hex-search-modify: add tool used in FIPS validations.
Change-Id: I940875e06f13830f53532a430dd5b7a0d49248a1
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/71428
Auto-Submit: Adam Langley <agl@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/util/fipstools/hex-search-modify.go b/util/fipstools/hex-search-modify.go
new file mode 100644
index 0000000..7d64591
--- /dev/null
+++ b/util/fipstools/hex-search-modify.go
@@ -0,0 +1,80 @@
+// Copyright (c) 2024, Google Inc.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+//go:build ignore
+
+// This trivial program is used to corrupt the FIPS module. This is done as
+// part of FIPS testing to show that the integrity check is effective.
+//
+// It finds the (sole) occurance of a given hex pattern in a file and flips the
+// first bit. The hex pattern is intended to be the output of running
+// `BORINGSSL_FIPS_SHOW_HASH=1 ninja bcm.o`, i.e. the integrity hash value of
+// the module. By flipping the first bit we ensure that the check will
+// mismatch.
+//
+// This is a simplier version of `break-hash.go` for when we're building with
+// BORINGSSL_FIPS_SHOW_HASH. (But we don't do that in all cases.)
+
+package main
+
+import (
+ "bytes"
+ "encoding/hex"
+ "fmt"
+ "io/ioutil"
+ "os"
+)
+
+func main() {
+ if len(os.Args) != 3 {
+ fmt.Fprintln(os.Stderr, "Usage: program <hex_string> <file_path>")
+ os.Exit(1)
+ }
+
+ hexString := os.Args[1]
+ filePath := os.Args[2]
+
+ // Decode hex string
+ searchBytes, err := hex.DecodeString(hexString)
+ if err != nil {
+ fmt.Fprintln(os.Stderr, "Error decoding hex string:", err)
+ os.Exit(1)
+ }
+
+ // Read file contents
+ content, err := ioutil.ReadFile(filePath)
+ if err != nil {
+ fmt.Fprintln(os.Stderr, "Error reading file:", err)
+ os.Exit(1)
+ }
+
+ // Search for the occurrence of the hex string
+ index := bytes.Index(content, searchBytes)
+ if index == -1 {
+ fmt.Fprintln(os.Stderr, "Hex string not found in the file")
+ os.Exit(1)
+ }
+
+ // Check for other occurrences
+ if bytes.Index(content[index+len(searchBytes):], searchBytes) != -1 {
+ fmt.Fprintln(os.Stderr, "Multiple occurrences of the hex string found")
+ os.Exit(1)
+ }
+
+ // Flip the first bit
+ content[index] ^= 0x80
+
+ // Write updated contents to stdout
+ os.Stdout.Write(content)
+}
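Review bot: The final `os.Stdout.Write(content)` in main discards its error, so a failed or short write (for example a full disk when stdout is redirected) still exits 0 and may leave a truncated file that fails for reasons unrelated to the flipped hash bit. Since the output is meant to show that the integrity check catches the corruption, the write should be checked: `if _, err := os.Stdout.Write(content); err != nil { fmt.Fprintln(os.Stderr, "Error writing output:", err); os.Exit(1) }`. An empty hex argument also decodes without error and then falls through to the "Multiple occurrences" message, so a `len(searchBytes) == 0` guard right after decoding would give a clearer failure. Separately, `ioutil.ReadFile` is deprecated in favour of `os.ReadFile`, and the header comment has the typos "occurance" and "simplier".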