2003-06-16 17:59:23 +02:00
|
|
|
#include <iostream>
|
2008-05-21 13:17:31 +02:00
|
|
|
#include <cstring>
|
2003-06-16 17:59:23 +02:00
|
|
|
|
2023-02-01 13:34:32 +01:00
|
|
|
#include <openssl/crypto.h>
|
2006-02-13 20:52:43 +01:00
|
|
|
#include <openssl/md5.h>
|
|
|
|
|
#include <openssl/sha.h>
|
2003-06-15 15:41:32 +02:00
|
|
|
|
2020-06-02 17:52:13 +02:00
|
|
|
#include "args.hh"
|
2003-06-15 15:41:32 +02:00
|
|
|
#include "hash.hh"
|
2003-06-20 12:40:25 +02:00
|
|
|
#include "archive.hh"
|
2020-07-20 19:42:34 +02:00
|
|
|
#include "split.hh"
|
2003-06-15 15:41:32 +02:00
|
|
|
|
2005-01-13 18:39:26 +01:00
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
|
2024-01-03 21:02:20 +01:00
|
|
|
#include <sodium.h>
|
|
|
|
|
|
2006-09-04 23:06:23 +02:00
|
|
|
namespace nix {
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
static size_t regularHashSize(HashAlgorithm type) {
|
2020-06-19 20:41:33 +02:00
|
|
|
switch (type) {
|
2023-11-28 14:20:27 +01:00
|
|
|
case HashAlgorithm::MD5: return md5HashSize;
|
|
|
|
|
case HashAlgorithm::SHA1: return sha1HashSize;
|
|
|
|
|
case HashAlgorithm::SHA256: return sha256HashSize;
|
|
|
|
|
case HashAlgorithm::SHA512: return sha512HashSize;
|
2020-06-19 20:41:33 +02:00
|
|
|
}
|
|
|
|
|
abort();
|
|
|
|
|
}
|
2006-09-04 23:06:23 +02:00
|
|
|
|
2020-07-16 19:28:52 +02:00
|
|
|
|
2023-11-28 15:38:15 +01:00
|
|
|
const std::set<std::string> hashAlgorithms = {"md5", "sha1", "sha256", "sha512" };
|
2020-05-10 20:32:21 +02:00
|
|
|
|
2023-11-28 15:38:15 +01:00
|
|
|
const std::set<std::string> hashFormats = {"base64", "nix32", "base16", "sri" };
|
2020-05-10 20:32:21 +02:00
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash::Hash(HashAlgorithm algo) : algo(algo)
|
2005-01-14 17:04:03 +01:00
|
|
|
{
|
2023-11-28 14:20:27 +01:00
|
|
|
hashSize = regularHashSize(algo);
|
2005-01-14 14:51:38 +01:00
|
|
|
assert(hashSize <= maxHashSize);
|
2005-01-14 17:04:03 +01:00
|
|
|
memset(hash, 0, maxHashSize);
|
2003-06-15 15:41:32 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-07-16 00:28:27 +02:00
|
|
|
bool Hash::operator == (const Hash & h2) const
|
2003-06-15 15:41:32 +02:00
|
|
|
{
|
2005-01-13 16:44:44 +01:00
|
|
|
if (hashSize != h2.hashSize) return false;
|
2003-06-15 15:41:32 +02:00
|
|
|
for (unsigned int i = 0; i < hashSize; i++)
|
|
|
|
|
if (hash[i] != h2.hash[i]) return false;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-07-16 00:28:27 +02:00
|
|
|
bool Hash::operator != (const Hash & h2) const
|
2003-06-15 15:41:32 +02:00
|
|
|
{
|
|
|
|
|
return !(*this == h2);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-07-15 23:24:05 +02:00
|
|
|
bool Hash::operator < (const Hash & h) const
|
|
|
|
|
{
|
2017-06-24 02:17:45 +02:00
|
|
|
if (hashSize < h.hashSize) return true;
|
|
|
|
|
if (hashSize > h.hashSize) return false;
|
2003-07-15 23:24:05 +02:00
|
|
|
for (unsigned int i = 0; i < hashSize; i++) {
|
|
|
|
|
if (hash[i] < h.hash[i]) return true;
|
|
|
|
|
if (hash[i] > h.hash[i]) return false;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2022-02-25 16:00:00 +01:00
|
|
|
const std::string base16Chars = "0123456789abcdef";
|
2006-03-09 18:07:25 +01:00
|
|
|
|
|
|
|
|
|
2022-02-25 16:00:00 +01:00
|
|
|
static std::string printHash16(const Hash & hash)
|
2003-06-15 15:41:32 +02:00
|
|
|
{
|
2023-03-29 11:54:27 +02:00
|
|
|
std::string buf;
|
|
|
|
|
buf.reserve(hash.hashSize * 2);
|
2005-01-14 17:04:03 +01:00
|
|
|
for (unsigned int i = 0; i < hash.hashSize; i++) {
|
2023-03-29 11:54:27 +02:00
|
|
|
buf.push_back(base16Chars[hash.hash[i] >> 4]);
|
|
|
|
|
buf.push_back(base16Chars[hash.hash[i] & 0x0f]);
|
2003-06-15 15:41:32 +02:00
|
|
|
}
|
2023-03-29 11:54:27 +02:00
|
|
|
return buf;
|
2003-06-15 15:41:32 +02:00
|
|
|
}
|
|
|
|
|
|
2015-02-03 18:35:11 +01:00
|
|
|
|
2005-01-14 17:04:03 +01:00
|
|
|
// omitted: E O U T
|
2023-11-28 15:38:15 +01:00
|
|
|
const std::string nix32Chars = "0123456789abcdfghijklmnpqrsvwxyz";
|
2005-01-14 17:04:03 +01:00
|
|
|
|
|
|
|
|
|
2022-02-25 16:00:00 +01:00
|
|
|
static std::string printHash32(const Hash & hash)
|
2005-01-14 17:04:03 +01:00
|
|
|
{
|
