1 files changed, 106 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/wolfssl/default.nix b/nixpkgs/pkgs/development/libraries/wolfssl/default.nix
new file mode 100644
index 000000000000..60a6e10c8334
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/wolfssl/default.nix
@@ -0,0 +1,106 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, Security
+, autoreconfHook
+, util-linux
+, openssl
+, cacert
+# The primary --enable-XXX variant. 'all' enables most features, but causes build-errors for some software,
+# requiring to build a special variant for that software. Example: 'haproxy'
+, variant ? "all"
+, extraConfigureFlags ? []
+, enableLto ? !(stdenv.isDarwin || stdenv.hostPlatform.isStatic || stdenv.cc.isClang)
+}:
+stdenv.mkDerivation (finalAttrs: {
+  pname = "wolfssl-${variant}";
+  version = "5.6.6";
+
+  src = fetchFromGitHub {
+    owner = "wolfSSL";
+    repo = "wolfssl";
+    rev = "refs/tags/v${finalAttrs.version}-stable";
+    hash = "sha256-HXl8GgngC1J8Dlt7fXBrVRa+IV7thVr+MIpeuf3Khcg=";
+  };
+
+  postPatch = ''
+    patchShebangs ./scripts
+    # ocsp stapling tests require network access, so skip them
+    sed -i -e'2s/.*/exit 77/' scripts/ocsp-stapling.test
+    # ensure test detects musl-based systems too
+    substituteInPlace scripts/ocsp-stapling2.test \
+      --replace '"linux-gnu"' '"linux-"'
+  '';
+
+  configureFlags = [
+    "--enable-${variant}"
+    "--enable-reproducible-build"
+  ] ++ lib.optionals (variant == "all") [
+    # Extra feature flags to add while building the 'all' variant.
+    # Since they conflict while building other variants, only specify them for this one.
+    "--enable-pkcs11"
+    "--enable-writedup"
+    "--enable-base64encode"
+  ] ++ [
+    # We're not on tiny embedded machines.
+    # Increase TLS session cache from 33 sessions to 20k.
+    "--enable-bigcache"
+
+    # Use WolfSSL's Single Precision Math with timing-resistant cryptography.
+    "--enable-sp=yes${lib.optionalString (stdenv.hostPlatform.isx86_64 || stdenv.hostPlatform.isAarch) ",asm"}"
+    "--enable-sp-math-all"
+    "--enable-harden"
+  ] ++ lib.optionals (stdenv.hostPlatform.isx86_64) [
+    # Enable AVX/AVX2/AES-NI instructions, gated by runtime detection via CPUID.
+    "--enable-intelasm"
+    "--enable-aesni"
+  ] ++ lib.optionals (stdenv.isAarch64 && stdenv.isDarwin) [
+    # No runtime detection under ARM and no platform function checks like for X86.
+    # However, all ARM macOS systems have the supported extensions autodetected in the configure script.
+    "--enable-armasm=inline"
+  ] ++ extraConfigureFlags;
+
+  # LTO should help with the C implementations.
+  env.NIX_CFLAGS_COMPILE = lib.optionalString enableLto "-flto";
+  env.NIX_LDFLAGS_COMPILE = lib.optionalString enableLto "-flto";
+
+  outputs = [
+    "dev"
+    "doc"
+    "lib"
+    "out"
+  ];
+
+  propagatedBuildInputs = lib.optionals stdenv.isDarwin [
+    Security
+  ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    util-linux
+  ];
+
+  doCheck = true;
+
+  nativeCheckInputs = [
+    openssl
+    cacert
+  ];
+
+  postInstall = ''
+    # fix recursive cycle:
+    # wolfssl-config points to dev, dev propagates bin
+    moveToOutput bin/wolfssl-config "$dev"
+    # moveToOutput also removes "$out" so recreate it
+    mkdir -p "$out"
+  '';
+
+  meta = with lib; {
+    description = "A small, fast, portable implementation of TLS/SSL for embedded devices";
+    homepage = "https://www.wolfssl.com/";
+    changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${finalAttrs.version}-stable";
+    platforms = platforms.all;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ fab vifino ];
+  };
+})