From 024ae3e4d09de1e53e9c73c8b57fadd486087db6 Mon Sep 17 00:00:00 2001
From: job
Date: Wed, 20 Mar 2024 04:36:30 +0000
Subject: [PATCH] Check whether filename and SIA match

Verify whether the filename as presented by the publication point (which is unsigned information) matches the filename in the SIA attribute (which is signed information). Based on RFC 6487 section 4.8.8.

with and OK tb@
---
 usr.sbin/rpki-client/x509.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 86ba7689a47..962cd829d68 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.82 2024/03/19 05:04:13 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.83 2024/03/20 04:36:30 job Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Claudio Jeker
@@ -536,7 +536,23 @@ x509_get_sia(X509 *x, const char *fn, char **sia)
 continue;
 if (strncasecmp(*sia, "rsync://", 8) == 0) {
+ const char *p = *sia + strlen("rsync://");
+ size_t fnlen, plen;
+
 rsync_found = 1;
+
+ if (filemode)
+ continue;
+ fnlen = strlen(fn);
+ plen = strlen(p);
+ if (fnlen < plen || strcmp(p, fn + fnlen - plen) != 0) {
+ warnx("%s: mismatch between pathname and SIA "
+ "(%s)", fn, *sia);
+ goto out;
+ }
+
 continue;
 }
-- 
2.20.1
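Review bot: The suffix test `strcmp(p, fn + fnlen - plen)` in the added block does not anchor the match at a path-component boundary, so an SIA path whose leading part is merely a tail of the real location (e.g. a host that is a suffix of the actual host, `example.net/...` against `rpki.example.net/...`) still passes as a match. Unless fn is guaranteed to be the SIA path behind a fixed prefix ending in `/` (not visible in this hunk), tighten the condition to `if (fnlen < plen || strcmp(p, fn + fnlen - plen) != 0 || (fnlen > plen && fn[fnlen - plen - 1] != '/')) {`. Note also that an SIA of exactly `rsync://` yields plen == 0, for which the comparison trivially succeeds; presumably the URI validation earlier in this function rejects an empty path, but that is worth confirming. x509_get_sia begins and ends outside the hunk.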