[PATCH 6/6] WIP: nss: Attempting to resolve FIPS regression.
From: Christina O'Donnell
Subject: [PATCH 6/6] WIP: nss: Attempting to resolve FIPS regression.
Date: Fri, 26 Apr 2024 22:34:02 +0100
There are 51 new test failures which all appear to be related to FIPS.
For example:
modutil -dbdir
/tmp/guix-build-nss-3.99.drv-0/nss-3.99/tests_results/security/localhost.1/fips
-fips true
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has
occurred with the token or slot.
ERROR: Unable to switch FIPS modes.
cert.sh: #291: Enable FIPS mode on database for FIPS PUB 140 Test Certificate
(11) - FAILED
cert.sh ERROR: Enable FIPS mode on database for FIPS PUB 140 Test Certificate
failed 11
Change-Id: If0d57bb9e129eb862fae1a28d9779c6100e0a23d
---
gnu/packages/nss.scm | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 80667d8affe..a8fb6965c2c 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -134,6 +134,10 @@ (define-public nss
(delete-file-recursively "nss/lib/sqlite")))))
(build-system gnu-build-system)
(outputs '("out" "bin"))
+ ;; (search-paths
+ ;; (list (search-path-specification
+ ;; (variable "LD_LIBRARY_PATH")
+ ;; (files '("lib")))))
(arguments
(list
#:make-flags
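Review bot: The commented-out search-paths form added just above (arguments is dead code with no note on what it was meant to test, so it should be dropped before this leaves WIP or replaced with a one-line comment stating the hypothesis. If the idea was to expose LD_LIBRARY_PATH through a search-path-specification, keep in mind that search-paths is a package-level field, not something scoped to the check phase where the FIPS tests fail.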
@@ -161,12 +165,15 @@ (define-public nss
#$@(if (%current-target-system)
#~("CROSS_COMPILE=1")
#~())
+ (string-append "NSS_FORCE_FIPS=1")
+ (string-append "NSPR_LIB_DIR="
+ (string-append #$nspr "/lib"))
(string-append "NSPR_INCLUDE_DIR="
(search-input-directory %build-inputs
"include/nspr"))
;; Add $out/lib/nss to RPATH.
(string-append "RPATH=" rpath)
- (string-append "LDFLAGS=" rpath)))
+ (string-append "LDFLAGS=" rpath " -L" #$nspr "/lib")))
#:modules '((guix build gnu-build-system)
(guix build utils)
(ice-9 ftw)
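Review bot: NSS_FORCE_FIPS=1 is added to #:make-flags with nothing in the commit message saying what it does or why it should clear the CKR_DEVICE_ERROR reported by modutil, and because it sits in the make flags it applies to the build itself and not only to the test run. Please document the intent in a comment next to the flag. On style, (string-append "NSS_FORCE_FIPS=1") has a single argument and can be the bare string, and the nested (string-append #$nspr "/lib") inside NSPR_LIB_DIR can be flattened into the outer call. NSPR_LIB_DIR and the new -L in LDFLAGS reference #$nspr directly while NSPR_INCLUDE_DIR just below is resolved with search-input-directory over %build-inputs; using the same lookup for both would keep the include and library paths pointing at the same nspr input.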
@@ -203,6 +210,8 @@ (define-public nss
(setenv "DOMSUF" "localdomain")
(setenv "USE_IP" "TRUE")
(setenv "IP_ADDRESS" "127.0.0.1")
+ ;; (setenv "LD_LIBRARY_PATH"
+ ;; (string-append (getenv "LD_LIBRARY_PATH")))
;; The "PayPalEE.cert" certificate expires every six
months,
;; leading to test failures:
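Review bot: The commented-out setenv in the two added lines would be a no-op if enabled, since (string-append (getenv "LD_LIBRARY_PATH")) only sets the variable to its current value, and it would raise an error when the variable is unset because getenv then returns #f. Either remove it or append the directory it was meant to add, with a guard for the unset case.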
--
2.41.0
- [PATCH 0/6] WIP: nss: Update to 3.99, Christina O'Donnell, 2024/04/26
- [PATCH 4/6] gnu: nss: Update to 3.99., Christina O'Donnell, 2024/04/26
- [PATCH 1/6] gnu: nss: Fix cross-compilation., Christina O'Donnell, 2024/04/26
- [PATCH 2/6] gnu: nspr: Fix cross-compilation., Christina O'Donnell, 2024/04/26
- [PATCH 3/6] gnu: nss: Make reproducible., Christina O'Donnell, 2024/04/26
- [PATCH 6/6] WIP: nss: Attempting to resolve FIPS regression.,
Christina O'Donnell <=
- [PATCH 5/6] gnu: nss-certs: Update to 3.99., Christina O'Donnell, 2024/04/26