NixOS/nix
NixOS/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2024-09-19 10:50:24 -04:00
Code Activity

Ensure error messages don't leak private key

Browse source 
Since #8766, invalid base64 is rendered in errors, but we don't actually
want to show this in the case of an invalid private keys.
This commit is contained in:
John Ericson 2024-09-17 15:25:30 -04:00 committed by John Ericson
parent 0ed2ab0533
commit d8b36268c8
9 changed files with 68 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/libstore/machines.cc
View file

@ -159,8 +159,9 @@ static Machine parseBuilderLine(const std::set<std::string> & defaultSystems, co
const auto & str = tokens[fieldIndex]; const auto & str = tokens[fieldIndex];
try { try {
base64Decode(str); base64Decode(str);
} catch (const Error & e) { } catch (FormatError & e) {
throw FormatError("bad machine specification: a column #%lu in a row: '%s' is not valid base64 string: %s", fieldIndex, line, e.what()); e.addTrace({}, "while parsing machine specification at a column #%lu in a row: '%s'", fieldIndex, line);
throw;
} }
return str; return str;
}; };

14
src/libstore/ssh.cc
View file

@ -7,6 +7,16 @@
namespace nix { namespace nix {
static std::string parsePublicHostKey(std::string_view host, std::string_view sshPublicHostKey)
{
try {
return base64Decode(sshPublicHostKey);
} catch (Error & e) {
e.addTrace({}, "while decoding ssh public host key for host '%s'", host);
throw;
}
}
SSHMaster::SSHMaster( SSHMaster::SSHMaster(
std::string_view host, std::string_view host,
std::string_view keyFile, std::string_view keyFile,
@ -15,7 +25,7 @@ SSHMaster::SSHMaster(
: host(host) : host(host)
, fakeSSH(host == "localhost") , fakeSSH(host == "localhost")
, keyFile(keyFile) , keyFile(keyFile)
, sshPublicHostKey(sshPublicHostKey) , sshPublicHostKey(parsePublicHostKey(host, sshPublicHostKey))
, useMaster(useMaster && !fakeSSH) , useMaster(useMaster && !fakeSSH)
, compress(compress) , compress(compress)
, logFD(logFD) , logFD(logFD)
@ -39,7 +49,7 @@ void SSHMaster::addCommonSSHOpts(Strings & args)
std::filesystem::path fileName = state->tmpDir->path() / "host-key"; std::filesystem::path fileName = state->tmpDir->path() / "host-key";
auto p = host.rfind("@"); auto p = host.rfind("@");
std::string thost = p != std::string::npos ? std::string(host, p + 1) : host; std::string thost = p != std::string::npos ? std::string(host, p + 1) : host;
writeFile(fileName.string(), thost + " " + base64Decode(sshPublicHostKey) + "\n"); writeFile(fileName.string(), thost + " " + sshPublicHostKey + "\n");
args.insert(args.end(), {"-oUserKnownHostsFile=" + fileName.string()}); args.insert(args.end(), {"-oUserKnownHostsFile=" + fileName.string()});
} }
if (compress) if (compress)

3
src/libstore/ssh.hh
View file

@ -14,6 +14,9 @@ private:
const std::string host; const std::string host;
bool fakeSSH; bool fakeSSH;
const std::string keyFile; const std::string keyFile;
/**
* Raw bytes, not Base64 encoding.
*/
const std::string sshPublicHostKey; const std::string sshPublicHostKey;
const bool useMaster; const bool useMaster;
const bool compress; const bool compress;

17
src/libutil/signature/local-keys.cc
View file

@ -14,17 +14,22 @@ BorrowedCryptoValue BorrowedCryptoValue::parse(std::string_view s)
return {s.substr(0, colon), s.substr(colon + 1)}; return {s.substr(0, colon), s.substr(colon + 1)};
} }
Key::Key(std::string_view s) Key::Key(std::string_view s, bool sensitiveValue)
{ {
auto ss = BorrowedCryptoValue::parse(s); auto ss = BorrowedCryptoValue::parse(s);
name = ss.name; name = ss.name;
key = ss.payload; key = ss.payload;
if (name == "" || key == "") try {
throw Error("key is corrupt"); if (name == "" || key == "")
throw FormatError("key is corrupt");
key = base64Decode(key); key = base64Decode(key);
} catch (Error & e) {
e.addTrace({}, "while decoding key named '%s'", name);
throw;
}
} }
std::string Key::to_string() const std::string Key::to_string() const
@ -33,7 +38,7 @@ std::string Key::to_string() const
} }
SecretKey::SecretKey(std::string_view s) SecretKey::SecretKey(std::string_view s)
: Key(s) : Key{s, true}
{ {
if (key.size() != crypto_sign_SECRETKEYBYTES) if (key.size() != crypto_sign_SECRETKEYBYTES)
throw Error("secret key is not valid"); throw Error("secret key is not valid");
@ -66,7 +71,7 @@ SecretKey SecretKey::generate(std::string_view name)
} }
PublicKey::PublicKey(std::string_view s) PublicKey::PublicKey(std::string_view s)
: Key(s) : Key{s, false}
{ {
if (key.size() != crypto_sign_PUBLICKEYBYTES) if (key.size() != crypto_sign_PUBLICKEYBYTES)
throw Error("public key is not valid"); throw Error("public key is not valid");

