Ignore missing Q in dh_params
authorTom Yu <tlyu@mit.edu>
Thu, 28 Mar 2013 23:09:04 +0000 (19:09 -0400)
committerTom Yu <tlyu@mit.edu>
Fri, 12 Apr 2013 20:09:11 +0000 (16:09 -0400)
Some implementations don't send the required Q value in dh_params, so
allow it to be absent.

ticket: 7596
target_version: 1.11.3
tags: pullup

src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

index 7186ce857fda8648184ec279de96700e91429cba..c39a9a7d223d600e34e320b2b57e30664836a177 100644 (file)
@@ -2997,9 +2997,9 @@ pkinit_decode_dh_params(DH ** a, unsigned char **pp, unsigned int len)
         }
 
     }
-    M_ASN1_D2I_get_x(ASN1_INTEGER, aip, d2i_ASN1_INTEGER);
-    if (aip == NULL)
-        return NULL;
+    M_ASN1_D2I_get_opt(aip, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+    if (aip == NULL || ai.data == NULL)
+        (*a)->q = NULL;
     else {
         (*a)->q = ASN1_INTEGER_to_BN(aip, NULL);
         if ((*a)->q == NULL)
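Review bot: The new `(*a)->q = NULL` branch makes a NULL q a legitimate result of this decoder, but nothing in the code records why a field the commit message calls required is accepted as absent. I would add above the `M_ASN1_D2I_get_opt` line: `/* q is required, but some peers omit it; leave q NULL and let pkinit_check_dh_params() vet p and g. */`. Every consumer of the decoded DH that reads `->q` now needs a NULL check; only the one in pkinit_check_dh_params is visible in this commit, so the remaining uses should be confirmed. The `ai.data == NULL` test presumably depends on `ai` having been reset after the previous integer was parsed, which happens outside this hunk, as do the start and end of the function.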
@@ -3322,7 +3322,7 @@ pkinit_check_dh_params(BIGNUM * p1, BIGNUM * p2, BIGNUM * g1, BIGNUM * q1)
         if (!BN_cmp(g1, g2)) {
             q2 = BN_new();
             BN_rshift1(q2, p1);
-            if (!BN_cmp(q1, q2)) {
+            if (q1 == NULL || !BN_cmp(q1, q2)) {
                 pkiDebug("good %d dhparams\n", BN_num_bits(p1));
                 retval = 0;
             } else
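Review bot: With `q1 == NULL ||` added to this `if`, acceptance rests only on the earlier comparisons (g on the visible line, presumably p in the enclosing condition), and the code does not say that this is intentional. A comment such as `/* q may be absent; p and g already matched, and q2 = p1 >> 1 is the only q we would accept */` would make clear that the subgroup order is implied by the matched group rather than left unchecked. Separately, `q2 = BN_new()` and `BN_rshift1(q2, p1)` on the context lines are unchecked, and q2 is computed but unused when q1 is NULL. Whether q2 is freed cannot be seen, since the function continues outside the hunk.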