Bug 806588 - Disable SSL PKCS #11 bypass at build time
Disable SSL PKCS #11 bypass at build time
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: nss (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Elio Maldonado Batiz
Fedora Extras Quality Assurance
: Patch
Depends On:
Blocks: 689918 689919
  Show dependency treegraph
 
Reported: 2012-03-25 00:52 EDT by Elio Maldonado Batiz
Modified: 2012-12-18 22:11 EST (History)
3 users (show)

See Also:
Fixed In Version: nss-3.14-9.fc19, nss-3.14-6.fc18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-11-27 00:03:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Disables ssl bypass at build time (12.83 KB, patch)
2012-03-25 14:58 EDT, Elio Maldonado Batiz
no flags Details | Diff
Disable ssl pkcs11 layer bypass at build time (13.16 KB, patch)
2012-03-30 18:33 EDT, Elio Maldonado Batiz
no flags Details | Diff
Disable sslbypass at build time (14.78 KB, patch)
2012-04-14 14:34 EDT, Elio Maldonado Batiz
no flags Details | Diff
Disable ssl pkcs11 bypass at build time and preserve ABI (18.24 KB, patch)
2012-05-14 14:20 EDT, Elio Maldonado Batiz
no flags Details | Diff
Disable ssl pkcs #11 bypass at buitime (23.20 KB, patch)
2012-06-26 18:06 EDT, Elio Maldonado Batiz
no flags Details | Diff
Disable ssl pkcs #11 bypass at buildtime (23.37 KB, patch)
2012-06-27 10:19 EDT, Elio Maldonado Batiz
rrelyea: review-
Details | Diff
Return failure if caller mistakenly requests bypass at runtime (742 bytes, patch)
2012-11-09 18:30 EST, Elio Maldonado Batiz
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 745281 None None None Never

  None (edit)
Description Elio Maldonado Batiz 2012-03-25 00:52:52 EDT
Description of problem: The environment variable SSLBYPASS when set allows NSS SSL/TLS to bypass the PKCS #11 layer. The user is advised to not set this variable if FIPS is enabled. We do not support the SSLBYPASS, neither in Fedora nor in RHEL, and so we should disable the feature at build time. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.
  
Actual results:

Expected results:

Additional info:
Comment 1 Elio Maldonado Batiz 2012-03-25 14:58:57 EDT
Created attachment 572564 [details]
Disables ssl bypass at build time
Comment 2 Elio Maldonado Batiz 2012-03-28 20:15:09 EDT
Comment on attachment 572564 [details]
Disables ssl bypass at build time

My own comment: NSS_ALLOW_SSLBYPASS is too long, no need for the NSS_ in front to disambiguate as this is not a runtime environment variable but a build time variable.
Comment 3 Elio Maldonado Batiz 2012-03-30 18:33:13 EDT
Created attachment 574100 [details]
Disable ssl pkcs11 layer bypass at build time
Comment 4 Elio Maldonado Batiz 2012-03-30 18:38:20 EDT
Comment on attachment 574100 [details]
Disable ssl pkcs11 layer bypass at build time

One must add export NSS_NOSSLBYPASS=1
to the %build section of nss.spec to trigger CFLAGS +=NOSSLBYPASS
Comment 5 Elio Maldonado Batiz 2012-04-14 14:34:17 EDT
Created attachment 577475 [details]
Disable sslbypass at build time
Comment 6 Kai Engert (:kaie) 2012-04-17 20:01:18 EDT
Elio, I reviewed the patch in the upstream bug, is that sufficient?
Comment 7 Elio Maldonado Batiz 2012-04-17 21:15:54 EDT
Kai, I don't think so. That's because this patch for Fedora disables SSLBYPASS unconditionally whereas the upstream patch requires the package maintainer to setting the build time environment variable to activate the disabling. Thanks for the prompt review on the upstream one.
Comment 8 Elio Maldonado Batiz 2012-04-18 11:32:36 EDT
On second thought, for the sake of consistency I should rely on the upstream patch instead. I should submit the upstream one suitably one adapted for 3.13.4 and with the modifications that Kai suggested upstream. It makes life easier.
Comment 9 Kai Engert (:kaie) 2012-04-19 09:22:11 EDT
Comment on attachment 577475 [details]
Disable sslbypass at build time

(In reply to comment #8)
> for the sake of consistency I should rely on the upstream patch instead

I understand this patch is now obsolete.
Comment 10 Elio Maldonado Batiz 2012-05-14 14:20:38 EDT
Created attachment 584430 [details]
Disable ssl pkcs11 bypass at build time and preserve ABI

Submitting for upstream review as well.
Comment 11 Elio Maldonado Batiz 2012-05-15 19:30:01 EDT
Comment on attachment 584430 [details]
Disable ssl pkcs11 bypass at build time and preserve ABI

