• src/ssh/kex/dh-gex-sha256.c src/ssh/test/dssh_test_internal.h dssh_tes

    From Deucе@VERT to Git commit to main/sbbs/master on Tue Mar 24 20:58:43 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/90c0fe97d40e233d74210d18
    Modified Files:
    src/ssh/kex/dh-gex-sha256.c src/ssh/test/dssh_test_internal.h dssh_test_ossl.c dssh_test_ossl.h test_alloc.c test_transport.c
    Log Message:
    DH-GEX coverage: thread-local ossl filter, client iterate, server tests

    Add per-thread ossl injection filter: _Thread_local ossl_this_thread
    defaults to true (all threads participate, backward compatible).
    dssh_test_ossl_exclude_thread() lets a thread opt out so its ossl
    calls pass straight through without incrementing the counter. This
    enables two-threaded KEX tests where only one side is injected.

    ossl/kex_client iterate: two-threaded DH-GEX with the server thread
    excluded from injection. Covers all client-side ossl failure paths
    (BN_CTX_new, BN_new, BN_rand, BN_mod_exp, EVP_Digest*, verify).

    DH-GEX server targeted tests (10 tests in test_transport.c):
    - NULL pubkey/sign function pointers
    - recv failure (no packets / partial packets)
    - wrong msg_type for GEX_REQUEST and GEX_INIT
    - short GEX_REQUEST payload
    - NULL provider / provider returning error
    - invalid e value (e=0)

    DH-GEX helper tests (3 tests in test_transport.c):
    - serialize_bn_mpint malloc failure via alloc injection
    - serialize_bn_mpint with BN value 0 (bn_bytes == 0 branch)
    - compute_exchange_hash alloc iterate (serialize_bn_mpint mres
      failures covering all 5 ok && (mres == 0) False branches)

    Source cleanup in dh-gex-sha256.c:
    - parse_bn_mpint: wrap dead dssh_parse_uint32 check in
      #ifndef DSSH_TESTING (matching ssh-arch.c pattern)
    - compute_exchange_hash: fold int ok = EVP_DigestInit_ex(...)
      to eliminate dead ok && short-circuit on first use
    - compute_exchange_hash made DSSH_TESTABLE for direct testing

    DH-GEX branch coverage: 78.52% → 90.80% (55 → 23 missed).
    Overall: 83.56% → 85.71% (414 → 359 missed).

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net