From 495baa1377feae5f7417720318601b54fedf66fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 8 Feb 2023 18:28:17 +0100
Subject: [PATCH] test failure conditions

verify that updates are refused when the client is disallowed by
allow-query, and update forwarding is refused when the client is
is disallowed by update-forwarding.

verify that "too many DNS UPDATEs" appears in the log file when too
many simultaneous updates are processing.

Related: CVE-2022-3094
---
 bind-9.16-CVE-2022-3094-test.patch | 272 +++++++++++++++++++++++++++++
 bind.spec                          |   2 +
 2 files changed, 274 insertions(+)
 create mode 100644 bind-9.16-CVE-2022-3094-test.patch

diff --git a/bind-9.16-CVE-2022-3094-test.patch b/bind-9.16-CVE-2022-3094-test.patch
new file mode 100644
index 0000000..37b64de
--- /dev/null
+++ b/bind-9.16-CVE-2022-3094-test.patch
@@ -0,0 +1,272 @@
+From 630529ea7d4587703008de1465021bdde2a3a971 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Wed, 9 Nov 2022 21:56:16 -0800
+Subject: [PATCH] test failure conditions
+
+verify that updates are refused when the client is disallowed by
+allow-query, and update forwarding is refused when the client is
+is disallowed by update-forwarding.
+
+verify that "too many DNS UPDATEs" appears in the log file when too
+many simultaneous updates are processing.
+
+(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
+---
+ bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +
+ bin/tests/system/nsupdate/tests.sh            | 28 +++++++++++++
+ bin/tests/system/upforwd/clean.sh             |  2 +
+ .../ns3/{named.conf.in => named1.conf.in}     | 13 ++++--
+ bin/tests/system/upforwd/ns3/named2.conf.in   | 41 +++++++++++++++++++
+ bin/tests/system/upforwd/setup.sh             |  2 +-
+ bin/tests/system/upforwd/tests.sh             | 39 ++++++++++++++++++
+ 7 files changed, 123 insertions(+), 4 deletions(-)
+ rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (78%)
+ create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
+
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index 436c97d..83fe884 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
++++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -21,6 +21,7 @@ options {
+ 	recursion no;
+ 	notify yes;
+ 	minimal-responses no;
++	update-quota 1;
+ };
+ 
+ acl named-acl {
+@@ -81,6 +82,7 @@ zone "other.nil" {
+ 	check-integrity no;
+ 	check-mx warn;
+ 	update-policy local;
++	allow-query { !10.53.0.2; any; };
+ 	allow-query-on { 10.53.0.1; 127.0.0.1; };
+ 	allow-transfer { any; };
+ };
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index b5f562f..13ba577 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -1268,6 +1268,34 @@ END
+ grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+ 
++n=$((n + 1))
++ret=0
++echo_i "check that update is rejected if query is not allowed ($n)"
++{
++  $NSUPDATE -d <<END
++  local 10.53.0.2
++  server 10.53.0.1 ${PORT}
++  update add reject.other.nil 3600 IN TXT Whatever
++  send
++END
++} > nsupdate.out.test$n 2>&1
++grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
++n=$((n + 1))
++ret=0
++echo_i "check that update is rejected if quota is exceeded ($n)"
++for loop in 1 2 3 4 5 6 7 8 9 10; do
++{
++  $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
++  update add txt-$loop.other.nil 3600 IN TXT Whatever
++  send
++END
++} &
++done
++wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
+ if ! $FEATURETEST --gssapi ; then
+   echo_i "SKIPPED: GSSAPI tests"
+ else
+diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
+index 2025252..12311df 100644
+--- a/bin/tests/system/upforwd/clean.sh
++++ b/bin/tests/system/upforwd/clean.sh
+@@ -29,3 +29,5 @@ rm -f keyname keyname.err
+ rm -f ns*/named.lock
+ rm -f ns1/example2.db
+ rm -f ns*/managed-keys.bind*
++rm -f nsupdate.out.*
++rm -f ns*/named.run.prev
+diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
+similarity index 78%
+rename from bin/tests/system/upforwd/ns3/named.conf.in
+rename to bin/tests/system/upforwd/ns3/named1.conf.in
+index 7bd13d3..2f690ff 100644
+--- a/bin/tests/system/upforwd/ns3/named.conf.in
++++ b/bin/tests/system/upforwd/ns3/named1.conf.in
+@@ -28,20 +28,27 @@ key rndc_key {
+ };
+ 
+ controls {
+-        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+ };
+ 
+ zone "example" {
+ 	type secondary;
+ 	file "example.bk";
+-	allow-update-forwarding { any; };
++	allow-update-forwarding { 10.53.0.1; };
