libnss3 reads fips_enabled flag and automatically switches to FIPS mode
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
nss (Ubuntu) |
Fix Released
|
High
|
Vineetha Kamath | ||
Xenial |
Won't Fix
|
Undecided
|
Unassigned | ||
Bionic |
Won't Fix
|
Undecided
|
Unassigned | ||
Disco |
Won't Fix
|
Undecided
|
Unassigned | ||
Eoan |
Fix Released
|
High
|
Vineetha Kamath |
Bug Description
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/
The proposed patch disables reading the /proc/sys/
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
Version: 2:3.45-1ubuntu1
lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04
Version: 2:3.42-1ubuntu2
lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04
Version: 2:3.35-2ubuntu2.3
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Version: 2:3.28.
[FIX]
This fix proposes to disable libnss3 reading proc/sys/
Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness.
[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser.
Without the patch fix, firefox crashes.
Tested on a xenial and bionic desktop ISO running non-FIPS generic kernel. With the patch fix, firefox worked as expected and no changes were observed.
[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/
Related branches
- Canonical Server: Pending requested
- Canonical Server Core Reviewers: Pending requested
-
Diff: 212443 lines (+105527/-55021) (has conflicts)243 files modifieddebian/changelog (+21/-0)
debian/libnss3.symbols (+1/-0)
nss/.hg_archival.txt (+3/-3)
nss/.taskcluster.yml (+1/-1)
nss/Makefile (+1/-0)
nss/automation/abi-check/expected-report-libnss3.so.txt (+31/-2)
nss/automation/abi-check/expected-report-libsmime3.so.txt (+11/-0)
nss/automation/abi-check/expected-report-libssl3.so.txt (+7/-19)
nss/automation/abi-check/previous-nss-release (+1/-1)
nss/automation/release/nspr-version.txt (+1/-1)
nss/automation/taskcluster/docker-gcc-4.4/Dockerfile (+1/-0)
nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc (+143/-0)
nss/automation/taskcluster/docker-hacl/Dockerfile (+2/-1)
nss/automation/taskcluster/docker-hacl/setup.sh (+7/-3)
nss/automation/taskcluster/graph/src/extend.js (+127/-28)
nss/automation/taskcluster/graph/src/queue.js (+9/-1)
nss/automation/taskcluster/graph/src/try_syntax.js (+12/-1)
nss/automation/taskcluster/scripts/build.sh (+6/-0)
nss/automation/taskcluster/scripts/build_gyp.sh (+7/-1)
nss/automation/taskcluster/scripts/build_nspr.sh (+6/-0)
nss/automation/taskcluster/scripts/build_softoken.sh (+3/-2)
nss/automation/taskcluster/scripts/check_abi.sh (+6/-0)
nss/automation/taskcluster/scripts/gen_coverage_report.sh (+6/-0)
nss/automation/taskcluster/scripts/run_coverity.sh (+7/-1)
nss/automation/taskcluster/scripts/run_scan_build.sh (+6/-0)
nss/automation/taskcluster/windows/build.sh (+6/-0)
nss/automation/taskcluster/windows/build_gyp.sh (+7/-1)
nss/build.sh (+70/-40)
nss/cmd/addbuiltin/addbuiltin.c (+62/-27)
nss/cmd/httpserv/httpserv.c (+1/-1)
nss/cmd/lib/Makefile (+1/-0)
nss/cmd/lib/derprint.c (+3/-1)
nss/cmd/lib/lib.gyp (+2/-1)
nss/cmd/lib/manifest.mn (+2/-0)
nss/cmd/lib/pk11table.c (+2/-0)
nss/cmd/lib/secpwd.c (+1/-1)
nss/cmd/lib/secutil.c (+208/-28)
nss/cmd/lib/secutil.h (+14/-0)
nss/cmd/p7env/p7env.c (+2/-2)
nss/cmd/pk11importtest/pk11importtest.c (+3/-1)
nss/cmd/pk11mode/pk11mode.c (+1/-1)
