[openssl] use the key length from configuration file if req -newkey rsa is invoked
Tomáš Mráz
tmraz at fedoraproject.org
Fri Feb 14 15:23:56 UTC 2014
commit 423ab177c8037d7fbf392d30ca3c47b17fe32c6d
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Fri Feb 14 16:24:31 2014 +0100
use the key length from configuration file if req -newkey rsa is invoked
openssl-1.0.1e-req-keylen.patch | 38 ++++++++++++++++++++++++++++++++++++++
openssl.spec | 9 +++++++--
2 files changed, 45 insertions(+), 2 deletions(-)
---
diff --git a/openssl-1.0.1e-req-keylen.patch b/openssl-1.0.1e-req-keylen.patch
new file mode 100644
index 0000000..1574bb8
--- /dev/null
+++ b/openssl-1.0.1e-req-keylen.patch
@@ -0,0 +1,38 @@
+diff -up openssl-1.0.1e/apps/req.c.keylen openssl-1.0.1e/apps/req.c
+--- openssl-1.0.1e/apps/req.c.keylen 2014-02-12 14:58:29.000000000 +0100
++++ openssl-1.0.1e/apps/req.c 2014-02-14 13:52:48.692325000 +0100
+@@ -644,6 +644,12 @@ bad:
+ if (inrand)
+ app_RAND_load_files(inrand);
+
++ if (newkey <= 0)
++ {
++ if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
++ newkey=DEFAULT_KEY_LENGTH;
++ }
++
+ if (keyalg)
+ {
+ genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
+@@ -651,12 +657,6 @@ bad:
+ if (!genctx)
+ goto end;
+ }
+-
+- if (newkey <= 0)
+- {
+- if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
+- newkey=DEFAULT_KEY_LENGTH;
+- }
+
+ if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
+ {
+@@ -1649,6 +1649,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO
+ keylen = atol(p + 1);
+ *pkeylen = keylen;
+ }
++ else
++ keylen = *pkeylen;
+ }
+ else if (p)
+ paramfile = p + 1;
diff --git a/openssl.spec b/openssl.spec
index 605d1c3..c8d3dd9 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.1e
-Release: 40%{?dist}
+Release: 41%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -81,6 +81,7 @@ Patch75: openssl-1.0.1e-compat-symbols.patch
Patch76: openssl-1.0.1e-new-fips-reqs.patch
Patch77: openssl-1.0.1e-weak-ciphers.patch
Patch78: openssl-1.0.1e-3des-strength.patch
+Patch79: openssl-1.0.1e-req-keylen.patch
# Backported fixes including security fixes
Patch81: openssl-1.0.1-beta2-padlock64.patch
Patch82: openssl-1.0.1e-backports.patch
@@ -204,6 +205,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch76 -p1 -b .fips-reqs
%patch77 -p1 -b .weak-ciphers
%patch78 -p1 -b .3des-strength
+%patch79 -p1 -b .keylen
%patch81 -p1 -b .padlock64
%patch82 -p1 -b .backports
@@ -478,7 +480,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
-* Thu Feb 6 2014 Tomáš Mráz <tmraz at redhat.com> 1.0.1e-40
+* Fri Feb 14 2014 Tomáš Mráz <tmraz at redhat.com> 1.0.1e-41
+- use the key length from configuration file if req -newkey rsa is invoked
+
+* Thu Feb 13 2014 Tomáš Mráz <tmraz at redhat.com> 1.0.1e-40
- print ephemeral key size negotiated in TLS handshake (#1057715)
- add DH_compute_key_padded needed for FIPS CAVS testing
More information about the scm-commits
mailing list