From 1edd63bfb13eed13bcd2f070810896a80add4a51 Mon Sep 17 00:00:00 2001
From: Alexey <247128645+axkurcom@users.noreply.github.com>
Date: Thu, 11 Jun 2026 16:36:33 +0300
Subject: [PATCH] Rustfmt + Bump
---
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 src/protocol/tests/tls_security_tests.rs | 23 +++++----------
 src/protocol/tls.rs | 15 +++++------
 src/proxy/handshake.rs | 11 ++++----
 src/tls_front/emulator.rs | 6 ++---
 src/tls_front/fetcher.rs | 34 ++++++++++++------------
 src/tls_front/types.rs | 12 ++++++---
 8 files changed, 50 insertions(+), 55 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index f892e96..7ec5f97 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2938,7 +2938,7 @@ checksum = "7b2093cf4c8eb1e67749a6762251bc9cd836b6fc171623bd0a9d324d37af2417"
 [[package]]
 name = "telemt"
-version = "3.4.15"
+version = "3.4.16"
 dependencies = [
 "aes",
 "anyhow",
diff --git a/Cargo.toml b/Cargo.toml
index c3ba7ec..1d09431 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "3.4.15"
+version = "3.4.16"
 edition = "2024"
 [features]
diff --git a/src/protocol/tests/tls_security_tests.rs b/src/protocol/tests/tls_security_tests.rs
index da9679a..834837d 100644
--- a/src/protocol/tests/tls_security_tests.rs
+++ b/src/protocol/tests/tls_security_tests.rs
@@ -1849,10 +1849,7 @@ fn select_server_hello_cipher_suite_ignores_profile_tls12_cipher() {
 #[test]
 fn select_server_hello_cipher_suite_rejects_without_offered_tls13_suite() {
 let ch = build_client_hello_with_ciphers_and_exts(&[[0xc0, 0x2f]], Vec::new(), "example.com");
- assert_eq!(
- select_server_hello_cipher_suite(&ch, [0x13, 0x01]),
- None
- );
+ assert_eq!(select_server_hello_cipher_suite(&ch, [0x13, 0x01]), None);
 }
 #[test]
@@ -1869,10 +1866,7 @@ fn select_server_hello_cipher_suite_rejects_malformed_clienthello() {
 let mut ch =
 build_client_hello_with_ciphers_and_exts(&[[0x13, 0x03]], Vec::new(), "example.com");
 ch.truncate(12);
- assert_eq!(
- select_server_hello_cipher_suite(&ch, [0x13, 0x01]),
- None
- );
+ assert_eq!(select_server_hello_cipher_suite(&ch, [0x13, 0x01]), None);
 }
 #[test]
@@ -1974,9 +1968,8 @@ fn build_server_hello_key_share_prefers_profiled_x25519() {
 let ch = build_client_hello_with_exts(vec![(0x0033, key_share)], "example.com");
 let rng = crate::crypto::SecureRandom::new();
- let server_key_share =
- build_server_hello_key_share(&ch, Some(TLS_NAMED_GROUP_X25519), &rng)
- .expect("profiled X25519 share must be selected when client offers it");
+ let server_key_share = build_server_hello_key_share(&ch, Some(TLS_NAMED_GROUP_X25519), &rng)
+ .expect("profiled X25519 share must be selected when client offers it");
 assert_eq!(server_key_share.group(), TLS_NAMED_GROUP_X25519);
 assert_eq!(server_key_share.key_exchange().len(), X25519_KEY_SHARE_LEN);
@@ -1991,9 +1984,8 @@ fn build_server_hello_key_share_falls_back_from_bad_profiled_x25519_to_hybrid()
 let ch = build_client_hello_with_exts(vec![(0x0033, key_share)], "example.com");
 let rng = crate::crypto::SecureRandom::new();
- let server_key_share =
- build_server_hello_key_share(&ch, Some(TLS_NAMED_GROUP_X25519), &rng)
- .expect("hybrid share must be selected when profiled X25519 is unavailable");
+ let server_key_share = build_server_hello_key_share(&ch, Some(TLS_NAMED_GROUP_X25519), &rng)
