From nobody Wed Jan 01 21:11:39 2025
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YNjFR5LDhz5jCpj;
	Wed, 01 Jan 2025 21:11:39 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4YNjFR37N8z4jlB;
	Wed,  1 Jan 2025 21:11:39 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1735765899;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=mGJtjBPe8g3o6nx3G+H8IR9yfNR+dVvqwQxKrrpMbMs=;
	b=tKOj2VK5MY6UJYxMhneZ7Ef8fZYNVElA/wyvuWVIpmj49Pii6Z0Y3lDwqI4UlZWf2aMwtI
	0QVoZpLqeyfuLas6/yBWSGMjtX7iR17sdBgrpZyWk+QPyIy/hyyUzZqmMN+1rXG8kTRWWx
	W505KrbNPSPrNcyQzw9sJC1tzSgN+fil4CfsX0OeygTRfhfkHG8j+rjbQaMpWvU3kb2AP4
	WR/lXpnZlRLy98kWd7YPKO864Ns1yRjTSZub9qfMakXXDKXjtaPaudOexIJ7MTRNdkEaLF
	zUUjSE5OC6VXtguapOZVHR1+EIDtY0m6+1/p6UQQYxPJmz5szNcarcfyTtgBZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1735765899;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=mGJtjBPe8g3o6nx3G+H8IR9yfNR+dVvqwQxKrrpMbMs=;
	b=aNTuF7F50wCvswKZWN9vLQ9zFsxmWohZjDI9cILORGngGamkyRRgMWSO4C7Qak/gXWJQKr
	nTMTc9QoFPG/V5yc1QlZL6XDWabjJdMQMW2cyT0MxEvOatCjFZJb8LLU3RcLKu/99+tiZA
	o0KzdR2BJHO7PGaydAiGdRFPnv3NsKY3/IlTzhVJ7PUiNX87hJjbjfzTybixhbC4E0Kjwn
	Cx0TLGsokOXC99Oby5V30CkdUYQMkrbuWe4InJX+wVZO4U+Q85ucFpJ1NmRh5p6kW5RHoM
	mXBTpr/IviAhSpcnQyO8jNWFH6Lv6vNVr1QcXbuvYiUHWG+t6MzAHaM6aetB9Q==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1735765899; a=rsa-sha256; cv=none;
	b=S3tZzutTHnjLdGwxX6FJJAvS9H8ZI+RnFc8q1Kf5SugGEXXibItFEP5SUhg/JVWlR3xEhr
	PlpW3fFdpE3XItt2Uc9XJaOeg5QJxS/YeBjCFbktIGEzTDNcd746aom7Nm/xv3FX6Ss+iZ
	7/IUj4vN7p/3QTdPQeURP6cW4Dp9zWLVMuw4EEHBVGH5HCVSdCrsjrumpSZ1LFzDQex6Rz
	KVxrOiXTEXz91GawRHepI9oyRmI0+ErYDYbMjBC2w1d97d6vepmAPCe7USZuD7OR36qleu
	q5oittNQYHF2uonaEyw2Qy4saIrCyMZNkEvMDX0o8TyezxmVBNC9D25e4WJSUw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4YNjFR2htHzh3R;
	Wed,  1 Jan 2025 21:11:39 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 501LBdTj079974;
	Wed, 1 Jan 2025 21:11:39 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 501LBdmJ079971;
	Wed, 1 Jan 2025 21:11:39 GMT
	(envelope-from git)
Date: Wed, 1 Jan 2025 21:11:39 GMT
Message-Id: <202501012111.501LBdmJ079971@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Kyle Evans <kevans@FreeBSD.org>
Subject: git: 05427f4639bc - main - secure: hook up libecc as
  libpkgecc
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 05427f4639bcf2703329a9be9d25ec09bb782742
Auto-Submitted: auto-generated

The branch main has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=05427f4639bcf2703329a9be9d25ec09bb782742

commit 05427f4639bcf2703329a9be9d25ec09bb782742
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2025-01-01 21:10:27 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2025-01-01 21:11:22 +0000

    secure: hook up libecc as libpkgecc
    
    libecc is not intended to be general use, other applications should
    really be using openssl.  pkg(7) uses libecc to align with the pkg(8)
    project and its goals.  This will be used in the upcoming support for
    ECC in pkg(7).
    
