Skip to content

test: TLS SNI edge-case coverage for NameType, size, and trailing bytes#60

Merged
Zious11 merged 6 commits intodevelopfrom
worktree-issue-52-tls-sni-edge-cases
Apr 13, 2026
Merged

test: TLS SNI edge-case coverage for NameType, size, and trailing bytes#60
Zious11 merged 6 commits intodevelopfrom
worktree-issue-52-tls-sni-edge-cases

Conversation

@Zious11
Copy link
Copy Markdown
Owner

@Zious11 Zious11 commented Apr 10, 2026

Summary

Edge cases covered

Case Tests Pinned behavior
Non-zero NameType test_non_zero_name_type_sni_entry, test_non_zero_name_type_with_valid_first_entry tls_parser includes unknown types; extract_sni ignores type field
Large/oversized SNI test_large_sni_near_record_payload_limit, test_oversized_sni_exceeds_record_payload_limit 16KB parses; >18,432 rejected at record layer
Trailing bytes test_trailing_bytes_in_server_name_list tls_parser tolerates trailing garbage; first entry readable

Note on u16 boundary (65K SNI)

The issue mentioned testing at the u16 max (65,535 bytes). This is unreachable through the production code path — MAX_RECORD_PAYLOAD (18,432 bytes) rejects the record before SNI parsing begins. The test_oversized_sni_exceeds_record_payload_limit test pins the actual effective boundary.

Closes #52

Test plan

  • All 26 TLS analyzer tests pass
  • Full suite passes (176+ tests)
  • cargo clippy --all-targets clean
  • cargo fmt --check clean
  • Multi-agent PR review (test-analyzer, code-reviewer) — 1 issue fixed

Zious11 added 2 commits April 10, 2026 16:47
@Zious11
test: TLS SNI edge-case coverage for NameType, size, trailing bytes (#52
83b8a3c 
)

Add 5 tests and extend the fixture builder for issue #52's 3 edge cases:

Builder changes:
- Add build_client_hello_with_typed_sni_list(&[(u8, &[u8])]) for
  explicit NameType per entry (non-zero NameType testing)
- Refactor build_client_hello_with_sni_list to delegate to typed variant
- Add build_client_hello_with_raw_sni_ext for hand-crafted SNI framing

Tests added:
- test_non_zero_name_type_sni_entry: NameType=1 is included by
  tls_parser and treated as hostname by extract_sni (pinned)
- test_non_zero_name_type_with_valid_first_entry: mixed types,
  first entry (type 0) takes priority
- test_large_sni_near_record_payload_limit: 16KB hostname parses OK
- test_oversized_sni_exceeds_record_payload_limit: record rejected
  at 18,432-byte payload limit, parse error incremented
- test_trailing_bytes_in_server_name_list: tls_parser accepts
  malformed framing with trailing garbage (pinned)

Closes #52
@Zious11
fix: use checked_mul in raw SNI builder, clean stale comment
8ba7576 
Address code review: raw SNI extension builder now uses checked_mul(2)
for cipher byte length, consistent with the typed builder. Also fix
the self-correcting "name_len=11 (wait, 12 bytes)" comment.
@Zious11 Zious11 requested a review from Copilot April 10, 2026 20:51
Copilot AI reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds TLS SNI “pin” tests to cover edge cases called out in issue #52, ensuring the analyzer’s behavior is documented and future tls_parser upgrades that change parsing semantics are caught by CI.

Changes:

  • Refactors build_client_hello_with_sni_list to delegate to a new typed SNI builder that allows explicit NameType.
  • Adds a raw-SNI-extension ClientHello builder to craft malformed/non-standard SNI framing (e.g., trailing bytes).
  • Introduces 5 new tests covering non-zero NameType, large/oversized SNI vs MAX_RECORD_PAYLOAD, and trailing bytes in ServerNameList.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread tests/tls_analyzer_tests.rs
Comment thread tests/tls_analyzer_tests.rs Outdated
@Zious11
fix: use checked conversions in trailing-bytes test
3f2d442 
Address Copilot review: replace `as u16` casts with u16::try_from in
the trailing-bytes test for consistency with the builder functions.
@Zious11 Zious11 requested a review from Copilot April 10, 2026 21:23
Copilot AI reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread tests/tls_analyzer_tests.rs Outdated
Comment thread tests/tls_analyzer_tests.rs
@Zious11
fix: assert oversize test precondition; clarify large-SNI intent
45edd5b 
Address Copilot round 2 feedback:
- Add explicit payload-length assertion in the oversized-SNI test so
  fixture drift (overhead estimate changes) fails loudly instead of
  passing vacuously.
- Clarify in comment that the large-SNI test pins size-handling only
  and does not care about DNS label validity.
@Zious11 Zious11 requested a review from Copilot April 13, 2026 00:25
Copilot AI reviewed Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread tests/tls_analyzer_tests.rs
Comment thread tests/tls_analyzer_tests.rs
@Zious11
fix: local const for MAX_RECORD_PAYLOAD; clarify typed SNI doc
a30043b 
Address Copilot round 3:
- Add local const MAX_RECORD_PAYLOAD in the oversize test, mirroring
  the pattern used by test_non_utf8_sni_finding_fires_when_sni_counts_at_capacity
  for MAX_MAP_ENTRIES.
- Clarify the typed SNI builder doc: bytes are a hostname only for
  NameType=host_name(0); for other types the bytes are opaque
  ServerName payload per the RFC 6066 enum.
@Zious11 Zious11 requested a review from Copilot April 13, 2026 00:33
Copilot AI reviewed Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread tests/tls_analyzer_tests.rs Outdated
@Zious11
fix: type-agnostic panic message in typed SNI builder
fe20fd7 
Address Copilot round 4: the builder now accepts non-host_name(0)
NameTypes where bytes are opaque ServerName payload, so the panic
message should reference ServerName rather than RFC 6066 HostName.
@Zious11 Zious11 requested a review from Copilot April 13, 2026 00:37
Copilot AI reviewed Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Zious11 Zious11 merged commit 4169df0 into develop Apr 13, 2026
8 checks passed
@Zious11 Zious11 deleted the worktree-issue-52-tls-sni-edge-cases branch April 13, 2026 00:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

test: add TLS SNI edge-case coverage for non-zero NameType, max length, and trailing bytes

2 participants

@Zious11