Keep rolling

Author: justsmth

crypto/CMakeLists.txt

@@ -630,31 +630,21 @@ if(FIPS_SHARED)
   # Rewrite libcrypto.so, libcrypto.dylib, or crypto.dll to inject the correct module
   # hash value. For now we support the FIPS build only on Linux, macOS, iOS, and Windows.
   if(MSVC)
-    # On Windows we use capture_hash.go to capture the computed integrity value that bcm.o prints to generate the
-    # correct value in generated_fips_shared_support.c. See FIPS.md for a full explanation of the process
-    build_libcrypto(NAME precrypto MODULE_SOURCE $<TARGET_OBJECTS:fipsmodule>)
-    add_executable(fips_empty_main fipsmodule/fips_empty_main.c)
-    target_link_libraries(fips_empty_main PUBLIC precrypto)
-    target_add_awslc_include_paths(TARGET fips_empty_main SCOPE PRIVATE)
-    add_custom_command(OUTPUT generated_fips_shared_support.c
-            COMMAND ${GO_EXECUTABLE} run
-            ${AWSLC_SOURCE_DIR}/util/fipstools/capture_hash/capture_hash.go
-            -in-executable $<TARGET_FILE:fips_empty_main> > generated_fips_shared_support.c
-            WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-            DEPENDS fips_empty_main ${AWSLC_SOURCE_DIR}/util/fipstools/capture_hash/capture_hash.go
-            )
-    add_library(
-      generated_fipsmodule
-
-      OBJECT
-
-      generated_fips_shared_support.c
-      ${AWSLC_SOURCE_DIR}/crypto/fipsmodule/cpucap/cpucap.c
-    )
-    target_compile_definitions(generated_fipsmodule PRIVATE BORINGSSL_IMPLEMENTATION S2N_BN_HIDE_SYMBOLS)
-    target_add_awslc_include_paths(TARGET generated_fipsmodule SCOPE PRIVATE)
+    # On Windows, inject_hash.go parses the PE DLL to find the .fipstx and
+    # .fipsco sections, computes the integrity hash, and replaces the
+    # placeholder value directly in the DLL file.  This single-DLL approach
+    # avoids the hash mismatch that occurs with the two-DLL capture_hash
+    # method on ARM64 where mandatory ASLR causes the linker to resolve
+    # COFF relocations to different addresses in precrypto.dll vs crypto.dll.
+    build_libcrypto(NAME crypto MODULE_SOURCE $<TARGET_OBJECTS:fipsmodule> SET_OUTPUT_NAME)
 
-    build_libcrypto(NAME crypto MODULE_SOURCE $<TARGET_OBJECTS:generated_fipsmodule> SET_OUTPUT_NAME)
+    add_custom_command(
+      TARGET crypto POST_BUILD
+      COMMAND ${GO_EXECUTABLE} run
+      ${AWSLC_SOURCE_DIR}/util/fipstools/inject_hash/inject_hash.go
+      -o $<TARGET_FILE:crypto> -in-object $<TARGET_FILE:crypto>
+      WORKING_DIRECTORY ${AWSLC_SOURCE_DIR}
+    )
   else()
     # On Apple and Linux platforms inject_hash.go can parse libcrypto and inject
     # the hash directly into the final library.

crypto/fipsmodule/bcm.c

@@ -23,9 +23,6 @@
 #include <sys/mman.h>
 #include <unistd.h>
 #endif
-#if defined(BORINGSSL_FIPS) && defined(OPENSSL_WINDOWS)
-#include <windows.h>
-#endif
 
 // On Windows place the bcm code in a specific section that uses Grouped Sections
 // to control the order. $b section will place bcm in between the start/end markers
@@ -299,93 +296,6 @@ static void BORINGSSL_bcm_power_on_self_test(void) {
 }
 
