1#! /bin/bash
2#
3# This Source Code Form is subject to the terms of the Mozilla Public
4# License, v. 2.0. If a copy of the MPL was not distributed with this
5# file, You can obtain one at http://mozilla.org/MPL/2.0/.
6
7########################################################################
8# mozilla/security/nss/tests/fips/fips.sh
9#
10# Script to test basic functionallity of NSS in FIPS-compliant mode
11#
12# needs to work on all Unix and Windows platforms
13#
14# tests implemented:
15#
16# special strings
17# ---------------
18#
19########################################################################
20
21############################## fips_init ##############################
22# local shell function to initialize this script
23########################################################################
24fips_init()
25{
26  SCRIPTNAME=fips.sh      # sourced - $0 would point to all.sh
27
28  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
29      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
30  fi
31
32  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
33      cd ../common
34      . ./init.sh
35  fi
36  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
37      cd ../cert
38      . ./cert.sh
39  fi
40  SCRIPTNAME=fips.sh
41  html_head "FIPS 140 Compliance Tests"
42
43  grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || {
44      Exit 15 "Fatal - FIPS of cert.sh needs to pass first"
45  }
46
47  COPYDIR=${FIPSDIR}/copydir
48  CAVSDIR=${FIPSDIR}/cavs/tests
49  CAVSRUNDIR=${FIPSDIR}/cavs/scripts
50
51  R_FIPSDIR=../fips
52  P_R_FIPSDIR=../fips
53  R_COPYDIR=../fips/copydir
54
55  if [ -n "${MULTIACCESS_DBM}" ]; then
56     P_R_FIPSDIR="multiaccess:${D_FIPS}"
57  fi
58
59  mkdir -p ${FIPSDIR}
60  mkdir -p ${COPYDIR}
61  mkdir -p ${CAVSDIR}
62  mkdir -p ${CAVSRUNDIR}
63
64  cd ${FIPSDIR}
65}
66
67############################## fips_140 ##############################
68# local shell function to test basic functionality of NSS while in
69# FIPS 140 compliant mode
70########################################################################
71fips_140()
72{
73  echo "$SCRIPTNAME: Verify this module is in FIPS mode  -----------------"
74  echo "modutil -dbdir ${P_R_FIPSDIR} -list"
75  ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1
76  ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1
77  html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "."
78
79  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
80  echo "certutil -d ${P_R_FIPSDIR} -L"
81  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1
82  html_msg $? 0 "List the FIPS module certificates (certutil -L)" "."
83
84  echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
85  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
86  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
87  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
88
89  echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password"
90  echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}"
91  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1
92  RET=$?
93  html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "."
94  echo "certutil -K returned $RET"
95
96  echo "$SCRIPTNAME: Validate the certificate --------------------------"
97  echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}"
98  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}
99  html_msg $? 0 "Validate the certificate (certutil -V -e)" "."
100
101  echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --"
102  echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
103  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
104  html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "."
105
106  echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
107  echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
108  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1
109  html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "."
110
111  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
112  echo "certutil -d ${P_R_FIPSDIR} -L"
113  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
114  ret=$?
115  echo "${certs}"
116  if [ ${ret} -eq 0 ]; then
117    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
118    ret=$?
119  fi
120  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
121
122
123  echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
124  echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}"
125  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1
126  html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "."
127
128  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
129  echo "certutil -d ${P_R_FIPSDIR} -L"
130  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
131  ret=$?
132  echo "${certs}"
133  if [ ${ret} -eq 0 ]; then
134    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
135    if [ $? -eq 0 ]; then
136      ret=255
137    fi
138  fi
139  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
140
141  echo "$SCRIPTNAME: List the FIPS module keys."
142  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
143  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
144  # certutil -K now returns a failure if no keys are found. This verifies that
145  # our delete succeded.
146  html_msg $? 255 "List the FIPS module keys (certutil -K)" "."
147
148
149  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
150  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
151  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
152  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
153
154  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
155  echo "certutil -d ${P_R_FIPSDIR} -L"
156  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
157  ret=$?
158  echo "${certs}"
159  if [ ${ret} -eq 0 ]; then
160    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
161    ret=$?
162  fi
163  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
164
165  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
166  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
167  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
168  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
169
170
171  echo "$SCRIPTNAME: Delete the certificate from the FIPS module"
172  echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}"
173  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1
174  html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "."
