Import tests for large DNS messages fix

Tests part of fixes of CVE-2023-4408. Related: RHEL-25348 ; Related: CVE-2023-4408
2024-02-19 12:35:59 +01:00 · 2024-02-19 12:35:59 +01:00 · b038cc79ce
commit b038cc79ce
parent 329c53c51c
3 changed files with 170 additions and 0 deletions
--- a/bind-9.16-CVE-2023-4408-test1.patch
+++ b/bind-9.16-CVE-2023-4408-test1.patch
@ -0,0 +1,88 @@
+From d258422d3e653621ce6340ba9af0153f8d4e8c07 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Sun, 11 Feb 2024 00:49:32 +0100
+Subject: [PATCH] Test case insensitive matching in isc_ht hash table
+ implementation
+
+The case insensitive matching in isc_ht was basically completely broken
+as only the hashvalue computation was case insensitive, but the key
+comparison was always case sensitive.
+
+Import only test part from upstream.
+
+(cherry picked from commit 175655b771fd17b06dfb8cfb29eaadf0f3b6a8b5)
+(cherry picked from upstream commit f493a8394102b0aeb101d5dc2f963004c8741175)
+---
+ lib/isc/tests/ht_test.c | 53 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/lib/isc/tests/ht_test.c b/lib/isc/tests/ht_test.c
+index 74d95c1..65502b5 100644
+--- a/lib/isc/tests/ht_test.c
+++ b/lib/isc/tests/ht_test.c
+@@ -334,9 +334,62 @@ isc_ht_iterator_test(void **state) {
+ 	test_ht_iterator();
+ }
+ 
+static void
+isc_ht_case(void **state) {
+	UNUSED(state);
+
+	isc_ht_t *ht = NULL;
+	void *f = NULL;
+	isc_result_t result = ISC_R_UNSET;
+
+	unsigned char lower[16] = { "test case" };
+	unsigned char same[16] = { "test case" };
+	unsigned char upper[16] = { "TEST CASE" };
+	unsigned char mixed[16] = { "tEsT CaSe" };
+
+	isc_ht_init(&ht, test_mctx, 8, ISC_HT_CASE_SENSITIVE);
+	assert_non_null(ht);
+
+	result = isc_ht_add(ht, lower, 16, (void *)lower);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_ht_add(ht, same, 16, (void *)same);
+	assert_int_equal(result, ISC_R_EXISTS);
+
+	result = isc_ht_add(ht, upper, 16, (void *)upper);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_ht_find(ht, mixed, 16, &f);
+	assert_int_equal(result, ISC_R_NOTFOUND);
+	assert_null(f);
+
+	isc_ht_destroy(&ht);
+	assert_null(ht);
+
+	isc_ht_init(&ht, test_mctx, 8, ISC_HT_CASE_INSENSITIVE);
+	assert_non_null(ht);
+
+	result = isc_ht_add(ht, lower, 16, (void *)lower);
+	assert_int_equal(result, ISC_R_SUCCESS);
+
+	result = isc_ht_add(ht, same, 16, (void *)same);
+	assert_int_equal(result, ISC_R_EXISTS);
+
+	result = isc_ht_add(ht, upper, 16, (void *)upper);
+	assert_int_equal(result, ISC_R_EXISTS);
+
+	result = isc_ht_find(ht, mixed, 16, &f);
+	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_ptr_equal(f, &lower);
+
+	isc_ht_destroy(&ht);
+	assert_null(ht);
+}
+
+ int
+ main(void) {
+ 	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(isc_ht_case),
+ 		cmocka_unit_test(isc_ht_20),
+ 		cmocka_unit_test(isc_ht_8),
+ 		cmocka_unit_test(isc_ht_1),
+-- 
+2.43.0
+
--- a/bind-9.16-CVE-2023-4408-test2.patch
+++ b/bind-9.16-CVE-2023-4408-test2.patch
@ -0,0 +1,75 @@
+From aa1b0fc4b24d26233db30c85ae3609e54e9fa6d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Sun, 11 Feb 2024 09:13:43 +0100
+Subject: [PATCH] Add a system test for mixed-case data for the same owner
+
+We were missing a test where a single owner name would have multiple
+types with a different case.  The generated RRSIGs and NSEC records will
+then have different case than the signed records and message parser have