16
src/libutil/signature/local-keys.hh
View file

@ -31,15 +31,19 @@ struct Key
std::string name; std::string name;
std::string key; std::string key;
/**
* Construct Key from a string in the format
* <name>:<key-in-base64>.
*/
Key(std::string_view s);
std::string to_string() const; std::string to_string() const;
protected: protected:
/**
* Construct Key from a string in the format
* <name>:<key-in-base64>.
*
* @param sensitiveValue Avoid displaying the raw Base64 in error
* messages to avoid leaking private keys.
*/
Key(std::string_view s, bool sensitiveValue);
Key(std::string_view name, std::string && key) Key(std::string_view name, std::string && key)
: name(name), key(std::move(key)) { } : name(name), key(std::move(key)) { }
}; };

7
src/libutil/util.cc
View file

@ -220,7 +220,7 @@ std::string base64Encode(std::string_view s)
} }
std::string base64Decode(std::string_view s) std::string base64Decode(std::string_view s, bool sensitiveValue)
{ {
constexpr char npos = -1; constexpr char npos = -1;
constexpr std::array<char, 256> base64DecodeChars = [&] { constexpr std::array<char, 256> base64DecodeChars = [&] {
@ -244,7 +244,10 @@ std::string base64Decode(std::string_view s)
char digit = base64DecodeChars[(unsigned char) c]; char digit = base64DecodeChars[(unsigned char) c];
if (digit == npos) { if (digit == npos) {
throw Error("invalid character in Base64 string: '%c' in '%s'", c, s.data()); auto msg = sensitiveValue
? "<redacted>"
: fmt("'%s'", s.data());
throw FormatError("invalid character in Base64 string: '%c' in %s", c, msg);
} }
bits += 6; bits += 6;

11
src/libutil/util.hh
View file

@ -172,10 +172,17 @@ constexpr char treeNull[] = " ";
/** /**
* Base64 encoding/decoding. * Encode arbitrary bytes as Base64.
*/ */
std::string base64Encode(std::string_view s); std::string base64Encode(std::string_view s);
std::string base64Decode(std::string_view s);
/**
* Decode arbitrary bytes to Base64.
*
* @param sensitiveValue Avoid displaying the raw Base64 in error messages,
* e.g. to avoid leaking private keys.
*/
std::string base64Decode(std::string_view s, bool sensitiveValue = false);
/** /**

2
tests/unit/libexpr/nix_api_expr.cc
View file

@ -8,7 +8,7 @@
#include "tests/nix_api_expr.hh" #include "tests/nix_api_expr.hh"
#include "tests/string_callback.hh" #include "tests/string_callback.hh"
#include "gmock/gmock.h" #include <gmock/gmock.h>
#include <gtest/gtest.h> #include <gtest/gtest.h>
namespace nixC { namespace nixC {

15
tests/unit/libutil/util.cc
View file

@ -6,6 +6,7 @@
#include <limits.h> #include <limits.h>
#include <gtest/gtest.h> #include <gtest/gtest.h>
#include <gmock/gmock.h>
#include <numeric> #include <numeric>
@ -99,7 +100,19 @@ TEST(base64Decode, decodeAString)
TEST(base64Decode, decodeThrowsOnInvalidChar) TEST(base64Decode, decodeThrowsOnInvalidChar)
{ {
ASSERT_THROW(base64Decode("cXVvZCBlcm_0IGRlbW9uc3RyYW5kdW0="), Error); ASSERT_THROW(base64Decode("cXVvZCBlcm_0IGRlbW9uc3RyYW5kdW0="), FormatError);
}
TEST(base64Decode, decodeThrowsNoLeak)
{
std::string msg = "cXVvZCBlcm_0IGRlbW9uc3RyYW5kdW0=";
try {
base64Decode(msg, true);
} catch (FormatError & e) {
EXPECT_THAT(e.msg(), testing::Not(testing::HasSubstr(msg)));
return;
}
EXPECT_TRUE(false);
} }
/* ---------------------------------------------------------------------------- /* ----------------------------------------------------------------------------