From 5cff41ea66c1dd4e60bd255b0f68d7d1f8d22383 Mon Sep 17 00:00:00 2001
Message-Id: <5cff41ea66c1dd4e60bd255b0f68d7d1f8d22383.1714992066.git.mdw@distorted.org.uk>
From: Mark Wooding <mdw@chiark.greenend.org.uk>
Date: Sun, 25 Dec 2011 23:46:39 +0000
Subject: [PATCH 1/1] keyfunc.sh.in (prepare): Indicate that an ACL check isn't
 necessary.
Organization: Straylight/Edgeware

From: Mark Wooding <mdw@distorted.org.uk>

---
 keyfunc.sh.in | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/keyfunc.sh.in b/keyfunc.sh.in
index bad5af1..f134198 100644
--- a/keyfunc.sh.in
+++ b/keyfunc.sh.in
@@ -426,7 +426,8 @@ k_verify () { notsupp verify; }
 prepare () {
   key=$1 op=$2
   ## Prepare for a crypto operation OP, using the KEY.  This validates the
-  ## key label, reads the profile, and checks the access-control list.
+  ## key label, reads the profile, and checks the access-control list.  If OP
+  ## is `-' then allow the operation unconditionally.
 
   ## Find the key properties.
   parse_keylabel "$key"
@@ -436,6 +437,7 @@ prepare () {
 
   ## Check whether we're allowed to do this thing.  This is annoyingly
   ## fiddly.
+  case $op in -) return ;; esac
   eval acl=\${kprop_acl_$op-!owner}
   verdict=forbid
   while :; do
-- 
[mdw]