• src/ssh/CMakeLists.txt au

    From Deuc¿@VERT to Git commit to main/sbbs/m on Wed Mar 25 23:06:00 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/5929267a9f0471fa537d2315
    Modified Files:
    src/ssh/CMakeLists.txt audit-hardening.md
    Log Message:
    Implement OpenSSF compiler hardening flags (33 of 34)

    All flags from the OpenSSF Compiler Options Hardening Guide are now feature-probed at configure time via check_c_compiler_flag and check_linker_flag, supporting back to GCC 8 / Clang 7.

    Compile-time: -Wformat=2, -Wimplicit-fallthrough,
    -Werror=format-security, -Werror=implicit,
    -Werror=incompatible-pointer-types, -Werror=int-conversion,
    -D_FORTIFY_SOURCE=3, -fstrict-flex-arrays=3,
    -fstack-clash-protection, -fstack-protector-strong,
    -ftrivial-auto-var-init=zero, -fno-delete-null-pointer-checks,
    -fno-strict-overflow, -fno-strict-aliasing

    GCC-only: -Wtrampolines, -Wbidi-chars=any,
    -fzero-init-padding-bits=all

    Architecture: -fcf-protection=full (x86_64),
    -mbranch-protection=standard (aarch64)

    Linker: -Wl,-z,nodlopen, -Wl,-z,noexecstack,
    -Wl,--as-needed, -Wl,--no-copy-dt-needed-entries

    Deferred: -Wconversion (requires code changes for signedness).

    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/m on Wed Mar 25 23:06:00 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/3a6fded32d5a7b8597fddc22
    Modified Files:
    src/ssh/CMakeLists.txt audit-hardening.md src/ssh/kex/dh-gex-sha256.c src/ssh/key_algo/rsa-sha2-256.c src/ssh/ssh-arch.c ssh-auth.c ssh-trans.c src/ssh/test/test_algo_key.c test_alloc.c test_conn.c test_selftest.c
    Log Message:
    Enable -Wconversion: range-checked narrowing throughout

    All implicit narrowing conversions replaced with range-checked
    intermediate variables. Library code checks both lower and upper
    bounds before every narrowing assignment, with overflow guards
    before arithmetic. Test code uses explicit casts where safe.

    Hardening audit now 34 of 34 OpenSSF flags.

    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
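
The range-checked narrowing pattern that the second commit message describes (bounds proven before each narrowing assignment, overflow guard before arithmetic), as an added example that is not code from the Synchronet repository. The helper names and the length-prefixed string layout (4-byte big-endian length followed by payload) are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Under -Wconversion, "int n = v;" with an int64_t v is diagnosed.
 * Hypothetical helper: prove both bounds, then cast explicitly. */
static bool narrow_i64_to_int(int64_t v, int *out)
{
    if (v < INT_MIN || v > INT_MAX)
        return false;
    *out = (int)v;
    return true;
}

/* Hypothetical helper: size_t to the uint32 used for wire lengths. */
static bool narrow_size_to_u32(size_t v, uint32_t *out)
{
    if (v > UINT32_MAX)
        return false;
    *out = (uint32_t)v;
    return true;
}

/* Wire size of a length-prefixed string: 4-byte length + payload.
 * The overflow guard runs before the addition, not after it. */
static bool string_wire_len(size_t payload_len, uint32_t *wire_len)
{
    if (payload_len > SIZE_MAX - 4)
        return false;
    return narrow_size_to_u32(payload_len + 4, wire_len);
}

/* Read a big-endian uint32 length prefix and reject lengths that
 * exceed the bytes actually present after the prefix. */
static bool read_string_len(const uint8_t *buf, size_t buflen, size_t *len)
{
    if (buflen < 4)
        return false;
    uint32_t n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
               | ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (n > buflen - 4)
        return false;
    *len = n; /* widening on 32- and 64-bit targets, no cast needed */
    return true;
}
```

Each helper reports failure instead of truncating, so the caller decides how to reject an out-of-range value.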