Adding upstream version 110.0.1.upstream/110.0.1upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

17 files changed, 1025 insertions, 0 deletions

diff --git a/security/nss/tests/fips/cavs_scripts/README b/security/nss/tests/fips/cavs_scripts/README
new file mode 100644
index 0000000000..17dc32d6b1
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/README
@@ -0,0 +1,41 @@
+These scripts are used to run fipstest on a directory of CAVS vectors.
+
+individual cipher scripts:
+aesgcm.sh aes.sh dsa.sh ecdsa.sh hmac.sh ike.sh kas.sh
+kbkdf.sh rng.sh rsa.sh sha.sh tdea.sh tls.sh
+
+Each individual cipher script handles all the tests in a particular directory.
+The scripts have 2 modes:
+  1) run [default] which generates the .rsp file from the .req file.
+  2) verify  which verify the generated .req file, either from a pregenerated
+.fax file, or by running the appropriate fipstest verify function. The latter
+is used for output that's non-deterministic (like randomly generated keys, or
+signatures with random elements in them like DSA).
+
+The verify scripts return 0 on success and non-zero on failure.
+
+The validate1.sh script is used by these individual cipher scripts to make
+sure .rsp and .fax files are identical, sans some expected differences like
+white space or comment differences. It returns 0 on success or non-zero on
+failure.
+
+When the scripts use fipstest to validate a .resp file, it uses grep to look
+for failure cases. grep returns '1' if no failures are found and '1' if
+failures or found. The scripts switches this back to 0 for success and 1 for
+failure with the command 'test 1 = $?` which returns 0 if $? is 1 and 1 if $?
+is 0.
+
+To run and individual cipher test, just type:
+   ./{script}.sh {path-to-cavs-root}
+
+to verify with an individual cipher test, just type:
+  ./{script}.sh {path-to-cavs-root} verify
+
+You can run all the cipher scripts with the runtest.sh:
+   ./runtest.sh {path-to-cavs-root}
+
+And you can verify the result with:
+  ./runtest.sh {path-to-cavs-root} verify
+Or
+  ./validate.sh {patch-to-cavs-root}
+
diff --git a/security/nss/tests/fips/cavs_scripts/aes.sh b/security/nss/tests/fips/cavs_scripts/aes.sh
new file mode 100755
index 0000000000..133b4730cf
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/aes.sh
@@ -0,0 +1,118 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+#
+# A Bourne shell script for running the NIST AES Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/AES
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+cbc_kat_requests="
+CBCGFSbox128.req
+CBCGFSbox192.req
+CBCGFSbox256.req
+CBCKeySbox128.req
+CBCKeySbox192.req
+CBCKeySbox256.req
+CBCVarKey128.req
+CBCVarKey192.req
+CBCVarKey256.req
+CBCVarTxt128.req
+CBCVarTxt192.req
+CBCVarTxt256.req
+"
+
+cbc_mct_requests="
+CBCMCT128.req
+CBCMCT192.req
+CBCMCT256.req
+"
+
+cbc_mmt_requests="
+CBCMMT128.req
+CBCMMT192.req
+CBCMMT256.req
+"
+
+ecb_kat_requests="
+ECBGFSbox128.req
+ECBGFSbox192.req
+ECBGFSbox256.req
+ECBKeySbox128.req
+ECBKeySbox192.req
+ECBKeySbox256.req
+ECBVarKey128.req
+ECBVarKey192.req
+ECBVarKey256.req
+ECBVarTxt128.req
+ECBVarTxt192.req
+ECBVarTxt256.req
+"
+
+ecb_mct_requests="
+ECBMCT128.req
+ECBMCT192.req
+ECBMCT256.req
+"
+
+ecb_mmt_requests="
+ECBMMT128.req
+ECBMMT192.req
+ECBMMT256.req
+"
+
+if [ ${COMMAND} = "verify" ]; then
+    result=0;
+    for request in $cbc_kat_requests $cbc_mct_requests $cbc_mmt_requests $ecb_kat_requests $ecb_mct_requests $ecb_mmt_requests; do
+	sh ./validate1.sh ${TESTDIR} $request
+	last_result=$?
+	result=`expr $result + $last_result`
+    done
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+for request in $cbc_kat_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes kat cbc ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $cbc_mct_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes mct cbc ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $cbc_mmt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes mmt cbc ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $ecb_kat_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes kat ecb ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $ecb_mct_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes mct ecb ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $ecb_mmt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes mmt ecb ${REQDIR}/$request > ${RSPDIR}/$response
+done
+exit 0
diff --git a/security/nss/tests/fips/cavs_scripts/aesgcm.sh b/security/nss/tests/fips/cavs_scripts/aesgcm.sh
new file mode 100755
index 0000000000..4b35276abd
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/aesgcm.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST AES Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/AES_GCM
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+gcm_decrypt_requests="
+gcmDecrypt128.req
+gcmDecrypt192.req
+gcmDecrypt256.req
+"
+
+gcm_encrypt_extiv_requests="
+gcmEncryptExtIV128.req
+gcmEncryptExtIV192.req
+gcmEncryptExtIV256.req
+"
+gcm_encrypt_intiv_requests="
+"
+
+#gcm_encrypt_intiv_requests="
+#gcmEncryptIntIV128.req
+#gcmEncryptIntIV192.req
+#gcmEncryptIntIV256.req
+#"
+
+if [ ${COMMAND} = "verify" ]; then
+    result=0
+    for request in $gcm_decrypt_requests $gcm_encrypt_extiv_requests; do
+	sh ./validate1.sh ${TESTDIR} $request ' ' '-e /Reason:/d'
+	last_result=$?
+	result=`expr $result + $last_result`
+    done
+    for request in $gcm_encrypt_intiv_requests; do
+	name=`basename $request .req`
+    	echo ">>>>>  $name"
+        fipstest aes gcm decrypt ${RSPDIR}/$name.rsp | grep FAIL
+	test 1 = $?
+	last_result=$?
+	result=`expr $result + $last_result`
+    done
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+for request in $gcm_decrypt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes gcm decrypt ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $gcm_encrypt_intiv_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes gcm encrypt_intiv ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $gcm_encrypt_extiv_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest aes gcm encrypt_extiv ${REQDIR}/$request > ${RSPDIR}/$response
+done
+exit 0
diff --git a/security/nss/tests/fips/cavs_scripts/dsa.sh b/security/nss/tests/fips/cavs_scripts/dsa.sh
new file mode 100755
index 0000000000..6858e3cf7c
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/dsa.sh
@@ -0,0 +1,88 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST DSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/DSA2
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+
+#
+# several of the DSA tests do use known answer tests to verify the result.
+# in those cases, feed generated tests back into the fipstest tool and
+# see if we can verify those value. NOTE: th PQGVer and SigVer tests verify
+# the dsa pqgver and dsa sigver functions, so we know they can detect errors
+# in those PQGGen and SigGen. Only the KeyPair verify is potentially circular.
+#
+if [ ${COMMAND} = "verify" ]; then
+    result=0
+# verify generated keys
+    name=KeyPair
+    echo ">>>>>  $name"
+    fipstest dsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+    test 1 = $?
+    last_result=$?
+    result=`expr $result + $last_result`
+# verify generated pqg values
+    name=PQGGen
+    echo ">>>>>  $name"
+    fipstest dsa pqgver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+    test 1 = $?
+    last_result=$?
+    result=`expr $result + $last_result`
+# verify PQGVer with known answer
+    sh ./validate1.sh ${TESTDIR} PQGVer1863.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+    last_result=$?
+    result=`expr $result + $last_result`
+# verify signatures
+    name=SigGen
+    echo ">>>>>  $name"
+    fipstest dsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+    test 1 = $?
+    last_result=$?
