Files

T

History

xah30 a070da0be9 feat(singbox-aura,tools): Go port of Aura UDP client + KAT bridge to Rust

Lays the foundation for sing-box mobile clients (Option B from
docs/sing-box.md): an independent Go module that speaks the AuraVPN wire
protocol byte-for-byte. Proof of equivalence is in KAT tests cross-loaded
from a Rust-side deterministic vector exporter.

- tools/export-kat (new Rust bin in workspace): captures a handshake +
  derived keys + a sealed datagram record + a knock token using seeded
  RNGs (rand::rngs::StdRng + ml-kem's *_deterministic public API), emits
  JSON. Reproducible byte-for-byte.
- singbox-aura/ (new Go module, ~3000 LOC, 22 files):
  - aura/frame: 5-byte protocol header + Frame{Data,Ping,Pong,Close,
    Control} + magic envelope (0xAA,0xAA,0xC0,0x01) — encode/decode
    matching aura-proto::frame.
  - aura/crypto: hybrid X25519 + ML-KEM-768 (stdlib crypto/ecdh +
    crypto/mlkem on Go 1.24+; falls back to circl on older Go via a
    documented swap), HKDF-SHA256 derive_session_keys, ChaCha20-Poly1305
    with the **LE(u64 counter) || [0;4]** nonce scheme that matches
    aura-crypto::AeadKey/AeadSession.
  - aura/handshake: client_handshake state machine reproducing protocol.md
    §6.2 exactly (CH→SH→ServerAuth→ClientAuth→Finished×2; transcript hash;
    ECDSA-P256 transcript signature; HMAC-SHA256 Finished).
  - aura/session: DatagramSender/Receiver + 64-wide sliding replay window.
  - aura/transport: reliable HS-adapter (DTLS-flight retransmit) + UDP
    datagram data path + 16-byte HMAC port-knock with ±1-minute window.
  - aura/outbound: sing-box-shaped shim (interface signatures only — sing-
    box upstream registration is one more step, documented in README).
  - cmd/aura-client: standalone Go binary; reads client.toml via
    pelletier/go-toml/v2 and connects to a real aura server. Validates
    end-to-end interop with the Rust side.
- KAT: 6 comparisons against Rust vectors — session_keys (HKDF), hybrid
  KEM ek/encaps roundtrip, c2s + s2c Finished HMAC, sealed datagram
  record at seq=2 (incl. 16-byte Poly1305 tag), knock token. All byte-
  for-byte.

Go: 29 tests across 5 packages, all green. Only deps: golang.org/x/crypto
and pelletier/go-toml/v2. Rust: 293 tests still green; tools/export-kat
added to workspace members.

v1 limits documented in singbox-aura/README.md: UDP-only (no TCP/QUIC
fallback yet), no cell padding / cover traffic, no relay/exit role, no
multi-hop, sing-box upstream-registration sketch (vendor sagernet/sing-box +
init() RegisterOutbound) for follow-up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-27 21:14:23 +03:00

aura

feat(singbox-aura,tools): Go port of Aura UDP client + KAT bridge to Rust

2026-05-27 21:14:23 +03:00

cmd/aura-client

feat(singbox-aura,tools): Go port of Aura UDP client + KAT bridge to Rust

2026-05-27 21:14:23 +03:00

kat

feat(singbox-aura,tools): Go port of Aura UDP client + KAT bridge to Rust

2026-05-27 21:14:23 +03:00

go.mod

feat(singbox-aura,tools): Go port of Aura UDP client + KAT bridge to Rust

2026-05-27 21:14:23 +03:00

go.sum

feat(singbox-aura,tools): Go port of Aura UDP client + KAT bridge to Rust

2026-05-27 21:14:23 +03:00

README.md

feat(singbox-aura,tools): Go port of Aura UDP client + KAT bridge to Rust

2026-05-27 21:14:23 +03:00

README.md

singbox-aura

A Go port of the AuraVPN client, byte-for-byte compatible with the Rust server in crates/aura-transport/src/udp.rs. Scope of v1:

the UDP transport only (the primary path), with the same wire layout (0x01 HS + 0x02 DATA) and the same DTLS-flight-style reliable handshake adapter,
the client side of the Aura handshake (hybrid X25519 + ML-KEM-768, HKDF-SHA256, mutual ECDSA-P256 / SHA-256 X.509),
the datagram data path with the sliding-window replay check,
an optional port-knock prefix on HS datagrams,
a tiny CLI (cmd/aura-client) that loads a TOML config and dials a Rust-side server, and
a sing-box-shaped outbound shim (aura/outbound) that does not yet import the sing-box module — see aura/outbound/README.md for the next step.

