forked from lix-project/lix
Make sodium a required dependency
This commit is contained in:
parent
9374c2baea
commit
0df69d96e0
10 changed files with 2 additions and 64 deletions
|
@ -10,7 +10,6 @@ EDITLINE_LIBS = @EDITLINE_LIBS@
|
||||||
ENABLE_S3 = @ENABLE_S3@
|
ENABLE_S3 = @ENABLE_S3@
|
||||||
GTEST_LIBS = @GTEST_LIBS@
|
GTEST_LIBS = @GTEST_LIBS@
|
||||||
HAVE_SECCOMP = @HAVE_SECCOMP@
|
HAVE_SECCOMP = @HAVE_SECCOMP@
|
||||||
HAVE_SODIUM = @HAVE_SODIUM@
|
|
||||||
LDFLAGS = @LDFLAGS@
|
LDFLAGS = @LDFLAGS@
|
||||||
LIBARCHIVE_LIBS = @LIBARCHIVE_LIBS@
|
LIBARCHIVE_LIBS = @LIBARCHIVE_LIBS@
|
||||||
LIBBROTLI_LIBS = @LIBBROTLI_LIBS@
|
LIBBROTLI_LIBS = @LIBBROTLI_LIBS@
|
||||||
|
|
|
@ -203,11 +203,7 @@ PKG_CHECK_MODULES([EDITLINE], [libeditline], [CXXFLAGS="$EDITLINE_CFLAGS $CXXFLA
|
||||||
])
|
])
|
||||||
|
|
||||||
# Look for libsodium, an optional dependency.
|
# Look for libsodium, an optional dependency.
|
||||||
PKG_CHECK_MODULES([SODIUM], [libsodium],
|
PKG_CHECK_MODULES([SODIUM], [libsodium], [CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"])
|
||||||
[AC_DEFINE([HAVE_SODIUM], [1], [Whether to use libsodium for cryptography.])
|
|
||||||
CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"
|
|
||||||
have_sodium=1], [have_sodium=])
|
|
||||||
AC_SUBST(HAVE_SODIUM, [$have_sodium])
|
|
||||||
|
|
||||||
# Look for liblzma, a required dependency.
|
# Look for liblzma, a required dependency.
|
||||||
PKG_CHECK_MODULES([LIBLZMA], [liblzma], [CXXFLAGS="$LIBLZMA_CFLAGS $CXXFLAGS"])
|
PKG_CHECK_MODULES([LIBLZMA], [liblzma], [CXXFLAGS="$LIBLZMA_CFLAGS $CXXFLAGS"])
|
||||||
|
|
|
@ -2,7 +2,6 @@ CC = @CC@
|
||||||
CFLAGS = @CFLAGS@
|
CFLAGS = @CFLAGS@
|
||||||
CXX = @CXX@
|
CXX = @CXX@
|
||||||
CXXFLAGS = @CXXFLAGS@
|
CXXFLAGS = @CXXFLAGS@
|
||||||
HAVE_SODIUM = @HAVE_SODIUM@
|
|
||||||
PACKAGE_NAME = @PACKAGE_NAME@
|
PACKAGE_NAME = @PACKAGE_NAME@
|
||||||
PACKAGE_VERSION = @PACKAGE_VERSION@
|
PACKAGE_VERSION = @PACKAGE_VERSION@
|
||||||
SODIUM_LIBS = @SODIUM_LIBS@
|
SODIUM_LIBS = @SODIUM_LIBS@
|
||||||
|
|
|
@ -40,11 +40,7 @@ AC_SUBST(perllibdir, [${libdir}/perl5/site_perl/$perlversion/$perlarchname])
|
||||||
AC_MSG_RESULT($perllibdir)
|
AC_MSG_RESULT($perllibdir)
|
||||||
|
|
||||||
# Look for libsodium, an optional dependency.
|
# Look for libsodium, an optional dependency.
|
||||||
PKG_CHECK_MODULES([SODIUM], [libsodium],
|
PKG_CHECK_MODULES([SODIUM], [libsodium], [CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"])
|
||||||
[AC_DEFINE([HAVE_SODIUM], [1], [Whether to use libsodium for cryptography.])
|
|
||||||
CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"
|
|
||||||
have_sodium=1], [have_sodium=])
|
|
||||||
AC_SUBST(HAVE_SODIUM, [$have_sodium])
|
|
||||||
|
|
||||||
# Check for the required Perl dependencies (DBI and DBD::SQLite).
|
# Check for the required Perl dependencies (DBI and DBD::SQLite).
|
||||||
perlFlags="-I$perllibdir"
|
perlFlags="-I$perllibdir"
|
||||||
|
|
|
@ -14,9 +14,7 @@
|
||||||
#include "util.hh"
|
#include "util.hh"
|
||||||
#include "crypto.hh"
|
#include "crypto.hh"
|
||||||
|
|
||||||
#if HAVE_SODIUM
|
|
||||||
#include <sodium.h>
|
#include <sodium.h>
|
||||||
#endif
|
|
||||||
|
|
||||||
|
|
||||||
using namespace nix;
|
using namespace nix;
|
||||||
|
@ -239,12 +237,8 @@ SV * convertHash(char * algo, char * s, int toBase32)
|
||||||
SV * signString(char * secretKey_, char * msg)
|
SV * signString(char * secretKey_, char * msg)
|
||||||
PPCODE:
|
PPCODE:
|
||||||
try {
|
try {
|
||||||
#if HAVE_SODIUM
|
|
||||||
auto sig = SecretKey(secretKey_).signDetached(msg);
|
auto sig = SecretKey(secretKey_).signDetached(msg);
|
||||||
XPUSHs(sv_2mortal(newSVpv(sig.c_str(), sig.size())));
|
XPUSHs(sv_2mortal(newSVpv(sig.c_str(), sig.size())));
|
||||||
#else
|
|
||||||
throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
|
|
||||||
#endif
|
|
||||||
} catch (Error & e) {
|
} catch (Error & e) {
|
||||||
croak("%s", e.what());
|
croak("%s", e.what());
|
||||||
}
|
}
|
||||||
|
@ -253,7 +247,6 @@ SV * signString(char * secretKey_, char * msg)
|
||||||
int checkSignature(SV * publicKey_, SV * sig_, char * msg)
|
int checkSignature(SV * publicKey_, SV * sig_, char * msg)
|
||||||
CODE:
|
CODE:
|
||||||
try {
|
try {
|
||||||
#if HAVE_SODIUM
|
|
||||||
STRLEN publicKeyLen;
|
STRLEN publicKeyLen;
|
||||||
unsigned char * publicKey = (unsigned char *) SvPV(publicKey_, publicKeyLen);
|
unsigned char * publicKey = (unsigned char *) SvPV(publicKey_, publicKeyLen);
|
||||||
if (publicKeyLen != crypto_sign_PUBLICKEYBYTES)
|
if (publicKeyLen != crypto_sign_PUBLICKEYBYTES)
|
||||||
|
@ -265,9 +258,6 @@ int checkSignature(SV * publicKey_, SV * sig_, char * msg)
|
||||||
throw Error("signature is not valid");
|
throw Error("signature is not valid");
|
||||||
|
|
||||||
RETVAL = crypto_sign_verify_detached(sig, (unsigned char *) msg, strlen(msg), publicKey) == 0;
|
RETVAL = crypto_sign_verify_detached(sig, (unsigned char *) msg, strlen(msg), publicKey) == 0;
|
||||||
#else
|
|
||||||
throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
|
|
||||||
#endif
|
|
||||||
} catch (Error & e) {
|
} catch (Error & e) {
|
||||||
croak("%s", e.what());
|
croak("%s", e.what());
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,9 +18,7 @@
|
||||||
|
|
||||||
#include <openssl/crypto.h>
|
#include <openssl/crypto.h>
|
||||||
|
|
||||||
#if HAVE_SODIUM
|
|
||||||
#include <sodium.h>
|
#include <sodium.h>
|
||||||
#endif
|
|
||||||
|
|
||||||
|
|
||||||
namespace nix {
|
namespace nix {
|
||||||
|
@ -130,10 +128,8 @@ void initNix()
|
||||||
CRYPTO_set_locking_callback(opensslLockCallback);
|
CRYPTO_set_locking_callback(opensslLockCallback);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if HAVE_SODIUM
|
|
||||||
if (sodium_init() == -1)
|
if (sodium_init() == -1)
|
||||||
throw Error("could not initialise libsodium");
|
throw Error("could not initialise libsodium");
|
||||||
#endif
|
|
||||||
|
|
||||||
loadConfFile();
|
loadConfFile();
|
||||||
|
|
||||||
|
@ -283,9 +279,7 @@ void printVersion(const string & programName)
|
||||||
#if HAVE_BOEHMGC
|
#if HAVE_BOEHMGC
|
||||||
cfg.push_back("gc");
|
cfg.push_back("gc");
|
||||||
#endif
