diff options
Diffstat (limited to 'security/nss/tests/fips/cavs_scripts')
| -rw-r--r-- | security/nss/tests/fips/cavs_scripts/README | 41 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/aes.sh | 118 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/aesgcm.sh | 76 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/dsa.sh | 88 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/ecdsa.sh | 74 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/hmac.sh | 42 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/ike.sh | 50 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/kas.sh | 112 | ||||
| -rw-r--r-- | security/nss/tests/fips/cavs_scripts/kbkdf.sh | 41 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/rng.sh | 41 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/rsa.sh | 57 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/runtest.sh | 24 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/sha.sh | 71 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/tdea.sh | 112 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/tls.sh | 41 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/validate.sh | 7 | ||||
| -rwxr-xr-x | security/nss/tests/fips/cavs_scripts/validate1.sh | 30 |
17 files changed, 1025 insertions, 0 deletions
diff --git a/security/nss/tests/fips/cavs_scripts/README b/security/nss/tests/fips/cavs_scripts/README new file mode 100644 index 0000000000..17dc32d6b1 --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/README @@ -0,0 +1,41 @@ +These scripts are used to run fipstest on a directory of CAVS vectors. + +individual cipher scripts: +aesgcm.sh aes.sh dsa.sh ecdsa.sh hmac.sh ike.sh kas.sh +kbkdf.sh rng.sh rsa.sh sha.sh tdea.sh tls.sh + +Each individual cipher script handles all the tests in a particular directory. +The scripts have 2 modes: + 1) run [default] which generates the .rsp file from the .req file. + 2) verify which verify the generated .req file, either from a pregenerated +.fax file, or by running the appropriate fipstest verify function. The latter +is used for output that's non-deterministic (like randomly generated keys, or +signatures with random elements in them like DSA). + +The verify scripts return 0 on success and non-zero on failure. + +The validate1.sh script is used by these individual cipher scripts to make +sure .rsp and .fax files are identical, sans some expected differences like +white space or comment differences. It returns 0 on success or non-zero on +failure. + +When the scripts use fipstest to validate a .resp file, it uses grep to look +for failure cases. grep returns '1' if no failures are found and '1' if +failures or found. The scripts switches this back to 0 for success and 1 for +failure with the command 'test 1 = $?` which returns 0 if $? is 1 and 1 if $? +is 0. + +To run and individual cipher test, just type: + ./{script}.sh {path-to-cavs-root} + +to verify with an individual cipher test, just type: + ./{script}.sh {path-to-cavs-root} verify + +You can run all the cipher scripts with the runtest.sh: + ./runtest.sh {path-to-cavs-root} + +And you can verify the result with: + ./runtest.sh {path-to-cavs-root} verify +Or + ./validate.sh {patch-to-cavs-root} + diff --git a/security/nss/tests/fips/cavs_scripts/aes.sh b/security/nss/tests/fips/cavs_scripts/aes.sh new file mode 100755 index 0000000000..133b4730cf --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/aes.sh @@ -0,0 +1,118 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# +# A Bourne shell script for running the NIST AES Algorithm Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. + +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/AES +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + +cbc_kat_requests=" +CBCGFSbox128.req +CBCGFSbox192.req +CBCGFSbox256.req +CBCKeySbox128.req +CBCKeySbox192.req +CBCKeySbox256.req +CBCVarKey128.req +CBCVarKey192.req +CBCVarKey256.req +CBCVarTxt128.req +CBCVarTxt192.req +CBCVarTxt256.req +" + +cbc_mct_requests=" +CBCMCT128.req +CBCMCT192.req +CBCMCT256.req +" + +cbc_mmt_requests=" +CBCMMT128.req +CBCMMT192.req +CBCMMT256.req +" + +ecb_kat_requests=" +ECBGFSbox128.req +ECBGFSbox192.req +ECBGFSbox256.req +ECBKeySbox128.req +ECBKeySbox192.req +ECBKeySbox256.req +ECBVarKey128.req +ECBVarKey192.req +ECBVarKey256.req +ECBVarTxt128.req +ECBVarTxt192.req +ECBVarTxt256.req +" + +ecb_mct_requests=" +ECBMCT128.req +ECBMCT192.req +ECBMCT256.req +" + +ecb_mmt_requests=" +ECBMMT128.req +ECBMMT192.req +ECBMMT256.req +" + +if [ ${COMMAND} = "verify" ]; then + result=0; + for request