util/fipstools/inject-hash.go - boringssl - Git at Google

 // Copyright (c) 2017, Google Inc.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
 // purpose with or without fee is hereby granted, provided that the above
 // copyright notice and this permission notice appear in all copies.
 //
 // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 // SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

 // inject-hash parses an archive containing a file object file. It finds a FIPS
 // module inside that object, calculates its hash and replaces the default hash
 // value in the object with the calculated value.
 package main

 import (
 	"bytes"
 	"crypto/hmac"
 	"crypto/sha512"
 	"debug/elf"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 )

 func do(outPath, oInput string, arInput string) error {
 	var objectBytes []byte
 	if len(arInput) > 0 {
 		if len(oInput) > 0 {
 			return fmt.Errorf("-in-archive and -in-object are mutually exclusive")
 		}

 		arFile, err := os.Open(arInput)
 		if err != nil {
 			return err
 		}
 		defer arFile.Close()

 		ar, err := ParseAR(arFile)
 		if err != nil {
 			return err
 		}

 		if len(ar) != 1 {
 			return fmt.Errorf("expected one file in archive, but found %d", len(ar))
 		}

 		for _, contents := range ar {
 			objectBytes = contents
 		}
 	} else if len(oInput) > 0 {
 		var err error
 		if objectBytes, err = ioutil.ReadFile(oInput); err != nil {
 			return err
 		}
 	} else {
 		return fmt.Errorf("exactly one of -in-archive or -in-object is required")
 	}

 	object, err := elf.NewFile(bytes.NewReader(objectBytes))
 	if err != nil {
 		return errors.New("failed to parse object: " + err.Error())
 	}

 	// Find the .text section.

 	var textSection *elf.Section
 	var textSectionIndex elf.SectionIndex
 	for i, section := range object.Sections {
 		if section.Name == ".text" {
 			textSectionIndex = elf.SectionIndex(i)
 			textSection = section
 			break
 		}
 	}

 	if textSection == nil {
 		return errors.New("failed to find .text section in object")
 	}

 	// Find the starting and ending symbols for the module.

 	var startSeen, endSeen bool
 	var start, end uint64

 	symbols, err := object.Symbols()
 	if err != nil {
 		return errors.New("failed to parse symbols: " + err.Error())
 	}

 	for _, symbol := range symbols {
 		if symbol.Section != textSectionIndex {
 			continue
 		}

 		switch symbol.Name {
 		case "BORINGSSL_bcm_text_start":
 			if startSeen {
 				return errors.New("duplicate start symbol found")
 			}
 			startSeen = true
 			start = symbol.Value
 		case "BORINGSSL_bcm_text_end":
 			if endSeen {
 				return errors.New("duplicate end symbol found")
 			}
 			endSeen = true
 			end = symbol.Value
 		default:
 			continue
 		}
 	}

 	if !startSeen || !endSeen {
 		return errors.New("could not find module boundaries in object")
 	}

 	if max := textSection.Size; start > max || start > end || end > max {
 		return fmt.Errorf("invalid module boundaries: start: %x, end: %x, max: %x", start, end, max)
 	}

 	// Extract the module from the .text section and hash it.

 	text := textSection.Open()
 	if _, err := text.Seek(int64(start), 0); err != nil {
 		return errors.New("failed to seek to module start in .text: " + err.Error())
 	}
 	moduleText := make([]byte, end-start)
 	if _, err := io.ReadFull(text, moduleText); err != nil {
 		return errors.New("failed to read .text: " + err.Error())
 	}

 	var zeroKey [64]byte
 	mac := hmac.New(sha512.New, zeroKey[:])
 	mac.Write(moduleText)
 	calculated := mac.Sum(nil)

 	// Replace the default hash value in the object with the calculated
 	// value and write it out.

 	offset := bytes.Index(objectBytes, uninitHashValue[:])
 	if offset < 0 {
 		return errors.New("did not find uninitialised hash value in object file")
 	}

 	if bytes.Index(objectBytes[offset+1:], uninitHashValue[:]) >= 0 {
 		return errors.New("found two occurrences of uninitialised hash value in object file")
 	}

 	copy(objectBytes[offset:], calculated)

 	return ioutil.WriteFile(outPath, objectBytes, 0644)
 }

 func main() {
 	arInput := flag.String("in-archive", "", "Path to a .a file")
 	oInput := flag.String("in-object", "", "Path to a .o file")
 	outPath := flag.String("o", "", "Path to output object")

 	flag.Parse()

 	if err := do(*outPath, *oInput, *arInput); err != nil {
 		fmt.Fprintf(os.Stderr, "%s\n", err)
 		os.Exit(1)
 	}
 }
	// Copyright (c) 2017, Google Inc.
	//
	// Permission to use, copy, modify, and/or distribute this software for any
	// purpose with or without fee is hereby granted, provided that the above
	// copyright notice and this permission notice appear in all copies.
	//
	// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
	// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
	// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
	// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

