Comment 7 for bug 1951251

So, I debugged the server to see what is going on. Essentially the server is - for some reason - generating the P and (sometimes) G parameters of the Diffie-Hellman exchange wrongly. When the server tries to pinpoint the correct group, it always fail, because the group decision depends on correct P and G.

If you're willing to check it out, the function which decides the match group is dh_match_group, in the OpenSSL source, crypto/dh/dh_rfc7919.c

Note, however, that the Diffie Hellman parameters are already wrong at that point.

The relevant bt stack is this one:
(gdb) bt
#0 dh_match_group (dh=0x555555870fd0, qout=0x0, lout=0x555555870fe8) at ../crypto/dh/dh_rfc7919.c:74
#1 0x00007ffff6ea03e3 in dh_cache_nid (dh=0x555555870fd0) at ../crypto/dh/dh_rfc7919.c:149
#2 0x00007ffff6e9e58d in DH_set0_pqg (dh=0x555555870fd0, p=0x5555558721a0, q=0x0, g=0x555555872f00) at ../crypto/dh/dh_lib.c:212
#3 0x00005555555d69bd in dh_new_group (gen=0x555555872f00, modulus=0x5555558721a0) at ../../dh.c:331
#4 0x000055555558d96f in mm_choose_dh (min=2048, nbits=8192, max=8192) at ../../monitor_wrap.c:216
#5 0x00005555555e0e22 in input_kex_dh_gex_request (type=34, seq=1, ssh=0x555555874b40) at ../../kexgexs.c:100
#6 0x00005555555ce4de in ssh_dispatch_run (ssh=0x555555874b40, mode=0, done=0x555555878080) at ../../dispatch.c:113
#7 0x00005555555ce583 in ssh_dispatch_run_fatal (ssh=0x555555874b40, mode=0, done=0x555555878080) at ../../dispatch.c:133
#8 0x000055555556716d in do_ssh2_kex () at ../../sshd.c:2536
#9 0x00005555555669d9 in main (ac=7, av=0x55555584f820) at ../../sshd.c:2316

On the mm_choose_dh function of OpenSSH, the parameters are collected by using mm_request_receive_expect and extracted by using sshbuf_get_bignum2.