+ .expect("hybrid share must be selected when profiled X25519 is unavailable");
 assert_eq!(server_key_share.group(), TLS_NAMED_GROUP_X25519MLKEM768);
 assert_eq!(
@@ -2032,8 +2024,7 @@ fn build_x25519mlkem768_server_key_share_rejects_all_zero_x25519_share() {
 #[test]
 fn select_server_hello_key_share_group_accepts_x25519_when_hybrid_is_absent() {
- let key_share =
- client_key_share_extension(&[(TLS_NAMED_GROUP_X25519, X25519_KEY_SHARE_LEN)]);
+ let key_share = client_key_share_extension(&[(TLS_NAMED_GROUP_X25519, X25519_KEY_SHARE_LEN)]);
 let ch = build_client_hello_with_exts(vec![(0x0033, key_share)], "example.com");
 assert_eq!(
diff --git a/src/protocol/tls.rs b/src/protocol/tls.rs
index c19d8be..5119805 100644
--- a/src/protocol/tls.rs
+++ b/src/protocol/tls.rs
@@ -63,9 +63,9 @@
 use super::constants::*;
 use crate::crypto::{SecureRandom, sha256_hmac};
-use ml_kem::{B32, EncapsulationKey as MlKemEncapsulationKey, Key as MlKemKey, MlKem768};
 #[cfg(test)]
 use crate::error::ProxyError;
+use ml_kem::{B32, EncapsulationKey as MlKemEncapsulationKey, Key as MlKemKey, MlKem768};
 use std::time::{SystemTime, UNIX_EPOCH};
 use subtle::ConstantTimeEq;
 use x25519_dalek::{X25519_BASEPOINT_BYTES, x25519};
@@ -617,8 +617,11 @@ pub(crate) fn build_x25519_server_key_share(
 handshake: &[u8],
 rng: &SecureRandom,
 ) -> Option> {
- let client_key_exchange =
- client_hello_key_share_group_entry(handshake, TLS_NAMED_GROUP_X25519, X25519_KEY_SHARE_LEN)?;
+ let client_key_exchange = client_hello_key_share_group_entry(
+ handshake,
+ TLS_NAMED_GROUP_X25519,
+ X25519_KEY_SHARE_LEN,
+ )?;
 let mut client_x25519 = [0u8; X25519_KEY_SHARE_LEN];
 client_x25519.copy_from_slice(client_key_exchange);
 let (server_x25519_scalar, server_x25519_key) = gen_x25519_key_pair(rng);
@@ -1271,11 +1274,7 @@ fn key_share_extension_group_entry<'a>(
 pos = key_exchange_end;
 }
- if pos == shares_end {
- found_group
- } else {
- None
- }
+ if pos == shares_end { found_group } else { None }
 }
 fn client_hello_key_share_group_entry<'a>(
diff --git a/src/proxy/handshake.rs b/src/proxy/handshake.rs
index 40d465d..084fadc 100644
--- a/src/proxy/handshake.rs
+++ b/src/proxy/handshake.rs
@@ -1527,11 +1527,12 @@ where
 && matches!(client_tls_version, tls::ClientHelloTlsVersion::Tls12)
 {
 if let Some(cache) = tls_cache.as_ref() {
- cache.take_full_cert_budget_for_ip(
- peer.ip(),
- Duration::from_secs(config.censorship.tls_full_cert_ttl_secs),
- )
- .await
+ cache
+ .take_full_cert_budget_for_ip(
+ peer.ip(),
+ Duration::from_secs(config.censorship.tls_full_cert_ttl_secs),
+ )
+ .await
 } else {
 true
 }
diff --git a/src/tls_front/emulator.rs b/src/tls_front/emulator.rs
index 9a5ee49..9e39bef 100644
--- a/src/tls_front/emulator.rs
+++ b/src/tls_front/emulator.rs
@@ -57,9 +57,9 @@ fn should_replay_profiled_server_hello_shape(cached: &CachedTlsData) -> bool {
 matches!(
 cached.behavior_profile.source,
 TlsProfileSource::Raw | TlsProfileSource::Merged
- ) && cached.server_hello_template.is_replay_safe_tls13_shape(
- effective_profiled_server_hello_record_len(cached),
- )
+ ) && cached
+ .server_hello_template
+ .is_replay_safe_tls13_shape(effective_profiled_server_hello_record_len(cached))
 }
 /// Return the origin-profiled ServerHello key_share group when it is replay-safe.
