summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulian Andres Klode <jak@debian.org>2016-03-13 12:21:09 +0100
committerJulian Andres Klode <jak@debian.org>2016-03-13 13:01:14 +0100
commit51c04562559d0924aa52cc8c9b69901bc8a5c945 (patch)
treef31a91a41932f61a444c39374afadf43a3484bed
parente457c94165c9c4dfef8cea7c2f716700d1c84b3f (diff)
Do not consider SHA1 usable
SHA1 is not reasonably secure anymore, so we should not consider it usable anymore. The test suite is adjusted to account for this.
-rw-r--r--apt-pkg/contrib/hashes.cc3
-rw-r--r--test/integration/framework2
-rwxr-xr-xtest/integration/test-apt-ftparchive-by-hash4
-rwxr-xr-xtest/integration/test-partial-file-support2
-rwxr-xr-xtest/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum37
-rw-r--r--test/libapt/hashsums_test.cc9
6 files changed, 37 insertions, 20 deletions
diff --git a/apt-pkg/contrib/hashes.cc b/apt-pkg/contrib/hashes.cc
index 5c0023dc7..f2b91501e 100644
--- a/apt-pkg/contrib/hashes.cc
+++ b/apt-pkg/contrib/hashes.cc
@@ -133,7 +133,8 @@ APT_PURE bool HashString::usable() const /*{{{*/
{
return (
(Type != "Checksum-FileSize") &&
- (Type != "MD5Sum")
+ (Type != "MD5Sum") &&
+ (Type != "SHA1")
);
}
/*}}}*/
diff --git a/test/integration/framework b/test/integration/framework
index a0eeb6d45..ffec06641 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -390,7 +390,7 @@ EOF
echo "Apt::Cmd::Disable-Script-Warning \"1\";" > rootdir/etc/apt/apt.conf.d/apt-binary
echo 'Acquire::Connect::AddrConfig "false";' > rootdir/etc/apt/apt.conf.d/connect-addrconfig
configcompression '.' 'gz' #'bz2' 'lzma' 'xz'
- confighashes 'SHA1' # these are tests, not security best-practices
+ confighashes 'SHA256' # these are tests, not security best-practices
# create some files in /tmp and look at user/group to get what this means
TEST_DEFAULT_USER="$(id -un)"
diff --git a/test/integration/test-apt-ftparchive-by-hash b/test/integration/test-apt-ftparchive-by-hash
index c7aeea0f9..d08b94290 100755
--- a/test/integration/test-apt-ftparchive-by-hash
+++ b/test/integration/test-apt-ftparchive-by-hash
@@ -2,7 +2,7 @@
set -e
verify_by_hash() {
- for hash_gen in SHA1:sha1sum SHA256:sha256sum SHA512:sha512sum; do
+ for hash_gen in SHA256:sha256sum SHA512:sha512sum; do
hash=$(echo ${hash_gen} | cut -f1 -d:)
gen=$(echo ${hash_gen} | cut -f2 -d:)
testsuccess stat aptarchive/dists/unstable/main/binary-i386/by-hash/$hash/$($gen aptarchive/dists/unstable/main/binary-i386/Packages | cut -f1 -d' ')
@@ -18,7 +18,7 @@ TESTDIR="$(readlink -f "$(dirname "$0")")"
setupenvironment
configarchitecture 'i386'
configcompression 'gz' '.'
-confighashes 'SHA1' 'SHA256' 'SHA512'
+confighashes 'SHA256' 'SHA512'
# enable by-hash in apt-ftparchive
echo 'APT::FTPArchive::DoByHash "1";' >> aptconfig.conf
diff --git a/test/integration/test-partial-file-support b/test/integration/test-partial-file-support
index 8cfc3f2d3..e2d2743b3 100755
--- a/test/integration/test-partial-file-support
+++ b/test/integration/test-partial-file-support
@@ -80,7 +80,7 @@ followuprequest() {
webserverconfig 'aptwebserver::support::content-range' 'false'
copysource $TESTFILE 1M $DOWN
- testdownloadfile 'completely downloaded file' "${1}/testfile" "$DOWN" '=' "SHA1:$(sha1sum "$TESTFILE" | cut -d' ' -f 1)"
+ testdownloadfile 'completely downloaded file' "${1}/testfile" "$DOWN" '=' "SHA256:$(sha256sum "$TESTFILE" | cut -d' ' -f 1)"
testwebserverlaststatuscode '416' "$DOWNLOADLOG"
webserverconfig 'aptwebserver::support::content-range' 'true'
diff --git a/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum b/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum
index 015a803bc..7ac993d39 100755
--- a/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum
+++ b/test/integration/test-ubuntu-bug-1098738-apt-get-source-md5sum
@@ -17,6 +17,15 @@ Files:
9604ba9427a280db542279d9ed78400b 3 pkg-md5-ok_1.0.dsc
db5570bf61464b46e2bde31ed61a7dc6 3 pkg-md5-ok_1.0.tar.gz
+Package: pkg-sha1-ok
+Binary: pkg-sha1-ok
+Version: 1.0
+Maintainer: Joe Sixpack <joe@example.org>
+Architecture: all
+Files:
+ 324f464e6151a92cf57b26ef95dcfcf2059a8c44 3 pkg-sha1-ok_1.0.dsc
+ 680254bad1d7ca0d65ec46aaa315d363abf6a50a 3 pkg-sha1-ok_1.0.tar.gz
+
Package: pkg-sha256-ok
Binary: pkg-sha256-ok
Version: 1.0
@@ -139,7 +148,7 @@ Checksums-Sha256:
EOF
# create fetchable files
-for x in 'pkg-md5-ok' 'pkg-sha256-ok' 'pkg-sha256-bad' 'pkg-no-md5' \
+for x in 'pkg-md5-ok' 'pkg-sha1-ok' 'pkg-sha256-ok' 'pkg-sha256-bad' 'pkg-no-md5' \
'pkg-mixed-ok' 'pkg-mixed-sha1-bad' 'pkg-mixed-sha2-bad' \
'pkg-md5-agree' 'pkg-md5-disagree' 'pkg-sha256-disagree' \
'pkg-md5-bad'; do
@@ -230,6 +239,7 @@ Download complete and in download only mode" aptget source --allow-unauthenticat
}
testnohash pkg-md5-ok
+testnohash pkg-sha1-ok
testok pkg-sha256-ok
testkeep pkg-sha256-ok
@@ -255,29 +265,28 @@ testfailure --nomsg test -e pkg-no-md5_1.0.dsc -a -e pkg-no-md5_1.0.tar.gz
# deal with cases in which we haven't for all files the same checksum type
# mostly pathologic as this shouldn't happen, but just to be sure
-testok pkg-mixed-ok
-testfailureequal "Reading package lists...
