From 05427f4639bcf2703329a9be9d25ec09bb782742 Mon Sep 17 00:00:00 2001 From: Kyle Evans Date: Wed, 1 Jan 2025 15:10:27 -0600 Subject: [PATCH] secure: hook up libecc as libpkgecc libecc is not intended to be general use, other applications should really be using openssl. pkg(7) uses libecc to align with the pkg(8) project and its goals. This will be used in the upcoming support for ECC in pkg(7). Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D48117 --- secure/lib/Makefile | 2 +- secure/lib/libpkgecc/Makefile | 137 +++++++++++++++++++++++++ secure/lib/libpkgecc/pkg_libecc_rand.c | 22 ++++ share/mk/src.libnames.mk | 4 + 4 files changed, 164 insertions(+), 1 deletion(-) create mode 100644 secure/lib/libpkgecc/Makefile create mode 100644 secure/lib/libpkgecc/pkg_libecc_rand.c diff --git a/secure/lib/Makefile b/secure/lib/Makefile index 195fef28501..6364327d708 100644 --- a/secure/lib/Makefile +++ b/secure/lib/Makefile @@ -1,6 +1,6 @@ .include -SUBDIR= +SUBDIR= libpkgecc .if ${MK_OPENSSL} != "no" SUBDIR+=libcrypto libssl .if ${MK_OPENSSH} != "no" diff --git a/secure/lib/libpkgecc/Makefile b/secure/lib/libpkgecc/Makefile new file mode 100644 index 00000000000..476cd8635ae --- /dev/null +++ b/secure/lib/libpkgecc/Makefile @@ -0,0 +1,137 @@ + +# STOP - This is not a general purpose library and is only for use by pkg(7) +# to align with the implementation in pkg(8). +LIB= pkgecc +INTERNALLIB= + +.PATH: $(SRCTOP)/crypto/libecc +SRCS+= pkg_libecc_rand.c + +# curves_mod_src +.PATH: $(SRCTOP)/crypto/libecc/src/curves +SRCS+= aff_pt.c \ + aff_pt_montgomery.c \ + ec_edwards.c \ + ec_montgomery.c \ + ec_params.c \ + ec_shortw.c \ + aff_pt_edwards.c \ + curves.c \ + prj_pt.c + +# utils_ec_src +.PATH: $(SRCTOP)/crypto/libecc/src/utils +SRCS+= print_curves.c + +# fp_mod_src +.PATH: $(SRCTOP)/crypto/libecc/src/fp +SRCS+= fp_add.c \ + fp.c \ + fp_montgomery.c \ + fp_mul.c \ + fp_mul_redc1.c \ + fp_pow.c \ + fp_rand.c \ + fp_sqrt.c + +# nn_mod_src +.PATH: $(SRCTOP)/crypto/libecc/src/nn +SRCS+= nn_add.c \ + nn.c \ + nn_div.c \ + nn_logical.c \ + nn_modinv.c \ + nn_mod_pow.c \ + nn_mul.c \ + nn_mul_redc1.c \ + nn_rand.c + +# utils_arith_src +SRCS+= utils.c \ + utils_rand.c \ + print_buf.c \ + print_fp.c \ + print_nn.c + +## libsign bits +# hash_mod_src +.PATH: $(SRCTOP)/crypto/libecc/src/hash +SRCS+= hash_algs.c \ + sm3.c \ + streebog.c \ + ripemd160.c \ + belt-hash.c \ + hmac.c \ + bash224.c \ + bash256.c \ + bash384.c \ + bash512.c \ + bash.c \ + sha224.c \ + sha256.c \ + sha3-224.c \ + sha3-256.c \ + sha3-384.c \ + sha3-512.c \ + sha384.c \ + sha3.c \ + sha512-224.c \ + sha512-256.c \ + sha512.c \ + sha512_core.c \ + shake256.c \ + shake.c + +# sig_mod_src +.PATH: $(SRCTOP)/crypto/libecc/src/sig +SRCS+= decdsa.c \ + ecdsa.c \ + ecfsdsa.c \ + ecgdsa.c \ + eckcdsa.c \ + ecosdsa.c \ + ecrdsa.c \ + ecsdsa.c \ + eddsa.c \ + fuzzing_ecdsa.c \ + fuzzing_ecgdsa.c \ + fuzzing_ecrdsa.c \ + ecdsa_common.c \ + ecsdsa_common.c \ + sig_algs.c \ + sm2.c \ + bign_common.c \ + bign.c \ + dbign.c \ + bip0340.c + +# key_mod_src +SRCS+= ec_key.c + +# utils_sign_src +.PATH: $(SRCTOP)/crypto/libecc/src/sig +SRCS+= print_keys.c + +# ecdh_mod_src +.PATH: $(SRCTOP)/crypto/libecc/src/ecdh +SRCS+= ecccdh.c \ + x25519_448.c + +# external_deps +.PATH: $(SRCTOP)/crypto/libecc/src/external_deps +SRCS+= print.c + +CONFLICTS= -Dsha256_init=_libecc_sha256_init \ + -Dsha256_update=_libecc_sha256_update \ + -Dsha256_final=_libecc_sha256_final \ + -Dsha512_224_init=_libecc_sha512_224_init \ + -Dsha512_256_init=_libecc_sha512_256_init + +CFLAGS= -I$(SRCTOP)/crypto/libecc/include \ + -ffreestanding \ + -fno-builtin \ + -DUSE_WARN_UNUSED_RET \ + -DWITH_STDLIB \ + $(CONFLICTS) + +.include diff --git a/secure/lib/libpkgecc/pkg_libecc_rand.c b/secure/lib/libpkgecc/pkg_libecc_rand.c new file mode 100644 index 00000000000..c190c909453 --- /dev/null +++ b/secure/lib/libpkgecc/pkg_libecc_rand.c @@ -0,0 +1,22 @@ +/* SPDX-License-Identifier: Unlicense */ +#include +#include + +#include + +int +get_random(unsigned char *buf, uint16_t len) +{ + + /* + * We need random numbers even in a sandbox, so we can't use + * /dev/urandom as the external_deps version of get_random() does on + * FreeBSD. arc4random_buf() is a better choice because it uses the + * underlying getrandom(2) instead of needing to open a device handle. + * + * We don't have any guarantees that this won't open a device on other + * platforms, but we also don't do any sandboxing on those platforms. + */ + arc4random_buf(buf, len); + return 0; +} diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk index f693e3ae7c1..02a495db771 100644 --- a/share/mk/src.libnames.mk +++ b/share/mk/src.libnames.mk @@ -64,6 +64,7 @@ _INTERNALLIBS= \ parse \ pe \ pfctl \ + pkgecc \ pmcstat \ sl \ sm \ @@ -644,6 +645,9 @@ LIBBSNMPTOOLS?= ${LIBBSNMPTOOLSDIR}/libbsnmptools${PIE_SUFFIX}.a LIBBE?= ${LIBBEDIR}/libbe${PIE_SUFFIX}.a +LIBPKGECCDIR= ${_LIB_OBJTOP}/secure/lib/libpkgecc +LIBPKGECC?= ${LIBPKGECCDIR}/libpkgecc${PIE_SUFFIX}.a + LIBPMCSTATDIR= ${_LIB_OBJTOP}/lib/libpmcstat LIBPMCSTAT?= ${LIBPMCSTATDIR}/libpmcstat${PIE_SUFFIX}.a