Skip to content

DoProtoId: skip pre-version banner lines#959

Merged
padelsbach merged 1 commit intowolfSSL:masterfrom
ejohnstown:proto
Apr 29, 2026
Merged

DoProtoId: skip pre-version banner lines#959
padelsbach merged 1 commit intowolfSSL:masterfrom
ejohnstown:proto

Conversation

@ejohnstown
Copy link
Copy Markdown
Contributor

@ejohnstown ejohnstown commented Apr 28, 2026

  1. Client skips non-SSH lines (RFC 4253 4.2); server rejects them
  2. 255-byte per-line cap and 10-line cap (WOLFSSH_MAX_BANNER_LINES)
  3. 28 test vectors plus scripted-IO mock for WANT_READ resumption

Issue: F-606

Copilot AI review requested due to automatic review settings April 28, 2026 22:57
Copilot AI reviewed Apr 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates SSH protocol identification parsing to follow RFC 4253 §4.2 by allowing clients to skip pre-version banner lines (while servers reject them), with explicit caps to prevent banner-based stalling.

Changes:

  • Add a configurable cap on pre-version banner lines (WOLFSSH_MAX_BANNER_LINES) and persist a banner-line counter in handshake state.
  • Replace the previous identification line read logic with a line-oriented reader enforcing the 255-octet per-line limit and supporting CRLF/LF terminators.
  • Add unit tests (including scripted non-blocking WANT_READ resumption) covering banner handling, limits, and error mappings.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
wolfssh/internal.h Adds WOLFSSH_MAX_BANNER_LINES, tracks banner line count in HandshakeInfo, and exposes wolfSSH_TestDoProtoId() for internal tests.
src/internal.c Implements GetInputLine() (255-byte cap) and updates DoProtoId() to skip/limit banner lines per endpoint role and to be robust across WANT_READ retries.
tests/unit.c Adds comprehensive DoProtoId unit tests plus a scripted IO recv mock to validate WANT_READ resumption and banner-line cap enforcement.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

padelsbach
padelsbach reviewed Apr 29, 2026
View reviewed changes
Comment thread src/internal.c Outdated
Comment thread src/internal.c Outdated
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed Apr 29, 2026
View reviewed changes
Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #959

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅

@ejohnstown
DoProtoId: skip pre-version banner lines
bf06ead 
1. Client skips non-SSH lines (RFC 4253 4.2); server rejects them
2. 255-byte per-line cap and 10-line cap (WOLFSSH_MAX_BANNER_LINES)
3. 28 test vectors plus scripted-IO mock for WANT_READ resumption

Issue: F-606
@padelsbach padelsbach merged commit 4dcaf6e into wolfSSL:master Apr 29, 2026
131 checks passed
@ejohnstown ejohnstown deleted the proto branch April 30, 2026 18:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left review comments

@padelsbach padelsbach padelsbach approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ejohnstown @padelsbach @wolfSSL-Fenrir-bot @wolfSSL-Bot