test failure conditions

verify that updates are refused when the client is disallowed by
allow-query, and update forwarding is refused when the client is
is disallowed by update-forwarding.

verify that "too many DNS UPDATEs" appears in the log file when too
many simultaneous updates are processing.

Related: CVE-2022-3094

bind-9.16-CVE-2022-3094-test.patch

@@ -0,0 +1,266 @@
+From 3d84c651f823cb90b73fd736d32ad6de57b11610 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Wed, 9 Nov 2022 21:56:16 -0800
+Subject: [PATCH] test failure conditions
+
+verify that updates are refused when the client is disallowed by
+allow-query, and update forwarding is refused when the client is
+is disallowed by update-forwarding.
+
+verify that "too many DNS UPDATEs" appears in the log file when too
+many simultaneous updates are processing.
+
+(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
+---
+ bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +
+ bin/tests/system/nsupdate/tests.sh            | 28 +++++++++++++
+ bin/tests/system/upforwd/clean.sh             |  2 +
+ .../ns3/{named.conf.in => named1.conf.in}     |  7 +++-
+ bin/tests/system/upforwd/ns3/named2.conf.in   | 41 +++++++++++++++++++
+ bin/tests/system/upforwd/setup.sh             |  2 +-
+ bin/tests/system/upforwd/tests.sh             | 40 ++++++++++++++++++
+ 7 files changed, 120 insertions(+), 2 deletions(-)
+ rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (85%)
+ create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
+
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index cb80269..228ad6a 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
++++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -20,6 +20,7 @@ options {
+ 	listen-on-v6 { none; };
+ 	recursion no;
+ 	notify yes;
++	update-quota 1;
+ };
+ 
+ key rndc_key {
+@@ -76,6 +77,7 @@ zone "other.nil" {
+ 	check-integrity no;
+ 	check-mx warn;
+ 	update-policy local;
++	allow-query { !10.53.0.2; any; };
+ 	allow-query-on { 10.53.0.1; 127.0.0.1; };
+ 	allow-transfer { any; };
+ };
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index f8994ff..4cabf8d 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -1069,6 +1069,34 @@ END
+ grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+ 
++n=$((n + 1))
++ret=0
++echo_i "check that update is rejected if query is not allowed ($n)"
++{
++  $NSUPDATE -d <<END
++  local 10.53.0.2
++  server 10.53.0.1 ${PORT}
++  update add reject.other.nil 3600 IN TXT Whatever
++  send
++END
++} > nsupdate.out.test$n 2>&1
++grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
++n=$((n + 1))
++ret=0
++echo_i "check that update is rejected if quota is exceeded ($n)"
++for loop in 1 2 3 4 5 6 7 8 9 10; do
++{
++  $NSUPDATE -l -p ${PORT} -k ns1/session.key > nsupdate.out.test$n-${loop} 2>&1 <<END
++  update add txt-$loop.other.nil 3600 IN TXT Whatever
++  send
++END
++} &
++done
++wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
+ if $FEATURETEST --gssapi ; then
+   n=`expr $n + 1`
+   ret=0
+diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
+index 15cf423..832c727 100644
+--- a/bin/tests/system/upforwd/clean.sh
++++ b/bin/tests/system/upforwd/clean.sh
+@@ -24,3 +24,5 @@ rm -f Ksig0.example2.*
+ rm -f keyname
+ rm -f ns*/named.lock
+ rm -f ns1/example2.db
++rm -f nsupdate.out.*
++rm -f ns*/named.run.prev
+diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
+similarity index 85%
+rename from bin/tests/system/upforwd/ns3/named.conf.in
+rename to bin/tests/system/upforwd/ns3/named1.conf.in
+index e81cd1a..83a490f 100644
+--- a/bin/tests/system/upforwd/ns3/named.conf.in
++++ b/bin/tests/system/upforwd/ns3/named1.conf.in
+@@ -22,10 +22,15 @@ options {
+ 	notify yes;
+ };
+ 
++include "../../common/rndc.key";
++controls {
++	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
+ zone "example" {
+ 	type slave;
+ 	file "example.bk";
+-	allow-update-forwarding { any; };
++	allow-update-forwarding { 10.53.0.1; };
+ 	masters { 10.53.0.1; };
+ };
+ 
+diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
+new file mode 100644
+index 0000000..992cd69
+--- /dev/null
++++ b/bin/tests/system/upforwd/ns3/named2.conf.in
+@@ -0,0 +1,41 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0.  If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++	query-source address 10.53.0.3;
