codive-tunnel 0.1.0

Shared types and cryptography for secure tunneling
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253

# Codive Tunnel - Secure Tunneling Protocol Library

A Rust library providing end-to-end encrypted tunneling protocol types, cryptographic primitives, and wire format encoding for secure Codive communication.

## Overview

This crate is the shared foundation for the Codive tunneling system:

- **codive-relay** uses it for protocol parsing and message routing
- **codive-cli** uses it for encryption/decryption and tunnel client logic

## Features

### Cryptography
- **XChaCha20-Poly1305**: AEAD encryption with 256-bit keys
- **Random Nonces**: 24-byte nonces generated per message (no reuse risk)
- **Secure Key Handling**: `Zeroize` trait implementation for memory safety
- **URL-Safe Key Encoding**: Base64url encoding for key sharing via URL fragments

### Protocol
- **Control Messages**: Hello, Welcome, Ping, Pong, Close, Error
- **Data Messages**: HttpRequest, HttpResponse, HttpResponseChunk, RequestError
- **Wire Format**: Efficient binary encoding with message type headers
- **Routing Headers**: Request ID routing for encrypted responses

## Usage

Add to your `Cargo.toml`:
```toml
[dependencies]
codive-tunnel = { path = "../codive-tunnel" }
```

### Key Generation and Encryption

```rust
use codive_tunnel::{TunnelKey, TunnelCrypto};

// Generate a new encryption key
let key = TunnelKey::generate();

// Share via URL fragment (never sent to server)
let url = format!("https://tunnel.example.com#E2EKey={}", key.to_base64());

// Create crypto instance
let crypto = TunnelCrypto::new(&key);

// Encrypt data
let plaintext = b"Hello, World!";
let ciphertext = crypto.encrypt(plaintext)?;

// Decrypt data
let decrypted = crypto.decrypt(&ciphertext)?;
assert_eq!(plaintext.as_slice(), decrypted.as_slice());
```

### Protocol Messages

```rust
use codive_tunnel::{ControlMessage, DataMessage, WireMessage, PROTOCOL_VERSION};

// Create a Hello message
let hello = ControlMessage::Hello {
    version: PROTOCOL_VERSION,
    requested_id: Some("my-tunnel".to_string()),
    auth_token: Some("secret".to_string()),
};

// Encode for transmission
let encoded = WireMessage::encode_control(&hello)?;

// Decode received message
let decoded = WireMessage::decode_control(&encoded)?;
```

### HTTP Request/Response

```rust
use codive_tunnel::DataMessage;
use std::collections::HashMap;

// Create an HTTP request
let request = DataMessage::HttpRequest {
    request_id: "req-123".to_string(),
    method: "GET".to_string(),
    path: "/api/status".to_string(),
    headers: HashMap::new(),
    body: None,
};

// Serialize to JSON
let json = serde_json::to_vec(&request)?;

// Create a response
let response = DataMessage::HttpResponse {
    request_id: "req-123".to_string(),
    status: 200,
    headers: [("Content-Type".to_string(), "application/json".to_string())]
        .into_iter().collect(),
    body: Some(base64::encode(b"{\"status\":\"ok\"}")),
    streaming: false,
};
```

### Wire Message Format

```rust
use codive_tunnel::{WireMessage, message_type};

// Encode encrypted data with routing header
let wire_msg = WireMessage::encode_encrypted_with_routing(
    message_type::ENCRYPTED_RESPONSE,
    "request-id-123",
    encrypted_payload,
);

// Decode with routing header
let (msg_type, request_id, payload) =
    WireMessage::decode_encrypted_with_routing(&wire_msg)?;
```

## API Reference

### Types

| Type | Description |
|------|-------------|
| `TunnelKey` | 256-bit encryption key with Zeroize |
| `TunnelCrypto` | XChaCha20-Poly1305 encrypt/decrypt |
| `ControlMessage` | Protocol control messages (Hello, Welcome, etc.) |
| `DataMessage` | Data messages (HttpRequest, HttpResponse, etc.) |
| `WireMessage` | Binary wire format encoding/decoding |

