test failure conditions

verify that updates are refused when the client is disallowed by allow-query, and update forwarding is refused when the client is is disallowed by update-forwarding. verify that "too many DNS UPDATEs" appears in the log file when too many simultaneous updates are processing. Related: CVE-2022-3094
2023-02-08 18:28:17 +01:00 · 2023-02-08 18:28:17 +01:00 · 495baa1377
commit 495baa1377
parent a85d02f014
2 changed files with 274 additions and 0 deletions
--- a/bind-9.16-CVE-2022-3094-test.patch
+++ b/bind-9.16-CVE-2022-3094-test.patch
@ -0,0 +1,272 @@
+From 630529ea7d4587703008de1465021bdde2a3a971 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Wed, 9 Nov 2022 21:56:16 -0800
+Subject: [PATCH] test failure conditions
+
+verify that updates are refused when the client is disallowed by
+allow-query, and update forwarding is refused when the client is
+is disallowed by update-forwarding.
+
+verify that "too many DNS UPDATEs" appears in the log file when too
+many simultaneous updates are processing.
+
+(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
+---
+ bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +
+ bin/tests/system/nsupdate/tests.sh            | 28 +++++++++++++
+ bin/tests/system/upforwd/clean.sh             |  2 +
+ .../ns3/{named.conf.in => named1.conf.in}     | 13 ++++--
+ bin/tests/system/upforwd/ns3/named2.conf.in   | 41 +++++++++++++++++++
+ bin/tests/system/upforwd/setup.sh             |  2 +-
+ bin/tests/system/upforwd/tests.sh             | 39 ++++++++++++++++++
+ 7 files changed, 123 insertions(+), 4 deletions(-)
+ rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (78%)
+ create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
+
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index 436c97d..83fe884 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -21,6 +21,7 @@ options {
+ 	recursion no;
+ 	notify yes;
+ 	minimal-responses no;
+	update-quota 1;
+ };
+ 
+ acl named-acl {
+@@ -81,6 +82,7 @@ zone "other.nil" {
+ 	check-integrity no;
+ 	check-mx warn;
+ 	update-policy local;
+	allow-query { !10.53.0.2; any; };
+ 	allow-query-on { 10.53.0.1; 127.0.0.1; };
+ 	allow-transfer { any; };
+ };
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index b5f562f..13ba577 100755
+--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
+@@ -1268,6 +1268,34 @@ END
+ grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+ 
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if query is not allowed ($n)"
+{
+  $NSUPDATE -d <<END
+  local 10.53.0.2
+  server 10.53.0.1 ${PORT}
+  update add reject.other.nil 3600 IN TXT Whatever
+  send
+END
+} > nsupdate.out.test$n 2>&1
+grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if quota is exceeded ($n)"
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+  $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
+  update add txt-$loop.other.nil 3600 IN TXT Whatever
+  send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ if ! $FEATURETEST --gssapi ; then
+   echo_i "SKIPPED: GSSAPI tests"
+ else
+diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
+index 2025252..12311df 100644
+--- a/bin/tests/system/upforwd/clean.sh
+++ b/bin/tests/system/upforwd/clean.sh
+@@ -29,3 +29,5 @@ rm -f keyname keyname.err
+ rm -f ns*/named.lock
+ rm -f ns1/example2.db
+ rm -f ns*/managed-keys.bind*
+rm -f nsupdate.out.*
+rm -f ns*/named.run.prev
+diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
+similarity index 78%
+rename from bin/tests/system/upforwd/ns3/named.conf.in
+rename to bin/tests/system/upforwd/ns3/named1.conf.in
+index 7bd13d3..2f690ff 100644
+--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
+@@ -28,20 +28,27 @@ key rndc_key {
+ };
+ 
+ controls {
+-        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+ };
+ 
+ zone "example" {
+ 	type secondary;
+ 	file "example.bk";
+-	allow-update-forwarding { any; };
+	allow-update-forwarding { 10.53.0.1; };
+ 	primaries { 10.53.0.1; };
+ };
+ 
+ zone "example2" {
+ 	type secondary;
+ 	file "example2.bk";
+-	allow-update-forwarding { any; };
+	allow-update-forwarding { 10.53.0.1; };
+	primaries { 10.53.0.1; };
+};
+
+zone "example3" {
+	type secondary;
+	file "example3.bk";
+	allow-update-forwarding { 10.53.0.1; };
+ 	primaries { 10.53.0.1; };
+ };
+ 
+diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
+new file mode 100644
+index 0000000..86d7469
+--- /dev/null
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
+@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	update-quota 1;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+	type secondary;
+	file "example.bk";
+	allow-update-forwarding { any; };
+	primaries { 10.53.0.1; };
+};
+diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
+index e748078..88ab28d 100644
+--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
+@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
+ 
+ copy_setports ns1/named.conf.in ns1/named.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+-copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+ 
+ if $FEATURETEST --enable-dnstap
+ then
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index 8062d68..20fc46f 100644
+--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
+@@ -80,6 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+ echo_i "updating zone (signed) ($n)"
+ ret=0
+ $NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add updated.example. 600 A 10.10.10.1
+ update add updated.example. 600 TXT Foo
+@@ -138,6 +139,7 @@ fi
+ echo_i "updating zone (unsigned) ($n)"
+ ret=0
+ $NSUPDATE -- - <<EOF || ret=1
+local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add unsigned.example. 600 A 10.10.10.1
+ update add unsigned.example. 600 TXT Foo
+@@ -194,6 +196,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
+ do
+ (
+ $NSUPDATE -- - <<EOF 
+local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ zone nomaster
+ update add unsigned.nomaster. 600 A 10.10.10.1
+@@ -225,6 +228,7 @@ then
+ 	ret=0
+ 	keyname=`cat keyname`
+ 	$NSUPDATE -k $keyname.private -- - <<EOF
+	local 10.53.0.1
+ 	server 10.53.0.3 ${PORT}
+ 	zone example2
+ 	update add unsigned.example2. 600 A 10.10.10.1
+@@ -249,5 +253,40 @@ EOF
+ 	fi
+ fi
+ 
+echo_i "attempting an update that should be rejected by ACL ($n)"
+ret=0
+{
+        $NSUPDATE -- - << EOF
+        local 10.53.0.2
+        server 10.53.0.3 ${PORT}
+        update add another.unsigned.example. 600 A 10.10.10.2
+        update add another.unsigned.example. 600 TXT Bar
+        send
+EOF
+} > nsupdate.out.$n 2>&1
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+n=$((n + 1))
+ret=0
+echo_i "attempting updates that should exceed quota ($n)"
+# lower the update quota to 1.
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+nextpart ns3/named.run > /dev/null
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+  $NSUPDATE -- - > /dev/null 2>&1 <<END
+  local 10.53.0.1
+  server 10.53.0.3 ${PORT}
+  update add txt-$loop.unsigned.example 300 IN TXT Whatever
+  send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+-- 
+2.39.1
+
--- a/bind.spec
+++ b/bind.spec
@ -119,6 +119,7 @@ Patch181:bind-9.16-rh2133889.patch
 Patch182: bind-9.16-CVE-2022-3094-1.patch
 Patch183: bind-9.16-CVE-2022-3094-2.patch
 Patch184: bind-9.16-CVE-2022-3094-3.patch
+Patch185: bind-9.16-CVE-2022-3094-test.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -431,6 +432,7 @@ in HTML and PDF format.
 %patch182 -p1 -b .CVE-2022-3094
 %patch183 -p1 -b .CVE-2022-3094
 %patch184 -p1 -b .CVE-2022-3094
+%patch185 -p1 -b .CVE-2022-3094-test

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11