Add m-esr52 at 52.6.0

1 files changed, 293 insertions, 0 deletions

diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh
new file mode 100755
index 000000000..4153e61aa
--- /dev/null
+++ b/security/nss/tests/fips/fips.sh
@@ -0,0 +1,293 @@
+#! /bin/bash  
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+# mozilla/security/nss/tests/fips/fips.sh
+#
+# Script to test basic functionallity of NSS in FIPS-compliant mode
+#
+# needs to work on all Unix and Windows platforms
+#
+# tests implemented:
+#
+# special strings
+# ---------------
+#
+########################################################################
+
+############################## fips_init ##############################
+# local shell function to initialize this script 
+########################################################################
+fips_init()
+{
+  SCRIPTNAME=fips.sh      # sourced - $0 would point to all.sh
+
+  if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
+      CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
+  fi
+
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+      cd ../common
+      . ./init.sh
+  fi
+  if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
+      cd ../cert
+      . ./cert.sh
+  fi
+  SCRIPTNAME=fips.sh
+  html_head "FIPS 140 Compliance Tests"
+
+  grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || {
+      Exit 15 "Fatal - FIPS of cert.sh needs to pass first"
+  }
+
+  COPYDIR=${FIPSDIR}/copydir
+
+  R_FIPSDIR=../fips
+  P_R_FIPSDIR=../fips
+  R_COPYDIR=../fips/copydir
+
+  if [ -n "${MULTIACCESS_DBM}" ]; then
+     P_R_FIPSDIR="multiaccess:${D_FIPS}"
+  fi
+
+  mkdir -p ${FIPSDIR}
+  mkdir -p ${COPYDIR}
+
+  cd ${FIPSDIR}
+}
+
+############################## fips_140 ##############################
+# local shell function to test basic functionality of NSS while in
+# FIPS 140 compliant mode
+########################################################################
+fips_140()
+{
+  echo "$SCRIPTNAME: Verify this module is in FIPS mode  -----------------"
+  echo "modutil -dbdir ${P_R_FIPSDIR} -list"
+  ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1
+  ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1
+  html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1
+  html_msg $? 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+  echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1
+  RET=$?
+  html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "."
+  echo "certutil -K returned $RET"
+
+  echo "$SCRIPTNAME: Validate the certificate --------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}
+  html_msg $? 0 "Validate the certificate (certutil -V -e)" "."
+
+  echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --"
+  echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "."
+
+  echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
+  echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1
+  html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    ret=$?
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+
+  echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
+  echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    if [ $? -eq 0 ]; then
+      ret=255
+    fi
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys."
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  # certutil -K now returns a failure if no keys are found. This verifies that
+  # our delete succeded.
+  html_msg $? 255 "List the FIPS module keys (certutil -K)" "."
+
+
+  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
+  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    ret=$?
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+
+  echo "$SCRIPTNAME: Delete the certificate from the FIPS module"
+  echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1
+  html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    if [ $? -eq 0 ]; then
+      ret=255
+    fi
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+
+  echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file"
+  echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}"
+  ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
+  echo "certutil -d ${P_R_FIPSDIR} -L"
+  certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1`
+  ret=$?
+  echo "${certs}" 
+  if [ ${ret} -eq 0 ]; then
+    echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null
+    ret=$?
+  fi
+  html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "."
+
+  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"
+  echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}"
+  ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1
+  html_msg $? 0 "List the FIPS module keys (certutil -K)" "."
+
+
+  echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE  -----------------"
+  echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}"
+  ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}  2>&1
+  html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "."
+
+  echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE  -----------------"
+  echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n"
+  ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1
+  html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "."
+
+  LIBDIR="${DIST}/${OBJDIR}/lib"
+  MANGLEDIR="${FIPSDIR}/mangle"
+   
+  # There are different versions of cp command on different systems, some of them 
+  # copies only symlinks, others doesn't have option to disable links, so there
+  # is needed to copy files one by one. 
+  echo "mkdir ${MANGLEDIR}"
+  mkdir ${MANGLEDIR}
+  for lib in `ls ${LIBDIR}`; do
+    echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}"
+    cp ${LIBDIR}/${lib} ${MANGLEDIR}
+  done
+    
+  echo "$SCRIPTNAME: Detect mangled softoken--------------------------"
+  SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX}
+
+  echo "mangling ${SOFTOKEN}"
+  echo "mangle -i ${SOFTOKEN} -o -8 -b 5"
+  # If nss was built without softoken use the system installed one.
+  # It's location must be specified by the package maintainer.
+  if [ ! -e  ${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ]; then
+    echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}"
+    cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}
+  fi
+  ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1
+  if [ $? -eq 0 ]; then
+    if [ "${OS_ARCH}" = "WINNT" ]; then
+      DBTEST=`which dbtest`
+	  if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then
+		DBTEST=`cygpath -m ${DBTEST}`
+		MANGLEDIR=`cygpath -u ${MANGLEDIR}`
+	  fi
+      echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}"
+      PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    elif [ "${OS_ARCH}" = "HP-UX" ]; then
+      echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    elif [ "${OS_ARCH}" = "AIX" ]; then
+      echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    elif [ "${OS_ARCH}" = "Darwin" ]; then
+      echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    else
+      echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}"
+      LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1
+      RESULT=$?
+    fi  
+
+    html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "."
+  else
+    html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}"
+  fi
+}
+
+############################## fips_cleanup ############################
+# local shell function to finish this script (no exit since it might be 
+# sourced)
+########################################################################
+fips_cleanup()
+{
+  html "</TABLE><BR>"
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+################## main #################################################
+
+fips_init
+fips_140
+fips_cleanup
+echo "fips.sh done"