Compare commits

..
25 Commits
Author SHA1 Message Date
DuProcess bab3f777dc Harden SDK stream ids and duplicate opens
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-09 19:19:07 -04:00
DuProcess 039dc641b3 Fix resumed copy truncation
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-09 19:10:17 -04:00
DuProcess 4c9e31fd16 Harden alternate screen tracking
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-07 20:37:16 -04:00
DuProcess c1c672b188 Bump release candidate to rc8
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-07 15:34:49 -04:00
DuProcess a23f610f20 Keep generated sessions alive across updates 2026-07-07 15:34:24 -04:00
DuProcess ff2b7fff2b Bump release candidate to rc7
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-07 14:58:13 -04:00
DuProcess f4879090f6 Keep terminal focus reports local 2026-07-07 14:57:53 -04:00
DuProcess 37ec9fc520 Bump release candidate to rc6
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-07 12:01:03 -04:00
DuProcess f3c7ec225d Repaint terminal after idle tab return 2026-07-07 12:00:40 -04:00
DuProcess d3c40a06ac Bump release candidate to rc5
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-07 11:49:41 -04:00
DuProcess 6b12b3dfe0 Harden terminal reconnect packet handling 2026-07-07 11:48:59 -04:00
DuProcess b90c34dc17 Bump release candidate to rc4
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-05 18:00:59 -04:00
DuProcess f205e0c128 Harden native auth and SDK datagram handling 2026-07-05 18:00:31 -04:00
DuProcess 92c94176bd Bump release candidate to rc3
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-05 09:39:21 -04:00
DuProcess 4b2e9a62d5 Harden embedded transport under UDP churn
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-05 09:37:44 -04:00
DuProcess 689d20f7e7 Bump release candidate to rc2
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-04 23:00:18 -04:00
DuProcess 252f081a61 Suppress stale terminal mouse reports after reconnect
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-04 22:56:32 -04:00
DuProcess b1e8326b0a Stop local benchmark holder leaks 2026-07-04 22:31:14 -04:00
DuProcess 3b4931aa8f Keep server alive on transient UDP send errors 2026-07-04 22:29:52 -04:00
DuProcess 5c54601cdf Prepare Dosh 1.0.0 rc1
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-04 16:58:15 -04:00
DuProcess c085137250 Add hostile network TUI soak gate
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-04 14:37:23 -04:00
DuProcess 237ad52bef Flush queued input after reconnect contact
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-03 16:35:22 -04:00
DuProcess a8ba852f16 Keep Dosh server service alive
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-03 14:51:47 -04:00
DuProcess f1a3de7730 Rate limit terminal gap resync
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-03 10:19:53 -04:00
DuProcess 80699dcf9d Stabilize terminal frame recovery
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / windows-client (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-07-03 10:06:23 -04:00
18 changed files with 1870 additions and 180 deletions
Generated
+1 -1
View File
@@ -436,7 +436,7 @@ dependencies = [
[[package]] [[package]]
name = "dosh" name = "dosh"
version = "0.1.13" version = "1.0.0-rc11"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"base64", "base64",
+1 -1
View File
@@ -1,6 +1,6 @@
[package] [package]
name = "dosh" name = "dosh"
version = "0.1.13" version = "1.0.0-rc11"
edition = "2024" edition = "2024"
license = "MIT" license = "MIT"
+20 -1
View File
@@ -1,4 +1,4 @@
.PHONY: build test fmt clippy release-check install package-release package-release-linux package-release-windows publish-release bench-report bench-local bench-local-json bench-docker-ssh bench-docker-mosh fuzz-smoke fuzz-deep soak-local tui-harness .PHONY: build test fmt clippy release-check 1.0-check reconnect-check hostile-network-check persistence-check package-check install package-release package-release-linux package-release-windows publish-release bench-report bench-local bench-local-json bench-docker-ssh bench-docker-mosh fuzz-smoke fuzz-deep soak-local tui-harness
build: build:
cargo build --release cargo build --release
@@ -19,6 +19,25 @@ release-check:
cargo test cargo test
$(MAKE) tui-harness $(MAKE) tui-harness
1.0-check: release-check reconnect-check hostile-network-check persistence-check package-check
reconnect-check:
cargo test --test integration_smoke resume_updates_udp_endpoint_for_roaming -- --nocapture
DOSH_SOAK_SECONDS=$${DOSH_SOAK_SECONDS:-300} cargo test --test integration_smoke sleep_roaming_soak_30m -- --ignored --nocapture
hostile-network-check:
cargo test --test hostile_network -- --nocapture
DOSH_BADNET_SOAK_SECONDS=$${DOSH_BADNET_SOAK_SECONDS:-300} cargo test --test hostile_network bad_network_tui_work_soak_30m -- --ignored --nocapture
persistence-check:
cargo test --test integration_smoke session_survives_server_restart_same_shell_and_screen -- --nocapture
cargo test --test integration_smoke multiple_persistent_named_sessions_survive_restart_independently -- --nocapture
package-check:
$(MAKE) package-release-linux
$(MAKE) package-release-windows
sh scripts/verify-release-artifacts.sh
install: install:
sh install.sh --from-current sh install.sh --from-current
+1 -1
View File
@@ -426,7 +426,7 @@ Wants=network-online.target
[Service] [Service]
Type=simple Type=simple
ExecStart=$bindir/dosh-server serve ExecStart=$bindir/dosh-server serve
Restart=on-failure Restart=always
RestartSec=1 RestartSec=1
KillMode=process KillMode=process
+1 -1
View File
@@ -6,7 +6,7 @@ Wants=network-online.target
[Service] [Service]
Type=simple Type=simple
ExecStart=%h/.local/bin/dosh-server serve ExecStart=%h/.local/bin/dosh-server serve
Restart=on-failure Restart=always
RestartSec=1 RestartSec=1
KillMode=process KillMode=process
+2
View File
@@ -67,6 +67,7 @@ cleanup() {
kill "$server_pid" 2>/dev/null || true kill "$server_pid" 2>/dev/null || true
wait "$server_pid" 2>/dev/null || true wait "$server_pid" 2>/dev/null || true
fi fi
pkill -f "$server_bin hold --runtime-dir $home/sessions/run" 2>/dev/null || true
rm -rf "$home" rm -rf "$home"
} }
trap cleanup EXIT INT TERM trap cleanup EXIT INT TERM
@@ -86,6 +87,7 @@ scrollback = 5000
auth_ttl_secs = 30 auth_ttl_secs = 30
attach_ticket_ttl_secs = 3600 attach_ticket_ttl_secs = 3600
allow_attach_tickets = true allow_attach_tickets = true
persist_sessions = false
client_timeout_secs = 60 client_timeout_secs = 60
retransmit_window = 256 retransmit_window = 256
default_input_mode = "read-write" default_input_mode = "read-write"
+46
View File
@@ -0,0 +1,46 @@
#!/usr/bin/env sh
set -eu
repo_root="$(CDPATH= cd -- "$(dirname -- "$0")/.." && pwd)"
cd "$repo_root"
version="$(sed -n 's/^version = "\(.*\)"/\1/p' Cargo.toml | sed -n '1p')"
out_dir="${DOSH_PACKAGE_DIR:-target/dosh-release}"
artifact_version() {
artifact="$1"
case "$artifact" in
*.tar.gz)
tar -xOf "$artifact" dosh/VERSION 2>/dev/null | tr -d '\r\n'
;;
*.zip)
unzip -p "$artifact" dosh/VERSION 2>/dev/null | tr -d '\r\n'
;;
*)
return 1
;;
esac
}
failed=0
for artifact in \
"$out_dir/dosh-linux-x86_64.tar.gz" \
"$out_dir/dosh-macos-aarch64.tar.gz" \
"$out_dir/dosh-windows-x86_64.zip"; do
if [ ! -f "$artifact" ]; then
echo "missing release artifact: $artifact" >&2
failed=1
continue
fi
if [ ! -f "$artifact.sha256" ]; then
echo "missing release checksum: $artifact.sha256" >&2
failed=1
fi
actual="$(artifact_version "$artifact" || true)"
if [ "$actual" != "$version" ]; then
echo "artifact version mismatch: $artifact has ${actual:-unknown}, expected $version" >&2
failed=1
fi
done
exit "$failed"
+639 -63
View File
File diff suppressed because it is too large Load Diff
+208 -51
View File
@@ -28,6 +28,7 @@ use dosh::protocol::{
TicketAttachBody, TicketAttachEnvelope, TicketAttachOkEnvelope, TicketAttachBody, TicketAttachEnvelope, TicketAttachOkEnvelope,
}; };
use dosh::pty::{PtyHandle, PtyOutput, adopt_pty_from_fd, spawn_pty_session}; use dosh::pty::{PtyHandle, PtyOutput, adopt_pty_from_fd, spawn_pty_session};
use dosh::udp::is_transient_udp_send_error;
use sha2::{Digest, Sha256}; use sha2::{Digest, Sha256};
use std::collections::{BTreeMap, HashMap, HashSet, VecDeque}; use std::collections::{BTreeMap, HashMap, HashSet, VecDeque};
use std::fs; use std::fs;
@@ -51,6 +52,7 @@ const STREAM_INITIAL_WINDOW: usize = 1024 * 1024;
/// have accumulated since the last mirror. Keeps the atomic write off the /// have accumulated since the last mirror. Keeps the atomic write off the
/// per-packet hot path while bounding how much fresh output a crash can lose. /// per-packet hot path while bounding how much fresh output a crash can lose.
const SCREEN_PERSIST_BYTES: usize = 4096; const SCREEN_PERSIST_BYTES: usize = 4096;
const IMPLICIT_EMPTY_SESSION_GRACE_SECS: u64 = 300;
/// Sentinel `target_host` sent to the client on a server-initiated `StreamOpen` /// Sentinel `target_host` sent to the client on a server-initiated `StreamOpen`
/// that carries an SSH-agent connection (the client splices it into its local /// that carries an SSH-agent connection (the client splices it into its local
@@ -432,6 +434,7 @@ struct PendingStreamOpen {
attempts: u32, attempts: u32,
} }
#[derive(Clone)]
struct PendingNativeAuth { struct PendingNativeAuth {
client: dosh::native::NativeClientHello, client: dosh::native::NativeClientHello,
server: NativeServerHello, server: NativeServerHello,
@@ -510,15 +513,16 @@ impl ServerState {
Ok(()) Ok(())
} }
/// Whether a session named `name` should be backed by a persistent holder. /// Whether a session should be backed by a persistent holder.
/// ///
/// With persistence enabled, explicitly named sessions get a detached /// With persistence enabled, every interactive session gets a detached holder
/// holder. Implicit `term-<millis>-<pid>` sessions are one-off terminals /// so an update/restart of `dosh-server` behaves like a transient network
/// created by `dosh host`; users cannot intentionally reattach to them by /// break. Named sessions can sit empty for the normal client timeout.
