
From: Job Snijders <job@bsd.nl>
Subject: rpki-client: limit the filename length in Manifest listings to something reasonable
To: tech@openbsd.org
Date: Wed, 13 May 2026 14:39:26 +0000

I think it is helpful to only consider CA material that can fit in
USTAR archives and reject exogenous names. If 99 characters isn't
enough, perhaps the CA should reconsider their filenaming scheme
approach. I regret not having thought of a SIZE(5..99) constraint when
the Manifest-bis RFC still was cooking as draft.

Throughout the ecosystem, the average filename length seems to be
somewhere between 31 and 56.

The below patch causes only one (very young) CA to be rejected.

	rpki-client: https://rrdp.twnic.tw/rrdp/notification.xml: pulling from network
	rpki-client: https://rrdp.twnic.tw/rrdp/notification.xml: notification file not modified (335d178e-beb8-467d-8728-ba45540b34c9#4217)
	rpki-client: https://rrdp.twnic.tw/rrdp/notification.xml: loaded from network
	rpki-client: .rrdp/66379FACF9122B9638D45427079C9669F95B694FE6F5DAA7A69F835F3C4ABDC6/rpkica.twnic.tw/rpki/ASNET/0/9832A7E4CF45729EDCD3681D0146E1ED3A4A40C3.mft: FileAndHash contains overly long filename
	rpki-client: rpkica.twnic.tw/rpki/ASNET/0/9832A7E4CF45729EDCD3681D0146E1ED3A4A40C3.mft: no valid manifest available

OK? Suggestions?

Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.279 extern.h
--- extern.h	1 May 2026 11:22:24 -0000	1.279
+++ extern.h	13 May 2026 14:27:23 -0000
@@ -1056,6 +1056,9 @@ int	mkpathat(int, const char *);
 /* Maximum number of FileAndHash entries per manifest. */
 #define MAX_MANIFEST_ENTRIES	100000
 
+/* Maximum filename length in Manifest FileAndHash listings. */
+#define MAX_MANIFEST_FN_LENGTH	99
+
 /* Maximum number of Providers per ASPA object. */
 #define MAX_ASPA_PROVIDERS	10000
 
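Review bot: The comment above MAX_MANIFEST_FN_LENGTH does not say where 99 comes from, so a later reader has no way to tell it apart from an arbitrary cap like the neighbouring MAX_MANIFEST_ENTRIES. The cover message gives the reason (names must fit in USTAR archives); put that in the comment, and state that the value counts filename bytes without the terminating NUL, since it is compared against the parsed length before strndup() in mft.c.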
Index: mft.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
diff -u -p -r1.137 mft.c
--- mft.c	5 May 2026 09:33:15 -0000	1.137
+++ mft.c	13 May 2026 14:27:23 -0000
@@ -164,6 +164,11 @@ mft_parse_filehash(const char *fn, struc
 		warnx("%s: RFC 9286 section 4.2.2: bad filename", fn);
 		goto out;
 	}
+	if (length > MAX_MANIFEST_FN_LENGTH) {
+		warnx("%s: FileAndHash contains overly long filename", fn);
+		goto out;
+	}
+
 	file = strndup(data, length);
 	if (file == NULL)
 		err(1, NULL);