From 33634ade024ffaf2d06ca1854286e5374c311b92 Mon Sep 17 00:00:00 2001
From: Samuel Judson
Date: Thu, 11 Jun 2026 20:51:25 -0400
Subject: [PATCH] Add more robust processing for DH parameters.
---
 src/rust/src/backend/dh.rs | 28 ++++++++++++++++++----------
 src/rust/src/backend/keys.rs | 8 ++++----
 2 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs
index 2ad2d778dd23..7fc0ad2fffdc 100644
--- a/src/rust/src/backend/dh.rs
+++ b/src/rust/src/backend/dh.rs
@@ -55,18 +55,20 @@ fn generate_parameters(
 pub(crate) fn private_key_from_pkey(
 pkey: &openssl::pkey::PKeyRef,
-) -> DHPrivateKey {
- DHPrivateKey {
+) -> CryptographyResult {
+ check_dh_parameters(&pkey.dh()?)?;
+ Ok(DHPrivateKey {
 pkey: pkey.to_owned(),
- }
+ })
 }
 pub(crate) fn public_key_from_pkey(
 pkey: &openssl::pkey::PKeyRef,
-) -> DHPublicKey {
- DHPublicKey {
+) -> CryptographyResult {
+ check_dh_parameters(&pkey.dh()?)?;
+ Ok(DHPublicKey {
 pkey: pkey.to_owned(),
- }
+ })
 }
 #[pyo3::pyfunction]
@@ -85,9 +87,9 @@ fn from_der_parameters(
 .transpose()?;
 let g = openssl::bn::BigNum::from_slice(asn1_params.g.as_bytes())?;
- Ok(DHParameters {
- dh: openssl::dh::Dh::from_pqg(p, q, g)?,
- })
+ let dh = openssl::dh::Dh::from_pqg(p, q, g)?;
+ check_dh_parameters(&dh)?;
+ Ok(DHParameters { dh })
 }
 #[pyo3::pyfunction]
@@ -119,13 +121,19 @@ fn dh_parameters_from_numbers(
 let g = utils::py_int_to_bn(py, numbers.g.bind(py))?;
 let dh = openssl::dh::Dh::from_pqg(p, q, g)?;
+ check_dh_parameters(&dh)?;
+ Ok(dh)
+}
+fn check_dh_parameters(
+ dh: &openssl::dh::Dh,
+) -> CryptographyResult<()> {
 if !dh.check_key()? {
 return Err(CryptographyError::from(
 pyo3::exceptions::PyValueError::new_err("Invalid DH parameters"),
 ));
 }
- Ok(dh)
+ Ok(())
 }
 fn clone_dh(
diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs
index 5acebea690b1..5a26b3084682 100644
--- a/src/rust/src/backend/keys.rs
+++ b/src/rust/src/backend/keys.rs
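Review bot: Nothing visible in the first dh.rs hunk bounds the size of `p` before `check_dh_parameters(&pkey.dh()?)?` runs in `private_key_from_pkey` and `public_key_from_pkey`. Both are reached from the generic dispatchers in keys.rs, so the check presumably now runs on every DH key that is loaded, including keys parsed from external PEM/DER. `check_key()` presumably involves primality testing, whose cost grows with the modulus length, and `from_der_parameters` and `dh_parameters_from_numbers` are in the same position. Unless the linked library already caps the modulus, a guard ahead of the check would keep an oversized `p` from tying up the loader, e.g. `if dh.prime_p().num_bits() > MAX_DH_MODULUS_BITS { return Err(...) }`, where `MAX_DH_MODULUS_BITS` is a placeholder for a project-chosen limit.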
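Review bot: `check_dh_parameters` in the third dh.rs hunk is now the only gate for four call sites, but it has no doc comment saying what it accepts. I would add `/// Returns an error unless the group passes dh.check_key(); call it wherever a Dh is built from external input.` above it. Its `PyValueError` text "Invalid DH parameters" is now also what a caller sees when loading a key rather than a parameter set, which deserves a line in the user-facing docs. The helper validates the group only as far as `check_key()` does, and whether that covers the public value held in the pkey is not visible here. The diffstat lists only dh.rs and keys.rs, so no test in this patch pins that a key with an invalid group is rejected on load; a regression test for both `*_from_pkey` paths would be worth adding.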
@@ -168,7 +168,7 @@ fn private_key_from_pkey<'p>(
 openssl::pkey::Id::DSA => Ok(crate::backend::dsa::private_key_from_pkey(pkey)
 .into_pyobject(py)?
 .into_any()),
- openssl::pkey::Id::DH => Ok(crate::backend::dh::private_key_from_pkey(pkey)
+ openssl::pkey::Id::DH => Ok(crate::backend::dh::private_key_from_pkey(pkey)?
 .into_pyobject(py)?
 .into_any()),
@@ -177,7 +177,7 @@ fn private_key_from_pkey<'p>(
 CRYPTOGRAPHY_IS_BORINGSSL,
 CRYPTOGRAPHY_IS_AWSLC
 )))]
- openssl::pkey::Id::DHX => Ok(crate::backend::dh::private_key_from_pkey(pkey)
+ openssl::pkey::Id::DHX => Ok(crate::backend::dh::private_key_from_pkey(pkey)?
 .into_pyobject(py)?
 .into_any()),
 #[cfg(any(
@@ -366,7 +366,7 @@ fn public_key_from_pkey<'p>(
 openssl::pkey::Id::DSA => Ok(crate::backend::dsa::public_key_from_pkey(pkey)
 .into_pyobject(py)?
 .into_any()),
- openssl::pkey::Id::DH => Ok(crate::backend::dh::public_key_from_pkey(pkey)
+ openssl::pkey::Id::DH => Ok(crate::backend::dh::public_key_from_pkey(pkey)?
 .into_pyobject(py)?
 .into_any()),
@@ -375,7 +375,7 @@ fn public_key_from_pkey<'p>(
 CRYPTOGRAPHY_IS_BORINGSSL,
 CRYPTOGRAPHY_IS_AWSLC
 )))]
- openssl::pkey::Id::DHX => Ok(crate::backend::dh::public_key_from_pkey(pkey)
+ openssl::pkey::Id::DHX => Ok(crate::backend::dh::public_key_from_pkey(pkey)?
 .into_pyobject(py)?
 .into_any()),
 #[cfg(any(