2016-07-21 18:39:32 +02:00
|
|
|
assert(hash.hashSize);
|
2016-01-27 17:18:20 +01:00
|
|
|
size_t len = hash.base32Len();
|
2016-04-20 14:12:38 +02:00
|
|
|
assert(len);
|
2005-11-16 09:27:06 +01:00
|
|
|
|
2022-02-25 16:00:00 +01:00
|
|
|
std::string s;
|
2015-02-03 18:35:11 +01:00
|
|
|
s.reserve(len);
|
|
|
|
|
|
2018-05-02 13:56:34 +02:00
|
|
|
for (int n = (int) len - 1; n >= 0; n--) {
|
2015-02-03 18:35:11 +01:00
|
|
|
unsigned int b = n * 5;
|
|
|
|
|
unsigned int i = b / 8;
|
|
|
|
|
unsigned int j = b % 8;
|
|
|
|
|
unsigned char c =
|
|
|
|
|
(hash.hash[i] >> j)
|
|
|
|
|
| (i >= hash.hashSize - 1 ? 0 : hash.hash[i + 1] << (8 - j));
|
2023-11-28 15:38:15 +01:00
|
|
|
s.push_back(nix32Chars[c & 0x1f]);
|
2005-01-14 17:04:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return s;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2022-02-25 16:00:00 +01:00
|
|
|
std::string printHash16or32(const Hash & hash)
|
2012-10-23 18:05:50 +02:00
|
|
|
{
|
2023-11-28 14:20:27 +01:00
|
|
|
assert(static_cast<char>(hash.algo));
|
2023-11-28 15:38:15 +01:00
|
|
|
return hash.to_string(hash.algo == HashAlgorithm::MD5 ? HashFormat::Base16 : HashFormat::Nix32, false);
|
2012-10-23 18:05:50 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
std::string Hash::to_string(HashFormat hashFormat, bool includeAlgo) const
|
* Removed the `id' attribute hack.
* Formalise the notion of fixed-output derivations, i.e., derivations
for which a cryptographic hash of the output is known in advance.
Changes to such derivations should not propagate upwards through the
dependency graph. Previously this was done by specifying the hash
component of the output path through the `id' attribute, but this is
insecure since you can lie about it (i.e., you can specify any hash
and then produce a completely different output). Now the
responsibility for checking the output is moved from the builder to
Nix itself.
A fixed-output derivation can be created by specifying the
`outputHash' and `outputHashAlgo' attributes, the latter taking
values `md5', `sha1', and `sha256', and the former specifying the
actual hash in hexadecimal or in base-32 (auto-detected by looking
at the length of the attribute value). MD5 is included for
compatibility but should be considered deprecated.
* Removed the `drvPath' pseudo-attribute in derivation results. It's
no longer necessary.
* Cleaned up the support for multiple output paths in derivation store
expressions. Each output now has a unique identifier (e.g., `out',
`devel', `docs'). Previously there was no way to tell output paths
apart at the store expression level.
* `nix-hash' now has a flag `--base32' to specify that the hash should
be printed in base-32 notation.
* `fetchurl' accepts parameters `sha256' and `sha1' in addition to
`md5'.
* `nix-prefetch-url' now prints out a SHA-1 hash in base-32. (TODO: a
flag to specify the hash.)
2005-01-17 17:55:19 +01:00
|
|
|
{
|
2017-07-04 14:47:59 +02:00
|
|
|
std::string s;
|
2023-11-28 14:20:27 +01:00
|
|
|
if (hashFormat == HashFormat::SRI || includeAlgo) {
|
|
|
|
|
s += printHashAlgo(algo);
|
2023-10-13 03:48:15 +02:00
|
|
|
s += hashFormat == HashFormat::SRI ? '-' : ':';
|
* Removed the `id' attribute hack.
* Formalise the notion of fixed-output derivations, i.e., derivations
for which a cryptographic hash of the output is known in advance.
Changes to such derivations should not propagate upwards through the
dependency graph. Previously this was done by specifying the hash
component of the output path through the `id' attribute, but this is
insecure since you can lie about it (i.e., you can specify any hash
and then produce a completely different output). Now the
responsibility for checking the output is moved from the builder to
Nix itself.
A fixed-output derivation can be created by specifying the
`outputHash' and `outputHashAlgo' attributes, the latter taking
values `md5', `sha1', and `sha256', and the former specifying the
actual hash in hexadecimal or in base-32 (auto-detected by looking
at the length of the attribute value). MD5 is included for
compatibility but should be considered deprecated.
