[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
This bug was fixed in the package nss - 2:3.35-2ubuntu2.11

---
nss (2:3.35-2ubuntu2.11) bionic-security; urgency=medium

  * SECURITY UPDATE: Side-channel attack
    - debian/patches/CVE-2020-12400-and-6829-*.patch: use constant-time
      P-384 and P-521 in nss/lib/freebl/ecl/ecl-priv.h,
      nss/lib/freebl/ecl/ecl.c, nss/lib/freebl/ecl/ecl_spec384r1.c,
      nss/lib/freebl/freebl_base.gypi, nss/lib/freebl/manifest.mn,
      nss/test/ec/ectest.sh.
    - CVE-2020-12400
    - CVE-2020-6829
  * SECURITY UPDATE: Timing attack mitigation bypass
    - debian/patches/CVE-2020-12401.patch: remove unnecessary scalar
      padding in nss/lib/freebl/ec.c.
    - CVE-2020-12401

 -- leo.barb...@canonical.com (Leonidas S. Barbosa)  Wed, 05 Aug 2020 15:58:41 -0300

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1885562

Title:
  [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
This bug was fixed in the package nss - 2:3.49.1-1ubuntu1.4

---
nss (2:3.49.1-1ubuntu1.4) focal-security; urgency=medium

  * SECURITY UPDATE: Side-channel attack
    - debian/patches/CVE-2020-12400-and-6829-*.patch: use constant-time
      P-384 and P-521 in nss/lib/freebl/ecl/ecl-priv.h,
      nss/lib/freebl/ecl/ecl.c, nss/lib/freebl/ecl/ecl_spec384r1.c,
      nss/lib/freebl/freebl_base.gypi, nss/lib/freebl/manifest.mn,
      nss/test/ec/ectest.sh.
    - CVE-2020-12400
    - CVE-2020-6829
  * SECURITY UPDATE: Timing attack mitigation bypass
    - debian/patches/CVE-2020-12401.patch: remove unnecessary scalar
      padding in nss/lib/freebl/ec.c.
    - CVE-2020-12401

 -- leo.barb...@canonical.com (Leonidas S. Barbosa)  Wed, 05 Aug 2020 15:28:48 -0300

** Changed in: nss (Ubuntu Focal)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12400

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12401

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-6829

** Changed in: nss (Ubuntu Bionic)
       Status: Fix Committed => Fix Released
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Tags added: sts-sponsor-dgadomski
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
I tested libnss3 2:3.49.1-1ubuntu1.3 on focal, however this was not done
in FIPS mode (as there are no FIPS packages for focal available). I did
not find a way to trigger the signature verification outside FIPS mode,
but in the normal use case (FIPS disabled) everything works as expected,
no regressions noted.

** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
Tested with 2:3.35-2ubuntu2.10 on 18.04:

sudo chronyd -d
2020-07-23T08:40:19Z chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -DEBUG)
2020-07-23T08:40:19Z Frequency -1.068 +/- 0.045 ppm read from /var/lib/chrony/chrony.drift

(no failed assertions, no crashes)
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
Hello Dariusz, or anyone else affected,

Accepted nss into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/nss/2:3.35-2ubuntu2.10
in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-bionic
to verification-done-bionic. If it does not fix the bug for you, please
add a comment stating that, and change the tag to verification-failed-bionic.
In either case, without details of your testing we will not be able to
proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: nss (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed-bionic
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
Hello Dariusz, or anyone else affected,

Accepted nss into focal-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/nss/2:3.49.1-1ubuntu1.3
in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-focal
to verification-done-focal. If it does not fix the bug for you, please
add a comment stating that, and change the tag to verification-failed-focal.
In either case, without details of your testing we will not be able to
proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: nss (Ubuntu Focal)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-focal
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Merge proposal unlinked:
   https://code.launchpad.net/~sergiodj/ubuntu/+source/nss/+git/nss/+merge/387608
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
This bug was fixed in the package nss - 2:3.49.1-1ubuntu4

---
nss (2:3.49.1-1ubuntu4) groovy; urgency=medium

  * Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)

 -- Dariusz Gadomski  Wed, 01 Jul 2020 14:48:13 +0200

** Changed in: nss (Ubuntu Groovy)
       Status: In Progress => Fix Released
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Merge proposal linked:
   https://code.launchpad.net/~sergiodj/ubuntu/+source/nss/+git/nss/+merge/387608
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Description changed:

+ [Impact]
+
+  * Prevents using some parts of nss in FIPS mode - e.g. libfreeblpriv3.so
+ (failed asserts). The library during initialization tries to verify its
+ own binaries against signatures in chk files shipped along with it
+ (created at build time). They are installed at
+ /usr/lib/$(DEB_HOST_MULTIARCH)/nss while it tries to look for them at
+ /usr/lib/$(DEB_HOST_MULTIARCH).
+
+ [Test Case]
+
+  * Setup Ubuntu 18.04 in FIPS mode.
+  * sudo apt install chrony
+  * sudo chronyd -d
+  * chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
+
+ [Regression Potential]
+
+  * Fix introduces 2 new artifacts to the filesystem (symlinks to the chk
+ files). It may cause alerts in e.g. CI systems.
+
+ [Other Info]
+
+ Original bug description:
+
  In FIPS mode there are some additional checks performed. They lead to
  verifying binaries signatures. Those signatures are shipped in the
  libnss3 package as *.chk files installed in
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
  libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so
  libnssdbm3.so libsoftokn3.so). Those libraries are symlinked to be
  present in /usr/lib/$(DEB_HOST_MULTIARCH):

  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so

  The client binaries are linked against the symlinks, so when the
  verification happens (lib/freebl/shvfy.c) the mkCheckFileName function
  takes the path to the symlink to the shlib and replaces the .so
  extension with .chk. Then it tries to open that file. Obviously it
  fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.

  [Test case]
  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.

  Potential solutions:

  Solution A:
  Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all
  signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).

  Solution B:
  Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like
  it is done for *.so).

  Solution C:
  Implement and upstream NSS feature of resolving symlinks and looking
  for *.chk where the symlinks lead to.
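The lookup the description attributes to mkCheckFileName, and the effect of Solution B and Solution C on it, as an added example that is not code from the bug report or from NSS: it builds a constructed copy of the bionic libnss3 layout in a temporary directory, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report or the NSS sources. It models the
# *.chk lookup the description attributes to mkCheckFileName (lib/freebl/shvfy.c)
# against a constructed copy of the bionic libnss3 layout, and shows why the
# check fails as shipped and how Solution B (sibling .chk symlink) and
# Solution C (resolve the symlink first) each make it succeed.
set -eu

# Mirror of the derivation described in the bug: replace the trailing ".so"
# of the path the library was loaded from with ".chk". No symlink resolution.
mk_check_file_name() {
    printf '%s\n' "${1%.so}.chk"
}

# Build a constructed stand-in for /usr/lib/$(DEB_HOST_MULTIARCH) in a temp dir:
#   <libdir>/nss/libfreeblpriv3.so                         real library (empty placeholder)
#   <libdir>/nss/libfreeblpriv3.chk                        real signature file (empty placeholder)
#   <libdir>/libfreeblpriv3.so -> nss/libfreeblpriv3.so    the symlink clients link against
# Prints the temp dir path.
make_layout() {
    libdir=$(mktemp -d)
    mkdir -p "$libdir/nss"
    : > "$libdir/nss/libfreeblpriv3.so"
    : > "$libdir/nss/libfreeblpriv3.chk"
    ln -s nss/libfreeblpriv3.so "$libdir/libfreeblpriv3.so"
    printf '%s\n' "$libdir"
}

# What the FIPS integrity test effectively asks: does the .chk derived from
# the loaded path exist? Returns 0 if present, 1 if missing.
chk_present_for() {
    [ -f "$(mk_check_file_name "$1")" ]
}

# Solution B from the description: ship a sibling symlink for the .chk file,
# so the naive derivation lands on a path that exists.
add_chk_symlink() {
    ln -s nss/libfreeblpriv3.chk "$1/libfreeblpriv3.chk"
}

# Solution C from the description: resolve the symlink to the real library
# first, then derive the .chk path next to it. Uses readlink -f (GNU coreutils).
chk_present_via_realpath() {
    [ -f "$(mk_check_file_name "$(readlink -f "$1")")" ]
}

# Walk through the three situations on a fresh layout, print each outcome,
# then remove the temp dir.
demo() {
    d=$(make_layout)
    lib="$d/libfreeblpriv3.so"
    echo "derived check file: $(mk_check_file_name "$lib")"
    if chk_present_for "$lib"; then
        echo "as shipped: found"
    else
        echo "as shipped: missing (this is the bug)"
    fi
    if chk_present_via_realpath "$lib"; then echo "Solution C: found"; fi
    add_chk_symlink "$d"
    if chk_present_for "$lib"; then echo "Solution B: found"; fi
    rm -rf "$d"
}

demo
```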
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Also affects: nss (Ubuntu Groovy)
   Importance: Medium
     Assignee: Dariusz Gadomski (dgadomski)
       Status: In Progress

** Also affects: nss (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: nss (Ubuntu Focal)
     Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: nss (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: nss (Ubuntu Focal)
       Status: New => In Progress
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
Reviewed patches and they look good to me.

However, in the future, we should consider another possibility: disable
FIPS mode for libNSS3 by default, since that lib isn't FIPS-certified.
This can prevent customers from mistakenly thinking the opposite.
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
As discussed with Richard outside LP: we agreed that adding symlinks is
an acceptable solution to this problem. Debdiffs linked.
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Changed in: nss (Ubuntu)
     Assignee: Richard Maciel Costa (richardmaciel) => Dariusz Gadomski (dgadomski)

** Changed in: nss (Ubuntu Bionic)
     Assignee: Richard Maciel Costa (richardmaciel) => Dariusz Gadomski (dgadomski)
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Changed in: nss (Ubuntu)
       Status: New => In Progress

** Changed in: nss (Ubuntu Bionic)
       Status: New => In Progress
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
@richardmaciel please let me know if I can help you with anything with
regard to this bug.
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Tags added: patch
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
The patches I've uploaded implement Solution B from the description. It
actually applies only to Bionic, but I believe it's worth having it in
Focal if it gets FIPS certification and for Groovy - to keep it for the
future releases.
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
Bionic debdiff reupload

** Patch added: "bionic.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388756/+files/bionic.debdiff
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
groovy fix

** Patch added: "groovy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388751/+files/groovy.debdiff
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
SRU proposal for Focal

May be useful if it gets FIPS-certified.

** Patch added: "focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388752/+files/focal.debdiff
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
Focal debdiff reupload

** Patch added: "focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388755/+files/focal.debdiff
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
Groovy debdiff re-upload

** Patch added: "groovy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388754/+files/groovy.debdiff
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
SRU proposal for bionic

** Patch removed: "focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388752/+files/focal.debdiff

** Patch removed: "groovy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388751/+files/groovy.debdiff
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Changed in: nss (Ubuntu)
     Assignee: (unassigned) => Richard Maciel Costa (richardmaciel)

** Changed in: nss (Ubuntu Bionic)
     Assignee: (unassigned) => Richard Maciel Costa (richardmaciel)
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Description changed:

  In FIPS mode there are some additional checks performed. They lead to
  verifying binaries signatures. Those signatures are shipped in the
  libnss3 package as *.chk files installed in
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
  libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so
  libnssdbm3.so libsoftokn3.so). Those libraries are symlinked to be
  present in /usr/lib/$(DEB_HOST_MULTIARCH):

  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so

  The client binaries are linked against the symlinks, so when the
  verification happens (lib/freebl/shvfy.c) the mkCheckFileName function
  takes the path to the symlink to the shlib and replaces the .so
  extension with .chk. Then it tries to open that file. Obviously it
  fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.

  [Test case]
  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.

  Potential solutions:

  Solution A:
  Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all
  signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).

  Solution B:
+ Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like
+ it is done for *.so).
+
+ Solution C:
  Implement and upstream NSS feature of resolving symlinks and looking
  for *.chk where the symlinks lead to.
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
I have briefly analyzed nss code - it uses the nspr library for, inter
alia, file access abstraction. From what I saw in the docs it does not
offer any form of symlink resolution, so it may be nontrivial to safely
implement it in nss code.
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Description changed:

- When in FIPS mode there some additional checks performed.
+ In FIPS mode there are some additional checks performed.
  They lead to verifying binaries signatures. Those signatures are
  shipped in the libnss3 package as *.chk files installed in
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
  libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so
  libnssdbm3.so libsoftokn3.so). Those libraries are symlinked to be
  present in /usr/lib/$(DEB_HOST_MULTIARCH):

  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so

  The client binaries are linked against the symlinks, so when the
  verification happens (lib/freebl/shvfy.c) the mkCheckFileName function
  takes the path to the symlink to the shlib and replaces the .so
  extension with .chk. Then it tries to open that file. Obviously it
  fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.

  [Test case]
  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.

  Potential solutions:

  Solution A:
  Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all
  signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).

  Solution B:
  Implement and upstream NSS feature of resolving symlinks and looking
  for *.chk where the symlinks lead to.

** Changed in: nss (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: nss (Ubuntu)
   Importance: Undecided => Medium
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Summary changed:

- freebl_fipsSoftwareIntegrityTest fails in FIPS mode
+ [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

** Tags added: sts