chromium/updater: Fix usage of insecure MD5 hashes

The title of https://github.com/NixOS/nix/issues/802 says it all:

    Is it time to deprecate md5?

Of course it is - we shouldn't use MD5 for our beautiful updater, but
switch to SHA1 instead. It's the future!

       .    .          .       .           .
  .              .        .          .               .
    .    .           .           .        .-.   .         .     .
           -------     ______             | `\                .
.   ______   .            '   ``-..-.-,.-.`.  `----._______
           .  -------   .   . `.`.-=,'='-===| SHA1  \______`--._
 --------------      ---   .  ..-.-.-=-.-===|   ____________.--"
               ---------  . . .- .,==-'`-'-./  /__----'^  `^  `^  `^
   ____   -----     --  ____   ' . _____   \______[=>  =>  =>  =>
         .                   .       .                .
   .          .     .     .              .        .          .

Signed-off-by: aszlig <aszlig@nix.build>
This commit is contained in:
aszlig 2019-04-01 00:00:00 +00:00
parent d8c7f0bd3f
commit ed8f3b5fa3
No known key found for this signature in database
GPG Key ID: 684089CE67EBB691

View File

@ -97,13 +97,13 @@ in rec {
builtins.tryEval (builtins.fetchurl url) builtins.tryEval (builtins.fetchurl url)
... except that tryEval on fetchurl isn't working and doesn't catch errors ... except that tryEval on fetchurl isn't working and doesn't catch
for fetchurl, so we go for a different approach. errors for fetchurl, so we go for a different approach.
We only have fixed-output derivations that can have networking access, so We only have fixed-output derivations that can have networking access, so
we abuse MD5 and its weaknesses to forge a fixed-output derivation which we abuse SHA1 and its weaknesses to forge a fixed-output derivation which
is not so fixed, because it emits different contents that have the same is not so fixed, because it emits different contents that have the same
MD5 hash. SHA1 hash.
Using this method, we can distinguish whether the URL is available or Using this method, we can distinguish whether the URL is available or
whether it's not based on the actual content. whether it's not based on the actual content.
@ -111,25 +111,50 @@ in rec {
So let's use tryEval as soon as it's working with fetchurl in Nix. So let's use tryEval as soon as it's working with fetchurl in Nix.
*/ */
tryFetch = url: let tryFetch = url: let
mkBin = b: runCommand "binary-blurb" { inherit b; } '' # SHA1 hash collisions from https://shattered.io/static/shattered.pdf:
h="$(echo "$b" | sed -e ':r;N;$!br;s/[^ \n][^ \n]/\\x&/g;s/[ \n]//g')" collisions = runCommand "sha1-collisions" {
echo -ne "$h" > "$out" outputs = [ "out" "good" "bad" ];
''; base64 = ''
QlpoOTFBWSZTWbL5V5MABl///////9Pv///v////+/////HDdK739/677r+W3/75rUNr4
# Both MD5 hash collision examples are from: Aa/AAAAAAACgEVTRtQDQAaA0AAyGmjTQGmgAAANGgAaMIAYgGgAABo0AAAAAADQAIAGQ0
# https://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities MgDIGmjQA0DRk0AaMQ0DQAGIANGgAAGRoNGQMRpo0GIGgBoGQAAIAGQ0MgDIGmjQA0DRk
hashCollTrue = mkBin '' 0AaMQ0DQAGIANGgAAGRoNGQMRpo0GIGgBoGQAAIAGQ0MgDIGmjQA0DRk0AaMQ0DQAGIAN
d131dd02c5e6eec4 693d9a0698aff95c 2fcab58712467eab 4004583eb8fb7f89 GgAAGRoNGQMRpo0GIGgBoGQAAIAGQ0MgDIGmjQA0DRk0AaMQ0DQAGIANGgAAGRoNGQMRp
55ad340609f4b302 83e488832571415a 085125e8f7cdc99f d91dbdf280373c5b o0GIGgBoGQAABVTUExEZATTICnkxNR+p6E09JppoyamjGhkm0ammIyaekbUejU9JiGnqZ
d8823e3156348f5b ae6dacd436c919c6 dd53e2b487da03fd 02396306d248cda0 qaaDxJ6m0JkZMQ2oaYmJ6gxqMyE2TUzJqfItligtJQJfYbl9Zy9QjQuB5mHQRdSSXCCTH
e99f33420f577ee8 ce54b67080a80d1e c69821bcb6a88393 96f9652b6ff72a70 MgmSDYmdOoOmLTBJWiCpOhMQYpQlOYpJjn+wQUJSTCEpOMekaFaaNB6glCC0hKEJdHr6B