++	notify-source 10.53.0.3;
++	transfer-source 10.53.0.3;
++	port @PORT@;
++	pid-file "named.pid";
++	listen-on { 10.53.0.3; };
++	listen-on-v6 { none; };
++	recursion no;
++	notify yes;
++	update-quota 1;
++};
++
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm hmac-sha256;
++};
++
++controls {
++	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++zone "example" {
++	type slave;
++	file "example.bk";
++	allow-update-forwarding { any; };
++	masters { 10.53.0.1; };
++};
+diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
+index 74c7ba3..928902b 100644
+--- a/bin/tests/system/upforwd/setup.sh
++++ b/bin/tests/system/upforwd/setup.sh
+@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
+ 
+ copy_setports ns1/named.conf.in ns1/named.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+-copy_setports ns3/named.conf.in ns3/named.conf
++copy_setports ns3/named1.conf.in ns3/named.conf
+ 
+ #
+ # SIG(0) required cryptographic support which may not be configured.
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index f4c3216..ebc9ded 100644
+--- a/bin/tests/system/upforwd/tests.sh
++++ b/bin/tests/system/upforwd/tests.sh
+@@ -17,6 +17,7 @@ SYSTEMTESTTOP=..
+ . $SYSTEMTESTTOP/conf.sh
+ 
+ DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
++RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+ 
+ status=0
+ n=1
+@@ -69,6 +70,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+ echo_i "updating zone (signed) ($n)"
+ ret=0
+ $NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add updated.example. 600 A 10.10.10.1
+ update add updated.example. 600 TXT Foo
+@@ -116,6 +118,7 @@ n=`expr $n + 1`
+ echo_i "updating zone (unsigned) ($n)"
+ ret=0
+ $NSUPDATE -- - <<EOF || ret=1
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add unsigned.example. 600 A 10.10.10.1
+ update add unsigned.example. 600 TXT Foo
+@@ -161,6 +164,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
+ do
+ (
+ $NSUPDATE -- - <<EOF 
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ zone nomaster
+ update add unsigned.nomaster. 600 A 10.10.10.1
+@@ -181,6 +185,7 @@ then
+ 	ret=0
+ 	keyname=`cat keyname`
+ 	$NSUPDATE -k $keyname.private -- - <<EOF
++	local 10.53.0.1
+ 	server 10.53.0.3 ${PORT}
+ 	zone example2
+ 	update add unsigned.example2. 600 A 10.10.10.1
+@@ -194,5 +199,40 @@ EOF
+ 	n=`expr $n + 1`
+ fi
+ 
++echo_i "attempting an update that should be rejected by ACL ($n)"
++ret=0
++{
++        $NSUPDATE -- - << EOF
++        local 10.53.0.2
++        server 10.53.0.3 ${PORT}
++        update add another.unsigned.example. 600 A 10.10.10.2
++        update add another.unsigned.example. 600 TXT Bar
++        send
++EOF
++} > nsupdate.out.$n 2>&1
++grep REFUSED nsupdate.out.$n > /dev/null || ret=1
++if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
++n=`expr $n + 1`
++
++n=$((n + 1))
++ret=0
++echo_i "attempting updates that should exceed quota ($n)"
++# lower the update quota to 1.
++copy_setports ns3/named2.conf.in ns3/named.conf
++$RNDCCMD 10.53.0.3 reconfig
++nextpart ns3/named.run > /dev/null
++for loop in 1 2 3 4 5 6 7 8 9 10; do
++{
++  $NSUPDATE -- - > /dev/null 2>&1 <<END
++  local 10.53.0.1
++  server 10.53.0.3 ${PORT}
++  update add txt-$loop.unsigned.example 300 IN TXT Whatever
++  send
++END
++} &
++done
++wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+-- 
+2.39.2
+

bind.spec

@@ -171,6 +171,7 @@ Patch192: bind-9.11-rh2133889.patch
 Patch193: bind-9.16-CVE-2022-3094-1.patch
 Patch194: bind-9.16-CVE-2022-3094-2.patch
 Patch195: bind-9.16-CVE-2022-3094-3.patch
+Patch196: bind-9.16-CVE-2022-3094-test.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -576,6 +577,7 @@ are used for building ISC DHCP.
 %patch193 -p1 -b .CVE-2022-3094
 %patch194 -p1 -b .CVE-2022-3094
 %patch195 -p1 -b .CVE-2022-3094
+%patch196 -p1 -b .CVE-2022-3094-test
 
 
 mkdir lib/dns/tests/testdata/dstrandom
@@ -1631,6 +1633,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-9
 - Prevent flooding with UPDATE requests (CVE-2022-3094)
+- include upstream test for that change
 
 * Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-8
 - Correct regression preventing bind-dyndb-ldap build (#2133889)