Reject weak hash algorithms as SRIs, and warn in any other cases
Fixes #114
Change-Id: Ib9e68edfed5c186a029531e1eb9bda9d2e338e54
parent
2734a9cf94
commit
02c35ea9df
|
@ -129,6 +129,11 @@ roberth:
|
||||||
display_name: Robert Hensing
|
display_name: Robert Hensing
|
||||||
github: roberth
|
github: roberth
|
||||||
|
|
||||||
|
tcmal:
|
||||||
|
display_name: Aria
|
||||||
|
forgejo: tcmal
|
||||||
|
github: tcmal
|
||||||
|
|
||||||
thufschmitt:
|
thufschmitt:
|
||||||
display_name: Théophane Hufschmitt
|
display_name: Théophane Hufschmitt
|
||||||
github: thufschmitt
|
github: thufschmitt
|
||||||
|
|
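--- a/doc/manual/rl-next/reject-weak-hashes.md
+++ b/doc/manual/rl-next/reject-weak-hashes.md
@@ -0,0 +1,11 @@
+---
+synopsis: "Weak hash algorithms are now rejected in SRI form, and cause a warning otherwise"
+category: Breaking Changes
+credits: tcmal
+cls: [2110]
+issues: [8982, fj#114]
+---
+
+MD5 and SHA-1 algorithms are now no longer allowed in SRI form, as specified in [the spec](https://w3c.github.io/webappsec-subresource-integrity/#hash-functions).
+
+These hash types will also give a warning when used in other cases.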
|
@ -8,6 +8,7 @@
|
||||||
#include "hash.hh"
|
#include "hash.hh"
|
||||||
#include "archive.hh"
|
#include "archive.hh"
|
||||||
#include "charptr-cast.hh"
|
#include "charptr-cast.hh"
|
||||||
|
#include "fmt.hh"
|
||||||
#include "logging.hh"
|
#include "logging.hh"
|
||||||
#include "split.hh"
|
#include "split.hh"
|
||||||
#include "strings.hh"
|
#include "strings.hh"
|
||||||
|
@ -210,6 +211,17 @@ Hash Hash::parseNonSRIUnprefixed(std::string_view s, HashType type)
|
||||||
Hash::Hash(std::string_view rest, HashType type, bool isSRI)
|
Hash::Hash(std::string_view rest, HashType type, bool isSRI)
|
||||||
: Hash(type)
|
: Hash(type)
|
||||||
{
|
{
|
||||||
|
if (type == HashType::MD5 || type == HashType::SHA1) {
|
||||||
|
if (isSRI) {
|
||||||
|
// Forbidden as per https://w3c.github.io/webappsec-csp/#grammardef-hash-algorithm
|
||||||
|
throw BadHash("%s values are not allowed in SRI hashes", printHashType(type));
|
||||||
|
} else {
|
||||||
|
logWarning({
|
||||||
|
.msg = HintFmt("%s hashes are considered weak, use a newer hashing algorithm instead. (value: %s)", Uncolored(printHashType(type)), rest)
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!isSRI && rest.size() == base16Len()) {
|
if (!isSRI && rest.size() == base16Len()) {
|
||||||
|
|
||||||
auto parseHexDigit = [&](char c) {
|
auto parseHexDigit = [&](char c) {
|
||||||
|
|
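Review bot: The weak-algorithm check at the top of `Hash::Hash` runs before `rest` is length-checked or decoded, so the non-SRI branch prints the caller-supplied string in the warning as given, even when parsing fails a few lines later. Whether `HintFmt` neutralises control characters is not visible here; if it does not, a crafted value reaches the terminal or log unfiltered. Issuing the warning only after the decode succeeds, or dropping the value as in `.msg = HintFmt("%s hashes are considered weak, use a newer hashing algorithm instead.", Uncolored(printHashType(type)))`, avoids that. The warning is also emitted on every construction, so callers that parse the same MD5 or SHA-1 hash repeatedly will presumably repeat it. The constructor body continues past the end of the hunk.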
|
@ -102,6 +102,5 @@ try3() {
|
||||||
h16=$(nix hash to-base16 "$sri")
|
h16=$(nix hash to-base16 "$sri")
|
||||||
[ "$h16" = "$2" ]
|
[ "$h16" = "$2" ]
|
||||||
}
|
}
|
||||||
try3 sha1 "800d59cfcd3c05e900cb4e214be48f6b886a08df" "vw46m23bizj4n8afrc0fj19wrp7mj3c0" "gA1Zz808BekAy04hS+SPa4hqCN8="
|
|
||||||
try3 sha256 "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" "1b8m03r63zqhnjf7l5wnldhh7c134ap5vpj0850ymkq1iyzicy5s" "ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="
|
try3 sha256 "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" "1b8m03r63zqhnjf7l5wnldhh7c134ap5vpj0850ymkq1iyzicy5s" "ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="
|
||||||
try3 sha512 "204a8fc6dda82f0a0ced7beb8e08a41657c16ef468b228a8279be331a703c33596fd15c13b1b07f9aa1d3bea57789ca031ad85c7a71dd70354ec631238ca3445" "12k9jiq29iyqm03swfsgiw5mlqs173qazm3n7daz43infy12pyrcdf30fkk3qwv4yl2ick8yipc2mqnlh48xsvvxl60lbx8vp38yji0" "IEqPxt2oLwoM7XvrjgikFlfBbvRosiioJ5vjMacDwzWW/RXBOxsH+aodO+pXeJygMa2Fx6cd1wNU7GMSOMo0RQ=="
|
try3 sha512 "204a8fc6dda82f0a0ced7beb8e08a41657c16ef468b228a8279be331a703c33596fd15c13b1b07f9aa1d3bea57789ca031ad85c7a71dd70354ec631238ca3445" "12k9jiq29iyqm03swfsgiw5mlqs173qazm3n7daz43infy12pyrcdf30fkk3qwv4yl2ick8yipc2mqnlh48xsvvxl60lbx8vp38yji0" "IEqPxt2oLwoM7XvrjgikFlfBbvRosiioJ5vjMacDwzWW/RXBOxsH+aodO+pXeJygMa2Fx6cd1wNU7GMSOMo0RQ=="
|
||||||
|
|
|
@ -191,6 +191,7 @@ functional_tests_scripts = [
|
||||||
'extra-sandbox-profile.sh',
|
'extra-sandbox-profile.sh',
|
||||||
'substitute-truncated-nar.sh',
|
'substitute-truncated-nar.sh',
|
||||||
'regression-484.sh',
|
'regression-484.sh',
|
||||||
|
'reject-weak-hashes.sh'
|
||||||
]
|
]
|
||||||
|
|
||||||
# Plugin tests require shared libraries support.
|
# Plugin tests require shared libraries support.
|
||||||
|
|
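--- a/tests/functional/reject-weak-hashes.sh
+++ b/tests/functional/reject-weak-hashes.sh
@@ -0,0 +1,11 @@
+source common.sh
+
+expectStderr 1 nix hash to-sri md5-rrdBU2a35b2PM2ZO+n/zGw== \
+| grepQuiet "md5 values are not allowed"
+expectStderr 1 nix hash to-sri sha1-SXZKz6Po0xFryhnhSDvvOfAuBOo= \
+| grepQuiet "sha1 values are not allowed"
+
+nix hash to-sri --type md5 a180c3fe91680389c210c99def54d9e0 2>&1 \
+| grepQuiet "md5 hashes are considered weak"
+nix hash to-sri --type sha1 49764acfa3e8d3116bca19e1483bef39f02e04ea 2>&1 \
+| grepQuiet "sha1 hashes are considered weak"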
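Review bot: The two warning cases (`nix hash to-sri --type md5 …` and the `sha1` one) assert only that the warning text appears; neither the exit status nor the printed value is checked. As written they suggest `to-sri` still succeeds for MD5 and SHA-1 and so presumably prints an `md5-…` or `sha1-…` SRI string, which the first two cases show the same command now rejects as input. If that asymmetry is intended, a comment such as `# conversion to SRI still succeeds for weak types; only SRI input is rejected` would record it. Otherwise these cases should expect failure like the SRI ones.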