1// Copyright (c) 2017, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15// inject_hash parses an archive containing a file object file. It finds a FIPS
16// module inside that object, calculates its hash and replaces the default hash
17// value in the object with the calculated value.
18package main
19
20import (
21	"bytes"
22	"crypto/hmac"
23	"crypto/sha512"
24	"debug/elf"
25	"errors"
26	"flag"
27	"fmt"
28	"io"
29	"io/ioutil"
30	"os"
31
32	"boringssl.googlesource.com/boringssl/util/ar"
33	"boringssl.googlesource.com/boringssl/util/fipstools/fipscommon"
34)
35
36func do(outPath, oInput string, arInput string) error {
37	var objectBytes []byte
38	if len(arInput) > 0 {
39		if len(oInput) > 0 {
40			return fmt.Errorf("-in-archive and -in-object are mutually exclusive")
41		}
42
43		arFile, err := os.Open(arInput)
44		if err != nil {
45			return err
46		}
47		defer arFile.Close()
48
49		ar, err := ar.ParseAR(arFile)
50		if err != nil {
51			return err
52		}
53
54		if len(ar) != 1 {
55			return fmt.Errorf("expected one file in archive, but found %d", len(ar))
56		}
57
58		for _, contents := range ar {
59			objectBytes = contents
60		}
61	} else if len(oInput) > 0 {
62		var err error
63		if objectBytes, err = ioutil.ReadFile(oInput); err != nil {
64			return err
65		}
66	} else {
67		return fmt.Errorf("exactly one of -in-archive or -in-object is required")
68	}
69
70	object, err := elf.NewFile(bytes.NewReader(objectBytes))
71	if err != nil {
72		return errors.New("failed to parse object: " + err.Error())
73	}
74
75	// Find the .text section.
76
77	var textSection *elf.Section
78	var textSectionIndex elf.SectionIndex
79	for i, section := range object.Sections {
80		if section.Name == ".text" {
81			textSectionIndex = elf.SectionIndex(i)
82			textSection = section
83			break
84		}
85	}
86
87	if textSection == nil {
88		return errors.New("failed to find .text section in object")
89	}
90
91	// Find the starting and ending symbols for the module.
92
93	var startSeen, endSeen bool
94	var start, end uint64
95
96	symbols, err := object.Symbols()
97	if err != nil {
98		return errors.New("failed to parse symbols: " + err.Error())
99	}
100
101	for _, symbol := range symbols {
102		if symbol.Section != textSectionIndex {
103			continue
104		}
105
106		switch symbol.Name {
107		case "BORINGSSL_bcm_text_start":
108			if startSeen {
109				return errors.New("duplicate start symbol found")
110			}
111			startSeen = true
112			start = symbol.Value
113		case "BORINGSSL_bcm_text_end":
114			if endSeen {
115				return errors.New("duplicate end symbol found")
116			}
117			endSeen = true
118			end = symbol.Value
119		default:
120			continue
121		}
122	}
123
124	if !startSeen || !endSeen {
125		return errors.New("could not find module boundaries in object")
126	}
127
128	if max := textSection.Size; start > max || start > end || end > max {
129		return fmt.Errorf("invalid module boundaries: start: %x, end: %x, max: %x", start, end, max)
130	}
131
132	// Extract the module from the .text section and hash it.
133
134	text := textSection.Open()
135	if _, err := text.Seek(int64(start), 0); err != nil {
136		return errors.New("failed to seek to module start in .text: " + err.Error())
137	}
138	moduleText := make([]byte, end-start)
139	if _, err := io.ReadFull(text, moduleText); err != nil {
140		return errors.New("failed to read .text: " + err.Error())
141	}
142
143	var zeroKey [64]byte
144	mac := hmac.New(sha512.New, zeroKey[:])
145	mac.Write(moduleText)
146	calculated := mac.Sum(nil)
147
148	// Replace the default hash value in the object with the calculated
149	// value and write it out.
150
151	offset := bytes.Index(objectBytes, fipscommon.UninitHashValue[:])
152	if offset < 0 {
153		return errors.New("did not find uninitialised hash value in object file")
154	}
155
156	if bytes.Index(objectBytes[offset+1:], fipscommon.UninitHashValue[:]) >= 0 {
157		return errors.New("found two occurrences of uninitialised hash value in object file")
158	}
159
160	copy(objectBytes[offset:], calculated)
161
162	return ioutil.WriteFile(outPath, objectBytes, 0644)
163}
164
165func main() {
166	arInput := flag.String("in-archive", "", "Path to a .a file")
167	oInput := flag.String("in-object", "", "Path to a .o file")
168	outPath := flag.String("o", "", "Path to output object")
169
170	flag.Parse()
171
172	if err := do(*outPath, *oInput, *arInput); err != nil {
173		fmt.Fprintf(os.Stderr, "%s\n", err)
174		os.Exit(1)
175	}
176}
177