]>
Commit | Line | Data |
---|---|---|
631a7dc7 MV |
1 | #!/bin/sh |
2 | # | |
3 | # ensure we never fallback from a signed to a unsigned repo | |
4 | # | |
5 | # hash checks are done in | |
6 | # | |
7 | set -e | |
8 | ||
9 | simulate_mitm_and_inject_evil_package() | |
10 | { | |
6bf93605 | 11 | redatereleasefiles '+1 hour' |
63c71412 DK |
12 | rm -f "$APTARCHIVE/dists/unstable/InRelease" |
13 | rm -f "$APTARCHIVE/dists/unstable/Release.gpg" | |
631a7dc7 MV |
14 | inject_evil_package |
15 | } | |
16 | ||
17 | inject_evil_package() | |
18 | { | |
63c71412 | 19 | cat > "$APTARCHIVE/dists/unstable/main/binary-i386/Packages" <<EOF |
631a7dc7 MV |
20 | Package: evil |
21 | Installed-Size: 29 | |
22 | Maintainer: Joe Sixpack <joe@example.org> | |
23 | Architecture: all | |
24 | Version: 1.0 | |
25 | Filename: pool/evil_1.0_all.deb | |
26 | Size: 1270 | |
27 | Description: an autogenerated evil package | |
28 | EOF | |
29 | # avoid ims hit | |
30 | touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages | |
448c38bd | 31 | compressfile aptarchive/dists/unstable/main/binary-i386/Packages |
631a7dc7 MV |
32 | } |
33 | ||
34 | assert_update_is_refused_and_last_good_state_used() | |
35 | { | |
002b1bc4 | 36 | testfailuremsg "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed. |
83960341 | 37 | N: Updating from such a repository can't be done securely, and is therefore disabled by default. |
87d6947d | 38 | N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update |
631a7dc7 MV |
39 | |
40 | assert_repo_is_intact | |
41 | } | |
42 | ||
43 | assert_repo_is_intact() | |
44 | { | |
2b0660b5 | 45 | testsuccessequal "foo/unstable 2.0 all" apt list -qq |
846bc058 DK |
46 | testsuccess aptget install -y -s foo |
47 | testfailure aptget install -y evil | |
48 | testsuccess aptget source foo --print-uris | |
631a7dc7 MV |
49 | |
50 | LISTDIR=rootdir/var/lib/apt/lists | |
63c71412 | 51 | testempty find "$LISTDIR" -name 'InRelease' -o -name 'Release.gpg' |
631a7dc7 MV |
52 | } |
53 | ||
54 | setupaptarchive_with_lists_clean() | |
55 | { | |
56 | setupaptarchive --no-update | |
4fa34122 | 57 | rm -rf rootdir/var/lib/apt/lists |
631a7dc7 MV |
58 | } |
59 | ||
60 | test_from_inrelease_to_unsigned() | |
61 | { | |
62 | # setup archive with InRelease file | |
63 | setupaptarchive_with_lists_clean | |
64 | testsuccess aptget update | |
846bc058 | 65 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
66 | |
67 | simulate_mitm_and_inject_evil_package | |
68 | assert_update_is_refused_and_last_good_state_used | |
846bc058 | 69 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
70 | } |
71 | ||
72 | test_from_release_gpg_to_unsigned() | |
73 | { | |
74 | # setup archive with Release/Release.gpg (but no InRelease) | |
75 | setupaptarchive_with_lists_clean | |
63c71412 | 76 | rm "$APTARCHIVE/dists/unstable/InRelease" |
631a7dc7 | 77 | testsuccess aptget update |
846bc058 | 78 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
79 | |
80 | simulate_mitm_and_inject_evil_package | |
81 | assert_update_is_refused_and_last_good_state_used | |
846bc058 | 82 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
83 | } |
84 | ||
c99fe2e1 MV |
85 | test_from_inrelease_to_unsigned_with_override() |
86 | { | |
87 | # setup archive with InRelease file | |
88 | setupaptarchive_with_lists_clean | |
448c38bd | 89 | testsuccess aptget update |
c99fe2e1 MV |
90 | |
91 | # simulate moving to a unsigned but otherwise valid repo | |
92 | simulate_mitm_and_inject_evil_package | |
448c38bd | 93 | generatereleasefiles '+2 hours' |
63c71412 | 94 | find "$APTARCHIVE" -name '*Packages*' -exec touch -d '+2 hours' {} \; |
c99fe2e1 MV |
95 | |
96 | # and ensure we can update to it (with enough force) | |
4fa34122 | 97 | testwarning aptget update --allow-insecure-repositories \ |
448c38bd | 98 | -o Acquire::AllowDowngradeToInsecureRepositories=1 -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1 |
c99fe2e1 | 99 | # but that the individual packages are still considered untrusted |
25b86db1 | 100 | testfailureequal "WARNING: The following packages cannot be authenticated! |
c99fe2e1 | 101 | evil |
b381a482 | 102 | E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y evil |
c99fe2e1 MV |
103 | } |
104 | ||
631a7dc7 MV |
105 | test_cve_2012_0214() |
106 | { | |
107 | # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108 | |
108 | # | |
109 | # it was possible to MITM the download so that InRelease/Release.gpg | |
110 | # are not delivered (404) and a altered Release file was send | |
111 | # | |
112 | # apt left the old InRelease file in /var/lib/apt/lists and downloaded | |
113 | # the unauthenticated Release file too giving the false impression that | |
114 | # Release was authenticated | |
115 | # | |
3a8776a3 | 116 | # Note that this is pretty much impossible nowadays because: |
631a7dc7 MV |
117 | # a) InRelease is left as is, not split to InRelease/Release as it was |
118 | # in the old days | |
119 | # b) we refuse to go from signed->unsigned | |
120 | # | |
121 | # Still worth having a regression test the simulates the condition | |
122 | ||
123 | # setup archive with InRelease | |
