From f435f8247553656774dd1b2c88e9de5d59cab203 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 3 May 2016 15:11:14 +0200 Subject: [PATCH] Remove OpenSSL-based signing --- configure.ac | 4 -- perl/lib/Nix/Config.pm.in | 1 - perl/lib/Nix/CopyClosure.pm | 12 ++--- perl/lib/Nix/Store.xs | 6 +-- scripts/build-remote.pl.in | 6 +-- scripts/nix-copy-closure.in | 10 ++-- src/libstore/binary-cache-store.cc | 9 ++-- src/libstore/binary-cache-store.hh | 4 +- src/libstore/local-store.cc | 77 ++++-------------------------- src/libstore/local-store.hh | 7 ++- src/libstore/remote-store.cc | 9 ++-- src/libstore/remote-store.hh | 5 +- src/libstore/store-api.cc | 9 ++-- src/libstore/store-api.hh | 11 ++--- src/nix-daemon/nix-daemon.cc | 6 +-- src/nix-store/nix-store.cc | 18 +++---- 16 files changed, 52 insertions(+), 142 deletions(-) diff --git a/configure.ac b/configure.ac index 1215782a..0c28e92c 100644 --- a/configure.ac +++ b/configure.ac @@ -168,10 +168,6 @@ AC_SUBST(storedir) # Look for OpenSSL, a required dependency. -AC_PATH_PROG(openssl, openssl, openssl) # if not found, call openssl in $PATH -AC_SUBST(openssl) -AC_DEFINE_UNQUOTED(OPENSSL_PATH, ["$openssl"], [Path of the OpenSSL binary]) - PKG_CHECK_MODULES([OPENSSL], [libcrypto], [CXXFLAGS="$OPENSSL_CFLAGS $CXXFLAGS"]) diff --git a/perl/lib/Nix/Config.pm.in b/perl/lib/Nix/Config.pm.in index f985c5b0..3575d99c 100644 --- a/perl/lib/Nix/Config.pm.in +++ b/perl/lib/Nix/Config.pm.in @@ -14,7 +14,6 @@ $storeDir = $ENV{"NIX_STORE_DIR"} || "@storedir@"; $bzip2 = "@bzip2@"; $xz = "@xz@"; $curl = "@curl@"; -$openssl = "@openssl@"; $useBindings = "@perlbindings@" eq "yes"; diff --git a/perl/lib/Nix/CopyClosure.pm b/perl/lib/Nix/CopyClosure.pm index 800feb3b..1adce07a 100644 --- a/perl/lib/Nix/CopyClosure.pm +++ b/perl/lib/Nix/CopyClosure.pm 
@@ -10,7 +10,7 @@ use IPC::Open2; sub copyToOpen { - my ($from, $to, $sshHost, $storePaths, $includeOutputs, $dryRun, $sign, $useSubstitutes) = @_; + my ($from, $to, $sshHost, $storePaths, $includeOutputs, $dryRun, $useSubstitutes) = @_; $useSubstitutes = 0 if $dryRun || !defined $useSubstitutes; @@ -41,13 +41,13 @@ sub copyToOpen { # Send the "import paths" command. syswrite($to, pack("L /dev/null" or die; - exportPaths(fileno(SSH), $sign, @missing); + exportPaths(fileno(SSH), @missing); close SSH or die "copying store paths to remote machine ‘$sshHost’ failed: $?"; } } diff --git a/perl/lib/Nix/Store.xs b/perl/lib/Nix/Store.xs index 6723ca38..f0e99007 100644 --- a/perl/lib/Nix/Store.xs +++ b/perl/lib/Nix/Store.xs @@ -169,13 +169,13 @@ SV * followLinksToStorePath(char * path) RETVAL -void exportPaths(int fd, int sign, ...) +void exportPaths(int fd, ...) PPCODE: try { Paths paths; for (int n = 2; n < items; ++n) paths.push_back(SvPV_nolen(ST(n))); FdSink sink(fd); - store()->exportPaths(paths, sign, sink); + store()->exportPaths(paths, sink); } catch (Error & e) { croak("%s", e.what()); } @@ -185,7 +185,7 @@ void importPaths(int fd) PPCODE: try { FdSource source(fd); - store()->importPaths(false, source, 0); + store()->importPaths(source, 0); } catch (Error & e) { croak("%s", e.what()); } diff --git a/scripts/build-remote.pl.in b/scripts/build-remote.pl.in index bd8b4402..4bf42941 100755 --- a/scripts/build-remote.pl.in +++ b/scripts/build-remote.pl.in @@ -223,10 +223,6 @@ my @inputs = split /\s/, readline(STDIN); my @outputs = split /\s/, readline(STDIN); -my $maybeSign = ""; -$maybeSign = "--sign" if -e "$Nix::Config::confDir/signing-key.sec"; - - # Copy the derivation and its dependencies to the build machine. This # is guarded by an exclusive lock per machine to prevent multiple # build-remote instances from copying to a machine simultaneously. 
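Review bot: In `exportPaths` in Store.xs the loop that collects the path arguments still starts at `n = 2`, an index that skipped `fd` and `sign` under the old prototype. With `sign` removed the first path is `ST(1)`, so the first store path passed from Perl is silently left out of the export. The loop line is unchanged context in this hunk and should change together with the prototype: `for (int n = 1; n < items; ++n) paths.push_back(SvPV_nolen(ST(n)));`. Callers such as `exportPaths(fileno(SSH), @missing)` in CopyClosure.pm would otherwise appear to send an incomplete set of paths.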
@@ -250,7 +246,7 @@ if ($@) { print STDERR "somebody is hogging $uploadLock, continuing...\n"; unlink $uploadLock; } -Nix::CopyClosure::copyToOpen($from, $to, $hostName, [ $drvPath, @inputs ], 0, 0, $maybeSign ne ""); +Nix::CopyClosure::copyToOpen($from, $to, $hostName, [ $drvPath, @inputs ], 0, 0); close UPLOADLOCK; diff --git a/scripts/nix-copy-closure.in b/scripts/nix-copy-closure.in index 9cbb4ede..0078d726 100755 --- a/scripts/nix-copy-closure.in +++ b/scripts/nix-copy-closure.in @@ -12,7 +12,7 @@ binmode STDERR, ":encoding(utf8)"; if (scalar @ARGV < 1) { print STDERR < 0) { print STDERR "copying ", scalar @missing, " missing paths from ‘$sshHost’...\n"; writeInt(5, $to); # == cmdExportPaths - writeInt($sign ? 1 : 0, $to); + writeInt(0, $to); # obsolete writeStrings(\@missing, $to); importPaths(fileno($from)); } diff --git a/src/libstore/binary-cache-store.cc b/src/libstore/binary-cache-store.cc index 411d1013..41b1fa02 100644 --- a/src/libstore/binary-cache-store.cc +++ b/src/libstore/binary-cache-store.cc @@ -156,10 +156,8 @@ void BinaryCacheStore::narFromPath(const Path & storePath, Sink & sink) sink((unsigned char *) nar->c_str(), nar->size()); } -void BinaryCacheStore::exportPath(const Path & storePath, bool sign, Sink & sink) +void BinaryCacheStore::exportPath(const Path & storePath, Sink & sink) { - assert(!sign); - auto res = queryPathInfo(storePath); narFromPath(storePath, sink); @@ -169,10 +167,9 @@ void BinaryCacheStore::exportPath(const Path & storePath, bool sign, Sink & sink sink << exportMagic << storePath << res->references << res->deriver << 0; } -Paths BinaryCacheStore::importPaths(bool requireSignature, Source & source, +Paths BinaryCacheStore::importPaths(Source & source, std::shared_ptr accessor) { - assert(!requireSignature); Paths res; while (true) { unsigned long long n = readLongLong(source); 
@@ -346,7 +343,7 @@ struct BinaryCacheStoreAccessor : public FSAccessor if (i != nars.end()) return {i->second, restPath}; StringSink sink; - store->exportPath(storePath, false, sink); + store->exportPath(storePath, sink); auto accessor = makeNarAccessor(sink.s); nars.emplace(storePath, accessor); diff --git a/src/libstore/binary-cache-store.hh b/src/libstore/binary-cache-store.hh index 46a38a1e..eb03c5f2 100644 --- a/src/libstore/binary-cache-store.hh +++ b/src/libstore/binary-cache-store.hh @@ -91,9 +91,9 @@ public: void narFromPath(const Path & path, Sink & sink) override; - void exportPath(const Path & path, bool sign, Sink & sink) override; + void exportPath(const Path & path, Sink & sink) override; - Paths importPaths(bool requireSignature, Source & source, + Paths importPaths(Source & source, std::shared_ptr accessor) override; Path importPath(Source & source, std::shared_ptr accessor); diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 01a11f11..42e4ab9f 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -1035,18 +1035,7 @@ struct HashAndWriteSink : Sink }; -static void checkSecrecy(const Path & path) -{ - struct stat st; - if (stat(path.c_str(), &st)) - throw SysError(format("getting status of ‘%1%’") % path); - if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) - throw Error(format("file ‘%1%’ should be secret (inaccessible to everybody else)!") % path); -} - - -void LocalStore::exportPath(const Path & path, bool sign, - Sink & sink) +void LocalStore::exportPath(const Path & path, Sink & sink) { assertStorePath(path); 
@@ -1068,30 +1057,7 @@ void LocalStore::exportPath(const Path & path, bool sign, hashAndWriteSink << exportMagic << path << info->references << info->deriver; - if (sign) { - Hash hash = hashAndWriteSink.currentHash(); - - Path tmpDir = createTempDir(); - AutoDelete delTmp(tmpDir); - Path hashFile = tmpDir + "/hash"; - writeFile(hashFile, printHash(hash)); - - Path secretKey = settings.nixConfDir + "/signing-key.sec"; - checkSecrecy(secretKey); - - Strings args; - args.push_back("rsautl"); - args.push_back("-sign"); - args.push_back("-inkey"); - args.push_back(secretKey); - args.push_back("-in"); - args.push_back(hashFile); - string signature = runProgram(OPENSSL_PATH, true, args); - - hashAndWriteSink << 1 << signature; - - } else - hashAndWriteSink << 0; + hashAndWriteSink << 0; // backwards compatibility } @@ -1129,7 +1095,7 @@ Path LocalStore::createTempDirInStore() } -Path LocalStore::importPath(bool requireSignature, Source & source) +Path LocalStore::importPath(Source & source) { HashAndReadSource hashAndReadSource(source); 
@@ -1160,36 +1126,9 @@ Path LocalStore::importPath(bool requireSignature, Source & source) bool haveSignature = readInt(hashAndReadSource) == 1; - if (requireSignature && !haveSignature) - throw Error(format("imported archive of ‘%1%’ lacks a signature") % dstPath); - - if (haveSignature) { - string signature = readString(hashAndReadSource); - - if (requireSignature) { - Path sigFile = tmpDir + "/sig"; - writeFile(sigFile, signature); - - Strings args; - args.push_back("rsautl"); - args.push_back("-verify"); - args.push_back("-inkey"); - args.push_back(settings.nixConfDir + "/signing-key.pub"); - args.push_back("-pubin"); - args.push_back("-in"); - args.push_back(sigFile); - string hash2 = runProgram(OPENSSL_PATH, true, args); - - /* Note: runProgram() throws an exception if the signature - is invalid. */ - - if (printHash(hash) != hash2) - throw Error( - "signed hash doesn't match actual contents of imported " - "archive; archive could be corrupt, or someone is trying " - "to import a Trojan horse"); - } - } + if (haveSignature) + // Ignore legacy signature. + readString(hashAndReadSource); /* Do the actual import. */ @@ -1239,7 +1178,7 @@ Path LocalStore::importPath(bool requireSignature, Source & source) } -Paths LocalStore::importPaths(bool requireSignature, Source & source, +Paths LocalStore::importPaths(Source & source, std::shared_ptr accessor) { Paths res; @@ -1247,7 +1186,7 @@ Paths LocalStore::importPaths(bool requireSignature, Source & source, unsigned long long n = readLongLong(source); if (n == 0) break; if (n != 1) throw Error("input doesn't look like something created by ‘nix-store --export’"); - res.push_back(importPath(requireSignature, source)); + res.push_back(importPath(source)); } return res; } diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh index 6f2341de..d3cde740 100644 --- a/src/libstore/local-store.hh +++ b/src/libstore/local-store.hh 
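Review bot: In `LocalStore::importPath` the legacy signature is now read and discarded, and the comment `// Ignore legacy signature.` does not tell a reader that the import is no longer authenticated in any way. I would brace the statement and say so explicitly: `if (haveSignature) { /* legacy OpenSSL signature: consumed to keep the stream in sync, never verified */ readString(hashAndReadSource); }`. The same statement belongs in the `importPaths` comment in store-api.hh, which still describes only the accessor preloading. If the `hash` value used by the removed comparison is still computed outside this hunk it may now be unused; the function body starts and ends outside the hunk.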
@@ -126,10 +126,9 @@ public: Path addTextToStore(const string & name, const string & s, const PathSet & references, bool repair = false) override; - void exportPath(const Path & path, bool sign, - Sink & sink) override; + void exportPath(const Path & path, Sink & sink) override; - Paths importPaths(bool requireSignature, Source & source, + Paths importPaths(Source & source, std::shared_ptr accessor) override; void buildPaths(const PathSet & paths, BuildMode buildMode) override; @@ -230,7 +229,7 @@ private: Path createTempDirInStore(); - Path importPath(bool requireSignature, Source & source); + Path importPath(Source & source); void checkDerivationOutputs(const Path & drvPath, const Derivation & drv); diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc index 5a254a61..1616f98f 100644 --- a/src/libstore/remote-store.cc +++ b/src/libstore/remote-store.cc @@ -373,23 +373,20 @@ Path RemoteStore::addTextToStore(const string & name, const string & s, } -void RemoteStore::exportPath(const Path & path, bool sign, - Sink & sink) +void RemoteStore::exportPath(const Path & path, Sink & sink) { auto conn(connections->get()); - conn->to << wopExportPath << path << (sign ? 1 : 0); + conn->to << wopExportPath << path << 0; conn->processStderr(&sink); /* sink receives the actual data */ readInt(conn->from); } -Paths RemoteStore::importPaths(bool requireSignature, Source & source, +Paths RemoteStore::importPaths(Source & source, std::shared_ptr accessor) { auto conn(connections->get()); conn->to << wopImportPaths; - /* We ignore requireSignature, since the worker forces it to true - anyway. */ conn->processStderr(0, &source); return readStorePaths(conn->from); } diff --git a/src/libstore/remote-store.hh b/src/libstore/remote-store.hh index 8e45a744..f4fd96a6 100644 --- a/src/libstore/remote-store.hh +++ b/src/libstore/remote-store.hh 
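Review bot: The bare `0` written after `path` in `RemoteStore::exportPath` carries no explanation, while the daemon side that reads the same field is marked `// obsolete` in this commit. A matching comment keeps the wire format understandable for the next reader: `conn->to << wopExportPath << path << 0; // obsolete "sign" flag, kept for protocol compatibility`.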
@@ -58,10 +58,9 @@ public: Path addTextToStore(const string & name, const string & s, const PathSet & references, bool repair = false) override; - void exportPath(const Path & path, bool sign, - Sink & sink) override; + void exportPath(const Path & path, Sink & sink) override; - Paths importPaths(bool requireSignature, Source & source, + Paths importPaths(Source & source, std::shared_ptr accessor) override; void buildPaths(const PathSet & paths, BuildMode buildMode) override; diff --git a/src/libstore/store-api.cc b/src/libstore/store-api.cc index b03e4080..c6cc46c6 100644 --- a/src/libstore/store-api.cc +++ b/src/libstore/store-api.cc @@ -363,10 +363,10 @@ void copyStorePath(ref srcStore, ref dstStore, auto info = srcStore->queryPathInfo(storePath); StringSink sink; - srcStore->exportPaths({storePath}, false, sink); + srcStore->exportPaths({storePath}, sink); StringSource source(*sink.s); - dstStore->importPaths(false, source, 0); + dstStore->importPaths(source, 0); } @@ -406,12 +406,11 @@ string showPaths(const PathSet & paths) } -void Store::exportPaths(const Paths & paths, - bool sign, Sink & sink) +void Store::exportPaths(const Paths & paths, Sink & sink) { for (auto & i : paths) { sink << 1; - exportPath(i, sign, sink); + exportPath(i, sink); } sink << 0; } diff --git a/src/libstore/store-api.hh b/src/libstore/store-api.hh index 099aa1d6..95ad5136 100644 --- a/src/libstore/store-api.hh +++ b/src/libstore/store-api.hh 
@@ -270,21 +270,18 @@ public: virtual void narFromPath(const Path & path, Sink & sink) = 0; /* Export a store path, that is, create a NAR dump of the store - path and append its references and its deriver. Optionally, a - cryptographic signature (created by OpenSSL) of the preceding - data is attached. */ - virtual void exportPath(const Path & path, bool sign, - Sink & sink) = 0; + path and append its references and its deriver. */ + virtual void exportPath(const Path & path, Sink & sink) = 0; /* Export multiple paths in the format expected by ‘nix-store --import’. */ - void exportPaths(const Paths & paths, bool sign, Sink & sink); + void exportPaths(const Paths & paths, Sink & sink); /* Import a sequence of NAR dumps created by exportPaths() into the Nix store. Optionally, the contents of the NARs are preloaded into the specified FS accessor to speed up subsequent access. */ - virtual Paths importPaths(bool requireSignature, Source & source, + virtual Paths importPaths(Source & source, std::shared_ptr accessor) = 0; /* For each path, if it's a derivation, build it. Building a diff --git a/src/nix-daemon/nix-daemon.cc b/src/nix-daemon/nix-daemon.cc index 3c2e0521..60ad85a6 100644 --- a/src/nix-daemon/nix-daemon.cc +++ b/src/nix-daemon/nix-daemon.cc @@ -312,10 +312,10 @@ static void performOp(ref store, bool trusted, unsigned int clientVe case wopExportPath: { Path path = readStorePath(from); - bool sign = readInt(from) == 1; + readInt(from); // obsolete startWork(); TunnelSink sink(to); - store->exportPath(path, sign, sink); + store->exportPath(path, sink); stopWork(); to << 1; break; @@ -324,7 +324,7 @@ static void performOp(ref store, bool trusted, unsigned int clientVe case wopImportPaths: { startWork(); TunnelSource source(from); - Paths paths = store->importPaths(!trusted, source, 0); + Paths paths = store->importPaths(source, 0); stopWork(); to << paths; break; 
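Review bot: In the `wopImportPaths` case of `performOp`, `trusted` no longer influences the import. The old call passed `!trusted` as `requireSignature`, so an untrusted client could only import signed archives, whereas `store->importPaths(source, 0)` accepts whatever the client sends. Unless a check outside this hunk restricts the operation, any user allowed to talk to the daemon can now have unverified paths registered in the store. Until a replacement signature scheme exists the case should fail closed for untrusted clients, for example `if (!trusted) throw Error("you are not privileged to import paths");` placed before `startWork()`. `performOp` starts and ends outside the hunk.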
diff --git a/src/nix-store/nix-store.cc b/src/nix-store/nix-store.cc index 653a95f2..d63adaff 100644 --- a/src/nix-store/nix-store.cc +++ b/src/nix-store/nix-store.cc @@ -699,29 +699,25 @@ static void opRestore(Strings opFlags, Strings opArgs) static void opExport(Strings opFlags, Strings opArgs) { - bool sign = false; for (auto & i : opFlags) - if (i == "--sign") sign = true; - else throw UsageError(format("unknown flag ‘%1%’") % i); + throw UsageError(format("unknown flag ‘%1%’") % i); FdSink sink(STDOUT_FILENO); Paths sorted = store->topoSortPaths(PathSet(opArgs.begin(), opArgs.end())); reverse(sorted.begin(), sorted.end()); - store->exportPaths(sorted, sign, sink); + store->exportPaths(sorted, sink); } static void opImport(Strings opFlags, Strings opArgs) { - bool requireSignature = false; for (auto & i : opFlags) - if (i == "--require-signature") requireSignature = true; - else throw UsageError(format("unknown flag ‘%1%’") % i); + throw UsageError(format("unknown flag ‘%1%’") % i); if (!opArgs.empty()) throw UsageError("no arguments expected"); FdSource source(STDIN_FILENO); - Paths paths = store->importPaths(requireSignature, source, 0); + Paths paths = store->importPaths(source, 0); for (auto & i : paths) cout << format("%1%\n") % i << std::flush; @@ -909,16 +905,16 @@ static void opServe(Strings opFlags, Strings opArgs) case cmdImportPaths: { if (!writeAllowed) throw Error("importing paths is not allowed"); - store->importPaths(false, in, 0); + store->importPaths(in, 0); out << 1; // indicate success break; } case cmdExportPaths: { - bool sign = readInt(in); + readInt(in); // obsolete Paths sorted = store->topoSortPaths(readStorePaths(in)); reverse(sorted.begin(), sorted.end()); - store->exportPaths(sorted, sign, out); + store->exportPaths(sorted, out); break; }
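Review bot: In `opExport` and `opImport` the flag loop now throws on its first iteration, so `for (auto & i : opFlags) throw UsageError(...)` is a loop in form only. `if (!opFlags.empty()) throw UsageError(format("unknown flag ‘%1%’") % opFlags.front());` states the intent directly. Rejecting `--require-signature` instead of silently accepting it is the right failure mode, because accepting it would imply a check that no longer happens. The generic `unknown flag` message gives no hint that `--sign` and `--require-signature` were removed, though, and a dedicated message would help users of existing scripts.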