oci: cas*: add blob verification #282

Merged (4 commits), Dec 28, 2018

Commits on Dec 28, 2018

  1. ci: add gosec to docker image

    Signed-off-by: Aleksa Sarai <asarai@suse.de>
    cyphar committed Dec 28, 2018 (bce1544)
  2. oci: cas*: add blob verification

    Previously we didn't really check that blobs matched their hashes
    directly -- most of the checks we did were based on layer DiffIDs and
    similar checks.
    
    Here we add a new casext.GetVerifiedBlob() API which wraps the
    underlying reader with a VerifiedReadCloser that will verify that the
    digest matches on EOF (or on Close). Users should be very careful to
    ensure that they actually check all errors (such as when using
    ioutil.Discard or when they do Close).
    
    In addition, we add it to the underlying oci/cas/dir implementation
    (just for safety). This adds effectively no overhead since
    VerifiedReadCloser will not double-up on verification if the digest is
    the same. We also add a basic verification of this as an integration and
    some unit tests -- so that we can have some confidence it actually works
    to protect against bad blobs.
    
    Signed-off-by: Aleksa Sarai <asarai@suse.de>
    cyphar committed Dec 28, 2018 (a2fde1f)
  3. pkg: hardening: expand to verify descriptor length

    This is an improvement to the hardened VerifiedReadCloser, such that it
    now also acts as a verified LimitedReader. First of all, it actually
    means we now check the length of blobs according to their descriptors.
    It also allows us to avoid reading further than strictly necessary, if
    we already know that the read will fail. Unfortunately, the standard
    cas/dir cannot really handle this new verification properly.
    
    Signed-off-by: Aleksa Sarai <asarai@suse.de>
    cyphar committed Dec 28, 2018 (ad66299)
  4. CHANGELOG: update

    Signed-off-by: Aleksa Sarai <asarai@suse.de>
    cyphar committed Dec 28, 2018 (306cd09)
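Commits 2 and 3 describe a reader that verifies a blob's digest at EOF or on Close and, once the descriptor length is checked too, behaves like a verified LimitedReader that stops reading as soon as the blob proves too long. The following is an added example illustrating that pattern; it is not umoci's own `pkg/hardening` code or its `casext.GetVerifiedBlob()` API. It assumes digests are plain `sha256:<hex>` strings (no go-digest dependency), that a negative size disables the length check, and uses a constructed in-memory blob in place of a CAS file. `ReadBlob`'s `max` parameter exists only to show the failure mode the commit message warns about: a caller that stops early and ignores the error from `Close` never learns the blob was bad.

```go
// Added example, not umoci's own code: a digest- and size-verifying io.ReadCloser
// like the VerifiedReadCloser the commits above describe. It assumes "sha256:<hex>"
// digest strings; a negative size disables the length check.
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"io"
	"io/ioutil"
)

var (
	ErrDigestMismatch = errors.New("verified reader: digest mismatch")
	ErrSizeMismatch   = errors.New("verified reader: size mismatch")
)

// VerifiedReadCloser hashes everything read through it and settles the verdict
// exactly once, at EOF or at Close, whichever comes first.
type VerifiedReadCloser struct {
	Reader         io.ReadCloser
	ExpectedDigest string
	ExpectedSize   int64
	digester       hash.Hash
	consumed       int64
	checked        bool
	err            error // final verdict: io.EOF if the blob is good
}

func (v *VerifiedReadCloser) verify() error {
	if !v.checked {
		v.checked, v.err = true, io.EOF
		actual := "sha256:" + hex.EncodeToString(v.digester.Sum(nil))
		if v.ExpectedSize >= 0 && v.consumed != v.ExpectedSize {
			v.err = fmt.Errorf("%w: descriptor says %d bytes, read %d", ErrSizeMismatch, v.ExpectedSize, v.consumed)
		} else if actual != v.ExpectedDigest {
			v.err = fmt.Errorf("%w: descriptor says %s, got %s", ErrDigestMismatch, v.ExpectedDigest, actual)
		}
	}
	return v.err
}

// Read also acts as a limited reader: it pulls at most ExpectedSize+1 bytes, so
// an oversized blob fails on the first extra byte rather than after a full read.
func (v *VerifiedReadCloser) Read(p []byte) (int, error) {
	if v.checked {
		return 0, v.err // verdict is in: replay it, never re-hash
	}
	if limit := v.ExpectedSize - v.consumed + 1; v.ExpectedSize >= 0 && int64(len(p)) > limit {
		p = p[:limit]
	}
	n, err := v.Reader.Read(p)
	v.digester.Write(p[:n])
	v.consumed += int64(n)
	if err == io.EOF || (v.ExpectedSize >= 0 && v.consumed > v.ExpectedSize) {
		return n, v.verify() // at EOF, or already one byte over: settle it now
	}
	return n, err
}

// Close drains what the caller left unread (bounded by the length check) so the
// blob is verified even after an early stop; the verification error wins over
// the close error, so a caller that ignores Close's result loses it.
func (v *VerifiedReadCloser) Close() error {
	_, verr := io.Copy(ioutil.Discard, v)
	if cerr := v.Reader.Close(); verr == nil {
		return cerr
	}
	return verr
}

// Sha256Digest builds the digest string for a constructed in-memory blob.
func Sha256Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ReadBlob is the careful-caller pattern: read up to max bytes (all when max < 0),
// Close, and check BOTH errors; after an early stop, Close is the only reporter.
func ReadBlob(blob []byte, digest string, size, max int64) ([]byte, error) {
	vr := &VerifiedReadCloser{Reader: ioutil.NopCloser(bytes.NewReader(blob)), ExpectedDigest: digest, ExpectedSize: size, digester: sha256.New()}
	var r io.Reader = vr
	if max >= 0 {
		r = io.LimitReader(vr, max)
	}
	data, rerr := ioutil.ReadAll(r)
	if cerr := vr.Close(); rerr == nil {
		rerr = cerr
	}
	if rerr != nil {
		return nil, rerr
	}
	return data, nil
}
```

Two design points worth noting. The one-extra-byte limit is what makes the length check cheap: a blob that is larger than its descriptor claims is rejected after `ExpectedSize+1` bytes, never streamed through the hasher in full. And because `Close` drains the remainder, the size bound also caps how much `Close` will read; with the length check disabled (negative size), `Close` on an unread blob reads it to the end, which is the price of still verifying it.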