Bug 1884793

Summary: FTBFS: IKE CLASS_1563 fails gtest [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7 Reporter: Pat Riehecky <riehecky>
Component: nssAssignee: Bob Relyea <rrelyea>
Status: CLOSED ERRATA QA Contact: Ivan Nikolchev <inikolch>
Severity: unspecified Docs Contact:
Priority: low    
Version: 7.9CC: hkario, inikolch, jhughes, jreznik, rrelyea, ssorce, tis
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-04-27 11:30:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Update gtests to expect small approved primes to fail
none
Update gtests to expect small approved primes to fail take 2 none

Description Pat Riehecky 2020-10-02 19:52:13 UTC 
Description of problem:
Trying to rebuild nss-3.53.1-3.el7_9 from source has unexpected errors.

Version-Release number of selected component (if applicable):nss-3.53.1-3.el7_9


How reproducible:100%


Steps to Reproduce:
1.try to rebuild nss-3.53.1-3.el7_9 within mock
2.
3.

Actual results:
        [----------] 66 tests from FipsDhCases/SoftokenFipsDhValidate
        [ RUN      ] FipsDhCases/SoftokenFipsDhValidate.DhVectors/0
        Test:IKE 1536
        param_type: IKE_APPROVED, key_class: CLASS_1536
        p: [192]
ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74...
        g: [1] 02
        q: [0]
        pub_key: [0]
        softoken_gtest.cc:553: Failure
        Expected: (nullptr) != (priv_key.get()), actual: (nullptr) vs
NULL
        PK11_GenerateKeyPair failed: SEC_ERROR_INVALID_ARGS
        softoken_gtest.cc:555: Failure
        Expected: (nullptr) != (pub_tmp), actual: (nullptr) vs NULL
        softoken_gtest.cc:897: Failure
        Expected equality of these values:
          SECSuccess
            Which is: 0
          rv
            Which is: -1
        Test(IKE 1536) failed

        <snip>

        [  FAILED  ] FipsDhCases/SoftokenFipsDhValidate.DhVectors/0,
where GetParam() = 112-byte object <44-CF 45-00 00-00 00-00 00-00 00-00 
00-00 00-00 20-4D 46-00 00-00 00-00 C0-00 00-00 00-00 00-00 00-00 00-00 
00-00 00-00 A1-D4 45-00 00-00 00-00 01-00 00-00 00-00 00-00 00-00 00-00 
00-00 00-00 00-00 00-00 00-00 00-00 00-00 00-00 00-00 00-00 00-00 00-00 
00-00 00-00 00-00 00-00 00-00 00-00 00-00 00-00 00-00 00-00 01-00 00-00 
00-00 00-00> (189 ms)
        Test:IKE 1536 with subprime
        param_type: IKE_APPROVED, key_class: CLASS_1536
        p: [192]
ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74...
        g: [1] 02
        q: [192]
7fffffffffffffffe487ed5110b4611a62633145c06e0e68948127044533e63a...
        pub_key: [0]
        softoken_gtest.cc:553: Failure
        Expected: (nullptr) != (priv_key.get()), actual: (nullptr) vs
NULL
        PK11_GenerateKeyPair failed: SEC_ERROR_INVALID_ARGS
        softoken_gtest.cc:555: Failure
        Expected: (nullptr) != (pub_tmp), actual: (nullptr) vs NULL
        softoken_gtest.cc:897: Failure
        Expected equality of these values:
          SECSuccess
            Which is: 0
          rv
            Which is: -1
        Test(IKE 1536 with subprime) failed
        [  FAILED  ] FipsDhCases/SoftokenFipsDhValidate.DhVectors/11,
where GetParam() = 112-byte object <28-CD 45-00 00-00 00-00 00-00 00-00 
00-00 00-00 20-4D 46-00 00-00 00-00 C0-00 00-00 00-00 00-00 00-00 00-00 
00-00 00-00 A1-D4 45-00 00-00 00-00 01-00 00-00 00-00 00-00 00-00 00-00 
00-00 00-00 60-10 46-00 00-00 00-00 C0-00 00-00 00-00 00-00 00-00 00-00 
00-00 00-00 00-00 00-00 00-00 00-00 00-00 00-00 00-00 00-00 01-00 00-00 
00-00 00-00> (204 ms)


Expected results:

Self-tests pass

Additional info:
Comment 2 Tuomo Soini 2020-10-02 19:58:58 UTC 
$ zgrep '^Test..*failed' build.log.gz 
Test(IKE 1536) failed
Test(IKE 1536 with subprime) failed
Test(IKE 1536) failed
Test(IKE 1536 with subprime) failed
Test(IKE 1536) failed
Test(IKE 1536 with subprime) failed
Test(IKE 1536) failed
Test(IKE 1536 with subprime) failed
Comment 3 Pat Riehecky 2020-10-02 20:18:39 UTC 
Per chat with Tumo Soini, looks like:


https://git.centos.org/rpms/nss-softokn/blob/c7/f/SOURCES/nss-softokn-3.53.1-no-small-primes.patch

Is the problem.
Comment 4 Bob Relyea 2020-10-02 22:20:41 UTC 
The problem is the gtest wasn't updated deal with the fact that IKE 1563 is not supposed to work in FIPS mode.
gtests run in nss, but the code for this is in nss-softokn. We'll probably pick this up if we need to make a new build of nss (along with updating the expired pay pal certificate). I'll include a patch for this issue in this bug.
Comment 5 Bob Relyea 2020-10-02 22:29:28 UTC 
Created attachment 1718536 [details]
Update gtests to expect small approved primes to fail
Comment 6 Tuomo Soini 2020-10-04 08:13:01 UTC 
Created attachment 1718726 [details]
Update gtests to expect small approved primes to fail take 2

First patch didn't patch both cases with same problem. Applying this same fix on other problem test fixed build.
Comment 8 Bob Relyea 2020-10-19 22:21:39 UTC 
AC: 
Sanity Only
Comment 10 Bob Relyea 2020-11-10 00:12:04 UTC 
We need zstream+ for this bug, thanks.
Comment 24 errata-xmlrpc 2021-04-27 11:30:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: nss security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1384