test(quic): add extended coverage tests for crypto module#1002
Merged
Conversation
Adds 88 deterministic, public-API-only unit tests targeting the lower-coverage branches in src/protocols/quic/crypto.cpp. Covers: - HKDF extract/expand/expand_label edge cases including empty-salt and empty-IKM error paths, zero-length expand, and label/context isolation - initial_keys::derive for QUIC v1 and v2 salts, version divergence, empty and max-length DCIDs, and secret propagation into keys - derive_keys with the is_client_keys flag verified as no-op - Packet protection AEAD round-trip across many packet numbers, empty and large payloads, and varying header sizes - Unprotect failure paths: truncated packet, modified header, wrong packet number, wrong key, wrong IV, corrupted tag, corrupted ciphertext - Header protection mask: short-sample rejection, key/sample isolation, determinism - Header protection protect/unprotect round-trip across long and short headers with packet number lengths 1-4, self-inverse XOR - quic_crypto public surface: set_keys monotonic level raising, ALPN wire-format rejection of overlong protocols, 0-RTT ticket and early-data gates, update_keys pre-handshake rejection, move semantics preserving keys - quic_keys / key_pair is_valid, clear, and equality operators All tests run in under one second total with no real network IO and no TLS handshake. Closes #993
Contributor
Coverage Report
Coverage DetailsFull HTML report is available as a build artifact. |
This was referenced Apr 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Summary
Adds 88 new GTest cases in a dedicated
quic_crypto_extended_test.cpptranslation unit targeting the low-coverage branches insrc/protocols/quic/crypto.cpp(line 59.5%, branch 22.5% per #993). Existing 25-case suite is untouched.Change Type
Affected Components
tests/unit/quic_crypto_extended_test.cpp(new, 1288 LOC, 88 tests across 9 suites)tests/CMakeLists.txt(one line to registernetwork_quic_crypto_extended_test)Why
Problem Solved
Issue #993 names specific weak areas in QUIC crypto coverage: AEAD error paths, HKDF failures, key derivation phases, packet-number encryption edge cases, key update, retry integrity tag validation, header protection. Branch coverage at 22.5% of 1060 branches is a latent security/correctness risk for a TLS/QUIC crypto path.
Related Issues
How
Implementation Highlights
Suites and what each covers:
HkdfExtractExtendedTestHkdfExpandExtendedTestHkdfExpandLabelExtendedTestInitialKeysExtendedTestPacketProtectionExtendedTestHpMaskExtendedTestHeaderProtectionExtendedTestQuicCryptoExtendedTestQuicKeysUtilityTestAll cases are deterministic, perform no real network IO, require no server certificates on disk, and use only the public API.
Branches intentionally not reached
Four branches genuinely require real TLS state and cannot be exercised from the public API without handshake simulation:
process_crypto_datacompletion branch — needs full handshakeupdate_keyssuccess branch — needshandshake_complete == trueinit_serversuccess branch — needs PEM cert+key on diskThese are documented in the test file's header comment.
Testing Done
network_quic_crypto_extended_test: 88/88 PASS in 5 ms (clang, macOS arm64, release preset)network_quic_crypto_module_test(original 25 cases): 25/25 PASS in 2 ms — no regressionTest Plan for Reviewers
Breaking Changes
None — test-only addition.