On Tue, Nov 21, 2023 at 09:21:03AM +0100, Florian Obser wrote:
> On 2023-11-21 08:04 +01, Anton Lindqvist <[email protected]> wrote:
> > On Mon, Nov 20, 2023 at 05:15:16AM -0700, Florian Obser wrote:
> >> CVSROOT:   /cvs
> >> Module name:       src
> >> Changes by:        [email protected] 2023/11/20 05:15:16
> >> 
> >> Modified files:
> >>    lib/libc/asr   : asr_private.h asr_utils.c getaddrinfo_async.c 
> >>                     gethostnamadr_async.c 
> >> 
> >> Log message:
> >> localhost is either 127.0.0.1 or ::1, nothing else.
> >> 
> >> RFC 6761, 6.3 Domain Name Reservation Considerations for "localhost.":
> >> 3.  Name resolution APIs and libraries SHOULD recognize localhost
> >> names as special and SHOULD always return the IP loopback address
> >> for address queries and negative responses for all other query
> >> types.  Name resolution APIs SHOULD NOT send queries for
> >> localhost names to their configured caching DNS server(s).
> >> 
> >> This makes sure that the getaddrinfo(3) and gethostbyname(3) family of
> >> functions always return the loopback address and do not send queries
> >> to name servers. This includes "localhost", "localhost." and
> >> everything under ".localhost" and ".localhost.".
> >> 
> >> For example, a host underneath the .com.ar zone will by default have
> >> a search list of "com.ar.". resolv.conf(5) has a default of "lookup
> >> bind file". Both combined result in lookups for "localhost" not
> >> returning 127.0.0.1 because localhost.com.ar is registered in DNS.
> >> 
> >> It has been known for decades that this is a problem, especially for
> >> localhost.
> >> 
> >> Problem recently spotted by gonzalo@ and debugged by sthen@
> >> 
> >> Testing sthen, gonzalo
> >> Input & OK phessler, eric, millert
> >> OK sthen, kn, deraadt
> >
> > Seeing two new failures. The offending pf rule:
> >
> >     pass in inet6 proto tcp to port 25 divert-to localhost port 8025
> >
> > pfctl complains about:
> >
> >     stdin:10: divert-to address family mismatch
> >
> > Changing localhost to ::1 makes it pass again. Is this expected or a
> > regression? The ipsecctl failure looks like a symptom of the same
> > problem.
> 
> We were a bit too enthusiastic short-circuiting "localhost". It has to
> fail if AI_NUMERICHOST is set, because "localhost" is not an IP address.
> 
> This makes the pfctl and ipsecctl regress tests pass again. (At least
> with a non-weird /etc/resolv.conf).
> 
> OK?

Fixes the tests here as well; ok anton@ FWIW

> diff --git getaddrinfo_async.c getaddrinfo_async.c
> index f85d541398a..2e5898b6411 100644
> --- getaddrinfo_async.c
> +++ getaddrinfo_async.c
> @@ -115,7 +115,7 @@ getaddrinfo_async_run(struct asr_query *as, struct 
> asr_result *ar)
>       char             fqdn[MAXDNAME];
>       const char      *str;
>       struct addrinfo *ai;
> -     int              i, family, r, is_localhost;
> +     int              i, family, r, is_localhost = 0;
>       FILE            *f;
>       union {
>               struct sockaddr         sa;
> @@ -228,7 +228,8 @@ getaddrinfo_async_run(struct asr_query *as, struct 
> asr_result *ar)
>  
>               ar->ar_gai_errno = 0;
>  
> -             is_localhost = _asr_is_localhost(as->as.ai.hostname);
> +             if (!(ai->ai_flags & AI_NUMERICHOST))
> +                     is_localhost = _asr_is_localhost(as->as.ai.hostname);
>               /*
>                * If hostname is NULL, "localhost" or falls within the
>                * ".localhost." domain, use local address.
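Review bot: the comment right after the new check still reads "If hostname is NULL, "localhost" or falls within the ".localhost." domain, use local address." and should now record the exception this hunk introduces, e.g. "..., unless AI_NUMERICHOST is set, in which case a non-numeric name must fail." Also worth confirming that `ai` already points at the caller's hints at this point and not at a result entry: it is declared at the top of the function as a plain `struct addrinfo *ai;` (first hunk) and the assignment is outside the diff, so the flag test silently depends on it.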
> 
> 
> >
> >> sbin/ipsecctl
> > Exit: 1
> > Duration: 00:00:06
> > Log: 181-sbin-ipsecctl.log
> >
> > ==== ike ====
> > cat /home/src/regress/sbin/ipsecctl/ike56.in | sed -e
> > 's,DIR,/home/src/regress/sbin/ipsecctl,g' | /sbin/ipsecctl -nv -f - |
> > diff -u /home/src/regress/sbin/ipsecctl/ike56.ok /dev/stdin
> > stdin: 1: source/destination address families do not match
> > ipsecctl: Syntax error in config file: ipsec rules not loaded
> > --- /home/src/regress/sbin/ipsecctl/ike56.ok        Fri Sep  2 12:58:24 2016
> > +++ /dev/stdin      Tue Nov 21 02:26:19 2023
> > @@ -1,33 +0,0 @@
> > -C set [Phase 1]:127.0.0.1=peer-127.0.0.1 force
> > -C set [peer-127.0.0.1]:Phase=1 force
> > -C set [peer-127.0.0.1]:Address=127.0.0.1 force
> > -C set [peer-127.0.0.1]:Configuration=phase1-peer-127.0.0.1 force
> > -C set [phase1-peer-127.0.0.1]:EXCHANGE_TYPE=ID_PROT force
> > -C add 
> > [phase1-peer-127.0.0.1]:Transforms=phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072
> >  force
> > -C set 
> > [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:AUTHENTICATION_METHOD=RSA_SIG
> >  force
> > -C set 
> > [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:HASH_ALGORITHM=SHA
> >  force
> > -C set 
> > [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:ENCRYPTION_ALGORITHM=AES_CBC
> >  force
> > -C set 
> > [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:KEY_LENGTH=128,128:256
> >  force
> > -C set 
> > [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:GROUP_DESCRIPTION=MODP_3072
> >  force
> > -C set 
> > [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:Life=LIFE_MAIN_MODE
> >  force
> > -C set [from-127.0.0.1-to-127.0.0.1]:Phase=2 force
> > -C set [from-127.0.0.1-to-127.0.0.1]:ISAKMP-peer=peer-127.0.0.1 force
> > -C set 
> > [from-127.0.0.1-to-127.0.0.1]:Configuration=phase2-from-127.0.0.1-to-127.0.0.1
> >  force
> > -C set [from-127.0.0.1-to-127.0.0.1]:Local-ID=from-127.0.0.1 force
> > -C set [from-127.0.0.1-to-127.0.0.1]:Remote-ID=to-127.0.0.1 force
> > -C set [phase2-from-127.0.0.1-to-127.0.0.1]:EXCHANGE_TYPE=QUICK_MODE force
> > -C set 
> > [phase2-from-127.0.0.1-to-127.0.0.1]:Suites=phase2-suite-from-127.0.0.1-to-127.0.0.1
> >  force
> > -C set 
> > [phase2-suite-from-127.0.0.1-to-127.0.0.1]:Protocols=phase2-protocol-from-127.0.0.1-to-127.0.0.1
> >  force
> > -C set [phase2-protocol-from-127.0.0.1-to-127.0.0.1]:PROTOCOL_ID=IPSEC_ESP 
> > force
> > -C set 
> > [phase2-protocol-from-127.0.0.1-to-127.0.0.1]:Transforms=phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL
> >  force
> > -C set 
> > [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:TRANSFORM_ID=AES
> >  force
> > -C set 
> > [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:KEY_LENGTH=128,128:256
> >  force
> > -C set 
> > [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:ENCAPSULATION_MODE=TUNNEL
> >  force
> > -C set 
> > [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256
> >  force
> > -C set 
> > [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:GROUP_DESCRIPTION=MODP_3072
> >  force
> > -C set 
> > [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:Life=LIFE_QUICK_MODE
> >  force
> > -C set [from-127.0.0.1]:ID-type=IPV4_ADDR force
> > -C set [from-127.0.0.1]:Address=127.0.0.1 force
> > -C set [to-127.0.0.1]:ID-type=IPV4_ADDR force
> > -C set [to-127.0.0.1]:Address=127.0.0.1 force
> > -C add [Phase 2]:Passive-Connections=from-127.0.0.1-to-127.0.0.1
> > *** Error 1 in . (Makefile:79 'ike56')
> > FAILED
> >
> >> sbin/pfctl
> > Exit: 1
> > Duration: 00:00:26
> > Log: 388-sbin-pfctl.log
> >
> > ==== pf ====
> > doas -n ifconfig lo1000000 create
> > doas -n ifconfig tun1000000 create
> > doas -n ifconfig tun1000001 create
> > /sbin/pfctl -o none -nv -f - < /home/src/regress/sbin/pfctl/pf104.in |  
> > diff -u /home/src/regress/sbin/pfctl/pf104.ok /dev/stdin
> > stdin:10: divert-to address family mismatch
> > --- /home/src/regress/sbin/pfctl/pf104.ok   Tue May 19 19:16:20 2015
> > +++ /dev/stdin      Tue Nov 21 04:30:00 2023
> > @@ -1,7 +0,0 @@
> > -pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 
> > 127.0.0.1 port 8025
> > -pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 
> > 127.0.0.1 port 8025
> > -pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 
> > 127.0.0.1 port 8025
> > -pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 
> > 127.0.0.1 port 8025
> > -pass in inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 
> > port 8025
> > -pass in inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 
> > port 8025
> > -pass in inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 
> > port 8025
> > *** Error 1 in . (Makefile:106 'pf104')
> > FAILED
> >
> > ==== pfcmdfail ====
> > doas -n ifconfig lo1000000 create
> > doas -n ifconfig tun1000000 create
> > doas -n ifconfig tun1000001 create
> > doas -n /sbin/pfctl `cat /home/src/regress/sbin/pfctl/pfcmdfail1.opts`
> > -f - < /home/src/regress/sbin/pfctl/pfcmdfail1.in 2>&1 | diff -u
> > /home/src/regress/sbin/pfctl/pfcmdfail1.ok /dev/stdin
> > --- /home/src/regress/sbin/pfctl/pfcmdfail1.ok      Sun Aug 13 04:20:43 2017
> > +++ /dev/stdin      Tue Nov 21 04:30:20 2023
> > @@ -1,2 +0,0 @@
> > -no IP address found for localhost
> > -stdin:1: could not parse host specification
> > *** Error 1 in . (Makefile:281 'pfcmdfail1')
> > FAILED
> 
> -- 
> In my defence, I have been left unsupervised.
