mirror of https://github.com/telemt/telemt.git
Compare commits
20 Commits
8b92b80b4a
...
80cb1bc221
| Author | SHA1 | Date |
|---|---|---|
Alexey
|
80cb1bc221 | |
|
Alexey
|
8461556b02 | |
|
Alexey
|
cfd516edf3 | |
|
Alexey
|
803c2c0492 | |
|
Alexey
|
b762bd029f | |
|
Alexey
|
761679d306 | |
|
Alexey
|
41668b153d | |
|
Alexey
|
1d2f88ad29 | |
|
Alexey
|
80917f5abc | |
|
Alexey
|
dc61d300ab | |
|
Alexey
|
ae16080de5 | |
|
Alexey
|
b8ca1fc166 | |
|
Alexey
|
f9986944df | |
|
Alexey
|
cb877c2bc3 | |
|
Vladislav Yaroslavlev
|
4426082c17 | |
|
Alexey
|
22097f8c7c | |
|
Alexey
|
1450af60a0 | |
|
Alexey
|
f1cc8d65f2 | |
|
Alexey
|
ec7e808daf | |
|
Alexey
|
e4b7e23e76 |
|
|
@ -23,7 +23,7 @@ jobs:
|
||||||
# GNU / glibc
|
# GNU / glibc
|
||||||
# ==========================
|
# ==========================
|
||||||
build-gnu:
|
build-gnu:
|
||||||
name: GNU ${{ matrix.target }}
|
name: GNU ${{ matrix.asset }}
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
container:
|
container:
|
||||||
|
|
@ -35,8 +35,15 @@ jobs:
|
||||||
include:
|
include:
|
||||||
- target: x86_64-unknown-linux-gnu
|
- target: x86_64-unknown-linux-gnu
|
||||||
asset: telemt-x86_64-linux-gnu
|
asset: telemt-x86_64-linux-gnu
|
||||||
|
cpu: baseline
|
||||||
|
|
||||||
|
- target: x86_64-unknown-linux-gnu
|
||||||
|
asset: telemt-x86_64-v3-linux-gnu
|
||||||
|
cpu: v3
|
||||||
|
|
||||||
- target: aarch64-unknown-linux-gnu
|
- target: aarch64-unknown-linux-gnu
|
||||||
asset: telemt-aarch64-linux-gnu
|
asset: telemt-aarch64-linux-gnu
|
||||||
|
cpu: generic
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
@ -72,11 +79,19 @@ jobs:
|
||||||
if [ "${{ matrix.target }}" = "aarch64-unknown-linux-gnu" ]; then
|
if [ "${{ matrix.target }}" = "aarch64-unknown-linux-gnu" ]; then
|
||||||
export CC=aarch64-linux-gnu-gcc
|
export CC=aarch64-linux-gnu-gcc
|
||||||
export CXX=aarch64-linux-gnu-g++
|
export CXX=aarch64-linux-gnu-g++
|
||||||
export RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc"
|
export RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc -C lto=fat -C panic=abort"
|
||||||
|
|
||||||
else
|
else
|
||||||
export CC=clang
|
export CC=clang
|
||||||
export CXX=clang++
|
export CXX=clang++
|
||||||
export RUSTFLAGS="-C linker=clang -C link-arg=-fuse-ld=lld"
|
|
||||||
|
if [ "${{ matrix.cpu }}" = "v3" ]; then
|
||||||
|
CPU_FLAGS="-C target-cpu=x86-64-v3"
|
||||||
|
else
|
||||||
|
CPU_FLAGS="-C target-cpu=x86-64"
|
||||||
|
fi
|
||||||
|
|
||||||
|
export RUSTFLAGS="-C linker=clang -C link-arg=-fuse-ld=lld -C lto=fat -C panic=abort $CPU_FLAGS"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cargo build --release --target ${{ matrix.target }}
|
cargo build --release --target ${{ matrix.target }}
|
||||||
|
|
@ -102,32 +117,75 @@ jobs:
|
||||||
# MUSL
|
# MUSL
|
||||||
# ==========================
|
# ==========================
|
||||||
build-musl:
|
build-musl:
|
||||||
name: MUSL ${{ matrix.target }}
|
name: MUSL ${{ matrix.asset }}
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
container:
|
container:
|
||||||
image: rust:slim-bookworm
|
image: rust:slim-bookworm
|
||||||
|
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
include:
|
include:
|
||||||
- target: x86_64-unknown-linux-musl
|
- target: x86_64-unknown-linux-musl
|
||||||
asset: telemt-x86_64-linux-musl
|
asset: telemt-x86_64-linux-musl
|
||||||
|