in $cbc_kat_requests $cbc_mct_requests $cbc_mmt_requests $ecb_kat_requests $ecb_mct_requests $ecb_mmt_requests; do + sh ./validate1.sh ${TESTDIR} $request + last_result=$? + result=`expr $result + $last_result` + done + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +for request in $cbc_kat_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest aes kat cbc ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $cbc_mct_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest aes mct cbc ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $cbc_mmt_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest aes mmt cbc ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $ecb_kat_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest aes kat ecb ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $ecb_mct_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest aes mct ecb ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $ecb_mmt_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest aes mmt ecb ${REQDIR}/$request > ${RSPDIR}/$response +done +exit 0 diff --git a/security/nss/tests/fips/cavs_scripts/aesgcm.sh b/security/nss/tests/fips/cavs_scripts/aesgcm.sh new file mode 100755 index 0000000000..4b35276abd --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/aesgcm.sh @@ -0,0 +1,76 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST AES Algorithm Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. + +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/AES_GCM +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + +gcm_decrypt_requests=" +gcmDecrypt128.req +gcmDecrypt192.req +gcmDecrypt256.req +" + +gcm_encrypt_extiv_requests=" +gcmEncryptExtIV128.req +gcmEncryptExtIV192.req +gcmEncryptExtIV256.req +" +gcm_encrypt_intiv_requests=" +" + +#gcm_encrypt_intiv_requests=" +#gcmEncryptIntIV128.req +#gcmEncryptIntIV192.req +#gcmEncryptIntIV256.req +#" + +if [ ${COMMAND} = "verify" ]; then + result=0 + for request in $gcm_decrypt_requests $gcm_encrypt_extiv_requests; do + sh ./validate1.sh ${TESTDIR} $request ' ' '-e /Reason:/d' + last_result=$? + result=`expr $result + $last_result` + done + for request in $gcm_encrypt_intiv_requests; do + name=`basename $request .req` + echo ">>>>> $name" + fipstest aes gcm decrypt ${RSPDIR}/$name.rsp | grep FAIL + test 1 = $? + last_result=$? + result=`expr $result + $last_result` + done + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +for request in $gcm_decrypt_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest aes gcm decrypt ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $gcm_encrypt_intiv_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest aes gcm encrypt_intiv ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $gcm_encrypt_extiv_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest aes gcm encrypt_extiv ${REQDIR}/$request > ${RSPDIR}/$response +done +exit 0 diff --git a/security/nss/tests/fips/cavs_scripts/dsa.sh b/security/nss/tests/fips/cavs_scripts/dsa.sh new file mode 100755 index 0000000000..6858e3cf7c --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/dsa.sh @@ -0,0 +1,88 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST DSA Validation System +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/DSA2 +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + + +# +# several of the DSA tests do use known answer tests to verify the result. +# in those cases, feed generated tests back into the fipstest tool and +# see if we can verify those value. NOTE: th PQGVer and SigVer tests verify +# the dsa pqgver and dsa sigver functions, so we know they can detect errors +# in those PQGGen and SigGen. Only the KeyPair verify is potentially circular. +# +if [ ${COMMAND} = "verify" ]; then + result=0 +# verify generated keys + name=KeyPair + echo ">>>>> $name" + fipstest dsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F + test 1 = $? + last_result=$? + result=`expr $result + $last_result` +# verify generated pqg values + name=PQGGen + echo ">>>>> $name" + fipstest dsa pqgver ${RSPDIR}/$name.rsp | grep ^Result.=.F + test 1 = $? + last_result=$? + result=`expr $result + $last_result` +# verify PQGVer with known answer + sh ./validate1.sh ${TESTDIR} PQGVer1863.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;' + last_result=$? + result=`expr $result + $last_result` +# verify signatures + name=SigGen + echo ">>>>> $name" + fipstest dsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F + test 1 = $? + last_result=$? + result=`expr $result + $last_result` +# verify SigVer with known answer + sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);;' + last_result=$? + result=`expr $result + $last_result` + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +request=KeyPair.