[openssl] master update

beldmit at gmail.com beldmit at gmail.com
Tue Aug 3 20:07:27 UTC 2021


The branch master has been updated
       via  6b38d7dc1bccc708279ca5091ebc28cd4bdf225d (commit)
      from  ab98861e919b8f8f7fee3f2d44ef3b4b05908a25 (commit)


- Log -----------------------------------------------------------------
commit 6b38d7dc1bccc708279ca5091ebc28cd4bdf225d
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date:   Mon Aug 2 17:00:51 2021 +0200

    If we have passed the private key, don't copy it implicitly
    
    Fixes #16197
    
    Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16199)

-----------------------------------------------------------------------

Summary of changes:
 apps/req.c                  |  2 +-
 doc/man1/openssl-req.pod.in | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/apps/req.c b/apps/req.c
index eb286f8a8e..5524092f2c 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -686,7 +686,7 @@ int req_main(int argc, char **argv)
         EVP_PKEY_CTX_free(genctx);
         genctx = NULL;
     }
-    if (keyout == NULL) {
+    if (keyout == NULL && keyfile == NULL) {
         keyout = NCONF_get_string(req_conf, section, KEYFILE);
         if (keyout == NULL)
             ERR_clear_error();
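Review bot: the new condition `keyout == NULL && keyfile == NULL` has no comment explaining why a key supplied via -key suppresses the `default_keyfile` fallback, and the summary of changes shows only apps/req.c and the man page touched, so nothing exercises the new behaviour. Suggest a one-line comment above the `if` stating that a private key read from -key is written out again only when -keyout is given explicitly. Also add a regression test that runs req with -key and a configuration containing `default_keyfile`, and asserts that no key file is written. Since this changes behaviour for anyone relying on the old implicit copy, it merits a changelog entry as well.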
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 7897610818..75d0da1743 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -205,11 +205,12 @@ See L<openssl-format-options(1)> for details.
 =item B<-keyout> I<filename>
 
 This gives the filename to write any private key to that has been newly created
-or read from B<-key>.
-If the B<-keyout> option is not given the filename specified in the
-configuration file with the B<default_keyfile> option is used, if present.
-If a new key is generated and no filename is specified
-the key is written to standard output.
+or read from B<-key>.  If neither the B<-keyout> option nor the B<-key> option
+are given then the filename specified in the configuration file with the
+B<default_keyfile> option is used, if present.  Thus, if you want to write the
+private key and the B<-key> option is provided, you should provide the
+B<-keyout> option explicitly.  If a new key is generated and no filename is
+specified the key is written to standard output.
 
 =item B<-noenc>
 
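Review bot: in the added paragraph, "If neither the B<-keyout> option nor the B<-key> option are given" should read "is given". The "Thus, if you want to write the private key and the B<-key> option is provided" sentence is also hard to parse. Suggest stating the rule directly, for example "A key read with B<-key> is written out only if B<-keyout> is given explicitly." The closing sentence about standard output would then be clearer if it said it applies when no filename comes from either B<-keyout> or B<default_keyfile>.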

