git.ipfire.org Git - thirdparty/openssh-portable.git/commitdiff
upstream: DNS0x20[1] can randomise the case of domain names returned by
lookup to force some more uniqueness in queries to reduce the likelihood of
spoofing attacks succeeding.

author    djm@openbsd.org <djm@openbsd.org>
          Sun, 31 May 2026 05:55:21 +0000 (05:55 +0000)
committer Damien Miller <djm@mindrot.org>
          Sun, 31 May 2026 06:03:47 +0000 (16:03 +1000)

Normally this should be hidden from the user by the resolver, but
in some cases it can leak through. When it does, it can mess up
ssh's CanonicalizePermittedCNAMEs.

Fix this by forcing the name we received from the system resolver to
lowercase.

bz3966, report and fix by Martin D Kealey

[1] https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00

OpenBSD-Commit-ID: e0b300d3b3af289e053d928380af71949f95bfb0

ssh.c

diff --git a/ssh.c b/ssh.c
index 943e1908eec4e82cc565c459455304d955bcce5f..91c16dcca5715dbedab3319f1e244bc01a39fae9 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.631 2026/05/31 04:24:39 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.632 2026/05/31 05:55:21 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -399,6 +399,7 @@ check_follow_cname(int direct, char **namep, const char *cname)
                    "\"%s\" => \"%s\"", *namep, cname);
                free(*namep);
                *namep = xstrdup(cname);
+               lowercase(*namep);
                return 1;
        }
        return 0;
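Review bot: the new `lowercase(*namep);` lands after `*namep = xstrdup(cname);`, so only the name ssh carries forward is normalised; `cname` itself, and the "Canonicalized DNS aliased hostname" verbose line two lines above it, still show whatever case the resolver produced. Keeping the raw case in the log is useful for spotting exactly the DNS0x20 leak the commit message describes, but a one-line comment next to the call citing that rationale would help, since a bare `lowercase()` after a `strdup` reads as cosmetic rather than as a correctness fix for CanonicalizePermittedCNAMEs. If any other consumer of `cname` in this function (outside the visible lines) compares it byte-for-byte, it would need the same treatment.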