|
- // Copyright (c) 2017, Google Inc.
- //
- // Permission to use, copy, modify, and/or distribute this software for any
- // purpose with or without fee is hereby granted, provided that the above
- // copyright notice and this permission notice appear in all copies.
- //
- // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
- // break-hash parses an ELF binary containing the FIPS module and corrupts the
- // first byte of the module. This should cause the integrity check to fail.
- package main
-
- import (
- "bytes"
- "crypto/hmac"
- "crypto/sha512"
- "debug/elf"
- "encoding/hex"
- "errors"
- "fmt"
- "io/ioutil"
- "os"
- )
-
- func do(outPath, inPath string) error {
- objectBytes, err := ioutil.ReadFile(inPath)
- if err != nil {
- return err
- }
-
- object, err := elf.NewFile(bytes.NewReader(objectBytes))
- if err != nil {
- return errors.New("failed to parse object: " + err.Error())
- }
-
- // Find the .text section.
- var textSection *elf.Section
- var textSectionIndex elf.SectionIndex
- for i, section := range object.Sections {
- if section.Name == ".text" {
- textSectionIndex = elf.SectionIndex(i)
- textSection = section
- break
- }
- }
-
- if textSection == nil {
- return errors.New("failed to find .text section in object")
- }
-
- symbols, err := object.Symbols()
- if err != nil {
- return errors.New("failed to parse symbols: " + err.Error())
- }
-
- // Find the start and end markers of the module.
- var startSeen, endSeen bool
- var start, end uint64
-
- for _, symbol := range symbols {
- if symbol.Section != textSectionIndex {
- continue
- }
-
- switch symbol.Name {
- case "BORINGSSL_bcm_text_start":
- if startSeen {
- return errors.New("duplicate start symbol found")
- }
- startSeen = true
- start = symbol.Value
- case "BORINGSSL_bcm_text_end":
- if endSeen {
- return errors.New("duplicate end symbol found")
- }
- endSeen = true
- end = symbol.Value
- default:
- continue
- }
- }
-
- if !startSeen || !endSeen {
- return errors.New("could not find module in object")
- }
-
- moduleText := make([]byte, end-start)
- if n, err := textSection.ReadAt(moduleText, int64(start-textSection.Addr)); err != nil {
- return fmt.Errorf("failed to read from module start (at %d of %d) in .text: %s", start, textSection.Size, err)
- } else if n != len(moduleText) {
- return fmt.Errorf("short read from .text: wanted %d, got %d", len(moduleText), n)
- }
-
- // In order to match up the module start with the raw ELF contents,
- // search for the first 256 bytes and assume that will be unique.
- offset := bytes.Index(objectBytes, moduleText[:256])
- if offset < 0 {
- return errors.New("did not find module prefix in object file")
- }
-
- if bytes.Index(objectBytes[offset+1:], moduleText[:256]) >= 0 {
- return errors.New("found two occurrences of prefix in object file")
- }
-
- // Corrupt the module in the ELF.
- objectBytes[offset] ^= 1
-
- // Calculate the before and after hash of the module.
- var zeroKey [64]byte
- mac := hmac.New(sha512.New, zeroKey[:])
- mac.Write(moduleText)
- hashWas := mac.Sum(nil)
-
- moduleText[0] ^= 1
- mac.Reset()
- mac.Write(moduleText)
- newHash := mac.Sum(nil)
-
- fmt.Printf("Found start of module at offset 0x%x (VMA 0x%x):\n", start-textSection.Addr, start)
- fmt.Printf(hex.Dump(moduleText[:128]))
- fmt.Printf("\nHash of module was: %x\n", hashWas)
- fmt.Printf("Hash of corrupted module is: %x\n", newHash)
-
- return ioutil.WriteFile(outPath, objectBytes, 0755)
- }
-
- func main() {
- if len(os.Args) != 3 {
- usage()
- os.Exit(1)
- }
-
- if err := do(os.Args[2], os.Args[1]); err != nil {
- fmt.Fprintf(os.Stderr, "%s\n", err)
- os.Exit(1)
- }
- }
-
- func usage() {
- fmt.Fprintf(os.Stderr, "Usage: %s <input binary> <output path>\n", os.Args[0])
- }
|