# wolfSSL TLS library, built as a single "--enable-<variant>" configuration of
# the upstream autotools build. The attribute set below lists the package's
# inputs and the few knobs callers may tune.
{ lib
, stdenv
, fetchFromGitHub
, fetchpatch
, Security
, autoreconfHook
, util-linux
, openssl
, cacert
# The primary --enable-XXX variant. 'all' enables most features, but causes build-errors for some software,
# requiring to build a special variant for that software. Example: 'haproxy'
, variant ? "all"
# Appended verbatim to the end of configureFlags (see below), so consumers can
# add their own ./configure options.
, extraConfigureFlags ? []
# LTO is opted out on Darwin, static builds and clang. NOTE(review): presumably
# the "-flto" below is only exercised with the GCC toolchain — confirm.
, enableLto ? !(stdenv.isDarwin || stdenv.hostPlatform.isStatic || stdenv.cc.isClang)
}:
stdenv.mkDerivation (finalAttrs: {
  # The variant is part of the name, so different variants are distinct packages.
  pname = "wolfssl-${variant}";
  version = "5.6.4";

  # Source is pinned by the fixed-output hash; the tag ref is only the lookup key.
  src = fetchFromGitHub {
    owner = "wolfSSL";
    repo = "wolfssl";
    rev = "refs/tags/v${finalAttrs.version}-stable";
    hash = "sha256-a9a3ca4Zb/XTS5YfPJwnXPYbDjmgD8qylhPQg5pjzJM=";
  };

  # Upstream commit applied on top of the release tarball, also hash-pinned.
  patches = [
    (fetchpatch {
      name = "fix-expected-test-response.patch";
      url = "https://github.com/wolfSSL/wolfssl/commit/ca694938fd053a8557f9f08b1b4265292d8bef65.patch";
      hash = "sha256-ETxszjjEMk0WdYgXHWTxTaWZPpyDs9jdko0jtkjzgwI=";
    })
  ];

  # Test-suite adjustments; the sandboxed build has no network.
  postPatch = ''
    patchShebangs ./scripts
    # ocsp stapling tests require network access, so skip them
    # (replacing line 2 with "exit 77" makes the automake harness report SKIP
    # rather than FAIL)
    sed -i -e'2s/.*/exit 77/' scripts/ocsp-stapling.test
    # ensure test detects musl-based systems too
    substituteInPlace scripts/ocsp-stapling2.test \
      --replace '"linux-gnu"' '"linux-"'
  '';

  # ./configure options. Order matters: the platform-specific groups follow the
  # generic ones, and extraConfigureFlags is appended last.
  configureFlags = [
    "--enable-${variant}"
    "--enable-reproducible-build"
  ] ++ lib.optionals (variant == "all") [
    # Extra feature flags to add while building the 'all' variant.
    # Since they conflict while building other variants, only specify them for this one.
    "--enable-pkcs11"
    "--enable-writedup"
    "--enable-base64encode"
  ] ++ [
    # We're not on tiny embedded machines.
    # Increase TLS session cache from 33 sessions to 20k.
    "--enable-bigcache"

    # Use WolfSSL's Single Precision Math with timing-resistant cryptography.
    # The ",asm" suffix selects the assembly SP backend only on x86_64/ARM.
    "--enable-sp=yes${lib.optionalString (stdenv.hostPlatform.isx86_64 || stdenv.hostPlatform.isAarch) ",asm"}"
    "--enable-sp-math-all"
    "--enable-harden"
  ] ++ lib.optionals (stdenv.hostPlatform.isx86_64) [
    # Enable AVX/AVX2/AES-NI instructions, gated by runtime detection via CPUID.
    "--enable-intelasm"
    "--enable-aesni"
  ] ++ lib.optionals (stdenv.isAarch64 && stdenv.isDarwin) [
    # No runtime detection under ARM and no platform function checks like for X86.
    # However, all ARM macOS systems have the supported extensions autodetected in the configure script.
    "--enable-armasm=inline"
  ] ++ extraConfigureFlags;

  # LTO should help with the C implementations.
  # NOTE(review): the cc-wrapper consumes NIX_CFLAGS_COMPILE, and link-time
  # flags are normally passed via NIX_LDFLAGS; NIX_LDFLAGS_COMPILE does not
  # appear to be a wrapper-recognised variable — confirm whether the second
  # line has any effect.
  env.NIX_CFLAGS_COMPILE = lib.optionalString enableLto "-flto";
  env.NIX_LDFLAGS_COMPILE = lib.optionalString enableLto "-flto";

  # Split outputs; postInstall below relocates wolfssl-config into "dev".
  outputs = [
    "dev"
    "doc"
    "lib"
    "out"
  ];

  # Darwin links against the Security framework.
  propagatedBuildInputs = lib.optionals stdenv.isDarwin [
    Security
  ];

  nativeBuildInputs = [
    autoreconfHook
    util-linux
  ];

  # Run the upstream test suite (minus the network-dependent tests skipped above).
  doCheck = true;

  # openssl and a CA bundle are only needed by the tests — presumably for the
  # interoperability and certificate-chain checks; verify against the scripts.
  nativeCheckInputs = [
    openssl
    cacert
  ];

  postInstall = ''
    # fix recursive cycle:
    # wolfssl-config points to dev, dev propagates bin
    moveToOutput bin/wolfssl-config "$dev"
    # moveToOutput also removes "$out" so recreate it
    mkdir -p "$out"
  '';

  meta = with lib; {
    description = "A small, fast, portable implementation of TLS/SSL for embedded devices";
    homepage = "https://www.wolfssl.com/";
    changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${finalAttrs.version}-stable";
    platforms = platforms.all;
    license = licenses.gpl2Plus;
    maintainers = with maintainers; [ fab vifino ];
  };
})