Bug 1564499 - land NSS 777b6070fe76 UPGRADE_NSS_RELEASE, r=me
authorJ.C. Jones <jc@mozilla.com>
Mon, 05 Aug 2019 15:58:54 +0000
changeset 546917 7a4031897e6bd0d5e86a56e5cd727eef4c0f2558
parent 546916 698cd05deb4e1e62638be555c9a409197e6b16a9
child 546918 dba2c8019074a017293f708cec0292607c2e803c
child 546964 c72b357d60dd90d82452c496e37cb92b12bb74f6
push id11848
push userffxbld-merge
push dateMon, 26 Aug 2019 19:26:25 +0000
reviewersme
bugs1564499
milestone70.0a1
Bug 1564499 - land NSS 777b6070fe76 UPGRADE_NSS_RELEASE, r=me
security/nss/TAG-INFO
security/nss/cmd/lib/secpwd.c
security/nss/cmd/pk11mode/pk11mode.c
security/nss/cmd/shlibsign/shlibsign.c
security/nss/coreconf/coreconf.dep
security/nss/gtests/softoken_gtest/softoken_gtest.cc
security/nss/lib/freebl/pqg.c
security/nss/lib/softoken/fipstokn.c
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11i.h
security/nss/mach
security/nss/tests/fips/cavs_scripts/aes.sh
security/nss/tests/fips/cavs_scripts/aesgcm.sh
security/nss/tests/fips/cavs_scripts/dsa.sh
security/nss/tests/fips/cavs_scripts/ecdsa.sh
security/nss/tests/fips/cavs_scripts/hmac.sh
security/nss/tests/fips/cavs_scripts/ike.sh
security/nss/tests/fips/cavs_scripts/kas.sh
security/nss/tests/fips/cavs_scripts/rng.sh
security/nss/tests/fips/cavs_scripts/rsa.sh
security/nss/tests/fips/cavs_scripts/sha.sh
security/nss/tests/fips/cavs_scripts/tdea.sh
security/nss/tests/fips/cavs_scripts/tls.sh
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-a31fc0eefc4c
+777b6070fe76
--- a/security/nss/cmd/lib/secpwd.c
+++ b/security/nss/cmd/lib/secpwd.c
@@ -61,17 +61,17 @@ SEC_GetPassword(FILE *input, FILE *outpu
 #if defined(_WINDOWS)
     int isTTY = (input == stdin);
 #define echoOn(x)
 #define echoOff(x)
 #else
     int infd = fileno(input);
     int isTTY = isatty(infd);
 #endif
-    char phrase[200] = { '\0' }; /* ensure EOF doesn't return junk */
+    char phrase[500] = { '\0' }; /* ensure EOF doesn't return junk */
 
     for (;;) {
         /* Prompt for password */
         if (isTTY) {
             fprintf(output, "%s", prompt);
             fflush(output);
             echoOff(infd);
         }
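Review bot: The new size in `char phrase[500]` is a bare literal that has to track `SFTK_MAX_PIN` in lib/softoken/pkcs11i.h, which this commit raises to the same value, and nothing ties the two together. The same literal is repeated in `PKM_FilePasswd` (cmd/pk11mode/pk11mode.c) and `filePasswd` (cmd/shlibsign/shlibsign.c). If the read code, which is outside these hunks, stores a trailing newline or a NUL terminator in `phrase`, a 500-byte buffer holds fewer than 500 password bytes, so a maximum-length password would be cut short before it reaches the token. I would size the buffers with headroom and say why, e.g. `char phrase[500 + 2] = { '\0' }; /* SFTK_MAX_PIN bytes + newline + NUL */`.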
--- a/security/nss/cmd/pk11mode/pk11mode.c
+++ b/security/nss/cmd/pk11mode/pk11mode.c
@@ -5224,17 +5224,17 @@ PKM_Digest(CK_FUNCTION_LIST_PTR pFunctio
     }
 
     return crv;
 }
 
 char *
 PKM_FilePasswd(char *pwFile)
 {
-    unsigned char phrase[200];
+    unsigned char phrase[500];
     PRFileDesc *fd;
     PRInt32 nb;
     int i;
 
     if (!pwFile)
         return 0;
 
     fd = PR_Open(pwFile, PR_RDONLY, 0);
--- a/security/nss/cmd/shlibsign/shlibsign.c
+++ b/security/nss/cmd/shlibsign/shlibsign.c
@@ -609,17 +609,17 @@ cleanup:
     }
 
     return crv;
 }
 
 static char *
 filePasswd(char *pwFile)
 {
-    unsigned char phrase[200];
+    unsigned char phrase[500];
     PRFileDesc *fd;
     PRInt32 nb;
     int i;
 
     if (!pwFile)
         return 0;
 
     fd = PR_Open(pwFile, PR_RDONLY, 0);
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/gtests/softoken_gtest/softoken_gtest.cc
+++ b/security/nss/gtests/softoken_gtest/softoken_gtest.cc
@@ -1,13 +1,14 @@
 #include "cert.h"
 #include "certdb.h"
 #include "nspr.h"
 #include "nss.h"
 #include "pk11pub.h"
+#include "secmod.h"
 #include "secerr.h"
 
 #include "nss_scoped_ptrs.h"
 #include "util.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
@@ -114,16 +115,37 @@ TEST_F(SoftokenTest, CreateObjectChangeP
   EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
   EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "", "password"));
   EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
   ScopedPK11GenericObject obj(PK11_CreateGenericObject(
       slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
   EXPECT_EQ(nullptr, obj);
 }
 
+/* The size limit for a password is 500 characters as defined in pkcs11i.h */
+TEST_F(SoftokenTest, CreateObjectChangeToBigPassword) {
+  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+  ASSERT_TRUE(slot);
+  EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
+  EXPECT_EQ(
+      SECSuccess,
+      PK11_ChangePW(slot.get(), "",
+                    "rUIFIFr2bxKnbJbitsfkyqttpk6vCJzlYMNxcxXcaN37gSZKbLk763X7iR"
+                    "yeVNWZHQ02lSF69HYjzTyPW3318ZD0DBFMMbALZ8ZPZP73CIo5uIQlaowV"
+                    "IbP8eOhRYtGUqoLGlcIFNEYogV8Q3GN58VeBMs0KxrIOvPQ9s8SnYYkqvt"
+                    "zzgntmAvCgvk64x6eQf0okHwegd5wi6m0WVJytEepWXkP9J629FSa5kNT8"
+                    "FvL3jvslkiImzTNuTvl32fQDXXMSc8vVk5Q3mH7trMZM0VDdwHWYERjHbz"
+                    "kGxFgp0VhediHx7p9kkz6H6ac4et9sW4UkTnN7xhYc1Zr17wRSk2heQtcX"
+                    "oZJGwuzhiKm8A8wkuVxms6zO56P4JORIk8oaUW6lyNTLo2kWWnTA"));
+  EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
+  ScopedPK11GenericObject obj(PK11_CreateGenericObject(
+      slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
+  EXPECT_EQ(nullptr, obj);
+}
+
 TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) {
   ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
   ASSERT_TRUE(slot);
   EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
   EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "password", ""));
   // PK11_Logout returnes an error and SEC_ERROR_TOKEN_NOT_LOGGED_IN if the user
   // is not "logged in".
   EXPECT_EQ(SECFailure, PK11_Logout(slot.get()));
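Review bot: `CreateObjectChangeToBigPassword` does not exercise the limit its comment names: the literal passed to `PK11_ChangePW` looks to be about 400 characters, so neither the 500-byte boundary nor the rejection just above it is covered. Generating the value makes the length explicit, e.g. `PK11_ChangePW(slot.get(), "", std::string(500, 'a').c_str())`, paired in a separate test with a negative case, `EXPECT_EQ(SECFailure, PK11_ChangePW(slot.get(), "", std::string(501, 'a').c_str()));`, which should be refused by the `SFTK_MAX_PIN` range check in `NSC_SetPIN`. The comment should also say bytes rather than characters, to match the wording next to `SFTK_MAX_PIN` in pkcs11i.h. The hunk ends inside `CreateObjectChangeToEmptyPassword`, which is not part of this point.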
@@ -260,15 +282,109 @@ TEST_F(SoftokenNoDBTest, NeedUserInitNoD
   ASSERT_TRUE(slot);
   EXPECT_EQ(PR_FALSE, PK11_NeedUserInit(slot.get()));
 
   // When shutting down in here we have to release the slot first.
   slot = nullptr;
   ASSERT_EQ(SECSuccess, NSS_Shutdown());
 }
 
+#ifndef NSS_FIPS_DISABLED
+
+class SoftokenFipsTest : public SoftokenTest {
+ protected:
+  SoftokenFipsTest() : SoftokenTest("SoftokenFipsTest.d-") {}
+
+  virtual void SetUp() {
+    SoftokenTest::SetUp();
+
+    // Turn on FIPS mode (code borrowed from FipsMode in modutil/pk11.c)
+    char *internal_name;
+    ASSERT_FALSE(PK11_IsFIPS());
+    internal_name = PR_smprintf("%s", SECMOD_GetInternalModule()->commonName);
+    ASSERT_EQ(SECSuccess, SECMOD_DeleteInternalModule(internal_name));
+    PR_smprintf_free(internal_name);
+    ASSERT_TRUE(PK11_IsFIPS());
+  }
+};
+
+const std::vector<std::string> kFipsPasswordCases[] = {
+    // FIPS level1 -> level1 -> level1
+    {"", "", ""},
+    // FIPS level1 -> level1 -> level2
+    {"", "", "strong-_123"},
+    // FIXME: this should work: FIPS level1 -> level2 -> level2
+    // {"", "strong-_123", "strong-_456"},
+    // FIPS level2 -> level2 -> level2
+    {"strong-_123", "strong-_456", "strong-_123"}};
+
+const std::vector<std::string> kFipsPasswordBadCases[] = {
+    // FIPS level1 -> level2 -> level1
+    {"", "strong-_123", ""},
+    // FIPS level2 -> level1 -> level1
+    {"strong-_123", ""},
+    // FIPS level2 -> level2 -> level1
+    {"strong-_123", "strong-_456", ""},
+    // initialize with a weak password
+    {"weak"},
+    // FIPS level1 -> weak password
+    {"", "weak"},
+    // FIPS level2 -> weak password
+    {"strong-_123", "weak"}};
+
+class SoftokenFipsPasswordTest
+    : public SoftokenFipsTest,
+      public ::testing::WithParamInterface<std::vector<std::string>> {};
+
+class SoftokenFipsBadPasswordTest
+    : public SoftokenFipsTest,
+      public ::testing::WithParamInterface<std::vector<std::string>> {};
+
+TEST_P(SoftokenFipsPasswordTest, SetPassword) {
+  const std::vector<std::string> &passwords = GetParam();
+  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+  ASSERT_TRUE(slot);
+
+  auto it = passwords.begin();
+  auto prev_it = it;
+  EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, (*it).c_str()));
+  for (it++; it != passwords.end(); it++, prev_it++) {
+    EXPECT_EQ(SECSuccess,
+              PK11_ChangePW(slot.get(), (*prev_it).c_str(), (*it).c_str()));
+  }
+}
+
+TEST_P(SoftokenFipsBadPasswordTest, SetBadPassword) {
+  const std::vector<std::string> &passwords = GetParam();
+  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+  ASSERT_TRUE(slot);
+
+  auto it = passwords.begin();
+  auto prev_it = it;
+  SECStatus rv = PK11_InitPin(slot.get(), nullptr, (*it).c_str());
+  if (it + 1 == passwords.end())
+    EXPECT_EQ(SECFailure, rv);
+  else
+    EXPECT_EQ(SECSuccess, rv);
+  for (it++; it != passwords.end(); it++, prev_it++) {
+    rv = PK11_ChangePW(slot.get(), (*prev_it).c_str(), (*it).c_str());
+    if (it + 1 == passwords.end())
+      EXPECT_EQ(SECFailure, rv);
+    else
+      EXPECT_EQ(SECSuccess, rv);
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(FipsPasswordCases, SoftokenFipsPasswordTest,
+                        ::testing::ValuesIn(kFipsPasswordCases));
+
+INSTANTIATE_TEST_CASE_P(BadFipsPasswordCases, SoftokenFipsBadPasswordTest,
+                        ::testing::ValuesIn(kFipsPasswordBadCases));
+
+#endif
+
 }  // namespace nss_test
 
 int main(int argc, char **argv) {
   ::testing::InitGoogleTest(&argc, argv);
 
   return RUN_ALL_TESTS();
 }
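Review bot: In `SoftokenFipsTest::SetUp`, `internal_name` is not released when `ASSERT_EQ(SECSuccess, SECMOD_DeleteInternalModule(internal_name))` fails, because a fatal assertion returns before `PR_smprintf_free`, and the result of `SECMOD_GetInternalModule()` is dereferenced without a check. Copying the name into a `std::string` removes the manual free and still keeps the name alive across the delete: `SECMODModule *mod = SECMOD_GetInternalModule(); ASSERT_NE(nullptr, mod);` then `std::string internal_name(mod->commonName);`, passing `internal_name.c_str()` to the delete call. Nothing in the hunk switches FIPS mode back off, so whether later tests in the same process start from a clean state depends on `SoftokenTest::TearDown`, which is outside the hunk; a one-line comment in `SetUp` saying where the mode is reset would help. The commented-out level1 -> level2 -> level2 case under the FIXME leaves that transition untested, and a bug reference next to it would keep it from being forgotten.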
--- a/security/nss/lib/freebl/pqg.c
+++ b/security/nss/lib/freebl/pqg.c
@@ -885,17 +885,17 @@ findQfromSeed(
     const SECItem *seed,        /* input.  */
     mp_int *Q,                  /* input. */
     mp_int *Q_,                 /* output. */
     unsigned int *qseed_len,    /* output */
     HASH_HashType *hashtypePtr, /* output. Hash uses */
     pqgGenType *typePtr,        /* output. Generation Type used */
     unsigned int *qgen_counter) /* output. q_counter */
 {
-    HASH_HashType hashtype;
+    HASH_HashType hashtype = HASH_AlgNULL;
     SECItem firstseed = { 0, 0, 0 };
     SECItem qseed = { 0, 0, 0 };
     SECStatus rv;
 
     *qseed_len = 0; /* only set if FIPS186_3_ST_TYPE */
 
     /* handle legacy small DSA first can only be FIPS186_1_TYPE */
     if (L < 1024) {
@@ -1234,17 +1234,17 @@ pqg_ParamGen(unsigned int L, unsigned in
              unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy)
 {
     unsigned int n;       /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     unsigned int seedlen; /* Per FIPS 186-3 app A.1.1.2  (was 'g' 186-1)*/
     unsigned int counter; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     unsigned int offset;  /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     unsigned int outlen;  /* Per FIPS 186-3, appendix A.1.1.2. */
     unsigned int maxCount;
-    HASH_HashType hashtype;
+    HASH_HashType hashtype = HASH_AlgNULL;
     SECItem *seed; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     PLArenaPool *arena = NULL;
     PQGParams *params = NULL;
     PQGVerify *verify = NULL;
     PRBool passed;
     SECItem hit = { 0, 0, 0 };
     SECItem firstseed = { 0, 0, 0 };
     SECItem qseed = { 0, 0, 0 };
@@ -1625,18 +1625,18 @@ PQG_VerifyParams(const PQGParams *params
     unsigned int g, n, L, N, offset, outlen;
     mp_int p0, P, Q, G, P_, Q_, G_, r, h;
     mp_err err = MP_OKAY;
     int j;
     unsigned int counter_max = 0; /* handle legacy L < 1024 */
     unsigned int qseed_len;
     unsigned int qgen_counter_ = 0;
     SECItem pseed_ = { 0, 0, 0 };
-    HASH_HashType hashtype;
-    pqgGenType type;
+    HASH_HashType hashtype = HASH_AlgNULL;
+    pqgGenType type = FIPS186_1_TYPE;
 
 #define CHECKPARAM(cond)      \
     if (!(cond)) {            \
         *result = SECFailure; \
         goto cleanup;         \
     }
     if (!params || !vfy || !result) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
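Review bot: In `PQG_VerifyParams`, `pqgGenType type = FIPS186_1_TYPE;` silences the uninitialized-variable warning with a value that is also a real generation type, so a path that reaches a use of `type` before it has been assigned would silently verify under the legacy rules instead of failing. `HASH_AlgNULL` for `hashtype` (here and in `findQfromSeed` and `pqg_ParamGen`) does not have that problem because it reads as a sentinel. Whether such a path exists cannot be seen from the hunk, since the body continues outside it. A comment such as `/* placeholder only; set by findQfromSeed before use */` would record the intent, if that is indeed where it is assigned.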
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -640,27 +640,47 @@ FC_InitPIN(CK_SESSION_HANDLE hSession,
 CK_RV
 FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
           CK_ULONG usOldLen, CK_CHAR_PTR pNewPin, CK_ULONG usNewLen)
 {
     CK_RV rv;
 
     CHECK_FORK();
 
-    if ((rv = sftk_fipsCheck()) == CKR_OK &&
-        (rv = sftk_newPinCheck(pNewPin, usNewLen)) == CKR_OK) {
+    rv = sftk_fipsCheck();
+    if (rv != CKR_OK) {
+        goto loser;
+    }
+
+    if (isLevel2 || usNewLen > 0) {
+        rv = sftk_newPinCheck(pNewPin, usNewLen);
+        if (rv != CKR_OK) {
+            goto loser;
+        }
         rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
-        if ((rv == CKR_OK) &&
-            (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
+        if (rv != CKR_OK) {
+            goto loser;
+        }
+        if (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID) {
             /* if we set the password in level1 we now go
              * to level2. NOTE: we don't allow the user to
              * go from level2 to level1 */
             isLevel2 = PR_TRUE;
         }
+    } else {
+        /* here both old and new passwords are empty, but we need to
+         * call NSC_SetPIN to force rekey the database entries */
+        PORT_Assert(usNewLen == 0);
+        rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
+        if (rv != CKR_OK) {
+            goto loser;
+        }
     }
+
+loser:
     if (sftk_audit_enabled) {
         char msg[128];
         NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
         PR_snprintf(msg, sizeof msg,
                     "C_SetPIN(hSession=0x%08lX)=0x%08lX",
                     (PRUint32)hSession, (PRUint32)rv);
         sftk_LogAuditMessage(severity, NSS_AUDIT_SET_PIN, msg);
     }
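Review bot: The `else` branch of `FC_SetPIN` is documented as "both old and new passwords are empty", but the condition `isLevel2 || usNewLen > 0` only establishes that the new PIN is empty and `isLevel2` is false; `usOldLen` is never looked at, and `PORT_Assert(usNewLen == 0)` restates the condition and presumably compiles out of release builds. As written, refusing a non-empty to empty change in that state rests entirely on the length check inside `NSC_SetPIN`. Making the guard explicit keeps the FIPS wrapper self-contained: `if (isLevel2 || usNewLen > 0 || usOldLen > 0) {`, so that any request carrying an old PIN goes through `sftk_newPinCheck`. The two `NSC_SetPIN` calls are identical and could then be hoisted below the check. The function continues past the end of the hunk.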
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -3895,17 +3895,20 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, C
     sftk_FreeSession(sp);
     sp = NULL;
 
     /* make sure the pins aren't too long */
     if ((ulNewLen > SFTK_MAX_PIN) || (ulOldLen > SFTK_MAX_PIN)) {
         crv = CKR_PIN_LEN_RANGE;
         goto loser;
     }
-    if (ulNewLen < (CK_ULONG)slot->minimumPinLen) {
+    /* check the length of new pin, unless both old and new passwords
+     * are empty */
+    if ((ulNewLen != 0 || ulOldLen != 0) &&
+        ulNewLen < (CK_ULONG)slot->minimumPinLen) {
         crv = CKR_PIN_LEN_RANGE;
         goto loser;
     }
 
     /* convert to null terminated string */
     PORT_Memcpy(newPinStr, pNewPin, ulNewLen);
     newPinStr[ulNewLen] = 0;
     PORT_Memcpy(oldPinStr, pOldPin, ulOldLen);
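Review bot: `newPinStr[ulNewLen] = 0;` can now write at index 500, since the range check above admits `ulNewLen == SFTK_MAX_PIN` and this commit raises that constant from 255 to 500 in pkcs11i.h. The declarations of `newPinStr` and `oldPinStr` are outside the hunk; they need to be sized `SFTK_MAX_PIN + 1` rather than with a literal, and any other fixed-size PIN buffer in softoken deserves the same check. Separately, the new exemption means an empty-to-empty call skips `slot->minimumPinLen` altogether; the comment could state why that is acceptable, e.g. `/* empty -> empty only forces a rekey of the database entries; no password is being weakened */`.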
--- a/security/nss/lib/softoken/pkcs11i.h
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -454,17 +454,17 @@ struct SFTKItemTemplateStr {
 /* certdb (high bit == 1) */
 #define SFTK_TOKEN_TYPE_TRUST 0x40000000L
 #define SFTK_TOKEN_TYPE_CRL 0x50000000L
 #define SFTK_TOKEN_TYPE_SMIME 0x60000000L
 #define SFTK_TOKEN_TYPE_CERT 0x70000000L
 
 #define SFTK_TOKEN_KRL_HANDLE (SFTK_TOKEN_MAGIC | SFTK_TOKEN_TYPE_CRL | 1)
 /* how big (in bytes) a password/pin we can deal with */
-#define SFTK_MAX_PIN 255
+#define SFTK_MAX_PIN 500
 /* minimum password/pin length (in Unicode characters) in FIPS mode */
 #define FIPS_MIN_PIN 7
 
 /* slot ID's */
 #define NETSCAPE_SLOT_ID 1
 #define PRIVATE_KEY_SLOT_ID 2
 #define FIPS_SLOT_ID 3
 
--- a/security/nss/mach
+++ b/security/nss/mach
@@ -192,16 +192,23 @@ class coverityAction(argparse.Action):
 
     def cov_is_file_in_source(self, abs_path):
         if os.path.islink(abs_path):
             abs_path = os.path.realpath(abs_path)
         return abs_path
 
     def dump_cov_artifact(self, cov_results, source, output):
         import json
+
+        def relpath(path):
+            '''Build path relative to repository root'''
+            if path.startswith(cwd):
+                return os.path.relpath(path, cwd)
+            return path
+
         # Parse Coverity json into structured issues
         with open(cov_results) as f:
             result = json.load(f)
 
             # Parse the issues to a standard json format
             issues_dict = {'files': {}}
 
             files_list = issues_dict['files']
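Review bot: The nested `relpath` helper decides with `path.startswith(cwd)`, which is a plain string-prefix test: a sibling directory whose name merely starts with the repository path (constructed example: `/src/nss-old/x.c` against a `cwd` of `/src/nss`) passes it and comes back as a `../` path. Comparing against the directory with its trailing separator avoids that: `if path.startswith(os.path.join(cwd, '')):`. `cwd` is not defined in the hunk, so it is presumably a module-level name; the docstring could say so. The same helper is used by the `path = relpath(path)` line in the next hunk, and `dump_cov_artifact` continues outside both.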
@@ -218,30 +225,31 @@ class coverityAction(argparse.Action):
                         'category': issue['checkerProperties']['category'],
                         'stateOnServer': issue['stateOnServer'],
                         'stack': []
                     }
                 }
 
                 # Embed all events into extra message
                 for event in issue['events']:
-                    dict_issue['extra']['stack'].append({'file_path': event['strippedFilePathname'],
+                    dict_issue['extra']['stack'].append({'file_path': relpath(event['strippedFilePathname']),
                                                          'line_number': event['lineNumber'],
                                                          'path_type': event['eventTag'],
                                                          'description': event['eventDescription']})
 
                 return dict_issue
 
             for issue in result['issues']:
                 path = self.cov_is_file_in_source(issue['strippedMainEventFilePathname'])
                 if path is None:
                     # Since we skip a result we should log it
                     print('Skipping CID: {0} from file: {1} since it\'s not related with the current patch.'.format(
                         issue['stateOnServer']['cid'], issue['strippedMainEventFilePathname']))
                     continue
+                path = relpath(path)
                 if path in files_list:
                     files_list[path]['warnings'].append(build_element(issue))
                 else:
                     files_list[path] = {'warnings': [build_element(issue)]}
 
             with open(output, 'w') as f:
                 json.dump(issues_dict, f)
 
--- a/security/nss/tests/fips/cavs_scripts/aes.sh
+++ b/security/nss/tests/fips/cavs_scripts/aes.sh
@@ -78,16 +78,18 @@ if [ ${COMMAND} = "verify" ]; then
     for request in $cbc_kat_requests $cbc_mct_requests $cbc_mmt_requests $ecb_kat_requests $ecb_mct_requests $ecb_mmt_requests; do
 	sh ./validate1.sh ${TESTDIR} $request
 	last_result=$?
 	result=`expr $result + $last_result`
     done
     exit $result
 fi
 
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 for request in $cbc_kat_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
     fipstest aes kat cbc ${REQDIR}/$request > ${RSPDIR}/$response
 done
 for request in $cbc_mct_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
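Review bot: `test -d "${RSPDIR}" || mkdir "${RSPDIR}"` ignores a failed `mkdir`, so when the directory cannot be created (missing parent, permissions) the script carries on and every `> ${RSPDIR}/$response` redirect below fails one by one, with the scripts that end in `exit 0` (visible in hmac.sh, rng.sh and tls.sh) still reporting success. `mkdir -p "${RSPDIR}" || exit 1` covers the missing-parent case and stops early. The added line quotes `${RSPDIR}` while the redirects that use it do not, so a path containing spaces would create the directory and then fail to write into it. The identical line is added to aesgcm.sh, dsa.sh, ecdsa.sh, hmac.sh, ike.sh, kas.sh, rng.sh, rsa.sh, sha.sh, tdea.sh and tls.sh, and the same applies there.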
--- a/security/nss/tests/fips/cavs_scripts/aesgcm.sh
+++ b/security/nss/tests/fips/cavs_scripts/aesgcm.sh
@@ -51,16 +51,18 @@ if [ ${COMMAND} = "verify" ]; then
         fipstest aes gcm decrypt ${RSPDIR}/$name.rsp | grep FAIL
 	test 1 = $?
 	last_result=$?
 	result=`expr $result + $last_result`
     done
     exit $result
 fi
 
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 for request in $gcm_decrypt_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
     fipstest aes gcm decrypt ${REQDIR}/$request > ${RSPDIR}/$response
 done
 for request in $gcm_encrypt_intiv_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
--- a/security/nss/tests/fips/cavs_scripts/dsa.sh
+++ b/security/nss/tests/fips/cavs_scripts/dsa.sh
@@ -54,16 +54,18 @@ if [ ${COMMAND} = "verify" ]; then
     result=`expr $result + $last_result`
 # verify SigVer with known answer
     sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);;'
     last_result=$?
     result=`expr $result + $last_result`
     exit $result
 fi
 
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 request=KeyPair.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
 fipstest dsa keypair ${REQDIR}/$request > ${RSPDIR}/$response
 
 request=PQGGen.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
--- a/security/nss/tests/fips/cavs_scripts/ecdsa.sh
+++ b/security/nss/tests/fips/cavs_scripts/ecdsa.sh
@@ -45,16 +45,18 @@ if [ ${COMMAND} = "verify" ]; then
     result=`expr $result + $last_result`
 # verify SigVer with known answer
     sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
     last_result=$?
     result=`expr $result + $last_result`
     exit $result
 fi
 
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 request=KeyPair.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
 fipstest ecdsa keypair ${REQDIR}/$request > ${RSPDIR}/$response
 
 request=PKV.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
--- a/security/nss/tests/fips/cavs_scripts/hmac.sh
+++ b/security/nss/tests/fips/cavs_scripts/hmac.sh
@@ -26,14 +26,17 @@ if [ ${COMMAND} = "verify" ]; then
     result=0
     for request in $hmac_requests; do
 	sh ./validate1.sh ${TESTDIR} $request
 	last_result=$?
         result=`expr $result + $last_result`
     done
     exit $result
 fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 for request in $hmac_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
     fipstest hmac ${REQDIR}/$request > ${RSPDIR}/$response
 done
 exit 0
--- a/security/nss/tests/fips/cavs_scripts/ike.sh
+++ b/security/nss/tests/fips/cavs_scripts/ike.sh
@@ -28,16 +28,18 @@ if [ ${COMMAND} = "verify" ]; then
     for request in $ike_requests; do
 	sh ./validate1.sh ${TESTDIR} $request
 	last_result=$?
 	result=`expr $result + $last_result`
     done
     exit $result
 fi
 
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 request=ikev1_dsa.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
 fipstest ikev1 ${REQDIR}/$request > ${RSPDIR}/$response
 request=ikev1_psk.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
 fipstest ikev1-psk ${REQDIR}/$request > ${RSPDIR}/$response
--- a/security/nss/tests/fips/cavs_scripts/kas.sh
+++ b/security/nss/tests/fips/cavs_scripts/kas.sh
@@ -63,16 +63,18 @@ if [ ${COMMAND} = "verify" ]; then
     result=`expr $result + $last_result`
     # ecdh response verify
     sh ./validate1.sh ${TESTDIR} KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
     last_result=$?
     result=`expr $result + $last_result`
     exit $result
 fi
 
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
 fipstest ecdh init-func ${REQDIR}/$request > ${RSPDIR}/$response
 
 request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
--- a/security/nss/tests/fips/cavs_scripts/rng.sh
+++ b/security/nss/tests/fips/cavs_scripts/rng.sh
@@ -25,14 +25,17 @@ if [ ${COMMAND} = "verify" ]; then
     result=0;
     for request in $drbg_requests; do
 	sh ./validate1.sh ${TESTDIR} $request
 	last_result=$?
 	result=`expr $result + $last_result`
     done
     exit $result
 fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 for request in $drbg_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
     fipstest drbg ${REQDIR}/$request > ${RSPDIR}/$response
 done
 exit 0
--- a/security/nss/tests/fips/cavs_scripts/rsa.sh
+++ b/security/nss/tests/fips/cavs_scripts/rsa.sh
@@ -33,16 +33,18 @@ if [ ${COMMAND} = "verify" ]; then
     last_result=$?
     result=`expr $result + $last_result`
 #
 # currently don't have a way to verify the RSA keygen
 #
     exit $result
 fi
 
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 request=SigGen15_186-3.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
 fipstest rsa siggen ${REQDIR}/$request > ${RSPDIR}/$response
 
 request=SigVer15_186-3.req
 response=`echo $request | sed -e "s/req/rsp/"`
 echo $request $response
--- a/security/nss/tests/fips/cavs_scripts/sha.sh
+++ b/security/nss/tests/fips/cavs_scripts/sha.sh
@@ -46,16 +46,18 @@ if [ ${COMMAND} = "verify" ]; then
     for request in $sha_ShortMsg_requests $sha_LongMsg_requests $sha_Monte_requests; do
 	sh ./validate1.sh ${TESTDIR} $request
 	last_result=$?
 	result=`expr $result + $last_result`
     done
     exit $result
 fi
 
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 for request in $sha_ShortMsg_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
     fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response
 done
 for request in $sha_LongMsg_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
--- a/security/nss/tests/fips/cavs_scripts/tdea.sh
+++ b/security/nss/tests/fips/cavs_scripts/tdea.sh
@@ -72,16 +72,18 @@ if [ ${COMMAND} = "verify" ]; then
     do
 	sh ./validate1.sh ${TESTDIR} $request "-e /^NumKeys/d"
 	last_result=$?
 	result=`expr $result + $last_result`
     done
     exit $result
 fi
 
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 for request in $cbc_kat_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
     fipstest tdea kat cbc ${REQDIR}/$request > ${RSPDIR}/$response
 done
 for request in $cbc_mmt_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
--- a/security/nss/tests/fips/cavs_scripts/tls.sh
+++ b/security/nss/tests/fips/cavs_scripts/tls.sh
@@ -25,14 +25,17 @@ if [ ${COMMAND} = "verify" ]; then
     result=0
     for request in $tls_requests; do
 	sh ./validate1.sh ${TESTDIR} $request
 	last_result=$?
 	result=`expr $result + $last_result`
     done
     exit $result
 fi
+
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
+
 for request in $tls_requests; do
     response=`echo $request | sed -e "s/req/rsp/"`
     echo $request $response
     fipstest tls ${REQDIR}/$request > ${RSPDIR}/$response
 done
 exit 0