author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2017-07-09 23:20:35 -0500 |
committer | Laurens Van Houtven <_@lvh.io> | 2017-07-09 23:20:35 -0500 |
commit | dc6e7624154809340fb38fc884ad30d840a3ff5e (patch) | |
tree | 6a5228ff2fe869598cef62d9e6f5eabf873643c6 /src/cryptography/hazmat/backends/openssl/backend.py | |
parent | 9d5fc3e5dbe581e1fea9303e684ec9248936df55 (diff) | |
allow p % 24 == 23 when generator == 2 in DH_check (#3768)
* allow p % 24 == 23 when generator == 2 in DH_check
* short url
* update and expand comments
* even better language!
Diffstat (limited to 'src/cryptography/hazmat/backends/openssl/backend.py')
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 878bbe43..6c9ef84f 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1776,8 +1776,21 @@ class Backend(object):
 res = self._lib.Cryptography_DH_check(dh_cdata, codes)
 self.openssl_assert(res == 1)
- if codes[0] != 0:
- raise ValueError("DH private numbers did not pass safety checks.")
+ # DH_check will return DH_NOT_SUITABLE_GENERATOR if p % 24 does not
+ # equal 11 when the generator is 2 (a quadratic nonresidue).
+ # We want to ignore that error because p % 24 == 23 is also fine.
+ # Specifically, g is then a quadratic residue. Within the context of
+ # Diffie-Hellman this means it can only generate half the possible
+ # values. That sounds bad, but quadratic nonresidues leak a bit of
+ # the key to the attacker in exchange for having the full key space
+ # available. See: https://crypto.stackexchange.com/questions/12961
+ if codes[0] != 0 and not (
+ parameter_numbers.g == 2 and
+ codes[0] ^ self._lib.DH_NOT_SUITABLE_GENERATOR == 0
+ ):
+ raise ValueError(
+ "DH private numbers did not pass safety checks."
+ )
 evp_pkey = self._dh_cdata_to_evp_pkey(dh_cdata)