From 7fbfde7677ed8808828bf00ff01c937ca04bdda2 Mon Sep 17 00:00:00 2001
From: Norbert Pocs <norbertp@openssl.org>
Date: Tue, 12 May 2026 15:16:04 +0200
Subject: [PATCH] Match the local q DHX parameter against the peer's q

As FFC/DH peer public key validation uses the peer's q value instead
of checking against the local q, we must also check that these
q values match when setting the peer's public key.

Fixes CVE-2026-42770

Signed-off-by: Norbert Pocs <norbertp@openssl.org>

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 19:56:27 2026
(cherry picked from commit 29b9df160cc5f20ee3907cce0cb271b982846bce)
---
 providers/implementations/exchange/dh_exch.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index bb2d355c81..668602a5e5 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -115,10 +115,13 @@ static int dh_match_params(DH *priv, DH *peer)
     int ret;
+    int ignore_q = 1;
     FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv);
     FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer);
 
+    if (dhparams_priv != NULL && dhparams_priv->q != NULL)
+         ignore_q = 0;
     ret = dhparams_priv != NULL
           && dhparams_peer != NULL
-          && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1);
+          && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, ignore_q);
     if (!ret)
         ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
     return ret;
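Review bot: The q comparison is switched on only when the local key carries q (`dhparams_priv->q != NULL`), so a local key without q paired with a peer that supplies one still reaches `ossl_ffc_params_cmp` with `ignore_q` left at 1, and per the commit message the peer's q is what public key validation uses. If that asymmetric case is intended, a comment above the check would record it, for example `/* Compare q only when the local key has one; peer key validation uses the peer's q, so it must equal ours. */`. The assignment `ignore_q = 0;` is indented nine spaces where the surrounding code uses eight. The diffstat lists only dh_exch.c, so a regression test with equal p and g but a differing q would have to come from a separate commit. dh_match_params begins above the hunk and its closing brace lies outside it.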
-- 
2.52.0.windows.1