cafkafk/lix
cafkafk/lix
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Include NAR size in fingerprint computation

Browse source 
This is not strictly needed for integrity (since we already include
the NAR hash in the fingerprint) but it helps against endless data
attacks [1]. (However, this will also require
download-from-binary-cache.pl to bail out if it receives more than the
specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
This commit is contained in:
Eelco Dolstra 2015-02-17 13:16:58 +01:00
parent 8c8750ae66
commit f19b4abfb2
3 changed files with 5 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Makefile
View file

@ -25,7 +25,7 @@ makefiles = \
GLOBAL_CXXFLAGS += -std=c++0x -g -Wall
include Makefile.config
-include Makefile.config
OPTIMIZE = 1

7
perl/lib/Nix/Manifest.pm
View file

@ -377,7 +377,6 @@ EOF
}
# Delete all old manifests downloaded from a given URL.
sub deleteOldManifests {
my ($url, $curUrlFile) = @_;
@ -399,14 +398,14 @@ sub deleteOldManifests {
# signatures. It contains the store path, the SHA-256 hash of the
# contents of the path, and the references.
sub fingerprintPath {
my ($storePath, $narHash, $references) = @_;
my ($storePath, $narHash, $narSize, $references) = @_;
die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
die if substr($narHash, 0, 7) ne "sha256:";
die if length($narHash) != 59;
foreach my $ref (@{$references}) {
die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
}
return "1;" . $storePath . ";" . $narHash . ";" . join(",", @{$references});
return "1;" . $storePath . ";" . $narHash . ";" . $narSize . ";" . join(",", @{$references});
}
@ -464,7 +463,7 @@ sub parseNARInfo {
}
my $fingerprint = fingerprintPath(
$storePath, $narHash,
$storePath, $narHash, $narSize,
[ map { "$Nix::Config::storeDir/$_" } @refs ]);
if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {

2
scripts/nix-push.in
View file

@ -257,7 +257,7 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) {
chomp $s;
my ($keyName, $secretKey) = split ":", $s;
die "invalid secret key file $secretKeyFile\n" unless defined $keyName && defined $secretKey;
my $fingerprint = fingerprintPath($storePath, $narHash, $refs);
my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
$info .= "Sig: $keyName:$sig\n";
}