doublegate
diff --git a/‎CHANGELOG.md‎
Lines changed: 72 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 4 additions & 2 deletions b/‎Cargo.toml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎crates/wraith-core/src/frame.rs‎
Lines changed: 1 addition & 1 deletion b/‎crates/wraith-core/src/frame.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎crates/wraith-core/src/migration.rs‎
Lines changed: 1 addition & 1 deletion b/‎crates/wraith-core/src/migration.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎crates/wraith-crypto/src/random.rs‎
Lines changed: 1 addition & 1 deletion b/‎crates/wraith-crypto/src/random.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎crates/wraith-obfuscation/Cargo.toml‎
Lines changed: 7 additions & 0 deletions b/‎crates/wraith-obfuscation/Cargo.toml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎crates/wraith-obfuscation/benches/obfuscation.rs‎
Lines changed: 206 additions & 0 deletions b/‎crates/wraith-obfuscation/benches/obfuscation.rs‎
Lines changed: 206 additions & 0 deletions
@@ -13,6 +13,78 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+**Phase 4 Part II - Obfuscation & Stealth - COMPLETE ✅ (2025-11-30):**
+
+This release completes Phase 4 Part II, delivering comprehensive traffic obfuscation with packet padding, timing obfuscation, cover traffic generation, and protocol mimicry to defeat deep packet inspection and traffic analysis.
+
+#### Packet Padding Engine (Sprint 4.1, 21 SP)
+
+Complete packet padding implementation with 5 modes and adaptive selection:
+
+- **5 Padding Modes**:
+  - `None` - No padding (maximum performance)
+  - `PowerOfTwo` - Round to next power of 2 (15% overhead)
+  - `SizeClasses` - Fixed size classes: 128, 512, 1024, 4096, 8192, 16384 bytes (10% overhead)
+  - `ConstantRate` - Always maximum size (50% overhead, maximum privacy)
+  - `Statistical` - Geometric distribution-based random padding (20% overhead)
+- **Adaptive Profile Selection**: Automatic mode selection based on threat level (Low, Medium, High, Paranoid)
+- **Overhead Estimation**: Real-time overhead calculation for each mode
+- **30 comprehensive tests** covering all padding modes and adaptive selection
+
+#### Timing Obfuscation (Sprint 4.2, 13 SP)
+
+Advanced timing obfuscation with 5 distribution modes and traffic shaping:
+
+- **5 Timing Modes**:
+  - `None` - No delay (baseline)
+  - `Fixed` - Constant delay
+  - `Uniform` - Uniform random distribution
+  - `Normal` - Normal (Gaussian) distribution
+  - `Exponential` - Exponential distribution (Poisson process simulation)
+- **Traffic Shaper**: Rate-controlled packet timing with configurable PPS limits
+- **Statistical Distributions**: Integration with `rand_distr` for authentic traffic patterns
+- **29 comprehensive tests** including distribution validation and traffic shaping
+
+#### Protocol Mimicry (Sprint 4.3, 34 SP)
+
+Three complete protocol wrappers for traffic obfuscation:
+
+- **TLS 1.3 Record Layer Mimicry** (20 tests):
+  - Application data wrapping with authentic TLS 1.3 records
+  - Fake handshake generation (ClientHello, ServerHello, Finished)
+  - Sequence number tracking for realistic sessions
+  - Content type 23 (application_data) with version 0x0303
+- **WebSocket Binary Frame Wrapping** (21 tests):
+  - Binary frame encoding with FIN bit and opcode 0x02
+  - Client masking support with random masking keys
+  - Extended length encoding (126 for 16-bit, 127 for 64-bit lengths)
+  - Payload masking XOR operation
+- **DNS-over-HTTPS Tunneling** (22 tests):
+  - base64url encoding for DNS query parameters
+  - DNS query packet generation with EDNS0 OPT records
+  - Payload embedding in EDNS data field
+  - Query/response parsing with comprehensive validation
+
+#### Testing & Benchmarks (Sprint 4.4, 8 SP)
+
+- **130 unit tests** across all obfuscation modules
+- **37 doctests** for API documentation examples
+- **Criterion benchmarks**:
+  - Padding engine performance (all 5 modes)
+  - TLS record wrapping/unwrapping
+  - WebSocket frame operations
+  - DoH tunnel encoding/decoding
+  - Timing obfuscator delay generation
+- **Total test coverage**: 167 tests passing
+
+**Quality Gates:**
+- ✅ All 597 workspace tests passing
+- ✅ Clippy clean (zero warnings)
+- ✅ rustfmt compliant
+- ✅ Comprehensive documentation with examples
+
+---
+
 **Phase 4 Part I - Optimization & Hardening - COMPLETE ✅ (2025-11-30):**
 
 This release completes Phase 4 Part I, delivering high-performance kernel bypass features and comprehensive security hardening across the entire protocol stack.
 
