From 0df69d96e02ce4c9e17bd33333c5d78313341dd3 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Wed, 6 Jan 2021 17:56:53 +0100
Subject: [PATCH] Make sodium a required dependency

---
 Makefile.config.in      |  1 -
 configure.ac            |  6 +-----
 perl/Makefile.config.in |  1 -
 perl/configure.ac       |  6 +-----
 perl/lib/Nix/Store.xs   | 10 ----------
 src/libmain/shared.cc   |  6 ------
 src/libstore/crypto.cc  | 29 -----------------------------
 src/nix/sigs.cc         |  2 --
 tests/binary-cache.sh   |  4 ----
 tests/common.sh.in      |  1 -
 10 files changed, 2 insertions(+), 64 deletions(-)

diff --git a/Makefile.config.in b/Makefile.config.in
index 3845b3be0..d1e59e4e7 100644
--- a/Makefile.config.in
+++ b/Makefile.config.in
@@ -10,7 +10,6 @@ EDITLINE_LIBS = @EDITLINE_LIBS@
 ENABLE_S3 = @ENABLE_S3@
 GTEST_LIBS = @GTEST_LIBS@
 HAVE_SECCOMP = @HAVE_SECCOMP@
-HAVE_SODIUM = @HAVE_SODIUM@
 LDFLAGS = @LDFLAGS@
 LIBARCHIVE_LIBS = @LIBARCHIVE_LIBS@
 LIBBROTLI_LIBS = @LIBBROTLI_LIBS@
diff --git a/configure.ac b/configure.ac
index c1bfc9b53..2047ed8d2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -203,11 +203,7 @@ PKG_CHECK_MODULES([EDITLINE], [libeditline], [CXXFLAGS="$EDITLINE_CFLAGS $CXXFLA
 ])
 
 # Look for libsodium, an optional dependency.
-PKG_CHECK_MODULES([SODIUM], [libsodium],
-  [AC_DEFINE([HAVE_SODIUM], [1], [Whether to use libsodium for cryptography.])
-   CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"
-   have_sodium=1], [have_sodium=])
-AC_SUBST(HAVE_SODIUM, [$have_sodium])
+PKG_CHECK_MODULES([SODIUM], [libsodium], [CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"])
 
 # Look for liblzma, a required dependency.
 PKG_CHECK_MODULES([LIBLZMA], [liblzma], [CXXFLAGS="$LIBLZMA_CFLAGS $CXXFLAGS"])
diff --git a/perl/Makefile.config.in b/perl/Makefile.config.in
index c87d4817e..eccfbd9f6 100644
--- a/perl/Makefile.config.in
+++ b/perl/Makefile.config.in
@@ -2,7 +2,6 @@ CC = @CC@
 CFLAGS = @CFLAGS@
 CXX = @CXX@
 CXXFLAGS = @CXXFLAGS@
-HAVE_SODIUM = @HAVE_SODIUM@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 SODIUM_LIBS = @SODIUM_LIBS@
diff --git a/perl/configure.ac b/perl/configure.ac
index 255744afd..85183c005 100644
--- a/perl/configure.ac
+++ b/perl/configure.ac
@@ -40,11 +40,7 @@ AC_SUBST(perllibdir, [${libdir}/perl5/site_perl/$perlversion/$perlarchname])
 AC_MSG_RESULT($perllibdir)
 
 # Look for libsodium, an optional dependency.
-PKG_CHECK_MODULES([SODIUM], [libsodium],
-  [AC_DEFINE([HAVE_SODIUM], [1], [Whether to use libsodium for cryptography.])
-   CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"
-   have_sodium=1], [have_sodium=])
-AC_SUBST(HAVE_SODIUM, [$have_sodium])
+PKG_CHECK_MODULES([SODIUM], [libsodium], [CXXFLAGS="$SODIUM_CFLAGS $CXXFLAGS"])
 