    Reviewed by:    emaste
    Differential Revision:  https://reviews.freebsd.org/D48117
---
 secure/lib/Makefile                    |   2 +-
 secure/lib/libpkgecc/Makefile          | 137 +++++++++++++++++++++++++++++++++
 secure/lib/libpkgecc/pkg_libecc_rand.c |  22 ++++++
 share/mk/src.libnames.mk               |   4 +
 4 files changed, 164 insertions(+), 1 deletion(-)

diff --git a/secure/lib/Makefile b/secure/lib/Makefile
index 195fef28501c..6364327d7088 100644
--- a/secure/lib/Makefile
+++ b/secure/lib/Makefile
@@ -1,6 +1,6 @@
 .include <src.opts.mk>
 
-SUBDIR= 
+SUBDIR= libpkgecc
 .if ${MK_OPENSSL} != "no"
 SUBDIR+=libcrypto libssl
 .if ${MK_OPENSSH} != "no"
diff --git a/secure/lib/libpkgecc/Makefile b/secure/lib/libpkgecc/Makefile
new file mode 100644
index 000000000000..476cd8635aeb
--- /dev/null
+++ b/secure/lib/libpkgecc/Makefile
@@ -0,0 +1,137 @@
+
+# STOP - This is not a general purpose library and is only for use by pkg(7)
+# to align with the implementation in pkg(8).
+LIB=	pkgecc
+INTERNALLIB=
+
+.PATH: $(SRCTOP)/crypto/libecc
+SRCS+=	pkg_libecc_rand.c
+
+# curves_mod_src
+.PATH:	$(SRCTOP)/crypto/libecc/src/curves
+SRCS+=	aff_pt.c \
+	aff_pt_montgomery.c \
+	ec_edwards.c \
+	ec_montgomery.c \
+	ec_params.c \
+	ec_shortw.c \
+	aff_pt_edwards.c \
+	curves.c \
+	prj_pt.c
+
+# utils_ec_src
+.PATH:	$(SRCTOP)/crypto/libecc/src/utils
+SRCS+=	print_curves.c
+
+# fp_mod_src
+.PATH:	$(SRCTOP)/crypto/libecc/src/fp
+SRCS+=	fp_add.c \
+	fp.c \
+	fp_montgomery.c \
+	fp_mul.c \
+	fp_mul_redc1.c \
+	fp_pow.c \
+	fp_rand.c \
+	fp_sqrt.c
+
+# nn_mod_src
+.PATH:	$(SRCTOP)/crypto/libecc/src/nn
+SRCS+=	nn_add.c \
+	nn.c \
+	nn_div.c \
+	nn_logical.c \
+	nn_modinv.c \
+	nn_mod_pow.c \
+	nn_mul.c \
+	nn_mul_redc1.c \
+	nn_rand.c
+
+# utils_arith_src
+SRCS+=	utils.c \
+	utils_rand.c \
+	print_buf.c \
+	print_fp.c \
+	print_nn.c
+
+## libsign bits
+# hash_mod_src
+.PATH:	$(SRCTOP)/crypto/libecc/src/hash
+SRCS+=	hash_algs.c \
+	sm3.c \
+	streebog.c \
+	ripemd160.c \
+	belt-hash.c \
+	hmac.c \
+	bash224.c \
+	bash256.c \
+	bash384.c \
+	bash512.c \
+	bash.c \
+	sha224.c \
+	sha256.c \
+	sha3-224.c \
+	sha3-256.c \
+	sha3-384.c \
+	sha3-512.c \
+	sha384.c \
+	sha3.c \
+	sha512-224.c \
+	sha512-256.c \
+	sha512.c \
+	sha512_core.c \
+	shake256.c \
+	shake.c
+
+# sig_mod_src
+.PATH:	$(SRCTOP)/crypto/libecc/src/sig
+SRCS+=	decdsa.c \
+	ecdsa.c \
+	ecfsdsa.c \
+	ecgdsa.c \
+	eckcdsa.c \
