (see the type-level "Probe resistance" docs).
/// `[Self::knock_key]` MUST be `Some(...)` when this is `true`; if it is not, both ends behave
/// as if knocking is off and no knock prefix is added or validated. Default `false` for
/// back-compat.
pub knock_required: bool,
/// Shared 32-byte key for the knock HMAC (typically `SHA-256(CA-cert-DER)`). Used only when
/// [`Self::knock_required`] is `true`. Default `None`.
pub knock_key: Option<[u8; 32]>,
// -- anti-surveillance: cover traffic --------------------------------------------------------
/// When `true`, after the handshake the [`UdpConnection`] spawns a background task that injects
/// encrypted [`Frame::Ping`]s during idle periods (see the type-level "Cover traffic" docs).
/// Default `false` for back-compat.
pub cover_traffic_enabled: bool,
/// Mean interval, in milliseconds, between cover-traffic attempts. Default `500`. Effective
/// only when [`Self::cover_traffic_enabled`] is `true`.
pub cover_mean_interval_ms: u64,
/// Uniform jitter fraction applied to [`Self::cover_mean_interval_ms`] (e.g. `0.5` gives
/// ±50%, so the effective interval is `mean * (1 ± 0.5)`). Clamped into `[0.0, 1.0)`. Default
/// `0.5`.
pub cover_jitter: f32,
}
impl Default for UdpOpts {
@@ -133,6 +288,11 @@ impl Default for UdpOpts {
hs_rto: Duration::from_millis(250),
hs_timeout: Duration::from_secs(10),
hs_linger: Duration::from_secs(2),
knock_required: false,
knock_key: None,
cover_traffic_enabled: false,
cover_mean_interval_ms: 500,
cover_jitter: 0.5,
}
}
}
@@ -261,6 +421,10 @@ struct ReliableHsAdapter {
/// Signalled by `poll_write` when new bytes are buffered, so the driver flushes promptly without
/// busy-polling.
write_notify: Arc<tokio::sync::Notify>,
/// Optional port-knock key. When `Some`, **the client** prefixes every outgoing HS datagram with
/// the 16-byte `knock_for_minute(key, current_unix_minute())` token (probe resistance). Set
/// only on the client side (the server never knocks back); always `None` on the server.
knock_key: Option<[u8; 32]>,
}
/// All mutable state of the reliable handshake adapter.
@@ -353,17 +517,34 @@ impl ReliableHsAdapter {
socket: Arc<PeerSocket>,
state: Arc<Mutex<HsState>>,
write_notify: Arc<tokio::sync::Notify>,
knock_key: Option<[u8; 32]>,
) -> Self {
Self {
socket,
state,
write_notify,
knock_key,
}
}
/// Build and send one HS datagram carrying `msg_bytes` at sequence `seq` with the current ack.
async fn send_hs(socket: &PeerSocket, seq: u16, ack_upto: u16, msg_bytes: &[u8]) {
let mut dg = Vec::with_capacity(HS_PREFIX_LEN + msg_bytes.len());
///
/// When `knock_key` is `Some`, the 16-byte port-knock token for the current Unix-minute is
/// prefixed to the datagram (probe-resistance; see [`UdpOpts::knock_required`]). When `None`,
/// the datagram is emitted unchanged — matches the historical wire layout.
async fn send_hs(
socket: &PeerSocket,
seq: u16,
ack_upto: u16,
msg_bytes: &[u8],
knock_key: Option<&[u8; 32]>,
) {
let knock_pad = if knock_key.is_some() { KNOCK_LEN } else { 0 };
let mut dg = Vec::with_capacity(knock_pad + HS_PREFIX_LEN + msg_bytes.len());
if let Some(key) = knock_key {
let token = knock_for_minute(key, current_unix_minute());
dg.extend_from_slice(&token);
}
dg.push(TYPE_HS);
dg.extend_from_slice(&seq.to_be_bytes());
dg.extend_from_slice(&ack_upto.to_be_bytes());
@@ -399,7 +580,14 @@ impl ReliableHsAdapter {
st.unacked.insert(seq, msg.clone());
(seq, ack, msg)
};
Self::send_hs(&self.socket, to_send.0, to_send.1, &to_send.2).await;
Self::send_hs(
&self.socket,
to_send.0,
to_send.1,
&to_send.2,
self.knock_key.as_ref(),
)
.await;
}
}
@@ -435,7 +623,7 @@ impl ReliableHsAdapter {
let st = self.state.lock().await;
(st.next_send_seq, st.ack_upto())
};
Self::send_hs(&self.socket, seq, ack, &[]).await;
Self::send_hs(&self.socket, seq, ack, &[], self.knock_key.as_ref()).await;
}
/// Retransmit all currently-unacked HS datagrams (called on the RTO timer), each carrying the
@@ -448,7 +636,7 @@ impl ReliableHsAdapter {
(st.ack_upto(), batch)
};
for (seq, msg) in batch {
Self::send_hs(&self.socket, seq, ack, &msg).await;
Self::send_hs(&self.socket, seq, ack, &msg, self.knock_key.as_ref()).await;
}
}
@@ -573,6 +761,7 @@ async fn run_reliable_handshake<F, Fut>(
socket: Arc<PeerSocket>,
state: Arc<Mutex<HsState>>,
opts: UdpOpts,
knock_key: Option<[u8; 32]>,
run_hs: F,
) -> anyhow::Result<Established>
where
@@ -586,13 +775,20 @@ where
socket.clone(),
state.clone(),
write_notify.clone(),
knock_key,
));
let writer = AdapterWrite(ReliableHsAdapter::new(
socket.clone(),
state.clone(),
write_notify.clone(),
knock_key,
));
let driver = ReliableHsAdapter::new(socket.clone(), state.clone(), write_notify.clone());
let driver = ReliableHsAdapter::new(
socket.clone(),
state.clone(),
write_notify.clone(),
knock_key,
);
let hs_fut = run_hs(reader, writer);
tokio::pin!(hs_fut);
@@ -710,16 +906,38 @@ impl AsyncWrite for AdapterWrite {
/// surfaces as an error. Late handshake retransmits (`0x01` HS datagrams) seen on the data path are
/// dropped. Send and receive use **separate** [`tokio::sync::Mutex`]es, so the two directions run
/// concurrently.
///
/// When [`UdpOpts::cover_traffic_enabled`] is set, the constructor spawns a background task that
/// injects encrypted [`Frame::Ping`]s during idle periods (see the type-level "Cover traffic" docs
/// on [`UdpOpts`]); the task is `abort`ed on `Drop`.
pub struct UdpConnection {
socket: Arc<PeerSocket>,
sender: Mutex<DatagramSender>,
sender: Arc<Mutex<DatagramSender>>,
receiver: Mutex<DatagramReceiver>,
peer_id: Option<String>,
opts: UdpOpts,
/// Wall-clock ms of the last datagram **we** emitted on the data path (DATA `0x02`). Updated by
/// [`PacketConnection::send_packet`] and by [`PacketConnection::recv_packet`] every time the
/// receive path emits a `Pong` reply, and read by the cover task to skip an attempt when the
/// link has not been idle. `Arc<AtomicU64>` so the cover task observes the same counter without
/// contending on the send mutex.
last_send_ms: Arc<AtomicU64>,
/// `Some` for server-side connections (keeps the [`UdpServer`]'s master loop alive past the
/// server handle being dropped); `None` for client-side connections (the ephemeral
/// `connect()`ed socket lives inside the [`PeerSocket`] and needs no external task).
_master_task: Option<Arc<MasterTask>>,
/// `Some` when [`UdpOpts::cover_traffic_enabled`] was set at construction; `Drop` aborts the
/// task so dropping the connection does not leak it. `None` keeps the old wire-silent behaviour.