+    result=`expr $result + $last_result`
+# verify SigVer with known answer
+    sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);;'
+    last_result=$?
+    result=`expr $result + $last_result`
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+request=KeyPair.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa keypair ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=PQGGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa pqggen ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=PQGVer1863.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa pqgver ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=SigGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa siggen ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=SigVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dsa sigver ${REQDIR}/$request > ${RSPDIR}/$response
+exit 0
diff --git a/security/nss/tests/fips/cavs_scripts/ecdsa.sh b/security/nss/tests/fips/cavs_scripts/ecdsa.sh
new file mode 100755
index 0000000000..fb7387ef44
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/ecdsa.sh
@@ -0,0 +1,74 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST ECDSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/ECDSA2
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+#
+# several of the ECDSA tests do not use known answer tests to verify the result.
+# In those cases, feed generated tests back into the fipstest tool and
+# see if we can verify those value. NOTE:  PQGVer and SigVer tests verify
+# the dsa pqgver and dsa sigver functions, so we know they can detect errors
+# in those PQGGen and SigGen. Only the KeyPair verify is potentially circular.
+#
+if [ ${COMMAND} = "verify" ]; then
+    result=0;
+# verify generated keys
+    name=KeyPair
+    echo ">>>>>  $name"
+    fipstest ecdsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+    test 1 = $?
+    last_result=$?
+    result=`expr $result + $last_result`
+    sh ./validate1.sh ${TESTDIR} PKV.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+    last_result=$?
+    result=`expr $result + $last_result`
+# verify signatures
+    name=SigGen
+    echo ">>>>>  $name"
+    fipstest ecdsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+    test 1 = $?
+    last_result=$?
+    result=`expr $result + $last_result`
+# verify SigVer with known answer
+    sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+    last_result=$?
+    result=`expr $result + $last_result`
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+request=KeyPair.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa keypair ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=PKV.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa pkv ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=SigGen.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa siggen ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=SigVer.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdsa sigver ${REQDIR}/$request > ${RSPDIR}/$response
+exit 0
diff --git a/security/nss/tests/fips/cavs_scripts/hmac.sh b/security/nss/tests/fips/cavs_scripts/hmac.sh
new file mode 100755
index 0000000000..b414311e5a
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/hmac.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST HMAC Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/HMAC
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+hmac_requests="
+HMAC.req
+"
+
+if [ ${COMMAND} = "verify" ]; then
+    result=0
+    for request in $hmac_requests; do
+	sh ./validate1.sh ${TESTDIR} $request
+	last_result=$?
+        result=`expr $result + $last_result`
+    done
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+for request in $hmac_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest hmac ${REQDIR}/$request > ${RSPDIR}/$response
+done
+exit 0
diff --git a/security/nss/tests/fips/cavs_scripts/ike.sh b/security/nss/tests/fips/cavs_scripts/ike.sh
new file mode 100755
index 0000000000..777f61dda8
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/ike.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST RNG Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/IKE
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+ike_requests="
+ikev1_dsa.req
+ikev1_psk.req
+ikev2.req
+"
+
+if [ ${COMMAND} = "verify" ]; then
+    result=0
+    for request in $ike_requests; do
+	sh ./validate1.sh ${TESTDIR} $request
+	last_result=$?
+	result=`expr $result + $last_result`
+    done
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+request=ikev1_dsa.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ikev1 ${REQDIR}/$request > ${RSPDIR}/$response
+request=ikev1_psk.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ikev1-psk ${REQDIR}/$request > ${RSPDIR}/$response
+request=ikev2.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ikev2 ${REQDIR}/$request > ${RSPDIR}/$response
+exit 0;
diff --git a/security/nss/tests/fips/cavs_scripts/kas.sh b/security/nss/tests/fips/cavs_scripts/kas.sh
new file mode 100755
index 0000000000..9f0dee1c14
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/kas.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST DSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/KAS
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+
+#
+if [ ${COMMAND} = "verify" ]; then
+    result=0
+    # ecdh init
+    name=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init
+    echo ">>>>>  $name"
+    fipstest ecdh init-verify ${RSPDIR}/$name.rsp | grep ^Result.=.F
+    test 1 = $?
