ISC Open Source Projects / BIND / Commits / e7abb070
Commit e7abb070, authored Apr 21, 2020 by Mark Andrews; committed by Michał Kępień, May 19, 2020
Merge branch '1703-tsig-verify-failure' into security-master
parents a53bc0b2 2a020ea9
Changes: 6
CHANGES
...
...
@@ -91,7 +91,9 @@
from the Git repository, run "autoreconf -fi" first.
[GL #4]
5390. [placeholder]
5390. [security] Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (CVE-2020-8617)
[GL #1703]
5389. [bug] Finish PKCS#11 code cleanup, fix a couple of smaller
bugs and use PKCS#11 v3.0 EdDSA macros and constants.
...
...
bin/tests/system/tsig/badtime
0 → 100644
# Transaction ID
1122
# Standard query
0000
# Questions: 1, Additional: 1
0001 0000 0000 0001
# QNAME: isc.org
03 69 73 63 03 6F 72 67 00
# Type: A (Host Address)
0001
# Class: IN
0001
# Specially crafted TSIG Resource Record
# Name: "sha256"
06 73 68 61 32 35 36 00
# Type: TSIG (Transaction Signature)
00fa
# Class: ANY
00ff
# TTL: 0
00000000
# RdLen: 29
001d
# Algorithm Name: hmac-sha256
0b 68 6D 61 63 2D 73 68 61 32 35 36 00
# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
00 00 00 00 00 00
# Fudge: 300
012c
# MAC Size: 0; MAC: empty
0000
# Original ID: 0
0000
# Error: BADSIG
0010
# Other Data Length: 0
0000
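Review bot: the TSIG error field at the end of this packet is `0010`, which the comment itself labels BADSIG, while the file name (`badtime`) and the echo_i text in tests.sh describe the packet as a BADTIME response replayed as a request. Either the value and its comment should be the BADTIME error code, or the file name and test description should say BADSIG; as written a reader cannot tell which error path the regression test is meant to cover. The rest of the fixture is self-consistent: the header flags `0000` give QR=0 as intended, and RdLen `001d` matches the 29 bytes of RDATA that follow (13 for the algorithm name, 6 time signed, 2 fudge, 2 MAC size, 2 original ID, 2 error, 2 other data length).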
bin/tests/system/tsig/tests.sh
...
...
@@ -212,5 +212,14 @@ ret=0
$KEYGEN
-a
hmac-sha256
-b
128
-n
host example.net
>
keygen.out3 2>&1
&&
ret
=
1
grep
"unknown algorithm"
keygen.out3
>
/dev/null
||
ret
=
1
echo_i
"check that a 'BADTIME' response with 'QR=0' is handled as a request"
ret
=
0
$PERL
../packet.pl
-a
10.53.0.1
-p
${
PORT
}
-t
tcp < badtime
>
/dev/null
$DIG
-p
${
PORT
}
@10.53.0.1 version.bind txt ch
>
dig.out.verify
||
ret
=
1
grep
"status: NOERROR"
dig.out.verify
>
/dev/null
||
ret
=
1
if
[
$ret
-eq
1
]
;
then
echo_i
"failed"
;
status
=
1
fi
echo_i
"exit status:
$status
"
[
$status
-eq
0
]
||
exit
1
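Review bot: the `$PERL ../packet.pl ... < badtime > /dev/null` line has no `|| ret=1`, unlike the `$DIG` and `grep` lines that follow it, so if packet.pl fails to connect or to send the crafted packet the test still passes as long as the server answers `version.bind`; the check then degrades to a plain liveness probe that never exercised the TSIG verify path. Suggest `... > /dev/null || ret=1`, and consider capturing packet.pl's output in a file instead of discarding it, so a send failure is diagnosable from the test artifacts. A short comment above the echo_i line noting that the expected outcome is simply that named survives and keeps answering (not any particular rcode for the bad request) would also make the intent clear to the next reader.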
doc/notes/notes-current.rst
...
...
@@ -14,7 +14,8 @@ Notes for BIND 9.17.2
Security Fixes
~~~~~~~~~~~~~~
- None.
- Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. This was disclosed in CVE-2020-8617. [GL #1703]
Known Issues
~~~~~~~~~~~~
...
...
lib/dns/tsig.c
...
...
@@ -1360,8 +1360,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
goto
cleanup_context
;
}
msg
->
verified_sig
=
1
;
}
else
if
(
tsig
.
error
!=
dns_tsigerror_badsig
&&
tsig
.
error
!=
dns_tsigerror_badkey
)
}
else
if
(
!
response
||
(
tsig
.
error
!=
dns_tsigerror_badsig
&&
tsig
.
error
!=
dns_tsigerror_badkey
)
)
{
tsig_log
(
msg
->
tsigkey
,
2
,
"signature was empty"
);
return
(
DNS_R_TSIGVERIFYFAILURE
);
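Review bot: the added `!response ||` term is the right narrowing for the request path, but nothing in the code records why an empty MAC is tolerated only on a response whose error is BADSIG or BADKEY; a one-line comment above the `else if` (for example `/* an unsigned TSIG is only legitimate in an error response; a request must always carry a MAC */`) would keep a later refactor from dropping the term again. Also, `tsig_log(msg->tsigkey, 2, "signature was empty")` is now emitted for requests as well as responses; distinguishing the request case in the log text would let an operator tell a replayed error response from a genuinely unsigned request when triaging verification failures.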
...
...
@@ -1409,7 +1409,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
}
}
if
(
tsig
.
error
!=
dns_rcode_noerror
)
{
if
(
response
&&
tsig
.
error
!=
dns_rcode_noerror
)
{
msg
->
tsigstatus
=
tsig
.
error
;
if
(
tsig
.
error
==
dns_tsigerror_badtime
)
{
ret
=
DNS_R_CLOCKSKEW
;
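Review bot: with `response &&` added, a request whose TSIG carries a non-zero error no longer sets `msg->tsigstatus` and never reaches the BADTIME/`DNS_R_CLOCKSKEW` branch, which is the intended narrowing; the hunk context does not show what `ret` holds when the request path falls out of this block, so please confirm that it ends in a verify failure rather than the success path and that a request's error field is otherwise ignored. A comment stating that the TSIG error field is only meaningful in a response (a request can claim an error but cannot report one) would document the invariant that both hunks in this file now enforce.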
...
...
util/copyrights
...
...
@@ -863,6 +863,7 @@
./bin/tests/system/tools/clean.sh SH 2017,2018,2019,2020
./bin/tests/system/tools/setup.sh SH 2019,2020
./bin/tests/system/tools/tests.sh SH 2017,2018,2019,2020
./bin/tests/system/tsig/badtime X 2020
./bin/tests/system/tsig/clean.sh SH 2005,2006,2007,2012,2014,2016,2018,2019,2020
./bin/tests/system/tsig/setup.sh SH 2016,2017,2018,2019,2020
./bin/tests/system/tsig/tests.sh SH 2005,2006,2007,2011,2012,2016,2018,2019,2020
...
...