Add comprehensive security tests for masking and shape hardening features

- Introduced red-team expected-fail tests for client masking shape hardening. - Added integration tests for masking AB envelope blur to improve obfuscation. - Implemented masking security tests to validate the behavior of masking under various conditions. - Created tests for masking shape above-cap blur to ensure proper functionality. - Developed adversarial tests for masking shape hardening to evaluate robustness against attacks. - Added timing normalization security tests to assess the effectiveness of timing obfuscation. - Implemented red-team expected-fail tests for timing side-channel vulnerabilities.
2026-04-17 18:44:10 +03:00 · 2026-03-21 00:30:51 +04:00
parent 8814854ae4
commit bb355e916f
19 changed files with 1937 additions and 27 deletions
--- a/src/config/defaults.rs
+++ b/src/config/defaults.rs
@@ -515,7 +515,7 @@ pub(crate) fn default_alpn_enforce() -> bool {
 }

 pub(crate) fn default_mask_shape_hardening() -> bool {
-    false
+    true
 }

 pub(crate) fn default_mask_shape_bucket_floor_bytes() -> usize {
@@ -526,6 +526,26 @@ pub(crate) fn default_mask_shape_bucket_cap_bytes() -> usize {
    4096
 }

+pub(crate) fn default_mask_shape_above_cap_blur() -> bool {
+    false
+}
+
+pub(crate) fn default_mask_shape_above_cap_blur_max_bytes() -> usize {
+    512
+}
+
+pub(crate) fn default_mask_timing_normalization_enabled() -> bool {
+    false
+}
+
+pub(crate) fn default_mask_timing_normalization_floor_ms() -> u64 {
+    0
+}
+
+pub(crate) fn default_mask_timing_normalization_ceiling_ms() -> u64 {
+    0
+}
+
 pub(crate) fn default_stun_servers() -> Vec<String> {
    vec![
        "stun.l.google.com:5349".to_string(),