Refactor TLS fallback tests to remove unnecessary client hello assertions

- Removed assertions for expected client hello messages in multiple TLS fallback tests to streamline the test logic. - Updated the tests to focus on verifying the trailing TLS records received after the fallback. - Enhanced the masking functionality by adding shape hardening features, including dynamic padding based on sent data size. - Modified the relay_to_mask function to accommodate new parameters for shape hardening. - Updated masking security tests to reflect changes in the relay_to_mask function signature.
2026-04-17 02:24:10 +03:00 · 2026-03-20 22:44:39 +04:00
parent 3abde52de8
commit 0eca535955
16 changed files with 3354 additions and 346 deletions
--- a/src/config/defaults.rs
+++ b/src/config/defaults.rs
@@ -514,6 +514,18 @@ pub(crate) fn default_alpn_enforce() -> bool {
    true
 }

+pub(crate) fn default_mask_shape_hardening() -> bool {
+    false
+}
+
+pub(crate) fn default_mask_shape_bucket_floor_bytes() -> usize {
+    512
+}
+
+pub(crate) fn default_mask_shape_bucket_cap_bytes() -> usize {
+    4096
+}
+
 pub(crate) fn default_stun_servers() -> Vec<String> {
    vec![
        "stun.l.google.com:5349".to_string(),
--- a/src/config/hot_reload.rs
+++ b/src/config/hot_reload.rs
@@ -580,6 +580,11 @@ fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig, non_hot_changed: b
        || old.censorship.tls_full_cert_ttl_secs != new.censorship.tls_full_cert_ttl_secs
        || old.censorship.alpn_enforce != new.censorship.alpn_enforce
        || old.censorship.mask_proxy_protocol != new.censorship.mask_proxy_protocol
+        || old.censorship.mask_shape_hardening != new.censorship.mask_shape_hardening
+        || old.censorship.mask_shape_bucket_floor_bytes
+            != new.censorship.mask_shape_bucket_floor_bytes
+        || old.censorship.mask_shape_bucket_cap_bytes
+            != new.censorship.mask_shape_bucket_cap_bytes
    {
        warned = true;
        warn!("config reload: censorship settings changed; restart required");
--- a/src/config/types.rs
+++ b/src/config/types.rs
@@ -1394,6 +1394,19 @@ pub struct AntiCensorshipConfig {
    /// Allows the backend to see the real client IP.
    #[serde(default)]
    pub mask_proxy_protocol: u8,
+
+    /// Enable shape-channel hardening on mask backend path by padding
+    /// client->mask stream tail to configured buckets on stream end.
+    #[serde(default = "default_mask_shape_hardening")]
+    pub mask_shape_hardening: bool,
+
+    /// Minimum bucket size for mask shape hardening padding.
+    #[serde(default = "default_mask_shape_bucket_floor_bytes")]
+    pub mask_shape_bucket_floor_bytes: usize,
+
+    /// Maximum bucket size for mask shape hardening padding.
+    #[serde(default = "default_mask_shape_bucket_cap_bytes")]
+    pub mask_shape_bucket_cap_bytes: usize,
 }

 impl Default for AntiCensorshipConfig {
@@ -1415,6 +1428,9 @@ impl Default for AntiCensorshipConfig {
            tls_full_cert_ttl_secs: default_tls_full_cert_ttl_secs(),
            alpn_enforce: default_alpn_enforce(),
            mask_proxy_protocol: 0,
+            mask_shape_hardening: default_mask_shape_hardening(),
+            mask_shape_bucket_floor_bytes: default_mask_shape_bucket_floor_bytes(),
+            mask_shape_bucket_cap_bytes: default_mask_shape_bucket_cap_bytes(),
        }
    }
 }