nss/cmd/pk12util/pk12util.c (+1/-0)
nss/cmd/platlibs.mk (+2/-2)
nss/cmd/selfserv/selfserv.c (+36/-6)
nss/cmd/shlibsign/shlibsign.c (+1/-1)
nss/cmd/strsclnt/strsclnt.c (+34/-7)
nss/cmd/symkeyutil/symkeyutil.c (+1/-1)
nss/cmd/tstclnt/tstclnt.c (+38/-3)
nss/cmd/vfyserv/vfyserv.c (+6/-1)
nss/coreconf/UNIX.mk (+1/-3)
nss/coreconf/WIN32.mk (+3/-10)
nss/coreconf/config.gypi (+1/-0)
nss/coreconf/nspr.sh (+18/-3)
nss/cpputil/freebl_scoped_ptrs.h (+33/-0)
nss/cpputil/nss_scoped_ptrs.h (+18/-17)
nss/cpputil/scoped_ptrs_util.h (+5/-0)
nss/cpputil/tls_parser.h (+1/-0)
nss/fuzz/fuzz.gyp (+1/-0)
nss/gtests/common/testvectors/curve25519-vectors.h (+63/-3)
nss/gtests/common/testvectors/kw-vectors.h (+1940/-0)
nss/gtests/der_gtest/der_quickder_unittest.cc (+38/-13)
nss/gtests/freebl_gtest/cmac_unittests.cc (+187/-0)
nss/gtests/freebl_gtest/freebl_gtest.gyp (+2/-0)
nss/gtests/freebl_gtest/mpi_unittest.cc (+1/-1)
nss/gtests/mozpkix_gtest/mozpkix_gtest.gyp (+1/-0)
nss/gtests/mozpkix_gtest/pkixder_input_tests.cpp (+4/-2)
nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp (+50/-0)
nss/gtests/pk11_gtest/manifest.mn (+5/-1)
nss/gtests/pk11_gtest/pk11_aes_cmac_unittest.cc (+91/-0)
nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc (+60/-49)
nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc (+90/-100)
nss/gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc (+415/-0)
nss/gtests/pk11_gtest/pk11_cbc_unittest.cc (+217/-0)
nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc (+67/-23)
nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc (+67/-15)
nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc (+5/-0)
nss/gtests/pk11_gtest/pk11_ecdsa_vectors.h (+32/-0)
nss/gtests/pk11_gtest/pk11_find_certs_unittest.cc (+311/-111)
nss/gtests/pk11_gtest/pk11_gtest.gyp (+8/-2)
nss/gtests/pk11_gtest/pk11_import_unittest.cc (+25/-141)
nss/gtests/pk11_gtest/pk11_key_unittest.cc (+80/-0)
nss/gtests/pk11_gtest/pk11_keygen.cc (+143/-0)
nss/gtests/pk11_gtest/pk11_keygen.h (+34/-0)
nss/gtests/pk11_gtest/pk11_seed_cbc_unittest.cc (+71/-0)
nss/gtests/pk11_gtest/pk11_signature_test.h (+3/-0)
nss/gtests/softoken_gtest/manifest.mn (+10/-1)
nss/gtests/softoken_gtest/softoken_gtest.cc (+187/-0)
nss/gtests/softoken_gtest/softoken_gtest.gyp (+6/-0)
nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc (+124/-0)
nss/gtests/ssl_gtest/libssl_internals.c (+19/-0)
nss/gtests/ssl_gtest/libssl_internals.h (+2/-1)
nss/gtests/ssl_gtest/manifest.mn (+1/-0)
nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc (+41/-0)
nss/gtests/ssl_gtest/ssl_auth_unittest.cc (+153/-8)
nss/gtests/ssl_gtest/ssl_cert_ext_unittest.cc (+2/-2)
nss/gtests/ssl_gtest/ssl_cipherorder_unittest.cc (+241/-0)
nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc (+19/-0)
nss/gtests/ssl_gtest/ssl_extension_unittest.cc (+1/-1)
nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc (+1/-1)
nss/gtests/ssl_gtest/ssl_gtest.gyp (+1/-0)
nss/gtests/ssl_gtest/ssl_record_unittest.cc (+36/-0)
nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc (+3/-2)
nss/gtests/ssl_gtest/ssl_renegotiation_unittest.cc (+23/-0)
nss/gtests/ssl_gtest/ssl_resumption_unittest.cc (+105/-13)
nss/gtests/ssl_gtest/tls_agent.cc (+21/-17)
nss/gtests/ssl_gtest/tls_agent.h (+7/-6)
nss/gtests/ssl_gtest/tls_esni_unittest.cc (+1/-1)