@@ -51,10 +51,11 @@ x25519-dalek = { version = "2.0", features = ["static_secrets"] }
 ed25519-dalek = { version = "2.1", features = ["rand_core"] }
 blake3 = "1.5"
 snow = "0.10"
-rand = "0.9"
+rand = "0.8"
 rand_core = "0.6"
+rand_distr = "0.4"
 zeroize = { version = "1.7", features = ["derive"] }
-getrandom = "0.3"
+getrandom = "0.2"
 
 # Kernel interfaces
 # Note: io-uring is Linux-only - used via target-specific dependencies in wraith-transport
@@ -64,6 +65,7 @@ socket2 = "0.6"
 # Serialization
 bincode = "1.3"
 serde = { version = "1.0", features = ["derive"] }
+base64 = "0.22"
 
 # CLI
 clap = { version = "4.4", features = ["derive"] }
 
@@ -589,7 +589,7 @@ impl FrameBuilder {
 
         // Write random padding
         let mut padding = vec![0u8; padding_len];
-        getrandom::fill(&mut padding).expect("CSPRNG failure");
+        getrandom::getrandom(&mut padding).expect("CSPRNG failure");
         buf.extend_from_slice(&padding);
 
         Ok(buf)
 
@@ -55,7 +55,7 @@ impl PathValidator {
     /// Returns 8-byte challenge data to send to peer
     pub fn initiate_challenge(&mut self, path_id: u64) -> [u8; 8] {
         let mut challenge = [0u8; 8];
-        getrandom::fill(&mut challenge).expect("getrandom failed");
+        getrandom::getrandom(&mut challenge).expect("getrandom failed");
 
         self.pending_challenges
             .insert(challenge, (path_id, Instant::now()));
 
@@ -10,7 +10,7 @@ use crate::CryptoError;
 ///
 /// Returns [`CryptoError::RandomFailed`] if the underlying OS CSPRNG fails.
 pub fn fill_random(buf: &mut [u8]) -> Result<(), CryptoError> {
-    getrandom::fill(buf).map_err(|_| CryptoError::RandomFailed)
+    getrandom::getrandom(buf).map_err(|_| CryptoError::RandomFailed)
 }
 
 /// Generate a random 32-byte array.
 
@@ -11,9 +11,16 @@ authors.workspace = true
 [dependencies]
 wraith-crypto = { workspace = true }
 rand = { workspace = true }
+rand_distr = { workspace = true }
 getrandom = { workspace = true }
 thiserror = { workspace = true }
 tracing = { workspace = true }
+base64 = { workspace = true }
 
