naughtysoul/telemt
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

TLS Stream Tuning

Browse Source
This commit is contained in:
Alexey
2026-01-01 23:48:52 +03:00
parent 50658525cf
commit 0e096ca8fb
1 changed files with 277 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

277
src/transport/tls_stream.rs Normal file
View File

@@ -0,0 +1,277 @@
//! Fake TLS 1.3 stream wrappers
use bytes::{Bytes, BytesMut};
use std::io::{Error, ErrorKind, Result};
use std::pin::Pin;
use std::task::{Context, Poll};
use tokio::io::{AsyncRead, AsyncWrite, AsyncReadExt, AsyncWriteExt, ReadBuf};
use crate::protocol::constants::{
TLS_VERSION, TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER,
MAX_TLS_CHUNK_SIZE,
};
use parking_lot::Mutex;
/// Reader that unwraps TLS 1.3 records
pub struct FakeTlsReader<R> {
upstream: R,
buffer: BytesMut,
pending_read: Option<PendingTlsRead>,
}
struct PendingTlsRead {
record_type: u8,
remaining: usize,
}
impl<R> FakeTlsReader<R> {
/// Create new fake TLS reader
pub fn new(upstream: R) -> Self {
Self {
upstream,
buffer: BytesMut::with_capacity(16384),
pending_read: None,
}
}
/// Get reference to upstream
pub fn get_ref(&self) -> &R {
&self.upstream
}
/// Get mutable reference to upstream
pub fn get_mut(&mut self) -> &mut R {
&mut self.upstream
}
/// Consume and return upstream
pub fn into_inner(self) -> R {
self.upstream
}
}
impl<R: AsyncRead + Unpin> FakeTlsReader<R> {
/// Read exactly n bytes through TLS layer
pub async fn read_exact(&mut self, n: usize) -> Result<Bytes> {
while self.buffer.len() < n {
let data = self.read_tls_record().await?;
if data.is_empty() {
return Err(Error::new(ErrorKind::UnexpectedEof, "Connection closed"));
}
self.buffer.extend_from_slice(&data);
}
Ok(self.buffer.split_to(n).freeze())
}
/// Read a single TLS record
async fn read_tls_record(&mut self) -> Result<Vec<u8>> {
loop {
// Read TLS record header (5 bytes)
let mut header = [0u8; 5];
self.upstream.read_exact(&mut header).await?;
let record_type = header[0];
let version = [header[1], header[2]];
let length = u16::from_be_bytes([header[3], header[4]]) as usize;
// Validate version
if version != TLS_VERSION {
return Err(Error::new(
ErrorKind::InvalidData,
format!("Invalid TLS version: {:02x?}", version),
));
}
// Read record body
let mut data = vec![0u8; length];
self.upstream.read_exact(&mut data).await?;
match record_type {
TLS_RECORD_CHANGE_CIPHER => continue, // Skip
TLS_RECORD_APPLICATION => return Ok(data),
_ => {
return Err(Error::new(
ErrorKind::InvalidData,
format!("Unexpected TLS record type: 0x{:02x}", record_type),
));
}
}
}
}
}
impl<R: AsyncRead + Unpin> AsyncRead for FakeTlsReader<R> {
fn poll_read(
mut self: Pin<&mut Self>,
cx: &mut Context<'_>,
buf: &mut ReadBuf<'_>,
) -> Poll<Result<()>> {
// Drain buffer first
if !self.buffer.is_empty() {
let to_copy = self.buffer.len().min(buf.remaining());
buf.put_slice(&self.buffer.split_to(to_copy));
return Poll::Ready(Ok(()));
}
// We need to read a TLS record, but poll_read doesn't support async/await
// So we'll do a simplified version that reads header synchronously
// Read header
let mut header = [0u8; 5];
let mut header_buf = ReadBuf::new(&mut header);
match Pin::new(&mut self.upstream).poll_read(cx, &mut header_buf) {
Poll::Ready(Ok(())) => {
if header_buf.filled().len() < 5 {
// Need more data - store what we have and return pending