 #if !defined(OPENSSL_ASAN)
-
-#if defined(OPENSSL_WINDOWS) && defined(OPENSSL_AARCH64) && \
-    defined(BORINGSSL_SHARED_LIBRARY)
-// On ARM64 Windows, ASLR is mandatory and cannot be disabled. The PE loader
-// applies base relocations to absolute address references within the .fipstx
-// and .fipsco sections, making the in-memory content dependent on the DLL's
-// load address. The FIPS build uses capture_hash.go to compute the integrity
-// hash from precrypto.dll loaded in one process, then embeds that hash in
-// crypto.dll which loads in a different process at a different ASLR address.
-// To make the hash deterministic we copy each FIPS section and reverse the
-// base relocations before hashing.
-//
-// |buf| is a copy of the section content, |buf_size| its length,
-// |section_rva| the section's RVA in the PE image, |delta| is
-// actual_base - preferred_base, and |reloc_table|/|reloc_table_size|
-// describe the PE base relocation directory.  |out_count| receives the
-// number of fixups that were reversed.
-static void fips_undo_base_relocations(
-    uint8_t *buf, size_t buf_size, uintptr_t section_rva, intptr_t delta,
-    const uint8_t *reloc_table, size_t reloc_table_size,
-    size_t *out_count) {
-  const uint8_t *reloc_ptr = reloc_table;
-  const uint8_t *reloc_end = reloc_table + reloc_table_size;
-  size_t count_undone = 0;
-
-  while (reloc_ptr + sizeof(IMAGE_BASE_RELOCATION) <= reloc_end) {
-    const IMAGE_BASE_RELOCATION *block = (const IMAGE_BASE_RELOCATION *)reloc_ptr;
-    if (block->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) ||
-        reloc_ptr + block->SizeOfBlock > reloc_end) {
-      break;
-    }
-
-    DWORD page_rva = block->VirtualAddress;
-    DWORD count =
-        (block->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
-    const WORD *entries = (const WORD *)(reloc_ptr + sizeof(IMAGE_BASE_RELOCATION));
-
-    for (DWORD i = 0; i < count; i++) {
-      int type = entries[i] >> 12;
-      DWORD offset = entries[i] & 0xFFF;
-      uintptr_t reloc_rva = (uintptr_t)page_rva + offset;
-
-      if (reloc_rva < section_rva ||
-          reloc_rva >= section_rva + buf_size) {
-        continue;
-      }
-
-      size_t buf_offset = (size_t)(reloc_rva - section_rva);
-
-      switch (type) {
-        case IMAGE_REL_BASED_ABSOLUTE:
-          break;
-        case IMAGE_REL_BASED_DIR64:
-          if (buf_offset + sizeof(uint64_t) <= buf_size) {
-            uint64_t val;
-            memcpy(&val, buf + buf_offset, sizeof(val));
-            val -= (uint64_t)delta;
-            memcpy(buf + buf_offset, &val, sizeof(val));
-            count_undone++;
-          }
-          break;
-        case IMAGE_REL_BASED_HIGHLOW:
-          if (buf_offset + sizeof(uint32_t) <= buf_size) {
-            uint32_t val;
-            memcpy(&val, buf + buf_offset, sizeof(val));
-            val -= (uint32_t)delta;
-            memcpy(buf + buf_offset, &val, sizeof(val));
-            count_undone++;
-          }
-          break;
-        default:
-          fprintf(stderr, "  RELOC: unhandled type %d at RVA 0x%llx\n",
-                  type, (unsigned long long)reloc_rva);
-          count_undone++;
-          break;
-      }
-    }
-
-    reloc_ptr += block->SizeOfBlock;
-  }
-
-  if (out_count) {
-    *out_count = count_undone;
-  }
-}
-#endif  // OPENSSL_WINDOWS && OPENSSL_AARCH64 && BORINGSSL_SHARED_LIBRARY
-
 int BORINGSSL_integrity_test(void) {
   const uint8_t *const start = BORINGSSL_bcm_text_start;
   const uint8_t *const end = BORINGSSL_bcm_text_end;
@@ -423,42 +333,6 @@ int BORINGSSL_integrity_test(void) {
   assert_not_within(rodata_start, &OPENSSL_armcap_P, "OPENSSL_armcap_P", rodata_end);
 #endif
 
