diff options
author | Matt Caswell <matt@openssl.org> | 2016-05-27 13:26:03 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-06-01 13:19:02 +0100 |
commit | eeb21772effdd385e44eed547d717f171487987e (patch) | |
tree | 940efbf972cabbe7e1853a578fd3e23df20cade9 /apps/dhparam.c | |
parent | b2b361f6afb55c501bedef664c1fdc0d71a91d4b (diff) |
Add dhparam sanity check and update DH_check documentation
The -check argument to dhparam should never identify any problems if we
have just generated the parameters. Add a sanity check for this and print
an error and fail if necessary.
Also updates the documentation for the -check argument, and the DH_check()
function.
RT#4244
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'apps/dhparam.c')
-rw-r--r-- | apps/dhparam.c | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/apps/dhparam.c b/apps/dhparam.c index 350dd28196..f86e315599 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -270,15 +270,30 @@ int dhparam_main(int argc, char **argv) goto end; } if (i & DH_CHECK_P_NOT_PRIME) - printf("p value is not prime\n"); + BIO_printf(bio_err, "WARNING: p value is not prime\n"); if (i & DH_CHECK_P_NOT_SAFE_PRIME) - printf("p value is not a safe prime\n"); + BIO_printf(bio_err, "WARNING: p value is not a safe prime\n"); + if (i & DH_CHECK_Q_NOT_PRIME) + BIO_printf(bio_err, "WARNING: q value is not a prime\n"); + if (i & DH_CHECK_INVALID_Q_VALUE) + BIO_printf(bio_err, "WARNING: q value is invalid\n"); + if (i & DH_CHECK_INVALID_J_VALUE) + BIO_printf(bio_err, "WARNING: j value is invalid\n"); if (i & DH_UNABLE_TO_CHECK_GENERATOR) - printf("unable to check the generator value\n"); + BIO_printf(bio_err, + "WARNING: unable to check the generator value\n"); if (i & DH_NOT_SUITABLE_GENERATOR) - printf("the g value is not a generator\n"); + BIO_printf(bio_err, "WARNING: the g value is not a generator\n"); if (i == 0) - printf("DH parameters appear to be ok.\n"); + BIO_printf(bio_err, "DH parameters appear to be ok.\n"); + if (num != 0 && i != 0) { + /* + * We have generated parameters but DH_check() indicates they are + * invalid! This should never happen! + */ + BIO_printf(bio_err, "ERROR: Invalid parameters generated\n"); + goto end; + } } if (C) { unsigned char *data; |