From ed77a25c53ed6afd41372838f205a98a561a89fb Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Thu, 28 Mar 2013 19:09:04 -0400
Subject: [PATCH] Ignore missing Q in dh_params

Some implementations don't send the required Q value in dh_params, so
allow it to be absent.

ticket: 7596
target_version: 1.11.3
tags: pullup
---
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 7186ce857f..c39a9a7d22 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2997,9 +2997,9 @@ pkinit_decode_dh_params(DH ** a, unsigned char **pp, unsigned int len)
         }
 
     }
-    M_ASN1_D2I_get_x(ASN1_INTEGER, aip, d2i_ASN1_INTEGER);
-    if (aip == NULL)
-        return NULL;
+    M_ASN1_D2I_get_opt(aip, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+    if (aip == NULL || ai.data == NULL)
+        (*a)->q = NULL;
     else {
         (*a)->q = ASN1_INTEGER_to_BN(aip, NULL);
         if ((*a)->q == NULL)
@@ -3322,7 +3322,7 @@ pkinit_check_dh_params(BIGNUM * p1, BIGNUM * p2, BIGNUM * g1, BIGNUM * q1)
         if (!BN_cmp(g1, g2)) {
             q2 = BN_new();
             BN_rshift1(q2, p1);
-            if (!BN_cmp(q1, q2)) {
+            if (q1 == NULL || !BN_cmp(q1, q2)) {
                 pkiDebug("good %d dhparams\n", BN_num_bits(p1));
                 retval = 0;
             } else
-- 
2.47.2