+    last_result=$?
+    result=`expr $result + $last_result`
+    # ecdh response
+    name=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp
+    echo ">>>>>  $name"
+    fipstest ecdh resp-verify ${RSPDIR}/$name.rsp | grep ^Result.=.F
+    test 1 = $?
+    last_result=$?
+    result=`expr $result + $last_result`
+    # ecdh init verify
+    sh ./validate1.sh ${TESTDIR} KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+    last_result=$?
+    result=`expr $result + $last_result`
+    # ecdh response verify
+    sh ./validate1.sh ${TESTDIR} KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+    last_result=$?
+    result=`expr $result + $last_result`
+    # dh init
+    name=KASFunctionTest_FFCEphem_NOKC_ZZOnly_init
+    echo ">>>>>  $name"
+    fipstest dh init-verify ${RSPDIR}/$name.rsp | grep ^Result.=.F
+    test 1 = $?
+    last_result=$?
+    result=`expr $result + $last_result`
+    # dh response
+    name=KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp
+    echo ">>>>>  $name"
+    fipstest dh resp-verify ${RSPDIR}/$name.rsp | grep ^Result.=.F
+    test 1 = $?
+    last_result=$?
+    result=`expr $result + $last_result`
+    # ecdh init verify
+    sh ./validate1.sh ${TESTDIR} KASValidityTest_FFCEphem_NOKC_ZZOnly_init.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+    last_result=$?
+    result=`expr $result + $last_result`
+    # ecdh response verify
+    sh ./validate1.sh ${TESTDIR} KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+    last_result=$?
+    result=`expr $result + $last_result`
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh init-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh resp-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh init-verify ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh init-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh resp-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_FFCEphem_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh init-verify ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response
+exit 0
diff --git a/security/nss/tests/fips/cavs_scripts/kbkdf.sh b/security/nss/tests/fips/cavs_scripts/kbkdf.sh
new file mode 100644
index 0000000000..72b81ddaf8
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/kbkdf.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST SHA Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/KBKDF
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+all_requests="
+KBKDFCounter.req
+"
+
+if [ ${COMMAND} = "verify" ]; then
+    result=0
+    for request in $all_requests; do
+        sh ./validate1.sh ${TESTDIR} $request
+        last_result=$?
+        result=`expr $result + $last_result`
+    done
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+for request in $all_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest kbkdf ${REQDIR}/$request > ${RSPDIR}/$response
+done
+exit 0
diff --git a/security/nss/tests/fips/cavs_scripts/rng.sh b/security/nss/tests/fips/cavs_scripts/rng.sh
new file mode 100755
index 0000000000..3a502f2675
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/rng.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST RNG Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/DRBG800-90A
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+drbg_requests="
+Hash_DRBG.req
+"
+
+if [ ${COMMAND} = "verify" ]; then
+    result=0;
+    for request in $drbg_requests; do
+	sh ./validate1.sh ${TESTDIR} $request
+	last_result=$?
+	result=`expr $result + $last_result`
+    done
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+for request in $drbg_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest drbg ${REQDIR}/$request > ${RSPDIR}/$response
+done
+exit 0
diff --git a/security/nss/tests/fips/cavs_scripts/rsa.sh b/security/nss/tests/fips/cavs_scripts/rsa.sh
new file mode 100755
index 0000000000..46f726a9c5
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/rsa.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST RSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/RSA2
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+if [ ${COMMAND} = "verify" ]; then
+    result=0
+#verify the signatures. The fax file does not have any known answers, so
+#use our own verify function.
+    name=SigGen15_186-3
+    echo ">>>>>  $name"
+    fipstest rsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+    test 1 = $?
+    last_result=$?
