authorIan Eure <ian@retrospec.tv>2025-05-25 13:29:03 -0700
committerIan Eure <ian@retrospec.tv>2025-06-24 06:34:01 -0700
commit665ff642a3530b448e12ede7b32596d7d91883b8 (patch)
tree56db21e6894fafcff5aeecdebe6031c5507cd377
parentda41032ae7d4664f753fdead3f9a72a096edda88 (diff)
gnu: nss: Update to 3.101.4.
* gnu/packages/nss.scm (nss): Update to 3.101.4. Change-Id: I2a0d98f045034f66e0fea687696c77c64f4c853a
-rw-r--r--gnu/packages/nss.scm29
-rw-r--r--gnu/packages/patches/nss-disable-broken-tests.patch33
2 files changed, 55 insertions, 7 deletions
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 4a2765e813..e351286630 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -42,7 +42,9 @@
#:use-module (gnu packages compression)
#:use-module (gnu packages perl)
#:use-module (gnu packages sqlite)
- #:use-module (gnu packages time))
+ #:use-module (gnu packages time)
+ #:use-module (srfi srfi-1)
+ #:use-module (srfi srfi-26))
(define-public nspr
(package
@@ -103,7 +105,7 @@ in the Mozilla clients.")
;; IMPORTANT: Also update and test the nss-certs package, which duplicates
;; version and source to avoid a top-level variable reference & module
;; cycle.
- (version "3.99")
+ (version "3.101.4")
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -114,11 +116,12 @@ in the Mozilla clients.")
"nss-" version ".tar.gz")))
(sha256
(base32
- "1g89ig40gfi1sp02gybvl2z818lawcnrqjzsws36cdva834c5maw"))
+ "1sqvh49qi9vq55sbg42c5n0kz6w6ni383hgiyhaym6drsmbzb86a"))
;; Create nss.pc and nss-config.
(patches (search-patches "nss-3.56-pkgconfig.patch"
"nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
+ "nss-increase-test-timeout.patch"
+ "nss-disable-broken-tests.patch"))
(modules '((guix build utils)))
(snippet
'(begin
@@ -171,6 +174,13 @@ in the Mozilla clients.")
(target-ppc32?)))
#:phases
#~(modify-phases %standard-phases
+ ;; The "PayPalEE.cert" certificate expires every six months, leading
+ ;; to test failures:
+ ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To work
+ ;; around that, set the time to roughly the release date.
+ (add-after 'unpack 'set-release-date
+ (lambda _
+ (setenv "GUIX_NSS_RELEASE_DATE" "2025-02-05")))
(replace 'configure
(lambda _
(setenv "CC" #$(cc-for-target))
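Review bot: The pinned date "2025-02-05" in the new `set-release-date` phase has to move with every version bump, but it sits about seventy lines below `version` and neither place points at the other. The comment says "roughly the release date" without naming the release, so a reader cannot tell whether the value was re-checked for 3.101.4. I would extend the comment with `;; Keep in sync with 'version': the date must fall inside the validity period of the test certificates shipped in that tarball.` and add a matching reminder to the IMPORTANT comment above `version`. The code that reads GUIX_NSS_RELEASE_DATE is outside this hunk, so how the date is applied to the test run cannot be confirmed from here.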
@@ -250,13 +260,15 @@ in the Mozilla clients.")
(properties '((timeout . 216000))) ;60 hours
(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
- (synopsis "Network Security Services")
+ (synopsis "Network Security Services (ESR)")
(description
"Network Security Services (@dfn{NSS}) is a set of libraries designed to
support cross-platform development of security-enabled client and server
applications. Applications built with NSS can support SSL v2 and v3, TLS,
PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
-security standards.")
+security standards.
+
+This package tracks the Extended Support Release (ESR) channel.")
(license license:mpl2.0)))
;; nss-rapid tracks the rapid release channel. Unless your package requires a
@@ -281,7 +293,10 @@ security standards.")
"nss-" version ".tar.gz")))
(sha256
(base32
- "09xfndqj07wy28l7jnk01gqa4bh55nz6cldlp5qpg8120k211mlw"))))
+ "09xfndqj07wy28l7jnk01gqa4bh55nz6cldlp5qpg8120k211mlw"))
+ (patches
+ (remove (cut string-contains <> "nss-disable-broken-tests.patch")
+ (origin-patches (package-source nss))))))
(arguments
(substitute-keyword-arguments (package-arguments nss)
((#:phases phases)
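Review bot: The new `patches` field has no comment saying why nss-rapid drops "nss-disable-broken-tests.patch", and the filter matches it by substring rather than by file name. Presumably the PBMAC1 negative tests pass on the rapid branch and should stay enabled there. If so, say it: `;; The tests removed by this patch only fail on the ESR branch; keep them enabled here.` Matching with `(cut string-suffix? "/nss-disable-broken-tests.patch" <>)` would be stricter than `string-contains`. Either form assumes every entry of `origin-patches` is a string, which holds for the `search-patches` list visible in the nss origin but would presumably fail if a non-string patch object were added there later.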
diff --git a/gnu/packages/patches/nss-disable-broken-tests.patch b/gnu/packages/patches/nss-disable-broken-tests.patch
new file mode 100644
index 0000000000..8d6e101471
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-broken-tests.patch
@@ -0,0 +1,33 @@
+These tests are broken in 3.101.3.
+
+See https://bugzilla.mozilla.org/show_bug.cgi?id=1964304
+
+--- nss-3.101.3/nss/tests/tools/tools.sh 1969-12-31 16:00:01.000000000 -0800
++++ nss-3.101.3/nss/tests/tools/tools.sh 2025-05-05 16:36:47.835447542 -0700
+@@ -540,26 +540,6 @@
+ ret=$?
+ html_msg $ret 0 "Importing private key pbmac1 hmac-sha-512 from PKCS#12 file"
+ check_tmpfile
+-
+- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
+- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
+- ret=$?
+- html_msg $ret 19 "Fail to list private key with bad iterator"
+- check_tmpfile
+-
+- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
+- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
+- ret=$?
+- echo "Fail to list private key with bad salt val=$ret"
+- html_msg $ret 19 "Fail to import private key with bad salt"
+- check_tmpfile
+-
+- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
+- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
+- ret=$?
+- echo "Fail to import private key with no length val=$ret"
+- html_msg $ret 19 "Fail to import private key with no length"
+- check_tmpfile
+ }
+
+ ############################## tools_p12 ############################### \ No newline at end of file
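Review bot: The patch header does not say how these tests fail, which matters because all three removed checks are negative tests: each expects `pk12util -l` to exit with 19 on a malformed PBMAC1 PKCS#12 file (bad iteration count, bad salt, missing length). If the failure is that the tool accepts or mis-reports those files, deleting the checks hides a rejection gap in the packaged library rather than a harness problem, and later regressions in that path would go unnoticed in the ESR build. I would record the observed behaviour and the removal condition in the header, e.g. `These three PBMAC1 negative tests fail on the 3.101 ESR branch (observed exit code: <OBSERVED>, expected 19); drop this patch once the upstream bug is fixed.` The header and the paths also name 3.101.3 while the package is updated to 3.101.4, so the header should state that the patch was re-checked against 3.101.4.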