Enhance TLS Emulator with ALPN Support and Add Adversarial Tests

- Modified `build_emulated_server_hello` to accept ALPN (Application-Layer Protocol Negotiation) as an optional parameter, allowing for the embedding of ALPN markers in the application data payload. - Implemented logic to handle oversized ALPN values and ensure they do not interfere with the application data payload. - Added new security tests in `emulator_security_tests.rs` to validate the behavior of the ALPN embedding, including scenarios for oversized ALPN and preference for certificate payloads over ALPN markers. - Introduced `send_adversarial_tests.rs` to cover edge cases and potential issues in the middle proxy's send functionality, ensuring robustness against various failure modes. - Updated `middle_proxy` module to include new test modules and ensure proper handling of writer commands during data transmission.
2026-04-26 06:54:09 +03:00 · 2026-03-18 17:04:50 +04:00
parent 97d4a1c5c8
commit 20e205189c
20 changed files with 2935 additions and 113 deletions
--- a/src/proxy/handshake.rs
+++ b/src/proxy/handshake.rs
@@ -241,7 +241,26 @@ fn auth_probe_record_failure_with_state(
            rounds += 1;
            if rounds > 8 {
                auth_probe_note_saturation(now);
-                return;
+                let mut eviction_candidate: Option<(IpAddr, u32, Instant)> = None;
+                for entry in state.iter().take(AUTH_PROBE_PRUNE_SCAN_LIMIT) {
+                    let key = *entry.key();
+                    let fail_streak = entry.value().fail_streak;
+                    let last_seen = entry.value().last_seen;
+                    match eviction_candidate {
+                        Some((_, current_fail, current_seen))
+                            if fail_streak > current_fail
+                                || (fail_streak == current_fail && last_seen >= current_seen) =>
+                        {
+                        }
+                        _ => eviction_candidate = Some((key, fail_streak, last_seen)),
+                    }
+                }
+
+                let Some((evict_key, _, _)) = eviction_candidate else {
+                    return;
+                };
+                state.remove(&evict_key);
+                break;
            }

            let mut stale_keys = Vec::new();
@@ -518,6 +537,7 @@ pub struct HandshakeSuccess {
    /// Client address
    pub peer: SocketAddr,
    /// Whether TLS was used
+    
    pub is_tls: bool,
 }

@@ -716,7 +736,11 @@ where
    R: AsyncRead + Unpin + Send,
    W: AsyncWrite + Unpin + Send,
 {
-    trace!(peer = %peer, handshake = ?hex::encode(handshake), "MTProto handshake bytes");
+    trace!(
+        peer = %peer,
+        handshake_head = %hex::encode(&handshake[..8]),
+        "MTProto handshake prefix"
+    );

    let throttle_now = Instant::now();
    if auth_probe_should_apply_preauth_throttle(peer.ip(), throttle_now) {
@@ -916,6 +940,7 @@ pub fn encrypt_tg_nonce_with_ciphers(nonce: &[u8; HANDSHAKE_LEN]) -> (Vec<u8>, A
 }

 /// Encrypt nonce for sending to Telegram (legacy function for compatibility)
+
 pub fn encrypt_tg_nonce(nonce: &[u8; HANDSHAKE_LEN]) -> Vec<u8> {
    let (encrypted, _, _) = encrypt_tg_nonce_with_ciphers(nonce);
    encrypted