* Removed the `drvPath' pseudo-attribute in derivation results. It's
no longer necessary.
* Cleaned up the support for multiple output paths in derivation store
expressions. Each output now has a unique identifier (e.g., `out',
`devel', `docs'). Previously there was no way to tell output paths
apart at the store expression level.
* `nix-hash' now has a flag `--base32' to specify that the hash should
be printed in base-32 notation.
* `fetchurl' accepts parameters `sha256' and `sha1' in addition to
`md5'.
* `nix-prefetch-url' now prints out a SHA-1 hash in base-32. (TODO: a
flag to specify the hash.)
2005-01-17 17:55:19 +01:00
|
|
|
}
|
2023-10-10 12:53:01 +02:00
|
|
|
switch (hashFormat) {
|
2023-10-13 03:48:15 +02:00
|
|
|
case HashFormat::Base16:
|
2017-07-04 14:47:59 +02:00
|
|
|
s += printHash16(*this);
|
|
|
|
|
break;
|
2023-11-28 15:38:15 +01:00
|
|
|
case HashFormat::Nix32:
|
2017-07-04 14:47:59 +02:00
|
|
|
s += printHash32(*this);
|
|
|
|
|
break;
|
2023-10-13 03:48:15 +02:00
|
|
|
case HashFormat::Base64:
|
|
|
|
|
case HashFormat::SRI:
|
2023-03-28 18:20:33 +02:00
|
|
|
s += base64Encode(std::string_view((const char *) hash, hashSize));
|
2017-07-04 14:47:59 +02:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
return s;
|
* Removed the `id' attribute hack.
* Formalise the notion of fixed-output derivations, i.e., derivations
for which a cryptographic hash of the output is known in advance.
Changes to such derivations should not propagate upwards through the
dependency graph. Previously this was done by specifying the hash
component of the output path through the `id' attribute, but this is
insecure since you can lie about it (i.e., you can specify any hash
and then produce a completely different output). Now the
responsibility for checking the output is moved from the builder to
Nix itself.
A fixed-output derivation can be created by specifying the
`outputHash' and `outputHashAlgo' attributes, the latter taking
values `md5', `sha1', and `sha256', and the former specifying the
actual hash in hexadecimal or in base-32 (auto-detected by looking
at the length of the attribute value). MD5 is included for
compatibility but should be considered deprecated.
* Removed the `drvPath' pseudo-attribute in derivation results. It's
no longer necessary.
* Cleaned up the support for multiple output paths in derivation store
expressions. Each output now has a unique identifier (e.g., `out',
`devel', `docs'). Previously there was no way to tell output paths
apart at the store expression level.
* `nix-hash' now has a flag `--base32' to specify that the hash should
be printed in base-32 notation.
* `fetchurl' accepts parameters `sha256' and `sha1' in addition to
`md5'.
* `nix-prefetch-url' now prints out a SHA-1 hash in base-32. (TODO: a
flag to specify the hash.)
2005-01-17 17:55:19 +01:00
|
|
|
}
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash Hash::dummy(HashAlgorithm::SHA256);
|
2020-08-05 21:11:49 +02:00
|
|
|
|
2020-07-02 17:11:18 +02:00
|
|
|
Hash Hash::parseSRI(std::string_view original) {
|
2020-07-01 23:32:06 +02:00
|
|
|
auto rest = original;
|
|
|
|
|
|
|
|
|
|
// Parse the has type before the separater, if there was one.
|
2020-07-03 01:16:57 +02:00
|
|
|
auto hashRaw = splitPrefixTo(rest, '-');
|
2020-07-01 23:32:06 +02:00
|
|
|
if (!hashRaw)
|
|
|
|
|
throw BadHash("hash '%s' is not SRI", original);
|
2023-11-28 14:20:27 +01:00
|
|
|
HashAlgorithm parsedType = parseHashAlgo(*hashRaw);
|
* Removed the `id' attribute hack.
* Formalise the notion of fixed-output derivations, i.e., derivations
for which a cryptographic hash of the output is known in advance.
Changes to such derivations should not propagate upwards through the
dependency graph. Previously this was done by specifying the hash
component of the output path through the `id' attribute, but this is
insecure since you can lie about it (i.e., you can specify any hash
and then produce a completely different output). Now the
responsibility for checking the output is moved from the builder to
Nix itself.
A fixed-output derivation can be created by specifying the
`outputHash' and `outputHashAlgo' attributes, the latter taking
values `md5', `sha1', and `sha256', and the former specifying the
actual hash in hexadecimal or in base-32 (auto-detected by looking
at the length of the attribute value). MD5 is included for
compatibility but should be considered deprecated.
* Removed the `drvPath' pseudo-attribute in derivation results. It's
no longer necessary.
* Cleaned up the support for multiple output paths in derivation store
expressions. Each output now has a unique identifier (e.g., `out',
`devel', `docs'). Previously there was no way to tell output paths
apart at the store expression level.
* `nix-hash' now has a flag `--base32' to specify that the hash should
be printed in base-32 notation.
* `fetchurl' accepts parameters `sha256' and `sha1' in addition to
`md5'.
