author | Alyssa Ross <hi@alyssa.is> | 2023-10-31 22:19:45 +0100 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-10-31 22:19:45 +0100 |
commit | 78ba0c65b7bf9a64c12ca8c08f2e0220afdc8dbc (patch) | |
tree | fd9cfb92edfaa37c919be8d24063b8a6c6d94c83 /nixpkgs/pkgs/development/libraries/wolfssl | |
parent | 7e0c8fe656bbc2fcbdfc3e03a367d2c6ff389769 (diff) | |
parent | 0cbe9f69c234a7700596e943bfae7ef27a31b735 (diff) | |
Merge commit '0cbe9f69c234a7700596e943bfae7ef27a31b735' into HEAD
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/wolfssl')
-rw-r--r-- | nixpkgs/pkgs/development/libraries/wolfssl/default.nix | 66 |
1 files changed, 46 insertions, 20 deletions
diff --git a/nixpkgs/pkgs/development/libraries/wolfssl/default.nix b/nixpkgs/pkgs/development/libraries/wolfssl/default.nix
index 4c60ccf6c8ba..35280e4b5eb3 100644
--- a/nixpkgs/pkgs/development/libraries/wolfssl/default.nix
+++ b/nixpkgs/pkgs/development/libraries/wolfssl/default.nix
@@ -5,37 +5,63 @@ , autoreconfHook , util-linux , openssl +# The primary --enable-XXX variant. 'all' enables most features, but causes build-errors for some software, +# requiring to build a special variant for that software. Example: 'haproxy' +, variant ? "all" +, extraConfigureFlags ? [] +, enableLto ? !(stdenv.isDarwin || stdenv.hostPlatform.isStatic || stdenv.cc.isClang) }: - -stdenv.mkDerivation rec { - pname = "wolfssl"; +stdenv.mkDerivation (finalAttrs: { + pname = "wolfssl-${variant}"; version = "5.6.3"; src = fetchFromGitHub { owner = "wolfSSL"; repo = "wolfssl"; - rev = "refs/tags/v${version}-stable"; + rev = "refs/tags/v${finalAttrs.version}-stable"; hash = "sha256-UN4zs+Rxh/bsLD1BQA+f1YN/UOJ6OB2HduhoetEp10Y="; }; postPatch = '' patchShebangs ./scripts - # ocsp tests require network access - sed -i -e '/ocsp\.test/d' -e '/ocsp-stapling\.test/d' scripts/include.am + # ocsp stapling tests require network access, so skip them + sed -i -e'2s/.*/exit 77/' scripts/ocsp-stapling.test # ensure test detects musl-based systems too substituteInPlace scripts/ocsp-stapling2.test \ --replace '"linux-gnu"' '"linux-"' ''; - # Almost same as Debian but for now using --enable-all --enable-reproducible-build instead of --enable-distro to ensure options.h gets installed configureFlags = [ - "--enable-all" - "--enable-base64encode" + "--enable-${variant}" + "--enable-reproducible-build" + ] ++ lib.optionals (variant == "all") [ + # Extra feature flags to add while building the 'all' variant. + # Since they conflict while building other variants, only specify them for this one. "--enable-pkcs11" "--enable-writedup" - "--enable-reproducible-build" - "--enable-tls13" - ]; + "--enable-base64encode" + ] ++ [ + # We're not on tiny embedded machines. + # Increase TLS session cache from 33 sessions to 20k. + "--enable-bigcache" + + # Use WolfSSL's Single Precision Math with timing-resistant cryptography. 
+ "--enable-sp=yes${lib.optionalString (!stdenv.isx86_32) ",asm"}" + "--enable-sp-math-all" + "--enable-harden" + ] ++ lib.optionals (stdenv.hostPlatform.isx86_64) [ + # Enable AVX/AVX2/AES-NI instructions, gated by runtime detection via CPUID. + "--enable-intelasm" + "--enable-aesni" + ] ++ lib.optionals (stdenv.isAarch64 && stdenv.isDarwin) [ + # No runtime detection under ARM and no platform function checks like for X86. + # However, all ARM macOS systems have the supported extensions autodetected in the configure script. + "--enable-armasm=inline" + ] ++ extraConfigureFlags; + + # LTO should help with the C implementations. + env.NIX_CFLAGS_COMPILE = lib.optionalString enableLto "-flto"; + env.NIX_LDFLAGS_COMPILE = lib.optionalString enableLto "-flto"; outputs = [ "dev" @@ -60,19 +86,19 @@ stdenv.mkDerivation rec { ]; postInstall = '' - # fix recursive cycle: - # wolfssl-config points to dev, dev propagates bin - moveToOutput bin/wolfssl-config "$dev" - # moveToOutput also removes "$out" so recreate it - mkdir -p "$out" + # fix recursive cycle: + # wolfssl-config points to dev, dev propagates bin + moveToOutput bin/wolfssl-config "$dev" + # moveToOutput also removes "$out" so recreate it + mkdir -p "$out" ''; meta = with lib; { description = "A small, fast, portable implementation of TLS/SSL for embedded devices"; homepage = "https://www.wolfssl.com/"; - changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${version}-stable"; + changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${finalAttrs.version}-stable"; platforms = platforms.all; license = licenses.gpl2Plus; - maintainers = with maintainers; [ fab ]; + maintainers = with maintainers; [ fab vifino ]; }; -} +}) |
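Review bot: `env.NIX_LDFLAGS_COMPILE` in the new LTO block does not look like a variable the nixpkgs cc-wrapper reads (as far as I know it consumes `NIX_CFLAGS_COMPILE`, `NIX_CFLAGS_LINK` and `NIX_LDFLAGS`), so as written `-flto` probably reaches only the compile step and not the final link; I would check a build log and, if confirmed, replace that line with `env.NIX_CFLAGS_LINK = lib.optionalString enableLto "-flto";`. Separately, the new postPatch only neuters `scripts/ocsp-stapling.test`, whereas the removed sed also dropped `ocsp.test` from include.am under the "requires network access" rationale; if `ocsp.test` still needs network it will fail in the sandbox, so a comment recording why it is now expected to pass offline would help the next maintainer. The `2s/.*/exit 77/` edit also assumes line 2 of that script is safe to overwrite on every upstream version; a one-line comment stating what line 2 is expected to contain, and that it must be re-checked on version bumps, would make that assumption explicit. The `stdenv.mkDerivation (finalAttrs: {` attrset opened here continues past this hunk.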