Make sodium a required dependency

This commit is contained in:
Eelco Dolstra 2021-01-06 17:56:53 +01:00
parent 9374c2baea
commit 0df69d96e0
10 changed files with 2 additions and 64 deletions

View file

@ -10,7 +10,6 @@ EDITLINE_LIBS = @EDITLINE_LIBS@
ENABLE_S3 = @ENABLE_S3@ ENABLE_S3 = @ENABLE_S3@
GTEST_LIBS = @GTEST_LIBS@ GTEST_LIBS = @GTEST_LIBS@
HAVE_SECCOMP = @HAVE_SECCOMP@ HAVE_SECCOMP = @HAVE_SECCOMP@
HAVE_SODIUM = @HAVE_SODIUM@
LDFLAGS = @LDFLAGS@ LDFLAGS = @LDFLAGS@
LIBARCHIVE_LIBS = @LIBARCHIVE_LIBS@ LIBARCHIVE_LIBS = @LIBARCHIVE_LIBS@
LIBBROTLI_LIBS = @LIBBROTLI_LIBS@ LIBBROTLI_LIBS = @LIBBROTLI_LIBS@

View file

@ -203,11 +203,7 @@ PKG_CHECK_MODULES([EDITLINE], [libeditline], [CXXFLAGS="$EDITLINE_CFLAGS $CXXFLA
]) ])
# Look for libsodium, an optional dependency. # Look for libsodium, an optional dependency.
PKG_CHECK_MODULES([SODIUM], [libsodium], PKG_CHECK_MODULES([SODIUM], [libsodium], [CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"])
[AC_DEFINE([HAVE_SODIUM], [1], [Whether to use libsodium for cryptography.])
CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"
have_sodium=1], [have_sodium=])
AC_SUBST(HAVE_SODIUM, [$have_sodium])
# Look for liblzma, a required dependency. # Look for liblzma, a required dependency.
PKG_CHECK_MODULES([LIBLZMA], [liblzma], [CXXFLAGS="$LIBLZMA_CFLAGS $CXXFLAGS"]) PKG_CHECK_MODULES([LIBLZMA], [liblzma], [CXXFLAGS="$LIBLZMA_CFLAGS $CXXFLAGS"])

View file

@ -2,7 +2,6 @@ CC = @CC@
CFLAGS = @CFLAGS@ CFLAGS = @CFLAGS@
CXX = @CXX@ CXX = @CXX@
CXXFLAGS = @CXXFLAGS@ CXXFLAGS = @CXXFLAGS@
HAVE_SODIUM = @HAVE_SODIUM@
PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_VERSION = @PACKAGE_VERSION@ PACKAGE_VERSION = @PACKAGE_VERSION@
SODIUM_LIBS = @SODIUM_LIBS@ SODIUM_LIBS = @SODIUM_LIBS@

View file

@ -40,11 +40,7 @@ AC_SUBST(perllibdir, [${libdir}/perl5/site_perl/$perlversion/$perlarchname])
AC_MSG_RESULT($perllibdir) AC_MSG_RESULT($perllibdir)
# Look for libsodium, an optional dependency. # Look for libsodium, an optional dependency.
PKG_CHECK_MODULES([SODIUM], [libsodium], PKG_CHECK_MODULES([SODIUM], [libsodium], [CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"])
[AC_DEFINE([HAVE_SODIUM], [1], [Whether to use libsodium for cryptography.])
CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"
have_sodium=1], [have_sodium=])
AC_SUBST(HAVE_SODIUM, [$have_sodium])
# Check for the required Perl dependencies (DBI and DBD::SQLite). # Check for the required Perl dependencies (DBI and DBD::SQLite).
perlFlags="-I$perllibdir" perlFlags="-I$perllibdir"

