Merged
32 changes: 32 additions & 0 deletions docs/demo-evidence/STORY-145/AC-001-002-direction-carry-drain.tape
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
Output demos/story-145/AC-001-002-direction-carry-drain.webm

Set FontFamily "Menlo"
Set FontSize 18
Set Width 1200
Set Height 600
Set Theme "Catppuccin Mocha"
Set WindowBar Colorful
Set BorderRadius 8
Set Padding 20
Set Framerate 30
Set PlaybackSpeed 1.0

# AC-145-001 / AC-145-002
# Direction-parameterized carry drain + C2S/S2C carry isolation
#
# proptest_vp039_direction_isolation: delivers fragmented ClientHello (C2S) and
# fragmented ServerHello (S2C) in interleaved order; each direction drains its
# own carry buffer independently; both client_hello_seen and server_hello_seen
# end true; parse_errors == 0; both carry buffers drain to zero.

Hide
Type "cd /Users/zious/Documents/GITHUB/wirerust/.worktrees/story-145-tls-serverhello-symmetry"
Enter
Show

Type "# AC-145-001/002: fragmented ServerHello S2C carry drain + direction isolation"
Enter
Sleep 1s
Type "cargo test --test tls_analyzer_tests story_145::proptest_vp039_direction_isolation"
Enter
Sleep 5s
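Review bot: The hidden `Type "cd /Users/zious/Documents/GITHUB/wirerust/.worktrees/story-145-tls-serverhello-symmetry"` step hard-codes one developer's home directory and worktree name, so the tape cannot be replayed on another machine or in CI, and it commits a local username and directory layout to the repository. Drop the `cd` and document that the tape is run from the repository root, or use a path relative to it; the same line appears in the other two tapes in this change. Separately, `Sleep 5s` after the `cargo test` line is a fixed wait: if the test binary is not already compiled, the recording ends before `... ok` is printed, so a hidden `cargo test --no-run` before `Show` would make the result deterministic.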
Binary file not shown.
34 changes: 34 additions & 0 deletions docs/demo-evidence/STORY-145/AC-003-cross-flow-isolation.tape
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
Output demos/story-145/AC-003-cross-flow-isolation.webm

Set FontFamily "Menlo"
Set FontSize 18
Set Width 1200
Set Height 600
Set Theme "Catppuccin Mocha"
Set WindowBar Colorful
Set BorderRadius 8
Set Padding 20
Set Framerate 30
Set PlaybackSpeed 1.0

# AC-145-003: Cross-flow isolation
#
# test_BC_2_07_041_cross_flow_isolation: two concurrent flows analyzed by one
# TlsAnalyzer instance.
# Flow A: complete single-record ClientHello (SNI=a.example) + complete S2C ServerHello
# Flow B: fragmented 2-record ClientHello (SNI=b.example) + fragmented 2-record S2C ServerHello
#
# Asserts: both flows have server_hello_seen==true; sni_counts has exactly 2
# entries (no cross-flow bleed); ja3s_counts >= 1; parse_errors == 0.

Hide
Type "cd /Users/zious/Documents/GITHUB/wirerust/.worktrees/story-145-tls-serverhello-symmetry"
Enter
Show

Type "# AC-145-003: two concurrent flows with fragmented ServerHellos -- no cross-flow bleed"
Enter
Sleep 1s
Type "cargo test --test tls_analyzer_tests story_145::test_BC_2_07_041_cross_flow_isolation"
Enter
Sleep 5s
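Review bot: The assertion list in the header comment checks cross-flow bleed only on the client side: `sni_counts has exactly 2 entries` distinguishes Flow A from Flow B, but `ja3s_counts >= 1` is satisfied even if only one of the two ServerHellos produced a JA3S, and the S2C direction is what this story adds. If the two ServerHellos are built to yield different JA3S values, assert exactly 2 entries; if they are intentionally identical, say so in the comment and, assuming `ja3s_counts` maps a fingerprint to its number of occurrences, assert that the single fingerprint was counted twice. Either way a fragment from Flow B landing in Flow A's S2C carry buffer should make the test fail, which the current lower bound does not guarantee.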
Binary file not shown.
42 changes: 42 additions & 0 deletions docs/demo-evidence/STORY-145/AC-005-single-record-regression.tape
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
Output demos/story-145/AC-005-single-record-regression.webm

Set FontFamily "Menlo"
Set FontSize 18
Set Width 1200
Set Height 600
Set Theme "Catppuccin Mocha"
Set WindowBar Colorful
Set BorderRadius 8
Set Padding 20
Set Framerate 30
Set PlaybackSpeed 1.0

# AC-145-005: Single-record ServerHello regression check
#
# Verifies that adding S2C carry-buffer drain logic does NOT break analysis
# of a normal (non-fragmented) single-record ServerHello.
#
# Part 1: unit test -- test_parse_server_hello sends a complete single-record
# ServerHello in S2C direction and asserts server_hello_seen == true.
#
# Part 2: CLI smoke -- wirerust analyze on a real TLS 1.2 pcap still
# produces a triage report with no errors.

Hide
Type "cd /Users/zious/Documents/GITHUB/wirerust/.worktrees/story-145-tls-serverhello-symmetry"
Enter
Show

Type "# AC-145-005: single-record ServerHello regression -- unit test"
Enter
Sleep 1s
Type "cargo test --test tls_analyzer_tests test_parse_server_hello"
Enter
Sleep 5s

Type "# AC-145-005: CLI smoke -- real TLS 1.2 pcap analyzed without error"
Enter
Sleep 1s
Type "./target/release/wirerust analyze tests/fixtures/tls12-aes256gcm.pcap"
Enter
Sleep 3s
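Review bot: The CLI smoke step runs `./target/release/wirerust analyze tests/fixtures/tls12-aes256gcm.pcap`, but nothing in the tape builds the release binary, so the recording can capture a stale binary that predates the S2C carry-drain change and still show a clean report. Add a hidden `cargo build --release` before `Show`, or record `cargo run --release -- analyze tests/fixtures/tls12-aes256gcm.pcap` instead. Also, `cargo test --test tls_analyzer_tests test_parse_server_hello` is a substring filter and runs every test whose name contains that string; passing `-- --exact` keeps the recording tied to the one test named in the comment.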
Binary file not shown.
119 changes: 119 additions & 0 deletions docs/demo-evidence/STORY-145/evidence-report.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
# Demo Evidence Report — STORY-145

**Story:** TLS ServerHello direction-symmetry handshake reassembly
**Date:** 2026-06-30
**Product:** wirerust (CLI, Rust)
**Recording tool:** VHS 0.11.0 + ffmpeg 8.1

---

## Summary

STORY-145 extends the TLS handshake-message reassembly carry-buffer mechanism
(introduced in STORY-144 for ClientHello/ClientToServer) to the ServerToClient
direction. A ServerHello fragmented across multiple TLS records is now
reassembled so JA3S extraction and detection work correctly. All four STORY-145
acceptance tests pass; three VHS terminal recordings provide per-AC visual evidence.

---

## Per-AC Demo Recordings

| AC | Test / command | Recording | Duration | Size | Result |
|----|----------------|-----------|----------|------|--------|
| AC-145-001, AC-145-002 | `proptest_vp039_direction_isolation` | [WebM](AC-001-002-direction-carry-drain.webm) [GIF](AC-001-002-direction-carry-drain.gif) | 14s | 136K / 537K | ok |
| AC-145-003 | `test_BC_2_07_041_cross_flow_isolation` | [WebM](AC-003-cross-flow-isolation.webm) [GIF](AC-003-cross-flow-isolation.gif) | 15s | 136K / 472K | ok |
| AC-145-005 | `test_parse_server_hello` + CLI pcap smoke | [WebM](AC-005-single-record-regression.webm) [GIF](AC-005-single-record-regression.gif) | 23s | 266K / 1.3M | ok |

---

## AC Coverage Detail

### AC-145-001 + AC-145-002: Direction-parameterized carry drain & C2S/S2C isolation

**Recording:** `AC-001-002-direction-carry-drain.webm`

**What is shown:** `proptest_vp039_direction_isolation` — a property-based test
that runs at multiple random split points. Three parallel analyzer instances
receive the same fragmented ClientHello (C2S) and fragmented ServerHello (S2C):
one interleaved, one C2S-only, one S2C-only. After full delivery the test asserts:

- `client_hello_seen == true` (C2S carry drain — STORY-144 path)
- `server_hello_seen == true` (S2C carry drain — **STORY-145 path**)
- `sni_counts` non-empty (SNI extracted from fragmented ClientHello)
- `ja3s_counts` non-empty (JA3S extracted from fragmented ServerHello)
- `parse_errors == 0`
- both `client_hs_carry_len == 0` and `server_hs_carry_len == 0` after full delivery

Terminal output visible: `test story_145::proptest_vp039_direction_isolation ... ok`
`test result: ok. 1 passed; 0 failed`

---

### AC-145-003: Cross-flow isolation (two concurrent fragmented-ServerHello flows)

**Recording:** `AC-003-cross-flow-isolation.webm`

**What is shown:** `test_BC_2_07_041_cross_flow_isolation` — one `TlsAnalyzer`
instance processes two flows simultaneously:

- **Flow A** (seed=10): complete single-record ClientHello (`a.example`) + complete S2C ServerHello
- **Flow B** (seed=20): fragmented 2-record ClientHello (`b.example`) + fragmented 2-record S2C ServerHello

Assertions verified: both `server_hello_seen == true`; `sni_counts` has exactly
2 entries (a.example + b.example, no cross-flow bleed); `ja3s_counts >= 1`; all
carry buffers drain to zero; `parse_errors == 0`.

Terminal output visible: `test story_145::test_BC_2_07_041_cross_flow_isolation ... ok`

---

### AC-145-005: Single-record ServerHello regression check

**Recording:** `AC-005-single-record-regression.webm`

**What is shown (two parts):**

1. **Unit test:** `test_parse_server_hello` — delivers a complete single-record
ServerHello in `Direction::ServerToClient` and asserts `server_hello_seen == true`.
Confirms the new carry-drain code path does not break non-fragmented delivery.

2. **CLI smoke test:** `wirerust analyze tests/fixtures/tls12-aes256gcm.pcap` —
real TLS 1.2 capture produces a valid WIRERUST TRIAGE REPORT (Packets: 9,
TLS: 9) with no parse errors in the output.

Terminal output visible: `test test_parse_server_hello ... ok` followed by the
CLI triage report.

---

## AC-145-004: Not separately recorded

AC-145-004 (overflow guard — `server_hs_carry` clears on Step-1 overflow and
recovers on subsequent complete ServerHello) is covered by
`test_vp039_server_carry_overflow_clear_and_recover` and
`test_vp039_server_body_len_spoof`, both of which pass in the full test suite.
These are overflow/error-path tests exercising internal guard invariants; they
produce no user-observable CLI output distinguishable from a normal pass.
Full suite evidence: `cargo test --test tls_analyzer_tests story_145` →
`4 passed; 0 failed`.

---

## VHS Tape Scripts

| Script | AC |
|--------|----|
| [AC-001-002-direction-carry-drain.tape](AC-001-002-direction-carry-drain.tape) | AC-145-001, AC-145-002 |
| [AC-003-cross-flow-isolation.tape](AC-003-cross-flow-isolation.tape) | AC-145-003 |
| [AC-005-single-record-regression.tape](AC-005-single-record-regression.tape) | AC-145-005 |

---

## Demo Toolchain

| Tool | Version |
|------|---------|
| VHS | 0.11.0 |
| ffmpeg | 8.1 |
| Rust / cargo | stable (incremental build, pre-compiled) |
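Review bot: AC-145-004 is the one criterion in this report that covers malformed input (the carry overflow guard and `test_vp039_server_body_len_spoof`), and it is also the only one with no recording or link; the "Not separately recorded" section rests on the unrecorded statement `4 passed; 0 failed`. Record the `cargo test --test tls_analyzer_tests story_145` run or link the CI job so the overflow guard has the same evidence as the happy-path ACs. In the AC-145-001/002 detail, the text describes three analyzer instances (interleaved, C2S-only, S2C-only) and then lists `client_hello_seen == true` and `server_hello_seen == true` without saying which instance each applies to; a C2S-only instance cannot satisfy the second, so state the per-instance expectations. The Summary's "All four STORY-145 acceptance tests pass" also sits next to five AC identifiers, so make clear that four is the number of tests, not of ACs.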