From edd3c8d151315c2ca4214cd0fff7006d54eb5475 Mon Sep 17 00:00:00 2001
From: teoberi
Date: Mon, 22 Apr 2024 12:13:34 +0300
Subject: [PATCH 1/4] Update filecheck.sh (Fortify)

Added detailed results for Fortify: N/A, Partial
---
 src/functions/filecheck.sh | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/functions/filecheck.sh b/src/functions/filecheck.sh
index 0229119..197e285 100644
--- a/src/functions/filecheck.sh
+++ b/src/functions/filecheck.sh
@@ -138,10 +138,18 @@ filecheck() {
 FS_cnt_unchecked=$(grep -cFxf <(sort <<< "${FS_func_libc}") <(sort <<< "${FS_func}"))
 FS_cnt_total=$((FS_cnt_unchecked + FS_cnt_checked))
 
- if [[ $FS_cnt_checked -eq $FS_cnt_total ]]; then
- echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
+ if [[ "${FS_cnt_total}" == "0" ]]; then
+ echo_message "\033[32mN/A\033[m" "N/A," ' fortify_source="n/a" ' '"fortify_source":"n/a",'
 else
- echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'
+ if [[ $FS_cnt_checked -eq $FS_cnt_total ]]; then
+ echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
+ else
+ if [[ "${FS_cnt_checked}" == "0" ]]; then
+ echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'
+ else
+ echo_message "\033[33mPartial\033[m" "Partial," ' fortify_source="partial" ' '"fortify_source":"partial",'
+ fi
+ fi
 fi
 echo_message "\t${FS_cnt_checked}\t" "${FS_cnt_checked}", "fortified=\"${FS_cnt_checked}\" " "\"fortified\":\"${FS_cnt_checked}\","
 echo_message "\t${FS_cnt_total}\t\t" "${FS_cnt_total}" "fortify-able=\"${FS_cnt_total}\"" "\"fortify-able\":\"${FS_cnt_total}\""

From 9a36b4b8ad8cb4c25e086147c3be584dd63b4906 Mon Sep 17 00:00:00 2001
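Review bot: The new outcome selection nests two if/else pairs inside the else branch where a flat if/elif chain would do, and it mixes string comparison (`[[ "${FS_cnt_total}" == "0" ]]`) with numeric `-eq` on the very same integer counts; the equivalent flat chain using one comparison style is below. The four outcomes also deserve a comment, e.g. `# N/A: no fortifiable libc function referenced; Yes: all checked; No: none checked; Partial: mixed`. N/A is printed in the same green as Yes although FS_cnt_total being 0 could also mean the symbol information the check relies on was unavailable, which a reader may take for a pass; if that case can occur here, a neutral colour would be safer. The enclosing filecheck() body starts before and continues after this hunk.
```shell
  if [[ ${FS_cnt_total} -eq 0 ]]; then
    echo_message "\033[32mN/A\033[m" "N/A," ' fortify_source="n/a" ' '"fortify_source":"n/a",'
  elif [[ ${FS_cnt_checked} -eq ${FS_cnt_total} ]]; then
    echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
  elif [[ ${FS_cnt_checked} -eq 0 ]]; then
    echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'
  else
    echo_message "\033[33mPartial\033[m" "Partial," ' fortify_source="partial" ' '"fortify_source":"partial",'
  fi
  # … unchanged: the two echo_message lines printing the counts …
```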
From: teoberi
Date: Mon, 22 Apr 2024 12:25:27 +0300
Subject: [PATCH 2/4] Update hardening-checks.sh (Fortify)

Add cases for "N/A" and "Partial"
---
 tests/hardening-checks.sh | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/tests/hardening-checks.sh b/tests/hardening-checks.sh
index ba3f252..ec7c383 100755
--- a/tests/hardening-checks.sh
+++ b/tests/hardening-checks.sh
@@ -252,7 +252,7 @@ echo "Symbols validation tests passed"
 
 
 #============================================
-echo "Starting Foritfy check"
+echo "Starting Fortify check"
 # Yes
 for bin in all all32 all_cl all_cl32; do
 if [[ $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8) != "Yes" ]]; then
@@ -267,6 +267,20 @@ for bin in none none32 none_cl none_cl32; do
 exit 1
 fi
 done
+# N/A
+for bin in rel.o rel32.o rel_cl.o rel_cl32.o; do
+ if [[ $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8) != "N/A" ]]; then
+ echo "No Fortify validation failed on \"${bin}\": $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8)"
+ exit 1
+ fi
+done
+# Partial
+for bin in rel.o rel32.o rel_cl.o rel_cl32.o; do
+ if [[ $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8) != "Partial" ]]; then
+ echo "No Fortify validation failed on \"${bin}\": $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8)"
+ exit 1
+ fi
+done
 echo "Fortify validation tests passed"
 
 #============================================

From 7b6b249b989002419460c099fb23c2450e27102f Mon Sep 17 00:00:00 2001
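Review bot: Both added loops report failures with the message copied from the No loop, `echo "No Fortify validation failed on \"${bin}\": ..."`, so an N/A or Partial mismatch prints a message about the wrong case; the prefixes should read `"N/A Fortify validation failed on ..."` and `"Partial Fortify validation failed on ..."` (the same text is carried into the PATCH 4/4 hunk of this file). Each iteration also runs checksec twice, once in the condition and again in the message; capturing it once with `result=$("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8)` and comparing and printing `${result}` removes the duplicated command line and halves the work. The N/A expectation appears to rely on the rel*.o objects referencing no fortifiable libc function as filecheck sees them, which depends on how those objects are built rather than on a Fortify flag; that is worth stating in the `# N/A` comment.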
From: teoberi
Date: Thu, 25 Apr 2024 09:01:51 +0300
Subject: [PATCH 3/4] Update build_binaries.sh (fix Fortify for "Partial" case)

Change -D_FORTIFY_SOURCE=3 for binaries all, all_cl, all32 and all_cl32
Change -D_FORTIFY_SOURCE=1 for binaries partial, partial_cl, partial32 and partial_cl32
---
 tests/binaries/build_binaries.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/tests/binaries/build_binaries.sh b/tests/binaries/build_binaries.sh
index 0b5e5bd..e352814 100755
--- a/tests/binaries/build_binaries.sh
+++ b/tests/binaries/build_binaries.sh
@@ -4,9 +4,9 @@ set -x
 export PATH=$PATH:/zig/
 
 # All hardening features on (except for CFI and SafeStack)
-gcc -o all test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
+gcc -o all test.c -w -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
 # Partial RELRO
-gcc -o partial test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
+gcc -o partial test.c -w -D_FORTIFY_SOURCE=1 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
 # RPATH
 gcc -o rpath test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
 # RUNPATH
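Review bot: The `# Partial RELRO` comment above the `partial` build now describes only half of what that line is for: with `-D_FORTIFY_SOURCE=1` the binary is also the fixture the test suite expects to report Fortify as Partial, so the comment should say so, e.g. `# Partial RELRO; _FORTIFY_SOURCE=1 so only some calls are fortified (Fortify "Partial" fixture)`. The same applies to the partial_cl, partial32 and partial_cl32 lines in the three following hunks. Whether level 1 really yields a mix of checked and unchecked calls depends on the calls present in test.c and on the toolchain; if I recall correctly, glibc headers older than 2.34 treat `_FORTIFY_SOURCE=3` as level 2, so the `all` fixtures keep producing Yes there, but the Partial expectation is the fragile one and deserves a note next to the flag. The top of the script (the `set -x` named in the hunk header) is outside this hunk.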
@@ -21,8 +21,8 @@ gcc -shared -fPIC -o dso.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-stro
 clang -o cfi test.c -w -flto -fsanitize=cfi -fvisibility=default
 clang -o sstack test.c -w -fsanitize=safe-stack
 # clang instead of gcc
-clang -o all_cl test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
-clang -o partial_cl test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
+clang -o all_cl test.c -w -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
+clang -o partial_cl test.c -w -D_FORTIFY_SOURCE=1 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
 clang -o rpath_cl test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
 clang -o runpath_cl test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--enable-new-dtags
 clang -o none_cl test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2 -z norelro -z lazy -z execstack
@@ -31,8 +31,8 @@ clang -shared -fPIC -o dso_cl.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector
 
 # 32-bit use zig for cross compile
 # zig cc --target=x86-linux-gnu
-gcc -m32 -o all32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
-gcc -m32 -o partial32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
+gcc -m32 -o all32 test.c -w -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
+gcc -m32 -o partial32 test.c -w -D_FORTIFY_SOURCE=1 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
 gcc -m32 -o rpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
 gcc -m32 -o runpath32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--enable-new-dtags
 gcc -m32 -o none32 test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2 -z norelro -z lazy -z execstack
@@ -41,8 +41,8 @@ gcc -m32 -shared -fPIC -o dso32.so test.c -w -D_FORTIFY_SOURCE=2 -fstack-protect
 
 clang -m32 -o cfi32 test.c -w -flto -fsanitize=cfi -fvisibility=default
 clang -m32 -o sstack32 test.c -w -fsanitize=safe-stack
-clang -m32 -o all_cl32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
-clang -m32 -o partial_cl32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
+clang -m32 -o all_cl32 test.c -w -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s
+clang -m32 -o partial_cl32 test.c -w -D_FORTIFY_SOURCE=1 -fstack-protector-strong -fpie -O2 -z relro -z lazy -z noexecstack -s
 clang -m32 -o rpath_cl32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--disable-new-dtags
 clang -m32 -o runpath_cl32 test.c -w -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -O2 -z relro -z now -z noexecstack -pie -s -Wl,-rpath,./ -Wl,--enable-new-dtags
 clang -m32 -o none_cl32 test.c -w -D_FORTIFY_SOURCE=0 -fno-stack-protector -no-pie -O2 -z norelro -z lazy -z execstack

From d7a370450e8bc6fb0be19ff21b14c364423a2b66 Mon Sep 17 00:00:00 2001
From: teoberi
Date: Thu, 25 Apr 2024 09:23:08 +0300
Subject: [PATCH 4/4] Update hardening-checks.sh (fix Fortify "Partial" case)

Change the binaries being tested
---
 tests/hardening-checks.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/hardening-checks.sh b/tests/hardening-checks.sh
index ec7c383..e2adfea 100755
--- a/tests/hardening-checks.sh
+++ b/tests/hardening-checks.sh
@@ -275,7 +275,7 @@ for bin in rel.o rel32.o rel_cl.o rel_cl32.o; do
 fi
 done
 # Partial
-for bin in rel.o rel32.o rel_cl.o rel_cl32.o; do
+for bin in partial partial32 partial_cl partial_cl32; do
 if [[ $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8) != "Partial" ]]; then
 echo "No Fortify validation failed on \"${bin}\": $("${PARENT}"/checksec --file="${DIR}/binaries/${bin}" --format=csv | cut -d, -f8)"
 exit 1