 # Check for the required Perl dependencies (DBI and DBD::SQLite).
 perlFlags="-I$perllibdir"
diff --git a/perl/lib/Nix/Store.xs b/perl/lib/Nix/Store.xs
index 9e3b7d389..ad9042a2a 100644
--- a/perl/lib/Nix/Store.xs
+++ b/perl/lib/Nix/Store.xs
@@ -14,9 +14,7 @@
 #include "util.hh"
 #include "crypto.hh"
 
-#if HAVE_SODIUM
 #include <sodium.h>
-#endif
 
 
 using namespace nix;
@@ -239,12 +237,8 @@ SV * convertHash(char * algo, char * s, int toBase32)
 SV * signString(char * secretKey_, char * msg)
     PPCODE:
         try {
-#if HAVE_SODIUM
             auto sig = SecretKey(secretKey_).signDetached(msg);
             XPUSHs(sv_2mortal(newSVpv(sig.c_str(), sig.size())));
-#else
-            throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
-#endif
         } catch (Error & e) {
             croak("%s", e.what());
         }
@@ -253,7 +247,6 @@ SV * signString(char * secretKey_, char * msg)
 int checkSignature(SV * publicKey_, SV * sig_, char * msg)
     CODE:
         try {
-#if HAVE_SODIUM
             STRLEN publicKeyLen;
             unsigned char * publicKey = (unsigned char *) SvPV(publicKey_, publicKeyLen);
             if (publicKeyLen != crypto_sign_PUBLICKEYBYTES)
@@ -265,9 +258,6 @@ int checkSignature(SV * publicKey_, SV * sig_, char * msg)
                 throw Error("signature is not valid");
 
             RETVAL = crypto_sign_verify_detached(sig, (unsigned char *) msg, strlen(msg), publicKey) == 0;
-#else
-            throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
-#endif
         } catch (Error & e) {
             croak("%s", e.what());
         }
diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc
index e9f067e35..6751a3744 100644
--- a/src/libmain/shared.cc
+++ b/src/libmain/shared.cc
@@ -18,9 +18,7 @@
 
 #include <openssl/crypto.h>
 
-#if HAVE_SODIUM
 #include <sodium.h>
-#endif
 
 
 namespace nix {
@@ -130,10 +128,8 @@ void initNix()
     CRYPTO_set_locking_callback(opensslLockCallback);
 #endif
 
-#if HAVE_SODIUM
     if (sodium_init() == -1)
         throw Error("could not initialise libsodium");
-#endif
 
     loadConfFile();
 
@@ -283,9 +279,7 @@ void printVersion(const string & programName)
 #if HAVE_BOEHMGC
         cfg.push_back("gc");
 #endif
-#if HAVE_SODIUM
         cfg.push_back("signed-caches");
-#endif
         std::cout << "System type: " << settings.thisSystem << "\n";
         std::cout << "Additional system types: " << concatStringsSep(", ", settings.extraPlatforms.get()) << "\n";
         std::cout << "Features: " << concatStringsSep(", ", cfg) << "\n";
diff --git a/src/libstore/crypto.cc b/src/libstore/crypto.cc
index 135ced277..1027469c9 100644
--- a/src/libstore/crypto.cc
+++ b/src/libstore/crypto.cc
@@ -2,9 +2,7 @@
 #include "util.hh"
 #include "globals.hh"
 
-#if HAVE_SODIUM
 #include <sodium.h>
-#endif
 
 namespace nix {
 
@@ -37,70 +35,46 @@ std::string Key::to_string() const
 SecretKey::SecretKey(std::string_view s)
     : Key(s)
 {
-#if HAVE_SODIUM
     if (key.size() != crypto_sign_SECRETKEYBYTES)
         throw Error("secret key is not valid");
-#endif
 }
 
-#if !HAVE_SODIUM
-[[noreturn]] static void noSodium()
-{
-    throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
-}
-#endif
-
 std::string SecretKey::signDetached(std::string_view data) const
 {
-#if HAVE_SODIUM
     unsigned char sig[crypto_sign_BYTES];
     unsigned long long sigLen;
     crypto_sign_detached(sig, &sigLen, (unsigned char *) data.data(), data.size(),
         (unsigned char *) key.data());
     return name + ":" + base64Encode(std::string((char *) sig, sigLen));
-#else
-    noSodium();
-#endif
 }
 
