Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include the NAR hash in the fingerprint) but it helps against endless data attacks [1]. (However, this will also require download-from-binary-cache.pl to bail out if it receives more than the specified number of bytes.) [1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
This commit is contained in:
parent
8c8750ae66
commit
f19b4abfb2
3 changed files with 5 additions and 6 deletions
2
Makefile
2
Makefile
|
@ -25,7 +25,7 @@ makefiles = \
|
|||
|
||||
GLOBAL_CXXFLAGS += -std=c++0x -g -Wall
|
||||
|
||||
include Makefile.config
|
||||
-include Makefile.config
|
||||
|
||||
OPTIMIZE = 1
|
||||
|
||||
|
|
|
@ -377,7 +377,6 @@ EOF
|
|||
}
|
||||
|
||||
|
||||
|
||||
# Delete all old manifests downloaded from a given URL.
|
||||
sub deleteOldManifests {
|
||||
my ($url, $curUrlFile) = @_;
|
||||
|
@ -399,14 +398,14 @@ sub deleteOldManifests {
|
|||
# signatures. It contains the store path, the SHA-256 hash of the
|
||||
# contents of the path, and the references.
|
||||
sub fingerprintPath {
|
||||
my ($storePath, $narHash, $references) = @_;
|
||||
my ($storePath, $narHash, $narSize, $references) = @_;
|
||||
die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
||||
die if substr($narHash, 0, 7) ne "sha256:";
|
||||
die if length($narHash) != 59;
|
||||
foreach my $ref (@{$references}) {
|
||||
die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
|
||||
}
|
||||
return "1;" . $storePath . ";" . $narHash . ";" . join(",", @{$references});
|
||||
return "1;" . $storePath . ";" . $narHash . ";" . $narSize . ";" . join(",", @{$references});
|
||||
}
|
||||
|
||||
|
||||
|
@ -464,7 +463,7 @@ sub parseNARInfo {
|
|||
}
|
||||
|
||||
my $fingerprint = fingerprintPath(
|
||||
$storePath, $narHash,
|
||||
$storePath, $narHash, $narSize,
|
||||
[ map { "$Nix::Config::storeDir/$_" } @refs ]);
|
||||
|
||||
if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {
|
||||
|
|
|
@ -257,7 +257,7 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) {
|
|||
chomp $s;
|
||||
my ($keyName, $secretKey) = split ":", $s;
|
||||
die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey;
|
||||
my $fingerprint = fingerprintPath($storePath, $narHash, $refs);
|
||||
my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
|
||||
my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
|
||||
$info .= "Sig: $keyName:$sig\n";
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue