File: is_fips_supported.sh

duo-unix 1.11.3-1.2
#!/bin/bash
# Script that will check if the current distro/distro version we're running in
# is capable of running FIPS tests.
# Returns 0 if it's capable of doing so, 1 otherwise.
# We also echo the return code before exiting since there's no good way to capture it
# without some actual output in cram :(

# Allow-list of "<distro id><major version>" identifiers. The identifier built
# from OS and VER further down must equal one of these entries before the
# OpenSSL header check is attempted.
# NOTE(review): membership here only gates that header check; it is not by
# itself evidence that the installed OpenSSL build is a validated module.
FIPS_VALIDATED_DISTROS=(
    "centos8"
    "rhel8"
    "centos7"
    "rhel7"
    "centos6"
    "rhel6"
)

# We can't use uname since that won't work with Docker images.
# See https://stackoverflow.com/questions/31012297/uname-a-returning-the-same-in-docker-host-or-any-docker-container for more details.

# Try to get distro name/version from *-release files.
# This could be something like rhel-release, os-release, lsb_release...
# Derive OS (lowercase distro id) and VER (release number) from the first
# release source that is present; later sources are not consulted once one
# branch has matched.
# NOTE(review): the release files are sourced, i.e. executed as shell code in
# this script's own environment, so the result is only as trustworthy as the
# file shipped in the image being inspected.
if [[ -f /etc/os-release ]]; then
    # Present on most modern distros/versions
    source /etc/os-release
    OS="${ID,,}"            # lowercase the distro id
    VER="${VERSION_ID%.*}"  # strip the last dotted component: 7.5 -> 7, 16.04 -> 16

elif [[ -f /etc/lsb-release ]]; then
    # Certain newer versions of Debian/Ubuntu
    # NOTE(review): if this file does not define DISTRIB_ID, OS ends up empty
    # and the rpm-based branches below are never tried -- confirm.
    source /etc/lsb-release
    OS="${DISTRIB_ID,,}"    # lowercase the distro id
    VER="${DISTRIB_RELEASE}"  # kept as-is, not truncated to a major version

elif [[ -f /etc/debian_version ]]; then
    # Certain older versions of Debian
    OS=debian
    VER="$(< /etc/debian_version)"

elif rpm -q centos-release &> /dev/null; then
    # Older CentOS releases whose *-release files carry no $ID / $VERSION_ID,
    # e.g. on CentOS6 the release file reads: CentOS release 6.9 (Final).
    # The package metadata is queried instead.
    OS=centos
    VER="$(rpm -q --queryformat '%{VERSION}' centos-release)"

elif rpm -q redhat-release-server &> /dev/null; then
    # Older RHEL releases with unconventional *-release files
    OS=rhel
    VER="$(rpm -q --queryformat '%{RELEASE}' redhat-release-server)"
    VER="${VER%%.*}"        # keep only the text before the first dot

else
    # Nothing recognisable: treat the platform as unsupported. The code is
    # printed as well as returned, per the header comment.
    printf '%s\n' "1"
    exit 1
fi

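# Build the identifier that is compared against the allow-list, e.g. "rhel8".
distro_name="${OS}${VER}"

# Only an exact match against FIPS_VALIDATED_DISTROS reaches the header check;
# every other platform falls through to the failure exit at the bottom.
for candidate in "${FIPS_VALIDATED_DISTROS[@]}"; do
    [ "$distro_name" == "$candidate" ] || continue

    # An allow-listed distro can still lack FIPS headers (e.g. if the FIPS
    # module isn't installed), so ask the preprocessor whether including
    # openssl/crypto.h leaves OPENSSL_FIPS defined.
    #
    # This inspects build-time headers only. It says nothing about whether
    # the running system is actually operating in FIPS mode; that is a
    # separate runtime question this script does not answer.
    #
    # NOTE(review): the pattern has no trailing anchor, so a longer macro name
    # that merely starts with OPENSSL_FIPS would also count as a match --
    # confirm whether that matters for the headers in use.
    #
    # gcc's stderr is discarded on purpose: a missing compiler or header simply
    # yields no match and therefore "not supported".
    if gcc -dM -include "openssl/crypto.h" -E - < /dev/null 2>/dev/null \
        | grep -q '#define OPENSSL_FIPS'; then
        retcode=0
    else
        # Collapse every non-match status (including a grep error) to 1 so the
        # script keeps its documented 0/1 contract.
        retcode=1
    fi

    # The code is printed as well as returned, per the header comment.
    echo "$retcode"
    exit "$retcode"
done

# We're not using a FIPS-validated distro. Return failure.
echo "1"
exit 1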