From ecb618331c40c05f9b7c644bd74d2ab04c49f0c3 Mon Sep 17 00:00:00 2001 From: Jonathan Gray Date: Wed, 31 May 2017 06:46:58 +0000 Subject: ca_revoke() gets called two ways. Directly from ca_opt() with keyname set to the cert to revoke, and indirectly from ca_create() with a keyname set to NULL. ca_create() sets REQ_EXT so avoid setting it in ca_revoke() when keyname is NULL and the crl database is being initialised. Avoids "REQ_EXT already set" when creating a CA error introduced in rev 1.44 which set REQ_EXT unconditionally in ca_revoke(). --- usr.sbin/ikectl/ikeca.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c index 8b15b603ff4..08f96b5f705 100644 --- a/usr.sbin/ikectl/ikeca.c +++ b/usr.sbin/ikectl/ikeca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikeca.c,v 1.44 2017/05/24 04:55:57 jsg Exp $ */ +/* $OpenBSD: ikeca.c,v 1.45 2017/05/31 06:46:57 jsg Exp $ */ /* * Copyright (c) 2010 Jonathan Gray @@ -900,7 +900,9 @@ ca_revoke(struct ca *ca, char *keyname) ca_setenv("$ENV::CADB", ca->index); ca_setenv("$ENV::CASERIAL", ca->serial); - ca_setenv("$ENV::REQ_EXT", "req"); + if (keyname) + ca_setenv("$ENV::REQ_EXT", ""); + ca_setcnf(ca, "ca-revoke"); if (keyname) { -- cgit v1.2.3