stochastic-routing-extended 1.0.2

SRX (Stochastic Routing eXtended) — a next-generation VPN protocol with stochastic routing, DPI evasion, post-quantum cryptography, and multi-transport channel splitting
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370

//! QUIC transport with a default bidirectional stream plus optional additional
//! logical bidirectional streams on the same QUIC connection.

use std::net::SocketAddr;
use std::sync::Arc;

use async_trait::async_trait;
use bytes::Bytes;
use quinn::{ClientConfig, Connection, Endpoint, RecvStream, SendStream, ServerConfig};
use rustls::pki_types::{CertificateDer, PrivatePkcs8KeyDer};
use tokio::sync::Mutex;

use super::pinning::{CertPin, verify_peer_cert_pins};
use super::{Transport, TransportKind};
use crate::error::{SrxError, TransportError};
use crate::frame::{read_length_prefixed, write_length_prefixed};

/// One logical QUIC bidirectional stream carrying length-prefixed SRX payloads.
pub struct QuicStreamChannel {
    send: Arc<Mutex<Option<SendStream>>>,
    recv: Arc<Mutex<Option<RecvStream>>>,
}

impl QuicStreamChannel {
    fn from_bi(send: SendStream, recv: RecvStream) -> Self {
        Self {
            send: Arc::new(Mutex::new(Some(send))),
            recv: Arc::new(Mutex::new(Some(recv))),
        }
    }

    /// Send one length-prefixed payload on this stream.
    pub async fn send(&self, data: Bytes) -> crate::error::Result<()> {
        let mut g = self.send.lock().await;
        let s = g
            .as_mut()
            .ok_or(SrxError::Transport(TransportError::ChannelClosed))?;
        write_length_prefixed(s, &data).await
    }

    /// Receive one length-prefixed payload on this stream.
    pub async fn recv(&self) -> crate::error::Result<Bytes> {
        let mut g = self.recv.lock().await;
        let r = g
            .as_mut()
            .ok_or(SrxError::Transport(TransportError::ChannelClosed))?;
        let v = read_length_prefixed(r).await?;
        Ok(Bytes::from(v))
    }

    /// Check if both directions are still present.
    pub async fn is_healthy(&self) -> bool {
        self.send.lock().await.is_some() && self.recv.lock().await.is_some()
    }

    /// Close stream directions held by this channel.
    pub async fn close(&self) -> crate::error::Result<()> {
        let mut s = self.send.lock().await;
        if let Some(mut stream) = s.take() {
            let _ = stream.finish();
        }
        self.recv.lock().await.take();
        Ok(())
    }
}

/// QUIC transport using one default stream for [`Transport`] trait I/O,
/// while allowing additional logical streams on demand.
pub struct QuicTransport {
    conn: Arc<Connection>,
    default_stream: QuicStreamChannel,
}

impl QuicTransport {
    fn from_bi(conn: Connection, send: SendStream, recv: RecvStream) -> Self {
        Self {
            conn: Arc::new(conn),
            default_stream: QuicStreamChannel::from_bi(send, recv),
        }
    }

    /// Build a server [`ServerConfig`] and trust anchor (DER) for clients.
    pub fn server_config() -> crate::error::Result<(ServerConfig, CertificateDer<'static>)> {
        let cert = rcgen::generate_simple_self_signed(vec!["localhost".into()])
            .map_err(|e| SrxError::Transport(TransportError::ConnectionFailed(e.to_string())))?;
        let cert_der = CertificateDer::from(cert.cert);
        let key = PrivatePkcs8KeyDer::from(cert.signing_key.serialize_der());
        let server_config = ServerConfig::with_single_cert(vec![cert_der.clone()], key.into())
            .map_err(|e| SrxError::Transport(TransportError::ConnectionFailed(e.to_string())))?;
        Ok((server_config, cert_der))
    }

    /// Client [`ClientConfig`] trusting a single server certificate (e.g. from [`Self::server_config`]).
    pub fn client_config_trust_server(
        cert_der: &CertificateDer<'_>,
    ) -> crate::error::Result<ClientConfig> {
        let mut roots = rustls::RootCertStore::empty();
        roots
            .add(cert_der.clone())
            .map_err(|e| SrxError::Transport(TransportError::ConnectionFailed(e.to_string())))?;
        ClientConfig::with_root_certificates(Arc::new(roots))
            .map_err(|e| SrxError::Transport(TransportError::ConnectionFailed(e.to_string())))
    }

