Zeroize for key + log refactor + fix tests

- Fixed tests that failed to compile due to mismatched generic parameters of HandshakeResult: - Changed `HandshakeResult<i32>` to `HandshakeResult<i32, (), ()>` - Changed `HandshakeResult::BadClient` to `HandshakeResult::BadClient { reader: (), writer: () }` - Added Zeroize for all structures holding key material: - AesCbc – key and IV are zeroized on drop - SecureRandomInner – PRNG output buffer is zeroized on drop; local key copy in constructor is zeroized immediately after being passed to the cipher - ObfuscationParams – all four key‑material fields are zeroized on drop - HandshakeSuccess – all four key‑material fields are zeroized on drop - Added protocol‑requirement documentation for legacy hashes (CodeQL suppression) in hash.rs (MD5/SHA‑1) - Added documentation for zeroize limitations of AesCtr (opaque cipher state) in aes.rs - Implemented silent‑mode logging and refactored initialization: - Added LogLevel enum to config and CLI flags --silent / --log-level - Added parse_cli() to handle --silent, --log-level, --help - Restructured main.rs initialization order: CLI → config load → determine log level → init tracing - Errors before tracing initialization are printed via eprintln! - Proxy links (tg://) are printed via println! – always visible regardless of log level - Configuration summary and operational messages are logged via info! (suppressed in silent mode) - Connection processing errors are lowered to debug! (hidden in silent mode) - Warning about default tls_domain moved to main (after tracing init) Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-02-07 19:49:41 +03:00
parent b9428d9780
commit 92cedabc81
12 changed files with 355 additions and 225 deletions
--- a/src/main.rs
+++ b/src/main.rs
@@ -5,7 +5,7 @@ use std::sync::Arc;
 use std::time::Duration;
 use tokio::net::TcpListener;
 use tokio::signal;
-use tracing::{info, error, warn};
+use tracing::{info, error, warn, debug};
 use tracing_subscriber::{fmt, EnvFilter};

 mod config;
@@ -18,7 +18,7 @@ mod stream;
 mod transport;
 mod util;

-use crate::config::ProxyConfig;
+use crate::config::{ProxyConfig, LogLevel};
 use crate::proxy::ClientHandler;
 use crate::stats::{Stats, ReplayChecker};
 use crate::crypto::SecureRandom;
@@ -26,53 +26,129 @@ use crate::transport::{create_listener, ListenOptions, UpstreamManager};
 use crate::util::ip::detect_ip;
 use crate::stream::BufferPool;

+/// Parse command-line arguments.
+///
+/// Usage: telemt [config_path] [--silent] [--log-level <level>]
+///
+/// Returns (config_path, silent_flag, log_level_override)
+fn parse_cli() -> (String, bool, Option<String>) {
+    let mut config_path = "config.toml".to_string();
+    let mut silent = false;
+    let mut log_level: Option<String> = None;
+    
+    let args: Vec<String> = std::env::args().skip(1).collect();
+    let mut i = 0;
+    while i < args.len() {
+        match args[i].as_str() {
+            "--silent" | "-s" => {
+                silent = true;
+            }
+            "--log-level" => {
+                i += 1;
+                if i < args.len() {
+                    log_level = Some(args[i].clone());
+                }
+            }
+            s if s.starts_with("--log-level=") => {
+                log_level = Some(s.trim_start_matches("--log-level=").to_string());
+            }
+            "--help" | "-h" => {
+                eprintln!("Usage: telemt [config.toml] [OPTIONS]");
+                eprintln!();
+                eprintln!("Options:");
+                eprintln!("  --silent, -s            Suppress info logs (only warn/error)");
+                eprintln!("  --log-level <LEVEL>     Set log level: debug|verbose|normal|silent");
+                eprintln!("  --help, -h              Show this help");
+                std::process::exit(0);
+            }
+            s if !s.starts_with('-') => {
+                config_path = s.to_string();
+            }
+            other => {
+                eprintln!("Unknown option: {}", other);
+            }
+        }
+        i += 1;
+    }
+    
+    (config_path, silent, log_level)
+}
+
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
-    // Initialize logging
-    fmt()
-        .with_env_filter(EnvFilter::from_default_env().add_directive("info".parse().unwrap()))
-        .init();
+    // 1. Parse CLI arguments
+    let (config_path, cli_silent, cli_log_level) = parse_cli();

-    // Load config
-    let config_path = std::env::args().nth(1).unwrap_or_else(|| "config.toml".to_string());
+    // 2. Load config (tracing not yet initialized — errors go to stderr)
    let config = match ProxyConfig::load(&config_path) {
        Ok(c) => c,
        Err(e) => {
-            // If config doesn't exist, try to create default
            if std::path::Path::new(&config_path).exists() {
-                error!("Failed to load config: {}", e);
+                eprintln!("[telemt] Error: Failed to load config '{}': {}", config_path, e);
                std::process::exit(1);
            } else {
                let default = ProxyConfig::default();
-                let toml = toml::to_string_pretty(&default).unwrap();
-                std::fs::write(&config_path, toml).unwrap();
-                info!("Created default config at {}", config_path);
+                let toml_str = toml::to_string_pretty(&default).unwrap();
+                std::fs::write(&config_path, toml_str).unwrap();
+                eprintln!("[telemt] Created default config at {}", config_path);
                default
            }
        }
    };
    
-    config.validate()?;
+    if let Err(e) = config.validate() {
+        eprintln!("[telemt] Error: Invalid configuration: {}", e);
+        std::process::exit(1);
+    }
+
+    // 3. Determine effective log level
+    //    Priority: RUST_LOG env > CLI flags > config file > default (normal)
+    let effective_log_level = if cli_silent {
+        LogLevel::Silent
+    } else if let Some(ref level_str) = cli_log_level {
+        LogLevel::from_str_loose(level_str)
+    } else {
+        config.general.log_level.clone()
+    };
    