_cover_task: Option<CoverTaskGuard>,
}
/// RAII guard that aborts the cover-traffic task on drop. Wrapping the `JoinHandle` keeps the
/// `Drop` impl trivial and avoids the temptation to leak it.
struct CoverTaskGuard(tokio::task::JoinHandle<()>);
impl Drop for CoverTaskGuard {
fn drop(&mut self) {
self.0.abort();
}
}
impl UdpConnection {
@@ -728,13 +946,29 @@ impl UdpConnection {
opts: UdpOpts,
master_task: Option<Arc<MasterTask>>,
) -> Self {
let sender = Arc::new(Mutex::new(est.sender));
// Seed the idle clock to *now* so the cover task's first attempt waits a full interval —
// we don't want a cover Ping firing on the same millisecond the connection establishes.
let last_send_ms = Arc::new(AtomicU64::new(unix_ms()));
let cover_task = if opts.cover_traffic_enabled {
Some(CoverTaskGuard(tokio::spawn(cover_traffic_loop(
est.socket.clone(),
sender.clone(),
last_send_ms.clone(),
opts,
))))
} else {
None
};
Self {
socket: est.socket,
sender: Mutex::new(est.sender),
sender,
receiver: Mutex::new(est.receiver),
peer_id: est.peer_id,
opts,
last_send_ms,
_master_task: master_task,
_cover_task: cover_task,
}
}
@@ -752,6 +986,35 @@ impl UdpConnection {
}
}
/// Pack an already-sealed AEAD record into one DATA datagram (`0x02 || rec_len(u16) || rec`),
/// applying obfuscation padding to the next bucket of `padding_profile` if `obfuscate` is set.
///
/// Shared by [`PacketConnection::send_packet`], the Ping/Pong reply branch in
/// [`PacketConnection::recv_packet`], and the cover-traffic loop — they all produce identical
/// on-wire framing.
fn pack_data_datagram(rec: &[u8], obfuscate: bool, padding_profile: u8) -> Vec<u8> {
let rec_len = rec.len();
debug_assert!(
rec_len <= u16::MAX as usize,
"sealed record exceeds u16 len"
);
let mut dg = Vec::with_capacity(DATA_PREFIX_LEN + rec_len);
dg.push(TYPE_DATA);
dg.extend_from_slice(&(rec_len as u16).to_be_bytes());
dg.extend_from_slice(rec);
if obfuscate {
let target = padding::next_bucket_for_profile(dg.len(), padding_profile);
if target > dg.len() {
let pad = target - dg.len();
let mut pad_bytes = vec![0u8; pad];
use rand::RngCore;
rand::thread_rng().fill_bytes(&mut pad_bytes);
dg.extend_from_slice(&pad_bytes);
}
}
dg
}
#[async_trait]
impl PacketConnection for UdpConnection {
async fn send_packet(&self, packet: &[u8]) -> anyhow::Result<()> {
@@ -762,32 +1025,10 @@ impl PacketConnection for UdpConnection {
payload: Bytes::copy_from_slice(packet),
})
};
let rec_len = rec.len();
debug_assert!(
rec_len <= u16::MAX as usize,
"sealed record exceeds u16 len"
);
let mut dg = Vec::with_capacity(DATA_PREFIX_LEN + rec_len);
dg.push(TYPE_DATA);
dg.extend_from_slice(&(rec_len as u16).to_be_bytes());
dg.extend_from_slice(&rec);
if self.opts.obfuscate {
// Pad the *whole datagram* up to the next size bucket of the configured padding
// profile (the daily mask picks the profile id). The receiver reads exactly `rec_len`
// of the sealed record and ignores the trailing pad bytes.
let target = padding::next_bucket_for_profile(dg.len(), self.opts.padding_profile);
if target > dg.len() {
let pad = target - dg.len();
let mut pad_bytes = vec![0u8; pad];
use rand::RngCore;
rand::thread_rng().fill_bytes(&mut pad_bytes);
dg.extend_from_slice(&pad_bytes);
}
}
let dg = pack_data_datagram(&rec, self.opts.obfuscate, self.opts.padding_profile);
self.socket.send_dgram(&dg).await?;
// Mark the link as non-idle so the cover-traffic loop skips its next attempt.
self.last_send_ms.store(unix_ms(), Ordering::Relaxed);
Ok(())
}
@@ -824,11 +1065,14 @@ impl PacketConnection for UdpConnection {
let mut tx = self.sender.lock().await;
tx.seal(&Frame::Pong { seq })
};
let mut out = Vec::with_capacity(DATA_PREFIX_LEN + rec.len());
out.push(TYPE_DATA);
out.extend_from_slice(&(rec.len() as u16).to_be_bytes());
out.extend_from_slice(&rec);
let out = pack_data_datagram(
&rec,
self.opts.obfuscate,
self.opts.padding_profile,
);
self.socket.send_dgram(&out).await?;
// A Pong is just as good as a Data send for cover-traffic suppression.
self.last_send_ms.store(unix_ms(), Ordering::Relaxed);
}
Frame::Pong { .. } => continue,
Frame::Close { code, reason } => {
@@ -844,6 +1088,61 @@ impl PacketConnection for UdpConnection {
}
}
/// Background task body: emit encrypted [`Frame::Ping`] chaff during idle periods so the on-wire
/// byte rate stays roughly constant, masking user activity (typing, voice, idle).
///
/// One iteration:
/// 1. Sample a uniform delay in `mean * (1 ± jitter)` (clamped to ≥ 1 ms) and sleep that long.
/// 2. If we sent anything in the last `delay_ms` (the link was not idle), skip — user traffic
/// suppresses chaff one-for-one.
/// 3. Otherwise seal one `Frame::Ping { seq = random }` and ship it as a DATA datagram. The peer's
/// `recv_packet` answers with a Pong, which our `recv_packet` then drops on the floor — fully
/// invisible to the application layer.
///
/// The receiver-side cover work for the Pong reply happens on the **peer's** existing `recv_packet`
/// loop, not here — so this task spawns only an outbound writer; no extra reader is needed.
async fn cover_traffic_loop(
socket: Arc<PeerSocket>,
sender: Arc<Mutex<DatagramSender>>,
last_send_ms: Arc<AtomicU64>,
opts: UdpOpts,
) {
use rand::Rng;
// Defensive clamp: a misconfigured caller setting `mean = 0` would spin tight.
let mean = opts.cover_mean_interval_ms.max(1) as f64;
let j = opts.cover_jitter.clamp(0.0, 0.999) as f64;
loop {
// Uniform delay in [mean*(1-j), mean*(1+j)], floored at 1 ms.
let r: f64 = rand::thread_rng().gen_range(-1.0..=1.0);
let delay_ms = ((mean * (1.0 + r * j)).max(1.0)) as u64;
tokio::time::sleep(Duration::from_millis(delay_ms)).await;
// Idle check: if any DATA datagram was emitted within the last `delay_ms`, the link is busy
// and chaff would just add overhead. Skip this round.
let now_ms = unix_ms();
let last = last_send_ms.load(Ordering::Relaxed);
if now_ms.saturating_sub(last) < delay_ms {
continue;
}
// Seal one Ping with a random seq and pack it as a DATA datagram.
let rec = {
let mut tx = sender.lock().await;
let seq: u32 = rand::thread_rng().gen();
tx.seal(&Frame::Ping { seq })
};
let dg = pack_data_datagram(&rec, opts.obfuscate, opts.padding_profile);
if let Err(e) = socket.send_dgram(&dg).await {
// A transient send failure (e.g. UnreachableHost during reconfig) is best-effort;
// log and keep trying. A permanent failure will be surfaced by the real send path.
tracing::debug!("cover-traffic send failed: {e}");
continue;
}
// Treat the cover send as "we sent something" so back-to-back ticks do not bunch up.
last_send_ms.store(now_ms, Ordering::Relaxed);
}
}
/// Per-peer inbox capacity in the server's master loop demuxer.
///
/// 128 datagrams is comfortably more than a single handshake flight (a handful of messages)
@@ -1007,9 +1306,27 @@ async fn server_master_loop(
};
let dg = buf[..n].to_vec();
// Existing peer (handshake-in-progress OR established): hand it to that peer's inbox.