+    result=`expr $result + $last_result`
+#The Fax file has the private exponent and the salt value, remove it
+#also remove the false reason
+    sh ./validate1.sh ${TESTDIR} SigVer15_186-3.req ' ' '-e /^SaltVal/d -e/^d.=/d -e /^p.=/d -e /^q.=/d -e /^EM.with/d -e /^Result.=.F/s;.(.*);;'
+    last_result=$?
+    result=`expr $result + $last_result`
+#
+# currently don't have a way to verify the RSA keygen
+#
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+request=SigGen15_186-3.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest rsa siggen ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=SigVer15_186-3.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest rsa sigver ${REQDIR}/$request > ${RSPDIR}/$response
+
+#request=KeyGen_186-3.req
+request=KeyGen_RandomProbablyPrime3_3.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest rsa keypair ${REQDIR}/$request > ${RSPDIR}/$response
diff --git a/security/nss/tests/fips/cavs_scripts/runtest.sh b/security/nss/tests/fips/cavs_scripts/runtest.sh
new file mode 100755
index 0000000000..96dc5fb34f
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/runtest.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+TESTDIR=${1-.}
+COMMAND=${2-run}
+DEFAULT_TESTS="aes aesgcm dsa ecdsa hmac kas kbkdf tls ike rng rsa sha tdea"
+shift;
+shift;
+TESTS=${@-$DEFAULT_TESTS}
+result=0
+for i in $TESTS
+do
+    echo "********************Running $i tests"
+    sh ./${i}.sh ${TESTDIR} ${COMMAND}
+    last_result=$?
+    if [ $last_result != 0 ]; then
+	echo "CAVS test $i had $last_result failure(s)"
+    fi
+    result=`expr $result + $last_result`
+done
+exit $result
diff --git a/security/nss/tests/fips/cavs_scripts/sha.sh b/security/nss/tests/fips/cavs_scripts/sha.sh
new file mode 100755
index 0000000000..5e692339d1
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/sha.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST SHA Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/SHA
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+sha_ShortMsg_requests="
+SHA1ShortMsg.req
+SHA224ShortMsg.req
+SHA256ShortMsg.req
+SHA384ShortMsg.req
+SHA512ShortMsg.req
+"
+
+sha_LongMsg_requests="
+SHA1LongMsg.req
+SHA224LongMsg.req
+SHA256LongMsg.req
+SHA384LongMsg.req
+SHA512LongMsg.req
+"
+
+sha_Monte_requests="
+SHA1Monte.req
+SHA224Monte.req
+SHA256Monte.req
+SHA384Monte.req
+SHA512Monte.req
+"
+
+if [ ${COMMAND} = "verify" ]; then
+    result=0
+    for request in $sha_ShortMsg_requests $sha_LongMsg_requests $sha_Monte_requests; do
+	sh ./validate1.sh ${TESTDIR} $request
+	last_result=$?
+	result=`expr $result + $last_result`
+    done
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+for request in $sha_ShortMsg_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $sha_LongMsg_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $sha_Monte_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response
+done
+exit 0
diff --git a/security/nss/tests/fips/cavs_scripts/tdea.sh b/security/nss/tests/fips/cavs_scripts/tdea.sh
new file mode 100755
index 0000000000..c7d17bb6f6
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/tdea.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST tdea Algorithm Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/TDES
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+#CBC_Known_Answer_tests
+#Initial Permutation KAT
+#Permutation Operation KAT
+#Subsitution Table KAT
+#Variable Key KAT
+#Variable PlainText KAT
+cbc_kat_requests="
+TCBCinvperm.req
+TCBCpermop.req
+TCBCsubtab.req
+TCBCvarkey.req
+TCBCvartext.req
+"
+
+#CBC Monte Carlo KATs
+cbc_monte_requests="
+TCBCMonte1.req
+TCBCMonte2.req
+TCBCMonte3.req
+"
+#Multi-block Message KATs
+cbc_mmt_requests="
+TCBCMMT1.req
+TCBCMMT2.req
+TCBCMMT3.req
+"
+
+ecb_kat_requests="
+TECBinvperm.req
+TECBpermop.req
+TECBsubtab.req
+TECBvarkey.req
+TECBvartext.req
+"
+
+ecb_monte_requests="
+TECBMonte1.req
+TECBMonte2.req
+TECBMonte3.req
+"
+
+ecb_mmt_requests="
+TECBMMT1.req
+TECBMMT2.req
+TECBMMT3.req
+"
+
+
+if [ ${COMMAND} = "verify" ]; then
+    result=0
+    for request in $cbc_kat_requests $cbc_monte_requests $cbc_mmt_requests $ecb_kat_requests $ecb_monte_requests $ecb_mmt_requests
+    do
+	sh ./validate1.sh ${TESTDIR} $request "-e /^NumKeys/d"
+	last_result=$?
