]>
Commit | Line | Data |
---|---|---|
1 | #!/bin/sh | |
2 | # | |
3 | # ensure we never fallback from a signed to a unsigned repo | |
4 | # | |
5 | # hash checks are done in | |
6 | # | |
7 | set -e | |
8 | ||
9 | simulate_mitm_and_inject_evil_package() | |
10 | { | |
11 | rm -f $APTARCHIVE/dists/unstable/InRelease | |
12 | rm -f $APTARCHIVE/dists/unstable/Release.gpg | |
13 | inject_evil_package | |
14 | } | |
15 | ||
16 | inject_evil_package() | |
17 | { | |
18 | cat > $APTARCHIVE/dists/unstable/main/binary-i386/Packages <<EOF | |
19 | Package: evil | |
20 | Installed-Size: 29 | |
21 | Maintainer: Joe Sixpack <joe@example.org> | |
22 | Architecture: all | |
23 | Version: 1.0 | |
24 | Filename: pool/evil_1.0_all.deb | |
25 | Size: 1270 | |
26 | Description: an autogenerated evil package | |
27 | EOF | |
28 | # avoid ims hit | |
29 | touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages | |
30 | } | |
31 | ||
32 | assert_update_is_refused_and_last_good_state_used() | |
33 | { | |
34 | testfailureequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq | |
35 | ||
36 | assert_repo_is_intact | |
37 | } | |
38 | ||
39 | assert_repo_is_intact() | |
40 | { | |
41 | testsuccessequal "foo/unstable 2.0 all" apt list -q | |
42 | testsuccess aptget install -y -s foo | |
43 | testfailure aptget install -y evil | |
44 | testsuccess aptget source foo --print-uris | |
45 | ||
46 | LISTDIR=rootdir/var/lib/apt/lists | |
47 | if ! ( ls $LISTDIR/*InRelease >/dev/null 2>&1 || | |
48 | ls $LISTDIR/*Release.gpg >/dev/null 2>&1 ); then | |
49 | echo "Can not find InRelease/Release.gpg in $(ls $LISTDIR)" | |
50 | msgfail | |
51 | fi | |
52 | } | |
53 | ||
54 | setupaptarchive_with_lists_clean() | |
55 | { | |
56 | setupaptarchive --no-update | |
57 | rm -rf rootdir/var/lib/apt/lists | |
58 | } | |
59 | ||
60 | test_from_inrelease_to_unsigned() | |
61 | { | |
62 | # setup archive with InRelease file | |
63 | setupaptarchive_with_lists_clean | |
64 | testsuccess aptget update | |
65 | listcurrentlistsdirectory > lists.before | |
66 | ||
67 | simulate_mitm_and_inject_evil_package | |
68 | assert_update_is_refused_and_last_good_state_used | |
69 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
70 | } | |
71 | ||
72 | test_from_release_gpg_to_unsigned() | |
73 | { | |
74 | # setup archive with Release/Release.gpg (but no InRelease) | |
75 | setupaptarchive_with_lists_clean | |
76 | rm $APTARCHIVE/dists/unstable/InRelease | |
77 | testsuccess aptget update | |
78 | listcurrentlistsdirectory > lists.before | |
79 | ||
80 | simulate_mitm_and_inject_evil_package | |
81 | assert_update_is_refused_and_last_good_state_used | |
82 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
83 | } | |
84 | ||
85 | test_from_inrelease_to_unsigned_with_override() | |
86 | { | |
87 | # setup archive with InRelease file | |
88 | setupaptarchive_with_lists_clean | |
89 | # FIXME: is not what the server reported 4104 4106 | |
90 | testsuccess aptget update #-o Debug::pkgAcquire::Worker=1 | |
91 | ||
92 | # simulate moving to a unsigned but otherwise valid repo | |
93 | simulate_mitm_and_inject_evil_package | |
94 | generatereleasefiles | |
95 | ||
96 | # and ensure we can update to it (with enough force) | |
97 | testwarning aptget update --allow-insecure-repositories \ | |
98 | -o Acquire::AllowDowngradeToInsecureRepositories=1 | |
99 | # but that the individual packages are still considered untrusted | |
100 | testfailureequal "WARNING: The following packages cannot be authenticated! | |
101 | evil | |
102 | E: There are problems and -y was used without --force-yes" aptget install -qq -y evil | |
103 | } | |
104 | ||
105 | test_cve_2012_0214() | |
106 | { | |
107 | # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108 | |
108 | # | |
109 | # it was possible to MITM the download so that InRelease/Release.gpg | |
110 | # are not delivered (404) and a altered Release file was send | |
111 | # | |
112 | # apt left the old InRelease file in /var/lib/apt/lists and downloaded | |
113 | # the unauthenticated Release file too giving the false impression that | |
114 | # Release was authenticated | |
115 | # | |
116 | # Note that this is pretty much impossible nowdays because: | |
117 | # a) InRelease is left as is, not split to InRelease/Release as it was | |
118 | # in the old days | |
119 | # b) we refuse to go from signed->unsigned | |
120 | # | |
121 | # Still worth having a regression test the simulates the condition | |
122 | ||
123 | # setup archive with InRelease | |
124 | setupaptarchive_with_lists_clean | |
125 | testsuccess aptget update | |
126 | listcurrentlistsdirectory > lists.before | |
127 | ||
128 | # do what CVE-2012-0214 did | |
