From 3ea5d2fb0e9f5eee6ae9c03f010521b9f672b333 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 20 May 2019 11:09:19 +0200
Subject: [PATCH] Skip TLS 1.3 tests under FIPS mode
---
 nss-skip-tls13-fips.patch | 27 +++++++++++++++++++++++++++
 nss.spec | 7 ++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 nss-skip-tls13-fips.patch
diff --git a/nss-skip-tls13-fips.patch b/nss-skip-tls13-fips.patch
new file mode 100644
index 0000000..4a7c707
--- /dev/null
+++ b/nss-skip-tls13-fips.patch
@@ -0,0 +1,27 @@
+# HG changeset patch
+# User Daiki Ueno
+# Date 1558341826 -7200
+# Mon May 20 10:43:46 2019 +0200
+# Node ID b447f0046807b718d2928d0e33313620d38a287a
+# Parent 02ea5f29ac3c1f1c6e6eb4b655afd9b4fc075a9e
+tests: skip TLS 1.3 tests under FIPS mode
+
+diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
+--- a/tests/ssl/ssl.sh
++++ b/tests/ssl/ssl.sh
+@@ -393,6 +393,15 @@ ssl_auth()
+ echo "${testname}" | grep "TLS 1.3" > /dev/null
+ TLS13=$?
+
++ # Currently TLS 1.3 tests are known to fail under FIPS mode,
++ # because HKDF is implemented using the PKCS #11 functions
++ # prohibited under FIPS mode.
++ if [ "${TLS13}" -eq 0 ] && \
++ [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
++ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
++ continue
++ fi
++
+ if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
diff --git a/nss.spec b/nss.spec
index 856e11c..73f67cc 100644
--- a/nss.spec
+++ b/nss.spec
@@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary: Network Security Services
 Name: nss
 Version: %{nss_version}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Requires: nspr >= %{nspr_version}
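Review bot: The new skip line `++ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"` reuses the exact message of the existing CLIENT_MODE/CAUTH skip a few lines below, so a log reader cannot tell which rule suppressed a TLS 1.3 case, and the added comment gives no pointer to the tracking bug that would let the skip be retired. I would make the message distinct, e.g. `echo "$SCRIPTNAME: skipping $testname (TLS 1.3 not yet supported in FIPS mode)"`, and extend the comment with the upstream reference the spec file already carries, e.g. `# TODO: remove once https://bugzilla.mozilla.org/show_bug.cgi?id=1552767 is fixed`. Since this silently removes all TLS 1.3 coverage from FIPS-mode runs, a visible, grep-able reason helps whoever later has to decide whether the skip is still justified. The enclosing per-test loop and ssl_auth() both start and end outside the hunk, so I am assuming the `continue` targets that loop.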
@@ -107,6 +107,8 @@ Patch3: nss-module-leak.patch
 # Once the buildroot aha been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
 Patch4: iquote.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1552767
+Patch5: nss-skip-tls13-fips.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -871,6 +873,9 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Mon May 20 2019 Daiki Ueno - 3.44.0-2
+- Skip TLS 1.3 tests under FIPS mode
+
* Fri May 17 2019 Daiki Ueno - 3.44.0-1
 - Update to NSS 3.44
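Review bot: `Patch5: nss-skip-tls13-fips.patch` is declared, but no `%patch5 -p1` application appears anywhere in this diff and the %prep section is not in view; unless %prep applies patches with `%autosetup`/`%autopatch`, the new patch is never applied and the TLS 1.3 tests still run (and fail) under FIPS mode exactly as before. Please confirm how %prep applies Patch1–Patch4, and if it does so individually, add `%patch5 -p1` where the others are applied. The `# Upstream:` reference is useful; I would also say in that comment that the patch is a test-only skip rather than a behaviour change, e.g. `# Test-only: skips TLS 1.3 cases in FIPS mode, drop once fixed upstream`, so it is not carried past the upstream fix.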