Skip to content

ssh: tighten DH bounds to 1<e<p-1 and add K check#11303

Open
u3s wants to merge 1 commit into
erlang:maintfrom
u3s:kuba/ssh/kpef_limits/OTP-20229
Open

ssh: tighten DH bounds to 1<e<p-1 and add K check#11303
u3s wants to merge 1 commit into
erlang:maintfrom
u3s:kuba/ssh/kpef_limits/OTP-20229

Conversation

@u3s

@u3s u3s commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Tighten e/f validation from inclusive [1, p-1] to strict (1 < e < p-1) on all plain-DH and GEX paths. Add missing 1 < K < p-1 check on the plain-DH client path (handle_kexdh_reply), matching what the GEX code already enforced.

The RFCs (4253 §8, 4419 §3) only require inclusive bounds for e/f, but OpenSSH and Go both enforce strict bounds. The K check on plain DH is defense-in-depth — with safe primes and strict e/f, K ∈ {1, p-1} cannot occur, but the check guards against crypto backend bugs at zero cost.

No interop risk: no legitimate peer sends e ∈ {0, 1, p-1, p}.

@u3s u3s self-assigned this Jun 29, 2026
@u3s u3s added the team:PS Assigned to OTP team PS label Jun 29, 2026
@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

CT Test Results

    2 files     29 suites   30m 16s ⏱️
  508 tests   501 ✅  7 💤 0 ❌
1 717 runs  1 688 ✅ 29 💤 0 ❌

Results for commit 96862ad.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.

Artifacts

// Erlang/OTP Github Action Bot

Tighten e/f validation from inclusive [1, p-1] to strict (1 < e < p-1)
on all plain-DH and GEX paths. Add missing 1 < K < p-1 check on the
plain-DH client path (handle_kexdh_reply), matching what the GEX code
already enforced.

The RFCs (4253 §8, 4419 §3) only require inclusive bounds for e/f, but
OpenSSH and Go both enforce strict bounds. The K check on plain DH is
defense-in-depth — with safe primes and strict e/f, K ∈ {1, p-1} cannot
occur, but the check guards against crypto backend bugs at zero cost.

No interop risk: no legitimate peer sends e ∈ {0, 1, p-1, p}.
@u3s u3s force-pushed the kuba/ssh/kpef_limits/OTP-20229 branch from 1fcf187 to 96862ad Compare June 29, 2026 13:07
@u3s u3s added the testing currently being tested, tag is used by OTP internal CI label Jun 29, 2026
@Mikaka27 Mikaka27 self-requested a review July 7, 2026 19:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

team:PS Assigned to OTP team PS testing currently being tested, tag is used by OTP internal CI

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants