Oh, "@option is-branch" can go away because the pkgname stem is different
(boringssl vs boringssl-fips). With that, ok sthen
--
Sent from a phone, apologies for poor formatting.
On 28 April 2023 18:22:15 Bob Beck <beck@obtuse.com> wrote:
> On Fri, Apr 28, 2023 at 05:46:03PM +0100, Stuart Henderson wrote:
>> Haven't checked (I'm away for the weekend) but I don't think "+@conflict
>> boringssl-2*" will work, it should follow packages-specs(7) syntax. Probably
>> just "@conflict boringssl-*" or alternatively just call the package for head
>> "boringssl" as before and don't bother with the @conflict or quirks just the
>> @pkgpath.
>>
>> Would it be worth installing fips under a different dir/filenames so the two
>> don't conflict?
>>
>
> Yes, the agreement is this is fine, which makes things much simpler
>
> this keeps the head named boringssl-foo and makes fips named
> boringssl-fips-foo
>
> ok?
>
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/boringssl/Makefile,v
> retrieving revision 1.5
> diff -u -p -u -p -r1.5 Makefile
> --- Makefile 26 Apr 2023 15:10:07 -0000 1.5
> +++ Makefile 28 Apr 2023 16:00:04 -0000
> @@ -1,52 +1,5 @@
> -NOT_FOR_ARCHS = ${BE_ARCHS}
> +SUBDIR =
> +SUBDIR += fips
> +SUBDIR += head
>
> -COMMENT = fork of OpenSSL that is designed to meet Google's needs
> -
> -GH_ACCOUNT = google
> -GH_PROJECT = boringssl
> -GH_COMMIT = de2d610a341f5a4b8c222425890537cb84c91400
> -DISTNAME = boringssl-20230425
> -
> -MASTER_SITES0 = https://proxy.golang.org/
> -
> -DISTFILES += ${GH_DISTFILE}
> -# can't use GH_DISTFILE because EXTRACT_ONLY does not understand DISTFILES {}
> -EXTRACT_ONLY = ${DISTNAME}-${GH_COMMIT:C/(........).*/\1/}${EXTRACT_SUFX}
> -
> -BORING_GOMOD += golang.org/x/crypto v0.6.0
> -BORING_GOMOD += golang.org/x/net v0.7.0
> -BORING_GOMOD += golang.org/x/sys v0.5.0
> -BORING_GOMOD += golang.org/x/term v0.5.0
> -
> -.for _modpath _modver in ${BORING_GOMOD}
> -DISTFILES += go_modules/{}${_modpath}/@v/${_modver}.zip:0
> -DISTFILES += go_modules/{}${_modpath}/@v/${_modver}.mod:0
> -.endfor
> -
> -CATEGORIES = security
> -
> -MAINTAINER = Bob Beck <beck@openbsd.org>, \
> - Theo Buehler <tb@openbsd.org>
> -
> -# ISC
> -PERMIT_PACKAGE = Yes
> -
> -WANTLIB += ${COMPILER_LIBCXX} c m
> -
> -# C++14
> -COMPILER = base-clang ports-gcc
> -
> -MODULES = devel/cmake
> -CONFIGURE_ARGS += -DCMAKE_INSTALL_PREFIX=${PREFIX}/eboringssl
> -
> -BUILD_DEPENDS = lang/go
> -
> -PORTHOME = ${WRKDIR}
> -TEST_ENV = GOPROXY=file://${FULLDISTDIR}/go_modules
> -
> -FIX_CLEANUP_PERMISSIONS = Yes
> -
> -do-test:
> - ${SETENV} ${ALL_TEST_ENV} ninja -C ${WRKBUILD} -j ${MAKE_JOBS} run_tests
> -
> -.include <bsd.port.mk>
> +.include <bsd.port.subdir.mk>
> Index: distinfo
> ===================================================================
> RCS file: distinfo
> diff -N distinfo
> --- distinfo 26 Apr 2023 14:55:23 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,18 +0,0 @@
> -SHA256 (boringssl-20230425-de2d610a.tar.gz) =
> 2Bu5eOgBxqNUcTDevIpOjPGgJ/GBatu1ZtbVDTCDppQ=
> -SHA256 (go_modules/golang.org/x/crypto/@v/v0.6.0.mod) =
> G2poNFWjuIK2rFPyJ1KWDoe9kQQKlNbyxcthJh4jidg=
> -SHA256 (go_modules/golang.org/x/crypto/@v/v0.6.0.zip) =
> gcqIrzcc/1qERCuijiPY9CzME4fI/hUuVeh7pK+eGsc=
> -SHA256 (go_modules/golang.org/x/net/@v/v0.7.0.mod) =
> Qex26iFy8+4wMeOPmlNZOaWE1rs170gIVP3LjCAmcBs=
> -SHA256 (go_modules/golang.org/x/net/@v/v0.7.0.zip) =
> BgVSBkUmqQrJsL3OK6CrNFkt7MlCjRRBw8lyL4U80pA=
> -SHA256 (go_modules/golang.org/x/sys/@v/v0.5.0.mod) =
> 8DMzMJb+GY8xUd7tk/LeunTlC7/nc5E0BFvDt85KUCQ=
> -SHA256 (go_modules/golang.org/x/sys/@v/v0.5.0.zip) =
> z0czasG/Z1+m1t1axTmbAUPFE0BMRJ+j8zgKWBI8eQg=
> -SHA256 (go_modules/golang.org/x/term/@v/v0.5.0.mod) =
> DW9YIoqtwaZSjmdV2gGFFlZuOuXFIB963hdz9W+o2TQ=
> -SHA256 (go_modules/golang.org/x/term/@v/v0.5.0.zip) =
> fYnEmrQTBpUBKKD0t8Z/uOLS9jfs6OAk5s840XozGTs=
> -SIZE (boringssl-20230425-de2d610a.tar.gz) = 32281549
> -SIZE (go_modules/golang.org/x/crypto/@v/v0.6.0.mod) = 171
> -SIZE (go_modules/golang.org/x/crypto/@v/v0.6.0.zip) = 1761232
> -SIZE (go_modules/golang.org/x/net/@v/v0.7.0.mod) = 123
> -SIZE (go_modules/golang.org/x/net/@v/v0.7.0.zip) = 1559354
> -SIZE (go_modules/golang.org/x/sys/@v/v0.5.0.mod) = 33
> -SIZE (go_modules/golang.org/x/sys/@v/v0.5.0.zip) = 1886681
> -SIZE (go_modules/golang.org/x/term/@v/v0.5.0.mod) = 67
> -SIZE (go_modules/golang.org/x/term/@v/v0.5.0.zip) = 19924
> Index: fips/Makefile
> ===================================================================
> RCS file: fips/Makefile
> diff -N fips/Makefile
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ fips/Makefile 28 Apr 2023 16:59:05 -0000
> @@ -0,0 +1,31 @@
> +NOT_FOR_ARCHS = ${BE_ARCHS}
> +
> +COMMENT = fork of OpenSSL that is designed to meet Google's needs
> +
> +GH_ACCOUNT = google
> +GH_PROJECT = boringssl
> +GH_COMMIT = 0c6f40132b828e92ba365c6b7680e32820c63fa7
> +DISTNAME = boringssl-fips-20220613
> +
> +CATEGORIES = security
> +
> +MAINTAINER = Bob Beck <beck@openbsd.org>, \
> + Theo Buehler <tb@openbsd.org>
> +
> +# ISC
> +PERMIT_PACKAGE = Yes
> +
> +WANTLIB += ${COMPILER_LIBCXX} c m
> +
> +# C++14
> +COMPILER = base-clang ports-gcc
> +
> +MODULES = devel/cmake
> +CONFIGURE_ARGS += -DCMAKE_INSTALL_PREFIX=${PREFIX}/eboringssl-fips
> +
> +# XXX picked up for tests, needs more love
> +BUILD_DEPENDS = lang/go
> +
> +PORTHOME = ${WRKSRC}
> +
> +.include <bsd.port.mk>
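Review bot: Nothing in fips/Makefile tells a reader how this build differs from head beyond GH_COMMIT, DISTNAME and the install prefix: CONFIGURE_ARGS sets only `-DCMAKE_INSTALL_PREFIX=${PREFIX}/eboringssl-fips`, and COMMENT is the same string the removed top-level Makefile used. Someone installing boringssl-fips could reasonably assume a FIPS-mode or validated build. If the port is only a snapshot of the upstream FIPS branch source, say so with a comment above CONFIGURE_ARGS such as `# snapshot of the upstream FIPS branch; not built in FIPS mode, not a validated module`, and give it a COMMENT that differs from head. The `# XXX picked up for tests, needs more love` line also deserves a follow-up, because the do-test target, TEST_ENV and Go module distfiles that the old Makefile carried are all absent here.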
> Index: fips/distinfo
> ===================================================================
> RCS file: fips/distinfo
> diff -N fips/distinfo
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ fips/distinfo 28 Apr 2023 15:59:02 -0000
> @@ -0,0 +1,2 @@
> +SHA256 (boringssl-fips-20220613-0c6f4013.tar.gz) =
> 74Cpfr7wVFH9ONvafKkwSW+uetEI8yA/iAXwjCXJSlE=
> +SIZE (boringssl-fips-20220613-0c6f4013.tar.gz) = 30902288
> Index: fips/patches/patch-CMakeLists_txt
> ===================================================================
> RCS file: fips/patches/patch-CMakeLists_txt
> diff -N fips/patches/patch-CMakeLists_txt
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ fips/patches/patch-CMakeLists_txt 28 Apr 2023 15:59:02 -0000
> @@ -0,0 +1,12 @@
> +Index: CMakeLists.txt
> +--- CMakeLists.txt.orig
> ++++ CMakeLists.txt
> +@@ -132,7 +132,7 @@ endif()
> + if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)
> + # Note clang-cl is odd and sets both CLANG and MSVC. We base our
> configuration
> + # primarily on our normal Clang one.
> +- set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare
> -Wmissing-field-initializers -Wwrite-strings -Wvla -Wshadow")
> ++ set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare
> -Wmissing-field-initializers -Wwrite-strings -Wshadow")
> + if(MSVC)
> + # clang-cl sets different default warnings than clang. It also treats
> -Wall
> + # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall.
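Review bot: The patch drops `-Wvla` from C_CXX_FLAGS without recording why, while `-Werror` stays in place. A one-line comment above `Index: CMakeLists.txt`, for example `Drop -Wvla: <file that trips the warning> fails under -Werror on OpenBSD` (placeholder, fill in the real cause), would let the next person updating the port tell whether the patch is still needed. The enclosing `if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)` block continues outside the hunk.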
> Index: fips/patches/patch-crypto_CMakeLists_txt
> ===================================================================
> RCS file: fips/patches/patch-crypto_CMakeLists_txt
> diff -N fips/patches/patch-crypto_CMakeLists_txt
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ fips/patches/patch-crypto_CMakeLists_txt 28 Apr 2023 15:59:02 -0000
> @@ -0,0 +1,14 @@
> +Index: crypto/CMakeLists.txt
> +--- crypto/CMakeLists.txt.orig
> ++++ crypto/CMakeLists.txt
> +@@ -266,8 +266,10 @@ add_library(
> + cpu_aarch64_apple.c
> + cpu_aarch64_fuchsia.c
> + cpu_aarch64_linux.c
> ++ cpu_aarch64_openbsd.c
> + cpu_aarch64_win.c
> + cpu_arm_linux.c
> ++ cpu_arm_openbsd.c
> + cpu_arm.c
> + cpu_intel.c
> + cpu_ppc64le.c
> Index: fips/patches/patch-crypto_cpu_aarch64_openbsd_c
> ===================================================================
> RCS file: fips/patches/patch-crypto_cpu_aarch64_openbsd_c
> diff -N fips/patches/patch-crypto_cpu_aarch64_openbsd_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ fips/patches/patch-crypto_cpu_aarch64_openbsd_c 28 Apr 2023 15:59:02 -0000
> @@ -0,0 +1,61 @@
> +Index: crypto/cpu_aarch64_openbsd.c
> +--- crypto/cpu_aarch64_openbsd.c.orig
> ++++ crypto/cpu_aarch64_openbsd.c
> +@@ -0,0 +1,57 @@
> ++/* Copyright (c) 2022, Robert Nagy <robert@openbsd.org>
> ++ *
> ++ * Permission to use, copy, modify, and/or distribute this software for any
> ++ * purpose with or without fee is hereby granted, provided that the above
> ++ * copyright notice and this permission notice appear in all copies.
> ++ *
> ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE
> FOR ANY
> ++ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> ACTION
> ++ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
> ++ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
> ++
> ++#include <openssl/cpu.h>
> ++
> ++#if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && \
> ++ !defined(OPENSSL_STATIC_ARMCAP)
> ++
> ++#include <sys/sysctl.h>
> ++#include <machine/cpu.h>
> ++#include <machine/armreg.h>
> ++#include <stdio.h>
> ++
> ++#include <openssl/arm_arch.h>
> ++
> ++#include "internal.h"
> ++
> ++extern uint32_t OPENSSL_armcap_P;
> ++
> ++void OPENSSL_cpuid_setup(void) {
> ++ int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 };
> ++ size_t len = sizeof(uint64_t);
> ++ uint64_t cpu_id = 0;
> ++
> ++ if (sysctl(isar0_mib, 2, &cpu_id, &len, NULL, 0) < 0)
> ++ return;
> ++
> ++ OPENSSL_armcap_P |= ARMV7_NEON;
> ++
> ++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_BASE)
> ++ OPENSSL_armcap_P |= ARMV8_AES;
> ++
> ++ if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_PMULL)
> ++ OPENSSL_armcap_P |= ARMV8_PMULL;
> ++
> ++ if (ID_AA64ISAR0_SHA1(cpu_id) >= ID_AA64ISAR0_SHA1_BASE)
> ++ OPENSSL_armcap_P |= ARMV8_SHA1;
> ++
> ++ if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_BASE)
> ++ OPENSSL_armcap_P |= ARMV8_SHA256;
> ++
> ++ if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_512)
> ++ OPENSSL_armcap_P |= ARMV8_SHA512;
> ++}
> ++
> ++
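Review bot: As shown, the `#if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && !defined(OPENSSL_STATIC_ARMCAP)` block opened near the top of the new file has no matching `#endif` within the 57 lines the inner hunk declares; the file ends with two blank lines after the closing brace of OPENSSL_cpuid_setup. patch-crypto_CMakeLists_txt appears to add cpu_aarch64_openbsd.c to the source list unconditionally, so an unterminated conditional would fail to preprocess on every architecture, not just aarch64. The last line should be `#endif  // OPENSSL_AARCH64 && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP`, with the hunk line counts adjusted to match. Separately, ARMV7_NEON is set only after the sysctl succeeds, so a failed sysctl leaves every capability bit clear; a short comment stating that this is the intended conservative fallback would help, and `#include <stdio.h>` looks unused in the lines visible here.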