- .cargo/config.toml: strip all clippy::* lints from rustflags; they are
unknown to rustc and produce spurious 'unknown lint' warnings on every
cargo build/check/test invocation. Only rustc-native lints (unsafe_code,
trivial_casts, rust_2018_idioms, etc.) remain. clippy lints must be
enforced exclusively via the cargo clippy invocation in CI.
- crypto/hash.rs: replace unreachable!() in sha256_hmac with
#[allow(clippy::expect_used)] + .expect(). unreachable!() triggers
clippy::panic which is globally denied; the structural infallibility of
HmacSha256::new_from_slice makes expect() correct here.
- protocol/obfuscation.rs: replace unreachable!() in generate_nonce with
#[allow(clippy::panic)] + panic!() and add adversarial-RNG regression
test that verifies the panic fires after MAX_NONCE_ATTEMPTS exhaustion.
- tls_front/fetcher.rs: fallback branch in build_client_config now calls
ClientConfig::builder_with_provider(provider) instead of
ClientConfig::builder(), preventing a silent crypto-backend switch from
ring to the global default in the error path.
- transport/middle_proxy/secret.rs: (1) add max_len < PROXY_SECRET_MIN_LEN
early guard at function entry so callers get an explicit validation error
before any HTTP round-trip; (2) replace data.len() + chunk.len() with
checked_add to prevent usize overflow bypassing the hard cap; (3) remove
temp file on write failure; (4) add six streaming-cap regression tests
covering cap rejection, overflow guard, and boundary acceptance.

Rebase the security hardening stack onto upstream/main after telemt/flow was
merged upstream. This keeps the transport, TLS fronting, middle-proxy, CI
policy, and regression-test changes in a clean PR branch without including
private .David_docs material.
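The streaming-cap hardening listed for transport/middle_proxy/secret.rs above, as an added example that is not the project's code. `PROXY_SECRET_MIN_LEN` is the project's constant name, but its value here (16) is assumed; `collect_secret`, `naive_next_len`, `checked_next_len` and `SecretError` are hypothetical names standing in for the real fetch path, and a plain iterator of byte slices stands in for the HTTP body stream. It shows the early minimum-length guard, the wraparound that a plain `+` permits next to the `checked_add` form, and the cap boundary; the temp-file cleanup and the HTTP transport are left out.

```rust
/// Lower bound on a usable proxy secret. Assumed value: the page names the
/// constant but does not give its value.
pub const PROXY_SECRET_MIN_LEN: usize = 16;

#[derive(Debug, PartialEq, Eq)]
pub enum SecretError {
    /// The caller's cap cannot hold a valid secret: fail before any round-trip.
    CapBelowMinimum { max_len: usize, min_len: usize },
    /// The body would exceed the cap, or the running total would overflow usize.
    TooLarge { cap: usize },
    /// The body completed but is shorter than the minimum.
    TooShort { len: usize, min_len: usize },
}

/// Vulnerable form. In a release build `current + chunk` wraps silently;
/// `wrapping_add` is used here so the demonstration behaves the same way under
/// debug assertions instead of panicking. A total near usize::MAX plus a small
/// chunk wraps to a tiny number and passes the `> cap` check.
pub fn naive_next_len(current: usize, chunk: usize, cap: usize) -> Result<usize, SecretError> {
    let next = current.wrapping_add(chunk);
    if next > cap {
        Err(SecretError::TooLarge { cap })
    } else {
        Ok(next)
    }
}

/// Hardened form: `checked_add` turns overflow into the same rejection as
/// exceeding the cap, so arithmetic can never carry a body past it.
pub fn checked_next_len(current: usize, chunk: usize, cap: usize) -> Result<usize, SecretError> {
    match current.checked_add(chunk) {
        Some(next) if next <= cap => Ok(next),
        _ => Err(SecretError::TooLarge { cap }),
    }
}

/// Drain a stream of body chunks into memory under a hard cap of `max_len`.
/// `chunks` stands in for the HTTP body; each item is one received chunk.
pub fn collect_secret<'a, I>(chunks: I, max_len: usize) -> Result<Vec<u8>, SecretError>
where
    I: IntoIterator<Item = &'a [u8]>,
{
    // (1) Early guard at function entry: an impossible cap is a caller bug,
    // reported before any network activity.
    if max_len < PROXY_SECRET_MIN_LEN {
        return Err(SecretError::CapBelowMinimum { max_len, min_len: PROXY_SECRET_MIN_LEN });
    }
    let mut data: Vec<u8> = Vec::with_capacity(PROXY_SECRET_MIN_LEN);
    for chunk in chunks {
        // (2) Decide before copying: a chunk that would cross the cap is never appended.
        checked_next_len(data.len(), chunk.len(), max_len)?;
        data.extend_from_slice(chunk);
    }
    if data.len() < PROXY_SECRET_MIN_LEN {
        return Err(SecretError::TooShort { len: data.len(), min_len: PROXY_SECRET_MIN_LEN });
    }
    Ok(data)
}

fn main() {
    // Constructed input: a 16-byte secret arriving in two chunks.
    let parts: [&[u8]; 2] = [b"0123456789", b"abcdef"];
    println!("two chunks, cap 32: {:?}", collect_secret(parts.iter().copied(), 32).map(|v| v.len()));
    // Constructed input: an oversized body is rejected at the chunk that crosses the cap.
    let big = [0u8; 64];
    println!("64 bytes, cap 32:   {:?}", collect_secret([&big[..]], 32));
    // The arithmetic bypass: a near-wraparound total plus a 2-byte chunk.
    println!("naive:   {:?}", naive_next_len(usize::MAX - 1, 2, 1024));
    println!("checked: {:?}", checked_next_len(usize::MAX - 1, 2, 1024));
}
```

The cap check runs on the projected length, not after the copy, so a hostile server cannot force even one allocation beyond `max_len`; the boundary case (exactly `max_len` bytes) is accepted, one byte more is refused.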

- Remove unused imports across multiple modules
- Add #![allow(dead_code)] for public API items preserved for future use
- Add #![allow(deprecated)] for rand::Rng::gen_range usage
- Add #![allow(unused_assignments)] in main.rs
- Add #![allow(unreachable_code)] in network/stun.rs
- Prefix unused variables with underscore (_ip_tracker, _prefer_ipv6)
- Fix unused_must_use warning in tls_front/cache.rs
This ensures clean compilation without warnings while preserving
public API items that may be used in the future.

- Fixed tests that failed to compile due to mismatched generic parameters of HandshakeResult:
  - Changed `HandshakeResult<i32>` to `HandshakeResult<i32, (), ()>`
  - Changed `HandshakeResult::BadClient` to `HandshakeResult::BadClient { reader: (), writer: () }`
- Added Zeroize for all structures holding key material:
  - AesCbc – key and IV are zeroized on drop
  - SecureRandomInner – PRNG output buffer is zeroized on drop; local key copy in constructor is zeroized immediately after being passed to the cipher
  - ObfuscationParams – all four key-material fields are zeroized on drop
  - HandshakeSuccess – all four key-material fields are zeroized on drop
- Added protocol-requirement documentation for legacy hashes (CodeQL suppression) in hash.rs (MD5/SHA-1)
- Added documentation for zeroize limitations of AesCtr (opaque cipher state) in aes.rs
- Implemented silent-mode logging and refactored initialization:
  - Added LogLevel enum to config and CLI flags --silent / --log-level
  - Added parse_cli() to handle --silent, --log-level, --help
  - Restructured main.rs initialization order: CLI → config load → determine log level → init tracing
  - Errors before tracing initialization are printed via eprintln!
  - Proxy links (tg://) are printed via println! – always visible regardless of log level
  - Configuration summary and operational messages are logged via info! (suppressed in silent mode)
  - Connection processing errors are lowered to debug! (hidden in silent mode)
  - Warning about default tls_domain moved to main (after tracing init)

Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
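The zeroize-on-drop items above (AesCbc wiping key and IV, SecureRandomInner wiping its local key copy right after handing it to the cipher), as an added example that is not the project's code and does not use the zeroize crate. `zeroize_bytes`, `CbcKeyMaterial`, `new_cipher_wiping_local` and `WipeOnDrop` are hypothetical names; the wipe is a volatile-store loop plus a compiler fence, which is the technique the zeroize crate applies to byte buffers, written out here so the block runs with the standard library alone.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite a byte buffer with zeros in a way the optimizer may not remove as
/// a dead store before free. Volatile writes pin each store; the fence keeps
/// later memory operations from being reordered ahead of the wipe.
pub fn zeroize_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Stand-in for a struct like AesCbc: owns a key and an IV and wipes both on drop.
pub struct CbcKeyMaterial {
    key: [u8; 32],
    iv: [u8; 16],
}

impl CbcKeyMaterial {
    pub fn new(key: [u8; 32], iv: [u8; 16]) -> Self {
        Self { key, iv }
    }

    /// Explicit wipe; Drop routes through the same method so both paths agree.
    pub fn zeroize(&mut self) {
        zeroize_bytes(&mut self.key);
        zeroize_bytes(&mut self.iv);
    }

    pub fn is_wiped(&self) -> bool {
        self.key.iter().chain(self.iv.iter()).all(|&b| b == 0)
    }
}

impl Drop for CbcKeyMaterial {
    fn drop(&mut self) {
        self.zeroize();
    }
}

/// The constructor pattern from the SecureRandomInner item: take a local copy
/// of the caller's key, hand it to the cipher (arrays are Copy, so the cipher
/// now holds a second copy), then wipe the local copy immediately instead of
/// leaving it on the stack until the frame happens to be reused.
pub fn new_cipher_wiping_local(key: &[u8; 32], iv: [u8; 16]) -> CbcKeyMaterial {
    let mut local = *key;
    let cipher = CbcKeyMaterial::new(local, iv);
    zeroize_bytes(&mut local);
    cipher
}

/// Guard over a caller-owned buffer, used to show Drop-time wiping with fully
/// safe code: the buffer outlives the guard, so it can be inspected after Drop.
pub struct WipeOnDrop<'a>(pub &'a mut [u8]);

impl Drop for WipeOnDrop<'_> {
    fn drop(&mut self) {
        zeroize_bytes(&mut *self.0);
    }
}

/// Returns true if the guard's Drop zeroed the backing buffer.
pub fn drop_wipes_backing_buffer() -> bool {
    let mut backing = [0xA5u8; 32]; // constructed key bytes
    {
        let _guard = WipeOnDrop(&mut backing);
    } // guard dropped here: the wipe runs
    backing.iter().all(|&b| b == 0)
}

fn main() {
    let key = [0x42u8; 32]; // constructed key
    let mut cipher = new_cipher_wiping_local(&key, [7; 16]);
    println!("wiped before explicit zeroize: {}", cipher.is_wiped());
    cipher.zeroize();
    println!("wiped after explicit zeroize:  {}", cipher.is_wiped());
    println!("Drop zeroes the backing buffer: {}", drop_wipes_backing_buffer());
}
```

Two caveats the page's own notes point at: wiping only covers memory the struct owns, so every by-value copy (the caller's original array, a copy inside an opaque cipher state such as the AesCtr case) needs its own wipe or cannot be wiped at all; and moves of a `CbcKeyMaterial` may leave stale bytes at the old location, which Drop never visits.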