+ 	primaries { 10.53.0.1; };
+ };
+ 
+ zone "example2" {
+ 	type secondary;
+ 	file "example2.bk";
+-	allow-update-forwarding { any; };
++	allow-update-forwarding { 10.53.0.1; };
++	primaries { 10.53.0.1; };
++};
++
++zone "example3" {
++	type secondary;
++	file "example3.bk";
++	allow-update-forwarding { 10.53.0.1; };
+ 	primaries { 10.53.0.1; };
+ };
+ 
+diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
+new file mode 100644
+index 0000000..86d7469
+--- /dev/null
++++ b/bin/tests/system/upforwd/ns3/named2.conf.in
+@@ -0,0 +1,41 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0.  If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++	query-source address 10.53.0.3;
++	notify-source 10.53.0.3;
++	transfer-source 10.53.0.3;
++	port @PORT@;
++	pid-file "named.pid";
++	listen-on { 10.53.0.3; };
++	listen-on-v6 { none; };
++	recursion no;
++	notify yes;
++	update-quota 1;
++};
++
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm @DEFAULT_HMAC@;
++};
++
++controls {
++	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++zone "example" {
++	type secondary;
++	file "example.bk";
++	allow-update-forwarding { any; };
++	primaries { 10.53.0.1; };
++};
+diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
+index e748078..88ab28d 100644
+--- a/bin/tests/system/upforwd/setup.sh
++++ b/bin/tests/system/upforwd/setup.sh
+@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
+ 
+ copy_setports ns1/named.conf.in ns1/named.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+-copy_setports ns3/named.conf.in ns3/named.conf
++copy_setports ns3/named1.conf.in ns3/named.conf
+ 
+ if $FEATURETEST --enable-dnstap
+ then
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index 8062d68..20fc46f 100644
+--- a/bin/tests/system/upforwd/tests.sh
++++ b/bin/tests/system/upforwd/tests.sh
+@@ -80,6 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+ echo_i "updating zone (signed) ($n)"
+ ret=0
+ $NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add updated.example. 600 A 10.10.10.1
+ update add updated.example. 600 TXT Foo
+@@ -138,6 +139,7 @@ fi
+ echo_i "updating zone (unsigned) ($n)"
+ ret=0
+ $NSUPDATE -- - <<EOF || ret=1
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add unsigned.example. 600 A 10.10.10.1
+ update add unsigned.example. 600 TXT Foo
+@@ -194,6 +196,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
+ do
+ (
+ $NSUPDATE -- - <<EOF 
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ zone nomaster
+ update add unsigned.nomaster. 600 A 10.10.10.1
+@@ -225,6 +228,7 @@ then
+ 	ret=0
+ 	keyname=`cat keyname`
+ 	$NSUPDATE -k $keyname.private -- - <<EOF
++	local 10.53.0.1
+ 	server 10.53.0.3 ${PORT}
+ 	zone example2
+ 	update add unsigned.example2. 600 A 10.10.10.1
+@@ -249,5 +253,40 @@ EOF
+ 	fi
+ fi
+ 
++echo_i "attempting an update that should be rejected by ACL ($n)"
++ret=0
++{
++        $NSUPDATE -- - << EOF
++        local 10.53.0.2
++        server 10.53.0.3 ${PORT}
++        update add another.unsigned.example. 600 A 10.10.10.2
++        update add another.unsigned.example. 600 TXT Bar
++        send
++EOF
++} > nsupdate.out.$n 2>&1
++grep REFUSED nsupdate.out.$n > /dev/null || ret=1
++if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
++n=`expr $n + 1`
++
++n=$((n + 1))
++ret=0
++echo_i "attempting updates that should exceed quota ($n)"
++# lower the update quota to 1.
++copy_setports ns3/named2.conf.in ns3/named.conf
++rndc_reconfig ns3 10.53.0.3
++nextpart ns3/named.run > /dev/null
++for loop in 1 2 3 4 5 6 7 8 9 10; do
++{
++  $NSUPDATE -- - > /dev/null 2>&1 <<END
++  local 10.53.0.1
++  server 10.53.0.3 ${PORT}
++  update add txt-$loop.unsigned.example 300 IN TXT Whatever
++  send
++END
++} &
++done
++wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+-- 
+2.39.1
+
diff --git a/bind.spec b/bind.spec
index 6f3a34e..bfded25 100644
--- a/bind.spec
+++ b/bind.spec
@@ -119,6 +119,7 @@ Patch181:bind-9.16-rh2133889.patch
 Patch182: bind-9.16-CVE-2022-3094-1.patch
 Patch183: bind-9.16-CVE-2022-3094-2.patch
 Patch184: bind-9.16-CVE-2022-3094-3.patch
+Patch185: bind-9.16-CVE-2022-3094-test.patch
 
 %{?systemd_ordering}
 Requires:       coreutils
@@ -431,6 +432,7 @@ in HTML and PDF format.
 %patch182 -p1 -b .CVE-2022-3094
 %patch183 -p1 -b .CVE-2022-3094
 %patch184 -p1 -b .CVE-2022-3094
+%patch185 -p1 -b .CVE-2022-3094-test
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11