Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1781903

Summary: `ipsec newhostkey` fails with 'ipsec rsasigkey: key pair generation failed: "-8187"'
Product: Red Hat Enterprise Linux 6 Reporter: James Cassell <fedoraproject>
Component: libreswanAssignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA QA Contact: Jaroslav Aster <jaster>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.10CC: cww, jaster, mthacker, omoris, pvrabec, pwouters, qe-baseos-security, sbroz, toneata
Target Milestone: rcKeywords: EasyFix, Patch, Regression, Reproducer, ZStream
Target Release: ---Flags: mthacker: needinfo+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-28 09:18:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Use 65537 as the public exponent. pwouters: review+

Description James Cassell 2019-12-10 20:59:40 UTC 
Description of problem:
`ipsec newhostkey` fails with 'ipsec rsasigkey: key pair generation failed: "-8187"'


Version-Release number of selected component (if applicable):
nss-softokn-3.44.0-5.el6_10.src.rpm


How reproducible:
100%


Steps to Reproduce:
1. yum install libreswan
2. yum upgrade nss*
3. ipsec initnss
4. ipsec newhostkey --verbose --output /etc/ipsec.d/host.secrets


Actual results:
getting 64 random seed bytes for NSS from /dev/random...
ipsec rsasigkey: key pair generation failed: "-8187"


Expected results:
getting 64 random seed bytes for NSS from /dev/random...
Generated RSA key pair using the NSS database
output...


Additional info:
- Seems to have been caused by https://bugzilla.redhat.com/show_bug.cgi?id=1723002
- Can workaround by downgrading nss* packages:
# yum downgrade nss{,-sysinit,-tools,-util}-3.36.0-9.el6_10 nss-softokn*3.14.3-23.3.el6_8
Comment 3 Stepan Broz 2019-12-11 12:50:53 UTC 
I had a look on this and was able to reproduce everything locally, and I think I now understand the root cause of the issue.

 There was a recent rebase (used higher upstream version) of the "nss" and "nss-softokn" version we ship with RHEL-6 to satisfy the requirements for Firefox 68 ESR (BZ#1743628); the packages were released as part of RHEA-2019:3280 [1], . However, while the updated versions brought many improvements in, there appears to be a regression with "libreswan".

Libreswan 3.15 uses a hard-wired "exponent" (e = 3) for the rsasigkeys: 

File: rsasigkey.c
75: #define E       3               /* standard public exponent */
76: /* #define F4	65537 */	/* possible future public exponent, Fermat's 4th number */
... lines omitted ...
416: /*
417:  * generate an RSA signature key
418:  *
419:  * e is fixed at 3, without discussion.  That would not be wise if these
420:  * keys were to be used for encryption, but for signatures there are some
421:  * real speed advantages.
422:  * See also: https://www.imperialviolet.org/2012/03/16/rsae.html
423:  */
424: void rsasigkey(int nbits, int seedbits, char *configdir, char *password)
425: {
426: 	SECStatus rv;
427: 	PK11RSAGenParams rsaparams = { nbits, (long) E };


But the newer nss-softokn-freebl insists on a F4 exponent (65537) as the minimum:

