4c7b3bfd73
SHA-512 is faster to calculate on 64-bit systems and we're only targetting 64-bit systems with FIPS. Change-Id: I5e9b8419ad4ddc72ec682c4193ffb17975d228e5 Reviewed-on: https://boringssl-review.googlesource.com/16025 Commit-Queue: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
174 lines
4.5 KiB
Go
174 lines
4.5 KiB
Go
// Copyright (c) 2017, Google Inc.
|
|
//
|
|
// Permission to use, copy, modify, and/or distribute this software for any
|
|
// purpose with or without fee is hereby granted, provided that the above
|
|
// copyright notice and this permission notice appear in all copies.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
|
|
// inject-hash parses an archive containing a file object file. It finds a FIPS
|
|
// module inside that object, calculates its hash and replaces the default hash
|
|
// value in the object with the calculated value.
|
|
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/hmac"
|
|
"crypto/sha512"
|
|
"debug/elf"
|
|
"errors"
|
|
"flag"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"os"
|
|
)
|
|
|
|
func do(outPath, oInput string, arInput string) error {
|
|
var objectBytes []byte
|
|
if len(arInput) > 0 {
|
|
if len(oInput) > 0 {
|
|
return fmt.Errorf("-in-archive and -in-object are mutually exclusive")
|
|
}
|
|
|
|
arFile, err := os.Open(arInput)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer arFile.Close()
|
|
|
|
ar, err := ParseAR(arFile)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if len(ar) != 1 {
|
|
return fmt.Errorf("expected one file in archive, but found %d", len(ar))
|
|
}
|
|
|
|
for _, contents := range ar {
|
|
objectBytes = contents
|
|
}
|
|
} else if len(oInput) > 0 {
|
|
var err error
|
|
if objectBytes, err = ioutil.ReadFile(oInput); err != nil {
|
|
return err
|
|
}
|
|
} else {
|
|
return fmt.Errorf("exactly one of -in-archive or -in-object is required")
|
|
}
|
|
|
|
object, err := elf.NewFile(bytes.NewReader(objectBytes))
|
|
if err != nil {
|
|
return errors.New("failed to parse object: " + err.Error())
|
|
}
|
|
|
|
// Find the .text section.
|
|
|
|
var textSection *elf.Section
|
|
var textSectionIndex elf.SectionIndex
|
|
for i, section := range object.Sections {
|
|
if section.Name == ".text" {
|
|
textSectionIndex = elf.SectionIndex(i)
|
|
textSection = section
|
|
break
|
|
}
|
|
}
|
|
|
|
if textSection == nil {
|
|
return errors.New("failed to find .text section in object")
|
|
}
|
|
|
|
// Find the starting and ending symbols for the module.
|
|
|
|
var startSeen, endSeen bool
|
|
var start, end uint64
|
|
|
|
symbols, err := object.Symbols()
|
|
if err != nil {
|
|
return errors.New("failed to parse symbols: " + err.Error())
|
|
}
|
|
|
|
for _, symbol := range symbols {
|
|
if symbol.Section != textSectionIndex {
|
|
continue
|
|
}
|
|
|
|
switch symbol.Name {
|
|
case "BORINGSSL_bcm_text_start":
|
|
if startSeen {
|
|
return errors.New("duplicate start symbol found")
|
|
}
|
|
startSeen = true
|
|
start = symbol.Value
|
|
case "BORINGSSL_bcm_text_end":
|
|
if endSeen {
|
|
return errors.New("duplicate end symbol found")
|
|
}
|
|
endSeen = true
|
|
end = symbol.Value
|
|
default:
|
|
continue
|
|
}
|
|
}
|
|
|
|
if !startSeen || !endSeen {
|
|
return errors.New("could not find module boundaries in object")
|
|
}
|
|
|
|
if max := textSection.Size; start > max || start > end || end > max {
|
|
return fmt.Errorf("invalid module boundaries: start: %x, end: %x, max: %x", start, end, max)
|
|
}
|
|
|
|
// Extract the module from the .text section and hash it.
|
|
|
|
text := textSection.Open()
|
|
if _, err := text.Seek(int64(start), 0); err != nil {
|
|
return errors.New("failed to seek to module start in .text: " + err.Error())
|
|
}
|
|
moduleText := make([]byte, end-start)
|
|
if _, err := io.ReadFull(text, moduleText); err != nil {
|
|
return errors.New("failed to read .text: " + err.Error())
|
|
}
|
|
|
|
var zeroKey [64]byte
|
|
mac := hmac.New(sha512.New, zeroKey[:])
|
|
mac.Write(moduleText)
|
|
calculated := mac.Sum(nil)
|
|
|
|
// Replace the default hash value in the object with the calculated
|
|
// value and write it out.
|
|
|
|
offset := bytes.Index(objectBytes, uninitHashValue[:])
|
|
if offset < 0 {
|
|
return errors.New("did not find uninitialised hash value in object file")
|
|
}
|
|
|
|
if bytes.Index(objectBytes[offset+1:], uninitHashValue[:]) >= 0 {
|
|
return errors.New("found two occurrences of uninitialised hash value in object file")
|
|
}
|
|
|
|
copy(objectBytes[offset:], calculated)
|
|
|
|
return ioutil.WriteFile(outPath, objectBytes, 0644)
|
|
}
|
|
|
|
func main() {
|
|
arInput := flag.String("in-archive", "", "Path to a .a file")
|
|
oInput := flag.String("in-object", "", "Path to a .o file")
|
|
outPath := flag.String("o", "", "Path to output object")
|
|
|
|
flag.Parse()
|
|
|
|
if err := do(*outPath, *oInput, *arInput); err != nil {
|
|
fmt.Fprintf(os.Stderr, "%s\n", err)
|
|
os.Exit(1)
|
|
}
|
|
}
|