cpu: baseline
|
||||||
|
|
||||||
|
- target: x86_64-unknown-linux-musl
|
||||||
|
asset: telemt-x86_64-v3-linux-musl
|
||||||
|
cpu: v3
|
||||||
|
|
||||||
- target: aarch64-unknown-linux-musl
|
- target: aarch64-unknown-linux-musl
|
||||||
asset: telemt-aarch64-linux-musl
|
asset: telemt-aarch64-linux-musl
|
||||||
|
cpu: generic
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Install deps
|
- name: Install deps
|
||||||
run: |
|
run: |
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get install -y musl-tools pkg-config curl
|
apt-get install -y \
|
||||||
|
musl-tools \
|
||||||
|
pkg-config \
|
||||||
|
curl
|
||||||
|
|
||||||
|
- uses: actions/cache@v4
|
||||||
|
if: matrix.target == 'aarch64-unknown-linux-musl'
|
||||||
|
with:
|
||||||
|
path: ~/.musl-aarch64
|
||||||
|
key: musl-toolchain-aarch64-v1
|
||||||
|
|
||||||
|
- name: Install aarch64 musl toolchain
|
||||||
|
if: matrix.target == 'aarch64-unknown-linux-musl'
|
||||||
|
run: |
|
||||||
|
set -e
|
||||||
|
|
||||||
|
TOOLCHAIN_DIR="$HOME/.musl-aarch64"
|
||||||
|
ARCHIVE="aarch64-linux-musl-cross.tgz"
|
||||||
|
URL="https://github.com/telemt/telemt/releases/download/toolchains/$ARCHIVE"
|
||||||
|
|
||||||
|
if [ -x "$TOOLCHAIN_DIR/bin/aarch64-linux-musl-gcc" ]; then
|
||||||
|
echo "✅ MUSL toolchain cached"
|
||||||
|
else
|
||||||
|
echo "⬇️ Downloading MUSL toolchain..."
|
||||||
|
|
||||||
|
curl -fL \
|
||||||
|
--retry 5 \
|
||||||
|
--retry-delay 3 \
|
||||||
|
--connect-timeout 10 \
|
||||||
|
--max-time 120 \
|
||||||
|
-o "$ARCHIVE" "$URL"
|
||||||
|
|
||||||
|
mkdir -p "$TOOLCHAIN_DIR"
|
||||||
|
tar -xzf "$ARCHIVE" --strip-components=1 -C "$TOOLCHAIN_DIR"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "$TOOLCHAIN_DIR/bin" >> $GITHUB_PATH
|
||||||
|
|
||||||
- name: Add rust target
|
- name: Add rust target
|
||||||
run: rustup target add ${{ matrix.target }}
|
run: rustup target add ${{ matrix.target }}
|
||||||
|
|
||||||
- uses: actions/cache@v4
|
- uses: actions/cache@v4
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
|
|
@ -135,31 +193,41 @@ jobs:
|
||||||
/usr/local/cargo/git
|
/usr/local/cargo/git
|
||||||
target
|
target
|
||||||
key: musl-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
|
key: musl-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
|
||||||
|
|
||||||
- name: Build
|
- name: Build
|
||||||
run: |
|
run: |
|
||||||
if [ "${{ matrix.target }}" = "aarch64-unknown-linux-musl" ]; then
|
if [ "${{ matrix.target }}" = "aarch64-unknown-linux-musl" ]; then
|
||||||
export CC=aarch64-linux-musl-gcc
|
export CC=aarch64-linux-musl-gcc
|
||||||
export RUSTFLAGS="-C target-feature=+crt-static -C linker=aarch64-linux-musl-gcc"
|
export CC_aarch64_unknown_linux_musl=aarch64-linux-musl-gcc
|
||||||
|
export RUSTFLAGS="-C target-feature=+crt-static -C linker=aarch64-linux-musl-gcc -C lto=fat -C panic=abort"
|
||||||
|
|
||||||
else
|
else
|
||||||
export CC=musl-gcc
|
export CC=musl-gcc
|
||||||
export RUSTFLAGS="-C target-feature=+crt-static"
|
export CC_x86_64_unknown_linux_musl=musl-gcc
|
||||||
|
|
||||||
|
if [ "${{ matrix.cpu }}" = "v3" ]; then
|
||||||
|
CPU_FLAGS="-C target-cpu=x86-64-v3"
|
||||||
|
else
|
||||||
|
CPU_FLAGS="-C target-cpu=x86-64"
|
||||||
|
fi
|
||||||
|
|
||||||
|
export RUSTFLAGS="-C target-feature=+crt-static -C lto=fat -C panic=abort $CPU_FLAGS"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cargo build --release --target ${{ matrix.target }}