File: rsa.c
265: /*
266: ** Generate and return a new RSA public and private key.
267: **  Both keys are encoded in a single RSAPrivateKey structure.
268: **  "cx" is the random number generator context
269: **  "keySizeInBits" is the size of the key to be generated, in bits.
270: **     512, 1024, etc.
271: **  "publicExponent" when not NULL is a pointer to some data that
272: **     represents the public exponent to use. The data is a byte
273: **     encoded integer, in "big endian" order.
274: */
275: RSAPrivateKey *
276: RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
277: {
... lines omitted ...
290:     /* Require key size to be a multiple of 16 bits. */
291:     if (!publicExponent || keySizeInBits % 16 != 0 ||
292:         BAD_RSA_KEY_SIZE((unsigned int)keySizeInBits / 8, publicExponent->len)) {
293:         PORT_SetError(SEC_ERROR_INVALID_ARGS);
294:         return NULL;
295:     }
296:     /* 1.  Set the public exponent and check if it's uneven and greater than 2.*/
297:     MP_DIGITS(&e) = 0;
298:     CHECK_MPI_OK(mp_init(&e));
299:     SECITEM_TO_MPINT(*publicExponent, &e);
300:     if (mp_iseven(&e) || !(mp_cmp_d(&e, 2) > 0)) {
301:         PORT_SetError(SEC_ERROR_INVALID_ARGS);
302:         goto cleanup;
303:     }
304: #ifndef NSS_FIPS_DISABLED
305:     /* Check that the exponent is not smaller than 65537  */
306:     if (mp_cmp_d(&e, 0x10001) < 0) {
307:         PORT_SetError(SEC_ERROR_INVALID_ARGS);
308:         goto cleanup;
309:     }
310: #endif


Running the "ipsec newhostkey" ("/usr/libexec/ipsec/rsasigkey") under gdb shows:

Breakpoint 1, RSA_NewKey (keySizeInBits=4096, publicExponent=0x7fffffffc6e0) at rsa.c:306
306	    if (mp_cmp_d(&e, 0x10001) < 0) {

(gdb) print e
$1 = {sign = 0, alloc = 64, used = 1, dp = 0x5555557c2d60}
(gdb) print e->dp
$2 = (mp_digit *) 0x5555557c2d60
(gdb) print *e->dp
$3 = 3

(gdb) next
307	        PORT_SetError(SEC_ERROR_INVALID_ARGS);

... a few nexts later:

ipsec rsasigkey: key pair generation failed: "-8187"
567	}
(gdb) 
main (argc=13, argv=0x7fffffffe3b8) at /usr/src/debug/libreswan-3.15/programs/rsasigkey/rsasigkey.c:413
413		exit(0);


Finding the error code explanation:

File: secerr.h
10: #define SEC_ERROR_BASE (-0x2000)
11: #define SEC_ERROR_LIMIT (SEC_ERROR_BASE + 1000)
12: 
13: #define IS_SEC_ERROR(code) \
14:     (((code) >= SEC_ERROR_BASE) && ((code) < SEC_ERROR_LIMIT))
15: 
16: #ifndef NO_SECURITY_ERROR_ENUM
17: typedef enum {
18:     SEC_ERROR_IO = SEC_ERROR_BASE + 0,
19:     SEC_ERROR_LIBRARY_FAILURE = SEC_ERROR_BASE + 1,
20:     SEC_ERROR_BAD_DATA = SEC_ERROR_BASE + 2,
21:     SEC_ERROR_OUTPUT_LEN = SEC_ERROR_BASE + 3,
22:     SEC_ERROR_INPUT_LEN = SEC_ERROR_BASE + 4,
23:     SEC_ERROR_INVALID_ARGS = SEC_ERROR_BASE + 5,


Error is SEC_ERROR_BASE + 5 = -0x2000 + 5 = -8192 + 5 = -8187 = SEC_ERROR_INVALID_ARGS


And while it is nss-softokn causing the regression, I believe it would be easier to fix in "libreswan".
Comment 4 Stepan Broz 2019-12-11 15:28:38 UTC 
Created attachment 1644002 [details]
Use 65537 as the public exponent.

I wrote this quick patch that uses 65537 as the public exponent. Upstream has used a similar approach, but has also other changes, e.g. bundle() is missing.

I have modified bundle() to support and use 3 octets long public exponents.
Comment 5 Paul Wouters 2019-12-12 03:13:10 UTC 
Comment on attachment 1644002 [details]
Use 65537 as the public exponent.

This patch or something very similar to this is the right way to fix this issue
Comment 22 errata-xmlrpc 2020-01-28 09:18:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0257