]>
Commit | Line | Data |
---|---|---|
631a7dc7 MV |
1 | #!/bin/sh |
2 | # | |
3 | # ensure we never fallback from a signed to a unsigned repo | |
4 | # | |
5 | # hash checks are done in | |
6 | # | |
7 | set -e | |
8 | ||
9 | simulate_mitm_and_inject_evil_package() | |
10 | { | |
6bf93605 | 11 | redatereleasefiles '+1 hour' |
631a7dc7 MV |
12 | rm -f $APTARCHIVE/dists/unstable/InRelease |
13 | rm -f $APTARCHIVE/dists/unstable/Release.gpg | |
14 | inject_evil_package | |
15 | } | |
16 | ||
17 | inject_evil_package() | |
18 | { | |
19 | cat > $APTARCHIVE/dists/unstable/main/binary-i386/Packages <<EOF | |
20 | Package: evil | |
21 | Installed-Size: 29 | |
22 | Maintainer: Joe Sixpack <joe@example.org> | |
23 | Architecture: all | |
24 | Version: 1.0 | |
25 | Filename: pool/evil_1.0_all.deb | |
26 | Size: 1270 | |
27 | Description: an autogenerated evil package | |
28 | EOF | |
29 | # avoid ims hit | |
30 | touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages | |
448c38bd | 31 | compressfile aptarchive/dists/unstable/main/binary-i386/Packages |
631a7dc7 MV |
32 | } |
33 | ||
34 | assert_update_is_refused_and_last_good_state_used() | |
35 | { | |
1da3b7b8 | 36 | testfailuremsg "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed." aptget update |
631a7dc7 MV |
37 | |
38 | assert_repo_is_intact | |
39 | } | |
40 | ||
41 | assert_repo_is_intact() | |
42 | { | |
25b86db1 | 43 | testsuccessequal "foo/unstable 2.0 all" apt list -q |
846bc058 DK |
44 | testsuccess aptget install -y -s foo |
45 | testfailure aptget install -y evil | |
46 | testsuccess aptget source foo --print-uris | |
631a7dc7 MV |
47 | |
48 | LISTDIR=rootdir/var/lib/apt/lists | |
49 | if ! ( ls $LISTDIR/*InRelease >/dev/null 2>&1 || | |
50 | ls $LISTDIR/*Release.gpg >/dev/null 2>&1 ); then | |
51 | echo "Can not find InRelease/Release.gpg in $(ls $LISTDIR)" | |
52 | msgfail | |
53 | fi | |
54 | } | |
55 | ||
56 | setupaptarchive_with_lists_clean() | |
57 | { | |
58 | setupaptarchive --no-update | |
4fa34122 | 59 | rm -rf rootdir/var/lib/apt/lists |
631a7dc7 MV |
60 | } |
61 | ||
62 | test_from_inrelease_to_unsigned() | |
63 | { | |
64 | # setup archive with InRelease file | |
65 | setupaptarchive_with_lists_clean | |
66 | testsuccess aptget update | |
846bc058 | 67 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
68 | |
69 | simulate_mitm_and_inject_evil_package | |
70 | assert_update_is_refused_and_last_good_state_used | |
846bc058 | 71 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
72 | } |
73 | ||
74 | test_from_release_gpg_to_unsigned() | |
75 | { | |
76 | # setup archive with Release/Release.gpg (but no InRelease) | |
77 | setupaptarchive_with_lists_clean | |
78 | rm $APTARCHIVE/dists/unstable/InRelease | |
79 | testsuccess aptget update | |
846bc058 | 80 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
81 | |
82 | simulate_mitm_and_inject_evil_package | |
83 | assert_update_is_refused_and_last_good_state_used | |
846bc058 | 84 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
85 | } |
86 | ||
c99fe2e1 MV |
87 | test_from_inrelease_to_unsigned_with_override() |
88 | { | |
89 | # setup archive with InRelease file | |
90 | setupaptarchive_with_lists_clean | |
448c38bd | 91 | testsuccess aptget update |
c99fe2e1 MV |
92 | |
93 | # simulate moving to a unsigned but otherwise valid repo | |
94 | simulate_mitm_and_inject_evil_package | |
448c38bd DK |
95 | generatereleasefiles '+2 hours' |
96 | find $APTARCHIVE -name '*Packages*' -exec touch -d '+2 hours' {} \; | |
c99fe2e1 MV |
97 | |
98 | # and ensure we can update to it (with enough force) | |
4fa34122 | 99 | testwarning aptget update --allow-insecure-repositories \ |
448c38bd | 100 | -o Acquire::AllowDowngradeToInsecureRepositories=1 -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1 |
c99fe2e1 | 101 | # but that the individual packages are still considered untrusted |
25b86db1 | 102 | testfailureequal "WARNING: The following packages cannot be authenticated! |
c99fe2e1 MV |
103 | evil |
104 | E: There are problems and -y was used without --force-yes" aptget install -qq -y evil | |
105 | } | |
106 | ||
631a7dc7 MV |
107 | test_cve_2012_0214() |
108 | { | |
109 | # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108 | |
110 | # | |
111 | # it was possible to MITM the download so that InRelease/Release.gpg | |
112 | # are not delivered (404) and a altered Release file was send | |
113 | # | |
114 | # apt left the old InRelease file in /var/lib/apt/lists and downloaded | |
115 | # the unauthenticated Release file too giving the false impression that | |
116 | # Release was authenticated | |
117 | # | |
118 | # Note that this is pretty much impossible nowdays because: | |
119 | # a) InRelease is left as is, not split to InRelease/Release as it was | |
120 | # in the old days | |
121 | # b) we refuse to go from signed->unsigned | |
122 | # | |
123 | # Still worth having a regression test the simulates the condition | |
124 | ||
125 | # setup archive with InRelease | |
126 | setupaptarchive_with_lists_clean | |
127 | testsuccess aptget update | |
846bc058 | 128 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
129 | |
130 | # do what CVE-2012-0214 did | |
131 | rm $APTARCHIVE/dists/unstable/InRelease | |
132 | rm $APTARCHIVE/dists/unstable/Release.gpg | |
133 | inject_evil_package | |
134 | # build valid Release file | |
135 | aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release | |
136 | ||
137 | assert_update_is_refused_and_last_good_state_used | |
846bc058 | 138 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
139 | |
140 | # ensure there is no _Release file downloaded | |
141 | testfailure ls rootdir/var/lib/apt/lists/*_Release | |
142 | } | |
143 | ||
144 | test_subvert_inrelease() | |
145 | { | |
146 | # setup archive with InRelease | |
147 | setupaptarchive_with_lists_clean | |
148 | testsuccess aptget update | |
846bc058 | 149 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
150 | |
151 | # replace InRelease with something else | |
152 | mv $APTARCHIVE/dists/unstable/Release $APTARCHIVE/dists/unstable/InRelease | |
153 | ||
25b86db1 | 154 | testfailureequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Does not start with a cleartext signature |
631a7dc7 MV |
155 | |
156 | E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq | |
157 | ||
158 | # ensure we keep the repo | |
846bc058 | 159 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
160 | assert_repo_is_intact |
161 | } | |
162 | ||
163 | test_inrelease_to_invalid_inrelease() | |
164 | { | |
165 | # setup archive with InRelease | |
166 | setupaptarchive_with_lists_clean | |
167 | testsuccess aptget update | |
846bc058 | 168 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
169 | |
170 | # now remove InRelease and subvert Release do no longer verify | |
448c38bd | 171 | sed -i 's/^Codename:.*/Codename: evil!/' $APTARCHIVE/dists/unstable/InRelease |
631a7dc7 MV |
172 | inject_evil_package |
173 | ||
1da3b7b8 | 174 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
631a7dc7 | 175 | |
4dbfe436 | 176 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
631a7dc7 MV |
177 | |
178 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq | |
179 | ||
180 | # ensure we keep the repo | |
846bc058 DK |
181 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease |
182 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
631a7dc7 | 183 | assert_repo_is_intact |
631a7dc7 MV |
184 | } |
185 | ||
186 | test_release_gpg_to_invalid_release_release_gpg() | |
187 | { | |
188 | # setup archive with InRelease | |
189 | setupaptarchive_with_lists_clean | |
190 | rm $APTARCHIVE/dists/unstable/InRelease | |
191 | testsuccess aptget update | |
846bc058 | 192 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
193 | |
194 | # now subvert Release do no longer verify | |
195 | echo "Some evil data" >> $APTARCHIVE/dists/unstable/Release | |
196 | inject_evil_package | |
197 | ||
1da3b7b8 | 198 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
8beef749 | 199 | |
03aa0847 | 200 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
8beef749 MV |
201 | |
202 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq | |
631a7dc7 | 203 | |
846bc058 DK |
204 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release |
205 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
631a7dc7 | 206 | assert_repo_is_intact |
631a7dc7 MV |
207 | } |
208 | ||
209 | ||
210 | TESTDIR=$(readlink -f $(dirname $0)) | |
211 | . $TESTDIR/framework | |
212 | ||
213 | setupenvironment | |
214 | configarchitecture "i386" | |
215 | ||
216 | # a "normal" package with source and binary | |
217 | buildsimplenativepackage 'foo' 'all' '2.0' | |
218 | ||
219 | # setup the archive and ensure we have a single package that installs fine | |
220 | setupaptarchive | |
221 | APTARCHIVE=$(readlink -f ./aptarchive) | |
222 | assert_repo_is_intact | |
223 | ||
224 | # test the various cases where a repo may go from signed->unsigned | |
225 | msgmsg "test_from_inrelease_to_unsigned" | |
226 | test_from_inrelease_to_unsigned | |
227 | ||
228 | msgmsg "test_from_release_gpg_to_unsigned" | |
229 | test_from_release_gpg_to_unsigned | |
230 | ||
231 | # ensure we do not regress on CVE-2012-0214 | |
232 | msgmsg "test_cve_2012_0214" | |
233 | test_cve_2012_0214 | |
234 | ||
235 | # ensure InRelase can not be subverted | |
236 | msgmsg "test_subvert_inrelease" | |
237 | test_subvert_inrelease | |
238 | ||
239 | # ensure we revert to last good state if InRelease does not verify | |
240 | msgmsg "test_inrelease_to_invalid_inrelease" | |
241 | test_inrelease_to_invalid_inrelease | |
242 | ||
243 | # ensure we revert to last good state if Release/Release.gpg does not verify | |
244 | msgmsg "test_release_gpg_to_invalid_release_release_gpg" | |
245 | test_release_gpg_to_invalid_release_release_gpg | |
c99fe2e1 | 246 | |
846bc058 DK |
247 | # ensure we can override the downgrade error |
248 | msgmsg "test_from_inrelease_to_unsigned_with_override" | |
c99fe2e1 | 249 | test_from_inrelease_to_unsigned_with_override |