[Pkg-openssl-devel] Bug#915612: Bug#915612: openssl: "genrsa" changed command line interface in stretch-security update

Kurt Roeckx kurt at roeckx.be
Wed Dec 5 23:10:24 GMT 2018


On Wed, Dec 05, 2018 at 10:03:50PM +0100, Sebastian Andrzej Siewior wrote:
> On 2018-12-05 11:09:25 [+0100], Manuel Montecelo wrote:
> > the subcommand genrsa changed interface from its previous version, and does not
> > accept -config or -batch options anymore:
> > 
> > I worked around the issue in other ways, and I know that "genpkey" is supposed
> > to supersede "genrsa", but this problem might affect scripts that the users
> > cannot easily change, and it's OK-ish for major versions but would be nice to
> > not affect systems with stable-security updates.
> > 
> > For reference, command that used to work:
> > 
> >  openssl genrsa -out "${KEY_FILE}" 4096 -config "${CONFIG_FILE}" -batch
> > 
> > As a workaround with "genrsa":
> > 
> >  OPENSSL_CONF="${CONFIG_FILE}" openssl genrsa -out "${KEY_FILE}" 4096
> 
> Are you sure that the workaround vs
> 	openssl genrsa -out "${KEY_FILE}" 4096
> 
> makes a difference? 
> 
> I'm asking because bisect identifies commit 847997f98c28b ("Check # of
> arguments for remaining commands.") as the one that introduced the
> regression. This change only adds the error if you specify invalid
> arguments. Both `-config' and `-batch' are not part of accepted
> arguments.
> So I think 1.1.0f should produce the same result with or without those
> two options. Is it true?

It stops parsing for options when it doesn't find an argument that
starts with a '-', so 4096 is not an option anymore, but it tries
to convert it to the number of bits. Everything after that was
just ignored, now it gives an error.

Also note that the manpage does put [numbits] at the end of the
arguments. It was clear to me that it needs to be the last
argument, but I can at least see why it might not be clear.


Kurt
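The parsing behaviour Kurt describes, written out as a small model so the two regimes can be compared side by side. This is an added illustration, not OpenSSL's code and not from the list thread: the option table is a constructed subset of what genrsa accepts (note that -config and -batch are deliberately absent, since genrsa never accepted them), and the error wording is my own. The `check_extra_args` flag stands in for the behaviour before and after commit 847997f98c28b.

```python
"""Model of how `openssl genrsa` walks its command line (constructed illustration,
not OpenSSL's own code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed subset of genrsa options; the value says whether the option takes an
# argument. -config and -batch are absent on purpose: genrsa never accepted them
# (they belong to `req`), which is why they were silently dropped before the fix.
GENRSA_OPTIONS: Dict[str, bool] = {
    "-out": True,
    "-passout": True,
    "-rand": True,
    "-aes128": False,
    "-aes256": False,
    "-help": False,
}


@dataclass
class GenrsaInvocation:
    options: Dict[str, Optional[str]] = field(default_factory=dict)
    numbits: int = 2048  # genrsa's default when numbits is omitted
    ignored: List[str] = field(default_factory=list)  # words dropped after numbits


def parse_genrsa_argv(argv: List[str], check_extra_args: bool) -> GenrsaInvocation:
    """Walk argv the way the thread describes.

    Option parsing stops at the first word that does not start with '-'; that
    word is taken as numbits. With check_extra_args=False (pre-847997f98c28b)
    anything after numbits is silently ignored; with check_extra_args=True
    (1.1.0f and later) leftover words are an error.
    """
    inv = GenrsaInvocation()
    i = 0
    while i < len(argv) and argv[i].startswith("-"):
        opt = argv[i]
        if opt not in GENRSA_OPTIONS:
            # Unknown options were rejected in both versions, so `-config`
            # placed before numbits never worked either.
            raise ValueError(f"genrsa: unknown option {opt}")
        if GENRSA_OPTIONS[opt]:
            if i + 1 >= len(argv):
                raise ValueError(f"genrsa: option {opt} needs a value")
            inv.options[opt] = argv[i + 1]
            i += 2
        else:
            inv.options[opt] = None
            i += 1
    if i < len(argv):
        inv.numbits = int(argv[i])  # first non-option word is [numbits]
        i += 1
    leftover = argv[i:]
    if leftover and check_extra_args:
        raise ValueError(f"genrsa: extra arguments after numbits: {leftover}")
    inv.ignored = leftover
    return inv


if __name__ == "__main__":
    # The command from the report (shell variables already expanded; constructed names).
    reported = ["-out", "server.key", "4096", "-config", "openssl.cnf", "-batch"]
    old = parse_genrsa_argv(reported, check_extra_args=False)
    print("old behaviour: numbits", old.numbits, "silently ignored", old.ignored)
    try:
        parse_genrsa_argv(reported, check_extra_args=True)
    except ValueError as exc:
        print("1.1.0f behaviour:", exc)
    # The workaround: keep numbits last and pass the config through the environment.
    fixed = parse_genrsa_argv(["-out", "server.key", "4096"], check_extra_args=True)
    print("workaround: numbits", fixed.numbits, "options", fixed.options)
```

The model makes the practical point visible: the "working" command never applied `-config` or `-batch` at all, so the only real change for callers is that the silent drop became a hard error, and the fix is to put numbits last (or move the config into OPENSSL_CONF, as in the workaround).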