Why this exists

Mobile sing-box embeds the Go core; it cannot easily spawn a Rust helper. Implementing the AuraVPN protocol natively in Go is the only path to a phone-friendly client. This module is that implementation.

Layout

singbox-aura/
├── go.mod / go.sum
├── README.md
├── aura/
│   ├── frame/           - 5-byte header + Frame{Data,Ping,Pong,Close} + control envelope
│   ├── crypto/          - hybrid KEM + HKDF + ChaCha20-Poly1305 (LE(u64)||0x00000000 nonce)
│   ├── handshake/       - client side of the §6.2 state machine
│   ├── session/         - replay window + DatagramSender/Receiver
│   ├── transport/       - reliable UDP HS adapter + post-HS data path + knock token
│   └── outbound/        - sing-box-shaped wrapper (no sing-box dep yet — see its README)
├── cmd/aura-client/     - standalone CLI
└── kat/vectors.json     - KAT exported from `tools/export-kat` (Rust)

Build + test

Requires Go 1.24+ (stdlib crypto/mlkem). On older Go you would swap the post-quantum imports in aura/crypto/kem.go to github.com/cloudflare/circl/kem/mlkem/mlkem768 — the rest of the package is dialect-agnostic.

# from the workspace root
cargo run -p export-kat                        # writes singbox-aura/kat/vectors.json
cd singbox-aura
go build ./...
go test ./...

aura/crypto/crypto_test.go loads kat/vectors.json and asserts byte-for-byte that:

HKDF reproduces both session keys,
the hybrid decapsulate reproduces the two halves of the shared secret,
HMAC-SHA256(c2s, transcript) and HMAC-SHA256(s2c, transcript) match the Rust outputs,
one ChaCha20-Poly1305 datagram record (seq=2, frame = Data{stream=0, payload="hello"}) matches the Rust sealed bytes, including the 16-byte Poly1305 tag,
the 16-byte port-knock token for a fixed minute matches the Rust value.

If any of these diverges, the Go port has a byte-level interop bug — fix it before proceeding.

Standalone CLI

cmd/aura-client mirrors a thin slice of the production Rust client.toml:

[client]
server_addr = "203.0.113.10:443"
sni = "cdn.example.com"

[pki]
ca_cert = "~/.aura/ca.crt"
cert    = "~/.aura/client.crt"
key     = "~/.aura/client.key"

[transport.knock]
enabled = false                       # set to match the server
knock_secret_source = "ca_fingerprint"

To dial a local Rust server (see aura server --config server.toml in the parent workspace):

./aura-client --config client.toml --message "hello aura"

The CLI completes the post-quantum handshake and sends one application packet. It exits after the send; this is intentional — proving the wire path is the v1 deliverable.

Integrating as a sing-box outbound

See aura/outbound/README.md for the registration sketch. The summary:

Vendor github.com/sagernet/sing-box.
In a tiny adapter package, call sing-box.RegisterOutbound(outbound.Tag, ...).
Translate the chosen option.Outbound JSON schema into handshake.ClientConfig + transport.Options.
The packet path is opaque IP — the sing-box router writes IP packets to the returned net.PacketConn; the same conn yields incoming packets on ReadFrom.

Known limitations (v1)

These are intentionally out of scope and tracked as follow-ups:

No TCP/443 or QUIC fallback — only UDP. The Rust dialer's order = [udp, tcp, quic] fallback chain is not ported.
No relay / exit role — client-only. Multi-hop / onion routing is a separate project.
No cell padding — [transport.obfuscate] and the HTTPS_SIZE_BUCKETS padding profile are not emitted; the wire is just 0x02 || rec_len || sealed_record.
No cover traffic — the idle-time Frame::Ping chaff in cover_traffic_loop is not ported.
No CRL push handling — the control-envelope decoder is in aura/frame/control.go, but the client does not process CrlPush envelopes (they are not currently sent on the data path the standalone CLI exercises).
Single-peer server — the Go client connects to one server at a time. The Rust v2 master-loop multi-peer demuxer is server-side and is not relevant to a client port.

Each is a contained patch from this scaffold; the KAT-vector regime makes additions safe.