Add launch hardening gates

This commit is contained in:
DuProcess
2026-06-18 09:45:27 -04:00
parent 25d9a6aefa
commit d0d6f59cdf
11 changed files with 583 additions and 61 deletions
+18 -14
View File
@@ -188,24 +188,28 @@ be evaluated honestly. Items here are *not* yet "green".
half-finished handshakes on a TTL, and reports remaining capacity in
`ServerHello`. It is covered by unit/integration tests, but still needs abusive
real-host tuning before public hardening claims.
- **Protocol VERSION compatibility policy is still simple.** The wire format pins a
single protocol version: the packet header rejects any non-matching `VERSION` byte
and the native handshake rejects any non-matching `protocol_version`. There is no
multi-version negotiation yet, so cross-version interop and downgrade-resistance for
future versions are still being designed. Today's behavior is fail-closed (reject),
not silent downgrade.
- **Fuzzing is smoke-tested in CI, not yet a deep campaign.** CI runs parser/auth
fuzz targets briefly with nightly/cargo-fuzz when available. That catches obvious
panics and parser robustness regressions; it is not a substitute for longer
coverage-guided fuzz campaigns before public security claims.
- **Protocol VERSION compatibility is intentionally single-version for v1.** The
packet header rejects any non-matching `VERSION` byte and the native handshake
rejects any non-matching `protocol_version`; peers get a named upgrade error, not
a silent downgrade. `docs/PROTOCOL_VERSIONING.md` defines the bump rules and the
post-v1 requirements for any future multi-version negotiation.
- **Deep fuzzing still needs launch evidence.** CI runs parser/auth fuzz targets for
20 seconds per target on push/PR and 300 seconds per target on weekly/manual runs
when nightly/cargo-fuzz is available. That catches obvious panics and parser
robustness regressions; public security claims should cite a completed
`make fuzz-deep` or scheduled CI run with durations.
- **User-key algorithm coverage now matches the v1 target.** Ed25519, ECDSA P-256,
and compatibility RSA-SHA2 native auth are implemented for ssh-agent and OpenSSH
identity files. RSA remains compatibility-only and deliberately rejects legacy
SHA-1 `ssh-rsa` signatures.
- **Hostile-network and long-soak integration tests are partial.** Roaming,
retransmit, resize, and multi-client tests exist; a dedicated adversarial
drop/reorder/replay suite and 30-minute-sleep soak (spec section 16) are still being
expanded.
- **Forwarded stream data is not yet reliable across arbitrary UDP loss.** Terminal
frames have retransmit coverage; forwarding streams have flow control and
replay/reorder tests, but dropped `StreamData` recovery requires stream
retransmission before Dosh should claim TCP-forwarding parity on lossy links.
- **Long-soak evidence is a launch gate.** Roaming, retransmit, resize, and
multi-client tests exist, and `sleep_roaming_soak_30m` / `make soak-local` provide
the 30-minute sleep/roaming gate. That gate should be run and published before
public security/reliability claims.
- **No external security review yet.** The spec's milestone 5 requires an external
review checklist before public security claims. That review has not happened.