[gnutls-help] Compiling with the FIPS option

jonetsu at teksavvy.com jonetsu at teksavvy.com
Wed Jan 14 03:28:20 CET 2015


On Tue, 13 Jan 2015 14:25:21 +0100
Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

Hello,

Thanks for the reply.  It did made some progress, but it's still not
there.  I have adjusted the lib path using ldconfig, and I have gotten
the fipshmac utility from Red Hat's fipscheck package (1.4.1) and
generated a .hmac file.  Details below.  The error now seems to
revolve around not agreeing witht he fipshmac utility.

Basically. hiding all symlinks except one, the libs in /usr/local/lib/
are:

 libfipscheck.la*
 libfipscheck.so.1.2.1*
 libgnutls.la*
 libgnutls-openssl.la*
 libgnutls-openssl.so.27.0.2*
 libgnutls.so.28.41.3*
 libgnutlsxx.la*
 libgnutlsxx.so.28.1.0*
 libgnutls.so.28 -> libgnutls.so.28.41.3*

fipshmac is run in this way:

% fipshmac -d /usr/local/lib /usr/local/lib/libgnutls.so.28.*.*

And will generate in /usr/local/lib/ :

% libgnutls.so.28.41.3.hmac

Which contains:

1a9863c56622f4abeb8b58671f4036ae44131a932058299c14c7f115cbaf16fd

% gnutls-cli looks for /usr/local/lib/.libgnutls.so.28.hmac, so I rename
the hmac file:

% mv libgnutls.so.28.41.3.hmac .libgnutls.so.28.hmac


% ldd $(which gnutls-cli)
 [...]
 libgnutls.so.28 => /usr/local/lib/libgnutls.so.28 (0x00007f3fd6f64000)
 [...]
 
% gnutls-cli --fips140-mod
[...]
gnutls[2]: Loading: /usr/local/lib/libgnutls.so.28
gnutls[2]: Calculated MAC for libgnutls.so.28 does not match
gnutls[3]: ASSERT: fips.c:234
gnutls[3]: ASSERT: fips.c:358
[...]
library is in FIPS140-2 mode

Please note that I haven't generated the HMAC for nettle nor gmp yet,
since the nature of the error so far.  

The fipscheck utility has also a problem verifying the file, as it
returns a value of 13, when ran like this:

% fipscheck .libgnutls.so.28.hmac
fipscheck .libgnutls.so.28.hmac
% echo $?
13


What adjustments should now be done in order to get gnutls working in
FIPS mode ?

> You don't really need the FIPS140 mode. The library works much
> better without it, as it is not restricted to NIST-approved
> algorithms and random number generators.

Is the restriction the only drawback or is there currently a problem
using gnutls in FIPS mode ?

Regards.




More information about the Gnutls-help mailing list