From f19b4abfb2c238a98f749812c9ba294dd98d8bd0 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 17 Feb 2015 13:16:58 +0100
Subject: Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include the NAR hash in the fingerprint) but it helps against endless data attacks [1]. (However, this will also require download-from-binary-cache.pl to bail out if it receives more than the specified number of bytes.)
[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
---
scripts/nix-push.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'scripts')
diff --git a/scripts/nix-push.in b/scripts/nix-push.in
index a060ea128fd1..d5d3bc1e7e79 100755
--- a/scripts/nix-push.in
+++ b/scripts/nix-push.in
@@ -257,7 +257,7 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) {
 chomp $s;
 my ($keyName, $secretKey) = split ":", $s;
 die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey;
- my $fingerprint = fingerprintPath($storePath, $narHash, $refs);
+ my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
 my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
 $info .= "Sig: $keyName:$sig\n";
 }
--
cgit 1.4.1
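Review bot: The new `fingerprintPath($storePath, $narHash, $narSize, $refs)` call signs `$narSize` with no check in this hunk that it is defined and a plain decimal integer. Perl enforces neither arity nor types, so a missing or oddly formatted size would still be signed, presumably yielding a signature that no verifier can reproduce. A guard just before the call would fail closed, for example `die "invalid NAR size for ‘$storePath’\n" unless defined $narSize && $narSize =~ /^[0-9]+$/;`. The signed value should also be the same scalar written to the `NarSize:` field of `$info`, and it is worth a short comment such as `# NarSize is part of the signed fingerprint; verifiers must rebuild it with the same fields in the same order`. The definition of `fingerprintPath` and the place where `$narSize` is assigned lie outside this hunk (the view is limited to 'scripts'), so confirm the callee takes the size as its third argument rather than receiving it in the `$refs` position.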