-
Notifications
You must be signed in to change notification settings - Fork 29
/
Copy pathcheck-fips
executable file
·156 lines (138 loc) · 3.93 KB
/
check-fips
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
#!/bin/bash
set -euo pipefail
shopt -qs failglob
for opt in "$@"; do
optarg="$(expr "${opt}" : '[^=]*=\(.*\)')"
case "${opt}" in
--target=*) TARGET="${optarg}" ;;
--bindir=*) BINDIR="${optarg}" ;;
--fips-bindir=*) FIPS_BINDIR="${optarg}" ;;
--libexecdir=*) LIBEXECDIR="${optarg}" ;;
--fips-libexecdir=*) FIPS_LIBEXECDIR="${optarg}" ;;
esac
done
STRINGS="${TARGET}-strings"
BUILDROOT_BINDIR="${RPM_BUILD_ROOT}${BINDIR}"
BUILDROOT_FIPS_BINDIR="${RPM_BUILD_ROOT}${FIPS_BINDIR}"
BUILDROOT_LIBEXECDIR="${RPM_BUILD_ROOT}${LIBEXECDIR}"
BUILDROOT_FIPS_LIBEXECDIR="${RPM_BUILD_ROOT}${FIPS_LIBEXECDIR}"
if [ ! -d "${BUILDROOT_BINDIR}" ] && [ ! -d "${BUILDROOT_LIBEXECDIR}" ] ; then
echo "no binaries found, skipping FIPS check"
exit 0
fi
is_go_bin() {
local bin
bin="${1:?}"
go version "${bin}" 2>&1 | grep -Fqw -v 'not a Go executable'
}
uses_go_crypto_tls() {
local bin output
bin="${1:?}"
output="$("${STRINGS}" "${bin}")"
grep -Fqw -m1 'crypto/tls' <<<"${output}"
}
uses_go_boring_crypto() {
local bin output
bin="${1:?}"
output="$("${STRINGS}" "${bin}")"
grep -Fq -m1 'goboringcrypto' <<<"${output}"
}
check_go_bin() {
local b f
b="${1:?}"
f="${2:?}"
if uses_go_crypto_tls "${b}" ; then
if [ -s "${f}" ] ; then
echo "${b} uses Go crypto/tls and FIPS build found in ${f}"
(( found+=1 ))
if uses_go_boring_crypto "${b}" ; then
echo "${b} is built with FIPS crypto rather than standard crypto" >&2
(( miscompiled+=1 ))
fi
if ! uses_go_boring_crypto "${f}"; then
echo "${f} is built with standard crypto rather than FIPS crypto" >&2
(( miscompiled+=1 ))
fi
else
echo "${b} uses Go crypto/tls but no FIPS build found in ${f}" >&2
(( not_found+=1 ))
fi
fi
}
is_rust_bin() {
local bin output
bin="${1:?}"
output="$("${STRINGS}" "${bin}")"
grep -Fq -m1 -e 'rust_alloc' -e 'rust_begin' <<<"${output}"
}
uses_ring() {
local bin output
bin="${1:?}"
output="$("${STRINGS}" "${bin}")"
grep -Fq -m1 '/ring' <<<"${output}"
}
uses_aws_lc_rs() {
local bin output
bin="${1:?}"
output="$("${STRINGS}" "${bin}")"
grep -Fq -m1 'aws-lc-rs' <<<"${output}"
}
uses_aws_lc_fips_sys() {
local bin output
bin="${1:?}"
output="$("${STRINGS}" "${bin}")"
grep -Fq -m1 'aws-lc-fips-sys' <<<"${output}"
}
check_rust_bin() {
local b f
b="${1:?}"
f="${2:?}"
if uses_aws_lc_rs "${b}"; then
if [ -s "${f}" ] ; then
echo "${b} uses aws-lc-rs and FIPS build found in ${f}"
(( found+=1 ))
if uses_aws_lc_fips_sys "${b}" ; then
echo "${b} is built with aws-lc-rs in FIPS mode rather than standard aws-lc-rs" >&2
(( miscompiled+=1 ))
fi
if ! uses_aws_lc_fips_sys "${f}"; then
echo "${f} is built with standard aws-lc-rs rather than in FIPS mode" >&2
(( miscompiled+=1 ))
fi
else
echo "${b} uses aws-lc-rs but no FIPS build found in ${f}" >&2
(( not_found+=1 ))
fi
else
if uses_ring "${b}"; then
echo "${b} must use aws-lc-rs" >&2
(( miscompiled+=1 ))
fi
fi
}
found=0
not_found=0
miscompiled=0
for b in $(find "${BUILDROOT_BINDIR}" "${BUILDROOT_LIBEXECDIR}" -type f -executable) ; do
f="${b/${BUILDROOT_BINDIR}/${BUILDROOT_FIPS_BINDIR}}"
f="${f/${BUILDROOT_LIBEXECDIR}/${BUILDROOT_FIPS_LIBEXECDIR}}"
if is_go_bin "${b}"; then
check_go_bin "${b}" "${f}"
elif is_rust_bin "${b}"; then
check_rust_bin "${b}" "${f}"
fi
done
if [ "${found}" -gt 0 ] ; then
[ "${found}" -eq 1 ] && what="binary" || what="binaries"
echo "Found ${found} ${what} built for FIPS."
fi
if [ "${not_found}" -gt 0 ] ; then
[ "${not_found}" -eq 1 ] && what="binary" || what="binaries"
echo "Could not find ${not_found} ${what} built for FIPS." >&2
exit 1
fi
if [ "${miscompiled}" -gt 0 ] ; then
[ "${miscompiled}" -eq 1 ] && what="binary" || what="binaries"
echo "Found ${miscompiled} ${what} using the wrong crypto." >&2
exit 1
fi