fetchurl: only allow empty hash when cacert is available

We can use cacert to validate the server’s SSL certificate when fetching the data.
Normally, this doesn’t happen because we already have the hash, but in
the hash = "" case we don’t.
Matthew Bauer 2020-06-09 12:56:27 -05:00
parent a528cc1bca
commit 0046802ab6
3 changed files with 17 additions and 3 deletions


@ -15,8 +15,14 @@ curl=(
--retry 3 --retry 3
--disable-epsv --disable-epsv
--cookie-jar cookies --cookie-jar cookies
--insecure
--user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion" --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
)
if ! [ -f "$SSL_CERT_FILE" ]; then
curl+=(--insecure)
fi
curl+=(
$curlOpts $curlOpts
$NIX_CURL_FLAGS $NIX_CURL_FLAGS
) )
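Review bot: The new `if ! [ -f "$SSL_CERT_FILE" ]` check silently falls back to `--insecure` whenever the file is absent, so in the hash = "" case (where the Nix side points `SSL_CERT_FILE` at the cacert bundle) a missing or mislocated bundle would turn a certificate-verified download into an unverified one instead of failing. Since that case has no output hash to fall back on, it would be safer to abort rather than downgrade; assuming `outputHash` is exported to the builder environment like the other derivation attributes, the rewrite below does that. The hunk also relies on curl picking up `SSL_CERT_FILE` implicitly from the environment; passing `--cacert "$SSL_CERT_FILE"` explicitly in the verified branch would make the intent visible to readers. The `curl=(` array this hunk extends starts before the hunk.
```shell
if ! [ -f "$SSL_CERT_FILE" ]; then
    if [ -z "$outputHash" ]; then
        echo "fetchurl: no CA bundle at '$SSL_CERT_FILE' and no output hash to verify the download against" >&2
        exit 1
    fi
    curl+=(--insecure)
else
    curl+=(--cacert "$SSL_CERT_FILE")
fi
# … unchanged: curl+=( $curlOpts $NIX_CURL_FLAGS ) …
```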


@ -1,4 +1,6 @@
{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC, curl }: # Note that `curl' may be `null', in case of the native stdenvNoCC. { lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC
, curl # Note that `curl' may be `null', in case of the native stdenvNoCC.
, cacert ? null }:
let let
@ -112,7 +114,8 @@ let
else if sha512 != "" then { outputHashAlgo = "sha512"; outputHash = sha512; } else if sha512 != "" then { outputHashAlgo = "sha512"; outputHash = sha512; }
else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; } else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; }
else if sha1 != "" then { outputHashAlgo = "sha1"; outputHash = sha1; } else if sha1 != "" then { outputHashAlgo = "sha1"; outputHash = sha1; }
else { outputHashAlgo = "sha256"; outputHash = ""; }; else if cacert != null then { outputHashAlgo = "sha256"; outputHash = ""; }
else throw "fetchurl requires a hash for fixed-output derivation: ${lib.concatStringsSep ", " urls_}";
in in
stdenvNoCC.mkDerivation { stdenvNoCC.mkDerivation {
@ -134,6 +137,10 @@ stdenvNoCC.mkDerivation {
# New-style output content requirements. # New-style output content requirements.
inherit (hash_) outputHashAlgo outputHash; inherit (hash_) outputHashAlgo outputHash;
SSL_CERT_FILE = if hash_.outputHash == ""
then "${cacert}/etc/ssl/certs/ca-bundle.crt"
else "/no-cert-file.crt";
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat"; outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
inherit curlOpts showURLs mirrorsFile postFetch downloadToTemp executable; inherit curlOpts showURLs mirrorsFile postFetch downloadToTemp executable;
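Review bot: The `else "/no-cert-file.crt"` branch of the new `SSL_CERT_FILE` attribute is a deliberate sentinel — it is meant to fail the builder's `-f` test so that hashed fetches keep using `--insecure` — but nothing in the expression says so, and a future reader may try to "fix" it. A comment on that line would preserve the intent: `# Not a real file: for hashed fetches the builder falls back to --insecure, since the fixed output hash already verifies the content.` In the second hunk, the message thrown when `cacert == null` says only that a hash is required, while the actual condition is "no hash and no cacert to verify TLS with"; `throw "fetchurl requires a hash for fixed-output derivation (no cacert available to verify TLS instead): ${lib.concatStringsSep ", " urls_}"` would tell bootstrap users why the empty-hash path is unavailable to them. The enclosing `hash_` let-binding and `mkDerivation` call both extend outside the visible hunks.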


@ -331,6 +331,7 @@ in
then buildPackages.fetchurl # No need to do special overrides twice, then buildPackages.fetchurl # No need to do special overrides twice,
else makeOverridable (import ../build-support/fetchurl) { else makeOverridable (import ../build-support/fetchurl) {
inherit lib stdenvNoCC buildPackages; inherit lib stdenvNoCC buildPackages;
inherit cacert;
curl = buildPackages.curl.override (old: rec { curl = buildPackages.curl.override (old: rec {
# break dependency cycles # break dependency cycles
fetchurl = stdenv.fetchurlBoot; fetchurl = stdenv.fetchurlBoot;