test failure conditions

verify that updates are refused when the client is disallowed by
allow-query, and update forwarding is refused when the client is
is disallowed by update-forwarding.

verify that "too many DNS UPDATEs" appears in the log file when too
many simultaneous updates are processing.

Related: CVE-2022-3094
This commit is contained in:
Petr Menšík 2023-02-08 18:28:17 +01:00
parent 1d416c2d77
commit 25cbffd195
2 changed files with 269 additions and 0 deletions

View File

@ -0,0 +1,266 @@
From 3d84c651f823cb90b73fd736d32ad6de57b11610 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Wed, 9 Nov 2022 21:56:16 -0800
Subject: [PATCH] test failure conditions
verify that updates are refused when the client is disallowed by
allow-query, and update forwarding is refused when the client is
is disallowed by update-forwarding.
verify that "too many DNS UPDATEs" appears in the log file when too
many simultaneous updates are processing.
(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
---
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +
bin/tests/system/nsupdate/tests.sh | 28 +++++++++++++
bin/tests/system/upforwd/clean.sh | 2 +
.../ns3/{named.conf.in => named1.conf.in} | 7 +++-
bin/tests/system/upforwd/ns3/named2.conf.in | 41 +++++++++++++++++++
bin/tests/system/upforwd/setup.sh | 2 +-
bin/tests/system/upforwd/tests.sh | 40 ++++++++++++++++++
7 files changed, 120 insertions(+), 2 deletions(-)
rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (85%)
create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index cb80269..228ad6a 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -20,6 +20,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
+ update-quota 1;
};
key rndc_key {
@@ -76,6 +77,7 @@ zone "other.nil" {
check-integrity no;
check-mx warn;
update-policy local;
+ allow-query { !10.53.0.2; any; };
allow-query-on { 10.53.0.1; 127.0.0.1; };
allow-transfer { any; };
};
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index f8994ff..4cabf8d 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1069,6 +1069,34 @@ END
grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if query is not allowed ($n)"
+{
+ $NSUPDATE -d <<END
+ local 10.53.0.2
+ server 10.53.0.1 ${PORT}
+ update add reject.other.nil 3600 IN TXT Whatever
+ send
+END
+} > nsupdate.out.test$n 2>&1
+grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if quota is exceeded ($n)"
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+ $NSUPDATE -l -p ${PORT} -k ns1/session.key > nsupdate.out.test$n-${loop} 2>&1 <<END
+ update add txt-$loop.other.nil 3600 IN TXT Whatever
+ send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
if $FEATURETEST --gssapi ; then
n=`expr $n + 1`
ret=0
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
index 15cf423..832c727 100644
--- a/bin/tests/system/upforwd/clean.sh
+++ b/bin/tests/system/upforwd/clean.sh
@@ -24,3 +24,5 @@ rm -f Ksig0.example2.*
rm -f keyname
rm -f ns*/named.lock
rm -f ns1/example2.db
+rm -f nsupdate.out.*
+rm -f ns*/named.run.prev
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
similarity index 85%
rename from bin/tests/system/upforwd/ns3/named.conf.in
rename to bin/tests/system/upforwd/ns3/named1.conf.in
index e81cd1a..83a490f 100644
--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
@@ -22,10 +22,15 @@ options {
notify yes;
};
+include "../../common/rndc.key";
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
zone "example" {
type slave;
file "example.bk";
- allow-update-forwarding { any; };
+ allow-update-forwarding { 10.53.0.1; };
masters { 10.53.0.1; };
};
diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
new file mode 100644
index 0000000..992cd69
--- /dev/null
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ update-quota 1;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+ type slave;
+ file "example.bk";
+ allow-update-forwarding { any; };
+ masters { 10.53.0.1; };
+};
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index 74c7ba3..928902b 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
-copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
#
# SIG(0) required cryptographic support which may not be configured.
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index f4c3216..ebc9ded 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -17,6 +17,7 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
status=0
n=1
@@ -69,6 +70,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "updating zone (signed) ($n)"
ret=0
$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+local 10.53.0.1
server 10.53.0.3 ${PORT}
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
@@ -116,6 +118,7 @@ n=`expr $n + 1`
echo_i "updating zone (unsigned) ($n)"
ret=0
$NSUPDATE -- - <<EOF || ret=1
+local 10.53.0.1
server 10.53.0.3 ${PORT}
update add unsigned.example. 600 A 10.10.10.1
update add unsigned.example. 600 TXT Foo
@@ -161,6 +164,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
do
(
$NSUPDATE -- - <<EOF
+local 10.53.0.1
server 10.53.0.3 ${PORT}
zone nomaster
update add unsigned.nomaster. 600 A 10.10.10.1
@@ -181,6 +185,7 @@ then
ret=0
keyname=`cat keyname`
$NSUPDATE -k $keyname.private -- - <<EOF
+ local 10.53.0.1
server 10.53.0.3 ${PORT}
zone example2
update add unsigned.example2. 600 A 10.10.10.1
@@ -194,5 +199,40 @@ EOF
n=`expr $n + 1`
fi
+echo_i "attempting an update that should be rejected by ACL ($n)"
+ret=0
+{
+ $NSUPDATE -- - << EOF
+ local 10.53.0.2
+ server 10.53.0.3 ${PORT}
+ update add another.unsigned.example. 600 A 10.10.10.2
+ update add another.unsigned.example. 600 TXT Bar
+ send
+EOF
+} > nsupdate.out.$n 2>&1
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+n=$((n + 1))
+ret=0
+echo_i "attempting updates that should exceed quota ($n)"
+# lower the update quota to 1.
+copy_setports ns3/named2.conf.in ns3/named.conf
+$RNDCCMD 10.53.0.3 reconfig
+nextpart ns3/named.run > /dev/null
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+ $NSUPDATE -- - > /dev/null 2>&1 <<END
+ local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add txt-$loop.unsigned.example 300 IN TXT Whatever
+ send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
--
2.39.2

View File

@ -171,6 +171,7 @@ Patch192: bind-9.11-rh2133889.patch
Patch193: bind-9.16-CVE-2022-3094-1.patch
Patch194: bind-9.16-CVE-2022-3094-2.patch
Patch195: bind-9.16-CVE-2022-3094-3.patch
Patch196: bind-9.16-CVE-2022-3094-test.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@ -576,6 +577,7 @@ are used for building ISC DHCP.
%patch193 -p1 -b .CVE-2022-3094
%patch194 -p1 -b .CVE-2022-3094
%patch195 -p1 -b .CVE-2022-3094
%patch196 -p1 -b .CVE-2022-3094-test
mkdir lib/dns/tests/testdata/dstrandom
@ -1631,6 +1633,7 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
* Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-9
- Prevent flooding with UPDATE requests (CVE-2022-3094)
- include upstream test for that change
* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-8
- Correct regression preventing bind-dyndb-ldap build (#2133889)