nixpkgs/pkgs/development/libraries/wolfssl/default.nix
2023-11-12 09:38:30 +01:00

116 lines
3.5 KiB
Nix

{ lib
, stdenv
, fetchFromGitHub
, fetchpatch
, Security
, autoreconfHook
, util-linux
, openssl
, cacert
# The primary --enable-XXX variant. 'all' enables most features, but causes build-errors for some software,
# requiring to build a special variant for that software. Example: 'haproxy'
, variant ? "all"
, extraConfigureFlags ? []
, enableLto ? !(stdenv.isDarwin || stdenv.hostPlatform.isStatic || stdenv.cc.isClang)
}:
stdenv.mkDerivation (finalAttrs: {
pname = "wolfssl-${variant}";
version = "5.6.4";
src = fetchFromGitHub {
owner = "wolfSSL";
repo = "wolfssl";
rev = "refs/tags/v${finalAttrs.version}-stable";
hash = "sha256-a9a3ca4Zb/XTS5YfPJwnXPYbDjmgD8qylhPQg5pjzJM=";
};
patches = [
(fetchpatch {
name = "fix-expected-test-response.patch";
url = "https://github.com/wolfSSL/wolfssl/commit/ca694938fd053a8557f9f08b1b4265292d8bef65.patch";
hash = "sha256-ETxszjjEMk0WdYgXHWTxTaWZPpyDs9jdko0jtkjzgwI=";
})
];
postPatch = ''
patchShebangs ./scripts
# ocsp stapling tests require network access, so skip them
sed -i -e'2s/.*/exit 77/' scripts/ocsp-stapling.test
# ensure test detects musl-based systems too
substituteInPlace scripts/ocsp-stapling2.test \
--replace '"linux-gnu"' '"linux-"'
'';
configureFlags = [
"--enable-${variant}"
"--enable-reproducible-build"
] ++ lib.optionals (variant == "all") [
# Extra feature flags to add while building the 'all' variant.
# Since they conflict while building other variants, only specify them for this one.
"--enable-pkcs11"
"--enable-writedup"
"--enable-base64encode"
] ++ [
# We're not on tiny embedded machines.
# Increase TLS session cache from 33 sessions to 20k.
"--enable-bigcache"
# Use WolfSSL's Single Precision Math with timing-resistant cryptography.
"--enable-sp=yes${lib.optionalString (stdenv.hostPlatform.isx86_64 || stdenv.hostPlatform.isAarch) ",asm"}"
"--enable-sp-math-all"
"--enable-harden"
] ++ lib.optionals (stdenv.hostPlatform.isx86_64) [
# Enable AVX/AVX2/AES-NI instructions, gated by runtime detection via CPUID.
"--enable-intelasm"
"--enable-aesni"
] ++ lib.optionals (stdenv.isAarch64 && stdenv.isDarwin) [
# No runtime detection under ARM and no platform function checks like for X86.
# However, all ARM macOS systems have the supported extensions autodetected in the configure script.
"--enable-armasm=inline"
] ++ extraConfigureFlags;
# LTO should help with the C implementations.
env.NIX_CFLAGS_COMPILE = lib.optionalString enableLto "-flto";
env.NIX_LDFLAGS_COMPILE = lib.optionalString enableLto "-flto";
outputs = [
"dev"
"doc"
"lib"
"out"
];
propagatedBuildInputs = lib.optionals stdenv.isDarwin [
Security
];
nativeBuildInputs = [
autoreconfHook
util-linux
];
doCheck = true;
nativeCheckInputs = [
openssl
cacert
];
postInstall = ''
# fix recursive cycle:
# wolfssl-config points to dev, dev propagates bin
moveToOutput bin/wolfssl-config "$dev"
# moveToOutput also removes "$out" so recreate it
mkdir -p "$out"
'';
meta = with lib; {
description = "A small, fast, portable implementation of TLS/SSL for embedded devices";
homepage = "https://www.wolfssl.com/";
changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${finalAttrs.version}-stable";
platforms = platforms.all;
license = licenses.gpl2Plus;
maintainers = with maintainers; [ fab vifino ];
};
})