175
176  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
177  echo "certutil -d ${P_R_FIPSDIR} -L"
178  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
179  ret=$?
180  echo "${certs}"
181  if [ ${ret} -eq 0 ]; then
182    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
183    if [ $? -eq 0 ]; then
184      ret=255
185    fi
186  fi
187  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
188
189
190  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
191  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
192  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
193  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
194
195  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
196  echo "certutil -d ${P_R_FIPSDIR} -L"
197  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
198  ret=$?
199  echo "${certs}"
200  if [ ${ret} -eq 0 ]; then
201    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
202    ret=$?
203  fi
204  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
205
206  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
207  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
208  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
209  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
210
211
212  echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE  -----------------"
213  echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}"
214  ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}  2>&1
215  html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "."
216
217  echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE  -----------------"
218  echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n"
219  ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1
220  html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "."
221
222  LIBDIR="${DIST}/${OBJDIR}/lib"
223  MANGLEDIR="${FIPSDIR}/mangle"
224
225  # There are different versions of cp command on different systems, some of them
226  # copies only symlinks, others doesn't have option to disable links, so there
227  # is needed to copy files one by one.
228  echo "mkdir ${MANGLEDIR}"
229  mkdir ${MANGLEDIR}
230  for lib in `ls ${LIBDIR}`; do
231    echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}"
232    cp ${LIBDIR}/${lib} ${MANGLEDIR}
233  done
234
235  echo "$SCRIPTNAME: Detect mangled softoken--------------------------"
236  SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}
237
238  echo "mangling ${SOFTOKEN}"
239  echo "mangle -i ${SOFTOKEN} -o -8 -b 5"
240  # If nss was built without softoken use the system installed one.
241  # It's location must be specified by the package maintainer.
242  if [ ! -e  ${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ]; then
243    echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}"
244    cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}
245  fi
246  ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1
247  if [ $? -eq 0 ]; then
248    if [ "${OS_ARCH}" = "WINNT" ]; then
249      DBTEST=`which dbtest`
250	  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
251		DBTEST=`cygpath -m ${DBTEST}`
252		MANGLEDIR=`cygpath -u ${MANGLEDIR}`
253	  fi
254      echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}"
255      PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
256      RESULT=$?
257    elif [ "${OS_ARCH}" = "HP-UX" ]; then
258      echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
259      LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
260      RESULT=$?
261    elif [ "${OS_ARCH}" = "AIX" ]; then
262      echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
263      LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
264      RESULT=$?
265    elif [ "${OS_ARCH}" = "Darwin" ]; then
266      echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
267      DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
268      RESULT=$?
269    else
270      echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
271      LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
272      RESULT=$?
273    fi
274
275    html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "."
276  else
277    html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}"
278  fi
279}
280
281fips_cavs()
282{
283    if [ "${CAVS_VECTORS}" = "all" ]; then
284        VECTORS=
285    elif [ "${CAVS_VECTORS}" = "" ]; then
286        VECTORS="aesgcm ecdsa hmac kas tls ike rng sha"
287    else
288        VECTORS=${CAVS_VECTORS}
289    fi
290    echo "Copying CAVS vectors"
291    cp -r ${QADIR}/fips/cavs_samples/* ${CAVSDIR}
292# we copy the scripts to the test directory because they are designed to run from their
293# own directory and we want any resulting core dumps to wind up in the test_results directory.
294    echo "Copying CAVS scripts"
295    cp -r ${QADIR}/fips/cavs_scripts/* ${CAVSRUNDIR}
296    echo "cd ${CAVSRUNDIR}"
297    cd ${CAVSRUNDIR}
298    echo "Running CAVS tests in ${CAVSDIR}"
299    ./runtest.sh ${CAVSDIR} run ${VECTORS}
300    echo "Verifying CAVS results in ${CAVSDIR}"
301    ./runtest.sh ${CAVSDIR} verify ${VECTORS}
302    RESULT=$?
303    html_msg $RESULT 0 "NIST CAVS test" "${CAVSDIR}"
304}
305
306############################## fips_cleanup ############################
307# local shell function to finish this script (no exit since it might be
308# sourced)
309########################################################################
310fips_cleanup()
311{
312  html "</TABLE><BR>"
313  cd ${QADIR}
314  . common/cleanup.sh
315}
316
317################## main #################################################
318
319fips_init
320fips_140
321fips_cavs
322fips_cleanup
323echo "fips.sh done"
324