git: 616156f8e6ea - stable/14 - secure: hook up libecc as libpkgecc
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 11 Jan 2025 02:48:55 UTC
The branch stable/14 has been updated by kevans:
URL: https://cgit.FreeBSD.org/src/commit/?id=616156f8e6eaefe5e3e0df6621129f4bf9003344
commit 616156f8e6eaefe5e3e0df6621129f4bf9003344
Author: Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2025-01-01 21:10:27 +0000
Commit: Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2025-01-11 02:48:24 +0000
secure: hook up libecc as libpkgecc
libecc is not intended to be general use, other applications should
really be using openssl. pkg(7) uses libecc to align with the pkg(8)
project and its goals. This will be used in the upcoming support for
ECC in pkg(7).
Reviewed by: emaste
(cherry picked from commit 05427f4639bcf2703329a9be9d25ec09bb782742)
---
secure/lib/Makefile | 2 +-
secure/lib/libpkgecc/Makefile | 137 +++++++++++++++++++++++++++++++++
secure/lib/libpkgecc/pkg_libecc_rand.c | 22 ++++++
share/mk/src.libnames.mk | 4 +
4 files changed, 164 insertions(+), 1 deletion(-)
diff --git a/secure/lib/Makefile b/secure/lib/Makefile
index b4b586fa6585..bc659916e152 100644
--- a/secure/lib/Makefile
+++ b/secure/lib/Makefile
@@ -1,7 +1,7 @@
.include <src.opts.mk>
-SUBDIR=
+SUBDIR= libpkgecc
.if ${MK_OPENSSL} != "no"
SUBDIR+=libcrypto libssl
.if ${MK_OPENSSH} != "no"
diff --git a/secure/lib/libpkgecc/Makefile b/secure/lib/libpkgecc/Makefile
new file mode 100644
index 000000000000..476cd8635aeb
--- /dev/null
+++ b/secure/lib/libpkgecc/Makefile
@@ -0,0 +1,137 @@
+
+# STOP - This is not a general purpose library and is only for use by pkg(7)
+# to align with the implementation in pkg(8).
+LIB= pkgecc
+INTERNALLIB=
+
+.PATH: $(SRCTOP)/crypto/libecc
+SRCS+= pkg_libecc_rand.c
+
+# curves_mod_src
+.PATH: $(SRCTOP)/crypto/libecc/src/curves
+SRCS+= aff_pt.c \
+ aff_pt_montgomery.c \
+ ec_edwards.c \
+ ec_montgomery.c \
+ ec_params.c \
+ ec_shortw.c \
+ aff_pt_edwards.c \
+ curves.c \
+ prj_pt.c
+
+# utils_ec_src
+.PATH: $(SRCTOP)/crypto/libecc/src/utils
+SRCS+= print_curves.c
+
+# fp_mod_src
+.PATH: $(SRCTOP)/crypto/libecc/src/fp
+SRCS+= fp_add.c \
+ fp.c \
+ fp_montgomery.c \
+ fp_mul.c \
+ fp_mul_redc1.c \
+ fp_pow.c \
+ fp_rand.c \
+ fp_sqrt.c
+
+# nn_mod_src
+.PATH: $(SRCTOP)/crypto/libecc/src/nn
+SRCS+= nn_add.c \
+ nn.c \
+ nn_div.c \
+ nn_logical.c \
+ nn_modinv.c \
+ nn_mod_pow.c \
+ nn_mul.c \
+ nn_mul_redc1.c \
+ nn_rand.c
+
+# utils_arith_src
+SRCS+= utils.c \
+ utils_rand.c \
+ print_buf.c \
+ print_fp.c \
+ print_nn.c
+
+## libsign bits
+# hash_mod_src
+.PATH: $(SRCTOP)/crypto/libecc/src/hash
+SRCS+= hash_algs.c \
+ sm3.c \
+ streebog.c \
+ ripemd160.c \
+ belt-hash.c \
+ hmac.c \
+ bash224.c \
+ bash256.c \