''; mUIHeph7YxS8WJYyGwgWnMTFJBDFSxSCCYljiEk7HZgJzJVDHJxMgY6tCEIIWgsKSlSZ0
S8GckoIIF+551Ro4RCw260VCEpWJSlpWx/PMrLyVoyhWMAneDilBcUIeZ1j6NCkus0qUC
hashCollFalse = mkBin '' Wnahhk5KT4GpWMh3vm2nJWjTL9Qg+84iExBJhNKpbV9tvEN265t3fu/TKkt4rXFTsV+Nc
d131dd02c5e6eec4 693d9a0698aff95c 2fcab50712467eab 4004583eb8fb7f89 upJXhOhOhJMQQktrqt4K8mSh9M2DAO2X7uXGVL9YQxUtzQmS7uBndL7M6R7vX869VxqPu
55ad340609f4b302 83e4888325f1415a 085125e8f7cdc99f d91dbd7280373c5b renSuHYNq1yTXOfNWLwgvKlRlFYqLCs6OChDp0HuTzCWscmGudLyqUuwVGG75nmyZhKpJ
d8823e3156348f5b ae6dacd436c919c6 dd53e23487da03fd 02396306d248cda0 yOE/pOZyHyrZxGM51DYIN+Jc8yVJgAykxKCEtW55MlfudLg3KG6TtozalunXrroSxUpVL
e99f33420f577ee8 ce54b67080280d1e c69821bcb6a88393 96f965ab6ff72a70 StWrWLFihMnVpkyZOrQnUrE6xq1CGtJlbAb5ShMbV1CZgqlKC0wCFCpMmUKSEkvFLaZC8
wHOCVAlvzaJQ/T+XLb5Dh5TNM67p6KZ4e4ZSGyVENx2O27LzrTIteAreTkMZpW95GS0CE
JYhMc4nToTJ0wQhKEyddaLb/rTqmgJSlkpnALxMhlNmuKEpkEkqhKUoEq3SoKUpIQcDgW
lC0rYahMmLuPQ0fHqZaF4v2W8IoJ2EhMhYmSw7qql27WJS+G4rUplToFi2rSv0NSrVvDU
pltQ8Lv6F8pXyxmFBSxiLSxglNC4uvXVKmAtusXy4YXGX1ixedEvXF1aX6t8adYnYCpC6
rW1ZzdZYlCCxKEv8vpbqdSsXl8v1jCQv0KEPxPTa/5rtWSF1dSgg4z4KjfIMNtgwWoWLE
sRhKxsSA9ji7V5LRPwtumeQ8V57UtFSPIUmtQdOQfseI2Ly1DMtk4Jl8n927w34zrWG6P
i4jzC82js/46Rt2IZoadWxOtMInS2xYmcu8mOw9PLYxQ4bdfFw3ZPf/g2pzSwZDhGrZAl
9lqky0W+yeanadC037xk496t0Dq3ctfmqmjgie8ln9k6Q0K1krb3dK9el4Xsu44LpGcen
r2eQZ1s1IhOhnE56WnXf0BLWn9Xz15fMkzi4kpVxiTKGEpffErEEMvEeMZhUl6yD1SdeJ
YbxzGNM3ak2TAaglLZlDCVnoM6wV5DRrycwF8Zh/fRsdmhkMfAO1duwknrsFwrzePWeMw
l107DWzymxdQwiSXx/lncnn75jL9mUzw2bUDqj20LTgtawxK2SlQg1CCZDQMgSpEqLjRM
sykM9zbSIUqil0zNk7Nu+b5J0DKZlhl9CtpGKgX5uyp0idoJ3we9bSrY7PupnUL5eWiDp
V5mmnNUhOnYi8xyClkLbNmAXyoWk7GaVrM2umkbpqHDzDymiKjetgzTocWNsJ2E0zPcfh
t46J4ipaXGCfF7fuO0a70c82bvqo3HceIcRlshgu73seO8BqlLIap2z5jTOY+T2ucCnBt
Atva3aHdchJg9AJ5YdKHz7LoA3VKmeqxAlFyEnQLBxB2PAhAZ8KvmuR6ELXws1Qr13Nd1
i4nsp189jqvaNzt+0nEnIaniuP1+/UOZdyfoZh57ku8sYHKdvfW/jYSUks+0rK+qtte+p
y8jWL9cOJ0fV8rrH/t+85/p1z2N67p/ZsZ3JmdyliL7lrNxZUlx0MVIl6PxXOUuGOeArW
3vuEvJ2beoh7SGyZKHKbR2bBWO1d49JDIcVM6lQtu9UO8ec8pOnXmkcponBPLNM2CwZ9k
NC/4ct6rQkPkQHMcV/8XckU4UJCy+VeTA==
'';
} ''
echo "$base64" | base64 -d | tar xj
mv good.pdf "$good"
mv bad.pdf "$bad"
touch "$out"
''; '';
cacheVal = let cacheVal = let
@ -137,31 +162,40 @@ in rec {
timeSlice = builtins.currentTime / 600; timeSlice = builtins.currentTime / 600;
in "${urlHash}-${toString timeSlice}"; in "${urlHash}-${toString timeSlice}";
successBin = stdenv.mkDerivation {
name = "tryfetch-${cacheVal}";
inherit url;
outputHash = "79054025255fb1a26e4bc422aef54eb4";
outputHashMode = "flat";
outputHashAlgo = "md5";
nativeBuildInputs = [ curl ];
preferLocalBuild = true;
buildCommand = ''
if SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt" \
curl -s -L -f -I "$url" > /dev/null; then
cat "${hashCollTrue}" > "$out"
else
cat "${hashCollFalse}" > "$out"
fi
'';
impureEnvVars = lib.fetchers.proxyImpureEnvVars;
};
in { in {
success = builtins.readFile successBin == builtins.readFile hashCollTrue; success = import (runCommand "check-success" {
result = stdenv.mkDerivation {
name = "tryfetch-${cacheVal}";
inherit url;
outputHash = "d00bbe65d80f6d53d5c15da7c6b4f0a655c5a86a";
outputHashMode = "flat";
outputHashAlgo = "sha1";
nativeBuildInputs = [ curl ];
preferLocalBuild = true;
inherit (collisions) good bad;
buildCommand = ''
if SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt" \
curl -s -L -f -I "$url" > /dev/null; then
cp "$good" "$out"
else
cp "$bad" "$out"
fi
'';
impureEnvVars = lib.fetchers.proxyImpureEnvVars;
};
inherit (collisions) good;
} ''
if cmp -s "$result" "$good"; then
echo true > "$out"
else
echo false > "$out"
fi
'');
value = builtins.fetchurl url; value = builtins.fetchurl url;
}; };