esdm: 0.6.0 -> 1.0.0

ESDM 1.0.0 contains robustness and feature improvements.
Besides support for accelerated crypto operations with Botan or OpenSSL,
options which we used in practical deployments were added and/or made
explicit.

Changelog: https://github.com/smuellerDD/esdm/blob/master/CHANGES.md

Signed-off-by: Markus Theil <theil.markus@gmail.com>

+60 -18
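--- a/pkgs/os-specific/linux/esdm/default.nix
+++ b/pkgs/os-specific/linux/esdm/default.nix
@@ -9,67 +9,109 @@
 , ninja
 , libselinux
 , jitterentropy
-# A more detailed explaination of the following meson build options can be found
-# in the source code of esdm.
-# A brief explanation is given:
+, botan3
+, openssl
+, libkcapi
+
+# A more detailed explaination of the following meson build options can be found
+# in the source code of esdm.
+# A brief explanation is given.
+
+# general options
 , selinux ? false # enable selinux support
 , drngHashDrbg ? true # set the default drng callback
 , drngChaCha20 ? false # set the default drng callback
 , ais2031 ? false # set the seeding strategy to be compliant with AIS 20/31
+, sp80090c ? false # set compliance with NIST SP800-90C
+, cryptoBackend ? "botan" # set backend for hash and drbg operations
 , linuxDevFiles ? true # enable linux /dev/random and /dev/urandom support
 , linuxGetRandom ? true # enable linux getrandom support
-, esJitterRng ? true # enable support for the entropy source: jitter rng
+, hashSha512 ? false # set the conditioning hash: SHA2-512
+, hashSha3_512 ? true # set the conditioning hash: SHA3-512
+, openSSLRandProvider ? true # build ESDM provider for OpenSSL 3.x
+, botanRng ? true # build ESDM class for Botan 3.x
+
+# client-related options (handle with care, consult source code and meson options)
+# leave as is if in doubt
+, connectTimeoutExponent ? 28 # (1 << EXPONENT nanoseconds)
+, rxTxTimeoutExponent ? 28 # (1 << EXPONENT nanoseconds)
+, reconnectAttempts ? 10 # how often to attempt unix socket connection before giving up
+
+# entropy sources
+, esJitterRng ? true # enable support for the entropy source: jitter rng (running in user space)
+, esJitterRngEntropyRate ? 256 # amount of entropy to account for jitter rng source
+, esJitterRngKernel ? true # enable support for the entropy source: jitter rng (running in kernel space)
+, esJitterRngKernelEntropyRate ? 256 # amount of entropy to account for kernel jitter rng source
 , esCPU ? true # enable support for the entropy source: cpu-based entropy
+, esCPUEntropyRate ? 8 # amount of entropy to account for cpu rng source
 , esKernel ? true # enable support for the entropy source: kernel-based entropy
+, esKernelEntropyRate ? 128 # amount of entropy to account for kernel-based source
 , esIRQ ? false # enable support for the entropy source: interrupt-based entropy
+, esIRQEntropyRate ? 256 # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0)
 , esSched ? false # enable support for the entropy source: scheduler-based entropy
+, esSchedEntropyRate ? 0 # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0)
 , esHwrand ? true # enable support for the entropy source: /dev/hwrng
-, hashSha512 ? false # set the conditioning hash: SHA2-512
-, hashSha3_512 ? true # set the conditioning hash: SHA3-512
+, esHwrandEntropyRate ? 128 # amount of entropy to account for /dev/hwrng-based sources
 }:
 
 assert drngHashDrbg != drngChaCha20;
 assert hashSha512 != hashSha3_512;
+assert cryptoBackend == "openssl" || cryptoBackend == "botan" || cryptoBackend == "builtin" "Unsupported ESDM crypto backend";
 
 stdenv.mkDerivation rec {
 pname = "esdm";
-version = "0.6.0";
+version = "1.0.0";
 
 src = fetchFromGitHub {
 owner = "smuellerDD";
 repo = "esdm";
 rev = "v${version}";
-sha256 = "sha256-swBKVb5gnND76w2ULT+5hR/jVOqxEe4TAB1gyaLKE9Q=";
+sha256 = "sha256-q6TGL1agltV9CFfcA6hZszVwGIBBngs22ZqhQgc9FeM=";
 };
 
-patches = [
-(fetchpatch {
-name = "arm64.patch";
-url = "https://github.com/smuellerDD/esdm/commit/86b93a0ddf684448aba152c8f1b3baf40a6d41c0.patch";
-sha256 = "sha256-gjp13AEsDNj23fcGanAAn2KCbYKA0cphhf4mCxek9Yg=";
-})
-];
-
 nativeBuildInputs = [ meson pkg-config ninja ];
-buildInputs = [ protobufc fuse3 jitterentropy ]
-++ lib.optional selinux libselinux;
+buildInputs = [ protobufc ]
+++ lib.optional (cryptoBackend == "botan" || botanRng) botan3
+++ lib.optional (cryptoBackend == "openssl" || openSSLRandProvider) openssl
+++ lib.optional selinux libselinux
+++ lib.optional esJitterRng jitterentropy
+++ lib.optional linuxDevFiles fuse3
+++ lib.optional esJitterRngKernel libkcapi;
 
 mesonFlags = [
 (lib.mesonBool "b_lto" false)
+(lib.mesonBool "fips140" false)
 (lib.mesonBool "ais2031" ais2031)
+(lib.mesonBool "sp80090c" sp80090c)
+(lib.mesonEnable "node" true) # multiple DRNGs
+(lib.mesonOption "threading_max_threads" (toString 64))
+(lib.mesonOption "crypto_backend" cryptoBackend)
 (lib.mesonEnable "linux-devfiles" linuxDevFiles)
 (lib.mesonEnable "linux-getrandom" linuxGetRandom)
+(lib.mesonOption "client-connect-timeout-exponent" (toString connectTimeoutExponent))
+(lib.mesonOption "client-rx-tx-timeout-exponent" (toString rxTxTimeoutExponent))
+(lib.mesonOption "client-reconnect-attempts" (toString reconnectAttempts))
 (lib.mesonEnable "es_jent" esJitterRng)
+(lib.mesonOption "es_jent_entropy_rate" (toString esJitterRngEntropyRate))
+(lib.mesonEnable "es_jent_kernel" esJitterRngKernel)
+(lib.mesonOption "es_jent_kernel_entropy_rate" (toString esJitterRngKernelEntropyRate))
 (lib.mesonEnable "es_cpu" esCPU)
+(lib.mesonOption "es_cpu_entropy_rate" (toString esCPUEntropyRate))
 (lib.mesonEnable "es_kernel" esKernel)
+(lib.mesonOption "es_kernel_entropy_rate" (toString esKernelEntropyRate))
 (lib.mesonEnable "es_irq" esIRQ)
+(lib.mesonOption "es_irq_entropy_rate" (toString esIRQEntropyRate))
 (lib.mesonEnable "es_sched" esSched)
+(lib.mesonOption "es_sched_entropy_rate" (toString esSchedEntropyRate))
 (lib.mesonEnable "es_hwrand" esHwrand)
+(lib.mesonOption "es_hwrand_entropy_rate" (toString esHwrandEntropyRate))
 (lib.mesonEnable "hash_sha512" hashSha512)
 (lib.mesonEnable "hash_sha3_512" hashSha3_512)
 (lib.mesonEnable "selinux" selinux)
 (lib.mesonEnable "drng_hash_drbg" drngHashDrbg)
 (lib.mesonEnable "drng_chacha20" drngChaCha20)
+(lib.mesonEnable "openssl-rand-provider" openSSLRandProvider)
+(lib.mesonEnable "botan-rng" botanRng)
 ];
 
 doCheck = true;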
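Review bot: The new crypto-backend assert (`assert cryptoBackend == "openssl" || cryptoBackend == "botan" || cryptoBackend == "builtin" "Unsupported ESDM crypto backend";`) is malformed: Nix's `assert` takes no message argument, so `"builtin" "Unsupported ESDM crypto backend"` parses as applying one string to another, and any backend value other than "openssl" or "botan" aborts evaluation with "attempt to call something which is not a function" rather than the intended message; nixpkgs has a helper for exactly this, `assert lib.assertOneOf "cryptoBackend" cryptoBackend [ "openssl" "botan" "builtin" ];`. Two smaller points in the same hunk: the comment on `esSchedEntropyRate` is a copy of the `esIRQEntropyRate` one and should read "scheduler-based source", and the "irq XOR sched" constraint both comments describe could sit next to the existing asserts as `assert esIRQEntropyRate == 0 || esSchedEntropyRate == 0;` if that is indeed the rule ESDM enforces. The entropy-rate arguments are security-relevant (they are what the DRNG is told it may credit from each source), so their unit — bits of entropy per 256 data bits, if ESDM keeps the LRNG convention — deserves a sentence in the "entropy sources" comment. Since the `patches`/`fetchpatch` block is gone, `fetchpatch` in the function argument list (which begins above the hunk) is presumably now unused and can be dropped.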