Preserve TLS-F Origin Record Choreography

Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 21:41:43 +03:00 · 2026-06-11 13:51:58 +03:00
parent c4b58ad374
commit eba55e755d
3 changed files with 28 additions and 30 deletions
--- a/src/tls_front/emulator.rs
+++ b/src/tls_front/emulator.rs
@@ -74,19 +74,13 @@ fn ensure_payload_capacity(mut sizes: Vec<usize>, payload_len: usize) -> Vec<usi
 fn emulated_app_data_sizes(cached: &CachedTlsData) -> Vec<usize> {
    match cached.behavior_profile.source {
        TlsProfileSource::Raw | TlsProfileSource::Merged => {
-            return cached
-                .app_data_records_sizes
-                .first()
-                .copied()
-                .or_else(|| {
-                    cached
-                        .behavior_profile
-                        .app_data_record_sizes
-                        .first()
-                        .copied()
-                })
-                .map(|size| vec![size])
-                .unwrap_or_else(|| vec![cached.total_app_data_len.max(1024)]);
+            if !cached.behavior_profile.app_data_record_sizes.is_empty() {
+                return cached.behavior_profile.app_data_record_sizes.clone();
+            }
+            if !cached.app_data_records_sizes.is_empty() {
+                return cached.app_data_records_sizes.clone();
+            }
+            return vec![cached.total_app_data_len.max(1024)];
        }
        TlsProfileSource::Default | TlsProfileSource::Rustls => {}
    }
@@ -383,6 +377,7 @@ pub fn build_emulated_server_hello(
    // ALPN selection is encrypted inside EncryptedExtensions in real TLS 1.3.
    // Keeping the FakeTLS record body opaque avoids a stable plaintext marker.
    let _ = alpn;
+    let mut payload_offset = 0usize;
    for size in sizes {
        let mut rec = Vec::with_capacity(5 + size);
        rec.push(TLS_RECORD_APPLICATION);
@@ -392,10 +387,11 @@ pub fn build_emulated_server_hello(
        if let Some(payload) = selected_payload {
            if size > 17 {
                let body_len = size - 17;
-                let remaining = payload.len();
+                let remaining = payload.len().saturating_sub(payload_offset);
                let copy_len = remaining.min(body_len);
                if copy_len > 0 {
-                    rec.extend_from_slice(&payload[..copy_len]);
+                    rec.extend_from_slice(&payload[payload_offset..payload_offset + copy_len]);
+                    payload_offset += copy_len;
                }
                if body_len > copy_len {
                    rec.extend_from_slice(&rng.bytes(body_len - copy_len));
@@ -791,11 +787,15 @@ mod tests {

        let hello_len = u16::from_be_bytes([response[3], response[4]]) as usize;
        let ccs_start = 5 + hello_len;
-        let app_start = ccs_start + 6;
-        let app_len =
-            u16::from_be_bytes([response[app_start + 3], response[app_start + 4]]) as usize;
-        assert_eq!(response[app_start], TLS_RECORD_APPLICATION);
-        assert_eq!(app_len, 64);
-        assert_eq!(app_start + 5 + app_len, response.len());
+        let mut pos = ccs_start + 6;
+        let mut app_lens = Vec::new();
+        while pos + 5 <= response.len() {
+            let record_len = u16::from_be_bytes([response[pos + 3], response[pos + 4]]) as usize;
+            assert_eq!(response[pos], TLS_RECORD_APPLICATION);
+            app_lens.push(record_len);
+            pos += 5 + record_len;
+        }
+        assert_eq!(app_lens, vec![64, 3905, 537]);
+        assert_eq!(pos, response.len());
    }
 }
--- a/src/tls_front/fetcher.rs
+++ b/src/tls_front/fetcher.rs
@@ -1036,13 +1036,11 @@ where
    let mut app_sizes = behavior_profile.app_data_record_sizes.clone();
    app_sizes.extend_from_slice(&behavior_profile.ticket_record_sizes);
    let total_app_data_len = app_sizes.iter().sum::<usize>().max(1024);
-    let app_data_records_sizes = behavior_profile
-        .app_data_record_sizes
-        .first()
-        .copied()
-        .or_else(|| behavior_profile.ticket_record_sizes.first().copied())
-        .map(|size| vec![size])
-        .unwrap_or_else(|| vec![total_app_data_len]);
+    let app_data_records_sizes = if app_sizes.is_empty() {
+        vec![total_app_data_len]
+    } else {
+        app_sizes
+    };

    Ok(TlsFetchResult {
        server_hello_parsed: parsed,
--- a/src/tls_front/tests/emulator_profile_fidelity_security_tests.rs
+++ b/src/tls_front/tests/emulator_profile_fidelity_security_tests.rs
@@ -97,7 +97,7 @@ fn emulated_server_hello_does_not_emit_profile_ticket_tail_when_disabled() {
    );

    let app_records = record_lengths_by_type(&response, TLS_RECORD_APPLICATION);
-    assert_eq!(app_records, vec![1200]);
+    assert_eq!(app_records, vec![1200, 900]);
 }

 #[test]
@@ -120,5 +120,5 @@ fn emulated_server_hello_uses_profile_ticket_lengths_when_enabled() {
    );

    let app_records = record_lengths_by_type(&response, TLS_RECORD_APPLICATION);
-    assert_eq!(app_records, vec![1200, 220, 180]);
+    assert_eq!(app_records, vec![1200, 900, 220, 180]);
 }