authorEelco Dolstra <eelco.dolstra@logicblox.com>2015-02-17T12·16+0100
committerEelco Dolstra <eelco.dolstra@logicblox.com>2015-02-17T12·16+0100
commitf19b4abfb2c238a98f749812c9ba294dd98d8bd0 (patch)
treec135e5fcc4e1dc2722119c624adb80a6385f80c5
parent8c8750ae661559613ee357d5814505b933258aaf (diff)
Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include
the NAR hash in the fingerprint) but it helps against endless data
attacks [1]. (However, this will also require
download-from-binary-cache.pl to bail out if it receives more than the
specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
-rw-r--r--Makefile2
-rw-r--r--perl/lib/Nix/Manifest.pm7
-rwxr-xr-xscripts/nix-push.in2
3 files changed, 5 insertions, 6 deletions
diff --git a/Makefile b/Makefile
index 08e4012f99b2..d8d4a7cc5768 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,7 @@ makefiles = \
 
 GLOBAL_CXXFLAGS += -std=c++0x -g -Wall
 
-include Makefile.config
+-include Makefile.config
 
 OPTIMIZE = 1
 
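Review bot: With `-include Makefile.config`, a missing Makefile.config no longer stops the build, so an unconfigured tree would presumably carry on with that file's settings unset instead of failing at this line. The change is unrelated to the fingerprint computation and is not mentioned in the commit message. If it is intentional, a one-line comment above the directive saying why the file is optional would keep it from being reverted as a typo.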
diff --git a/perl/lib/Nix/Manifest.pm b/perl/lib/Nix/Manifest.pm
index b82c82fb253c..93c9c261ddc9 100644
--- a/perl/lib/Nix/Manifest.pm
+++ b/perl/lib/Nix/Manifest.pm
@@ -377,7 +377,6 @@ EOF
 }
 
 
-
 # Delete all old manifests downloaded from a given URL.
 sub deleteOldManifests {
     my ($url, $curUrlFile) = @_;
@@ -399,14 +398,14 @@ sub deleteOldManifests {
 # signatures. It contains the store path, the SHA-256 hash of the
 # contents of the path, and the references.
 sub fingerprintPath {
-    my ($storePath, $narHash, $references) = @_;
+    my ($storePath, $narHash, $narSize, $references) = @_;
     die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
     die if substr($narHash, 0, 7) ne "sha256:";
     die if length($narHash) != 59;
     foreach my $ref (@{$references}) {
         die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
     }
-    return "1;" . $storePath . ";" . $narHash . ";" . join(",", @{$references});
+    return "1;" . $storePath . ";" . $narHash . ";" . $narSize . ";" . join(",", @{$references});
 }
 
 
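Review bot: `$narSize` is concatenated into the signed string with no check, unlike `$storePath`, `$narHash` and each reference, which are validated just above it. An undefined value, or one containing `;`, would still yield a fingerprint, and the field boundaries would no longer be unambiguous. Adding `die if !defined $narSize || $narSize !~ /\A[0-9]+\z/;` before the `return` covers both callers changed in this commit (parseNARInfo and nix-push). The comment above the sub still lists only the store path, the hash and the references, and should now mention the NAR size. The leading `"1;"` is unchanged although the layout changed, so signatures made over the old three-field string will presumably stop verifying, which is worth noting in that comment.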
@@ -464,7 +463,7 @@ sub parseNARInfo {
         }
 
         my $fingerprint = fingerprintPath(
-            $storePath, $narHash,
+            $storePath, $narHash, $narSize,
             [ map { "$Nix::Config::storeDir/$_" } @refs ]);
 
         if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {
diff --git a/scripts/nix-push.in b/scripts/nix-push.in
index a060ea128fd1..d5d3bc1e7e79 100755
--- a/scripts/nix-push.in
+++ b/scripts/nix-push.in
@@ -257,7 +257,7 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) {
         chomp $s;
         my ($keyName, $secretKey) = split ":", $s;
         die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey;
-        my $fingerprint = fingerprintPath($storePath, $narHash, $refs);
+        my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
         my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
         $info .= "Sig: $keyName:$sig\n";
     }