|
cargo build --release --target ${{ matrix.target }}
|
||||||
|
|
||||||
- name: Package
|
- name: Package
|
||||||
run: |
|
run: |
|
||||||
mkdir -p dist
|
mkdir -p dist
|
||||||
cp target/${{ matrix.target }}/release/${{ env.BINARY_NAME }} dist/telemt
|
cp target/${{ matrix.target }}/release/${{ env.BINARY_NAME }} dist/telemt
|
||||||
|
|
||||||
cd dist
|
cd dist
|
||||||
tar -czf ${{ matrix.asset }}.tar.gz \
|
tar -czf ${{ matrix.asset }}.tar.gz \
|
||||||
--owner=0 --group=0 --numeric-owner \
|
--owner=0 --group=0 --numeric-owner \
|
||||||
telemt
|
telemt
|
||||||
|
|
||||||
sha256sum ${{ matrix.asset }}.tar.gz > ${{ matrix.asset }}.sha256
|
sha256sum ${{ matrix.asset }}.tar.gz > ${{ matrix.asset }}.sha256
|
||||||
|
|
||||||
- uses: actions/upload-artifact@v4
|
- uses: actions/upload-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: ${{ matrix.asset }}
|
name: ${{ matrix.asset }}
|
||||||
|
|
@ -194,51 +262,48 @@ jobs:
|
||||||
prerelease: ${{ contains(github.ref, '-') }}
|
prerelease: ${{ contains(github.ref, '-') }}
|
||||||
|
|
||||||
# ==========================
|
# ==========================
|
||||||
# Docker (FROM RELEASE)
|
# Docker
|
||||||
# ==========================
|
# ==========================
|
||||||
docker:
|
docker:
|
||||||
name: Docker (from release)
|
name: Docker
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: release
|
needs: [build-gnu, build-musl]
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
packages: write
|
packages: write
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Install gh
|
- uses: actions/download-artifact@v4
|
||||||
run: apt-get update && apt-get install -y gh
|
with:
|
||||||
|
path: dist
|
||||||
- name: Extract version
|
|
||||||
id: vars
|
- name: Extract binaries
|
||||||
run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
|
|
||||||
|
|
||||||
- name: Download binary
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
run: |
|
run: |
|
||||||
mkdir dist
|
mkdir bin
|
||||||
|
|
||||||
gh release download ${{ steps.vars.outputs.VERSION }} \
|
tar -xzf dist/telemt-x86_64-linux-musl/telemt-x86_64-linux-musl.tar.gz -C bin
|
||||||
--repo ${{ github.repository }} \
|
mv bin/telemt bin/telemt-amd64
|
||||||
--pattern "telemt-x86_64-linux-musl.tar.gz" \
|
|
||||||
--dir dist
|
tar -xzf dist/telemt-aarch64-linux-musl/telemt-aarch64-linux-musl.tar.gz -C bin
|
||||||
|
mv bin/telemt bin/telemt-arm64
|
||||||
tar -xzf dist/telemt-x86_64-linux-musl.tar.gz -C dist
|
|
||||||
chmod +x dist/telemt
|
|
||||||
|
|
||||||
- uses: docker/setup-qemu-action@v3
|
- uses: docker/setup-qemu-action@v3
|
||||||
- uses: docker/setup-buildx-action@v3
|
- uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
- uses: docker/login-action@v3
|
- uses: docker/login-action@v3
|
||||||
with:
|
with:
|
||||||
registry: ghcr.io
|
registry: ghcr.io
|
||||||
username: ${{ github.actor }}
|
username: ${{ github.actor }}
|
||||||
password: ${{ secrets.GITHUB_TOKEN }}
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
- name: Build & Push
|
- name: Extract version
|
||||||
|
id: vars
|
||||||
|
run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
|
- name: Build & Push (multi-arch)
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v6
|
||||||
with:
|
with:
|
||||||
context: .