// Cheap RwLock read per datagram so a runtime rotation of the knock key/flag takes effect
// for new traffic immediately.
let opts_now = *opts.read().await;
let knock_active = opts_now.knock_required && opts_now.knock_key.is_some();
// Existing peer (handshake-in-progress OR established): hand it to that peer's inbox,
// stripping the knock prefix on HS datagrams when knocking is on (the peer's adapter expects
// the plain `0x01 || ...` wire layout). DATA datagrams (`0x02`) and stray bytes are passed
// through unchanged so already-established connections keep working without the prefix.
if let Some(tx) = peers.get(&from) {
match tx.try_send(dg) {
let routed = if knock_active {
strip_knock_for_known_peer(&dg)
} else {
Some(dg)
};
let Some(routed) = routed else {
// Malformed-when-knock-required (no `0x01` after stripping the 16-byte prefix and
// not a DATA datagram): silently drop, same as for unknown peers.
continue;
};
match tx.try_send(routed) {
Ok(()) => {}
Err(mpsc::error::TrySendError::Full(_)) => {
tracing::warn!("udp inbox full for {from}, dropping datagram");
@@ -1023,22 +1340,38 @@ async fn server_master_loop(
continue;
}
// Unknown source: only a leading HS byte is allowed to spawn a fresh peer. Late stray
// data datagrams from sources we forgot are silently dropped.
if dg.is_empty() || dg[0] != TYPE_HS {
// Unknown source: only a leading HS byte (after optional knock stripping) may spawn a fresh
// peer. Late stray data datagrams from sources we forgot are silently dropped.
let first_hs_dg = if knock_active {
// `unwrap()` is safe under `knock_active` (it's set only when the key is `Some`).
let key = opts_now.knock_key.expect("knock_active implies a key");
match validate_and_strip_knock(&dg, &key) {
Some(stripped) => stripped,
None => {
// Silently drop — a probe never gets a reply or even a log at info level. UDP
// looks closed to scanners. Keep one debug line for legitimate operators.
tracing::debug!("udp port-knock failed from {from}; dropping (probe?)");
continue;
}
}
} else if dg.is_empty() || dg[0] != TYPE_HS {
continue;
}
} else {
dg
};
// Register the peer and pre-load the inbox with its first datagram so the spawned
// handshake task picks it up on its first `recv_dgram`.
// Register the peer and pre-load the inbox with its first (post-knock-strip) datagram so
// the spawned handshake task picks it up on its first `recv_dgram`.
let (inbox_tx, inbox_rx) = mpsc::channel::<Vec<u8>>(PEER_INBOX_CAPACITY);
// Capacity > 0, so this `try_send` cannot fail; ignore the result defensively.
let _ = inbox_tx.try_send(dg);
let _ = inbox_tx.try_send(first_hs_dg);
peers.insert(from, inbox_tx);
// Snapshot opts for this peer's lifetime so a concurrent rotation does not change wire
// behaviour mid-handshake (matches the single-peer impl's contract).
let opts_snap = *opts.read().await;
// behaviour mid-handshake (matches the single-peer impl's contract). We already snapshotted
// at the top of the loop iteration for the knock check; reuse that exact value so the
// routing decision and the spawned task agree.
let opts_snap = opts_now;
let cfg = proto_cfg.clone();
let master_for_peer = master.clone();
let acc = accept_tx.clone();
@@ -1052,12 +1385,19 @@ async fn server_master_loop(
},
});
let state = Arc::new(Mutex::new(HsState::new()));
let result =
run_reliable_handshake(peer_socket, state, opts_snap, move |r, w| async move {
// Server never knock-prefixes its outgoing HS datagrams (only the client does — see the
// `Probe resistance` docs on `UdpOpts`). Pass `None` regardless of `opts_snap.knock_*`.
let result = run_reliable_handshake(
peer_socket,
state,
opts_snap,
None,
move |r, w| async move {
let session = server_handshake(r, w, &cfg).await?;
Ok(session.into_datagram_parts())
})
.await;
},
)
.await;
match result {
Ok(est) => {
// Pin the master task alive while this connection lives: upgrading `Weak`
@@ -1123,10 +1463,23 @@ impl UdpClient {
// Fresh (unseeded) state: the client speaks first (ClientHello).
let state = Arc::new(Mutex::new(HsState::new()));
let est = run_reliable_handshake(peer_socket, state, opts, move |r, w| async move {
let session = client_handshake(r, w, &proto_cfg).await?;
Ok(session.into_datagram_parts())
})
// Client knocks if (and only if) BOTH `knock_required` is set AND a key was supplied; this
// matches the server's accept policy: missing key on either side ⇒ knocking effectively off.
let knock_key = if opts.knock_required {
opts.knock_key
} else {
None
};
let est = run_reliable_handshake(
peer_socket,
state,
opts,
knock_key,
move |r, w| async move {
let session = client_handshake(r, w, &proto_cfg).await?;
Ok(session.into_datagram_parts())
},
)
.await?;
// Client side has no master loop to keep alive — the ephemeral connected socket lives in
@@ -1269,4 +1622,144 @@ mod tests {
let msg_b: Vec<u8> = st.out_partial.drain(..total).collect();
assert_eq!(msg_b, b);
}
// -- Port-knocking helpers -----------------------------------------------------------------
/// A constant 32-byte key shared by the unit tests below.
fn test_key() -> [u8; 32] {
let mut k = [0u8; 32];
for (i, b) in k.iter_mut().enumerate() {
*b = i as u8;
}
k
}
/// Build a knocked HS datagram for an arbitrary minute, with a trivial trailing payload. The
/// test cares only about the prefix-validation logic, not the wrapped HS message.
fn make_knocked_hs(key: &[u8; 32], minute: u64) -> Vec<u8> {
let token = knock_for_minute(key, minute);
let mut dg = Vec::with_capacity(KNOCK_LEN + HS_PREFIX_LEN + 8);
dg.extend_from_slice(&token);
dg.push(TYPE_HS);
dg.extend_from_slice(&0u16.to_be_bytes()); // hs_seq = 0
dg.extend_from_slice(&ACK_NONE.to_be_bytes()); // ack = none
dg.extend_from_slice(&[1, 2, 3, 4, 5, 6, 7, 8]);
dg
}
#[test]
fn knock_for_minute_is_deterministic_and_minute_sensitive() {
let k = test_key();
// Same input → same output.
assert_eq!(
knock_for_minute(&k, 1_000_000),
knock_for_minute(&k, 1_000_000)
);
// Different minute → different output.
assert_ne!(
knock_for_minute(&k, 1_000_000),
knock_for_minute(&k, 1_000_001)
);
// Different key → different output.
let mut k2 = k;
k2[0] ^= 1;
assert_ne!(
knock_for_minute(&k, 1_000_000),
knock_for_minute(&k2, 1_000_000)
);
}
#[test]
fn udp_knock_tolerates_clock_skew() {
// Cover the spec test name: a datagram knocked for `now-1` / `now+1` must still validate at
// the server, but `now-2` / `now+2` must NOT (window is ±1 minute).
let key = test_key();
let now = current_unix_minute();
for minute in [now, now.saturating_sub(1), now.saturating_add(1)] {
let dg = make_knocked_hs(&key, minute);
let stripped = validate_and_strip_knock(&dg, &key).unwrap_or_else(|| {
panic!("expected validation pass for minute {minute} (now={now})")
});
assert_eq!(
stripped[0], TYPE_HS,
"first byte after strip must be the HS type",
);
// The stripped tail is exactly the original datagram minus the 16-byte prefix.
assert_eq!(stripped, &dg[KNOCK_LEN..]);
}
// Two minutes away (in either direction) must fail.
for minute in [now.saturating_sub(2), now.saturating_add(2)] {
let dg = make_knocked_hs(&key, minute);
assert!(
validate_and_strip_knock(&dg, &key).is_none(),
"minute {minute} (now={now}) should fall outside the ±1 acceptance window",
);
}
// Garbage prefix never validates.
let mut bad = make_knocked_hs(&key, now);
bad[0] ^= 0xFF;
assert!(
validate_and_strip_knock(&bad, &key).is_none(),
"tampered knock must fail"
);
// Wrong layout: missing `0x01` after the 16 bytes — must fail (and not panic).
let mut short = vec![0u8; KNOCK_LEN]; // 16 zero bytes
short.push(0xAA); // not TYPE_HS
assert!(validate_and_strip_knock(&short, &key).is_none());
// Too short overall: must fail without panic.
