unofficial mirror of guix-devel@gnu.org 
From: Christina O'Donnell <cdo@mutix.org>
To: 40316@debbugs.gnu.org
Cc: guix-devel@gnu.org, steve@futurile.net, zhengjunjie@iscas.ac.cn,
	Christina O'Donnell <cdo@mutix.org>
Subject: [PATCH 6/6] WIP: nss: Attempting to resolve FIPS regression.
Date: Fri, 26 Apr 2024 22:34:02 +0100
Message-ID: <bfed33ceadbd21b2688266f5e3a2918332c264c9.1714166213.git.cdo@mutix.org>
In-Reply-To: <cover.1714166213.git.cdo@mutix.org>

There are 51 new test failures which all appear to be related to FIPS.

For example:

modutil -dbdir /tmp/guix-build-nss-3.99.drv-0/nss-3.99/tests_results/security/localhost.1/fips -fips true

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.
ERROR: Unable to switch FIPS modes.
cert.sh: #291: Enable FIPS mode on database for FIPS PUB 140 Test Certificate (11)  - FAILED
cert.sh ERROR: Enable FIPS mode on database for FIPS PUB 140 Test Certificate failed 11

Change-Id: If0d57bb9e129eb862fae1a28d9779c6100e0a23d
---
 gnu/packages/nss.scm | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 80667d8affe..a8fb6965c2c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -134,6 +134,10 @@ (define-public nss
                   (delete-file-recursively "nss/lib/sqlite")))))
     (build-system gnu-build-system)
     (outputs '("out" "bin"))
+    ;; (search-paths
+    ;;  (list (search-path-specification
+    ;;         (variable "LD_LIBRARY_PATH")
+    ;;         (files '("lib")))))
     (arguments
      (list
       #:make-flags
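
Review bot: The commented-out `search-paths` form added after `(outputs '("out" "bin"))` should not stay in the patch, even as WIP. Either drop it or replace it with a short comment recording what was tried and why it did not help with the FIPS failures. If it is ever enabled, note that a `search-path-specification` for `LD_LIBRARY_PATH` on the package affects every profile that includes nss, which is a much wider change than fixing the test suite, and the existing `RPATH=` make flag already looks like the intended mechanism for locating the libraries.
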
@@ -161,12 +165,15 @@ (define-public nss
                 #$@(if (%current-target-system)
                        #~("CROSS_COMPILE=1")
                        #~())
+                (string-append "NSS_FORCE_FIPS=1")
+                (string-append "NSPR_LIB_DIR="
+                               (string-append #$nspr "/lib"))
                 (string-append "NSPR_INCLUDE_DIR="
                                (search-input-directory %build-inputs
                                                        "include/nspr"))
                 ;; Add $out/lib/nss to RPATH.
                 (string-append "RPATH=" rpath)
-                (string-append "LDFLAGS=" rpath)))
+                (string-append "LDFLAGS=" rpath " -L" #$nspr "/lib")))
       #:modules '((guix build gnu-build-system)
                   (guix build utils)
                   (ice-9 ftw)
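
Review bot: `NSS_FORCE_FIPS=1` is added to `#:make-flags` with no comment, so it applies to the whole build and to the installed libraries, not only to the test run that shows the `CKR_DEVICE_ERROR` failures. Please document what this flag changes in the resulting nss and why it is acceptable for all users, or scope the workaround to the check phase. Smaller points in the same hunk: `(string-append "NSS_FORCE_FIPS=1")` has a single argument and can be the bare string; the nested `(string-append #$nspr "/lib")` can be folded into the outer call; the new `NSPR_LIB_DIR=` line takes the path from `#$nspr` while the neighbouring `NSPR_INCLUDE_DIR=` uses `search-input-directory` on `%build-inputs`, so pick one style; and `LDFLAGS=` now passes the nspr library directory with `-L` in addition to `NSPR_LIB_DIR=`, so it is worth checking whether both are needed.
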
@@ -203,6 +210,8 @@ (define-public nss
                     (setenv "DOMSUF" "localdomain")
                     (setenv "USE_IP" "TRUE")
                     (setenv "IP_ADDRESS" "127.0.0.1")
+                    ;; (setenv "LD_LIBRARY_PATH"
+                    ;;         (string-append (getenv "LD_LIBRARY_PATH")))
 
                     ;; The "PayPalEE.cert" certificate expires every six months,
                     ;; leading to test failures:
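
Review bot: The commented-out `(setenv "LD_LIBRARY_PATH" ...)` after the `IP_ADDRESS` line would be a no-op if enabled, because `string-append` is given only the current value of the variable and nothing is added to it. It would also raise an error when `LD_LIBRARY_PATH` is unset in the build environment, since `getenv` then returns `#f` and `string-append` requires strings. Remove the two lines, or if the tests really need the variable, write the intended directory explicitly and guard the unset case with something like `(or (getenv "LD_LIBRARY_PATH") "")`.
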
-- 
2.41.0



Thread overview: 11+ messages
     [not found] <20200329131611.38448a58@scratchpost.org>
2024-04-26 21:33 ` [PATCH 0/6] WIP: nss: Update to 3.99 Christina O'Donnell
2024-04-26 21:33   ` bug#40316: [PATCH 1/6] gnu: nss: Fix cross-compilation Christina O'Donnell
2024-04-26 21:33   ` bug#40316: [PATCH 2/6] gnu: nspr: " Christina O'Donnell
2024-04-26 21:33   ` [PATCH 3/6] gnu: nss: Make reproducible Christina O'Donnell
2024-04-26 21:34   ` [PATCH 4/6] gnu: nss: Update to 3.99 Christina O'Donnell
2024-04-26 21:34   ` [PATCH 5/6] gnu: nss-certs: " Christina O'Donnell
2024-04-26 21:34   ` Christina O'Donnell [this message]
2024-05-02  8:15   ` bug#40316: nss not reproducible Ludovic Courtès
2024-05-02 15:20     ` Christina O'Donnell
2024-05-06 10:12       ` Ludovic Courtès
2024-05-06 11:37         ` Christina O'Donnell
