From: Christina O'Donnell
To: 40316@debbugs.gnu.org
Cc: guix-devel@gnu.org, steve@futurile.net, zhengjunjie@iscas.ac.cn, Christina O'Donnell
Subject: [PATCH 6/6] WIP: nss: Attempting to resolve FIPS regression.
Date: Fri, 26 Apr 2024 22:34:02 +0100

There are 51 new test failures which all appear to be related to FIPS.
For example:

modutil -dbdir /tmp/guix-build-nss-3.99.drv-0/nss-3.99/tests_results/security/localhost.1/fips -fips true

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q ' to abort, or to continue:

A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a
problem has occurred with the token or slot.
ERROR: Unable to switch FIPS modes.
cert.sh: #291: Enable FIPS mode on database for FIPS PUB 140 Test Certificate (11) - FAILED cert.sh ERROR: Enable FIPS mode on database for FIPS PUB 140 Test Certificate failed 11 Change-Id: If0d57bb9e129eb862fae1a28d9779c6100e0a23d --- gnu/packages/nss.scm | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index 80667d8affe..a8fb6965c2c 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -134,6 +134,10 @@ (define-public nss (delete-file-recursively "nss/lib/sqlite"))))) (build-system gnu-build-system) (outputs '("out" "bin")) + ;; (search-paths + ;; (list (search-path-specification + ;; (variable "LD_LIBRARY_PATH") + ;; (files '("lib"))))) (arguments (list #:make-flags @@ -161,12 +165,15 @@ (define-public nss #$@(if (%current-target-system) #~("CROSS_COMPILE=1") #~()) + (string-append "NSS_FORCE_FIPS=1") + (string-append "NSPR_LIB_DIR=" + (string-append #$nspr "/lib")) (string-append "NSPR_INCLUDE_DIR=" (search-input-directory %build-inputs "include/nspr")) ;; Add $out/lib/nss to RPATH. (string-append "RPATH=" rpath) - (string-append "LDFLAGS=" rpath))) + (string-append "LDFLAGS=" rpath " -L" #$nspr "/lib"))) #:modules '((guix build gnu-build-system) (guix build utils) (ice-9 ftw) @@ -203,6 +210,8 @@ (define-public nss (setenv "DOMSUF" "localdomain") (setenv "USE_IP" "TRUE") (setenv "IP_ADDRESS" "127.0.0.1") + ;; (setenv "LD_LIBRARY_PATH" + ;; (string-append (getenv "LD_LIBRARY_PATH"))) ;; The "PayPalEE.cert" certificate expires every six months, ;; leading to test failures: -- 2.41.0
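Review bot: The first hunk (@@ -134,6 +134,10 @@) commits a commented-out search-paths form that exports LD_LIBRARY_PATH, with no note on why it is kept. A search-path-specification on a package is applied to every profile that contains it, so enabling this would change library lookup for unrelated programs in the same profile. Please drop the block before this leaves WIP, or replace it with a one-line comment saying what was tried and why it was rejected.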
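Review bot: In the make-flags hunk (@@ -161,12 +165,15 @@), "NSS_FORCE_FIPS=1" is passed as a make flag, so it affects how the package is built and not only the test run, and nothing in the hunk or the commit message says how it relates to the CKR_DEVICE_ERROR from modutil -fips true. Please add a comment stating what the flag is expected to change and whether it is meant to stay in the final package. Two smaller points in the same hunk: (string-append "NSS_FORCE_FIPS=1") and the inner (string-append #$nspr "/lib") each wrap a value that needs no wrapping, and NSPR_LIB_DIR refers to #$nspr directly while the adjacent NSPR_INCLUDE_DIR goes through search-input-directory on %build-inputs; using one lookup style for both (and for the new -L in LDFLAGS) would keep them pointing at the same nspr.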
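Review bot: The last hunk (@@ -203,6 +210,8 @@) leaves a commented-out (setenv "LD_LIBRARY_PATH" (string-append (getenv "LD_LIBRARY_PATH"))) that would not work if it were enabled: string-append with a single argument only copies the current value, and getenv returns #f when the variable is unset, which string-append rejects. If the tests do need a library directory added, the form has to append that directory and handle the unset case; otherwise remove the two lines.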