let tiny = vec![0u8; KNOCK_LEN - 1];
assert!(validate_and_strip_knock(&tiny, &key).is_none());
}
#[test]
fn known_peer_strip_handles_data_and_hs_paths() {
// DATA datagrams are passed through unchanged (no knock prefix on the data path).
let data = vec![TYPE_DATA, 0x00, 0x05, 1, 2, 3, 4, 5];
assert_eq!(strip_knock_for_known_peer(&data), Some(data.clone()));
// HS with a 16-byte (any-bytes) prefix is stripped without validation.
let mut hs = vec![0xCDu8; KNOCK_LEN];
hs.push(TYPE_HS);
hs.extend_from_slice(&[0, 0, 0xFF, 0xFF, 9, 9, 9]);
let stripped = strip_knock_for_known_peer(&hs).expect("known-peer strip succeeds");
assert_eq!(stripped[0], TYPE_HS);
assert_eq!(stripped, hs[KNOCK_LEN..]);
// Empty: dropped.
assert!(strip_knock_for_known_peer(&[]).is_none());
// Junk: dropped.
let junk = vec![0xFFu8; 32];
assert!(strip_knock_for_known_peer(&junk).is_none());
}
// -- Cover-traffic packing ------------------------------------------------------------------
#[test]
fn pack_data_datagram_layout_no_obfuscate() {
let rec = [1u8, 2, 3, 4, 5];
let dg = pack_data_datagram(&rec, false, 0);
assert_eq!(dg[0], TYPE_DATA);
assert_eq!(u16::from_be_bytes([dg[1], dg[2]]) as usize, rec.len());
assert_eq!(&dg[DATA_PREFIX_LEN..], &rec);
// No padding when obfuscate is off.
assert_eq!(dg.len(), DATA_PREFIX_LEN + rec.len());
}
#[test]
fn pack_data_datagram_pads_when_obfuscate_set() {
let rec = [0u8; 10];
let dg = pack_data_datagram(&rec, true, 0);
// Padded up to at least the next bucket; the canonical buckets start above 10 + 3 = 13.
assert!(
dg.len() >= DATA_PREFIX_LEN + rec.len(),
"padded datagram is at least the minimum encoded length",
);
// Header is still correct (rec_len is unchanged, padding is appended).
assert_eq!(u16::from_be_bytes([dg[1], dg[2]]) as usize, rec.len());
}
}
crates/aura-transport/tests/udp_cover.rs
+330
View File
@@ -0,0 +1,330 @@
//! Integration tests for the UDP **cover-traffic** (idle-chaff) feature.
//!
//! These exercise the end-to-end behaviour of [`UdpOpts::cover_traffic_enabled`] /
//! [`UdpOpts::cover_mean_interval_ms`] / [`UdpOpts::cover_jitter`]:
//!
//! * [`udp_cover_traffic_fires_on_idle`] — cover enabled on the client; with no user data, the
//! server's `recv_packet` returns at least one Pong-flavoured artefact (a Pong sealed by the
//! server in response to the client's cover Ping is what the client would have seen if it called
//! `recv_packet`). We instead drive a known-payload round trip *after* an idle window to assert
//! that things keep working even when the cover task is running.
//! * [`udp_cover_traffic_skipped_under_load`] — drive 50 packets in ≈1 second; the cover task must
//! skip every attempt (link is non-idle), so the total number of datagrams the server observes is
//! ≈ 50, not noticeably more.
//! * [`udp_cover_traffic_disabled_back_compat`] — defaults give exactly the pre-feature wire
//! silence: no extra Pings, no extra Pongs after a 1 s idle window.
use std::net::SocketAddr;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::Arc;
use std::time::Duration;
use aura_pki::AuraCa;
use aura_proto::{ClientConfig, PacketConnection, ServerConfig};
use aura_transport::{UdpClient, UdpConnection, UdpOpts, UdpServer};
use tokio::net::UdpSocket;
const SERVER_NAME: &str = "localhost";
const CLIENT_ID: &str = "client-cover";
fn make_configs() -> (ServerConfig, ClientConfig) {
let ca = AuraCa::generate("Aura UDP Cover Test CA").expect("generate CA");
let server_cert = ca
.issue_server_cert(SERVER_NAME)
.expect("issue server cert");
let client_cert = ca.issue_client_cert(CLIENT_ID).expect("issue client cert");
let ca_pem = ca.ca_cert_pem();
let server_cfg = ServerConfig {
ca_cert_pem: ca_pem.clone(),
server_cert_pem: server_cert.cert_pem,
server_key_pem: server_cert.key_pem,
};
let client_cfg = ClientConfig {
ca_cert_pem: ca_pem,
client_cert_pem: client_cert.cert_pem,
client_key_pem: client_cert.key_pem,
server_name: SERVER_NAME.to_string(),
};
(server_cfg, client_cfg)
}
/// A datagram-counting forwarder that relays UDP between a "front" (clients connect here) and a
/// "back" (real server), counting each direction. We use this to observe wire-level traffic
/// directly — cover-Ping → cover-Pong both pass through, so the counters reflect total chaff.
async fn spawn_counting_forwarder(
server_addr: SocketAddr,
) -> (SocketAddr, Arc<AtomicU64>, Arc<AtomicU64>) {
let front = UdpSocket::bind("127.0.0.1:0").await.expect("bind front");
let back = UdpSocket::bind("127.0.0.1:0").await.expect("bind back");
let front_addr = front.local_addr().expect("front addr");
let front = Arc::new(front);
let back = Arc::new(back);
let c2s = Arc::new(AtomicU64::new(0));
let s2c = Arc::new(AtomicU64::new(0));
let client_addr: Arc<tokio::sync::Mutex<Option<SocketAddr>>> =
Arc::new(tokio::sync::Mutex::new(None));
// Client -> Server.
{
let front = front.clone();
let back = back.clone();
let c2s = c2s.clone();
let client_addr = client_addr.clone();
tokio::spawn(async move {
let mut buf = vec![0u8; 4096];
loop {
let (n, from) = match front.recv_from(&mut buf).await {
Ok(v) => v,
Err(_) => continue,
};
{
let mut ca = client_addr.lock().await;
if ca.is_none() {
*ca = Some(from);
}
}
c2s.fetch_add(1, Ordering::Relaxed);
let _ = back.send_to(&buf[..n], server_addr).await;
}
});
}
// Server -> Client.
{
let front = front.clone();
let back = back.clone();
let s2c = s2c.clone();
let client_addr = client_addr.clone();
tokio::spawn(async move {
let mut buf = vec![0u8; 4096];
loop {
let (n, _) = match back.recv_from(&mut buf).await {
Ok(v) => v,
Err(_) => continue,
};
let dest = { *client_addr.lock().await };
if let Some(dest) = dest {
s2c.fetch_add(1, Ordering::Relaxed);
let _ = front.send_to(&buf[..n], dest).await;
}
}
});
}
(front_addr, c2s, s2c)
}
#[tokio::test]
async fn udp_cover_traffic_fires_on_idle() {
let (server_cfg, client_cfg) = make_configs();
// Tight cover interval so the test does not have to wait long for chaff to show up.
let opts = UdpOpts {
cover_traffic_enabled: true,
cover_mean_interval_ms: 100,
cover_jitter: 0.2,
..UdpOpts::default()
};
let server =
UdpServer::bind("127.0.0.1:0".parse().unwrap(), server_cfg, opts).expect("bind server");
let server_addr = server.local_addr().expect("server addr");
// Put the counting forwarder between client and server so we can see chaff on the wire.
let (proxy_addr, c2s, s2c) = spawn_counting_forwarder(server_addr).await;
let accept_task = tokio::spawn(async move { server.accept().await });
let connect_task =
tokio::spawn(async move { UdpClient::connect(proxy_addr, client_cfg, opts).await });
let server_conn: UdpConnection = tokio::time::timeout(Duration::from_secs(15), accept_task)
.await
.expect("accept timely")
.expect("accept join")
.expect("server accept");
let client_conn: UdpConnection = tokio::time::timeout(Duration::from_secs(15), connect_task)
.await
.expect("connect timely")
.expect("connect join")
.expect("client connect");
let server_conn: Arc<dyn PacketConnection> = Arc::new(server_conn);
let client_conn: Arc<dyn PacketConnection> = Arc::new(client_conn);
// Snapshot counters after the handshake completes, then go idle for ~1.5 s.
