diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index d0e6cfdf86f87060bc1784fce44558c66288c0ba..cb8d1fc82f3a8ce394dc800bb7a91ca2e221612e 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -248,6 +248,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
  */
 int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
 {
+    /* Don't do any checks at all with an excessively large modulus */
+    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+        return 0;
+    }
+
+    if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
+        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+        return 1;
+    }
+
     return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
 }
 
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index 4152397426cc939ca7214fc4db808835a7dcdb1c..f76ac0dd1463f14fc13e6cd8f48a008be60a5f8f 100644
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
     "parameter encoding error"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
     "unable to check generator"},
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 4e9705beef733be699a249432217baefcc846ff1..982630a0b611f990a5b81a7dad62935228106af4 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
         goto err;
     }
 
+    if (dh->params.q != NULL
+        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+        goto err;
+    }
+
     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
         return 0;
@@ -268,6 +274,12 @@ static int generate_key(DH *dh)
         return 0;
     }
 
+    if (dh->params.q != NULL
+        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+        return 0;
+    }
+
     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
         return 0;
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index aded91f6dfc9370020611b2327725120797b0681..34f94b91a82d2e10d91562f0bb74469f7bacb625 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -493,6 +493,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
 DH_R_NO_PRIVATE_VALUE:100:no private value
 DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
 DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
 DH_R_SHARED_INFO_ERROR:113:shared info error
 DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
 DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index b178d1086473f1a42f43afa230aab949cac074a5..2dff3e66203e07cdf91e4ce38b82deb71f0321cb 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -218,6 +218,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
             return 0;
     }
 
+#ifndef FIPS_MODULE
+    /*
+     * Fix for CVE-2023-5363
+     * Passing in a size as part of the init call takes effect late
+     * so, force such to occur before the initialisation.
+     *
+     * The FIPS provider's internal library context is used in a manner
+     * such that this is not an issue.
+     */
+    if (params != NULL) {
+        OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
+                                     OSSL_PARAM_END };
+        OSSL_PARAM *q = param_lens;
+        const OSSL_PARAM *p;
+
+        p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); 
+        if (p != NULL)
+            memcpy(q++, p, sizeof(*q));
+
+        /*
+         * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for
+         * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
+         */
+        p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
+        if (p != NULL)
+            memcpy(q++, p, sizeof(*q));
+
+        if (q != param_lens) {
+            if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
+                ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
+                return 0;
+            }
+        }
+    }
+#endif
+
     if (enc) {
         if (ctx->cipher->einit == NULL) {
             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
index bb24d131eb8873257fc1105904529b88108b6056..519327f795742a8f19038e9e274b33c7f99a6061 100644
--- a/include/crypto/dherr.h
+++ b/include/crypto/dherr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 36420f51d89ed07b8b024a4542689205f3662de4..cb0c9d0d5c9cc4815135d0cb6c03579ab4b0ef38 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams)
 #   define DH_GENERATOR_3          3
 #   define DH_GENERATOR_5          5
 
-/* DH_check error codes */
+/* DH_check error codes, some of them shared with DH_check_pub_key */
 /*
  * NB: These values must align with the equivalently named macros in
  * internal/ffc.h.
@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams)
 #   define DH_UNABLE_TO_CHECK_GENERATOR    0x04
 #   define DH_NOT_SUITABLE_GENERATOR       0x08
 #   define DH_CHECK_Q_NOT_PRIME            0x10
-#   define DH_CHECK_INVALID_Q_VALUE        0x20
+#   define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
 #   define DH_CHECK_INVALID_J_VALUE        0x40
 #   define DH_MODULUS_TOO_SMALL            0x80
-#   define DH_MODULUS_TOO_LARGE            0x100
+#   define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
 
 /* DH_check_pub_key error codes */
 #   define DH_CHECK_PUBKEY_TOO_SMALL       0x01
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
index 5d2a762a96f8cdb16840a27f2ce572e4a4e2afd6..074a70145f9f5b42d5af6c87375a161440d5f5ba 100644
--- a/include/openssl/dherr.h
+++ b/include/openssl/dherr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -50,6 +50,7 @@
 #  define DH_R_NO_PRIVATE_VALUE                            100
 #  define DH_R_PARAMETER_ENCODING_ERROR                    105
 #  define DH_R_PEER_KEY_ERROR                              111
+#  define DH_R_Q_TOO_LARGE                                 130
 #  define DH_R_SHARED_INFO_ERROR                           113
 #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121