GNU bug report logs - #40316
nss not reproducible

Package: guix

Reported by: Danny Milosavljevic <dannym <at> scratchpost.org>

Date: Mon, 30 Mar 2020 02:36:21 UTC

Severity: normal

Merged with 30108, 33507


From: Christina O'Donnell <cdo <at> mutix.org>
To: 40316 <at> debbugs.gnu.org
Cc: guix-devel <at> gnu.org, Christina O'Donnell <cdo <at> mutix.org>, zhengjunjie <at> iscas.ac.cn, steve <at> futurile.net
Subject: bug#40316: [PATCH 6/6] WIP: nss: Attempting to resolve FIPS regression.
Date: Fri, 26 Apr 2024 22:34:02 +0100

There are 51 new test failures which all appear to be related to FIPS.

For example:

modutil -dbdir /tmp/guix-build-nss-3.99.drv-0/nss-3.99/tests_results/security/localhost.1/fips -fips true

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.
ERROR: Unable to switch FIPS modes.
cert.sh: #291: Enable FIPS mode on database for FIPS PUB 140 Test Certificate (11)  - FAILED
cert.sh ERROR: Enable FIPS mode on database for FIPS PUB 140 Test Certificate failed 11

Change-Id: If0d57bb9e129eb862fae1a28d9779c6100e0a23d
---
 gnu/packages/nss.scm | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 80667d8affe..a8fb6965c2c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -134,6 +134,10 @@ (define-public nss
                   (delete-file-recursively "nss/lib/sqlite")))))
     (build-system gnu-build-system)
     (outputs '("out" "bin"))
+    ;; (search-paths
+    ;;  (list (search-path-specification
+    ;;         (variable "LD_LIBRARY_PATH")
+    ;;         (files '("lib")))))
     (arguments
      (list
       #:make-flags
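
Review bot: The four lines added after `(outputs '("out" "bin"))` are commented-out code with no note on why they are kept. If the `LD_LIBRARY_PATH` search path was an experiment that did not fix the FIPS failures, drop it before this leaves WIP; if it is meant to come back, add a one-line comment saying what it was supposed to address. A search path on `LD_LIBRARY_PATH` would also be exported into profiles that contain nss and change library resolution for other programs there, so it is not a good candidate for a test-suite workaround.
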
@@ -161,12 +165,15 @@ (define-public nss
                 #$@(if (%current-target-system)
                        #~("CROSS_COMPILE=1")
                        #~())
+                (string-append "NSS_FORCE_FIPS=1")
+                (string-append "NSPR_LIB_DIR="
+                               (string-append #$nspr "/lib"))
                 (string-append "NSPR_INCLUDE_DIR="
                                (search-input-directory %build-inputs
                                                        "include/nspr"))
                 ;; Add $out/lib/nss to RPATH.
                 (string-append "RPATH=" rpath)
-                (string-append "LDFLAGS=" rpath)))
+                (string-append "LDFLAGS=" rpath " -L" #$nspr "/lib")))
       #:modules '((guix build gnu-build-system)
                   (guix build utils)
                   (ice-9 ftw)
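
Review bot: `NSS_FORCE_FIPS=1` in the make flags has no comment saying what it changes in the built libraries or why the package needs it, and the commit message only shows the failing test output. Add a comment above it stating whether it is needed only for the test suite or alters the behaviour of the shipped libraries. Style points in the same hunk: `(string-append "NSS_FORCE_FIPS=1")` can be the bare string, the nested `(string-append #$nspr "/lib")` can be folded into the outer call, and `NSPR_LIB_DIR` locates nspr through `#$nspr` while the neighbouring `NSPR_INCLUDE_DIR` uses `search-input-directory` on `%build-inputs`, so pick one approach for both.
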
@@ -203,6 +210,8 @@ (define-public nss
                     (setenv "DOMSUF" "localdomain")
                     (setenv "USE_IP" "TRUE")
                     (setenv "IP_ADDRESS" "127.0.0.1")
+                    ;; (setenv "LD_LIBRARY_PATH"
+                    ;;         (string-append (getenv "LD_LIBRARY_PATH")))
 
                     ;; The "PayPalEE.cert" certificate expires every six months,
                     ;; leading to test failures:
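
Review bot: The commented-out `setenv` in the test phase would do nothing useful if enabled: `(string-append (getenv "LD_LIBRARY_PATH"))` has a single argument, so it sets the variable to its current value, and it raises a type error when the variable is unset because `getenv` then returns `#f`. Either remove these two lines or write the intended form, appending the directory that is meant to be searched and handling the unset case.
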
-- 
2.41.0





This bug report was last modified 1 year and 29 days ago.
