From 501fc77f080e5a714046df07c1afe24e193d8155 Mon Sep 17 00:00:00 2001
From: job
Date: Sat, 16 May 2026 07:27:03 +0000
Subject: [PATCH] Limit the length of filenames as they appear in various ASN.1 fields to 255

OK tb@
---
 usr.sbin/rpki-client/cert.c | 5 ++---
 usr.sbin/rpki-client/extern.h | 8 +++++++-
 usr.sbin/rpki-client/mft.c | 6 ++++--
 usr.sbin/rpki-client/rsc.c | 4 ++--
 usr.sbin/rpki-client/validate.c | 9 +++++++--
 5 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index d0afb50b21c..1b04b693e09 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.236 2026/05/02 10:36:21 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.237 2026/05/16 07:27:03 job Exp $ */
 /*
 * Copyright (c) 2022,2025 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -813,8 +813,7 @@ cert_ca_sia(const char *fn, struct cert *cert, const X509_EXTENSION *ext)
 }
 mftfilename++;
 if (!valid_filename(mftfilename, strlen(mftfilename))) {
- warnx("%s: SIA: rpkiManifest filename contains invalid "
- "characters", fn);
+ warnx("%s: SIA: rpkiManifest invalid filename", fn);
 goto out;
 }
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index daa7583cf25..4124e0d37ec 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.279 2026/05/01 11:22:24 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.280 2026/05/16 07:27:03 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -1056,6 +1056,12 @@ int mkpathat(int, const char *);
 /* Maximum number of FileAndHash entries per manifest. */
 #define MAX_MANIFEST_ENTRIES 100000
+/*
+ * Maximum allowable filename length in various fields.
+ * Based on IEEE Std 1003.1 limits.h _XOPEN_NAME_MAX.
+ */
+#define MAX_FN_LENGTH 255
+
 /* Maximum number of Providers per ASPA object. */
 #define MAX_ASPA_PROVIDERS 10000
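Review bot: The reworded warning in cert_ca_sia() no longer tells the operator why the rpkiManifest filename was rejected, and after this patch valid_filename() can fail for two different reasons (a character outside the portable set, or a length above MAX_FN_LENGTH). When triaging a rejected CA certificate from the log, printing the length would disambiguate, e.g. `warnx("%s: SIA: rpkiManifest invalid filename (length %zu)", fn, strlen(mftfilename));`. The same applies to the reworded warnings in the mft.c and rsc.c hunks. cert_ca_sia's body starts and ends outside this hunk.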
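Review bot: The comment on MAX_FN_LENGTH does not say what unit the limit counts or where it is enforced. Judging by the validate.c hunk it is compared with the byte length handed to valid_filename(), which does not include a terminating NUL; saying so avoids an off-by-one if a buffer is ever sized from it, e.g. `Maximum filename length in bytes (excluding the terminating NUL) accepted by valid_filename().` It may also be worth stating that this is a fixed policy limit and not the NAME_MAX of the local filesystem.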
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index bdb824b25bc..e2740d6d202 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.137 2026/05/05 09:33:15 tb Exp $ */
+/* $OpenBSD: mft.c,v 1.138 2026/05/16 07:27:03 job Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -161,9 +161,11 @@ mft_parse_filehash(const char *fn, struct mft *mft, const FileAndHash *fh,
 length = ASN1_STRING_length(fh->file);
 if (!valid_mft_filename(data, length)) {
- warnx("%s: RFC 9286 section 4.2.2: bad filename", fn);
+ warnx("%s: RFC 9286 section 4.2.2: FileAndHash with "
+ "invalid filename", fn);
 goto out;
 }
+
 file = strndup(data, length);
 if (file == NULL)
 err(1, NULL);
diff --git a/usr.sbin/rpki-client/rsc.c b/usr.sbin/rpki-client/rsc.c
index cb4cfcc3d70..c1a69ccc2f7 100644
--- a/usr.sbin/rpki-client/rsc.c
+++ b/usr.sbin/rpki-client/rsc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsc.c,v 1.43 2025/12/02 10:34:48 tb Exp $ */
+/* $OpenBSD: rsc.c,v 1.44 2026/05/16 07:27:03 job Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2022 Job Snijders
@@ -270,7 +270,7 @@ rsc_parse_checklist(const char *fn, struct rsc *rsc,
 length = ASN1_STRING_length(fh->fileName);
 if (!valid_filename(data, length)) {
- warnx("%s: RSC FileNameAndHash: bad filename", fn);
+ warnx("%s: RSC FileNameAndHash: invalid filename", fn);
 return 0;
 }
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 04ae161c48a..9c82deda048 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.82 2026/01/13 21:36:17 job Exp $ */
+/* $OpenBSD: validate.c,v 1.83 2026/05/16 07:27:03 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
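Review bot: Nothing in this patch shows the new length limit being applied to manifest FileAndHash names: the check in the mft.c hunk is valid_mft_filename(), whose body the patch does not touch, so the 255-byte cap reaches this path only if that function delegates to valid_filename(). That is presumably the case, but it is worth confirming, because the following `file = strndup(data, length);` copies a length taken straight from the ASN.1 object. A one-line comment above the call, such as `/* valid_mft_filename() also enforces MAX_FN_LENGTH via valid_filename() */`, would make the dependency explicit once verified. mft_parse_filehash's body starts and ends outside the hunk.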
@@ -218,7 +218,8 @@ valid_hash(unsigned char *buf, size_t len, const char *hash, size_t hlen)
 /*
 * Validate that a filename only contains characters from the POSIX portable
- * filename character set [A-Za-z0-9._-], see IEEE Std 1003.1-2013, 3.278.
+ * filename character set [A-Za-z0-9._-], and not longer than _XOPEN_NAME_MAX.
+ * see IEEE Std 1003.1-2013, 3.278, and implementation-defined constants.
 */
 int
 valid_filename(const char *fn, size_t len)
@@ -226,9 +227,13 @@ valid_filename(const char *fn, size_t len)
 const unsigned char *c;
 size_t i;
+ if (len > MAX_FN_LENGTH)
+ return 0;
+
 for (c = fn, i = 0; i < len; i++, c++)
 if (!isalnum(*c) && *c != '-' && *c != '_' && *c != '.')
 return 0;
+
 return 1;
 }
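Review bot: The updated comment names _XOPEN_NAME_MAX, but the code added in the next hunk compares against MAX_FN_LENGTH; naming the constant that is actually tested keeps the comment greppable and accurate if the two ever diverge. The second added line also starts a sentence in lower case, and "implementation-defined constants" does not tell the reader where to look. Suggested wording: `* filename character set [A-Za-z0-9._-] and is at most MAX_FN_LENGTH bytes long.` followed by `* See IEEE Std 1003.1-2013, 3.278, and _XOPEN_NAME_MAX in <limits.h>.`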
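Review bot: A zero-length name still passes valid_filename(): the new guard rejects only `len > MAX_FN_LENGTH`, the loop then runs zero times and the function returns 1. Whether every caller rules out an empty name beforehand is not visible in this patch (in cert.c the argument is whatever follows `mftfilename++`), so rejecting it here is the safer place: `if (len == 0 || len > MAX_FN_LENGTH)`. The names "." and ".." also consist only of allowed characters; if any accepted name is later used as a path component, the function comment should say where those are handled.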