libnss3 reads fips_enabled flag and automatically switches to FIPS mode

Bug #1837734 reported by Vineetha Kamath on 2019-07-24
Affects        Status                   Importance   Assigned to       Milestone
nss (Ubuntu)   Status tracked in Eoan
  Xenial                                Undecided    Unassigned
  Bionic                                Undecided    Unassigned
  Disco                                 Undecided    Unassigned
  Eoan                                  High         Vineetha Kamath

Bug Description

[IMPACT]
nss is not a FIPS certified library. On a machine running a FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration, and since libnss3 is not a certified library we propose disabling reading of the 'fips_enabled' flag and therefore the automatic switch of the library into FIPS mode.

The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.

The issue impacts libnss3 versions in eoan, disco, bionic and xenial.

lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10

Version: 2:3.45-1ubuntu1

lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04

Version: 2:3.42-1ubuntu2

lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04

Version: 2:3.35-2ubuntu2.3

lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04

Version: 2:3.28.4-0ubuntu0.16.04

[FIX]
This fix proposes to disable libnss3 reading /proc/sys/crypto/fips_enabled. We only want FIPS certified modules reading this file and running in FIPS mode. libnss3 is not one of our FIPS certified modules, so it should not be reading this file alongside our FIPS certified modules to determine whether to run in FIPS mode.

Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. A user who uses this option should be doing so with that awareness.

[TEST]
Tested on xenial and bionic desktop ISOs running a FIPS enabled kernel and in FIPS mode. With the patch, no crashes were observed when launching the firefox browser.
Without the patch, firefox crashes.

Tested on xenial and bionic desktop ISOs running the non-FIPS generic kernel. With the patch, firefox worked as expected and no changes were observed.

[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled and it is not available in the standard Ubuntu archive. For users forcing FIPS through the environment variable, nothing has changed.
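As an added example that is not part of the bug report or of the nss package, the following POSIX shell script reproduces the decision the report describes, so an administrator can see on a given host which input (the kernel's fips_enabled flag or the NSS_FIPS variable) would put an NSS-based program into FIPS mode and, when modutil from libnss3-tools is installed, what the softoken itself reports. The function names are ours; it assumes that NSS_FIPS=1 is the value that forces FIPS mode (the report names the variable but not its accepted values) and that modutil -chkfips exits 0 only when the module's actual state matches the requested one.

```shell
#!/bin/sh
# Added example (ours, not the bug report's or the nss package's code): mimic
# the decision described in the report so an admin can see, on a given host,
# whether an NSS-based program would be pushed into FIPS mode and by what.
# Assumptions, not taken from the page: function names are ours; NSS_FIPS is
# treated as "set to 1 means force FIPS" (the page names the variable only);
# modutil's exit status is assumed to be 0 only when -chkfips agrees with the
# module's actual state.

# kernel_fips_flag [PATH]: echo 1 if the kernel advertises FIPS mode through
# the sysctl file (default /proc/sys/crypto/fips_enabled), else 0.  Generic
# Ubuntu kernels do not create the file at all, which the report relies on.
kernel_fips_flag() {
    path="${1:-/proc/sys/crypto/fips_enabled}"
    flag=""
    if [ -r "$path" ]; then
        IFS= read -r flag < "$path" || :
    fi
    case "$flag" in
        1*) echo 1 ;;   # only the leading character matters; NSS reads one byte
        *)  echo 0 ;;
    esac
}

# nss_fips_expected [PATH]: which input would push NSS into FIPS mode.
# Prints "env" (NSS_FIPS=1 in the environment, honoured before and after the
# patch), "kernel" (sysctl flag set, the path the patch disables) or "none".
nss_fips_expected() {
    if [ "${NSS_FIPS:-}" = "1" ]; then
        echo env
    elif [ "$(kernel_fips_flag "$1")" = "1" ]; then
        echo kernel
    else
        echo none
    fi
}

# nss_fips_actual DBDIR: ask the installed softoken directly via modutil
# (libnss3-tools).  Echoes fips, nonfips or unknown (tool or database missing).
nss_fips_actual() {
    dbdir="$1"
    if ! command -v modutil >/dev/null 2>&1 || [ ! -d "$dbdir" ]; then
        echo unknown
        return 0
    fi
    if modutil -dbdir "sql:$dbdir" -chkfips true >/dev/null 2>&1; then
        echo fips
    else
        echo nonfips
    fi
}

# Stand-alone report for the current host.
echo "kernel fips_enabled : $(kernel_fips_flag)"
echo "NSS_FIPS in env     : ${NSS_FIPS:-<unset>}"
echo "expected NSS source : $(nss_fips_expected)"
echo "softoken reports    : $(nss_fips_actual "${HOME:-/root}/.pki/nssdb")"
```

On a generic Ubuntu kernel the first line prints 0 because the sysctl file does not exist; on a FIPS kernel it prints 1, and a patched libnss3 would then report "kernel" as the expected source while the softoken stays out of FIPS mode unless NSS_FIPS is set.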

description: updated
Vineetha Kamath (vineetha) wrote :

The build log and test runs for the eoan build are on my test PPA
https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17312645

The build log and test runs for the disco build are on my test PPA
https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17315636

The build log and test runs for the bionic build are on my test PPA
https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17311607

The build log and test runs for the xenial build are on my test PPA
https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17311225

Vineetha Kamath (vineetha) wrote :

debdiff.eoan

Vineetha Kamath (vineetha) wrote :

debdiff.disco

Vineetha Kamath (vineetha) wrote :
Vineetha Kamath (vineetha) wrote :

debdiff.xenial

description: updated
description: updated
description: updated
summary: - firefox crash on a FIPS enabled machine due to libnss3
+ Firefox crash on a FIPS enabled machine due to libnss3
Changed in nss (Ubuntu Xenial):
status: New → Confirmed
Changed in nss (Ubuntu Bionic):
status: New → Confirmed
Changed in nss (Ubuntu Disco):
status: New → Confirmed
Changed in nss (Ubuntu Eoan):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs. Uploaded to eoan and to previous releases for processing by the SRU team, with slight versioning adjustment and the bug tag added to the changelog.

Thanks!

Changed in nss (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in nss (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in nss (Ubuntu Disco):
status: Confirmed → In Progress
Changed in nss (Ubuntu Eoan):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.45-1ubuntu2

---------------
nss (2:3.45-1ubuntu2) eoan; urgency=medium

  * Disable reading fips_enabled flag in FIPS mode. libnss is
    not a FIPS certified library. (LP: #1837734)

 -- Vineetha Kamath <email address hidden> Tue, 23 Jul 2019 20:58:12 +0000

Changed in nss (Ubuntu Eoan):
status: Fix Committed → Fix Released

Hello Vineetha, or anyone else affected,

Accepted nss into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nss/2:3.42-1ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in nss (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-disco
Changed in nss (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Vineetha, or anyone else affected,

Accepted nss into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nss/2:3.35-2ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Brian Murray (brian-murray) wrote :

Hello Vineetha, or anyone else affected,

Accepted nss into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.16.04.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in nss (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial

Test failed on xenial 16.04: https://paste.ubuntu.com/p/qbmkGS5RSB/

Already shared latest info and straces with Vineetha.

tags: added: verification-failed-xenial
removed: verification-needed-disco verification-needed-xenial
tags: added: verification-needed-disco

All autopkgtests for the newly accepted nss (2:3.35-2ubuntu2.4) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

openjdk-8/8u222-b10-1ubuntu1~18.04.1 (i386)
chrony/3.2-4ubuntu4.2 (arm64, ppc64el, armhf, i386, amd64, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#nss

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

summary: - Firefox crash on a FIPS enabled machine due to libnss3
+ libnss3 reads fips_enabled flag and automatically switches to FIPS mode
description: updated
Vineetha Kamath (vineetha) wrote :

The SRU was originally filed since firefox crashed due to libnss3 automatically entering FIPS mode. Firefox uses bundled nss, and hence a fix is being worked into the firefox library to address the crash.

libnss3 does not need this change. Upon careful examination of code, the code to read "fips_enabled" does not get compiled on Ubuntu.

The version of nss in the proposed pocket of Xenial that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

Changed in nss (Ubuntu Xenial):
status: Fix Committed → Won't Fix