|
context: .
|
||||||
|
|
@ -248,4 +313,5 @@ jobs:
|
||||||
ghcr.io/${{ github.repository }}:${{ steps.vars.outputs.VERSION }}
|
ghcr.io/${{ github.repository }}:${{ steps.vars.outputs.VERSION }}
|
||||||
ghcr.io/${{ github.repository }}:latest
|
ghcr.io/${{ github.repository }}:latest
|
||||||
build-args: |
|
build-args: |
|
||||||
BINARY=dist/telemt
|
BINARY_AMD64=bin/telemt-amd64
|
||||||
|
BINARY_ARM64=bin/telemt-arm64
|
||||||
|
|
|
||||||
|
|
@ -54,14 +54,20 @@ jobs:
|
||||||
uses: actions/cache@v4
|
uses: actions/cache@v4
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
|
~/.cargo/bin
|
||||||
~/.cargo/registry
|
~/.cargo/registry
|
||||||
~/.cargo/git
|
~/.cargo/git
|
||||||
target
|
target
|
||||||
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
|
key: ${{ runner.os }}-cargo-nextest-${{ hashFiles('**/Cargo.lock') }}
|
||||||
restore-keys: |
|
restore-keys: |
|
||||||
|
${{ runner.os }}-cargo-nextest-
|
||||||
${{ runner.os }}-cargo-
|
${{ runner.os }}-cargo-
|
||||||
|
|
||||||
- run: cargo test --verbose
|
- name: Install cargo-nextest
|
||||||
|
run: cargo install --locked cargo-nextest || true
|
||||||
|
|
||||||
|
- name: Run tests with nextest
|
||||||
|
run: cargo nextest run -j "$(nproc)"
|
||||||
|
|
||||||
# ==========================
|
# ==========================
|
||||||
# Clippy
|
# Clippy
|
||||||
|
|
@ -88,11 +94,13 @@ jobs:
|
||||||
~/.cargo/registry
|
~/.cargo/registry
|
||||||
~/.cargo/git
|
~/.cargo/git
|
||||||
target
|
target
|
||||||
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
|
key: ${{ runner.os }}-cargo-clippy-${{ hashFiles('**/Cargo.lock') }}
|
||||||
restore-keys: |
|
restore-keys: |
|
||||||
|
${{ runner.os }}-cargo-clippy-
|
||||||
${{ runner.os }}-cargo-
|
${{ runner.os }}-cargo-
|
||||||
|
|
||||||
- run: cargo clippy -- --cap-lints warn
|
- name: Run clippy
|
||||||
|
run: cargo clippy -j "$(nproc)" -- --cap-lints warn
|
||||||
|
|
||||||
# ==========================
|
# ==========================
|
||||||
# Udeps
|
# Udeps
|
||||||
|
|
@ -108,20 +116,24 @@ jobs:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- uses: dtolnay/rust-toolchain@stable
|
- uses: dtolnay/rust-toolchain@stable
|
||||||
|
with:
|
||||||
|
components: rust-src
|
||||||
|
|
||||||
- name: Cache cargo
|
- name: Cache cargo
|
||||||
uses: actions/cache@v4
|
uses: actions/cache@v4
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
|
~/.cargo/bin
|
||||||
~/.cargo/registry
|
~/.cargo/registry
|
||||||
~/.cargo/git
|
~/.cargo/git
|
||||||
target
|
target
|
||||||
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
|
key: ${{ runner.os }}-cargo-udeps-${{ hashFiles('**/Cargo.lock') }}
|
||||||
restore-keys: |
|
restore-keys: |
|
||||||
|
${{ runner.os }}-cargo-udeps-
|
||||||
${{ runner.os }}-cargo-
|
${{ runner.os }}-cargo-
|
||||||
|
|
||||||
- name: Install cargo-udeps
|
- name: Install cargo-udeps
|
||||||
run: cargo install cargo-udeps || true
|
run: cargo install --locked cargo-udeps || true
