]>
Commit | Line | Data |
---|---|---|
631a7dc7 MV |
1 | #!/bin/sh |
2 | # | |
3 | # ensure we never fallback from a signed to a unsigned repo | |
4 | # | |
5 | # hash checks are done in | |
6 | # | |
7 | set -e | |
8 | ||
9 | simulate_mitm_and_inject_evil_package() | |
10 | { | |
6bf93605 | 11 | redatereleasefiles '+1 hour' |
631a7dc7 MV |
12 | rm -f $APTARCHIVE/dists/unstable/InRelease |
13 | rm -f $APTARCHIVE/dists/unstable/Release.gpg | |
14 | inject_evil_package | |
15 | } | |
16 | ||
17 | inject_evil_package() | |
18 | { | |
19 | cat > $APTARCHIVE/dists/unstable/main/binary-i386/Packages <<EOF | |
20 | Package: evil | |
21 | Installed-Size: 29 | |
22 | Maintainer: Joe Sixpack <joe@example.org> | |
23 | Architecture: all | |
24 | Version: 1.0 | |
25 | Filename: pool/evil_1.0_all.deb | |
26 | Size: 1270 | |
27 | Description: an autogenerated evil package | |
28 | EOF | |
29 | # avoid ims hit | |
30 | touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages | |
448c38bd | 31 | compressfile aptarchive/dists/unstable/main/binary-i386/Packages |
631a7dc7 MV |
32 | } |
33 | ||
34 | assert_update_is_refused_and_last_good_state_used() | |
35 | { | |
1da3b7b8 | 36 | testfailuremsg "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed." aptget update |
631a7dc7 MV |
37 | |
38 | assert_repo_is_intact | |
39 | } | |
40 | ||
41 | assert_repo_is_intact() | |
42 | { | |
25b86db1 | 43 | testsuccessequal "foo/unstable 2.0 all" apt list -q |
846bc058 DK |
44 | testsuccess aptget install -y -s foo |
45 | testfailure aptget install -y evil | |
46 | testsuccess aptget source foo --print-uris | |
631a7dc7 MV |
47 | |
48 | LISTDIR=rootdir/var/lib/apt/lists | |
49 | if ! ( ls $LISTDIR/*InRelease >/dev/null 2>&1 || | |
50 | ls $LISTDIR/*Release.gpg >/dev/null 2>&1 ); then | |
51 | echo "Can not find InRelease/Release.gpg in $(ls $LISTDIR)" | |
52 | msgfail | |
53 | fi | |
54 | } | |
55 | ||
56 | setupaptarchive_with_lists_clean() | |
57 | { | |
58 | setupaptarchive --no-update | |
4fa34122 | 59 | rm -rf rootdir/var/lib/apt/lists |
631a7dc7 MV |
60 | } |
61 | ||
62 | test_from_inrelease_to_unsigned() | |
63 | { | |
64 | # setup archive with InRelease file | |
65 | setupaptarchive_with_lists_clean | |
66 | testsuccess aptget update | |
846bc058 | 67 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
68 | |
69 | simulate_mitm_and_inject_evil_package | |
70 | assert_update_is_refused_and_last_good_state_used | |
846bc058 | 71 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
72 | } |
73 | ||
74 | test_from_release_gpg_to_unsigned() | |
75 | { | |
76 | # setup archive with Release/Release.gpg (but no InRelease) | |
77 | setupaptarchive_with_lists_clean | |
78 | rm $APTARCHIVE/dists/unstable/InRelease | |
79 | testsuccess aptget update | |
846bc058 | 80 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
81 | |
82 | simulate_mitm_and_inject_evil_package | |
83 | assert_update_is_refused_and_last_good_state_used | |
846bc058 | 84 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
85 | } |
86 | ||
c99fe2e1 MV |
87 | test_from_inrelease_to_unsigned_with_override() |
88 | { | |
89 | # setup archive with InRelease file | |
90 | setupaptarchive_with_lists_clean | |
448c38bd | 91 | testsuccess aptget update |
c99fe2e1 MV |
92 | |
93 | # simulate moving to a unsigned but otherwise valid repo | |
94 | simulate_mitm_and_inject_evil_package | |
448c38bd DK |
95 | generatereleasefiles '+2 hours' |
96 | find $APTARCHIVE -name '*Packages*' -exec touch -d '+2 hours' {} \; | |
c99fe2e1 MV |
97 | |
98 | # and ensure we can update to it (with enough force) | |
4fa34122 | 99 | testwarning aptget update --allow-insecure-repositories \ |
448c38bd | 100 | -o Acquire::AllowDowngradeToInsecureRepositories=1 -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1 |
c99fe2e1 | 101 | # but that the individual packages are still considered untrusted |
25b86db1 | 102 | testfailureequal "WARNING: The following packages cannot be authenticated! |
c99fe2e1 | 103 | evil |
b381a482 | 104 | E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y evil |
c99fe2e1 MV |
105 | } |
106 | ||
631a7dc7 MV |
107 | test_cve_2012_0214() |
108 | { | |
109 | # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108 | |
110 | # | |
111 | # it was possible to MITM the download so that InRelease/Release.gpg | |
112 | # are not delivered (404) and a altered Release file was send | |
113 | # | |
114 | # apt left the old InRelease file in /var/lib/apt/lists and downloaded | |
115 | # the unauthenticated Release file too giving the false impression that | |
116 | # Release was authenticated | |
117 | # | |
118 | # Note that this is pretty much impossible nowdays because: | |
119 | # a) InRelease is left as is, not split to InRelease/Release as it was | |
120 | # in the old days | |
121 | # b) we refuse to go from signed->unsigned | |
122 | # | |
123 | # Still worth having a regression test the simulates the condition | |
124 | ||
125 | # setup archive with InRelease | |