* `nix-prefetch-url' now prints out a SHA-1 hash in base-32. (TODO: a
flag to specify the hash.)
2005-01-17 17:55:19 +01:00
|
|
|
|
2020-07-02 17:09:04 +02:00
|
|
|
return Hash(rest, parsedType, true);
|
2020-06-30 20:10:30 +02:00
|
|
|
}
|
|
|
|
|
|
2020-07-03 01:10:11 +02:00
|
|
|
// Mutates the string to eliminate the prefixes when found
|
2023-11-28 14:20:27 +01:00
|
|
|
static std::pair<std::optional<HashAlgorithm>, bool> getParsedTypeAndSRI(std::string_view & rest)
|
2022-02-25 16:00:00 +01:00
|
|
|
{
|
2020-07-03 01:10:11 +02:00
|
|
|
bool isSRI = false;
|
|
|
|
|
|
2022-04-06 19:28:12 +02:00
|
|
|
// Parse the hash type before the separator, if there was one.
|
2023-11-28 14:20:27 +01:00
|
|
|
std::optional<HashAlgorithm> optParsedType;
|
2020-07-03 01:10:11 +02:00
|
|
|
{
|
2020-07-03 01:16:57 +02:00
|
|
|
auto hashRaw = splitPrefixTo(rest, ':');
|
2020-07-03 01:10:11 +02:00
|
|
|
|
|
|
|
|
if (!hashRaw) {
|
2020-07-03 01:16:57 +02:00
|
|
|
hashRaw = splitPrefixTo(rest, '-');
|
2020-07-03 01:10:11 +02:00
|
|
|
if (hashRaw)
|
|
|
|
|
isSRI = true;
|
|
|
|
|
}
|
|
|
|
|
if (hashRaw)
|
2023-11-28 14:20:27 +01:00
|
|
|
optParsedType = parseHashAlgo(*hashRaw);
|
2020-07-03 01:10:11 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return {optParsedType, isSRI};
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-02 17:21:00 +02:00
|
|
|
Hash Hash::parseAnyPrefixed(std::string_view original)
|
2020-07-02 00:34:18 +02:00
|
|
|
{
|
2020-07-02 17:21:00 +02:00
|
|
|
auto rest = original;
|
2020-07-02 17:29:33 +02:00
|
|
|
auto [optParsedType, isSRI] = getParsedTypeAndSRI(rest);
|
2020-07-02 17:21:00 +02:00
|
|
|
|
|
|
|
|
// Either the string or user must provide the type, if they both do they
|
|
|
|
|
// must agree.
|
|
|
|
|
if (!optParsedType)
|
2020-07-20 19:43:19 +02:00
|
|
|
throw BadHash("hash '%s' does not include a type", rest);
|
2020-07-02 17:21:00 +02:00
|
|
|
|
|
|
|
|
return Hash(rest, *optParsedType, isSRI);
|
2020-07-02 00:34:18 +02:00
|
|
|
}
|
2020-06-30 20:10:30 +02:00
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash Hash::parseAny(std::string_view original, std::optional<HashAlgorithm> optAlgo)
|
2011-12-02 12:47:06 +01:00
|
|
|
{
|
2020-07-02 16:58:29 +02:00
|
|
|
auto rest = original;
|
2020-07-02 17:29:33 +02:00
|
|
|
auto [optParsedType, isSRI] = getParsedTypeAndSRI(rest);
|
2011-12-02 12:47:06 +01:00
|
|
|
|
2020-06-19 20:41:33 +02:00
|
|
|
// Either the string or user must provide the type, if they both do they
|
|
|
|
|
// must agree.
|
2023-11-28 14:20:27 +01:00
|
|
|
if (!optParsedType && !optAlgo)
|
2020-10-28 20:45:57 +01:00
|
|
|
throw BadHash("hash '%s' does not include a type, nor is the type otherwise known from context", rest);
|
2023-11-28 14:20:27 +01:00
|
|
|
else if (optParsedType && optAlgo && *optParsedType != *optAlgo)
|
|
|
|
|
throw BadHash("hash '%s' should have type '%s'", original, printHashAlgo(*optAlgo));
|
2020-06-19 20:41:33 +02:00
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
HashAlgorithm hashAlgo = optParsedType ? *optParsedType : *optAlgo;
|
|
|
|
|
return Hash(rest, hashAlgo, isSRI);
|
2020-07-02 00:34:18 +02:00
|
|
|
}
|
2020-07-01 23:32:06 +02:00
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash Hash::parseNonSRIUnprefixed(std::string_view s, HashAlgorithm algo)
|
2020-07-02 17:34:40 +02:00
|
|
|
{
|
2023-11-28 14:20:27 +01:00
|
|
|
return Hash(s, algo, false);
|
2020-07-02 17:34:40 +02:00
|
|
|
}
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash::Hash(std::string_view rest, HashAlgorithm algo, bool isSRI)
|
|
|
|
|
: Hash(algo)
|
2020-07-01 23:32:06 +02:00
|
|
|
{
|
2020-07-01 23:50:34 +02:00
|
|
|
if (!isSRI && rest.size() == base16Len()) {
|
2017-07-04 14:47:59 +02:00
|
|
|
|
|
|
|
|
auto parseHexDigit = [&](char c) {
|
|
|
|
|
if (c >= '0' && c <= '9') return c - '0';
|
|
|
|
|
if (c >= 'A' && c <= 'F') return c - 'A' + 10;
