From: Theo Buehler Subject: rpki-client: fix shortlist and skiplist checks To: tech@openbsd.org Date: Fri, 8 May 2026 19:10:39 +0200 Ensure that each le->fqdn is fully matched. If the the host in the SIA is short and matches a prefix of an FQDN in the shortlist or skiplist, the current checks in queue_add_from_cert() will incorrectly trigger. Compute the host length once and ensure that it is an exact case sensitive match, rather than only a prefix by checking the length.
Index: main.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
diff -u -p -r1.305 main.c
--- main.c 11 Apr 2026 12:02:50 -0000 1.305
+++ main.c 8 May 2026 17:05:52 -0000
@@ -517,22 +517,25 @@ queue_add_from_cert(const struct cert *c
 struct fqdnlistentry *le;
 char *nfile, *npath, *host;
 const char *uri, *repouri, *file;
- size_t repourisz;
+ size_t hostsz, repourisz;
 int shortlisted = 0;
 if (strncmp(cert->repo, RSYNC_PROTO, RSYNC_PROTO_LEN) != 0)
 errx(1, "unexpected protocol");
 host = cert->repo + RSYNC_PROTO_LEN;
+ hostsz = strcspn(host, "/");
 LIST_FOREACH(le, &skiplist, entry) {
- if (strncasecmp(host, le->fqdn, strcspn(host, "/")) == 0) {
+ if (strlen(le->fqdn) == hostsz && strncasecmp(host, le->fqdn, hostsz) == 0) {
 warnx("skipping %s (listed in skiplist)", cert->repo);
 return;
 }
 }
 LIST_FOREACH(le, &shortlist, entry) {
- if (strncasecmp(host, le->fqdn, strcspn(host, "/")) == 0) {
+ if (strlen(le->fqdn) == hostsz && strncasecmp(host, le->fqdn, hostsz) == 0) {
 shortlisted = 1;
 break;
 }
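Review bot: The commit message calls the new check an "exact case sensitive match", but both rewritten conditions (skiplist and shortlist loops) still call `strncasecmp()`, so the comparison stays case-insensitive; that is presumably intended for host names, and a comment would settle it, e.g. `/* exact, case-insensitive match; host is not NUL-terminated at hostsz */`. The same two-line condition now appears in both loops, so a small static helper taking `host`, `hostsz` and `le->fqdn` would keep the two lists from drifting apart again. `hostsz` spans everything up to the first '/', so an authority written with a port or a trailing dot would not equal a listed FQDN; whether such forms are rejected before this point is not visible in the hunk and is worth confirming for the skiplist in particular. The body of queue_add_from_cert() begins and continues outside the hunk.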