From 08b57c67f3609340ff703fe2782d7058acf2529e Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Thu, 27 Feb 2014 10:17:13 +1100
Subject:    - djm@cvs.openbsd.org 2014/02/26 20:18:37      [ssh.c]     
 bz#2205: avoid early hostname lookups unless canonicalisation is enabled;    
  ok dtucker@ markus@

---
 ChangeLog |  7 +++++++
 ssh.c     | 30 ++++++++++++++++++++++++------
 2 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 48d49dea1..84833fb3c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20140227
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/02/26 20:18:37
+     [ssh.c]
+     bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
+     ok dtucker@ markus@
+
 20140224
  - OpenBSD CVS Sync
    - djm@cvs.openbsd.org 2014/02/07 06:55:54
diff --git a/ssh.c b/ssh.c
index b7dbea2b6..1e6cb9000 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.400 2014/02/23 20:11:36 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.401 2014/02/26 20:18:37 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -899,12 +899,20 @@ main(int ac, char **av)
 		addrs = resolve_canonicalize(&host, options.port);
 
 	/*
-	 * If canonicalization not requested, or if it failed then try to
-	 * resolve the bare hostname name using the system resolver's usual
-	 * search rules. Skip the lookup if a ProxyCommand is being used
-	 * unless the user has specifically requested canonicalisation.
+	 * If CanonicalizePermittedCNAMEs have been specified but
+	 * other canonicalization did not happen (by not being requested
+	 * or by failing with fallback) then the hostname may still be changed
+	 * as a result of CNAME following. 
+	 *
+	 * Try to resolve the bare hostname name using the system resolver's
+	 * usual search rules and then apply the CNAME follow rules.
+	 *
+	 * Skip the lookup if a ProxyCommand is being used unless the user
+	 * has specifically requested canonicalisation for this case via
+	 * CanonicalizeHostname=always
 	 */
-	if (addrs == NULL && (option_clear_or_none(options.proxy_command) ||
+	if (addrs == NULL && options.num_permitted_cnames != 0 &&
+	    (option_clear_or_none(options.proxy_command) ||
             options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
 		if ((addrs = resolve_host(host, options.port, 1,
 		    cname, sizeof(cname))) == NULL)
@@ -1000,6 +1008,16 @@ main(int ac, char **av)
 	if (options.control_path != NULL)
 		muxclient(options.control_path);
 
+	/*
+	 * If hostname canonicalisation was not enabled, then we may not
+	 * have yet resolved the hostname. Do so now.
+	 */
+	if (addrs == NULL && options.proxy_command == NULL) {
+		if ((addrs = resolve_host(host, options.port, 1,
+		    cname, sizeof(cname))) == NULL)
+			cleanup_exit(255); /* resolve_host logs the error */
+	}
+
 	timeout_ms = options.connection_timeout * 1000;
 
 	/* Open a connection to the remote host. */
-- 
cgit v1.2.3