Implement aggressive shape hardening mode and related tests

2026-04-17 02:24:10 +03:00 · 2026-03-21 22:25:29 +04:00
parent c0a3e43aa8
commit e7e763888b
19 changed files with 637 additions and 46 deletions
--- a/src/config/defaults.rs
+++ b/src/config/defaults.rs
@@ -523,6 +523,10 @@ pub(crate) fn default_mask_shape_hardening() -> bool {
    true
 }

+pub(crate) fn default_mask_shape_hardening_aggressive_mode() -> bool {
+    false
+}
+
 pub(crate) fn default_mask_shape_bucket_floor_bytes() -> usize {
    512
 }
--- a/src/config/load.rs
+++ b/src/config/load.rs
@@ -406,6 +406,15 @@ impl ProxyConfig {
            ));
        }

+        if config.censorship.mask_shape_hardening_aggressive_mode
+            && !config.censorship.mask_shape_hardening
+        {
+            return Err(ProxyError::Config(
+                "censorship.mask_shape_hardening_aggressive_mode requires censorship.mask_shape_hardening = true"
+                    .to_string(),
+            ));
+        }
+
        if config.censorship.mask_shape_above_cap_blur
            && config.censorship.mask_shape_above_cap_blur_max_bytes == 0
        {
--- a/src/config/tests/load_mask_shape_security_tests.rs
+++ b/src/config/tests/load_mask_shape_security_tests.rs
@@ -194,3 +194,45 @@ mask_timing_normalization_ceiling_ms = 240

    remove_temp_config(&path);
 }
+
+#[test]
+fn load_rejects_aggressive_shape_mode_when_shape_hardening_disabled() {
+    let path = write_temp_config(
+        r#"
+[censorship]
+mask_shape_hardening = false
+mask_shape_hardening_aggressive_mode = true
+"#,
+    );
+
+    let err = ProxyConfig::load(&path)
+        .expect_err("aggressive shape hardening mode must require shape hardening enabled");
+    let msg = err.to_string();
+    assert!(
+        msg.contains("censorship.mask_shape_hardening_aggressive_mode requires censorship.mask_shape_hardening = true"),
+        "error must explain aggressive-mode prerequisite, got: {msg}"
+    );
+
+    remove_temp_config(&path);
+}
+
+#[test]
+fn load_accepts_aggressive_shape_mode_when_shape_hardening_enabled() {
+    let path = write_temp_config(
+        r#"
+[censorship]
+mask_shape_hardening = true
+mask_shape_hardening_aggressive_mode = true
+mask_shape_above_cap_blur = true
+mask_shape_above_cap_blur_max_bytes = 8
+"#,
+    );
+
+    let cfg = ProxyConfig::load(&path)
+        .expect("aggressive shape hardening mode should be accepted when prerequisites are met");
+    assert!(cfg.censorship.mask_shape_hardening);
+    assert!(cfg.censorship.mask_shape_hardening_aggressive_mode);
+    assert!(cfg.censorship.mask_shape_above_cap_blur);
+
+    remove_temp_config(&path);
+}
--- a/src/config/types.rs
+++ b/src/config/types.rs
@@ -1417,6 +1417,12 @@ pub struct AntiCensorshipConfig {
    #[serde(default = "default_mask_shape_hardening")]
    pub mask_shape_hardening: bool,

+    /// Opt-in aggressive shape hardening mode.
+    /// When enabled, masking may shape some backend-silent timeout paths and
+    /// enforces strictly positive above-cap blur when blur is enabled.
+    #[serde(default = "default_mask_shape_hardening_aggressive_mode")]
+    pub mask_shape_hardening_aggressive_mode: bool,
+
    /// Minimum bucket size for mask shape hardening padding.
    #[serde(default = "default_mask_shape_bucket_floor_bytes")]
    pub mask_shape_bucket_floor_bytes: usize,
@@ -1467,6 +1473,7 @@ impl Default for AntiCensorshipConfig {
            alpn_enforce: default_alpn_enforce(),
            mask_proxy_protocol: 0,
            mask_shape_hardening: default_mask_shape_hardening(),
+            mask_shape_hardening_aggressive_mode: default_mask_shape_hardening_aggressive_mode(),
            mask_shape_bucket_floor_bytes: default_mask_shape_bucket_floor_bytes(),
            mask_shape_bucket_cap_bytes: default_mask_shape_bucket_cap_bytes(),
            mask_shape_above_cap_blur: default_mask_shape_above_cap_blur(),