diff options
author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-02-17T12·16+0100 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-02-17T12·16+0100 |
commit | f19b4abfb2c238a98f749812c9ba294dd98d8bd0 (patch) | |
tree | c135e5fcc4e1dc2722119c624adb80a6385f80c5 | |
parent | 8c8750ae661559613ee357d5814505b933258aaf (diff) |
Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include the NAR hash in the fingerprint) but it helps against endless data attacks [1]. (However, this will also require download-from-binary-cache.pl to bail out if it receives more than the specified number of bytes.) [1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | perl/lib/Nix/Manifest.pm | 7 | ||||
-rwxr-xr-x | scripts/nix-push.in | 2 |
3 files changed, 5 insertions, 6 deletions
diff --git a/Makefile b/Makefile index 08e4012f99b2..d8d4a7cc5768 100644 --- a/Makefile +++ b/Makefile @@ -25,7 +25,7 @@ makefiles = \ GLOBAL_CXXFLAGS += -std=c++0x -g -Wall -include Makefile.config +-include Makefile.config OPTIMIZE = 1 diff --git a/perl/lib/Nix/Manifest.pm b/perl/lib/Nix/Manifest.pm index b82c82fb253c..93c9c261ddc9 100644 --- a/perl/lib/Nix/Manifest.pm +++ b/perl/lib/Nix/Manifest.pm @@ -377,7 +377,6 @@ EOF } - # Delete all old manifests downloaded from a given URL. sub deleteOldManifests { my ($url, $curUrlFile) = @_; @@ -399,14 +398,14 @@ sub deleteOldManifests { # signatures. It contains the store path, the SHA-256 hash of the # contents of the path, and the references. sub fingerprintPath { - my ($storePath, $narHash, $references) = @_; + my ($storePath, $narHash, $narSize, $references) = @_; die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir; die if substr($narHash, 0, 7) ne "sha256:"; die if length($narHash) != 59; foreach my $ref (@{$references}) { die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir; } - return "1;" . $storePath . ";" . $narHash . ";" . join(",", @{$references}); + return "1;" . $storePath . ";" . $narHash . ";" . $narSize . ";" . join(",", @{$references}); } @@ -464,7 +463,7 @@ sub parseNARInfo { } my $fingerprint = fingerprintPath( - $storePath, $narHash, + $storePath, $narHash, $narSize, [ map { "$Nix::Config::storeDir/$_" } @refs ]); if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) { diff --git a/scripts/nix-push.in b/scripts/nix-push.in index a060ea128fd1..d5d3bc1e7e79 100755 --- a/scripts/nix-push.in +++ b/scripts/nix-push.in @@ -257,7 +257,7 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) { chomp $s; my ($keyName, $secretKey) = split ":", $s; die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey; - my $fingerprint = fingerprintPath($storePath, $narHash, $refs); + my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs); my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), ""); $info .= "Sig: $keyName:$sig\n"; } |