[VerusCoin.git] / qa / zcash / check-security-hardening.sh

#!/bin/bash

set -e

REPOROOT="$(readlink -f "$(dirname "$0")"/../../)"

function test_rpath_runpath {
    if "${REPOROOT}/qa/zcash/checksec.sh" --file "$1" | grep -q "No RPATH.*No RUNPATH"; then
        echo PASS: "$1" has no RPATH or RUNPATH.
        return 0
    else
        echo FAIL: "$1" has an RPATH or a RUNPATH.
        "${REPOROOT}/qa/zcash/checksec.sh" --file "$1"
        return 1
    fi
}

function test_fortify_source {
    if { "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "FORTIFY_SOURCE support available.*Yes"; } &&
       { "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "Binary compiled with FORTIFY_SOURCE support.*Yes"; }; then
        echo PASS: "$1" has FORTIFY_SOURCE.
        return 0
    else
        echo FAIL: "$1" is missing FORTIFY_SOURCE.
        return 1
    fi
}

# PIE, RELRO, Canary, and NX are tested by make check-security.
make -C "$REPOROOT/src" check-security

test_rpath_runpath "${REPOROOT}/src/zcashd"
test_rpath_runpath "${REPOROOT}/src/zcash-cli"
test_rpath_runpath "${REPOROOT}/src/zcash-gtest"
test_rpath_runpath "${REPOROOT}/src/zcash-tx"
test_rpath_runpath "${REPOROOT}/src/test/test_bitcoin"
test_rpath_runpath "${REPOROOT}/src/zcash/GenerateParams"

# NOTE: checksec.sh does not reliably determine whether FORTIFY_SOURCE is
# enabled for the entire binary. See issue #915.
test_fortify_source "${REPOROOT}/src/zcashd"
test_fortify_source "${REPOROOT}/src/zcash-cli"
test_fortify_source "${REPOROOT}/src/zcash-gtest"
test_fortify_source "${REPOROOT}/src/zcash-tx"
test_fortify_source "${REPOROOT}/src/test/test_bitcoin"
test_fortify_source "${REPOROOT}/src/zcash/GenerateParams"
Commit	Line	Data
1327d191 TH	1	#!/bin/bash
	2
	3	set -e
	4
	5	REPOROOT="$(readlink -f "$(dirname "$0")"/../../)"
	6
56734f4b TH	7	function test_rpath_runpath {
	8	if "${REPOROOT}/qa/zcash/checksec.sh" --file "$1" \| grep -q "No RPATH.*No RUNPATH"; then
	9	echo PASS: "$1" has no RPATH or RUNPATH.
1327d191 TH	10	return 0
1327d191 TH	11	else
56734f4b	12	echo FAIL: "$1" has an RPATH or a RUNPATH.
1327d191 TH	13	"${REPOROOT}/qa/zcash/checksec.sh" --file "$1"
	14	return 1
	15	fi
	16	}
	17
	18	function test_fortify_source {
	19	if { "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" \| grep -q "FORTIFY_SOURCE support available.*Yes"; } &&
	20	{ "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" \| grep -q "Binary compiled with FORTIFY_SOURCE support.*Yes"; }; then
	21	echo PASS: "$1" has FORTIFY_SOURCE.
	22	return 0
	23	else
	24	echo FAIL: "$1" is missing FORTIFY_SOURCE.
	25	return 1
	26	fi
	27	}
	28
56734f4b TH	29	# PIE, RELRO, Canary, and NX are tested by make check-security.
	30	make -C "$REPOROOT/src" check-security
	31
	32	test_rpath_runpath "${REPOROOT}/src/zcashd"
	33	test_rpath_runpath "${REPOROOT}/src/zcash-cli"
	34	test_rpath_runpath "${REPOROOT}/src/zcash-gtest"
5d985da5	35	test_rpath_runpath "${REPOROOT}/src/zcash-tx"
56734f4b TH	36	test_rpath_runpath "${REPOROOT}/src/test/test_bitcoin"
56734f4b TH	37	test_rpath_runpath "${REPOROOT}/src/zcash/GenerateParams"
1327d191 TH	38
	39	# NOTE: checksec.sh does not reliably determine whether FORTIFY_SOURCE is
	40	# enabled for the entire binary. See issue #915.
	41	test_fortify_source "${REPOROOT}/src/zcashd"
	42	test_fortify_source "${REPOROOT}/src/zcash-cli"
	43	test_fortify_source "${REPOROOT}/src/zcash-gtest"
5d985da5	44	test_fortify_source "${REPOROOT}/src/zcash-tx"
56734f4b TH	45	test_fortify_source "${REPOROOT}/src/test/test_bitcoin"
56734f4b TH	46	test_fortify_source "${REPOROOT}/src/zcash/GenerateParams"