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dsa keypair ${REQDIR}/$request > ${RSPDIR}/$response + +request=PQGGen.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dsa pqggen ${REQDIR}/$request > ${RSPDIR}/$response + +request=PQGVer1863.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dsa pqgver ${REQDIR}/$request > ${RSPDIR}/$response + +request=SigGen.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dsa siggen ${REQDIR}/$request > ${RSPDIR}/$response + +request=SigVer.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dsa sigver ${REQDIR}/$request > ${RSPDIR}/$response +exit 0 diff --git a/security/nss/tests/fips/cavs_scripts/ecdsa.sh b/security/nss/tests/fips/cavs_scripts/ecdsa.sh new file mode 100755 index 0000000000..fb7387ef44 --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/ecdsa.sh @@ -0,0 +1,74 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST ECDSA Validation System +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/ECDSA2 +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + +# +# several of the ECDSA tests do not use known answer tests to verify the result. +# In those cases, feed generated tests back into the fipstest tool and +# see if we can verify those value. NOTE: PQGVer and SigVer tests verify +# the dsa pqgver and dsa sigver functions, so we know they can detect errors +# in those PQGGen and SigGen. Only the KeyPair verify is potentially circular. +# +if [ ${COMMAND} = "verify" ]; then + result=0; +# verify generated keys + name=KeyPair + echo ">>>>> $name" + fipstest ecdsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F + test 1 = $? + last_result=$? + result=`expr $result + $last_result` + sh ./validate1.sh ${TESTDIR} PKV.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;' + last_result=$? + result=`expr $result + $last_result` +# verify signatures + name=SigGen + echo ">>>>> $name" + fipstest ecdsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F + test 1 = $? + last_result=$? + result=`expr $result + $last_result` +# verify SigVer with known answer + sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;' + last_result=$? + result=`expr $result + $last_result` + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +request=KeyPair.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdsa keypair ${REQDIR}/$request > ${RSPDIR}/$response + +request=PKV.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdsa pkv ${REQDIR}/$request > ${RSPDIR}/$response + +request=SigGen.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdsa siggen ${REQDIR}/$request > ${RSPDIR}/$response + +request=SigVer.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdsa sigver ${REQDIR}/$request > ${RSPDIR}/$response +exit 0 diff --git a/security/nss/tests/fips/cavs_scripts/hmac.sh b/security/nss/tests/fips/cavs_scripts/hmac.sh new file mode 100755 index 0000000000..b414311e5a --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/hmac.sh @@ -0,0 +1,42 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST HMAC Algorithm Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. + +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/HMAC +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + +hmac_requests=" +HMAC.req +" + +if [ ${COMMAND} = "verify" ]; then + result=0 + for request in $hmac_requests; do + sh ./validate1.sh ${TESTDIR} $request + last_result=$? + result=`expr $result + $last_result` + done + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +for request in $hmac_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest hmac ${REQDIR}/$request > ${RSPDIR}/$response +done +exit 0 diff --git a/security/nss/tests/fips/cavs_scripts/ike.sh b/security/nss/tests/fips/cavs_scripts/ike.sh new file mode 100755 index 0000000000..777f61dda8 --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/ike.sh @@ -0,0 +1,50 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST RNG Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/IKE +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + +ike_requests=" +ikev1_dsa.req +ikev1_psk.req +ikev2.req +" + +if [ ${COMMAND} = "verify" ]; then + result=0 + for request in $ike_requests; do + sh ./validate1.sh ${TESTDIR} $request + last_result=$? + result=`expr $result + $last_result` + done + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +request=ikev1_dsa.