+	result=`expr $result + $last_result`
+    done
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+for request in $cbc_kat_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea kat cbc ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $cbc_mmt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mmt cbc ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $cbc_monte_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mct cbc ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $ecb_kat_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea kat ecb ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $ecb_mmt_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mmt ecb ${REQDIR}/$request > ${RSPDIR}/$response
+done
+for request in $ecb_monte_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tdea mct ecb ${REQDIR}/$request > ${RSPDIR}/$response
+done
+exit 0
diff --git a/security/nss/tests/fips/cavs_scripts/tls.sh b/security/nss/tests/fips/cavs_scripts/tls.sh
new file mode 100755
index 0000000000..a08e62dfce
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/tls.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST RNG Validation Suite
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/KDF135
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+tls_requests="
+tls.req
+"
+
+if [ ${COMMAND} = "verify" ]; then
+    result=0
+    for request in $tls_requests; do
+	sh ./validate1.sh ${TESTDIR} $request
+	last_result=$?
+	result=`expr $result + $last_result`
+    done
+    exit $result
+fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
+for request in $tls_requests; do
+    response=`echo $request | sed -e "s/req/rsp/"`
+    echo $request $response
+    fipstest tls ${REQDIR}/$request > ${RSPDIR}/$response
+done
+exit 0
diff --git a/security/nss/tests/fips/cavs_scripts/validate.sh b/security/nss/tests/fips/cavs_scripts/validate.sh
new file mode 100755
index 0000000000..f9e55c56d2
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/validate.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+sh ./runtest.sh ${1-.} verify
diff --git a/security/nss/tests/fips/cavs_scripts/validate1.sh b/security/nss/tests/fips/cavs_scripts/validate1.sh
new file mode 100755
index 0000000000..c4db819775
--- /dev/null
+++ b/security/nss/tests/fips/cavs_scripts/validate1.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# Validate1.sh is a helper shell script that each of the base test shell
+# scripts call to help validate that the generated response (response)
+# matches the known answer response (fax). Sometimes (depending on the
+# individual tests) there are extraneous output in either or both response
+# and fax files. These allow the caller to pass in additional sed commands
+# to clear out those extraneous outputs before we compare the two files.
+# The sed line always clears out Windows line endings, replaces tabs with
+# spaces, and removed comments.
+#
+TESTDIR=${1-.}
+request=${2}
+extraneous_response=${3}
+extraneous_fax=${4}
+name=`basename $request .req`
+echo ">>>>>  $name"
+sed -e 's;
;;g' -e 's;	; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1
+# if we didn't generate any output, flag that as an error
+size=`sum /tmp/y1 | awk '{ print $NF }'`
+if [ $size -eq 0 ]; then
+   echo "${TESTDIR}/resp/${name}.rsp: empty"
+   exit 1;
+fi
+sed -e 's;
;;g' -e 's;	; ;g' -e '/^#/d' $extraneous_fax ${TESTDIR}/fax/${name}.fax > /tmp/y2
+diff -i -w -B /tmp/y1 /tmp/y2