test/integration/test-apt-update-stale

   1 #!/bin/sh
   2 #
   3 # Ensure that a MITM can not stale the Packages/Sources without
   4 # raising a error message. Note that the Release file is protected
   5 # via the "Valid-Until" header
   6 #
   7 set -e
   8
   9 TESTDIR=$(readlink -f $(dirname $0))
  10 . $TESTDIR/framework
  11
  12 setupenvironment
  13 configarchitecture "i386"
  14
  15 insertpackage 'unstable' 'foo' 'all' '1.0'
  16
  17 setupaptarchive
  18 changetowebserver
  19 aptget update -qq
  20 listcurrentlistsdirectory > lists.before
  21
  22 # insert new version
  23 mkdir aptarchive/dists/unstable/main/binary-i386/saved
  24 cp -p aptarchive/dists/unstable/main/binary-i386/Packages* \
  25      aptarchive/dists/unstable/main/binary-i386/saved
  26 insertpackage 'unstable' 'foo' 'all' '2.0'
  27
  28 compressfile aptarchive/dists/unstable/main/binary-i386/Packages
  29 # ensure that we do not get a I-M-S hit for the Release file
  30
  31 generatereleasefiles '+1hour'
  32 signreleasefiles
  33
  34 # but now only deliver the previous Packages file instead of the new one
  35 # (simulating a stale attack)
  36 cp -p aptarchive/dists/unstable/main/binary-i386/saved/Packages* \
  37      aptarchive/dists/unstable/main/binary-i386/
  38
  39 # ensure this raises an error
  40 testequal "W: Failed to fetch http://localhost:8080/dists/unstable/main/binary-i386/Packages  Hash Sum mismatch
  41
  42 E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
  43 testfileequal lists.before "$(listcurrentlistsdirectory)"