test failure conditions

verify that updates are refused when the client is disallowed by allow-query, and update forwarding is refused when the client is is disallowed by update-forwarding. verify that "too many DNS UPDATEs" appears in the log file when too many simultaneous updates are processing. Related: CVE-2022-3094
2023-02-08 18:28:17 +01:00 · 2023-02-08 18:28:17 +01:00 · 25cbffd195
commit 25cbffd195
parent 1d416c2d77
2 changed files with 269 additions and 0 deletions
--- a/bind-9.16-CVE-2022-3094-test.patch
+++ b/bind-9.16-CVE-2022-3094-test.patch
@ -0,0 +1,266 @@
+From 3d84c651f823cb90b73fd736d32ad6de57b11610 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Wed, 9 Nov 2022 21:56:16 -0800
+Subject: [PATCH] test failure conditions
+
+verify that updates are refused when the client is disallowed by
+allow-query, and update forwarding is refused when the client is
+is disallowed by update-forwarding.
+
+verify that "too many DNS UPDATEs" appears in the log file when too
+many simultaneous updates are processing.
+
+(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
+---
+ bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +
+ bin/tests/system/nsupdate/tests.sh            | 28 +++++++++++++
+ bin/tests/system/upforwd/clean.sh             |  2 +
+ .../ns3/{named.conf.in => named1.conf.in}     |  7 +++-
+ bin/tests/system/upforwd/ns3/named2.conf.in   | 41 +++++++++++++++++++
+ bin/tests/system/upforwd/setup.sh             |  2 +-
+ bin/tests/system/upforwd/tests.sh             | 40 ++++++++++++++++++
+ 7 files changed, 120 insertions(+), 2 deletions(-)
+ rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (85%)
+ create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
+
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index cb80269..228ad6a 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -20,6 +20,7 @@ options {
+ 	listen-on-v6 { none; };
+ 	recursion no;
+ 	notify yes;
+	update-quota 1;
+ };
+ 
+ key rndc_key {
+@@ -76,6 +77,7 @@ zone "other.nil" {
+ 	check-integrity no;
+ 	check-mx warn;
+ 	update-policy local;
+	allow-query { !10.53.0.2; any; };
+ 	allow-query-on { 10.53.0.1; 127.0.0.1; };
+ 	allow-transfer { any; };
+ };
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index f8994ff..4cabf8d 100755
+--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
+@@ -1069,6 +1069,34 @@ END
+ grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+ 
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if query is not allowed ($n)"
+{
+  $NSUPDATE -d <<END
+  local 10.53.0.2
+  server 10.53.0.1 ${PORT}
+  update add reject.other.nil 3600 IN TXT Whatever
+  send
+END
+} > nsupdate.out.test$n 2>&1
+grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if quota is exceeded ($n)"
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+  $NSUPDATE -l -p ${PORT} -k ns1/session.key > nsupdate.out.test$n-${loop} 2>&1 <<END
+  update add txt-$loop.other.nil 3600 IN TXT Whatever
+  send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ if $FEATURETEST --gssapi ; then
+   n=`expr $n + 1`
+   ret=0
+diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
+index 15cf423..832c727 100644
+--- a/bin/tests/system/upforwd/clean.sh
+++ b/bin/tests/system/upforwd/clean.sh
+@@ -24,3 +24,5 @@ rm -f Ksig0.example2.*
+ rm -f keyname
+ rm -f ns*/named.lock
+ rm -f ns1/example2.db
+rm -f nsupdate.out.*
+rm -f ns*/named.run.prev
+diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
+similarity index 85%
+rename from bin/tests/system/upforwd/ns3/named.conf.in
+rename to bin/tests/system/upforwd/ns3/named1.conf.in
+index e81cd1a..83a490f 100644
+--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
+@@ -22,10 +22,15 @@ options {
+ 	notify yes;
+ };
+ 
+include "../../common/rndc.key";
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+ zone "example" {
+ 	type slave;
+ 	file "example.bk";
+-	allow-update-forwarding { any; };