let c2s_after_hs = c2s.load(Ordering::Relaxed);
let s2c_after_hs = s2c.load(Ordering::Relaxed);
// Spawn a recv loop on the server side so it actually drives its read path (and replies to
// Pings). Without this, the client's cover Pings would sit in the OS socket buffer.
let server_for_recv = server_conn.clone();
let recv_task = tokio::spawn(async move {
for _ in 0..20 {
// Each call returns on Data; cover Pings are answered internally without ever
// returning. So if we hit a timeout, that's expected: cover traffic does NOT surface
// as data. We're really just running the loop so the server processes Pings.
let _ = tokio::time::timeout(Duration::from_millis(300), server_for_recv.recv_packet())
.await;
}
});
// Mirror on the client side: keep its recv path active so it consumes Pongs (otherwise the
// OS recv buffer fills with Pongs and the test sees them only on the wire counter, but the
// cover-task's own state stays clean).
let client_for_recv = client_conn.clone();
let recv_task_c = tokio::spawn(async move {
for _ in 0..20 {
let _ = tokio::time::timeout(Duration::from_millis(300), client_for_recv.recv_packet())
.await;
}
});
tokio::time::sleep(Duration::from_millis(1500)).await;
let c2s_idle = c2s.load(Ordering::Relaxed);
let s2c_idle = s2c.load(Ordering::Relaxed);
let c2s_chaff = c2s_idle.saturating_sub(c2s_after_hs);
let s2c_chaff = s2c_idle.saturating_sub(s2c_after_hs);
// With cover_mean_interval_ms = 100 over ~1.5 s, we should see > 0 chaff datagrams in each
// direction (client sends Pings; server replies with Pongs). We do not pin a tight bound to
// avoid flake on slow CI; even one chaff datagram per direction proves the feature is firing.
assert!(
c2s_chaff >= 1,
"expected at least one cover-traffic Ping client→server, got {c2s_chaff} (handshake baseline {c2s_after_hs})",
);
assert!(
s2c_chaff >= 1,
"expected at least one cover-traffic Pong server→client, got {s2c_chaff} (handshake baseline {s2c_after_hs})",
);
drop(recv_task);
drop(recv_task_c);
}
#[tokio::test]
async fn udp_cover_traffic_skipped_under_load() {
let (server_cfg, client_cfg) = make_configs();
// Cover-task mean interval ~50 ms; user traffic must suppress chaff one-for-one because each
// send updates `last_send_ms`.
let opts = UdpOpts {
cover_traffic_enabled: true,
cover_mean_interval_ms: 50,
cover_jitter: 0.1,
..UdpOpts::default()
};
let server =
UdpServer::bind("127.0.0.1:0".parse().unwrap(), server_cfg, opts).expect("bind server");
let server_addr = server.local_addr().expect("server addr");
let (proxy_addr, c2s, _s2c) = spawn_counting_forwarder(server_addr).await;
let accept_task = tokio::spawn(async move { server.accept().await });
let connect_task =
tokio::spawn(async move { UdpClient::connect(proxy_addr, client_cfg, opts).await });
let server_conn: UdpConnection = tokio::time::timeout(Duration::from_secs(15), accept_task)
.await
.expect("accept timely")
.expect("accept join")
.expect("server accept");
let client_conn: UdpConnection = tokio::time::timeout(Duration::from_secs(15), connect_task)
.await
.expect("connect timely")
.expect("connect join")
.expect("client connect");
let server_conn: Arc<dyn PacketConnection> = Arc::new(server_conn);
let client_conn: Arc<dyn PacketConnection> = Arc::new(client_conn);
// Drain the server in the background so it actually processes incoming packets (and Pings).
let server_for_recv = server_conn.clone();
let recv_task = tokio::spawn(async move {
let mut got = 0u32;
while let Ok(Ok(_)) =
tokio::time::timeout(Duration::from_millis(2000), server_for_recv.recv_packet()).await
{
got += 1;
if got >= 50 {
break;
}
}
got
});
let c2s_after_hs = c2s.load(Ordering::Relaxed);
// Drive 50 user packets over ≈1 s. Each send updates last_send_ms, so the cover task's idle
// check (`now - last < delay_ms`) is true on every iteration and chaff is skipped.
let total = 50u32;
let pkt = vec![0xABu8; 100];
let start = std::time::Instant::now();
for _ in 0..total {
client_conn.send_packet(&pkt).await.expect("client send");
// Pace the sends to ~1 packet every 20 ms (50 packets in 1 s); spacing < mean interval
// (50 ms) so the suppression check always wins.
tokio::time::sleep(Duration::from_millis(20)).await;
}
let elapsed = start.elapsed();
assert!(
elapsed < Duration::from_secs(3),
"loop should finish under 3 s, took {elapsed:?}",
);
// Give the server a moment to drain.
let _ = tokio::time::timeout(Duration::from_secs(3), recv_task).await;
let c2s_data = c2s.load(Ordering::Relaxed).saturating_sub(c2s_after_hs);
// Expect ≈ 50 datagrams from client to server (the user packets). Allow a small slack for one
// straggler cover Ping if a sleep wakes up just slightly late; tightly bound at ≤ 60.
assert!(
c2s_data >= total as u64,
"client must have sent at least {total} user packets, observed {c2s_data}",
);
assert!(
c2s_data <= (total as u64) + 10,
"cover-traffic should be suppressed under load, but observed {c2s_data} datagrams (expected ≈ {total})",
);
}
#[tokio::test]
async fn udp_cover_traffic_disabled_back_compat() {
let (server_cfg, client_cfg) = make_configs();
let opts = UdpOpts::default(); // cover_traffic_enabled: false
let server =
UdpServer::bind("127.0.0.1:0".parse().unwrap(), server_cfg, opts).expect("bind server");
let server_addr = server.local_addr().expect("server addr");
let (proxy_addr, c2s, s2c) = spawn_counting_forwarder(server_addr).await;
let accept_task = tokio::spawn(async move { server.accept().await });
let connect_task =
tokio::spawn(async move { UdpClient::connect(proxy_addr, client_cfg, opts).await });
let server_conn: UdpConnection = tokio::time::timeout(Duration::from_secs(15), accept_task)
.await
.expect("accept timely")
.expect("accept join")
.expect("server accept");
let client_conn: UdpConnection = tokio::time::timeout(Duration::from_secs(15), connect_task)
.await
.expect("connect timely")
.expect("connect join")
.expect("client connect");
// After the handshake, both sides go fully idle for 1 s. Nothing must hit the wire.
let c2s_after_hs = c2s.load(Ordering::Relaxed);
let s2c_after_hs = s2c.load(Ordering::Relaxed);
// Hold references so the connections do not drop early.
let _hold_server = server_conn;
let _hold_client = client_conn;
tokio::time::sleep(Duration::from_secs(1)).await;
assert_eq!(
c2s.load(Ordering::Relaxed),
c2s_after_hs,
"no client→server chaff with cover disabled",
);
assert_eq!(
s2c.load(Ordering::Relaxed),
s2c_after_hs,
"no server→client chaff with cover disabled",
);
}
crates/aura-transport/tests/udp_knock.rs
+193
View File
@@ -0,0 +1,193 @@
//! Integration tests for the UDP **port-knocking** (probe resistance) feature.
//!
//! These exercise the end-to-end behaviour of [`UdpOpts::knock_required`] / [`UdpOpts::knock_key`]:
//!
//! * [`udp_knock_required_silent_drop_on_missing_or_wrong`] — server requires knocking; client does
//! not knock → server stays silent (no reply within 1 s, so a passive scanner sees a closed port).
//! * [`udp_knock_required_accepts_valid`] — both sides knock with the same key → handshake completes
//! like usual; the inner Aura mutual auth still drives the auth decision.