nss/gtests/ssl_gtest/tls_subcerts_unittest.cc (+243/-33)
nss/help.txt (+6/-0)
nss/lib/certdb/certdb.c (+6/-20)
nss/lib/certdb/certt.h (+15/-0)
nss/lib/certdb/stanpcertdb.c (+11/-12)
nss/lib/certhigh/certvfy.c (+43/-23)
nss/lib/ckfw/builtins/README (+62/-1)
nss/lib/ckfw/builtins/certdata.txt (+313/-630)
nss/lib/ckfw/builtins/manifest.mn (+2/-0)
nss/lib/ckfw/builtins/nssckbi.h (+2/-2)
nss/lib/ckfw/builtins/testlib/Makefile (+52/-0)
nss/lib/ckfw/builtins/testlib/builtins-testlib.gyp (+64/-0)
nss/lib/ckfw/builtins/testlib/certdata-testlib.txt (+479/-0)
nss/lib/ckfw/builtins/testlib/config.mk (+38/-0)
nss/lib/ckfw/builtins/testlib/manifest.mn (+25/-0)
nss/lib/ckfw/builtins/testlib/nssckbi-testlib.rc (+52/-0)
nss/lib/ckfw/builtins/testlib/testcert_err_distrust.txt (+50/-0)
nss/lib/ckfw/builtins/testlib/testcert_no_distrust.txt (+50/-0)
nss/lib/ckfw/builtins/testlib/testcert_ok_distrust.txt (+50/-0)
nss/lib/ckfw/manifest.mn (+1/-1)
nss/lib/freebl/Makefile (+29/-1)
nss/lib/freebl/aes-armv8.c (+1168/-0)
nss/lib/freebl/aes-armv8.h (+103/-0)
nss/lib/freebl/aeskeywrap.c (+2/-1)
nss/lib/freebl/blapi.h (+1/-0)
nss/lib/freebl/blinit.c (+49/-1)
nss/lib/freebl/chacha20poly1305.c (+5/-0)
nss/lib/freebl/cmac.c (+322/-0)
nss/lib/freebl/cmac.h (+47/-0)
nss/lib/freebl/ctr.c (+12/-0)
nss/lib/freebl/drbg.c (+90/-9)
nss/lib/freebl/ec.c (+1/-1)
nss/lib/freebl/ecl/curve25519_32.c (+4/-0)
nss/lib/freebl/exports.gyp (+1/-0)
nss/lib/freebl/freebl.gyp (+68/-0)
nss/lib/freebl/freebl_base.gypi (+1/-0)
nss/lib/freebl/gcm-aarch64.c (+96/-0)
nss/lib/freebl/gcm.c (+27/-2)
nss/lib/freebl/gcm.h (+6/-0)
nss/lib/freebl/intel-aes.h (+3/-3)
nss/lib/freebl/intel-gcm-wrap.c (+31/-0)
nss/lib/freebl/ldvector.c (+10/-1)
nss/lib/freebl/loader.c (+51/-0)
nss/lib/freebl/loader.h (+15/-1)
nss/lib/freebl/manifest.mn (+3/-0)
nss/lib/freebl/mpi/README (+1/-0)
nss/lib/freebl/mpi/mpcpucache.c (+1/-1)
nss/lib/freebl/mpi/mpi.c (+30/-12)
nss/lib/freebl/mpi/mpi.h (+10/-1)
nss/lib/freebl/pqg.c (+4/-4)
nss/lib/freebl/rijndael.c (+17/-4)
nss/lib/freebl/rsapkcs.c (+13/-10)
nss/lib/freebl/seed.c (+26/-7)
nss/lib/freebl/verified/FStar.c (+1/-1)
nss/lib/freebl/verified/FStar.h (+1/-1)
nss/lib/freebl/verified/Hacl_Chacha20.c (+1/-1)
nss/lib/freebl/verified/Hacl_Chacha20.h (+1/-1)
nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c (+1/-1)
nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h (+1/-1)
nss/lib/freebl/verified/Hacl_Curve25519.c (+1/-1)
nss/lib/freebl/verified/Hacl_Curve25519.h (+1/-1)
nss/lib/freebl/verified/Hacl_Poly1305_32.c (+1/-1)
nss/lib/freebl/verified/Hacl_Poly1305_32.h (+1/-1)
nss/lib/freebl/verified/Hacl_Poly1305_64.c (+1/-1)
nss/lib/freebl/verified/Hacl_Poly1305_64.h (+1/-1)
nss/lib/freebl/verified/kremlib.h (+1/-1)
nss/lib/freebl/verified/kremlib_base.h (+1/-1)
nss/lib/freebl/verified/vec128.h (+1/-1)
nss/lib/jar/jarfile.c (+26/-18)
nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapdefaultclient.c (+3/-2)
nss/lib/mozpkix/include/pkix/pkixder.h (+11/-0)
nss/lib/mozpkix/lib/pkixcert.cpp (+7/-12)
nss/lib/mozpkix/test-lib/pkixtestnss.cpp (+6/-5)
nss/lib/nss/nss.def (+7/-1)
nss/lib/nss/nss.h (+2/-2)
nss/lib/pk11wrap/debug_module.c (+2/-0)
nss/lib/pk11wrap/pk11cert.c (+87/-0)
nss/lib/pk11wrap/pk11load.c (+4/-6)
nss/lib/pk11wrap/pk11mech.c (+4/-0)