+	ecosdsa.c \
+	ecrdsa.c \
+	ecsdsa.c \
+	eddsa.c \
+	fuzzing_ecdsa.c \
+	fuzzing_ecgdsa.c \
+	fuzzing_ecrdsa.c \
+	ecdsa_common.c \
+	ecsdsa_common.c \
+	sig_algs.c \
+	sm2.c \
+	bign_common.c \
+	bign.c \
+	dbign.c \
+	bip0340.c
+
+# key_mod_src
+SRCS+=	ec_key.c
+
+# utils_sign_src
+.PATH:	$(SRCTOP)/crypto/libecc/src/sig
+SRCS+=	print_keys.c
+
+# ecdh_mod_src
+.PATH:	$(SRCTOP)/crypto/libecc/src/ecdh
+SRCS+=	ecccdh.c \
+	x25519_448.c
+
+# external_deps
+.PATH:	$(SRCTOP)/crypto/libecc/src/external_deps
+SRCS+=	print.c
+
+CONFLICTS=	-Dsha256_init=_libecc_sha256_init \
+		-Dsha256_update=_libecc_sha256_update \
+		-Dsha256_final=_libecc_sha256_final \
+		-Dsha512_224_init=_libecc_sha512_224_init \
+		-Dsha512_256_init=_libecc_sha512_256_init
+
+CFLAGS=		-I$(SRCTOP)/crypto/libecc/include \
+		-ffreestanding \
+		-fno-builtin \
+		-DUSE_WARN_UNUSED_RET \
+		-DWITH_STDLIB \
+		$(CONFLICTS)
+
+.include <bsd.lib.mk>
diff --git a/secure/lib/libpkgecc/pkg_libecc_rand.c b/secure/lib/libpkgecc/pkg_libecc_rand.c
new file mode 100644
index 000000000000..c190c9094538
--- /dev/null
+++ b/secure/lib/libpkgecc/pkg_libecc_rand.c
@@ -0,0 +1,22 @@
+/* SPDX-License-Identifier: Unlicense */
+#include <sys/types.h>
+#include <stdlib.h>
+
+#include <libecc/external_deps/rand.h>
+
+int
+get_random(unsigned char *buf, uint16_t len)
+{
+
+	/*
+	 * We need random numbers even in a sandbox, so we can't use
+	 * /dev/urandom as the external_deps version of get_random() does on
+	 * FreeBSD.  arc4random_buf() is a better choice because it uses the
+	 * underlying getrandom(2) instead of needing to open a device handle.
+	 *
+	 * We don't have any guarantees that this won't open a device on other
+	 * platforms, but we also don't do any sandboxing on those platforms.
+	 */
+	arc4random_buf(buf, len);
+	return 0;
+}
diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk
index f693e3ae7c16..02a495db7711 100644
--- a/share/mk/src.libnames.mk
+++ b/share/mk/src.libnames.mk
@@ -64,6 +64,7 @@ _INTERNALLIBS=	\
 		parse \
 		pe \
 		pfctl \
+		pkgecc \
 		pmcstat \
 		sl \
 		sm \
@@ -644,6 +645,9 @@ LIBBSNMPTOOLS?=	${LIBBSNMPTOOLSDIR}/libbsnmptools${PIE_SUFFIX}.a
 
 LIBBE?=		${LIBBEDIR}/libbe${PIE_SUFFIX}.a
 
+LIBPKGECCDIR=	${_LIB_OBJTOP}/secure/lib/libpkgecc
+LIBPKGECC?=	${LIBPKGECCDIR}/libpkgecc${PIE_SUFFIX}.a
+
 LIBPMCSTATDIR=	${_LIB_OBJTOP}/lib/libpmcstat
 LIBPMCSTAT?=	${LIBPMCSTATDIR}/libpmcstat${PIE_SUFFIX}.a