[gnutls-help] Compiling with the FIPS option
nmav at gnutls.org
Wed Jan 14 08:13:47 CET 2015
On Wed, Jan 14, 2015 at 3:28 AM, jonetsu at teksavvy.com
<jonetsu at teksavvy.com> wrote:
> On Tue, 13 Jan 2015 14:25:21 +0100
> Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> Thanks for the reply. It did made some progress, but it's still not
> there. I have adjusted the lib path using ldconfig, and I have gotten
> the fipshmac utility from Red Hat's fipscheck package (1.4.1) and
> generated a .hmac file. Details below. The error now seems to
> revolve around not agreeing witht he fipshmac utility.
Correct, I forgot about it. You'll need to patch gnutls' fips.c to use a key
that agrees with the fipscheck package. I.e., apply the following patch:
diff --git a/lib/fips.c b/lib/fips.c
index b99da2d..ac74533 100644
@@ -107,7 +107,7 @@ void _gnutls_fips_mode_reset_zombie(void)
#define HOGWEED_LIBRARY_NAME "libhogweed.so.2"
#define GMP_LIBRARY_NAME "libgmp.so.10"
-static const char fips_key = "I'd rather be skiing";
+static const char fips_key = "orboDeJITITejsirpADONivirpUkvarP";
#define HMAC_SUFFIX ".hmac"
#define HMAC_SIZE 32
>> You don't really need the FIPS140 mode. The library works much
>> better without it, as it is not restricted to NIST-approved
>> algorithms and random number generators.
> Is the restriction the only drawback or is there currently a problem
> using gnutls in FIPS mode ?
I'm referring to the restrictions. There is no other known problem in
More information about the Gnutls-help