127 lines
3.6 KiB
Nix
127 lines
3.6 KiB
Nix
{
|
|
lib,
|
|
stdenv,
|
|
fetchFromGitHub,
|
|
Security,
|
|
autoreconfHook,
|
|
util-linux,
|
|
openssl,
|
|
cacert,
|
|
# The primary --enable-XXX variant. 'all' enables most features, but causes build-errors for some software,
|
|
# requiring to build a special variant for that software. Example: 'haproxy'
|
|
variant ? "all",
|
|
extraConfigureFlags ? [ ],
|
|
enableARMCryptoExtensions ?
|
|
stdenv.hostPlatform.isAarch64
|
|
&& ((builtins.match "^.*\\+crypto.*$" stdenv.hostPlatform.gcc.arch) != null),
|
|
enableLto ? !(stdenv.hostPlatform.isStatic || stdenv.cc.isClang),
|
|
}:
|
|
stdenv.mkDerivation (finalAttrs: {
|
|
pname = "wolfssl-${variant}";
|
|
version = "5.7.4";
|
|
|
|
src = fetchFromGitHub {
|
|
owner = "wolfSSL";
|
|
repo = "wolfssl";
|
|
rev = "refs/tags/v${finalAttrs.version}-stable";
|
|
hash = "sha256-/dtW1E1wYfQEuotclUEOK5+Vg4S7vt1xWhr1lEtu60w=";
|
|
};
|
|
|
|
postPatch = ''
|
|
patchShebangs ./scripts
|
|
# ensure test detects musl-based systems too
|
|
substituteInPlace scripts/ocsp-stapling2.test \
|
|
--replace '"linux-gnu"' '"linux-"'
|
|
'';
|
|
|
|
configureFlags =
|
|
[
|
|
"--enable-${variant}"
|
|
"--enable-reproducible-build"
|
|
]
|
|
++ lib.optionals (variant == "all") [
|
|
# Extra feature flags to add while building the 'all' variant.
|
|
# Since they conflict while building other variants, only specify them for this one.
|
|
"--enable-pkcs11"
|
|
"--enable-writedup"
|
|
"--enable-base64encode"
|
|
]
|
|
++ [
|
|
# We're not on tiny embedded machines.
|
|
# Increase TLS session cache from 33 sessions to 20k.
|
|
"--enable-bigcache"
|
|
|
|
# Use WolfSSL's Single Precision Math with timing-resistant cryptography.
|
|
"--enable-sp=yes${
|
|
lib.optionalString (stdenv.hostPlatform.isx86_64 || stdenv.hostPlatform.isAarch) ",asm"
|
|
}"
|
|
"--enable-sp-math-all"
|
|
"--enable-harden"
|
|
]
|
|
++ lib.optionals (stdenv.hostPlatform.isx86_64) [
|
|
# Enable AVX/AVX2/AES-NI instructions, gated by runtime detection via CPUID.
|
|
"--enable-intelasm"
|
|
"--enable-aesni"
|
|
]
|
|
++ lib.optionals (stdenv.hostPlatform.isAarch64) [
|
|
# No runtime detection under ARM and no platform function checks like for X86.
|
|
(if enableARMCryptoExtensions then "--enable-armasm=inline" else "--disable-armasm")
|
|
]
|
|
++ extraConfigureFlags;
|
|
|
|
# Breaks tls13 tests on aarch64-darwin.
|
|
hardeningDisable = lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [
|
|
"zerocallusedregs"
|
|
];
|
|
|
|
# LTO should help with the C implementations.
|
|
env.NIX_CFLAGS_COMPILE = lib.optionalString enableLto "-flto";
|
|
env.NIX_LDFLAGS_COMPILE = lib.optionalString enableLto "-flto";
|
|
|
|
# Don't attempt connections to external services in the test suite.
|
|
env.WOLFSSL_EXTERNAL_TEST = "0";
|
|
|
|
outputs = [
|
|
"dev"
|
|
"doc"
|
|
"lib"
|
|
"out"
|
|
];
|
|
|
|
propagatedBuildInputs = lib.optionals stdenv.hostPlatform.isDarwin [
|
|
Security
|
|
];
|
|
|
|
nativeBuildInputs = [
|
|
autoreconfHook
|
|
util-linux
|
|
];
|
|
|
|
doCheck = true;
|
|
|
|
nativeCheckInputs = [
|
|
openssl
|
|
cacert
|
|
];
|
|
|
|
postInstall = ''
|
|
# fix recursive cycle:
|
|
# wolfssl-config points to dev, dev propagates bin
|
|
moveToOutput bin/wolfssl-config "$dev"
|
|
# moveToOutput also removes "$out" so recreate it
|
|
mkdir -p "$out"
|
|
'';
|
|
|
|
meta = with lib; {
|
|
description = "Small, fast, portable implementation of TLS/SSL for embedded devices";
|
|
mainProgram = "wolfssl-config";
|
|
homepage = "https://www.wolfssl.com/";
|
|
changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${finalAttrs.version}-stable";
|
|
platforms = platforms.all;
|
|
license = licenses.gpl2Plus;
|
|
maintainers = with maintainers; [
|
|
fab
|
|
vifino
|
|
];
|
|
};
|
|
})
|