Replace inject_hash.go with C inject_hash on MacOS

CMakeLists.txt

@@ -1107,7 +1107,7 @@ if(BUILD_TESTING)
       add_custom_target(fips_specific_tests_if_any)
     endif()
 
-    # Add macho parser tests if FIPS and on MacOS
+    # Add relevant tests if FIPS and on MacOS
     if(FIPS AND APPLE)
       add_custom_target(
         macho_parser_tests
@@ -1116,6 +1116,14 @@ if(BUILD_TESTING)
         DEPENDS test_macho_parser
       )
       add_dependencies(fips_specific_tests_if_any macho_parser_tests)
+
+      add_custom_target(
+        inject_hash_tests
+        COMMAND test_inject_hash
+        WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/util/fipstools/inject_hash/tests/
+        DEPENDS test_inject_hash
+      )
+      add_dependencies(fips_specific_tests_if_any inject_hash_tests)
     endif()
 
     # Read util/go_tests.txt into a CMake variable.

crypto/CMakeLists.txt

@@ -315,6 +315,12 @@ else()
   file(COPY ${GENERATE_CODE_ROOT}/err_data.c DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/)
 endif()
 
+# We need to create a object library off of the generated err_data.c in so we can mark it as a dependency for our C inject hash implementation
+if(FIPS)
+  add_library(generated_err_data OBJECT err_data.c)
+  target_include_directories(generated_err_data PRIVATE ${PROJECT_SOURCE_DIR}/include)
+endif()
+
 set(DILITHIUM_SOURCES)
 if(ENABLE_DILITHIUM)
   set(
@@ -585,7 +591,6 @@ add_library(
   decrepit/x509/x509_decrepit.c
 
   ${CRYPTO_ARCH_SOURCES}
-  ${CRYPTO_ARCH_OBJECTS}
 )
 
 target_compile_definitions(crypto_objects PRIVATE BORINGSSL_IMPLEMENTATION)
@@ -654,24 +659,35 @@ if(FIPS_SHARED)
 
     build_libcrypto(crypto $<TARGET_OBJECTS:generated_fipsmodule>)
   else()
-    # On Apple and Linux platforms inject_hash.go can parse libcrypto and inject
+    # On Apple and Linux platforms inject_hash.go (inject_hash for Apple) can parse libcrypto and inject
     # the hash directly into the final library.
     build_libcrypto(crypto $<TARGET_OBJECTS:fipsmodule>)
     if (APPLE)
-      set(INJECT_HASH_APPLE_FLAG "-apple")
-    endif()
+      # Add subdirectory that handles building a stripped-down version of AWS-LC for use in calculating and injecting the FIPS integrity hash
+      add_subdirectory(fips_hashing)
+      add_subdirectory(${PROJECT_SOURCE_DIR}/util/fipstools/inject_hash inject_hash)
 
-    add_custom_command(
-      TARGET crypto POST_BUILD
-      COMMAND ${GO_EXECUTABLE} run
-      ${PROJECT_SOURCE_DIR}/util/fipstools/inject_hash/inject_hash.go
-      -o $<TARGET_FILE:crypto> -in-object $<TARGET_FILE:crypto> ${INJECT_HASH_APPLE_FLAG}
-      # The DEPENDS argument to a POST_BUILD rule appears to be ignored. Thus
-      # go_executable isn't used (as it doesn't get built), but we list this
-      # dependency anyway in case it starts working in some CMake version.
-      DEPENDS ../util/fipstools/inject_hash/inject_hash.go
-      WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}
+      set(INJECT_HASH_APPLE_FLAG "-f")
+      add_custom_command(
+        TARGET crypto POST_BUILD
+        COMMAND inject_hash
+        -p $<TARGET_FILE:crypto> -o $<TARGET_FILE:crypto> ${INJECT_HASH_APPLE_FLAG}
+        DEPENDS inject_hash
+        WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}
     )
+    else()
+      add_custom_command(
+        TARGET crypto POST_BUILD
+        COMMAND ${GO_EXECUTABLE} run
+        ${PROJECT_SOURCE_DIR}/util/fipstools/inject_hash/go/inject_hash.go
+        -o $<TARGET_FILE:crypto> -in-object $<TARGET_FILE:crypto> ${INJECT_HASH_APPLE_FLAG}
+        # The DEPENDS argument to a POST_BUILD rule appears to be ignored. Thus
+        # go_executable isn't used (as it doesn't get built), but we list this
+        # dependency anyway in case it starts working in some CMake version.
+        DEPENDS ../util/fipstools/inject_hash/go/inject_hash.go
+        WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}
+      )
+    endif()
 
