astelm
/
telemt
mirror of https://github.com/telemt/telemt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
881 Commits 2 Branches 76 Tags 22 MiB
Commit Graph

881 Commits

Author SHA1 Message Date
David Osipov f754630172
fix: address all remaining Copilot review issues from PR-421 
- .cargo/config.toml: strip all clippy::* lints from rustflags; they are
  unknown to rustc and produce spurious 'unknown lint' warnings on every
  cargo build/check/test invocation.  Only rustc-native lints (unsafe_code,
  trivial_casts, rust_2018_idioms, etc.) remain.  clippy lints must be
  enforced exclusively via the cargo clippy invocation in CI.

- crypto/hash.rs: replace unreachable!() in sha256_hmac with
  #[allow(clippy::expect_used)] + .expect().  unreachable!() triggers
  clippy::panic which is globally denied; the structural infallibility of
  HmacSha256::new_from_slice makes expect() correct here.

- protocol/obfuscation.rs: replace unreachable!() in generate_nonce with
  #[allow(clippy::panic)] + panic!() and add adversarial-RNG regression
  test that verifies the panic fires after MAX_NONCE_ATTEMPTS exhaustion.

- tls_front/fetcher.rs: fallback branch in build_client_config now calls
  ClientConfig::builder_with_provider(provider) instead of
  ClientConfig::builder(), preventing a silent crypto-backend switch from
  ring to the global default in the error path.

- transport/middle_proxy/secret.rs: (1) add max_len < PROXY_SECRET_MIN_LEN
  early guard at function entry so callers get an explicit validation error
  before any HTTP round-trip; (2) replace data.len() + chunk.len() with
  checked_add to prevent usize overflow bypassing the hard cap; (3) remove
  temp file on write failure; (4) add six streaming-cap regression tests
  covering cap rejection, overflow guard, and boundary acceptance.
 2026-03-14 23:52:03 +04:00
David Osipov d7da0b3584
fix: log JoinErrors in reconnect_all; restore pub(crate) for EdgeConnectionsCacheEntry 
- pool_config.rs: replace silent .is_some() drain with while-let that logs
  JoinError, making panics in reconnect tasks visible in production logs.
  Add tokio regression test verifying panicking tasks yield JoinError.
- runtime_edge.rs: revert EdgeConnectionsCacheEntry visibility from pub to
  pub(crate); the type is internal to the api module and must not be
  exported beyond crate scope.
- Copilot issues for dashed lint names, unreachable!/clippy::panic, and
  tokio::rename atomicity were confirmed false positives via empirical
  cargo clippy runs and POSIX semantics analysis.
 2026-03-14 23:04:44 +04:00
David Osipov 3ec316fbcd
fix: enforce streaming cap before accumulation, unique tmp path, bounded reconnects, buffer zeroization, restrict type visibility 
- secret.rs: swap resp.bytes() for resp.chunk() loop; reject each chunk before
  it is appended so hard_cap is never exceeded in memory (OOM/DoS fix).
  Replace fixed ".tmp" suffix with unique_temp_path() (timestamp + atomic
  counter) to prevent concurrent-writer collisions on the cache file.

- pool_config.rs: add MAX_CONCURRENT_RECONNECTS=32 and batch the reconnect_all
  task spawn loop to prevent a thundering-herd burst on large pools.

- buffer_pool.rs: call fill(0u8) before clear() in return_buffer() to
  overwrite the initialized region of every returned buffer (OWASP ASVS L2
  V8.3.6). Add unsafe backing-byte test to verify zeroization at the
  allocation level, not merely via the safe len==0 API.

