On Fri, Apr 28, 2023 at 10:07:09AM -0600, Bob Beck wrote: > This splits the existing boringssl port into two branches, one > for the head (the existing port) and a new port for the FIPS > certified branch of boringssl.
I can take care of merging identical stuff into Makefile.inc if desired. After the split, I'll also fix go's /tmp usage to aid in BTI transition. Bob and I hacked up the split together and package upgrade from old boringssl to new boringssl-head worked, but I'd appreciate a second pair of porter eyes on the quirk/conflict/pkgpath bits. > > ok? > > > Index: devel/quirks/Makefile > =================================================================== > RCS file: /cvs/ports/devel/quirks/Makefile,v > retrieving revision 1.1508 > diff -u -p -u -p -r1.1508 Makefile > --- devel/quirks/Makefile 22 Apr 2023 16:33:54 -0000 1.1508 > +++ devel/quirks/Makefile 28 Apr 2023 15:29:28 -0000 > @@ -3,7 +3,7 @@ CATEGORIES = devel databases > DISTFILES = > > # API.rev > -PKGNAME = quirks-6.124 > +PKGNAME = quirks-6.125 > PKG_ARCH = * > MAINTAINER = Marc Espie <es...@openbsd.org> > > Index: devel/quirks/files/Quirks.pm > =================================================================== > RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v > retrieving revision 1.1519 > diff -u -p -u -p -r1.1519 Quirks.pm > --- devel/quirks/files/Quirks.pm 22 Apr 2023 16:33:54 -0000 1.1519 > +++ devel/quirks/files/Quirks.pm 28 Apr 2023 15:30:35 -0000 > @@ -778,6 +778,7 @@ my $stem_extensions = { > # 7.4 > 'aarch64-none-elf-gcc-linaro' => 'aarch64-none-elf-gcc', > 'arm-none-eabi-gcc-linaro' => 'arm-none-eabi-gcc', > + 'boringssl' => 'boringssl-head', > }; > > my $obsolete_reason = {}; > Index: security/boringssl/Makefile > =================================================================== > RCS file: /cvs/ports/security/boringssl/Makefile,v > retrieving revision 1.5 > diff -u -p -u -p -r1.5 Makefile > --- security/boringssl/Makefile 26 Apr 2023 15:10:07 -0000 1.5 > +++ security/boringssl/Makefile 28 Apr 2023 16:00:04 -0000 
> @@ -1,52 +1,5 @@ > -NOT_FOR_ARCHS = ${BE_ARCHS} > +SUBDIR = > +SUBDIR += fips > +SUBDIR += head > > -COMMENT = fork of OpenSSL that is designed to meet Google's needs > - > -GH_ACCOUNT = google > -GH_PROJECT = boringssl > -GH_COMMIT = de2d610a341f5a4b8c222425890537cb84c91400 > -DISTNAME = boringssl-20230425 > - > -MASTER_SITES0 = https://proxy.golang.org/ > - > -DISTFILES += ${GH_DISTFILE} > -# can't use GH_DISTFILE because EXTRACT_ONLY does not understand DISTFILES {} > -EXTRACT_ONLY = > ${DISTNAME}-${GH_COMMIT:C/(........).*/\1/}${EXTRACT_SUFX} > - > -BORING_GOMOD += golang.org/x/crypto v0.6.0 > -BORING_GOMOD += golang.org/x/net v0.7.0 > -BORING_GOMOD += golang.org/x/sys v0.5.0 > -BORING_GOMOD += golang.org/x/term v0.5.0 > - > -.for _modpath _modver in ${BORING_GOMOD} > -DISTFILES += go_modules/{}${_modpath}/@v/${_modver}.zip:0 > -DISTFILES += go_modules/{}${_modpath}/@v/${_modver}.mod:0 > -.endfor > - > -CATEGORIES = security > - > -MAINTAINER = Bob Beck <b...@openbsd.org>, \ > - Theo Buehler <t...@openbsd.org> > - > -# ISC > -PERMIT_PACKAGE = Yes > - > -WANTLIB += ${COMPILER_LIBCXX} c m > - > -# C++14 > -COMPILER = base-clang ports-gcc > - > -MODULES = devel/cmake > -CONFIGURE_ARGS += -DCMAKE_INSTALL_PREFIX=${PREFIX}/eboringssl > - > -BUILD_DEPENDS = lang/go > - > -PORTHOME = ${WRKDIR} > -TEST_ENV = GOPROXY=file://${FULLDISTDIR}/go_modules > - > -FIX_CLEANUP_PERMISSIONS = Yes > - > -do-test: > - ${SETENV} ${ALL_TEST_ENV} ninja -C ${WRKBUILD} -j ${MAKE_JOBS} run_tests > - > -.include <bsd.port.mk> > +.include <bsd.port.subdir.mk> > Index: security/boringssl/distinfo > =================================================================== > RCS file: security/boringssl/distinfo > diff -N security/boringssl/distinfo > --- security/boringssl/distinfo 26 Apr 2023 14:55:23 -0000 1.2 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,18 +0,0 @@ > -SHA256 (boringssl-20230425-de2d610a.tar.gz) = > 2Bu5eOgBxqNUcTDevIpOjPGgJ/GBatu1ZtbVDTCDppQ= > -SHA256 (go_modules/golang.org/x/crypto/@v/v0.6.0.mod) = > G2poNFWjuIK2rFPyJ1KWDoe9kQQKlNbyxcthJh4jidg= > -SHA256 (go_modules/golang.org/x/crypto/@v/v0.6.0.zip) = > gcqIrzcc/1qERCuijiPY9CzME4fI/hUuVeh7pK+eGsc= > -SHA256 (go_modules/golang.org/x/net/@v/v0.7.0.mod) = > Qex26iFy8+4wMeOPmlNZOaWE1rs170gIVP3LjCAmcBs= > -SHA256 (go_modules/golang.org/x/net/@v/v0.7.0.zip) = > BgVSBkUmqQrJsL3OK6CrNFkt7MlCjRRBw8lyL4U80pA= > -SHA256 (go_modules/golang.org/x/sys/@v/v0.5.0.mod) = > 8DMzMJb+GY8xUd7tk/LeunTlC7/nc5E0BFvDt85KUCQ= > -SHA256 (go_modules/golang.org/x/sys/@v/v0.5.0.zip) = > z0czasG/Z1+m1t1axTmbAUPFE0BMRJ+j8zgKWBI8eQg= > -SHA256 (go_modules/golang.org/x/term/@v/v0.5.0.mod) = > DW9YIoqtwaZSjmdV2gGFFlZuOuXFIB963hdz9W+o2TQ= > -SHA256 (go_modules/golang.org/x/term/@v/v0.5.0.zip) = > fYnEmrQTBpUBKKD0t8Z/uOLS9jfs6OAk5s840XozGTs= > -SIZE (boringssl-20230425-de2d610a.tar.gz) = 32281549 > -SIZE (go_modules/golang.org/x/crypto/@v/v0.6.0.mod) = 171 > -SIZE (go_modules/golang.org/x/crypto/@v/v0.6.0.zip) = 1761232 > -SIZE (go_modules/golang.org/x/net/@v/v0.7.0.mod) = 123 > -SIZE (go_modules/golang.org/x/net/@v/v0.7.0.zip) = 1559354 > -SIZE (go_modules/golang.org/x/sys/@v/v0.5.0.mod) = 33 > -SIZE (go_modules/golang.org/x/sys/@v/v0.5.0.zip) = 1886681 > -SIZE (go_modules/golang.org/x/term/@v/v0.5.0.mod) = 67 > -SIZE (go_modules/golang.org/x/term/@v/v0.5.0.zip) = 19924 > Index: security/boringssl/fips/Makefile > =================================================================== > RCS file: security/boringssl/fips/Makefile > diff -N security/boringssl/fips/Makefile > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/Makefile 28 Apr 2023 15:59:02 -0000 
> @@ -0,0 +1,31 @@ > +NOT_FOR_ARCHS = ${BE_ARCHS} > + > +COMMENT = fork of OpenSSL that is designed to meet Google's needs > + > +GH_ACCOUNT = google > +GH_PROJECT = boringssl > +GH_COMMIT = 0c6f40132b828e92ba365c6b7680e32820c63fa7 > +DISTNAME = boringssl-fips-20220613 > + > +CATEGORIES = security > + > +MAINTAINER = Bob Beck <b...@openbsd.org>, \ > + Theo Buehler <t...@openbsd.org> > + > +# ISC > +PERMIT_PACKAGE = Yes > + > +WANTLIB += ${COMPILER_LIBCXX} c m > + > +# C++14 > +COMPILER = base-clang ports-gcc > + > +MODULES = devel/cmake > +CONFIGURE_ARGS += -DCMAKE_INSTALL_PREFIX=${PREFIX}/eboringssl > + > +# XXX picked up for tests, needs more love > +BUILD_DEPENDS = lang/go > + > +PORTHOME = ${WRKSRC} > + > +.include <bsd.port.mk> > Index: security/boringssl/fips/distinfo > =================================================================== > RCS file: security/boringssl/fips/distinfo > diff -N security/boringssl/fips/distinfo > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/distinfo 28 Apr 2023 15:59:02 -0000 > @@ -0,0 +1,2 @@ > +SHA256 (boringssl-fips-20220613-0c6f4013.tar.gz) = > 74Cpfr7wVFH9ONvafKkwSW+uetEI8yA/iAXwjCXJSlE= > +SIZE (boringssl-fips-20220613-0c6f4013.tar.gz) = 30902288 > Index: security/boringssl/fips/patches/patch-CMakeLists_txt > =================================================================== > RCS file: security/boringssl/fips/patches/patch-CMakeLists_txt > diff -N security/boringssl/fips/patches/patch-CMakeLists_txt > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/patches/patch-CMakeLists_txt 28 Apr 2023 > 15:59:02 -0000 
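Review bot: The new security/boringssl/fips/Makefile keeps `BUILD_DEPENDS = lang/go` but has no `do-test` target, no `TEST_ENV` and none of the `BORING_GOMOD` distfiles that the removed security/boringssl/Makefile carried, so the port no longer shows a way to run the library's test suite from checksummed, pre-fetched modules. The `XXX` comment hints at this; it would be clearer as `# XXX go is only needed for the tests, which are not hooked up yet`. `PORTHOME` also changes from `${WRKDIR}` to `${WRKSRC}` without an explanation in the message. security/boringssl/head/Makefile carries the same lines.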
> @@ -0,0 +1,12 @@ > +Index: CMakeLists.txt > +--- CMakeLists.txt.orig > ++++ CMakeLists.txt > +@@ -132,7 +132,7 @@ endif() > + if(CMAKE_COMPILER_IS_GNUCXX OR CLANG) > + # Note clang-cl is odd and sets both CLANG and MSVC. We base our > configuration > + # primarily on our normal Clang one. > +- set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare > -Wmissing-field-initializers -Wwrite-strings -Wvla -Wshadow") > ++ set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare > -Wmissing-field-initializers -Wwrite-strings -Wshadow") > + if(MSVC) > + # clang-cl sets different default warnings than clang. It also treats > -Wall > + # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall. > Index: security/boringssl/fips/patches/patch-crypto_CMakeLists_txt > =================================================================== > RCS file: security/boringssl/fips/patches/patch-crypto_CMakeLists_txt > diff -N security/boringssl/fips/patches/patch-crypto_CMakeLists_txt > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/patches/patch-crypto_CMakeLists_txt 28 Apr > 2023 15:59:02 -0000 > @@ -0,0 +1,14 @@ > +Index: crypto/CMakeLists.txt > +--- crypto/CMakeLists.txt.orig > ++++ crypto/CMakeLists.txt > +@@ -266,8 +266,10 @@ add_library( > + cpu_aarch64_apple.c > + cpu_aarch64_fuchsia.c > + cpu_aarch64_linux.c > ++ cpu_aarch64_openbsd.c > + cpu_aarch64_win.c > + cpu_arm_linux.c > ++ cpu_arm_openbsd.c > + cpu_arm.c > + cpu_intel.c > + cpu_ppc64le.c > Index: security/boringssl/fips/patches/patch-crypto_CMakeLists_txt.orig > =================================================================== > RCS file: security/boringssl/fips/patches/patch-crypto_CMakeLists_txt.orig > diff -N security/boringssl/fips/patches/patch-crypto_CMakeLists_txt.orig > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/patches/patch-crypto_CMakeLists_txt.orig 28 Apr > 2023 15:59:02 -0000 
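Review bot: The CMakeLists.txt patch removes `-Wvla` from `C_CXX_FLAGS` without recording why, so a later update cannot tell whether the removal is still needed. Because `-Werror` stays in the same flag string, this is presumably a workaround for a diagnostic that would otherwise stop the build, but nothing visible confirms that. A short explanation at the top of the patch file, such as `Drop -Wvla: <reason>`, would document it. The head port's patch-CMakeLists_txt makes the same removal.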
> @@ -0,0 +1,16 @@ > +Index: crypto/CMakeLists.txt > +--- crypto/CMakeLists.txt.orig > ++++ crypto/CMakeLists.txt > +@@ -126,10 +126,12 @@ add_library( > + conf/conf.c > + cpu_aarch64_apple.c > + cpu_aarch64_freebsd.c > ++ cpu_aarch64_openbsd.c > + cpu_aarch64_fuchsia.c > + cpu_aarch64_linux.c > + cpu_aarch64_win.c > + cpu_arm_freebsd.c > ++ cpu_arm_openbsd.c > + cpu_arm_linux.c > + cpu_arm.c > + cpu_intel.c > Index: security/boringssl/fips/patches/patch-crypto_cpu_aarch64_openbsd_c > =================================================================== > RCS file: security/boringssl/fips/patches/patch-crypto_cpu_aarch64_openbsd_c > diff -N security/boringssl/fips/patches/patch-crypto_cpu_aarch64_openbsd_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/patches/patch-crypto_cpu_aarch64_openbsd_c > 28 Apr 2023 15:59:02 -0000 
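Review bot: `patch-crypto_CMakeLists_txt.orig` looks like a leftover from regenerating patches rather than a file meant for the tree. Its inner hunk is at `@@ -126,10 +126,12 @@` and lists `cpu_aarch64_freebsd.c`, which matches the head port's patch and not the fips one at `@@ -266,8 +266,10 @@`. The same applies to `patch-crypto_fipsmodule_rand_urandom_c.orig` and `patch-include_openssl_base_h.orig` under fips/patches. All three should be left out of the commit.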
> @@ -0,0 +1,61 @@ > +Index: crypto/cpu_aarch64_openbsd.c > +--- crypto/cpu_aarch64_openbsd.c.orig > ++++ crypto/cpu_aarch64_openbsd.c > +@@ -0,0 +1,57 @@ > ++/* Copyright (c) 2022, Robert Nagy <rob...@openbsd.org> > ++ * > ++ * Permission to use, copy, modify, and/or distribute this software for any > ++ * purpose with or without fee is hereby granted, provided that the above > ++ * copyright notice and this permission notice appear in all copies. > ++ * > ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES > ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR > ANY > ++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > ACTION > ++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN > ++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ > ++ > ++#include <openssl/cpu.h> > ++ > ++#if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && \ > ++ !defined(OPENSSL_STATIC_ARMCAP) > ++ > ++#include <sys/sysctl.h> > ++#include <machine/cpu.h> > ++#include <machine/armreg.h> > ++#include <stdio.h> > ++ > ++#include <openssl/arm_arch.h> > ++ > ++#include "internal.h" > ++ > ++extern uint32_t OPENSSL_armcap_P; > ++ > ++void OPENSSL_cpuid_setup(void) { > ++ int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 }; > ++ size_t len = sizeof(uint64_t); > ++ uint64_t cpu_id = 0; > ++ > ++ if (sysctl(isar0_mib, 2, &cpu_id, &len, NULL, 0) < 0) > ++ return; > ++ > ++ OPENSSL_armcap_P |= ARMV7_NEON; > ++ > ++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_BASE) > ++ OPENSSL_armcap_P |= ARMV8_AES; > ++ > ++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_PMULL) > ++ OPENSSL_armcap_P |= ARMV8_PMULL; > ++ > ++ if (ID_AA64ISAR0_SHA1(cpu_id) >= ID_AA64ISAR0_SHA1_BASE) > ++ OPENSSL_armcap_P |= ARMV8_SHA1; > ++ > ++ if 
(ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_BASE) > ++ OPENSSL_armcap_P |= ARMV8_SHA256; > ++ > ++ if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_512) > ++ OPENSSL_armcap_P |= ARMV8_SHA512; > ++} > ++ > ++#endif // OPENSSL_AARCH64 && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP > Index: security/boringssl/fips/patches/patch-crypto_cpu_arm_openbsd_c > =================================================================== > RCS file: security/boringssl/fips/patches/patch-crypto_cpu_arm_openbsd_c > diff -N security/boringssl/fips/patches/patch-crypto_cpu_arm_openbsd_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/patches/patch-crypto_cpu_arm_openbsd_c 28 Apr > 2023 15:59:02 -0000 
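Review bot: When `sysctl` fails, `OPENSSL_cpuid_setup` returns before `OPENSSL_armcap_P |= ARMV7_NEON;`, so every capability bit stays clear with no comment saying that is intended. The arm32 sibling file sets NEON unconditionally. If the same baseline holds here, move that line above the `sysctl` call; otherwise add a comment such as `// on failure leave all capability bits clear`. `<stdio.h>` is included but nothing visible in the file uses it. The head port's copy of this file is identical.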
> @@ -0,0 +1,38 @@ > +Index: crypto/cpu_arm_openbsd.c > +--- crypto/cpu_arm_openbsd.c.orig > ++++ crypto/cpu_arm_openbsd.c > +@@ -0,0 +1,34 @@ > ++/* Copyright (c) 2023, Google Inc. > ++ * > ++ * Permission to use, copy, modify, and/or distribute this software for any > ++ * purpose with or without fee is hereby granted, provided that the above > ++ * copyright notice and this permission notice appear in all copies. > ++ * > ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES > ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR > ANY > ++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > ACTION > ++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN > ++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ > ++ > ++#include "internal.h" > ++ > ++#if defined(OPENSSL_ARM) && defined(OPENSSL_OPENBSD) && \ > ++ !defined(OPENSSL_STATIC_ARMCAP) > ++#include <stdio.h> > ++ > ++#include <openssl/arm_arch.h> > ++ > ++extern uint32_t OPENSSL_armcap_P; > ++ > ++void OPENSSL_cpuid_setup(void) { > ++ unsigned long hwcap = 0, hwcap2 = 0; > ++ > ++ // OpenBSD does not support arm32 machines without NEON > ++ OPENSSL_armcap_P |= ARMV7_NEON; > ++ > ++ // OpenBSD does not support v8 features on non aarch64 > ++} > ++ > ++#endif // OPENSSL_ARM && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP > Index: security/boringssl/fips/patches/patch-crypto_fipsmodule_rand_urandom_c > =================================================================== > RCS file: > security/boringssl/fips/patches/patch-crypto_fipsmodule_rand_urandom_c > diff -N security/boringssl/fips/patches/patch-crypto_fipsmodule_rand_urandom_c 
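Review bot: `unsigned long hwcap = 0, hwcap2 = 0;` in `OPENSSL_cpuid_setup` is never read, and `<stdio.h>` is included without a visible use. The top-level flags contain `-Werror`, so an unused-variable warning would break the build if that warning is enabled somewhere outside this diff. Dropping the declaration and the include leaves the function as the single `OPENSSL_armcap_P |= ARMV7_NEON;` statement with its two comments. The head port's copy of this file has the same lines.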
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ security/boringssl/fips/patches/patch-crypto_fipsmodule_rand_urandom_c > 28 Apr 2023 15:59:02 -0000
> @@ -0,0 +1,28 @@
> +Index: crypto/fipsmodule/rand/urandom.c
> +--- crypto/fipsmodule/rand/urandom.c.orig
> ++++ crypto/fipsmodule/rand/urandom.c
> +@@ -71,6 +71,12 @@
> + #endif
> + #endif
> +
> ++#if defined(OPENSSL_OPENBSD)
> ++// getentropy exists in any supported version of OpenBSD
> ++#define OPENBSD_GETENTROPY
> ++#include <unistd.h>
> ++#endif
> ++
> + #include <openssl/thread.h>
> + #include <openssl/mem.h>
> +
> +@@ -334,6 +340,11 @@ static int fill_with_entropy(uint8_t *out, size_t len,
> + r = boringssl_getrandom(out, len, getrandom_flags);
> + #elif defined(FREEBSD_GETRANDOM)
> + r = getrandom(out, len, getrandom_flags);
> ++#elif defined(OPENBSD_GETENTROPY)
> ++ {
> ++ size_t todo = len <= 256 ? len : 256;
> ++ return getentropy(out, todo) != 0 ? -1 : (ssize_t)todo;
> ++ }
> + #elif defined(OPENSSL_MACOS)
> + if (__builtin_available(macos 10.12, *)) {
> + // |getentropy| can only request 256 bytes at a time.
> Index: > security/boringssl/fips/patches/patch-crypto_fipsmodule_rand_urandom_c.orig
> ===================================================================
> RCS file: > security/boringssl/fips/patches/patch-crypto_fipsmodule_rand_urandom_c.orig
> diff -N > security/boringssl/fips/patches/patch-crypto_fipsmodule_rand_urandom_c.orig
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ > security/boringssl/fips/patches/patch-crypto_fipsmodule_rand_urandom_c.orig > 28 Apr 2023 15:59:02 -0000
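Review bot: The added OpenBSD branch in `fill_with_entropy` ends with `return getentropy(out, todo) != 0 ? -1 : (ssize_t)todo;`, while the two branches visible just above it assign their result to `r`. The function is declared `static int` and most of its body lies outside the hunk. If the surrounding code loops on `r` until `len` bytes are written and signals success with a nonzero value, returning here would pass back -1 or a byte count as the status and stop after at most 256 bytes, leaving the rest of a larger buffer unfilled. Assigning instead, `r = getentropy(out, todo) != 0 ? -1 : (ssize_t)todo;`, keeps the branch consistent with its neighbours. The same lines appear in the fips `.orig` copy of this patch and in the head port's urandom.c patch.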
> @@ -0,0 +1,28 @@ > +Index: crypto/fipsmodule/rand/urandom.c > +--- crypto/fipsmodule/rand/urandom.c.orig > ++++ crypto/fipsmodule/rand/urandom.c > +@@ -68,6 +68,12 @@ > + #include <sys/random.h> > + #endif > + > ++#if defined(OPENSSL_OPENBSD) > ++// getentropy exists in any supported version of OpenBSD > ++#define OPENBSD_GETENTROPY > ++#include <unistd.h> > ++#endif > ++ > + #include <openssl/thread.h> > + #include <openssl/mem.h> > + > +@@ -300,6 +306,11 @@ static int fill_with_entropy(uint8_t *out, size_t len, > + r = boringssl_getrandom(out, len, getrandom_flags); > + #elif defined(FREEBSD_GETRANDOM) > + r = getrandom(out, len, getrandom_flags); > ++#elif defined(OPENBSD_GETENTROPY) > ++ { > ++ size_t todo = len <= 256 ? len : 256; > ++ return getentropy(out, todo) != 0 ? -1 : (ssize_t)todo; > ++ } > + #elif defined(OPENSSL_MACOS) > + if (__builtin_available(macos 10.12, *)) { > + // |getentropy| can only request 256 bytes at a time. > Index: security/boringssl/fips/patches/patch-include_openssl_base_h > =================================================================== > RCS file: security/boringssl/fips/patches/patch-include_openssl_base_h > diff -N security/boringssl/fips/patches/patch-include_openssl_base_h > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/patches/patch-include_openssl_base_h 28 Apr > 2023 15:59:02 -0000 
> @@ -0,0 +1,14 @@ > +Index: include/openssl/base.h > +--- include/openssl/base.h.orig > ++++ include/openssl/base.h > +@@ -166,6 +166,10 @@ extern "C" { > + #define OPENSSL_FREEBSD > + #endif > + > ++#if defined(__OpenBSD__) > ++#define OPENSSL_OPENBSD > ++#endif > ++ > + // BoringSSL requires platform's locking APIs to make internal global state > + // thread-safe, including the PRNG. On some single-threaded embedded > platforms, > + // locking APIs may not exist, so this dependency may be disabled with the > Index: security/boringssl/fips/patches/patch-include_openssl_base_h.orig > =================================================================== > RCS file: security/boringssl/fips/patches/patch-include_openssl_base_h.orig > diff -N security/boringssl/fips/patches/patch-include_openssl_base_h.orig > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/patches/patch-include_openssl_base_h.orig 28 Apr > 2023 15:59:02 -0000 > @@ -0,0 +1,14 @@ > +Index: include/openssl/base.h > +--- include/openssl/base.h.orig > ++++ include/openssl/base.h > +@@ -164,6 +164,10 @@ extern "C" { > + #define OPENSSL_FREEBSD > + #endif > + > ++#if defined(__OpenBSD__) > ++#define OPENSSL_OPENBSD > ++#endif > ++ > + // BoringSSL requires platform's locking APIs to make internal global state > + // thread-safe, including the PRNG. On some single-threaded embedded > platforms, > + // locking APIs may not exist, so this dependency may be disabled with the > Index: security/boringssl/fips/patches/patch-include_openssl_thread_h > =================================================================== > RCS file: security/boringssl/fips/patches/patch-include_openssl_thread_h > diff -N security/boringssl/fips/patches/patch-include_openssl_thread_h > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/patches/patch-include_openssl_thread_h 28 Apr > 2023 15:59:02 -0000 
> @@ -0,0 +1,11 @@ > +Index: include/openssl/thread.h > +--- include/openssl/thread.h.orig > ++++ include/openssl/thread.h > +@@ -78,6 +78,7 @@ typedef union crypto_mutex_st { > + void *handle; > + } CRYPTO_MUTEX; > + #elif !defined(__GLIBC__) > ++#include <pthread.h> > + typedef pthread_rwlock_t CRYPTO_MUTEX; > + #else > + // On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't > Index: security/boringssl/fips/pkg/DESCR > =================================================================== > RCS file: security/boringssl/fips/pkg/DESCR > diff -N security/boringssl/fips/pkg/DESCR > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/pkg/DESCR 28 Apr 2023 15:59:02 -0000 > @@ -0,0 +1,7 @@ > +Although BoringSSL is an open source project, it is not intended for > +general use, as OpenSSL is. We don't recommend that third parties > +depend upon it. Doing so is likely to be frustrating because there are > +no guarantees of API or ABI stability. > + > +This is the FIPS branch of boringssl used by Google where FIPS > +certification is required. > Index: security/boringssl/fips/pkg/PLIST > =================================================================== > RCS file: security/boringssl/fips/pkg/PLIST > diff -N security/boringssl/fips/pkg/PLIST > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/fips/pkg/PLIST 28 Apr 2023 15:59:02 -0000 
> @@ -0,0 +1,97 @@ > +@conflict boringssl-head-* > +@conflict boringssl-2* > +@option is-branch > +eboringssl/ > +eboringssl/bin/ > +@bin eboringssl/bin/bssl > +eboringssl/include/ > +eboringssl/include/openssl/ > +eboringssl/include/openssl/aead.h > +eboringssl/include/openssl/aes.h > +eboringssl/include/openssl/arm_arch.h > +eboringssl/include/openssl/asn1.h > +eboringssl/include/openssl/asn1_mac.h > +eboringssl/include/openssl/asn1t.h > +eboringssl/include/openssl/base.h > +eboringssl/include/openssl/base64.h > +eboringssl/include/openssl/bio.h > +eboringssl/include/openssl/blake2.h > +eboringssl/include/openssl/blowfish.h > +eboringssl/include/openssl/bn.h > +eboringssl/include/openssl/buf.h > +eboringssl/include/openssl/buffer.h > +eboringssl/include/openssl/bytestring.h > +eboringssl/include/openssl/cast.h > +eboringssl/include/openssl/chacha.h > +eboringssl/include/openssl/cipher.h > +eboringssl/include/openssl/cmac.h > +eboringssl/include/openssl/conf.h > +eboringssl/include/openssl/cpu.h > +eboringssl/include/openssl/crypto.h > +eboringssl/include/openssl/ctrdrbg.h > +eboringssl/include/openssl/curve25519.h > +eboringssl/include/openssl/des.h > +eboringssl/include/openssl/dh.h > +eboringssl/include/openssl/digest.h > +eboringssl/include/openssl/dsa.h > +eboringssl/include/openssl/dtls1.h > +eboringssl/include/openssl/e_os2.h > +eboringssl/include/openssl/ec.h > +eboringssl/include/openssl/ec_key.h > +eboringssl/include/openssl/ecdh.h > +eboringssl/include/openssl/ecdsa.h > +eboringssl/include/openssl/engine.h > +eboringssl/include/openssl/err.h > +eboringssl/include/openssl/evp.h > +eboringssl/include/openssl/evp_errors.h > +eboringssl/include/openssl/ex_data.h > +eboringssl/include/openssl/hkdf.h > +eboringssl/include/openssl/hmac.h > +eboringssl/include/openssl/hpke.h > +eboringssl/include/openssl/hrss.h > +eboringssl/include/openssl/is_boringssl.h > +eboringssl/include/openssl/lhash.h > +eboringssl/include/openssl/md4.h > 
+eboringssl/include/openssl/md5.h > +eboringssl/include/openssl/mem.h > +eboringssl/include/openssl/nid.h > +eboringssl/include/openssl/obj.h > +eboringssl/include/openssl/obj_mac.h > +eboringssl/include/openssl/objects.h > +eboringssl/include/openssl/opensslconf.h > +eboringssl/include/openssl/opensslv.h > +eboringssl/include/openssl/ossl_typ.h > +eboringssl/include/openssl/pem.h > +eboringssl/include/openssl/pkcs12.h > +eboringssl/include/openssl/pkcs7.h > +eboringssl/include/openssl/pkcs8.h > +eboringssl/include/openssl/poly1305.h > +eboringssl/include/openssl/pool.h > +eboringssl/include/openssl/rand.h > +eboringssl/include/openssl/rc4.h > +eboringssl/include/openssl/ripemd.h > +eboringssl/include/openssl/rsa.h > +eboringssl/include/openssl/safestack.h > +eboringssl/include/openssl/service_indicator.h > +eboringssl/include/openssl/sha.h > +eboringssl/include/openssl/siphash.h > +eboringssl/include/openssl/span.h > +eboringssl/include/openssl/srtp.h > +eboringssl/include/openssl/ssl.h > +eboringssl/include/openssl/ssl3.h > +eboringssl/include/openssl/stack.h > +eboringssl/include/openssl/thread.h > +eboringssl/include/openssl/tls1.h > +eboringssl/include/openssl/trust_token.h > +eboringssl/include/openssl/type_check.h > +eboringssl/include/openssl/x509.h > +eboringssl/include/openssl/x509_vfy.h > +eboringssl/include/openssl/x509v3.h > +eboringssl/lib/ > +eboringssl/lib/cmake/ > +eboringssl/lib/cmake/OpenSSL/ > +eboringssl/lib/cmake/OpenSSL/OpenSSLConfig.cmake > +eboringssl/lib/cmake/OpenSSL/OpenSSLTargets${MODCMAKE_BUILD_SUFFIX} > +eboringssl/lib/cmake/OpenSSL/OpenSSLTargets.cmake > +@static-lib eboringssl/lib/libcrypto.a > +@static-lib eboringssl/lib/libssl.a > Index: security/boringssl/head/Makefile > =================================================================== > RCS file: security/boringssl/head/Makefile > diff -N security/boringssl/head/Makefile > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/head/Makefile 28 Apr 2023 15:59:06 -0000 
> @@ -0,0 +1,31 @@ > +NOT_FOR_ARCHS = ${BE_ARCHS} > + > +COMMENT = fork of OpenSSL that is designed to meet Google's needs > + > +GH_ACCOUNT = google > +GH_PROJECT = boringssl > +GH_COMMIT = de2d610a341f5a4b8c222425890537cb84c91400 > +DISTNAME = boringssl-head-20230425 > + > +CATEGORIES = security > + > +MAINTAINER = Bob Beck <b...@openbsd.org>, \ > + Theo Buehler <t...@openbsd.org> > + > +# ISC > +PERMIT_PACKAGE = Yes > + > +WANTLIB += ${COMPILER_LIBCXX} c m > + > +# C++14 > +COMPILER = base-clang ports-gcc > + > +MODULES = devel/cmake > +CONFIGURE_ARGS += -DCMAKE_INSTALL_PREFIX=${PREFIX}/eboringssl > + > +# XXX picked up for tests, needs more love > +BUILD_DEPENDS = lang/go > + > +PORTHOME = ${WRKSRC} > + > +.include <bsd.port.mk> > Index: security/boringssl/head/distinfo > =================================================================== > RCS file: security/boringssl/head/distinfo > diff -N security/boringssl/head/distinfo > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/head/distinfo 28 Apr 2023 15:59:06 -0000 > @@ -0,0 +1,2 @@ > +SHA256 (boringssl-head-20230425-de2d610a.tar.gz) = > 2Bu5eOgBxqNUcTDevIpOjPGgJ/GBatu1ZtbVDTCDppQ= > +SIZE (boringssl-head-20230425-de2d610a.tar.gz) = 32281549 > Index: security/boringssl/head/patches/patch-CMakeLists_txt > =================================================================== > RCS file: security/boringssl/head/patches/patch-CMakeLists_txt > diff -N security/boringssl/head/patches/patch-CMakeLists_txt > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/head/patches/patch-CMakeLists_txt 28 Apr 2023 > 15:59:06 -0000 
> @@ -0,0 +1,12 @@ > +Index: CMakeLists.txt > +--- CMakeLists.txt.orig > ++++ CMakeLists.txt > +@@ -139,7 +139,7 @@ set(CMAKE_C_STANDARD_REQUIRED ON) > + if(CMAKE_COMPILER_IS_GNUCXX OR CLANG) > + # Note clang-cl is odd and sets both CLANG and MSVC. We base our > configuration > + # primarily on our normal Clang one. > +- set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare > -Wmissing-field-initializers -Wwrite-strings -Wvla -Wshadow -Wtype-limits") > ++ set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare > -Wmissing-field-initializers -Wwrite-strings -Wshadow -Wtype-limits") > + if(MSVC) > + # clang-cl sets different default warnings than clang. It also treats > -Wall > + # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall. > Index: security/boringssl/head/patches/patch-crypto_CMakeLists_txt > =================================================================== > RCS file: security/boringssl/head/patches/patch-crypto_CMakeLists_txt > diff -N security/boringssl/head/patches/patch-crypto_CMakeLists_txt > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/head/patches/patch-crypto_CMakeLists_txt 28 Apr > 2023 15:59:06 -0000 > @@ -0,0 +1,16 @@ > +Index: crypto/CMakeLists.txt > +--- crypto/CMakeLists.txt.orig > ++++ crypto/CMakeLists.txt > +@@ -126,10 +126,12 @@ add_library( > + conf/conf.c > + cpu_aarch64_apple.c > + cpu_aarch64_freebsd.c > ++ cpu_aarch64_openbsd.c > + cpu_aarch64_fuchsia.c > + cpu_aarch64_linux.c > + cpu_aarch64_win.c > + cpu_arm_freebsd.c > ++ cpu_arm_openbsd.c > + cpu_arm_linux.c > + cpu_arm.c > + cpu_intel.c > Index: security/boringssl/head/patches/patch-crypto_cpu_aarch64_openbsd_c > =================================================================== > RCS file: security/boringssl/head/patches/patch-crypto_cpu_aarch64_openbsd_c > diff -N security/boringssl/head/patches/patch-crypto_cpu_aarch64_openbsd_c 
> --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/head/patches/patch-crypto_cpu_aarch64_openbsd_c > 28 Apr 2023 15:59:06 -0000 
> @@ -0,0 +1,61 @@ > +Index: crypto/cpu_aarch64_openbsd.c > +--- crypto/cpu_aarch64_openbsd.c.orig > ++++ crypto/cpu_aarch64_openbsd.c > +@@ -0,0 +1,57 @@ > ++/* Copyright (c) 2022, Robert Nagy <rob...@openbsd.org> > ++ * > ++ * Permission to use, copy, modify, and/or distribute this software for any > ++ * purpose with or without fee is hereby granted, provided that the above > ++ * copyright notice and this permission notice appear in all copies. > ++ * > ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES > ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR > ANY > ++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > ACTION > ++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN > ++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ > ++ > ++#include <openssl/cpu.h> > ++ > ++#if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && \ > ++ !defined(OPENSSL_STATIC_ARMCAP) > ++ > ++#include <sys/sysctl.h> > ++#include <machine/cpu.h> > ++#include <machine/armreg.h> > ++#include <stdio.h> > ++ > ++#include <openssl/arm_arch.h> > ++ > ++#include "internal.h" > ++ > ++extern uint32_t OPENSSL_armcap_P; > ++ > ++void OPENSSL_cpuid_setup(void) { > ++ int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 }; > ++ size_t len = sizeof(uint64_t); > ++ uint64_t cpu_id = 0; > ++ > ++ if (sysctl(isar0_mib, 2, &cpu_id, &len, NULL, 0) < 0) > ++ return; > ++ > ++ OPENSSL_armcap_P |= ARMV7_NEON; > ++ > ++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_BASE) > ++ OPENSSL_armcap_P |= ARMV8_AES; > ++ > ++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_PMULL) > ++ OPENSSL_armcap_P |= ARMV8_PMULL; > ++ > ++ if (ID_AA64ISAR0_SHA1(cpu_id) >= ID_AA64ISAR0_SHA1_BASE) > ++ OPENSSL_armcap_P |= ARMV8_SHA1; > ++ > ++ if 
(ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_BASE) > ++ OPENSSL_armcap_P |= ARMV8_SHA256; > ++ > ++ if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_512) > ++ OPENSSL_armcap_P |= ARMV8_SHA512; > ++} > ++ > ++#endif // OPENSSL_AARCH64 && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP > Index: security/boringssl/head/patches/patch-crypto_cpu_arm_openbsd_c > =================================================================== > RCS file: security/boringssl/head/patches/patch-crypto_cpu_arm_openbsd_c > diff -N security/boringssl/head/patches/patch-crypto_cpu_arm_openbsd_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ security/boringssl/head/patches/patch-crypto_cpu_arm_openbsd_c 28 Apr > 2023 15:59:06 -0000 
> @@ -0,0 +1,38 @@ > +Index: crypto/cpu_arm_openbsd.c > +--- crypto/cpu_arm_openbsd.c.orig > ++++ crypto/cpu_arm_openbsd.c > +@@ -0,0 +1,34 @@ > ++/* Copyright (c) 2023, Google Inc. > ++ * > ++ * Permission to use, copy, modify, and/or distribute this software for any > ++ * purpose with or without fee is hereby granted, provided that the above > ++ * copyright notice and this permission notice appear in all copies. > ++ * > ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES > ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR > ANY > ++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > ACTION > ++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN > ++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ > ++ > ++#include "internal.h" > ++ > ++#if defined(OPENSSL_ARM) && defined(OPENSSL_OPENBSD) && \ > ++ !defined(OPENSSL_STATIC_ARMCAP) > ++#include <stdio.h> > ++ > ++#include <openssl/arm_arch.h> > ++ > ++extern uint32_t OPENSSL_armcap_P; > ++ > ++void OPENSSL_cpuid_setup(void) { > ++ unsigned long hwcap = 0, hwcap2 = 0; > ++ > ++ // OpenBSD does not support arm32 machines without NEON > ++ OPENSSL_armcap_P |= ARMV7_NEON; > ++ > ++ // OpenBSD does not support v8 features on non aarch64 > ++} > ++ > ++#endif // OPENSSL_ARM && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP > Index: security/boringssl/head/patches/patch-crypto_fipsmodule_rand_urandom_c > =================================================================== > RCS file: > security/boringssl/head/patches/patch-crypto_fipsmodule_rand_urandom_c > diff -N security/boringssl/head/patches/patch-crypto_fipsmodule_rand_urandom_c 
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ security/boringssl/head/patches/patch-crypto_fipsmodule_rand_urandom_c > 28 Apr 2023 15:59:06 -0000
> @@ -0,0 +1,28 @@
> +Index: crypto/fipsmodule/rand/urandom.c
> +--- crypto/fipsmodule/rand/urandom.c.orig
> ++++ crypto/fipsmodule/rand/urandom.c
> +@@ -68,6 +68,12 @@
> + #include <sys/random.h>
> + #endif
> +
> ++#if defined(OPENSSL_OPENBSD)
> ++// getentropy exists in any supported version of OpenBSD
> ++#define OPENBSD_GETENTROPY
> ++#include <unistd.h>
> ++#endif
> ++
> + #include <openssl/thread.h>
> + #include <openssl/mem.h>
> +
> +@@ -300,6 +306,11 @@ static int fill_with_entropy(uint8_t *out, size_t len,
> + r = boringssl_getrandom(out, len, getrandom_flags);
> + #elif defined(FREEBSD_GETRANDOM)
> + r = getrandom(out, len, getrandom_flags);
> ++#elif defined(OPENBSD_GETENTROPY)
> ++ {
> ++ size_t todo = len <= 256 ? len : 256;
> ++ return getentropy(out, todo) != 0 ? -1 : (ssize_t)todo;
> ++ }
> + #elif defined(OPENSSL_MACOS)
> + if (__builtin_available(macos 10.12, *)) {
> + // |getentropy| can only request 256 bytes at a time.
> Index: security/boringssl/head/patches/patch-include_openssl_base_h
> ===================================================================
> RCS file: security/boringssl/head/patches/patch-include_openssl_base_h
> diff -N security/boringssl/head/patches/patch-include_openssl_base_h
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ security/boringssl/head/patches/patch-include_openssl_base_h 28 Apr > 2023 15:59:06 -0000
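Review bot: The added `OPENBSD_GETENTROPY` branch in the second `urandom.c` hunk returns from `fill_with_entropy` instead of assigning `r`, which is what the `boringssl_getrandom` and `getrandom` branches beside it do. If the code after this `#if` chain advances `out` and `len` by `r` and the function reports success as a nonzero value (both are outside the hunk and should be confirmed), a request longer than 256 bytes returns with only the first 256 bytes filled. A `getentropy` failure would also return -1, which a caller testing for zero would read as success. Keeping the 256-byte cap but assigning the result avoids both: `r = getentropy(out, todo) != 0 ? -1 : (ssize_t)todo;`. The function begins and ends outside the hunk.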
> @@ -0,0 +1,14 @@
> +Index: include/openssl/base.h
> +--- include/openssl/base.h.orig
> ++++ include/openssl/base.h
> +@@ -164,6 +164,10 @@ extern "C" {
> + #define OPENSSL_FREEBSD
> + #endif
> +
> ++#if defined(__OpenBSD__)
> ++#define OPENSSL_OPENBSD
> ++#endif
> ++
> + // BoringSSL requires platform's locking APIs to make internal global state
> + // thread-safe, including the PRNG. On some single-threaded embedded > platforms,
> + // locking APIs may not exist, so this dependency may be disabled with the
> Index: security/boringssl/head/patches/patch-include_openssl_thread_h
> ===================================================================
> RCS file: security/boringssl/head/patches/patch-include_openssl_thread_h
> diff -N security/boringssl/head/patches/patch-include_openssl_thread_h
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ security/boringssl/head/patches/patch-include_openssl_thread_h 28 Apr > 2023 15:59:06 -0000
> @@ -0,0 +1,11 @@
> +Index: include/openssl/thread.h
> +--- include/openssl/thread.h.orig
> ++++ include/openssl/thread.h
> +@@ -78,6 +78,7 @@ typedef union crypto_mutex_st {
> + void *handle;
> + } CRYPTO_MUTEX;
> + #elif !defined(__GLIBC__)
> ++#include <pthread.h>
> + typedef pthread_rwlock_t CRYPTO_MUTEX;
> + #else
> + // On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't
> Index: security/boringssl/head/pkg/DESCR
> ===================================================================
> RCS file: security/boringssl/head/pkg/DESCR
> diff -N security/boringssl/head/pkg/DESCR
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ security/boringssl/head/pkg/DESCR 28 Apr 2023 15:59:06 -0000
> @@ -0,0 +1,4 @@
> +Although BoringSSL is an open source project, it is not intended for
> +general use, as OpenSSL is. We don't recommend that third parties
> +depend upon it. Doing so is likely to be frustrating because there are
> +no guarantees of API or ABI stability.
> Index: security/boringssl/head/pkg/PLIST
> ===================================================================
> RCS file: security/boringssl/head/pkg/PLIST
> diff -N security/boringssl/head/pkg/PLIST
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ security/boringssl/head/pkg/PLIST 28 Apr 2023 15:59:06 -0000
> @@ -0,0 +1,101 @@ > +@conflict boringssl-fips-* > +@conflict boringssl-2* > +@pkgpath security/boringssl > +@option is-branch > +eboringssl/ > +eboringssl/bin/ > +@bin eboringssl/bin/bssl > +eboringssl/include/ > +eboringssl/include/openssl/ > +eboringssl/include/openssl/aead.h > +eboringssl/include/openssl/aes.h > +eboringssl/include/openssl/arm_arch.h > +eboringssl/include/openssl/asn1.h > +eboringssl/include/openssl/asn1_mac.h > +eboringssl/include/openssl/asn1t.h > +eboringssl/include/openssl/base.h > +eboringssl/include/openssl/base64.h > +eboringssl/include/openssl/bio.h > +eboringssl/include/openssl/blake2.h > +eboringssl/include/openssl/blowfish.h > +eboringssl/include/openssl/bn.h > +eboringssl/include/openssl/buf.h > +eboringssl/include/openssl/buffer.h > +eboringssl/include/openssl/bytestring.h > +eboringssl/include/openssl/cast.h > +eboringssl/include/openssl/chacha.h > +eboringssl/include/openssl/cipher.h > +eboringssl/include/openssl/cmac.h > +eboringssl/include/openssl/conf.h > +eboringssl/include/openssl/cpu.h > +eboringssl/include/openssl/crypto.h > +eboringssl/include/openssl/ctrdrbg.h > +eboringssl/include/openssl/curve25519.h > +eboringssl/include/openssl/des.h > +eboringssl/include/openssl/dh.h > +eboringssl/include/openssl/digest.h > +eboringssl/include/openssl/dsa.h > +eboringssl/include/openssl/dtls1.h > +eboringssl/include/openssl/e_os2.h > +eboringssl/include/openssl/ec.h > +eboringssl/include/openssl/ec_key.h > +eboringssl/include/openssl/ecdh.h > +eboringssl/include/openssl/ecdsa.h > +eboringssl/include/openssl/engine.h > +eboringssl/include/openssl/err.h > +eboringssl/include/openssl/evp.h > +eboringssl/include/openssl/evp_errors.h > +eboringssl/include/openssl/ex_data.h > +eboringssl/include/openssl/hkdf.h > +eboringssl/include/openssl/hmac.h > +eboringssl/include/openssl/hpke.h > +eboringssl/include/openssl/hrss.h > +eboringssl/include/openssl/is_boringssl.h > +eboringssl/include/openssl/kdf.h > +eboringssl/include/openssl/kyber.h > 
+eboringssl/include/openssl/lhash.h > +eboringssl/include/openssl/md4.h > +eboringssl/include/openssl/md5.h > +eboringssl/include/openssl/mem.h > +eboringssl/include/openssl/nid.h > +eboringssl/include/openssl/obj.h > +eboringssl/include/openssl/obj_mac.h > +eboringssl/include/openssl/objects.h > +eboringssl/include/openssl/opensslconf.h > +eboringssl/include/openssl/opensslv.h > +eboringssl/include/openssl/ossl_typ.h > +eboringssl/include/openssl/pem.h > +eboringssl/include/openssl/pkcs12.h > +eboringssl/include/openssl/pkcs7.h > +eboringssl/include/openssl/pkcs8.h > +eboringssl/include/openssl/poly1305.h > +eboringssl/include/openssl/pool.h > +eboringssl/include/openssl/rand.h > +eboringssl/include/openssl/rc4.h > +eboringssl/include/openssl/ripemd.h > +eboringssl/include/openssl/rsa.h > +eboringssl/include/openssl/safestack.h > +eboringssl/include/openssl/service_indicator.h > +eboringssl/include/openssl/sha.h > +eboringssl/include/openssl/siphash.h > +eboringssl/include/openssl/span.h > +eboringssl/include/openssl/srtp.h > +eboringssl/include/openssl/ssl.h > +eboringssl/include/openssl/ssl3.h > +eboringssl/include/openssl/stack.h > +eboringssl/include/openssl/thread.h > +eboringssl/include/openssl/time.h > +eboringssl/include/openssl/tls1.h > +eboringssl/include/openssl/trust_token.h > +eboringssl/include/openssl/type_check.h > +eboringssl/include/openssl/x509.h > +eboringssl/include/openssl/x509_vfy.h > +eboringssl/include/openssl/x509v3.h > +eboringssl/lib/ > +eboringssl/lib/cmake/ > +eboringssl/lib/cmake/OpenSSL/ > +eboringssl/lib/cmake/OpenSSL/OpenSSLConfig.cmake > +eboringssl/lib/cmake/OpenSSL/OpenSSLTargets${MODCMAKE_BUILD_SUFFIX} > +eboringssl/lib/cmake/OpenSSL/OpenSSLTargets.cmake > +@static-lib eboringssl/lib/libcrypto.a > +@static-lib eboringssl/lib/libssl.a > Index: security/boringssl/patches/patch-CMakeLists_txt > =================================================================== > RCS file: security/boringssl/patches/patch-CMakeLists_txt > diff -N 
security/boringssl/patches/patch-CMakeLists_txt > --- security/boringssl/patches/patch-CMakeLists_txt 25 Apr 2023 19:16:30 > -0000 1.1.1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,12 +0,0 @@ > -Index: CMakeLists.txt > ---- CMakeLists.txt.orig > -+++ CMakeLists.txt > -@@ -139,7 +139,7 @@ set(CMAKE_C_STANDARD_REQUIRED ON) > - if(CMAKE_COMPILER_IS_GNUCXX OR CLANG) > - # Note clang-cl is odd and sets both CLANG and MSVC. We base our > configuration > - # primarily on our normal Clang one. > -- set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare > -Wmissing-field-initializers -Wwrite-strings -Wvla -Wshadow -Wtype-limits") > -+ set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare > -Wmissing-field-initializers -Wwrite-strings -Wshadow -Wtype-limits") > - if(MSVC) > - # clang-cl sets different default warnings than clang. It also treats > -Wall > - # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall. > Index: security/boringssl/patches/patch-crypto_CMakeLists_txt > =================================================================== > RCS file: security/boringssl/patches/patch-crypto_CMakeLists_txt > diff -N security/boringssl/patches/patch-crypto_CMakeLists_txt > --- security/boringssl/patches/patch-crypto_CMakeLists_txt 25 Apr 2023 > 19:16:30 -0000 1.1.1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,16 +0,0 @@ > -Index: crypto/CMakeLists.txt > ---- crypto/CMakeLists.txt.orig > -+++ crypto/CMakeLists.txt > -@@ -126,10 +126,12 @@ add_library( > - conf/conf.c > - cpu_aarch64_apple.c > - cpu_aarch64_freebsd.c > -+ cpu_aarch64_openbsd.c > - cpu_aarch64_fuchsia.c > - cpu_aarch64_linux.c > - cpu_aarch64_win.c > - cpu_arm_freebsd.c > -+ cpu_arm_openbsd.c > - cpu_arm_linux.c > - cpu_arm.c > - cpu_intel.c > Index: security/boringssl/patches/patch-crypto_cpu_aarch64_openbsd_c > =================================================================== > RCS file: security/boringssl/patches/patch-crypto_cpu_aarch64_openbsd_c > diff -N security/boringssl/patches/patch-crypto_cpu_aarch64_openbsd_c > --- security/boringssl/patches/patch-crypto_cpu_aarch64_openbsd_c 25 Apr > 2023 19:16:30 -0000 1.1.1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,61 +0,0 @@ > -Index: crypto/cpu_aarch64_openbsd.c > ---- crypto/cpu_aarch64_openbsd.c.orig > -+++ crypto/cpu_aarch64_openbsd.c > -@@ -0,0 +1,57 @@ > -+/* Copyright (c) 2022, Robert Nagy <rob...@openbsd.org> > -+ * > -+ * Permission to use, copy, modify, and/or distribute this software for any > -+ * purpose with or without fee is hereby granted, provided that the above > -+ * copyright notice and this permission notice appear in all copies. > -+ * > -+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES > -+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > -+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR > ANY > -+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > ACTION > -+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN > -+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ > -+ > -+#include <openssl/cpu.h> > -+ > -+#if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && \ > -+ !defined(OPENSSL_STATIC_ARMCAP) > -+ > -+#include <sys/sysctl.h> > -+#include <machine/cpu.h> > -+#include <machine/armreg.h> > -+#include <stdio.h> > -+ > -+#include <openssl/arm_arch.h> > -+ > -+#include "internal.h" > -+ > -+extern uint32_t OPENSSL_armcap_P; > -+ > -+void OPENSSL_cpuid_setup(void) { > -+ int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 }; > -+ size_t len = sizeof(uint64_t); > -+ uint64_t cpu_id = 0; > -+ > -+ if (sysctl(isar0_mib, 2, &cpu_id, &len, NULL, 0) < 0) > -+ return; > -+ > -+ OPENSSL_armcap_P |= ARMV7_NEON; > -+ > -+ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_BASE) > -+ OPENSSL_armcap_P |= ARMV8_AES; > -+ > -+ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_PMULL) > -+ OPENSSL_armcap_P |= ARMV8_PMULL; > -+ > -+ if (ID_AA64ISAR0_SHA1(cpu_id) >= ID_AA64ISAR0_SHA1_BASE) > -+ OPENSSL_armcap_P |= ARMV8_SHA1; > -+ > -+ if 
(ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_BASE) > -+ OPENSSL_armcap_P |= ARMV8_SHA256; > -+ > -+ if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_512) > -+ OPENSSL_armcap_P |= ARMV8_SHA512; > -+} > -+ > -+#endif // OPENSSL_AARCH64 && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP > Index: security/boringssl/patches/patch-crypto_cpu_arm_openbsd_c > =================================================================== > RCS file: security/boringssl/patches/patch-crypto_cpu_arm_openbsd_c > diff -N security/boringssl/patches/patch-crypto_cpu_arm_openbsd_c > --- security/boringssl/patches/patch-crypto_cpu_arm_openbsd_c 25 Apr 2023 > 19:16:30 -0000 1.1.1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,38 +0,0 @@ > -Index: crypto/cpu_arm_openbsd.c > ---- crypto/cpu_arm_openbsd.c.orig > -+++ crypto/cpu_arm_openbsd.c > -@@ -0,0 +1,34 @@ > -+/* Copyright (c) 2023, Google Inc. > -+ * > -+ * Permission to use, copy, modify, and/or distribute this software for any > -+ * purpose with or without fee is hereby granted, provided that the above > -+ * copyright notice and this permission notice appear in all copies. > -+ * > -+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES > -+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > -+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR > ANY > -+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > ACTION > -+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN > -+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ > -+ > -+#include "internal.h" > -+ > -+#if defined(OPENSSL_ARM) && defined(OPENSSL_OPENBSD) && \ > -+ !defined(OPENSSL_STATIC_ARMCAP) > -+#include <stdio.h> > -+ > -+#include <openssl/arm_arch.h> > -+ > -+extern uint32_t OPENSSL_armcap_P; > -+ > -+void OPENSSL_cpuid_setup(void) { > -+ unsigned long hwcap = 0, hwcap2 = 0; > -+ > -+ // OpenBSD does not support arm32 machines without NEON > -+ OPENSSL_armcap_P |= ARMV7_NEON; > -+ > -+ // OpenBSD does not support v8 features on non aarch64 > -+} > -+ > -+#endif // OPENSSL_ARM && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP > Index: security/boringssl/patches/patch-crypto_fipsmodule_rand_urandom_c > =================================================================== > RCS file: security/boringssl/patches/patch-crypto_fipsmodule_rand_urandom_c > diff -N security/boringssl/patches/patch-crypto_fipsmodule_rand_urandom_c > --- security/boringssl/patches/patch-crypto_fipsmodule_rand_urandom_c 25 Apr > 2023 19:16:30 -0000 1.1.1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,28 +0,0 @@ > -Index: crypto/fipsmodule/rand/urandom.c > ---- crypto/fipsmodule/rand/urandom.c.orig > -+++ crypto/fipsmodule/rand/urandom.c > -@@ -68,6 +68,12 @@ > - #include <sys/random.h> > - #endif > - > -+#if defined(OPENSSL_OPENBSD) > -+// getentropy exists in any supported version of OpenBSD > -+#define OPENBSD_GETENTROPY > -+#include <unistd.h> > -+#endif > -+ > - #include <openssl/thread.h> > - #include <openssl/mem.h> > - > -@@ -300,6 +306,11 @@ static int fill_with_entropy(uint8_t *out, size_t len, > - r = boringssl_getrandom(out, len, getrandom_flags); > - #elif defined(FREEBSD_GETRANDOM) > - r = getrandom(out, len, getrandom_flags); > -+#elif defined(OPENBSD_GETENTROPY) > -+ { > -+ size_t todo = len <= 256 ? len : 256; > -+ return getentropy(out, todo) != 0 ? -1 : (ssize_t)todo; > -+ } > - #elif defined(OPENSSL_MACOS) > - if (__builtin_available(macos 10.12, *)) { > - // |getentropy| can only request 256 bytes at a time. > Index: security/boringssl/patches/patch-include_openssl_base_h > =================================================================== > RCS file: security/boringssl/patches/patch-include_openssl_base_h > diff -N security/boringssl/patches/patch-include_openssl_base_h > --- security/boringssl/patches/patch-include_openssl_base_h 25 Apr 2023 > 19:16:30 -0000 1.1.1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,14 +0,0 @@ > -Index: include/openssl/base.h > ---- include/openssl/base.h.orig > -+++ include/openssl/base.h > -@@ -164,6 +164,10 @@ extern "C" { > - #define OPENSSL_FREEBSD > - #endif > - > -+#if defined(__OpenBSD__) > -+#define OPENSSL_OPENBSD > -+#endif > -+ > - // BoringSSL requires platform's locking APIs to make internal global state > - // thread-safe, including the PRNG. On some single-threaded embedded > platforms, > - // locking APIs may not exist, so this dependency may be disabled with the > Index: security/boringssl/patches/patch-include_openssl_thread_h > =================================================================== > RCS file: security/boringssl/patches/patch-include_openssl_thread_h > diff -N security/boringssl/patches/patch-include_openssl_thread_h > --- security/boringssl/patches/patch-include_openssl_thread_h 25 Apr 2023 > 19:16:30 -0000 1.1.1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,11 +0,0 @@ > -Index: include/openssl/thread.h > ---- include/openssl/thread.h.orig > -+++ include/openssl/thread.h > -@@ -78,6 +78,7 @@ typedef union crypto_mutex_st { > - void *handle; > - } CRYPTO_MUTEX; > - #elif !defined(__GLIBC__) > -+#include <pthread.h> > - typedef pthread_rwlock_t CRYPTO_MUTEX; > - #else > - // On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't > Index: security/boringssl/pkg/DESCR > =================================================================== > RCS file: security/boringssl/pkg/DESCR > diff -N security/boringssl/pkg/DESCR > --- security/boringssl/pkg/DESCR 25 Apr 2023 19:16:30 -0000 1.1.1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,4 +0,0 @@ > -Although BoringSSL is an open source project, it is not intended for > -general use, as OpenSSL is. We don't recommend that third parties > -depend upon it. Doing so is likely to be frustrating because there are > -no guarantees of API or ABI stability. > Index: security/boringssl/pkg/PLIST > =================================================================== > RCS file: security/boringssl/pkg/PLIST > diff -N security/boringssl/pkg/PLIST > --- security/boringssl/pkg/PLIST 25 Apr 2023 19:16:30 -0000 1.1.1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,97 +0,0 @@ > -eboringssl/ > -eboringssl/bin/ > -@bin eboringssl/bin/bssl > -eboringssl/include/ > -eboringssl/include/openssl/ > -eboringssl/include/openssl/aead.h > -eboringssl/include/openssl/aes.h > -eboringssl/include/openssl/arm_arch.h > -eboringssl/include/openssl/asn1.h > -eboringssl/include/openssl/asn1_mac.h > -eboringssl/include/openssl/asn1t.h > -eboringssl/include/openssl/base.h > -eboringssl/include/openssl/base64.h > -eboringssl/include/openssl/bio.h > -eboringssl/include/openssl/blake2.h > -eboringssl/include/openssl/blowfish.h > -eboringssl/include/openssl/bn.h > -eboringssl/include/openssl/buf.h > -eboringssl/include/openssl/buffer.h > -eboringssl/include/openssl/bytestring.h > -eboringssl/include/openssl/cast.h > -eboringssl/include/openssl/chacha.h > -eboringssl/include/openssl/cipher.h > -eboringssl/include/openssl/cmac.h > -eboringssl/include/openssl/conf.h > -eboringssl/include/openssl/cpu.h > -eboringssl/include/openssl/crypto.h > -eboringssl/include/openssl/ctrdrbg.h > -eboringssl/include/openssl/curve25519.h > -eboringssl/include/openssl/des.h > -eboringssl/include/openssl/dh.h > -eboringssl/include/openssl/digest.h > -eboringssl/include/openssl/dsa.h > -eboringssl/include/openssl/dtls1.h > -eboringssl/include/openssl/e_os2.h > -eboringssl/include/openssl/ec.h > -eboringssl/include/openssl/ec_key.h > -eboringssl/include/openssl/ecdh.h > -eboringssl/include/openssl/ecdsa.h > -eboringssl/include/openssl/engine.h > -eboringssl/include/openssl/err.h > -eboringssl/include/openssl/evp.h > -eboringssl/include/openssl/evp_errors.h > -eboringssl/include/openssl/ex_data.h > -eboringssl/include/openssl/hkdf.h > -eboringssl/include/openssl/hmac.h > -eboringssl/include/openssl/hpke.h > -eboringssl/include/openssl/hrss.h > -eboringssl/include/openssl/is_boringssl.h > -eboringssl/include/openssl/kdf.h > -eboringssl/include/openssl/kyber.h > -eboringssl/include/openssl/lhash.h > -eboringssl/include/openssl/md4.h > -eboringssl/include/openssl/md5.h 
> -eboringssl/include/openssl/mem.h > -eboringssl/include/openssl/nid.h > -eboringssl/include/openssl/obj.h > -eboringssl/include/openssl/obj_mac.h > -eboringssl/include/openssl/objects.h > -eboringssl/include/openssl/opensslconf.h > -eboringssl/include/openssl/opensslv.h > -eboringssl/include/openssl/ossl_typ.h > -eboringssl/include/openssl/pem.h > -eboringssl/include/openssl/pkcs12.h > -eboringssl/include/openssl/pkcs7.h > -eboringssl/include/openssl/pkcs8.h > -eboringssl/include/openssl/poly1305.h > -eboringssl/include/openssl/pool.h > -eboringssl/include/openssl/rand.h > -eboringssl/include/openssl/rc4.h > -eboringssl/include/openssl/ripemd.h > -eboringssl/include/openssl/rsa.h > -eboringssl/include/openssl/safestack.h > -eboringssl/include/openssl/service_indicator.h > -eboringssl/include/openssl/sha.h > -eboringssl/include/openssl/siphash.h > -eboringssl/include/openssl/span.h > -eboringssl/include/openssl/srtp.h > -eboringssl/include/openssl/ssl.h > -eboringssl/include/openssl/ssl3.h > -eboringssl/include/openssl/stack.h > -eboringssl/include/openssl/thread.h > -eboringssl/include/openssl/time.h > -eboringssl/include/openssl/tls1.h > -eboringssl/include/openssl/trust_token.h > -eboringssl/include/openssl/type_check.h > -eboringssl/include/openssl/x509.h > -eboringssl/include/openssl/x509_vfy.h > -eboringssl/include/openssl/x509v3.h > -eboringssl/lib/ > -eboringssl/lib/cmake/ > -eboringssl/lib/cmake/OpenSSL/ > -eboringssl/lib/cmake/OpenSSL/OpenSSLConfig.cmake > -eboringssl/lib/cmake/OpenSSL/OpenSSLTargets${MODCMAKE_BUILD_SUFFIX} > -eboringssl/lib/cmake/OpenSSL/OpenSSLTargets.cmake > -@static-lib eboringssl/lib/libcrypto.a > -@static-lib eboringssl/lib/libssl.a >