From: Alberto Leiva Popper Date: Wed, 24 Jul 2019 16:51:50 +0000 (-0500) Subject: Revert "Don't retry MFT download when EE is revoked (related to #11)" X-Git-Tag: v1.0.0^2~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a6556bdf0bb20cc69e908908b96e53bb5838fc58;p=thirdparty%2FFORT-validator.git Revert "Don't retry MFT download when EE is revoked (related to #11)" This reverts commit 4e606bb81038154fc9cd6966590c57a7a6b01a3b.
---
diff --git a/src/object/certificate.c b/src/object/certificate.c
index eb98e400..b64926a0 100644
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -643,8 +643,7 @@ certificate_validate_chain(X509 *cert, STACK_OF(X509_CRL) *crls) cert_revoked(X509_get_serialNumber(cert), sk_X509_CRL_value(crls, sk_X509_CRL_num(crls) - 1))) { pr_err("Certificate validation failed: certificate is revoked"); - X509_STORE_CTX_free(ctx); - return -EREVOKED; + goto abort; } /*
@@ -706,8 +705,7 @@ certificate_revoked_at_crldp(X509 *cert, struct certificate_refs *refs) /* Everything OK so far, error 0 is valid */ if (cert_revoked(X509_get_serialNumber(cert), crl)) { - pr_err("Certificate validation failed: certificate is revoked at CRL"); - error = -EREVOKED; + error = pr_err("Certificate validation failed: certificate is revoked at CRL"); } X509_CRL_free(crl);
@@ -1552,13 +1550,7 @@ certificate_traverse(struct rpki_uri *rpp_parent, struct rpki_uri *cert_uri) error = handle_manifest(mft, rpp_parent_crl, &pp); if (!mft_retry) uri_refput(mft); - /* - * Break when: - * - No error - * - No need to retry - * - Manifest its ok, but EE is revoked - */ - if (!error || !mft_retry || error == -EREVOKED) + if (!error || !mft_retry) break; pr_info("Retrying repository download to discard 'transient inconsistency' manifest issue (see RFC 6481 section 5) '%s'",
diff --git a/src/object/certificate.h b/src/object/certificate.h
index 87db74e1..a11859c7 100644
--- a/src/object/certificate.h
+++ b/src/object/certificate.h
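Review bot: Both revocation paths in certificate.c now rely on code outside their hunks to fail closed. In certificate_validate_chain the revoked branch jumps to `abort`, whose cleanup of `ctx` and return value are not visible here. In certificate_revoked_at_crldp the result becomes `error = pr_err(...)`, which rejects the certificate only while pr_err() returns non-zero; its definition is not part of this diff. Since the comment just above that test says error 0 is valid, I would document the dependency at the assignment, for example `/* pr_err() returns a non-zero error code, so a revoked certificate never yields 0 */`, or assign an explicit non-zero code after logging.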
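Review bot: With the `error == -EREVOKED` exit removed, the loop in certificate_traverse re-downloads the repository for every manifest failure while `mft_retry` is set, including a revoked EE certificate, which looks like a deterministic failure rather than the transient inconsistency the log message describes. The deleted comment was also the only description of the exit conditions, so I would keep a short one above the test, for example `/* Stop on success or when no retry is allowed; any other manifest error triggers a re-download */`. The code that clears `mft_retry` lies outside the hunk, so it is worth confirming that the retry is bounded, because otherwise a repository that keeps serving a failing manifest would cause repeated fetches.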
@@ -10,9 +10,6 @@ #include "asn1/asn1c/ANY.h" #include "asn1/asn1c/SignatureValue.h" -/* Certificate is valid but is revoked */ -#define EREVOKED 8100 - int certificate_load(struct rpki_uri *, X509 **); /**