Merge pull request #262594 from vifino/wolfssl-tweaks

wolfssl: ASM/AES-NI/SP Math support; easier variant override

authored by Robert Scott and committed by GitHub 377a39f0 c679700f

+46 -20
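--- a/pkgs/development/libraries/wolfssl/default.nix
+++ b/pkgs/development/libraries/wolfssl/default.nix
@@ -5,37 +5,63 @@
 , autoreconfHook
 , util-linux
 , openssl
+# The primary --enable-XXX variant. 'all' enables most features, but causes build-errors for some software,
+# requiring to build a special variant for that software. Example: 'haproxy'
+, variant ? "all"
+, extraConfigureFlags ? []
+, enableLto ? !(stdenv.isDarwin || stdenv.hostPlatform.isStatic || stdenv.cc.isClang)
 }:
-
-stdenv.mkDerivation rec {
-  pname = "wolfssl";
+stdenv.mkDerivation (finalAttrs: {
+  pname = "wolfssl-${variant}";
   version = "5.6.3";
 
   src = fetchFromGitHub {
     owner = "wolfSSL";
     repo = "wolfssl";
-    rev = "refs/tags/v${version}-stable";
+    rev = "refs/tags/v${finalAttrs.version}-stable";
     hash = "sha256-UN4zs+Rxh/bsLD1BQA+f1YN/UOJ6OB2HduhoetEp10Y=";
   };
 
   postPatch = ''
     patchShebangs ./scripts
-    # ocsp tests require network access
-    sed -i -e '/ocsp\.test/d' -e '/ocsp-stapling\.test/d' scripts/include.am
+    # ocsp stapling tests require network access, so skip them
+    sed -i -e'2s/.*/exit 77/' scripts/ocsp-stapling.test
     # ensure test detects musl-based systems too
     substituteInPlace scripts/ocsp-stapling2.test \
       --replace '"linux-gnu"' '"linux-"'
   '';
 
-  # Almost same as Debian but for now using --enable-all --enable-reproducible-build instead of --enable-distro to ensure options.h gets installed
   configureFlags = [
-    "--enable-all"
-    "--enable-base64encode"
+    "--enable-${variant}"
+    "--enable-reproducible-build"
+  ] ++ lib.optionals (variant == "all") [
+    # Extra feature flags to add while building the 'all' variant.
+    # Since they conflict while building other variants, only specify them for this one.
     "--enable-pkcs11"
     "--enable-writedup"
-    "--enable-reproducible-build"
-    "--enable-tls13"
-  ];
+    "--enable-base64encode"
+  ] ++ [
+    # We're not on tiny embedded machines.
+    # Increase TLS session cache from 33 sessions to 20k.
+    "--enable-bigcache"
+
+    # Use WolfSSL's Single Precision Math with timing-resistant cryptography.
+    "--enable-sp=yes${lib.optionalString (!stdenv.isx86_32) ",asm"}"
+    "--enable-sp-math-all"
+    "--enable-harden"
+  ] ++ lib.optionals (stdenv.hostPlatform.isx86_64) [
+    # Enable AVX/AVX2/AES-NI instructions, gated by runtime detection via CPUID.
+    "--enable-intelasm"
+    "--enable-aesni"
+  ] ++ lib.optionals (stdenv.isAarch64 && stdenv.isDarwin) [
+    # No runtime detection under ARM and no platform function checks like for X86.
+    # However, all ARM macOS systems have the supported extensions autodetected in the configure script.
+    "--enable-armasm=inline"
+  ] ++ extraConfigureFlags;
+
+  # LTO should help with the C implementations.
+  env.NIX_CFLAGS_COMPILE = lib.optionalString enableLto "-flto";
+  env.NIX_LDFLAGS_COMPILE = lib.optionalString enableLto "-flto";
 
   outputs = [
     "dev"
@@ -60,19 +86,19 @@
   ];
 
   postInstall = ''
-    # fix recursive cycle:
-    # wolfssl-config points to dev, dev propagates bin
-    moveToOutput bin/wolfssl-config "$dev"
-    # moveToOutput also removes "$out" so recreate it
-    mkdir -p "$out"
+    # fix recursive cycle:
+    # wolfssl-config points to dev, dev propagates bin
+    moveToOutput bin/wolfssl-config "$dev"
+    # moveToOutput also removes "$out" so recreate it
+    mkdir -p "$out"
   '';
 
   meta = with lib; {
     description = "A small, fast, portable implementation of TLS/SSL for embedded devices";
     homepage = "https://www.wolfssl.com/";
-    changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${version}-stable";
+    changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${finalAttrs.version}-stable";
     platforms = platforms.all;
     license = licenses.gpl2Plus;
-    maintainers = with maintainers; [ fab ];
+    maintainers = with maintainers; [ fab vifino ];
   };
-}
+})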
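Review bot: The LTO link flag on new line 64 is assigned to `env.NIX_LDFLAGS_COMPILE`, which as far as I can tell is not a variable the nixpkgs cc-wrapper reads (it honors `NIX_LDFLAGS` and `NIX_CFLAGS_LINK`), so only the compile step actually receives `-flto`; I would change it to `env.NIX_LDFLAGS = lib.optionalString enableLto "-flto";`. The new sed on line 28 overwrites whatever happens to be on line 2 of `scripts/ocsp-stapling.test` unconditionally, which will silently do the wrong thing if that script's header shifts on a version bump; matching the line content, or dropping the test from the list as the removed lines did, would be sturdier. Note also that `ocsp.test` is no longer excluded although the deleted comment said it needs network access, so it is worth confirming it passes in the sandbox. Finally, `--enable-sp=yes,asm` is now requested on every platform except 32-bit x86 while `platforms.all` is kept; if wolfSSL's SP assembly only exists for x86_64/ARM (I have not verified this), configure will fail on other targets, so gating `,asm` on `isx86_64 || isAarch64` seems safer.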