Do not match RFC 5114 groups without q as it is significant

Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14189)
author: Tomas Mraz <tomas@openssl.org> 2021-02-15 15:26:14 +0100
committer: Matt Caswell <matt@openssl.org> 2021-02-16 10:12:02 +0000
commit: c9e955dd50f30f46555ff837b0bbae63433cef40 (patch)
tree: 724f45ebbbe51dfd59ab7866a280cf5bdb3c5142 /crypto/ffc
parent: 62829f9f26bf248f29be9604870bbe46f946927a (diff)
download: openssl-new-c9e955dd50f30f46555ff837b0bbae63433cef40.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/crypto/ffc/ffc_dh.c b/crypto/ffc/ffc_dh.c
index 313466b0ea..948c61d988 100644
--- a/crypto/ffc/ffc_dh.c
+++ b/crypto/ffc/ffc_dh.c
@@ -110,7 +110,9 @@ const DH_NAMED_GROUP *ossl_ffc_numbers_to_dh_named_group(const BIGNUM *p,
         if (BN_cmp(p, dh_named_groups[i].p) == 0
             && BN_cmp(g, dh_named_groups[i].g) == 0
             /* Verify q is correct if it exists */
-            && (q == NULL || BN_cmp(q, dh_named_groups[i].q) == 0))
+            && ((q != NULL && BN_cmp(q, dh_named_groups[i].q) == 0)
+                /* Do not match RFC 5114 groups without q */
+                || (q == NULL && dh_named_groups[i].uid > 3)))
             return &dh_named_groups[i];
     }
     return NULL;
author	Tomas Mraz <tomas@openssl.org>	2021-02-15 15:26:14 +0100
committer	Matt Caswell <matt@openssl.org>	2021-02-16 10:12:02 +0000
commit	c9e955dd50f30f46555ff837b0bbae63433cef40 (patch)
tree	724f45ebbbe51dfd59ab7866a280cf5bdb3c5142 /crypto/ffc
parent	62829f9f26bf248f29be9604870bbe46f946927a (diff)
download	openssl-new-c9e955dd50f30f46555ff837b0bbae63433cef40.tar.gz