|
||||||
|
|
||||||
# тоже не валит билд
|
- name: Run udeps
|
||||||
- run: cargo udeps || true
|
run: cargo udeps -j "$(nproc)" || true
|
||||||
|
|
|
||||||
|
|
@ -2793,7 +2793,7 @@ checksum = "7b2093cf4c8eb1e67749a6762251bc9cd836b6fc171623bd0a9d324d37af2417"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "telemt"
|
name = "telemt"
|
||||||
version = "3.3.30"
|
version = "3.3.31"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"aes",
|
"aes",
|
||||||
"anyhow",
|
"anyhow",
|
||||||
|
|
|
||||||
|
|
@ -1,8 +1,11 @@
|
||||||
[package]
|
[package]
|
||||||
name = "telemt"
|
name = "telemt"
|
||||||
version = "3.3.30"
|
version = "3.3.31"
|
||||||
edition = "2024"
|
edition = "2024"
|
||||||
|
|
||||||
|
[profile.release]
|
||||||
|
codegen-units = 1
|
||||||
|
|
||||||
[features]
|
[features]
|
||||||
redteam_offline_expected_fail = []
|
redteam_offline_expected_fail = []
|
||||||
|
|
||||||
|
|
@ -83,4 +86,6 @@ name = "crypto_bench"
|
||||||
harness = false
|
harness = false
|
||||||
|
|
||||||
[profile.release]
|
[profile.release]
|
||||||
lto = "thin"
|
lto = "fat"
|
||||||
|
codegen-units = 1
|
||||||
|
|
||||||
|
|
|
||||||
85
Dockerfile
85
Dockerfile
|
|
@ -1,47 +1,78 @@
|
||||||
# syntax=docker/dockerfile:1
|
# syntax=docker/dockerfile:1
|
||||||
|
|
||||||
ARG BINARY
|
ARG TARGETARCH
|
||||||
|
ARG BINARY_AMD64
|
||||||
|
ARG BINARY_ARM64
|
||||||
|
|
||||||
# ==========================
|
# ==========================
|
||||||
# Stage: minimal
|
# Minimal Image
|
||||||
# ==========================
|
# ==========================
|
||||||
FROM debian:12-slim AS minimal
|
FROM debian:12-slim AS minimal
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
ARG TARGETARCH
|
||||||
binutils \
|
ARG BINARY_AMD64
|
||||||
curl \
|
ARG BINARY_ARM64
|
||||||
ca-certificates \
|
|
||||||
&& rm -rf /var/lib/apt/lists/* \
|
RUN set -eux; \
|
||||||
|
apt-get update; \
|
||||||
|
apt-get install -y --no-install-recommends \
|
||||||
|
binutils \
|
||||||
|
curl \
|
||||||
|
xz-utils \
|
||||||
|
ca-certificates; \
|
||||||
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
|
# --- Select correct binary ---
|
||||||
|
RUN set -eux; \
|
||||||
|
case "${TARGETARCH}" in \
|
||||||
|
amd64) BIN="${BINARY_AMD64}" ;; \
|
||||||
|
arm64) BIN="${BINARY_ARM64}" ;; \
|
||||||
|
*) echo "Unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \
|
||||||
|
esac; \
|
||||||
|
echo "Using binary: $BIN"; \
|
||||||
|
test -f "$BIN"; \
|
||||||
|
cp "$BIN" /telemt
|
||||||
|
|
||||||
|
# --- Install UPX (arch-aware) ---
|
||||||
|
RUN set -eux; \
|
||||||
|
case "${TARGETARCH}" in \
|
||||||
|
amd64) UPX_ARCH="amd64" ;; \
|
||||||
|
arm64) UPX_ARCH="arm64" ;; \
|
||||||
|
*) echo "Unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \
|
||||||
|
esac; \
|
||||||
\
|
\
|
||||||
&& curl -fL \
|
curl -fL \
|
||||||
--retry 5 \
|
--retry 5 \
|
||||||
--retry-delay 3 \
|
--retry-delay 3 \
|
||||||
--connect-timeout 10 \
|
--connect-timeout 10 \
