On Tue, 13 Jan 2015 14:25:21 +0100 Nikos Mavrogiannopoulos <[email protected]> wrote:
Hello,

Thanks for the reply. It did make some progress, but it's still not there. I have adjusted the lib path using ldconfig, and I have gotten the fipshmac utility from Red Hat's fipscheck package (1.4.1) and generated a .hmac file. Details below.

The error now seems to revolve around not agreeing with the fipshmac utility. Basically, hiding all symlinks except one, the libs in /usr/local/lib/ are:

libfipscheck.la*
libfipscheck.so.1.2.1*
libgnutls.la*
libgnutls-openssl.la*
libgnutls-openssl.so.27.0.2*
libgnutls.so.28.41.3*
libgnutlsxx.la*
libgnutlsxx.so.28.1.0*
libgnutls.so.28 -> libgnutls.so.28.41.3*

fipshmac is run in this way:
% fipshmac -d /usr/local/lib /usr/local/lib/libgnutls.so.28.*.*

And will generate in /usr/local/lib/ :
% libgnutls.so.28.41.3.hmac

Which contains:
1a9863c56622f4abeb8b58671f4036ae44131a932058299c14c7f115cbaf16fd
%

gnutls-cli looks for /usr/local/lib/.libgnutls.so.28.hmac, so I rename the hmac file:
% mv libgnutls.so.28.41.3.hmac .libgnutls.so.28.hmac

% ldd $(which gnutls-cli)
[...]
libgnutls.so.28 => /usr/local/lib/libgnutls.so.28 (0x00007f3fd6f64000)
[...]

% gnutls-cli --fips140-mod
[...]
gnutls[2]: Loading: /usr/local/lib/libgnutls.so.28
gnutls[2]: Calculated MAC for libgnutls.so.28 does not match
gnutls[3]: ASSERT: fips.c:234
gnutls[3]: ASSERT: fips.c:358
[...]
library is in FIPS140-2 mode

Please note that I haven't generated the HMAC for nettle nor gmp yet, given the nature of the error so far.

The fipscheck utility also has a problem verifying the file, as it returns a value of 13 when run like this:
% fipscheck .libgnutls.so.28.hmac
fipscheck .libgnutls.so.28.hmac
% echo $?
13

What adjustments should now be done in order to get gnutls working in FIPS mode?

> You don't really need the FIPS140 mode. The library works much
> better without it, as it is not restricted to NIST-approved
> algorithms and random number generators.

Is the restriction the only drawback, or is there currently a problem using gnutls in FIPS mode?

Regards.
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
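Added example, not part of the original post and not GnuTLS or fipscheck code: a minimal sidecar-HMAC integrity check following the layout the message describes (a hex MAC stored in a hidden `.NAME.hmac` file beside the library, looked up through the soname symlink). HMAC-SHA256 is assumed from the 64-hex-digit value shown in the post; the key, the file names and all function names are constructed placeholders.

```python
import hashlib, hmac, os, tempfile

DEMO_KEY = b"constructed-demo-key"  # placeholder; the real key is not on the page

def sidecar_path(lib_path):
    # Naming reported in the post: libgnutls.so.28 -> .libgnutls.so.28.hmac, same directory
    directory, name = os.path.split(lib_path)
    return os.path.join(directory, "." + name + ".hmac")

def file_hmac(path, key):
    # The MAC covers the file's bytes only; open() follows the soname symlink
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def verify(lib_path, key):
    side = sidecar_path(lib_path)
    if not os.path.isfile(side):
        return "missing sidecar"
    with open(side, "r", errors="replace") as fh:
        stored = fh.read().strip().lower()  # tolerate a trailing newline
    if len(stored) != 64 or any(c not in "0123456789abcdef" for c in stored):
        return "malformed sidecar"
    calc = file_hmac(lib_path, key)
    return "ok" if hmac.compare_digest(stored, calc) else "mismatch"

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "libdemo.so.28.41.3")  # constructed stand-in library
        link = os.path.join(d, "libdemo.so.28")
        with open(real, "wb") as fh:
            fh.write(b"\x7fELF constructed sample bytes")
        os.symlink("libdemo.so.28.41.3", link)
        results["no_sidecar"] = verify(link, DEMO_KEY)
        with open(sidecar_path(link), "w") as fh:
            fh.write(file_hmac(real, DEMO_KEY) + "\n")
        results["fresh"] = verify(link, DEMO_KEY)
        results["other_key"] = verify(link, b"different-key")
        with open(real, "ab") as fh:  # any change to the file after the MAC was made
            fh.write(b"\x00")
        results["modified"] = verify(link, DEMO_KEY)
    return results

if __name__ == "__main__":
    print(demo())
```

Renaming the sidecar does not affect the result, since the file name is not part of the MAC input; a mismatch means the stored value was produced from different bytes or with a different key than the verifier uses.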
