Ensure that the rpkiManifest is a file in the caRepository

discussed with jca and job ok claudio
2025-01-03 06:45:37 -08:00 · 2024-07-08 15:31:58 +00:00 · 2024-07-08 15:31:58 +00:00 · 2e5628f880
commit 2e5628f880
parent 39ab19dff5
1 changed files with 3 additions and 2 deletions
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: cert.c,v 1.149 2024/07/08 15:31:11 tb Exp $ */
+/*	$OpenBSD: cert.c,v 1.150 2024/07/08 15:31:58 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@ -615,7 +615,8 @@ sbgp_sia(const char *fn, struct cert *cert, X509_EXTENSION *ext)
 		goto out;
 	}

-	if (strstr(cert->mft, cert->repo) != cert->mft) {
+	if (strstr(cert->mft, cert->repo) != cert->mft ||
+	    cert->mft + strlen(cert->repo) != mftfilename) {
 		warnx("%s: RFC 6487 section 4.8.8: SIA: "
 		    "conflicting URIs for caRepository and rpkiManifest", fn);
 		goto out;