From 1327d1915abd3e7aa2709bc194ed35c60bd95271 Mon Sep 17 00:00:00 2001
From: Taylor Hornby
Date: Tue, 5 Jul 2016 16:37:21 -0600
Subject: [PATCH] Add tests for security hardening features
---
qa/zcash/check-security-hardening.sh | 39 ++++++++++++++++++++++++++++
qa/zcash/full-test-suite.sh | 1 +
2 files changed, 40 insertions(+)
create mode 100755 qa/zcash/check-security-hardening.sh
diff --git a/qa/zcash/check-security-hardening.sh b/qa/zcash/check-security-hardening.sh
new file mode 100755
index 000000000..0d63214de
--- /dev/null
+++ b/qa/zcash/check-security-hardening.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e
+
+REPOROOT="$(readlink -f "$(dirname "$0")"/../../)"
+
+function test_basic_hardening {
+ if "${REPOROOT}/qa/zcash/checksec.sh" --file "$1" | grep -q "Full RELRO.*Canary found.*NX enabled.*No RPATH.*No RUNPATH"; then
+ echo PASS: "$1" has basic hardening features enabled.
+ return 0
+ else
+ echo FAIL: "$1" is missing basic hardening features.
+ "${REPOROOT}/qa/zcash/checksec.sh" --file "$1"
+ return 1
+ fi
+}
+
+function test_fortify_source {
+ if { "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "FORTIFY_SOURCE support available.*Yes"; } &&
+ { "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "Binary compiled with FORTIFY_SOURCE support.*Yes"; }; then
+ echo PASS: "$1" has FORTIFY_SOURCE.
+ return 0
+ else
+ echo FAIL: "$1" is missing FORTIFY_SOURCE.
+ return 1
+ fi
+}
+
+test_basic_hardening "${REPOROOT}/src/zcashd"
+test_basic_hardening "${REPOROOT}/src/zcash-cli"
+test_basic_hardening "${REPOROOT}/src/zcash-gtest"
+test_basic_hardening "${REPOROOT}/src/bitcoin-tx"
+
+# NOTE: checksec.sh does not reliably determine whether FORTIFY_SOURCE is
+# enabled for the entire binary. See issue #915.
+test_fortify_source "${REPOROOT}/src/zcashd"
+test_fortify_source "${REPOROOT}/src/zcash-cli"
+test_fortify_source "${REPOROOT}/src/zcash-gtest"
+test_fortify_source "${REPOROOT}/src/bitcoin-tx"
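Review bot: The pass pattern in test_basic_hardening asserts RELRO, stack canary, NX, RPATH and RUNPATH but never PIE; if the vendored checksec.sh prints a PIE column between the NX and RPATH columns (as upstream checksec does), the `.*` between them silently skips it, so a non-PIE build still reports PASS. If leaving PIE out is deliberate for these binaries, the grep line should carry a comment such as `# PIE intentionally not asserted here`; otherwise add `PIE enabled` to the pattern. Separately, every test_* call is a top-level simple command under `set -e`, so the first failing binary aborts the script and the remaining binaries are never reported, and test_fortify_source runs checksec twice per binary to grep two lines of the same output. Capturing the output once and counting failures across all binaries before exiting gives one report per binary without changing the pass criteria; the rewrite below does that.
```shell
# … unchanged: shebang, set -e, REPOROOT, test_basic_hardening …

function test_fortify_source {
  local out
  # One checksec run per binary; a checksec failure yields empty output,
  # which fails both greps below just as the original pipelines did.
  out="$("${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" || true)"
  if grep -q "FORTIFY_SOURCE support available.*Yes" <<<"$out" &&
     grep -q "Binary compiled with FORTIFY_SOURCE support.*Yes" <<<"$out"; then
    echo PASS: "$1" has FORTIFY_SOURCE.
    return 0
  else
    echo FAIL: "$1" is missing FORTIFY_SOURCE.
    return 1
  fi
}

# Run every check on every binary and only then decide the exit status, so a
# single failure does not hide the results for the other binaries.
failures=0
for bin in zcashd zcash-cli zcash-gtest bitcoin-tx; do
  test_basic_hardening "${REPOROOT}/src/${bin}" || failures=$((failures + 1))
done

# NOTE: checksec.sh does not reliably determine whether FORTIFY_SOURCE is
# enabled for the entire binary. See issue #915.
for bin in zcashd zcash-cli zcash-gtest bitcoin-tx; do
  test_fortify_source "${REPOROOT}/src/${bin}" || failures=$((failures + 1))
done

exit "$((failures > 0))"
```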
diff --git a/qa/zcash/full-test-suite.sh b/qa/zcash/full-test-suite.sh
index 8f307cfdf..7860b105a 100755
--- a/qa/zcash/full-test-suite.sh
+++ b/qa/zcash/full-test-suite.sh
@@ -26,6 +26,7 @@ function run_test_phase
 cd "${REPOROOT}"
 # Test phases:
+run_test_phase "${REPOROOT}/qa/zcash/check-security-hardening.sh"
 run_test_phase "${REPOROOT}/qa/zcash/ensure-no-dot-so-in-depends.py"
 # If make check fails, show test-suite.log as part of our run_test_phase