/// name, so persisting them only leaves stale holders that can be /// Generated one-off sessions are also persisted, but cleanup gives them a
/// accidentally re-adopted after restarts. /// shorter empty grace period so invisible abandoned holders do not linger
fn should_persist_session(&self, name: &str) -> bool { /// indefinitely.
self.config.persist_sessions && !protocol::is_implicit_session_name(name) fn should_persist_session(&self, _name: &str) -> bool {
self.config.persist_sessions
} }
/// Spawn (or, in the persistent case, spawn-and-adopt) a PTY for a session. /// Spawn (or, in the persistent case, spawn-and-adopt) a PTY for a session.
@@ -606,20 +610,6 @@ impl ServerState {
if self.sessions.contains_key(&name) { if self.sessions.contains_key(&name) {
continue; continue;
} }
if !self.should_persist_session(&name) {
eprintln!(
"discarding stale implicit persistent session {name} (shell pid {})",
meta.shell_pid
);
persist::request_shutdown(&sessions_dir, &name, None);
if meta.shell_pid > 0 {
let _ = unsafe { libc::kill(meta.shell_pid, libc::SIGHUP) };
let _ = unsafe { libc::kill(meta.shell_pid, libc::SIGTERM) };
std::thread::sleep(Duration::from_millis(50));
let _ = unsafe { libc::kill(meta.shell_pid, libc::SIGKILL) };
}
continue;
}
let (pty, control) = match self.adopt_persistent_pty(&name) { let (pty, control) = match self.adopt_persistent_pty(&name) {
Ok(pair) => pair, Ok(pair) => pair,
Err(err) => { Err(err) => {
@@ -669,6 +659,7 @@ impl ServerState {
fn insert_client(&mut self, session_name: &str, client_id: [u8; 16], client: ClientState) { fn insert_client(&mut self, session_name: &str, client_id: [u8; 16], client: ClientState) {
if let Some(session) = self.sessions.get_mut(session_name) { if let Some(session) = self.sessions.get_mut(session_name) {
session.clients.insert(client_id, client); session.clients.insert(client_id, client);
session.empty_since = None;
self.client_index self.client_index
.insert(client_id, session_name.to_string()); .insert(client_id, session_name.to_string());
} }
@@ -863,6 +854,7 @@ async fn handle_packet(
| PacketKind::StreamEof | PacketKind::StreamEof
| PacketKind::StreamWindowAdjust | PacketKind::StreamWindowAdjust
| PacketKind::RekeyAck | PacketKind::RekeyAck
| PacketKind::Detach
if find_client_decrypt_key(state, &packet.header).is_err() => if find_client_decrypt_key(state, &packet.header).is_err() =>
{ {
send_reject_to_client(socket, peer, packet.header.conn_id, "unknown client").await send_reject_to_client(socket, peer, packet.header.conn_id, "unknown client").await
@@ -980,7 +972,7 @@ async fn handle_native_client_hello(
}; };
let body = protocol::to_body(&NativeServerHelloBody { hello })?; let body = protocol::to_body(&NativeServerHelloBody { hello })?;
let out = protocol::encode_plain(PacketKind::NativeServerHello, pending_id, 1, 0, &body)?; let out = protocol::encode_plain(PacketKind::NativeServerHello, pending_id, 1, 0, &body)?;
socket.send_to(&out, peer).await?; let _ = send_udp(socket, &out, peer).await?;
Ok(()) Ok(())
} }
@@ -991,8 +983,8 @@ async fn handle_native_user_auth(
packet: &protocol::Packet, packet: &protocol::Packet,
) -> Result<()> { ) -> Result<()> {
let pending = { let pending = {
let mut locked = state.lock().expect("server state poisoned"); let locked = state.lock().expect("server state poisoned");
locked.pending_native.remove(&packet.header.conn_id) locked.pending_native.get(&packet.header.conn_id).cloned()
}; };
let Some(pending) = pending else { let Some(pending) = pending else {
return send_reject_to_client(socket, peer, packet.header.conn_id, "unknown native auth") return send_reject_to_client(socket, peer, packet.header.conn_id, "unknown native auth")
@@ -1008,11 +1000,38 @@ async fn handle_native_user_auth(
.await; .await;
} }
if pending.created_at.elapsed() > Duration::from_secs(30) { if pending.created_at.elapsed() > Duration::from_secs(30) {
state
.lock()
.expect("server state poisoned")
.pending_native
.remove(&packet.header.conn_id);
return send_reject_to_client(socket, peer, packet.header.conn_id, "native auth expired") return send_reject_to_client(socket, peer, packet.header.conn_id, "native auth expired")
.await; .await;
} }
let body = protocol::decrypt_body(packet, &pending.session_key, CLIENT_TO_SERVER)?; let body = match protocol::decrypt_body(packet, &pending.session_key, CLIENT_TO_SERVER) {
let req: NativeUserAuthBody = protocol::from_body(&body)?; Ok(body) => body,
Err(_) => {
return send_reject_to_client(
socket,
peer,
packet.header.conn_id,
"native auth decrypt failed",
)
.await;
}
};
let req: NativeUserAuthBody = match protocol::from_body(&body) {
Ok(req) => req,
Err(_) => {
return send_reject_to_client(
socket,
peer,
packet.header.conn_id,
"invalid native auth body",
)
.await;
}
};
if pending.client.requested_mode == "doctor" { if pending.client.requested_mode == "doctor" {
let check_result = { let check_result = {
let locked = state.lock().expect("server state poisoned"); let locked = state.lock().expect("server state poisoned");
@@ -1048,6 +1067,11 @@ async fn handle_native_user_auth(
.await; .await;
} }
}; };
state
.lock()
.expect("server state poisoned")
.pending_native
.remove(&packet.header.conn_id);
let body = protocol::to_body(&check)?; let body = protocol::to_body(&check)?;
let out = protocol::encode_encrypted( let out = protocol::encode_encrypted(
PacketKind::NativeAuthCheckOk, PacketKind::NativeAuthCheckOk,
@@ -1058,7 +1082,7 @@ async fn handle_native_user_auth(
SERVER_TO_CLIENT, SERVER_TO_CLIENT,
&body, &body,
)?; )?;
socket.send_to(&out, peer).await?; let _ = send_udp(socket, &out, peer).await?;
return Ok(()); return Ok(());
} }
@@ -1228,6 +1252,11 @@ async fn handle_native_user_auth(
if let Some((listener, path)) = agent_listener { if let Some((listener, path)) = agent_listener {
spawn_agent_forward(state, socket, client_id, listener, path); spawn_agent_forward(state, socket, client_id, listener, path);
} }
state
.lock()
.expect("server state poisoned")
.pending_native
.remove(&packet.header.conn_id);
let ok = NativeAuthOk { let ok = NativeAuthOk {
client_id, client_id,
@@ -1251,7 +1280,7 @@ async fn handle_native_user_auth(
SERVER_TO_CLIENT, SERVER_TO_CLIENT,
&body, &body,
)?; )?;
socket.send_to(&out, peer).await?; let _ = send_udp(socket, &out, peer).await?;
Ok(()) Ok(())
} }
@@ -1359,7 +1388,7 @@ async fn handle_bootstrap_attach(
SERVER_TO_CLIENT, SERVER_TO_CLIENT,
&body, &body,
)?; )?;
socket.send_to(&out, peer).await?; let _ = send_udp(socket, &out, peer).await?;
Ok(()) Ok(())
} }
@@ -1494,7 +1523,7 @@ async fn handle_ticket_attach(
}; };
let body = protocol::to_body(&envelope)?; let body = protocol::to_body(&envelope)?;
let out = protocol::encode_plain(PacketKind::AttachOk, client_id, 1, 0, &body)?; let out = protocol::encode_plain(PacketKind::AttachOk, client_id, 1, 0, &body)?;
socket.send_to(&out, peer).await?; let _ = send_udp(socket, &out, peer).await?;
Ok(()) Ok(())
} }
@@ -1512,7 +1541,7 @@ async fn send_reject_to_client(
reason: reason.to_string(), reason: reason.to_string(),
})?; })?;
let out = protocol::encode_plain(PacketKind::AttachReject, client_id, 0, 0, &body)?; let out = protocol::encode_plain(PacketKind::AttachReject, client_id, 0, 0, &body)?;
socket.send_to(&out, peer).await?; let _ = send_udp(socket, &out, peer).await?;
Ok(()) Ok(())
} }
@@ -1578,7 +1607,7 @@ async fn handle_resume(
SERVER_TO_CLIENT, SERVER_TO_CLIENT,
&body, &body,
)?; )?;
socket.send_to(&out, peer).await?; let _ = send_udp(socket, &out, peer).await?;
Ok(()) Ok(())
} }
@@ -1690,12 +1719,19 @@ async fn handle_ping(
SERVER_TO_CLIENT, SERVER_TO_CLIENT,
b"", b"",
)?; )?;
socket.send_to(&out, peer).await?; let _ = send_udp(socket, &out, peer).await?;
Ok(()) Ok(())
} }
async fn handle_detach(state: &Arc<Mutex<ServerState>>, packet: &protocol::Packet) -> Result<()> { async fn handle_detach(state: &Arc<Mutex<ServerState>>, packet: &protocol::Packet) -> Result<()> {
let (key, _) = find_client_decrypt_key(state, &packet.header)?;
let _ = protocol::decrypt_body(packet, &key, CLIENT_TO_SERVER)?;
let mut locked = state.lock().expect("server state poisoned"); let mut locked = state.lock().expect("server state poisoned");
if let Some(client) = locked.client_mut(&packet.header.conn_id) {
if !client.replay.accept(packet.header.seq) {
return Ok(());
}
}
locked.remove_client_everywhere(&packet.header.conn_id); locked.remove_client_everywhere(&packet.header.conn_id);
Ok(()) Ok(())
} }
@@ -1705,6 +1741,14 @@ fn remove_client(state: &Arc<Mutex<ServerState>>, client_id: [u8; 16]) {
locked.remove_client_everywhere(&client_id); locked.remove_client_everywhere(&client_id);
} }
async fn send_udp(socket: &UdpSocket, packet: &[u8], peer: SocketAddr) -> Result<bool> {
match socket.send_to(packet, peer).await {
Ok(_) => Ok(true),
Err(err) if is_transient_udp_send_error(&err) => Ok(false),
Err(err) => Err(err).with_context(|| format!("send UDP packet to {peer}")),
}
}
async fn handle_ack( async fn handle_ack(
state: &Arc<Mutex<ServerState>>, state: &Arc<Mutex<ServerState>>,
peer: SocketAddr, peer: SocketAddr,
@@ -2623,10 +2667,13 @@ async fn handle_file_request(
let (file, temp_path, written, atomic) = if resume && final_path.exists() { let (file, temp_path, written, atomic) = if resume && final_path.exists() {
let mut file = fs::OpenOptions::new() let mut file = fs::OpenOptions::new()
.read(true) .read(true)
.write(true)
.append(true) .append(true)
.open(&final_path) .open(&final_path)
.with_context(|| format!("open {}", final_path.display()))?; .with_context(|| format!("open {}", final_path.display()))?;
let written = file.metadata()?.len().min(size); let written = file.metadata()?.len().min(size);
file.set_len(written)
.with_context(|| format!("truncate {}", final_path.display()))?;
if written > 0 { if written > 0 {
let mut prefix = fs::File::open(&final_path)?; let mut prefix = fs::File::open(&final_path)?;
hash_exact_prefix(&mut prefix, written, &mut hasher)?; hash_exact_prefix(&mut prefix, written, &mut hasher)?;
@@ -3020,7 +3067,7 @@ async fn send_stream_open_to_client(
found found
}; };
if let Some((endpoint, packet)) = send { if let Some((endpoint, packet)) = send {
socket.send_to(&packet, endpoint).await?; let _ = send_udp(socket, &packet, endpoint).await?;
} }
Ok(()) Ok(())
} }
@@ -3114,7 +3161,7 @@ async fn queue_or_send_stream_data_to_client(
send send
}; };
if let Some((endpoint, packet)) = send { if let Some((endpoint, packet)) = send {
socket.send_to(&packet, endpoint).await?; let _ = send_udp(socket, &packet, endpoint).await?;
} }
Ok(()) Ok(())
} }
@@ -3189,7 +3236,7 @@ async fn flush_stream_pending_data_to_client(
let Some((endpoint, packet)) = send else { let Some((endpoint, packet)) = send else {
return Ok(()); return Ok(());
}; };
socket.send_to(&packet, endpoint).await?; let _ = send_udp(socket, &packet, endpoint).await?;
} }
} }
@@ -3333,7 +3380,7 @@ async fn send_stream_packet_to_client(
found found
}; };
if let Some((endpoint, packet)) = send { if let Some((endpoint, packet)) = send {
socket.send_to(&packet, endpoint).await?; let _ = send_udp(socket, &packet, endpoint).await?;
} }
Ok(()) Ok(())
} }
@@ -3435,7 +3482,7 @@ async fn broadcast_output(
} }
} }
for (endpoint, packet) in sends { for (endpoint, packet) in sends {
socket.send_to(&packet, endpoint).await?; let _ = send_udp(socket, &packet, endpoint).await?;
} }
Ok(()) Ok(())
} }
@@ -3488,7 +3535,7 @@ async fn broadcast_session_exit(
persist::remove_runtime_dir(&sessions_dir, &session_name); persist::remove_runtime_dir(&sessions_dir, &session_name);
} }
for (endpoint, packet) in sends { for (endpoint, packet) in sends {
socket.send_to(&packet, endpoint).await?; let _ = send_udp(socket, &packet, endpoint).await?;
} }
Ok(()) Ok(())
} }
@@ -3519,11 +3566,9 @@ async fn retransmit_pending(
if pending.output_seq <= client.last_acked { if pending.output_seq <= client.last_acked {
continue; continue;
} }
if now.duration_since(pending.last_sent) >= Duration::from_millis(200) if now.duration_since(pending.last_sent) >= Duration::from_millis(200) {
&& pending.attempts < 8
{
pending.last_sent = now; pending.last_sent = now;
pending.attempts += 1; pending.attempts = pending.attempts.saturating_add(1);
sends.push((client.endpoint, pending.packet.clone())); sends.push((client.endpoint, pending.packet.clone()));
} }
} }
@@ -3597,7 +3642,7 @@ async fn retransmit_pending(
sends sends
}; };
for (endpoint, packet) in sends { for (endpoint, packet) in sends {
socket.send_to(&packet, endpoint).await?; let _ = send_udp(socket, &packet, endpoint).await?;
} }
Ok(()) Ok(())
} }
@@ -3693,7 +3738,7 @@ async fn maybe_rekey_clients(
sends sends
}; };
for (endpoint, packet) in sends { for (endpoint, packet) in sends {
socket.send_to(&packet, endpoint).await?; let _ = send_udp(socket, &packet, endpoint).await?;
} }
Ok(()) Ok(())
} }
@@ -3789,9 +3834,9 @@ fn cleanup_disconnected_clients(state: &Arc<Mutex<ServerState>>) {
.iter() .iter()
.filter(|(name, session)| { .filter(|(name, session)| {
!prewarm.contains(name.as_str()) !prewarm.contains(name.as_str())
&& session && session.empty_since.is_some_and(|since| {
.empty_since now.duration_since(since) >= empty_session_timeout(name, timeout)
.is_some_and(|since| now.duration_since(since) >= timeout) })
}) })
.map(|(name, _)| name.clone()) .map(|(name, _)| name.clone())
.collect(); .collect();
@@ -3810,6 +3855,14 @@ fn cleanup_disconnected_clients(state: &Arc<Mutex<ServerState>>) {
} }
} }
fn empty_session_timeout(name: &str, configured_timeout: Duration) -> Duration {
if protocol::is_implicit_session_name(name) {
configured_timeout.min(Duration::from_secs(IMPLICIT_EMPTY_SESSION_GRACE_SECS))
} else {
configured_timeout
}
}
/// Select the client key (current or retained previous epoch) matching the /// Select the client key (current or retained previous epoch) matching the
/// packet header's `session_key_id`, so a packet sealed under the pre-rekey key /// packet header's `session_key_id`, so a packet sealed under the pre-rekey key
/// during the grace window still decrypts while an expired/stale epoch is /// during the grace window still decrypts while an expired/stale epoch is
@@ -3856,7 +3909,7 @@ mod tests {
use super::*; use super::*;
#[test] #[test]
fn persists_named_sessions_when_enabled() { fn persists_terminal_sessions_when_enabled() {
let (pty_tx, _rx) = mpsc::unbounded_channel(); let (pty_tx, _rx) = mpsc::unbounded_channel();
let config = ServerConfig { let config = ServerConfig {
persist_sessions: true, persist_sessions: true,
@@ -3866,7 +3919,7 @@ mod tests {
let state = ServerState::new(config, [0u8; 32], pty_tx); let state = ServerState::new(config, [0u8; 32], pty_tx);
assert!(state.should_persist_session("default")); // prewarmed assert!(state.should_persist_session("default")); // prewarmed
assert!(state.should_persist_session("work")); // explicitly named assert!(state.should_persist_session("work")); // explicitly named
assert!(!state.should_persist_session("term-1781470634216-76685")); // one-off terminal assert!(state.should_persist_session("term-1781470634216-76685")); // one-off update-survivable terminal
} }
#[test] #[test]
@@ -4021,6 +4074,12 @@ mod tests {
Some((key, "work".to_string())) Some((key, "work".to_string()))
); );
assert!(state.client_mut(&client_id).is_some()); assert!(state.client_mut(&client_id).is_some());
state.sessions.get_mut("work").unwrap().empty_since = Some(Instant::now());
state.insert_client("work", [7u8; 16], test_client_state([9u8; 32]));
assert!(
state.sessions["work"].empty_since.is_none(),
"reattach must clear empty-since so cleanup cannot reap a live session"
);
// Removing purges both the session map and the index. // Removing purges both the session map and the index.
assert!(state.remove_client_everywhere(&client_id)); assert!(state.remove_client_everywhere(&client_id));
@@ -4060,6 +4119,83 @@ mod tests {
assert!(locked.lookup_client(&client_id).is_none()); assert!(locked.lookup_client(&client_id).is_none());
} }
#[test]
fn implicit_empty_session_timeout_is_bounded_for_update_reconnect() {
let configured = Duration::from_secs(2_592_000);
let implicit = protocol::generate_implicit_session_name();
assert_eq!(
empty_session_timeout(&implicit, configured),
Duration::from_secs(IMPLICIT_EMPTY_SESSION_GRACE_SECS)
);
assert_eq!(
empty_session_timeout("work", configured),
configured,
"named sessions keep the normal long timeout"
);
assert_eq!(
empty_session_timeout(&implicit, Duration::from_secs(1)),
Duration::from_secs(1),
"tests/admins can still configure a shorter timeout"
);
}
#[tokio::test]
async fn forged_plaintext_detach_does_not_remove_client() {
let (pty_tx, _pty_rx) = mpsc::unbounded_channel();
let mut state = ServerState::new(ServerConfig::default(), [0u8; 32], pty_tx);
state
.ensure_session("work", 80, 24, "forward-only", &[])
.unwrap();
let client_id = [21u8; 16];
let session_key = [22u8; 32];
state.insert_client("work", client_id, test_client_state(session_key));
let state = Arc::new(Mutex::new(state));
let mut packet = protocol::decode(
&protocol::encode_plain(PacketKind::Detach, client_id, 1, 0, b"").unwrap(),
)
.unwrap();
packet.header.session_key_id = protocol::session_key_id(&session_key);
assert!(handle_detach(&state, &packet).await.is_err());
let locked = state.lock().unwrap();
assert!(
locked.lookup_client(&client_id).is_some(),
"plaintext detach with a copied key id must not remove a live client"
);
}
#[tokio::test]
async fn authenticated_detach_removes_client() {
let (pty_tx, _pty_rx) = mpsc::unbounded_channel();
let mut state = ServerState::new(ServerConfig::default(), [0u8; 32], pty_tx);
state
.ensure_session("work", 80, 24, "forward-only", &[])
.unwrap();
let client_id = [23u8; 16];
let session_key = [24u8; 32];
state.insert_client("work", client_id, test_client_state(session_key));
let state = Arc::new(Mutex::new(state));
let packet = protocol::decode(
&protocol::encode_encrypted(
PacketKind::Detach,
client_id,
1,
0,
&session_key,
CLIENT_TO_SERVER,
b"",
)
.unwrap(),
)
.unwrap();
handle_detach(&state, &packet).await.unwrap();
let locked = state.lock().unwrap();
assert!(locked.lookup_client(&client_id).is_none());
}
#[tokio::test] #[tokio::test]
async fn duplicate_stream_open_for_open_stream_resends_ok() { async fn duplicate_stream_open_for_open_stream_resends_ok() {
let (pty_tx, _pty_rx) = mpsc::unbounded_channel(); let (pty_tx, _pty_rx) = mpsc::unbounded_channel();
@@ -4538,4 +4674,25 @@ mod tests {
}; };
remote_bind_allowed(&config, "0.0.0.0").unwrap(); remote_bind_allowed(&config, "0.0.0.0").unwrap();
} }
#[cfg(unix)]
#[test]
fn server_udp_send_classifier_treats_network_roaming_errors_as_transient() {
for code in [
libc::EADDRNOTAVAIL,
libc::ECONNREFUSED,
libc::ECONNRESET,
libc::EHOSTDOWN,
