https://gitlab.synchro.net/main/sbbs/-/commit/2080be53f439dce31f032b92
Modified Files:
src/ssh/README.md src/ssh/comp/none.c src/ssh/kex/curve25519-sha256.c dh-gex-sha256.c src/ssh/key_algo/rsa-sha2-256.c rsa-sha2-256.h ssh-ed25519.c ssh-ed25519.h src/ssh/server.c ssh-auth.c ssh-auth.h ssh-trans.c ssh-trans.h
Log Message:
DeuceSSH: per-algorithm key contexts, key management API, security hardening
Key management:
- Move key_algo_ctx from per-session to per-algorithm registration entry, enabling multiple host keys simultaneously
- Server KEXINIT only advertises algorithms with loaded keys (haskey filtering with EVP_PKEY type validation)
- Key load/save functions no longer take a session parameter
- Add passphrase support via pem_password_cb (AES-256-CBC encryption)
- Add save_key_file, save_pub_file (OpenSSH format), get_pub_str (size-query pattern) for both ed25519 and rsa-sha2-256
- auth_publickey() no longer takes explicit ctx parameter

Security hardening (from systematic audit of all built-in modules):
- OPENSSL_cleanse on X25519 shared secrets before free
- BN_clear_free for DH private exponents (x, y) and shared secret K
- Cleanse serialize_bn_mpint temp buffers and exchange hash mpbuf
- Validate algorithm names in verify() for both ed25519 and RSA (was skipping over without checking)
- Reject trailing data in key/sig blobs in both verify() functions
- Check EVP_PKEY_get_raw_public_key and EVP_PKEY_derive returns
- Bump sig_buf 256->1024 and k_s_buf 512->1024 for RSA-4096
- Fix compression interface: uint8_t *bufsz -> size_t *bufsz
- Check fprintf/fclose returns in save_key_file/save_pub_file
- Initialize ka->ctx = NULL in both register functions

Tested: DeuceSSH<->DeuceSSH, OpenSSH 9.9 client/server, Synchronet/cryptlib (DH-GEX + RSA + AES-256-CTR + HMAC-SHA-256).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
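As an added illustration of the "validate algorithm names" and "reject trailing data in key/sig blobs" items in the commit message above (example code written here, not DeuceSSH's own verify() implementation): a parser for an ssh-ed25519 public key blob in RFC 4253 wire format that accepts the blob only when the algorithm name matches, the key is exactly 32 bytes, and nothing follows it. The blob_accepted() helper and its 0x42 key bytes are constructed test data, not a real key.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Read one SSH "string" (uint32 big-endian length, then bytes) at *off.
 * Bounds are checked by subtraction so the length field cannot overflow. */
static int read_ssh_string(const uint8_t *buf, size_t len, size_t *off,
                           const uint8_t **out, size_t *outlen)
{
    uint32_t n;
    if (len - *off < 4)
        return 0;
    n = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
        ((uint32_t)buf[*off + 2] << 8) | buf[*off + 3];
    *off += 4;
    if (n > len - *off)
        return 0;
    *out = buf + *off;
    *outlen = n;
    *off += n;
    return 1;
}

/* Validate an ssh-ed25519 public key blob: string "ssh-ed25519" followed by
 * a 32-byte string. Returns 1 only for a well-formed blob; a wrong name,
 * wrong key length, truncation or trailing bytes all return 0. */
int check_ed25519_pubkey_blob(const uint8_t *blob, size_t len, const uint8_t **key)
{
    size_t off = 0, namelen, keylen;
    const uint8_t *name, *k;
    if (!read_ssh_string(blob, len, &off, &name, &namelen)) return 0;
    /* the algorithm name is compared, not skipped over */
    if (namelen != 11 || memcmp(name, "ssh-ed25519", 11) != 0) return 0;
    if (!read_ssh_string(blob, len, &off, &k, &keylen) || keylen != 32) return 0;
    /* anything left after the key is trailing data: reject the blob */
    if (off != len) return 0;
    *key = k;
    return 1;
}

/* Constructed test helper (not a real key): builds name + keylen bytes of
 * 0x42 + `trailing` zero bytes, then reports whether the parser accepts it. */
int blob_accepted(const char *name, size_t keylen, size_t trailing)
{
    uint8_t buf[128] = {0}, *p = buf;
    const uint8_t *key;
    size_t n = strlen(name);
    p[3] = (uint8_t)n; p += 4; memcpy(p, name, n); p += n;
    p[3] = (uint8_t)keylen; p += 4; memset(p, 0x42, keylen); p += keylen;
    p += trailing;   /* trailing bytes are already zero from initialisation */
    return check_ed25519_pubkey_blob(buf, (size_t)(p - buf), &key);
}
```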