v0.6.0
Highlighted Features
- AQC (Aranya QUIC Channels) - end-to-end encrypted communication channels. Data is sent via the QUIC transport using pre-shared rustls keys (PSKs). AQC is more secure than AFC which used the TCP transport.
- Aranya client <-> daemon IPC encryption.
- AFC (Aranya Fast Channels) has been removed and replaced by AQC.
Getting Started With AQC
We recommend that you run the Rust and C examples to get an idea of how to use the AQC APIs:
https://aranya-project.github.io/getting-started
https://github.com/aranya-project/aranya/tree/main/examples/c
https://github.com/aranya-project/aranya/tree/main/examples/rust
Note: we are actively working on adding documentation on how to use AQC to our documentation website. Please check back soon for more documentation on AQC:
https://aranya-project.github.io/
What We're Excited About With This Release
While AFC was already end-to-end encrypted with assurances provided by the Aranya graph, AQC provides an additional layer of security. All communications via QUIC channels are secured by TLS via the rustls library. We created our own fork of rustls to add support for using pre-shared keys (PSKs) instead of certificates. This allows us to use keys securely generated by the Aranya graph to secure TLS communications.
We're hoping this feature will eventually be upstreamed into rustls. There's an open issue for adding PSK support to rustls that we are actively contributing to:
rustls/rustls#174
rustls/rustls#2424
Coming Soon
- Cryptographically secure IDs for labels and roles to improve security.
- Custom roles that can be defined at runtime rather than hard-coded in the policy.
- Syncing over QUIC transport instead of TCP.
- Fact database prefix query deletion.
- Aranya graph command finalization.
What's Changed
- Bump aranya crate versions for release 0.6.0.
- aqc: initial implementation by @benz-spideroak in #214
- aqc: C API by @nikki-aranya #245
- aqc: finalize policy by @gknopf-aranya in #191
- aqc: pair PSKs with cipher suites by @elagergren-spideroak in #260
- aqc: rm peer from psk return by @gknopf-aranya in #255
- aqc: policy interface and scaffolding by @gknopf-aranya in #145
- aqc: additional tests by @djohnson-spideroak in #271
- aqc: return
PeerStreamfromtry_receive_streamand addsplitmethod. by @jdygert-spok in #272 - aqc: use rustls psk forks by @jdygert-spok in #273
- aqc: use let for large aqc effects by @gknopf-aranya in #196
- security: encrypt IPC data between client and daemon by @elagergren-spideroak in #202
- afc: remove AFC by @nikki-aranya in #223
- c-api: key bundle serialization by @gknopf-aranya in #203
- rust example: 101/create rust example app in example dir by @smckeon-so in #129
- rust example: Fix Tokio Vulnerability by @nikki-aranya in #246
- docs: keygen rustdocs by @djohnson-spideroak in #158
- docs: aranya-util rustdocs by @djohnson-spideroak in #201
aranya-clientAPI refactoring by @nikki-aranya in #114- naming: user -> device by @gknopf-aranya in #103
- mvp: factdb queries by @gknopf-aranya in #124
- mvp: sync now by @gknopf-aranya in #111
- aranya-client-capi: access to bytes in ids by @ssweetney-spok in #183
- (C API) Restrict field visibility. Safe wrappers by @ssweetney-spok in #206
- client: Refactor Tests by @nikki-aranya in #210
- daemon: split peer maps by graph by @jdygert-spok in #200
- Refactor
load_or_gen_key_wrap_keyby @jdygert-spok in #197 - client: add config to create_team, add_team by @djohnson-spideroak in #113
- C API: opaque and repr(c) cleanup by @ssweetney-spok in #215
Maintenance
- chore: update to Rust 1.85 by @jdygert-spok in #265
Bugfixes
- bugfix: ci: sccache patch by @gknopf-aranya in #170
- bugfix: Persist Net Identifiers Across Daemon Reboots by @nikki-aranya in #171
- chore: bump tokio for security fix by @jdygert-spok in #176
- ci: bump sccache by @jdygert-spok in #216
- ci: fix sync now test flake by @gknopf-aranya in #237
New Contributors
- @ssweetney-spok made their first contribution in #183
- @benz-spideroak made their first contribution in #214
Full Changelog: v0.5.1...v0.6.0
