From: Claudio Jeker
Subject: Re: rpki-client: fix shortlist and skiplist checks
To: Theo Buehler
Cc: tech@openbsd.org
Date: Fri, 8 May 2026 22:28:58 +0200

On Fri, May 08, 2026 at 07:10:39PM +0200, Theo Buehler wrote:
> Ensure that each le->fqdn is fully matched. If the host in the SIA
> is short and matches a prefix of an FQDN in the shortlist or skiplist,
> the current checks in queue_add_from_cert() will incorrectly trigger.
>
> Compute the host length once and ensure that it is an exact case
> sensitive match, rather than only a prefix by checking the length.
>
> Index: main.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
> diff -u -p -r1.305 main.c
> --- main.c 11 Apr 2026 12:02:50 -0000 1.305
> +++ main.c 8 May 2026 17:05:52 -0000
> @@ -517,22 +517,25 @@ queue_add_from_cert(const struct cert *c
> struct fqdnlistentry *le;
> char *nfile, *npath, *host;
> const char *uri, *repouri, *file;
> - size_t repourisz;
> + size_t hostsz, repourisz;
> int shortlisted = 0;
>
> if (strncmp(cert->repo, RSYNC_PROTO, RSYNC_PROTO_LEN) != 0)
> errx(1, "unexpected protocol");
> host = cert->repo + RSYNC_PROTO_LEN;
> + hostsz = strcspn(host, "/");
>
> LIST_FOREACH(le, &skiplist, entry) {
> - if (strncasecmp(host, le->fqdn, strcspn(host, "/")) == 0) {
> + if (strlen(le->fqdn) == hostsz &&
> + strncasecmp(host, le->fqdn, hostsz) == 0) {
> warnx("skipping %s (listed in skiplist)", cert->repo);
> return;
> }
> }
>
> LIST_FOREACH(le, &shortlist, entry) {
> - if (strncasecmp(host, le->fqdn, strcspn(host, "/")) == 0) {
> + if (strlen(le->fqdn) == hostsz &&
> + strncasecmp(host, le->fqdn, hostsz) == 0) {
> shortlisted = 1;
> break;
> }
> }
>

OK claudio@

--
:wq Claudio
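Review bot: the description says the check is now an "exact case sensitive match", but both loops in the hunk still compare with strncasecmp(), which is case-insensitive; that is the right behaviour for DNS host names, so it is the wording that should change (say "exact, case-insensitive match"), not the code. The length check itself is correct: with strlen(le->fqdn) == hostsz the strncasecmp() over hostsz bytes covers the whole FQDN, so a host that is only a prefix of a listed FQDN (or of which a listed FQDN is a prefix) no longer matches. Minor: strlen(le->fqdn) is recomputed for every list entry on every call to queue_add_from_cert() in both loops; storing the length in struct fqdnlistentry when the skiplist and shortlist are built would avoid that, though the lists are small.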