Remove DH check from load_dh_private_numbers

DH_check turns out to block some bad values, but not all. It also blocks some *good* values. This causes problems. Removing this check will fix pyca#3755 and pyca#3364
reaperhulk · Jul 7, 2017 · bfda4a8 · bfda4a8
1 parent 765a3e4
commit bfda4a8
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 15 deletions.
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1772,13 +1772,6 @@ def load_dh_private_numbers(self, numbers):
         res = self._lib.DH_set0_key(dh_cdata, pub_key, priv_key)
         self.openssl_assert(res == 1)
 
-        codes = self._ffi.new("int[]", 1)
-        res = self._lib.Cryptography_DH_check(dh_cdata, codes)
-        self.openssl_assert(res == 1)
-
-        if codes[0] != 0:
-            raise ValueError("DH private numbers did not pass safety checks.")
-
         evp_pkey = self._dh_cdata_to_evp_pkey(dh_cdata)
 
         return _DHPrivateKey(self, dh_cdata, evp_pkey)

diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py
@@ -201,14 +201,6 @@ def test_convert_to_numbers(self, backend, with_q):
         assert isinstance(deserialized_private,
                           dh.DHPrivateKeyWithSerialization)
 
-    def test_numbers_unsupported_parameters(self, backend):
-        params = dh.DHParameterNumbers(23, 2)
-        public = dh.DHPublicNumbers(1, params)
-        private = dh.DHPrivateNumbers(2, public)
-
-        with pytest.raises(ValueError):
-            private.private_key(backend)
-
     @pytest.mark.parametrize("with_q", [False, True])
     def test_generate_dh(self, backend, with_q):
         if with_q: