35d94dee33
Server now pushes its signed CRL to each connecting client right after the
handshake; the client verifies the signature against the CA and applies the
revocation list to its verifier (and caches it on disk for restarts).
Removes the v1 "CRL distributed out-of-band" honest limitation.
Wire (multiplexed over existing PacketConnection, no trait change):
control envelope = MAGIC[4]=[0xAA,0xAA,0xC0,0x01] || kind(u8) || u32_be(len)
|| payload. IPv4/IPv6 start with 0x4X/0x6X, so 0xAA cannot collide; an old
peer just drops it as a junk packet in the TUN — back-compat preserved.
- aura-proto: ControlKind { CrlPush, CrlAck, Unknown },
encode/decode_control_envelope, CONTROL_ENVELOPE_MAGIC; 7 frame tests.
- aura-pki: CrlStore::{encode_signed, save_signed, decode_signed_verified,
load_signed_verified} — ECDSA-P256/SHA-256 from the CA private key against
a textual "CRL-Aura-v1" body + --SIGNATURE--; 7 signing tests. ring 0.17
added crate-local (already in lockfile via rustls-webpki).
- aura-cli: crl_push module — server pushes via conn.send_packet on accept;
client wraps the Arc<dyn PacketConnection> in AcceptPushedCrlConn which
sniffs the magic in recv_packet, verifies the signature, updates the
AuraCertVerifier, caches to disk. PkiSection gets ca_key, crl_push (default
true), accept_pushed_crl (default true).
- 5 in_band_crl integration tests via mock PacketConnection.
Workspace: 235 tests passed (+28), clippy -D warnings clean, fmt clean. v2
COMPLETE — all 9 honest v1 limitations resolved (except sing-box, per user).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
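# Manifest for the aura-cli crate: one library target plus the `aura` binary.
# The stray "|" gutter lines from the rendered listing are removed here; they are not valid TOML.
[package]
name = "aura-cli"
version.workspace = true
edition.workspace = true
license.workspace = true
description = "Aura CLI: client/server binary, PKI management, split-tunnel admin"

[lib]
name = "aura_cli"
path = "src/lib.rs"

[[bin]]
name = "aura"
path = "src/main.rs"

[dependencies]
aura-crypto.workspace = true
aura-pki.workspace = true
aura-proto.workspace = true
aura-transport.workspace = true
aura-tunnel.workspace = true
clap.workspace = true
tokio.workspace = true
toml.workspace = true
serde.workspace = true
# Admin IPC line protocol (JSON requests/responses over the Unix socket).
# NOTE(review): the only entry in this table that is not inherited from the workspace; "1" is a
# caret requirement, so the exact version is fixed only by Cargo.lock.
# NOTE(review): access control on that socket (path permissions, peer credentials) is not visible
# from this manifest; confirm it in the IPC code.
serde_json = "1"
# Parse CIDR rules from the split-tunnel config and the `route` admin commands.
ipnetwork.workspace = true
tracing.workspace = true
tracing-subscriber.workspace = true
anyhow.workspace = true
uuid.workspace = true
# The v2 client-side CRL-push interceptor implements `PacketConnection` on a wrapper struct;
# the trait uses async-trait in `aura-proto`, so an impl block here needs it too.
# NOTE(review): the wrapper inspects every received packet for the control-envelope magic; confirm
# it bounds the declared payload length and refuses a correctly signed but older CRL (rollback).
async-trait.workspace = true

# Unix-only: nix is used by the privilege-drop helper (`privdrop::drop_to_user`) to look up
# the target user via getpwnam and drop the real/effective/saved uid+gid after binding
# privileged sockets / creating the TUN. Linux uses setresuid/setresgid; macOS uses
# setgid/setuid (no setresuid in the BSD ABI). The "user" feature gates the User::from_name
# helper. No nix on Windows (privilege drop is a no-op there; see privdrop.rs).
# `default-features = false` limits the enabled nix surface to the "user" feature.
# NOTE(review): confirm privdrop also clears supplementary groups, changes gid before uid, and
# checks afterwards that the drop cannot be reversed; none of that is visible from this manifest.
[target.'cfg(unix)'.dependencies]
nix = { version = "0.29", default-features = false, features = ["user"] }

[dev-dependencies]
tokio.workspace = true
# Loopback + PKI-roundtrip tests build certificate chains for the verifier.
rustls-pki-types.workspace = true
x509-parser.workspace = true
# Per-client routing tests implement PacketIo / PacketConnection traits on in-memory mocks.
# tokio and async-trait are also regular dependencies above, so while the specs match these two
# dev entries add nothing; they are kept as the author wrote them.
async-trait.workspace = true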