//! * [`udp_knock_disabled_back_compat`] — both sides disabled → exact pre-feature wire behaviour.
//!
//! The clock-skew tolerance test (±1 minute) lives as a unit test inside `src/udp.rs` so it can
//! drive [`validate_and_strip_knock`] directly with a faked "now" — much sharper than racing the
//! wall clock here.
use std::sync::Arc;
use std::time::Duration;
use aura_pki::AuraCa;
use aura_proto::{ClientConfig, PacketConnection, ServerConfig};
use aura_transport::{UdpClient, UdpConnection, UdpOpts, UdpServer};
use tokio::net::UdpSocket;
const SERVER_NAME: &str = "localhost";
const CLIENT_ID: &str = "client-knock";
/// Mint CA + server + client cert/key triples, returning matching handshake configs.
fn make_configs() -> (ServerConfig, ClientConfig) {
let ca = AuraCa::generate("Aura UDP Knock Test CA").expect("generate CA");
let server_cert = ca
.issue_server_cert(SERVER_NAME)
.expect("issue server cert");
let client_cert = ca.issue_client_cert(CLIENT_ID).expect("issue client cert");
let ca_pem = ca.ca_cert_pem();
let server_cfg = ServerConfig {
ca_cert_pem: ca_pem.clone(),
server_cert_pem: server_cert.cert_pem,
server_key_pem: server_cert.key_pem,
};
let client_cfg = ClientConfig {
ca_cert_pem: ca_pem,
client_cert_pem: client_cert.cert_pem,
client_key_pem: client_cert.key_pem,
server_name: SERVER_NAME.to_string(),
};
(server_cfg, client_cfg)
}
/// A 32-byte test knock key; in production this is `SHA-256(CA-cert-DER)` (the CLI computes it),
/// but for the transport-level tests any well-known constant is fine — both sides just need the
/// same bytes.
fn test_knock_key() -> [u8; 32] {
let mut k = [0u8; 32];
for (i, b) in k.iter_mut().enumerate() {
*b = (i as u8).wrapping_mul(13).wrapping_add(7);
}
k
}
#[tokio::test]
async fn udp_knock_required_silent_drop_on_missing_or_wrong() {
let (server_cfg, _client_cfg) = make_configs();
// Server: require knocking with our test key. Tighten the handshake timeout so the test does
// not have to wait the default 10 s for the (never-arriving) handshake.
let server_opts = UdpOpts {
knock_required: true,
knock_key: Some(test_knock_key()),
hs_timeout: Duration::from_secs(2),
..UdpOpts::default()
};
let server = UdpServer::bind("127.0.0.1:0".parse().unwrap(), server_cfg, server_opts)
.expect("bind udp server");
let server_addr = server.local_addr().expect("server local_addr");
// Bind a raw client socket and send a single *unknocked* HS-shaped datagram. We do NOT run
// `UdpClient::connect` here because that would inject the proto handshake's ClientHello and we
// want to assert "the server is silent at the wire level".
let raw_client = UdpSocket::bind("127.0.0.1:0")
.await
.expect("bind raw client");
raw_client.connect(server_addr).await.expect("raw connect");
// Wire layout the server expects when knock is OFF: 0x01 (HS) || hs_seq(2) || ack(2) || msg.
// No knock prefix → the server's master loop must drop this silently.
let mut unknocked_hs = vec![0x01u8, 0x00, 0x00, 0xFF, 0xFF];
// Append some plausible-looking handshake-message bytes so the datagram is non-trivially sized.
unknocked_hs.extend_from_slice(&[0u8; 64]);
raw_client
.send(&unknocked_hs)
.await
.expect("send unknocked HS");
// The server must NOT reply. Wait 1 s for any inbound datagram; recv_from must time out.
let mut buf = [0u8; 1024];
let res = tokio::time::timeout(Duration::from_secs(1), raw_client.recv(&mut buf)).await;
assert!(
res.is_err(),
"server replied to an unknocked HS datagram (got {} bytes), expected wire silence",
res.unwrap_or(Ok(0)).unwrap_or(0),
);
// Cleanup: drop the server explicitly (also tears down the master loop).
drop(server);
}
#[tokio::test]
async fn udp_knock_required_accepts_valid() {
let (server_cfg, client_cfg) = make_configs();
let key = test_knock_key();
let opts = UdpOpts {
knock_required: true,
knock_key: Some(key),
..UdpOpts::default()
};
let server =
UdpServer::bind("127.0.0.1:0".parse().unwrap(), server_cfg, opts).expect("bind udp server");
let server_addr = server.local_addr().expect("server local_addr");
let accept_task = tokio::spawn(async move { server.accept().await });
let connect_task =
tokio::spawn(async move { UdpClient::connect(server_addr, client_cfg, opts).await });
let server_conn: UdpConnection = tokio::time::timeout(Duration::from_secs(15), accept_task)
.await
.expect("server accept timely")
.expect("accept join")
.expect("server accept");
let client_conn: UdpConnection = tokio::time::timeout(Duration::from_secs(15), connect_task)
.await
.expect("client connect timely")
.expect("connect join")
.expect("client connect");
assert_eq!(
server_conn.peer_id(),
Some(CLIENT_ID),
"server learned client CN — handshake completed through knocking",
);
// Round-trip a packet both ways to prove the data path also works under knocking.
let server_conn: Arc<dyn PacketConnection> = Arc::new(server_conn);
let client_conn: Arc<dyn PacketConnection> = Arc::new(client_conn);
client_conn
.send_packet(b"knock knock")
.await
.expect("client send");
let got = tokio::time::timeout(Duration::from_secs(5), server_conn.recv_packet())
.await
.expect("server recv timely")
.expect("server recv");
assert_eq!(got, b"knock knock");
}
#[tokio::test]
async fn udp_knock_disabled_back_compat() {
let (server_cfg, client_cfg) = make_configs();
let opts = UdpOpts::default(); // knock_required: false, knock_key: None
let server =
UdpServer::bind("127.0.0.1:0".parse().unwrap(), server_cfg, opts).expect("bind udp server");
let server_addr = server.local_addr().expect("server local_addr");
let accept_task = tokio::spawn(async move { server.accept().await });
let connect_task =
tokio::spawn(async move { UdpClient::connect(server_addr, client_cfg, opts).await });
let server_conn: UdpConnection = tokio::time::timeout(Duration::from_secs(15), accept_task)
.await
.expect("server accept timely")
.expect("accept join")
.expect("server accept");
let client_conn: UdpConnection = tokio::time::timeout(Duration::from_secs(15), connect_task)
.await
.expect("client connect timely")
.expect("connect join")
.expect("client connect");
assert_eq!(server_conn.peer_id(), Some(CLIENT_ID));
let server_conn: Arc<dyn PacketConnection> = Arc::new(server_conn);
let client_conn: Arc<dyn PacketConnection> = Arc::new(client_conn);
client_conn
.send_packet(b"no-knock")
.await
.expect("client send");
let got = tokio::time::timeout(Duration::from_secs(5), server_conn.recv_packet())
.await
.expect("server recv timely")
.expect("server recv");
assert_eq!(got, b"no-knock");
}
docs/deployment.md
+289 -11
View File
@@ -379,25 +379,303 @@ aura status
-**Admin-сокет на Windows.** Cfg-gated транспорт: на Unix — Unix socket
(`/tmp/aura-admin.sock`), на Windows — Tokio named pipe (`\\.\pipe\aura-admin`).
JSON-протокол и команды (`route add/list/remove`, `status`) идентичны.
-**In-band CRL.** Сервер сразу после handshake пушит подписанный CA CRL клиенту
через мультиплексированный control-envelope с magic-префиксом
`[0xAA,0xAA,0xC0,0x01]` (не конфликтует с IPv4/v6, которые начинаются с
`0x4X`/`0x6X`). Клиент проверяет подпись ECDSA-P256 против CA, применяет к
`AuraCertVerifier`, кэширует на диск. Конфиг `[pki] crl_push = true` /
`accept_pushed_crl = true` (по умолчанию).
