Add release evidence and audit packet
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,75 @@
|
||||
# Dosh Native v1 Audit Packet
|
||||
|
||||
This is the handoff checklist for an external security review.
|
||||
|
||||
## Scope
|
||||
|
||||
Review the security properties of Dosh native v1:
|
||||
|
||||
- Native UDP authentication and key exchange
|
||||
- Host key trust and known-host mismatch behavior
|
||||
- Authorized key parsing and policy enforcement
|
||||
- Transport encryption, replay protection, rekeying, resume, and stale packet handling
|
||||
- Attach ticket sealing/opening
|
||||
- TCP forwarding and agent forwarding authorization boundaries
|
||||
- Parser robustness for untrusted wire/config data
|
||||
|
||||
Primary files:
|
||||
|
||||
- `src/native.rs`
|
||||
- `src/protocol.rs`
|
||||
- `src/auth.rs`
|
||||
- `src/ssh_agent.rs`
|
||||
- `src/bin/dosh-client.rs`
|
||||
- `src/bin/dosh-server.rs`
|
||||
- `src/config.rs`
|
||||
- `tests/parser_robustness.rs`
|
||||
- `tests/protocol_auth.rs`
|
||||
- `tests/hostile_network.rs`
|
||||
- `tests/integration_smoke.rs`
|
||||
- `fuzz/fuzz_targets/*`
|
||||
|
||||
Primary docs:
|
||||
|
||||
- `docs/NATIVE_V1_SPEC.md`
|
||||
- `docs/THREAT_MODEL.md`
|
||||
- `docs/PROTOCOL_VERSIONING.md`
|
||||
- `docs/PUBLIC_READINESS.md`
|
||||
- `docs/RELEASE_EVIDENCE_2026-06-20.md`
|
||||
|
||||
## Required Reviewer Questions
|
||||
|
||||
1. Is the native handshake transcript complete enough to bind client/server keys,
|
||||
requested session, mode, env, and forwarding permissions?
|
||||
2. Are host-key trust transitions fail-closed, especially unknown vs mismatch vs
|
||||
explicit TOFU?
|
||||
3. Are authorized-key options parsed conservatively enough, and are unsupported
|
||||
options rejected safely?
|
||||
4. Can replayed, reordered, delayed, stale, or cross-epoch packets affect terminal
|
||||
input or forwarded streams more than once?
|
||||
5. Does key rotation preserve confidentiality without creating split-brain epoch
|
||||
states?
|
||||
6. Do attach tickets create any bearer-token replay or privilege-extension issue?
|
||||
7. Can UDP endpoint migration be abused for hijack or reflection?
|
||||
8. Are local/remote/dynamic TCP forwarding and agent forwarding gated correctly by
|
||||
client opt-in, server config, and authorized-key options?
|
||||
9. Are parser and packet-size limits sufficient against malicious inputs?
|
||||
10. Are there any unsafe assumptions in process/session persistence or holder
|
||||
adoption?
|
||||
|
||||
## Current Local Evidence
|
||||
|
||||
As of 2026-06-20:
|
||||
|
||||
- `cargo test`: `153 passed, 1 ignored`
|
||||
- `make soak-local`: passed 30-minute sleep/roaming soak
|
||||
- `make fuzz-smoke`: passed all configured fuzz targets for 20s each
|
||||
- `make bench-docker-mosh`: passed SSH, ControlMaster, native, cached, and Mosh
|
||||
comparison gates
|
||||
|
||||
## Explicit Non-Claims Before Audit
|
||||
|
||||
- No claim of generic SSH protocol replacement.
|
||||
- No claim of full Mosh compatibility.
|
||||
- No claim that native v1 is externally audited.
|
||||
- No claim that Windows server support is production-ready.
|
||||
Reference in New Issue
Block a user