    /// Client [`ClientConfig`] with Mozilla webpki roots (public CAs).
    pub fn client_config_webpki() -> crate::error::Result<ClientConfig> {
        let mut roots = rustls::RootCertStore::empty();
        roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
        ClientConfig::with_root_certificates(Arc::new(roots))
            .map_err(|e| SrxError::Transport(TransportError::ConnectionFailed(e.to_string())))
    }

    /// Connect from `bind` to `server`, open one default bidirectional stream.
    pub async fn connect(
        bind: SocketAddr,
        server: SocketAddr,
        server_name: &str,
        server_cert_der: &CertificateDer<'_>,
    ) -> crate::error::Result<Self> {
        Self::connect_pinned(bind, server, server_name, server_cert_der, &[]).await
    }

    /// Same as [`Self::connect`], but additionally enforces certificate pinning.
    pub async fn connect_pinned(
        bind: SocketAddr,
        server: SocketAddr,
        server_name: &str,
        server_cert_der: &CertificateDer<'_>,
        pins: &[CertPin],
    ) -> crate::error::Result<Self> {
        let mut endpoint = Endpoint::client(bind)
            .map_err(|e| SrxError::Transport(TransportError::ConnectionFailed(e.to_string())))?;
        let cfg = Self::client_config_trust_server(server_cert_der)?;
        endpoint.set_default_client_config(cfg);
        let conn = endpoint
            .connect(server, server_name)
            .map_err(|e| SrxError::Transport(TransportError::ConnectionFailed(e.to_string())))?
            .await
            .map_err(|e| SrxError::Transport(TransportError::ConnectionFailed(e.to_string())))?;
        Self::verify_connection_pins(&conn, pins)?;
        let (send, recv) = conn
            .open_bi()
            .await
            .map_err(|e| SrxError::Transport(TransportError::ConnectionFailed(e.to_string())))?;
        Ok(Self::from_bi(conn, send, recv))
    }

    /// Server side: wait for the peer to open the default bidirectional stream.
    pub async fn accept_bi(conn: Connection) -> crate::error::Result<Self> {
        let (send, recv) = conn
            .accept_bi()
            .await
            .map_err(|e| SrxError::Transport(TransportError::ConnectionFailed(e.to_string())))?;
        Ok(Self::from_bi(conn, send, recv))
    }

    /// Open an additional logical bidirectional stream on this QUIC connection.
    pub async fn open_stream(&self) -> crate::error::Result<QuicStreamChannel> {
        let (send, recv) =
            self.conn.open_bi().await.map_err(|e| {
                SrxError::Transport(TransportError::ConnectionFailed(e.to_string()))
            })?;
        Ok(QuicStreamChannel::from_bi(send, recv))
    }

    /// Accept an inbound logical bidirectional stream opened by the peer.
    pub async fn accept_stream(&self) -> crate::error::Result<QuicStreamChannel> {
        let (send, recv) =
            self.conn.accept_bi().await.map_err(|e| {
                SrxError::Transport(TransportError::ConnectionFailed(e.to_string()))
            })?;
        Ok(QuicStreamChannel::from_bi(send, recv))
    }

    fn verify_connection_pins(conn: &Connection, pins: &[CertPin]) -> crate::error::Result<()> {
        if pins.is_empty() {
            return Ok(());
        }

        let identity = conn.peer_identity().ok_or_else(|| {
            SrxError::Transport(TransportError::ConnectionFailed(
                "missing QUIC peer identity for pin verification".into(),
            ))
        })?;
        let certs = identity
            .downcast::<Vec<CertificateDer<'static>>>()
            .map_err(|_| {
                SrxError::Transport(TransportError::ConnectionFailed(
                    "unexpected QUIC peer identity type for pin verification".into(),
                ))
            })?;
        verify_peer_cert_pins(Some(certs.as_slice()), pins)
    }
}

#[async_trait]
impl Transport for QuicTransport {
    fn kind(&self) -> TransportKind {
        TransportKind::Quic
    }

    async fn send(&self, data: Bytes) -> crate::error::Result<()> {
        self.default_stream.send(data).await
    }

    async fn recv(&self) -> crate::error::Result<Bytes> {
        self.default_stream.recv().await
    }

    async fn is_healthy(&self) -> bool {
        self.default_stream.is_healthy().await
    }

    async fn close(&self) -> crate::error::Result<()> {
        self.default_stream.close().await
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn client_config_webpki_builds() {
        assert!(QuicTransport::client_config_webpki().is_ok());
    }

