When in FIPS mode, there are some additional checks performed.
They lead to verifying the binaries' signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the libraries themselves (libfreebl3.so libfreeblpriv3.so libnssckbi.so libnssdbm3.so libsoftokn3.so).
Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
The binaries are linked against the symlinks, so when the verification happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviously it fails, because the actual file is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss, not next to the symlink.
Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
Solution B:
Implement and upstream an NSS feature that resolves symlinks and looks for *.chk where the symlinks lead.
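The lookup mismatch described above, and the effect of both proposed solutions, as an added example that is not part of this report or of NSS: naive_chk_path() mimics the .so-to-.chk substitution the report attributes to mkCheckFileName, resolved_chk_path() is the hypothetical Solution B behaviour, and make_layout() builds a constructed stand-in of the Debian nss/ layout (flat=False) and of the flat Solution A layout (flat=True) in a temporary directory, creating an empty .chk for every listed library.

```python
import os
import tempfile

# Libraries the report says ship, with their *.chk signatures, in the nss/ subdir.
NSS_LIBS = ["libfreebl3.so", "libfreeblpriv3.so", "libnssckbi.so",
            "libnssdbm3.so", "libsoftokn3.so"]

def naive_chk_path(lib_path: str) -> str:
    """Mimic mkCheckFileName as the report describes it: swap .so for .chk on
    the path exactly as given, without resolving symlinks."""
    root, ext = os.path.splitext(lib_path)
    if ext != ".so":
        raise ValueError(f"not a .so path: {lib_path}")
    return root + ".chk"

def resolved_chk_path(lib_path: str) -> str:
    """Solution B (hypothetical): follow symlinks first, then derive .chk."""
    return naive_chk_path(os.path.realpath(lib_path))

def check_layout(libdir: str) -> dict:
    """Per library in libdir: would the naive / symlink-resolved lookup find a .chk?"""
    report = {}
    for name in NSS_LIBS:
        lib = os.path.join(libdir, name)
        report[name] = {"naive": os.path.exists(naive_chk_path(lib)),
                        "resolved": os.path.exists(resolved_chk_path(lib))}
    return report

def make_layout(base: str, flat: bool) -> str:
    """Constructed replica of the two layouts discussed in the report.
    flat=False: libs and .chk files in <base>/nss, symlinks one level up
                (current Debian packaging; a .chk is created for every lib here).
    flat=True:  libs and .chk files directly in <base> (Solution A)."""
    libdir = base if flat else os.path.join(base, "nss")
    os.makedirs(libdir, exist_ok=True)
    for name in NSS_LIBS:
        open(os.path.join(libdir, name), "wb").close()                # stand-in .so
        open(os.path.join(libdir, name[:-3] + ".chk"), "wb").close()  # stand-in signature
        if not flat:
            os.symlink(os.path.join("nss", name), os.path.join(base, name))
    return base

def demo(flat: bool = False) -> dict:
    """Build one layout in a temp dir and return check_layout() for it."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_layout(make_layout(tmp, flat))

if __name__ == "__main__":
    for flat in (False, True):
        print("Solution A flat layout" if flat else "Debian nss/ layout", demo(flat))
```

With the nss/ layout every naive lookup reports MISSING while the resolved lookup finds the signature; with the flat layout both succeed, which is why either solution clears the failure.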
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.