	// inject-hash parses an archive containing a file object file. It finds a FIPS
	// module inside that object, calculates its hash and replaces the default hash
	// value in the object with the calculated value.
	package main

	import (
	"bytes"
	"crypto/hmac"
	"crypto/sha512"
	"debug/elf"
	"errors"
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"os"
	)

	func do(outPath, oInput string, arInput string) error {
	var objectBytes []byte
	if len(arInput) > 0 {
	if len(oInput) > 0 {
	return fmt.Errorf("-in-archive and -in-object are mutually exclusive")
	}

	arFile, err := os.Open(arInput)
	if err != nil {
	return err
	}
	defer arFile.Close()

	ar, err := ParseAR(arFile)
	if err != nil {
	return err
	}

	if len(ar) != 1 {
	return fmt.Errorf("expected one file in archive, but found %d", len(ar))
	}

	for _, contents := range ar {
	objectBytes = contents
	}
	} else if len(oInput) > 0 {
	var err error
	if objectBytes, err = ioutil.ReadFile(oInput); err != nil {
	return err
	}
	} else {
	return fmt.Errorf("exactly one of -in-archive or -in-object is required")
	}

	object, err := elf.NewFile(bytes.NewReader(objectBytes))
	if err != nil {
	return errors.New("failed to parse object: " + err.Error())
	}

	// Find the .text section.

	var textSection *elf.Section
	var textSectionIndex elf.SectionIndex
	for i, section := range object.Sections {
	if section.Name == ".text" {
	textSectionIndex = elf.SectionIndex(i)
	textSection = section
	break
	}
	}

	if textSection == nil {
	return errors.New("failed to find .text section in object")
	}

	// Find the starting and ending symbols for the module.

	var startSeen, endSeen bool
	var start, end uint64

	symbols, err := object.Symbols()
	if err != nil {
	return errors.New("failed to parse symbols: " + err.Error())
	}

	for _, symbol := range symbols {
	if symbol.Section != textSectionIndex {
	continue
	}

	switch symbol.Name {
	case "BORINGSSL_bcm_text_start":
	if startSeen {
	return errors.New("duplicate start symbol found")
	}
	startSeen = true
	start = symbol.Value
	case "BORINGSSL_bcm_text_end":
	if endSeen {
	return errors.New("duplicate end symbol found")
	}
	endSeen = true
	end = symbol.Value
	default:
	continue
	}
	}

	if !startSeen \|\| !endSeen {
	return errors.New("could not find module boundaries in object")
	}

	if max := textSection.Size; start > max \|\| start > end \|\| end > max {
	return fmt.Errorf("invalid module boundaries: start: %x, end: %x, max: %x", start, end, max)
	}

	// Extract the module from the .text section and hash it.

	text := textSection.Open()
	if _, err := text.Seek(int64(start), 0); err != nil {
	return errors.New("failed to seek to module start in .text: " + err.Error())
	}
	moduleText := make([]byte, end-start)
	if _, err := io.ReadFull(text, moduleText); err != nil {
	return errors.New("failed to read .text: " + err.Error())
	}

	var zeroKey [64]byte
	mac := hmac.New(sha512.New, zeroKey[:])
	mac.Write(moduleText)
	calculated := mac.Sum(nil)

	// Replace the default hash value in the object with the calculated
	// value and write it out.

	offset := bytes.Index(objectBytes, uninitHashValue[:])
	if offset < 0 {
	return errors.New("did not find uninitialised hash value in object file")
	}

	if bytes.Index(objectBytes[offset+1:], uninitHashValue[:]) >= 0 {
	return errors.New("found two occurrences of uninitialised hash value in object file")
	}

	copy(objectBytes[offset:], calculated)

	return ioutil.WriteFile(outPath, objectBytes, 0644)
	}

	func main() {
	arInput := flag.String("in-archive", "", "Path to a .a file")
	oInput := flag.String("in-object", "", "Path to a .o file")
	outPath := flag.String("o", "", "Path to output object")

	flag.Parse()

	if err := do(outPath, oInput, *arInput); err != nil {
	fmt.Fprintf(os.Stderr, "%s\n", err)
	os.Exit(1)
	}
	}