security: harden handshake/masking flows and add adversarial regressions

- forward valid-TLS/invalid-MTProto clients to mask backend in both client paths\n- harden TLS validation against timing and clock edge cases\n- move replay tracking behind successful authentication to avoid cache pollution\n- tighten secret decoding and key-material handling paths\n- add dedicated security test modules for tls/client/handshake/masking\n- include production-path regression for ClientHandler fallback behavior
2026-04-18 11:04:09 +03:00 · 2026-03-16 20:04:41 +04:00
parent dcab19a64f
commit 6ffbc51fb0
11 changed files with 2669 additions and 502 deletions
--- a/src/proxy/masking.rs
+++ b/src/proxy/masking.rs
@@ -194,55 +194,48 @@ async fn relay_to_mask<R, W, MR, MW>(
    initial_data: &[u8],
 )
 where
-    R: AsyncRead + Unpin + Send + 'static,
-    W: AsyncWrite + Unpin + Send + 'static,
-    MR: AsyncRead + Unpin + Send + 'static,
-    MW: AsyncWrite + Unpin + Send + 'static,
+    R: AsyncRead + Unpin + Send,
+    W: AsyncWrite + Unpin + Send,
+    MR: AsyncRead + Unpin + Send,
+    MW: AsyncWrite + Unpin + Send,
 {
    // Send initial data to mask host
    if mask_write.write_all(initial_data).await.is_err() {
        return;
    }

-    // Relay traffic
-    let c2m = tokio::spawn(async move {
-        let mut buf = vec![0u8; MASK_BUFFER_SIZE];
-        loop {
-            match reader.read(&mut buf).await {
-                Ok(0) | Err(_) => {
-                    let _ = mask_write.shutdown().await;
-                    break;
-                }
-                Ok(n) => {
-                    if mask_write.write_all(&buf[..n]).await.is_err() {
+    let mut client_buf = vec![0u8; MASK_BUFFER_SIZE];
+    let mut mask_buf = vec![0u8; MASK_BUFFER_SIZE];
+
+    loop {
+        tokio::select! {
+            client_read = reader.read(&mut client_buf) => {
+                match client_read {
+                    Ok(0) | Err(_) => {
+                        let _ = mask_write.shutdown().await;
                        break;
                    }
+                    Ok(n) => {
+                        if mask_write.write_all(&client_buf[..n]).await.is_err() {
+                            break;
+                        }
+                    }
+                }
+            }
+            mask_read_res = mask_read.read(&mut mask_buf) => {
+                match mask_read_res {
+                    Ok(0) | Err(_) => {
+                        let _ = writer.shutdown().await;
+                        break;
+                    }
+                    Ok(n) => {
+                        if writer.write_all(&mask_buf[..n]).await.is_err() {
+                            break;
+                        }
+                    }
                }
            }
        }
-    });
-
-    let m2c = tokio::spawn(async move {
-        let mut buf = vec![0u8; MASK_BUFFER_SIZE];
-        loop {
-            match mask_read.read(&mut buf).await {
-                Ok(0) | Err(_) => {
-                    let _ = writer.shutdown().await;
-                    break;
-                }
-                Ok(n) => {
-                    if writer.write_all(&buf[..n]).await.is_err() {
-                        break;
-                    }
-                }
-            }
-        }
-    });
-
-    // Wait for either to complete
-    tokio::select! {
-        _ = c2m => {}
-        _ = m2c => {}
    }
 }

@@ -255,3 +248,7 @@ async fn consume_client_data<R: AsyncRead + Unpin>(mut reader: R) {
        }
    }
 }
+
+#[cfg(test)]
+#[path = "masking_security_tests.rs"]
+mod security_tests;