wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-06-25 06:31:14 +02:00
Code Activity

Include NAR size in fingerprint computation

Browse source 
This is not strictly needed for integrity (since we already include
the NAR hash in the fingerprint) but it helps against endless data
attacks [1]. (However, this will also require
download-from-binary-cache.pl to bail out if it receives more than the
specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
This commit is contained in:
Eelco Dolstra 2015-02-17 13:16:58 +01:00
parent 8c8750ae66
commit f19b4abfb2
3 changed files with 5 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

7
perl/lib/Nix/Manifest.pm
View file

@ -377,7 +377,6 @@ EOF
}
# Delete all old manifests downloaded from a given URL.
sub deleteOldManifests {
my ($url, $curUrlFile) = @_;
@ -399,14 +398,14 @@ sub deleteOldManifests {
# signatures. It contains the store path, the SHA-256 hash of the
# contents of the path, and the references.
sub fingerprintPath {
my ($storePath, $narHash, $references) = @_;
my ($storePath, $narHash, $narSize, $references) = @_;
die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
die if substr($narHash, 0, 7) ne "sha256:";
die if length($narHash) != 59;
foreach my $ref (@{$references}) {
die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
}
return "1;" . $storePath . ";" . $narHash . ";" . join(",", @{$references});
return "1;" . $storePath . ";" . $narHash . ";" . $narSize . ";" . join(",", @{$references});
}
@ -464,7 +463,7 @@ sub parseNARInfo {
}
my $fingerprint = fingerprintPath(
$storePath, $narHash,
$storePath, $narHash, $narSize,
[ map { "$Nix::Config::storeDir/$_" } @refs ]);
if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {