From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Marius Bakke
Subject: Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
Date: Sat, 22 Apr 2017 09:40:13 +0200
Message-ID: <878tmsevqa.fsf@fastmail.com>
References: <87y3uun261.fsf@netris.org> <87lgqtzlon.fsf@netris.org>
In-Reply-To: <87lgqtzlon.fsf@netris.org>
To: Mark H Weaver, guix-devel@gnu.org

Mark H Weaver writes:

> Mark H Weaver writes:
>
>> These patches update nss to 3.30.2 and disable long b64 tests which fail
>> on some systems including armhf. I'll push them soon after some light
>> testing.
>
> Unfortunately, even with "nss-increase-test-timeout.patch" and
> "nss-disable-long-b64-tests.patch", the build still failed on armhf:
>
> https://hydra.gnu.org/build/2010324
>
> It would be good to find a way to fix or work around this issue without
> forcing rebuilds on other platforms. Also, I feel it's important to
> always run tests on NSS on all platforms.

Here is the relevant excerpt from the log:

  [ RUN ] SkipVariants/TlsSkipTest.SkipCertificateRsa/0
  Version: TLS 1.1
  server: Changing state from INIT to CONNECTING
  client: Changing state from INIT to CONNECTING
  Dropping handshake: 11
  record old: [531] 020000510302f666481a7e6747c16e682f37345e569db0d06bdb08b5a8894ec8...
  record new: [89] 020000510302f666481a7e6747c16e682f37345e569db0d06bdb08b5a8894ec8...
  server: Original packet: [536] 1603020213020000510302f666481a7e6747c16e682f37345e569db0d06bdb08...
  server: Filtered packet: [94] 1603020059020000510302f666481a7e6747c16e682f37345e569db0d06bdb08...
  Alert: [2] 020a
  client: Alert sent: level=2 desc=10
  client: Handshake failed with error SSL_ERROR_RX_UNEXPECTED_HELLO_DONE: SSL received an unexpected Server Hello Done handshake message.
  client: Changing state from CONNECTING to ERROR
  tls_connect.cc:238: Failure
  Value of: (client_->state() != TlsAgent::STATE_CONNECTING) && (server_->state() != TlsAgent::STATE_CONNECTING)
  Actual: false
  Expected: true
  tls_connect.cc:374: Failure
  Value of: server_->state()
  Actual: CONNECTING
  Expected: TlsAgent::STATE_ERROR
  Which is: ERROR
  [ FAILED ] SkipVariants/TlsSkipTest.SkipCertificateRsa/0, where GetParam() = ("TLS", 770) (50449 ms)

This looks very similar to the random connect timeouts that prompted the
"increase-test-timeouts" patch, except this time it took 50s instead of
~20s:

  https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00412.html
  (search for '[ FAILED' in the build logs)

I am 99% sure the attached patch will do the job. What do you think?

Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-gnu-nss-Further-increase-test-timeouts-on-armhf.patch
Content-Transfer-Encoding: quoted-printable

From=20a6876365f2ee9a82452c3f364ee1cd94e44423c2 Mon Sep 17 00:00:00 2001
From: Marius Bakke Date: Sat, 22 Apr 2017 09:25:36 +0200 Subject: [PATCH] gnu: nss: Further increase test timeouts on armhf. * gnu/packages/gnuzilla.scm (nss)[arguments]<#:phases>: Add a substitution when target platform is armhf. =2D-- gnu/packages/gnuzilla.scm | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index efe63adb4..37c2eb006 100644 =2D-- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -241,6 +241,16 @@ in the Mozilla clients.") `((setenv "USE_64" "1"))) (_ '())) + ;; The timeout values in "increase-test-timeouts" are still + ;; too low, so apply this workaround on armhf for now to avoid + ;; rebuilding on all platforms. This should be incorporated in + ;; the patch for the next update. + ;; https://lists.gnu.org/archive/html/guix-devel/2017-04/msg0= 0472.html + ,@(if (string-prefix? "armhf" (or (%current-target-system) + (%current-system))) + `((substitute* "nss/gtests/ssl_gtest/tls_connect.cc" + (("25000\\);") "60000);"))) + '()) #t)) (replace 'check (lambda _ =2D-=20 2.12.2
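
Review bot: the substitute* pattern "25000\\);" in the armhf branch is not tied to a particular call, so it rewrites every "25000);" in nss/gtests/ssl_gtest/tls_connect.cc, and the phase still ends in #t if the pattern matches nothing, for example once the timeout is folded into the "increase-test-timeouts" patch with a different value as the comment proposes. Matching more of the surrounding call would narrow the substitution, and a line in the comment saying to drop this form when that patch changes would keep it from lingering as a silent no-op. The new value also leaves under 10 s of headroom over the 50449 ms reported for the failing SkipCertificateRsa run above, so it is worth confirming that 60000 is enough on the slower armhf builders.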