projects / apt.git / blame
| Commit | Line | Data |
|---|---|---|
| 631a7dc7 MV |
1 | #!/bin/sh |
| 2 | # | |
| 3 | # ensure we never fallback from a signed to a unsigned repo | |
| 4 | # | |
| 5 | # hash checks are done in | |
| 6 | # | |
| 7 | set -e | |
| 8 | ||
| 9 | simulate_mitm_and_inject_evil_package() | |
| 10 | { | |
| 6bf93605 | 11 | redatereleasefiles '+1 hour' |
| 631a7dc7 MV |
12 | rm -f $APTARCHIVE/dists/unstable/InRelease |
| 13 | rm -f $APTARCHIVE/dists/unstable/Release.gpg | |
| 14 | inject_evil_package | |
| 15 | } | |
| 16 | ||
| 17 | inject_evil_package() | |
| 18 | { | |
| 19 | cat > $APTARCHIVE/dists/unstable/main/binary-i386/Packages <<EOF | |
| 20 | Package: evil | |
| 21 | Installed-Size: 29 | |
| 22 | Maintainer: Joe Sixpack <joe@example.org> | |
| 23 | Architecture: all | |
| 24 | Version: 1.0 | |
| 25 | Filename: pool/evil_1.0_all.deb | |
| 26 | Size: 1270 | |
| 27 | Description: an autogenerated evil package | |
| 28 | EOF | |
| 29 | # avoid ims hit | |
| 30 | touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages | |
| 448c38bd | 31 | compressfile aptarchive/dists/unstable/main/binary-i386/Packages |
| 631a7dc7 MV |
32 | } |
| 33 | ||
| 34 | assert_update_is_refused_and_last_good_state_used() | |
| 35 | { | |
| 1da3b7b8 | 36 | testfailuremsg "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed." aptget update |
| 631a7dc7 MV |
37 | |
| 38 | assert_repo_is_intact | |
| 39 | } | |
| 40 | ||
| 41 | assert_repo_is_intact() | |
| 42 | { | |
| 25b86db1 | 43 | testsuccessequal "foo/unstable 2.0 all" apt list -q |
| 846bc058 DK |
44 | testsuccess aptget install -y -s foo |
| 45 | testfailure aptget install -y evil | |
| 46 | testsuccess aptget source foo --print-uris | |
| 631a7dc7 MV |
47 | |
| 48 | LISTDIR=rootdir/var/lib/apt/lists | |
| 49 | if ! ( ls $LISTDIR/*InRelease >/dev/null 2>&1 || | |
| 50 | ls $LISTDIR/*Release.gpg >/dev/null 2>&1 ); then | |
| 51 | echo "Can not find InRelease/Release.gpg in $(ls $LISTDIR)" | |
| 52 | msgfail | |
| 53 | fi | |
| 54 | } | |
| 55 | ||
| 56 | setupaptarchive_with_lists_clean() | |
| 57 | { | |
| 58 | setupaptarchive --no-update | |
| 4fa34122 | 59 | rm -rf rootdir/var/lib/apt/lists |
| 631a7dc7 MV |
60 | } |
| 61 | ||
| 62 | test_from_inrelease_to_unsigned() | |
| 63 | { | |
| 64 | # setup archive with InRelease file | |
| 65 | setupaptarchive_with_lists_clean | |
| 66 | testsuccess aptget update | |
| 846bc058 | 67 | listcurrentlistsdirectory > lists.before |
| 631a7dc7 MV |
68 | |
| 69 | simulate_mitm_and_inject_evil_package | |
| 70 | assert_update_is_refused_and_last_good_state_used | |
| 846bc058 | 71 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
| 631a7dc7 MV |
72 | } |
| 73 | ||
| 74 | test_from_release_gpg_to_unsigned() | |
| 75 | { | |
| 76 | # setup archive with Release/Release.gpg (but no InRelease) | |
| 77 | setupaptarchive_with_lists_clean | |
| 78 | rm $APTARCHIVE/dists/unstable/InRelease | |
| 79 | testsuccess aptget update | |
| 846bc058 | 80 | listcurrentlistsdirectory > lists.before |
| 631a7dc7 MV |
81 | |
| 82 | simulate_mitm_and_inject_evil_package | |
| 83 | assert_update_is_refused_and_last_good_state_used | |
| 846bc058 | 84 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
| 631a7dc7 MV |
85 | } |
| 86 | ||
| c99fe2e1 MV |
87 | test_from_inrelease_to_unsigned_with_override() |
| 88 | { | |
| 89 | # setup archive with InRelease file | |
| 90 | setupaptarchive_with_lists_clean | |
| 448c38bd | 91 | testsuccess aptget update |
| c99fe2e1 MV |
92 | |