129 | rm $APTARCHIVE/dists/unstable/InRelease | |
130 | rm $APTARCHIVE/dists/unstable/Release.gpg | |
131 | inject_evil_package | |
132 | # build valid Release file | |
133 | aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release | |
134 | ||
135 | assert_update_is_refused_and_last_good_state_used | |
136 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
137 | ||
138 | # ensure there is no _Release file downloaded | |
139 | testfailure ls rootdir/var/lib/apt/lists/*_Release | |
140 | } | |
141 | ||
142 | test_subvert_inrelease() | |
143 | { | |
144 | # setup archive with InRelease | |
145 | setupaptarchive_with_lists_clean | |
146 | testsuccess aptget update | |
147 | listcurrentlistsdirectory > lists.before | |
148 | ||
149 | # replace InRelease with something else | |
150 | mv $APTARCHIVE/dists/unstable/Release $APTARCHIVE/dists/unstable/InRelease | |
151 | ||
152 | testfailureequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Does not start with a cleartext signature | |
153 | ||
154 | E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq | |
155 | ||
156 | # ensure we keep the repo | |
157 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
158 | assert_repo_is_intact | |
159 | } | |
160 | ||
161 | test_inrelease_to_invalid_inrelease() | |
162 | { | |
163 | # setup archive with InRelease | |
164 | setupaptarchive_with_lists_clean | |
165 | testsuccess aptget update | |
166 | listcurrentlistsdirectory > lists.before | |
167 | ||
168 | # now remove InRelease and subvert Release do no longer verify | |
169 | sed -i 's/Codename.*/Codename: evil!'/ $APTARCHIVE/dists/unstable/InRelease | |
170 | inject_evil_package | |
171 | ||
172 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> | |
173 | ||
174 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> | |
175 | ||
176 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq | |
177 | ||
178 | # ensure we keep the repo | |
179 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*InRelease | |
180 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
181 | assert_repo_is_intact | |
182 | } | |
183 | ||
184 | test_release_gpg_to_invalid_release_release_gpg() | |
185 | { | |
186 | # setup archive with InRelease | |
187 | setupaptarchive_with_lists_clean | |
188 | rm $APTARCHIVE/dists/unstable/InRelease | |
189 | testsuccess aptget update | |
190 | listcurrentlistsdirectory > lists.before | |
191 | ||
192 | # now subvert Release do no longer verify | |
193 | echo "Some evil data" >> $APTARCHIVE/dists/unstable/Release | |
194 | inject_evil_package | |
195 | ||
196 | testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable Release.gpg: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> | |
197 | ||
198 | W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> | |
199 | ||
200 | W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq | |
201 | ||
202 | testfailure grep 'evil' rootdir/var/lib/apt/lists/*Release | |
203 | testfileequal lists.before "$(listcurrentlistsdirectory)" | |
204 | assert_repo_is_intact | |
205 | } | |
206 | ||
207 | ||
208 | TESTDIR=$(readlink -f $(dirname $0)) | |
209 | . $TESTDIR/framework | |
210 | ||
211 | setupenvironment | |
212 | configarchitecture "i386" | |
213 | ||
214 | # a "normal" package with source and binary | |
215 | buildsimplenativepackage 'foo' 'all' '2.0' | |
216 | ||
217 | # setup the archive and ensure we have a single package that installs fine | |
218 | setupaptarchive | |
219 | APTARCHIVE=$(readlink -f ./aptarchive) | |
220 | assert_repo_is_intact | |
221 | ||
222 | # test the various cases where a repo may go from signed->unsigned | |
223 | msgmsg "test_from_inrelease_to_unsigned" | |
224 | test_from_inrelease_to_unsigned | |
225 | ||
226 | msgmsg "test_from_release_gpg_to_unsigned" | |
227 | test_from_release_gpg_to_unsigned | |
228 | ||
229 | # ensure we do not regress on CVE-2012-0214 | |
230 | msgmsg "test_cve_2012_0214" | |
231 | test_cve_2012_0214 | |
232 | ||
233 | # ensure InRelase can not be subverted | |
234 | msgmsg "test_subvert_inrelease" | |
235 | test_subvert_inrelease | |
236 | ||
237 | # ensure we revert to last good state if InRelease does not verify | |
238 | msgmsg "test_inrelease_to_invalid_inrelease" | |
239 | test_inrelease_to_invalid_inrelease | |
240 | ||
241 | # ensure we revert to last good state if Release/Release.gpg does not verify | |
242 | msgmsg "test_release_gpg_to_invalid_release_release_gpg" | |
243 | test_release_gpg_to_invalid_release_release_gpg | |
244 | ||
245 | # ensure we can override the downgrade error | |
246 | msgmsg "test_from_inrelease_to_unsigned_with_override" | |
247 | test_from_inrelease_to_unsigned_with_override |