Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include the NAR hash in the fingerprint) but it helps against endless data attacks [1]. (However, this will also require download-from-binary-cache.pl to bail out if it receives more than the specified number of bytes.) [1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
This commit is contained in:
parent
8c8750ae66
commit
f19b4abfb2
2
Makefile
2
Makefile
|
@ -25,7 +25,7 @@ makefiles = \
|
||||||
|
|
||||||
GLOBAL_CXXFLAGS += -std=c++0x -g -Wall
|
GLOBAL_CXXFLAGS += -std=c++0x -g -Wall
|
||||||
|
|
||||||
include Makefile.config
|
-include Makefile.config
|
||||||
|
|
||||||
OPTIMIZE = 1
|
OPTIMIZE = 1
|
||||||
|
|
||||||
|
|
|
@ -377,7 +377,6 @@ EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Delete all old manifests downloaded from a given URL.
|
# Delete all old manifests downloaded from a given URL.
|
||||||
sub deleteOldManifests {
|
sub deleteOldManifests {
|
||||||
my ($url, $curUrlFile) = @_;
|
my ($url, $curUrlFile) = @_;
|
||||||
|
@ -399,14 +398,14 @@ sub deleteOldManifests {
|
||||||
# signatures. It contains the store path, the SHA-256 hash of the
|
# signatures. It contains the store path, the SHA-256 hash of the
|
||||||
# contents of the path, and the references.
|
# contents of the path, and the references.
|
||||||
sub fingerprintPath {
|
sub fingerprintPath {
|
||||||
my ($storePath, $narHash, $references) = @_;
|
my ($storePath, $narHash, $narSize, $references) = @_;
|
||||||
die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
||||||
die if substr($narHash, 0, 7) ne "sha256:";
|
die if substr($narHash, 0, 7) ne "sha256:";
|
||||||
die if length($narHash) != 59;
|
die if length($narHash) != 59;
|
||||||
foreach my $ref (@{$references}) {
|
foreach my $ref (@{$references}) {
|
||||||
die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
||||||
}
|
}
|
||||||
return "1;" . $storePath . ";" . $narHash . ";" . join(",", @{$references});
|
return "1;" . $storePath . ";" . $narHash . ";" . $narSize . ";" . join(",", @{$references});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -464,7 +463,7 @@ sub parseNARInfo {
|
||||||
}
|
}
|
||||||
|
|
||||||
my $fingerprint = fingerprintPath(
|
my $fingerprint = fingerprintPath(
|
||||||
$storePath, $narHash,
|
$storePath, $narHash, $narSize,
|
||||||
[ map { "$Nix::Config::storeDir/$_" } @refs ]);
|
[ map { "$Nix::Config::storeDir/$_" } @refs ]);
|
||||||
|
|
||||||
if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {
|
if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {
|
||||||
|
|
|
@ -257,7 +257,7 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) {
|
||||||
chomp $s;
|
chomp $s;
|
||||||
my ($keyName, $secretKey) = split ":", $s;
|
my ($keyName, $secretKey) = split ":", $s;
|
||||||
die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey;
|
die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey;
|
||||||
my $fingerprint = fingerprintPath($storePath, $narHash, $refs);
|
my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
|
||||||
my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
|
my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
|
||||||
$info .= "Sig: $keyName:$sig\n";
|
$info .= "Sig: $keyName:$sig\n";
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue