Add test case into dnssec system test for new regression

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11195 Resolves: RHEL-123307
2025-11-04 14:24:41 +01:00 · 2025-11-04 14:24:41 +01:00 · 060ccdf9e2
commit 060ccdf9e2
parent 5244b44cf3
2 changed files with 174 additions and 0 deletions
--- a/bind-9.20-CVE-2025-8677-dual-signing-test.patch
+++ b/bind-9.20-CVE-2025-8677-dual-signing-test.patch
@ -0,0 +1,172 @@
+From 1cbe670c421ca866fe8cbde661801e89e254a46d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Sat, 1 Nov 2025 12:00:59 +0100
+Subject: [PATCH] Add a system test with one good and one bad algorithm
+
+The case where there would be one supported algorithm and one already
+unsupported (like RSAMD5 or RSASHA1) was missing.
+
+(cherry picked from commit 3aa6f585e0466700e5d4b64fffccf883bb1c21dd)
+---
+ bin/tests/system/dnssec/ns2/example.db.in  |  4 +++
+ bin/tests/system/dnssec/ns2/sign.sh        |  3 ++-
+ bin/tests/system/dnssec/ns3/named.conf.in  |  6 +++++
+ bin/tests/system/dnssec/ns3/sign.sh        | 31 ++++++++++++++++++++++
+ bin/tests/system/dnssec/ns3/template.db.in | 27 +++++++++++++++++++
+ bin/tests/system/dnssec/tests.sh           | 11 ++++++++
+ bin/tests/system/dnssec/tests_sh_dnssec.py |  1 +
+ 7 files changed, 82 insertions(+), 1 deletion(-)
+ create mode 100644 bin/tests/system/dnssec/ns3/template.db.in
+
+diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
+index f711f5823f..63d41e5e00 100644
+--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
+@@ -168,4 +168,8 @@ ns.managed-future	A	10.53.0.3
+ revkey			NS	ns.revkey
+ ns.revkey		A	10.53.0.3
+ 
+; A secure subdomain with extra bad key
+extrabadkey		NS	ns3.extrabadkey
+ns3.extrabadkey		A	10.53.0.3
+
+ dname-at-apex-nsec3	NS	ns3
+diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
+index b60e82a631..eb008067a4 100644
+--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
+@@ -62,7 +62,8 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
+   ttlpatch split-dnssec split-smart expired expiring upper lower \
+   dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
+   dnskey-nsec3-unknown managed-future revkey \
+-  dname-at-apex-nsec3 occluded; do
+  dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \
+  extrabadkey; do
+   cp "../ns3/dsset-$subdomain.example." .
+ done
+ 
+diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
+index 680cff58d5..3536046319 100644
+--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
+@@ -84,6 +84,12 @@ zone "insecure2.example" {
+ 	allow-update { any; };
+ };
+ 
+zone "extrabadkey.example" {
+	type primary;
+	file "extrabadkey.example.db.signed";
+	allow-update { any; };
+};
+
+ zone "insecure.nsec3.example" {
+ 	type primary;
+ 	file "insecure.nsec3.example.db";
+diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
+index 14fc709bfb..743a0e4121 100644
+--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
+@@ -673,3 +673,34 @@ $DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}."
+ cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
+   "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
+ "$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
+
+#
+#
+#
+zone=extrabadkey.example.
+infile=template.db.in
+zonefile=extrabadkey.example.db
+
+# Add KSK and ZSK that we will mangle to RSAMD5
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+"$SIGNER" -g -O full -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Mangle the signatures to RSAMD5 and save them for future use
+sed -ne "s/\(IN[[:space:]]*RRSIG[[:space:]]*[A-Z]*\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /p" < "$zonefile.signed" > "$zonefile.signed.rsamd5"
+
+# Now add normal KSK and ZSK to the zone file
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+
+# Mangle the DNSKEY algorithm numbers and add them to the signed zone file
+cat "$ksk.key" "$zsk.key" | sed -e "s/\(IN[[:space:]]*DNSKEY[[:space:]]*[0-9]* 3\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /" >> "$zonefile"
+
+# Sign normally
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Add the mangled signatures to signed zone file
+cat "$zonefile.signed.rsamd5" >> "$zonefile.signed"
+rm "$zonefile.signed.rsamd5"
+diff --git a/bin/tests/system/dnssec/ns3/template.db.in b/bin/tests/system/dnssec/ns3/template.db.in
+new file mode 100644
+index 0000000000..f603e448ff
+--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/template.db.in
+@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+a.b			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
+index b58b11a5c7..d3690eee6b 100644
+--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
+@@ -4497,5 +4497,16 @@ n=$((n + 1))
+ if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+ 
+echo_i "checking extra-bad-algorithm positive validation ($n)"
+ret=0
+dig_with_opts +noauth a.extrabadkey.example. @10.53.0.3 A >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.extrabadkey.example. @10.53.0.4 A >dig.out.ns4.test$n || ret=1
+digcomp --lc dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
+index 529a4a0e10..f731ea2ab4 100644
+--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
+@@ -92,6 +92,7 @@ pytestmark = pytest.mark.extra_artifacts(
+         "ns3/example.bk",
+         "ns3/expired.example.db",
+         "ns3/expiring.example.db",
+        "ns3/extrabadkey.example.db",
+         "ns3/future.example.db",
+         "ns3/keyless.example.db",
+         "ns3/kskonly.example.db",
+-- 
+2.51.1
+
--- a/bind.spec
+++ b/bind.spec
@ -154,6 +154,8 @@ Patch224: bind-9.18-CVE-2025-40778.patch
 Patch225: bind-9.18-CVE-2025-40780.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11194
 Patch226: bind-9.20-CVE-2025-8677-dual-signing.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11195
+Patch227: bind-9.20-CVE-2025-8677-dual-signing-test.patch

 %{?systemd_ordering}
 # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers