1#! /bin/bash 2# 3# This Source Code Form is subject to the terms of the Mozilla Public 4# License, v. 2.0. If a copy of the MPL was not distributed with this 5# file, You can obtain one at http://mozilla.org/MPL/2.0/. 6 7######################################################################## 8# mozilla/security/nss/tests/fips/fips.sh 9# 10# Script to test basic functionallity of NSS in FIPS-compliant mode 11# 12# needs to work on all Unix and Windows platforms 13# 14# tests implemented: 15# 16# special strings 17# --------------- 18# 19######################################################################## 20 21############################## fips_init ############################## 22# local shell function to initialize this script 23######################################################################## 24fips_init() 25{ 26 SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh 27 28 if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for 29 CLEANUP="${SCRIPTNAME}" # cleaning this script will do it 30 fi 31 32 if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then 33 cd ../common 34 . ./init.sh 35 fi 36 if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here 37 cd ../cert 38 . ./cert.sh 39 fi 40 SCRIPTNAME=fips.sh 41 html_head "FIPS 140 Compliance Tests" 42 43 grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || { 44 Exit 15 "Fatal - FIPS of cert.sh needs to pass first" 45 } 46 47 COPYDIR=${FIPSDIR}/copydir 48 CAVSDIR=${FIPSDIR}/cavs/tests 49 CAVSRUNDIR=${FIPSDIR}/cavs/scripts 50 51 R_FIPSDIR=../fips 52 P_R_FIPSDIR=../fips 53 R_COPYDIR=../fips/copydir 54 55 if [ -n "${MULTIACCESS_DBM}" ]; then 56 P_R_FIPSDIR="multiaccess:${D_FIPS}" 57 fi 58 59 mkdir -p ${FIPSDIR} 60 mkdir -p ${COPYDIR} 61 mkdir -p ${CAVSDIR} 62 mkdir -p ${CAVSRUNDIR} 63 64 cd ${FIPSDIR} 65} 66 67############################## fips_140 ############################## 68# local shell function to test basic functionality of NSS while in 69# FIPS 140 compliant mode 70######################################################################## 71fips_140() 72{ 73 echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------" 74 echo "modutil -dbdir ${P_R_FIPSDIR} -list" 75 ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1 76 ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1 77 html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "." 78 79 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" 80 echo "certutil -d ${P_R_FIPSDIR} -L" 81 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1 82 html_msg $? 0 "List the FIPS module certificates (certutil -L)" "." 83 84 echo "$SCRIPTNAME: List the FIPS module keys -------------------------" 85 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" 86 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 87 html_msg $? 0 "List the FIPS module keys (certutil -K)" "." 88 89 echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password" 90 echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}" 91 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1 92 RET=$? 93 html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "." 94 echo "certutil -K returned $RET" 95 96 echo "$SCRIPTNAME: Validate the certificate --------------------------" 97 echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}" 98 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE} 99 html_msg $? 0 "Validate the certificate (certutil -V -e)" "." 100 101 echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --" 102 echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" 103 ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 104 html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "." 105 106 echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------" 107 echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt" 108 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1 109 html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "." 110 111 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" 112 echo "certutil -d ${P_R_FIPSDIR} -L" 113 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` 114 ret=$? 115 echo "${certs}" 116 if [ ${ret} -eq 0 ]; then 117 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null 118 ret=$? 119 fi 120 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." 121 122 123 echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module" 124 echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}" 125 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1 126 html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "." 127 128 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" 129 echo "certutil -d ${P_R_FIPSDIR} -L" 130 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` 131 ret=$? 132 echo "${certs}" 133 if [ ${ret} -eq 0 ]; then 134 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null 135 if [ $? -eq 0 ]; then 136 ret=255 137 fi 138 fi 139 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." 140 141 echo "$SCRIPTNAME: List the FIPS module keys." 142 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" 143 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 144 # certutil -K now returns a failure if no keys are found. This verifies that 145 # our delete succeded. 146 html_msg $? 255 "List the FIPS module keys (certutil -K)" "." 147 148 149 echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" 150 echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" 151 ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 152 html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." 153 154 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" 155 echo "certutil -d ${P_R_FIPSDIR} -L" 156 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` 157 ret=$? 158 echo "${certs}" 159 if [ ${ret} -eq 0 ]; then 160 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null 161 ret=$? 162 fi 163 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." 