-  // Diagnostic output for FIPS integrity test debugging. This helps diagnose
-  // issues where the hash captured from precrypto differs from the hash
-  // computed at runtime from crypto (e.g. Windows ARM64 FIPS shared builds).
-  // capture_hash.go uses pattern-based parsing, so extra output here is safe.
-#if defined(BORINGSSL_SHARED_LIBRARY)
-  {
-    const uint8_t *const hash_addr = BORINGSSL_bcm_text_hash;
-    const int hash_in_rodata =
-        (hash_addr >= rodata_start && hash_addr < rodata_end) ? 1 : 0;
-    const int hash_in_text =
-        (hash_addr >= start && hash_addr < end) ? 1 : 0;
-    fprintf(stderr, "FIPS integrity diagnostics:\n");
-    fprintf(stderr, "  text:   %p - %p (size: 0x%llx)\n",
-            (const void *)start, (const void *)end,
-            (unsigned long long)(end - start));
-    fprintf(stderr, "  rodata: %p - %p (size: 0x%llx)\n",
-            (const void *)rodata_start, (const void *)rodata_end,
-            (unsigned long long)(rodata_end - rodata_start));
-    fprintf(stderr, "  BORINGSSL_bcm_text_hash @ %p (in_rodata=%d, in_text=%d)\n",
-            (const void *)hash_addr, hash_in_rodata, hash_in_text);
-    fprintf(stderr, "  text  first 8 bytes: %02x%02x%02x%02x%02x%02x%02x%02x\n",
-            start[0], start[1], start[2], start[3],
-            start[4], start[5], start[6], start[7]);
-    fprintf(stderr, "  text  last  8 bytes: %02x%02x%02x%02x%02x%02x%02x%02x\n",
-            end[-8], end[-7], end[-6], end[-5],
-            end[-4], end[-3], end[-2], end[-1]);
-    fprintf(stderr, "  rodata first 8 bytes: %02x%02x%02x%02x%02x%02x%02x%02x\n",
-            rodata_start[0], rodata_start[1], rodata_start[2], rodata_start[3],
-            rodata_start[4], rodata_start[5], rodata_start[6], rodata_start[7]);
-    fprintf(stderr, "  rodata last  8 bytes: %02x%02x%02x%02x%02x%02x%02x%02x\n",
-            rodata_end[-8], rodata_end[-7], rodata_end[-6], rodata_end[-5],
-            rodata_end[-4], rodata_end[-3], rodata_end[-2], rodata_end[-1]);
-    fflush(stderr);
-  }
-#endif
-
   // Per FIPS 140-3 we have to perform the CAST of the HMAC used for integrity
   // check before the integrity check itself. So we first call
   // SHA-256 and HMAC-SHA256
@@ -485,145 +359,15 @@ int BORINGSSL_integrity_test(void) {
 #endif
 #if defined(BORINGSSL_SHARED_LIBRARY)
   uint64_t length = end - start;
-  uint64_t rodata_length = rodata_end - rodata_start;
   uint8_t buffer[sizeof(length)];
-
-#if defined(OPENSSL_WINDOWS) && defined(OPENSSL_AARCH64)
-  // On ARM64 Windows, ASLR is mandatory.  Undo PE base relocations in
-  // temporary copies of the FIPS sections so the hash is load-address
-  // independent.  See the comment above fips_undo_base_relocations().
-  //
-  // IMPORTANT: The PE loader overwrites OptionalHeader.ImageBase in memory
-  // with the actual load address, so reading it from the in-memory PE header
-  // always gives delta==0.  We must read the *original* ImageBase from the
-  // DLL file on disk to obtain the true preferred base.
-  uint8_t *text_copy = NULL;
-  uint8_t *rodata_copy = NULL;
-  const uint8_t *text_to_hash = start;
-  const uint8_t *rodata_to_hash = rodata_start;
-
-  HMODULE fips_module = NULL;
-  if (GetModuleHandleExW(
-          GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
-              GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
-          (LPCWSTR)start, &fips_module)) {
-    const uintptr_t actual_base = (uintptr_t)fips_module;
-
-    // Read the preferred ImageBase from the DLL file on disk.
-    uintptr_t preferred_base = actual_base;  // fallback: assume no relocation
-    wchar_t dll_path[MAX_PATH];
-    if (GetModuleFileNameW(fips_module, dll_path, MAX_PATH) != 0) {
-      HANDLE hFile = CreateFileW(dll_path, GENERIC_READ, FILE_SHARE_READ,
-                                 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,
-                                 NULL);
-      if (hFile != INVALID_HANDLE_VALUE) {
-        IMAGE_DOS_HEADER file_dos_header;
-        DWORD bytes_read = 0;
-        if (ReadFile(hFile, &file_dos_header, sizeof(file_dos_header),
-                     &bytes_read, NULL) &&
-            bytes_read == sizeof(file_dos_header) &&
-            file_dos_header.e_magic == IMAGE_DOS_SIGNATURE) {
-          LARGE_INTEGER nt_offset;
-          nt_offset.QuadPart = file_dos_header.e_lfanew;
-          if (SetFilePointerEx(hFile, nt_offset, NULL, FILE_BEGIN)) {
-            IMAGE_NT_HEADERS file_nt_headers;