libc::EHOSTUNREACH,
libc::ENETDOWN,
libc::ENETRESET,
libc::ENETUNREACH,
libc::ETIMEDOUT,
] {
assert!(
is_transient_udp_send_error(&std::io::Error::from_raw_os_error(code)),
"expected errno {code} to be transient"
);
}
}
} }
+1
View File
@@ -23,3 +23,4 @@ pub mod pty;
pub mod server; pub mod server;
pub mod ssh_agent; pub mod ssh_agent;
pub mod transport; pub mod transport;
pub mod udp;
+1 -1
View File
@@ -280,7 +280,7 @@ pub fn decode(input: &[u8]) -> Result<Packet> {
pub fn decrypt_body(packet: &Packet, key: &[u8; 32], direction: u32) -> Result<Vec<u8>> { pub fn decrypt_body(packet: &Packet, key: &[u8; 32], direction: u32) -> Result<Vec<u8>> {
if packet.header.flags & 1 == 0 { if packet.header.flags & 1 == 0 {
return Ok(packet.body.clone()); bail!("packet body is not encrypted");
} }
let nonce = crypto::nonce_from(direction, packet.header.seq); let nonce = crypto::nonce_from(direction, packet.header.seq);
let aad = packet.header.aad(); let aad = packet.header.aad();
+120 -6
View File
@@ -13,6 +13,7 @@ use crate::transport::{
DoshTransport, SessionEvent, SessionRole, SessionTransportConfig, TransportConfig, DoshTransport, SessionEvent, SessionRole, SessionTransportConfig, TransportConfig,
service_name_from_target, service_name_from_target,
}; };
use crate::udp::is_transient_udp_send_error;
use anyhow::{Context, Result, anyhow, bail}; use anyhow::{Context, Result, anyhow, bail};
use ed25519_dalek::SigningKey; use ed25519_dalek::SigningKey;
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
@@ -97,6 +98,7 @@ pub enum DoshServerEvent {
Ignored, Ignored,
} }
#[derive(Debug, Clone)]
struct PendingServerAuth { struct PendingServerAuth {
client: native::NativeClientHello, client: native::NativeClientHello,
server: NativeServerHello, server: NativeServerHello,
@@ -255,7 +257,7 @@ impl DoshServer {
}; };
let body = protocol::to_body(&NativeServerHelloBody { hello })?; let body = protocol::to_body(&NativeServerHelloBody { hello })?;
let out = protocol::encode_plain(PacketKind::NativeServerHello, pending_id, 1, 0, &body)?; let out = protocol::encode_plain(PacketKind::NativeServerHello, pending_id, 1, 0, &body)?;
self.socket.send_to(&out, peer).await?; let _ = send_udp(&self.socket, &out, peer).await?;
Ok(()) Ok(())
} }
@@ -327,7 +329,7 @@ impl DoshServer {
peer: SocketAddr, peer: SocketAddr,
packet: &protocol::Packet, packet: &protocol::Packet,
) -> Result<DoshServerEvent> { ) -> Result<DoshServerEvent> {
let Some(pending) = self.pending.remove(&packet.header.conn_id) else { let Some(pending) = self.pending.get(&packet.header.conn_id).cloned() else {
self.send_reject(peer, packet.header.conn_id, "unknown native auth") self.send_reject(peer, packet.header.conn_id, "unknown native auth")
.await?; .await?;
return Ok(DoshServerEvent::Ignored); return Ok(DoshServerEvent::Ignored);
@@ -338,13 +340,28 @@ impl DoshServer {
return Ok(DoshServerEvent::Ignored); return Ok(DoshServerEvent::Ignored);
} }
if pending.created_at.elapsed() > self.config.auth_timeout { if pending.created_at.elapsed() > self.config.auth_timeout {
self.pending.remove(&packet.header.conn_id);
self.send_reject(peer, packet.header.conn_id, "native auth expired") self.send_reject(peer, packet.header.conn_id, "native auth expired")
.await?; .await?;
return Ok(DoshServerEvent::Ignored); return Ok(DoshServerEvent::Ignored);
} }
let body = protocol::decrypt_body(packet, &pending.session_key, CLIENT_TO_SERVER)?; let body = match protocol::decrypt_body(packet, &pending.session_key, CLIENT_TO_SERVER) {
let req: NativeUserAuthBody = protocol::from_body(&body)?; Ok(body) => body,
Err(_) => {
self.send_reject(peer, packet.header.conn_id, "native auth decrypt failed")
.await?;
return Ok(DoshServerEvent::Ignored);
}
};
let req: NativeUserAuthBody = match protocol::from_body(&body) {
Ok(req) => req,
Err(_) => {
self.send_reject(peer, packet.header.conn_id, "invalid native auth body")
.await?;
return Ok(DoshServerEvent::Ignored);
}
};
let services = match self.verify_auth_and_services(&pending, &req.auth) { let services = match self.verify_auth_and_services(&pending, &req.auth) {
Ok(services) => services, Ok(services) => services,
Err(err) => { Err(err) => {
@@ -353,6 +370,7 @@ impl DoshServer {
return Ok(DoshServerEvent::Ignored); return Ok(DoshServerEvent::Ignored);
} }
}; };
self.pending.remove(&packet.header.conn_id);
let conn_id = crypto::random_16(); let conn_id = crypto::random_16();
let key_id = protocol::session_key_id(&pending.session_key); let key_id = protocol::session_key_id(&pending.session_key);
@@ -381,7 +399,7 @@ impl DoshServer {
SERVER_TO_CLIENT, SERVER_TO_CLIENT,
&body, &body,
)?; )?;
self.socket.send_to(&out, peer).await?; let _ = send_udp(&self.socket, &out, peer).await?;
let transport = DoshTransport::new( let transport = DoshTransport::new(
Arc::clone(&self.socket), Arc::clone(&self.socket),
@@ -428,7 +446,7 @@ impl DoshServer {
reason: reason.to_string(), reason: reason.to_string(),
})?; })?;
let out = protocol::encode_plain(PacketKind::AttachReject, conn_id, 0, 0, &body)?; let out = protocol::encode_plain(PacketKind::AttachReject, conn_id, 0, 0, &body)?;
self.socket.send_to(&out, peer).await?; let _ = send_udp(&self.socket, &out, peer).await?;
Ok(()) Ok(())
} }
@@ -439,6 +457,14 @@ impl DoshServer {
} }
} }
async fn send_udp(socket: &UdpSocket, packet: &[u8], peer: SocketAddr) -> Result<bool> {
match socket.send_to(packet, peer).await {
Ok(_) => Ok(true),
Err(err) if is_transient_udp_send_error(&err) => Ok(false),
Err(err) => Err(err).with_context(|| format!("send UDP packet to {peer}")),
}
}
fn validate_requested_services( fn validate_requested_services(
allowed_services: &HashSet<String>, allowed_services: &HashSet<String>,
requests: &[ForwardingRequest], requests: &[ForwardingRequest],
@@ -477,6 +503,7 @@ mod tests {
use super::*; use super::*;
use crate::client::DoshClient; use crate::client::DoshClient;
use crate::config::{ClientConfig, HostsConfig}; use crate::config::{ClientConfig, HostsConfig};
use crate::protocol::{CLIENT_TO_SERVER, NativeUserAuthBody};
use crate::transport::TransportEvent; use crate::transport::TransportEvent;
use ed25519_dalek::SigningKey; use ed25519_dalek::SigningKey;
@@ -588,4 +615,91 @@ mod tests {
} }
} }
} }
#[tokio::test]
async fn bad_native_auth_does_not_consume_pending_challenge() {
let dir = tempfile::tempdir().unwrap();
let host_key = dir.path().join("host_key");
let authorized_keys = dir.path().join("authorized_keys");
let signing = SigningKey::from_bytes(&[93u8; 32]);
let keypair = ssh_key::private::Ed25519Keypair::from(&signing);
let private =
ssh_key::PrivateKey::new(ssh_key::private::KeypairData::from(keypair), "").unwrap();
std::fs::write(
&authorized_keys,
format!("{}\n", private.public_key().to_openssh().unwrap()),
)
.unwrap();
let server_config = ServerConfig {
host_key: host_key.to_string_lossy().to_string(),
authorized_keys: vec![authorized_keys.to_string_lossy().to_string()],
..ServerConfig::default()
};
let server_config = DoshServerConfig::new(server_config)
.bind_addr("127.0.0.1:0".parse().unwrap())
.require_current_user(false);
let mut server = DoshServer::bind(server_config).await.unwrap();
let peer: SocketAddr = "127.0.0.1:9".parse().unwrap();
let (client_secret, client_public) = native::generate_native_ephemeral();
let hello = native::NativeClientHello {
protocol_version: native::NATIVE_PROTOCOL_VERSION,
client_random: crypto::random_32(),
client_ephemeral_public: client_public,
requested_host: "127.0.0.1".to_string(),
requested_user: "sdk-user".to_string(),
requested_session: "test".to_string(),
requested_mode: "forward-only".to_string(),
terminal_size: (80, 24),
supported_aead: vec!["chacha20poly1305".to_string()],
supported_user_key_algorithms: vec!["ssh-ed25519".to_string()],
cached_host_key_fingerprint: None,
attach_ticket_envelope: None,
requested_env: Vec::new(),
};
let (pending_id, server_hello) = server.build_server_hello(hello.clone(), peer).unwrap();
let session_key = native::derive_native_session_key(
&client_secret,
server_hello.server_ephemeral_public,
&hello,
&server_hello,
)
.unwrap();
let auth = native::sign_user_auth(&signing, &hello, &server_hello, Vec::new()).unwrap();
let body = protocol::to_body(&NativeUserAuthBody { auth }).unwrap();
let bad = protocol::encode_encrypted(
PacketKind::NativeUserAuth,
pending_id,
2,
1,
&[7u8; 32],
CLIENT_TO_SERVER,
&body,
)
.unwrap();
let bad = protocol::decode(&bad).unwrap();
assert!(matches!(
server.handle_user_auth(peer, &bad).await.unwrap(),
DoshServerEvent::Ignored
));
assert!(server.pending.contains_key(&pending_id));
let valid = protocol::encode_encrypted(
PacketKind::NativeUserAuth,
pending_id,
2,
1,
&session_key,
CLIENT_TO_SERVER,
&body,
)
.unwrap();
let valid = protocol::decode(&valid).unwrap();
assert!(matches!(
server.handle_user_auth(peer, &valid).await.unwrap(),
DoshServerEvent::Accepted(_)
));
assert!(!server.pending.contains_key(&pending_id));
}
} }
+302 -14
View File
@@ -19,6 +19,7 @@ use crate::protocol::{
self, CLIENT_TO_SERVER, PacketKind, ReplayWindow, SERVER_TO_CLIENT, StreamClose, StreamData, self, CLIENT_TO_SERVER, PacketKind, ReplayWindow, SERVER_TO_CLIENT, StreamClose, StreamData,
StreamOpen, StreamOpenOk, StreamOpenReject, StreamWindowAdjust, StreamOpen, StreamOpenOk, StreamOpenReject, StreamWindowAdjust,
}; };
use crate::udp::is_transient_udp_send_error;
use anyhow::{Result, anyhow, bail}; use anyhow::{Result, anyhow, bail};
use std::collections::{BTreeMap, HashMap, HashSet, VecDeque}; use std::collections::{BTreeMap, HashMap, HashSet, VecDeque};
use std::net::SocketAddr; use std::net::SocketAddr;
@@ -120,6 +121,10 @@ pub struct AcceptedService {
#[derive(Debug, Clone, PartialEq, Eq)] #[derive(Debug, Clone, PartialEq, Eq)]
pub enum TransportEvent { pub enum TransportEvent {
Open(IncomingStreamOpen), Open(IncomingStreamOpen),
DuplicateOpen {
stream_id: u64,
response: OutgoingStreamPacket,
},
OpenOk { OpenOk {
stream_id: u64, stream_id: u64,
flushed: Vec<OutgoingStreamPacket>, flushed: Vec<OutgoingStreamPacket>,
@@ -257,6 +262,12 @@ impl StreamMux {
} }
pub fn accept_open(&mut self, open: StreamOpen) -> Result<IncomingStreamOpen> { pub fn accept_open(&mut self, open: StreamOpen) -> Result<IncomingStreamOpen> {
if self.pending_opens.contains_key(&open.stream_id) {
bail!(
"stream {} collides with a local pending open",
open.stream_id
);
}
self.opened_streams.insert(open.stream_id); self.opened_streams.insert(open.stream_id);
self.send_credit self.send_credit
.entry(open.stream_id) .entry(open.stream_id)
@@ -308,8 +319,17 @@ impl StreamMux {
if bytes.is_empty() { if bytes.is_empty() {
return Ok(Vec::new()); return Ok(Vec::new());
} }
if !self.opened_streams.contains(&stream_id) if !self.opened_streams.contains(&stream_id) {
|| self.send_credit.get(&stream_id).copied().unwrap_or(0) < bytes.len() if self.pending_opens.contains_key(&stream_id) {
self.pending_data
.entry(stream_id)
.or_default()
.push_back(bytes);
return Ok(Vec::new());
}
bail!("stream {stream_id} is not open");
}
if self.send_credit.get(&stream_id).copied().unwrap_or(0) < bytes.len()
|| self || self
.pending_data .pending_data
.get(&stream_id) .get(&stream_id)
@@ -348,8 +368,8 @@ impl StreamMux {
&mut self, &mut self,
adjust: StreamWindowAdjust, adjust: StreamWindowAdjust,
) -> Result<Vec<OutgoingStreamPacket>> { ) -> Result<Vec<OutgoingStreamPacket>> {
self.ack_data(adjust.stream_id, adjust.received_offset); let acked_bytes = self.ack_data(adjust.stream_id, adjust.received_offset);
self.add_credit(adjust.stream_id, adjust.bytes as usize); self.add_credit(adjust.stream_id, acked_bytes);
self.flush_pending_data(adjust.stream_id) self.flush_pending_data(adjust.stream_id)
} }
@@ -366,6 +386,12 @@ impl StreamMux {
match kind { match kind {
PacketKind::StreamOpen => { PacketKind::StreamOpen => {
let open: StreamOpen = protocol::from_body(body)?; let open: StreamOpen = protocol::from_body(body)?;
if self.opened_streams.contains(&open.stream_id) {
return Ok(TransportEvent::DuplicateOpen {
stream_id: open.stream_id,
response: Self::open_ok(open.stream_id)?,
});
}
self.accept_open(open).map(TransportEvent::Open) self.accept_open(open).map(TransportEvent::Open)
} }
PacketKind::StreamOpenOk => { PacketKind::StreamOpenOk => {
@@ -556,9 +582,9 @@ impl StreamMux {
(chunks, consumed, *expected) (chunks, consumed, *expected)
} }
fn ack_data(&mut self, stream_id: u64, received_offset: u64) { fn ack_data(&mut self, stream_id: u64, received_offset: u64) -> usize {
let Some(sent) = self.sent_data.get_mut(&stream_id) else { let Some(sent) = self.sent_data.get_mut(&stream_id) else {
return; return 0;
}; };
let acked_offsets = sent let acked_offsets = sent
.iter() .iter()
@@ -567,12 +593,16 @@ impl StreamMux {
(end <= received_offset).then_some(*offset) (end <= received_offset).then_some(*offset)
}) })
.collect::<Vec<_>>(); .collect::<Vec<_>>();
let mut acked_bytes = 0usize;
for offset in acked_offsets { for offset in acked_offsets {
sent.remove(&offset); if let Some(chunk) = sent.remove(&offset) {
acked_bytes = acked_bytes.saturating_add(chunk.bytes.len());
}
} }
if sent.is_empty() { if sent.is_empty() {
self.sent_data.remove(&stream_id); self.sent_data.remove(&stream_id);
} }
acked_bytes
} }
fn add_credit(&mut self, stream_id: u64, bytes: usize) { fn add_credit(&mut self, stream_id: u64, bytes: usize) {
@@ -620,7 +650,7 @@ impl DoshTransport {
ack_seq: config.initial_ack, ack_seq: config.initial_ack,
replay: ReplayWindow::default(), replay: ReplayWindow::default(),
mux: StreamMux::new(config.stream), mux: StreamMux::new(config.stream),
next_stream_id: 1, next_stream_id: initial_stream_id(config.role),
last_contact: now, last_contact: now,
last_keepalive: now, last_keepalive: now,
} }
@@ -664,7 +694,10 @@ impl DoshTransport {
pub fn allocate_stream_id(&mut self) -> u64 { pub fn allocate_stream_id(&mut self) -> u64 {
let id = self.next_stream_id; let id = self.next_stream_id;
self.next_stream_id = self.next_stream_id.saturating_add(1).max(1); self.next_stream_id = self
.next_stream_id
.wrapping_add(1)
.max(initial_stream_id(self.role));
id id
} }
@@ -732,11 +765,17 @@ impl DoshTransport {
if packet.header.conn_id != self.conn_id { if packet.header.conn_id != self.conn_id {
continue; continue;
} }
let plain = match protocol::decrypt_body(
&packet,
&self.session_key,
self.role.recv_direction(),
) {
Ok(plain) => plain,
Err(_) => continue,
};
if !self.replay.accept(packet.header.seq) { if !self.replay.accept(packet.header.seq) {
continue; continue;
} }
let plain =
protocol::decrypt_body(&packet, &self.session_key, self.role.recv_direction())?;
self.peer_addr = peer; self.peer_addr = peer;
self.ack_seq = self.ack_seq.max(packet.header.seq); self.ack_seq = self.ack_seq.max(packet.header.seq);
self.last_contact = Instant::now(); self.last_contact = Instant::now();
@@ -751,14 +790,21 @@ impl DoshTransport {
datagram: &[u8], datagram: &[u8],
peer: SocketAddr, peer: SocketAddr,
) -> Result<SessionEvent> { ) -> Result<SessionEvent> {
let packet = protocol::decode(datagram)?; let packet = match protocol::decode(datagram) {
Ok(packet) => packet,
Err(_) => return Ok(SessionEvent::Ignored),
};
if packet.header.conn_id != self.conn_id { if packet.header.conn_id != self.conn_id {
return Ok(SessionEvent::Ignored); return Ok(SessionEvent::Ignored);
} }
let plain =
match protocol::decrypt_body(&packet, &self.session_key, self.role.recv_direction()) {
Ok(plain) => plain,
Err(_) => return Ok(SessionEvent::Ignored),
};
if !self.replay.accept(packet.header.seq) { if !self.replay.accept(packet.header.seq) {
return Ok(SessionEvent::Ignored); return Ok(SessionEvent::Ignored);
} }
let plain = protocol::decrypt_body(&packet, &self.session_key, self.role.recv_direction())?;
self.peer_addr = peer; self.peer_addr = peer;
self.ack_seq = self.ack_seq.max(packet.header.seq); self.ack_seq = self.ack_seq.max(packet.header.seq);
self.last_contact = Instant::now(); self.last_contact = Instant::now();
@@ -793,6 +839,9 @@ impl DoshTransport {
async fn send_followups(&mut self, event: &TransportEvent) -> Result<()> { async fn send_followups(&mut self, event: &TransportEvent) -> Result<()> {
match event { match event {
TransportEvent::DuplicateOpen { response, .. } => {
self.send_outgoing(response.clone()).await?;
}
TransportEvent::OpenOk { flushed, .. } TransportEvent::OpenOk { flushed, .. }
| TransportEvent::WindowAdjust { flushed, .. } => { | TransportEvent::WindowAdjust { flushed, .. } => {
for packet in flushed.clone() { for packet in flushed.clone() {
@@ -815,7 +864,12 @@ impl DoshTransport {
async fn send_kind(&mut self, kind: PacketKind, body: &[u8]) -> Result<()> { async fn send_kind(&mut self, kind: PacketKind, body: &[u8]) -> Result<()> {
let encoded = self.encode_kind(kind, body)?; let encoded = self.encode_kind(kind, body)?;
self.socket.send_to(&encoded, self.peer_addr).await?; if let Err(err) = self.socket.send_to(&encoded, self.peer_addr).await {
if is_transient_udp_send_error(&err) {
return Ok(());
}
return Err(err.into());
}
Ok(()) Ok(())
} }
@@ -834,6 +888,13 @@ impl DoshTransport {
} }
} }
fn initial_stream_id(role: SessionRole) -> u64 {
match role {
SessionRole::Client => 1,
SessionRole::Server => 1u64 << 63,
}
}
pub fn service_target(name: &str) -> Result<String> { pub fn service_target(name: &str) -> Result<String> {
if name.is_empty() if name.is_empty()
|| !name || !name
@@ -980,6 +1041,30 @@ mod tests {
assert_eq!(data.bytes, b"!"); assert_eq!(data.bytes, b"!");
} }
#[test]
fn cumulative_window_adjust_restores_credit_even_if_delta_was_lost() {
let mut mux = StreamMux::new(TransportConfig {
initial_window: 5,
retransmit_after: Duration::from_secs(1),
..TransportConfig::default()
});
mux.open_stream(1, "@dosh-test", 0).unwrap();
mux.handle_open_ok(StreamOpenOk { stream_id: 1 }).unwrap();
assert_eq!(mux.send_data(1, b"hello".to_vec()).unwrap().len(), 1);
assert_eq!(mux.send_credit[&1], 0);
let flushed = mux
.handle_window_adjust(StreamWindowAdjust {
stream_id: 1,
received_offset: 5,
bytes: 0,
})
.unwrap();
assert!(flushed.is_empty());
assert_eq!(mux.send_credit[&1], 5);
assert_eq!(mux.send_data(1, b"!".to_vec()).unwrap().len(), 1);
}
#[test] #[test]
fn handle_packet_decodes_and_dispatches_stream_packets() { fn handle_packet_decodes_and_dispatches_stream_packets() {
let mut mux = StreamMux::new(TransportConfig::default()); let mut mux = StreamMux::new(TransportConfig::default());
@@ -1000,6 +1085,152 @@ mod tests {
); );
} }
#[test]
fn duplicate_stream_open_reacks_without_second_open_event() {
let mut mux = StreamMux::new(TransportConfig::default());
let open = StreamOpen {
stream_id: 9,
target_host: "@dosh-app".to_string(),
target_port: 0,
};
let body = protocol::to_body(&open).unwrap();
assert!(matches!(