+ bash384.c \
+ bash512.c \
+ bash.c \
+ sha224.c \
+ sha256.c \
+ sha3-224.c \
+ sha3-256.c \
+ sha3-384.c \
+ sha3-512.c \
+ sha384.c \
+ sha3.c \
+ sha512-224.c \
+ sha512-256.c \
+ sha512.c \
+ sha512_core.c \
+ shake256.c \
+ shake.c
+
+# sig_mod_src
+.PATH: $(SRCTOP)/crypto/libecc/src/sig
+SRCS+= decdsa.c \
+ ecdsa.c \
+ ecfsdsa.c \
+ ecgdsa.c \
+ eckcdsa.c \
+ ecosdsa.c \
+ ecrdsa.c \
+ ecsdsa.c \
+ eddsa.c \
+ fuzzing_ecdsa.c \
+ fuzzing_ecgdsa.c \
+ fuzzing_ecrdsa.c \
+ ecdsa_common.c \
+ ecsdsa_common.c \
+ sig_algs.c \
+ sm2.c \
+ bign_common.c \
+ bign.c \
+ dbign.c \
+ bip0340.c
+
+# key_mod_src
+SRCS+= ec_key.c
+
+# utils_sign_src
+.PATH: $(SRCTOP)/crypto/libecc/src/sig
+SRCS+= print_keys.c
+
+# ecdh_mod_src
+.PATH: $(SRCTOP)/crypto/libecc/src/ecdh
+SRCS+= ecccdh.c \
+ x25519_448.c
+
+# external_deps
+.PATH: $(SRCTOP)/crypto/libecc/src/external_deps
+SRCS+= print.c
+
+CONFLICTS= -Dsha256_init=_libecc_sha256_init \
+ -Dsha256_update=_libecc_sha256_update \
+ -Dsha256_final=_libecc_sha256_final \
+ -Dsha512_224_init=_libecc_sha512_224_init \
+ -Dsha512_256_init=_libecc_sha512_256_init
+
+CFLAGS= -I$(SRCTOP)/crypto/libecc/include \
+ -ffreestanding \
+ -fno-builtin \
+ -DUSE_WARN_UNUSED_RET \
+ -DWITH_STDLIB \
+ $(CONFLICTS)
+
+.include <bsd.lib.mk>
diff --git a/secure/lib/libpkgecc/pkg_libecc_rand.c b/secure/lib/libpkgecc/pkg_libecc_rand.c
new file mode 100644
index 000000000000..c190c9094538
--- /dev/null
+++ b/secure/lib/libpkgecc/pkg_libecc_rand.c
@@ -0,0 +1,22 @@
+/* SPDX-License-Identifier: Unlicense */
+#include <sys/types.h>
+#include <stdlib.h>
+
+#include <libecc/external_deps/rand.h>
+
+int
+get_random(unsigned char *buf, uint16_t len)
+{
+
+ /*
+ * We need random numbers even in a sandbox, so we can't use
+ * /dev/urandom as the external_deps version of get_random() does on
+ * FreeBSD. arc4random_buf() is a better choice because it uses the
+ * underlying getrandom(2) instead of needing to open a device handle.
+ *
+ * We don't have any guarantees that this won't open a device on other
+ * platforms, but we also don't do any sandboxing on those platforms.
+ */
+ arc4random_buf(buf, len);
+ return 0;
+}
diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk
index 9cba6c8cc7c3..837d6f842da3 100644
--- a/share/mk/src.libnames.mk
+++ b/share/mk/src.libnames.mk
@@ -61,6 +61,7 @@ _INTERNALLIBS= \
parse \
pe \
pfctl \
+ pkgecc \
pmcstat \
sl \
sm \
@@ -616,6 +617,9 @@ LIBBSNMPTOOLS?= ${LIBBSNMPTOOLSDIR}/libbsnmptools${PIE_SUFFIX}.a
LIBBE?= ${LIBBEDIR}/libbe${PIE_SUFFIX}.a
+LIBPKGECCDIR= ${_LIB_OBJTOP}/secure/lib/libpkgecc
+LIBPKGECC?= ${LIBPKGECCDIR}/libpkgecc${PIE_SUFFIX}.a
+
LIBPMCSTATDIR= ${_LIB_OBJTOP}/lib/libpmcstat
LIBPMCSTAT?= ${LIBPMCSTATDIR}/libpmcstat${PIE_SUFFIX}.a