Is it possible to disable FIPS tests?

Question

Is it possible to disable FIPS tests?

blackcross86 opened this issue 3 years ago · comments

How to disable tests in cmake (FIPS)

Alexander Scheel · Answer 1 · Mon Oct 25 2021 20:42:49 GMT+0800 (China Standard Time)

@blackcross86 If you set FIPS_ENABLED=1 in the environment (or pass -DFIPS_ENABLED=on or equivalent to CMake CLI) this will disable the FIPS tests. This is because in a system with FIPS mode enabled, the FIPS related tests don't work if you have certain NSS patches (around crypto-policies -- they don't work because you can't exit FIPS mode).

However, there's a bunch of collateral tests that also get disabled. Does this suffice or would you want a RUN_FIPS_TEST or similar environment variable?

Why not run the FIPS tests? Is your version of NSS not compiled with support for FIPS mode?

blackcross86 · Answer 2 · Mon Oct 25 2021 21:01:20 GMT+0800 (China Standard Time)

@cipherboy

I have such an error, FIPS_ENABLED = 1 is written but does not help

Alexander Scheel · Answer 3 · Mon Oct 25 2021 21:22:59 GMT+0800 (China Standard Time)

@blackcross86 Very interesting! What version of NSS out of curiosity?

blackcross86 · Answer 4 · Mon Oct 25 2021 21:25:06 GMT+0800 (China Standard Time)

@cipherboy 3.70

Marco Fargetta · Answer 5 · Fri Nov 11 2022 18:23:48 GMT+0800 (China Standard Time)

@blackcross86 did you get the test passing? If yes I will close the issues otherwise could you provide more info on the environment beside NSS which you already provided?