Add launch hardening gates
This commit is contained in:
+18
-14
@@ -188,24 +188,28 @@ be evaluated honestly. Items here are *not* yet "green".
|
||||
half-finished handshakes on a TTL, and reports remaining capacity in
|
||||
`ServerHello`. It is covered by unit/integration tests, but still needs abusive
|
||||
real-host tuning before public hardening claims.
|
||||
- **Protocol VERSION compatibility policy is still simple.** The wire format pins a
|
||||
single protocol version: the packet header rejects any non-matching `VERSION` byte
|
||||
and the native handshake rejects any non-matching `protocol_version`. There is no
|
||||
multi-version negotiation yet, so cross-version interop and downgrade-resistance for
|
||||
future versions are still being designed. Today's behavior is fail-closed (reject),
|
||||
not silent downgrade.
|
||||
- **Fuzzing is smoke-tested in CI, not yet a deep campaign.** CI runs parser/auth
|
||||
fuzz targets briefly with nightly/cargo-fuzz when available. That catches obvious
|
||||
panics and parser robustness regressions; it is not a substitute for longer
|
||||
coverage-guided fuzz campaigns before public security claims.
|
||||
- **Protocol VERSION compatibility is intentionally single-version for v1.** The
|
||||
packet header rejects any non-matching `VERSION` byte and the native handshake
|
||||
rejects any non-matching `protocol_version`; peers get a named upgrade error, not
|
||||
a silent downgrade. `docs/PROTOCOL_VERSIONING.md` defines the bump rules and the
|
||||
post-v1 requirements for any future multi-version negotiation.
|
||||
- **Deep fuzzing still needs launch evidence.** CI runs parser/auth fuzz targets for
|
||||
20 seconds per target on push/PR and 300 seconds per target on weekly/manual runs
|
||||
when nightly/cargo-fuzz is available. That catches obvious panics and parser
|
||||
robustness regressions; public security claims should cite a completed
|
||||
`make fuzz-deep` or scheduled CI run with durations.
|
||||
- **User-key algorithm coverage now matches the v1 target.** Ed25519, ECDSA P-256,
|
||||
and compatibility RSA-SHA2 native auth are implemented for ssh-agent and OpenSSH
|
||||
identity files. RSA remains compatibility-only and deliberately rejects legacy
|
||||
SHA-1 `ssh-rsa` signatures.
|
||||
- **Hostile-network and long-soak integration tests are partial.** Roaming,
|
||||
retransmit, resize, and multi-client tests exist; a dedicated adversarial
|
||||
drop/reorder/replay suite and 30-minute-sleep soak (spec section 16) are still being
|
||||
expanded.
|
||||
- **Forwarded stream data is not yet reliable across arbitrary UDP loss.** Terminal
|
||||
frames have retransmit coverage; forwarding streams have flow control and
|
||||
replay/reorder tests, but dropped `StreamData` recovery requires stream
|
||||
retransmission before Dosh should claim TCP-forwarding parity on lossy links.
|
||||
- **Long-soak evidence is a launch gate.** Roaming, retransmit, resize, and
|
||||
multi-client tests exist, and `sleep_roaming_soak_30m` / `make soak-local` provide
|
||||
the 30-minute sleep/roaming gate. That gate should be run and published before
|
||||
public security/reliability claims.
|
||||
- **No external security review yet.** The spec's milestone 5 requires an external
|
||||
review checklist before public security claims. That review has not happened.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user