+to cope with that and treat everything as the same owner.
+
+(cherry picked from commit a114042059ecbbc94ae0f604ca681323a75af480)
+(cherry picked from upstream commit b9c10a194da3358204f5ba7d91e55332db435614)
+---
+ bin/tests/system/dnssec/ns3/secure.example.db.in |  5 +++++
+ bin/tests/system/dnssec/ns3/sign.sh              |  4 +++-
+ bin/tests/system/dnssec/tests.sh                 | 15 +++++++++++++++
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
+index 27f2b24..599566e 100644
+--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
+@@ -45,3 +45,8 @@ rrsigonly		A	10.0.0.29
+ cnameandkey		CNAME	@
+ cnamenokey		CNAME	@
+ dnameandkey		DNAME	@
+
+mixedcase		A	10.0.0.30
+mixedCASE		TXT	"mixed case"
+MIXEDcase		AAAA	2002::
+mIxEdCaSe		LOC	37 52 56.788 N 121 54 55.02 W 1120m 10m 100m 10m
+diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
+index 80d412e..d94f382 100644
+--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
+@@ -86,7 +86,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
+ 
+ cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
+ 
+-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null
+cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
+mv "$zonefile".tmp "$zonefile".signed
+ 
+ zone=bogus.example.
+ infile=bogus.example.db.in
+diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
+index fe95c8d..0c03970 100644
+--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
+@@ -762,6 +762,21 @@ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+ 
+echo_i "checking mixed-case positive validation ($n)"
+ret=0
+for type in a txt aaaa loc; do
+  dig_with_opts +noauth mixedcase.secure.example. \
+    @10.53.0.3 $type >dig.out.$type.ns3.test$n || ret=1
+  dig_with_opts +noauth mixedcase.secure.example. \
+    @10.53.0.4 $type >dig.out.$type.ns4.test$n || ret=1
+  digcomp --lc dig.out.$type.ns3.test$n dig.out.$type.ns4.test$n || ret=1
+  grep "status: NOERROR" dig.out.$type.ns4.test$n >/dev/null || ret=1
+  grep "flags:.*ad.*QUERY" dig.out.$type.ns4.test$n >/dev/null || ret=1
+done
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+ echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
+ ret=0
+ dig_with_opts +noauth a.nsec3.example. \
+-- 
+2.43.0
+
--- a/bind9.16.spec
+++ b/bind9.16.spec
@ -134,6 +134,10 @@ Patch195: bind-9.16-CVE-2023-5517.patch
 Patch196: bind-9.16-CVE-2023-5679.patch
 Patch197: bind-9.16-CVE-2023-6516.patch
 Patch198: bind-9.16-CVE-2023-50387.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/f493a8394102b0aeb101d5dc2f963004c8741175
+Patch199: bind-9.16-CVE-2023-4408-test1.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/b9c10a194da3358204f5ba7d91e55332db435614
+Patch200: bind-9.16-CVE-2023-4408-test2.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -452,6 +456,8 @@ in HTML and PDF format.
 %patch196 -p1 -b .CVE-2023-5679
 %patch197 -p1 -b .CVE-2023-6516
 %patch198 -p1 -b .CVE-2023-50387
+%patch199 -p1
+%patch200 -p1

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1180,6 +1186,7 @@ fi;
  condition (CVE-2023-6516)
 - Prevent increased CPU consumption in DNSSEC validator (CVE-2023-50387
  CVE-2023-50868)
+- Import tests for large DNS messages fix

 * Wed Sep 20 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.16
 - Limit the amount of recursion possible in control channel (CVE-2023-3341)