126 | setupaptarchive_with_lists_clean | |
127 | testsuccess aptget update | |
846bc058 | 128 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
129 | |
130 | # do what CVE-2012-0214 did | |
131 | rm $APTARCHIVE/dists/unstable/InRelease | |
132 | rm $APTARCHIVE/dists/unstable/Release.gpg | |
133 | inject_evil_package | |
134 | # build valid Release file | |
135 | aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release | |
136 | ||
137 | assert_update_is_refused_and_last_good_state_used | |
846bc058 | 138 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
139 | |
140 | # ensure there is no _Release file downloaded | |
141 | testfailure ls rootdir/var/lib/apt/lists/*_Release | |
142 | } | |
143 | ||
144 | test_subvert_inrelease() | |
145 | { | |
146 | # setup archive with InRelease | |
147 | setupaptarchive_with_lists_clean | |
148 | testsuccess aptget update | |
846bc058 | 149 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
150 | |
151 | # replace InRelease with something else | |
152 | mv $APTARCHIVE/dists/unstable/Release $APTARCHIVE/dists/unstable/InRelease | |
153 | ||
dd676dc7 DK |
154 | testfailuremsg "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?) |
155 | E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update | |
631a7dc7 MV |
156 | |
157 | # ensure we keep the repo | |
846bc058 | 158 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
159 | assert_repo_is_intact |
160 | } | |
161 | ||
162 | test_inrelease_to_invalid_inrelease() | |
163 | { | |
164 | # setup archive with InRelease | |
165 | setupaptarchive_with_lists_clean | |
166 | testsuccess aptget update | |
846bc058 | 167 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
168 | |
169 | # now remove InRelease and subvert Release do no longer verify | |
448c38bd | 170 | sed -i 's/^Codename:.*/Codename: evil!/' $APTARCHIVE/dists/unstable/InRelease |
631a7dc7 MV |
171 | inject_evil_package |
172 | ||
1da3b7b8 | 173 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
4dbfe436 | 174 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
631a7dc7 MV |
175 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq |
176 | ||
177 | # ensure we keep the repo | |
846bc058 DK |
178 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease |
179 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
631a7dc7 | 180 | assert_repo_is_intact |
631a7dc7 MV |
181 | } |
182 | ||
183 | test_release_gpg_to_invalid_release_release_gpg() | |
184 | { | |
185 | # setup archive with InRelease | |
186 | setupaptarchive_with_lists_clean | |
187 | rm $APTARCHIVE/dists/unstable/InRelease | |
188 | testsuccess aptget update | |
846bc058 | 189 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
190 | |
191 | # now subvert Release do no longer verify | |
192 | echo "Some evil data" >> $APTARCHIVE/dists/unstable/Release | |
193 | inject_evil_package | |
194 | ||
1da3b7b8 | 195 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
03aa0847 | 196 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
8beef749 | 197 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq |
631a7dc7 | 198 | |
846bc058 DK |
199 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release |
200 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
631a7dc7 | 201 | assert_repo_is_intact |
631a7dc7 MV |
202 | } |
203 | ||
204 | ||
205 | TESTDIR=$(readlink -f $(dirname $0)) | |
206 | . $TESTDIR/framework | |
207 | ||
208 | setupenvironment | |
209 | configarchitecture "i386" | |
210 | ||
211 | # a "normal" package with source and binary | |
212 | buildsimplenativepackage 'foo' 'all' '2.0' | |
213 | ||
214 | # setup the archive and ensure we have a single package that installs fine | |
215 | setupaptarchive | |
216 | APTARCHIVE=$(readlink -f ./aptarchive) | |
217 | assert_repo_is_intact | |
218 | ||
219 | # test the various cases where a repo may go from signed->unsigned | |
220 | msgmsg "test_from_inrelease_to_unsigned" | |
221 | test_from_inrelease_to_unsigned | |
222 | ||
223 | msgmsg "test_from_release_gpg_to_unsigned" | |
224 | test_from_release_gpg_to_unsigned | |
225 | ||
226 | # ensure we do not regress on CVE-2012-0214 | |
227 | msgmsg "test_cve_2012_0214" | |
228 | test_cve_2012_0214 | |
229 | ||
230 | # ensure InRelase can not be subverted | |
231 | msgmsg "test_subvert_inrelease" | |
232 | test_subvert_inrelease | |
233 | ||
234 | # ensure we revert to last good state if InRelease does not verify | |
235 | msgmsg "test_inrelease_to_invalid_inrelease" | |
236 | test_inrelease_to_invalid_inrelease | |
237 | ||
238 | # ensure we revert to last good state if Release/Release.gpg does not verify | |
239 | msgmsg "test_release_gpg_to_invalid_release_release_gpg" | |
240 | test_release_gpg_to_invalid_release_release_gpg | |
c99fe2e1 | 241 | |
846bc058 DK |
242 | # ensure we can override the downgrade error |
243 | msgmsg "test_from_inrelease_to_unsigned_with_override" | |
c99fe2e1 | 244 | test_from_inrelease_to_unsigned_with_override |