global buf size mtu based config and protocol rename

This commit is contained in:
2026-03-25 16:03:11 +07:00
parent 743c6bf05c
commit a213c01158
30 changed files with 102 additions and 92 deletions
+196
View File
@@ -0,0 +1,196 @@
use crate::crypto::session::SessionKeys;
use crate::nrxp::errors::{ErrorAction, ErrorStage, TlsError};
use crate::nrxp::parser::parser::Parser;
use crate::tlseng::extension::ExtensionStack;
use crate::tlseng::handshake::{ClientHello, HelloHeader, ServerHello};
use crate::tlseng::profile::{BrowserProfile, ServerProfile};
use crate::tlseng::tls_record::TlsRecord;
use crate::tlseng::types::{ContentType, HelloType};
use crate::tlseng::ApplicationData;
use bytes::{Bytes, BytesMut};
pub trait TlsInterceptor {
type Output;
fn start_process(buffer: &mut BytesMut) -> Result<Option<Self::Output>, TlsError> {
match TlsRecord::parse(buffer) {
Ok(Some(record)) => Self::handle_record(record),
Ok(None) => Ok(None),
Err(e) => Err(e),
}
}
fn handle_record(record: TlsRecord) -> Result<Option<Self::Output>, TlsError>;
}
pub enum HandshakeMessage {
Client {
base: ClientHello,
extensions: ExtensionStack,
},
Server {
base: ServerHello,
extensions: ExtensionStack,
},
}
impl HandshakeMessage {
pub fn random(&self) -> [u8; 32] {
match self {
Self::Client { base, .. } => base.random,
Self::Server { base, .. } => base.random,
}
}
pub fn extensions(&self) -> &ExtensionStack {
match self {
Self::Client { extensions, .. } => extensions,
Self::Server { extensions, .. } => extensions,
}
}
}
impl TlsInterceptor for HandshakeMessage {
type Output = HandshakeMessage;
fn handle_record(record: TlsRecord) -> Result<Option<Self::Output>, TlsError> {
if record.content_type != ContentType::Handshake {
return Err(TlsError::new(
ErrorStage::Handshake("Expected Handshake record"),
ErrorAction::Drop,
record.serialize(),
));
}
let mut payload = BytesMut::from(record.payload.as_ref());
if let Some(header) = HelloHeader::parse(&mut payload)? {
match header.header_type {
HelloType::Client => {
if let Some(hello) = ClientHello::parse(&mut payload)? {
let ext =
ExtensionStack::parse(&mut BytesMut::from(hello.extensions.as_ref()))?
.ok_or_else(|| {
TlsError::new(
ErrorStage::Handshake("Ext Err"),
ErrorAction::Drop,
Bytes::new(),
)
})?;
return Ok(Some(HandshakeMessage::Client {
base: hello,
extensions: ext,
}));
}
}
HelloType::Server => {
if let Some(hello) = ServerHello::parse(&mut payload)? {
let ext =
ExtensionStack::parse(&mut BytesMut::from(hello.extensions.as_ref()))?
.ok_or_else(|| {
TlsError::new(
ErrorStage::Handshake("Ext Err"),
ErrorAction::Drop,
Bytes::new(),
)
})?;
return Ok(Some(HandshakeMessage::Server {
base: hello,
extensions: ext,
}));
}
}
}
}
Ok(None)
}
}
impl TlsInterceptor for ApplicationData {
type Output = ApplicationData;
fn handle_record(record: TlsRecord) -> Result<Option<Self::Output>, TlsError> {
if record.content_type != ContentType::ApplicationData {
return Err(TlsError::new(
ErrorStage::ApplicationData("Expected AppData record"),
ErrorAction::Drop,
record.serialize(),
));
}
Ok(Some(ApplicationData {
_len: record.payload.len(),
payload: record.payload,
}))
}
}
pub struct TlsBridge;
impl TlsBridge {
pub fn unpack_handshake(buffer: &mut BytesMut) -> Result<Option<HandshakeMessage>, TlsError> {
HandshakeMessage::start_process(buffer)
}
pub fn unpack_app_data(buffer: &mut BytesMut) -> Result<Option<ApplicationData>, TlsError> {
ApplicationData::start_process(buffer)
}
pub fn wrap_client_hello(profile: &BrowserProfile, host: &str, keys: &SessionKeys) -> Bytes {
ClientHello::make_client_hello(profile, host, keys)
}
pub fn wrap_server_hello(
client_msg: &HandshakeMessage,
keys: &mut SessionKeys,
profile: &ServerProfile,
) -> Result<Bytes, TlsError> {
if let HandshakeMessage::Client { base, extensions } = client_msg {
if base.session_id.len() != 32 {
return Err(TlsError::new(
ErrorStage::Handshake("Invalid SessionID len"),
ErrorAction::Drop,
Bytes::new(),
));
}
let mut received_tag = [0u8; 16];
received_tag.copy_from_slice(&base.session_id[16..32]);
if !keys.verify_auth_tag(&received_tag) {
netrunner_logger::warn!("Unauthorized ClientHello: Auth Tag mismatch");
return Err(TlsError::new(
ErrorStage::Handshake("Auth Failed"),
ErrorAction::Drop,
Bytes::new(),
));
}
keys.update_keys(base.random, extensions, true)
.map_err(|e| {
netrunner_logger::error!(error = %e, "Server failed key update");
TlsError::new(
ErrorStage::Handshake("Key Exchange Failed"),
ErrorAction::Drop,
Bytes::new(),
)
})?;
let server_pub_key = keys.ecdh.public_key.to_bytes();
Ok(ServerHello::make_server_hello(
base,
&server_pub_key,
keys.salt.get_local(),
profile,
))
} else {
Err(TlsError::new(
ErrorStage::Handshake("Expected ClientHello for SH generation"),
ErrorAction::Drop,
Bytes::new(),
))
}
}
pub fn pack_app_data(buffer: Bytes) -> Bytes {
TlsRecord::build_application_data(buffer)
}
}
+218
View File
@@ -0,0 +1,218 @@
use bytes::{Bytes, BytesMut};
use crate::crypto::aead::AeadPacker;
use crate::crypto::chacha::ChaChaCipher;
use crate::crypto::session::SessionKeys;
use crate::nrxp::codec::bridge::TlsBridge;
use crate::nrxp::codec::frame::{Frame, FrameHeader, FrameType, Padding};
use crate::nrxp::errors::{ErrorAction, ErrorStage, TlsError};
use crate::nrxp::parser::parser::Parser;
use crate::tlseng::profile::{BrowserProfile, ServerProfile};
pub struct Codec {
crypto: ChaChaCipher,
pub session_keys: SessionKeys,
staging: BytesMut,
}
impl Codec {
pub fn new(is_initiator: bool) -> Self {
Self {
crypto: ChaChaCipher::new(),
session_keys: SessionKeys::new(is_initiator),
staging: BytesMut::new(),
}
}
pub fn make_client_handshake(
&mut self,
profile: &BrowserProfile,
host: &str,
) -> Result<Bytes, TlsError> {
Ok(TlsBridge::wrap_client_hello(
profile,
host,
&self.session_keys,
))
}
pub fn make_server_handshake(&mut self, buffer: &mut BytesMut) -> Result<Bytes, TlsError> {
let client_msg = TlsBridge::unpack_handshake(buffer)?.ok_or_else(|| {
TlsError::new(
ErrorStage::Handshake("No CH"),
ErrorAction::Wait,
Bytes::new(),
)
})?;
let server_hello_record = TlsBridge::wrap_server_hello(
&client_msg,
&mut self.session_keys,
&ServerProfile::MODERN,
)?;
let (w_key, w_iv, r_key, r_iv) = self.session_keys.get_aead_parameters();
self.crypto.set_keys(w_key, w_iv, r_key, r_iv);
Ok(server_hello_record)
}
pub fn process_handshake(&mut self, buffer: &mut BytesMut) -> Result<(), TlsError> {
let mes_opt = TlsBridge::unpack_handshake(buffer)?;
let mes = mes_opt.ok_or_else(|| {
TlsError::new(
ErrorStage::Handshake("Incomplete record"),
ErrorAction::Wait,
Bytes::new(),
)
})?;
let (w_key, w_iv, r_key, r_iv) = self
.session_keys
.update_keys(mes.random(), mes.extensions(), false)
.map_err(|e| {
netrunner_logger::error!(error = %e, "Client failed to update keys from ServerHello");
TlsError::new(
ErrorStage::Handshake("Keys update error"),
ErrorAction::Drop,
Bytes::new(),
)
})?;
self.crypto.set_keys(w_key, w_iv, r_key, r_iv);
Ok(())
}
pub async fn try_handshake(&mut self, buffer: &mut BytesMut) -> Result<bool, TlsError> {
match self.process_handshake(buffer) {
Ok(_) => Ok(true),
Err(e) if e.action == ErrorAction::Wait => Ok(false),
Err(e) => Err(e),
}
}
fn outbound(
&mut self,
stream_id: u32,
frame_type: FrameType,
payload: Bytes,
) -> Result<Bytes, TlsError> {
let padding = Padding::generate_padding();
let tag = self.session_keys.generate_auth_tag();
netrunner_logger::debug!(
step = %(std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH).unwrap().as_secs() / 60),
auth_key_hash = %hex::encode(&self.session_keys.auth_key[..4]),
generated_tag = %hex::encode(&tag[..4]),
"OUTBOUND: Generated auth tag"
);
let header = FrameHeader {
auth_tag: [0u8; 16],
stream_id,
frame_type,
payload_len: payload.len() as u16,
padding_len: padding.len as u16,
};
let frame = Frame {
header,
payload,
padding: padding.data,
};
let mut frame_bytes = frame.into_bytes(&tag);
let encrypted_payload = self.crypto.encrypt(&mut frame_bytes).map_err(|e| {
netrunner_logger::error!("Encryption failed: {:?}", e);
TlsError::new(
ErrorStage::Tls("Encryption failed"),
ErrorAction::Drop,
Bytes::new(),
)
})?;
Ok(TlsBridge::pack_app_data(encrypted_payload))
}
pub fn encrypt_data(
&mut self,
stream_id: u32,
frame_type: FrameType,
data: Bytes,
) -> Result<Bytes, TlsError> {
self.outbound(stream_id, frame_type, data)
}
pub fn inbound(&mut self, buffer: &mut BytesMut) -> Result<Option<Frame>, TlsError> {
if !self.staging.is_empty() {
if let Some(frame) = self.try_parse_frame()? {
return Ok(Some(frame));
}
}
while let Some(app_data) = TlsBridge::unpack_app_data(buffer).map_err(|e| {
self.staging.clear();
e
})? {
let mut data_to_decrypt = BytesMut::from(app_data.payload);
let decrypted = self.crypto.decrypt(&mut data_to_decrypt).map_err(|_| {
self.staging.clear();
TlsError::new(
ErrorStage::Tls("Decr error"),
ErrorAction::Drop,
Bytes::new(),
)
})?;
if decrypted.len() < 16 {
self.staging.clear();
return Err(TlsError::new(
ErrorStage::Tls("Packet too short for auth"),
ErrorAction::Drop,
Bytes::new(),
));
}
let mut received_tag = [0u8; 16];
received_tag.copy_from_slice(&decrypted[..16]);
if !self.session_keys.verify_auth_tag(&received_tag) {
netrunner_logger::error!(
expected_hash = %hex::encode(&self.session_keys.auth_key[..4]),
received = %hex::encode(&received_tag[..4]),
"AUTH MISMATCH: Potential replay or MITM attack. Dropping connection."
);
self.staging.clear();
return Err(TlsError::new(
ErrorStage::Tls("Auth tag mismatch"),
ErrorAction::Drop,
Bytes::new(),
));
}
self.staging.extend_from_slice(&decrypted);
if let Some(frame) = self.try_parse_frame()? {
return Ok(Some(frame));
}
}
Ok(None)
}
fn try_parse_frame(&mut self) -> Result<Option<Frame>, TlsError> {
match Frame::parse(&mut self.staging) {
Ok(Some(frame)) => Ok(Some(frame)),
Ok(None) => Ok(None),
Err(_) => {
self.staging.clear();
Err(TlsError::new(
ErrorStage::Tls("Parse error"),
ErrorAction::Drop,
Bytes::new(),
))
}
}
}
}
+77
View File
@@ -0,0 +1,77 @@
use bytes::{BufMut, Bytes, BytesMut};
use rand::Rng;
use crate::nrxp::codec::MAX_PADDING_SIZE;
pub struct Padding {
pub len: u16,
pub data: Bytes,
}
impl Padding {
pub fn generate_padding() -> Padding {
let mut rng = rand::rng();
let random_u32: u32 = rng.next_u32();
let padding_len: u16 = (random_u32 % MAX_PADDING_SIZE) as u16;
let mut padding = vec![0u8; padding_len as usize];
rng.fill_bytes(&mut padding);
Padding {
len: padding_len,
data: Bytes::from(padding),
}
}
}
#[derive(Copy, Clone, Debug)]
pub enum FrameType {
Connect = 0x00,
Data = 0x01,
Close = 0x02,
Heartbeat = 0x03,
UdpConnect = 0x04,
UdpData = 0x05,
}
#[derive(Copy, Clone)]
pub struct FrameHeader {
pub auth_tag: [u8; 16],
pub stream_id: u32,
pub frame_type: FrameType,
pub payload_len: u16,
pub padding_len: u16,
}
pub struct Frame {
pub header: FrameHeader,
pub payload: Bytes,
pub padding: Bytes,
}
const AUTH_TAG_SIZE: u16 = 16;
const STREAM_ID_SIZE: u16 = 4;
const FRAME_TYPE_SIZE: u16 = 1;
const PAYLOAD_LEN_SIZE: u16 = 2;
const PADDING_LEN_SIZE: u16 = 2;
pub const FRAME_HEADER_SIZE: u16 =
AUTH_TAG_SIZE + STREAM_ID_SIZE + FRAME_TYPE_SIZE + PAYLOAD_LEN_SIZE + PADDING_LEN_SIZE;
impl Frame {
pub fn into_bytes(self, auth_key: &[u8; 16]) -> BytesMut {
let updated_padding = Padding::generate_padding();
let total_size = FRAME_HEADER_SIZE as usize + self.payload.len() + self.padding.len();
let mut buf = BytesMut::with_capacity(total_size);
buf.put_slice(auth_key);
buf.put_u32(self.header.stream_id);
buf.put_u8(self.header.frame_type as u8);
buf.put_u16(self.header.payload_len);
buf.put_u16(updated_padding.len);
buf.put(self.payload);
buf.put(updated_padding.data);
buf
}
}
+6
View File
@@ -0,0 +1,6 @@
mod bridge;
pub mod codec;
pub mod frame;
pub mod socks;
pub const MAX_PADDING_SIZE: u32 = 255;
+229
View File
@@ -0,0 +1,229 @@
use std::fmt;
use bytes::{BufMut, BytesMut};
use crate::nrxp::parser::parser::Parser;
pub const SOCKS5_VERSION: u8 = 0x05;
pub const REPLY_SUCCESS: u8 = 0x00;
pub const REPLY_AUTH_FAILURE: u8 = 0xFF;
pub const SOCKS5_MIN_HEADER: usize = 4;
pub const ATYP_IPV4: u8 = 0x01;
pub const ATYP_DOMAIN: u8 = 0x03;
pub const ATYP_IPV6: u8 = 0x04;
pub const IPV4_SIZE: usize = 4;
pub const IPV6_SIZE: usize = 16;
pub const PORT_SIZE: usize = 2;
#[derive(Debug)]
pub enum SocksRequest {
Handshake { methods: Vec<u8> },
Connect { command: u8, target: SocksTarget },
Unknown,
}
impl SocksRequest {
pub async fn handle_handshake<S>(
stream: &mut S,
buf: &mut BytesMut,
) -> Result<SocksTarget, String>
where
S: tokio::io::AsyncReadExt + tokio::io::AsyncWriteExt + Unpin,
{
loop {
if let Some(req) = Self::parse(buf)? {
if let SocksRequest::Handshake { .. } = req {
let mut reply = BytesMut::with_capacity(2);
SocksReply::HandshakeSelect { method: 0x00 }.write_to(&mut reply);
stream.write_all(&reply).await.map_err(|e| e.to_string())?;
break;
}
return Err("Expected Handshake, got something else".into());
}
if stream.read_buf(buf).await.map_err(|e| e.to_string())? == 0 {
return Err("Client closed during greeting".into());
}
}
loop {
if let Some(req) = Self::parse(buf)? {
if let SocksRequest::Connect { command, target } = req {
if command != 0x01 {
return Err(format!("Unsupported SOCKS command: 0x{:02X}", command));
}
return Ok(target);
}
}
if stream.read_buf(buf).await.map_err(|e| e.to_string())? == 0 {
return Err("Client closed during connect request".into());
}
}
}
pub async fn perform_client_handshake<S>(
stream: &mut S,
target_addr: &TargetAddress,
) -> Result<(), String>
where
S: tokio::io::AsyncReadExt + tokio::io::AsyncWriteExt + Unpin,
{
let greeting = [SOCKS5_VERSION, 0x01, 0x00];
stream
.write_all(&greeting)
.await
.map_err(|e| e.to_string())?;
let mut method_selection = [0u8; 2];
stream
.read_exact(&mut method_selection)
.await
.map_err(|e| e.to_string())?;
if method_selection[0] != SOCKS5_VERSION || method_selection[1] != 0x00 {
return Err(format!(
"Proxy rejected auth method or version: {:02X?}",
method_selection
));
}
let mut connect_req = BytesMut::with_capacity(32);
connect_req.put_u8(SOCKS5_VERSION);
connect_req.put_u8(0x01);
connect_req.put_u8(0x00);
match target_addr {
TargetAddress::Ipv4(ip, port) => {
connect_req.put_u8(ATYP_IPV4);
connect_req.put_slice(&ip.octets());
connect_req.put_u16(*port);
}
TargetAddress::Ipv6(ip, port) => {
connect_req.put_u8(ATYP_IPV6);
connect_req.put_slice(&ip.octets());
connect_req.put_u16(*port);
}
TargetAddress::Domain(host, port) => {
connect_req.put_u8(ATYP_DOMAIN);
let host_bytes = host.as_bytes();
connect_req.put_u8(host_bytes.len() as u8);
connect_req.put_slice(host_bytes);
connect_req.put_u16(*port);
}
}
stream
.write_all(&connect_req)
.await
.map_err(|e| e.to_string())?;
let mut reply_header = [0u8; 4];
stream
.read_exact(&mut reply_header)
.await
.map_err(|e| e.to_string())?;
if reply_header[1] != REPLY_SUCCESS {
return Err(format!(
"Proxy failed to connect, code: {:02X}",
reply_header[1]
));
}
let atyp = reply_header[3];
let remain_len = match atyp {
ATYP_IPV4 => IPV4_SIZE + PORT_SIZE,
ATYP_IPV6 => IPV6_SIZE + PORT_SIZE,
ATYP_DOMAIN => {
let len = stream.read_u8().await.map_err(|e| e.to_string())?;
len as usize + PORT_SIZE
}
_ => return Err("Unknown ATYP in proxy response".into()),
};
let mut discard = vec![0u8; remain_len];
stream
.read_exact(&mut discard)
.await
.map_err(|e| e.to_string())?;
Ok(())
}
}
#[derive(Debug)]
pub enum SocksReply {
HandshakeSelect {
method: u8,
},
ConnectResult {
reply_code: u8,
atyp: u8,
addr: [u8; 4],
port: u16,
},
}
#[derive(Debug, Clone)]
pub enum TargetAddress {
Ipv4(std::net::Ipv4Addr, u16),
Domain(String, u16),
Ipv6(std::net::Ipv6Addr, u16),
}
impl fmt::Display for TargetAddress {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self {
TargetAddress::Ipv4(addr, port) => write!(f, "{}:{}", addr, port),
TargetAddress::Domain(domain, port) => write!(f, "{}:{}", domain, port),
TargetAddress::Ipv6(addr, port) => write!(f, "[{}]:{}", addr, port),
}
}
}
#[derive(Debug)]
pub struct SocksTarget {
pub addr: TargetAddress,
}
impl SocksReply {
pub fn write_to(self, buf: &mut BytesMut) {
match self {
SocksReply::HandshakeSelect { method } => {
buf.put_u8(SOCKS5_VERSION);
buf.put_u8(method);
}
SocksReply::ConnectResult {
reply_code,
atyp,
addr,
port,
} => {
buf.put_u8(SOCKS5_VERSION);
buf.put_u8(reply_code);
buf.put_u8(0x00);
buf.put_u8(atyp);
buf.put_slice(&addr);
buf.put_u16(port);
}
}
}
}
impl SocksTarget {
pub fn to_string(&self) -> String {
match &self.addr {
TargetAddress::Ipv4(ip, port) => {
format!("{}:{}", ip, port)
}
TargetAddress::Ipv6(ip, port) => {
format!("[{}]:{}", ip, port)
}
TargetAddress::Domain(domain, port) => {
let clean_domain = domain.replace('\0', "");
format!("{}:{}", clean_domain, port)
}
}
}
}