bug#40316: [PATCH v2 5/6] gnu: nss: Attempt to disable FIPS.

[Christina O'Donnell]

gnu/packages/nss.scm (nss): Define NSS_FIPS_DISABLED to disable FIPS. This is
required because FIPS relies on libraries signed with shlibsign, which is 
inherently
non-determinstic.

This patch is an incomplete attempt to get the tests to succeed by disabling
inapplicable tests, i.e. tests that depend on FIPS.

I have passed NSS_FIPS_DISABLED=1 to the Makefile however it seems to be
ignoring it for no logical reason.

Change-Id: Ic111c9f290719e82b3ff69589f585384f2e74baa
Change-Id: Id5a59840fa22c013982ab53826f7e66b40bb5227
---
 gnu/packages/nss.scm                          |  8 ++++-
 .../patches/nss-disable-shlibsign.patch       | 33 +++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/nss-disable-shlibsign.patch

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6795e59d28..08e4cb06ee 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -124,7 +124,8 @@ (define-public nss
               ;; Create nss.pc and nss-config.
               (patches (search-patches "nss-3.56-pkgconfig.patch"
                                        "nss-getcwd-nonnull.patch"
-                                       "nss-increase-test-timeout.patch"))
+                                       "nss-increase-test-timeout.patch"
+                                       "nss-disable-shlibsign.patch"))
               (modules '((guix build utils)))
               (snippet
                '(begin
@@ -141,6 +142,9 @@ (define-public nss
                 (string-append "PREFIX=" #$output)
                 "NSDISTMODE=copy"
                 "NSS_USE_SYSTEM_SQLITE=1"
+                ;; No FIPS because it adds non-determinism.
+                "NSS_FIPS_DISABLED=1"
+                "NSS_NO_INIT_SUPPORT=1"
                 ;; The gtests fail to compile on riscv64.
                 ;; Skipping them doesn't affect the test suite.
                 #$@(if (target-riscv64?)
@@ -202,6 +206,8 @@ (define-public nss
                     (setenv "DOMSUF" "localdomain")
                     (setenv "USE_IP" "TRUE")
                     (setenv "IP_ADDRESS" "127.0.0.1")
+                    (setenv "NSS_CYCLES" "standard")
+                    (setenv "NSS_TESTS" "cipher lowhash libpkix cert dbtests 
tools sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy")
 
                     ;; The "PayPalEE.cert" certificate expires every six 
months,
                     ;; leading to test failures:
diff --git a/gnu/packages/patches/nss-disable-shlibsign.patch 
b/gnu/packages/patches/nss-disable-shlibsign.patch
new file mode 100644
index 0000000000..591af76449
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-shlibsign.patch
@@ -0,0 +1,33 @@
+From 85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0 Mon Sep 17 00:00:00 2001
+Message-ID: 
<85b7cf166687cbfaf3e3764ed1ea9bb3b9404ef0.1714589168.git.cdo@mutix.org>
+From: Christina O'Donnell <cdo@mutix.org>
+Date: Wed, 1 May 2024 19:44:09 +0100
+Subject: [PATCH] nss: Disable shlibsign.
+
+This is required as it generates a new key each time it is run through a
+non-deterministic process.
+---
+ nss/cmd/shlibsign/sign.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/shlibsign/sign.sh b/nss/cmd/shlibsign/sign.sh
+index 5551c5f..baf1dea 100644
+--- a/nss/cmd/shlibsign/sign.sh
++++ b/nss/cmd/shlibsign/sign.sh
+@@ -45,7 +45,9 @@ WIN*)
+     export LIBRARY_PATH
+     ADDON_PATH=${1}/lib:${4}:$ADDON_PATH
+     export ADDON_PATH
+-    echo "${2}"/shlibsign -v -i "${5}"
+-    "${2}"/shlibsign -v -i "${5}"
++    # Disable lib signing as it generates its keys through a non-deterministic
++    # process.
++    # echo "${2}"/shlibsign -v -i "${5}"
++    # "${2}"/shlibsign -v -i "${5}"
+     ;;
+ esac
+
+base-commit: c9d74497ed5a5b0a0d3f7d609b1c15a3b810ee5b
+-- 
+2.41.0
+
-- 
2.41.0