path: root/rcynic/rcynic.c
Age         Author       Commit message

2013-07-30  Rob Austein
  Log a warning if we accept an EE certificate when allow_ee_without_signedObject is active. Fixes #591.
  svn path=/trunk/; revision=5445

2013-07-18  Rob Austein
  GCC warning.
  svn path=/trunk/; revision=5439

2013-06-27  Rob Austein
  Report what we're doing before blocking select().
  svn path=/trunk/; revision=5419

2013-06-27  Rob Austein
  Flip default for allow-object-not-in-manifest to false.
  svn path=/trunk/; revision=5418

2013-06-27  Rob Austein
  Don't whine about stale CRLs and manifests that are only stale because we check them before running rsync when rsync-early is off.
  svn path=/trunk/; revision=5417

2013-06-14  Rob Austein
  Pruning now keys off the validation_status database rather than the rsync_history database, which solves the problem of how to prune when we skip rsyncing publication points for which we have a cached current manifest.
  svn path=/trunk/; revision=5409

2013-06-14  Rob Austein
  Experimental feature: skip rsync_tree() if we have a valid manifest and haven't yet reached its nextUpdate time. Disabled by default, doesn't yet handle pruning correctly, may give surprising results.
  svn path=/trunk/; revision=5408

2013-06-07  Rob Austein
  Nit
  svn path=/trunk/; revision=5379

2013-06-07  Rob Austein
  Forgot a globfree().
  svn path=/trunk/; revision=5378

2013-06-06  Rob Austein
  Consolidate to a single event loop, queue up all TALs at start. This makes things run a lot faster with multiple trust anchors.
  svn path=/trunk/; revision=5377

2013-06-06  Rob Austein
  Type signatures of rsync_*() and task_*() frameworks should not be so tightly coupled to walk_cert(). Checkpoint along the way to adding handlers for the check_ta*() functions so that we can run multiple trust anchors in parallel.
  svn path=/trunk/; revision=5374

2013-06-06  Rob Austein
  Reorganize TA handling code, add trust-anchor-directory directive. Latter is not yet fully tested, so not yet ready for prime time.
  svn path=/trunk/; revision=5373

2013-03-25  Rob Austein
  The URI in a TAL MUST be a certificate matching the RPKI profile, which implies that its name must end in ".cer". Fixes #492.
  svn path=/trunk/; revision=5215

2013-03-21  Rob Austein
  Examine both thisUpdate timestamp and number when comparing CRLs or manifests: report discrepancies, and blunder ahead with current generation when timestamp and number checks disagree, on theory that this indicates fat fingers rather than an attack. Closes #409.
  svn path=/trunk/; revision=5189

2013-03-11  Rob Austein
  Check CRL issuer name against issuing CA's subject name. Closes #459.
  svn path=/trunk/; revision=5133

2013-01-29  Rob Austein
  Check for empty RFC 3779 extensions. See #406.
  svn path=/trunk/; revision=4981

2012-11-28  Rob Austein
  Check signedObject URI when present. Closes #173.
  svn path=/trunk/; revision=4922

2012-09-29  Rob Austein
  Simplify loop.
  svn path=/branches/tk274/; revision=4738

2012-09-29  Rob Austein
  Clean up AVL_PARANOIA code.
  svn path=/branches/tk274/; revision=4736

2012-09-19  Rob Austein
  Move ASN.1 definitions for ROAs and Manifests to common header files used by all the C programs.
  svn path=/branches/tk274/; revision=4725

2012-09-14  Rob Austein
  Disable AVL_PARANOIA code.
  svn path=/branches/tk274/; revision=4714

2012-09-14  Rob Austein
  Add AVL index of validation_status database.
  svn path=/branches/tk274/; revision=4713

2012-07-30  Rob Austein
  Add -x option to control "XML summary" file name from command line. Consolidate code that generates file:// URIs from filenames.
  svn path=/trunk/; revision=4613

2012-06-26  Rob Austein
  Certificate UID fields forbidden by RPKI profile.
  svn path=/trunk/; revision=4560

2012-06-24  Rob Austein
  RFC 6485 contradicts RFCs 2630 and 3370, which make rsaEncryption the mandatory-to-support CMS signatureAlgorithm OID. All known existing RPKI engines and validators use CMS engines which follow the base CMS specifications, so this is almost certainly an error in RFC 6485. Allow either rsaEncryption or sha256WithRSAEncryption, pending resolution of this issue by the IETF SIDR WG.
  svn path=/trunk/; revision=4554