|
||||||
--max-time 120 \
|
--max-time 120 \
|
||||||
-o /tmp/upx.tar.xz \
|
-o /tmp/upx.tar.xz \
|
||||||
https://github.com/telemt/telemt/releases/download/toolchains/upx-amd64_linux.tar.xz \
|
"https://github.com/telemt/telemt/releases/download/toolchains/upx-${UPX_ARCH}_linux.tar.xz"; \
|
||||||
&& tar -xf /tmp/upx.tar.xz -C /tmp \
|
\
|
||||||
&& mv /tmp/upx*/upx /usr/local/bin/upx \
|
tar -xf /tmp/upx.tar.xz -C /tmp; \
|
||||||
&& chmod +x /usr/local/bin/upx \
|
install -m 0755 /tmp/upx*/upx /usr/local/bin/upx; \
|
||||||
&& rm -rf /tmp/upx*
|
rm -rf /tmp/upx*
|
||||||
|
|
||||||
COPY ${BINARY} /telemt
|
# --- Optimize binary ---
|
||||||
|
RUN set -eux; \
|
||||||
RUN strip /telemt || true
|
test -f /telemt; \
|
||||||
RUN upx --best --lzma /telemt || true
|
strip --strip-unneeded /telemt || true; \
|
||||||
|
upx --best --lzma /telemt || true
|
||||||
|
|
||||||
# ==========================
|
# ==========================
|
||||||
# Debug image
|
# Debug Image
|
||||||
# ==========================
|
# ==========================
|
||||||
FROM debian:12-slim AS debug
|
FROM debian:12-slim AS debug
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
RUN set -eux; \
|
||||||
ca-certificates \
|
apt-get update; \
|
||||||
tzdata \
|
apt-get install -y --no-install-recommends \
|
||||||
curl \
|
ca-certificates \
|
||||||
iproute2 \
|
tzdata \
|
||||||
busybox \
|
curl \
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
iproute2 \
|
||||||
|
busybox; \
|
||||||
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
|
|
@ -54,7 +85,7 @@ ENTRYPOINT ["/app/telemt"]
|
||||||
CMD ["config.toml"]
|
CMD ["config.toml"]
|
||||||
|
|
||||||
# ==========================
|
# ==========================
|
||||||
# Production (REAL distroless)
|
# Production Distroless on MUSL
|
||||||
# ==========================
|
# ==========================
|
||||||
FROM gcr.io/distroless/static-debian12 AS prod
|
FROM gcr.io/distroless/static-debian12 AS prod
|
||||||
|
|
||||||
|
|
@ -68,4 +99,4 @@ USER nonroot:nonroot
|
||||||
EXPOSE 443 9090 9091
|
EXPOSE 443 9090 9091
|
||||||
|
|
||||||
ENTRYPOINT ["/app/telemt"]
|
ENTRYPOINT ["/app/telemt"]
|
||||||
CMD ["config.toml"]
|
CMD ["config.toml"]
|
||||||
|
|
|
||||||
|
|
@ -13,7 +13,7 @@ use std::sync::Arc;
|
||||||
use std::sync::{Mutex, OnceLock};
|
use std::sync::{Mutex, OnceLock};
|
||||||
use std::time::{Duration, Instant};
|
use std::time::{Duration, Instant};
|
||||||
use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt};
|
use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt};
|
||||||
use tracing::{debug, trace, warn};
|
use tracing::{debug, info, trace, warn};
|
||||||
use zeroize::{Zeroize, Zeroizing};
|
use zeroize::{Zeroize, Zeroizing};
|
||||||
|
|
||||||
use crate::config::{ProxyConfig, UnknownSniAction};
|
use crate::config::{ProxyConfig, UnknownSniAction};
|
||||||
|
|
@ -28,6 +28,8 @@ use rand::RngExt;
|
||||||
|
|
||||||
const ACCESS_SECRET_BYTES: usize = 16;
|
