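# wolfSSL: small TLS/SSL library, built here as the `wolfssl-${variant}`
# derivation.  Most of the security-relevant decisions live in
# `configureFlags` below (hardening, SP math, CPU-specific asm); the
# LTO flags are only applied when `enableLto` is true.
{ lib
, stdenv
, fetchFromGitHub
, Security
, autoreconfHook
, util-linux
, openssl
, cacert
# The primary --enable-XXX variant. 'all' enables most features, but causes build-errors for some software,
# requiring to build a special variant for that software. Example: 'haproxy'
, variant ? "all"
, extraConfigureFlags ? []
  # LTO is off by default for static builds and for clang toolchains.
, enableLto ? !(stdenv.hostPlatform.isStatic || stdenv.cc.isClang)
}:

stdenv.mkDerivation (finalAttrs: {
  pname = "wolfssl-${variant}";
  version = "5.7.2";

  src = fetchFromGitHub {
    owner = "wolfSSL";
    repo = "wolfssl";
    rev = "refs/tags/v${finalAttrs.version}-stable";
    hash = "sha256-VTMVgBSDL6pw1eEKnxGzTdyQYWVbMd3mAnOnpAOKVhk=";
  };

  postPatch = ''
    patchShebangs ./scripts
    # ocsp stapling tests require network access, so skip them
    # (exit 77 is the automake "skipped" status; this removes OCSP stapling
    # from the in-sandbox test coverage, it does not disable the feature)
    sed -i -e'2s/.*/exit 77/' scripts/ocsp-stapling.test
    # ensure test detects musl-based systems too
    substituteInPlace scripts/ocsp-stapling2.test \
      --replace '"linux-gnu"' '"linux-"'
  '';

  configureFlags = [
    "--enable-${variant}"
    "--enable-reproducible-build"
  ] ++ lib.optionals (variant == "all") [
    # Extra feature flags to add while building the 'all' variant.
    # Since they conflict while building other variants, only specify them for this one.
    "--enable-pkcs11"
    "--enable-writedup"
    "--enable-base64encode"
  ] ++ [
    # We're not on tiny embedded machines.
    # Increase TLS session cache from 33 sessions to 20k.
    "--enable-bigcache"

    # Use WolfSSL's Single Precision Math with timing-resistant cryptography.
    # The ",asm" suffix is only requested on x86_64/ARM, where SP has asm backends.
    "--enable-sp=yes${lib.optionalString (stdenv.hostPlatform.isx86_64 || stdenv.hostPlatform.isAarch) ",asm"}"
    "--enable-sp-math-all"
    # --enable-harden selects the timing-resistant code paths; keep it on for
    # every variant, it is not tied to the 'all' feature set.
    "--enable-harden"
  ] ++ lib.optionals (stdenv.hostPlatform.isx86_64) [
    # Enable AVX/AVX2/AES-NI instructions, gated by runtime detection via CPUID.
    "--enable-intelasm"
    "--enable-aesni"
  ] ++ lib.optionals (stdenv.isAarch64 && stdenv.isDarwin) [
    # No runtime detection under ARM and no platform function checks like for X86.
    # However, all ARM macOS systems have the supported extensions autodetected in the configure script.
    # (Linux aarch64 deliberately gets no armasm: without runtime detection the
    # binary would not be portable across ARM cores.)
    "--enable-armasm=inline"
  ] ++ extraConfigureFlags;

  # Breaks tls13 tests on aarch64-darwin.
  hardeningDisable = lib.optionals (stdenv.isDarwin && stdenv.isAarch64) [ "zerocallusedregs" ];

  # LTO should help with the C implementations.
  # -flto must reach both the compile and the link invocation of the compiler
  # driver.  NIX_CFLAGS_LINK is the cc-wrapper variable for link-time flags;
  # the name used before, NIX_LDFLAGS_COMPILE, is not one the cc-wrapper
  # consumes, so the link-time half was silently dropped.
  env.NIX_CFLAGS_COMPILE = lib.optionalString enableLto "-flto";
  env.NIX_CFLAGS_LINK = lib.optionalString enableLto "-flto";

  outputs = [
    "dev"
    "doc"
    "lib"
    "out"
  ];

  propagatedBuildInputs = lib.optionals stdenv.isDarwin [
    Security
  ];

  nativeBuildInputs = [
    autoreconfHook
    util-linux
  ];

  # The upstream test suite (minus the network-dependent OCSP stapling test
  # skipped in postPatch) runs as part of the build.
  doCheck = true;

  nativeCheckInputs = [
    openssl
    cacert
  ];

  postInstall = ''
    # fix recursive cycle:
    # wolfssl-config points to dev, dev propagates bin
    moveToOutput bin/wolfssl-config "$dev"
    # moveToOutput also removes "$out" so recreate it
    mkdir -p "$out"
  '';

  meta = with lib; {
    description = "Small, fast, portable implementation of TLS/SSL for embedded devices";
    mainProgram = "wolfssl-config";
    homepage = "https://www.wolfssl.com/";
    changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${finalAttrs.version}-stable";
    platforms = platforms.all;
    license = licenses.gpl2Plus;
    maintainers = with maintainers; [ fab vifino ];
  };
})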