From b67053e1736e5da02fa744e25e1077cb86bfd81c Mon Sep 17 00:00:00 2001
From: djm
Date: Sun, 31 May 2026 05:55:21 +0000
Subject: [PATCH] DNS0x20[1] can randomise the case of domain names returned by lookup to force some more uniqueness in queries to reduce the likelihood of spoofing attacks succeeding. Normally this should be hidden from the user by the resolver, but in some cases it can leak through. When it does, it can mess up ssh's CanonicalizePermittedCNAMEs. Fix this by forcing the name we received from the system resolver to lowercase. bz3966, report and fix by Martin D Kealey [1] https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00
---
 usr.bin/ssh/ssh.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index 6dbc8b41668..6e156131ef5 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.631 2026/05/31 04:24:39 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.632 2026/05/31 05:55:21 djm Exp $ */
 /*
  * Author: Tatu Ylonen
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -387,6 +387,7 @@ check_follow_cname(int direct, char **namep, const char *cname)
 "\"%s\" => \"%s\"", *namep, cname);
 free(*namep);
 *namep = xstrdup(cname);
+lowercase(*namep);
 return 1;
 }
 return 0;
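Review bot: The new `lowercase(*namep);` carries no comment saying why case is normalised at this point, and the reason (DNS0x20 case randomisation leaking through the resolver and disturbing CanonicalizePermittedCNAMEs handling) exists only in the commit message, so a later reader may take the call for cosmetic and remove it; add `/* DNS0x20 may randomise the case of resolver-returned names; normalise so CanonicalizePermittedCNAMEs handling stays deterministic */` above it. The preceding debug log prints `cname` before normalisation, so the logged and stored names can differ in case; that is useful for diagnosing the leak but worth a word in the comment. If `lowercase()` is implemented with `tolower()` it follows the process LC_CTYPE, which is harmless for the ASCII names a resolver normally returns but should be confirmed if non-ASCII canonical names can ever reach here. check_follow_cname begins and ends outside the hunk, so whether a resolver-supplied name on the non-CNAME path would need the same normalisation cannot be judged from this hunk.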