const ACCESS_SECRET_BYTES: usize = 16;
|
||||||
static INVALID_SECRET_WARNED: OnceLock<Mutex<HashSet<(String, String)>>> = OnceLock::new();
|
static INVALID_SECRET_WARNED: OnceLock<Mutex<HashSet<(String, String)>>> = OnceLock::new();
|
||||||
|
const UNKNOWN_SNI_WARN_COOLDOWN_SECS: u64 = 5;
|
||||||
|
static UNKNOWN_SNI_WARN_NEXT_ALLOWED: OnceLock<Mutex<Option<Instant>>> = OnceLock::new();
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
const WARNED_SECRET_MAX_ENTRIES: usize = 64;
|
const WARNED_SECRET_MAX_ENTRIES: usize = 64;
|
||||||
#[cfg(not(test))]
|
#[cfg(not(test))]
|
||||||
|
|
@ -86,6 +88,24 @@ fn auth_probe_saturation_state_lock()
|
||||||
.unwrap_or_else(|poisoned| poisoned.into_inner())
|
.unwrap_or_else(|poisoned| poisoned.into_inner())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn unknown_sni_warn_state_lock() -> std::sync::MutexGuard<'static, Option<Instant>> {
|
||||||
|
UNKNOWN_SNI_WARN_NEXT_ALLOWED
|
||||||
|
.get_or_init(|| Mutex::new(None))
|
||||||
|
.lock()
|
||||||
|
.unwrap_or_else(|poisoned| poisoned.into_inner())
|
||||||
|
}
|
||||||
|
|
||||||
|
fn should_emit_unknown_sni_warn(now: Instant) -> bool {
|
||||||
|
let mut guard = unknown_sni_warn_state_lock();
|
||||||
|
if let Some(next_allowed) = *guard
|
||||||
|
&& now < next_allowed
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
*guard = Some(now + Duration::from_secs(UNKNOWN_SNI_WARN_COOLDOWN_SECS));
|
||||||
|
true
|
||||||
|
}
|
||||||
|
|
||||||
fn normalize_auth_probe_ip(peer_ip: IpAddr) -> IpAddr {
|
fn normalize_auth_probe_ip(peer_ip: IpAddr) -> IpAddr {
|
||||||
match peer_ip {
|
match peer_ip {
|
||||||
IpAddr::V4(ip) => IpAddr::V4(ip),
|
IpAddr::V4(ip) => IpAddr::V4(ip),
|
||||||
|
|
@ -412,6 +432,25 @@ fn auth_probe_test_lock() -> &'static Mutex<()> {
|
||||||
TEST_LOCK.get_or_init(|| Mutex::new(()))
|
TEST_LOCK.get_or_init(|| Mutex::new(()))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
fn unknown_sni_warn_test_lock() -> &'static Mutex<()> {
|
||||||
|
static TEST_LOCK: OnceLock<Mutex<()>> = OnceLock::new();
|
||||||
|
TEST_LOCK.get_or_init(|| Mutex::new(()))
|
||||||
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
fn clear_unknown_sni_warn_state_for_testing() {
|
||||||
|
if UNKNOWN_SNI_WARN_NEXT_ALLOWED.get().is_some() {
|
||||||
|
let mut guard = unknown_sni_warn_state_lock();
|
||||||
|
*guard = None;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
fn should_emit_unknown_sni_warn_for_testing(now: Instant) -> bool {
|
||||||
|
should_emit_unknown_sni_warn(now)
|
||||||
|
}
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
fn clear_warned_secrets_for_testing() {
|
fn clear_warned_secrets_for_testing() {
|
||||||
if let Some(warned) = INVALID_SECRET_WARNED.get()
|
if let Some(warned) = INVALID_SECRET_WARNED.get()
|
||||||
|
|
@ -658,12 +697,25 @@ where
|
||||||
if client_sni.is_some() && matched_tls_domain.is_none() && preferred_user_hint.is_none() {
|
if client_sni.is_some() && matched_tls_domain.is_none() && preferred_user_hint.is_none() {