View file

@ -14,9 +14,7 @@
#include "util.hh" #include "util.hh"
#include "crypto.hh" #include "crypto.hh"
#if HAVE_SODIUM
#include <sodium.h> #include <sodium.h>
#endif
using namespace nix; using namespace nix;
@ -239,12 +237,8 @@ SV * convertHash(char * algo, char * s, int toBase32)
SV * signString(char * secretKey_, char * msg) SV * signString(char * secretKey_, char * msg)
PPCODE: PPCODE:
try { try {
#if HAVE_SODIUM
auto sig = SecretKey(secretKey_).signDetached(msg); auto sig = SecretKey(secretKey_).signDetached(msg);
XPUSHs(sv_2mortal(newSVpv(sig.c_str(), sig.size()))); XPUSHs(sv_2mortal(newSVpv(sig.c_str(), sig.size())));
#else
throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
#endif
} catch (Error & e) { } catch (Error & e) {
croak("%s", e.what()); croak("%s", e.what());
} }
@ -253,7 +247,6 @@ SV * signString(char * secretKey_, char * msg)
int checkSignature(SV * publicKey_, SV * sig_, char * msg) int checkSignature(SV * publicKey_, SV * sig_, char * msg)
CODE: CODE:
try { try {
#if HAVE_SODIUM
STRLEN publicKeyLen; STRLEN publicKeyLen;
unsigned char * publicKey = (unsigned char *) SvPV(publicKey_, publicKeyLen); unsigned char * publicKey = (unsigned char *) SvPV(publicKey_, publicKeyLen);
if (publicKeyLen != crypto_sign_PUBLICKEYBYTES) if (publicKeyLen != crypto_sign_PUBLICKEYBYTES)
@ -265,9 +258,6 @@ int checkSignature(SV * publicKey_, SV * sig_, char * msg)
throw Error("signature is not valid"); throw Error("signature is not valid");
RETVAL = crypto_sign_verify_detached(sig, (unsigned char *) msg, strlen(msg), publicKey) == 0; RETVAL = crypto_sign_verify_detached(sig, (unsigned char *) msg, strlen(msg), publicKey) == 0;
#else
throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
#endif
} catch (Error & e) { } catch (Error & e) {
croak("%s", e.what()); croak("%s", e.what());
} }

View file

@ -18,9 +18,7 @@
#include <openssl/crypto.h> #include <openssl/crypto.h>
#if HAVE_SODIUM
#include <sodium.h> #include <sodium.h>
#endif
namespace nix { namespace nix {
@ -130,10 +128,8 @@ void initNix()
CRYPTO_set_locking_callback(opensslLockCallback); CRYPTO_set_locking_callback(opensslLockCallback);
#endif #endif
#if HAVE_SODIUM
if (sodium_init() == -1) if (sodium_init() == -1)
throw Error("could not initialise libsodium"); throw Error("could not initialise libsodium");
#endif
loadConfFile(); loadConfFile();
@ -283,9 +279,7 @@ void printVersion(const string & programName)
#if HAVE_BOEHMGC #if HAVE_BOEHMGC
cfg.push_back("gc"); cfg.push_back("gc");
#endif #endif
#if HAVE_SODIUM
cfg.push_back("signed-caches"); cfg.push_back("signed-caches");
#endif
std::cout << "System type: " << settings.thisSystem << "\n"; std::cout << "System type: " << settings.thisSystem << "\n";
std::cout << "Additional system types: " << concatStringsSep(", ", settings.extraPlatforms.get()) << "\n"; std::cout << "Additional system types: " << concatStringsSep(", ", settings.extraPlatforms.get()) << "\n";
std::cout << "Features: " << concatStringsSep(", ", cfg) << "\n"; std::cout << "Features: " << concatStringsSep(", ", cfg) << "\n";

