tests: skip TLS 1.3 tests under FIPS mode
Categories: NSS :: Test, enhancement, P1
Tracking: Not tracked
People: Reporter: ueno, Assigned: ueno
Attachments: 1 file (patch, 1.02 KB; rrelyea: review+)
We realized that TLS 1.3 tests are failing when FIPS mode is enabled, because HKDF is currently implemented using the prohibited PKCS #11 functions, namely PK11_ExtractKeyValue and PK11_ImportSymKey:
https://searchfox.org/mozilla-central/source/security/nss/lib/ssl/tls13hkdf.c#55
https://searchfox.org/mozilla-central/source/security/nss/lib/ssl/tls13hkdf.c#93
Bob is working on the PKCS #11 side so that code can eventually be moved to softoken, but it would take some time. I'm attaching a patch that disables the TLS 1.3 tests for now.
Note that the reason why this wasn't caught by the CI is that it currently runs only "fips" tests (not "ssl"):
https://searchfox.org/mozilla-central/source/security/nss/automation/taskcluster/graph/src/extend.js#432
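The failure described in the report, as an added example that is not part of the bug or of NSS: a toy token refuses raw key export and import in FIPS mode, so HKDF-Extract done in the application fails, while the same step done inside the token succeeds. `ToyToken`, its method names and the sample key are constructed for illustration and only loosely model PKCS #11 key handles.

```python
import hashlib
import hmac


class ToyToken:
    """Constructed stand-in for a PKCS #11 token; not NSS or softoken code."""

    def __init__(self, fips):
        self.fips = fips
        self._keys = {}  # handle -> raw key bytes, private to the token

    def _store(self, raw):
        handle = len(self._keys) + 1
        self._keys[handle] = raw
        return handle

    def extract_key_value(self, handle):
        if self.fips:
            raise PermissionError("raw key export is prohibited in FIPS mode")
        return self._keys[handle]

    def import_sym_key(self, raw):
        if self.fips:
            raise PermissionError("raw key import is prohibited in FIPS mode")
        return self._store(raw)

    def hkdf_extract(self, salt, ikm_handle):
        # HKDF-Extract performed inside the token: the PRK never leaves it.
        prk = hmac.new(salt, self._keys[ikm_handle], hashlib.sha256).digest()
        return self._store(prk)


def hkdf_extract_in_application(token, salt, ikm_handle):
    # Uses the two kinds of operation the report names: export the key,
    # HMAC it in application memory, import the result as a new key.
    ikm = token.extract_key_value(ikm_handle)
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return token.import_sym_key(prk)


def try_both(fips):
    token = ToyToken(fips)
    salt = bytes(range(13))
    ikm = token._store(b"\x0b" * 22)  # constructed key, as if made in the token
    token.hkdf_extract(salt, ikm)  # needs no export, works in both modes
    results = {"in_token": "ok"}
    try:
        hkdf_extract_in_application(token, salt, ikm)
        results["application"] = "ok"
    except PermissionError:
        results["application"] = "blocked"
    return results
```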
Comment 1 • 5 years ago
There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:ueno, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 2 • 5 years ago (Assignee)