Add adversarial tests for MTProto handshake and enhance masking functionality

- Introduced multiple adversarial tests for MTProto handshake to ensure robustness against replay attacks, invalid mutations, and concurrent flooding. - Implemented a function to build proxy headers based on the specified version, improving the handling of masking protocols. - Added tests to validate the behavior of the masking functionality under various conditions, including unknown proxy protocol versions and oversized payloads. - Enhanced relay tests to ensure stability and performance under high load and half-close scenarios.
2026-04-18 02:54:10 +03:00 · 2026-03-20 18:48:19 +04:00
parent 9dce748679
commit babd902d95
8 changed files with 1254 additions and 34 deletions
--- a/src/config/load.rs
+++ b/src/config/load.rs
@@ -334,6 +334,24 @@ impl ProxyConfig {
            ));
        }

+        let handshake_timeout_ms = config
+            .timeouts
+            .client_handshake
+            .checked_mul(1000)
+            .ok_or_else(|| {
+                ProxyError::Config(
+                    "timeouts.client_handshake is too large to validate milliseconds budget"
+                        .to_string(),
+                )
+            })?;
+
+        if config.censorship.server_hello_delay_max_ms >= handshake_timeout_ms {
+            return Err(ProxyError::Config(
+                "censorship.server_hello_delay_max_ms must be < timeouts.client_handshake * 1000"
+                    .to_string(),
+            ));
+        }
+
        if config.timeouts.relay_client_idle_soft_secs == 0 {
            return Err(ProxyError::Config(
                "timeouts.relay_client_idle_soft_secs must be > 0".to_string(),
@@ -977,6 +995,10 @@ impl ProxyConfig {
 #[path = "load_idle_policy_tests.rs"]
 mod load_idle_policy_tests;

+#[cfg(test)]
+#[path = "load_security_tests.rs"]
+mod load_security_tests;
+
 #[cfg(test)]
 mod tests {
    use super::*;