Closed Bug 1552767 Opened 5 years ago Closed 5 years ago

tests: skip TLS 1.3 tests under FIPS mode

Categories

(NSS :: Test, enhancement, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ueno, Assigned: ueno)

Attachments

(1 file)

We realized that TLS 1.3 tests are failing when FIPS mode is enabled, because HKDF is currently implemented using the prohibited PKCS #11 functions, namely PK11_ExtractKeyValue and PK11_ImportSymKey:
https://searchfox.org/mozilla-central/source/security/nss/lib/ssl/tls13hkdf.c#55
https://searchfox.org/mozilla-central/source/security/nss/lib/ssl/tls13hkdf.c#93

Bob is working on the PKCS #11 side so that code can eventually be moved to softoken, but it would take some time. I'm attaching a patch that disables the TLS 1.3 tests for now.

Note that the reason why this wasn't caught by the CI is that it currently runs only "fips" tests (not "ssl"):
https://searchfox.org/mozilla-central/source/security/nss/automation/taskcluster/graph/src/extend.js#432
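
A constructed model of the failure described in the comment above (an added example, not NSS code and not the attached patch): `ToyToken`, `FipsModeError` and the function names are hypothetical, and the toy token simply refuses raw key import and extraction when `fips` is set. HKDF-Extract done outside the token fails in that mode, while the same step done inside the boundary, the direction mentioned for softoken, only passes handles.

```python
import hashlib
import hmac
import os


class FipsModeError(Exception):
    """Raw key material was asked to cross the token boundary in FIPS mode."""


class ToyToken:
    """Constructed stand-in for a PKCS #11 token; not NSS or softoken code."""

    def __init__(self, fips):
        self.fips = fips
        self._keys = []  # raw key bytes, private to the token

    def _store(self, raw):
        self._keys.append(raw)
        return len(self._keys) - 1  # opaque handle

    def generate_key(self, size=32):
        return self._store(os.urandom(size))

    def import_key(self, raw):
        # Raw bytes entering the token (the role PK11_ImportSymKey plays on the page).
        if self.fips:
            raise FipsModeError("raw key import refused")
        return self._store(raw)

    def extract_key(self, handle):
        # Raw bytes leaving the token (the role of PK11_ExtractKeyValue).
        if self.fips:
            raise FipsModeError("key value extraction refused")
        return self._keys[handle]

    def hkdf_extract(self, salt, ikm_handle):
        # HKDF-Extract (RFC 5869) inside the boundary: handle in, handle out.
        prk = hmac.new(salt, self._keys[ikm_handle], hashlib.sha256).digest()
        return self._store(prk)


def hkdf_extract_outside(token, salt, ikm_handle):
    # The failing pattern: extract the key, HMAC in library code, re-import.
    ikm = token.extract_key(ikm_handle)
    return token.import_key(hmac.new(salt, ikm, hashlib.sha256).digest())
```
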

Attachment #9065979 - Flags: review?(rrelyea)
Attachment #9065979 - Flags: review?(rrelyea) → review+
Assignee: nobody → dueno
Status: NEW → ASSIGNED
Type: defect → enhancement
Priority: -- → P1

There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:ueno, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(dueno)
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(dueno)
Resolution: --- → FIXED
Target Milestone: --- → 3.45