| 93 | # simulate moving to a unsigned but otherwise valid repo | |
| 94 | simulate_mitm_and_inject_evil_package | |
| 448c38bd DK |
95 | generatereleasefiles '+2 hours' |
| 96 | find $APTARCHIVE -name '*Packages*' -exec touch -d '+2 hours' {} \; | |
| c99fe2e1 MV |
97 | |
| 98 | # and ensure we can update to it (with enough force) | |
| 4fa34122 | 99 | testwarning aptget update --allow-insecure-repositories \ |
| 448c38bd | 100 | -o Acquire::AllowDowngradeToInsecureRepositories=1 -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1 |
| c99fe2e1 | 101 | # but that the individual packages are still considered untrusted |
| 25b86db1 | 102 | testfailureequal "WARNING: The following packages cannot be authenticated! |
| c99fe2e1 MV |
103 | evil |
| 104 | E: There are problems and -y was used without --force-yes" aptget install -qq -y evil | |
| 105 | } | |
| 106 | ||
| 631a7dc7 MV |
107 | test_cve_2012_0214() |
| 108 | { | |
| 109 | # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108 | |
| 110 | # | |
| 111 | # it was possible to MITM the download so that InRelease/Release.gpg | |
| 112 | # are not delivered (404) and a altered Release file was send | |
| 113 | # | |
| 114 | # apt left the old InRelease file in /var/lib/apt/lists and downloaded | |
| 115 | # the unauthenticated Release file too giving the false impression that | |
| 116 | # Release was authenticated | |
| 117 | # | |
| 118 | # Note that this is pretty much impossible nowdays because: | |
| 119 | # a) InRelease is left as is, not split to InRelease/Release as it was | |
| 120 | # in the old days | |
| 121 | # b) we refuse to go from signed->unsigned | |
| 122 | # | |
| 123 | # Still worth having a regression test the simulates the condition | |
| 124 | ||
| 125 | # setup archive with InRelease | |
| 126 | setupaptarchive_with_lists_clean | |
| 127 | testsuccess aptget update | |
| 846bc058 | 128 | listcurrentlistsdirectory > lists.before |
| 631a7dc7 MV |
129 | |
| 130 | # do what CVE-2012-0214 did | |
| 131 | rm $APTARCHIVE/dists/unstable/InRelease | |
| 132 | rm $APTARCHIVE/dists/unstable/Release.gpg | |
| 133 | inject_evil_package | |
| 134 | # build valid Release file | |
| 135 | aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release | |
| 136 | ||
| 137 | assert_update_is_refused_and_last_good_state_used | |
| 846bc058 | 138 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
| 631a7dc7 MV |
139 | |
| 140 | # ensure there is no _Release file downloaded | |
| 141 | testfailure ls rootdir/var/lib/apt/lists/*_Release | |
| 142 | } | |
| 143 | ||
| 144 | test_subvert_inrelease() | |
| 145 | { | |
| 146 | # setup archive with InRelease | |
| 147 | setupaptarchive_with_lists_clean | |
| 148 | testsuccess aptget update | |
| 846bc058 | 149 | listcurrentlistsdirectory > lists.before |
| 631a7dc7 MV |
150 | |
| 151 | # replace InRelease with something else | |
| 152 | mv $APTARCHIVE/dists/unstable/Release $APTARCHIVE/dists/unstable/InRelease | |
| 153 | ||
| dd676dc7 DK |
154 | testfailuremsg "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?) |
| 155 | E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update | |
| 631a7dc7 MV |
156 | |
| 157 | # ensure we keep the repo | |
| 846bc058 | 158 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
| 631a7dc7 MV |
159 | assert_repo_is_intact |
| 160 | } | |
| 161 | ||
| 162 | test_inrelease_to_invalid_inrelease() | |
| 163 | { | |
| 164 | # setup archive with InRelease | |
| 165 | setupaptarchive_with_lists_clean | |