|
|
|
|
|
if (c >= 'a' && c <= 'f') return c - 'a' + 10;
|
2020-07-01 23:50:34 +02:00
|
|
|
throw BadHash("invalid base-16 hash '%s'", rest);
|
2017-07-04 14:47:59 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
for (unsigned int i = 0; i < hashSize; i++) {
|
|
|
|
|
hash[i] =
|
2020-07-01 23:50:34 +02:00
|
|
|
parseHexDigit(rest[i * 2]) << 4
|
|
|
|
|
| parseHexDigit(rest[i * 2 + 1]);
|
2017-07-04 14:47:59 +02:00
|
|
|
}
|
2003-06-15 15:41:32 +02:00
|
|
|
}
|
2017-07-04 14:47:59 +02:00
|
|
|
|
2020-07-01 23:50:34 +02:00
|
|
|
else if (!isSRI && rest.size() == base32Len()) {
|
2017-07-04 14:47:59 +02:00
|
|
|
|
2020-07-01 23:50:34 +02:00
|
|
|
for (unsigned int n = 0; n < rest.size(); ++n) {
|
|
|
|
|
char c = rest[rest.size() - n - 1];
|
2017-07-04 14:47:59 +02:00
|
|
|
unsigned char digit;
|
2023-11-28 15:38:15 +01:00
|
|
|
for (digit = 0; digit < nix32Chars.size(); ++digit) /* !!! slow */
|
|
|
|
|
if (nix32Chars[digit] == c) break;
|
2017-07-04 14:47:59 +02:00
|
|
|
if (digit >= 32)
|
2020-07-01 23:50:34 +02:00
|
|
|
throw BadHash("invalid base-32 hash '%s'", rest);
|
2017-07-04 14:47:59 +02:00
|
|
|
unsigned int b = n * 5;
|
|
|
|
|
unsigned int i = b / 8;
|
|
|
|
|
unsigned int j = b % 8;
|
|
|
|
|
hash[i] |= digit << j;
|
|
|
|
|
|
|
|
|
|
if (i < hashSize - 1) {
|
|
|
|
|
hash[i + 1] |= digit >> (8 - j);
|
|
|
|
|
} else {
|
|
|
|
|
if (digit >> (8 - j))
|
2020-07-01 23:50:34 +02:00
|
|
|
throw BadHash("invalid base-32 hash '%s'", rest);
|
2017-07-04 14:47:59 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-01 23:50:34 +02:00
|
|
|
else if (isSRI || rest.size() == base64Len()) {
|
|
|
|
|
auto d = base64Decode(rest);
|
2018-02-19 17:44:30 +01:00
|
|
|
if (d.size() != hashSize)
|
2020-07-01 23:50:34 +02:00
|
|
|
throw BadHash("invalid %s hash '%s'", isSRI ? "SRI" : "base-64", rest);
|
2018-03-15 04:53:43 +01:00
|
|
|
assert(hashSize);
|
2017-07-04 14:47:59 +02:00
|
|
|
memcpy(hash, d.data(), hashSize);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
else
|
2023-11-28 14:20:27 +01:00
|
|
|
throw BadHash("hash '%s' has wrong length for hash algorithm '%s'", rest, printHashAlgo(this->algo));
|
2003-06-15 15:41:32 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-03 21:02:20 +01:00
|
|
|
Hash Hash::random(HashAlgorithm algo)
|
|
|
|
|
{
|
|
|
|
|
Hash hash(algo);
|
|
|
|
|
randombytes_buf(hash.hash, hash.hashSize);
|
|
|
|
|
return hash;
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash newHashAllowEmpty(std::string_view hashStr, std::optional<HashAlgorithm> ha)
|
2020-06-12 17:09:42 +02:00
|
|
|
{
|
2020-06-12 19:00:48 +02:00
|
|
|
if (hashStr.empty()) {
|
2023-11-28 14:20:27 +01:00
|
|
|
if (!ha)
|
2020-06-18 23:58:27 +02:00
|
|
|
throw BadHash("empty hash requires explicit hash type");
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash h(*ha);
|
2023-10-13 03:48:15 +02:00
|
|
|
warn("found empty hash, assuming '%s'", h.to_string(HashFormat::SRI, true));
|
2020-06-12 19:00:48 +02:00
|
|
|
return h;
|
2020-06-12 17:09:42 +02:00
|
|
|
} else
|
2023-11-28 14:20:27 +01:00
|
|
|
return Hash::parseAny(hashStr, ha);
|
2020-06-12 17:09:42 +02:00
|
|
|
}
|
|
|
|
|
|
2003-06-15 15:41:32 +02:00
|
|
|
|
2006-02-13 19:00:08 +01:00
|
|
|
union Ctx
|
2003-06-16 15:33:38 +02:00
|
|
|
{
|
2006-02-13 20:52:43 +01:00
|
|
|
MD5_CTX md5;
|
|
|
|
|
SHA_CTX sha1;
|
2005-01-14 13:03:04 +01:00
|
|
|
SHA256_CTX sha256;
|
2015-11-04 16:31:06 +01:00
|
|
|
SHA512_CTX sha512;
|
2005-01-13 18:39:26 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
static void start(HashAlgorithm ha, Ctx & ctx)
|
2005-01-13 18:39:26 +01:00
|
|
|
{
|
2023-11-28 14:20:27 +01:00
|
|
|
if (ha == HashAlgorithm::MD5) MD5_Init(&ctx.md5);
|
|
|
|
|
else if (ha == HashAlgorithm::SHA1) SHA1_Init(&ctx.sha1);
|
|
|
|
|
else if (ha == HashAlgorithm::SHA256) SHA256_Init(&ctx.sha256);
|
|
|
|
|
else if (ha == HashAlgorithm::SHA512) SHA512_Init(&ctx.sha512);
