Fixing terrapin, again

pmeunier
May 29, 2024, 8:15 PM
EZTTZ6OWY4X4COIXNQZFE3C7G6F36XOVCST7PXU7THFNSPRKNWWAC

Dependencies

  • [2] D6H7OWTT Fixing the terrapin attack mitigation
  • [3] 662ZS5JF Version 0.33.2
  • [4] 2Q3SZY2C Version bump
  • [5] ORSEEVB5 Version bump
  • [6] 7FRJYUI6 Reboot because of a bad change
  • [7] 432ETREA If tokio::select! returns an error, return it
  • [8] G3FNNIIU Limiting the amount of messages that can be buffered while rekeying to two channel windows
  • [9] PDTFLA4Y Version 0.30.7
  • [10] 7Y2ROIVZ Version bump
  • [11] ASD7JVBE Do not read past the size of the buffer (after Tokio 0.3)
  • [12] WXZWQLGL Correct negotiation without OpenSSL
  • [13] VYDCQWSF Version 0.30.6
  • [14] E2SB74SV Version 0.30.3
  • [15] FT67GGO4 Version bump (Pijul and Thrussh)
  • [16] OQZGSEWM Buffering non-kex packets received after issuing a KEXINIT
  • [17] TFYJ3P2A Version 0.30.8/0.19.4, and solving conflicts
  • [18] BRDS7STA Adding method `send_channel_msg` to client::Session, to make it easier to write handlers
  • [19] CQSPFH4H Version 0.30.4
  • [20] 2VTUKRLJ Version
  • [21] KNLLUDOI Correct usage of `tokio::select!`
  • [22] CWHVPLXN Version bump
  • [23] 2WEO7OZL Version updates: getting rid of anyhow + moving to Tokio 1.0
  • [24] DJT33BQE Version bump
  • [25] 634OYCNM Tokio 0.3
  • [*] 2SFWWZ2R Rearm reading future on empty packet, and respond to server-initiated key re-exchange

Change contents

  • edit in thrussh/src/server/mod.rs at line 33
    [3.204329][3.204329:204351]()
    pub use self::kex::*;
  • replacement in thrussh/src/server/mod.rs at line 495
    [3.34][3.34:88]()
    let (stream_read, buffer) = match r {
    [3.34]
    [3.88]
    let (stream_read, mut buffer) = match r {
  • edit in thrussh/src/server/mod.rs at line 518
    [3.219713]
    [27.0]
  • edit in thrussh/src/server/mod.rs at line 525
    [27.210]
    [27.210]
    if buffer.strict && buf[0] == crate::msg::NEWKEYS {
    buffer.seqn = std::num::Wrapping(0u32);
    }
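    Review bot: `buf[0]` in the new condition at line 525 is indexed with no length check visible in this hunk, so an empty `buf` reaching this point would panic rather than return an error. Consider `buf.first() == Some(&crate::msg::NEWKEYS)`, or document the invariant that guarantees `buf` is non-empty here. A one-line comment saying this is the strict key exchange sequence-number reset on receipt of NEWKEYS would also help the next reader.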
  • edit in thrussh/src/server/mod.rs at line 692
    [3.225097]
    [3.225097]
    // if session.common.read_buffer.strict {
    // session.common.read_buffer.seqn = 0;
    // }
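    Review bot: the commented-out block at line 692 should be dropped rather than committed. It assigns a bare `0` to `seqn` where the live hunks assign `std::num::Wrapping(0u32)`, so it does not match the code it shadows, and it leaves it unclear which site owns the read-side reset. If the intent is to record that the reset moved, a short comment naming the new location is clearer.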
  • edit in thrussh/src/server/kex.rs at line 117
    [3.229940]
    [3.229940]
    if write_buffer.strict {
    write_buffer.seqn = std::num::Wrapping(0);
    }
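    Review bot: the write-side reset at kex.rs line 117 has no comment on ordering, and ordering is what makes it correct: under strict key exchange the counter goes back to zero only after the outgoing NEWKEYS packet has been written with the old sequence number. The hunk does not show where NEWKEYS is written relative to this `if`, so please state that in a comment. Minor: this site writes `Wrapping(0)` while the read-side hunks write `Wrapping(0u32)`; pick one form.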
  • replacement in thrussh/src/client/mod.rs at line 863
    [3.265][3.265:323]()
    let (stream_read, buffer) = match r {
    [3.265]
    [3.323]
    let (stream_read, mut buffer) = match r {
  • edit in thrussh/src/client/mod.rs at line 886
    [27.716]
    [27.716]
    if buffer.strict && buf[0] == crate::msg::NEWKEYS {
    buffer.seqn = std::num::Wrapping(0u32);
    }
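    Review bot: this check at client/mod.rs line 886 is a copy of the one added in thrussh/src/server/mod.rs at line 525, including the unchecked `buf[0]`. Moving it into a single method on the read buffer (for instance a hypothetical `reset_seqn_on_newkeys(&buf)`) would keep client and server from drifting apart, which is worth having for a mitigation that has already needed a follow-up fix.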
  • edit in thrussh/src/client/encrypted.rs at line 87
    [3.387459]
    [3.387459]
    if self.common.write_buffer.strict {
    self.common.write_buffer.seqn = std::num::Wrapping(0);
    }
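    Review bot: the `strict` reset at client/encrypted.rs line 87, like the other three resets in this change, comes with no test; the change touches only server/mod.rs, server/kex.rs, client/mod.rs, client/encrypted.rs and Cargo.toml. A regression test asserting that `read_buffer.seqn` and `write_buffer.seqn` are both zero after NEWKEYS when `strict` is set, and unchanged when it is not, would pin the behaviour on both sides.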
  • replacement in thrussh/Cargo.toml at line 5
    [3.426214][2.2591:2610]()
    version = "0.35.1"
    [3.426214]
    [3.426233]
    version = "0.35.3"