+	allow-update-forwarding { 10.53.0.1; };
+ 	masters { 10.53.0.1; };
+ };
+ 
+diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
+new file mode 100644
+index 0000000..992cd69
+--- /dev/null
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
+@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	update-quota 1;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+	type slave;
+	file "example.bk";
+	allow-update-forwarding { any; };
+	masters { 10.53.0.1; };
+};
+diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
+index 74c7ba3..928902b 100644
+--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
+@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
+ 
+ copy_setports ns1/named.conf.in ns1/named.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+-copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
+ 
+ #
+ # SIG(0) required cryptographic support which may not be configured.
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index f4c3216..ebc9ded 100644
+--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
+@@ -17,6 +17,7 @@ SYSTEMTESTTOP=..
+ . $SYSTEMTESTTOP/conf.sh
+ 
+ DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+ 
+ status=0
+ n=1
+@@ -69,6 +70,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+ echo_i "updating zone (signed) ($n)"
+ ret=0
+ $NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add updated.example. 600 A 10.10.10.1
+ update add updated.example. 600 TXT Foo
+@@ -116,6 +118,7 @@ n=`expr $n + 1`
+ echo_i "updating zone (unsigned) ($n)"
+ ret=0
+ $NSUPDATE -- - <<EOF || ret=1
+local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add unsigned.example. 600 A 10.10.10.1
+ update add unsigned.example. 600 TXT Foo
+@@ -161,6 +164,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
+ do
+ (
+ $NSUPDATE -- - <<EOF 
+local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ zone nomaster
+ update add unsigned.nomaster. 600 A 10.10.10.1
+@@ -181,6 +185,7 @@ then
+ 	ret=0
+ 	keyname=`cat keyname`
+ 	$NSUPDATE -k $keyname.private -- - <<EOF
+	local 10.53.0.1
+ 	server 10.53.0.3 ${PORT}
+ 	zone example2
+ 	update add unsigned.example2. 600 A 10.10.10.1
+@@ -194,5 +199,40 @@ EOF
+ 	n=`expr $n + 1`
+ fi
+ 
+echo_i "attempting an update that should be rejected by ACL ($n)"
+ret=0
+{
+        $NSUPDATE -- - << EOF
+        local 10.53.0.2
+        server 10.53.0.3 ${PORT}
+        update add another.unsigned.example. 600 A 10.10.10.2
+        update add another.unsigned.example. 600 TXT Bar
+        send
+EOF
+} > nsupdate.out.$n 2>&1
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+n=$((n + 1))
+ret=0
+echo_i "attempting updates that should exceed quota ($n)"
+# lower the update quota to 1.
+copy_setports ns3/named2.conf.in ns3/named.conf
+$RNDCCMD 10.53.0.3 reconfig
+nextpart ns3/named.run > /dev/null
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+  $NSUPDATE -- - > /dev/null 2>&1 <<END
+  local 10.53.0.1
+  server 10.53.0.3 ${PORT}
+  update add txt-$loop.unsigned.example 300 IN TXT Whatever
+  send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+-- 
+2.39.2
+
--- a/bind.spec
+++ b/bind.spec
@ -171,6 +171,7 @@ Patch192: bind-9.11-rh2133889.patch
 Patch193: bind-9.16-CVE-2022-3094-1.patch
 Patch194: bind-9.16-CVE-2022-3094-2.patch
 Patch195: bind-9.16-CVE-2022-3094-3.patch
+Patch196: bind-9.16-CVE-2022-3094-test.patch

 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -576,6 +577,7 @@ are used for building ISC DHCP.
 %patch193 -p1 -b .CVE-2022-3094
 %patch194 -p1 -b .CVE-2022-3094
 %patch195 -p1 -b .CVE-2022-3094
+%patch196 -p1 -b .CVE-2022-3094-test


 mkdir lib/dns/tests/testdata/dstrandom
@ -1631,6 +1633,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-9
 - Prevent flooding with UPDATE requests (CVE-2022-3094)
+- include upstream test for that change

 * Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-8
 - Correct regression preventing bind-dyndb-ldap build (#2133889)