 [dev-dependencies]
 proptest = { workspace = true }
+criterion = { workspace = true }
+
+[[bench]]
+name = "obfuscation"
+harness = false
@@ -0,0 +1,206 @@
+//! Benchmarks for WRAITH obfuscation layer.
+
+use criterion::{Criterion, Throughput, black_box, criterion_group, criterion_main};
+use wraith_obfuscation::*;
+
+fn bench_padding(c: &mut Criterion) {
+    let mut group = c.benchmark_group("padding");
+
+    for size in [128, 512, 1024, 4096] {
+        let data = vec![0u8; size];
+        group.throughput(Throughput::Bytes(size as u64));
+
+        group.bench_with_input(format!("size_classes_{}", size), &data, |b, data| {
+            let mut engine = PaddingEngine::new(PaddingMode::SizeClasses);
+            b.iter(|| {
+                let mut buf = data.clone();
+                let target = engine.padded_size(data.len());
+                engine.pad(&mut buf, target);
+                black_box(buf);
+            });
+        });
+
+        group.bench_with_input(format!("statistical_{}", size), &data, |b, data| {
+            let mut engine = PaddingEngine::new(PaddingMode::Statistical);
+            b.iter(|| {
+                let mut buf = data.clone();
+                let target = engine.padded_size(data.len());
+                engine.pad(&mut buf, target);
+                black_box(buf);
+            });
+        });
+    }
+
+    group.finish();
+}
+
+fn bench_tls_wrap(c: &mut Criterion) {
+    let mut group = c.benchmark_group("tls_mimicry");
+
+    for size in [128, 512, 1024, 4096] {
+        let payload = vec![0u8; size];
+        group.throughput(Throughput::Bytes(size as u64));
+
+        group.bench_with_input(format!("wrap_{}", size), &payload, |b, payload| {
+            let mut wrapper = TlsRecordWrapper::new();
+            b.iter(|| {
+                let wrapped = wrapper.wrap(black_box(payload));
+                black_box(wrapped);
+            });
+        });
+
+        group.bench_with_input(format!("unwrap_{}", size), &payload, |b, payload| {
+            let mut wrapper = TlsRecordWrapper::new();
+            let record = wrapper.wrap(payload);
+            b.iter(|| {
+                let unwrapped = wrapper.unwrap(black_box(&record)).unwrap();
+                black_box(unwrapped);
+            });
+        });
+    }
+
+    group.finish();
+}
+
+fn bench_websocket_wrap(c: &mut Criterion) {
+    let mut group = c.benchmark_group("websocket_mimicry");
+
+    for size in [128, 512, 1024, 4096] {
+        let payload = vec![0u8; size];
+        group.throughput(Throughput::Bytes(size as u64));
+
+        group.bench_with_input(format!("wrap_server_{}", size), &payload, |b, payload| {
+            let wrapper = WebSocketFrameWrapper::new(false);
+            b.iter(|| {
+                let wrapped = wrapper.wrap(black_box(payload));
+                black_box(wrapped);
+            });
+        });
+
+        group.bench_with_input(format!("wrap_client_{}", size), &payload, |b, payload| {
+            let wrapper = WebSocketFrameWrapper::new(true);
+            b.iter(|| {
+                let wrapped = wrapper.wrap(black_box(payload));
+                black_box(wrapped);
+            });
+        });
+    }
+
+    group.finish();
+}
+
+fn bench_doh_tunnel(c: &mut Criterion) {
+    let mut group = c.benchmark_group("doh_tunnel");
+
+    for size in [128, 512, 1024, 4096] {
+        let payload = vec![0u8; size];
+        group.throughput(Throughput::Bytes(size as u64));
+
+        group.bench_with_input(format!("create_query_{}", size), &payload, |b, payload| {
+            let tunnel = DohTunnel::new("https://dns.example.com/dns-query".to_string());
+            b.iter(|| {
+                let query = tunnel.create_dns_query(black_box("test.com"), black_box(payload));
+                black_box(query);
+            });
+        });
+
+        group.bench_with_input(
+            format!("parse_response_{}", size),
+            &payload,
+            |b, payload| {
+                let tunnel = DohTunnel::new("https://dns.example.com/dns-query".to_string());
+                let query = tunnel.create_dns_query("test.com", payload);
+                b.iter(|| {
+                    let parsed = tunnel.parse_dns_response(black_box(&query)).unwrap();
+                    black_box(parsed);
+                });
+            },
+        );
+    }
+
+    group.finish();
+}
+
+fn bench_timing_obfuscator(c: &mut Criterion) {
+    let mut group = c.benchmark_group("timing");
+
+    use std::time::Duration;
+
+    group.bench_function("none", |b| {
+        let mut obfuscator = TimingObfuscator::new(TimingMode::None);
+        b.iter(|| {
+            let delay = obfuscator.next_delay();
+            black_box(delay);
+        });
+    });
+
+    group.bench_function("fixed", |b| {
+        let mut obfuscator = TimingObfuscator::new(TimingMode::Fixed(Duration::from_millis(10)));
+        b.iter(|| {
+            let delay = obfuscator.next_delay();
+            black_box(delay);
+        });
+    });
+
+    group.bench_function("uniform", |b| {
+        let mut obfuscator = TimingObfuscator::new(TimingMode::Uniform {
+            min: Duration::from_millis(5),
+            max: Duration::from_millis(15),
+        });
+        b.iter(|| {
+            let delay = obfuscator.next_delay();
+            black_box(delay);
+        });
+    });
+
+    group.bench_function("normal", |b| {
+        let mut obfuscator = TimingObfuscator::new(TimingMode::Normal {
+            mean: Duration::from_millis(10),
+            stddev: Duration::from_millis(2),
+        });
+        b.iter(|| {
+            let delay = obfuscator.next_delay();
+            black_box(delay);
+        });
+    });
+
+    group.bench_function("exponential", |b| {
+        let mut obfuscator = TimingObfuscator::new(TimingMode::Exponential {
+            mean: Duration::from_millis(10),
+        });
+        b.iter(|| {
+            let delay = obfuscator.next_delay();
+            black_box(delay);
+        });
+    });
+
+    group.finish();
+}
+
+fn bench_adaptive_profile(c: &mut Criterion) {
+    c.bench_function("profile_from_threat_level", |b| {
+        b.iter(|| {
+            let profile = ObfuscationProfile::from_threat_level(black_box(ThreatLevel::High));
+            black_box(profile);
+        });
+    });
+
+    c.bench_function("profile_estimated_overhead", |b| {
+        let profile = ObfuscationProfile::from_threat_level(ThreatLevel::High);
+        b.iter(|| {
+            let overhead = profile.estimated_overhead();
+            black_box(overhead);
+        });
+    });
+}
+
+criterion_group!(
+    benches,
+    bench_padding,
+    bench_tls_wrap,
+    bench_websocket_wrap,
+    bench_doh_tunnel,
+    bench_timing_obfuscator,
+    bench_adaptive_profile
+);
+criterion_main!(benches);
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ use crate::CryptoError;`
`10`	`10`	`///`
`11`	`11`	/// Returns [`CryptoError::RandomFailed`] if the underlying OS CSPRNG fails.
`12`	`12`	`pub fn fill_random(buf: &mut [u8]) -> Result<(), CryptoError> {`
`13`		`- getrandom::fill(buf).map_err(\|_\| CryptoError::RandomFailed)`
	`13`	`+ getrandom::getrandom(buf).map_err(\|_\| CryptoError::RandomFailed)`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`/// Generate a random 32-byte array.`