From 423ab177c8037d7fbf392d30ca3c47b17fe32c6d Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 14 Feb 2014 16:24:31 +0100
Subject: [PATCH] use the key length from configuration file if req -newkey rsa is invoked
---
 openssl-1.0.1e-req-keylen.patch | 38 +++++++++++++++++++++++++++++++++
 openssl.spec | 9 ++++++--
 2 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 openssl-1.0.1e-req-keylen.patch
diff --git a/openssl-1.0.1e-req-keylen.patch b/openssl-1.0.1e-req-keylen.patch
new file mode 100644
index 0000000..1574bb8
--- /dev/null
+++ b/openssl-1.0.1e-req-keylen.patch
@@ -0,0 +1,38 @@
+diff -up openssl-1.0.1e/apps/req.c.keylen openssl-1.0.1e/apps/req.c
+--- openssl-1.0.1e/apps/req.c.keylen 2014-02-12 14:58:29.000000000 +0100
++++ openssl-1.0.1e/apps/req.c 2014-02-14 13:52:48.692325000 +0100
+@@ -644,6 +644,12 @@ bad:
+ if (inrand)
+ app_RAND_load_files(inrand);
+
++ if (newkey <= 0)
++ {
++ if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
++ newkey=DEFAULT_KEY_LENGTH;
++ }
++
+ if (keyalg)
+ {
+ genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
+@@ -651,12 +657,6 @@ bad:
+ if (!genctx)
+ goto end;
+ }
+-
+- if (newkey <= 0)
+- {
+- if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
+- newkey=DEFAULT_KEY_LENGTH;
+- }
+
+ if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
+ {
+@@ -1649,6 +1649,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO
+ keylen = atol(p + 1);
+ *pkeylen = keylen;
+ }
++ else
++ keylen = *pkeylen;
+ }
+ else if (p)
+ paramfile = p + 1;
diff --git a/openssl.spec b/openssl.spec
index 605d1c3..c8d3dd9 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 40%{?dist}
+Release: 41%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
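Review bot: In the req.c change carried by openssl-1.0.1e-req-keylen.patch, the new `else keylen = *pkeylen;` branch in set_keygen_ctx() turns the earlier fallback `newkey=DEFAULT_KEY_LENGTH` into the size handed on for `-newkey rsa` whenever the configuration supplies no BITS value, so the compiled-in default now matters for real keys. DEFAULT_KEY_LENGTH and MIN_KEY_LENGTH are defined outside the hunks, so please confirm the fallback is a modulus size you are willing to generate by default. The branch also depends on the caller filling `*pkeylen` before the call, which a later reorder could silently undo, so I would add a comment on it such as `/* no size after the algorithm name: use the caller's default (config BITS or DEFAULT_KEY_LENGTH) */`. Both functions continue outside the hunks shown, so how `keylen` is consumed afterwards is assumed here, not visible.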
@@ -81,6 +81,7 @@ Patch75: openssl-1.0.1e-compat-symbols.patch Patch76: openssl-1.0.1e-new-fips-reqs.patch Patch77: openssl-1.0.1e-weak-ciphers.patch Patch78: openssl-1.0.1e-3des-strength.patch +Patch79: openssl-1.0.1e-req-keylen.patch # Backported fixes including security fixes Patch81: openssl-1.0.1-beta2-padlock64.patch Patch82: openssl-1.0.1e-backports.patch @@ -204,6 +205,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch76 -p1 -b .fips-reqs %patch77 -p1 -b .weak-ciphers %patch78 -p1 -b .3des-strength +%patch79 -p1 -b .keylen %patch81 -p1 -b .padlock64 %patch82 -p1 -b .backports @@ -478,7 +480,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog -* Thu Feb 6 2014 Tomáš Mráz 1.0.1e-40 +* Fri Feb 14 2014 Tomáš Mráz 1.0.1e-41 +- use the key length from configuration file if req -newkey rsa is invoked + +* Thu Feb 13 2014 Tomáš Mráz 1.0.1e-40 - print ephemeral key size negotiated in TLS handshake (#1057715) - add DH_compute_key_padded needed for FIPS CAVS testing