xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f82bc41c03d2acb2cd3ebcbbca0385c0f8ee15d
AuraVPN/singbox-aura/aura/crypto/aead.go
T
xah30 a070da0be9 feat(singbox-aura,tools): Go port of Aura UDP client + KAT bridge to Rust 
Lays the foundation for sing-box mobile clients (Option B from
docs/sing-box.md): an independent Go module that speaks the AuraVPN wire
protocol byte-for-byte. Proof of equivalence is in KAT tests cross-loaded
from a Rust-side deterministic vector exporter.

- tools/export-kat (new Rust bin in workspace): captures a handshake +
  derived keys + a sealed datagram record + a knock token using seeded
  RNGs (rand::rngs::StdRng + ml-kem's *_deterministic public API), emits
  JSON. Reproducible byte-for-byte.
- singbox-aura/ (new Go module, ~3000 LOC, 22 files):
  - aura/frame: 5-byte protocol header + Frame{Data,Ping,Pong,Close,
    Control} + magic envelope (0xAA,0xAA,0xC0,0x01) — encode/decode
    matching aura-proto::frame.
  - aura/crypto: hybrid X25519 + ML-KEM-768 (stdlib crypto/ecdh +
    crypto/mlkem on Go 1.24+; falls back to circl on older Go via a
    documented swap), HKDF-SHA256 derive_session_keys, ChaCha20-Poly1305
    with the **LE(u64 counter) || [0;4]** nonce scheme that matches
    aura-crypto::AeadKey/AeadSession.
  - aura/handshake: client_handshake state machine reproducing protocol.md
    §6.2 exactly (CH→SH→ServerAuth→ClientAuth→Finished×2; transcript hash;
    ECDSA-P256 transcript signature; HMAC-SHA256 Finished).
  - aura/session: DatagramSender/Receiver + 64-wide sliding replay window.
  - aura/transport: reliable HS-adapter (DTLS-flight retransmit) + UDP
    datagram data path + 16-byte HMAC port-knock with ±1-minute window.
  - aura/outbound: sing-box-shaped shim (interface signatures only — sing-
    box upstream registration is one more step, documented in README).
  - cmd/aura-client: standalone Go binary; reads client.toml via
    pelletier/go-toml/v2 and connects to a real aura server. Validates
    end-to-end interop with the Rust side.
- KAT: 6 comparisons against Rust vectors — session_keys (HKDF), hybrid
  KEM ek/encaps roundtrip, c2s + s2c Finished HMAC, sealed datagram
  record at seq=2 (incl. 16-byte Poly1305 tag), knock token. All byte-
  for-byte.

Go: 29 tests across 5 packages, all green. Only deps: golang.org/x/crypto
and pelletier/go-toml/v2. Rust: 293 tests still green; tools/export-kat
added to workspace members.

v1 limits documented in singbox-aura/README.md: UDP-only (no TCP/QUIC
fallback yet), no cell padding / cover traffic, no relay/exit role, no
multi-hop, sing-box upstream-registration sketch (vendor sagernet/sing-box +
init() RegisterOutbound) for follow-up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 21:14:23 +03:00

103 lines
3.4 KiB
Go
Raw Blame History

package crypto
import (
"crypto/cipher"
"encoding/binary"
"fmt"
"golang.org/x/crypto/chacha20poly1305"
)
// NonceLen is the AEAD nonce length (96 bits for ChaCha20-Poly1305).
const NonceLen = 12
// NonceFor reproduces the AeadSession::nonce_for layout exactly:
//
// nonce[0..8] = LE(u64) counter
// nonce[8..12] = 0
//
// Both stream- and datagram-mode AEADs share this nonce derivation; the only difference is
// whether the counter is advanced lock-step (stream) or carried on the wire (datagram).
func NonceFor(counter uint64) [NonceLen]byte {
var n [NonceLen]byte
binary.LittleEndian.PutUint64(n[0:8], counter)
return n
}
// AeadKey wraps a 32-byte ChaCha20-Poly1305 key for explicit-nonce datagram use. The caller owns
// nonce uniqueness — Aura's datagram codec carries the counter on the wire as `seq`.
type AeadKey struct {
aead cipher.AEAD
}
// NewAeadKey builds an AeadKey from a 32-byte key. Returns an error if the key is the wrong
// size; ChaCha20-Poly1305 always wants 32.
func NewAeadKey(key []byte) (*AeadKey, error) {
if len(key) != SessionKeyLen {
return nil, fmt.Errorf("aead key must be %d bytes, got %d", SessionKeyLen, len(key))
}
a, err := chacha20poly1305.New(key)
if err != nil {
return nil, fmt.Errorf("chacha20poly1305.New: %w", err)
}
return &AeadKey{aead: a}, nil
}
// Seal encrypts plaintext under the nonce derived from counter, returning ciphertext||tag.
func (k *AeadKey) Seal(counter uint64, plaintext, aad []byte) []byte {
nonce := NonceFor(counter)
return k.aead.Seal(nil, nonce[:], plaintext, aad)
}
// Open authenticates and decrypts ciphertext (which must include the 16-byte Poly1305 tag).
// Returns the plaintext, or an error on authentication failure.
func (k *AeadKey) Open(counter uint64, ciphertext, aad []byte) ([]byte, error) {
nonce := NonceFor(counter)
out, err := k.aead.Open(nil, nonce[:], ciphertext, aad)
if err != nil {
return nil, fmt.Errorf("aead open: %w", err)
}
return out, nil
}
// AeadSession is the stream-mode counterpart: it holds the key plus a monotonically increasing
// 64-bit counter that advances on every Seal and Open. Used by the handshake's encrypted
// messages (ServerAuth, ClientAuth, Finished) so the two sides stay in lockstep without putting
// the counter on the wire.
type AeadSession struct {
key *AeadKey
counter uint64
}
// NewAeadSession starts a session at counter 0.
func NewAeadSession(rawKey []byte) (*AeadSession, error) {
k, err := NewAeadKey(rawKey)
if err != nil {
return nil, err
}
return &AeadSession{key: k, counter: 0}, nil
}
// Counter is the current counter (the nonce that the next Seal/Open will use). Test-only and
// used by Session.IntoDatagramParts to hand off the explicit-nonce key.
func (s *AeadSession) Counter() uint64 { return s.counter }
// Seal seals plaintext at the current counter then advances it.
func (s *AeadSession) Seal(plaintext, aad []byte) []byte {
ct := s.key.Seal(s.counter, plaintext, aad)
s.counter++
return ct
}
// Open verifies+decrypts ciphertext at the current counter then advances it (symmetric to Seal
// so a failed decrypt keeps the two ends aligned).
func (s *AeadSession) Open(ciphertext, aad []byte) ([]byte, error) {
pt, err := s.key.Open(s.counter, ciphertext, aad)
s.counter++
return pt, err
}
// IntoKey returns the underlying AeadKey so datagram-mode codecs can continue at the same
// counter without re-deriving anything (matches Rust's into_parts).
func (s *AeadSession) IntoKey() *AeadKey { return s.key }
Reference in New Issue View Git Blame Copy Permalink