On Fri, Apr 28, 2023 at 05:46:03PM +0100, Stuart Henderson wrote: > Haven't checked (I'm away for the weekend) but I don't think "+@conflict > boringssl-2*" will work, it should follow packages-specs(7) syntax. Probably > just "@conflict boringssl-*" or alternatively just call the package for head > "boringssl" as before and don't bother with the @conflict or quirks just the > @pkgpath. > > Would it be worth installing fips under a different dir/filenames so the two > don't conflict? >
Yes, the agreement is this is fine, which makes things much simpler this keeps the head named boringssl-foo and makes fips named boringssl-fips-foo ok?
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/boringssl/Makefile,v
retrieving revision 1.5
diff -u -p -u -p -r1.5 Makefile
--- Makefile 26 Apr 2023 15:10:07 -0000 1.5
+++ Makefile 28 Apr 2023 16:00:04 -0000
@@ -1,52 +1,5 @@ -NOT_FOR_ARCHS = ${BE_ARCHS} +SUBDIR = +SUBDIR += fips +SUBDIR += head -COMMENT = fork of OpenSSL that is designed to meet Google's needs - -GH_ACCOUNT = google -GH_PROJECT = boringssl -GH_COMMIT = de2d610a341f5a4b8c222425890537cb84c91400 -DISTNAME = boringssl-20230425 - -MASTER_SITES0 = https://proxy.golang.org/ - -DISTFILES += ${GH_DISTFILE} -# can't use GH_DISTFILE because EXTRACT_ONLY does not understand DISTFILES {} -EXTRACT_ONLY = ${DISTNAME}-${GH_COMMIT:C/(........).*/\1/}${EXTRACT_SUFX} - -BORING_GOMOD += golang.org/x/crypto v0.6.0 -BORING_GOMOD += golang.org/x/net v0.7.0 -BORING_GOMOD += golang.org/x/sys v0.5.0 -BORING_GOMOD += golang.org/x/term v0.5.0 - -.for _modpath _modver in ${BORING_GOMOD} -DISTFILES += go_modules/{}${_modpath}/@v/${_modver}.zip:0 -DISTFILES += go_modules/{}${_modpath}/@v/${_modver}.mod:0 -.endfor - -CATEGORIES = security - -MAINTAINER = Bob Beck <b...@openbsd.org>, \ - Theo Buehler <t...@openbsd.org> - -# ISC -PERMIT_PACKAGE = Yes - -WANTLIB += ${COMPILER_LIBCXX} c m - -# C++14 -COMPILER = base-clang ports-gcc - -MODULES = devel/cmake -CONFIGURE_ARGS += -DCMAKE_INSTALL_PREFIX=${PREFIX}/eboringssl - -BUILD_DEPENDS = lang/go - -PORTHOME = ${WRKDIR} -TEST_ENV = GOPROXY=file://${FULLDISTDIR}/go_modules - -FIX_CLEANUP_PERMISSIONS = Yes - -do-test: - ${SETENV} ${ALL_TEST_ENV} ninja -C ${WRKBUILD} -j ${MAKE_JOBS} run_tests - -.include <bsd.port.mk> +.include <bsd.port.subdir.mk> Index: distinfo =================================================================== RCS file: distinfo diff -N distinfo --- distinfo 26 Apr 2023 14:55:23 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,18 +0,0 @@ -SHA256 (boringssl-20230425-de2d610a.tar.gz) = 2Bu5eOgBxqNUcTDevIpOjPGgJ/GBatu1ZtbVDTCDppQ= -SHA256 (go_modules/golang.org/x/crypto/@v/v0.6.0.mod) = G2poNFWjuIK2rFPyJ1KWDoe9kQQKlNbyxcthJh4jidg= -SHA256 (go_modules/golang.org/x/crypto/@v/v0.6.0.zip) = gcqIrzcc/1qERCuijiPY9CzME4fI/hUuVeh7pK+eGsc= -SHA256 (go_modules/golang.org/x/net/@v/v0.7.0.mod) = Qex26iFy8+4wMeOPmlNZOaWE1rs170gIVP3LjCAmcBs= -SHA256 (go_modules/golang.org/x/net/@v/v0.7.0.zip) = BgVSBkUmqQrJsL3OK6CrNFkt7MlCjRRBw8lyL4U80pA= -SHA256 (go_modules/golang.org/x/sys/@v/v0.5.0.mod) = 8DMzMJb+GY8xUd7tk/LeunTlC7/nc5E0BFvDt85KUCQ= -SHA256 (go_modules/golang.org/x/sys/@v/v0.5.0.zip) = z0czasG/Z1+m1t1axTmbAUPFE0BMRJ+j8zgKWBI8eQg= -SHA256 (go_modules/golang.org/x/term/@v/v0.5.0.mod) = DW9YIoqtwaZSjmdV2gGFFlZuOuXFIB963hdz9W+o2TQ= -SHA256 (go_modules/golang.org/x/term/@v/v0.5.0.zip) = fYnEmrQTBpUBKKD0t8Z/uOLS9jfs6OAk5s840XozGTs= -SIZE (boringssl-20230425-de2d610a.tar.gz) = 32281549 -SIZE (go_modules/golang.org/x/crypto/@v/v0.6.0.mod) = 171 -SIZE (go_modules/golang.org/x/crypto/@v/v0.6.0.zip) = 1761232 -SIZE (go_modules/golang.org/x/net/@v/v0.7.0.mod) = 123 -SIZE (go_modules/golang.org/x/net/@v/v0.7.0.zip) = 1559354 -SIZE (go_modules/golang.org/x/sys/@v/v0.5.0.mod) = 33 -SIZE (go_modules/golang.org/x/sys/@v/v0.5.0.zip) = 1886681 -SIZE (go_modules/golang.org/x/term/@v/v0.5.0.mod) = 67 -SIZE (go_modules/golang.org/x/term/@v/v0.5.0.zip) = 19924 Index: fips/Makefile =================================================================== RCS file: fips/Makefile diff -N fips/Makefile --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ fips/Makefile 28 Apr 2023 16:59:05 -0000 
@@ -0,0 +1,31 @@
+NOT_FOR_ARCHS = ${BE_ARCHS}
+
+COMMENT = fork of OpenSSL that is designed to meet Google's needs
+
+GH_ACCOUNT = google
+GH_PROJECT = boringssl
+GH_COMMIT = 0c6f40132b828e92ba365c6b7680e32820c63fa7
+DISTNAME = boringssl-fips-20220613
+
+CATEGORIES = security
+
+MAINTAINER = Bob Beck <b...@openbsd.org>, \
+ Theo Buehler <t...@openbsd.org>
+
+# ISC
+PERMIT_PACKAGE = Yes
+
+WANTLIB += ${COMPILER_LIBCXX} c m
+
+# C++14
+COMPILER = base-clang ports-gcc
+
+MODULES = devel/cmake
+CONFIGURE_ARGS += -DCMAKE_INSTALL_PREFIX=${PREFIX}/eboringssl-fips
+
+# XXX picked up for tests, needs more love
+BUILD_DEPENDS = lang/go
+
+PORTHOME = ${WRKSRC}
+
+.include <bsd.port.mk>
Index: fips/distinfo
===================================================================
RCS file: fips/distinfo
diff -N fips/distinfo
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fips/distinfo 28 Apr 2023 15:59:02 -0000
@@ -0,0 +1,2 @@
+SHA256 (boringssl-fips-20220613-0c6f4013.tar.gz) = 74Cpfr7wVFH9ONvafKkwSW+uetEI8yA/iAXwjCXJSlE=
+SIZE (boringssl-fips-20220613-0c6f4013.tar.gz) = 30902288
Index: fips/patches/patch-CMakeLists_txt
===================================================================
RCS file: fips/patches/patch-CMakeLists_txt
diff -N fips/patches/patch-CMakeLists_txt
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fips/patches/patch-CMakeLists_txt 28 Apr 2023 15:59:02 -0000
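Review bot: fips/Makefile keeps `BUILD_DEPENDS = lang/go` but has no `do-test` target, no `TEST_ENV`, and none of the checksummed go_modules distfiles that the removed top-level Makefile carried. As written the port does not appear to run the upstream test suite, which is a notable gap for the FIPS branch of a crypto library, and nothing visible pins Go inputs should any build step invoke `go`; the `XXX` comment suggests this is known. Either restore the `BORING_GOMOD` distfiles together with `TEST_ENV = GOPROXY=file://${FULLDISTDIR}/go_modules` and the `do-test` target, or drop the Go dependency until tests are wired up. head/Makefile has the same shape.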
@@ -0,0 +1,12 @@
+Index: CMakeLists.txt
+--- CMakeLists.txt.orig
++++ CMakeLists.txt
+@@ -132,7 +132,7 @@ endif()
+ if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)
+ # Note clang-cl is odd and sets both CLANG and MSVC. We base our configuration
+ # primarily on our normal Clang one.
+- set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wvla -Wshadow")
++ set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wshadow")
+ if(MSVC)
+ # clang-cl sets different default warnings than clang. It also treats -Wall
+ # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall.
Index: fips/patches/patch-crypto_CMakeLists_txt
===================================================================
RCS file: fips/patches/patch-crypto_CMakeLists_txt
diff -N fips/patches/patch-crypto_CMakeLists_txt
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fips/patches/patch-crypto_CMakeLists_txt 28 Apr 2023 15:59:02 -0000
@@ -0,0 +1,14 @@
+Index: crypto/CMakeLists.txt
+--- crypto/CMakeLists.txt.orig
++++ crypto/CMakeLists.txt
+@@ -266,8 +266,10 @@ add_library(
+ cpu_aarch64_apple.c
+ cpu_aarch64_fuchsia.c
+ cpu_aarch64_linux.c
++ cpu_aarch64_openbsd.c
+ cpu_aarch64_win.c
+ cpu_arm_linux.c
++ cpu_arm_openbsd.c
+ cpu_arm.c
+ cpu_intel.c
+ cpu_ppc64le.c
Index: fips/patches/patch-crypto_cpu_aarch64_openbsd_c
===================================================================
RCS file: fips/patches/patch-crypto_cpu_aarch64_openbsd_c
diff -N fips/patches/patch-crypto_cpu_aarch64_openbsd_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fips/patches/patch-crypto_cpu_aarch64_openbsd_c 28 Apr 2023 15:59:02 -0000
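Review bot: The patch to the top-level CMakeLists.txt drops `-Wvla` from `C_CXX_FLAGS` without recording why, and the patch file carries no explanatory comment. Since `-Werror` stays in the flag string, this presumably works around a variable-length-array diagnostic on OpenBSD, but the trigger is not visible here. A one-line note at the top of the patch file, for example `Drop -Wvla: <which header or source file trips it>`, would let the next updater check whether the workaround is still needed instead of carrying it forward blindly. The `if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)` block continues beyond the hunk, and head/patches/patch-CMakeLists_txt makes the same change.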
@@ -0,0 +1,61 @@ +Index: crypto/cpu_aarch64_openbsd.c +--- crypto/cpu_aarch64_openbsd.c.orig ++++ crypto/cpu_aarch64_openbsd.c +@@ -0,0 +1,57 @@ ++/* Copyright (c) 2022, Robert Nagy <rob...@openbsd.org> ++ * ++ * Permission to use, copy, modify, and/or distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY ++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION ++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN ++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ ++ ++#include <openssl/cpu.h> ++ ++#if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && \ ++ !defined(OPENSSL_STATIC_ARMCAP) ++ ++#include <sys/sysctl.h> ++#include <machine/cpu.h> ++#include <machine/armreg.h> ++#include <stdio.h> ++ ++#include <openssl/arm_arch.h> ++ ++#include "internal.h" ++ ++extern uint32_t OPENSSL_armcap_P; ++ ++void OPENSSL_cpuid_setup(void) { ++ int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 }; ++ size_t len = sizeof(uint64_t); ++ uint64_t cpu_id = 0; ++ ++ if (sysctl(isar0_mib, 2, &cpu_id, &len, NULL, 0) < 0) ++ return; ++ ++ OPENSSL_armcap_P |= ARMV7_NEON; ++ ++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_BASE) ++ OPENSSL_armcap_P |= ARMV8_AES; ++ ++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_PMULL) ++ OPENSSL_armcap_P |= ARMV8_PMULL; ++ ++ if (ID_AA64ISAR0_SHA1(cpu_id) >= ID_AA64ISAR0_SHA1_BASE) ++ OPENSSL_armcap_P |= ARMV8_SHA1; ++ ++ if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_BASE) ++ OPENSSL_armcap_P |= ARMV8_SHA256; ++ ++ if (ID_AA64ISAR0_SHA2(cpu_id) >= 
ID_AA64ISAR0_SHA2_512) ++ OPENSSL_armcap_P |= ARMV8_SHA512; ++} ++ ++#endif // OPENSSL_AARCH64 && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP Index: fips/patches/patch-crypto_cpu_arm_openbsd_c =================================================================== RCS file: fips/patches/patch-crypto_cpu_arm_openbsd_c diff -N fips/patches/patch-crypto_cpu_arm_openbsd_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ fips/patches/patch-crypto_cpu_arm_openbsd_c 28 Apr 2023 15:59:02 -0000 
@@ -0,0 +1,38 @@
+Index: crypto/cpu_arm_openbsd.c
+--- crypto/cpu_arm_openbsd.c.orig
++++ crypto/cpu_arm_openbsd.c
+@@ -0,0 +1,34 @@
++/* Copyright (c) 2023, Google Inc.
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
++
++#include "internal.h"
++
++#if defined(OPENSSL_ARM) && defined(OPENSSL_OPENBSD) && \
++ !defined(OPENSSL_STATIC_ARMCAP)
++#include <stdio.h>
++
++#include <openssl/arm_arch.h>
++
++extern uint32_t OPENSSL_armcap_P;
++
++void OPENSSL_cpuid_setup(void) {
++ unsigned long hwcap = 0, hwcap2 = 0;
++
++ // OpenBSD does not support arm32 machines without NEON
++ OPENSSL_armcap_P |= ARMV7_NEON;
++
++ // OpenBSD does not support v8 features on non aarch64
++}
++
++#endif // OPENSSL_ARM && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP
Index: fips/patches/patch-crypto_fipsmodule_rand_urandom_c
===================================================================
RCS file: fips/patches/patch-crypto_fipsmodule_rand_urandom_c
diff -N fips/patches/patch-crypto_fipsmodule_rand_urandom_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fips/patches/patch-crypto_fipsmodule_rand_urandom_c 28 Apr 2023 15:59:02 -0000
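Review bot: `unsigned long hwcap = 0, hwcap2 = 0;` in the new `OPENSSL_cpuid_setup` of crypto/cpu_arm_openbsd.c is never read, and the `<stdio.h>` include is unused as well. The CMakeLists.txt patch in this same diff keeps `-Werror` in `C_CXX_FLAGS`, so if unused-variable warnings are enabled elsewhere in that file (not visible here) the 32-bit arm build would fail on this declaration. Dropping the line leaves the body as just `OPENSSL_armcap_P |= ARMV7_NEON;` with its two comments. The identical file is added by head/patches/patch-crypto_cpu_arm_openbsd_c.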
@@ -0,0 +1,28 @@
+Index: crypto/fipsmodule/rand/urandom.c
+--- crypto/fipsmodule/rand/urandom.c.orig
++++ crypto/fipsmodule/rand/urandom.c
+@@ -71,6 +71,12 @@
+ #endif
+ #endif
+
++#if defined(OPENSSL_OPENBSD)
++// getentropy exists in any supported version of OpenBSD
++#define OPENBSD_GETENTROPY
++#include <unistd.h>
++#endif
++
+ #include <openssl/thread.h>
+ #include <openssl/mem.h>
+
+@@ -334,6 +340,11 @@ static int fill_with_entropy(uint8_t *out, size_t len,
+ r = boringssl_getrandom(out, len, getrandom_flags);
+ #elif defined(FREEBSD_GETRANDOM)
+ r = getrandom(out, len, getrandom_flags);
++#elif defined(OPENBSD_GETENTROPY)
++ {
++ size_t todo = len <= 256 ? len : 256;
++ return getentropy(out, todo) != 0 ? -1 : (ssize_t)todo;
++ }
+ #elif defined(OPENSSL_MACOS)
+ if (__builtin_available(macos 10.12, *)) {
+ // |getentropy| can only request 256 bytes at a time.
Index: fips/patches/patch-include_openssl_base_h
===================================================================
RCS file: fips/patches/patch-include_openssl_base_h
diff -N fips/patches/patch-include_openssl_base_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fips/patches/patch-include_openssl_base_h 28 Apr 2023 15:59:02 -0000
@@ -0,0 +1,14 @@
+Index: include/openssl/base.h
+--- include/openssl/base.h.orig
++++ include/openssl/base.h
+@@ -166,6 +166,10 @@ extern "C" {
+ #define OPENSSL_FREEBSD
+ #endif
+
++#if defined(__OpenBSD__)
++#define OPENSSL_OPENBSD
++#endif
++
+ // BoringSSL requires platform's locking APIs to make internal global state
+ // thread-safe, including the PRNG. On some single-threaded embedded platforms,
+ // locking APIs may not exist, so this dependency may be disabled with the
Index: fips/patches/patch-include_openssl_thread_h
===================================================================
RCS file: fips/patches/patch-include_openssl_thread_h
diff -N fips/patches/patch-include_openssl_thread_h
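Review bot: In the second inner hunk of patch-crypto_fipsmodule_rand_urandom_c, the added `OPENBSD_GETENTROPY` branch returns from `fill_with_entropy` directly, whereas the neighbouring branches assign the call result to `r` and let the function continue. Because the branch caps the request at 256 bytes and then returns, a caller asking for more than 256 bytes would get a partially filled buffer, and the function's `int` result would be -1 or a byte count rather than whatever success/failure value the other paths produce. The rest of the function lies outside the hunk, so this should be confirmed against its loop and return convention. Assigning like the siblings keeps the entropy path uniform: keep `size_t todo = len <= 256 ? len : 256;` and change the next line to `r = getentropy(out, todo) != 0 ? -1 : (ssize_t)todo;`. The same branch is added by head/patches/patch-crypto_fipsmodule_rand_urandom_c.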
--- /dev/null 1 Jan 1970 00:00:00 -0000 +++ fips/patches/patch-include_openssl_thread_h 28 Apr 2023 15:59:02 -0000 @@ -0,0 +1,11 @@ +Index: include/openssl/thread.h +--- include/openssl/thread.h.orig ++++ include/openssl/thread.h +@@ -78,6 +78,7 @@ typedef union crypto_mutex_st { + void *handle; + } CRYPTO_MUTEX; + #elif !defined(__GLIBC__) ++#include <pthread.h> + typedef pthread_rwlock_t CRYPTO_MUTEX; + #else + // On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't Index: fips/pkg/DESCR =================================================================== RCS file: fips/pkg/DESCR diff -N fips/pkg/DESCR --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ fips/pkg/DESCR 28 Apr 2023 15:59:02 -0000 @@ -0,0 +1,7 @@ +Although BoringSSL is an open source project, it is not intended for +general use, as OpenSSL is. We don't recommend that third parties +depend upon it. Doing so is likely to be frustrating because there are +no guarantees of API or ABI stability. + +This is the FIPS branch of boringssl used by Google where FIPS +certification is required. Index: fips/pkg/PLIST =================================================================== RCS file: fips/pkg/PLIST diff -N fips/pkg/PLIST --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ fips/pkg/PLIST 28 Apr 2023 17:08:06 -0000 
@@ -0,0 +1,95 @@ +@option is-branch +eboringssl-fips/ +eboringssl-fips/bin/ +@bin eboringssl-fips/bin/bssl +eboringssl-fips/include/ +eboringssl-fips/include/openssl/ +eboringssl-fips/include/openssl/aead.h +eboringssl-fips/include/openssl/aes.h +eboringssl-fips/include/openssl/arm_arch.h +eboringssl-fips/include/openssl/asn1.h +eboringssl-fips/include/openssl/asn1_mac.h +eboringssl-fips/include/openssl/asn1t.h +eboringssl-fips/include/openssl/base.h +eboringssl-fips/include/openssl/base64.h +eboringssl-fips/include/openssl/bio.h +eboringssl-fips/include/openssl/blake2.h +eboringssl-fips/include/openssl/blowfish.h +eboringssl-fips/include/openssl/bn.h +eboringssl-fips/include/openssl/buf.h +eboringssl-fips/include/openssl/buffer.h +eboringssl-fips/include/openssl/bytestring.h +eboringssl-fips/include/openssl/cast.h +eboringssl-fips/include/openssl/chacha.h +eboringssl-fips/include/openssl/cipher.h +eboringssl-fips/include/openssl/cmac.h +eboringssl-fips/include/openssl/conf.h +eboringssl-fips/include/openssl/cpu.h +eboringssl-fips/include/openssl/crypto.h +eboringssl-fips/include/openssl/ctrdrbg.h +eboringssl-fips/include/openssl/curve25519.h +eboringssl-fips/include/openssl/des.h +eboringssl-fips/include/openssl/dh.h +eboringssl-fips/include/openssl/digest.h +eboringssl-fips/include/openssl/dsa.h +eboringssl-fips/include/openssl/dtls1.h +eboringssl-fips/include/openssl/e_os2.h +eboringssl-fips/include/openssl/ec.h +eboringssl-fips/include/openssl/ec_key.h +eboringssl-fips/include/openssl/ecdh.h +eboringssl-fips/include/openssl/ecdsa.h +eboringssl-fips/include/openssl/engine.h +eboringssl-fips/include/openssl/err.h +eboringssl-fips/include/openssl/evp.h +eboringssl-fips/include/openssl/evp_errors.h +eboringssl-fips/include/openssl/ex_data.h +eboringssl-fips/include/openssl/hkdf.h +eboringssl-fips/include/openssl/hmac.h +eboringssl-fips/include/openssl/hpke.h +eboringssl-fips/include/openssl/hrss.h +eboringssl-fips/include/openssl/is_boringssl.h 
+eboringssl-fips/include/openssl/lhash.h +eboringssl-fips/include/openssl/md4.h +eboringssl-fips/include/openssl/md5.h +eboringssl-fips/include/openssl/mem.h +eboringssl-fips/include/openssl/nid.h +eboringssl-fips/include/openssl/obj.h +eboringssl-fips/include/openssl/obj_mac.h +eboringssl-fips/include/openssl/objects.h +eboringssl-fips/include/openssl/opensslconf.h +eboringssl-fips/include/openssl/opensslv.h +eboringssl-fips/include/openssl/ossl_typ.h +eboringssl-fips/include/openssl/pem.h +eboringssl-fips/include/openssl/pkcs12.h +eboringssl-fips/include/openssl/pkcs7.h +eboringssl-fips/include/openssl/pkcs8.h +eboringssl-fips/include/openssl/poly1305.h +eboringssl-fips/include/openssl/pool.h +eboringssl-fips/include/openssl/rand.h +eboringssl-fips/include/openssl/rc4.h +eboringssl-fips/include/openssl/ripemd.h +eboringssl-fips/include/openssl/rsa.h +eboringssl-fips/include/openssl/safestack.h +eboringssl-fips/include/openssl/service_indicator.h +eboringssl-fips/include/openssl/sha.h +eboringssl-fips/include/openssl/siphash.h +eboringssl-fips/include/openssl/span.h +eboringssl-fips/include/openssl/srtp.h +eboringssl-fips/include/openssl/ssl.h +eboringssl-fips/include/openssl/ssl3.h +eboringssl-fips/include/openssl/stack.h +eboringssl-fips/include/openssl/thread.h +eboringssl-fips/include/openssl/tls1.h +eboringssl-fips/include/openssl/trust_token.h +eboringssl-fips/include/openssl/type_check.h +eboringssl-fips/include/openssl/x509.h +eboringssl-fips/include/openssl/x509_vfy.h +eboringssl-fips/include/openssl/x509v3.h +eboringssl-fips/lib/ +eboringssl-fips/lib/cmake/ +eboringssl-fips/lib/cmake/OpenSSL/ +eboringssl-fips/lib/cmake/OpenSSL/OpenSSLConfig.cmake +eboringssl-fips/lib/cmake/OpenSSL/OpenSSLTargets${MODCMAKE_BUILD_SUFFIX} +eboringssl-fips/lib/cmake/OpenSSL/OpenSSLTargets.cmake +@static-lib eboringssl-fips/lib/libcrypto.a +@static-lib eboringssl-fips/lib/libssl.a Index: head/Makefile =================================================================== RCS 
file: head/Makefile diff -N head/Makefile --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ head/Makefile 28 Apr 2023 16:59:33 -0000 @@ -0,0 +1,31 @@ +NOT_FOR_ARCHS = ${BE_ARCHS} + +COMMENT = fork of OpenSSL that is designed to meet Google's needs + +GH_ACCOUNT = google +GH_PROJECT = boringssl +GH_COMMIT = de2d610a341f5a4b8c222425890537cb84c91400 +DISTNAME = boringssl-20230425 + +CATEGORIES = security + +MAINTAINER = Bob Beck <b...@openbsd.org>, \ + Theo Buehler <t...@openbsd.org> + +# ISC +PERMIT_PACKAGE = Yes + +WANTLIB += ${COMPILER_LIBCXX} c m + +# C++14 +COMPILER = base-clang ports-gcc + +MODULES = devel/cmake +CONFIGURE_ARGS += -DCMAKE_INSTALL_PREFIX=${PREFIX}/eboringssl + +# XXX picked up for tests, needs more love +BUILD_DEPENDS = lang/go + +PORTHOME = ${WRKSRC} + +.include <bsd.port.mk> Index: head/distinfo =================================================================== RCS file: head/distinfo diff -N head/distinfo --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ head/distinfo 28 Apr 2023 17:02:04 -0000 @@ -0,0 +1,2 @@ +SHA256 (boringssl-20230425-de2d610a.tar.gz) = 2Bu5eOgBxqNUcTDevIpOjPGgJ/GBatu1ZtbVDTCDppQ= +SIZE (boringssl-20230425-de2d610a.tar.gz) = 32281549 Index: head/patches/patch-CMakeLists_txt =================================================================== RCS file: head/patches/patch-CMakeLists_txt diff -N head/patches/patch-CMakeLists_txt --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ head/patches/patch-CMakeLists_txt 28 Apr 2023 15:59:06 -0000 
@@ -0,0 +1,12 @@ +Index: CMakeLists.txt +--- CMakeLists.txt.orig ++++ CMakeLists.txt +@@ -139,7 +139,7 @@ set(CMAKE_C_STANDARD_REQUIRED ON) + if(CMAKE_COMPILER_IS_GNUCXX OR CLANG) + # Note clang-cl is odd and sets both CLANG and MSVC. We base our configuration + # primarily on our normal Clang one. +- set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wvla -Wshadow -Wtype-limits") ++ set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wshadow -Wtype-limits") + if(MSVC) + # clang-cl sets different default warnings than clang. It also treats -Wall + # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall. Index: head/patches/patch-crypto_CMakeLists_txt =================================================================== RCS file: head/patches/patch-crypto_CMakeLists_txt diff -N head/patches/patch-crypto_CMakeLists_txt --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ head/patches/patch-crypto_CMakeLists_txt 28 Apr 2023 15:59:06 -0000 @@ -0,0 +1,16 @@ +Index: crypto/CMakeLists.txt +--- crypto/CMakeLists.txt.orig ++++ crypto/CMakeLists.txt +@@ -126,10 +126,12 @@ add_library( + conf/conf.c + cpu_aarch64_apple.c + cpu_aarch64_freebsd.c ++ cpu_aarch64_openbsd.c + cpu_aarch64_fuchsia.c + cpu_aarch64_linux.c + cpu_aarch64_win.c + cpu_arm_freebsd.c ++ cpu_arm_openbsd.c + cpu_arm_linux.c + cpu_arm.c + cpu_intel.c Index: head/patches/patch-crypto_cpu_aarch64_openbsd_c =================================================================== RCS file: head/patches/patch-crypto_cpu_aarch64_openbsd_c diff -N head/patches/patch-crypto_cpu_aarch64_openbsd_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ head/patches/patch-crypto_cpu_aarch64_openbsd_c 28 Apr 2023 15:59:06 -0000 
@@ -0,0 +1,61 @@ +Index: crypto/cpu_aarch64_openbsd.c +--- crypto/cpu_aarch64_openbsd.c.orig ++++ crypto/cpu_aarch64_openbsd.c +@@ -0,0 +1,57 @@ ++/* Copyright (c) 2022, Robert Nagy <rob...@openbsd.org> ++ * ++ * Permission to use, copy, modify, and/or distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY ++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION ++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN ++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ ++ ++#include <openssl/cpu.h> ++ ++#if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && \ ++ !defined(OPENSSL_STATIC_ARMCAP) ++ ++#include <sys/sysctl.h> ++#include <machine/cpu.h> ++#include <machine/armreg.h> ++#include <stdio.h> ++ ++#include <openssl/arm_arch.h> ++ ++#include "internal.h" ++ ++extern uint32_t OPENSSL_armcap_P; ++ ++void OPENSSL_cpuid_setup(void) { ++ int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 }; ++ size_t len = sizeof(uint64_t); ++ uint64_t cpu_id = 0; ++ ++ if (sysctl(isar0_mib, 2, &cpu_id, &len, NULL, 0) < 0) ++ return; ++ ++ OPENSSL_armcap_P |= ARMV7_NEON; ++ ++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_BASE) ++ OPENSSL_armcap_P |= ARMV8_AES; ++ ++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_PMULL) ++ OPENSSL_armcap_P |= ARMV8_PMULL; ++ ++ if (ID_AA64ISAR0_SHA1(cpu_id) >= ID_AA64ISAR0_SHA1_BASE) ++ OPENSSL_armcap_P |= ARMV8_SHA1; ++ ++ if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_BASE) ++ OPENSSL_armcap_P |= ARMV8_SHA256; ++ ++ if (ID_AA64ISAR0_SHA2(cpu_id) >= 
ID_AA64ISAR0_SHA2_512) ++ OPENSSL_armcap_P |= ARMV8_SHA512; ++} ++ ++#endif // OPENSSL_AARCH64 && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP Index: head/patches/patch-crypto_cpu_arm_openbsd_c =================================================================== RCS file: head/patches/patch-crypto_cpu_arm_openbsd_c diff -N head/patches/patch-crypto_cpu_arm_openbsd_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ head/patches/patch-crypto_cpu_arm_openbsd_c 28 Apr 2023 15:59:06 -0000 
@@ -0,0 +1,38 @@ +Index: crypto/cpu_arm_openbsd.c +--- crypto/cpu_arm_openbsd.c.orig ++++ crypto/cpu_arm_openbsd.c +@@ -0,0 +1,34 @@ ++/* Copyright (c) 2023, Google Inc. ++ * ++ * Permission to use, copy, modify, and/or distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY ++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION ++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN ++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ ++ ++#include "internal.h" ++ ++#if defined(OPENSSL_ARM) && defined(OPENSSL_OPENBSD) && \ ++ !defined(OPENSSL_STATIC_ARMCAP) ++#include <stdio.h> ++ ++#include <openssl/arm_arch.h> ++ ++extern uint32_t OPENSSL_armcap_P; ++ ++void OPENSSL_cpuid_setup(void) { ++ unsigned long hwcap = 0, hwcap2 = 0; ++ ++ // OpenBSD does not support arm32 machines without NEON ++ OPENSSL_armcap_P |= ARMV7_NEON; ++ ++ // OpenBSD does not support v8 features on non aarch64 ++} ++ ++#endif // OPENSSL_ARM && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP Index: head/patches/patch-crypto_fipsmodule_rand_urandom_c =================================================================== RCS file: head/patches/patch-crypto_fipsmodule_rand_urandom_c diff -N head/patches/patch-crypto_fipsmodule_rand_urandom_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ head/patches/patch-crypto_fipsmodule_rand_urandom_c 28 Apr 2023 15:59:06 -0000 
@@ -0,0 +1,28 @@ +Index: crypto/fipsmodule/rand/urandom.c +--- crypto/fipsmodule/rand/urandom.c.orig ++++ crypto/fipsmodule/rand/urandom.c +@@ -68,6 +68,12 @@ + #include <sys/random.h> + #endif + ++#if defined(OPENSSL_OPENBSD) ++// getentropy exists in any supported version of OpenBSD ++#define OPENBSD_GETENTROPY ++#include <unistd.h> ++#endif ++ + #include <openssl/thread.h> + #include <openssl/mem.h> + +@@ -300,6 +306,11 @@ static int fill_with_entropy(uint8_t *out, size_t len, + r = boringssl_getrandom(out, len, getrandom_flags); + #elif defined(FREEBSD_GETRANDOM) + r = getrandom(out, len, getrandom_flags); ++#elif defined(OPENBSD_GETENTROPY) ++ { ++ size_t todo = len <= 256 ? len : 256; ++ return getentropy(out, todo) != 0 ? -1 : (ssize_t)todo; ++ } + #elif defined(OPENSSL_MACOS) + if (__builtin_available(macos 10.12, *)) { + // |getentropy| can only request 256 bytes at a time. Index: head/patches/patch-include_openssl_base_h =================================================================== RCS file: head/patches/patch-include_openssl_base_h diff -N head/patches/patch-include_openssl_base_h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ head/patches/patch-include_openssl_base_h 28 Apr 2023 15:59:06 -0000 @@ -0,0 +1,14 @@ +Index: include/openssl/base.h +--- include/openssl/base.h.orig ++++ include/openssl/base.h +@@ -164,6 +164,10 @@ extern "C" { + #define OPENSSL_FREEBSD + #endif + ++#if defined(__OpenBSD__) ++#define OPENSSL_OPENBSD ++#endif ++ + // BoringSSL requires platform's locking APIs to make internal global state + // thread-safe, including the PRNG. On some single-threaded embedded platforms, + // locking APIs may not exist, so this dependency may be disabled with the Index: head/patches/patch-include_openssl_thread_h =================================================================== RCS file: head/patches/patch-include_openssl_thread_h diff -N head/patches/patch-include_openssl_thread_h 
--- /dev/null 1 Jan 1970 00:00:00 -0000 +++ head/patches/patch-include_openssl_thread_h 28 Apr 2023 15:59:06 -0000 @@ -0,0 +1,11 @@ +Index: include/openssl/thread.h +--- include/openssl/thread.h.orig ++++ include/openssl/thread.h +@@ -78,6 +78,7 @@ typedef union crypto_mutex_st { + void *handle; + } CRYPTO_MUTEX; + #elif !defined(__GLIBC__) ++#include <pthread.h> + typedef pthread_rwlock_t CRYPTO_MUTEX; + #else + // On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't Index: head/pkg/DESCR =================================================================== RCS file: head/pkg/DESCR diff -N head/pkg/DESCR --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ head/pkg/DESCR 28 Apr 2023 15:59:06 -0000 @@ -0,0 +1,4 @@ +Although BoringSSL is an open source project, it is not intended for +general use, as OpenSSL is. We don't recommend that third parties +depend upon it. Doing so is likely to be frustrating because there are +no guarantees of API or ABI stability. Index: head/pkg/PLIST =================================================================== RCS file: head/pkg/PLIST diff -N head/pkg/PLIST --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ head/pkg/PLIST 28 Apr 2023 17:08:07 -0000 
@@ -0,0 +1,99 @@ +@option is-branch +@pkgpath security/boringssl +eboringssl/ +eboringssl/bin/ +@bin eboringssl/bin/bssl +eboringssl/include/ +eboringssl/include/openssl/ +eboringssl/include/openssl/aead.h +eboringssl/include/openssl/aes.h +eboringssl/include/openssl/arm_arch.h +eboringssl/include/openssl/asn1.h +eboringssl/include/openssl/asn1_mac.h +eboringssl/include/openssl/asn1t.h +eboringssl/include/openssl/base.h +eboringssl/include/openssl/base64.h +eboringssl/include/openssl/bio.h +eboringssl/include/openssl/blake2.h +eboringssl/include/openssl/blowfish.h +eboringssl/include/openssl/bn.h +eboringssl/include/openssl/buf.h +eboringssl/include/openssl/buffer.h +eboringssl/include/openssl/bytestring.h +eboringssl/include/openssl/cast.h +eboringssl/include/openssl/chacha.h +eboringssl/include/openssl/cipher.h +eboringssl/include/openssl/cmac.h +eboringssl/include/openssl/conf.h +eboringssl/include/openssl/cpu.h +eboringssl/include/openssl/crypto.h +eboringssl/include/openssl/ctrdrbg.h +eboringssl/include/openssl/curve25519.h +eboringssl/include/openssl/des.h +eboringssl/include/openssl/dh.h +eboringssl/include/openssl/digest.h +eboringssl/include/openssl/dsa.h +eboringssl/include/openssl/dtls1.h +eboringssl/include/openssl/e_os2.h +eboringssl/include/openssl/ec.h +eboringssl/include/openssl/ec_key.h +eboringssl/include/openssl/ecdh.h +eboringssl/include/openssl/ecdsa.h +eboringssl/include/openssl/engine.h +eboringssl/include/openssl/err.h +eboringssl/include/openssl/evp.h +eboringssl/include/openssl/evp_errors.h +eboringssl/include/openssl/ex_data.h +eboringssl/include/openssl/hkdf.h +eboringssl/include/openssl/hmac.h +eboringssl/include/openssl/hpke.h +eboringssl/include/openssl/hrss.h +eboringssl/include/openssl/is_boringssl.h +eboringssl/include/openssl/kdf.h +eboringssl/include/openssl/kyber.h +eboringssl/include/openssl/lhash.h +eboringssl/include/openssl/md4.h +eboringssl/include/openssl/md5.h +eboringssl/include/openssl/mem.h 
+eboringssl/include/openssl/nid.h +eboringssl/include/openssl/obj.h +eboringssl/include/openssl/obj_mac.h +eboringssl/include/openssl/objects.h +eboringssl/include/openssl/opensslconf.h +eboringssl/include/openssl/opensslv.h +eboringssl/include/openssl/ossl_typ.h +eboringssl/include/openssl/pem.h +eboringssl/include/openssl/pkcs12.h +eboringssl/include/openssl/pkcs7.h +eboringssl/include/openssl/pkcs8.h +eboringssl/include/openssl/poly1305.h +eboringssl/include/openssl/pool.h +eboringssl/include/openssl/rand.h +eboringssl/include/openssl/rc4.h +eboringssl/include/openssl/ripemd.h +eboringssl/include/openssl/rsa.h +eboringssl/include/openssl/safestack.h +eboringssl/include/openssl/service_indicator.h +eboringssl/include/openssl/sha.h +eboringssl/include/openssl/siphash.h +eboringssl/include/openssl/span.h +eboringssl/include/openssl/srtp.h +eboringssl/include/openssl/ssl.h +eboringssl/include/openssl/ssl3.h +eboringssl/include/openssl/stack.h +eboringssl/include/openssl/thread.h +eboringssl/include/openssl/time.h +eboringssl/include/openssl/tls1.h +eboringssl/include/openssl/trust_token.h +eboringssl/include/openssl/type_check.h +eboringssl/include/openssl/x509.h +eboringssl/include/openssl/x509_vfy.h +eboringssl/include/openssl/x509v3.h +eboringssl/lib/ +eboringssl/lib/cmake/ +eboringssl/lib/cmake/OpenSSL/ +eboringssl/lib/cmake/OpenSSL/OpenSSLConfig.cmake +eboringssl/lib/cmake/OpenSSL/OpenSSLTargets${MODCMAKE_BUILD_SUFFIX} +eboringssl/lib/cmake/OpenSSL/OpenSSLTargets.cmake +@static-lib eboringssl/lib/libcrypto.a +@static-lib eboringssl/lib/libssl.a Index: patches/patch-CMakeLists_txt =================================================================== RCS file: patches/patch-CMakeLists_txt diff -N patches/patch-CMakeLists_txt --- patches/patch-CMakeLists_txt 25 Apr 2023 19:16:30 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,12 +0,0 @@
-Index: CMakeLists.txt
---- CMakeLists.txt.orig
-+++ CMakeLists.txt
-@@ -139,7 +139,7 @@ set(CMAKE_C_STANDARD_REQUIRED ON)
- if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)
- # Note clang-cl is odd and sets both CLANG and MSVC. We base our configuration
- # primarily on our normal Clang one.
-- set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wvla -Wshadow -Wtype-limits")
-+ set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wshadow -Wtype-limits")
- if(MSVC)
- # clang-cl sets different default warnings than clang. It also treats -Wall
- # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall.
Index: patches/patch-crypto_CMakeLists_txt
===================================================================
RCS file: patches/patch-crypto_CMakeLists_txt
diff -N patches/patch-crypto_CMakeLists_txt
--- patches/patch-crypto_CMakeLists_txt 25 Apr 2023 19:16:30 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,16 +0,0 @@
-Index: crypto/CMakeLists.txt
---- crypto/CMakeLists.txt.orig
-+++ crypto/CMakeLists.txt
-@@ -126,10 +126,12 @@ add_library(
- conf/conf.c
- cpu_aarch64_apple.c
- cpu_aarch64_freebsd.c
-+ cpu_aarch64_openbsd.c
- cpu_aarch64_fuchsia.c
- cpu_aarch64_linux.c
- cpu_aarch64_win.c
- cpu_arm_freebsd.c
-+ cpu_arm_openbsd.c
- cpu_arm_linux.c
- cpu_arm.c
- cpu_intel.c
Index: patches/patch-crypto_cpu_aarch64_openbsd_c
===================================================================
RCS file: patches/patch-crypto_cpu_aarch64_openbsd_c
diff -N patches/patch-crypto_cpu_aarch64_openbsd_c
--- patches/patch-crypto_cpu_aarch64_openbsd_c 25 Apr 2023 19:16:30 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,61 +0,0 @@
-Index: crypto/cpu_aarch64_openbsd.c
---- crypto/cpu_aarch64_openbsd.c.orig
-+++ crypto/cpu_aarch64_openbsd.c
-@@ -0,0 +1,57 @@
-+/* Copyright (c) 2022, Robert Nagy <rob...@openbsd.org>
-+ *
-+ * Permission to use, copy, modify, and/or distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-+
-+#include <openssl/cpu.h>
-+
-+#if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && \
-+ !defined(OPENSSL_STATIC_ARMCAP)
-+
-+#include <sys/sysctl.h>
-+#include <machine/cpu.h>
-+#include <machine/armreg.h>
-+#include <stdio.h>
-+
-+#include <openssl/arm_arch.h>
-+
-+#include "internal.h"
-+
-+extern uint32_t OPENSSL_armcap_P;
-+
-+void OPENSSL_cpuid_setup(void) {
-+ int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 };
-+ size_t len = sizeof(uint64_t);
-+ uint64_t cpu_id = 0;
-+
-+ if (sysctl(isar0_mib, 2, &cpu_id, &len, NULL, 0) < 0)
-+ return;
-+
-+ OPENSSL_armcap_P |= ARMV7_NEON;
-+
-+ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_BASE)
-+ OPENSSL_armcap_P |= ARMV8_AES;
-+
-+ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_PMULL)
-+ OPENSSL_armcap_P |= ARMV8_PMULL;
-+
-+ if (ID_AA64ISAR0_SHA1(cpu_id) >= ID_AA64ISAR0_SHA1_BASE)
-+ OPENSSL_armcap_P |= ARMV8_SHA1;
-+
-+ if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_BASE)
-+ OPENSSL_armcap_P |= ARMV8_SHA256;
-+
-+ if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_512)
-+ OPENSSL_armcap_P |= ARMV8_SHA512;
-+}
-+
-+#endif // OPENSSL_AARCH64 && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP
Index: patches/patch-crypto_cpu_arm_openbsd_c
===================================================================
RCS file: patches/patch-crypto_cpu_arm_openbsd_c
diff -N patches/patch-crypto_cpu_arm_openbsd_c
--- patches/patch-crypto_cpu_arm_openbsd_c 25 Apr 2023 19:16:30 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,38 +0,0 @@
-Index: crypto/cpu_arm_openbsd.c
---- crypto/cpu_arm_openbsd.c.orig
-+++ crypto/cpu_arm_openbsd.c
-@@ -0,0 +1,34 @@
-+/* Copyright (c) 2023, Google Inc.
-+ *
-+ * Permission to use, copy, modify, and/or distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-+
-+#include "internal.h"
-+
-+#if defined(OPENSSL_ARM) && defined(OPENSSL_OPENBSD) && \
-+ !defined(OPENSSL_STATIC_ARMCAP)
-+#include <stdio.h>
-+
-+#include <openssl/arm_arch.h>
-+
-+extern uint32_t OPENSSL_armcap_P;
-+
-+void OPENSSL_cpuid_setup(void) {
-+ unsigned long hwcap = 0, hwcap2 = 0;
-+
-+ // OpenBSD does not support arm32 machines without NEON
-+ OPENSSL_armcap_P |= ARMV7_NEON;
-+
-+ // OpenBSD does not support v8 features on non aarch64
-+}
-+
-+#endif // OPENSSL_ARM && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP
Index: patches/patch-crypto_fipsmodule_rand_urandom_c
===================================================================
RCS file: patches/patch-crypto_fipsmodule_rand_urandom_c
diff -N patches/patch-crypto_fipsmodule_rand_urandom_c
--- patches/patch-crypto_fipsmodule_rand_urandom_c 25 Apr 2023 19:16:30 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,28 +0,0 @@
-Index: crypto/fipsmodule/rand/urandom.c
---- crypto/fipsmodule/rand/urandom.c.orig
-+++ crypto/fipsmodule/rand/urandom.c
-@@ -68,6 +68,12 @@
- #include <sys/random.h>
- #endif
-
-+#if defined(OPENSSL_OPENBSD)
-+// getentropy exists in any supported version of OpenBSD
-+#define OPENBSD_GETENTROPY
-+#include <unistd.h>
-+#endif
-+
- #include <openssl/thread.h>
- #include <openssl/mem.h>
-
-@@ -300,6 +306,11 @@ static int fill_with_entropy(uint8_t *out, size_t len,
- r = boringssl_getrandom(out, len, getrandom_flags);
- #elif defined(FREEBSD_GETRANDOM)
- r = getrandom(out, len, getrandom_flags);
-+#elif defined(OPENBSD_GETENTROPY)
-+ {
-+ size_t todo = len <= 256 ? len : 256;
-+ return getentropy(out, todo) != 0 ? -1 : (ssize_t)todo;
-+ }
- #elif defined(OPENSSL_MACOS)
- if (__builtin_available(macos 10.12, *)) {
- // |getentropy| can only request 256 bytes at a time.
Index: patches/patch-include_openssl_base_h
===================================================================
RCS file: patches/patch-include_openssl_base_h
diff -N patches/patch-include_openssl_base_h
--- patches/patch-include_openssl_base_h 25 Apr 2023 19:16:30 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-Index: include/openssl/base.h
---- include/openssl/base.h.orig
-+++ include/openssl/base.h
-@@ -164,6 +164,10 @@ extern "C" {
- #define OPENSSL_FREEBSD
- #endif
-
-+#if defined(__OpenBSD__)
-+#define OPENSSL_OPENBSD
-+#endif
-+
- // BoringSSL requires platform's locking APIs to make internal global state
- // thread-safe, including the PRNG. On some single-threaded embedded platforms,
- // locking APIs may not exist, so this dependency may be disabled with the
Index: patches/patch-include_openssl_thread_h
===================================================================
RCS file: patches/patch-include_openssl_thread_h
diff -N patches/patch-include_openssl_thread_h
--- patches/patch-include_openssl_thread_h 25 Apr 2023 19:16:30 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,11 +0,0 @@
-Index: include/openssl/thread.h
---- include/openssl/thread.h.orig
-+++ include/openssl/thread.h
-@@ -78,6 +78,7 @@ typedef union crypto_mutex_st {
- void *handle;
- } CRYPTO_MUTEX;
- #elif !defined(__GLIBC__)
-+#include <pthread.h>
- typedef pthread_rwlock_t CRYPTO_MUTEX;
- #else
- // On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't
Index: pkg/DESCR
===================================================================
RCS file: pkg/DESCR
diff -N pkg/DESCR
--- pkg/DESCR 25 Apr 2023 19:16:30 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,4 +0,0 @@
-Although BoringSSL is an open source project, it is not intended for
-general use, as OpenSSL is. We don't recommend that third parties
-depend upon it. Doing so is likely to be frustrating because there are
-no guarantees of API or ABI stability.
Index: pkg/PLIST
===================================================================
RCS file: pkg/PLIST
diff -N pkg/PLIST
--- pkg/PLIST 25 Apr 2023 19:16:30 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,97 +0,0 @@
-eboringssl/
-eboringssl/bin/
-@bin eboringssl/bin/bssl
-eboringssl/include/
-eboringssl/include/openssl/
-eboringssl/include/openssl/aead.h
-eboringssl/include/openssl/aes.h
-eboringssl/include/openssl/arm_arch.h
-eboringssl/include/openssl/asn1.h
-eboringssl/include/openssl/asn1_mac.h
-eboringssl/include/openssl/asn1t.h
-eboringssl/include/openssl/base.h
-eboringssl/include/openssl/base64.h
-eboringssl/include/openssl/bio.h
-eboringssl/include/openssl/blake2.h
-eboringssl/include/openssl/blowfish.h
-eboringssl/include/openssl/bn.h
-eboringssl/include/openssl/buf.h
-eboringssl/include/openssl/buffer.h
-eboringssl/include/openssl/bytestring.h
-eboringssl/include/openssl/cast.h
-eboringssl/include/openssl/chacha.h
-eboringssl/include/openssl/cipher.h
-eboringssl/include/openssl/cmac.h
-eboringssl/include/openssl/conf.h
-eboringssl/include/openssl/cpu.h
-eboringssl/include/openssl/crypto.h
-eboringssl/include/openssl/ctrdrbg.h
-eboringssl/include/openssl/curve25519.h
-eboringssl/include/openssl/des.h
-eboringssl/include/openssl/dh.h
-eboringssl/include/openssl/digest.h
-eboringssl/include/openssl/dsa.h
-eboringssl/include/openssl/dtls1.h
-eboringssl/include/openssl/e_os2.h
-eboringssl/include/openssl/ec.h
-eboringssl/include/openssl/ec_key.h
-eboringssl/include/openssl/ecdh.h
-eboringssl/include/openssl/ecdsa.h
-eboringssl/include/openssl/engine.h
-eboringssl/include/openssl/err.h
-eboringssl/include/openssl/evp.h
-eboringssl/include/openssl/evp_errors.h
-eboringssl/include/openssl/ex_data.h
-eboringssl/include/openssl/hkdf.h
-eboringssl/include/openssl/hmac.h
-eboringssl/include/openssl/hpke.h
-eboringssl/include/openssl/hrss.h
-eboringssl/include/openssl/is_boringssl.h
-eboringssl/include/openssl/kdf.h
-eboringssl/include/openssl/kyber.h
-eboringssl/include/openssl/lhash.h
-eboringssl/include/openssl/md4.h
-eboringssl/include/openssl/md5.h
-eboringssl/include/openssl/mem.h
-eboringssl/include/openssl/nid.h
-eboringssl/include/openssl/obj.h
-eboringssl/include/openssl/obj_mac.h
-eboringssl/include/openssl/objects.h
-eboringssl/include/openssl/opensslconf.h
-eboringssl/include/openssl/opensslv.h
-eboringssl/include/openssl/ossl_typ.h
-eboringssl/include/openssl/pem.h
-eboringssl/include/openssl/pkcs12.h
-eboringssl/include/openssl/pkcs7.h
-eboringssl/include/openssl/pkcs8.h
-eboringssl/include/openssl/poly1305.h
-eboringssl/include/openssl/pool.h
-eboringssl/include/openssl/rand.h
-eboringssl/include/openssl/rc4.h
-eboringssl/include/openssl/ripemd.h
-eboringssl/include/openssl/rsa.h
-eboringssl/include/openssl/safestack.h
-eboringssl/include/openssl/service_indicator.h
-eboringssl/include/openssl/sha.h
-eboringssl/include/openssl/siphash.h
-eboringssl/include/openssl/span.h
-eboringssl/include/openssl/srtp.h
-eboringssl/include/openssl/ssl.h
-eboringssl/include/openssl/ssl3.h
-eboringssl/include/openssl/stack.h
-eboringssl/include/openssl/thread.h
-eboringssl/include/openssl/time.h
-eboringssl/include/openssl/tls1.h
-eboringssl/include/openssl/trust_token.h
-eboringssl/include/openssl/type_check.h
-eboringssl/include/openssl/x509.h
-eboringssl/include/openssl/x509_vfy.h
-eboringssl/include/openssl/x509v3.h
-eboringssl/lib/
-eboringssl/lib/cmake/
-eboringssl/lib/cmake/OpenSSL/
-eboringssl/lib/cmake/OpenSSL/OpenSSLConfig.cmake
-eboringssl/lib/cmake/OpenSSL/OpenSSLTargets${MODCMAKE_BUILD_SUFFIX}
-eboringssl/lib/cmake/OpenSSL/OpenSSLTargets.cmake
-@static-lib eboringssl/lib/libcrypto.a
-@static-lib eboringssl/lib/libssl.a