From c180fb4ac5d3c96fa32685037930558faf93cac0 Mon Sep 17 00:00:00 2001 From: job Date: Fri, 4 Nov 2022 10:09:09 +0000 Subject: [PATCH] Catch bad characters in rpkiManifest filenames earlier on This improves the hard-to-read error: rpki-client: .rrdp/59B96A4C078FDCEDBB776D5BE8DF45EAC0149157547270EA7D4647A76611E145/rpki-rsync.us-east-2.amazonaws.com/volume/220c3ec2-ccf9-4b8a-bf61-fd4d1e151271/LAXNBPgDnLLjagP8++RFIoaMCGo.mft: RFC 6487 section 4.8.6: CRL: bad CRL distribution point extension rpki-client: rpki-rsync.us-east-2.amazonaws.com/volume/220c3ec2-ccf9-4b8a-bf61-fd4d1e151271/LAXNBPgDnLLjagP8++RFIoaMCGo.mft: no valid mft available to: rpki-client: rpki.ripe.net/repository/DEFAULT/ZMvVW3ZpjFaCVe2TtDEqMlyFk3E.cer: SIA: rpkiManifest filename contains invalid characters OK tb@ --- usr.sbin/rpki-client/cert.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index 32a9a255b73..641a5d6b7d7 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.93 2022/11/04 09:45:19 job Exp $ */ +/* $OpenBSD: cert.c,v 1.94 2022/11/04 10:09:09 job Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Job Snijders @@ -433,6 +433,7 @@ sbgp_sia(struct parse *p, X509_EXTENSION *ext) AUTHORITY_INFO_ACCESS *sia = NULL; ACCESS_DESCRIPTION *ad; ASN1_OBJECT *oid; + const char *mftfilename; int i, rc = 0; if (X509_EXTENSION_get_critical(ext)) { @@ -473,6 +474,14 @@ sbgp_sia(struct parse *p, X509_EXTENSION *ext) goto out; } + mftfilename = strrchr(p->res->mft, '/'); + if (mftfilename == NULL || !valid_filename(mftfilename + 1, + strlen(mftfilename) - 1)) { + warnx("%s: SIA: rpkiManifest filename contains invalid " + "characters", p->fn); + goto out; + } + if (strstr(p->res->mft, p->res->repo) != p->res->mft) { warnx("%s: RFC 6487 section 4.8.8: SIA: " "conflicting URIs for caRepository and rpkiManifest", -- 2.20.1
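Review bot: The new check in sbgp_sia() reports "filename contains invalid characters" for two distinct failures: `strrchr()` finding no '/' in `p->res->mft`, and `valid_filename()` rejecting the last path component, which may also reject for reasons other than the character set (its definition is not part of this diff). Since the SIA comes from the certificate being validated, an accurate message matters when triaging a malformed or hostile object; consider handling the NULL case separately, e.g. `if (mftfilename == NULL) { warnx("%s: SIA: invalid rpkiManifest entry", p->fn); goto out; }`, and wording the remaining message as "rpkiManifest filename is invalid". A short comment such as `/* mftfilename points at the last '/', so strlen() >= 1 and the - 1 cannot wrap */` would also help the next reader. The block relies on `p->res->mft` being non-NULL, which is presumably guaranteed by the check ending just above the hunk; the function body starts and ends outside the visible hunks.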