### Control Messages

| Message | Direction | Purpose |
|---------|-----------|---------|
| `Hello` | Agent → Relay | Initial handshake with auth |
| `Welcome` | Relay → Agent | Tunnel ID and URL assignment |
| `Ping` | Both | Keep-alive request |
| `Pong` | Both | Keep-alive response |
| `Close` | Both | Graceful disconnect |
| `Error` | Relay → Agent | Error notification |
| `ClientConnected` | Relay → Agent | Client connected to tunnel |
| `ClientDisconnected` | Relay → Agent | Client disconnected |

### Data Messages

| Message | Direction | Purpose |
|---------|-----------|---------|
| `HttpRequest` | Relay → Agent | Incoming HTTP request |
| `HttpResponse` | Agent → Relay | HTTP response |
| `HttpResponseChunk` | Agent → Relay | Streaming response chunk |
| `RequestError` | Agent → Relay | Request processing error |

### Message Type Constants

```rust
pub mod message_type {
    pub const CONTROL: u8 = 0x00;
    pub const ENCRYPTED_REQUEST: u8 = 0x01;
    pub const ENCRYPTED_RESPONSE: u8 = 0x02;
    pub const ENCRYPTED_CHUNK: u8 = 0x03;
}
```

## Wire Protocol

### Binary Format

```
Control Messages:
┌─────────┬─────────────────────┐
│ 0x00    │ JSON payload        │
└─────────┴─────────────────────┘

Encrypted Messages:
┌─────────┬─────────────────────┐
│ type    │ encrypted payload   │
└─────────┴─────────────────────┘

Encrypted with Routing Header:
┌─────────┬─────────┬───────────────┬─────────────────────┐
│ type    │ id_len  │ request_id    │ encrypted payload   │
└─────────┴─────────┴───────────────┴─────────────────────┘
```

### Encryption Format

```
Ciphertext:
┌─────────────────────┬─────────────────────┬─────────────────────┐
│ nonce (24 bytes)    │ ciphertext          │ auth tag (16 bytes) │
└─────────────────────┴─────────────────────┴─────────────────────┘
```

## Security Considerations

### Key Exchange
- Keys are shared via URL fragment (`#E2EKey=...`)
- Fragments are never sent to the server in HTTP requests
- Keys should be rotated periodically for long-lived tunnels

### Memory Safety
- `TunnelKey` implements `Zeroize` and `ZeroizeOnDrop`
- Key material is cleared from memory when dropped
- No key logging in debug output (`Debug` shows `[REDACTED]`)

### Nonce Safety
- 24-byte random nonces (XChaCha20)
- Extremely low collision probability (2^-96)
- No nonce counter needed

## Testing

```bash
# Run all tests
cargo test -p codive-tunnel

# Run with output
cargo test -p codive-tunnel -- --nocapture

# Run specific test
cargo test -p codive-tunnel test_encrypt_decrypt
```

Test coverage: **62 tests**
- Crypto tests: Key generation, encryption, decryption, tampering detection
- Protocol tests: Message serialization, wire encoding
- Integration tests: Full E2E flows, streaming, error handling

## Dependencies

- `chacha20poly1305` - AEAD encryption
- `zeroize` - Secure memory clearing
- `rand` - Cryptographic RNG
- `base64` - URL-safe encoding
- `serde` / `serde_json` - Serialization

## Contributing

See the [codive-relay README](../codive-relay/README.md) for contribution guidelines.

### Adding New Message Types

1. Add variant to `ControlMessage` or `DataMessage` in `protocol.rs`
2. Update `serde` attributes if needed
3. Add tests for serialization roundtrip
4. Update wire format handling if binary encoding changes

## License

MIT License - see LICENSE file for details.