|
||||||
auth_probe_record_failure(peer.ip(), Instant::now());
|
auth_probe_record_failure(peer.ip(), Instant::now());
|
||||||
maybe_apply_server_hello_delay(config).await;
|
maybe_apply_server_hello_delay(config).await;
|
||||||
debug!(
|
let sni = client_sni.as_deref().unwrap_or_default();
|
||||||
peer = %peer,
|
let log_now = Instant::now();
|
||||||
sni = ?client_sni,
|
if should_emit_unknown_sni_warn(log_now) {
|
||||||
action = ?config.censorship.unknown_sni_action,
|
warn!(
|
||||||
"TLS handshake rejected by unknown SNI policy"
|
peer = %peer,
|
||||||
);
|
sni = %sni,
|
||||||
|
unknown_sni = true,
|
||||||
|
unknown_sni_action = ?config.censorship.unknown_sni_action,
|
||||||
|
"TLS handshake rejected by unknown SNI policy"
|
||||||
|
);
|
||||||
|
} else {
|
||||||
|
info!(
|
||||||
|
peer = %peer,
|
||||||
|
sni = %sni,
|
||||||
|
unknown_sni = true,
|
||||||
|
unknown_sni_action = ?config.censorship.unknown_sni_action,
|
||||||
|
"TLS handshake rejected by unknown SNI policy"
|
||||||
|
);
|
||||||
|
}
|
||||||
return match config.censorship.unknown_sni_action {
|
return match config.censorship.unknown_sni_action {
|
||||||
UnknownSniAction::Drop => HandshakeResult::Error(ProxyError::UnknownTlsSni),
|
UnknownSniAction::Drop => HandshakeResult::Error(ProxyError::UnknownTlsSni),
|
||||||
UnknownSniAction::Mask => HandshakeResult::BadClient { reader, writer },
|
UnknownSniAction::Mask => HandshakeResult::BadClient { reader, writer },
|
||||||
|
|
|
||||||
|
|
@ -1643,6 +1643,32 @@ fn auth_probe_capacity_fresh_full_map_still_tracks_newcomer_with_bounded_evictio
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn unknown_sni_warn_cooldown_first_event_is_warn_and_repeated_events_are_info_until_window_expires()
|
||||||
|
{
|
||||||
|
let _guard = unknown_sni_warn_test_lock()
|
||||||
|
.lock()
|
||||||
|
.unwrap_or_else(|poisoned| poisoned.into_inner());
|
||||||
|
clear_unknown_sni_warn_state_for_testing();
|
||||||
|
|
||||||
|
let now = Instant::now();
|
||||||
|
|
||||||
|
assert!(
|
||||||
|
should_emit_unknown_sni_warn_for_testing(now),
|
||||||
|
"first unknown SNI event must be eligible for WARN emission"
|
||||||
|
);
|
||||||
|
assert!(
|
||||||
|
!should_emit_unknown_sni_warn_for_testing(now + Duration::from_secs(1)),
|
||||||
|
"events inside cooldown window must be demoted from WARN to INFO"
|
||||||
|
);
|
||||||
|
assert!(
|
||||||
|
should_emit_unknown_sni_warn_for_testing(
|
||||||
|
now + Duration::from_secs(UNKNOWN_SNI_WARN_COOLDOWN_SECS)
|
||||||
|
),
|
||||||
|
"once cooldown expires, next unknown SNI event must be WARN-eligible again"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn stress_auth_probe_full_map_churn_keeps_bound_and_tracks_newcomers() {
|
fn stress_auth_probe_full_map_churn_keeps_bound_and_tracks_newcomers() {
|
||||||
let _guard = auth_probe_test_lock()
|
let _guard = auth_probe_test_lock()
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue