[gnutls-help] Set up FIPS with gnutls 3.8.9
Daiki Ueno
ueno at gnu.org
Fri Nov 7 02:12:17 CET 2025
Hello,

Sorry for the late reply.

akendo <akendo at akendo.eu> writes:

> Hi everyone,
>
> I tried to enable the fips mode with gnutls 3.8.9 and failed to get it
> started. My compiler flags
> are the default compiler flags for Debian. Since I use the Debian
> packages for Trixie as a sample
> build process.
>
> All I do is add the parameter:
>
> --enable-fips140-mode
>
> The package build is going well, and I receive a package. However,
> after the installation of the
> package, I get the following error message:
>
> gnutls-cli github.com -p443
> Error in GnuTLS initialization: Error while performing self checks.
> global_init: Error while performing self checks
>
> By setting GNUTLS_NO_IMPLICIT_INIT the global_init error message goes
> away. When I check for the
> fips-mode, gnutls-cli reports that this is working.
>
> export GNUTLS_NO_IMPLICIT_INIT=1; gnutls-cli --fips140-mode
> library is in FIPS140-2 mode
>
> gnutls-cli github.com -p443
> |<1>| FIPS140-2 self testing part 2 failed
>
>
> Reading through the documentation, I noticed that there is the
> statement regarding the self-test
> that it's possible to provide a --with-fips140-key for the
> self-test. Does this key have to be of
> special length since it should be an HMAC key, correct?
>
> I'm just not sure if that's going to help here, does anyone have a suggestion?
>
> My workaround is as of now to set GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1

To get the FIPS integrity check to work, you would need ".hmac" files
installed alongside the GnuTLS and the dependent libraries. The file can
be generated with the "fipshmac" utility which should be built under
lib/.

For example, if you have installed the library as
/usr/lib/x86_64-linux-gnu/libgnutls.so.30, you can calculate the content
of the .hmac file with:

  lib/fipshmac /usr/lib/x86_64-linux-gnu/libgnutls.so.30

Then save it to /usr/lib/x86_64-linux-gnu/.libgnutls.so.30.hmac.

Regards,
--
Daiki Ueno
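
The procedure from the reply above as a small shell helper (an added example, not part of the original message and not GnuTLS code). The function names are hypothetical, and it assumes fipshmac prints the .hmac content to standard output, as the reply implies; the file has to be regenerated whenever the library file changes, since the HMAC covers its contents.

```shell
#!/bin/sh
# Added example: helper names below are hypothetical, not part of GnuTLS.

# hmac_path LIB
# Print where the .hmac file for LIB belongs, following the naming in the
# reply: same directory, leading dot, ".hmac" suffix.
hmac_path() {
    printf '%s/.%s.hmac\n' "$(dirname -- "$1")" "$(basename -- "$1")"
}

# install_hmac FIPSHMAC LIB
# Run the fipshmac binary on LIB and save its output next to LIB.
# Assumption: fipshmac writes the .hmac content to stdout.
# The output goes to a temporary file first, so a failed or empty run
# never replaces an existing, valid .hmac file.
install_hmac() {
    fipshmac=$1
    lib=$2
    out=$(hmac_path "$lib")
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if "$fipshmac" "$lib" > "$tmp" && [ -s "$tmp" ]; then
        # mktemp creates the file 0600; the library's users must read it.
        chmod 0644 "$tmp" && mv -f -- "$tmp" "$out"
    else
        rm -f -- "$tmp"
        return 1
    fi
}

# missing_hmacs LIB...
# Print every LIB that has no non-empty .hmac file beside it, so a
# package post-install step can fail early instead of at global_init.
missing_hmacs() {
    for lib in "$@"; do
        [ -s "$(hmac_path "$lib")" ] || printf '%s\n' "$lib"
    done
}

# Usage (run from the GnuTLS build tree, as root for system directories):
#   install_hmac lib/fipshmac /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#   missing_hmacs /usr/lib/x86_64-linux-gnu/libgnutls.so.30
```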