|
#endif
|
||||||
#if HAVE_SODIUM
|
|
||||||
cfg.push_back("signed-caches");
|
cfg.push_back("signed-caches");
|
||||||
#endif
|
|
||||||
std::cout << "System type: " << settings.thisSystem << "\n";
|
std::cout << "System type: " << settings.thisSystem << "\n";
|
||||||
std::cout << "Additional system types: " << concatStringsSep(", ", settings.extraPlatforms.get()) << "\n";
|
std::cout << "Additional system types: " << concatStringsSep(", ", settings.extraPlatforms.get()) << "\n";
|
||||||
std::cout << "Features: " << concatStringsSep(", ", cfg) << "\n";
|
std::cout << "Features: " << concatStringsSep(", ", cfg) << "\n";
|
||||||
|
|
|
@ -2,9 +2,7 @@
|
||||||
#include "util.hh"
|
#include "util.hh"
|
||||||
#include "globals.hh"
|
#include "globals.hh"
|
||||||
|
|
||||||
#if HAVE_SODIUM
|
|
||||||
#include <sodium.h>
|
#include <sodium.h>
|
||||||
#endif
|
|
||||||
|
|
||||||
namespace nix {
|
namespace nix {
|
||||||
|
|
||||||
|
@ -37,70 +35,46 @@ std::string Key::to_string() const
|
||||||
SecretKey::SecretKey(std::string_view s)
|
SecretKey::SecretKey(std::string_view s)
|
||||||
: Key(s)
|
: Key(s)
|
||||||
{
|
{
|
||||||
#if HAVE_SODIUM
|
|
||||||
if (key.size() != crypto_sign_SECRETKEYBYTES)
|
if (key.size() != crypto_sign_SECRETKEYBYTES)
|
||||||
throw Error("secret key is not valid");
|
throw Error("secret key is not valid");
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#if !HAVE_SODIUM
|
|
||||||
[[noreturn]] static void noSodium()
|
|
||||||
{
|
|
||||||
throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
std::string SecretKey::signDetached(std::string_view data) const
|
std::string SecretKey::signDetached(std::string_view data) const
|
||||||
{
|
{
|
||||||
#if HAVE_SODIUM
|
|
||||||
unsigned char sig[crypto_sign_BYTES];
|
unsigned char sig[crypto_sign_BYTES];
|
||||||
unsigned long long sigLen;
|
unsigned long long sigLen;
|
||||||
crypto_sign_detached(sig, &sigLen, (unsigned char *) data.data(), data.size(),
|
crypto_sign_detached(sig, &sigLen, (unsigned char *) data.data(), data.size(),
|
||||||
(unsigned char *) key.data());
|
(unsigned char *) key.data());
|
||||||
return name + ":" + base64Encode(std::string((char *) sig, sigLen));
|
return name + ":" + base64Encode(std::string((char *) sig, sigLen));
|
||||||
#else
|
|
||||||
noSodium();
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
PublicKey SecretKey::toPublicKey() const
|
PublicKey SecretKey::toPublicKey() const
|
||||||
{
|
{
|
||||||
#if HAVE_SODIUM
|
|
||||||
unsigned char pk[crypto_sign_PUBLICKEYBYTES];
|
unsigned char pk[crypto_sign_PUBLICKEYBYTES];
|
||||||
crypto_sign_ed25519_sk_to_pk(pk, (unsigned char *) key.data());
|
crypto_sign_ed25519_sk_to_pk(pk, (unsigned char *) key.data());
|
||||||
return PublicKey(name, std::string((char *) pk, crypto_sign_PUBLICKEYBYTES));
|
return PublicKey(name, std::string((char *) pk, crypto_sign_PUBLICKEYBYTES));
|
||||||
#else
|
|
||||||
noSodium();
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
SecretKey SecretKey::generate(std::string_view name)
|
SecretKey SecretKey::generate(std::string_view name)
|
||||||
{
|
{
|
||||||
#if HAVE_SODIUM
|
|
||||||
unsigned char pk[crypto_sign_PUBLICKEYBYTES];
|
unsigned char pk[crypto_sign_PUBLICKEYBYTES];
|
||||||
unsigned char sk[crypto_sign_SECRETKEYBYTES];
|
unsigned char sk[crypto_sign_SECRETKEYBYTES];
|
||||||
if (crypto_sign_keypair(pk, sk) != 0)
|
if (crypto_sign_keypair(pk, sk) != 0)
|
||||||
throw Error("key generation failed");
|
throw Error("key generation failed");
|
||||||
|
|
||||||
return SecretKey(name, std::string((char *) sk, crypto_sign_SECRETKEYBYTES));
