diff options
Diffstat (limited to 'src/util/fipstools/inject-hash/inject-hash.go')
-rw-r--r-- | src/util/fipstools/inject-hash/inject-hash.go | 175 |
1 files changed, 175 insertions, 0 deletions
diff --git a/src/util/fipstools/inject-hash/inject-hash.go b/src/util/fipstools/inject-hash/inject-hash.go new file mode 100644 index 00000000..14418a38 --- /dev/null +++ b/src/util/fipstools/inject-hash/inject-hash.go @@ -0,0 +1,175 @@ +// Copyright (c) 2017, Google Inc. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION +// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN +// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +// inject-hash parses an archive containing a file object file. It finds a FIPS +// module inside that object, calculates its hash and replaces the default hash +// value in the object with the calculated value. +package main + +import ( + "bytes" + "crypto/hmac" + "crypto/sha512" + "debug/elf" + "errors" + "flag" + "fmt" + "io" + "io/ioutil" + "os" + + "boringssl.googlesource.com/boringssl/util/fipstools/fipscommon" +) + +func do(outPath, oInput string, arInput string) error { + var objectBytes []byte + if len(arInput) > 0 { + if len(oInput) > 0 { + return fmt.Errorf("-in-archive and -in-object are mutually exclusive") + } + + arFile, err := os.Open(arInput) + if err != nil { + return err + } + defer arFile.Close() + + ar, err := fipscommon.ParseAR(arFile) + if err != nil { + return err + } + + if len(ar) != 1 { + return fmt.Errorf("expected one file in archive, but found %d", len(ar)) + } + + for _, contents := range ar { + objectBytes = contents + } + } else if len(oInput) > 0 { + var err error + if objectBytes, err = ioutil.ReadFile(oInput); err != nil { + return err + } + } else { + return fmt.Errorf("exactly one of -in-archive or -in-object is required") + } + + object, err := elf.NewFile(bytes.NewReader(objectBytes)) + if err != nil { + return errors.New("failed to parse object: " + err.Error()) + } + + // Find the .text section. + + var textSection *elf.Section + var textSectionIndex elf.SectionIndex + for i, section := range object.Sections { + if section.Name == ".text" { + textSectionIndex = elf.SectionIndex(i) + textSection = section + break + } + } + + if textSection == nil { + return errors.New("failed to find .text section in object") + } + + // Find the starting and ending symbols for the module. + + var startSeen, endSeen bool + var start, end uint64 + + symbols, err := object.Symbols() + if err != nil { + return errors.New("failed to parse symbols: " + err.Error()) + } + + for _, symbol := range symbols { + if symbol.Section != textSectionIndex { + continue + } + + switch symbol.Name { + case "BORINGSSL_bcm_text_start": + if startSeen { + return errors.New("duplicate start symbol found") + } + startSeen = true + start = symbol.Value + case "BORINGSSL_bcm_text_end": + if endSeen { + return errors.New("duplicate end symbol found") + } + endSeen = true + end = symbol.Value + default: + continue + } + } + + if !startSeen || !endSeen { + return errors.New("could not find module boundaries in object") + } + + if max := textSection.Size; start > max || start > end || end > max { + return fmt.Errorf("invalid module boundaries: start: %x, end: %x, max: %x", start, end, max) + } + + // Extract the module from the .text section and hash it. + + text := textSection.Open() + if _, err := text.Seek(int64(start), 0); err != nil { + return errors.New("failed to seek to module start in .text: " + err.Error()) + } + moduleText := make([]byte, end-start) + if _, err := io.ReadFull(text, moduleText); err != nil { + return errors.New("failed to read .text: " + err.Error()) + } + + var zeroKey [64]byte + mac := hmac.New(sha512.New, zeroKey[:]) + mac.Write(moduleText) + calculated := mac.Sum(nil) + + // Replace the default hash value in the object with the calculated + // value and write it out. + + offset := bytes.Index(objectBytes, fipscommon.UninitHashValue[:]) + if offset < 0 { + return errors.New("did not find uninitialised hash value in object file") + } + + if bytes.Index(objectBytes[offset+1:], fipscommon.UninitHashValue[:]) >= 0 { + return errors.New("found two occurrences of uninitialised hash value in object file") + } + + copy(objectBytes[offset:], calculated) + + return ioutil.WriteFile(outPath, objectBytes, 0644) +} + +func main() { + arInput := flag.String("in-archive", "", "Path to a .a file") + oInput := flag.String("in-object", "", "Path to a .o file") + outPath := flag.String("o", "", "Path to output object") + + flag.Parse() + + if err := do(*outPath, *oInput, *arInput); err != nil { + fmt.Fprintf(os.Stderr, "%s\n", err) + os.Exit(1) + } +} |