Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include the NAR hash in the fingerprint) but it helps against endless data attacks [1]. (However, this will also require download-from-binary-cache.pl to bail out if it receives more than the specified number of bytes.) [1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
This commit is contained in:
parent
8c8750ae66
commit
f19b4abfb2
3 changed files with 5 additions and 6 deletions
Makefile
@ -25,7 +25,7 @@ makefiles = \
|
||||||
|
|
||||||
GLOBAL_CXXFLAGS += -std=c++0x -g -Wall
|
GLOBAL_CXXFLAGS += -std=c++0x -g -Wall
|
||||||
|
|
||||||
include Makefile.config
|
-include Makefile.config
|
||||||
|
|
||||||
OPTIMIZE = 1
|
OPTIMIZE = 1
|
||||||
|
|
||||||
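Review bot: Silently tolerating a missing Makefile.config is a behaviour change that has nothing to do with the NAR-size fingerprint this commit is about, and the message does not mention it: with `-include Makefile.config` a missing or unreadable config is no longer a hard error, so a build would proceed with whatever defaults the other makefiles supply. If the intent is to let `make` run before `./configure` has produced the file, a one-line comment recording that, `# -include: Makefile.config may not exist yet (before ./configure)`, would explain the leniency; otherwise this line belongs in its own commit. This rendering does not mark which of the two `include` lines is the new side, so this assumes the `-include` form is the addition.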
|
|
|
@ -377,7 +377,6 @@ EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Delete all old manifests downloaded from a given URL.
|
# Delete all old manifests downloaded from a given URL.
|
||||||
sub deleteOldManifests {
|
sub deleteOldManifests {
|
||||||
my ($url, $curUrlFile) = @_;
|
my ($url, $curUrlFile) = @_;
|
||||||
|
@ -399,14 +398,14 @@ sub deleteOldManifests {
|
||||||
# signatures. It contains the store path, the SHA-256 hash of the
|
# signatures. It contains the store path, the SHA-256 hash of the
|
||||||
# contents of the path, and the references.
|
# contents of the path, and the references.
|
||||||
sub fingerprintPath {
|
sub fingerprintPath {
|
||||||
my ($storePath, $narHash, $references) = @_;
|
my ($storePath, $narHash, $narSize, $references) = @_;
|
||||||
die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
||||||
die if substr($narHash, 0, 7) ne "sha256:";
|
die if substr($narHash, 0, 7) ne "sha256:";
|
||||||
die if length($narHash) != 59;
|
die if length($narHash) != 59;
|
||||||
foreach my $ref (@{$references}) {
|
foreach my $ref (@{$references}) {
|
||||||
die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
||||||
}
|
}
|
||||||
return "1;" . $storePath . ";" . $narHash . ";" . join(",", @{$references});
|
return "1;" . $storePath . ";" . $narHash . ";" . $narSize . ";" . join(",", @{$references});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
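Review bot: fingerprintPath validates $storePath, $narHash and every reference before building the string, but the new $narSize argument is interpolated into the fingerprint unchecked; on the verifying side parseNARInfo (hunk below) passes it a value that is presumably parsed from a .narinfo served by the binary cache, so an undefined size would yield an empty `;;` component and a value containing `;` or `,` would make the `;`-delimited fingerprint ambiguous. A guard in the same style as the existing ones, `die if !defined $narSize || $narSize !~ /^\d+$/;`, fails closed and keeps the invariant that every signed component has a known shape. The header comment above the sub still says the fingerprint contains only the store path, hash and references; it should read `# contents of the path, the NAR size, and the references.` Note that, as the commit message itself acknowledges, the signed size only defends against endless-data attacks once the downloader stops reading at that byte count, which this change does not add.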
|
@ -464,7 +463,7 @@ sub parseNARInfo {
|
||||||
}
|
}
|
||||||
|
|
||||||
my $fingerprint = fingerprintPath(
|
my $fingerprint = fingerprintPath(
|
||||||
$storePath, $narHash,
|
$storePath, $narHash, $narSize,
|
||||||
[ map { "$Nix::Config::storeDir/$_" } @refs ]);
|
[ map { "$Nix::Config::storeDir/$_" } @refs ]);
|
||||||
|
|
||||||
if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {
|
if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {
|
||||||
|
|
|
@ -257,7 +257,7 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) {
|
||||||
chomp $s;
|
chomp $s;
|
||||||
my ($keyName, $secretKey) = split ":", $s;
|
my ($keyName, $secretKey) = split ":", $s;
|
||||||
die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey;
|
die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey;
|
||||||
my $fingerprint = fingerprintPath($storePath, $narHash, $refs);
|
my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
|
||||||
my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
|
my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
|
||||||
$info .= "Sig: $keyName:$sig\n";
|
$info .= "Sig: $keyName:$sig\n";
|
||||||
}
|
}
|
||||||
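Review bot: The signature produced on the new `my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);` line now binds whatever $narSize holds at that point, and that variable is assigned outside this hunk (the enclosing `for` loop over @storePaths2 begins before it), so it must be exactly the value the generated narinfo advertises as its NAR size — presumably the uncompressed size, not the compressed file size — or every client will compute a different fingerprint and reject the signature. A guard before signing, `die "invalid NAR size for $storePath\n" unless defined $narSize && $narSize =~ /^\d+$/;`, would abort the push on a missing or non-numeric size instead of emitting a signature over an `;;` component. If the size is already validated where it is computed, a short comment here, `# $narSize must match the NarSize field written to $info`, would make that coupling explicit for the next maintainer.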
|
|