update and expand comments

src/cryptography/hazmat/backends/openssl/backend.py

@@ -1777,9 +1777,13 @@ def load_dh_private_numbers(self, numbers):
         self.openssl_assert(res == 1)
 
         # DH_check will return DH_NOT_SUITABLE_GENERATOR if p % 24 does not
-        # equal 11 when the generator is 2. We want to ignore that error
-        # because p % 24 == 23 is also fine. See:
-        # https://crypto.stackexchange.com/questions/12961
+        # equal 11 when the generator is 2 (a quadratic nonresidue).
+        # We want to ignore that error because p % 24 == 23 is also fine.
+        # Specifically, it is a quadratic residue. Within the context of
+        # Diffie-Hellman this means it can only generate half the possible
+        # values. That sounds bad, but quadratic nonresidues leak a bit of
+        # the key to the attacker in exchange for having the full key space
+        # available. See: https://crypto.stackexchange.com/questions/12961
         if codes[0] != 0 and not (
             parameter_numbers.g == 2 and
             codes[0] ^ self._lib.DH_NOT_SUITABLE_GENERATOR == 0

tests/hazmat/primitives/test_dh.py

@@ -221,6 +221,11 @@ def test_convert_to_numbers(self, backend, with_q):
                           dh.DHPrivateKeyWithSerialization)
 
     def test_numbers_unsupported_parameters(self, backend):
+        # p is set to 21 because when calling private_key we want it to
+        # fail the DH_check call OpenSSL does. Originally this was 23, but
+        # we are allowing p % 24 to == 23 with this PR (see #3768 for more)
+        # By setting it to 21 it fails later in DH_check in a primality check
+        # which triggers the code path we want to test
         params = dh.DHParameterNumbers(21, 2)
         public = dh.DHPublicNumbers(1, params)
         private = dh.DHPrivateNumbers(2, public)