From 507932a7323b1c4a43e3ae58a00389463159da8f Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sun, 9 Jul 2017 09:42:03 -0500
Subject: [PATCH] update and expand comments
---
 src/cryptography/hazmat/backends/openssl/backend.py | 10 +++++++---
 tests/hazmat/primitives/test_dh.py | 5 +++++
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 919d8dba1c4b..5c5d01d9efd9 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1777,9 +1777,13 @@ def load_dh_private_numbers(self, numbers):
 self.openssl_assert(res == 1)
 # DH_check will return DH_NOT_SUITABLE_GENERATOR if p % 24 does not
- # equal 11 when the generator is 2. We want to ignore that error
- # because p % 24 == 23 is also fine. See:
- # https://crypto.stackexchange.com/questions/12961
+ # equal 11 when the generator is 2 (a quadratic nonresidue).
+ # We want to ignore that error because p % 24 == 23 is also fine.
+ # Specifically, it is a quadratic residue. Within the context of
+ # Diffie-Hellman this means it can only generate half the possible
+ # values. That sounds bad, but quadratic nonresidues leak a bit of
+ # the key to the attacker in exchange for having the full key space
+ # available. See: https://crypto.stackexchange.com/questions/12961
 if codes[0] != 0 and not (
 parameter_numbers.g == 2 and
 codes[0] ^ self._lib.DH_NOT_SUITABLE_GENERATOR == 0
diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py
index 7abb85efe81f..fa658ae5ed66 100644
--- a/tests/hazmat/primitives/test_dh.py
+++ b/tests/hazmat/primitives/test_dh.py
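Review bot: The expanded comment leaves its key claim ambiguous: in `Specifically, it is a quadratic residue` the subject is the generator 2 modulo a prime with p % 24 == 23, not p, and the parenthetical `(a quadratic nonresidue)` on the first added line reads as if it applied to g == 2 unconditionally rather than only to the p % 24 == 11 case. The comment also implies a p % 24 check that the code below does not perform — the XOR merely tolerates DH_NOT_SUITABLE_GENERATOR when it is the sole flag — so the exemption is only safe because DH_check's other checks (the safe-prime test when no q is supplied, as I understand OpenSSL's behaviour; safe primes above 7 are always 11 or 23 mod 24) still reject every other residue class, and that dependency deserves a sentence. Suggested wording for the residue lines: `# because p % 24 == 23 is also fine: there 2 is a quadratic residue mod p, so it generates only the` / `# order-(p-1)/2 subgroup. DH_check's safe-prime check still rejects any other residue class, which is` / `# why the XOR below tolerates exactly this one flag and nothing else.` load_dh_private_numbers starts before this hunk and continues after it.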
@@ -221,6 +221,11 @@ def test_convert_to_numbers(self, backend, with_q):
 dh.DHPrivateKeyWithSerialization)
 def test_numbers_unsupported_parameters(self, backend):
+ # p is set to 21 because when calling private_key we want it to
+ # fail the DH_check call OpenSSL does. Originally this was 23, but
+ # we are allowing p % 24 to == 23 with this PR (see #3768 for more)
+ # By setting it to 21 it fails later in DH_check in a primality check
+ # which triggers the code path we want to test
 params = dh.DHParameterNumbers(21, 2)
 public = dh.DHPublicNumbers(1, params)
 private = dh.DHPrivateNumbers(2, public)
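Review bot: The new comment says why 21 replaced 23 but not why the rejection is still reached: with g == 2, 21 % 24 != 11 sets DH_NOT_SUITABLE_GENERATOR as well, so the backend's XOR check sees a second flag (the not-prime one) alongside the tolerated one and refuses, and that two-flag interaction is what the test actually depends on. Stating it guards the test against a future edit that assumes a single failing check. The third line's `we are allowing p % 24 to == 23` is also awkward; suggested replacement for the last three lines: `# (see #3768), so 23 would now be accepted. 21 is composite, so DH_check flags it as not prime in` / `# addition to DH_NOT_SUITABLE_GENERATOR, and the backend only tolerates the latter when it is the` / `# sole flag, which is the rejection path this test exercises.` test_numbers_unsupported_parameters continues past the hunk, so the assertion itself is not visible here.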