On Mon, Nov 20, 2023 at 05:15:16AM -0700, Florian Obser wrote:
> CVSROOT:      /cvs
> Module name:  src
> Changes by:   flor...@cvs.openbsd.org 2023/11/20 05:15:16
> 
> Modified files:
>       lib/libc/asr   : asr_private.h asr_utils.c getaddrinfo_async.c 
>                        gethostnamadr_async.c 
> 
> Log message:
> localhost is either 127.0.0.1 or ::1, nothing else.
> 
> RFC 6761, 6.3 Domain Name Reservation Considerations for "localhost.":
> 3.  Name resolution APIs and libraries SHOULD recognize localhost
> names as special and SHOULD always return the IP loopback address
> for address queries and negative responses for all other query
> types.  Name resolution APIs SHOULD NOT send queries for
> localhost names to their configured caching DNS server(s).
> 
> This makes sure that the getaddrinfo(3) and gethostbyname(3) family of
> functions always return the loopback address and do not send queries
> to name servers. This includes "localhost", "localhost." and
> everything under ".localhost" and ".localhost.".
> 
> For example, a host underneath the .com.ar zone will by default have
> a search list of "com.ar.". resolv.conf(5) has a default of "lookup
> bind file". Both combined will result in lookups for "localhost" to
> not return 127.0.0.1 because localhost.com.ar is registered in DNS.
> 
> It has been known for decades that this is a problem, especially for
> localhost.
> 
> Problem recently spotted by gonzalo@ and debugged by sthen@
> 
> Testing sthen, gonzalo
> Input & OK phessler, eric, millert
> OK sthen, kn, deraadt

Seeing two new failures. The offending pf rule:

        pass in inet6 proto tcp to port 25 divert-to localhost port 8025

pfctl complains about:

        stdin:10: divert-to address family mismatch

Changing localhost to ::1 makes it pass again. Is this expected or a
regression? The ipsecctl failure looks like a symptom of the same
problem.

> sbin/ipsecctl
Exit: 1
Duration: 00:00:06
Log: 181-sbin-ipsecctl.log

==== ike ====
cat /home/src/regress/sbin/ipsecctl/ike56.in | sed -e 's,DIR,/home/src/regress/sbin/ipsecctl,g' |  /sbin/ipsecctl -nv -f - | diff -u /home/src/regress/sbin/ipsecctl/ike56.ok /dev/stdin
stdin: 1: source/destination address families do not match
ipsecctl: Syntax error in config file: ipsec rules not loaded
--- /home/src/regress/sbin/ipsecctl/ike56.ok    Fri Sep  2 12:58:24 2016
+++ /dev/stdin  Tue Nov 21 02:26:19 2023
@@ -1,33 +0,0 @@
-C set [Phase 1]:127.0.0.1=peer-127.0.0.1 force
-C set [peer-127.0.0.1]:Phase=1 force
-C set [peer-127.0.0.1]:Address=127.0.0.1 force
-C set [peer-127.0.0.1]:Configuration=phase1-peer-127.0.0.1 force
-C set [phase1-peer-127.0.0.1]:EXCHANGE_TYPE=ID_PROT force
-C add 
[phase1-peer-127.0.0.1]:Transforms=phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072
 force
-C set 
[phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:AUTHENTICATION_METHOD=RSA_SIG
 force
-C set 
[phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:HASH_ALGORITHM=SHA
 force
-C set 
[phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:ENCRYPTION_ALGORITHM=AES_CBC
 force
-C set 
[phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:KEY_LENGTH=128,128:256
 force
-C set 
[phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:GROUP_DESCRIPTION=MODP_3072
 force
-C set 
[phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:Life=LIFE_MAIN_MODE
 force
-C set [from-127.0.0.1-to-127.0.0.1]:Phase=2 force
-C set [from-127.0.0.1-to-127.0.0.1]:ISAKMP-peer=peer-127.0.0.1 force
-C set 
[from-127.0.0.1-to-127.0.0.1]:Configuration=phase2-from-127.0.0.1-to-127.0.0.1 
force
-C set [from-127.0.0.1-to-127.0.0.1]:Local-ID=from-127.0.0.1 force
-C set [from-127.0.0.1-to-127.0.0.1]:Remote-ID=to-127.0.0.1 force
-C set [phase2-from-127.0.0.1-to-127.0.0.1]:EXCHANGE_TYPE=QUICK_MODE force
-C set 
[phase2-from-127.0.0.1-to-127.0.0.1]:Suites=phase2-suite-from-127.0.0.1-to-127.0.0.1
 force
-C set 
[phase2-suite-from-127.0.0.1-to-127.0.0.1]:Protocols=phase2-protocol-from-127.0.0.1-to-127.0.0.1
 force
-C set [phase2-protocol-from-127.0.0.1-to-127.0.0.1]:PROTOCOL_ID=IPSEC_ESP force
-C set 
[phase2-protocol-from-127.0.0.1-to-127.0.0.1]:Transforms=phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL
 force
-C set 
[phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:TRANSFORM_ID=AES
 force
-C set 
[phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:KEY_LENGTH=128,128:256
 force
-C set 
[phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:ENCAPSULATION_MODE=TUNNEL
 force
-C set 
[phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256
 force
-C set 
[phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:GROUP_DESCRIPTION=MODP_3072
 force
-C set 
[phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:Life=LIFE_QUICK_MODE
 force
-C set [from-127.0.0.1]:ID-type=IPV4_ADDR force
-C set [from-127.0.0.1]:Address=127.0.0.1 force
-C set [to-127.0.0.1]:ID-type=IPV4_ADDR force
-C set [to-127.0.0.1]:Address=127.0.0.1 force
-C add [Phase 2]:Passive-Connections=from-127.0.0.1-to-127.0.0.1
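Review bot: the entire expected output is gone because ipsecctl rejected the file at stdin:1 with "source/destination address families do not match", so nothing was loaded or printed. The .ok file shows both endpoints were expected to resolve to 127.0.0.1 (IPV4_ADDR IDs on both the from- and to- side); for the two sides of one rule to now land in different families, the same name must resolve to ::1 on at least one of them. The diff alone does not show whether ipsecctl should resolve both endpoints under one family or the new libc answer should change, so the fix needs to be decided with the rule text from ike56.in in hand.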
*** Error 1 in . (Makefile:79 'ike56')
FAILED

> sbin/pfctl
Exit: 1
Duration: 00:00:26
Log: 388-sbin-pfctl.log

==== pf ====
doas -n ifconfig lo1000000 create
doas -n ifconfig tun1000000 create
doas -n ifconfig tun1000001 create
/sbin/pfctl -o none -nv -f - < /home/src/regress/sbin/pfctl/pf104.in |  diff -u /home/src/regress/sbin/pfctl/pf104.ok /dev/stdin
stdin:10: divert-to address family mismatch
--- /home/src/regress/sbin/pfctl/pf104.ok       Tue May 19 19:16:20 2015
+++ /dev/stdin  Tue Nov 21 04:30:00 2023
@@ -1,7 +0,0 @@
-pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 
127.0.0.1 port 8025
-pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 
127.0.0.1 port 8025
-pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 
127.0.0.1 port 8025
-pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 
127.0.0.1 port 8025
-pass in inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 
port 8025
-pass in inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 
port 8025
-pass in inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 
port 8025
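Review bot: the .ok file expects "divert-to localhost" to expand to 127.0.0.1 in the four inet rules and to ::1 in the three inet6 rules, but the parse now stops at stdin:10 with "divert-to address family mismatch" and no rules are emitted. Since the reporter says the rule parses once localhost is replaced by a literal ::1, the rule text is not the problem; what changed is the address (or set of addresses) pfctl gets back for localhost when it expands the divert-to target. pfctl needs to pick, from everything returned for the name, the address matching the rule's inet/inet6 family instead of failing on a mismatch; if it already does, the resolver is no longer handing it a ::1 answer for this lookup.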
*** Error 1 in . (Makefile:106 'pf104')
FAILED

==== pfcmdfail ====
doas -n ifconfig lo1000000 create
doas -n ifconfig tun1000000 create
doas -n ifconfig tun1000001 create
doas -n /sbin/pfctl `cat /home/src/regress/sbin/pfctl/pfcmdfail1.opts`  -f - < /home/src/regress/sbin/pfctl/pfcmdfail1.in 2>&1 |  diff -u /home/src/regress/sbin/pfctl/pfcmdfail1.ok /dev/stdin
--- /home/src/regress/sbin/pfctl/pfcmdfail1.ok  Sun Aug 13 04:20:43 2017
+++ /dev/stdin  Tue Nov 21 04:30:20 2023
@@ -1,2 +0,0 @@
-no IP address found for localhost
-stdin:1: could not parse host specification
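Review bot: this test expects pfctl to fail with "no IP address found for localhost" and a parse error, and the hunk shows both lines disappeared, meaning the lookup now succeeds. That is the inverse of the other two failures: a negative-lookup expectation that the always-loopback behaviour for localhost turns into a success. Whatever pfcmdfail1.opts/.in set up to make localhost unresolvable no longer applies to localhost names under the new libc, so the test input needs a name that still goes through hosts/DNS lookup, or the expectation has to change.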
*** Error 1 in . (Makefile:281 'pfcmdfail1')
FAILED
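The RFC 6761 rule the commit message quotes (answer localhost names from loopback, never send them to a DNS server, and never let a search list turn "localhost" into "localhost.com.ar"), as an added example in C. This is illustration code written for this page, not OpenBSD's asr implementation; the function names is_localhost_name, localhost_lookup and addr_text and the sample names are this example's own. It also makes the address-family dimension behind the reported pfctl and ipsecctl errors visible: an AF_UNSPEC query for localhost yields both 127.0.0.1 and ::1, so a caller that must honour one rule family (inet or inet6) has to select from the returned list rather than take the first entry.

```c
/*
 * Added example (not OpenBSD's asr code): the RFC 6761 section 6.3 rule
 * as a resolver front-end check.  A name is "localhost", "localhost." or
 * anything under ".localhost"/".localhost."; for those the resolver
 * answers from loopback and never consults the search list or DNS.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Case-insensitive compare of exactly n bytes; DNS names ignore case. */
static int
label_eq(const char *a, const char *b, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
			return 0;
	return 1;
}

/*
 * "localhost", "localhost." and any name whose last label is "localhost"
 * are special.  "localhost.com.ar" is NOT: its last label is "ar".  It only
 * becomes a problem when a search list is appended to a bare "localhost",
 * which is why this check must run before any search-list expansion.
 */
static int
is_localhost_name(const char *name)
{
	static const char suffix[] = "localhost";
	const size_t slen = sizeof(suffix) - 1;
	size_t len = strlen(name);

	if (len > 0 && name[len - 1] == '.')	/* fully qualified form */
		len--;
	if (len < slen || !label_eq(name + len - slen, suffix, slen))
		return 0;
	/* either exactly "localhost" or preceded by a label separator */
	return len == slen || name[len - slen - 1] == '.';
}

/*
 * Answer a localhost name from loopback only, honouring the requested
 * family like getaddrinfo(3) hints: AF_INET -> 127.0.0.1, AF_INET6 -> ::1,
 * AF_UNSPEC -> both.  Returns the number of addresses written (0 is the
 * RFC's "negative response" for a family with no loopback answer), or -1
 * when the name is not special and the normal hosts/DNS path applies.
 */
static int
localhost_lookup(const char *name, int af, struct sockaddr_storage *out,
    size_t max)
{
	size_t n = 0;

	if (!is_localhost_name(name))
		return -1;
	if ((af == AF_UNSPEC || af == AF_INET) && n < max) {
		struct sockaddr_in *sin = (struct sockaddr_in *)&out[n++];
		memset(sin, 0, sizeof(*sin));
		sin->sin_family = AF_INET;
		inet_pton(AF_INET, "127.0.0.1", &sin->sin_addr);
	}
	if ((af == AF_UNSPEC || af == AF_INET6) && n < max) {
		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&out[n++];
		memset(sin6, 0, sizeof(*sin6));
		sin6->sin6_family = AF_INET6;
		inet_pton(AF_INET6, "::1", &sin6->sin6_addr);
	}
	return (int)n;
}

/* Render a returned address as text, for display and for checking. */
static const char *
addr_text(const struct sockaddr_storage *ss, char *buf, size_t len)
{
	if (ss->ss_family == AF_INET)
		return inet_ntop(AF_INET,
		    &((const struct sockaddr_in *)ss)->sin_addr, buf, len);
	if (ss->ss_family == AF_INET6)
		return inet_ntop(AF_INET6,
		    &((const struct sockaddr_in6 *)ss)->sin6_addr, buf, len);
	return NULL;
}

int
main(void)
{
	/* constructed inputs covering the cases the commit message lists */
	const char *names[] = { "localhost", "localhost.", "mail.LOCALHOST.",
	    "localhost.com.ar", "notlocalhost", "www.openbsd.org" };
	struct sockaddr_storage ss[2];
	char buf[INET6_ADDRSTRLEN];

	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		int n = localhost_lookup(names[i], AF_UNSPEC, ss, 2);
		if (n < 0) {
			printf("%-18s -> not special, use hosts/DNS\n", names[i]);
			continue;
		}
		printf("%-18s ->", names[i]);
		for (int j = 0; j < n; j++)
			printf(" %s", addr_text(&ss[j], buf, sizeof(buf)));
		printf("\n");
	}
	return 0;
}
```

A consumer like a packet-filter or IPsec rule compiler would call localhost_lookup with the rule's own family (AF_INET for an inet rule, AF_INET6 for inet6) rather than AF_UNSPEC, which is exactly the mismatch the two regress failures above hinge on.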