mux.handle_packet(PacketKind::StreamOpen, &body).unwrap(),
TransportEvent::Open(_)
));
let duplicate = mux.handle_packet(PacketKind::StreamOpen, &body).unwrap();
match duplicate {
TransportEvent::DuplicateOpen {
stream_id,
response,
} => {
assert_eq!(stream_id, 9);
assert_eq!(response.kind, PacketKind::StreamOpenOk);
let ok: StreamOpenOk = decode(&response);
assert_eq!(ok.stream_id, 9);
}
other => panic!("unexpected duplicate open event {other:?}"),
}
}
#[test]
fn send_data_to_closed_or_unknown_stream_fails() {
let mut mux = StreamMux::new(TransportConfig::default());
mux.open_stream(1, "@dosh-test", 0).unwrap();
assert!(mux.send_data(1, b"queued".to_vec()).unwrap().is_empty());
mux.handle_open_ok(StreamOpenOk { stream_id: 1 }).unwrap();
mux.close_stream(1).unwrap();
assert!(mux.send_data(1, b"lost".to_vec()).is_err());
assert!(mux.send_data(99, b"lost".to_vec()).is_err());
}
#[tokio::test]
async fn session_transport_partitions_client_and_server_stream_ids() {
let client_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let server_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let client_addr = client_socket.local_addr().unwrap();
let server_addr = server_socket.local_addr().unwrap();
let key = [44u8; 32];
let conn_id = [8u8; 16];
let mut client = DoshTransport::new_owned(
client_socket,
SessionTransportConfig {
role: SessionRole::Client,
conn_id,
session_key: key,
peer_addr: server_addr,
initial_send_seq: 1,
initial_ack: 0,
stream: TransportConfig::default(),
},
);
let mut server = DoshTransport::new_owned(
server_socket,
SessionTransportConfig {
role: SessionRole::Server,
conn_id,
session_key: key,
peer_addr: client_addr,
initial_send_seq: 1,
initial_ack: 0,
stream: TransportConfig::default(),
},
);
assert_eq!(client.allocate_stream_id(), 1);
assert_eq!(client.allocate_stream_id(), 2);
assert_eq!(server.allocate_stream_id(), 1u64 << 63);
assert_eq!(server.allocate_stream_id(), (1u64 << 63) + 1);
}
#[tokio::test]
async fn session_transport_handles_simultaneous_opens_without_id_collision() {
let client_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let server_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let client_addr = client_socket.local_addr().unwrap();
let server_addr = server_socket.local_addr().unwrap();
let key = [45u8; 32];
let conn_id = [9u8; 16];
let mut client = DoshTransport::new_owned(
client_socket,
SessionTransportConfig {
role: SessionRole::Client,
conn_id,
session_key: key,
peer_addr: server_addr,
initial_send_seq: 1,
initial_ack: 0,
stream: TransportConfig::default(),
},
);
let mut server = DoshTransport::new_owned(
server_socket,
SessionTransportConfig {
role: SessionRole::Server,
conn_id,
session_key: key,
peer_addr: client_addr,
initial_send_seq: 1,
initial_ack: 0,
stream: TransportConfig::default(),
},
);
let client_stream = client.open_service("client_app").await.unwrap();
let server_stream = server.open_service("server_app").await.unwrap();
assert_ne!(client_stream, server_stream);
let server_seen = server.recv().await.unwrap();
let client_seen = client.recv().await.unwrap();
match server_seen {
SessionEvent::Stream(TransportEvent::Open(open)) => {
assert_eq!(open.stream_id, client_stream);
assert_eq!(open.target_host, "@dosh-client_app");
server.accept_stream(open.stream_id).await.unwrap();
}
other => panic!("unexpected server event {other:?}"),
}
match client_seen {
SessionEvent::Stream(TransportEvent::Open(open)) => {
assert_eq!(open.stream_id, server_stream);
assert_eq!(open.target_host, "@dosh-server_app");
client.accept_stream(open.stream_id).await.unwrap();
}
other => panic!("unexpected client event {other:?}"),
}
assert!(matches!(
client.recv().await.unwrap(),
SessionEvent::Stream(TransportEvent::OpenOk { stream_id, .. }) if stream_id == client_stream
));
assert!(matches!(
server.recv().await.unwrap(),
SessionEvent::Stream(TransportEvent::OpenOk { stream_id, .. }) if stream_id == server_stream
));
}
#[tokio::test] #[tokio::test]
async fn session_transport_opens_service_and_moves_data_over_encrypted_udp() { async fn session_transport_opens_service_and_moves_data_over_encrypted_udp() {
let client_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap(); let client_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
@@ -1096,4 +1327,61 @@ mod tests {
assert!(matches!(server.recv().await.unwrap(), SessionEvent::Ping)); assert!(matches!(server.recv().await.unwrap(), SessionEvent::Ping));
assert_eq!(server.peer_addr(), roaming_addr); assert_eq!(server.peer_addr(), roaming_addr);
} }
#[tokio::test]
async fn unauthenticated_datagram_does_not_poison_replay_window() {
let socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let peer: SocketAddr = "127.0.0.1:9".parse().unwrap();
let key = [11u8; 32];
let wrong_key = [12u8; 32];
let conn_id = [4u8; 16];
let mut transport = DoshTransport::new_owned(
socket,
SessionTransportConfig {
role: SessionRole::Client,
conn_id,
session_key: key,
peer_addr: peer,
initial_send_seq: 1,
initial_ack: 0,
stream: TransportConfig::default(),
},
);
let bad = protocol::encode_encrypted(
PacketKind::Pong,
conn_id,
9,
0,
&wrong_key,
SERVER_TO_CLIENT,
b"",
)
.unwrap();
let valid = protocol::encode_encrypted(
PacketKind::Pong,
conn_id,
9,
0,
&key,
SERVER_TO_CLIENT,
b"",
)
.unwrap();
assert!(matches!(
transport
.handle_datagram(b"not a dosh packet", peer)
.await
.unwrap(),
SessionEvent::Ignored
));
assert!(matches!(
transport.handle_datagram(&bad, peer).await.unwrap(),
SessionEvent::Ignored
));
assert!(matches!(
transport.handle_datagram(&valid, peer).await.unwrap(),
SessionEvent::Pong
));
}
} }
+98
View File
@@ -0,0 +1,98 @@
//! UDP error classification shared by Dosh clients, servers, and embedders.
pub fn is_transient_udp_send_error(err: &std::io::Error) -> bool {
matches!(
err.kind(),
std::io::ErrorKind::Interrupted
| std::io::ErrorKind::TimedOut
| std::io::ErrorKind::WouldBlock
) || err.raw_os_error().is_some_and(is_transient_udp_os_error)
}
#[cfg(unix)]
fn is_transient_udp_os_error(code: i32) -> bool {
matches!(
code,
libc::EADDRNOTAVAIL
| libc::ECONNREFUSED
| libc::ECONNRESET
| libc::EHOSTDOWN
| libc::EHOSTUNREACH
| libc::ENETDOWN
| libc::ENETRESET
| libc::ENETUNREACH
| libc::ETIMEDOUT
)
}
#[cfg(windows)]
fn is_transient_udp_os_error(code: i32) -> bool {
matches!(
code,
10049 // WSAEADDRNOTAVAIL
| 10050 // WSAENETDOWN
| 10051 // WSAENETUNREACH
| 10052 // WSAENETRESET
| 10054 // WSAECONNRESET
| 10060 // WSAETIMEDOUT
| 10061 // WSAECONNREFUSED
| 10064 // WSAEHOSTDOWN
| 10065 // WSAEHOSTUNREACH
)
}
#[cfg(not(any(unix, windows)))]
fn is_transient_udp_os_error(_code: i32) -> bool {
false
}
#[cfg(test)]
mod tests {
use super::is_transient_udp_send_error;
#[test]
fn classifies_portable_transient_send_errors() {
for kind in [
std::io::ErrorKind::Interrupted,
std::io::ErrorKind::TimedOut,
std::io::ErrorKind::WouldBlock,
] {
assert!(is_transient_udp_send_error(&std::io::Error::from(kind)));
}
assert!(!is_transient_udp_send_error(&std::io::Error::from(
std::io::ErrorKind::PermissionDenied,
)));
}
#[cfg(unix)]
#[test]
fn classifies_unix_network_churn_as_transient() {
for code in [
libc::EADDRNOTAVAIL,
libc::ECONNREFUSED,
libc::ECONNRESET,
libc::EHOSTDOWN,
libc::EHOSTUNREACH,
libc::ENETDOWN,
libc::ENETRESET,
libc::ENETUNREACH,
libc::ETIMEDOUT,
] {
assert!(is_transient_udp_send_error(
&std::io::Error::from_raw_os_error(code)
));
}
}
#[cfg(windows)]
#[test]
fn classifies_windows_network_churn_as_transient() {
for code in [
10049, 10050, 10051, 10052, 10054, 10060, 10061, 10064, 10065,
] {
assert!(is_transient_udp_send_error(
&std::io::Error::from_raw_os_error(code)
));
}
}
}
+141 -9
View File
@@ -258,7 +258,8 @@ fn relay_loop(
let mut upstream = new_upstream(); let mut upstream = new_upstream();
let mut client_addr: Option<SocketAddr> = None; let mut client_addr: Option<SocketAddr> = None;
let mut rng = StdRng::seed_from_u64(seed); let mut rng = StdRng::seed_from_u64(seed);
let mut held: Option<(Vec<u8>, bool)> = None; // (packet, is_c2s) held for reorder let mut held_c2s: Option<Vec<u8>> = None;
let mut held_s2c: Option<Vec<u8>> = None;
let mut buf = [0u8; 65535]; let mut buf = [0u8; 65535];
loop { loop {
@@ -288,10 +289,9 @@ fn relay_loop(
&upstream, &upstream,
server_addr, server_addr,
packet, packet,
true,
&controls, &controls,
&mut rng, &mut rng,
&mut held, &mut held_c2s,
); );
} }
} }
@@ -310,7 +310,12 @@ fn relay_loop(
let drop_pct = controls.drop_s2c_percent.load(Ordering::SeqCst); let drop_pct = controls.drop_s2c_percent.load(Ordering::SeqCst);
if drop_pct == 0 || rng.gen_range(0..100) >= drop_pct { if drop_pct == 0 || rng.gen_range(0..100) >= drop_pct {
forward_with_effects( forward_with_effects(
&front, dst, packet, false, &controls, &mut rng, &mut held, &front,
dst,
packet,
&controls,
&mut rng,
&mut held_s2c,
); );
} }
} }
@@ -336,23 +341,22 @@ fn forward_with_effects(
out: &UdpSocket, out: &UdpSocket,
dst: SocketAddr, dst: SocketAddr,
packet: Vec<u8>, packet: Vec<u8>,
is_c2s: bool,
controls: &RelayControls, controls: &RelayControls,
rng: &mut StdRng, rng: &mut StdRng,
held: &mut Option<(Vec<u8>, bool)>, held: &mut Option<Vec<u8>>,
) { ) {
// Reorder: if armed, hold this packet and release the previously held one // Reorder: if armed, hold this packet and release the previously held one
// afterward (so two consecutive packets swap order). // afterward (so two consecutive packets swap order).
if controls.reorder_next.swap(false, Ordering::SeqCst) { if controls.reorder_next.swap(false, Ordering::SeqCst) {
if let Some((prev, _)) = held.take() { if let Some(prev) = held.take() {
let _ = out.send_to(&packet, dst); let _ = out.send_to(&packet, dst);
let _ = out.send_to(&prev, dst); let _ = out.send_to(&prev, dst);
return; return;
} }
*held = Some((packet, is_c2s)); *held = Some(packet);
return; return;
} }
if let Some((prev, _)) = held.take() { if let Some(prev) = held.take() {
let _ = out.send_to(&prev, dst); let _ = out.send_to(&prev, dst);
} }
@@ -767,6 +771,46 @@ fn wait_for_text(socket: &UdpSocket, key: &[u8; 32], needle: &str, millis: u64)
acc.contains(needle) acc.contains(needle)
} }
fn wait_for_text_with_ack(
socket: &UdpSocket,
relay: &Relay,
client_id: [u8; 16],
seq: &mut u64,
key: &[u8; 32],
needle: &str,
millis: u64,
) -> bool {
let prev = socket.read_timeout().unwrap();
socket
.set_read_timeout(Some(Duration::from_millis(100)))
.unwrap();
let deadline = Instant::now() + Duration::from_millis(millis);
let mut acc = String::new();
while Instant::now() < deadline {
if let Some((_header, frame)) = recv_frame(socket, key) {
acc.push_str(&String::from_utf8_lossy(&frame.bytes));
let ack = protocol::encode_encrypted(
PacketKind::Ack,
client_id,
*seq,
frame.output_seq,
key,
CLIENT_TO_SERVER,
b"",
)
.unwrap();
*seq += 1;
socket.send_to(&ack, relay.front_addr()).unwrap();
if acc.contains(needle) {
socket.set_read_timeout(prev).unwrap();
return true;
}
}
}
socket.set_read_timeout(prev).unwrap();
acc.contains(needle)
}
#[test] #[test]
fn session_survives_packet_loss_and_reorder() { fn session_survives_packet_loss_and_reorder() {
let dir = tempfile::tempdir().unwrap(); let dir = tempfile::tempdir().unwrap();
@@ -820,6 +864,94 @@ fn session_survives_packet_loss_and_reorder() {
); );
} }
#[test]
#[ignore = "30-minute hostile-network TUI soak; run with `DOSH_BADNET_SOAK_SECONDS=1800 cargo test --test hostile_network bad_network_tui_work_soak_30m -- --ignored --nocapture`"]
fn bad_network_tui_work_soak_30m() {
let soak_secs = std::env::var("DOSH_BADNET_SOAK_SECONDS")
.ok()
.and_then(|value| value.parse::<u64>().ok())
.unwrap_or(30 * 60);
let dir = tempfile::tempdir().unwrap();
let port = free_udp_port();
let config = write_server_config(&dir, port);
let mut server = start_server(&dir, &config);
let relay = Relay::spawn(port, 0xBADC0DEu64);
let (socket, bootstrap, ok) = attach_through_relay(&config, &relay);
relay.set_drop_c2s(15);
relay.set_drop_s2c(20);
relay.set_dup(10);
let deadline = Instant::now() + Duration::from_secs(soak_secs);
let mut seq = 2u64;
let mut iteration = 0u64;
while Instant::now() < deadline {
if iteration.is_multiple_of(2) {
relay.arm_reorder();
}
if iteration > 0 && iteration.is_multiple_of(7) {
let _ = relay.rebind_upstream();
}
if iteration > 0 && iteration.is_multiple_of(11) {
relay.set_drop_s2c(100);
thread::sleep(Duration::from_millis(750));
relay.set_drop_s2c(20);
}
let marker = format!("DOSH_BADNET_TUI_{iteration}");
let command = format!(
"stty -echo; \
printf '\\033[?1049h\\033[?2026h\\033[?25l'; \
for i in 1 2 3 4 5 6; do \
printf '\\033[%s;4H{} ⠀⠁⠃⠇⡇⣇⣧⣷⣿ █▇▆▅▄▃▂▁ %s\\033[0m' \"$i\" \"$i\"; \
done; \
printf '\\033[?25h\\033[?2026l\\033[?1049l'\n",
marker
);
let step_deadline = Instant::now() + Duration::from_secs(8);
let mut seen = false;
let mut attempts = 0;
while Instant::now() < step_deadline && attempts < 12 {
send_input(
&socket,
&relay,
ok.client_id,
seq,
0,
&bootstrap.session_key,
command.as_bytes(),
);
seq += 1;
attempts += 1;
if wait_for_text_with_ack(
&socket,
&relay,
ok.client_id,
&mut seq,
&bootstrap.session_key,
&marker,
500,
) {
seen = true;
break;
}
}
assert!(
seen,
"TUI marker {marker} did not arrive during hostile-network soak"
);
iteration += 1;
thread::sleep(Duration::from_millis(500));
}
relay.clear_impairments();
drop(relay);
let _ = server.kill();
let _ = server.wait();
}
#[test] #[test]
fn duplicated_and_replayed_input_is_applied_at_most_once() { fn duplicated_and_replayed_input_is_applied_at_most_once() {
let dir = tempfile::tempdir().unwrap(); let dir = tempfile::tempdir().unwrap();
+271 -31
View File
@@ -18,7 +18,8 @@ use dosh::crypto;
use dosh::native::{host_public_key, load_or_create_host_key, ssh_ed25519_public_blob, trust_host}; use dosh::native::{host_public_key, load_or_create_host_key, ssh_ed25519_public_blob, trust_host};
use dosh::protocol::{ use dosh::protocol::{
self, AttachOk, AttachReject, BootstrapAttachRequest, CLIENT_TO_SERVER, Frame, Input, self, AttachOk, AttachReject, BootstrapAttachRequest, CLIENT_TO_SERVER, Frame, Input,
PacketKind, Resize, ResumeRequest, SERVER_TO_CLIENT, PacketKind, Resize, ResumeRequest, SERVER_TO_CLIENT, TicketAttachBody, TicketAttachEnvelope,
TicketAttachOkEnvelope,
}; };
use ed25519_dalek::{Signer, SigningKey, VerifyingKey}; use ed25519_dalek::{Signer, SigningKey, VerifyingKey};
@@ -530,6 +531,75 @@ fn direct_attach_session(
(socket, bootstrap, ok) (socket, bootstrap, ok)
} }
fn ticket_attach_session(
socket: &UdpSocket,
port: u16,
bootstrap: &dosh::auth::BootstrapResponse,
session: &str,
mode: &str,
) -> AttachOk {
let client_nonce = crypto::random_12();
let request_key = crypto::hkdf32(
&bootstrap.attach_ticket_psk,
&client_nonce,
b"dosh/ticket-attach-request/v1",
)
.unwrap();
let body = protocol::to_body(&TicketAttachBody {
session: session.to_string(),
mode: mode.to_string(),
cols: 80,
rows: 24,
requested_env: Vec::new(),
})
.unwrap();
let ciphertext = crypto::seal(
&request_key,
&client_nonce,
b"dosh-ticket-attach-request-v1",
&body,
)
.unwrap();
let envelope = TicketAttachEnvelope {
ticket: bootstrap.attach_ticket.clone(),
client_nonce,
ciphertext,
};
let packet = protocol::encode_plain(
PacketKind::TicketAttachRequest,
[0u8; 16],
1,
0,
&protocol::to_body(&envelope).unwrap(),
)
.unwrap();
socket
.send_to(&packet, format!("127.0.0.1:{port}"))
.unwrap();
let mut buf = [0u8; 65535];
let (n, _) = socket.recv_from(&mut buf).unwrap();
let packet = protocol::decode(&buf[..n]).unwrap();
assert_eq!(packet.header.kind, PacketKind::AttachOk);
let envelope: TicketAttachOkEnvelope = protocol::from_body(&packet.body).unwrap();
let mut salt = Vec::with_capacity(24);
salt.extend_from_slice(&client_nonce);
salt.extend_from_slice(&envelope.server_nonce);
let response_key = crypto::hkdf32(
&bootstrap.attach_ticket_psk,
&salt,
b"dosh/ticket-attach-ok/v1",
)
.unwrap();
let plain = crypto::open(
&response_key,
&envelope.server_nonce,
b"dosh-ticket-attach-ok-v1",
&envelope.ciphertext,
)
.unwrap();
protocol::from_body(&plain).unwrap()
}
#[allow(clippy::too_many_arguments)] #[allow(clippy::too_many_arguments)]
fn send_encrypted( fn send_encrypted(
socket: &UdpSocket, socket: &UdpSocket,
@@ -1038,6 +1108,117 @@ fn native_file_copy_recursive_round_trip() {
let _ = server.wait(); let _ = server.wait();
} }
#[test]
fn native_file_copy_resume_truncates_oversized_destinations() {
let dir = tempfile::tempdir().unwrap();
let port = free_udp_port();
let config = write_server_config(&dir, port);
write_native_client_auth(&dir, &config);
let mut server = start_server(&dir, &config);
let client_bin = env!("CARGO_BIN_EXE_dosh-client");
let local_short = dir.path().join("short.txt");
fs::write(&local_short, b"short\n").unwrap();
let seed_remote = Command::new(client_bin)
.arg("--dosh-host")
.arg("127.0.0.1")
.arg("--dosh-port")
.arg(port.to_string())
.arg("exec")
.arg("local")
.arg("printf 'short\\nSTALE' > \"$HOME/resume-upload.txt\"")
.env("HOME", dir.path())
.output()
.unwrap();
assert!(
seed_remote.status.success(),
"seed remote failed: stdout={} stderr={}",
String::from_utf8_lossy(&seed_remote.stdout),
String::from_utf8_lossy(&seed_remote.stderr)
);
let resume_upload = Command::new(client_bin)
.arg("--dosh-host")
.arg("127.0.0.1")
.arg("--dosh-port")
.arg(port.to_string())
.arg("cp")
.arg("--resume")
.arg(&local_short)
.arg("local:resume-upload.txt")
.env("HOME", dir.path())
.output()
.unwrap();
assert!(
resume_upload.status.success(),
"resume upload failed: stdout={} stderr={}",
String::from_utf8_lossy(&resume_upload.stdout),
String::from_utf8_lossy(&resume_upload.stderr)
);
let cat_upload = Command::new(client_bin)
.arg("--dosh-host")
.arg("127.0.0.1")
.arg("--dosh-port")
.arg(port.to_string())
.arg("cat")
.arg("local:resume-upload.txt")
.env("HOME", dir.path())
.output()
.unwrap();
assert!(
cat_upload.status.success(),
"cat upload failed: stdout={} stderr={}",
String::from_utf8_lossy(&cat_upload.stdout),
String::from_utf8_lossy(&cat_upload.stderr)
);
assert_eq!(String::from_utf8_lossy(&cat_upload.stdout), "short\n");
let seed_download = Command::new(client_bin)
.arg("--dosh-host")
.arg("127.0.0.1")
.arg("--dosh-port")
.arg(port.to_string())
.arg("exec")
.arg("local")
.arg("printf 'tiny\\n' > \"$HOME/resume-download.txt\"")
.env("HOME", dir.path())
.output()
.unwrap();
assert!(
seed_download.status.success(),
"seed download failed: stdout={} stderr={}",
String::from_utf8_lossy(&seed_download.stdout),
String::from_utf8_lossy(&seed_download.stderr)
);
let local_download = dir.path().join("resume-download-local.txt");
fs::write(&local_download, b"tiny\nSTALE").unwrap();
let resume_download = Command::new(client_bin)
.arg("--dosh-host")
.arg("127.0.0.1")
.arg("--dosh-port")
.arg(port.to_string())
.arg("cp")
.arg("--resume")
.arg("local:resume-download.txt")
.arg(&local_download)
.env("HOME", dir.path())
.output()
.unwrap();
assert!(
resume_download.status.success(),
"resume download failed: stdout={} stderr={}",
String::from_utf8_lossy(&resume_download.stdout),
String::from_utf8_lossy(&resume_download.stderr)
);
assert_eq!(fs::read_to_string(&local_download).unwrap(), "tiny\n");
let _ = server.kill();
let _ = server.wait();
}
#[test] #[test]
fn native_exec_command_smoke() { fn native_exec_command_smoke() {
let dir = tempfile::tempdir().unwrap(); let dir = tempfile::tempdir().unwrap();
@@ -1392,18 +1573,10 @@ fn server_retransmits_unacked_output_frames() {
); );
let mut seen = Vec::new(); let mut seen = Vec::new();
let mut duplicate = None; let deadline = std::time::Instant::now() + Duration::from_secs(4);
let deadline = std::time::Instant::now() + Duration::from_secs(3);
while std::time::Instant::now() < deadline { while std::time::Instant::now() < deadline {
if let Some((header, frame)) = recv_frame(&socket, &bootstrap.session_key) { if let Some((header, frame)) = recv_frame(&socket, &bootstrap.session_key) {
if String::from_utf8_lossy(&frame.bytes).contains("DOSH_RETRANSMIT") { if String::from_utf8_lossy(&frame.bytes).contains("DOSH_RETRANSMIT") {
if seen
.iter()
.any(|(_, output_seq)| *output_seq == frame.output_seq)
{
duplicate = Some((header.seq, frame.output_seq));
break;
}
seen.push((header.seq, frame.output_seq)); seen.push((header.seq, frame.output_seq));
} }
} }
@@ -1412,9 +1585,18 @@ fn server_retransmits_unacked_output_frames() {
let _ = server.kill(); let _ = server.kill();
let _ = server.wait(); let _ = server.wait();
let max_same_output_seq = seen
.iter()
.map(|(_, output_seq)| {
seen.iter()
.filter(|(_, candidate)| candidate == output_seq)
.count()
})
.max()
.unwrap_or(0);
assert!( assert!(
duplicate.is_some(), max_same_output_seq >= 10,
"expected retransmitted same output seq, seen={seen:?}" "expected retransmission to continue past the old 8-attempt ceiling, seen={seen:?}"
); );
} }
@@ -2732,7 +2914,7 @@ fn session_survives_server_restart_same_shell_and_screen() {
} }
#[test] #[test]
fn implicit_session_does_not_create_restart_holder() { fn implicit_session_survives_update_restart_via_ticket_reattach() {
let dir = tempfile::tempdir().unwrap(); let dir = tempfile::tempdir().unwrap();
let sessions_dir = dir.path().join("sessions"); let sessions_dir = dir.path().join("sessions");
let port = free_udp_port(); let port = free_udp_port();
@@ -2742,21 +2924,34 @@ fn implicit_session_does_not_create_restart_holder() {
let mut server = start_server(&dir, &config); let mut server = start_server(&dir, &config);
let (socket, bootstrap, ok) = direct_attach_session(&config, port, "read-write", &session); let (socket, bootstrap, ok) = direct_attach_session(&config, port, "read-write", &session);
let key = bootstrap.session_key; let key = bootstrap.session_key;
type_line(&socket, port, &ok, &key, 2, "cd /tmp\n");
type_line( type_line(
&socket, &socket,
port, port,
&ok, &ok,
&key, &key,
2, 3,
"export IMPLICIT_MARK=implicit_restart_42\n", "export IMPLICIT_MARK=implicit_restart_42\n",
); );
let _ = collect_frame_text(&socket, &key, 1000); type_line(
&socket,
port,
&ok,
&key,
4,
"printf 'IMPLICIT_SCREEN_MARKER\\n'\n",
);
let pre = collect_frame_text(&socket, &key, 1500);
assert!(
pre.contains("IMPLICIT_SCREEN_MARKER"),
"implicit marker missing before restart: {pre:?}"
);
thread::sleep(Duration::from_secs(3)); thread::sleep(Duration::from_secs(3));
let shell_pid_before = holder_shell_pid(&sessions_dir, &session); let shell_pid_before = holder_shell_pid(&sessions_dir, &session);
assert!( assert!(
shell_pid_before.is_none(), shell_pid_before.is_some(),
"implicit sessions must not get persistent holders when persistence is enabled" "implicit sessions must get temporary holders so active clients survive updates"
); );
let _ = server.kill(); let _ = server.kill();
@@ -2764,34 +2959,78 @@ fn implicit_session_does_not_create_restart_holder() {
thread::sleep(Duration::from_millis(300)); thread::sleep(Duration::from_millis(300));
let mut server = start_server(&dir, &config); let mut server = start_server(&dir, &config);
let (socket2, bootstrap2, ok2) = direct_attach_session(&config, port, "read-write", &session);
let key2 = bootstrap2.session_key; let resume = ResumeRequest {
session: session.clone(),
last_rendered_seq: ok.initial_seq,
cols: 80,
rows: 24,
};
send_encrypted(
&socket,
port,
PacketKind::ResumeRequest,
ok.client_id,
5,
0,
&key,
&protocol::to_body(&resume).unwrap(),
);
let mut buf = [0u8; 65535];
let deadline = std::time::Instant::now() + Duration::from_secs(2);
loop {
assert!(
std::time::Instant::now() < deadline,
"old live resume did not receive unknown-client reject"
);
let (n, _) = socket.recv_from(&mut buf).unwrap();
let packet = protocol::decode(&buf[..n]).unwrap();
if packet.header.kind == PacketKind::Frame {
continue;
}
assert_eq!(packet.header.kind, PacketKind::AttachReject);
assert_eq!(packet.header.conn_id, ok.client_id);
break;
}
let ok2 = ticket_attach_session(&socket, port, &bootstrap, &session, "read-write");
let key2 = ok2.session_key;
let snapshot = String::from_utf8_lossy(&ok2.snapshot).to_string();
type_line( type_line(
&socket2, &socket,
port, port,
&ok2, &ok2,
&key2, &key2,
2, 2,
"printf 'IMPLICIT_MARK=%s\\n' \"$IMPLICIT_MARK\"\n", "printf 'IMPLICIT_MARK=%s PWD=%s\\n' \"$IMPLICIT_MARK\" \"$PWD\"\n",
); );
let post = collect_frame_text(&socket2, &key2, 2000); let post = collect_frame_text(&socket, &key2, 2000);
let shell_pid_after = holder_shell_pid(&sessions_dir, &session); let shell_pid_after = holder_shell_pid(&sessions_dir, &session);
let _ = server.kill(); let _ = server.kill();
let _ = server.wait(); let _ = server.wait();
kill_holder(&sessions_dir, &session);
assert!( assert!(
shell_pid_after.is_none(), snapshot.contains("IMPLICIT_SCREEN_MARKER"),
"implicit restart attach must stay ephemeral" "ticket reattach snapshot must repaint the exact pre-update screen, got {snapshot:?}"
);
assert_eq!(
shell_pid_after, shell_pid_before,
"implicit update reconnect must use the same holder shell"
); );
assert!( assert!(
post.contains("IMPLICIT_MARK=") && !post.contains("implicit_restart_42"), post.contains("IMPLICIT_MARK=implicit_restart_42"),
"implicit session must start fresh after server restart, got {post:?}" "implicit session env must survive update reconnect, got {post:?}"
);
assert!(
post.contains("PWD=/tmp"),
"implicit session cwd must survive update reconnect, got {post:?}"
); );
} }
#[test] #[test]
fn startup_discards_legacy_implicit_holders() { fn startup_readopts_implicit_holders_for_update_reconnect() {
let dir = tempfile::tempdir().unwrap(); let dir = tempfile::tempdir().unwrap();
let sessions_dir = dir.path().join("sessions"); let sessions_dir = dir.path().join("sessions");
let port = free_udp_port(); let port = free_udp_port();
@@ -2811,13 +3050,14 @@ fn startup_discards_legacy_implicit_holders() {
let _ = server.kill(); let _ = server.kill();
let _ = server.wait(); let _ = server.wait();
assert!( assert!(
holder_shell_pid(&sessions_dir, &session).is_none(), holder_shell_pid(&sessions_dir, &session).is_some(),
"startup must remove old implicit holder metadata" "startup must keep live implicit holders so active update reconnects can reattach"
); );
assert!( assert!(
unsafe { libc::kill(shell_pid, 0) } != 0, unsafe { libc::kill(shell_pid, 0) } == 0,
"startup must shut down old implicit holder shell" "startup must not shut down a live implicit holder before reconnect grace"
); );
kill_holder(&sessions_dir, &session);
} }
#[test] #[test]
+13
View File
@@ -58,6 +58,19 @@ fn encrypted_packet_round_trips() {
assert_eq!(plain, b"hello"); assert_eq!(plain, b"hello");
} }
#[test]
fn plaintext_packet_never_decrypts_as_authenticated_body() {
let key = crypto::random_32();
let mut decoded = protocol::decode(
&protocol::encode_plain(PacketKind::Input, crypto::random_16(), 1, 0, b"hello").unwrap(),
)
.unwrap();
decoded.header.session_key_id = protocol::session_key_id(&key);
let err = protocol::decrypt_body(&decoded, &key, CLIENT_TO_SERVER).unwrap_err();
assert!(err.to_string().contains("not encrypted"));
}
#[test] #[test]
fn encrypted_packet_rejects_wrong_session_key_id_before_decrypt() { fn encrypted_packet_rejects_wrong_session_key_id_before_decrypt() {
let key = crypto::random_32(); let key = crypto::random_32();
+4
View File
@@ -25,6 +25,10 @@ fn systemd_service_does_not_sandbox_remote_shells() {
let install = include_str!("../install.sh"); let install = include_str!("../install.sh");
for raw in [service, install] { for raw in [service, install] {
assert!(raw.contains("KillMode=process")); assert!(raw.contains("KillMode=process"));
assert!(
raw.contains("Restart=always"),
"dosh-server should come back after accidental SIGTERM while preserving child shells"
);
for directive in [ for directive in [
"NoNewPrivileges=", "NoNewPrivileges=",
"PrivateTmp=", "PrivateTmp=",