https://gitlab.synchro.net/main/sbbs/-/commit/a06e7e2cb45f81116329b146
Modified Files:
src/ssh/kex/dh-gex-sha256.c src/ssh/ssh-internal.h ssh-trans.c src/ssh/test/dssh_test_internal.h test_transport.c
Log Message:
Expose version_tx, parse_bn_mpint, dh_value_valid for testing; add 12 tests

Move DSSH_TESTABLE macro definition from ssh-trans.c to ssh-internal.h
so all library source files can use it.

Expose three static functions via DSSH_TESTABLE:
- version_tx (ssh-trans.c): sends the SSH version identification line
- parse_bn_mpint (dh-gex-sha256.c): parses an mpint from wire format
- dh_value_valid (dh-gex-sha256.c): validates DH e/f in [1, p-1]

Add test accessors dssh_test_set_sw_version/set_version_comment to
bypass set_version validation for defense-in-depth testing.

New tests:
- version_tx TOOLONG with oversized version string
- version_tx TOOLONG with oversized comment
- parse_bn_mpint: valid, short header, truncated data
- dh_value_valid: zero, negative, equal to p, greater than p,
valid interior, boundary values (1 and p-1)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/c0bcf664ecd60723b2ff6b48
Modified Files:
src/ssh/kex/dh-gex-sha256.c src/ssh/test/dssh_test_internal.h test_transport.c
Log Message:
Add unit tests for formerly-guarded paths

Tests for code paths that were previously hidden behind
#ifndef DSSH_TESTING guards:

- guard/rekey_time_zero: rekey_needed returns false when rekey_time==0
- guard/blocksize_lt8: enc module with blocksize=1 (clamped to 8)
- guard/ed25519_sign_small_buf: sign with 4-byte buffer  TOOLONG
- guard/ed25519_pubkey_small_buf: pubkey with 4-byte buffer  TOOLONG
- guard/rsa_sign_small_buf: sign with 4-byte buffer  TOOLONG
- guard/rsa_pubkey_small_buf: pubkey with 4-byte buffer  TOOLONG
- guard/bn_mpint_small_buf: serialize_bn_mpint with 4-byte buffer  TOOLONG

Expose serialize_bn_mpint as DSSH_TESTABLE for direct testing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/90c0fe97d40e233d74210d18
Modified Files:
src/ssh/kex/dh-gex-sha256.c src/ssh/test/dssh_test_internal.h dssh_test_ossl.c dssh_test_ossl.h test_alloc.c test_transport.c
Log Message:
DH-GEX coverage: thread-local ossl filter, client iterate, server tests

Add per-thread ossl injection filter: _Thread_local ossl_this_thread
defaults to true (all threads participate, backward compatible). dssh_test_ossl_exclude_thread() lets a thread opt out so its ossl
calls pass straight through without incrementing the counter. This
enables two-threaded KEX tests where only one side is injected.

ossl/kex_client iterate: two-threaded DH-GEX with the server thread
excluded from injection. Covers all client-side ossl failure paths (BN_CTX_new, BN_new, BN_rand, BN_mod_exp, EVP_Digest*, verify).

DH-GEX server targeted tests (10 tests in test_transport.c):
- NULL pubkey/sign function pointers
- recv failure (no packets / partial packets)
- wrong msg_type for GEX_REQUEST and GEX_INIT
- short GEX_REQUEST payload
- NULL provider / provider returning error
- invalid e value (e=0)

DH-GEX helper tests (3 tests in test_transport.c):
- serialize_bn_mpint malloc failure via alloc injection
- serialize_bn_mpint with BN value 0 (bn_bytes == 0 branch)
- compute_exchange_hash alloc iterate (serialize_bn_mpint mres
failures covering all 5 ok && (mres == 0) False branches)

Source cleanup in dh-gex-sha256.c:
- parse_bn_mpint: wrap dead dssh_parse_uint32 check in
#ifndef DSSH_TESTING (matching ssh-arch.c pattern)
- compute_exchange_hash: fold int ok = EVP_DigestInit_ex(...)
to eliminate dead ok && short-circuit on first use
- compute_exchange_hash made DSSH_TESTABLE for direct testing

DH-GEX branch coverage: 78.52%  90.80% (55  23 missed).
Overall: 83.56%  85.71% (414  359 missed).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/405365deef5dbd0cfaadcde4
Modified Files:
src/ssh/kex/dh-gex-sha256.c src/ssh/test/dssh_test_alloc.c dssh_test_alloc.h test_alloc.c test_transport.c
Log Message:
dh-gex-sha256.c: 100% branch coverage

Thread-local alloc injection: add dssh_test_alloc_exclude_thread()
matching the ossl pattern, so server threads can opt out of library
malloc failure injection during two-threaded KEX tests.

alloc/kex_server iterate: single-threaded server KEX with library
alloc injection via dssh_test_alloc_fail_after(). Covers malloc
failures in serialize_bn_mpint, shared_secret, reply buffer, and
exchange_hash on the server path.

alloc/kex_client iterate: two-threaded KEX with server excluded
from alloc injection. Covers client-side malloc failures.

Client ka guard tests: two-threaded KEX with client's
key_algo_selected set to NULL or stub with NULL verify.

Client parse tests (7 tests via bad-server threads):
- recv GROUP failure (server closes before sending)
- GEX_GROUP empty / missing g
- GEX_REPLY wrong msg_type
- GEX_REPLY too short for K_S / K_S overrun
- GEX_REPLY f=0 (invalid DH value)
- GEX_REPLY too short for sig / sig overrun

Server ka==NULL targeted test.

Source cleanup: break client-side K_S and sig parse chains out of
|| expressions, guard dead dssh_parse_uint32 checks with
#ifndef DSSH_TESTING (same pattern as parse_bn_mpint line 60).

Result: dh-gex-sha256.c 246/246 branches covered (100.00%).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net