xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
65b26b555d0aaf25fd7dd28371297d13c9a60d4a
AuraVPN/crates/aura-transport/Cargo.toml
T
xah30 821f7711e7 feat(transport): real TLS-443 on the TCP backend (replaces HTTP/1.1 masquerade) 
The TCP fallback now does a full outer TLS handshake (tokio-rustls 0.26 over
rustls 0.23, ring provider) before the Aura proto handshake, exactly like the
QUIC backend: on the wire it is indistinguishable from genuine HTTPS until the
inner Aura mutual-auth handshake starts. Removes v1's "light HTTP masquerade"
limitation; the real security boundary remains the inner PQ handshake.

- aura-transport::tcp: dropped the HTTP/1.1 preamble helpers and TcpOpts
  fields (masquerade, host, user_agent, server_header). New flow:
  TlsAcceptor::accept (server) / TlsConnector::connect (client) →
  tokio::io::split(TlsStream) → server_handshake / client_handshake → Session.
  Client reuses crate::quic::AcceptAnyServerCert (outer SNI not authenticated;
  inner handshake is the security boundary). Outer server cert auto-sourced
  from proto_cfg.server_cert_pem (no API change for the CLI's bind).
- ALPN default: ["h2", "http/1.1"] (DEFAULT_TCP_ALPN, exported).
- TcpOpts: now just { alpn: Option<Vec<Vec<u8>>> }.
- TcpClient::connect gains an outer-SNI &str param; DialConfig.sni passes it
  through (separate from the inner proto_cfg.server_name).
- tokio-rustls 0.26 added as a transport-local dependency (not workspace).

CLI updates: removed dead host/user_agent/server_header wiring; mask rotation
no longer touches TCP outer parameters (TLS doesn't have a Host header on
the wire). [transport] masquerade kept as a no-op for back-compat with old
configs (documented).

3 new tcp_loopback tests (default ALPN end-to-end, custom ALPN, outer SNI
mismatch still connects = proves accept-any is in effect). Workspace: 142
tests passed (+1), clippy -D warnings clean, fmt clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 01:53:02 +03:00

33 lines
1.2 KiB
TOML
Raw Blame History

[package]
name = "aura-transport"
version.workspace = true
edition.workspace = true
license.workspace = true
description = "Aura transport: QUIC (quinn) endpoint, HTTPS/H3 mimicry, padding"
[dependencies]
aura-proto.workspace = true
aura-crypto.workspace = true
quinn.workspace = true
tokio.workspace = true
bytes.workspace = true
rustls.workspace = true
rustls-pki-types.workspace = true
rand.workspace = true
tracing.workspace = true
thiserror.workspace = true
anyhow.workspace = true
async-trait.workspace = true
# PEM (certificates + PKCS#8 keys) -> DER for the outer QUIC/TLS rustls config. Already resolved
# in the workspace lockfile (pulled transitively), so this adds no new version resolution.
rustls-pemfile = "2"
# Outer TLS-443 wrapper for the TCP transport (real HTTPS-on-the-wire camouflage; the security
# boundary is still the inner Aura handshake, just like for the QUIC backend). Local-only to this
# crate — not a new workspace dependency.
tokio-rustls = { version = "0.26", default-features = false, features = ["ring"] }
[dev-dependencies]
# The loopback integration test mints a CA + server/client certs to drive a real QUIC handshake.
aura-pki.workspace = true
tokio.workspace = true
Reference in New Issue View Git Blame Copy Permalink