164 165 echo "$SCRIPTNAME: List the FIPS module keys --------------------------" 166 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" 167 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 168 html_msg $? 0 "List the FIPS module keys (certutil -K)" "." 169 170 171 echo "$SCRIPTNAME: Delete the certificate from the FIPS module" 172 echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}" 173 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1 174 html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "." 175 176 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" 177 echo "certutil -d ${P_R_FIPSDIR} -L" 178 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` 179 ret=$? 180 echo "${certs}" 181 if [ ${ret} -eq 0 ]; then 182 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null 183 if [ $? -eq 0 ]; then 184 ret=255 185 fi 186 fi 187 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." 188 189 190 echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" 191 echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" 192 ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 193 html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." 194 195 echo "$SCRIPTNAME: List the FIPS module certificates -----------------" 196 echo "certutil -d ${P_R_FIPSDIR} -L" 197 certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` 198 ret=$? 199 echo "${certs}" 200 if [ ${ret} -eq 0 ]; then 201 echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null 202 ret=$? 203 fi 204 html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." 205 206 echo "$SCRIPTNAME: List the FIPS module keys --------------------------" 207 echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" 208 ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 209 html_msg $? 0 "List the FIPS module keys (certutil -K)" "." 210 211 212 echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------" 213 echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}" 214 ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1 215 html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "." 216 217 echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------" 218 echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n" 219 ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1 220 html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "." 221 222 LIBDIR="${DIST}/${OBJDIR}/lib" 223 MANGLEDIR="${FIPSDIR}/mangle" 224 225 # There are different versions of cp command on different systems, some of them 226 # copies only symlinks, others doesn't have option to disable links, so there 227 # is needed to copy files one by one. 228 echo "mkdir ${MANGLEDIR}" 229 mkdir ${MANGLEDIR} 230 for lib in `ls ${LIBDIR}`; do 231 echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}" 232 cp ${LIBDIR}/${lib} ${MANGLEDIR} 233 done 234 235 echo "$SCRIPTNAME: Detect mangled softoken--------------------------" 236 SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} 237 238 echo "mangling ${SOFTOKEN}" 239 echo "mangle -i ${SOFTOKEN} -o -8 -b 5" 240 # If nss was built without softoken use the system installed one. 241 # It's location must be specified by the package maintainer. 242 if [ ! -e ${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ]; then 243 echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}" 244 cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR} 245 fi 246 ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1 247 if [ $? -eq 0 ]; then 248 if [ "${OS_ARCH}" = "WINNT" ]; then 249 DBTEST=`which dbtest` 250 if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then 251 DBTEST=`cygpath -m ${DBTEST}` 252 MANGLEDIR=`cygpath -u ${MANGLEDIR}` 253 fi 254 echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}" 255 PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 256 RESULT=$? 257 elif [ "${OS_ARCH}" = "HP-UX" ]; then 258 echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" 259 LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 260 RESULT=$? 261 elif [ "${OS_ARCH}" = "AIX" ]; then 262 echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" 263 LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 264 RESULT=$? 265 elif [ "${OS_ARCH}" = "Darwin" ]; then 266 echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" 267 DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 268 RESULT=$? 269 else 270 echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" 271 LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 272 RESULT=$? 273 fi 274 275 html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "." 276 else 277 html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}" 278 fi 279} 280 281fips_cavs() 282{ 283 if [ "${CAVS_VECTORS}" = "all" ]; then 284 VECTORS= 285 elif [ "${CAVS_VECTORS}" = "" ]; then 286 VECTORS="aesgcm ecdsa hmac kas tls ike rng sha" 287 else 288 VECTORS=${CAVS_VECTORS} 289 fi 290 echo "Copying CAVS vectors" 291 cp -r ${QADIR}/fips/cavs_samples/* ${CAVSDIR} 292# we copy the scripts to the test directory because they are designed to run from their 293# own directory and we want any resulting core dumps to wind up in the test_results directory. 294 echo "Copying CAVS scripts" 295 cp -r ${QADIR}/fips/cavs_scripts/* ${CAVSRUNDIR} 296 echo "cd ${CAVSRUNDIR}" 297 cd ${CAVSRUNDIR} 298 echo "Running CAVS tests in ${CAVSDIR}" 299 ./runtest.sh ${CAVSDIR} run ${VECTORS} 300 echo "Verifying CAVS results in ${CAVSDIR}" 301 ./runtest.sh ${CAVSDIR} verify ${VECTORS} 302 RESULT=$? 303 html_msg $RESULT 0 "NIST CAVS test" "${CAVSDIR}" 304} 305 306############################## fips_cleanup ############################ 307# local shell function to finish this script (no exit since it might be 308# sourced) 309######################################################################## 310fips_cleanup() 311{ 312 html "</TABLE><BR>" 313 cd ${QADIR} 314 . common/cleanup.sh 315} 316 317################## main ################################################# 318 319fips_init 320fips_140 321fips_cavs 322fips_cleanup 323echo "fips.sh done" 324