external/boringssl: Sync to 5e578c9dba73460c3eb17f771c77fc8e36f7812e.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/58e449904e248f34bdfc2be7a609c58bcb0257b7..5e578c9dba73460c3eb17f771c77fc8e36f7812e
Test: BoringSSL CTS Presubmits
Change-Id: Ic1541b034545fa58a284ca35134b3719303455c7
diff --git a/src/util/fipstools/inject-hash.go b/src/util/fipstools/inject-hash.go
new file mode 100644
index 0000000..688024d
--- /dev/null
+++ b/src/util/fipstools/inject-hash.go
@@ -0,0 +1,173 @@
+// Copyright (c) 2017, Google Inc.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+// inject-hash parses an archive containing a file object file. It finds a FIPS
+// module inside that object, calculates its hash and replaces the default hash
+// value in the object with the calculated value.
+package main
+
+import (
+ "bytes"
+ "crypto/hmac"
+ "crypto/sha512"
+ "debug/elf"
+ "errors"
+ "flag"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "os"
+)
+
+func do(outPath, oInput string, arInput string) error {
+ var objectBytes []byte
+ if len(arInput) > 0 {
+ if len(oInput) > 0 {
+ return fmt.Errorf("-in-archive and -in-object are mutually exclusive")
+ }
+
+ arFile, err := os.Open(arInput)
+ if err != nil {
+ return err
+ }
+ defer arFile.Close()
+
+ ar, err := ParseAR(arFile)
+ if err != nil {
+ return err
+ }
+
+ if len(ar) != 1 {
+ return fmt.Errorf("expected one file in archive, but found %d", len(ar))
+ }
+
+ for _, contents := range ar {
+ objectBytes = contents
+ }
+ } else if len(oInput) > 0 {
+ var err error
+ if objectBytes, err = ioutil.ReadFile(oInput); err != nil {
+ return err
+ }
+ } else {
+ return fmt.Errorf("exactly one of -in-archive or -in-object is required")
+ }
+
+ object, err := elf.NewFile(bytes.NewReader(objectBytes))
+ if err != nil {
+ return errors.New("failed to parse object: " + err.Error())
+ }
+
+ // Find the .text section.
+
+ var textSection *elf.Section
+ var textSectionIndex elf.SectionIndex
+ for i, section := range object.Sections {
+ if section.Name == ".text" {
+ textSectionIndex = elf.SectionIndex(i)
+ textSection = section
+ break
+ }
+ }
+
+ if textSection == nil {
+ return errors.New("failed to find .text section in object")
+ }
+
+ // Find the starting and ending symbols for the module.
+
+ var startSeen, endSeen bool
+ var start, end uint64
+
+ symbols, err := object.Symbols()
+ if err != nil {
+ return errors.New("failed to parse symbols: " + err.Error())
+ }
+
+ for _, symbol := range symbols {
+ if symbol.Section != textSectionIndex {
+ continue
+ }
+
+ switch symbol.Name {
+ case "BORINGSSL_bcm_text_start":
+ if startSeen {
+ return errors.New("duplicate start symbol found")
+ }
+ startSeen = true
+ start = symbol.Value
+ case "BORINGSSL_bcm_text_end":
+ if endSeen {
+ return errors.New("duplicate end symbol found")
+ }
+ endSeen = true
+ end = symbol.Value
+ default:
+ continue
+ }
+ }
+
+ if !startSeen || !endSeen {
+ return errors.New("could not find module boundaries in object")
+ }
+
+ if max := textSection.Size; start > max || start > end || end > max {
+ return fmt.Errorf("invalid module boundaries: start: %x, end: %x, max: %x", start, end, max)
+ }
+
+ // Extract the module from the .text section and hash it.
+
+ text := textSection.Open()
+ if _, err := text.Seek(int64(start), 0); err != nil {
+ return errors.New("failed to seek to module start in .text: " + err.Error())
+ }
+ moduleText := make([]byte, end-start)
+ if _, err := io.ReadFull(text, moduleText); err != nil {
+ return errors.New("failed to read .text: " + err.Error())
+ }
+
+ var zeroKey [64]byte
+ mac := hmac.New(sha512.New, zeroKey[:])
+ mac.Write(moduleText)
+ calculated := mac.Sum(nil)
+
+ // Replace the default hash value in the object with the calculated
+ // value and write it out.
+
+ offset := bytes.Index(objectBytes, uninitHashValue[:])
+ if offset < 0 {
+ return errors.New("did not find uninitialised hash value in object file")
+ }
+
+ if bytes.Index(objectBytes[offset+1:], uninitHashValue[:]) >= 0 {
+ return errors.New("found two occurrences of uninitialised hash value in object file")
+ }
+
+ copy(objectBytes[offset:], calculated)
+
+ return ioutil.WriteFile(outPath, objectBytes, 0644)
+}
+
+func main() {
+ arInput := flag.String("in-archive", "", "Path to a .a file")
+ oInput := flag.String("in-object", "", "Path to a .o file")
+ outPath := flag.String("o", "", "Path to output object")
+
+ flag.Parse()
+
+ if err := do(*outPath, *oInput, *arInput); err != nil {
+ fmt.Fprintf(os.Stderr, "%s\n", err)
+ os.Exit(1)
+ }
+}