 PublicKey SecretKey::toPublicKey() const
 {
-#if HAVE_SODIUM
     unsigned char pk[crypto_sign_PUBLICKEYBYTES];
     crypto_sign_ed25519_sk_to_pk(pk, (unsigned char *) key.data());
     return PublicKey(name, std::string((char *) pk, crypto_sign_PUBLICKEYBYTES));
-#else
-    noSodium();
-#endif
 }
 
 SecretKey SecretKey::generate(std::string_view name)
 {
-#if HAVE_SODIUM
     unsigned char pk[crypto_sign_PUBLICKEYBYTES];
     unsigned char sk[crypto_sign_SECRETKEYBYTES];
     if (crypto_sign_keypair(pk, sk) != 0)
         throw Error("key generation failed");
 
     return SecretKey(name, std::string((char *) sk, crypto_sign_SECRETKEYBYTES));
-#else
-    noSodium();
-#endif
 }
 
 PublicKey::PublicKey(std::string_view s)
     : Key(s)
 {
-#if HAVE_SODIUM
     if (key.size() != crypto_sign_PUBLICKEYBYTES)
         throw Error("public key is not valid");
-#endif
 }
 
 bool verifyDetached(const std::string & data, const std::string & sig,
     const PublicKeys & publicKeys)
 {
-#if HAVE_SODIUM
     auto ss = split(sig);
 
     auto key = publicKeys.find(std::string(ss.first));
@@ -113,9 +87,6 @@ bool verifyDetached(const std::string & data, const std::string & sig,
     return crypto_sign_verify_detached((unsigned char *) sig2.data(),
         (unsigned char *) data.data(), data.size(),
         (unsigned char *) key->second.key.data()) == 0;
-#else
-    noSodium();
-#endif
 }
 
 PublicKeys getDefaultPublicKeys()
diff --git a/src/nix/sigs.cc b/src/nix/sigs.cc
index b2e598ad5..14e2c9761 100644
--- a/src/nix/sigs.cc
+++ b/src/nix/sigs.cc
@@ -142,7 +142,6 @@ struct CmdSignPaths : StorePathsCommand
 
 static auto rCmdSignPaths = registerCommand2<CmdSignPaths>({"store", "sign-paths"});
 
-#if HAVE_SODIUM
 struct CmdKeyGenerateSecret : Command
 {
     std::optional<std::string> keyName;
@@ -227,4 +226,3 @@ struct CmdKey : NixMultiCommand
 };
 
 static auto rCmdKey = registerCommand<CmdKey>("key");
-#endif
diff --git a/tests/binary-cache.sh b/tests/binary-cache.sh
index 1a06404ed..355a37d97 100644
--- a/tests/binary-cache.sh
+++ b/tests/binary-cache.sh
@@ -125,8 +125,6 @@ grep -q "copying path.*input-0" $TEST_ROOT/log
 grep -q "copying path.*top" $TEST_ROOT/log
 
 
-if [ -n "$HAVE_SODIUM" ]; then
-
 # Create a signed binary cache.
 clearCache
 clearCacheCache
@@ -181,8 +179,6 @@ clearCacheCache
 
 nix-store -r $outPath --substituters "file://$cacheDir2 file://$cacheDir" --trusted-public-keys "$publicKey"
 
-fi # HAVE_LIBSODIUM
-
 
 unset _NIX_FORCE_HTTP
 
diff --git a/tests/common.sh.in b/tests/common.sh.in
index 5e00d64f1..5489c0c44 100644
--- a/tests/common.sh.in
+++ b/tests/common.sh.in
@@ -34,7 +34,6 @@ coreutils=@coreutils@
 export dot=@dot@
 export SHELL="@bash@"
 export PAGER=cat
-export HAVE_SODIUM="@HAVE_SODIUM@"
 export busybox="@sandbox_shell@"
 
 export version=@PACKAGE_VERSION@