|
2005-01-13 18:39:26 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
static void update(HashAlgorithm ha, Ctx & ctx,
|
|
|
|
|
std::string_view data)
|
2005-01-13 18:39:26 +01:00
|
|
|
{
|
2023-11-28 14:20:27 +01:00
|
|
|
if (ha == HashAlgorithm::MD5) MD5_Update(&ctx.md5, data.data(), data.size());
|
|
|
|
|
else if (ha == HashAlgorithm::SHA1) SHA1_Update(&ctx.sha1, data.data(), data.size());
|
|
|
|
|
else if (ha == HashAlgorithm::SHA256) SHA256_Update(&ctx.sha256, data.data(), data.size());
|
|
|
|
|
else if (ha == HashAlgorithm::SHA512) SHA512_Update(&ctx.sha512, data.data(), data.size());
|
2005-01-13 18:39:26 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
static void finish(HashAlgorithm ha, Ctx & ctx, unsigned char * hash)
|
2005-01-13 18:39:26 +01:00
|
|
|
{
|
2023-11-28 14:20:27 +01:00
|
|
|
if (ha == HashAlgorithm::MD5) MD5_Final(hash, &ctx.md5);
|
|
|
|
|
else if (ha == HashAlgorithm::SHA1) SHA1_Final(hash, &ctx.sha1);
|
|
|
|
|
else if (ha == HashAlgorithm::SHA256) SHA256_Final(hash, &ctx.sha256);
|
|
|
|
|
else if (ha == HashAlgorithm::SHA512) SHA512_Final(hash, &ctx.sha512);
|
2005-01-13 18:39:26 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash hashString(HashAlgorithm ha, std::string_view s)
|
2005-01-13 18:39:26 +01:00
|
|
|
{
|
|
|
|
|
Ctx ctx;
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash hash(ha);
|
|
|
|
|
start(ha, ctx);
|
|
|
|
|
update(ha, ctx, s);
|
|
|
|
|
finish(ha, ctx, hash.hash);
|
2003-06-16 15:33:38 +02:00
|
|
|
return hash;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash hashFile(HashAlgorithm ha, const Path & path)
|
2003-06-15 15:41:32 +02:00
|
|
|
{
|
2023-11-28 14:20:27 +01:00
|
|
|
HashSink sink(ha);
|
2018-03-30 00:56:13 +02:00
|
|
|
readFile(path, sink);
|
|
|
|
|
return sink.finish().first;
|
2003-06-15 15:41:32 +02:00
|
|
|
}
|
2003-06-16 17:59:23 +02:00
|
|
|
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
HashSink::HashSink(HashAlgorithm ha) : ha(ha)
|
2003-06-16 17:59:23 +02:00
|
|
|
{
|
2007-02-21 15:31:42 +01:00
|
|
|
ctx = new Ctx;
|
2010-11-16 18:11:46 +01:00
|
|
|
bytes = 0;
|
2023-11-28 14:20:27 +01:00
|
|
|
start(ha, *ctx);
|
2007-02-21 15:31:42 +01:00
|
|
|
}
|
2015-02-03 18:35:11 +01:00
|
|
|
|
2007-02-21 15:31:42 +01:00
|
|
|
HashSink::~HashSink()
|
|
|
|
|
{
|
2011-12-15 17:19:53 +01:00
|
|
|
bufPos = 0;
|
2007-02-21 15:31:42 +01:00
|
|
|
delete ctx;
|
|
|
|
|
}
|
2003-06-16 17:59:23 +02:00
|
|
|
|
2023-04-07 09:16:40 +02:00
|
|
|
void HashSink::writeUnbuffered(std::string_view data)
|
2007-02-21 15:31:42 +01:00
|
|
|
{
|
2020-12-02 14:00:43 +01:00
|
|
|
bytes += data.size();
|
2023-11-28 14:20:27 +01:00
|
|
|
update(ha, *ctx, data);
|
2007-02-21 15:31:42 +01:00
|
|
|
}
|
2003-06-16 17:59:23 +02:00
|
|
|
|
2010-11-16 18:11:46 +01:00
|
|
|
HashResult HashSink::finish()
|
2003-06-16 17:59:23 +02:00
|
|
|
{
|
2011-12-15 17:19:53 +01:00
|
|
|
flush();
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash hash(ha);
|
|
|
|
|
nix::finish(ha, *ctx, hash.hash);
|
2010-11-16 18:11:46 +01:00
|
|
|
return HashResult(hash, bytes);
|
2003-06-16 17:59:23 +02:00
|
|
|
}
|
2005-01-14 17:04:03 +01:00
|
|
|
|
2011-12-15 17:19:53 +01:00
|
|
|
HashResult HashSink::currentHash()
|
|
|
|
|
{
|
|
|
|
|
flush();
|
|
|
|
|
Ctx ctx2 = *ctx;
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash hash(ha);
|
|
|
|
|
nix::finish(ha, ctx2, hash.hash);
|
2011-12-15 17:19:53 +01:00
|
|
|
return HashResult(hash, bytes);
|
|
|
|
|
}
|
|
|
|
|
|
2005-01-14 17:04:03 +01:00
|
|
|
|
|
|
|
|
Hash compressHash(const Hash & hash, unsigned int newSize)
|
|
|
|
|
{
|
2023-11-28 14:20:27 +01:00
|
|
|
Hash h(hash.algo);
|
2005-01-14 17:04:03 +01:00
|
|
|
h.hashSize = newSize;
|
|
|
|
|
for (unsigned int i = 0; i < hash.hashSize; ++i)
|
|
|
|
|
h.hash[i % newSize] ^= hash.hash[i];
|
|
|
|
|
return h;
|
|
|
|
|
}
|
* Removed the `id' attribute hack.
