diff options
author | Job Snijders <job@cvs.openbsd.org> | 2023-11-24 14:05:48 +0000 |
---|---|---|
committer | Job Snijders <job@cvs.openbsd.org> | 2023-11-24 14:05:48 +0000 |
commit | 76e4933ff56a4dae36fe0b9f4838fd048e0f9e60 (patch) | |
tree | 8ec774fc8e74e114f2e2d2afe0aef1435bd399b5 | |
parent | 1963d8e372c7d5a397013283ca55842f7816e156 (diff) |
Require files to be of a minimum size in the RRDP & RSYNC transports
Picked 100 bytes as a minimum, to accommodate future signature schemes
(such as the smaller P-256) and small files like empty CRLs.
With and OK claudio@ tb@
-rw-r--r-- | usr.sbin/rpki-client/extern.h | 5 | ||||
-rw-r--r-- | usr.sbin/rpki-client/rrdp_util.c | 16 | ||||
-rw-r--r-- | usr.sbin/rpki-client/rsync.c | 3 |
3 files changed, 19 insertions, 5 deletions
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index e33c0e1018f..571b2d849de 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.194 2023/11/16 11:10:59 tb Exp $ */ +/* $OpenBSD: extern.h,v 1.195 2023/11/24 14:05:47 job Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -930,7 +930,8 @@ int mkpathat(int, const char *); /* Maximum acceptable URI length */ #define MAX_URI_LENGTH 2048 -/* Maximum acceptable file size */ +/* Min/Max acceptable file size */ +#define MIN_FILE_SIZE 100 #define MAX_FILE_SIZE 4000000 /* Maximum number of FileNameAndHash entries per RSC checklist. */ diff --git a/usr.sbin/rpki-client/rrdp_util.c b/usr.sbin/rpki-client/rrdp_util.c index 0565493b8c5..8486e416beb 100644 --- a/usr.sbin/rpki-client/rrdp_util.c +++ b/usr.sbin/rpki-client/rrdp_util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rrdp_util.c,v 1.1 2021/11/24 15:24:16 claudio Exp $ */ +/* $OpenBSD: rrdp_util.c,v 1.2 2023/11/24 14:05:47 job Exp $ */ /* * Copyright (c) 2020 Nils Fisher <nils_fisher@hotmail.com> * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org> @@ -107,10 +107,22 @@ publish_done(struct rrdp *s, struct publish_xml *pxml) unsigned char *data = NULL; size_t datasz = 0; - if (pxml->data_length > 0) + switch (pxml->type) { + case PUB_ADD: + case PUB_UPD: + if (base64_decode_len(pxml->data_length, &datasz) == -1) + return -1; + if (datasz < MIN_FILE_SIZE) + return -1; if ((base64_decode(pxml->data, pxml->data_length, &data, &datasz)) == -1) return -1; + break; + case PUB_DEL: + if (pxml->data_length != 0) + return -1; + break; + } rrdp_publish_file(s, pxml, data, datasz); diff --git a/usr.sbin/rpki-client/rsync.c b/usr.sbin/rpki-client/rsync.c index 9b5710ca3ed..808a9207abc 100644 --- a/usr.sbin/rpki-client/rsync.c +++ b/usr.sbin/rpki-client/rsync.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsync.c,v 1.47 2023/11/23 13:01:15 job Exp $ */ +/* $OpenBSD: rsync.c,v 1.48 2023/11/24 14:05:47 job Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -147,6 +147,7 @@ exec_rsync(const char *prog, const char *bind_addr, char *uri, char *dst, args[i++] = (char *)prog; args[i++] = "-rtO"; args[i++] = "--no-motd"; + args[i++] = "--min-size=" STRINGIFY(MIN_FILE_SIZE); args[i++] = "--max-size=" STRINGIFY(MAX_FILE_SIZE); args[i++] = "--contimeout=" STRINGIFY(MAX_CONN_TIMEOUT); args[i++] = "--timeout=" STRINGIFY(MAX_IO_TIMEOUT); |