2012-06-23  Rob Austein
  Check OID in CMS SignerInfo contentType attribute (conformance).
  svn path=/trunk/; revision=4553

2012-06-22  Rob Austein
  More CMS conformance checks, and fix a couple I got wrong yesterday.
  svn path=/trunk/; revision=4551

2012-06-22  Rob Austein
  Check CMS SignerInfo algorithm OIDs (conformance).
  svn path=/trunk/; revision=4550

2012-06-22  Rob Austein
  Check CMS for presence of CRLs (conformance).
  svn path=/trunk/; revision=4549

2012-06-21  Rob Austein
  Check for duplicate names in manifest (conformance).
  svn path=/trunk/; revision=4548

2012-06-21  Rob Austein
  Tighter checking of integer values in input data (conformance).
  svn path=/trunk/; revision=4547

2012-06-15  Rob Austein
  Handle all "partial transfer" (rsync code 23) errors the same way.
  svn path=/trunk/; revision=4542

2012-06-13  Rob Austein
  Missing directory at repository site is not a transfer failure.
  svn path=/trunk/; revision=4538

2012-03-21  Rob Austein
  Shut up about skipped rsync connections when rsync is disabled.
  svn path=/trunk/; revision=4407

2012-03-09  Rob Austein
  Move AKI checks to precede signature check, as AKI checks are cheaper.
  svn path=/trunk/; revision=4392

2012-03-09  Rob Austein
  Fix fencepost error in walk_ctx_loop_next(). This closes #219.
  svn path=/trunk/; revision=4391

2012-03-02  Rob Austein
  Add keep-lockfile, to simplify process queuing.
  svn path=/trunk/; revision=4385

2012-03-01  Rob Austein
  Record failure when we can't even parse a trust anchor, much less check it (eg, recent AfriNIC incident). Fixes #187.
  svn path=/trunk/; revision=4382

2012-02-26  Rob Austein
  Allow configuration of authenticated and unauthenticated directories from command line, to simplify use with alternate fetch mechanisms.
  svn path=/trunk/; revision=4371

2012-02-15  Rob Austein
  Factor XML generation code out of main(), and don't overwrite old XML file when we can't run to completion, eg, when some other process is sitting on our lock file. This closes #184.
  svn path=/trunk/; revision=4335

2012-02-14  Rob Austein
  Downgrade "AIA doesn't match issuer" to a warning. Closes #188.
  svn path=/trunk/; revision=4334

2012-02-14  Rob Austein
  Apparently an old version of the res-certs specification allowed 1024-bit RSA keys for EE certificates, or so some of the implementors believe, so downgrade that error to a warning for now. This is configurable using the "allow-1024-bit-ee-key" option and defaults to allowing such keys with a warning for now, but that default is subject to change.
  svn path=/trunk/; revision=4331

2012-02-03  Rob Austein
  "Multiple rsync URIs in extension" should be warning, not error.
  svn path=/trunk/; revision=4284

2012-02-02  Rob Austein
  Tweak AIA/SIA/CRLDP checking again: don't accidentally reject just for having an alternate URI, do check the whole extension rather than stopping on first success.
  svn path=/trunk/; revision=4280

2012-02-01  Rob Austein
  AKI checks still weren't quite right.
  svn path=/trunk/; revision=4277

2012-01-31  Rob Austein
  Refactor CMS checks, which have gotten complex enough to be worth attempting to share between different kinds of signed objects. This closes #82.
  svn path=/trunk/; revision=4276

2012-01-31  Rob Austein
  AKI extension is optional for self-signed RPKI certificates.
  svn path=/trunk/; revision=4275

2012-01-26  Rob Austein
  Back out over-zealous change introduced as part of [4267] -- apparently ASID extensions are legal in EE certificates for ROAs, although given the other constraints I can't think of a sane reason why this is allowed when so much else is nailed down.
  svn path=/trunk/; revision=4269

2012-01-26  Rob Austein
  Conformance: Check SKI value.
  svn path=/trunk/; revision=4268

2012-01-26  Rob Austein
  Conformance: Check CMS SID against EE SKI in ROAs. Use ASN1_INTEGER_cmp() instead of ASN1_INTEGER_get(), the latter's behavior is too quirky. Add config variable allowing compatibility with manifest EE certs that have no SIA extension, which is a technical violation of the spec, albeit a harmless one as far as I can tell; at present, the default for this variable allows these manifests, at some point the default will flip to disallow, as a first step towards phasing this out.
  svn path=/trunk/; revision=4267