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ikev1 ${REQDIR}/$request > ${RSPDIR}/$response +request=ikev1_psk.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ikev1-psk ${REQDIR}/$request > ${RSPDIR}/$response +request=ikev2.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ikev2 ${REQDIR}/$request > ${RSPDIR}/$response +exit 0; diff --git a/security/nss/tests/fips/cavs_scripts/kas.sh b/security/nss/tests/fips/cavs_scripts/kas.sh new file mode 100755 index 0000000000..9f0dee1c14 --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/kas.sh @@ -0,0 +1,112 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST DSA Validation System +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/KAS +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + + +# +if [ ${COMMAND} = "verify" ]; then + result=0 + # ecdh init + name=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init + echo ">>>>> $name" + fipstest ecdh init-verify ${RSPDIR}/$name.rsp | grep ^Result.=.F + test 1 = $? + last_result=$? + result=`expr $result + $last_result` + # ecdh response + name=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp + echo ">>>>> $name" + fipstest ecdh resp-verify ${RSPDIR}/$name.rsp | grep ^Result.=.F + test 1 = $? + last_result=$? + result=`expr $result + $last_result` + # ecdh init verify + sh ./validate1.sh ${TESTDIR} KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;' + last_result=$? + result=`expr $result + $last_result` + # ecdh response verify + sh ./validate1.sh ${TESTDIR} KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;' + last_result=$? + result=`expr $result + $last_result` + # dh init + name=KASFunctionTest_FFCEphem_NOKC_ZZOnly_init + echo ">>>>> $name" + fipstest dh init-verify ${RSPDIR}/$name.rsp | grep ^Result.=.F + test 1 = $? + last_result=$? + result=`expr $result + $last_result` + # dh response + name=KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp + echo ">>>>> $name" + fipstest dh resp-verify ${RSPDIR}/$name.rsp | grep ^Result.=.F + test 1 = $? + last_result=$? + result=`expr $result + $last_result` + # ecdh init verify + sh ./validate1.sh ${TESTDIR} KASValidityTest_FFCEphem_NOKC_ZZOnly_init.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;' + last_result=$? + result=`expr $result + $last_result` + # ecdh response verify + sh ./validate1.sh ${TESTDIR} KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;' + last_result=$? + result=`expr $result + $last_result` + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdh init-func ${REQDIR}/$request > ${RSPDIR}/$response + +request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdh resp-func ${REQDIR}/$request > ${RSPDIR}/$response + +request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdh init-verify ${REQDIR}/$request > ${RSPDIR}/$response + +request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response + +request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_init.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dh init-func ${REQDIR}/$request > ${RSPDIR}/$response + +request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dh resp-func ${REQDIR}/$request > ${RSPDIR}/$response + +request=KASValidityTest_FFCEphem_NOKC_ZZOnly_init.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dh init-verify ${REQDIR}/$request > ${RSPDIR}/$response + +request=KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response +exit 0 diff --git a/security/nss/tests/fips/cavs_scripts/kbkdf.sh b/security/nss/tests/fips/cavs_scripts/kbkdf.sh new file mode 100644 index 0000000000..72b81ddaf8 --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/kbkdf.sh @@ -0,0 +1,41 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST SHA Algorithm Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/KBKDF +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + +all_requests=" +KBKDFCounter.req +" + +if [ ${COMMAND} = "verify" ]; then + result=0 + for request in $all_requests; do + sh ./validate1.sh ${TESTDIR} $request + last_result=$? + result=`expr $result + $last_result` + done + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +for request in $all_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest kbkdf ${REQDIR}/$request > ${RSPDIR}/$response +done +exit 0 diff --git a/security/nss/tests/fips/cavs_scripts/rng.sh b/security/nss/tests/fips/cavs_scripts/rng.sh new file mode 100755 index 0000000000..3a502f2675 --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/rng.sh @@ -0,0 +1,41 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST