RHEL-58260

shlibsign is broken in FIPS mode [rhel-9.6]


    • nss-3.101.0-10.el9_2
    • No
    • Low
    • ZStream
    • 1
    • rhel-security-crypto
    • ssg_security
    • 19
    • 21
    • 0.5
    • False
    • False
    • None
    • Yes
    • Crypto24Q4
    • Approved Blocker
    • shlibsign can generate an HMAC in FIPS mode (like it used to in 3.90)
    • Pass
    • Enabled
    • Automated
    • Bug Fix
    • .`shlibsign` now works in FIPS mode

      Before this update, the `shlibsign` program did not work in FIPS mode. Consequently, when you rebuilt an NSS library in FIPS mode, you had to leave FIPS mode to sign the library. The program has been fixed, and you can now use `shlibsign` in FIPS mode.
    • Done
    • None

      NSS 3.101 shlibsign is not working in FIPS mode:

      # rpm -q nss
      nss-3.101.0-7.el9_2
      # /usr/lib64/nss/unsupported-tools/shlibsign -v -o test -i /usr/lib64/libsoftokn3.so
      moduleSpec configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB, noModDB
      Library File: /usr/lib64/libsoftokn3.so
      Check File: test
      Generate an HMAC key ...
      HMAC key generation failed: 0x00000013, CKR_ATTRIBUTE_VALUE_INVALID
      NSPR error code: -8191: Unknown code ___f 1
      

      It used to work in 3.90:

      [root@rhel-9-5-0-20240828-2 ~]# rpm -q nss
      nss-3.90.0-7.el9_4.x86_64
      [root@rhel-9-5-0-20240828-2 ~]# /usr/lib64/nss/unsupported-tools/shlibsign -v -o test -i /usr/lib64/libsoftokn3.so
      moduleSpec configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB, noModDB
      Library File: /usr/lib64/libsoftokn3.so
      Check File: test
      Generate an HMAC key ...
      Library File Size: 360504 bytes
        key: 32 bytes
          16 e4 47 da 70 04 d7 f1 3a bb
          f5 06 fc 6b cb 9b 0c 3a cf 6f
          c7 18 90 ea 31 6e ac 1b fb 1c
          60 40
        signature: 32 bytes
          83 17 74 9b 42 52 ad dd c1 1c
          f7 8b cd ba b7 fc fb 74 01 b4
          57 3d 17 b3 6d 2c f9 92 a4 00
          70 ed
      

      It failed the same way with the -F option.

      And it works when NSC_GetFunctionList is used instead of C_GetFunctionList:

      Breakpoint 3, main (argc=<optimized out>, argv=<optimized out>)
          at /usr/src/debug/nss-3.101.0-7.el9_2.x86_64/nss/cmd/shlibsign/shlibsign.c:1428
      1428	        pC_GetFunctionList = (CK_C_GetFunctionList)
      (gdb) s
      PR_FindFunctionSymbol (lib=lib@entry=0x555555560150, raw_name=raw_name@entry=0x5555555593c8 "C_GetFunctionList")
          at linking/../../../../nspr/pr/src/linking/prlink.c:844
      844	{
      (gdb) set raw_name="NSC_GetFunctionList"
      (gdb) cont
      Continuing.
      moduleSpec configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB, noModDB
      Library File: /usr/lib64/libsoftokn3.so
      Check File: test
      Generate an HMAC key ...
      Library File Size: 368784 bytes
      

      Note that shlibsign is shipped under /usr/lib*/nss/unsupported-tools.
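      The report's verification criterion is that shlibsign can produce an HMAC over libsoftokn3.so while the kernel is in FIPS mode. The script below is an added example of how to automate that check; it is not part of the bug report or of NSS. It classifies a captured `shlibsign -v` transcript by the two markers visible in the outputs quoted above ("HMAC key generation failed" for the 3.101 failure, a "signature:" block for success) and, when run for real, refuses to report a pass unless /proc/sys/crypto/fips_enabled is 1, since a signature generated outside FIPS mode says nothing about this bug. The tool and library paths are the ones from the transcripts; the sample transcripts embedded in the script are constructed from those same outputs.

```shell
#!/bin/sh
# Added example, not part of the RHEL-58260 report or of NSS.
# Checks that shlibsign can generate an HMAC check file in FIPS mode.
# Assumptions: tool/library paths and output markers as seen in the
# transcripts quoted in the report; FIPS state read from the kernel flag.

SHLIBSIGN=/usr/lib64/nss/unsupported-tools/shlibsign
LIB=/usr/lib64/libsoftokn3.so

# Sample transcripts, constructed from the outputs quoted in the report.
SAMPLE_FAIL='Generate an HMAC key ...
HMAC key generation failed: 0x00000013, CKR_ATTRIBUTE_VALUE_INVALID'
SAMPLE_PASS='Generate an HMAC key ...
Library File Size: 360504 bytes
  key: 32 bytes
  signature: 32 bytes'

# Classify a captured `shlibsign -v` transcript given as $1.
# Prints "fail" if HMAC key generation reported an error, "pass" if a
# signature block was emitted, "unknown" otherwise. Exit status 0 only on pass.
classify_shlibsign_output() {
    out=$1
    case $out in
        *"HMAC key generation failed"*) echo fail;    return 1 ;;
        *"signature:"*)                 echo pass;    return 0 ;;
        *)                              echo unknown; return 2 ;;
    esac
}

# Run the real tool and classify its output. Exit status:
#   0 pass, 1 shlibsign failed, 3 preconditions not met (not FIPS, no tool).
verify_shlibsign_in_fips() {
    # The bug only shows in FIPS mode; a pass outside it proves nothing.
    if [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" != "1" ]; then
        echo "kernel is not in FIPS mode; nothing to verify" >&2
        return 3
    fi
    if [ ! -x "$SHLIBSIGN" ]; then
        echo "$SHLIBSIGN not found" >&2
        return 3
    fi
    chk=$(mktemp) || return 3
    out=$("$SHLIBSIGN" -v -o "$chk" -i "$LIB" 2>&1)
    verdict=$(classify_shlibsign_output "$out")
    # A pass also requires a non-empty check file to have been written.
    if [ "$verdict" = pass ] && [ -s "$chk" ]; then
        rm -f "$chk"
        return 0
    fi
    echo "$out" >&2
    rm -f "$chk"
    return 1
}

# Invoke as `sh check-shlibsign.sh run` on the host under test.
if [ "${1:-}" = "run" ]; then
    verify_shlibsign_in_fips && echo "shlibsign OK in FIPS mode"
fi
```

      The classifier treats the failure marker as decisive even if a "signature:" line were also present, so a partially successful transcript cannot be mistaken for a pass; the -F flag mentioned in the report can be appended to the shlibsign invocation without changing the check.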

              Robert Relyea
              Alexander Sosedkin
              Mirek Jahoda