Cancelling the request for review due to upstream feedback.
Comment 12 Elio Maldonado Batiz 2012-06-26 16:41:52 EDT
After modifications and expansion the patch has been approved and committed upstream for nss-3.14.
Comment 13 Elio Maldonado Batiz 2012-06-26 18:06:36 EDT
Created attachment 594623 [details]
Disable ssl pkcs #11 bypass at buitime

This is a backport to nss-3.13.5 of the changes committed upstream for nss-3.14.
Requires adding 'export NSS_NO_PKCS11_BYPASS=1' to the %build section of nss.spec for it to take effect as the default is to allow bypass to occur as before.
Comment 14 Elio Maldonado Batiz 2012-06-27 10:19:32 EDT
Created attachment 594787 [details]
Disable ssl pkcs #11 bypass at buildtime

Follows the upstream one a bit more closely.
Comment 15 Bob Relyea 2012-06-28 19:04:27 EDT
Comment on attachment 594787 [details]
Disable ssl pkcs #11 bypass at buildtime

r-

Well this would work, sort of, but rather than

if (bypass) {
#ifndef NO_BYPASS
  code
#endif
} else {


I'd like to see

#ifdef NO_BYPASS
if (bypass) {
    code
} else
#endif
{
Comment 16 Elio Maldonado Batiz 2012-06-28 19:18:32 EDT
Bob, please make those comments also in the bug 
https://bugzilla.mozilla.org/show_bug.cgi?id=745281

The multicolor explanation on a whiteboard of the three styles was very clear and to the point.
Comment 17 Elio Maldonado Batiz 2012-11-09 18:23:42 EST
The upstram bug https://bugzilla.mozilla.org/show_bug.cgi?id=745281
was fixed in nss-3.14 to which we have rebased nss in fedora. That is the bulck of the work but a small part remains. The upstream fix was to provide the option of disabling SSL PKCS #11 bypass at build time. What remains is mostly for the downstream nss packager maintainer exersize his option. Add to the %build section of the nss.spc file:

NSS_NO_PKCS11_BYPASS=1
export NSS_NO_PKCS11_BYPASS
Comment 18 Elio Maldonado Batiz 2012-11-09 18:30:49 EST
Created attachment 641885 [details]
Return failure if caller mistakenly requests bypass at runtime

Besides disabling bypass at buildtime, also protect user from mistajenly trying to enable it via the environment variable. Fedora has never supported bypass so compatibility is not an issue
Comment 19 Fedora Update System 2012-11-09 22:34:16 EST
nss-softokn-3.14-1.fc18, nss-util-3.14-1.fc18, nss-3.14-6.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/FEDORA-2012-17351/nss-3.14-6.fc18,nss-softokn-3.14-1.fc18,nss-util-3.14-1.fc18
Comment 20 Fedora Update System 2012-11-13 14:05:58 EST
Package nss-softokn-3.14-1.fc18, nss-util-3.14-1.fc18, nss-3.14-6.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-softokn-3.14-1.fc18 nss-util-3.14-1.fc18 nss-3.14-6.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17351/nss-3.14-6.fc18,nss-softokn-3.14-1.fc18,nss-util-3.14-1.fc18
then log in and leave karma (feedback).
Comment 21 Fedora Update System 2012-11-21 15:53:55 EST
Package nss-util-3.14-1.fc18, nss-3.14-7.fc18, nss-softokn-3.14-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-util-3.14-1.fc18 nss-3.14-7.fc18 nss-softokn-3.14-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17351/nss-3.14-7.fc18,nss-softokn-3.14-5.fc18,nss-util-3.14-1.fc18
then log in and leave karma (feedback).
Comment 22 Fedora Update System 2012-11-23 22:42:15 EST
nss-util-3.14-1.fc17,nss-softokn-3.14-5.fc17,nss-3.14-7.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/nss-util-3.14-1.fc17,nss-softokn-3.14-5.fc17,nss-3.14-7.fc17
Comment 23 Fedora Update System 2012-11-27 00:03:53 EST
nss-util-3.14-1.fc18, nss-3.14-7.fc18, nss-softokn-3.14-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Fedora Update System 2012-12-11 23:33:25 EST
nss-util-3.14-1.fc17, nss-softokn-3.14-5.fc17, nss-3.14-7.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2012-12-18 22:11:49 EST
nss-util-3.14-1.fc16,nss-softokn-3.14-5.fc16,nss-3.14-7.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/nss-util-3.14-1.fc16,nss-softokn-3.14-5.fc16,nss-3.14-7.fc16

Note You need to log in before you can comment on or make changes to this bug.