From f19b4abfb2c238a98f749812c9ba294dd98d8bd0 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Tue, 17 Feb 2015 13:16:58 +0100
Subject: [PATCH] Include NAR size in fingerprint computation

This is not strictly needed for integrity (since we already include
the NAR hash in the fingerprint) but it helps against endless data
attacks [1]. (However, this will also require
download-from-binary-cache.pl to bail out if it receives more than the
specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
---
 Makefile                 | 2 +-
 perl/lib/Nix/Manifest.pm | 7 +++----
 scripts/nix-push.in      | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index 08e4012f9..d8d4a7cc5 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,7 @@ makefiles = \
 
 GLOBAL_CXXFLAGS += -std=c++0x -g -Wall
 
-include Makefile.config
+-include Makefile.config
 
 OPTIMIZE = 1
 
diff --git a/perl/lib/Nix/Manifest.pm b/perl/lib/Nix/Manifest.pm
index b82c82fb2..93c9c261d 100644
--- a/perl/lib/Nix/Manifest.pm
+++ b/perl/lib/Nix/Manifest.pm
@@ -377,7 +377,6 @@ EOF
 }
 
 
-
 # Delete all old manifests downloaded from a given URL.
 sub deleteOldManifests {
     my ($url, $curUrlFile) = @_;
@@ -399,14 +398,14 @@ sub deleteOldManifests {
 # signatures. It contains the store path, the SHA-256 hash of the
 # contents of the path, and the references.
 sub fingerprintPath {
-    my ($storePath, $narHash, $references) = @_;
+    my ($storePath, $narHash, $narSize, $references) = @_;
     die if substr($storePath, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
     die if substr($narHash, 0, 7) ne "sha256:";
     die if length($narHash) != 59;
     foreach my $ref (@{$references}) {
         die if substr($ref, 0, length($Nix::Config::storeDir)) ne $Nix::Config::storeDir;
     }
-    return "1;" . $storePath . ";" . $narHash . ";" . join(",", @{$references});
+    return "1;" . $storePath . ";" . $narHash . ";" . $narSize . ";" . join(",", @{$references});
 }
 
 
@@ -464,7 +463,7 @@ sub parseNARInfo {
         }
 
         my $fingerprint = fingerprintPath(
-            $storePath, $narHash,
+            $storePath, $narHash, $narSize,
             [ map { "$Nix::Config::storeDir/$_" } @refs ]);
 
         if (!checkSignature($publicKey, decode_base64($sig64), $fingerprint)) {
diff --git a/scripts/nix-push.in b/scripts/nix-push.in
index a060ea128..d5d3bc1e7 100755
--- a/scripts/nix-push.in
+++ b/scripts/nix-push.in
@@ -257,7 +257,7 @@ for (my $n = 0; $n < scalar @storePaths2; $n++) {
         chomp $s;
         my ($keyName, $secretKey) = split ":", $s;
         die "invalid secret key file ‘$secretKeyFile’\n" unless defined $keyName && defined $secretKey;
-        my $fingerprint = fingerprintPath($storePath, $narHash, $refs);
+        my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
         my $sig = encode_base64(signString(decode_base64($secretKey), $fingerprint), "");
         $info .= "Sig: $keyName:$sig\n";
     }