https://gitlab.synchro.net/main/sbbs/-/commit/0e370436f223521060667d48
Modified Files:
src/ssh/TODO.md src/ssh/kex/curve25519-sha256.c dh-gex-sha256.c src/ssh/key_algo/rsa-sha2-256.c ssh-ed25519.c src/ssh/ssh-conn.c ssh-trans.c
Log Message:
Remove all 31 #ifndef DSSH_TESTING dead-code guards

Every guarded check is now live code that can be reached and tested:
- Buffer size checks in sign/pubkey (ed25519, rsa-sha2-256)
- EVP_PKEY_id type validation in haskey (ed25519, rsa-sha2-256)
- serialize_bn_mpint buffer overflow check (dh-gex)
- KEX ka/verify/pubkey/sign NULL checks (curve25519, dh-gex)
- send_extended_data len > window/max_packet check (ssh-conn)
- demux_dispatch chan_type == 0 check (ssh-conn)
- Channel cleanup ch != NULL check (ssh-conn)
- rekey_time == 0 check (ssh-trans)
- enc->blocksize < 8 checks (ssh-trans)
- kex_selected/handler NULL check (ssh-trans)
- All cleanup != NULL checks in newkeys/transport_cleanup (ssh-trans)
- Namelist overflow checks in KEXINIT building (ssh-trans)
- remote_languages cleanup (ssh-trans)

Only one legitimate guard remains: dssh_parse_string() in ssh-arch.c
checks a dssh_parse_uint32() contract invariant.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/ff68af17f401a99d55f7c16d
Modified Files:
src/ssh/TODO.md src/ssh/kex/dh-gex-sha256.c src/ssh/ssh-arch.c ssh-auth.c ssh-trans.c
Log Message:
Fix serialize overflow checks that can wrap size_t on 32-bit

Convert all *pos + N > bufsz bounds checks to subtraction form
(*pos > bufsz || N > bufsz - *pos) to prevent size_t wraparound.
Also fix flush_pending_banner() strlen-to-uint32_t truncation and serialize_namelist_from_str() silent truncation to UINT32_MAX.

Closes TODO items 2, 7, 21.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/b028ed8294067c58f4376e0d
Modified Files:
src/ssh/TODO.md src/ssh/kex/dh-gex-sha256.c mlkem768x25519-sha256.c sntrup761x25519-sha512.c src/ssh/ssh-auth.c ssh-conn.c ssh-internal.h ssh-trans.c src/ssh/test/CMakeLists.txt dssh_test_internal.h test_algo_key.c test_auth.c
Log Message:
Fix 6 bugs: resource leaks, NULL guards, silent hang, banner drain (items 71-82)

- Item 71: dssh_session_accept_channel() and dssh_channel_accept_raw()
leaked the inc parameter on early-return error paths; added free(inc)
to all error returns after the NULL-arg check
- Item 72: dssh_transport_init() leaked tx_mtx when rx_mtx init failed;
split combined mtx_init || into two checks with proper cleanup
- Item 77: DH-GEX dhgex_handler() leaked BIGNUM p on malformed GEX_GROUP
size-check failures; added BN_free(p) before two early returns
- Item 78: sntrup761x25519 and mlkem768x25519 KEX handlers called
ka->verify/pubkey/sign without NULL guards; added the same checks
that curve25519 and dh-gex already had
- Item 80: Setup mailbox malloc failure in demux_dispatch() silently
dropped the message, leaving setup_recv() blocked forever; added
setup_error flag so setup_recv() returns DSSH_ERROR_ALLOC
- Item 82: Auth banner handling only drained one SSH_MSG_USERAUTH_BANNER;
changed if to while in get_methods_impl() and auth_server_impl() KBI
path per RFC 4252 s5.4

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net