From dc6e7624154809340fb38fc884ad30d840a3ff5e Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sun, 9 Jul 2017 23:20:35 -0500
Subject: allow p % 24 == 23 when generator == 2 in DH_check (#3768)
* allow p % 24 == 23 when generator == 2 in DH_check
* short url
* update and expand comments
* even better language!
---
 src/_cffi_src/openssl/dh.py | 2 ++
 src/cryptography/hazmat/backends/openssl/backend.py | 17 +++++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py
index be761b97..7ab06ae9 100644
--- a/src/_cffi_src/openssl/dh.py
+++ b/src/_cffi_src/openssl/dh.py
@@ -10,6 +10,8 @@ INCLUDES = """
 TYPES = """
 typedef ... DH;
+
+const long DH_NOT_SUITABLE_GENERATOR;
 """
 FUNCTIONS = """
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 878bbe43..6c9ef84f 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1776,8 +1776,21 @@ class Backend(object):
         res = self._lib.Cryptography_DH_check(dh_cdata, codes)
         self.openssl_assert(res == 1)
-        if codes[0] != 0:
-            raise ValueError("DH private numbers did not pass safety checks.")
+        # DH_check will return DH_NOT_SUITABLE_GENERATOR if p % 24 does not
+        # equal 11 when the generator is 2 (a quadratic nonresidue).
+        # We want to ignore that error because p % 24 == 23 is also fine.
+        # Specifically, g is then a quadratic residue. Within the context of
+        # Diffie-Hellman this means it can only generate half the possible
+        # values. That sounds bad, but quadratic nonresidues leak a bit of
+        # the key to the attacker in exchange for having the full key space
+        # available. See: https://crypto.stackexchange.com/questions/12961
+        if codes[0] != 0 and not (
+            parameter_numbers.g == 2 and
+            codes[0] ^ self._lib.DH_NOT_SUITABLE_GENERATOR == 0
+        ):
+            raise ValueError(
+                "DH private numbers did not pass safety checks."
+            )
         evp_pkey = self._dh_cdata_to_evp_pkey(dh_cdata)
-- 
cgit v1.2.3
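Review bot: The test `codes[0] ^ self._lib.DH_NOT_SUITABLE_GENERATOR == 0` in the new condition is an exact-equality check written as an XOR (Python's `^` binds tighter than `==`), so it reads like a bit test when it is not; `codes[0] == self._lib.DH_NOT_SUITABLE_GENERATOR` states the same thing directly. That exactness is what makes the relaxation sound, and the comment should say so: the code never examines `p % 24` itself, so the claim that only `p % 24 == 23` is admitted holds only because any other DH_check flag (notably the not-safe-prime result, which as far as I recall DH_check sets in the same call) still raises, and for a safe prime with g == 2 the residue mod 24 can only be 11 or 23. I would append to the comment `# We do not test p % 24 here: requiring codes[0] to equal exactly DH_NOT_SUITABLE_GENERATOR means no other check (including the safe-prime check) failed, and a safe prime with g == 2 has p % 24 in {11, 23}.` The enclosing method starts outside the hunk, so whether `parameter_numbers` is its parameter cannot be confirmed from here; presumably it is.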