https://gitlab.synchro.net/main/sbbs/-/commit/7ef8523720fab936c3da6e86
Modified Files:
src/ssh/kex/dh-gex-sha256.c src/ssh/test/test_alloc.c
Log Message:
DeuceSSH: reject weak DH-GEX groups below client_min
The client sends GEX_REQUEST(min=2048, n=4096, max=8192) but never
verified the bit-length of the server-provided p in GEX_GROUP. RFC
4419 §3 only SHOULDs that the server honor min; a hostile or
misconfigured server could downgrade to, say, a 768-bit group and the
client would complete the handshake, deriving session keys over a
Logjam-scale weak group before the host-key signature is checked.
Add a backend-neutral bit-length check in dhgex_client() before ops->client_keygen(), so both the OpenSSL and Botan backends benefit
from a single fix. Introduce a small mpint_bits() helper that walks
past the at-most-one 0x00 sign-pad byte and counts the remaining bits.
Reject with DSSH_ERROR_INVALID when |p| < client_min.
New negative test test_dhgex_client_group_too_small feeds a 768-bit p
through the existing bad_server_group_thread harness and confirms the
client rejects.
Co-Authored-By: Claude Opus 4.7 (1M context) <
[email protected]>
--- SBBSecho 3.37-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)