-**Анти-надзор v2 (NEW в ответ на дрегнет операторов):**
- **Port-knocking** на UDP-транспорте: сервер молчит на скан-зондах, отвечает
только на валидный 16-байтный HMAC-SHA256 «стук» с ±1-минутным окном (ключ
из CA fingerprint). Сканер видит закрытый порт. `[transport.knock]
enabled = true`.
- **Cover traffic / chaff**: при простое UDP-соединение шлёт `Ping` каждые
~500мс±50% (jitter). Defeats volume/timing-fingerprinting. Под нагрузкой
подавляется автоматически. `[transport.cover] enabled = true`.
-**Автоматизация развёртывания:**
- `aura server-init --domain ... --pki-dir ...` — одна команда: CA +
серверный cert + готовый `server.toml` (с авто-определением egress-iface).
- `aura provision-client --id <UUID> --out <dir>` — выпускает client cert и
собирает готовый бандл (`ca.crt` + `client.crt` + `client.key` +
`client.toml`). `--id` опционален — дефолт UUID v4 (имя пользователя не
привязано к сертификату).
-**Минимизация идентификаторов:**
- `[server] no_logs = true` / `[client] no_logs = true` — поля `peer_id`,
`client_ip`, `source_addr`, `client_id`, `local_ip`, `user`, `id`,
`assigned_ip` редактируются из tracing-вывода через field-level фильтр
(события фиксируются, идентификаторы вычищаются).
- `[client] bridges = [...]` — список запасных серверов, клиент пробует
случайный порядок. Блокировка одного IP не убивает доступ.
-**НОВОЕ: ежедневная ротация масок в 05:00 МСК.** Внешний фингерпринт (SNI/UA/Server-
header/UDP padding-профиль) детерминированно меняется раз в сутки. И сервер, и клиент
выводят одинаковый `MaskSet` из общего seed (SHA-256 от CA-сертификата) + UTC-даты через
HKDF-SHA256, без сетевой координации. Конфиг: `[transport.masks] enabled = true` (по
умолчанию). Новые подключения берут текущую маску; уже установленные остаются на своих.
Палитры: 16 SNI, 10 User-Agent, 5 Server-headers, 4 padding-профиля; профиль 0 байт-в-байт
совместим с v1-паддингом (бэк-совместимость).
Палитры: 16 SNI default + 15 SNI russian, 10 User-Agent, 5 Server-headers, 4 padding-профиля;
профиль 0 байт-в-байт совместим с v1-паддингом (бэк-совместимость). v3.2 добавляет
`palette = "default" | "russian" | "mixed"` для случая, когда нужно, чтобы outer SNI выглядел
как обращение к российскому сайту (см. сценарий в §7).
-**Multi-hop / onion routing v3.1 + v3.2.** Цепочка из 2-3 хопов: client →
entry-relay → (опционально middle) → exit. Entry-relay не знает destination, exit-узел не
знает клиентский IP. v3.2: per-hop client cert (CN entry и exit различаются — нельзя
слинковать handshakes по identity), cell padding (constant-size cells устраняют per-packet
size-fingerprinting), CIDR whitelist на relay'е. Конфиг — `[client.circuit]` /
`[server.relay]`. См. сценарий §7 для деплоймента «российский entry, иностранный exit».
-**Let's Encrypt outer-TLS cert.** `[server.outer_cert] cert_path / key_path` — outer-TLS
слой QUIC и TCP использует настоящий CA-trusted сертификат вместо self-signed Aura cert;
внутренний Aura mutual-auth handshake продолжает аутентификацию против Aura CA.
### Остающиеся честные ограничения v2
### Остающиеся честные ограничения
- **TUN всё ещё требует root** для **создания** интерфейса (это OS-уровень). Privilege drop
минимизирует окно работы под root, но саму операцию обойти нельзя.
- **IPv6 в OS-маршрутах и iptables MASQUERADE** не реализован — только IPv4 (план v3).
- **Windows OS-маршруты** — заглушка с лог-warning (план v3). Windows admin pipe **работает**.
- **CRL** пока распространяется out-of-band (плоский файл `revoked.crl` на сервере и клиенте);
in-band пуш сервером → клиенту запланирован (отдельная v2-задача, не реализована в этом
раунде).
- **IPv6 в OS-маршрутах и iptables MASQUERADE** не реализован — только IPv4 (план v3.3).
- **Windows OS-маршруты** — заглушка с лог-warning (план v3.3). Windows admin pipe **работает**.
- **Нативного Go-клиента для телефона нет** — через sing-box (Option B нативный Go-outbound,
по `protocol.md` + KAT из Rust, см. [`sing-box.md`](sing-box.md)). Сейчас доступен только
десктоп-клиент / process-bridge.
- **Автоопределение egress-интерфейса** для NAT не реализовано: `[server.nat] egress_iface`
обязательно задавать вручную, если `auto = true` (план v3).
десктоп-клиент / process-bridge. Это явно исключённый из v2 пункт.
- **Bridge-discovery без хардкода IP в конфиге** — план v3.3. Сейчас `[client] bridges`
хардкодит список запасных IP; если их все заблокируют (включая российские entry-узлы из
сценария §7), восстановление требует обновления конфига клиента вручную.
---
## 7. Сценарий: российский entry-узел против тарификации иностранного трафика
### 7.1. Контекст и угроза
Российские операторы связи могут начать тарифицировать «иностранный трафик» отдельно: классификация
выполняется по destination IP исходящего пакета пользователя. Если первый IP, к которому
обращается устройство, — российский, биллинг считает соединение «российским», даже если внутри
этого соединения трафик уходит дальше за рубеж. Цель в этом сценарии — добиться того, чтобы
оператор биллил трафик пользователя как «российский», при этом сохраняя VPN-выход за рубежом.
Решение опирается на три компонента, уже реализованные в AuraVPN:
1. **Multi-hop / onion routing v3.1+** (`[client.circuit]` / `[server.relay]`) — entry-узел в РФ
не знает destination, exit-узел за рубежом не знает клиентский IP.
2. **Палитра SNI «russian»** (v3.2) — `[transport.masks] palette = "russian"` ротирует outer-TLS
SNI среди крупных российских доменов (`vk.com`, `www.ozon.ru`, `mail.yandex.ru`, ...).
3. **OS-уровень kill-switch** (`[tunnel.os_routes] enabled = true`) — гарантия, что системный
трафик (push-уведомления, OS-сервисы) не обходит туннель и не попадает напрямую к иностранным
серверам в обход entry-узла.
### 7.2. Топология
```
[устройство]
|
| весь трафик через TUN (kill-switch)
v
[оператор] <-- видит только UDP/443 на RU_VPS_IP, SNI = "vk.com"
|
v
[Russian VPS / entry-relay] <-- v3.1 relay: forward to next hop, never decodes IP packets
|
| inner Aura handshake (PQ-encrypted, opaque)
v
[Foreign VPS / exit] <-- настоящий VPN-выход в интернет
|
v
[internet]
```
Оператор видит только трафик до **entry-узла**: один UDP-поток с SNI крупного российского сайта.
Внутри этого потока — зашифрованный многохоп; entry-relay не имеет ключей внутреннего рукопожатия
и видит только AEAD-ciphertext, который он форвардит на exit. Exit видит только IP entry-узла, а
не IP клиентского устройства.
### 7.3. Что покупать
**Подходящие провайдеры для entry-узла в РФ** (юрисдикция РФ, IP в российских AS):
- **Selectel** (Москва, СПб).
- **Beget** (СПб).
- **Yandex.Cloud** (Москва).
- **VK Cloud** (бывш. Mail.ru Cloud Solutions).
- **Timeweb Cloud**.
**Неподходящие для роли entry-узла в РФ**:
- **Hetzner** (Германия/Финляндия) — IP классифицируется как «иностранный».
- **DigitalOcean / Vultr / Linode** (США/EU) — то же самое.
- **AWS / GCP / Azure** даже с российскими DC-локациями — IP-блоки за пределами российских AS у
большинства операторов.
Для **exit-узла** наоборот — берите любой удобный иностранный VPS (Hetzner, DigitalOcean, Vultr,
любой подходящий по юрисдикции и пропускной способности).