-            if (ReadFile(hFile, &file_nt_headers, sizeof(file_nt_headers),
-                         &bytes_read, NULL) &&
-                bytes_read == sizeof(file_nt_headers) &&
-                file_nt_headers.Signature == IMAGE_NT_SIGNATURE) {
-              preferred_base =
-                  (uintptr_t)file_nt_headers.OptionalHeader.ImageBase;
-            }
-          }
-        }
-        CloseHandle(hFile);
-      }
-    }
-
-    const intptr_t delta = (intptr_t)(actual_base - preferred_base);
-    const IMAGE_DOS_HEADER *dos_header =
-        (const IMAGE_DOS_HEADER *)fips_module;
-    const IMAGE_NT_HEADERS *nt_headers = (const IMAGE_NT_HEADERS *)(
-        (const uint8_t *)fips_module + dos_header->e_lfanew);
-
-    fprintf(stderr, "FIPS reloc-undo: actual_base=%p preferred_base(file)=%p delta=0x%llx\n",
-            (const void *)actual_base, (const void *)preferred_base,
-            (unsigned long long)delta);
-
-    if (delta != 0) {
-      const IMAGE_DATA_DIRECTORY *reloc_dir =
-          &nt_headers->OptionalHeader
-               .DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
-      fprintf(stderr, "FIPS reloc-undo: reloc_dir RVA=0x%lx Size=0x%lx\n",
-              (unsigned long)reloc_dir->VirtualAddress,
-              (unsigned long)reloc_dir->Size);
-      if (reloc_dir->Size > 0) {
-        const uint8_t *reloc_table =
-            (const uint8_t *)fips_module + reloc_dir->VirtualAddress;
-
-        text_copy = malloc((size_t)length);
-        rodata_copy = malloc((size_t)rodata_length);
-        if (text_copy != NULL && rodata_copy != NULL) {
-          memcpy(text_copy, start, (size_t)length);
-          memcpy(rodata_copy, rodata_start, (size_t)rodata_length);
-
-          const uintptr_t text_rva = (uintptr_t)start - actual_base;
-          const uintptr_t rodata_rva = (uintptr_t)rodata_start - actual_base;
-
-          size_t text_reloc_count = 0, rodata_reloc_count = 0;
-          fips_undo_base_relocations(text_copy, (size_t)length, text_rva,
-                                     delta, reloc_table, reloc_dir->Size,
-                                     &text_reloc_count);
-          fips_undo_base_relocations(rodata_copy, (size_t)rodata_length,
-                                     rodata_rva, delta, reloc_table,
-                                     reloc_dir->Size, &rodata_reloc_count);
-          text_to_hash = text_copy;
-          rodata_to_hash = rodata_copy;
-          fprintf(stderr, "FIPS reloc-undo: undid %zu text + %zu rodata relocations\n",
-                  text_reloc_count, rodata_reloc_count);
-          fprintf(stderr, "FIPS reloc-undo: text  first 8 after undo: "
-                  "%02x%02x%02x%02x%02x%02x%02x%02x\n",
-                  text_copy[0], text_copy[1], text_copy[2], text_copy[3],
-                  text_copy[4], text_copy[5], text_copy[6], text_copy[7]);
-          fprintf(stderr, "FIPS reloc-undo: rodata first 8 after undo: "
-                  "%02x%02x%02x%02x%02x%02x%02x%02x\n",
-                  rodata_copy[0], rodata_copy[1], rodata_copy[2], rodata_copy[3],
-                  rodata_copy[4], rodata_copy[5], rodata_copy[6], rodata_copy[7]);
-        } else {
-          fprintf(stderr, "FIPS reloc-undo: malloc failed\n");
-        }
-      }
-    } else {
-      fprintf(stderr, "FIPS reloc-undo: delta==0, hashing directly from memory\n");
-    }
-  } else {
-    fprintf(stderr, "FIPS reloc-undo: GetModuleHandleExW failed (err=%lu)\n",
-            GetLastError());
-  }
-
-  fprintf(stderr, "FIPS reloc-undo: hashing from %s\n",
-          (text_to_hash == start) ? "MEMORY (no undo)" : "UNRELOCATED COPY");
-  fflush(stderr);
-
   CRYPTO_store_u64_le(buffer, length);
   HMAC_Update(&hmac_ctx, buffer, sizeof(length));
-  HMAC_Update(&hmac_ctx, text_to_hash, (size_t)length);
+  HMAC_Update(&hmac_ctx, start, length);
 
-  CRYPTO_store_u64_le(buffer, rodata_length);
-  HMAC_Update(&hmac_ctx, buffer, sizeof(length));
-  HMAC_Update(&hmac_ctx, rodata_to_hash, (size_t)rodata_length);
-
-  free(text_copy);
-  free(rodata_copy);
-#else
+  length = rodata_end - rodata_start;
   CRYPTO_store_u64_le(buffer, length);
   HMAC_Update(&hmac_ctx, buffer, sizeof(length));
-  HMAC_Update(&hmac_ctx, start, (size_t)length);
-
-  CRYPTO_store_u64_le(buffer, rodata_length);
-  HMAC_Update(&hmac_ctx, buffer, sizeof(length));
-  HMAC_Update(&hmac_ctx, rodata_start, (size_t)rodata_length);
-#endif  // OPENSSL_WINDOWS && OPENSSL_AARCH64
+  HMAC_Update(&hmac_ctx, rodata_start, length);
 #else
   HMAC_Update(&hmac_ctx, start, end - start);
 #endif