fips.sh (13094B)


      1 #! /bin/bash
      2 #
      3 # This Source Code Form is subject to the terms of the Mozilla Public
      4 # License, v. 2.0. If a copy of the MPL was not distributed with this
      5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
      6 
      7 ########################################################################
      8 # mozilla/security/nss/tests/fips/fips.sh
      9 #
     10 # Script to test basic functionality of NSS in FIPS-compliant mode
     11 #
     12 # needs to work on all Unix and Windows platforms
     13 #
     14 # tests implemented:
     15 #
     16 # special strings
     17 # ---------------
     18 #
     19 ########################################################################
     20 
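############################## fips_init ##############################
# local shell function to initialize this script
#
# Sources ../common/init.sh unless INIT_SOURCED is "TRUE", sources
# ../cert/cert.sh when the certificate log is not readable, and refuses to
# continue (Exit 15) unless that log records "SUCCESS: FIPS passed".
# It then derives the working directories below FIPSDIR, creates them and
# changes into FIPSDIR.
#
# Globals read:    CLEANUP, INIT_SOURCED, CERT_LOG_FILE, FIPSDIR,
#                  MULTIACCESS_DBM, D_FIPS
# Globals written: SCRIPTNAME, CLEANUP, COPYDIR, CAVSDIR, CAVSRUNDIR,
#                  R_FIPSDIR, P_R_FIPSDIR, R_COPYDIR
########################################################################
fips_init()
{
  SCRIPTNAME=fips.sh      # sourced - $0 would point to all.sh

  # if nobody else is responsible for cleaning, this script will do it
  if [ -z "${CLEANUP}" ]; then
    CLEANUP="${SCRIPTNAME}"
  fi

  # An empty INIT_SOURCED also differs from "TRUE", so one comparison
  # covers both the unset and the "not TRUE" case.
  if [ "${INIT_SOURCED}" != "TRUE" ]; then
    cd ../common
    . ./init.sh
  fi

  # we need certificates here
  # The path is quoted on purpose: unquoted, an empty CERT_LOG_FILE turns
  # the test into "[ ! -r ]", which is false, so cert.sh would be skipped
  # and the grep below would be left reading standard input.
  if [ ! -r "${CERT_LOG_FILE}" ]; then
    cd ../cert
    . ./cert.sh
  fi

  # Set again after the sourced scripts have run.
  # NOTE(review): presumably they assign their own SCRIPTNAME - confirm.
  SCRIPTNAME=fips.sh
  html_head "FIPS 140 Compliance Tests"

  # The FIPS tests build on the database prepared by cert.sh; stop if the
  # certificate log does not show that its FIPS step passed.
  grep "SUCCESS: FIPS passed" "${CERT_LOG_FILE}" >/dev/null || {
    Exit 15 "Fatal - FIPS of cert.sh needs to pass first"
  }

  COPYDIR=${FIPSDIR}/copydir
  CAVSDIR=${FIPSDIR}/cavs/tests
  CAVSRUNDIR=${FIPSDIR}/cavs/scripts

  R_FIPSDIR=../fips
  P_R_FIPSDIR=../fips
  R_COPYDIR=../fips/copydir

  if [ -n "${MULTIACCESS_DBM}" ]; then
    P_R_FIPSDIR="multiaccess:${D_FIPS}"
  fi

  # Quoted so that a results path containing spaces creates one directory
  # per call instead of several unrelated ones.
  mkdir -p "${FIPSDIR}"
  mkdir -p "${COPYDIR}"
  mkdir -p "${CAVSDIR}"
  mkdir -p "${CAVSRUNDIR}"

  cd "${FIPSDIR}"
}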
     66 
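############################## fips_140 ##############################
# local shell function to test basic functionality of NSS while in
# FIPS 140 compliant mode
#
# Each step echoes the command it is about to run, runs it, and passes the
# exit status to html_msg together with the status the test expects.
# The sequence is: confirm FIPS mode, list certificates and keys, check
# that a wrong password is refused, validate / export / delete / re-import
# the test certificate, run pk11mode, and finally check that a corrupted
# copy of softoken is refused when NSS is initialized.
#
# Globals read:    SCRIPTNAME, BINDIR, P_R_FIPSDIR, R_FIPSPWFILE,
#                  FIPSBADPWFILE, R_FIPSP12PWFILE, FIPSCERTNICK, DIST,
#                  OBJDIR, FIPSDIR, DLL_PREFIX, DLL_SUFFIX,
#                  SOFTOKEN_LIB_DIR, OS_ARCH, OS_NAME, TMP
# Globals written: RET, RESULT, ret, certs, lib, LIBDIR, MANGLEDIR,
#                  SOFTOKEN, DBTEST
########################################################################

# Helper for fips_140: list the certificates in the FIPS database and report
# whether the test certificate shows up as expected.
#   $1 - "present" when the certificate must be listed,
#        "absent"  when it must not be listed (e.g. after a delete)
# Sets the globals certs and ret and reports through html_msg.
_fips_expect_test_cert()
{
  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
  echo "certutil -d ${P_R_FIPSDIR} -L"
  certs=$("${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -L 2>&1)
  ret=$?
  echo "${certs}"
  # Only look for the nickname when the listing itself succeeded; a failed
  # certutil keeps its own exit status so the failure is reported as such.
  if [ "${ret}" -eq 0 ]; then
    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
    ret=$?
    if [ "$1" = "absent" ]; then
      # A match here means the certificate survived the delete.
      if [ "${ret}" -eq 0 ]; then
        ret=255
      else
        ret=0
      fi
    fi
  fi
  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
}

fips_140()
{
  echo "$SCRIPTNAME: Verify this module is in FIPS mode  -----------------"
  echo "modutil -dbdir ${P_R_FIPSDIR} -list"
  "${BINDIR}/modutil" -dbdir "${P_R_FIPSDIR}" -list 2>&1
  # Only the status of -chkfips is reported; the -list output is for the log.
  "${BINDIR}/modutil" -dbdir "${P_R_FIPSDIR}" -chkfips true 2>&1
  html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "."

  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
  echo "certutil -d ${P_R_FIPSDIR} -L"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -L 2>&1
  html_msg $? 0 "List the FIPS module certificates (certutil -L)" "."

  # Passwords are handed over as files (-f), so they do not show up in the
  # echoed command lines.
  echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."

  # Negative test: with the wrong password the key listing must fail; the
  # test expects status 255.
  echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${FIPSBADPWFILE}" 2>&1
  RET=$?
  html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "."
  echo "certutil -K returned $RET"

  echo "$SCRIPTNAME: Validate the certificate --------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -V -n "${FIPSCERTNICK}" -u SR -e -f "${R_FIPSPWFILE}"
  html_msg $? 0 "Validate the certificate (certutil -V -e)" "."

  echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --"
  echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
  "${BINDIR}/pk12util" -d "${P_R_FIPSDIR}" -o fips140.p12 -n "${FIPSCERTNICK}" -w "${R_FIPSP12PWFILE}" -k "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "."

  echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
  echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -L -n "${FIPSCERTNICK}" -r -o fips140.crt 2>&1
  html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "."

  _fips_expect_test_cert present


  echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
  echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -F -n "${FIPSCERTNICK}" -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "."

  _fips_expect_test_cert absent

  echo "$SCRIPTNAME: List the FIPS module keys."
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  # certutil -K now returns a failure if no keys are found. This verifies that
  # our delete succeeded.
  html_msg $? 255 "List the FIPS module keys (certutil -K)" "."


  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
  "${BINDIR}/pk12util" -d "${P_R_FIPSDIR}" -i fips140.p12 -w "${R_FIPSP12PWFILE}" -k "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."

  _fips_expect_test_cert present

  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."


  # -D removes only the certificate (the message below says so); the
  # PKCS#12 import that follows is expected to succeed again afterwards.
  echo "$SCRIPTNAME: Delete the certificate from the FIPS module"
  echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -D -n "${FIPSCERTNICK}" 2>&1
  html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "."

  _fips_expect_test_cert absent


  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
  "${BINDIR}/pk12util" -d "${P_R_FIPSDIR}" -i fips140.p12 -w "${R_FIPSP12PWFILE}" -k "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."

  _fips_expect_test_cert present

  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
  "${BINDIR}/certutil" -d "${P_R_FIPSDIR}" -K -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."


  echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE  -----------------"
  echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}"
  "${BINDIR}/pk11mode" -d "${P_R_FIPSDIR}" -p fips- -f "${R_FIPSPWFILE}" 2>&1
  html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "."

  echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE  -----------------"
  echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n"
  "${BINDIR}/pk11mode" -d "${P_R_FIPSDIR}" -p nonfips- -f "${R_FIPSPWFILE}" -n 2>&1
  html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "."

  LIBDIR="${DIST}/${OBJDIR}/lib"
  MANGLEDIR="${FIPSDIR}/mangle"

  # There are different versions of the cp command on different systems: some
  # copy only symlinks, others have no option to disable links, so the files
  # have to be copied one by one.
  # The directory is globbed instead of parsing ls output, so file names
  # containing whitespace are copied as one file.
  echo "mkdir ${MANGLEDIR}"
  mkdir "${MANGLEDIR}"
  for lib in "${LIBDIR}"/*; do
    [ -e "${lib}" ] || continue   # empty directory: the pattern stays literal
    echo "cp ${lib} ${MANGLEDIR}"
    cp "${lib}" "${MANGLEDIR}"
  done

  # Integrity test: corrupt a private copy of softoken and check that NSS
  # refuses to initialize with it. The real libraries in LIBDIR are never
  # modified; only the copy in MANGLEDIR is.
  echo "$SCRIPTNAME: Detect mangled softoken--------------------------"
  SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}

  echo "mangling ${SOFTOKEN}"
  echo "mangle -i ${SOFTOKEN} -o -8 -b 5"
  # If nss was built without softoken use the system installed one.
  # Its location must be specified by the package maintainer.
  if [ ! -e "${SOFTOKEN}" ]; then
    echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}"
    echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.chk ${MANGLEDIR}"
    # NOTE(review): the log line above announces a copy of softokn3.chk, but
    # only the library itself is copied. If the .chk file is what the
    # integrity check reads, its absence alone could make dbtest fail, and
    # the test would pass without proving that the corruption was detected -
    # confirm whether the second cp is missing.
    cp "${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}" "${MANGLEDIR}"
  fi
  "${BINDIR}/mangle" -i "${SOFTOKEN}" -o -8 -b 5 2>&1
  if [ $? -eq 0 ]; then
    # Point the platform's library search variable at MANGLEDIR so that
    # dbtest loads the corrupted copy rather than the intact library.
    if [ "${OS_ARCH}" = "WINNT" ]; then
      # PATH is replaced for the dbtest call, so dbtest has to be resolved
      # to a full path first.
      DBTEST=$(command -v dbtest)
      if [ "${OS_NAME}" = "CYGWIN_NT" ]; then
        DBTEST=$(cygpath -m "${DBTEST}")
        MANGLEDIR=$(cygpath -u "${MANGLEDIR}")
      fi
      echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}"
      PATH="${MANGLEDIR}" "${DBTEST}" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      RESULT=$?
    elif [ "${OS_ARCH}" = "HP-UX" ]; then
      echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
      LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" "${BINDIR}/dbtest" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      RESULT=$?
    elif [ "${OS_ARCH}" = "AIX" ]; then
      echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
      LIBPATH="${MANGLEDIR}" "${BINDIR}/dbtest" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      RESULT=$?
    elif [ "${OS_ARCH}" = "Darwin" ]; then
      echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
      DYLD_LIBRARY_PATH="${MANGLEDIR}" "${BINDIR}/dbtest" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      RESULT=$?
    else
      echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
      LD_LIBRARY_PATH="${MANGLEDIR}" "${BINDIR}/dbtest" -r -d "${P_R_FIPSDIR}" > "${TMP}/dbtestoutput.txt" 2>&1
      RESULT=$?
    fi

    # The test passes only when dbtest fails with status 46; a clean start
    # with the corrupted library is a failure.
    # NOTE(review): 46 is presumably the status dbtest returns when NSS
    # initialization is rejected - confirm against dbtest.
    html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "."
  else
    html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}"
  fi

  # use the normal test patch to see if we can sign with shlibsign using
  # fips.
  echo "shlibsign -V -F -o ${MANGLEDIR}/test -i ${SOFTOKEN}"
  "${BINDIR}/shlibsign" -V -F -o "${MANGLEDIR}/test" -i "${SOFTOKEN}"
  RESULT=$?
  html_msg ${RESULT} 0 "shlibsign -F (shlibsign in FIPS mode)" "."
}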
    288 
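############################## fips_cavs ##############################
# local shell function to run the NIST CAVS sample vectors and report
# whether verification of the results succeeded
#
# CAVS_VECTORS selects what is run: "all" passes no vector list to
# runtest.sh, an empty value selects the default list below, and any other
# value is passed through as given.
# Globals read:    CAVS_VECTORS, QADIR, CAVSDIR, CAVSRUNDIR
# Globals written: VECTORS, RESULT
########################################################################
fips_cavs()
{
  if [ "${CAVS_VECTORS}" = "all" ]; then
    VECTORS=
  elif [ -z "${CAVS_VECTORS}" ]; then
    VECTORS="aesgcm ecdsa hmac kas tls ike rng sha"
  else
    VECTORS=${CAVS_VECTORS}
  fi
  echo "Copying CAVS vectors"
  cp -r "${QADIR}"/fips/cavs_samples/* "${CAVSDIR}"
  # we copy the scripts to the test directory because they are designed to run
  # from their own directory and we want any resulting core dumps to wind up in
  # the test_results directory.
  echo "Copying CAVS scripts"
  cp -r "${QADIR}"/fips/cavs_scripts/* "${CAVSRUNDIR}"
  echo "cd ${CAVSRUNDIR}"
  # runtest.sh is started through a relative path, so stop here if the
  # directory change fails instead of running whatever ./runtest.sh exists
  # in the previous working directory.
  cd "${CAVSRUNDIR}" || {
    html_failed "cd ${CAVSRUNDIR}"
    return 1
  }
  echo "Running CAVS tests in ${CAVSDIR}"
  # VECTORS is a space-separated list and is split into one argument per
  # vector set on purpose.
  # shellcheck disable=SC2086
  ./runtest.sh "${CAVSDIR}" run ${VECTORS}
  echo "Verifying CAVS results in ${CAVSDIR}"
  # Only the status of the verify pass is reported; the status of the run
  # pass above is not checked.
  # shellcheck disable=SC2086
  ./runtest.sh "${CAVSDIR}" verify ${VECTORS}
  RESULT=$?
  html_msg $RESULT 0 "NIST CAVS test" "${CAVSDIR}"
}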
    313 
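############################## fips_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
#
# Closes the HTML results table, changes to QADIR and sources the shared
# cleanup script from there.
# Globals read: QADIR
########################################################################
fips_cleanup()
{
  html "</TABLE><BR>"
  # Quoted so that a QADIR containing spaces is still one directory;
  # common/cleanup.sh is resolved relative to it.
  cd "${QADIR}"
  . common/cleanup.sh
}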
    324 
    325 ################## main #################################################
    326 
    327 fips_init
    328 fips_140
    329 fips_cavs
    330 fips_cleanup
    331 echo "fips.sh done"