From 3ea5d2fb0e9f5eee6ae9c03f010521b9f672b333 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 20 May 2019 11:09:19 +0200
Subject: [PATCH] Skip TLS 1.3 tests under FIPS mode

---
 nss-skip-tls13-fips.patch | 27 +++++++++++++++++++++++++++
 nss.spec                  |  7 ++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 nss-skip-tls13-fips.patch

diff --git a/nss-skip-tls13-fips.patch b/nss-skip-tls13-fips.patch
new file mode 100644
index 0000000..4a7c707
--- /dev/null
+++ b/nss-skip-tls13-fips.patch
@@ -0,0 +1,27 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1558341826 -7200
+#      Mon May 20 10:43:46 2019 +0200
+# Node ID b447f0046807b718d2928d0e33313620d38a287a
+# Parent  02ea5f29ac3c1f1c6e6eb4b655afd9b4fc075a9e
+tests: skip TLS 1.3 tests under FIPS mode
+
+diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
+--- a/tests/ssl/ssl.sh
++++ b/tests/ssl/ssl.sh
+@@ -393,6 +393,15 @@ ssl_auth()
+       echo "${testname}" | grep "TLS 1.3" > /dev/null
+       TLS13=$?
+ 
++      # Currently TLS 1.3 tests are known to fail under FIPS mode,
++      # because HKDF is implemented using the PKCS #11 functions
++      # prohibited under FIPS mode.
++      if [ "${TLS13}" -eq 0 ] && \
++	 [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
++          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
++          continue
++      fi
++
+       if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
+           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+       elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
diff --git a/nss.spec b/nss.spec
index 856e11c..73f67cc 100644
--- a/nss.spec
+++ b/nss.spec
@@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -107,6 +107,8 @@ Patch3:           nss-module-leak.patch
 # Once the buildroot aha been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1552767
+Patch5:           nss-skip-tls13-fips.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -871,6 +873,9 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Mon May 20 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-2
+- Skip TLS 1.3 tests under FIPS mode
+
 * Fri May 17 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-1
 - Update to NSS 3.44