** Also affects: nss (Ubuntu Groovy)
   Importance: Medium
     Assignee: Dariusz Gadomski (dgadomski)
       Status: In Progress

** Also affects: nss (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: nss (Ubuntu Focal)
     Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: nss (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: nss (Ubuntu Focal)
       Status: New => In Progress

You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.

  [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

Status in nss package in Ubuntu:
  In Progress
Status in nss source package in Bionic:
  In Progress
Status in nss source package in Focal:
  In Progress
Status in nss source package in Groovy:
  In Progress

Bug description:
  In FIPS mode there are some additional checks performed.

  They lead to verifying binaries signatures. Those signatures are
  shipped in the libnss3 package as *.chk files installed in
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
  libraries themselves (libfreebl3.so  libfreeblpriv3.so  libnssckbi.so
  libnssdbm3.so  libsoftokn3.so).

  Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 
/usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so

  The client binaries are linked against the symlinks, so when the verification 
happens (lib/freebl/shvfy.c) the mkCheckFileName function takes path to the 
symlink to the shlib and replaces the .so extension with .chk.
  Then it tries to open that file. Obviosly it fails, because the actual file 
is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.

  [Test case]
  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.

  Potential solutions:
  Solution A:
  Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures 
and libs in /usr/lib/$(DEB_HOST_MULTIARCH).

  Solution B:
  Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like it is 
done for *.so).

  Solution C:
  Implement and upstream NSS feature of resolving symlinks and looking for 
*.chk where the symlinks lead to.

To manage notifications about this bug go to:

Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to