'openssl req -newkey rsa' ignores keylen set in the openssl config file
in the req section. It also misleadingly prints out the configured
keylen in 'Generating xxxx bit RSA private key.' message when it
generates the library hardcoded default of 1024 bits.
The attached patch fixes this bug.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
diff -up openssl-1.0.1e/apps/req.c.keylen openssl-1.0.1e/apps/req.c
--- openssl-1.0.1e/apps/req.c.keylen 2014-02-12 14:58:29.000000000 +0100
+++ openssl-1.0.1e/apps/req.c 2014-02-14 13:52:48.692325000 +0100
@@ -644,6 +644,12 @@ bad:
if (inrand)
app_RAND_load_files(inrand);
+ if (newkey <= 0)
+ {
+ if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
+ newkey=DEFAULT_KEY_LENGTH;
+ }
+
if (keyalg)
{
genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
@@ -651,12 +657,6 @@ bad:
if (!genctx)
goto end;
}
-
- if (newkey <= 0)
- {
- if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
- newkey=DEFAULT_KEY_LENGTH;
- }
if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
{
@@ -1649,6 +1649,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO
keylen = atol(p + 1);
*pkeylen = keylen;
}
+ else
+ keylen = *pkeylen;
}
else if (p)
paramfile = p + 1;
