| blob | 0a8202839c364824294d1b5d3838e9e6d9edee52 |
1 { lib
2 , stdenv
3 , fetchFromGitHub
4 , Security
5 , autoreconfHook
6 , util-linux
7 , openssl
8 , cacert
9 # The primary --enable-XXX variant. 'all' enables most features, but causes build-errors for some software,
10 # requiring to build a special variant for that software. Example: 'haproxy'
11 , variant ? "all"
12 , extraConfigureFlags ? []
13 , enableARMCryptoExtensions ? stdenv.hostPlatform.isAarch64 && ((builtins.match "^.*\\+crypto.*$" stdenv.hostPlatform.gcc.arch) != null)
14 , enableLto ? !(stdenv.hostPlatform.isStatic || stdenv.cc.isClang)
15 }:
16 stdenv.mkDerivation (finalAttrs: {
17 pname = "wolfssl-${variant}";
18 version = "5.7.4";
20 src = fetchFromGitHub {
21 owner = "wolfSSL";
22 repo = "wolfssl";
23 rev = "refs/tags/v${finalAttrs.version}-stable";
24 hash = "sha256-/dtW1E1wYfQEuotclUEOK5+Vg4S7vt1xWhr1lEtu60w=";
25 };
27 postPatch = ''
28 patchShebangs ./scripts
29 # ensure test detects musl-based systems too
30 substituteInPlace scripts/ocsp-stapling2.test \
31 --replace '"linux-gnu"' '"linux-"'
32 '';
34 configureFlags = [
35 "--enable-${variant}"
36 "--enable-reproducible-build"
37 ] ++ lib.optionals (variant == "all") [
38 # Extra feature flags to add while building the 'all' variant.
39 # Since they conflict while building other variants, only specify them for this one.
40 "--enable-pkcs11"
41 "--enable-writedup"
42 "--enable-base64encode"
43 ] ++ [
44 # We're not on tiny embedded machines.
45 # Increase TLS session cache from 33 sessions to 20k.
46 "--enable-bigcache"
48 # Use WolfSSL's Single Precision Math with timing-resistant cryptography.
49 "--enable-sp=yes${lib.optionalString (stdenv.hostPlatform.isx86_64 || stdenv.hostPlatform.isAarch) ",asm"}"
50 "--enable-sp-math-all"
51 "--enable-harden"
52 ] ++ lib.optionals (stdenv.hostPlatform.isx86_64) [
53 # Enable AVX/AVX2/AES-NI instructions, gated by runtime detection via CPUID.
54 "--enable-intelasm"
55 "--enable-aesni"
56 ] ++ lib.optionals (stdenv.hostPlatform.isAarch64) [
57 # No runtime detection under ARM and no platform function checks like for X86.
58 (if enableARMCryptoExtensions
59 then "--enable-armasm=inline"
60 else "--disable-armasm")
61 ] ++ extraConfigureFlags;
63 # Breaks tls13 tests on aarch64-darwin.
64 hardeningDisable = lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [ "zerocallusedregs" ];
66 # LTO should help with the C implementations.
67 env.NIX_CFLAGS_COMPILE = lib.optionalString enableLto "-flto";
68 env.NIX_LDFLAGS_COMPILE = lib.optionalString enableLto "-flto";
70 # Don't attempt connections to external services in the test suite.
71 env.WOLFSSL_EXTERNAL_TEST = "0";
73 outputs = [
74 "dev"
75 "doc"
76 "lib"
77 "out"
78 ];
80 propagatedBuildInputs = lib.optionals stdenv.hostPlatform.isDarwin [
81 Security
82 ];
84 nativeBuildInputs = [
85 autoreconfHook
86 util-linux
87 ];
89 doCheck = true;
91 nativeCheckInputs = [
92 openssl
93 cacert
94 ];
96 postInstall = ''
97 # fix recursive cycle:
98 # wolfssl-config points to dev, dev propagates bin
99 moveToOutput bin/wolfssl-config "$dev"
100 # moveToOutput also removes "$out" so recreate it
101 mkdir -p "$out"
102 '';
104 meta = with lib; {
105 description = "Small, fast, portable implementation of TLS/SSL for embedded devices";
106 mainProgram = "wolfssl-config";
107 homepage = "https://www.wolfssl.com/";
108 changelog = "https://github.com/wolfSSL/wolfssl/releases/tag/v${finalAttrs.version}-stable";
109 platforms = platforms.all;
110 license = licenses.gpl2Plus;
111 maintainers = with maintainers; [ fab vifino ];
112 };
113 })