-Need to get 6 B of source archives.
+testsuccessequal "Reading package lists...
+Skipping download of file 'pkg-mixed-ok_1.0.tar.gz' as requested hashsum is not available for authentication
+Need to get 3 B of source archives.
+Get:1 http://localhost:${APTHTTPPORT} pkg-mixed-ok 1.0 (dsc) [3 B]
+Download complete and in download only mode" aptget source -d pkg-mixed-ok
+
+testsuccessequal "Reading package lists...
+Skipping download of file 'pkg-mixed-sha1-bad_1.0.dsc' as requested hashsum is not available for authentication
+Need to get 3 B of source archives.
Get:1 http://localhost:${APTHTTPPORT} pkg-mixed-sha1-bad 1.0 (tar) [3 B]
-Get:2 http://localhost:${APTHTTPPORT} pkg-mixed-sha1-bad 1.0 (dsc) [3 B]
-Err:2 http://localhost:${APTHTTPPORT} pkg-mixed-sha1-bad 1.0 (dsc)
- Hash Sum mismatch
-E: Failed to fetch http://localhost:${APTHTTPPORT}/pkg-mixed-sha1-bad_1.0.dsc Hash Sum mismatch
-
-E: Failed to fetch some archives." aptget source -d pkg-mixed-sha1-bad
+Download complete and in download only mode" aptget source -d pkg-mixed-sha1-bad
msgtest 'Only tar file is downloaded as the dsc has hashsum mismatch' 'pkg-mixed-sha1-bad'
testsuccess --nomsg test ! -e pkg-mixed-sha1-bad_1.0.dsc -a -e pkg-mixed-sha1-bad_1.0.tar.gz
testfailureequal "Reading package lists...
-Need to get 6 B of source archives.
+Skipping download of file 'pkg-mixed-sha2-bad_1.0.dsc' as requested hashsum is not available for authentication
+Need to get 3 B of source archives.
Get:1 http://localhost:${APTHTTPPORT} pkg-mixed-sha2-bad 1.0 (tar) [3 B]
Err:1 http://localhost:${APTHTTPPORT} pkg-mixed-sha2-bad 1.0 (tar)
Hash Sum mismatch
-Get:2 http://localhost:${APTHTTPPORT} pkg-mixed-sha2-bad 1.0 (dsc) [3 B]
E: Failed to fetch http://localhost:${APTHTTPPORT}/pkg-mixed-sha2-bad_1.0.tar.gz Hash Sum mismatch
E: Failed to fetch some archives." aptget source -d pkg-mixed-sha2-bad
-msgtest 'Only dsc file is downloaded as the tar has hashsum mismatch' 'pkg-mixed-sha2-bad'
-testsuccess --nomsg test -e pkg-mixed-sha2-bad_1.0.dsc -a ! -e pkg-mixed-sha2-bad_1.0.tar.gz
# it gets even more pathologic: multiple entries for one file, some even disagreeing!
testnohash pkg-md5-agree
diff --git a/test/libapt/hashsums_test.cc b/test/libapt/hashsums_test.cc
index 033493f84..705c0297d 100644
--- a/test/libapt/hashsums_test.cc
+++ b/test/libapt/hashsums_test.cc
@@ -328,11 +328,18 @@ TEST(HashSumsTest, HashStringList)
EXPECT_EQ(29, list.FileSize());
EXPECT_TRUE(NULL != list.find("MD5Sum"));
list.push_back(HashString("SHA1", "cacecbd74968bc90ea3342767e6b94f46ddbcafc"));
- EXPECT_TRUE(list.usable());
+ EXPECT_FALSE(list.usable());
EXPECT_EQ(3, list.size());
EXPECT_EQ(29, list.FileSize());
EXPECT_TRUE(NULL != list.find("MD5Sum"));
EXPECT_TRUE(NULL != list.find("SHA1"));
+ list.push_back(HashString("SHA256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
+ EXPECT_TRUE(list.usable());
+ EXPECT_EQ(4, list.size());
+ EXPECT_EQ(29, list.FileSize());
+ EXPECT_TRUE(NULL != list.find("MD5Sum"));
+ EXPECT_TRUE(NULL != list.find("SHA1"));
+ EXPECT_TRUE(NULL != list.find("SHA256"));
Hashes hashes;
hashes.Add("The quick brown fox jumps over the lazy dog");