CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]    2026/04/29 05:14:11

Modified files:
        usr.sbin/rpki-client: parser.c 

Log message:
rpki-client: properly ignore missing unsupported files in -n mode

RFC 9286 section 6.5 mandates that we fetch all the files in a manifest
fileList and validate their hashes. By design, RRDP will ship all the
available files whereas in rsync we decided to fetch only the files of
types we explicitly support. While we check the hashes of unsupported
files, they won't be copied into the cache of validated files.

Since unsupported files are not in the validated cache and may or may
not be present in the temporary directory of fetched objects, there is
logic that ensures that the hashes of all available files are correct
and attempts to avoid an error for files absent from both directories.

Whether all the above decisions, in both standards and our code, are
fully sound is not entirely clear.

Be that as it may, Job observed that this logic was incorrect in noop mode
where no temporary directory is available. This resulted in rejecting the
one manifest that still lists a Ghostbusters record (RFC 6493) and as a
consequence marking the corresponding CA incorrectly non-functional. This
is a clear bug and this is fixed in this commit by adding a special case
for noop mode.

Further refinements may follow.

ok claudio job
