Bug 721686 - net-vpn/libreswan-3.31 with nss 3.52 - ABORT: ASSERTION FAILED: test_gcm_vectors(&ike_alg_encrypt_aes_gcm_16, aes_gcm_tests) (in test_ike_alg() at ike_alg_test.c:41)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Hans de Graaff
URL: https://github.com/libreswan/libreswa...
Reported: 2020-05-08 19:54 UTC by Pavel Volkov
Modified: 2020-06-27 06:17 UTC

Description Pavel Volkov 2020-05-08 19:54:41 UTC
After full world rebuild I started to receive this error on libreswan start.
I use libressl 3.0.2 on my system.

pluto[69418]: testing AES_GCM_16:
pluto[69418]:   empty string
pluto[69418]: NSS: AEAD decryption using AES_GCM_16_128 and PK11_Decrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]: NSS: AEAD encryption using AES_GCM_16_128 and PK11_Encrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]:   one block
pluto[69418]: NSS: AEAD decryption using AES_GCM_16_128 and PK11_Decrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]: NSS: AEAD encryption using AES_GCM_16_128 and PK11_Encrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]:   two blocks
pluto[69418]: NSS: AEAD decryption using AES_GCM_16_128 and PK11_Decrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]: NSS: AEAD encryption using AES_GCM_16_128 and PK11_Encrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]:   two blocks with associated data
pluto[69418]: NSS: AEAD decryption using AES_GCM_16_128 and PK11_Decrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]: NSS: AEAD encryption using AES_GCM_16_128 and PK11_Encrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]: ABORT: ASSERTION FAILED: test_gcm_vectors(&ike_alg_encrypt_aes_gcm_16, aes_gcm_tests) (in test_ike_alg() at ike_alg_test.c:41)

Reproducible: Always




Portage 2.3.99 (python 3.8.2-final-0, default/linux/amd64/17.1/desktop/plasma/systemd, gcc-9.3.0, glibc-2.31-r2, 5.6.11-gentoomelf x86_64)
=================================================================
System uname: Linux-5.6.11-gentoomelf-x86_64-AMD_Ryzen_7_3700X_8-Core_Processor-with-glibc2.2.5
KiB Mem:    32820704 total,  26711732 free
KiB Swap:   15728636 total,  15728636 free
Timestamp of repository gentoo: Thu, 07 May 2020 18:15:01 +0000
Head commit of repository gentoo: 459381bd21c151b04620257b6c51b8b8185ffcb3
Timestamp of repository libressl: Tue, 05 May 2020 22:08:48 +0000
Head commit of repository libressl: afc952440247e6c992adff059f4240b77928dfce

Timestamp of repository rion: Fri, 01 May 2020 10:40:30 +0000
Head commit of repository rion: 562ff482c94128ac47217516870219ef4ec9a28a

sh bash 5.0_p17
ld GNU ld (Gentoo 2.34 p1) 2.34.0
app-shells/bash:          5.0_p17::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.30.2::gentoo
dev-lang/python:          2.7.18::gentoo, 3.7.7-r2::gentoo, 3.8.2-r2::gentoo
dev-util/cmake:           3.17.2::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.7::gentoo
sys-apps/sandbox:         2.18::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake:       1.16.2::gentoo
sys-devel/binutils:       2.34::gentoo
sys-devel/gcc:            9.3.0::gentoo
sys-devel/gcc-config:     2.2.1::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.6::gentoo (virtual/os-headers)
sys-libs/glibc:           2.31-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync2.ru.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: -4
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-jobs: 1

libressl
    location: /var/db/repos/libressl
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/libressl.git
    masters: gentoo

rion
    location: /var/db/repos/rion
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/rion.git
    masters: gentoo

custom
    location: /usr/local/portage
    masters: gentoo
    priority: 70

Installed sets: @development, @fonts, @kdeapps, @nfc, @python-extra
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE freedist linux-fw-redistributable no-source-code MPEG-4 unRAR CC-BY-NC-ND-3.0 Samsung-EULA Skype-TOS BitstreamCyberbit MSttfEULA grass-ipafonts free-noncomm bh-luxi all-rights-reserved"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=znver2 "
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/ibus/component/simple.xml"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/openvpn/update-systemd-resolved /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=znver2 "
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going --quiet-build"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.yandex.ru/gentoo-distfiles/"
INSTALL_MASK="/etc/init.d/ /etc/xinetd.d/ /etc/hosts /etc/networks /etc/xdg/autostart/solaar.desktop"
LANG="ru_RU.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_GB ru ja"
MAKEOPTS="-j17"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="-4"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi activities alsa amd64 anthy berkdb bluetooth branding btrfs bzip2 cacert cairo cdda cdr cjk cli crypt cryptsetup cups dbus declarative djvu dri dts dvd dvdr egl emboss encode exif ffmpeg flac fortran gdbm gif git gpg gpm gstreamer gtk ibus iconv icu idn ipv6 jpeg kde kipi kwallet lcms libnotify libressl libtirpc lm_sensors mad mng mp3 mp4 mpeg multilib ncurses nls nptl ogg opengl openmp opus pam pango pcre pdf phonon plasma png policykit ppds pulseaudio qml qt5 raw readline samba scanner sdl seccomp spell split-usr ssl startup-notification svg systemd tcpd tiff truetype udev udisks unicode upower usb v4l vaapi vorbis wayland widgets wxwidgets x264 x265 xattr xcb xcomposite xml xv xvid zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3" CURL_SSL="libressl" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" L10N="en en-GB ru ja" LCD_DEVICES="bayrad 
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LLVM_TARGETS="X86 AMDGPU" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_7" PYTHON_TARGETS="python3_7 python3_8" RUBY_TARGETS="ruby27" SANE_BACKENDS="genesys" USERLAND="GNU" VIDEO_CARDS="radeon r600 amdgpu radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
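The startup self-test log in the description above can be triaged programmatically. This is an added example, not part of the original report or of libreswan; the names `triage` and `failure_is_data_independent` and the embedded sample (an excerpt of the reported log) are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the pluto log quoted in the bug description.
SAMPLE_LOG = """\
pluto[69418]: testing AES_GCM_16:
pluto[69418]:   empty string
pluto[69418]: NSS: AEAD decryption using AES_GCM_16_128 and PK11_Decrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]: NSS: AEAD encryption using AES_GCM_16_128 and PK11_Encrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]:   one block
pluto[69418]: NSS: AEAD decryption using AES_GCM_16_128 and PK11_Decrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]: NSS: AEAD encryption using AES_GCM_16_128 and PK11_Encrypt() failed (SECERR: 2 (0x2): security library: received bad data.)
pluto[69418]: ABORT: ASSERTION FAILED: test_gcm_vectors(&ike_alg_encrypt_aes_gcm_16, aes_gcm_tests) (in test_ike_alg() at ike_alg_test.c:41)
"""

PREFIX = re.compile(r"^pluto\[\d+\]: (.*)$")
ALG = re.compile(r"^testing (\S+):$")
VECTOR = re.compile(r"^\s+(\S.*)$")  # indented line names the test vector
NSS_FAIL = re.compile(
    r"^NSS: AEAD (encryption|decryption) using \S+ and (\w+)\(\) failed \(SECERR: (\d+) ")
ABORT = re.compile(r"^ABORT: ASSERTION FAILED: (.*) \(in \w+\(\) at ([\w.]+):(\d+)\)$")

def triage(log_text):
    """Group NSS AEAD failures by self-test vector and locate the abort."""
    report = {"algorithm": None, "vectors": defaultdict(list), "abort": None}
    vector = None
    for raw in log_text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue  # not a pluto line
        body = m.group(1)
        if (a := ALG.match(body)):
            report["algorithm"], vector = a.group(1), None
        elif (v := VECTOR.match(body)):
            vector = v.group(1)
            report["vectors"][vector]  # record the vector even if it passes
        elif (f := NSS_FAIL.match(body)) and vector is not None:
            report["vectors"][vector].append((f.group(1), f.group(2), int(f.group(3))))
        elif (x := ABORT.match(body)):
            report["abort"] = (x.group(1), x.group(2), int(x.group(3)))
    return report

def failure_is_data_independent(report):
    """Heuristic (assumption): every vector failed in both directions, so the
    fault lies in how the cipher is invoked, not in one vector's data."""
    vs = report["vectors"]
    both = {"encryption", "decryption"}
    return bool(vs) and all({op for op, _, _ in f} == both for f in vs.values())
```
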
Comment 1 Pavel Volkov 2020-05-08 20:30:24 UTC
Apparently it needs USE_NSS_PRF=false
Comment 2 Hans de Graaff gentoo-dev Security 2020-05-12 14:37:43 UTC
Looking at the referenced bug, this should be fixed in libreswan 3.32, which I've just added. Can you verify that that version fixes the issue for you, and re-open if not?
Comment 3 Pavel Volkov 2020-05-13 06:01:02 UTC
No, it doesn't; they say the fix is in git master only.
This is the fix:

nss: move NSS_PKCS11_2_0_COMPAT define to ike_alg_encrypt_nss_gcm_ops.c
https://github.com/libreswan/libreswan/commit/db7715407efa43cd2a66caed67c02d8f7bb90b35
Comment 4 Ortwin Glueck 2020-06-17 12:58:24 UTC
See also https://github.com/libreswan/libreswan/issues/342

At least a dependency blocker should be added to libreswan for now:
 !dev-libs/nss-3.52.1-r1

Even better would be to quickly bump libreswan to include commit db7715 as a patch.
Comment 5 Larry the Git Cow gentoo-dev 2020-06-27 06:17:13 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f089a9dbc70325b82be293afe46bf2c9a7c3e9e8

commit f089a9dbc70325b82be293afe46bf2c9a7c3e9e8
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2020-06-27 06:15:13 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2020-06-27 06:15:30 +0000

    net-vpn/libreswan: backport NSS compat patch
    
    Backport a patch for compatibility with newer NSS versions.
    
    Closes: https://bugs.gentoo.org/721686
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 .../files/libreswan-3.32-nss-compat.patch          |  23 ++++
 net-vpn/libreswan/libreswan-3.32-r1.ebuild         | 117 +++++++++++++++++++++
 2 files changed, 140 insertions(+)