security: harden handshake/masking flows and add adversarial regressions

- forward valid-TLS/invalid-MTProto clients to mask backend in both client paths\n- harden TLS validation against timing and clock edge cases\n- move replay tracking behind successful authentication to avoid cache pollution\n- tighten secret decoding and key-material handling paths\n- add dedicated security test modules for tls/client/handshake/masking\n- include production-path regression for ClientHandler fallback behavior
2026-04-17 18:44:10 +03:00 · 2026-03-16 20:04:41 +04:00
parent dcab19a64f
commit 6ffbc51fb0
11 changed files with 2669 additions and 502 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -23,6 +23,7 @@ crc32fast = "1.4"
 crc32c = "0.6"
 zeroize = { version = "1.8", features = ["derive"] }
 subtle = "2.6"
+static_assertions = "1.1"

 # Network
 socket2 = { version = "0.5", features = ["all"] }
@@ -70,7 +71,6 @@ tokio-test = "0.4"
 criterion = "0.5"
 proptest = "1.4"
 futures = "0.3"
-static_assertions = "1.1"

 [[bench]]
 name = "crypto_bench"