nss/lib/pk11wrap/pk11pk12.c (+4/-0)
nss/lib/pk11wrap/pk11pub.h (+8/-0)
nss/lib/pki/pki3hack.c (+42/-13)
nss/lib/smime/cmssiginfo.c (+82/-25)
nss/lib/softoken/fipstokn.c (+24/-4)
nss/lib/softoken/legacydb/lgattr.c (+1/-1)
nss/lib/softoken/pkcs11.c (+18/-8)
nss/lib/softoken/pkcs11c.c (+323/-69)
nss/lib/softoken/pkcs11i.h (+2/-2)
nss/lib/softoken/pkcs11u.c (+5/-18)
nss/lib/softoken/sdb.c (+1/-1)
nss/lib/softoken/softkver.h (+2/-2)
nss/lib/softoken/tlsprf.c (+1/-1)
nss/lib/sqlite/Makefile (+2/-0)
nss/lib/sqlite/README (+1/-1)
nss/lib/sqlite/sqlite.gyp (+9/-1)
nss/lib/sqlite/sqlite3.c (+90169/-52437)
nss/lib/sqlite/sqlite3.h (+3773/-611)
nss/lib/ssl/ssl3con.c (+283/-154)
nss/lib/ssl/ssl3ext.c (+3/-0)
nss/lib/ssl/ssl3exthandle.c (+8/-3)
nss/lib/ssl/sslexp.h (+39/-0)
nss/lib/ssl/sslimpl.h (+10/-6)
nss/lib/ssl/sslsock.c (+115/-0)
nss/lib/ssl/sslt.h (+7/-1)
nss/lib/ssl/tls13con.c (+23/-16)
nss/lib/ssl/tls13esni.c (+1/-1)
nss/lib/ssl/tls13subcerts.c (+184/-11)
nss/lib/util/nssutil.h (+2/-2)
nss/lib/util/pkcs11n.h (+2/-0)
nss/lib/util/pkcs11t.h (+3/-0)
nss/lib/util/quickder.c (+1/-1)
nss/lib/util/utilmod.c (+4/-1)
nss/mach (+11/-3)
nss/nss.gyp (+3/-0)
nss/tests/all.sh (+3/-9)
nss/tests/cert/cert.sh (+1/-1)
nss/tests/common/certsetup.sh (+9/-2)
nss/tests/common/cleanup.sh (+9/-2)
nss/tests/fips/cavs_scripts/aes.sh (+2/-0)
nss/tests/fips/cavs_scripts/aesgcm.sh (+2/-0)
nss/tests/fips/cavs_scripts/dsa.sh (+2/-0)
nss/tests/fips/cavs_scripts/ecdsa.sh (+2/-0)
nss/tests/fips/cavs_scripts/hmac.sh (+3/-0)
nss/tests/fips/cavs_scripts/ike.sh (+2/-0)
nss/tests/fips/cavs_scripts/kas.sh (+2/-0)
nss/tests/fips/cavs_scripts/rng.sh (+3/-0)
nss/tests/fips/cavs_scripts/rsa.sh (+2/-0)
nss/tests/fips/cavs_scripts/sha.sh (+2/-0)
nss/tests/fips/cavs_scripts/tdea.sh (+2/-0)
nss/tests/fips/cavs_scripts/tls.sh (+3/-0)
nss/tests/policy/policy.sh (+1/-1)
nss/tests/smime/smime.sh (+213/-22)
nss/tests/ssl/ssl.sh (+64/-9)
nss/tests/ssl_gtests/ssl_gtests.sh (+1/-0)
nss/tests/tlsfuzzer/config.json.in (+20/-0)
nss/tests/tlsfuzzer/tlsfuzzer.sh (+3/-3)
description: | updated |
description: | updated |
description: | updated |
summary: |
- firefox crash on a FIPS enabled machine due to libnss3 + Firefox crash on a FIPS enabled machine due to libnss3 |
Changed in nss (Ubuntu Xenial): | |
status: | New → Confirmed |
Changed in nss (Ubuntu Bionic): | |
status: | New → Confirmed |
Changed in nss (Ubuntu Disco): | |
status: | New → Confirmed |
Changed in nss (Ubuntu Eoan): | |
status: | New → Confirmed |
summary: |
- Firefox crash on a FIPS enabled machine due to libnss3 + libnss3 reads fips_enabled flag and automatically switches to FIPS mode |
description: | updated |
Changed in nss (Ubuntu Disco): | |
status: | Fix Committed → Won't Fix |
The build log and test runs for eoan build is on my test ppa /launchpad. net/~vineetha/ +archive/ ubuntu/ test-ppa/ +build/ 17312645
https:/
The build log and test runs for disco build is on my test ppa /launchpad. net/~vineetha/ +archive/ ubuntu/ test-ppa/ +build/ 17315636
https:/
The build log and test runs for bionic build is on my test ppa /launchpad. net/~vineetha/ +archive/ ubuntu/ test-ppa/ +build/ 17311607
https:/
The build log and test runs for xenial build is on my test ppa /launchpad. net/~vineetha/ +archive/ ubuntu/ test-ppa/ +build/ 17311225
https:/