sts-sponsors team mailing list archive

Thread
Date
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

To: sts-sponsors@xxxxxxxxxxxxxxxxxxx
From: Dariusz Gadomski <1885562@xxxxxxxxxxxxxxxxxx>
Date: Fri, 17 Jul 2020 06:44:18 -0000
Reply-to: Bug 1885562 <1885562@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Description changed:

+ [Impact]
+ 
+  * Prevents using some parts of nss in FIPS mode - e.g.
+ libfreeblpriv3.so (failed asserts). The library during initialization
+ tries to verify it's own binaries against signatures in chk files
+ shipped along with it (created at build time). They are installed at
+ /usr/lib/$(DEB_HOST_MULTIARCH)/nss while it tries to look for them at
+ /usr/lib/$(DEB_HOST_MULTIARCH).
+ 
+ [Test Case]
+ 
+  * Setup Ubuntu 18.04 in FIPS mode.
+  * sudo apt install chrony
+  * sudo chronyd -d
+  * chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
+ 
+ [Regression Potential]
+ 
+  * Fix introduces 2 new artifacts to the filesystem (symlinks to the chk
+ files). It may cause alerts in e.g. CI systems.
+ 
+ [Other Info]
+ Original bug description:
+ 
  In FIPS mode there are some additional checks performed.
  
  They lead to verifying binaries signatures. Those signatures are shipped
  in the libnss3 package as *.chk files installed in
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
  libraries themselves (libfreebl3.so  libfreeblpriv3.so  libnssckbi.so
  libnssdbm3.so  libsoftokn3.so).
  
  Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
  
  The client binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes path to the symlink to the shlib and replaces the .so extension with .chk.
  Then it tries to open that file. Obviosly it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
  
  [Test case]
  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
  
  Potential solutions:
  Solution A:
  Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
  
  Solution B:
  Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like it is done for *.so).
  
  Solution C:
  Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to.

-- 
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1885562

Title:
  [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

Status in nss package in Ubuntu:
  In Progress
Status in nss source package in Bionic:
  In Progress
Status in nss source package in Focal:
  In Progress
Status in nss source package in Groovy:
  In Progress

Bug description:
  [Impact]

   * Prevents using some parts of nss in FIPS mode - e.g.
  libfreeblpriv3.so (failed asserts). The library during initialization
  tries to verify it's own binaries against signatures in chk files
  shipped along with it (created at build time). They are installed at
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss while it tries to look for them at
  /usr/lib/$(DEB_HOST_MULTIARCH).

  [Test Case]

   * Setup Ubuntu 18.04 in FIPS mode.
   * sudo apt install chrony
   * sudo chronyd -d
   * chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.

  [Regression Potential]

   * Fix introduces 2 new artifacts to the filesystem (symlinks to the
  chk files). It may cause alerts in e.g. CI systems.

  [Other Info]
  Original bug description:

  In FIPS mode there are some additional checks performed.

  They lead to verifying binaries signatures. Those signatures are
  shipped in the libnss3 package as *.chk files installed in
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
  libraries themselves (libfreebl3.so  libfreeblpriv3.so  libnssckbi.so
  libnssdbm3.so  libsoftokn3.so).

  Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so

  The client binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes path to the symlink to the shlib and replaces the .so extension with .chk.
  Then it tries to open that file. Obviosly it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.

  [Test case]
  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.

  Potential solutions:
  Solution A:
  Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).

  Solution B:
  Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like it is done for *.so).

  Solution C:
  Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+subscriptions