### 7.4. Конфиг сервера в РФ (entry-relay)
`server.toml` на российском VPS (например, Selectel с IP `RUSSIAN_VPS_IP`):
```toml
[server]
name = "aura-ru-entry-1"
listen = "0.0.0.0:443"
[pki]
ca_cert = "/etc/aura/pki/ca.crt"
cert = "/etc/aura/pki/server/server.crt"
key = "/etc/aura/pki/server/server.key"
[tunnel]
# Pool нужен формально (для v1-fallback-пути), но в роли чистого relay он не используется —
# bridged-клиенты не получают IP из пула и не регистрируются в ServerRouter.
pool_cidr = "10.7.0.0/24"
mtu = 1420
# v3.1: relay-режим. Принимаем ExtendBridge от клиента и сплайсим на foreign exit.
[server.relay]
enabled = true
allow_extend_to = ["EXIT_FOREIGN_IP:443"] # IP вашего иностранного exit-узла
# v3.2 cell padding: relay сам не декодирует — это сквозной байт-форвардинг. Знаки опции тут
# для симметрии конфига; реальный декод цельных ячеек — на exit'е.
cell_padding = true
cell_size = 1280
[transport.masks]
enabled = true
# v3.2: outer-TLS SNI крутится среди крупных российских доменов. Каждый день — другой домен.
palette = "russian"
# Опционально: настоящий outer-TLS сертификат (Let's Encrypt) поверх UDP/QUIC и TCP. Без него
# работает self-signed Aura, но с настоящим LE-сертификатом outer-handshake становится
# неотличим от обычного HTTPS на CA-trusted сайт.
[server.outer_cert]
cert_path = "/etc/letsencrypt/live/relay.example.ru/fullchain.pem"
key_path = "/etc/letsencrypt/live/relay.example.ru/privkey.pem"
```
И аналогичный `server.toml` на **иностранном exit-узле** — обычный VPN-сервер БЕЗ `[server.relay]`,
но с `cell_padding_for_circuit_clients = true` в секции `[server]`, чтобы он понимал
constant-size cells от клиента:
```toml
[server]
name = "aura-exit-1"
listen = "0.0.0.0:443"
# v3.2: exit для cell-padded клиентов — декодирует ячейки внутреннего рукопожатия.
cell_padding_for_circuit_clients = true
[pki]
ca_cert = "/etc/aura/pki/ca.crt"
cert = "/etc/aura/pki/server/exit.crt"
key = "/etc/aura/pki/server/exit.key"
[tunnel]
pool_cidr = "10.7.0.0/24"
[server.nat]
auto = true # включить IP-форвардинг и MASQUERADE на egress-интерфейсе
egress_iface = "eth0"
[transport.masks]
# На exit'е SNI палитра не критична (клиент видит exit только через relay) — оставим default.
palette = "default"
```
### 7.5. Конфиг клиента
```toml
[client]
name = "laptop"
server_addr = "RUSSIAN_VPS_IP:443" # entry-узел в РФ; именно этот IP видит оператор
sni = "relay.example.ru" # SAN серверного outer-TLS сертификата (если есть LE)
[pki]
ca_cert = "~/.aura/ca.crt"
cert = "~/.aura/client.crt"
key = "~/.aura/client.key"
[tunnel]
tun_name = "aura0"
local_ip = "10.7.0.2"
prefix = 24
mtu = 1420
[tunnel.split]
default = "VPN"
# КРИТИЧНО: kill-switch — весь трафик через TUN, OS-уровень. Без этого push-уведомления и
# OS-сервисы могут уйти напрямую в иностранные сервера в обход entry-узла, и оператор
# зачтёт это как «иностранный» трафик.
[tunnel.os_routes]
enabled = true
# v3.1 / v3.2: цепочка хопов client -> RU_entry -> foreign_exit.
[client.circuit]
enabled = true
cell_padding = true
cell_size = 1280
[[client.circuit.hops]]
addr = "RUSSIAN_VPS_IP:443" # entry в РФ — то, что видит оператор
cert_path = "~/.aura/circuit/entry.crt"
key_path = "~/.aura/circuit/entry.key"
[[client.circuit.hops]]
addr = "EXIT_FOREIGN_IP:443" # exit за рубежом, к которому привязаны DNS/маршруты внутри VPN
cert_path = "~/.aura/circuit/exit.crt"
key_path = "~/.aura/circuit/exit.key"
[transport.masks]
enabled = true
# Должно совпадать с palette = "russian" на entry-узле — иначе SNI в логах двух сторон
# не будут симметричны (на проводе это не ошибка, но удобнее для отладки).
palette = "russian"
```
Сертификаты двух хопов — разные (`entry.crt` != `exit.crt`). Это v3.2 identity-unlinkability:
entry-relay видит только клиентский cert для роли entry, exit-узел видит только cert для роли
exit, и они не пересекаются (см. `aura provision-client --circuit-hops 2 ...`).
### 7.6. Что это даёт
- **Оператор биллит как «российский».** На проводе оператор видит один UDP-поток на
`RUSSIAN_VPS_IP:443` — это российский IP в российской AS, классификатор биллинга его не
обозначает как иностранный.
- **SNI выглядит как обращение к российскому сайту.** В пакетах outer-TLS / outer-QUIC
hostname-камуфляж берётся из `SNI_PALETTE_RUSSIAN`: каждый день — другой домен (`vk.com`,
`www.ozon.ru`, `mail.yandex.ru`, ...). DPI видит «нормальный HTTPS на крупный российский
сайт».
- **Реальный VPN-выход — за рубежом.** Внутри multi-hop клиент дозванивается до иностранного
exit-узла; именно его IP видят внешние ресурсы. Entry-узел в РФ форвардит зашифрованный
трафик, не зная destination и не имея ключей внутреннего рукопожатия.
- **Kill-switch предотвращает обход.** `[tunnel.os_routes] enabled = true` программирует
системную таблицу маршрутов так, что весь трафик идёт через TUN — push-уведомления, OS-сервисы
и любые «прямые» обращения в обход VPN заблокированы, поэтому ничто из устройства не уйдёт
напрямую к иностранному IP в обход entry-узла.
### 7.7. Что это НЕ даёт (честное ограничение)
- **Не скрывает сам факт VPN-использования** от российских органов. DPI с deep-inspection может
по статистическим паттернам трафика (timing, размеры, поведение в течение сессии) узнать
Aura-протокол; ротация масок и `palette = "russian"` маскирует пассивного наблюдателя, но не
активного аналитика. Для дополнительной защиты включайте `[transport.knock]` и
`[transport.cover]` (port-knocking + cover traffic).
- **Не освобождает от ответственности за заходы на запрещённые ресурсы.** Кто и за что отвечает
при заходе на запрещённый ресурс через VPN — вопрос юрисдикции exit-узла и применимого
законодательства, не технический.
- **Не защищает от блокировки самого entry-IP.** Если СОРМ-система или Роскомнадзор начнут
активно блокировать конкретные VPS-IP, придётся ротировать IP / bridges. Сейчас это решается
через `[client] bridges = [...]` — список запасных российских entry-узлов; клиент пробует их
в случайном порядке при отказе primary. Полноценный bridge-discovery (без хардкода IP в
конфиге) — план v3.3.
- **Cell padding не скрывает наличие туннеля.** Constant-size cells устраняют per-packet
size-fingerprinting внутри multi-hop, но не делают сам поток неотличимым от HTTPS — общий
объём и временные паттерны остаются. Это компромисс между обфускацией и накладными расходами.
### 7.8. Что менять при ротации
При смене IP entry-узла (например, при блокировке текущего) обновите три места:
1. `[[client.circuit.hops]] addr` первого хопа → новый `RUSSIAN_VPS_IP:443`.
2. `[client] server_addr` → тот же новый IP.
3. На новом VPS — поднять PKI, выпустить cert для entry-роли, перенести `server.toml` с
`[server.relay]` и `palette = "russian"`.
Перевыпускать сертификаты двух хопов не нужно — они остаются те же, меняется только wire-адрес
entry-узла. На сертификате entry-сервера должен быть SAN, совпадающий с `[client] sni`
(см. `aura pki issue-server --domain relay.example.ru`).