1// Copyright (c) 2017, Google Inc. 2// 3// Permission to use, copy, modify, and/or distribute this software for any 4// purpose with or without fee is hereby granted, provided that the above 5// copyright notice and this permission notice appear in all copies. 6// 7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15// inject_hash parses an archive containing a file object file. It finds a FIPS 16// module inside that object, calculates its hash and replaces the default hash 17// value in the object with the calculated value. 18package main 19 20import ( 21 "bytes" 22 "crypto/hmac" 23 "crypto/sha512" 24 "debug/elf" 25 "errors" 26 "flag" 27 "fmt" 28 "io" 29 "io/ioutil" 30 "os" 31 32 "boringssl.googlesource.com/boringssl/util/ar" 33 "boringssl.googlesource.com/boringssl/util/fipstools/fipscommon" 34) 35 36func do(outPath, oInput string, arInput string) error { 37 var objectBytes []byte 38 if len(arInput) > 0 { 39 if len(oInput) > 0 { 40 return fmt.Errorf("-in-archive and -in-object are mutually exclusive") 41 } 42 43 arFile, err := os.Open(arInput) 44 if err != nil { 45 return err 46 } 47 defer arFile.Close() 48 49 ar, err := ar.ParseAR(arFile) 50 if err != nil { 51 return err 52 } 53 54 if len(ar) != 1 { 55 return fmt.Errorf("expected one file in archive, but found %d", len(ar)) 56 } 57 58 for _, contents := range ar { 59 objectBytes = contents 60 } 61 } else if len(oInput) > 0 { 62 var err error 63 if objectBytes, err = ioutil.ReadFile(oInput); err != nil { 64 return err 65 } 66 } else { 67 return fmt.Errorf("exactly one of -in-archive or -in-object is required") 68 } 69 70 object, err := elf.NewFile(bytes.NewReader(objectBytes)) 71 if err != nil { 72 return errors.New("failed to parse object: " + err.Error()) 73 } 74 75 // Find the .text section. 76 77 var textSection *elf.Section 78 var textSectionIndex elf.SectionIndex 79 for i, section := range object.Sections { 80 if section.Name == ".text" { 81 textSectionIndex = elf.SectionIndex(i) 82 textSection = section 83 break 84 } 85 } 86 87 if textSection == nil { 88 return errors.New("failed to find .text section in object") 89 } 90 91 // Find the starting and ending symbols for the module. 92 93 var startSeen, endSeen bool 94 var start, end uint64 95 96 symbols, err := object.Symbols() 97 if err != nil { 98 return errors.New("failed to parse symbols: " + err.Error()) 99 } 100 101 for _, symbol := range symbols { 102 if symbol.Section != textSectionIndex { 103 continue 104 } 105 106 switch symbol.Name { 107 case "BORINGSSL_bcm_text_start": 108 if startSeen { 109 return errors.New("duplicate start symbol found") 110 } 111 startSeen = true 112 start = symbol.Value 113 case "BORINGSSL_bcm_text_end": 114 if endSeen { 115 return errors.New("duplicate end symbol found") 116 } 117 endSeen = true 118 end = symbol.Value 119 default: 120 continue 121 } 122 } 123 124 if !startSeen || !endSeen { 125 return errors.New("could not find module boundaries in object") 126 } 127 128 if max := textSection.Size; start > max || start > end || end > max { 129 return fmt.Errorf("invalid module boundaries: start: %x, end: %x, max: %x", start, end, max) 130 } 131 132 // Extract the module from the .text section and hash it. 133 134 text := textSection.Open() 135 if _, err := text.Seek(int64(start), 0); err != nil { 136 return errors.New("failed to seek to module start in .text: " + err.Error()) 137 } 138 moduleText := make([]byte, end-start) 139 if _, err := io.ReadFull(text, moduleText); err != nil { 140 return errors.New("failed to read .text: " + err.Error()) 141 } 142 143 var zeroKey [64]byte 144 mac := hmac.New(sha512.New, zeroKey[:]) 145 mac.Write(moduleText) 146 calculated := mac.Sum(nil) 147 148 // Replace the default hash value in the object with the calculated 149 // value and write it out. 150 151 offset := bytes.Index(objectBytes, fipscommon.UninitHashValue[:]) 152 if offset < 0 { 153 return errors.New("did not find uninitialised hash value in object file") 154 } 155 156 if bytes.Index(objectBytes[offset+1:], fipscommon.UninitHashValue[:]) >= 0 { 157 return errors.New("found two occurrences of uninitialised hash value in object file") 158 } 159 160 copy(objectBytes[offset:], calculated) 161 162 return ioutil.WriteFile(outPath, objectBytes, 0644) 163} 164 165func main() { 166 arInput := flag.String("in-archive", "", "Path to a .a file") 167 oInput := flag.String("in-object", "", "Path to a .o file") 168 outPath := flag.String("o", "", "Path to output object") 169 170 flag.Parse() 171 172 if err := do(*outPath, *oInput, *arInput); err != nil { 173 fmt.Fprintf(os.Stderr, "%s\n", err) 174 os.Exit(1) 175 } 176} 177