From cee53a786830b1d0106c98dd71e3e0f090c5e242 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Mart=C3=AD?=
Date: Thu, 25 May 2023 22:41:20 +0100
Subject: [PATCH] make GarbleActionID a full sha256 hash

This is in preparation for the switch to Go's cache package, whose ActionID type is also a full sha256 hash with 32 bytes. We were using "short" hashes as shown by `go tool buildid`, since that was consistent and 15 bytes was generally enough.
---
 hash.go | 21 ++++++++++-----------
 main.go | 2 +-
 shared.go | 3 ++-
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/hash.go b/hash.go
index cfa73ce..25f5af1 100644
--- a/hash.go
+++ b/hash.go
@@ -47,11 +47,8 @@ func decodeBuildIDHash(str string) []byte {
 }
 
 // encodeBuildIDHash encodes a build ID hash in base64, just like cmd/go does.
-func encodeBuildIDHash(h []byte) string {
- if len(h) != buildIDHashLength {
- panic(fmt.Sprintf("hashToString expects a hash of length %d, got %d", buildIDHashLength, len(h)))
- }
- return base64.RawURLEncoding.EncodeToString(h)
+func encodeBuildIDHash(h [sha256.Size]byte) string {
+ return base64.RawURLEncoding.EncodeToString(h[:buildIDHashLength])
 }
 
 func alterToolVersion(tool string, args []string) error {
@@ -101,7 +98,7 @@ var (
 //
 // This includes garble's own version, obtained via its own binary's content ID,
 // as well as any other options which affect a build, such as GOGARBLE and -tiny.
-func addGarbleToHash(inputHash []byte) []byte {
+func addGarbleToHash(inputHash []byte) [sha256.Size]byte {
 // Join the two content IDs together into a single base64-encoded sha256
 // sum. This includes the original tool's content ID, and garble's own
 // content ID.
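Review bot: The doc comment on `encodeBuildIDHash` in hash.go still reads as if the whole input is encoded, but the new body encodes only `h[:buildIDHashLength]` and silently drops the rest of the sha256 sum. I would reword it to `// encodeBuildIDHash encodes the first buildIDHashLength bytes of h in base64, just like cmd/go does.` so that nobody assumes the string decodes back to the full 32-byte value. The removed length check is now enforced by the array type, so nothing else is lost there. decodeBuildIDHash appears only in the hunk header, so how it handles the shorter encoding is inferred rather than shown.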
@@ -119,8 +116,9 @@ func addGarbleToHash(inputHash []byte) []byte {
 appendFlags(hasher, true)
 // addGarbleToHash returns the sum buffer, so we need a new copy.
 // Otherwise the next use of the global sumBuffer would conflict.
- sumBuffer := make([]byte, 0, sha256.Size)
- return hasher.Sum(sumBuffer)[:buildIDHashLength]
+ var sumBuffer [sha256.Size]byte
+ hasher.Sum(sumBuffer[:0])
+ return sumBuffer
 }
 
 // appendFlags writes garble's own flags to w in string form.
@@ -202,7 +200,7 @@ func toUpper(b byte) byte { return b - ('a' - 'A') }
 func runtimeHashWithCustomSalt(salt []byte) uint32 {
 hasher.Reset()
 if !flagSeed.present() {
- hasher.Write(sharedCache.ListedPackages["runtime"].GarbleActionID)
+ hasher.Write(sharedCache.ListedPackages["runtime"].GarbleActionID[:])
 } else {
 hasher.Write(flagSeed.bytes)
 }
@@ -225,7 +223,7 @@ func entryOffKey() uint32 {
 
 func hashWithPackage(pkg *listedPackage, name string) string {
 if !flagSeed.present() {
- return hashWithCustomSalt(pkg.GarbleActionID, name)
+ return hashWithCustomSalt(pkg.GarbleActionID[:], name)
 }
 // Use a separator at the end of ImportPath as a salt,
 // to ensure that "pkgfoo.bar" and "pkg.foobar" don't both hash
@@ -239,7 +237,8 @@ func hashWithStruct(strct *types.Struct, fieldName string) string {
 // struct type "canonical"?
 fieldsSalt := []byte(strct.String())
 if !flagSeed.present() {
- fieldsSalt = addGarbleToHash(fieldsSalt)
+ withGarbleHash := addGarbleToHash(fieldsSalt)
+ fieldsSalt = withGarbleHash[:]
 }
 return hashWithCustomSalt(fieldsSalt, fieldName)
 }
diff --git a/main.go b/main.go
index 0b10efe..799689b 100644
--- a/main.go
+++ b/main.go
@@ -951,7 +951,7 @@ func transformCompile(args []string) ([]string, error) {
 }
 
 // Literal obfuscation uses math/rand, so seed it deterministically.
- randSeed := curPkg.GarbleActionID
+ randSeed := curPkg.GarbleActionID[:]
 if flagSeed.present() {
 randSeed = flagSeed.bytes
 }
diff --git a/shared.go b/shared.go
index 431e403..2b35e8e 100644
--- a/shared.go
+++ b/shared.go
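Review bot: The two comment lines kept above `var sumBuffer [sha256.Size]byte` in addGarbleToHash are stale, because the function now returns the array by value and no slice into a shared buffer can escape to the caller. The new `hasher.Sum(sumBuffer[:0])` also discards its result and works only because Sum appends in place when the slice already has capacity sha256.Size, which a later edit could break without any compile error. I would replace the old comment with `// Sum appends into sumBuffer's backing array; its capacity is exactly sha256.Size, so nothing is reallocated.` and consider renaming the local so it no longer shares a name with the global sumBuffer the old comment mentions. The function begins in the previous hunk, outside this one.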
@@ -5,6 +5,7 @@ package main
 
 import (
 "bytes"
+ "crypto/sha256"
 "encoding/gob"
 "encoding/json"
 "errors"
@@ -166,7 +167,7 @@ type listedPackage struct {
 // with Garble's own inputs as per addGarbleToHash.
 // It is set even when ToObfuscate is false, as it is also used for random
 // seeds and build cache paths, and not just to obfuscate names.
- GarbleActionID []byte `json:"-"`
+ GarbleActionID [sha256.Size]byte `json:"-"`
 
 // ToObfuscate records whether the package should be obfuscated.
 // When true, GarbleActionID must not be empty.
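Review bot: The context comment `When true, GarbleActionID must not be empty` in listedPackage no longer describes a checkable state, since a `[sha256.Size]byte` always has length 32 and an unset ID is now 32 zero bytes rather than a nil slice. Any length-based emptiness guard elsewhere (none is visible in this patch) would stop firing. In that case hashWithPackage, runtimeHashWithCustomSalt and the randSeed assignment in main.go would run with an all-zero salt or seed, making obfuscated names and literal seeds identical across builds. I would change the comment to `// When true, GarbleActionID must not be the zero value.` and compare against `[sha256.Size]byte{}` wherever emptiness is tested. The struct body continues outside the hunk.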