about summary refs log tree commit diff
path: root/perl/lib
diff options
context:
space:
mode:
authorEelco Dolstra <eelco.dolstra@logicblox.com>2015-02-17T12·16+0100
committerEelco Dolstra <eelco.dolstra@logicblox.com>2015-02-17T12·16+0100
commitf19b4abfb2c238a98f749812c9ba294dd98d8bd0 (patch)
treec135e5fcc4e1dc2722119c624adb80a6385f80c5 /perl/lib
parent8c8750ae661559613ee357d5814505b933258aaf (diff)
Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include
the NAR hash in the fingerprint) but it helps against endless data
attacks [1]. (However, this will also require
download-from-binary-cache.pl to bail out if it receives more than the
specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
Diffstat (limited to 'perl/lib')
-rw-r--r--perl/lib/Nix/Manifest.pm7
1 files changed, 3 insertions, 4 deletions
diff --git a/perl/lib/Nix/Manifest.pm b/perl/lib/Nix/Manifest.pm
index b82c82fb253c..93c9c261ddc9 100644
--- a/perl/lib/Nix/Manifest.pm
+++ b/perl/lib/Nix/Manifest.pm
@@ -377,7 +377,6 @@ EOF
 }
 
 
-
 # Delete all old manifests downloaded from a given URL.
 sub deleteOldManifests {
     my ($url, $curUrlFile) = @_;
@@ -399,14 +398,14 @@ sub deleteOldManifests {
 # signatures. It contains the store path, the SHA-256 hash of the
 # contents of the path, and the references.
 sub fingerprintPath {
-    my ($storePath, $narHash, $references) = @_;
+    my ($storePath, $narHash, $narSize, $references) = @_;
     die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
     die if substr($narHash, 0, 7) ne "sha256:";
     die if length($narHash) != 59;
     foreach my $ref (@{$references}) {
         die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
     }
-    return "1;" . $storePath . ";" . $narHash . ";" . join(",", @{$references});
+    return "1;" . $storePath . ";" . $narHash . ";" . $narSize . ";" . join(",", @{$references});
 }
 
 
@@ -464,7 +463,7 @@ sub parseNARInfo {
         }
 
         my $fingerprint = fingerprintPath(
-            $storePath, $narHash,
+            $storePath, $narHash, $narSize,
             [ map { "$Nix::Config::storeDir/$_" } @refs ]);
 
         if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {