xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5e553b79dfdb07da0732daf4d5e9c6f68d32f40d
AuraVPN/Cargo.toml
T
xah30 a070da0be9 feat(singbox-aura,tools): Go port of Aura UDP client + KAT bridge to Rust 
Lays the foundation for sing-box mobile clients (Option B from
docs/sing-box.md): an independent Go module that speaks the AuraVPN wire
protocol byte-for-byte. Proof of equivalence is in KAT tests cross-loaded
from a Rust-side deterministic vector exporter.

- tools/export-kat (new Rust bin in workspace): captures a handshake +
  derived keys + a sealed datagram record + a knock token using seeded
  RNGs (rand::rngs::StdRng + ml-kem's *_deterministic public API), emits
  JSON. Reproducible byte-for-byte.
- singbox-aura/ (new Go module, ~3000 LOC, 22 files):
  - aura/frame: 5-byte protocol header + Frame{Data,Ping,Pong,Close,
    Control} + magic envelope (0xAA,0xAA,0xC0,0x01) — encode/decode
    matching aura-proto::frame.
  - aura/crypto: hybrid X25519 + ML-KEM-768 (stdlib crypto/ecdh +
    crypto/mlkem on Go 1.24+; falls back to circl on older Go via a
    documented swap), HKDF-SHA256 derive_session_keys, ChaCha20-Poly1305
    with the **LE(u64 counter) || [0;4]** nonce scheme that matches
    aura-crypto::AeadKey/AeadSession.
  - aura/handshake: client_handshake state machine reproducing protocol.md
    §6.2 exactly (CH→SH→ServerAuth→ClientAuth→Finished×2; transcript hash;
    ECDSA-P256 transcript signature; HMAC-SHA256 Finished).
  - aura/session: DatagramSender/Receiver + 64-wide sliding replay window.
  - aura/transport: reliable HS-adapter (DTLS-flight retransmit) + UDP
    datagram data path + 16-byte HMAC port-knock with ±1-minute window.
  - aura/outbound: sing-box-shaped shim (interface signatures only — sing-
    box upstream registration is one more step, documented in README).
  - cmd/aura-client: standalone Go binary; reads client.toml via
    pelletier/go-toml/v2 and connects to a real aura server. Validates
    end-to-end interop with the Rust side.
- KAT: 6 comparisons against Rust vectors — session_keys (HKDF), hybrid
  KEM ek/encaps roundtrip, c2s + s2c Finished HMAC, sealed datagram
  record at seq=2 (incl. 16-byte Poly1305 tag), knock token. All byte-
  for-byte.

Go: 29 tests across 5 packages, all green. Only deps: golang.org/x/crypto
and pelletier/go-toml/v2. Rust: 293 tests still green; tools/export-kat
added to workspace members.

v1 limits documented in singbox-aura/README.md: UDP-only (no TCP/QUIC
fallback yet), no cell padding / cover traffic, no relay/exit role, no
multi-hop, sing-box upstream-registration sketch (vendor sagernet/sing-box +
init() RegisterOutbound) for follow-up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 21:14:23 +03:00

90 lines
2.3 KiB
TOML
Raw Blame History

[workspace]
members = [
"crates/aura-crypto",
"crates/aura-pki",
"crates/aura-proto",
"crates/aura-transport",
"crates/aura-tunnel",
"crates/aura-cli",
"tools/export-kat",
]
resolver = "2"
[workspace.package]
version = "0.1.0"
edition = "2021"
license = "MIT"
authors = ["Aura"]
description = "Aura — hybrid post-quantum VPN protocol over QUIC"
[workspace.dependencies]
# Internal crates
aura-crypto = { path = "crates/aura-crypto" }
aura-pki = { path = "crates/aura-pki" }
aura-proto = { path = "crates/aura-proto" }
aura-transport = { path = "crates/aura-transport" }
aura-tunnel = { path = "crates/aura-tunnel" }
# PQ + classic crypto (ml-kem = FIPS 203 ML-KEM-768, replaces spec's pqcrypto-kyber)
ml-kem = { version = "0.3", features = ["zeroize"] }
x25519-dalek = { version = "2", features = ["static_secrets"] }
# KDF / AEAD / hashing
hkdf = "0.12"
hmac = "0.12"
sha2 = "0.10"
chacha20poly1305 = { version = "0.10", features = ["stream"] }
rand = "0.8"
rand_core = "0.6"
zeroize = { version = "1.7", features = ["derive"] }
subtle = "2"
# PKI / X.509
rcgen = "0.14"
rustls = { version = "0.23", features = ["ring"] }
rustls-pki-types = "1"
x509-parser = "0.16"
uuid = { version = "1", features = ["v4"] }
# Transport
quinn = "0.11"
tokio = { version = "1", features = ["full"] }
bytes = "1"
# TUN (Unix: Linux + macOS)
tun = { version = "0.8", features = ["async"] }
# Windows-specific (version declared here untargeted; referenced under crate [target.'cfg(windows)'] tables)
wintun = "0.5"
windows = { version = "0.57", features = [
"Win32_Foundation",
"Win32_NetworkManagement_IpHelper",
"Win32_NetworkManagement_Ndis",
"Win32_Networking_WinSock",
] }
# Serialization
serde = { version = "1", features = ["derive"] }
bincode = "1"
toml = "0.8"
# DNS / net
hickory-resolver = "0.24"
ipnetwork = "0.20"
# CLI / observability / errors
clap = { version = "4", features = ["derive"] }
tracing = "0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter"] }
anyhow = "1"
thiserror = "1"
async-trait = "0.1"
# Dev / bench
criterion = "0.5"
hex = "0.4"
[profile.release]
opt-level = 3
lto = "thin"
Reference in New Issue View Git Blame Copy Permalink