From 55ace1c0e40acb8cd29381f209d714f4548666aa Mon Sep 17 00:00:00 2001 From: jsg Date: Wed, 31 May 2017 06:46:57 +0000 Subject: [PATCH] ca_revoke() gets called two ways. Directly from ca_opt() with keyname set to the cert to revoke, and indirectly from ca_create() with a keyname set to NULL. ca_create() sets REQ_EXT so avoid setting it in ca_revoke() when keyname is NULL and the crl database is being initialised. Avoids "REQ_EXT already set" when creating a CA error introduced in rev 1.44 which set REQ_EXT unconditionally in ca_revoke(). --- usr.sbin/ikectl/ikeca.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c index 8b15b603ff4..08f96b5f705 100644 --- a/usr.sbin/ikectl/ikeca.c +++ b/usr.sbin/ikectl/ikeca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikeca.c,v 1.44 2017/05/24 04:55:57 jsg Exp $ */ +/* $OpenBSD: ikeca.c,v 1.45 2017/05/31 06:46:57 jsg Exp $ */ /* * Copyright (c) 2010 Jonathan Gray @@ -900,7 +900,9 @@ ca_revoke(struct ca *ca, char *keyname) ca_setenv("$ENV::CADB", ca->index); ca_setenv("$ENV::CASERIAL", ca->serial); - ca_setenv("$ENV::REQ_EXT", "req"); + if (keyname) + ca_setenv("$ENV::REQ_EXT", ""); + ca_setcnf(ca, "ca-revoke"); if (keyname) { -- 2.20.1
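Review bot: In the ca_revoke() hunk, the added call sets REQ_EXT to "" where the removed line set it to "req", but the commit message only explains the new `if (keyname)` guard and says nothing about the value changing. If the empty string is intended on the direct revoke path, state that in the message or in a short comment above the guard; if it is not intended, keep "req". The reason for the guard (ca_create() has already set REQ_EXT when keyname is NULL) also lives only in the commit message. A one-line comment at the guard would keep it next to the code, especially as a second `if (keyname) {` block follows directly after ca_setcnf() and the two conditions are easy to merge or reorder by mistake later.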