authorDavid Kalnischkies <david@kalnischkies.de>2015-05-18 22:15:06 +0200
committerDavid Kalnischkies <david@kalnischkies.de>2015-05-18 22:15:06 +0200
commit6bf93605fdb8e858d3f0a79a124c1d39f760094d (patch)
tree4f1fb6549db04d6b39845e8587316460b493f249 /test/integration/test-releasefile-verification
parent8eafc759544298211cd0bfaa3919afc0fadd47d1 (diff)
treat older Release files than we already have as an IMSHit
Valid-Until protects us from long-living downgrade attacks, but not all repositories have it and an attacker could still use older but still valid files to downgrade us. While this makes it sound like a security improvement now, it's a bit theoretical at best as an attacker with capabilities to pull this off could just as well always keep us days (but in the valid period) behind and always knows which state we have, as we tell him with the If-Modified-Since header. This is also why this is 'silently' ignored and treated as an IMSHit rather than screamed at the user as this can at best be an annoyance for attackers. An error here would 'regularly' be encountered by users by out-of-sync mirrors serving a single run (e.g. load balancer) or in two consecutive runs on the other hand, so it would just help teaching people to ignore it. That said, most of the code churn is caused by enforcing this additional requirement. Crisscross from InRelease to Release.gpg is e.g. very unlikely in practice, but if we would ignore it an attacker could sidestep it this way.
Diffstat (limited to 'test/integration/test-releasefile-verification')
-rwxr-xr-xtest/integration/test-releasefile-verification70
1 files changed, 27 insertions, 43 deletions
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 363b7fe5b..469ed34d2 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -91,25 +91,9 @@ touch aptarchive/apt.deb
PKGFILE="${TESTDIR}/$(echo "$(basename $0)" | sed 's#^test-#Packages-#')"
-updatesuccess() {
- local LOG='update.log'
- if aptget update >$LOG 2>&1 || grep -q -E '^(W|E): ' $LOG; then
- msgpass
- else
- cat $LOG
- msgfail
- fi
-}
-
-updatefailure() {
- local LOG='update.log'
- aptget update >$LOG 2>&1 || true
- if grep -q -E "$1" $LOG; then
- msgpass
- else
- cat $LOG
- msgfail
- fi
+updatewithwarnings() {
+ testwarning aptget update
+ testsuccess grep -E "$1" rootdir/tmp/testwarning.output
}
runtest() {
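Review bot: `updatewithwarnings` is undocumented, and its contract differs from the `updatefailure` it replaces in a way the name alone does not convey. The old helper discarded the exit status with `|| true`, while the new one goes through `testwarning`, which presumably requires the update to complete with warnings only; `testwarning` is defined outside this file, so confirm that. I would add a header comment such as `# run 'aptget update', expect warnings but no error, and require a warning line matching the ERE in $1`. The hard-coded `rootdir/tmp/testwarning.output` ties this helper to where `testwarning` writes its log, so a second comment saying so would spare the next reader a search through the framework.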
@@ -117,8 +101,8 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Cold archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Cold archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
installaptold
@@ -126,8 +110,8 @@ runtest() {
prepare ${PKGFILE}-new
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Good warm archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Good warm archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
installaptnew
@@ -137,8 +121,8 @@ runtest() {
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
signreleasefiles 'Rex Expired'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Cold archive signed by' 'Rex Expired'
- updatefailure '^W: .* KEYEXPIRED'
+ msgmsg 'Cold archive signed by' 'Rex Expired'
+ updatewithwarnings '^W: .* KEYEXPIRED'
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
failaptold
@@ -148,8 +132,8 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Cold archive signed by' 'Marvin Paranoid'
- updatefailure '^W: .* NO_PUBKEY'
+ msgmsg 'Cold archive signed by' 'Marvin Paranoid'
+ updatewithwarnings '^W: .* NO_PUBKEY'
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
failaptold
@@ -162,8 +146,8 @@ runtest() {
done
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Bad warm archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Bad warm archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
installaptnew
@@ -173,8 +157,8 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Cold archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Cold archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
installaptold
@@ -182,8 +166,8 @@ runtest() {
prepare ${PKGFILE}-new
signreleasefiles 'Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Good warm archive signed by' 'Marvin Paranoid'
- updatefailure '^W: .* NO_PUBKEY'
+ msgmsg 'Good warm archive signed by' 'Marvin Paranoid'
+ updatewithwarnings '^W: .* NO_PUBKEY'
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
installaptold
@@ -192,8 +176,8 @@ runtest() {
cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
signreleasefiles 'Rex Expired'
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Good warm archive signed by' 'Rex Expired'
- updatefailure '^W: .* KEYEXPIRED'
+ msgmsg 'Good warm archive signed by' 'Rex Expired'
+ updatewithwarnings '^W: .* KEYEXPIRED'
testsuccessequal "$(cat ${PKGFILE})
" aptcache show apt
installaptold
@@ -202,8 +186,8 @@ runtest() {
prepare ${PKGFILE}-new
signreleasefiles
find aptarchive/ -name "$DELETEFILE" -delete
- msgtest 'Good warm archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Good warm archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
installaptnew
@@ -213,24 +197,24 @@ runtest2() {
prepare ${PKGFILE}
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Joe Sixpack'
- msgtest 'Cold archive signed by' 'Joe Sixpack'
- updatesuccess
+ msgmsg 'Cold archive signed by' 'Joe Sixpack'
+ testsuccess aptget update
# New .deb but now an unsigned archive. For example MITM to circumvent
# package verification.
prepare ${PKGFILE}-new
find aptarchive/ -name InRelease -delete
find aptarchive/ -name Release.gpg -delete
- msgtest 'Warm archive signed by' 'nobody'
- updatesuccess
+ msgmsg 'Warm archive signed by' 'nobody'
+ updatewithwarnings 'W: .* no longer signed.'
testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
failaptnew
# Unsigned archive from the beginning must also be detected.
rm -rf rootdir/var/lib/apt/lists
- msgtest 'Cold archive signed by' 'nobody'
- updatesuccess
+ msgmsg 'Cold archive signed by' 'nobody'
+ updatewithwarnings 'W: .* is not signed.'
testsuccessequal "$(cat ${PKGFILE}-new)
" aptcache show apt
failaptnew
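Review bot: The two patterns added in `runtest2`, `'W: .* no longer signed.'` and `'W: .* is not signed.'`, are looser than the `'^W: .* KEYEXPIRED'` form used throughout `runtest`. They are not anchored, and under `grep -E` the trailing `.` matches any character rather than a literal full stop. These are the checks guarding the unsigned-archive case that the comment in this hunk describes as a MITM attempt, so I would tighten them to `updatewithwarnings '^W: .* no longer signed\.'` and `updatewithwarnings '^W: .* is not signed\.'`. That way only a real warning line ending in that sentence satisfies the test. `runtest2` begins above the hunk, so the rest of its setup is not visible here.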