1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
{ lib
, stdenv
, fetchFromGitHub
, Security
, autoreconfHook
, util-linux
, openssl
, cacert
# The primary --enable-XXX variant. 'all' enables most features, but causes build-errors for some software,
# requiring to build a special variant for that software. Example: 'haproxy'
, variant ? "all"
, extraConfigureFlags ? []
, enableLto ? !(stdenv.isDarwin || stdenv.hostPlatform.isStatic || stdenv.cc.isClang)
}:
stdenv.mkDerivation (finalAttrs: {
pname = "wolfssl-${variant}";
version = "5.6.6";
src = fetchFromGitHub {
owner = "wolfSSL";
repo = "wolfssl";
rev = "refs/tags/v${finalAttrs.version}-stable";
hash = "sha256-HXl8GgngC1J8Dlt7fXBrVRa+IV7thVr+MIpeuf3Khcg=";
};
postPatch = ''
patchShebangs ./scripts
# ocsp stapling tests require network access, so skip them
sed -i -e'2s/.*/exit 77/' scripts/ocsp-stapling.test
# ensure test detects musl-based systems too
substituteInPlace scripts/ocsp-stapling2.test \
--replace '"linux-gnu"' '"linux-"'
'';
configureFlags = [
"--enable-${variant}"
"--enable-reproducible-build"
] ++ lib.optionals (variant == "all") [
# Extra feature flags to add while building the 'all' variant.
# Since they conflict while building other variants, only specify them for this one.
"--enable-pkcs11"
"--enable-writedup"
"--enable-base64encode"
] ++ [
# We're not on tiny embedded machines.
# Increase TLS session cache from 33 sessions to 20k.
"--enable-bigcache"
# Use WolfSSL's Single Precision Math with timing-resistant cryptography.
"--enable-sp=yes${lib.optionalString (stdenv.hostPlatform.isx86_64 || stdenv.hostPlatform.isAarch) ",asm"}"
"--enable-sp-math-all"
"--enable-harden"
] ++ lib.optionals (stdenv.hostPlatform.isx86_64) [
# Enable AVX/AVX2/AES-NI instructions, gated by runtime detection via CPUID.
"--enable-intelasm"
"--enable-aesni"
] ++ lib.optionals (stdenv.isAarch64 && stdenv.isDarwin) [
# No runtime detection under ARM and no platform function checks like for X86.
# However, all ARM macOS systems have the supported extensions autodetected in the configure script.
"--enable-armasm=inline"
] ++ extraConfigureFlags;
# LTO should help with the C implementations.
env.NIX_CFLAGS_COMPILE = lib.optionalString enableLto "-flto";
env.NIX_LDFLAGS_COMPILE = lib.optionalString enableLto "-flto";
outputs = [
"dev"
"doc"
"lib"
"out"
];
propagatedBuildInputs = lib.optionals stdenv.isDarwin [
Security
];
nativeBuildInputs = [
autoreconfHook
util-linux
];
doCheck = true;
nativeCheckInputs = [
openssl
cacert
];
postInstall = ''
# fix recursive cycle:
# wolfssl-config points to dev, dev propagates bin
moveToOutput bin/wolfssl-config "$dev"
# moveToOutput also removes "$out" so recreate it
mkdir -p "$out"
'';
meta = with lib; {
description = "A small, fast, portable implementation of TLS/SSL for embedded devices";
homepage = "https://www.wolfssl.com/";
changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${finalAttrs.version}-stable";
platforms = platforms.all;
license = licenses.gpl2Plus;
maintainers = with maintainers; [ fab vifino ];
};
})
|