If we have passed the private key, don't copy it implicitly

Fixes #16197 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16199)
2025-01-30 14:01:55 +08:00 · 2021-08-02 17:00:51 +02:00 · 2021-08-02 17:00:51 +02:00 · 6b38d7dc1b
commit 6b38d7dc1b
parent ab98861e91
2 changed files with 7 additions and 6 deletions
--- a/apps/req.c
+++ b/apps/req.c
@ -686,7 +686,7 @@ int req_main(int argc, char **argv)
        EVP_PKEY_CTX_free(genctx);
        genctx = NULL;
    }
-    if (keyout == NULL) {
+    if (keyout == NULL && keyfile == NULL) {
        keyout = NCONF_get_string(req_conf, section, KEYFILE);
        if (keyout == NULL)
            ERR_clear_error();
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@ -205,11 +205,12 @@ See L<openssl-format-options(1)> for details.
 =item B<-keyout> I<filename>

 This gives the filename to write any private key to that has been newly created
-or read from B<-key>.
-If the B<-keyout> option is not given the filename specified in the
-configuration file with the B<default_keyfile> option is used, if present.
-If a new key is generated and no filename is specified
-the key is written to standard output.
+or read from B<-key>.  If neither the B<-keyout> option nor the B<-key> option
+are given then the filename specified in the configuration file with the
+B<default_keyfile> option is used, if present.  Thus, if you want to write the
+private key and the B<-key> option is provided, you should provide the
+B<-keyout> option explicitly.  If a new key is generated and no filename is
+specified the key is written to standard output.

 =item B<-noenc>