// For simplicity, we'll just return empty
return Poll::Ready(Ok(()));
}
}
Poll::Ready(Err(e)) => return Poll::Ready(Err(e)),
Poll::Pending => return Poll::Pending,
}
let record_type = header[0];
let length = u16::from_be_bytes([header[3], header[4]]) as usize;
if record_type == TLS_RECORD_CHANGE_CIPHER {
// Skip this record, try again
cx.waker().wake_by_ref();
return Poll::Pending;
}
if record_type != TLS_RECORD_APPLICATION {
return Poll::Ready(Err(Error::new(
ErrorKind::InvalidData,
"Invalid TLS record type",
)));
}
// Read body
let mut body = vec![0u8; length];
let mut body_buf = ReadBuf::new(&mut body);
match Pin::new(&mut self.upstream).poll_read(cx, &mut body_buf) {
Poll::Ready(Ok(())) => {
let filled = body_buf.filled();
let to_copy = filled.len().min(buf.remaining());
buf.put_slice(&filled[..to_copy]);
if filled.len() > to_copy {
self.buffer.extend_from_slice(&filled[to_copy..]);
}
Poll::Ready(Ok(()))
}
Poll::Ready(Err(e)) => Poll::Ready(Err(e)),
Poll::Pending => Poll::Pending,
}
}
}
/// Writer that wraps data in TLS 1.3 records
pub struct FakeTlsWriter<W> {
upstream: W,
}
impl<W> FakeTlsWriter<W> {
/// Create new fake TLS writer
pub fn new(upstream: W) -> Self {
Self { upstream }
}
/// Get reference to upstream
pub fn get_ref(&self) -> &W {
&self.upstream
}
/// Get mutable reference to upstream
pub fn get_mut(&mut self) -> &mut W {
&mut self.upstream
}
/// Consume and return upstream
pub fn into_inner(self) -> W {
self.upstream
}
}
impl<W: AsyncWrite + Unpin> AsyncWrite for FakeTlsWriter<W> {
fn poll_write(
mut self: Pin<&mut Self>,
cx: &mut Context<'_>,
buf: &[u8],
) -> Poll<Result<usize>> {
// Build TLS record
let chunk_size = buf.len().min(MAX_TLS_CHUNK_SIZE);
let chunk = &buf[..chunk_size];
let mut record = Vec::with_capacity(5 + chunk_size);
record.push(TLS_RECORD_APPLICATION);
record.extend_from_slice(&TLS_VERSION);
record.push((chunk_size >> 8) as u8);
record.push(chunk_size as u8);
record.extend_from_slice(chunk);
match Pin::new(&mut self.upstream).poll_write(cx, &record) {
Poll::Ready(Ok(written)) => {
if written >= 5 {
Poll::Ready(Ok(written - 5))
} else {
Poll::Ready(Ok(0))
}
}
Poll::Ready(Err(e)) => Poll::Ready(Err(e)),
Poll::Pending => Poll::Pending,
}
}
fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<()>> {
Pin::new(&mut self.upstream).poll_flush(cx)
}
fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<()>> {
Pin::new(&mut self.upstream).poll_shutdown(cx)
}
}
impl<W: AsyncWrite + Unpin> FakeTlsWriter<W> {
/// Write all data wrapped in TLS records (async method)
pub async fn write_all_tls(&mut self, data: &[u8]) -> Result<()> {
for chunk in data.chunks(MAX_TLS_CHUNK_SIZE) {
let header = [
TLS_RECORD_APPLICATION,
TLS_VERSION[0],
TLS_VERSION[1],
(chunk.len() >> 8) as u8,
chunk.len() as u8,
];
self.upstream.write_all(&header).await?;
self.upstream.write_all(chunk).await?;
}
Ok(())
}
}
#[cfg(test)]
mod tests {
use super::*;
use tokio::io::duplex;
#[tokio::test]
async fn test_tls_stream_roundtrip() {
let (client, server) = duplex(4096);
let mut writer = FakeTlsWriter::new(client);
let mut reader = FakeTlsReader::new(server);
let original = b"Hello, fake TLS!";
writer.write_all_tls(original).await.unwrap();
writer.flush().await.unwrap();
let received = reader.read_exact(original.len()).await.unwrap();
assert_eq!(&received[..], original);
}
}