Do not consider SHA1 usable
authorJulian Andres Klode <jak@debian.org>
Sun, 13 Mar 2016 11:21:09 +0000 (12:21 +0100)
committerJulian Andres Klode <jak@debian.org>
Sun, 13 Mar 2016 12:01:14 +0000 (13:01 +0100)
SHA1 is not reasonably secure anymore, so we should not consider it
usable anymore. The test suite is adjusted to account for this.

apt-pkg/contrib/hashes.cc
test/integration/framework
test/integration/test-apt-ftparchive-by-hash
test/integration/test-partial-file-support
test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum
test/libapt/hashsums_test.cc

index 5c0023dc726414d31a080a36c61c6d769669219a..f2b91501e5a5aed23e2cab77ad666eec1485ea1b 100644 (file)
@@ -133,7 +133,8 @@ APT_PURE bool HashString::usable() const                            /*{{{*/
 {
    return (
       (Type != "Checksum-FileSize") &&
-      (Type != "MD5Sum")
+      (Type != "MD5Sum") &&
+      (Type != "SHA1")
    );
 }
                                                                        /*}}}*/
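Review bot: `usable()` is still a deny-list, so any `Type` it does not name is reported as usable, including a misspelled or differently cased value such as `sha1`. Whether `Type` is normalized before it reaches this function is not visible in the hunk. An allow-list of the strong types (`Type == "SHA256" || Type == "SHA512"`) would fail closed when a new or unexpected name shows up. Failing that, a comment above the `return` would record the intent, for example `// weak (MD5Sum, SHA1) and non-cryptographic (Checksum-FileSize) types must never authenticate a file on their own`. The function's signature appears only in the hunk header, not in the changed lines.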
index a0eeb6d45e0faa457930b5e2f3a183bd4dc2981b..ffec06641c35e637cdcc569f6a6c41cf80bc6cff 100644 (file)
@@ -390,7 +390,7 @@ EOF
        echo "Apt::Cmd::Disable-Script-Warning \"1\";" > rootdir/etc/apt/apt.conf.d/apt-binary
        echo 'Acquire::Connect::AddrConfig "false";' > rootdir/etc/apt/apt.conf.d/connect-addrconfig
        configcompression '.' 'gz' #'bz2' 'lzma' 'xz'
-       confighashes 'SHA1' # these are tests, not security best-practices
+       confighashes 'SHA256' # these are tests, not security best-practices
 
        # create some files in /tmp and look at user/group to get what this means
        TEST_DEFAULT_USER="$(id -un)"
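Review bot: The trailing comment on the changed `confighashes` line is stale. `# these are tests, not security best-practices` excused the use of SHA1, and next to `'SHA256'` it now reads as if SHA256 were a knowingly weak choice. Either drop it or say why one type is configured, e.g. `confighashes 'SHA256' # one hash type that HashString::usable() accepts is enough for the tests`. The enclosing function starts before this hunk and continues after it.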
index c7aeea0f97f4216000de0678f5a36de17d6808f1..d08b94290acf25f4b1cc3bc269869a928bb186f8 100755 (executable)
@@ -2,7 +2,7 @@
 set -e
 
 verify_by_hash() {
-    for hash_gen in SHA1:sha1sum SHA256:sha256sum SHA512:sha512sum; do
+    for hash_gen in SHA256:sha256sum SHA512:sha512sum; do
         hash=$(echo ${hash_gen} | cut -f1 -d:)
         gen=$(echo ${hash_gen} | cut -f2 -d:)
         testsuccess stat aptarchive/dists/unstable/main/binary-i386/by-hash/$hash/$($gen aptarchive/dists/unstable/main/binary-i386/Packages | cut -f1 -d' ')
@@ -18,7 +18,7 @@ TESTDIR="$(readlink -f "$(dirname "$0")")"
 setupenvironment
 configarchitecture 'i386'
 configcompression 'gz' '.'
-confighashes 'SHA1' 'SHA256' 'SHA512'
+confighashes 'SHA256' 'SHA512'
 
 # enable by-hash in apt-ftparchive
 echo 'APT::FTPArchive::DoByHash "1";' >> aptconfig.conf
index 8cfc3f2d3c0dc2e13ea6c28f90831fdc166ab446..e2d2743b3cfefae7507a67cec072c872a205f4eb 100755 (executable)
@@ -80,7 +80,7 @@ followuprequest() {
 
        webserverconfig 'aptwebserver::support::content-range' 'false'
        copysource $TESTFILE 1M $DOWN
-       testdownloadfile 'completely downloaded file' "${1}/testfile" "$DOWN" '=' "SHA1:$(sha1sum "$TESTFILE" | cut -d' ' -f 1)"
+       testdownloadfile 'completely downloaded file' "${1}/testfile" "$DOWN" '=' "SHA256:$(sha256sum "$TESTFILE" | cut -d' ' -f 1)"
        testwebserverlaststatuscode '416' "$DOWNLOADLOG"
        webserverconfig 'aptwebserver::support::content-range' 'true'
 
index 015a803bc66a19b74dac5b2844c800ed9d8ab1a0..7ac993d395db96fe28c0f1926309cac33076c2fc 100755 (executable)
@@ -17,6 +17,15 @@ Files:
  9604ba9427a280db542279d9ed78400b 3 pkg-md5-ok_1.0.dsc
  db5570bf61464b46e2bde31ed61a7dc6 3 pkg-md5-ok_1.0.tar.gz
 
+Package: pkg-sha1-ok
+Binary: pkg-sha1-ok
+Version: 1.0
+Maintainer: Joe Sixpack <joe@example.org>
+Architecture: all
+Files:
+ 324f464e6151a92cf57b26ef95dcfcf2059a8c44 3 pkg-sha1-ok_1.0.dsc
+ 680254bad1d7ca0d65ec46aaa315d363abf6a50a 3 pkg-sha1-ok_1.0.tar.gz
+
 Package: pkg-sha256-ok
 Binary: pkg-sha256-ok
 Version: 1.0
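Review bot: The new `pkg-sha1-ok` stanza lists its 40-hex-digit SHA1 digests under `Files:`, the same field the `pkg-md5-ok` stanza just above uses for MD5 sums. If the Sources parser maps `Files:` to `MD5Sum`, as the neighbouring stanzas suggest, `testnohash pkg-sha1-ok` would pass because MD5Sum is unusable, and the new SHA1 exclusion would never be exercised. Putting the two entries under `Checksums-Sha1:`, mirroring the `Checksums-Sha256:` stanzas further down the file, would make the test cover the change in `usable()`. The `pkg-sha256-ok` stanza that follows continues outside this hunk.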
@@ -139,7 +148,7 @@ Checksums-Sha256:
 EOF
 
 # create fetchable files
-for x in 'pkg-md5-ok' 'pkg-sha256-ok' 'pkg-sha256-bad' 'pkg-no-md5' \
+for x in 'pkg-md5-ok' 'pkg-sha1-ok' 'pkg-sha256-ok' 'pkg-sha256-bad' 'pkg-no-md5' \
         'pkg-mixed-ok' 'pkg-mixed-sha1-bad' 'pkg-mixed-sha2-bad' \
         'pkg-md5-agree' 'pkg-md5-disagree' 'pkg-sha256-disagree' \
         'pkg-md5-bad'; do
@@ -230,6 +239,7 @@ Download complete and in download only mode" aptget source --allow-unauthenticat
 }
 
 testnohash pkg-md5-ok
+testnohash pkg-sha1-ok
 testok pkg-sha256-ok
 testkeep pkg-sha256-ok
 
@@ -255,29 +265,28 @@ testfailure --nomsg test -e pkg-no-md5_1.0.dsc -a -e pkg-no-md5_1.0.tar.gz
 
 # deal with cases in which we haven't for all files the same checksum type
 # mostly pathologic as this shouldn't happen, but just to be sure
-testok pkg-mixed-ok
-testfailureequal "Reading package lists...
-Need to get 6 B of source archives.
+testsuccessequal "Reading package lists...
+Skipping download of file 'pkg-mixed-ok_1.0.tar.gz' as requested hashsum is not available for authentication
+Need to get 3 B of source archives.
+Get:1 http://localhost:${APTHTTPPORT}  pkg-mixed-ok 1.0 (dsc) [3 B]
+Download complete and in download only mode" aptget source -d pkg-mixed-ok
+
+testsuccessequal  "Reading package lists...
+Skipping download of file 'pkg-mixed-sha1-bad_1.0.dsc' as requested hashsum is not available for authentication
+Need to get 3 B of source archives.
 Get:1 http://localhost:${APTHTTPPORT}  pkg-mixed-sha1-bad 1.0 (tar) [3 B]
-Get:2 http://localhost:${APTHTTPPORT}  pkg-mixed-sha1-bad 1.0 (dsc) [3 B]
-Err:2 http://localhost:${APTHTTPPORT}  pkg-mixed-sha1-bad 1.0 (dsc)
-  Hash Sum mismatch
-E: Failed to fetch http://localhost:${APTHTTPPORT}/pkg-mixed-sha1-bad_1.0.dsc  Hash Sum mismatch
-
-E: Failed to fetch some archives." aptget source -d pkg-mixed-sha1-bad
+Download complete and in download only mode" aptget source -d pkg-mixed-sha1-bad
 msgtest 'Only tar file is downloaded as the dsc has hashsum mismatch' 'pkg-mixed-sha1-bad'
 testsuccess --nomsg test ! -e pkg-mixed-sha1-bad_1.0.dsc -a -e pkg-mixed-sha1-bad_1.0.tar.gz
 testfailureequal "Reading package lists...
-Need to get 6 B of source archives.
+Skipping download of file 'pkg-mixed-sha2-bad_1.0.dsc' as requested hashsum is not available for authentication
+Need to get 3 B of source archives.
 Get:1 http://localhost:${APTHTTPPORT}  pkg-mixed-sha2-bad 1.0 (tar) [3 B]
 Err:1 http://localhost:${APTHTTPPORT}  pkg-mixed-sha2-bad 1.0 (tar)
   Hash Sum mismatch
-Get:2 http://localhost:${APTHTTPPORT}  pkg-mixed-sha2-bad 1.0 (dsc) [3 B]
 E: Failed to fetch http://localhost:${APTHTTPPORT}/pkg-mixed-sha2-bad_1.0.tar.gz  Hash Sum mismatch
 
 E: Failed to fetch some archives." aptget source -d pkg-mixed-sha2-bad
-msgtest 'Only dsc file is downloaded as the tar has hashsum mismatch' 'pkg-mixed-sha2-bad'
-testsuccess --nomsg test -e pkg-mixed-sha2-bad_1.0.dsc -a ! -e pkg-mixed-sha2-bad_1.0.tar.gz
 
 # it gets even more pathologic: multiple entries for one file, some even disagreeing!
 testnohash pkg-md5-agree
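Review bot: The `msgtest` kept for `pkg-mixed-sha1-bad` still says the dsc "has hashsum mismatch", but the new expected output shows it is skipped because no usable hashsum is available. It should read `msgtest 'Only tar file is downloaded as the dsc has no usable hashsum' 'pkg-mixed-sha1-bad'`. The on-disk check for `pkg-mixed-sha2-bad` was removed without a replacement, and `pkg-mixed-ok` never had one, so nothing asserts that a skipped file is really absent. That matters because `pkg-mixed-ok` now exits successfully with a file missing. For `pkg-mixed-sha2-bad`, presumably neither file should exist afterwards, which could be pinned with `msgtest 'Neither file is kept' 'pkg-mixed-sha2-bad'` followed by `testfailure --nomsg test -e pkg-mixed-sha2-bad_1.0.dsc -o -e pkg-mixed-sha2-bad_1.0.tar.gz`.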
index 033493f84e1bc4248b4fdd0d238b2f2b296d754e..705c0297d3c0cab8ebf6e0871df7926abe891db1 100644 (file)
@@ -328,11 +328,18 @@ TEST(HashSumsTest, HashStringList)
    EXPECT_EQ(29, list.FileSize());
    EXPECT_TRUE(NULL != list.find("MD5Sum"));
    list.push_back(HashString("SHA1", "cacecbd74968bc90ea3342767e6b94f46ddbcafc"));
-   EXPECT_TRUE(list.usable());
+   EXPECT_FALSE(list.usable());
    EXPECT_EQ(3, list.size());
    EXPECT_EQ(29, list.FileSize());
    EXPECT_TRUE(NULL != list.find("MD5Sum"));
    EXPECT_TRUE(NULL != list.find("SHA1"));
+   list.push_back(HashString("SHA256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
+   EXPECT_TRUE(list.usable());
+   EXPECT_EQ(4, list.size());
+   EXPECT_EQ(29, list.FileSize());
+   EXPECT_TRUE(NULL != list.find("MD5Sum"));
+   EXPECT_TRUE(NULL != list.find("SHA1"));
+   EXPECT_TRUE(NULL != list.find("SHA256"));
 
    Hashes hashes;
    hashes.Add("The quick brown fox jumps over the lazy dog");