Re: nss security update package ready for review
On 2016-12-01 10:06:46, Antoine Beaupré wrote:
> On 2016-11-30 23:59:32, Guido Günther wrote:
>> I remember the nss testsuite to run cleanly last time I checked a couple
>> of months ago so we should IMHO investigate.
>
> It seems that there are a lot of failing tests regarding FIPS support:
>
> [1034]anarcat@angela:nss-3.26.2$ grep 'FAILED$' /var/cache/pbuilder/build//cow.13026/tmp/buildd/nss-3.26.2/build.log
> cert.sh: #320: Enable FIPS mode on database for FIPS PUB 140 Test Certificate (11) - FAILED
> fips.sh: #830: Verify this module is in FIPS mode (modutil -chkfips true) . - FAILED
> fips.sh: #849: Run PK11MODE in FIPS mode (pk11mode) . - FAILED
> fips.sh: #850: Run PK11MODE in Non FIPS mode (pk11mode -n) . - FAILED
> fips.sh: #851: Init NSS with a corrupted library (dbtest -r) . - FAILED
> ssl.sh: #2681: (modutil -fips true) produced a returncode of 11, expected is 0 - FAILED
> ssl.sh: #2683: (grep "FIPS PKCS #11") produced a returncode of 1, expected is 0 - FAILED
> ssl.sh: #2684: (modutil -fips true) produced a returncode of 11, expected is 0 - FAILED
> ssl.sh: #2686: (grep "FIPS PKCS #11") produced a returncode of 1, expected is 0 - FAILED
> ssl.sh: #3144: (modutil -fips false) produced a returncode of 13, expected is 0 - FAILED
> ssl.sh: #3147: (modutil -fips false) produced a returncode of 13, expected is 0 - FAILED
> ssl.sh: #3150: (modutil -fips true) produced a returncode of 11, expected is 0 - FAILED
> ssl.sh: #3152: (grep "FIPS PKCS #11") produced a returncode of 1, expected is 0 - FAILED
> ssl.sh: #3153: (modutil -fips true) produced a returncode of 11, expected is 0 - FAILED
> ssl.sh: #3155: (grep "FIPS PKCS #11") produced a returncode of 1, expected is 0 - FAILED
> [1034]anarcat@angela:nss-3.26.2$ grep 'FAILED$' /var/cache/pbuilder/build//cow.13026/tmp/buildd/nss-3.26.2/build.log | wc
> 15 222 1279
>
> The test suite hasn't completed yet, so two more are missing... But
> basically, this looks like *all* FIPS-related issues, except for #851.
>
> Does that ring a bell to anyone?

Okay, researching this further shows that the test suite also failed
back in the 3.14.5-1+deb7u6 package I had lying around:

NSS variables:
--------------
HOST=angela
DOMSUF=(none)
BUILD_OPT=
USE_64=
NSS_CYCLES="standard"
NSS_TESTS=""
NSS_SSL_TESTS="crl bypass_normal normal_bypass fips_normal normal_fips iopr"
NSS_SSL_RUN="cov auth stress"
NSS_AIA_PATH=
NSS_AIA_HTTP=
NSS_AIA_OCSP=
IOPR_HOSTADDR_LIST=
PKITS_DATA=
Tests summary:
--------------
Passed: 1284
Failed: 11
Failed with core: 0
Unknown status: 0

I haven't looked in detail at which test is failing exactly. I tried
disabling the *fips* tests in the 3.26.2 build, and this is the result:

SUMMARY:
========
NSS variables:
--------------
HOST=angela
DOMSUF=(none)
BUILD_OPT=
USE_X32=
USE_64=
NSS_CYCLES="standard"
NSS_TESTS=""
NSS_SSL_TESTS="crl bypass_normal normal_bypass iopr policy"
NSS_SSL_RUN="cov auth stapling stress"
NSS_AIA_PATH=
NSS_AIA_HTTP=
NSS_AIA_OCSP=
IOPR_HOSTADDR_LIST=
PKITS_DATA=
Tests summary:
--------------
Passed: 7459
Failed: 5
Failed with core: 0
ASan failures: 0
Unknown status: 0

What's interesting is that the test suite failures did not break the
build in previous releases.

Guido: did you remember which package had a passing test suite? :)

I wonder if this could not be some nspr interaction, since that was
updated as well...

A.

--
We will create a civilization of the Mind in Cyberspace. May it be more
humane and fair than the world your governments have made before.
- John Perry Barlow, 1996
A Declaration of Independence of Cyberspace
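
Added example, not part of the original message or of the NSS test suite: a small triage script for the `FAILED` lines grepped above. It groups failures by test script, tallies the command return codes, and lists the failures whose description does not mention FIPS. The function names and the "fips" keyword heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the grep output quoted in the message above, plus one
# constructed PASSED line to show that non-failures are ignored.
SAMPLE_LOG = '''\
cert.sh: #320: Enable FIPS mode on database for FIPS PUB 140 Test Certificate (11) - FAILED
fips.sh: #830: Verify this module is in FIPS mode (modutil -chkfips true) . - FAILED
fips.sh: #851: Init NSS with a corrupted library (dbtest -r) . - FAILED
ssl.sh: #2681: (modutil -fips true) produced a returncode of 11, expected is 0 - FAILED
ssl.sh: #2683: (grep "FIPS PKCS #11") produced a returncode of 1, expected is 0 - FAILED
ssl.sh: #3144: (modutil -fips false) produced a returncode of 13, expected is 0 - FAILED
ssl.sh: #9999: constructed passing test - PASSED
'''

FAILED_RE = re.compile(r'^(?P<script>[\w.]+): #(?P<num>\d+): (?P<desc>.*) - FAILED$')
RC_RE = re.compile(r'\((?P<cmd>[^)]*)\) produced a returncode of (?P<rc>\d+), '
                   r'expected is (?P<expected>\d+)')

def parse_failures(log_text):
    """Return one dict per FAILED line: script, test number, description."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            failures.append({'script': m['script'], 'num': int(m['num']),
                             'desc': m['desc']})
    return failures

def triage(log_text):
    """Group failures by script, tally command return codes, and list the
    failures whose description does not mention FIPS (keyword heuristic)."""
    failures = parse_failures(log_text)
    by_script = Counter(f['script'] for f in failures)
    return_codes = Counter()
    for f in failures:
        rc = RC_RE.search(f['desc'])
        if rc:
            return_codes[(rc['cmd'], int(rc['rc']))] += 1
    non_fips = [f['num'] for f in failures if 'fips' not in f['desc'].lower()]
    return {'total': len(failures), 'by_script': dict(by_script),
            'return_codes': dict(return_codes), 'non_fips': non_fips}

if __name__ == '__main__':
    for key, value in triage(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```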