feat(tls): add boot time timestamp constant and validation for SNI hostnames

- Introduced `BOOT_TIME_MAX_SECS` constant to define the maximum accepted boot-time timestamp. - Updated `validate_tls_handshake_at_time` to utilize the new boot time constant for timestamp validation. - Enhanced `extract_sni_from_client_hello` to validate SNI hostnames against specified criteria, rejecting invalid hostnames. - Added tests to ensure proper handling of boot time timestamps and SNI validation. feat(handshake): improve user secret decoding and ALPN enforcement - Refactored user secret decoding to provide better error handling and logging for invalid secrets. - Added tests for concurrent identical handshakes to ensure replay protection works as expected. - Implemented ALPN enforcement in handshake processing, rejecting unsupported protocols and allowing valid ones. fix(masking): implement timeout handling for masking operations - Added timeout handling for writing proxy headers and consuming client data in masking. - Adjusted timeout durations for testing to ensure faster feedback during unit tests. - Introduced tests to verify behavior when masking is disabled and when proxy header writes exceed the timeout. test(masking): add tests for slowloris connections and proxy header timeouts - Created tests to validate that slowloris connections are closed by consume timeout when masking is disabled. - Added a test for proxy header write timeout to ensure it returns false when the write operation does not complete.
2026-04-26 06:54:09 +03:00 · 2026-03-16 21:37:59 +04:00
parent 213ce4555a
commit e4a50f9286
7 changed files with 895 additions and 25 deletions
--- a/src/proxy/handshake.rs
+++ b/src/proxy/handshake.rs
@@ -3,7 +3,9 @@
 #![allow(dead_code)]

 use std::net::SocketAddr;
+use std::collections::HashSet;
 use std::sync::Arc;
+use std::sync::{Mutex, OnceLock};
 use std::time::Duration;
 use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt};
 use tracing::{debug, warn, trace};
@@ -20,6 +22,56 @@ use crate::config::ProxyConfig;
 use crate::tls_front::{TlsFrontCache, emulator};

 const ACCESS_SECRET_BYTES: usize = 16;
+static INVALID_SECRET_WARNED: OnceLock<Mutex<HashSet<String>>> = OnceLock::new();
+
+fn warn_invalid_secret_once(name: &str, reason: &str, expected: usize, got: Option<usize>) {
+    let key = format!("{}:{}", name, reason);
+    let warned = INVALID_SECRET_WARNED.get_or_init(|| Mutex::new(HashSet::new()));
+    let should_warn = match warned.lock() {
+        Ok(mut guard) => guard.insert(key),
+        Err(_) => true,
+    };
+
+    if !should_warn {
+        return;
+    }
+
+    match got {
+        Some(actual) => {
+            warn!(
+                user = %name,
+                expected = expected,
+                got = actual,
+                "Skipping user: access secret has unexpected length"
+            );
+        }
+        None => {
+            warn!(
+                user = %name,
+                "Skipping user: access secret is not valid hex"
+            );
+        }
+    }
+}
+
+fn decode_user_secret(name: &str, secret_hex: &str) -> Option<Vec<u8>> {
+    match hex::decode(secret_hex) {
+        Ok(bytes) if bytes.len() == ACCESS_SECRET_BYTES => Some(bytes),
+        Ok(bytes) => {
+            warn_invalid_secret_once(
+                name,
+                "invalid_length",
+                ACCESS_SECRET_BYTES,
+                Some(bytes.len()),
+            );
+            None
+        }
+        Err(_) => {
+            warn_invalid_secret_once(name, "invalid_hex", ACCESS_SECRET_BYTES, None);
+            None
+        }
+    }
+}

 // Decide whether a client-supplied proto tag is allowed given the configured
 // proxy modes and the transport that carried the handshake.
@@ -51,8 +103,7 @@ fn decode_user_secrets(

    if let Some(preferred) = preferred_user
        && let Some(secret_hex) = config.access.users.get(preferred)
-        && let Ok(bytes) = hex::decode(secret_hex)
-        && bytes.len() == ACCESS_SECRET_BYTES
+        && let Some(bytes) = decode_user_secret(preferred, secret_hex)
    {
        secrets.push((preferred.to_string(), bytes));
    }
@@ -61,9 +112,7 @@ fn decode_user_secrets(
        if preferred_user.is_some_and(|preferred| preferred == name.as_str()) {
            continue;
        }
-        if let Ok(bytes) = hex::decode(secret_hex)
-            && bytes.len() == ACCESS_SECRET_BYTES
-        {
+        if let Some(bytes) = decode_user_secret(name, secret_hex) {
            secrets.push((name.clone(), bytes));
        }
    }
@@ -193,6 +242,9 @@ where
            Some(b"h2".to_vec())
        } else if alpn_list.iter().any(|p| p == b"http/1.1") {
            Some(b"http/1.1".to_vec())
+        } else if !alpn_list.is_empty() {
+            debug!(peer = %peer, "Client ALPN list has no supported protocol; using masking fallback");
+            return HandshakeResult::BadClient { reader, writer };
        } else {
            None
        }