From d4985943b093a373cefb2769725820f88e6be9b3 Mon Sep 17 00:00:00 2001
From: Jeremy Norris
Date: Thu, 11 Jul 2024 10:18:44 -0500
Subject: [PATCH] Enforce DHGEX prime modulus bit length meets configured constraints.
---
 ChangeLog.md | 2 ++
 src/main/java/com/jcraft/jsch/DHGEX.java | 14 ++++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/ChangeLog.md b/ChangeLog.md
index 15569361..c9ca552e 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,3 +1,5 @@
+* [0.2.19](https://github.com/mwiede/jsch/releases/tag/jsch-0.2.19)
+ * Enforce DHGEX prime modulus bit length meets configured constraints.
 * [0.2.18](https://github.com/mwiede/jsch/releases/tag/jsch-0.2.18)
 * Handle negated patterns according to ssh_config(5) by @bmiddaugh in https://github.com/mwiede/jsch/pull/565
 * [0.2.17](https://github.com/mwiede/jsch/releases/tag/jsch-0.2.17)
diff --git a/src/main/java/com/jcraft/jsch/DHGEX.java b/src/main/java/com/jcraft/jsch/DHGEX.java
index 15f9bd0f..393b0ba2 100644
--- a/src/main/java/com/jcraft/jsch/DHGEX.java
+++ b/src/main/java/com/jcraft/jsch/DHGEX.java
@@ -26,6 +26,8 @@ package com.jcraft.jsch;
+import java.math.BigInteger;
+
 abstract class DHGEX extends KeyExchange {
 private static final int SSH_MSG_KEX_DH_GEX_GROUP = 31;
@@ -79,8 +81,7 @@ public void init(Session session, byte[] V_S, byte[] V_C, byte[] I_S, byte[] I_C
 min = Integer.parseInt(session.getConfig("dhgex_min"));
 max = Integer.parseInt(session.getConfig("dhgex_max"));
 preferred = Integer.parseInt(session.getConfig("dhgex_preferred"));
- if (checkInvalidSize(min) || checkInvalidSize(max) || checkInvalidSize(preferred)
- || preferred < min || max < preferred) {
+ if (min <= 0 || max <= 0 || preferred <= 0 || preferred < min || preferred > max) {
 throw new JSchException(
 "Invalid DHGEX sizes: min=" + min + " max=" + max + " preferred=" + preferred);
 }
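Review bot: The rewritten guard in init() accepts any positive `dhgex_min`, so the former 1024-bit floor and the 1024-multiple rule from the removed checkInvalidSize are gone, and the only lower bound on the server-supplied modulus is whatever the session config says. If `dhgex_min` is configured below the shipped default (the defaults are not visible in this hunk), a server-offered group that small would now pass both this check and the new bit-length check in next(). Consider a hard floor that configuration cannot lower, e.g. `if (min < 1024 || max <= 0 || preferred <= 0 || preferred < min || preferred > max) {` (1024 being the old check's minimum; RFC 8270 recommends 2048), or at least a comment above the condition stating that the configured `dhgex_min` is now the sole floor for the group the server may send. init() continues outside the hunk.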
@@ -127,6 +128,11 @@ public boolean next(Buffer _buf) throws Exception {
 p = _buf.getMPInt();
 g = _buf.getMPInt();
+ int bits = new BigInteger(1, p).bitLength();
+ if (bits < min || bits > max) {
+ return false;
+ }
+
 dh.setP(p);
 dh.setG(g);
 // The client responds with:
@@ -237,8 +243,4 @@ public boolean next(Buffer _buf) throws Exception {
 public int getState() {
 return state;
 }
-
- static boolean checkInvalidSize(int size) {
- return (size < 1024 || size > 8192 || size % 1024 != 0);
- }
 }
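Review bot: The new bit-length check in next() rejects an out-of-range modulus with a bare `return false;`, which discards the reason; if the caller maps a false result to a generic failure (inferred, the caller is not in the hunk), an operator cannot distinguish a size-policy rejection from a corrupt packet when diagnosing a failed or downgraded exchange. Throwing would match init() in this same patch, e.g. `throw new JSchException("Invalid DHGEX modulus size: " + bits + " bits, min=" + min + " max=" + max);` in place of `return false;`, or, if the boolean contract of next() must be kept, log the bit length and bounds before returning. `new BigInteger(1, p)` is a sound way to measure the mpint here, since a leading zero byte does not count toward bitLength(). The check covers only the modulus; the generator `g` read on the preceding line is still accepted without any inspection. next() starts before and ends after the hunk.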