[gnutls-help] Compiling with the FIPS option

jonetsu at teksavvy.com jonetsu at teksavvy.com
Tue Jan 13 11:47:04 CET 2015


Hello,

I'm trying to compile gnutls-3.3.11 with the FIPS option.  The host
already has a libgnutls.so.28 installed but, I'm using the default
location of /usr/local/lib/ so this should cause no problem.  But it
does.  Here are the details.

This is in two parts.  The first part is about the error in the
linking of gnutls-cli against the /usr/local/lib/ new install.  The
second part is about some HMAC files that are missing.

Help would be greatly appreciated!

Already on the host (a Linux Mint 17 system, 64-bit):

% dpkg -l | grep tls
  [...]
  libgnutls28:amd64  3.2.11-2ubuntu1

Compiling the source:

% ./configure --enable-fips140-mode

Option is really set:

  [...]
  FIPS140 mode:   yes

Building, installing:

% make
% make install

1)

Verifying that gnutls-cli is the new one from /usr/local/:

% which gnutls-cli
/usr/local/bin/gnutls-cli

Verifying the lib link:

% ldd /usr/local/bin/gnutls-cli
 libgnutls.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls.so.28 (0x00007f6c2f0e9000)

Please note that it is linked against the host's library.

Verifying the FIPS option will then appropriately report an error:

% gnutls-cli --fips140-mode

gnutls-cli: relocation error: gnutls-cli: symbol
gnutls_fips140_mode_enabled, version GNUTLS_3_1_0 not defined in file
libgnutls.so.28 with link time reference

Why does it link to the lib in /usr/lib/x86_64-linux-gnu/ instead of
using its own in /usr/local?



2) Re-do the host's link to point to the new lib:

libgnutls.so.28 -> /usr/local/lib/libgnutls.so.28

% gnutls-cli --fips140-mode
library is NOT in FIPS140-2 mode

OK.  Exporting the env. var.:

% export GNUTLS_FORCE_FIPS_MODE=1

% gnutls-cli --fips140-mode
Error in GnuTLS initialization: Error while performing self checks.
library is in FIPS140-2 mode

Now it goes that far.  When enabling some debug output, we see that it
fails trying to access some HMAC files.  These files are nowhere to be
found, either on the host, or in the fresh sources.

% gnutls-cli --fips140-mode

gnutls[2]: Loading: /usr/lib/x86_64-linux-gnu/libgnutls.so.28

gnutls[2]: Could not open
/usr/lib/x86_64-linux-gnu/.libgnutls.so.28.hmac for MAC testing: Error
while reading file.

gnutls[2]: Could not open
/usr/lib/x86_64-linux-gnu/fipscheck/libgnutls.so.28.hmac for MAC
testing: Error while reading file.


How to get GnuTLS compiled in the right manner to have a FIPS build?

Thanks.
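The two symptoms in this post (gnutls-cli resolving the host's older libgnutls.so.28, and the FIPS self-check failing because no .hmac file sits beside the library it loaded) can both be checked in one place before running the binary. The script below is an added example, not code from the post or from the GnuTLS project. It parses ldd output to find which file a given soname resolves to, tests whether that file lives under the install prefix you expect (assumed here to be /usr/local), and looks for the two HMAC file locations that the debug output in the post shows GnuTLS trying: `<dir>/.<lib>.hmac` and `<dir>/fipscheck/<lib>.hmac`. The ldd line embedded as `SAMPLE_LDD` is constructed from the one quoted in the post, so the script runs offline with no arguments.

```shell
#!/bin/sh
# Added diagnostic for a FIPS-mode GnuTLS install (not from the original
# post or the GnuTLS project). It answers two questions about a binary:
#   1. which libgnutls does the dynamic linker actually resolve, and is it
#      under the prefix we installed into?
#   2. does an HMAC file exist at either location the FIPS self-check
#      looked for in the post's debug output?

# Constructed sample: the ldd output line quoted in the post, joined onto
# one line so the script can be exercised without a real binary.
SAMPLE_LDD='        libgnutls.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls.so.28 (0x00007f6c2f0e9000)'

# Read ldd-style output on stdin and print the path the given soname
# resolves to (nothing if the soname is absent or unresolved).
resolved_lib_path() {
    awk -v so="$1" '$1 == so && $2 == "=>" { print $3; exit }'
}

# Print the two HMAC file paths the post shows GnuTLS trying, in that order.
hmac_candidates() {
    dir=$(dirname "$1"); base=$(basename "$1")
    printf '%s\n' "$dir/.$base.hmac" "$dir/fipscheck/$base.hmac"
}

# Succeed if at least one of the candidate HMAC files exists for a library.
hmac_present() {
    dir=$(dirname "$1"); base=$(basename "$1")
    [ -f "$dir/.$base.hmac" ] || [ -f "$dir/fipscheck/$base.hmac" ]
}

# Succeed if the library path lies under the given install prefix.
under_prefix() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Full report: ldd output on stdin, soname and expected prefix as arguments.
# Returns 0 only when the library is under the prefix and has an HMAC file.
check_resolution() {
    soname="$1"; prefix="$2"
    lib=$(resolved_lib_path "$soname")
    if [ -z "$lib" ]; then
        echo "$soname: not resolved by the dynamic linker"
        return 1
    fi
    echo "$soname resolves to $lib"
    rc=0
    if under_prefix "$lib" "$prefix"; then
        echo "  under the expected prefix $prefix"
    else
        echo "  NOT under $prefix: the binary is picking up another install"
        rc=1
    fi
    if hmac_present "$lib"; then
        echo "  FIPS HMAC file present beside the library"
    else
        echo "  no HMAC file at either of:"
        hmac_candidates "$lib" | sed 's/^/    /'
        rc=1
    fi
    return "$rc"
}

# Usage: sh check_fips_lib.sh /usr/local/bin/gnutls-cli libgnutls.so.28 /usr/local
# With no arguments, the constructed sample line from the post is checked.
if [ "$#" -eq 3 ]; then
    if ldd "$1" 2>/dev/null | check_resolution "$2" "$3"; then
        echo "OK"
    else
        echo "PROBLEM: see findings above"
    fi
else
    if printf '%s\n' "$SAMPLE_LDD" | check_resolution libgnutls.so.28 /usr/local; then
        echo "OK"
    else
        echo "PROBLEM: see findings above"
    fi
fi
```

On the post's sample line the report flags the first problem (the library resolves under /usr/lib/x86_64-linux-gnu, not /usr/local), which is what produces the relocation error for gnutls_fips140_mode_enabled. Once the linker resolves the library you built, the HMAC check tells you whether the self-test failure is simply a missing .hmac file next to that library, which is the second problem in the post.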