    #[tokio::test]
    async fn quic_length_prefixed_roundtrip() {
        let (server_config, cert_der) = QuicTransport::server_config().unwrap();
        let listen = SocketAddr::from(([127, 0, 0, 1], 0));
        let endpoint = Endpoint::server(server_config, listen).unwrap();
        let server_addr = endpoint.local_addr().unwrap();

        let server = tokio::spawn(async move {
            let incoming = endpoint.accept().await.expect("accept");
            let conn = incoming.await.expect("conn");
            let t = QuicTransport::accept_bi(conn).await.expect("bi");
            let got = t.recv().await.expect("recv");
            assert_eq!(got.as_ref(), b"quic-ping");
            t.send(Bytes::from_static(b"quic-pong"))
                .await
                .expect("send");
            let _ = t.recv().await;
        });

        let client = QuicTransport::connect(
            SocketAddr::from(([127, 0, 0, 1], 0)),
            server_addr,
            "localhost",
            &cert_der,
        )
        .await
        .expect("client connect");

        client
            .send(Bytes::from_static(b"quic-ping"))
            .await
            .expect("send");
        let reply = client.recv().await.expect("recv");
        assert_eq!(reply.as_ref(), b"quic-pong");
        client.close().await.ok();

        server.await.unwrap();
    }

    #[tokio::test]
    async fn quic_pinned_rejects_wrong_pin() {
        let (server_config, cert_der) = QuicTransport::server_config().unwrap();
        let listen = SocketAddr::from(([127, 0, 0, 1], 0));
        let endpoint = Endpoint::server(server_config, listen).unwrap();
        let server_addr = endpoint.local_addr().unwrap();
        let wrong_pin = [0x33u8; 32];

        let server = tokio::spawn(async move {
            let incoming = endpoint.accept().await.expect("accept");
            let _ = incoming.await;
        });

        let res = QuicTransport::connect_pinned(
            SocketAddr::from(([127, 0, 0, 1], 0)),
            server_addr,
            "localhost",
            &cert_der,
            &[wrong_pin],
        )
        .await;
        assert!(res.is_err(), "expected pin mismatch");

        server.abort();
    }

    #[tokio::test]
    async fn quic_multi_stream_roundtrip() {
        let (server_config, cert_der) = QuicTransport::server_config().unwrap();
        let endpoint =
            Endpoint::server(server_config, SocketAddr::from(([127, 0, 0, 1], 0))).unwrap();
        let server_addr = endpoint.local_addr().unwrap();

        let server = tokio::spawn(async move {
            let incoming = endpoint.accept().await.expect("accept");
            let conn = incoming.await.expect("conn");
            let server_t = QuicTransport::accept_bi(conn)
                .await
                .expect("default stream");

            let got = server_t.recv().await.expect("default recv");
            assert_eq!(got.as_ref(), b"default-ping");
            server_t
                .send(Bytes::from_static(b"default-pong"))
                .await
                .expect("default send");

            let s1 = server_t.accept_stream().await.expect("accept stream1");
            let got1 = s1.recv().await.expect("recv stream1");
            assert_eq!(got1.as_ref(), b"stream-1");
            s1.send(Bytes::from_static(b"ack-1"))
                .await
                .expect("send stream1");

            let s2 = server_t.accept_stream().await.expect("accept stream2");
            let got2 = s2.recv().await.expect("recv stream2");
            assert_eq!(got2.as_ref(), b"stream-2");
            s2.send(Bytes::from_static(b"ack-2"))
                .await
                .expect("send stream2");

            // Keep connection alive until client confirms it received all acks.
            let done = server_t.recv().await.expect("done recv");
            assert_eq!(done.as_ref(), b"done");
        });

        let client_t = QuicTransport::connect(
            SocketAddr::from(([127, 0, 0, 1], 0)),
            server_addr,
            "localhost",
            &cert_der,
        )
        .await
        .expect("client connect");

        client_t
            .send(Bytes::from_static(b"default-ping"))
            .await
            .expect("default send");
        let default_reply = client_t.recv().await.expect("default recv");
        assert_eq!(default_reply.as_ref(), b"default-pong");

        let c1 = client_t.open_stream().await.expect("open stream1");
        c1.send(Bytes::from_static(b"stream-1"))
            .await
            .expect("send stream1");
        let ack1 = c1.recv().await.expect("recv stream1");
        assert_eq!(ack1.as_ref(), b"ack-1");

        let c2 = client_t.open_stream().await.expect("open stream2");
        c2.send(Bytes::from_static(b"stream-2"))
            .await
            .expect("send stream2");
        let ack2 = c2.recv().await.expect("recv stream2");
        assert_eq!(ack2.as_ref(), b"ack-2");

        client_t
            .send(Bytes::from_static(b"done"))
            .await
            .expect("done send");

        server.await.unwrap();
    }
}