diff --git a/src/tls_front/fetcher.rs b/src/tls_front/fetcher.rs
index 00e943e..8c3cb6c 100644
--- a/src/tls_front/fetcher.rs
+++ b/src/tls_front/fetcher.rs
@@ -9,9 +9,7 @@ use std::sync::atomic::{AtomicU64, Ordering};
 use std::time::{Duration, Instant};
 use anyhow::{Result, anyhow};
-use ml_kem::{
- DecapsulationKey as MlKemDecapsulationKey, KeyExport, MlKem768, Seed as MlKemSeed,
-};
+use ml_kem::{DecapsulationKey as MlKemDecapsulationKey, KeyExport, MlKem768, Seed as MlKemSeed};
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
 use tokio::net::TcpStream;
 #[cfg(unix)]
@@ -514,13 +512,11 @@ fn gen_x25519mlkem768_client_key_share(
 deterministic: bool,
 seed: &str,
 ) -> Option> {
- let mlkem_key = gen_mlkem768_client_encapsulation_key(
- rng,
- deterministic,
- &format!("{seed}:mlkem768"),
- )?;
+ let mlkem_key =
+ gen_mlkem768_client_encapsulation_key(rng, deterministic, &format!("{seed}:mlkem768"))?;
 let x25519_key = gen_key_share(rng, deterministic, &format!("{seed}:x25519"));
- let mut key_share = Vec::with_capacity(MLKEM768_CLIENT_ENCAPSULATION_KEY_LEN + x25519_key.len());
+ let mut key_share =
+ Vec::with_capacity(MLKEM768_CLIENT_ENCAPSULATION_KEY_LEN + x25519_key.len());
 key_share.extend_from_slice(&mlkem_key);
 key_share.extend_from_slice(&x25519_key);
 Some(key_share)
@@ -661,8 +657,7 @@ fn build_client_hello(
 profile,
 TlsFetchProfile::ModernChromeLike | TlsFetchProfile::ModernFirefoxLike
 ) {
- if let Some(key) =
- gen_x25519mlkem768_client_key_share(rng, deterministic, &key_share_seed)
+ if let Some(key) = gen_x25519mlkem768_client_key_share(rng, deterministic, &key_share_seed)
 {
 push_client_key_share_entry(&mut keyshare, TLS_NAMED_GROUP_X25519MLKEM768, &key);
 }
@@ -1531,10 +1526,9 @@ mod tests {
 use super::{
 MLKEM768_CLIENT_ENCAPSULATION_KEY_LEN, ProfileCacheValue, TLS_NAMED_GROUP_X25519,
- TLS_NAMED_GROUP_X25519MLKEM768, TlsFetchStrategy, X25519_KEY_SHARE_LEN,
- build_client_hello, build_tls_fetch_proxy_header, derive_behavior_profile,
- encode_tls13_certificate_message, fetch_via_rustls_stream, order_profiles, profile_alpn,
- profile_cache, profile_cache_key,
+ TLS_NAMED_GROUP_X25519MLKEM768, TlsFetchStrategy, X25519_KEY_SHARE_LEN, build_client_hello,
+ build_tls_fetch_proxy_header, derive_behavior_profile, encode_tls13_certificate_message,
+ fetch_via_rustls_stream, order_profiles, profile_alpn, profile_cache, profile_cache_key,
 };
 use crate::config::TlsFetchProfile;
 use crate::crypto::SecureRandom;
@@ -1886,8 +1880,14 @@ mod tests {
 u16::from_be_bytes([key_share_data[pos + 2], key_share_data[pos + 3]]) as usize;
 pos += 4;
 let key = &key_share_data[pos..pos + key_len];
- assert_eq!(group, TLS_NAMED_GROUP_X25519, "second key_share group must be x25519");
- assert_eq!(key_len, X25519_KEY_SHARE_LEN, "x25519 key length must be 32");
+ assert_eq!(
+ group, TLS_NAMED_GROUP_X25519,
+ "second key_share group must be x25519"
+ );
+ assert_eq!(
+ key_len, X25519_KEY_SHARE_LEN,
+ "x25519 key length must be 32"
+ );
 assert!(
 key.iter().any(|b| *b != 0),
 "x25519 key must not be all zero"
diff --git a/src/tls_front/types.rs b/src/tls_front/types.rs
index e03a2ba..e1ef0a7 100644
--- a/src/tls_front/types.rs
+++ b/src/tls_front/types.rs
@@ -217,7 +217,10 @@ impl TlsBehaviorProfile {
 /// Refresh cached visible ServerHello summary fields and quality.
 pub(crate) fn refresh_server_hello_summary(&mut self, server_hello: &ParsedServerHello) {
 let mut has_replay_safe_server_hello = false;
- if matches!(self.source, TlsProfileSource::Raw | TlsProfileSource::Merged) {
+ if matches!(
+ self.source,
+ TlsProfileSource::Raw | TlsProfileSource::Merged
+ ) {
 if self.server_hello_record_len == 0 {
 self.server_hello_record_len = server_hello.record_body_len();
 }
@@ -236,9 +239,10 @@ impl TlsBehaviorProfile {
 /// Recompute the profile quality from current source and record-size evidence.
 fn refresh_quality(&mut self, has_replay_safe_server_hello: bool) {
- let has_raw_server_hello =
- matches!(self.source, TlsProfileSource::Raw | TlsProfileSource::Merged)
- && has_replay_safe_server_hello;
+ let has_raw_server_hello = matches!(
+ self.source,
+ TlsProfileSource::Raw | TlsProfileSource::Merged
+ ) && has_replay_safe_server_hello;
 self.quality = if has_raw_server_hello && !self.app_data_record_sizes.is_empty() {
 TlsProfileQuality::RawStrict
 } else if has_raw_server_hello {