BBS: TELESC.NET.BR
Subject: src/ssh/kex/dh-gex-sha256.c src/ssh/test/test_alloc.c
From: Deuce
Date: Thu, 23 Apr 2026 18:36:00 -0700
-----------------------------------------------------------
https://gitlab.synchro.net/main/sbbs/-/commit/7ef8523720fab936c3da6e86

Modified Files:
  src/ssh/kex/dh-gex-sha256.c src/ssh/test/test_alloc.c

Log Message:
DeuceSSH: reject weak DH-GEX groups below client_min

The client sends GEX_REQUEST(min=2048, n=4096, max=8192) but never verified the bit-length of the server-provided p in GEX_GROUP. RFC 4419 §3 only SHOULDs that the server honor min; a hostile or misconfigured server could downgrade to, say, a 768-bit group and the client would complete the handshake, deriving session keys over a Logjam-scale weak group before the host-key signature is checked.

Add a backend-neutral bit-length check in dhgex_client() before ops->client_keygen(), so both the OpenSSL and Botan backends benefit from a single fix. Introduce a small mpint_bits() helper that walks past the at-most-one 0x00 sign-pad byte and counts the remaining bits. Reject with DSSH_ERROR_INVALID when |p| < client_min.

New negative test test_dhgex_client_group_too_small feeds a 768-bit p through the existing bad_server_group_thread harness and confirms the client rejects.

Co-Authored-By: Claude Opus 4.7 (1M context)

---
Synchronet  Vertrauen  Home of Synchronet  [vert/cvs/bbs].synchro.net
-----------------------------------------------------------
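An added example, not the DeuceSSH code from this commit: one way to implement the bit-length check the log message describes, assuming p arrives as an RFC 4251 wire-format mpint (uint32 length, then the value bytes). The function names, signatures and the all-ones sample values are hypothetical, and rejecting negative or over-padded values goes beyond what the message states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit length of a positive SSH mpint (RFC 4251) in wire form. Returns 0 if it
 * is truncated, zero, negative, or padded with more than one 0x00 byte. */
static size_t example_mpint_bits(const uint8_t *wire, size_t wire_len)
{
    if (wire == NULL || wire_len < 4) return 0;
    size_t len = 0;                         /* uint32 big-endian length */
    for (int i = 0; i < 4; i++) len = (len << 8) | wire[i];
    if (len == 0 || len > wire_len - 4) return 0;
    const uint8_t *v = wire + 4;            /* big-endian two's complement */
    if (v[0] & 0x80) return 0;              /* sign bit set: negative */
    if (v[0] == 0x00) {                     /* at most one sign-pad byte */
        v++;
        if (--len == 0 || !(v[0] & 0x80)) return 0; /* zero or needless pad */
    }
    size_t bits = len * 8;
    for (uint8_t top = v[0]; !(top & 0x80); top <<= 1) bits--;
    return bits;                            /* leading zero bits dropped */
}

/* 0 if the server-supplied p has at least client_min bits, else -1. */
static int example_check_group(const uint8_t *p, size_t n, size_t client_min)
{
    return example_mpint_bits(p, n) >= client_min ? 0 : -1;
}

/* Constructed sample, not a real prime: `bits` one-bits (multiple of 8). */
static size_t example_build_group(uint8_t *out, size_t bits)
{
    size_t len = bits / 8 + 1;              /* magnitude plus one pad byte */
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(len >> (24 - 8 * i));
    out[4] = 0x00;
    memset(out + 5, 0xFF, bits / 8);
    return 4 + len;
}

int main(void)
{
    uint8_t buf[600];
    size_t sizes[] = { 768, 2048, 4096 };
    for (size_t i = 0; i < 3; i++) {
        size_t n = example_build_group(buf, sizes[i]);
        printf("%zu-bit p: %s\n", sizes[i],
               example_check_group(buf, n, 2048) ? "reject" : "accept");
    }
    return 0;
}
```

The check runs on the raw wire bytes, so it needs no bignum library and can sit ahead of either crypto backend.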