124 | setupaptarchive_with_lists_clean | |
125 | testsuccess aptget update | |
846bc058 | 126 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
127 | |
128 | # do what CVE-2012-0214 did | |
63c71412 DK |
129 | rm "$APTARCHIVE/dists/unstable/InRelease" |
130 | rm "$APTARCHIVE/dists/unstable/Release.gpg" | |
631a7dc7 MV |
131 | inject_evil_package |
132 | # build valid Release file | |
133 | aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release | |
134 | ||
135 | assert_update_is_refused_and_last_good_state_used | |
846bc058 | 136 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
137 | |
138 | # ensure there is no _Release file downloaded | |
139 | testfailure ls rootdir/var/lib/apt/lists/*_Release | |
140 | } | |
141 | ||
142 | test_subvert_inrelease() | |
143 | { | |
144 | # setup archive with InRelease | |
145 | setupaptarchive_with_lists_clean | |
146 | testsuccess aptget update | |
846bc058 | 147 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
148 | |
149 | # replace InRelease with something else | |
63c71412 | 150 | mv "$APTARCHIVE/dists/unstable/Release" "$APTARCHIVE/dists/unstable/InRelease" |
631a7dc7 | 151 | |
dd676dc7 DK |
152 | testfailuremsg "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?) |
153 | E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update | |
631a7dc7 MV |
154 | |
155 | # ensure we keep the repo | |
846bc058 | 156 | testfileequal lists.before "$(listcurrentlistsdirectory)" |
631a7dc7 MV |
157 | assert_repo_is_intact |
158 | } | |
159 | ||
160 | test_inrelease_to_invalid_inrelease() | |
161 | { | |
162 | # setup archive with InRelease | |
163 | setupaptarchive_with_lists_clean | |
164 | testsuccess aptget update | |
846bc058 | 165 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
166 | |
167 | # now remove InRelease and subvert Release do no longer verify | |
63c71412 | 168 | sed -i 's/^Codename:.*/Codename: evil!/' "$APTARCHIVE/dists/unstable/InRelease" |
631a7dc7 MV |
169 | inject_evil_package |
170 | ||
1da3b7b8 | 171 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
4dbfe436 | 172 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
631a7dc7 MV |
173 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq |
174 | ||
175 | # ensure we keep the repo | |
846bc058 DK |
176 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease |
177 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
631a7dc7 | 178 | assert_repo_is_intact |
631a7dc7 MV |
179 | } |
180 | ||
181 | test_release_gpg_to_invalid_release_release_gpg() | |
182 | { | |
183 | # setup archive with InRelease | |
184 | setupaptarchive_with_lists_clean | |
63c71412 | 185 | rm "$APTARCHIVE/dists/unstable/InRelease" |
631a7dc7 | 186 | testsuccess aptget update |
846bc058 | 187 | listcurrentlistsdirectory > lists.before |
631a7dc7 MV |
188 | |
189 | # now subvert Release do no longer verify | |
63c71412 | 190 | echo "Some evil data" >> "$APTARCHIVE/dists/unstable/Release" |
631a7dc7 MV |
191 | inject_evil_package |
192 | ||
1da3b7b8 | 193 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable Release: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
03aa0847 | 194 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> |
8beef749 | 195 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq |
631a7dc7 | 196 | |
846bc058 DK |
197 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release |
198 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
631a7dc7 | 199 | assert_repo_is_intact |
631a7dc7 MV |
200 | } |
201 | ||
202 | ||
203 | TESTDIR=$(readlink -f $(dirname $0)) | |
204 | . $TESTDIR/framework | |
205 | ||
206 | setupenvironment | |
207 | configarchitecture "i386" | |
208 | ||
209 | # a "normal" package with source and binary | |
210 | buildsimplenativepackage 'foo' 'all' '2.0' | |
211 | ||
212 | # setup the archive and ensure we have a single package that installs fine | |
213 | setupaptarchive | |
63c71412 | 214 | APTARCHIVE="$(readlink -f ./aptarchive)" |
631a7dc7 MV |
215 | assert_repo_is_intact |
216 | ||
217 | # test the various cases where a repo may go from signed->unsigned | |
218 | msgmsg "test_from_inrelease_to_unsigned" | |
219 | test_from_inrelease_to_unsigned | |
220 | ||
221 | msgmsg "test_from_release_gpg_to_unsigned" | |
222 | test_from_release_gpg_to_unsigned | |
223 | ||
224 | # ensure we do not regress on CVE-2012-0214 | |
225 | msgmsg "test_cve_2012_0214" | |
226 | test_cve_2012_0214 | |
227 | ||
228 | # ensure InRelase can not be subverted | |
229 | msgmsg "test_subvert_inrelease" | |
230 | test_subvert_inrelease | |
231 | ||
232 | # ensure we revert to last good state if InRelease does not verify | |
233 | msgmsg "test_inrelease_to_invalid_inrelease" | |
234 | test_inrelease_to_invalid_inrelease | |
235 | ||
236 | # ensure we revert to last good state if Release/Release.gpg does not verify | |
237 | msgmsg "test_release_gpg_to_invalid_release_release_gpg" | |
238 | test_release_gpg_to_invalid_release_release_gpg | |
c99fe2e1 | 239 | |
846bc058 DK |
240 | # ensure we can override the downgrade error |
241 | msgmsg "test_from_inrelease_to_unsigned_with_override" | |
c99fe2e1 | 242 | test_from_inrelease_to_unsigned_with_override |