Account for full-word paddings in roundtrip tests

2026-06-18 08:58:30 +03:00 · 2026-06-14 19:38:54 +03:00
parent 2e26bfb86e
commit 04b8d8365c
3 changed files with 29 additions and 4 deletions
--- a/src/proxy/middle_relay/idle/read.rs
+++ b/src/proxy/middle_relay/idle/read.rs
@@ -331,7 +331,8 @@ where
        )
        .await?;

-        // Secure Intermediate: strip validated trailing padding bytes.
+        // Secure Intermediate strips only non-aligned tail padding; full-word
+        // padding is indistinguishable from payload in VersionD framing.
        if proto_tag == ProtoTag::Secure {
            payload.truncate(secure_payload_len);
        }
--- a/src/stream/frame_codec.rs
+++ b/src/stream/frame_codec.rs
@@ -523,6 +523,16 @@ mod tests {
    use tokio::io::duplex;
    use tokio_util::codec::{FramedRead, FramedWrite};

+    fn assert_secure_decoded_payload(decoded: &[u8], original: &[u8]) {
+        assert!(decoded.starts_with(original));
+        assert!(
+            (original.len()..=original.len() + 12).contains(&decoded.len()),
+            "Secure decoded payload may retain up to 12 bytes of full-word padding, got {}",
+            decoded.len()
+        );
+        assert_eq!(decoded.len() % 4, 0);
+    }
+
    #[tokio::test]
    async fn test_framed_abridged() {
        let (client, server) = duplex(4096);
@@ -565,7 +575,7 @@ mod tests {
        writer.send(frame).await.unwrap();

        let received = reader.next().await.unwrap().unwrap();
-        assert_eq!(&received.data[..], &original[..]);
+        assert_secure_decoded_payload(&received.data, &original);
    }

    #[tokio::test]
@@ -588,7 +598,11 @@ mod tests {
            writer.send(frame).await.unwrap();

            let received = reader.next().await.unwrap().unwrap();
-            assert_eq!(received.data.len(), 8);
+            if proto_tag == ProtoTag::Secure {
+                assert_secure_decoded_payload(&received.data, &original);
+            } else {
+                assert_eq!(received.data.len(), original.len());
+            }
        }
    }

--- a/src/stream/frame_stream.rs
+++ b/src/stream/frame_stream.rs
@@ -559,6 +559,16 @@ mod tests {
    use std::sync::Arc;
    use tokio::io::duplex;

+    fn assert_secure_decoded_payload(decoded: &[u8], original: &[u8]) {
+        assert!(decoded.starts_with(original));
+        assert!(
+            (original.len()..=original.len() + 12).contains(&decoded.len()),
+            "Secure decoded payload may retain up to 12 bytes of full-word padding, got {}",
+            decoded.len()
+        );
+        assert_eq!(decoded.len() % 4, 0);
+    }
+
    #[tokio::test]
    async fn test_abridged_roundtrip() {
        let (client, server) = duplex(1024);
@@ -625,7 +635,7 @@ mod tests {
        writer.flush().await.unwrap();

        let (received, _meta) = reader.read_frame().await.unwrap();
-        assert_eq!(received.len(), data.len());
+        assert_secure_decoded_payload(&received, &data);
    }

    #[tokio::test]