ca_revoke() gets called two ways. Directly from ca_opt() with keyname

set to the cert to revoke, and indirectly from ca_create() with a
keyname set to NULL.

ca_create() sets REQ_EXT so avoid setting it in ca_revoke() when keyname
is NULL and the crl database is being initialised.

Avoids "REQ_EXT already set" when creating a CA error introduced
in rev 1.44 which set REQ_EXT unconditionally in ca_revoke().

diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 8b15b60..08f96b5 100644 (file)
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ikeca.c,v 1.44 2017/05/24 04:55:57 jsg Exp $  */
+/*     $OpenBSD: ikeca.c,v 1.45 2017/05/31 06:46:57 jsg Exp $  */
 
 /*
  * Copyright (c) 2010 Jonathan Gray <jsg@openbsd.org>
@@ -900,7 +900,9 @@ ca_revoke(struct ca *ca, char *keyname)
 
        ca_setenv("$ENV::CADB", ca->index);
        ca_setenv("$ENV::CASERIAL", ca->serial);
-       ca_setenv("$ENV::REQ_EXT", "req");
+       if (keyname)
+               ca_setenv("$ENV::REQ_EXT", "");
+
        ca_setcnf(ca, "ca-revoke");
 
        if (keyname) {