From a9940b6c14fa4dde25130e5e9e20e18ecdd31cd4 Mon Sep 17 00:00:00 2001
From: Anurag Rajawat
Date: Mon, 20 May 2024 13:32:11 +0530
Subject: [PATCH] feat: Add support for FIPS 140-3 compliance check
Signed-off-by: Anurag Rajawat
---
Dockerfile | 2 +-
Makefile | 2 +-
config/addr.list | 1 +
src/findings_tls | 49 ++++++++++++++++++++++++++++++++++++++++++++----
src/tlsscan | 12 +++++++-----
5 files changed, 55 insertions(+), 11 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 111d8d5..4822dcd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:latest
+FROM ubuntu:22.04
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openssl ca-certificates curl netcat jq
 RUN curl -LO https://dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubectl --output-dir /usr/local/bin/ && chmod +x /usr/local/bin/kubectl
diff --git a/Makefile b/Makefile
index 4372331..6842cdc 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 build:
- docker buildx build -t kubearmor/k8tls:latest .
+ docker build -t kubearmor/k8tls:latest .
 push:
 docker push kubearmor/k8tls:latest
diff --git a/config/addr.list b/config/addr.list
index 89101f3..23ea328 100644
--- a/config/addr.list
+++ b/config/addr.list
@@ -10,3 +10,4 @@ dh480.badssl.com:443 BadSSL
 isunknownaddress.com:12345 LocalTest
 localhost:9090 webserver
 localhost:22 localssh
+apigateway-fips.us-east-1.amazonaws.com:443 AmazonAPIGateway
diff --git a/src/findings_tls b/src/findings_tls
index 5c8be6b..1702ec9 100644
--- a/src/findings_tls
+++ b/src/findings_tls
@@ -1,13 +1,52 @@
 #!/bin/bash
+contains() {
+ search_value="$1"
+ shift # Remove the first argument (search value) from positional parameters
+ array=("$@") # Remaining arguments become the array
+
+ for element in "${array[@]}"; do
+ if [[ "$element" == "$search_value" ]]; then
+ return 0
+ fi
+ done
+
+ return 1
+}
+
+is_fips_compliant() {
+ TLS_10_11_FIPS_CIPHERS=("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA")
+
+ TLS_12_FIPS_CIPHERS=("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA")
+
+ TLS_13_FIPS_CIPHERS=("TLS_AES_256_GCM_SHA384" "TLS_AES_128_GCM_SHA256" "TLS_AES_128_CCM_SHA256" "TLS_AES_128_CCM_8_SHA256")
+
+ case "$TLS_Protocol_version" in
+ "TLSv1.3")
+ if contains "$TLS_Ciphersuite" "${TLS_13_FIPS_CIPHERS[@]}"; then
+ FIPS_140_3_Compliant="Yes"
+ fi
+ ;;
+ "TLSv1.2")
+ if contains "$TLS_Ciphersuite" "${TLS_12_FIPS_CIPHERS[@]}"; then
+ FIPS_140_3_Compliant="Yes"
+ fi
+ ;;
+ "TLSv1.1"|"TLSv1.0")
+ if contains "$TLS_Ciphersuite" "${TLS_10_11_FIPS_CIPHERS[@]}"; then
+ FIPS_140_3_Compliant="Yes"
+ fi
+ ;;
+ esac
+}
+
 opensslscan()
 {
 tmp=/tmp/tls.out
 rm -f $tmp 2>/dev/null
 timeout 2s openssl s_client -CApath /etc/ssl/certs/ -connect "$SVC_Address" -brief < /dev/null 2>$tmp
-# echo "ret=$ret"
-# cat $tmp
 conn_estd=0
+ FIPS_140_3_Compliant="No"
 while read line; do
 [[ "$line" == "CONNECTION 
ESTABLISHED" ]] && conn_estd=1
 [[ $conn_estd -ne 1 ]] && continue
@@ -18,6 +57,7 @@ opensslscan()
 printf -v "TLS_$key" '%s' "$val"
 TLS_Status="TLS"
 done < $tmp
+ is_fips_compliant
 [[ "$TLS_Verification_error" != "" ]] && TLS_Verification="$TLS_Verification_error"
 }
@@ -25,7 +65,7 @@ tls_csvreport()
 {
 [[ "$csvout" == "" ]] && return
 cat << EOF >> $csvout
-"$SVC_Name","$SVC_Address","$TLS_Status","$TLS_Protocol_version","$TLS_Ciphersuite","$TLS_Hash_used","$TLS_Signature_type","$TLS_Verification"
+"$SVC_Name","$SVC_Address","$TLS_Status","$TLS_Protocol_version","$TLS_Ciphersuite","$TLS_Hash_used","$TLS_Signature_type","$TLS_Verification","$FIPS_140_3_Compliant"
 EOF
 }
@@ -56,7 +96,8 @@ k8tls_tls_00chktls()
 "severity": "critical",
 "remediationEstEffort": "medium",
 "solution": "enable TLS or transport security on the port.",
- "status": "$status"
+ "status": "$status",
+ "fips_140_3_compliant": "$FIPS_140_3_Compliant"
 }
 EOF
 }
diff --git a/src/tlsscan b/src/tlsscan
index 78e4859..ac0f2e2 100755
--- a/src/tlsscan
+++ b/src/tlsscan
@@ -57,7 +57,7 @@ csvheader()
 {
 [[ "$csvout" == "" ]] && return
 if [ ! -f "$csvout" ]; then
- echo "Name,Address,Status,Version,Ciphersuite,Hash,Signature,Verification" > $csvout
+ echo "Name,Address,Status,Version,Ciphersuite,Hash,Signature,Verification,FIPS_140_3_Compliant" > $csvout
 fi
 }
@@ -123,17 +123,19 @@ scansvc()
 getsummary()
 {
- status_arr=(
+ status_arr=(
 "certificate has expired"
 "self-signed certificate"
 "insecure port"
- "connection failure"
+ "connection failure",
+ "FIPS 140-3 compliant"
 )
- regex_arr=(
+ regex_arr=(
 "certificate has expired"
 "self-signed certificate"
 "PLAIN_TEXT"
- "CONNFAIL",
+ "CONNFAIL",
+ "Yes"
 )
 echo "Status,Count" > $summcsv
 for((i=0;;i++)); do
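Review bot: The TLS 1.2 and 1.0/1.1 lists in `is_fips_compliant` hold IANA names such as `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, but `TLS_Ciphersuite` is copied verbatim from the `openssl s_client -brief` output parsed in the loop below, which as far as I recall prints OpenSSL's own spelling for pre-1.3 sessions (e.g. ECDHE-RSA-AES256-GCM-SHA384) and only coincides with the IANA form for TLS 1.3 — if that holds, a TLS 1.2 endpoint can never be reported Yes, so please verify against a TLS 1.2-only host and either normalise the name (`openssl ciphers -stdname` maps between the two) or list the OpenSSL spellings as well. Marking a TLS 1.0/1.1 session "FIPS 140-3 compliant" on the cipher suite alone is also questionable, since FIPS 140-3 validates crypto modules rather than protocols and NIST's TLS guidance (SP 800-52r2) treats TLS 1.2 as the floor; a header comment stating what is actually checked, e.g. `# Sets FIPS_140_3_Compliant="Yes" when the negotiated version/cipher suite is on the approved list; the caller must reset it to "No" first`, would make the result's meaning explicit. Both helpers also write `search_value`, `array`, `element` and the three `*_FIPS_CIPHERS` arrays as globals; declaring them `local` keeps them out of the scanner's shared variable namespace.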
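Review bot: `is_fips_compliant` is called unconditionally after the read loop, yet `TLS_Protocol_version` and `TLS_Ciphersuite` are only assigned once `conn_estd` is 1; if those globals are not cleared between services elsewhere in the script (not visible in this hunk), a host whose handshake fails could inherit the previous host's values and be reported Yes. Guarding the call, `[[ $conn_estd -eq 1 ]] && is_fips_compliant`, preserves the `FIPS_140_3_Compliant="No"` default that opensslscan sets before the loop. opensslscan's opening lines are in the previous hunk.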
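Review bot: The new `FIPS_140_3_Compliant` column is only written when `$csvout` does not exist yet, so a report file left over from an earlier run keeps its eight-column header while `tls_csvreport` now appends nine-column rows, and CSV consumers will read a misaligned file. Either document that the output file must be fresh for this release, or check the existing first line for the new column name and rewrite the header when it is missing.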
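Review bot: The trailing commas on `"connection failure",` and `"CONNFAIL",` are not separators in a bash array literal — they become part of the element, so the summary label is emitted as `connection failure,` and the regex `CONNFAIL,` no longer matches the scanner's CONNFAIL marker, silently dropping connection failures from the summary; the lines should read `"connection failure"` and `"CONNFAIL"`. The new regex `Yes` is also very broad: if the `for` loop that follows (its body is outside this hunk) greps the whole report, any other field containing Yes is counted as FIPS compliant, so anchor it to the field it is meant to count, for example `fips_140_3_compliant\": \"Yes` when the JSON output is the source. The `- status_arr=(` / `+ status_arr=(` and `- regex_arr=(` / `+ regex_arr=(` pairs look like whitespace-only changes and could be dropped from the commit.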