If we have passed the private key, don't copy it implicitly

Fixes #16197

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16199)

diff --git a/apps/req.c b/apps/req.c
index eb286f8a8e150c12f8eb53f7c85a78f7393cb633..5524092f2c442a7c7f63eca044468ad10bdf81e9 100644 (file)
--- a/apps/req.c
+++ b/apps/req.c
@@ -686,7 +686,7 @@ int req_main(int argc, char **argv)
         EVP_PKEY_CTX_free(genctx);
         genctx = NULL;
     }
-    if (keyout == NULL) {
+    if (keyout == NULL && keyfile == NULL) {
         keyout = NCONF_get_string(req_conf, section, KEYFILE);
         if (keyout == NULL)
             ERR_clear_error();

diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 7897610818037ca7011da2c58f47797ae57455f1..75d0da1743bd1d4c29e455b27e5d04ea593e9273 100644 (file)
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -205,11 +205,12 @@ See L<openssl-format-options(1)> for details.
 =item B<-keyout> I<filename>
 
 This gives the filename to write any private key to that has been newly created
-or read from B<-key>.
-If the B<-keyout> option is not given the filename specified in the
-configuration file with the B<default_keyfile> option is used, if present.
-If a new key is generated and no filename is specified
-the key is written to standard output.
+or read from B<-key>.  If neither the B<-keyout> option nor the B<-key> option
+are given then the filename specified in the configuration file with the
+B<default_keyfile> option is used, if present.  Thus, if you want to write the
+private key and the B<-key> option is provided, you should provide the
+B<-keyout> option explicitly.  If a new key is generated and no filename is
+specified the key is written to standard output.
 
 =item B<-noenc>