[gnutls-help] Compiling with the FIPS option

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Jan 13 14:25:21 CET 2015


On Tue, Jan 13, 2015 at 11:47 AM, jonetsu at teksavvy.com
<jonetsu at teksavvy.com> wrote:
> Hello,
> I'm trying to compile gnutls-3.3.11 with the FIPS option.  The host
> already has a libgnutls.so.28 installed but, I'm using the default
> location of /usr/local/lib/ so this should cause no problem.  But it
> does.  Here are the details.
> This is in two parts.  The first part is about the error in the
> linking of gnutls-cli against the /usr/local/lib/ new install.  The
> second part is about some HMAC files that are missing.
[...]
> Verifying that gnutls-cli is the new one from /usr/local/ :
> Verifying the lib link:
> ldd /usr/local/bin/gnutls-cli
>  libgnutls.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls.so.28
> (0x00007f6c2f0e9000)
> Please note that it is linked against the host's library.

You need to run ldconfig after installation of gnutls. After you have done that, if
you have /usr/local/lib in ld.so.conf, it should be linked correctly.

> 2) Re-do the host's link to point to the new lib:
> libgnutls.so.28 -> /usr/local/lib/libgnutls.so.28
> % gnutls-cli --fips140-mode
> library is NOT in FIPS140-2 mode

For gnutls to enter FIPS mode, one of the following should be in place:
1. environment variable GNUTLS_FORCE_FIPS_MODE=1
2. /proc/sys/crypto/fips_enabled must contain "1"
   and /etc/system-fips must exist.

> % gnutls-cli --fips140-mode
> Error in GnuTLS initialization: Error while performing self checks.
> library is in FIPS140-2 mode
> Now it goes that far.  When enabling some debug output, we see that it
> fails trying to access some HMAC files.  These files are nowhere to be
> found, either on the host, or in the fresh sources.

FIPS requires a consistency check of the crypto libraries on startup, and this
is the purpose of the hmac files. These files should be generated on the
installed system. There is the fipshmac utility you can use (that support was
made for RHEL, where this utility is available), and you need to do something like
fipshmac -d /usr/local/lib /usr/local/lib/libgnutls.so.28.*.*
and prepend a dot (.) to the .hmac file name.

Repeat that for nettle and gmp.

> How to get GnuTLS compiled in the right manner to have a FIPS build ?

You don't really need the FIPS140 mode. The library works much better
without it, as it is not restricted to NIST-approved algorithms and
random number generators.

regards,
Nikos
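The procedure from the reply above, collected into one script as an added example (this is not code from the thread or from the GnuTLS project): refresh the loader cache so gnutls-cli picks up the new libgnutls.so.28, check which of the two FIPS-mode preconditions holds, and create the hidden .hmac files for gnutls, nettle and gmp with fipshmac. Two things here are assumptions rather than statements from the mail: that fipshmac -d DIR writes DIR/<basename>.hmac without a leading dot (which is how the "prepend a dot" remark is read here), and that libhogweed, which ships as part of nettle, needs the same treatment as libnettle. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original mail or the GnuTLS project.
# Assumptions (not from the mail): fipshmac -d DIR writes DIR/<basename>.hmac
# without a leading dot, and libhogweed (part of nettle) also needs a .hmac.

# Step 1: register /usr/local/lib with the dynamic loader (needs root), then
# show where gnutls-cli now resolves libgnutls.so.28. After ldconfig, with
# /usr/local/lib in ld.so.conf, this should print a /usr/local/lib path.
refresh_and_check_link() {
    cli="${1:-/usr/local/bin/gnutls-cli}"
    ldconfig
    ldd "$cli" | grep 'libgnutls\.so\.28'
}

# Step 2: the two ways gnutls 3.3 enters FIPS140-2 mode, as listed in the
# reply: GNUTLS_FORCE_FIPS_MODE=1, or fips_enabled=1 in /proc plus an
# existing /etc/system-fips. Both paths are parameters so the check can be
# exercised against a scratch directory. Returns 0 when FIPS mode applies.
gnutls_fips_enabled() {
    proc_fips="${1:-/proc/sys/crypto/fips_enabled}"
    system_fips="${2:-/etc/system-fips}"
    if [ "${GNUTLS_FORCE_FIPS_MODE:-}" = "1" ]; then
        echo "forced by GNUTLS_FORCE_FIPS_MODE=1"
        return 0
    fi
    if [ -r "$proc_fips" ] && [ "$(cat "$proc_fips")" = "1" ] \
        && [ -e "$system_fips" ]; then
        echo "kernel fips_enabled=1 and $system_fips exists"
        return 0
    fi
    echo "not in FIPS mode: neither precondition holds"
    return 1
}

# Hidden-file name for a library's HMAC, next to the library:
#   /usr/local/lib/libgnutls.so.28 -> /usr/local/lib/.libgnutls.so.28.hmac
hmac_path() {
    printf '%s/.%s.hmac\n' "$(dirname "$1")" "$(basename "$1")"
}

# Prepend the dot: rename every DIR/<name>.hmac to DIR/.<name>.hmac.
# Files that already start with a dot are not matched by *.hmac, so this
# is safe to re-run. Prints the number of files renamed.
dot_hmac_files() {
    dir="$1"
    n=0
    for f in "$dir"/*.hmac; do
        [ -e "$f" ] || continue
        mv "$f" "$(hmac_path "${f%.hmac}")"
        n=$((n + 1))
    done
    echo "$n"
}

# Step 3: run fipshmac (the RHEL hmaccalc utility named in the reply) over
# the installed library files given as arguments, writing into LIBDIR, then
# fix up the names. Pass the real files, e.g. libgnutls.so.28.*.*, as the
# reply does; repeat for nettle (libnettle, libhogweed) and gmp.
generate_hmacs() {
    libdir="$1"
    shift
    for lib in "$@"; do
        [ -e "$lib" ] || { echo "missing: $lib" >&2; continue; }
        fipshmac -d "$libdir" "$lib"
    done
    dot_hmac_files "$libdir"
}

# Typical run after `make install` into /usr/local (uncomment to use):
# refresh_and_check_link
# generate_hmacs /usr/local/lib /usr/local/lib/libgnutls.so.28.*.* \
#     /usr/local/lib/libnettle.so.*.* /usr/local/lib/libhogweed.so.*.* \
#     /usr/local/lib/libgmp.so.*.*.*
# gnutls_fips_enabled && gnutls-cli --fips140-mode
```

The HMAC covers the library bytes as installed, so the .hmac files have to be regenerated after anything that rewrites the library (stripping it, re-running make install); otherwise the startup self-check fails with the "Error while performing self checks" message quoted above.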
