[gnutls-help] Compiling with the FIPS option
Nikos Mavrogiannopoulos
nmav at gnutls.org
Wed Jan 14 08:13:47 CET 2015
On Wed, Jan 14, 2015 at 3:28 AM, jonetsu at teksavvy.com
<jonetsu at teksavvy.com> wrote:
> On Tue, 13 Jan 2015 14:25:21 +0100
> Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>
> Hello,
> Thanks for the reply. It did make some progress, but it's still not
> there. I have adjusted the lib path using ldconfig, and I have gotten
> the fipshmac utility from Red Hat's fipscheck package (1.4.1) and
> generated a .hmac file. Details below. The error now seems to
> revolve around not agreeing with the fipshmac utility.
Correct, I forgot about it. You'll need to patch gnutls' fips.c to use a key
that agrees with the fipscheck package. I.e., apply the following patch:
diff --git a/lib/fips.c b/lib/fips.c
index b99da2d..ac74533 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -107,7 +107,7 @@ void _gnutls_fips_mode_reset_zombie(void)
#define HOGWEED_LIBRARY_NAME "libhogweed.so.2"
#define GMP_LIBRARY_NAME "libgmp.so.10"
-static const char fips_key[] = "I'd rather be skiing";
+static const char fips_key[] = "orboDeJITITejsirpADONivirpUkvarP";
#define HMAC_SUFFIX ".hmac"
#define HMAC_SIZE 32
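Review bot: The replacement fips_key string on the + line is a magic value with no comment saying where it comes from. Add a comment stating that it has to match the key the fipshmac utility from the fipscheck package uses when it generates the .hmac file, since the check fails when the two disagree. Because the right value depends on which tool produced the .hmac file, consider a build-time define for the key instead of a source patch that every builder has to carry.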
>> You don't really need the FIPS140 mode. The library works much
>> better without it, as it is not restricted to NIST-approved
>> algorithms and random number generators.
> Is the restriction the only drawback or is there currently a problem
> using gnutls in FIPS mode ?
I'm referring to the restrictions. There is no other known problem in
FIPS140-2 mode.
regards,
Nikos
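
An added example, not part of the original message and not GnuTLS or fipscheck code: a diagnostic that reports which of the two keys from the patch reproduces a stored .hmac value. It assumes HMAC-SHA256 (from HMAC_SIZE 32), a .hmac file holding the digest as hex text, and keys used without a trailing NUL; the file names and sample bytes are constructed.

```python
import hashlib
import hmac
import os
import tempfile

HMAC_SIZE = 32  # bytes, as in the patch context; HMAC-SHA256 is assumed

# Both key strings appear in the patch; used without a trailing NUL (assumption).
KEYS = {
    "gnutls-stock": b"I'd rather be skiing",
    "fipscheck": b"orboDeJITITejsirpADONivirpUkvarP",
}

def file_hmac(path, key):
    """HMAC-SHA256 of a file, read in chunks so large libraries are fine."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.digest()

def read_hmac_file(path):
    """Parse a .hmac file assumed to hold the digest as hex text."""
    with open(path, "r", encoding="ascii") as fh:
        digest = bytes.fromhex(fh.read().strip())  # ValueError if not hex
    if len(digest) != HMAC_SIZE:
        raise ValueError(f"expected {HMAC_SIZE} bytes, got {len(digest)}")
    return digest

def matching_key(lib_path, hmac_path, keys=KEYS):
    """Return the name of the key that reproduces the stored HMAC, or None."""
    stored = read_hmac_file(hmac_path)
    for name, key in keys.items():
        if hmac.compare_digest(file_hmac(lib_path, key), stored):
            return name
    return None

def demo():
    """Constructed sample: a fake library plus a .hmac made with the fipscheck key."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libexample.so")        # hypothetical file name
        mac = os.path.join(d, ".libexample.so.hmac")  # hypothetical file name
        with open(lib, "wb") as fh:
            fh.write(b"\x7fELF constructed sample bytes")
        with open(mac, "w", encoding="ascii") as fh:
            fh.write(file_hmac(lib, KEYS["fipscheck"]).hex() + "\n")
        stock = file_hmac(lib, KEYS["gnutls-stock"])
        return matching_key(lib, mac), hmac.compare_digest(stock, read_hmac_file(mac))

if __name__ == "__main__":
    print(demo())
```

A result of None from matching_key means neither key reproduces the stored value, which points at a modified library or a .hmac file generated for a different build.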