RNG Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/DRBG800-90A +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + +drbg_requests=" +Hash_DRBG.req +" + +if [ ${COMMAND} = "verify" ]; then + result=0; + for request in $drbg_requests; do + sh ./validate1.sh ${TESTDIR} $request + last_result=$? + result=`expr $result + $last_result` + done + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +for request in $drbg_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest drbg ${REQDIR}/$request > ${RSPDIR}/$response +done +exit 0 diff --git a/security/nss/tests/fips/cavs_scripts/rsa.sh b/security/nss/tests/fips/cavs_scripts/rsa.sh new file mode 100755 index 0000000000..46f726a9c5 --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/rsa.sh @@ -0,0 +1,57 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST RSA Validation System +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/RSA2 +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + +if [ ${COMMAND} = "verify" ]; then + result=0 +#verify the signatures. The fax file does not have any known answers, so +#use our own verify function. + name=SigGen15_186-3 + echo ">>>>> $name" + fipstest rsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F + test 1 = $? + last_result=$? + result=`expr $result + $last_result` +#The Fax file has the private exponent and the salt value, remove it +#also remove the false reason + sh ./validate1.sh ${TESTDIR} SigVer15_186-3.req ' ' '-e /^SaltVal/d -e/^d.=/d -e /^p.=/d -e /^q.=/d -e /^EM.with/d -e /^Result.=.F/s;.(.*);;' + last_result=$? + result=`expr $result + $last_result` +# +# currently don't have a way to verify the RSA keygen +# + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +request=SigGen15_186-3.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest rsa siggen ${REQDIR}/$request > ${RSPDIR}/$response + +request=SigVer15_186-3.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest rsa sigver ${REQDIR}/$request > ${RSPDIR}/$response + +#request=KeyGen_186-3.req +request=KeyGen_RandomProbablyPrime3_3.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest rsa keypair ${REQDIR}/$request > ${RSPDIR}/$response diff --git a/security/nss/tests/fips/cavs_scripts/runtest.sh b/security/nss/tests/fips/cavs_scripts/runtest.sh new file mode 100755 index 0000000000..96dc5fb34f --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/runtest.sh @@ -0,0 +1,24 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +TESTDIR=${1-.} +COMMAND=${2-run} +DEFAULT_TESTS="aes aesgcm dsa ecdsa hmac kas kbkdf tls ike rng rsa sha tdea" +shift; +shift; +TESTS=${@-$DEFAULT_TESTS} +result=0 +for i in $TESTS +do + echo "********************Running $i tests" + sh ./${i}.sh ${TESTDIR} ${COMMAND} + last_result=$? + if [ $last_result != 0 ]; then + echo "CAVS test $i had $last_result failure(s)" + fi + result=`expr $result + $last_result` +done +exit $result diff --git a/security/nss/tests/fips/cavs_scripts/sha.sh b/security/nss/tests/fips/cavs_scripts/sha.sh new file mode 100755 index 0000000000..5e692339d1 --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/sha.sh @@ -0,0 +1,71 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST SHA Algorithm Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/SHA +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + +sha_ShortMsg_requests=" +SHA1ShortMsg.req +SHA224ShortMsg.req +SHA256ShortMsg.req +SHA384ShortMsg.req +SHA512ShortMsg.req +" + +sha_LongMsg_requests=" +SHA1LongMsg.req +SHA224LongMsg.req +SHA256LongMsg.req +SHA384LongMsg.req +SHA512LongMsg.req +" + +sha_Monte_requests=" +SHA1Monte.req +SHA224Monte.req +SHA256Monte.req +SHA384Monte.req +SHA512Monte.req +" + +if [ ${COMMAND} = "verify" ]; then + result=0 + for request in $sha_ShortMsg_requests $sha_LongMsg_requests $sha_Monte_requests; do + sh ./validate1.sh ${TESTDIR} $request + last_result=$? + result=`expr $result + $last_result` + done + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +for request in $sha_ShortMsg_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $sha_LongMsg_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $sha_Monte_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response +done +exit 0 diff --git a/security/nss/tests/fips/cavs_scripts/tdea.sh b/security/nss/tests/fips/cavs_scripts/tdea.sh new file mode 100755 index 0000000000..c7d17bb6f6 --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/tdea.sh @@ -0,0 +1,112 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST tdea Algorithm Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. + +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/TDES +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + +#CBC_Known_Answer_tests +#Initial Permutation KAT +#Permutation Operation KAT +#Subsitution Table KAT +#Variable Key KAT +#Variable PlainText KAT +cbc_kat_requests=" +TCBCinvperm.req +TCBCpermop.req +TCBCsubtab.req +TCBCvarkey.req +TCBCvartext.req +" + +#CBC Monte Carlo KATs +cbc_monte_requests=" +TCBCMonte1.req +TCBCMonte2.req +TCBCMonte3.req +" +#Multi-block Message KATs +cbc_mmt_requests=" +TCBCMMT1.req +TCBCMMT2.req +TCBCMMT3.req +" + +ecb_kat_requests=" +TECBinvperm.req +TECBpermop.req +TECBsubtab.req +TECBvarkey.req +TECBvartext.req +" + +ecb_monte_requests=" +TECBMonte1.req +TECBMonte2.req +TECBMonte3.req +" + +ecb_mmt_requests=" +TECBMMT1.req +TECBMMT2.req +TECBMMT3.req +" + + +if [ ${COMMAND} = "verify" ]; then + result=0 + for request in $cbc_kat_requests $cbc_monte_requests $cbc_mmt_requests $ecb_kat_requests $ecb_monte_requests $ecb_mmt_requests + do + sh ./validate1.sh ${TESTDIR} $request "-e /^NumKeys/d" + last_result=$? + result=`expr $result + $last_result` + done + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +for request in $cbc_kat_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea kat cbc ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $cbc_mmt_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea mmt cbc ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $cbc_monte_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea mct cbc ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $ecb_kat_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea kat ecb ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $ecb_mmt_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea mmt ecb ${REQDIR}/$request > ${RSPDIR}/$response +done +for request in $ecb_monte_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea mct ecb ${REQDIR}/$request > ${RSPDIR}/$response +done +exit 0 diff --git a/security/nss/tests/fips/cavs_scripts/tls.sh b/security/nss/tests/fips/cavs_scripts/tls.sh new file mode 100755 index 0000000000..a08e62dfce --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/tls.sh @@ -0,0 +1,41 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# A Bourne shell script for running the NIST RNG Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. +BASEDIR=${1-.} +TESTDIR=${BASEDIR}/KDF135 +COMMAND=${2-run} +REQDIR=${TESTDIR}/req +RSPDIR=${TESTDIR}/resp + +tls_requests=" +tls.req +" + +if [ ${COMMAND} = "verify" ]; then + result=0 + for request in $tls_requests; do + sh ./validate1.sh ${TESTDIR} $request + last_result=$? + result=`expr $result + $last_result` + done + exit $result +fi + +test -d "${RSPDIR}" || mkdir "${RSPDIR}" + +for request in $tls_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tls ${REQDIR}/$request > ${RSPDIR}/$response +done +exit 0 diff --git a/security/nss/tests/fips/cavs_scripts/validate.sh b/security/nss/tests/fips/cavs_scripts/validate.sh new file mode 100755 index 0000000000..f9e55c56d2 --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/validate.sh @@ -0,0 +1,7 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +sh ./runtest.sh ${1-.} verify diff --git a/security/nss/tests/fips/cavs_scripts/validate1.sh b/security/nss/tests/fips/cavs_scripts/validate1.sh new file mode 100755 index 0000000000..c4db819775 --- /dev/null +++ b/security/nss/tests/fips/cavs_scripts/validate1.sh @@ -0,0 +1,30 @@ +#!/bin/sh +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# Validate1.sh is a helper shell script that each of the base test shell +# scripts call to help validate that the generated response (response) +# matches the known answer response (fax). Sometimes (depending on the +# individual tests) there are extraneous output in either or both response +# and fax files. These allow the caller to pass in additional sed commands +# to clear out those extraneous outputs before we compare the two files. +# The sed line always clears out Windows line endings, replaces tabs with +# spaces, and removed comments. +# +TESTDIR=${1-.} +request=${2} +extraneous_response=${3} +extraneous_fax=${4} +name=`basename $request .req` +echo ">>>>> $name" +sed -e 's;
;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1 +# if we didn't generate any output, flag that as an error +size=`sum /tmp/y1 | awk '{ print $NF }'` +if [ $size -eq 0 ]; then + echo "${TESTDIR}/resp/${name}.rsp: empty" + exit 1; +fi +sed -e 's;
;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_fax ${TESTDIR}/fax/${name}.fax > /tmp/y2 +diff -i -w -B /tmp/y1 /tmp/y2 |