Re: Still confused about window adjust :-(

H.K. Kingston-Smith <HKK-S@xxxxxxxxx> wrote:
Thanks for your answers, which are most informative. However, I
believe that you are not addressing my two core issues here. Forget
about partial packets for a moment. Assuming that we have just sent
a complete SSH_MSG_CHANNEL_DATA packet of total length L, containing
a data string of length S, S < L, how does the window size change
after this? Does it decrease by S bytes? By L bytes? Something
else?

Window size is entirely about the actual channel data, not about the
SSH packets in which it is encapsulated, so it decreases by S bytes.
(Was this not already obvious from our previous discussions?)

About partial packets now. How can the SSH layer be sure that it
will get at least one complete SSH packet when reading data from the
network?

Indeed, it may not get a complete packet when doing a single network
read. So it continues to do network reads until it has managed to
put together a complete packet, and then it decrypts that packet,
verifies the MAC, and acts on it.

The receiving SSH layer doesn't need to look at network read
boundaries. It works solely on the basis of the stream of _data_
received. The first 8 bytes received (or more, depending on the
cipher block size) are decrypted to find the packet length and
padding values, which determines the total length of the current
packet. Then the receiver continues to read more data from the
network, waiting if necessary, until it has that much; it can then
decrypt the rest of the packet and verify the MAC. Then the next 8
bytes it receives are decrypted to find the next packet length, and
so on. So the only criterion is that the entire stream of data sent
down the SSH connection must be composed of complete packets
concatenated end-to-end. Anything else will confuse the decoder.

So if you really wanted to, you _could_ send part of a packet and
deliberately hold back the rest of it to send later; but if you did
that, then you would be committed to sending the rest of it before
you sent _anything else at all_. Also, the receiver wouldn't be able
to act on the partial packet, because it would be a security hazard
for it to do so without verifying the MAC. So while it's technically
_legal_, it's also totally pointless.
--
Simon Tatham "What a caterpillar calls the end of the
<anakin@xxxxxxxxx> world, a human calls a butterfly."
.