- api/events.rs, api/runtime_stats.rs: restrict ApiEventStore and
  MinimalCacheEntry from pub to pub(crate) — both are consumed only within
  the api module tree and should not be part of the public API surface.
 2026-03-14 22:45:01 +04:00
David Osipov 9f6c5aafd4
Reapply security hardening on top of upstream/main 
Rebase the security hardening stack onto upstream/main after telemt/flow was
merged upstream. This keeps the transport, TLS fronting, middle-proxy, CI
policy, and regression-test changes in a clean PR branch without including
private .David_docs material.
 2026-03-14 22:10:57 +04:00
Alexey dda31b3d2f
New Hot-Reload method + TLS-F New Methods + TLS-F/TCP-S Docs: merge pull request #420 from telemt/flow 
New Hot-Reload method + TLS-F New Methods + TLS-F/TCP-S Docs
 2026-03-14 20:45:47 +03:00
Alexey 7d5e1cb9e8
Rename TLS-F-TCP-s.ru.md to TLS-F-TCP-S.ru.md 2026-03-14 20:42:21 +03:00
Alexey 56e38e8d00
Update TLS-F-TCP-s.ru.md 2026-03-14 20:41:14 +03:00
Alexey 4677b43c6e
TLS-F New Methods 2026-03-14 20:38:24 +03:00
Alexey 4ddbb97908
Create TLS-F-TCP-s.ru.md 2026-03-14 20:29:12 +03:00
Alexey 8b0b47145d
New Hot-Reload method 2026-03-14 18:54:05 +03:00
Alexey f7e3ddcdb6
Update LICENSE 2026-03-14 16:02:40 +03:00
Alexey af5cff3304
Merge pull request #417 from telemt/licensing-md 
Update LICENSING.md
 2026-03-14 15:59:35 +03:00
Alexey cb9144bdb3
Update LICENSING.md 2026-03-14 15:59:21 +03:00
Alexey fa82634faf
Merge pull request #416 from telemt/license-1 
Update LICENSE
 2026-03-14 15:57:31 +03:00
Alexey 37b1a0289e
Update LICENSE 2026-03-14 15:56:31 +03:00
Alexey 9be33bcf93
Merge pull request #414 from telemt/license 
Update LICENSE
 2026-03-14 15:27:59 +03:00
Alexey bc9f691284
Merge branch 'license' of https://github.com/telemt/telemt into license 2026-03-14 15:23:43 +03:00
Alexey 58e5605f39
Telemt PL 3 на русском языке 2026-03-14 15:23:41 +03:00
Alexey 75a654c766
TELEMT-Lizenz 3 auf Deutsch 2026-03-14 15:23:24 +03:00
Alexey 2b058f7df7
Create LICENSE.en.md 2026-03-14 15:11:12 +03:00
Alexey 01af2999bb
Update LICENSE 2026-03-14 15:10:46 +03:00
Alexey c12d27f08a
Middle-End docs 2026-03-14 15:10:07 +03:00
Alexey 5e3408e80b
Update LICENSE 2026-03-14 15:08:14 +03:00
Alexey 052110618d
Merge pull request #413 from telemt/no-config-full 
Delete config.full.toml
 2026-03-14 14:55:57 +03:00
Alexey 47b8f0f656
Delete config.full.toml 2026-03-14 14:55:48 +03:00
Alexey 67b2e25e39
Merge pull request #396 from 13werwolf13/main 
systemd contrib
 2026-03-14 14:54:27 +03:00
Alexey 9a08b541ed
License:: merge pull request #412 from telemt/license 
License
 2026-03-14 14:48:06 +03:00
Alexey 04379b4374
Merge branch 'main' into license 2026-03-14 14:47:51 +03:00
Alexey 5cfb05b1f4
Update LICENSING.md 2026-03-14 14:47:21 +03:00
Alexey aa68ce531e
Update LICENSE 2026-03-14 14:42:36 +03:00
Alexey d4ce304a37
Update LICENSE 2026-03-14 14:40:10 +03:00
Alexey 8a579d9bda
Update LICENSE 2026-03-14 14:38:51 +03:00
Alexey 70cc6f22aa
Update LICENSE 2026-03-14 14:32:41 +03:00
Alexey 1674ba36b2
Update LICENSE 2026-03-14 14:31:57 +03:00
Alexey 0c1a5c24d5
Update LICENSE 2026-03-14 14:27:45 +03:00
Alexey 5df08300e2
Merge pull request #411 from telemt/license-1 
Update LICENSE
 2026-03-14 14:08:22 +03:00
Alexey 543a87e166
Update LICENSE 2026-03-14 14:08:08 +03:00
Alexey 519c8d276b
Merge pull request #410 from telemt/license 
Update LICENSING.md
 2026-03-14 14:03:39 +03:00
Alexey 4dc733d3e3
Create LICENSE 2026-03-14 14:03:29 +03:00
Alexey 4506f38bfb
Update LICENSING.md 2026-03-14 14:02:12 +03:00
Alexey b9a33c14bb
Merge pull request #409 from telemt/bump 
Update Cargo.toml
 2026-03-14 13:24:33 +03:00
Alexey 50caeb1803
Update Cargo.toml 2026-03-14 13:24:16 +03:00
Alexey e57a93880b
Src-IP in ME Routing + more strict bind_addresses + ME Gate fixes: merge pull request #408 from telemt/flow 
Src-IP in ME Routing + more strict bind_addresses + ME Gate fixes
 2026-03-14 13:22:09 +03:00
Alexey dbfc43395e
Merge pull request #407 from farton1983/patch-1 
Update QUICK_START_GUIDE.ru.md
 2026-03-14 13:11:28 +03:00
farton1983 89923dbaa2
Update QUICK_START_GUIDE.ru.md 2026-03-14 11:07:12 +03:00
Alexey 780fafa604
Src-IP in ME Routing + more strict bind_addresses 2026-03-14 02:20:51 +03:00
Alexey a15f74a6f9
Configured middle_proxy_nat_ip for ME Gate on strartup 2026-03-13 16:52:24 +03:00
Alexey 690635d904
Merge pull request #404 from telemt/readme 
Update README.md
 2026-03-12 23:57:51 +03:00
Alexey d1372c5c1b
Update README.md 2026-03-12 23:56:59 +03:00
Дмитрий Марков 5073248911
systemd contrib, add sysuser & tmpfiles configs, fix service 2026-03-12 12:47:03 +05:00