     # On macOS 11 and higher on Apple Silicon, codesigning is mandatory for
     # binaries to run. This applies to both executables and dylibs. An ad-hoc

crypto/fips_hashing/CMakeLists.txt

@@ -0,0 +1,23 @@
+if(FIPS AND APPLE)
+  add_definitions(-DOPENSSL_NO_ASM=1)
+  remove_definitions(-DBORINGSSL_FIPS -DFIPS_ENTROPY_SOURCE_JITTER_CPU -DFIPS_ENTROPY_SOURCE_PASSIVE)
+
+  add_library(
+    fips_hashing
+
+    STATIC
+
+    fips_hashing.c
+
+    ../mem.c
+    ../thread_none.c
+    ../thread_pthread.c
+
+    ../err/err.c
+    $<TARGET_OBJECTS:generated_err_data>
+    ../decrepit/ripemd/ripemd.c
+  )
+
+  SET_TARGET_PROPERTIES(fips_hashing PROPERTIES LINKER_LANGUAGE C)
+  target_include_directories(fips_hashing PUBLIC $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/include>)
+endif()

crypto/fips_hashing/fips_hashing.c

@@ -0,0 +1,16 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+#include "../fipsmodule/delocate.h"
+
+#include "../fipsmodule/evp/p_hmac.c"
+#include "../fipsmodule/digest/digest.c"
+#include "../fipsmodule/digest/digests.c"
+#include "../fipsmodule/hmac/hmac.c"
+#include "../fipsmodule/md4/md4.c"
+#include "../fipsmodule/md5/md5.c"
+#include "../fipsmodule/sha/keccak1600.c"
+#include "../fipsmodule/sha/sha1.c"
+#include "../fipsmodule/sha/sha256.c"
+#include "../fipsmodule/sha/sha3.c"
+#include "../fipsmodule/sha/sha512.c"

crypto/fipsmodule/CMakeLists.txt

@@ -404,7 +404,7 @@ if(FIPS_DELOCATE)
   set_target_properties(bcm_hashunset PROPERTIES LINKER_LANGUAGE C)
 
   go_executable(inject_hash
-                boringssl.googlesource.com/boringssl/util/fipstools/inject_hash)
+                boringssl.googlesource.com/boringssl/util/fipstools/inject_hash/go)
   add_custom_command(
     OUTPUT bcm.o
     COMMAND ./inject_hash -o bcm.o -in-archive $<TARGET_FILE:bcm_hashunset>

util/fipstools/CMakeLists.txt

@@ -7,5 +7,6 @@ if(FIPS AND BUILD_TESTING)
   target_link_libraries(test_fips crypto)
   target_include_directories(test_fips BEFORE PRIVATE ${PROJECT_BINARY_DIR}/symbol_prefix_include)
 
+  add_subdirectory(inject_hash/tests)
   add_subdirectory(inject_hash/macho_parser/tests)
 endif()

util/fipstools/inject_hash/CMakeLists.txt

@@ -0,0 +1,11 @@
+if(FIPS AND APPLE)
+    add_executable(
+        inject_hash
+
+        inject_hash.c
+        inject_hash_lib.c
+        macho_parser/macho_parser.c
+    )
+    target_link_libraries(inject_hash PUBLIC fips_hashing)
+    target_include_directories(inject_hash PRIVATE ${PROJECT_SOURCE_DIR}/include)
+endif()

util/fipstools/inject_hash/macho_parser/common.h → util/fipstools/inject_hash/common.h

@@ -3,6 +3,10 @@
 
 #ifndef COMMON_H
 #define COMMON_H
+#ifdef __cplusplus
+extern "C"
+{
+#endif
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -14,4 +18,11 @@
     fprintf(stderr, "\n"); \
 } while(0)
 
+int inject_hash_no_write(const char *o_input, int apple_flag,
+                         uint8_t **object_bytes, size_t *object_bytes_size);
+int inject_hash(int argc, char *argv[]);
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
 #endif

util/fipstools/inject_hash/inject_hash.c

@@ -0,0 +1,11 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+#include "common.h"
+
+int main(int argc, char *argv[]) {
+    if (!inject_hash(argc, argv)) {
+        exit(EXIT_FAILURE);
+    }
+    exit(EXIT_SUCCESS);
+}