|
return SecretKey(name, std::string((char *) sk, crypto_sign_SECRETKEYBYTES));
|
||||||
#else
|
|
||||||
noSodium();
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
PublicKey::PublicKey(std::string_view s)
|
PublicKey::PublicKey(std::string_view s)
|
||||||
: Key(s)
|
: Key(s)
|
||||||
{
|
{
|
||||||
#if HAVE_SODIUM
|
|
||||||
if (key.size() != crypto_sign_PUBLICKEYBYTES)
|
if (key.size() != crypto_sign_PUBLICKEYBYTES)
|
||||||
throw Error("public key is not valid");
|
throw Error("public key is not valid");
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
bool verifyDetached(const std::string & data, const std::string & sig,
|
bool verifyDetached(const std::string & data, const std::string & sig,
|
||||||
const PublicKeys & publicKeys)
|
const PublicKeys & publicKeys)
|
||||||
{
|
{
|
||||||
#if HAVE_SODIUM
|
|
||||||
auto ss = split(sig);
|
auto ss = split(sig);
|
||||||
|
|
||||||
auto key = publicKeys.find(std::string(ss.first));
|
auto key = publicKeys.find(std::string(ss.first));
|
||||||
|
@ -113,9 +87,6 @@ bool verifyDetached(const std::string & data, const std::string & sig,
|
||||||
return crypto_sign_verify_detached((unsigned char *) sig2.data(),
|
return crypto_sign_verify_detached((unsigned char *) sig2.data(),
|
||||||
(unsigned char *) data.data(), data.size(),
|
(unsigned char *) data.data(), data.size(),
|
||||||
(unsigned char *) key->second.key.data()) == 0;
|
(unsigned char *) key->second.key.data()) == 0;
|
||||||
#else
|
|
||||||
noSodium();
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
PublicKeys getDefaultPublicKeys()
|
PublicKeys getDefaultPublicKeys()
|
||||||
|
|
|
@ -142,7 +142,6 @@ struct CmdSignPaths : StorePathsCommand
|
||||||
|
|
||||||
static auto rCmdSignPaths = registerCommand2<CmdSignPaths>({"store", "sign-paths"});
|
static auto rCmdSignPaths = registerCommand2<CmdSignPaths>({"store", "sign-paths"});
|
||||||
|
|
||||||
#if HAVE_SODIUM
|
|
||||||
struct CmdKeyGenerateSecret : Command
|
struct CmdKeyGenerateSecret : Command
|
||||||
{
|
{
|
||||||
std::optional<std::string> keyName;
|
std::optional<std::string> keyName;
|
||||||
|
@ -227,4 +226,3 @@ struct CmdKey : NixMultiCommand
|
||||||
};
|
};
|
||||||
|
|
||||||
static auto rCmdKey = registerCommand<CmdKey>("key");
|
static auto rCmdKey = registerCommand<CmdKey>("key");
|
||||||
#endif
|
|
||||||
|
|
|
@ -125,8 +125,6 @@ grep -q "copying path.*input-0" $TEST_ROOT/log
|
||||||
grep -q "copying path.*top" $TEST_ROOT/log
|
grep -q "copying path.*top" $TEST_ROOT/log
|
||||||
|
|
||||||
|
|
||||||
if [ -n "$HAVE_SODIUM" ]; then
|
|
||||||
|
|
||||||
# Create a signed binary cache.
|
# Create a signed binary cache.
|
||||||
clearCache
|
clearCache
|
||||||
clearCacheCache
|
clearCacheCache
|
||||||
|
@ -181,8 +179,6 @@ clearCacheCache
|
||||||
|
|
||||||
nix-store -r $outPath --substituters "file://$cacheDir2 file://$cacheDir" --trusted-public-keys "$publicKey"
|
nix-store -r $outPath --substituters "file://$cacheDir2 file://$cacheDir" --trusted-public-keys "$publicKey"
|
||||||
|
|
||||||
fi # HAVE_LIBSODIUM
|
|
||||||
|
|
||||||
|
|
||||||
unset _NIX_FORCE_HTTP
|
unset _NIX_FORCE_HTTP
|
||||||
|
|
||||||
|
|
|
@ -34,7 +34,6 @@ coreutils=@coreutils@
|
||||||
export dot=@dot@
|
export dot=@dot@
|
||||||
export SHELL="@bash@"
|
export SHELL="@bash@"
|
||||||
export PAGER=cat
|
export PAGER=cat
|
||||||
export HAVE_SODIUM="@HAVE_SODIUM@"
|
|
||||||
export busybox="@sandbox_shell@"
|
export busybox="@sandbox_shell@"
|
||||||
|
|
||||||
export version=@PACKAGE_VERSION@
|
export version=@PACKAGE_VERSION@
|
||||||
|
|
Loading…
Reference in a new issue