Hello, I'm trying to compile gnutls-3.3.11 with the FIPS option. The host already has a libgnutls.so.28 installed, but I'm using the default location of /usr/local/lib/ so this should cause no problem. But it does. Here are the details.

This is in two parts. The first part is about the error in the linking of gnutls-cli against the new install in /usr/local/lib/. The second part is about some HMAC files that are missing. Help would be greatly appreciated!

Already in the host (a Linux Mint 17 system, 64 bit):

    % dpkg -l | grep tls
    [...]
    libgnutls28:amd64 3.2.11-2ubuntu1

Compiling the source:

    % ./configure --enable-fips140-mode

The option is really set:

    [...]
    FIPS140 mode: yes

Building, installing:

    % make
    % make install

1) Verifying that gnutls-cli is the new one from /usr/local/:

    % which gnutls-cli
    /usr/local/bin/gnutls-cli

Verifying the lib link:

    ldd /usr/local/bin/gnutls-cli
    libgnutls.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls.so.28 (0x00007f6c2f0e9000)

Please note that it is linked against the host's library. Verifying the FIPS option will then appropriately report an error:

    % gnutls-cli --fips140-mode
    gnutls-cli: relocation error: gnutls-cli: symbol gnutls_fips140_mode_enabled, version GNUTLS_3_1_0 not defined in file libgnutls.so.28 with link time reference

Why does it link to the lib in /usr/lib/x86_64-linux-gnu/ instead of using its own in /usr/local?

2) Re-do the host's link to point to the new lib:

    libgnutls.so.28 -> /usr/local/lib/libgnutls.so.28

    % gnutls-cli --fips140-mode
    library is NOT in FIPS140-2 mode

OK. Exporting the env. var.:

    % export GNUTLS_FORCE_FIPS_MODE=1
    % gnutls-cli --fips140-mode
    Error in GnuTLS initialization: Error while performing self checks.
    library is in FIPS140-2 mode

Now it goes that far. When enabling some debug output, we see that it fails trying to access some HMAC files. These files are nowhere to be found, either on the host or in the fresh sources.

    % gnutls-cli --fips140-mode
    gnutls[2]: Loading: /usr/lib/x86_64-linux-gnu/libgnutls.so.28
    gnutls[2]: Could not open /usr/lib/x86_64-linux-gnu/.libgnutls.so.28.hmac for MAC testing: Error while reading file.
    gnutls[2]: Could not open /usr/lib/x86_64-linux-gnu/fipscheck/libgnutls.so.28.hmac for MAC testing: Error while reading file.

How to get GnuTLS compiled in the right manner to have a FIPS build?

Thanks.

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
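A small shell check for the two failure points in the post above: the binary resolving the host's libgnutls.so.28 instead of the one under /usr/local, and the .hmac integrity files the self-test could not open. This is an added example, not code from the post or from GnuTLS; it assumes ldd is available, and the two .hmac locations are taken from the gnutls[2] debug lines in the post rather than from GnuTLS source.

```shell
#!/bin/sh
# Added example (not from the post or GnuTLS): verify which libgnutls a binary
# actually loads and whether the FIPS integrity HMAC files exist beside it.

# Print the path the dynamic loader resolves for a soname in a binary.
resolved_lib() {           # $1 = binary, $2 = soname (e.g. libgnutls.so.28)
    ldd "$1" 2>/dev/null | awk -v so="$2" '$1 == so && $2 == "=>" { print $3 }'
}

# For a resolved library path, print the two HMAC locations the debug output
# shows GnuTLS 3.3 trying:  <dir>/.<name>.hmac  and  <dir>/fipscheck/<name>.hmac
hmac_candidates() {        # $1 = /path/to/libgnutls.so.28
    dir=$(dirname "$1")
    name=$(basename "$1")
    printf '%s/.%s.hmac\n%s/fipscheck/%s.hmac\n' "$dir" "$name" "$dir" "$name"
}

# Return 0 if the resolved library lives under the expected prefix, else 1.
lib_under_prefix() {       # $1 = resolved lib path, $2 = expected prefix
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Report where libgnutls.so.28 resolves and whether its HMAC files are readable.
check_fips_build() {       # $1 = binary, $2 = expected prefix (e.g. /usr/local/lib)
    lib=$(resolved_lib "$1" libgnutls.so.28)
    if [ -z "$lib" ]; then
        echo "no libgnutls.so.28 dependency found in $1"
        return 2
    fi
    if lib_under_prefix "$lib" "$2"; then
        echo "OK: $1 resolves libgnutls.so.28 to $lib"
    else
        echo "WARNING: $1 resolves libgnutls.so.28 to $lib, not under $2"
        echo "  (the loader searched the ldconfig cache before $2; the host copy may lack FIPS symbols)"
    fi
    hmac_candidates "$lib" | while IFS= read -r f; do
        if [ -r "$f" ]; then echo "found HMAC file:   $f"; else echo "missing HMAC file: $f"; fi
    done
}

# Usage when run directly:  sh check_fips_build.sh /usr/local/bin/gnutls-cli /usr/local/lib
if [ $# -eq 2 ]; then
    check_fips_build "$1" "$2"
fi
```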
