Commit e7abb070 authored by Mark Andrews's avatar Mark Andrews Committed by Michał Kępień

Merge branch '1703-tsig-verify-failure' into security-master

parents a53bc0b2 2a020ea9
......@@ -91,7 +91,9 @@
from the Git repository, run "autoreconf -fi" first.
[GL #4]
5390. [placeholder]
5390. [security] Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (CVE-2020-8617)
[GL #1703]
5389. [bug] Finish PKCS#11 code cleanup, fix a couple of smaller
bugs and use PKCS#11 v3.0 EdDSA macros and constants.
......
# Transaction ID
1122
# Standard query
0000
# Questions: 1, Additional: 1
0001 0000 0000 0001
# QNAME: isc.org
03 69 73 63 03 6F 72 67 00
# Type: A (Host Address)
0001
# Class: IN
0001
# Specially crafted TSIG Resource Record
# Name: "sha256"
06 73 68 61 32 35 36 00
# Type: TSIG (Transaction Signature)
00fa
# Class: ANY
00ff
# TTL: 0
00000000
# RdLen: 29
001d
# Algorithm Name: hmac-sha256
0b 68 6D 61 63 2D 73 68 61 32 35 36 00
# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
00 00 00 00 00 00
# Fudge: 300
012c
# MAC Size: 0; MAC: empty
0000
# Original ID: 0
0000
# Error: BADSIG
0010
# Other Data Length: 0
0000
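Review bot: The TSIG error field at the end of the record (`# Error: BADSIG` / `0010`) encodes BADSIG (16), while the fixture is named badtime and the test that feeds it describes a 'BADTIME' response, so a reader will look here for a BADTIME (18) value and not find one. If BADSIG is intentional — it is one of the two error values the tsig.c change still tolerates with an empty MAC, and now only in a response — the comment should say so, e.g. `# Error: BADSIG (empty MAC is accepted only with BADSIG/BADKEY, and only in a response)`. The `# Time Signed` comment gives a CET wall-clock time for six zero bytes; writing it as `0 (Unix epoch)` would be timezone-independent.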
......@@ -212,5 +212,14 @@ ret=0
$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1
grep "unknown algorithm" keygen.out3 > /dev/null || ret=1
echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
ret=0
$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=1
fi
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
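Review bot: The exit status of `$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null` is not checked, so if the packet is never delivered (connection refused, missing fixture, packet.pl error) the following dig still answers NOERROR and the regression test passes without exercising the fix; append `|| ret=1` as the keygen line above does, assuming packet.pl reports delivery failure through its exit status. The check would also be stronger if it confirmed the server took the new rejection path rather than merely surviving, for instance by grepping the server log for the "signature was empty" message the tsig.c change now emits for requests — provided this harness logs at that level, which is not visible here.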
......@@ -14,7 +14,8 @@ Notes for BIND 9.17.2
Security Fixes
~~~~~~~~~~~~~~
- None.
- Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. This was disclosed in CVE-2020-8617. [GL #1703]
Known Issues
~~~~~~~~~~~~
......
......@@ -1360,8 +1360,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
goto cleanup_context;
}
msg->verified_sig = 1;
} else if (tsig.error != dns_tsigerror_badsig &&
tsig.error != dns_tsigerror_badkey)
} else if (!response || (tsig.error != dns_tsigerror_badsig &&
tsig.error != dns_tsigerror_badkey))
{
tsig_log(msg->tsigkey, 2, "signature was empty");
return (DNS_R_TSIGVERIFYFAILURE);
......@@ -1409,7 +1409,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
}
}
if (tsig.error != dns_rcode_noerror) {
if (response && tsig.error != dns_rcode_noerror) {
msg->tsigstatus = tsig.error;
if (tsig.error == dns_tsigerror_badtime) {
ret = DNS_R_CLOCKSKEW;
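Review bot: With `if (response && tsig.error != dns_rcode_noerror)` a request that carries a non-zero TSIG error field is now verified exactly as if the field were zero, with no diagnostic: the first hunk rejects the empty-MAC case, but a request whose MAC validates and whose error field says BADTIME or BADSIG silently falls through here. Whether such a request should be rejected outright I cannot tell from these lines, but operators would at least want a log line, e.g. `} else if (!response && tsig.error != dns_rcode_noerror) { tsig_log(msg->tsigkey, 2, "ignoring non-zero TSIG error field in request"); }` appended to this `if`. This assumes `response` is the request/response flag already computed earlier in the function; dns_tsig_verify starts and ends outside the hunk.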
......
......@@ -863,6 +863,7 @@
./bin/tests/system/tools/clean.sh SH 2017,2018,2019,2020
./bin/tests/system/tools/setup.sh SH 2019,2020
./bin/tests/system/tools/tests.sh SH 2017,2018,2019,2020
./bin/tests/system/tsig/badtime X 2020
./bin/tests/system/tsig/clean.sh SH 2005,2006,2007,2012,2014,2016,2018,2019,2020
./bin/tests/system/tsig/setup.sh SH 2016,2017,2018,2019,2020
./bin/tests/system/tsig/tests.sh SH 2005,2006,2007,2011,2012,2016,2018,2019,2020
......