openssh bugs - Aug 2017 - [Bug 2763] New: Broken parsing of link-local addresses

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

            Bug ID: 2763
           Summary: Broken parsing of link-local addresses
           Product: Portable OpenSSH
           Version: 7.5p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: uzytkownik2 at gmail.com

I'm trying to connect through veth to link-local address. However ssh
tries to resolve it:

% ssh 'fe80::1' -v -v -v -S none
OpenSSH_7.5p1-hpn14v12lpk, OpenSSL 1.0.2l  25 May 2017
debug1: Reading configuration data /home/mpiechotka/.ssh/config
debug1: /home/mpiechotka/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "fe80::1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to fe80::1 [fe80::1] port 22.
debug1: connect to address fe80::1 port 22: Invalid argument
ssh: connect to host fe80::1 port 22: Invalid argument
% ssh 'fe80::1%xe-<NAME>' -v -v -v -S none
OpenSSH_7.5p1-hpn14v12lpk, OpenSSL 1.0.2l  25 May 2017
debug1: Reading configuration data /home/mpiechotka/.ssh/config
debug1: /home/mpiechotka/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "fe80::1%xe-<NAME>" port 22
ssh: Could not resolve hostname fe80::1%xe-<NAME>: Name or service not
known

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to Maciej Piechotka from comment #0)
> OpenSSH_7.5p1-hpn14v12lpk
That is a set of third party modifications that is not supported by the
openssh team.  Can you reproduce the problem with the stock code from
openssh.com?

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
(In reply to Maciej Piechotka from comment #0)
> I'm trying to connect through veth to link-local address. However
> ssh tries to resolve it:
> 
> % ssh 'fe80::1' -v -v -v -S none
This link-local address is missing its interface scope
> OpenSSH_7.5p1-hpn14v12lpk, OpenSSL 1.0.2l  25 May 2017
This isn't what we ship - it contains vendor patches. Please try to
reproduce your problems with unpatched OpenSSH, or report the problems
to your vendor.
> % ssh 'fe80::1%xe-<NAME>' -v -v -v -S none
I don't know what this syntax is for specifying the interface scope,
but plain interface names work fine:

[djm at argon ~]$ ssh fe80::744b:fff:d37:8a4a%em1
The authenticity of host 'fe80::744b:fff:d37:8a4a%em1
(fe80::744b:fff:d37:8a4a%em1)' can't be established.

Perhaps your libc getaddrinfo(3) doesn't know about your interface
naming scheme?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

Maciej Piechotka <uzytkownik2 at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Broken parsing of           |Broken parsing of
                   |link-local addresses        |link-local addresses when
                   |                            |interface contains
                   |                            |upper-case letter

--- Comment #3 from Maciej Piechotka <uzytkownik2 at gmail.com> ---
(In reply to Damien Miller from comment #2)
> (In reply to Maciej Piechotka from comment #0)
> > I'm trying to connect through veth to link-local address. However
> > ssh tries to resolve it:
> > 
> > % ssh 'fe80::1' -v -v -v -S none
> 
> This link-local address is missing its interface scope
> 
Yes, I was just showing as completeness that IPv6 is working.
> > OpenSSH_7.5p1-hpn14v12lpk, OpenSSL 1.0.2l  25 May 2017
> 
> This isn't what we ship - it contains vendor patches. Please try to
> reproduce your problems with unpatched OpenSSH, or report the
> problems to your vendor.
> 
> > % ssh 'fe80::1%xe-<NAME>' -v -v -v -S none
> 
> I don't know what this syntax is for specifying the interface scope,
> but plain interface names work fine:
> 
xe-<NAME> is the name of interface. Edit: I can connect without upper
case letter in interface name.
> [djm at argon ~]$ ssh fe80::744b:fff:d37:8a4a%em1
> The authenticity of host 'fe80::744b:fff:d37:8a4a%em1
> (fe80::744b:fff:d37:8a4a%em1)' can't be established.
> 
> Perhaps your libc getaddrinfo(3) doesn't know about your interface
> naming scheme?
It works with ping so I find it unlikely. Is ssh tries to normalize
address by converting all upper case letters to lower case.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

--- Comment #4 from Maciej Piechotka <uzytkownik2 at gmail.com>
---
> > [djm at argon ~]$ ssh fe80::744b:fff:d37:8a4a%em1
> > The authenticity of host 'fe80::744b:fff:d37:8a4a%em1
> > (fe80::744b:fff:d37:8a4a%em1)' can't be established.
> > 
> > Perhaps your libc getaddrinfo(3) doesn't know about your interface
> > naming scheme?
> 
> It works with ping so I find it unlikely. Is ssh tries to normalize
> address by converting all upper case letters to lower case.
I confirmed by gdb that getaddrinfo is called with lower case which is
called by resolve_host. I think the guilty line is (I used git master):

1021:     lowercase(host);

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

--- Comment #5 from Maciej Piechotka <uzytkownik2 at gmail.com> ---
Ping. I don't know why the line is there so I'm unable to send a patch
fixing it but it shouldn't be hard to fix. I'm not sure about OpenBSD
but it seems to be broken on any system where interfaces as
case-sensitive.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3068|                            |ok?(dtucker at zip.com.au)
              Flags|                            |

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Created attachment 3068
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3068&action=edit
don't lowercase hostnames that look like addresses

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3068|ok?(dtucker at zip.com.au)     |ok+
              Flags|                            |

--- Comment #7 from Darren Tucker <dtucker at zip.com.au> ---
Comment on attachment 3068
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3068
don't lowercase hostnames that look like addresses
>+	memset(&hints, 0, sizeof(hints));
maybe bzero?
>+	if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0)
gaierr is never used.


otherwise ok.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3068|0                           |1
        is obsolete|                            |
   Attachment #3086|                            |ok?
              Flags|                            |

--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Created attachment 3086
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3086&action=edit
don't lowercase but explicitly canonicalise address

I just realised that the previous patch will cause problems for people
who have learned hostkeys for IPv6 addresses and then subsequently
attempt to connect to them but using upper-case addresses, e.g.

ssh FE80::1%lo0

This skips the lowercasing for addresses but still sends them through a
getaddrinfo()/getnameinfo() wash to render them in canonical form. This
should preserve uppercase interface scopes (modulo bugs in libc).

It also aborts hostname canonicalisation for address-like strings that
don't parse as addresses, such as addresses with unrecognised interface
scoping.

BTW, Darren - someone replaced all the bzero() calls with memset() in
OpenSSH a while back. I complained at the time, but I don't want to be
the guy who adds the first one back in :/

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3086|ok?                         |ok+
              Flags|                            |

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2782

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Fix committed, this will be in OpenSSH 7.7


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2763

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #10 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.