From 5fbd294c208af4fc30e2bc6e23285dc7ee88a7d9 Mon Sep 17 00:00:00 2001
From: Simon Tatham <anakin@pobox.com>
Date: Sat, 16 Feb 2019 17:03:32 +0000
Subject: [PATCH] Add missing dh_validate_f in GSSAPI key exchange.

This checks that the public Diffie-Hellman value sent by the server is
not an obviously silly one like 1 or -1 (mod p). We already had the
validation function, and were using it in standard DH key exchange,
but the parallel code in the GSSAPI case missed it out.
---
 ssh2kex-client.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ssh2kex-client.c b/ssh2kex-client.c
index 4b21b0b6..4ed074f1 100644
--- a/ssh2kex-client.c
+++ b/ssh2kex-client.c
@@ -474,6 +474,15 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
                  s->gss_stat == SSH_GSS_S_CONTINUE_NEEDED ||
                  !s->complete_rcvd);
 
+        {
+            const char *err = dh_validate_f(s->dh_ctx, s->f);
+            if (err) {
+                ssh_proto_error(s->ppl.ssh, "GSSAPI reply failed "
+                                "validation: %s", err);
+                *aborted = true;
+                return;
+            }
+        }
         s->K = dh_find_K(s->dh_ctx, s->f);
 
         /* We assume everything from now on will be quick, and it might