* Formalise the notion of fixed-output derivations, i.e., derivations
for which a cryptographic hash of the output is known in advance.
Changes to such derivations should not propagate upwards through the
dependency graph. Previously this was done by specifying the hash
component of the output path through the `id' attribute, but this is
insecure since you can lie about it (i.e., you can specify any hash
and then produce a completely different output). Now the
responsibility for checking the output is moved from the builder to
Nix itself.
A fixed-output derivation can be created by specifying the
`outputHash' and `outputHashAlgo' attributes, the latter taking
values `md5', `sha1', and `sha256', and the former specifying the
actual hash in hexadecimal or in base-32 (auto-detected by looking
at the length of the attribute value). MD5 is included for
compatibility but should be considered deprecated.
* Removed the `drvPath' pseudo-attribute in derivation results. It's
no longer necessary.
* Cleaned up the support for multiple output paths in derivation store
expressions. Each output now has a unique identifier (e.g., `out',
`devel', `docs'). Previously there was no way to tell output paths
apart at the store expression level.
* `nix-hash' now has a flag `--base32' to specify that the hash should
be printed in base-32 notation.
* `fetchurl' accepts parameters `sha256' and `sha1' in addition to
`md5'.
* `nix-prefetch-url' now prints out a SHA-1 hash in base-32. (TODO: a
flag to specify the hash.)
2005-01-17 17:55:19 +01:00
|
|
|
|
|
|
|
|
|
2023-10-09 05:03:16 +02:00
|
|
|
std::optional<HashFormat> parseHashFormatOpt(std::string_view hashFormatName)
|
|
|
|
|
{
|
|
|
|
|
if (hashFormatName == "base16") return HashFormat::Base16;
|
2023-11-28 15:38:15 +01:00
|
|
|
if (hashFormatName == "nix32") return HashFormat::Nix32;
|
|
|
|
|
if (hashFormatName == "base32") {
|
|
|
|
|
warn(R"("base32" is a deprecated alias for hash format "nix32".)");
|
|
|
|
|
return HashFormat::Nix32;
|
|
|
|
|
}
|
2023-10-09 05:03:16 +02:00
|
|
|
if (hashFormatName == "base64") return HashFormat::Base64;
|
|
|
|
|
if (hashFormatName == "sri") return HashFormat::SRI;
|
|
|
|
|
return std::nullopt;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
HashFormat parseHashFormat(std::string_view hashFormatName)
|
|
|
|
|
{
|
|
|
|
|
auto opt_f = parseHashFormatOpt(hashFormatName);
|
|
|
|
|
if (opt_f)
|
|
|
|
|
return *opt_f;
|
|
|
|
|
throw UsageError("unknown hash format '%1%', expect 'base16', 'base32', 'base64', or 'sri'", hashFormatName);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
std::string_view printHashFormat(HashFormat HashFormat)
|
|
|
|
|
{
|
|
|
|
|
switch (HashFormat) {
|
|
|
|
|
case HashFormat::Base64:
|
|
|
|
|
return "base64";
|
2023-11-28 15:38:15 +01:00
|
|
|
case HashFormat::Nix32:
|
|
|
|
|
return "nix32";
|
2023-10-09 05:03:16 +02:00
|
|
|
case HashFormat::Base16:
|
|
|
|
|
return "base16";
|
|
|
|
|
case HashFormat::SRI:
|
|
|
|
|
return "sri";
|
|
|
|
|
default:
|
|
|
|
|
// illegal hash base enum value internally, as opposed to external input
|
|
|
|
|
// which should be validated with nice error message.
|
|
|
|
|
assert(false);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
std::optional<HashAlgorithm> parseHashAlgoOpt(std::string_view s)
|
* Removed the `id' attribute hack.
* Formalise the notion of fixed-output derivations, i.e., derivations
for which a cryptographic hash of the output is known in advance.
Changes to such derivations should not propagate upwards through the
dependency graph. Previously this was done by specifying the hash
component of the output path through the `id' attribute, but this is
insecure since you can lie about it (i.e., you can specify any hash
and then produce a completely different output). Now the
responsibility for checking the output is moved from the builder to
Nix itself.
A fixed-output derivation can be created by specifying the
`outputHash' and `outputHashAlgo' attributes, the latter taking
values `md5', `sha1', and `sha256', and the former specifying the
actual hash in hexadecimal or in base-32 (auto-detected by looking
at the length of the attribute value). MD5 is included for
compatibility but should be considered deprecated.
* Removed the `drvPath' pseudo-attribute in derivation results. It's
no longer necessary.
* Cleaned up the support for multiple output paths in derivation store
expressions. Each output now has a unique identifier (e.g., `out',
`devel', `docs'). Previously there was no way to tell output paths
apart at the store expression level.
* `nix-hash' now has a flag `--base32' to specify that the hash should
be printed in base-32 notation.
* `fetchurl' accepts parameters `sha256' and `sha1' in addition to
`md5'.
* `nix-prefetch-url' now prints out a SHA-1 hash in base-32. (TODO: a
flag to specify the hash.)
2005-01-17 17:55:19 +01:00
|
|
|
{
|
2023-11-28 14:20:27 +01:00
|
|
|
if (s == "md5") return HashAlgorithm::MD5;
|
|
|
|
|
if (s == "sha1") return HashAlgorithm::SHA1;
|
|
|
|
|
if (s == "sha256") return HashAlgorithm::SHA256;
|
|
|
|
|
if (s == "sha512") return HashAlgorithm::SHA512;
|
2023-10-09 04:53:47 +02:00
|
|
|
return std::nullopt;
|
* Removed the `id' attribute hack.
* Formalise the notion of fixed-output derivations, i.e., derivations
for which a cryptographic hash of the output is known in advance.
Changes to such derivations should not propagate upwards through the
dependency graph. Previously this was done by specifying the hash
component of the output path through the `id' attribute, but this is
insecure since you can lie about it (i.e., you can specify any hash
and then produce a completely different output). Now the
responsibility for checking the output is moved from the builder to
Nix itself.
A fixed-output derivation can be created by specifying the
`outputHash' and `outputHashAlgo' attributes, the latter taking
values `md5', `sha1', and `sha256', and the former specifying the
actual hash in hexadecimal or in base-32 (auto-detected by looking
at the length of the attribute value). MD5 is included for
compatibility but should be considered deprecated.
* Removed the `drvPath' pseudo-attribute in derivation results. It's
no longer necessary.
* Cleaned up the support for multiple output paths in derivation store
expressions. Each output now has a unique identifier (e.g., `out',
`devel', `docs'). Previously there was no way to tell output paths
apart at the store expression level.
* `nix-hash' now has a flag `--base32' to specify that the hash should
be printed in base-32 notation.
* `fetchurl' accepts parameters `sha256' and `sha1' in addition to
`md5'.
* `nix-prefetch-url' now prints out a SHA-1 hash in base-32. (TODO: a
flag to specify the hash.)
2005-01-17 17:55:19 +01:00
|
|
|
}
|
2006-09-04 23:06:23 +02:00
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
HashAlgorithm parseHashAlgo(std::string_view s)
|
2020-06-02 17:52:13 +02:00
|
|
|
{
|
2023-11-28 14:20:27 +01:00
|
|
|
auto opt_h = parseHashAlgoOpt(s);
|
2020-06-02 17:52:13 +02:00
|
|
|
if (opt_h)
|
|
|
|
|
return *opt_h;
|
|
|
|
|
else
|
2023-10-09 05:00:14 +02:00
|
|
|
throw UsageError("unknown hash algorithm '%1%', expect 'md5', 'sha1', 'sha256', or 'sha512'", s);
|
2020-06-02 17:52:13 +02:00
|
|
|
}
|
2015-02-03 18:35:11 +01:00
|
|
|
|
2023-11-28 14:20:27 +01:00
|
|
|
std::string_view printHashAlgo(HashAlgorithm ha)
|
2008-12-03 17:10:17 +01:00
|
|
|
{
|
2023-11-28 14:20:27 +01:00
|
|
|
switch (ha) {
|
|
|
|
|
case HashAlgorithm::MD5: return "md5";
|
|
|
|
|
case HashAlgorithm::SHA1: return "sha1";
|
|
|
|
|
case HashAlgorithm::SHA256: return "sha256";
|
|
|
|
|
case HashAlgorithm::SHA512: return "sha512";
|
2020-06-25 15:50:30 +02:00
|
|
|
default:
|
|
|
|
|
// illegal hash type enum value internally, as opposed to external input
|
|
|
|
|
// which should be validated with nice error message.
|
2020-07-02 18:24:11 +02:00
|
|
|
assert(false);
|
2020-06-02 17:52:13 +02:00
|
|
|
}
|
2008-12-03 17:10:17 +01:00
|
|
|
}
|
|
|
|
|
|
2006-09-04 23:06:23 +02:00
|
|
|
}
|