Skip to content

rekey: trigger highwater on per-key packet count#963

Open
ejohnstown wants to merge 1 commit intowolfSSL:masterfrom
ejohnstown:seq
Open

rekey: trigger highwater on per-key packet count#963
ejohnstown wants to merge 1 commit intowolfSSL:masterfrom
ejohnstown:seq

Conversation

@ejohnstown
Copy link
Copy Markdown
Contributor

@ejohnstown ejohnstown commented May 6, 2026

  • Track txMsgCount/rxMsgCount per key epoch and reset on NEW_KEYS; seq/peerSeq still wrap freely per RFC 4253 Sec 6.4.
  • Extend HighwaterCheck to fire highwaterCb when packet count crosses msgHighwaterMark (default 2^31, RFC 4344 Sec 3.1).
  • Add wolfSSH_CTX_SetMsgHighwater / SetMsgHighwater / GetMsgHighwater.

Issue: F-246

Copilot AI reviewed May 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds per-key-epoch packet counters and a configurable packet-count “highwater” threshold to trigger the existing highwater callback (typically causing a rekey), aligning with RFC 4344 guidance on limiting packets per key.

Changes:

  • Track txMsgCount / rxMsgCount per key epoch and reset them on NEWKEYS.
  • Extend HighwaterCheck() to also fire the highwater callback when the per-key packet count reaches msgHighwaterMark (default 2^31).
  • Add public APIs to set/get the message highwater mark: wolfSSH_CTX_SetMsgHighwater(), wolfSSH_SetMsgHighwater(), wolfSSH_GetMsgHighwater().

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
wolfssh/ssh.h Adds public API declarations for configuring per-key packet-count highwater marks.
wolfssh/internal.h Adds msg-highwater defaults and new per-key packet counters/flags to internal structs.
src/ssh.c Implements the new msg-highwater set/get APIs.
src/internal.c Integrates msg-count checks into HighwaterCheck() and resets/increments msg counters across key epochs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/internal.c
Comment thread src/internal.c
@ejohnstown ejohnstown requested a review from Copilot May 6, 2026 00:56
Copilot AI reviewed May 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread wolfssh/internal.h Outdated
Comment thread src/ssh.c
@ejohnstown
rekey: trigger highwater on per-key packet count
097dd4b 
- Track txMsgCount/rxMsgCount per key epoch and reset on NEW_KEYS;
  seq/peerSeq still wrap freely per RFC 4253 Sec 6.4.
- Extend HighwaterCheck to fire highwaterCb when packet count crosses
  msgHighwaterMark (default 2^31, RFC 4344 Sec 3.1).
- Add wolfSSH_CTX_SetMsgHighwater / SetMsgHighwater / GetMsgHighwater.

Issue: F-246
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed May 7, 2026
View reviewed changes
Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #963

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅

padelsbach
padelsbach reviewed May 8, 2026
View reviewed changes
Comment thread src/internal.c
Comment thread wolfssh/ssh.h
@padelsbach
Copy link
Copy Markdown
Contributor

padelsbach commented May 8, 2026

can you add test cases for the new public api's?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@padelsbach padelsbach padelsbach left review comments

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left review comments

@JacobBarthelmeh JacobBarthelmeh Awaiting requested review from JacobBarthelmeh

At least 1 approving review is required to merge this pull request.

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ejohnstown @padelsbach @wolfSSL-Fenrir-bot @wolfSSL-Bot