On Fri, Apr 28, 2023 at 05:46:03PM +0100, Stuart Henderson wrote:
> Haven't checked (I'm away for the weekend) but I don't think "+@conflict
> boringssl-2*" will work, it should follow packages-specs(7) syntax. Probably
> just "@conflict boringssl-*" or alternatively just call the package for head
> "boringssl" as before and don't bother with the @conflict or quirks just the
> @pkgpath.
>
> Would it be worth installing fips under a different dir/filenames so the two
> don't conflict?
>
Yes, the agreement is that this is fine, which makes things much simpler.
This keeps head named boringssl-foo and names fips
boringssl-fips-foo.
ok?
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/boringssl/Makefile,v
retrieving revision 1.5
diff -u -p -u -p -r1.5 Makefile
--- Makefile 26 Apr 2023 15:10:07 -0000 1.5
+++ Makefile 28 Apr 2023 16:00:04 -0000
@@ -1,52 +1,5 @@
-NOT_FOR_ARCHS = ${BE_ARCHS}
+SUBDIR =
+SUBDIR += fips
+SUBDIR += head
-COMMENT = fork of OpenSSL that is designed to meet Google's needs
-
-GH_ACCOUNT = google
-GH_PROJECT = boringssl
-GH_COMMIT = de2d610a341f5a4b8c222425890537cb84c91400
-DISTNAME = boringssl-20230425
-
-MASTER_SITES0 = https://proxy.golang.org/
-
-DISTFILES += ${GH_DISTFILE}
-# can't use GH_DISTFILE because EXTRACT_ONLY does not understand DISTFILES {}
-EXTRACT_ONLY = ${DISTNAME}-${GH_COMMIT:C/(........).*/\1/}${EXTRACT_SUFX}
-
-BORING_GOMOD += golang.org/x/crypto v0.6.0
-BORING_GOMOD += golang.org/x/net v0.7.0
-BORING_GOMOD += golang.org/x/sys v0.5.0
-BORING_GOMOD += golang.org/x/term v0.5.0
-
-.for _modpath _modver in ${BORING_GOMOD}
-DISTFILES += go_modules/{}${_modpath}/@v/${_modver}.zip:0
-DISTFILES += go_modules/{}${_modpath}/@v/${_modver}.mod:0
-.endfor
-
-CATEGORIES = security
-
-MAINTAINER = Bob Beck <beck@openbsd.org>, \
- Theo Buehler <tb@openbsd.org>
-
-# ISC
-PERMIT_PACKAGE = Yes
-
-WANTLIB += ${COMPILER_LIBCXX} c m
-
-# C++14
-COMPILER = base-clang ports-gcc
-
-MODULES = devel/cmake
-CONFIGURE_ARGS += -DCMAKE_INSTALL_PREFIX=${PREFIX}/eboringssl
-
-BUILD_DEPENDS = lang/go
-
-PORTHOME = ${WRKDIR}
-TEST_ENV = GOPROXY=file://${FULLDISTDIR}/go_modules
-
-FIX_CLEANUP_PERMISSIONS = Yes
-
-do-test:
- ${SETENV} ${ALL_TEST_ENV} ninja -C ${WRKBUILD} -j ${MAKE_JOBS} run_tests
-
-.include <bsd.port.mk>
+.include <bsd.port.subdir.mk>
Index: distinfo
===================================================================
RCS file: distinfo
diff -N distinfo
--- distinfo 26 Apr 2023 14:55:23 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,18 +0,0 @@
-SHA256 (boringssl-20230425-de2d610a.tar.gz) = 2Bu5eOgBxqNUcTDevIpOjPGgJ/GBatu1ZtbVDTCDppQ=
-SHA256 (go_modules/golang.org/x/crypto/@v/v0.6.0.mod) = G2poNFWjuIK2rFPyJ1KWDoe9kQQKlNbyxcthJh4jidg=
-SHA256 (go_modules/golang.org/x/crypto/@v/v0.6.0.zip) = gcqIrzcc/1qERCuijiPY9CzME4fI/hUuVeh7pK+eGsc=
-SHA256 (go_modules/golang.org/x/net/@v/v0.7.0.mod) = Qex26iFy8+4wMeOPmlNZOaWE1rs170gIVP3LjCAmcBs=
-SHA256 (go_modules/golang.org/x/net/@v/v0.7.0.zip) = BgVSBkUmqQrJsL3OK6CrNFkt7MlCjRRBw8lyL4U80pA=
-SHA256 (go_modules/golang.org/x/sys/@v/v0.5.0.mod) = 8DMzMJb+GY8xUd7tk/LeunTlC7/nc5E0BFvDt85KUCQ=
-SHA256 (go_modules/golang.org/x/sys/@v/v0.5.0.zip) = z0czasG/Z1+m1t1axTmbAUPFE0BMRJ+j8zgKWBI8eQg=
-SHA256 (go_modules/golang.org/x/term/@v/v0.5.0.mod) = DW9YIoqtwaZSjmdV2gGFFlZuOuXFIB963hdz9W+o2TQ=
-SHA256 (go_modules/golang.org/x/term/@v/v0.5.0.zip) = fYnEmrQTBpUBKKD0t8Z/uOLS9jfs6OAk5s840XozGTs=
-SIZE (boringssl-20230425-de2d610a.tar.gz) = 32281549
-SIZE (go_modules/golang.org/x/crypto/@v/v0.6.0.mod) = 171
-SIZE (go_modules/golang.org/x/crypto/@v/v0.6.0.zip) = 1761232
-SIZE (go_modules/golang.org/x/net/@v/v0.7.0.mod) = 123
-SIZE (go_modules/golang.org/x/net/@v/v0.7.0.zip) = 1559354
-SIZE (go_modules/golang.org/x/sys/@v/v0.5.0.mod) = 33
-SIZE (go_modules/golang.org/x/sys/@v/v0.5.0.zip) = 1886681
-SIZE (go_modules/golang.org/x/term/@v/v0.5.0.mod) = 67
-SIZE (go_modules/golang.org/x/term/@v/v0.5.0.zip) = 19924
Index: fips/Makefile
===================================================================
RCS file: fips/Makefile
diff -N fips/Makefile
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fips/Makefile 28 Apr 2023 16:59:05 -0000
@@ -0,0 +1,31 @@
+NOT_FOR_ARCHS = ${BE_ARCHS}
+
+COMMENT = fork of OpenSSL that is designed to meet Google's needs
+
+GH_ACCOUNT = google
+GH_PROJECT = boringssl
+GH_COMMIT = 0c6f40132b828e92ba365c6b7680e32820c63fa7
+DISTNAME = boringssl-fips-20220613
+
+CATEGORIES = security
+
+MAINTAINER = Bob Beck <beck@openbsd.org>, \
+ Theo Buehler <tb@openbsd.org>
+
+# ISC
+PERMIT_PACKAGE = Yes
+
+WANTLIB += ${COMPILER_LIBCXX} c m
+
+# C++14
+COMPILER = base-clang ports-gcc
+
+MODULES = devel/cmake
+CONFIGURE_ARGS += -DCMAKE_INSTALL_PREFIX=${PREFIX}/eboringssl-fips
+
+# XXX picked up for tests, needs more love
+BUILD_DEPENDS = lang/go
+
+PORTHOME = ${WRKSRC}
+
+.include <bsd.port.mk>
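Review bot: The new fips port has no `do-test` target or `TEST_ENV`, although the top-level Makefile removed in this same diff ran `ninja -C ${WRKBUILD} -j ${MAKE_JOBS} run_tests`. `lang/go` nevertheless stays in `BUILD_DEPENDS` under an XXX comment saying it is picked up for tests. The patches that follow change the warning flags and add CPU capability detection, so the upstream test suite is the main check that this crypto library still behaves correctly on the patched tree. Either restore `do-test` together with the Go modules this snapshot needs, or record the gap, e.g. `# XXX tests not wired up: run_tests needs Go modules that are not in DISTFILES`. `COMMENT` is also word-for-word the one the unsplit port had, so a `COMMENT` that mentions FIPS would let package listings tell the two apart.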
Index: fips/distinfo
===================================================================
RCS file: fips/distinfo
diff -N fips/distinfo
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fips/distinfo 28 Apr 2023 15:59:02 -0000
@@ -0,0 +1,2 @@
+SHA256 (boringssl-fips-20220613-0c6f4013.tar.gz) = 74Cpfr7wVFH9ONvafKkwSW+uetEI8yA/iAXwjCXJSlE=
+SIZE (boringssl-fips-20220613-0c6f4013.tar.gz) = 30902288
Index: fips/patches/patch-CMakeLists_txt
===================================================================
RCS file: fips/patches/patch-CMakeLists_txt
diff -N fips/patches/patch-CMakeLists_txt
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fips/patches/patch-CMakeLists_txt 28 Apr 2023 15:59:02 -0000
@@ -0,0 +1,12 @@
+Index: CMakeLists.txt
+--- CMakeLists.txt.orig
++++ CMakeLists.txt
+@@ -132,7 +132,7 @@ endif()
+ if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)
+ # Note clang-cl is odd and sets both CLANG and MSVC. We base our configuration
+ # primarily on our normal Clang one.
+- set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wvla -Wshadow")
++ set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wshadow")
+ if(MSVC)
+ # clang-cl sets different default warnings than clang. It also treats -Wall
+ # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall.
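Review bot: The patch drops `-Wvla` from `C_CXX_FLAGS` without recording why. `-Werror` stays on the same line, so the flag was presumably breaking the build on OpenBSD, but that is only a guess from here. A short rationale above the `Index:` line would help, for example `Drop -Wvla: combined with -Werror it breaks the build on OpenBSD (TODO: name the offending file)`. The next update can then check whether the patch is still needed instead of carrying a reduced warning set in a crypto library indefinitely. The enclosing `if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)` block continues outside the hunk.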
Index: fips/patches/patch-crypto_CMakeLists_txt
===================================================================
RCS file: fips/patches/patch-crypto_CMakeLists_txt
diff -N fips/patches/patch-crypto_CMakeLists_txt
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fips/patches/patch-crypto_CMakeLists_txt 28 Apr 2023 15:59:02 -0000
@@ -0,0 +1,14 @@
+Index: crypto/CMakeLists.txt
+--- crypto/CMakeLists.txt.orig
++++ crypto/CMakeLists.txt
+@@ -266,8 +266,10 @@ add_library(
+ cpu_aarch64_apple.c
+ cpu_aarch64_fuchsia.c
+ cpu_aarch64_linux.c
++ cpu_aarch64_openbsd.c
+ cpu_aarch64_win.c
+ cpu_arm_linux.c
++ cpu_arm_openbsd.c
+ cpu_arm.c
+ cpu_intel.c
+ cpu_ppc64le.c
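Review bot: `cpu_arm_openbsd.c` is added to the source list here, but no patch creating `crypto/cpu_arm_openbsd.c` is visible in this diff; only `patch-crypto_cpu_aarch64_openbsd_c` follows. The list appears to be unconditional, so if the file is not added elsewhere (the posting may be cut short) CMake would fail at configure time on every architecture, not only arm. Worth confirming that a `patch-crypto_cpu_arm_openbsd_c` ships with the port. The `add_library(` call starts and ends outside the hunk.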
Index: fips/patches/patch-crypto_cpu_aarch64_openbsd_c
===================================================================
RCS file: fips/patches/patch-crypto_cpu_aarch64_openbsd_c
diff -N fips/patches/patch-crypto_cpu_aarch64_openbsd_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ fips/patches/patch-crypto_cpu_aarch64_openbsd_c 28 Apr 2023 15:59:02 -0000
@@ -0,0 +1,61 @@
+Index: crypto/cpu_aarch64_openbsd.c
+--- crypto/cpu_aarch64_openbsd.c.orig
++++ crypto/cpu_aarch64_openbsd.c
+@@ -0,0 +1,57 @@
++/* Copyright (c) 2022, Robert Nagy <robert@openbsd.org>
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
++
++#include <openssl/cpu.h>
++
++#if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && \
++ !defined(OPENSSL_STATIC_ARMCAP)
++
++#include <sys/sysctl.h>
++#include <machine/cpu.h>
++#include <machine/armreg.h>
++#include <stdio.h>
++
++#include <openssl/arm_arch.h>
++
++#include "internal.h"
++
++extern uint32_t OPENSSL_armcap_P;
++
++void OPENSSL_cpuid_setup(void) {
++ int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 };
++ size_t len = sizeof(uint64_t);
++ uint64_t cpu_id = 0;
++
++ if (sysctl(isar0_mib, 2, &cpu_id, &len, NULL, 0) < 0)
++ return;
++
++ OPENSSL_armcap_P |= ARMV7_NEON;
++
++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_BASE)
++ OPENSSL_armcap_P |= ARMV8_AES;
++
++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_PMULL)
++ OPENSSL_armcap_P |= ARMV8_PMULL;
++
++ if (ID_AA64ISAR0_SHA1(cpu_id) >= ID_AA64ISAR0_SHA1_BASE)
++ OPENSSL_armcap_P |= ARMV8_SHA1;
++
++ if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_BASE)
++ OPENSSL_armcap_P |= ARMV8_SHA256;
++
++ if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_512)
++ OPENSSL_armcap_P |= ARMV8_SHA512;
++}
++
++
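Review bot: The `#if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && !defined(OPENSSL_STATIC_ARMCAP)` opened near the top of the new file is never closed: the 57 added lines end with the closing brace of `OPENSSL_cpuid_setup` and two blank lines. As posted this is an unterminated conditional and will not compile, so the file should end with `#endif  // OPENSSL_AARCH64 && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP`, with both hunk line counts adjusted. Separately, the `sysctl` call checks only the return value. Also checking the returned length, `if (sysctl(isar0_mib, 2, &cpu_id, &len, NULL, 0) < 0 || len != sizeof(cpu_id)) return;`, keeps a short result from being decoded as feature bits. `<stdio.h>` looks unused in the lines shown.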