View file

@ -2,9 +2,7 @@
#include "util.hh" #include "util.hh"
#include "globals.hh" #include "globals.hh"
#if HAVE_SODIUM
#include <sodium.h> #include <sodium.h>
#endif
namespace nix { namespace nix {
@ -37,70 +35,46 @@ std::string Key::to_string() const
SecretKey::SecretKey(std::string_view s) SecretKey::SecretKey(std::string_view s)
: Key(s) : Key(s)
{ {
#if HAVE_SODIUM
if (key.size() != crypto_sign_SECRETKEYBYTES) if (key.size() != crypto_sign_SECRETKEYBYTES)
throw Error("secret key is not valid"); throw Error("secret key is not valid");
#endif
} }
#if !HAVE_SODIUM
[[noreturn]] static void noSodium()
{
throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
}
#endif
std::string SecretKey::signDetached(std::string_view data) const std::string SecretKey::signDetached(std::string_view data) const
{ {
#if HAVE_SODIUM
unsigned char sig[crypto_sign_BYTES]; unsigned char sig[crypto_sign_BYTES];
unsigned long long sigLen; unsigned long long sigLen;
crypto_sign_detached(sig, &sigLen, (unsigned char *) data.data(), data.size(), crypto_sign_detached(sig, &sigLen, (unsigned char *) data.data(), data.size(),
(unsigned char *) key.data()); (unsigned char *) key.data());
return name + ":" + base64Encode(std::string((char *) sig, sigLen)); return name + ":" + base64Encode(std::string((char *) sig, sigLen));
#else
noSodium();
#endif
} }
PublicKey SecretKey::toPublicKey() const PublicKey SecretKey::toPublicKey() const
{ {
#if HAVE_SODIUM
unsigned char pk[crypto_sign_PUBLICKEYBYTES]; unsigned char pk[crypto_sign_PUBLICKEYBYTES];
crypto_sign_ed25519_sk_to_pk(pk, (unsigned char *) key.data()); crypto_sign_ed25519_sk_to_pk(pk, (unsigned char *) key.data());
return PublicKey(name, std::string((char *) pk, crypto_sign_PUBLICKEYBYTES)); return PublicKey(name, std::string((char *) pk, crypto_sign_PUBLICKEYBYTES));
#else
noSodium();
#endif
} }
SecretKey SecretKey::generate(std::string_view name) SecretKey SecretKey::generate(std::string_view name)
{ {
#if HAVE_SODIUM
unsigned char pk[crypto_sign_PUBLICKEYBYTES]; unsigned char pk[crypto_sign_PUBLICKEYBYTES];
unsigned char sk[crypto_sign_SECRETKEYBYTES]; unsigned char sk[crypto_sign_SECRETKEYBYTES];
if (crypto_sign_keypair(pk, sk) != 0) if (crypto_sign_keypair(pk, sk) != 0)
throw Error("key generation failed"); throw Error("key generation failed");
return SecretKey(name, std::string((char *) sk, crypto_sign_SECRETKEYBYTES)); return SecretKey(name, std::string((char *) sk, crypto_sign_SECRETKEYBYTES));
#else
noSodium();
#endif
} }
PublicKey::PublicKey(std::string_view s) PublicKey::PublicKey(std::string_view s)
: Key(s) : Key(s)
{ {
#if HAVE_SODIUM
if (key.size() != crypto_sign_PUBLICKEYBYTES) if (key.size() != crypto_sign_PUBLICKEYBYTES)
throw Error("public key is not valid"); throw Error("public key is not valid");
#endif
} }
bool verifyDetached(const std::string & data, const std::string & sig, bool verifyDetached(const std::string & data, const std::string & sig,
const PublicKeys & publicKeys) const PublicKeys & publicKeys)
{ {
#if HAVE_SODIUM
auto ss = split(sig); auto ss = split(sig);
auto key = publicKeys.find(std::string(ss.first)); auto key = publicKeys.find(std::string(ss.first));
@ -113,9 +87,6 @@ bool verifyDetached(const std::string & data, const std::string & sig,
return crypto_sign_verify_detached((unsigned char *) sig2.data(), return crypto_sign_verify_detached((unsigned char *) sig2.data(),
(unsigned char *) data.data(), data.size(), (unsigned char *) data.data(), data.size(),
(unsigned char *) key->second.key.data()) == 0; (unsigned char *) key->second.key.data()) == 0;
#else
noSodium();
#endif
} }
PublicKeys getDefaultPublicKeys() PublicKeys getDefaultPublicKeys()

View file

@ -142,7 +142,6 @@ struct CmdSignPaths : StorePathsCommand
static auto rCmdSignPaths = registerCommand2<CmdSignPaths>({"store", "sign-paths"}); static auto rCmdSignPaths = registerCommand2<CmdSignPaths>({"store", "sign-paths"});
#if HAVE_SODIUM
struct CmdKeyGenerateSecret : Command struct CmdKeyGenerateSecret : Command
{ {
std::optional<std::string> keyName; std::optional<std::string> keyName;
@ -227,4 +226,3 @@ struct CmdKey : NixMultiCommand
}; };
static auto rCmdKey = registerCommand<CmdKey>("key"); static auto rCmdKey = registerCommand<CmdKey>("key");
#endif

View file

@ -125,8 +125,6 @@ grep -q "copying path.*input-0" $TEST_ROOT/log
grep -q "copying path.*top" $TEST_ROOT/log grep -q "copying path.*top" $TEST_ROOT/log
if [ -n "$HAVE_SODIUM" ]; then
# Create a signed binary cache. # Create a signed binary cache.
clearCache clearCache
clearCacheCache clearCacheCache
@ -181,8 +179,6 @@ clearCacheCache
nix-store -r $outPath --substituters "file://$cacheDir2 file://$cacheDir" --trusted-public-keys "$publicKey" nix-store -r $outPath --substituters "file://$cacheDir2 file://$cacheDir" --trusted-public-keys "$publicKey"
fi # HAVE_LIBSODIUM
unset _NIX_FORCE_HTTP unset _NIX_FORCE_HTTP

View file

@ -34,7 +34,6 @@ coreutils=@coreutils@
export dot=@dot@ export dot=@dot@
export SHELL="@bash@" export SHELL="@bash@"
export PAGER=cat export PAGER=cat
export HAVE_SODIUM="@HAVE_SODIUM@"
export busybox="@sandbox_shell@" export busybox="@sandbox_shell@"
export version=@PACKAGE_VERSION@ export version=@PACKAGE_VERSION@