parent
c155b2de68
commit
864e18c0c8
@ -1,2 +1,2 @@
550367762a653ac5ed0eb04b316d06517650a925 SOURCES/bind-9.11.13.tar.gz
ff6ad0d3f9282a77786e93eb889154008ef1ccdf SOURCES/bind-9.11.20.tar.gz
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data
@ -1,2 +1,2 @@
SOURCES/bind-9.11.13.tar.gz
SOURCES/bind-9.11.20.tar.gz
SOURCES/random.data
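--- a/[path not shown on page]
+++ /dev/null
@@ -1,292 +0,0 @@
-From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001
-From: Stephen Morris <stephen@isc.org>
-Date: Thu, 5 Mar 2020 18:46:46 +0000
-Subject: [PATCH] Add test for reduction in number of fetches
-
-Add a system test that counts how many address fetches are made
-for different numbers of NS records and checks that the number
-are successfully limited.
-
-(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2)
----
-bin/tests/system/resolver/clean.sh | 4 +-
-bin/tests/system/resolver/ns4/named.conf.in | 5 ++
-bin/tests/system/resolver/ns4/root.db | 4 +
-bin/tests/system/resolver/ns4/sourcens.db | 89 +++++++++++++++++++++
-bin/tests/system/resolver/ns5/named.conf.in | 9 ++-
-bin/tests/system/resolver/ns6/named.conf.in | 15 ++++
-bin/tests/system/resolver/ns6/targetns.db | 23 ++++++
-bin/tests/system/resolver/tests.sh | 34 ++++++++
-8 files changed, 180 insertions(+), 3 deletions(-)
-create mode 100644 bin/tests/system/resolver/ns4/sourcens.db
-create mode 100644 bin/tests/system/resolver/ns6/targetns.db
-
-diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
-index 4dfde1f3e7..b3e4bc0b5d 100644
---- a/bin/tests/system/resolver/clean.sh
-+++ b/bin/tests/system/resolver/clean.sh
-@@ -17,8 +17,7 @@ rm -f */named.memstats
-rm -f */named.run
-rm -f */ans.run
-rm -f */*.jdb
--rm -f dig.out dig.out.*
--rm -f dig.*.out.*
-+rm -f dig.out dig.out.* dig.*.out.*
-rm -f dig.*.foo.*
-rm -f dig.*.bar.*
-rm -f dig.*.prime.*
-@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
-rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
-rm -f ns6/dsset-ds.example.net*
-rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
-+rm -f ns6/named.stats*
-rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
-rm -f ns7/server.db ns7/server.db.jnl
-rm -f resolve.out.*.test*
-diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in
-index c679dc3151..56fe5d0dd8 100644
---- a/bin/tests/system/resolver/ns4/named.conf.in
-+++ b/bin/tests/system/resolver/ns4/named.conf.in
-@@ -50,6 +50,11 @@ zone "broken" {
-file "broken.db";
-};
-
-+zone "sourcens" {
-+ type master;
-+ file "sourcens.db";
-+};
-+
-key rndc_key {
-secret "1234abcd8765";
-algorithm hmac-sha256;
-diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
-index 721765d1be..ae541340da 100644
---- a/bin/tests/system/resolver/ns4/root.db
-+++ b/bin/tests/system/resolver/ns4/root.db
-@@ -24,3 +24,7 @@ example.net. NS ns.example.net.
-ns.example.net. A 10.53.0.6
-no-questions. NS ns.no-questions.
-ns.no-questions. A 10.53.0.8
-+sourcens. NS ns.sourcens.
-+ns.sourcens. A 10.53.0.4
-+targetns. NS ns.targetns.
-+ns.targetns. A 10.53.0.6
-diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db
-new file mode 100644
-index 0000000000..b02cc6e835
---- /dev/null
-+++ b/bin/tests/system/resolver/ns4/sourcens.db
-@@ -0,0 +1,89 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+; This zone contains a set of delegations with varying numbers of NS
-+; records. This is used to check that BIND is limiting the number of
-+; NS records it follows when resolving a delegation. It tests all
-+; numbers of NS records up to twice the number followed.
-+
-+$TTL 60
-+@ IN SOA marka.isc.org. ns.server. (
-+ 2010 ; serial
-+ 600 ; refresh
-+ 600 ; retry
-+ 1200 ; expire
-+ 600 ; minimum
-+ )
-+@ NS ns
-+ns A 10.53.0.4
-+
-+target1 NS ns.fake11.targetns.
-+
-+target2 NS ns.fake21.targetns.
-+ NS ns.fake22.targetns.
-+
-+target3 NS ns.fake31.targetns.
-+ NS ns.fake32.targetns.
-+ NS ns.fake33.targetns.
-+
-+target4 NS ns.fake41.targetns.
-+ NS ns.fake42.targetns.
-+ NS ns.fake43.targetns.
-+ NS ns.fake44.targetns.
-+
-+target5 NS ns.fake51.targetns.
-+ NS ns.fake52.targetns.
-+ NS ns.fake53.targetns.
-+ NS ns.fake54.targetns.
-+ NS ns.fake55.targetns.
-+
-+target6 NS ns.fake61.targetns.
-+ NS ns.fake62.targetns.
-+ NS ns.fake63.targetns.
-+ NS ns.fake64.targetns.
-+ NS ns.fake65.targetns.
-+ NS ns.fake66.targetns.
-+
-+target7 NS ns.fake71.targetns.
-+ NS ns.fake72.targetns.
-+ NS ns.fake73.targetns.
-+ NS ns.fake74.targetns.
-+ NS ns.fake75.targetns.
-+ NS ns.fake76.targetns.
-+ NS ns.fake77.targetns.
-+
-+target8 NS ns.fake81.targetns.
-+ NS ns.fake82.targetns.
-+ NS ns.fake83.targetns.
-+ NS ns.fake84.targetns.
-+ NS ns.fake85.targetns.
-+ NS ns.fake86.targetns.
-+ NS ns.fake87.targetns.
-+ NS ns.fake88.targetns.
-+
-+target9 NS ns.fake91.targetns.
-+ NS ns.fake92.targetns.
-+ NS ns.fake93.targetns.
-+ NS ns.fake94.targetns.
-+ NS ns.fake95.targetns.
-+ NS ns.fake96.targetns.
-+ NS ns.fake97.targetns.
-+ NS ns.fake98.targetns.
-+ NS ns.fake99.targetns.
-+
-+target10 NS ns.fake101.targetns.
-+ NS ns.fake102.targetns.
-+ NS ns.fake103.targetns.
-+ NS ns.fake104.targetns.
-+ NS ns.fake105.targetns.
-+ NS ns.fake106.targetns.
-+ NS ns.fake107.targetns.
-+ NS ns.fake108.targetns.
-+ NS ns.fake109.targetns.
-+ NS ns.fake1010.targetns.
-diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in
-index 07205c9938..90818e4556 100644
---- a/bin/tests/system/resolver/ns5/named.conf.in
-+++ b/bin/tests/system/resolver/ns5/named.conf.in
-@@ -46,4 +46,11 @@ zone "delegation-only" {
-type delegation-only;
-};
-
--include "trusted.conf";
-+key rndc_key {
-+ secret "1234abcd8765";
-+ algorithm hmac-sha256;
-+};
-+
-+controls {
-+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-+};
-diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in
-index 7df48558b8..4b01f9ba14 100644
---- a/bin/tests/system/resolver/ns6/named.conf.in
-+++ b/bin/tests/system/resolver/ns6/named.conf.in
-@@ -22,6 +22,7 @@ options {
-recursion no;
-// minimal-responses yes;
-querylog yes;
-+ statistics-file "named.stats";
-/*
-* test that named loads with root-delegation-only that
-* has a exclude list.
-@@ -67,3 +68,17 @@ zone "delegation-only" {
-type master;
-file "delegation-only.db";
-};
-+
-+zone "targetns" {
-+ type master;
-+ file "targetns.db";
-+};
-+
-+key rndc_key {
-+ secret "1234abcd8765";
-+ algorithm hmac-sha256;
-+};
-+
-+controls {
-+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-+};
-diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db
-new file mode 100644
-index 0000000000..036e64580b
---- /dev/null
-+++ b/bin/tests/system/resolver/ns6/targetns.db
-@@ -0,0 +1,23 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+; In the test for checking how many NS records BIND will follow, this
-+; zone marks the server as the one to which the NS lookups will be
-+; directed.
-+
-+$TTL 300
-+@ IN SOA marka.isc.org. ns.server. (
-+ 2010 ; serial
-+ 600 ; refresh
-+ 600 ; retry
-+ 1200 ; expire
-+ 600 ; minimum
-+ )
-+ NS ns
-+ns A 10.53.0.6
-diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
-index 12d2819e30..178ba4d79b 100755
---- a/bin/tests/system/resolver/tests.sh
-+++ b/bin/tests/system/resolver/tests.sh
-@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then
-status=`expr $status + $ret`
-fi
-
-+n=`expr $n + 1`
-+echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
-+# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS
-+# records pointing to non-existent nameservers in the targetns zone on ns6.
-+ret=0
-+$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
-+for nscount in 1 2 3 4 5 6 7 8 9 10
-+do
-+ # Verify number of NS records at source server
-+ $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
-+ sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
-+ test $sourcerecs -eq $nscount || ret=1
-+ test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
-+ # Expected queries = 2 * number of NS records, up to a maximum of 10.
-+ expected=`expr 2 \* $nscount`
-+ if [ $expected -gt 10 ]; then expected=10; fi
-+ # Work out the queries made by checking statistics on the target before and after the test
-+ $RNDCCMD 10.53.0.6 stats || ret=1
-+ initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
-+ mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
-+ $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
-+ $RNDCCMD 10.53.0.6 stats || ret=1
-+ final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
-+ mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
-+ # Check number of queries during the test is as expected
-+ actual=`expr $final_count - $initial_count`
-+ if [ $actual -ne $expected ]; then
-+ echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
-+ ret=1
-+ fi
-+done
-+if [ $ret != 0 ]; then echo_i "failed"; fi
-+status=`expr $status + $ret`
-+
-n=`expr $n + 1`
-echo_i "RT21594 regression test check setup ($n)"
-ret=0
---
-2.21.1
-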
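--- a/[path not shown on page]
+++ /dev/null
@@ -1,78 +0,0 @@
-From eee06b7744c4999ec3c7cb0654f97a9b4c79f77f Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Wed, 25 Mar 2020 17:44:51 +1100
-Subject: [PATCH] Check that a 'BADTIME' response with 'QR=0' is handled as a
-request
-
-(cherry picked from commit 67ba3f8f3ab2a748dff1e8a2029fde3bc84ec3f1)
----
-bin/tests/system/tsig/badtime | 37 ++++++++++++++++++++++++++++++++++
-bin/tests/system/tsig/tests.sh | 9 +++++++++
-2 files changed, 46 insertions(+)
-create mode 100644 bin/tests/system/tsig/badtime
-
-diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
-new file mode 100644
-index 0000000000..7926404cfb
---- /dev/null
-+++ b/bin/tests/system/tsig/badtime
-@@ -0,0 +1,37 @@
-+# Transaction ID
-+1122
-+# Standard query
-+0000
-+# Questions: 1, Additional: 1
-+0001 0000 0000 0001
-+# QNAME: isc.org
-+03 69 73 63 03 6F 72 67 00
-+# Type: A (Host Address)
-+0001
-+# Class: IN
-+0001
-+# Specially crafted TSIG Resource Record
-+# Name: "sha256"
-+06 73 68 61 32 35 36 00
-+# Type: TSIG (Transaction Signature)
-+00fa
-+# Class: ANY
-+00ff
-+# TTL: 0
-+00000000
-+# RdLen: 29
-+001d
-+# Algorithm Name: hmac-sha256
-+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
-+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
-+00 00 00 00 00 00
-+# Fudge: 300
-+012c
-+# MAC Size: 0; MAC: empty
-+0000
-+# Original ID: 0
-+0000
-+# Error: BADSIG
-+0010
-+# Other Data Length: 0
-+0000
-diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
-index cade35bc1d..284aea1056 100644
---- a/bin/tests/system/tsig/tests.sh
-+++ b/bin/tests/system/tsig/tests.sh
-@@ -233,5 +233,14 @@ if [ $ret -eq 1 ] ; then
-echo "I: failed"; status=1
-fi
-
-+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
-+ret=0
-+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
-+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
-+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
-+if [ $ret -eq 1 ] ; then
-+ echo_i "failed"; status=1
-+fi
-+
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
---
-2.21.1
-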
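--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,57 @@
+From c5a9fd85a19a63f88a5f17c7e6d074ee22364093 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 18 Aug 2020 10:53:33 +0200
+Subject: [PATCH] Fix CVE-2020-8622
+
+5476. [security] It was possible to trigger an assertion failure when
+verifying the response to a TSIG-signed request.
+(CVE-2020-8622) [GL #2028]
+---
+lib/dns/message.c | 24 +++++++++++++-----------
+1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index d9e341a..7c813a5 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+msg->header_ok = 0;
+msg->question_ok = 0;
+
++ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
++ isc_buffer_usedregion(&origsource, &msg->saved);
++ } else {
++ msg->saved.length = isc_buffer_usedlength(&origsource);
++ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
++ if (msg->saved.base == NULL) {
++ return (ISC_R_NOMEMORY);
++ }
++ memmove(msg->saved.base, isc_buffer_base(&origsource),
++ msg->saved.length);
++ msg->free_saved = 1;
++ }
++
+isc_buffer_remainingregion(source, &r);
+if (r.length < DNS_MESSAGE_HEADERLEN)
+return (ISC_R_UNEXPECTEDEND);
+@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+}
+
+truncated:
+- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
+- isc_buffer_usedregion(&origsource, &msg->saved);
+- else {
+- msg->saved.length = isc_buffer_usedlength(&origsource);
+- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+- if (msg->saved.base == NULL)
+- return (ISC_R_NOMEMORY);
+- memmove(msg->saved.base, isc_buffer_base(&origsource),
+- msg->saved.length);
+- msg->free_saved = 1;
+- }
+
+if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+return (DNS_R_RECOVERABLE);
+--
+2.26.2
+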
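Review bot: The block that fills `msg->saved` now runs before the `r.length < DNS_MESSAGE_HEADERLEN` check in the first hunk, i.e. ahead of every early return, but nothing in the diff records why it moved, so a later cleanup could move it back next to `truncated:` and reintroduce the problem. Suggest a comment above the new `if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {`, e.g. `/* Save the raw message before any early return so that a later TSIG verify always finds msg->saved populated (CVE-2020-8622, GL #2028). */`. With `DNS_MESSAGEPARSE_CLONEBUFFER` set, the cloned buffer is now allocated even when the parse fails on the lines that follow; presumably the `msg->free_saved = 1` flag is what lets the message's reset/destroy path release it on those returns, but that path is outside the hunk and worth confirming. `dns_message_parse` begins and ends outside both hunks.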
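--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,400 @@
+From e8b7be1e1ff3e11bc8d592c3c8d6a0f0d69e9947 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 18 Aug 2020 10:54:39 +0200
+Subject: [PATCH] Fix CVE-2020-8623
+
+5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
+was possible to trigger an assertion failure in code
+determining the number of bits in the PKCS#11 RSA public
+key with a specially crafted packet. (CVE-2020-8623)
+[GL #2037]
+---
+lib/dns/pkcs11dh_link.c | 15 ++++++-
+lib/dns/pkcs11dsa_link.c | 8 +++-
+lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++--------
+lib/isc/include/pk11/internal.h | 3 +-
+lib/isc/pk11.c | 61 ++++++++++++++++---------
+5 files changed, 121 insertions(+), 45 deletions(-)
+
+diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c
+index e2b60ea..4cd8e32 100644
+--- a/lib/dns/pkcs11dh_link.c
++++ b/lib/dns/pkcs11dh_link.c
+@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
+CK_ATTRIBUTE *attr;
+int special = 0;
++ unsigned int bits;
+isc_result_t result;
+
+isc_buffer_remainingregion(data, &r);
+@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+pub = r.base;
+isc_region_consume(&r, publen);
+
+- key->key_size = pk11_numbits(prime, plen_);
++ result = pk11_numbits(prime, plen_, &bits);
++ if (result != ISC_R_SUCCESS) {
++ goto cleanup;
++ }
++ key->key_size = bits;
+
+dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+if (dh->repr == NULL)
+@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+dst_private_t priv;
+isc_result_t ret;
+int i;
++ unsigned int bits;
+pk11_object_t *dh = NULL;
+CK_ATTRIBUTE *attr;
+isc_mem_t *mctx;
+@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+
+attr = pk11_attribute_bytype(dh, CKA_PRIME);
+INSIST(attr != NULL);
+- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+return (ISC_R_SUCCESS);
+
+diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
+index 12d707a..24d4c14 100644
+--- a/lib/dns/pkcs11dsa_link.c
++++ b/lib/dns/pkcs11dsa_link.c
+@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+dst_private_t priv;
+isc_result_t ret;
+int i;
++ unsigned int bits;
+pk11_object_t *dsa = NULL;
+CK_ATTRIBUTE *attr;
+isc_mem_t *mctx = key->mctx;
+@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+
+attr = pk11_attribute_bytype(dsa, CKA_PRIME);
+INSIST(attr != NULL);
+- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+return (ISC_R_SUCCESS);
+
+diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
+index 6c280bf..86e136a 100644
+--- a/lib/dns/pkcs11rsa_link.c
++++ b/lib/dns/pkcs11rsa_link.c
+@@ -337,6 +337,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+key->key_alg == DST_ALG_RSASHA256 ||
+key->key_alg == DST_ALG_RSASHA512);
+#endif
++ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
+
+/*
+* Reject incorrect RSA key lengths.
+@@ -381,6 +382,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+for (attr = pk11_attribute_first(rsa);
+attr != NULL;
+attr = pk11_attribute_next(rsa, attr))
++ {
+switch (attr->type) {
+case CKA_MODULUS:
+INSIST(keyTemplate[5].type == attr->type);
+@@ -401,12 +403,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+memmove(keyTemplate[6].pValue, attr->pValue,
+attr->ulValueLen);
+keyTemplate[6].ulValueLen = attr->ulValueLen;
+- if (pk11_numbits(attr->pValue,
+- attr->ulValueLen) > maxbits &&
+- maxbits != 0)
++ unsigned int bits;
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
++ &bits);
++ if (ret != ISC_R_SUCCESS ||
++ (bits > maxbits && maxbits != 0)) {
+DST_RET(DST_R_VERIFYFAILURE);
++ }
+break;
+}
++ }
+pk11_ctx->object = CK_INVALID_HANDLE;
+pk11_ctx->ontoken = false;
+PK11_RET(pkcs_C_CreateObject,
+@@ -1086,6 +1092,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+keyTemplate[5].ulValueLen = attr->ulValueLen;
+break;
+case CKA_PUBLIC_EXPONENT:
++ unsigned int bits;
+INSIST(keyTemplate[6].type == attr->type);
+keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+attr->ulValueLen);
+@@ -1094,10 +1101,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+memmove(keyTemplate[6].pValue, attr->pValue,
+attr->ulValueLen);
+keyTemplate[6].ulValueLen = attr->ulValueLen;
+- if (pk11_numbits(attr->pValue,
+- attr->ulValueLen)
+- > RSA_MAX_PUBEXP_BITS)
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
++ &bits);
++ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
++ {
+DST_RET(DST_R_VERIFYFAILURE);
++ }
+break;
+}
+pk11_ctx->object = CK_INVALID_HANDLE;
+@@ -1475,6 +1484,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+CK_BYTE *exponent = NULL, *modulus = NULL;
+CK_ATTRIBUTE *attr;
+unsigned int length;
++ unsigned int bits;
++ isc_result_t ret = ISC_R_SUCCESS;
+
+isc_buffer_remainingregion(data, &r);
+if (r.length == 0)
+@@ -1492,9 +1503,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+
+if (e_bytes == 0) {
+if (r.length < 2) {
+- isc_safe_memwipe(rsa, sizeof(*rsa));
+- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+- return (DST_R_INVALIDPUBLICKEY);
++ DST_RET(DST_R_INVALIDPUBLICKEY);
+}
+e_bytes = (*r.base) << 8;
+isc_region_consume(&r, 1);
+@@ -1503,16 +1512,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+}
+
+if (r.length < e_bytes) {
+- isc_safe_memwipe(rsa, sizeof(*rsa));
+- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+- return (DST_R_INVALIDPUBLICKEY);
++ DST_RET(DST_R_INVALIDPUBLICKEY);
+}
+exponent = r.base;
+isc_region_consume(&r, e_bytes);
+modulus = r.base;
+mod_bytes = r.length;
+
+- key->key_size = pk11_numbits(modulus, mod_bytes);
++ ret = pk11_numbits(modulus, mod_bytes, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+isc_buffer_forward(data, length);
+
+@@ -1562,9 +1573,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+rsa->repr,
+rsa->attrcnt * sizeof(*attr));
+}
++ ret = ISC_R_NOMEMORY;
++
++ err:
+isc_safe_memwipe(rsa, sizeof(*rsa));
+isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+- return (ISC_R_NOMEMORY);
++ return (ret);
+}
+
+static isc_result_t
+@@ -1743,6 +1757,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
+pk11_object_t *pubrsa;
+pk11_context_t *pk11_ctx = NULL;
+isc_result_t ret;
++ unsigned int bits;
+
+if (label == NULL)
+return (DST_R_NOENGINE);
+@@ -1829,7 +1844,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
+
+attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+INSIST(attr != NULL);
+- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+return (ISC_R_SUCCESS);
+
+@@ -1915,6 +1934,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+CK_ATTRIBUTE *attr;
+isc_mem_t *mctx = key->mctx;
+const char *engine = NULL, *label = NULL;
++ unsigned int bits;
+
+/* read private key file */
+ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
+@@ -2058,12 +2078,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+
+attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+INSIST(attr != NULL);
+- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+INSIST(attr != NULL);
+- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
++
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ if (bits > RSA_MAX_PUBEXP_BITS) {
+DST_RET(ISC_R_RANGE);
++ }
+
+dst__privstruct_free(&priv, mctx);
+isc_safe_memwipe(&priv, sizeof(priv));
+@@ -2098,6 +2128,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+pk11_context_t *pk11_ctx = NULL;
+isc_result_t ret;
+unsigned int i;
++ unsigned int bits;
+
+UNUSED(pin);
+
+@@ -2192,12 +2223,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+
+attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+INSIST(attr != NULL);
+- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
++
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ if (bits > RSA_MAX_PUBEXP_BITS) {
+DST_RET(ISC_R_RANGE);
++ }
+
+attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+INSIST(attr != NULL);
+- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+pk11_return_session(pk11_ctx);
+isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
+index 603712a..b9680bc 100644
+--- a/lib/isc/include/pk11/internal.h
++++ b/lib/isc/include/pk11/internal.h
+@@ -27,7 +27,8 @@ void pk11_mem_put(void *ptr, size_t size);
+
+CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype);
+
+-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
++isc_result_t
++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
+
+CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj);
+
+diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
+index 4b85527..9c450da 100644
+--- a/lib/isc/pk11.c
++++ b/lib/isc/pk11.c
+@@ -982,13 +982,15 @@ pk11_get_best_token(pk11_optype_t optype) {
+return (token->slotid);
+}
+
+-unsigned int
+-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
++isc_result_t
++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
+unsigned int bitcnt, i;
+CK_BYTE top;
+
+- if (bytecnt == 0)
+- return (0);
++ if (bytecnt == 0) {
++ *bits = 0;
++ return (ISC_R_SUCCESS);
++ }
+bitcnt = bytecnt * 8;
+for (i = 0; i < bytecnt; i++) {
+top = data[i];
+@@ -996,26 +998,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
+bitcnt -= 8;
+continue;
+}
+- if (top & 0x80)
+- return (bitcnt);
+- if (top & 0x40)
+- return (bitcnt - 1);
+- if (top & 0x20)
+- return (bitcnt - 2);
+- if (top & 0x10)
+- return (bitcnt - 3);
+- if (top & 0x08)
+- return (bitcnt - 4);
+- if (top & 0x04)
+- return (bitcnt - 5);
+- if (top & 0x02)
+- return (bitcnt - 6);
+- if (top & 0x01)
+- return (bitcnt - 7);
++ if (top & 0x80) {
++ *bits = bitcnt;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x40) {
++ *bits = bitcnt - 1;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x20) {
++ *bits = bitcnt - 2;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x10) {
++ *bits = bitcnt - 3;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x08) {
++ *bits = bitcnt - 4;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x04) {
++ *bits = bitcnt - 5;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x02) {
++ *bits = bitcnt - 6;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x01) {
++ *bits = bitcnt - 7;
++ return (ISC_R_SUCCESS);
++ }
+break;
+}
+- INSIST(0);
+- ISC_UNREACHABLE();
++ return (ISC_R_RANGE);
+}
+
+CK_ATTRIBUTE *
+--
+2.26.2
+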
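Review bot: In the `pkcs11rsa_verify` hunk the new `unsigned int bits;` sits directly after `case CKA_PUBLIC_EXPONENT:`, and in C11 a label must be followed by a statement rather than a declaration, so as shown here I would expect GCC in its default gnu11 mode to reject it ("a label can only be part of a statement and a declaration is not a statement"); hoist it next to the function's other locals, which are outside this hunk, as the `pkcs11rsa_fetch`, `pkcs11rsa_parse` and `pkcs11rsa_fromlabel` hunks already do, and do the same for the mid-block `unsigned int bits;` in the `pkcs11rsa_createctx_verify` hunk for consistency. The new `return (ISC_R_RANGE);` at the end of `pk11_numbits` is the line that replaces the `INSIST(0)` a crafted key could reach, and judging from the `bitcnt -= 8; continue;` branch it is taken when every byte is zero; it deserves a comment such as `/* No set bit in any byte: report a malformed value instead of asserting. */` so the fallback is not "tidied" back into an assertion later. The changed prototype in `pk11/internal.h` could carry a short Doxygen comment stating that `*bits` is written only on `ISC_R_SUCCESS`, which the `bytecnt == 0` and set-bit branches in `pk11.c` establish.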
@ -0,0 +1,152 @@
From 221fb11e658e7dea1be6dbfd25e149f2d131e4fb Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 29 Jul 2020 23:36:03 +1000
Subject: [PATCH] Add a test for update-policy 'subdomain'
The new test checks that 'update-policy subdomain' is properly enforced.
(cherry picked from commit 393e8f643c02215fa4e6d4edf67be7d77085da0e)
Add a test for update-policy 'zonesub'
The new test checks that 'update-policy zonesub' is properly enforced.
(cherry picked from commit 58e560beb50873c699f3431cf57e215dc645d7aa)
---
bin/tests/system/nsupdate/ns1/named.conf.in | 12 +++++
bin/tests/system/nsupdate/tests.sh | 60 +++++++++++++++++++--
2 files changed, 68 insertions(+), 4 deletions(-)
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index 26b6b7c9ab..540a984842 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -36,6 +36,16 @@ key altkey {
secret "1234abcd8765";
};
|
+key restricted.example.nil {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+key zonesub-key.example.nil {
+ algorithm hmac-md5;
+ secret "1234subk8765";
+};
+
include "ddns.key";
|
zone "example.nil" {
@@ -44,7 +54,9 @@ zone "example.nil" {
check-integrity no;
check-mx ignore;
update-policy {
+ grant zonesub-key.example.nil zonesub TXT;
grant ddns-key.example.nil subdomain example.nil ANY;
+ grant restricted.example.nil subdomain restricted.example.nil ANY;
};
allow-transfer { any; };
};
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b08c5220e7..5f09e8c5bf 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -428,7 +428,7 @@ EOF
# this also proves that the server is still running.
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
-grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
@@ -443,7 +443,7 @@ EOF
|
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
-grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -460,7 +460,7 @@ EOF
_ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
- if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then
+ if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
_ret=0
break
fi
@@ -485,7 +485,7 @@ EOF
_ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
- if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then
+ if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
_ret=0
break
fi
@@ -631,6 +631,58 @@ then
echo_i "failed"; status=1
fi
|
+n=`expr $n + 1`
+ret=0
+echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
+# and thus this UPDATE should succeed.
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add restricted.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
+# thus this UPDATE should fail.
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
+# grant zonesub-key.example.nil zonesub TXT;
+# the A record update should be rejected as it is not in the type list
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN A 1.2.3.4
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
+grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
+# the TXT record update should be accepted as it is in the type list
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
n=`expr $n + 1`
ret=0
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
--
2.26.2
|
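Review bot: The negative 'subdomain' case at `$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1` checks only nsupdate's exit status and the absence of the TXT record, while the 'zonesub' case added right below it also greps the debug output for `status: REFUSED`; without that, the subdomain test passes just as well when the update fails for some unrelated reason (a timeout, for instance), which is not the policy enforcement it is meant to prove. Adding `grep "status: REFUSED" nsupdate.out2-$n > /dev/null || ret=1` after that heredoc brings the two cases in line. In named.conf.in the new restricted.example.nil key reuses altkey's secret `1234abcd8765`; that is harmless in a system test, but a short comment such as `# same secret as altkey on purpose; only the key name matters for the policy tests` would stop a reader from wondering whether the shared secret is significant.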
@ -0,0 +1,32 @@
From e2aae621408c7622d094f13a67b928f911a2793b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:55:50 +0200
Subject: [PATCH] Fix CVE-2020-8624
|
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
---
bin/named/zoneconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
|
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 55f191b..b77a07c 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
|
str = cfg_obj_asstring(matchtype);
CHECK(dns_ssu_mtypefromstring(str, &mtype));
- if (mtype == dns_ssumatchtype_subdomain) {
+ if (mtype == dns_ssumatchtype_subdomain &&
+ strcasecmp(str, "zonesub") == 0) {
usezone = true;
}
|
--
2.26.2
|
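Review bot: The new condition `mtype == dns_ssumatchtype_subdomain && strcasecmp(str, "zonesub") == 0` tests the raw keyword after `dns_ssu_mtypefromstring()` has already translated it, and nothing in the hunk explains why an enum comparison needs a string comparison behind it; presumably both "subdomain" and "zonesub" map to dns_ssumatchtype_subdomain in this branch and only the latter should substitute the zone origin for the name, which is exactly the confusion the commit message describes for CVE-2020-8624. A comment on the condition would keep a future cleanup from "simplifying" the string test away, e.g. `/* "subdomain" and "zonesub" share a match type here; only "zonesub" takes the zone origin as the name (CVE-2020-8624, GL #2055). */`. The CHANGES entry quoted in the commit message (5481) is not part of the diff, so the patch file carries that text only in its header. configure_zone_ssutable starts and ends outside the hunk.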
@ -1,35 +0,0 @@
diff --git a/export-libs/Makefile b/export-libs/Makefile
index df15ea8..13f416b 100644
--- a/export-libs/Makefile
+++ b/export-libs/Makefile
@@ -404,20 +404,18 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
|
install:: isc-config.sh installdirs
- ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
- rm -f ${DESTDIR}${bindir}/bind9-config
- ln ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
- ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
- ln ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
- ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
+ ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}/isc-export-config.sh
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
+ ln ${DESTDIR}${bindir}/isc-export-config.sh ${DESTDIR}${bindir}/bind9-export-config
+ ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
+ ln ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-export-config.1
|
uninstall::
- rm -f ${DESTDIR}${sysconfdir}/bind.keys
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
- rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
- rm -f ${DESTDIR}${bindir}/bind9-config
- rm -f ${DESTDIR}${bindir}/isc-config.sh
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
+ rm -f ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
+ rm -f ${DESTDIR}${bindir}/isc-export-config.sh
|
tags:
rm -f TAGS
@ -1,65 +0,0 @@
From f9a37643528dc83b981156d0a1cf52e3d9a38322 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Mon, 2 Dec 2019 15:15:06 +0100
Subject: [PATCH] Fix GeoIP2 memory leak upon reconfiguration
|
Loaded GeoIP2 databases are only released when named is shut down, but
not during server reconfiguration. This causes memory to be leaked
every time "rndc reconfig" or "rndc reload" is used, as long as any
GeoIP2 database is in use. Fix by releasing any loaded GeoIP2 databases
before reloading them. Do not call dns_geoip_shutdown() until server
shutdown as that function releases the memory context used for caching
GeoIP2 lookup results.
|
(cherry picked from commit 670afbe84a87e202fa795079d9d6d1639bcf391d)
(cherry picked from commit 95a5589fa2ac3956fecfef780158a2745718c860)
---
bin/named/geoip.c | 2 --
bin/named/server.c | 6 ++++++
2 files changed, 6 insertions(+), 2 deletions(-)
|
diff --git a/bin/named/geoip.c b/bin/named/geoip.c
index d560f8fbcf..0b11f6b803 100644
--- a/bin/named/geoip.c
+++ b/bin/named/geoip.c
@@ -243,6 +243,4 @@ ns_geoip_shutdown(void) {
ns_g_geoip->domain = NULL;
}
#endif /* HAVE_GEOIP2 */
-
- dns_geoip_shutdown();
}
diff --git a/bin/named/server.c b/bin/named/server.c
index ebe7ad4702..4d7d2210ff 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -72,6 +72,7 @@
#include <dns/events.h>
#include <dns/forward.h>
#include <dns/fixedname.h>
+#include <dns/geoip.h>
#include <dns/journal.h>
#include <dns/keytable.h>
#include <dns/keyvalues.h>
@@ -7684,6 +7685,10 @@ load_configuration(const char *filename, ns_server_t *server,
isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
|
#if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
+ /*
+ * Release any previously opened GeoIP2 databases.
+ */
+ ns_geoip_shutdown();
/*
* Initialize GeoIP databases from the configured location.
* This should happen before configuring any ACLs, so that we
@@ -9030,6 +9035,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
#endif
#if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
ns_geoip_shutdown();
+ dns_geoip_shutdown();
#endif /* HAVE_GEOIP || HAVE_GEOIP2 */
|
dns_db_detach(&server->in_roothints);
--
2.21.1
|
@ -0,0 +1,31 @@
From 30753514ac06111da5b677fe7cdbafd696b1d620 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 22 Jul 2020 18:55:02 +0200
Subject: [PATCH] Prevent crash on dst initialization failure
|
server might be created, but not yet fully initialized, when fatal
function is called. Check both server and task before attaching
exclusive task.
|
(cherry picked from commit c5e7152cf04f75d0fe00163f076f4cc3cafce259)
(cherry picked from commit 35fbfaa4981333286437f26557db26863d4c5299)
---
bin/named/server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
|
diff --git a/bin/named/server.c b/bin/named/server.c
index 3cd8daf99e..38780ad3d7 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -9341,7 +9341,7 @@ ns_server_destroy(ns_server_t **serverp) {
|
static void
fatal(ns_server_t *server, const char *msg, isc_result_t result) {
- if (server != NULL) {
+ if (server != NULL && server->task != NULL) {
/*
* Prevent races between the OpenSSL on_exit registered
* function and any other OpenSSL calls from other tasks
--
2.26.2
|
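Review bot: The added guard `if (server != NULL && server->task != NULL)` relies on server->task being NULL, not merely uninitialised, whenever fatal() runs before the server is fully set up, and the hunk shows neither where task is zeroed nor what the rest of fatal() does with it, so a reader has to take the commit message on trust. A one-line comment at the condition would carry that reasoning into the code, e.g. `/* server->task is still NULL if we fail before the task exists (dst initialization); skip attaching the exclusive task then. */`. The body of fatal() continues past the end of the hunk, so whether a later unconditional use of server->task remains could not be checked here.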
@ -1,90 +0,0 @@
From 7e2d9531a79d289ee99dd436da14efb6d9a505fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 3 Jun 2020 14:42:11 +0200
Subject: [PATCH] Change the invalid CIDR from parser error to warning
|
In [RT #43367], the BIND 9 changed the strictness of address / prefix
length checks:
|
Check prefixes in acls to make sure the address and
prefix lengths are consistent. Warn only in
BIND 9.11 and earlier.
|
Unfortunately, a regression slipped in and the check was made an error
also in the BIND 9.11. This commit fixes the regression, but turning
the error into a warning.
---
bin/tests/system/checkconf/tests.sh | 9 +++++++++
...conf => warn-address-prefix-length-mismatch.conf} | 12 ++++++++++--
lib/isccfg/parser.c | 9 ---------
util/copyrights | 2 +-
4 files changed, 20 insertions(+), 12 deletions(-)
rename bin/tests/system/checkconf/{bad-ipv4-prefix-dotted2.conf => warn-address-prefix-length-mismatch.conf} (70%)
|
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 85fb4839e9..d2b0daa35c 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -386,6 +386,15 @@ grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
|
+n=`expr $n + 1`
+echo_i "check that invalid address/prefix length generates a warning ($n)"
+ret=0
+$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1
+LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1
+[ "$LINES" -eq 8 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
ret=0
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
similarity index 70%
rename from bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
rename to bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
index 2c768c7e1a..5e3bc3f6ee 100644
--- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
+++ b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
@@ -9,6 +9,14 @@
* information regarding copyright ownership.
*/
|
-acl myacl {
- 127.1/8; /* No-zero bits */
+zone example {
+ type master;
+ file "example.db";
+ auto-dnssec maintain;
+ allow-update {
+ 192.0.2.64/24;
+ 192.0.2.128/24;
+ 198.51.100.255/24;
+ 203.0.113.2/24;
+ };
};
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index e2af054661..44a1dfc37a 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -2634,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
"invalid prefix length");
return (ISC_R_RANGE);
}
- result = isc_netaddr_prefixok(&netaddr, prefixlen);
- if (result != ISC_R_SUCCESS) {
- char buf[ISC_NETADDR_FORMATSIZE + 1];
- isc_netaddr_format(&netaddr, buf, sizeof(buf));
- cfg_parser_error(pctx, CFG_LOG_NOPREP,
- "'%s/%u': address/prefix length "
- "mismatch", buf, prefixlen);
- return (ISC_R_FAILURE);
- }
} else {
if (expectprefix) {
cfg_parser_error(pctx, CFG_LOG_NEAR,
--
GitLab
|