| 166 | testsuccess aptget update | |
| 846bc058 | 167 | listcurrentlistsdirectory > lists.before |
| 631a7dc7 MV |
168 | |
| 169 | # now remove InRelease and subvert Release do no longer verify | |
| 448c38bd | 170 | sed -i 's/^Codename:.*/Codename: evil!/' $APTARCHIVE/dists/unstable/InRelease |
| 631a7dc7 MV |
171 | inject_evil_package |
| 172 | ||
| 1da3b7b8 | 173 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
| 4dbfe436 | 174 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
| 631a7dc7 MV |
175 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq |
| 176 | ||
| 177 | # ensure we keep the repo | |
| 846bc058 DK |
178 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease |
| 179 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
| 631a7dc7 | 180 | assert_repo_is_intact |
| 631a7dc7 MV |
181 | } |
| 182 | ||
| 183 | test_release_gpg_to_invalid_release_release_gpg() | |
| 184 | { | |
| 185 | # setup archive with InRelease | |
| 186 | setupaptarchive_with_lists_clean | |
| 187 | rm $APTARCHIVE/dists/unstable/InRelease | |
| 188 | testsuccess aptget update | |
| 846bc058 | 189 | listcurrentlistsdirectory > lists.before |
| 631a7dc7 MV |
190 | |
| 191 | # now subvert Release do no longer verify | |
| 192 | echo "Some evil data" >> $APTARCHIVE/dists/unstable/Release | |
| 193 | inject_evil_package | |
| 194 | ||
| 1da3b7b8 | 195 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
| 03aa0847 | 196 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
| 8beef749 | 197 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq |
| 631a7dc7 | 198 | |
| 846bc058 DK |
199 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release |
| 200 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
| 631a7dc7 | 201 | assert_repo_is_intact |
| 631a7dc7 MV |
202 | } |
| 203 | ||
| 204 | ||
| 205 | TESTDIR=$(readlink -f $(dirname $0)) | |
| 206 | . $TESTDIR/framework | |
| 207 | ||
| 208 | setupenvironment | |
| 209 | configarchitecture "i386" | |
| 210 | ||
| 211 | # a "normal" package with source and binary | |
| 212 | buildsimplenativepackage 'foo' 'all' '2.0' | |
| 213 | ||
| 214 | # setup the archive and ensure we have a single package that installs fine | |
| 215 | setupaptarchive | |
| 216 | APTARCHIVE=$(readlink -f ./aptarchive) | |
| 217 | assert_repo_is_intact | |
| 218 | ||
| 219 | # test the various cases where a repo may go from signed->unsigned | |
| 220 | msgmsg "test_from_inrelease_to_unsigned" | |
| 221 | test_from_inrelease_to_unsigned | |
| 222 | ||
| 223 | msgmsg "test_from_release_gpg_to_unsigned" | |
| 224 | test_from_release_gpg_to_unsigned | |
| 225 | ||
| 226 | # ensure we do not regress on CVE-2012-0214 | |
| 227 | msgmsg "test_cve_2012_0214" | |
| 228 | test_cve_2012_0214 | |
| 229 | ||
| 230 | # ensure InRelase can not be subverted | |
| 231 | msgmsg "test_subvert_inrelease" | |
| 232 | test_subvert_inrelease | |
| 233 | ||
| 234 | # ensure we revert to last good state if InRelease does not verify | |
| 235 | msgmsg "test_inrelease_to_invalid_inrelease" | |
| 236 | test_inrelease_to_invalid_inrelease | |
| 237 | ||
| 238 | # ensure we revert to last good state if Release/Release.gpg does not verify | |
| 239 | msgmsg "test_release_gpg_to_invalid_release_release_gpg" | |
| 240 | test_release_gpg_to_invalid_release_release_gpg | |
| c99fe2e1 | 241 | |
| 846bc058 DK |
242 | # ensure we can override the downgrade error |
| 243 | msgmsg "test_from_inrelease_to_unsigned_with_override" | |
| c99fe2e1 | 244 | test_from_inrelease_to_unsigned_with_override |