authorAlyssa Ross <hi@alyssa.is>2023-10-31 22:19:45 +0100
committerAlyssa Ross <hi@alyssa.is>2023-10-31 22:19:45 +0100
commit78ba0c65b7bf9a64c12ca8c08f2e0220afdc8dbc (patch)
treefd9cfb92edfaa37c919be8d24063b8a6c6d94c83 /nixpkgs/pkgs/development/libraries/wolfssl
parent7e0c8fe656bbc2fcbdfc3e03a367d2c6ff389769 (diff)
parent0cbe9f69c234a7700596e943bfae7ef27a31b735 (diff)
Merge commit '0cbe9f69c234a7700596e943bfae7ef27a31b735' into HEAD
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/wolfssl')
-rw-r--r--nixpkgs/pkgs/development/libraries/wolfssl/default.nix66
1 files changed, 46 insertions, 20 deletions
diff --git a/nixpkgs/pkgs/development/libraries/wolfssl/default.nix b/nixpkgs/pkgs/development/libraries/wolfssl/default.nix
index 4c60ccf6c8ba..35280e4b5eb3 100644
--- a/nixpkgs/pkgs/development/libraries/wolfssl/default.nix
+++ b/nixpkgs/pkgs/development/libraries/wolfssl/default.nix
@@ -5,37 +5,63 @@
 , autoreconfHook
 , util-linux
 , openssl
+# The primary --enable-XXX variant. 'all' enables most features, but causes build-errors for some software,
+# requiring to build a special variant for that software. Example: 'haproxy'
+, variant ? "all"
+, extraConfigureFlags ? []
+, enableLto ? !(stdenv.isDarwin || stdenv.hostPlatform.isStatic || stdenv.cc.isClang)
 }:
-
-stdenv.mkDerivation rec {
-  pname = "wolfssl";
+stdenv.mkDerivation (finalAttrs: {
+  pname = "wolfssl-${variant}";
   version = "5.6.3";
 
   src = fetchFromGitHub {
     owner = "wolfSSL";
     repo = "wolfssl";
-    rev = "refs/tags/v${version}-stable";
+    rev = "refs/tags/v${finalAttrs.version}-stable";
     hash = "sha256-UN4zs+Rxh/bsLD1BQA+f1YN/UOJ6OB2HduhoetEp10Y=";
   };
 
   postPatch = ''
     patchShebangs ./scripts
-    # ocsp tests require network access
-    sed -i -e '/ocsp\.test/d' -e '/ocsp-stapling\.test/d' scripts/include.am
+    # ocsp stapling tests require network access, so skip them
+    sed -i -e'2s/.*/exit 77/' scripts/ocsp-stapling.test
     # ensure test detects musl-based systems too
     substituteInPlace scripts/ocsp-stapling2.test \
       --replace '"linux-gnu"' '"linux-"'
   '';
 
-  # Almost same as Debian but for now using --enable-all --enable-reproducible-build instead of --enable-distro to ensure options.h gets installed
   configureFlags = [
-    "--enable-all"
-    "--enable-base64encode"
+    "--enable-${variant}"
+    "--enable-reproducible-build"
+  ] ++ lib.optionals (variant == "all") [
+    # Extra feature flags to add while building the 'all' variant.
+    # Since they conflict while building other variants, only specify them for this one.
     "--enable-pkcs11"
     "--enable-writedup"
-    "--enable-reproducible-build"
-    "--enable-tls13"
-  ];
+    "--enable-base64encode"
+  ] ++ [
+    # We're not on tiny embedded machines.
+    # Increase TLS session cache from 33 sessions to 20k.
+    "--enable-bigcache"
+
+    # Use WolfSSL's Single Precision Math with timing-resistant cryptography.
+    "--enable-sp=yes${lib.optionalString (!stdenv.isx86_32) ",asm"}"
+    "--enable-sp-math-all"
+    "--enable-harden"
+  ] ++ lib.optionals (stdenv.hostPlatform.isx86_64) [
+    # Enable AVX/AVX2/AES-NI instructions, gated by runtime detection via CPUID.
+    "--enable-intelasm"
+    "--enable-aesni"
+  ] ++ lib.optionals (stdenv.isAarch64 && stdenv.isDarwin) [
+    # No runtime detection under ARM and no platform function checks like for X86.
+    # However, all ARM macOS systems have the supported extensions autodetected in the configure script.
+    "--enable-armasm=inline"
+  ] ++ extraConfigureFlags;
+
+  # LTO should help with the C implementations.
+  env.NIX_CFLAGS_COMPILE = lib.optionalString enableLto "-flto";
+  env.NIX_LDFLAGS_COMPILE = lib.optionalString enableLto "-flto";
 
   outputs = [
     "dev"
@@ -60,19 +86,19 @@ stdenv.mkDerivation rec {
   ];
 
   postInstall = ''
-     # fix recursive cycle:
-     # wolfssl-config points to dev, dev propagates bin
-     moveToOutput bin/wolfssl-config "$dev"
-     # moveToOutput also removes "$out" so recreate it
-     mkdir -p "$out"
+    # fix recursive cycle:
+    # wolfssl-config points to dev, dev propagates bin
+    moveToOutput bin/wolfssl-config "$dev"
+    # moveToOutput also removes "$out" so recreate it
+    mkdir -p "$out"
   '';
 
   meta = with lib; {
     description = "A small, fast, portable implementation of TLS/SSL for embedded devices";
     homepage = "https://www.wolfssl.com/";
-    changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${version}-stable";
+    changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${finalAttrs.version}-stable";
     platforms = platforms.all;
     license = licenses.gpl2Plus;
-    maintainers = with maintainers; [ fab ];
+    maintainers = with maintainers; [ fab vifino ];
   };
-}
+})