-    // Log loaded configuration for debugging
-    info!("=== Configuration Loaded ===");
-    info!("TLS Domain: {}", config.censorship.tls_domain);
-    info!("Mask enabled: {}", config.censorship.mask);
-    info!("Mask host: {}", config.censorship.mask_host.as_deref().unwrap_or(&config.censorship.tls_domain));
-    info!("Mask port: {}", config.censorship.mask_port);
-    info!("Modes: classic={}, secure={}, tls={}", 
-        config.general.modes.classic, 
-        config.general.modes.secure, 
+    // 4. Initialize tracing
+    let filter = if std::env::var("RUST_LOG").is_ok() {
+        // RUST_LOG takes absolute priority
+        EnvFilter::from_default_env()
+    } else {
+        EnvFilter::new(effective_log_level.to_filter_str())
+    };
+    
+    fmt()
+        .with_env_filter(filter)
+        .init();
+    
+    // 5. Log startup info (operational — respects log level)
+    info!("Telemt MTProxy v{}", env!("CARGO_PKG_VERSION"));
+    info!("Log level: {}", effective_log_level);
+    info!(
+        "Modes: classic={} secure={} tls={}",
+        config.general.modes.classic,
+        config.general.modes.secure,
        config.general.modes.tls
    );
-    info!("============================");
+    info!("TLS domain: {}", config.censorship.tls_domain);
+    info!(
+        "Mask: {} -> {}:{}",
+        config.censorship.mask,
+        config.censorship.mask_host.as_deref().unwrap_or(&config.censorship.tls_domain),
+        config.censorship.mask_port
+    );
+    
+    if config.censorship.tls_domain == "www.google.com" {
+        warn!("Using default tls_domain (www.google.com). Consider setting a custom domain.");
+    }
    
    let config = Arc::new(config);
    let stats = Arc::new(Stats::new());
    let rng = Arc::new(SecureRandom::new());
    
-    // Initialize global ReplayChecker
-    // Using sharded implementation for better concurrency
+    // Initialize ReplayChecker
    let replay_checker = Arc::new(ReplayChecker::new(
        config.access.replay_check_len,
        Duration::from_secs(config.access.replay_window_secs),
@@ -81,20 +157,20 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialize Upstream Manager
    let upstream_manager = Arc::new(UpstreamManager::new(config.upstreams.clone()));
    
-    // Initialize Buffer Pool
-    // 16KB buffers, max 4096 buffers (~64MB total cached)
+    // Initialize Buffer Pool (16KB buffers, max 4096 cached ≈ 64MB)
    let buffer_pool = Arc::new(BufferPool::with_config(16 * 1024, 4096));
    
-    // Start Health Checks
+    // Start health checks
    let um_clone = upstream_manager.clone();
    tokio::spawn(async move {
        um_clone.run_health_checks().await;
    });

-    // Detect public IP if needed (once at startup)
+    // Detect public IP (once at startup)
    let detected_ip = detect_ip().await;
+    debug!("Detected IPs: v4={:?} v6={:?}", detected_ip.ipv4, detected_ip.ipv6);

-    // Start Listeners
+    // 6. Start listeners
    let mut listeners = Vec::new();
    
    for listener_conf in &config.server.listeners {
@@ -122,33 +198,33 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
                    listener_conf.ip
                };

-                // Show links for configured users
+                // 7. Print proxy links (always visible — uses println!, not tracing)
                if !config.show_link.is_empty() {
-                    info!("--- Proxy Links for {} ---", public_ip);
+                    println!("--- Proxy Links ({}) ---", public_ip);
                    for user_name in &config.show_link {
                        if let Some(secret) = config.access.users.get(user_name) {
-                            info!("User: {}", user_name);
+                            println!("[{}]", user_name);

                            if config.general.modes.classic {
-                                info!("  Classic: tg://proxy?server={}&port={}&secret={}", 
+                                println!("  Classic: tg://proxy?server={}&port={}&secret={}", 
                                    public_ip, config.server.port, secret);
                            }

                            if config.general.modes.secure {
-                                info!("  DD:      tg://proxy?server={}&port={}&secret=dd{}", 
+                                println!("  DD:      tg://proxy?server={}&port={}&secret=dd{}", 
                                    public_ip, config.server.port, secret);
                            }

                            if config.general.modes.tls {
                                let domain_hex = hex::encode(&config.censorship.tls_domain);
-                                info!("  EE-TLS:  tg://proxy?server={}&port={}&secret=ee{}{}", 
+                                println!("  EE-TLS:  tg://proxy?server={}&port={}&secret=ee{}{}", 
                                    public_ip, config.server.port, secret, domain_hex);
                            }
                        } else {
-                            warn!("User '{}' specified in show_link not found in users list", user_name);
+                            warn!("User '{}' in show_link not found in users", user_name);
                        }
                    }
-                    info!("-----------------------------------");
+                    println!("------------------------");
                }
                
                listeners.push(listener);
@@ -164,7 +240,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
        std::process::exit(1);
    }

-    // Accept loop
+    // 8. Accept loop
    for listener in listeners {
        let config = config.clone();
        let stats = stats.clone();
@@ -195,7 +271,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
                                buffer_pool,
                                rng
                            ).run().await {
-                                // Log only relevant errors
+                                debug!(peer = %peer_addr, error = %e, "Connection error");
                            }
                        });
                    }
@@ -208,7 +284,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
        });
    }

-    // Wait for signal
+    // 9. Wait for shutdown signal
    match signal::ctrl_c().await {
        Ok(()) => info!("Shutting down..."),
        Err(e) => error!("Signal error: {}", e),