dest-unreach / socat / contrib / socat-fips
Apply this patch to socat 1.4.3.1 source.
Hello,

I have been working on a patch to add OpenSSL FIPS support to socat. See http://oss-institute.org/fips-faq.html and http://linuxdevices.com/news/NS4742716157.html for more information.

Attached is a patch set to socat 1.4.3.1 that does the following:

Add support for LDFLAGS in Makefile. LDFLAGS can be specified on the configure command line and they will be carried over into the make.

Add FIPS support. Requires OpenSSL 0.9.7j-fips-dev from http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz built with FIPS support turned on. Use ./Configure fips [os-arch], for example ./Configure fips linux-pentium

I would include it inline but some of the configure lines are quite long and I bet they would get line wrapped somewhere along the way. Let me know if it would help to have the patch in a different format.

The LDFLAGS bit was needed so I could point a build against a library located in a non-standard location. For example, if you download and build OpenSSL manually, it gets installed in /usr/local/ssl by default.

The FIPS support patches involve adding an option to enable/disable FIPS in configure (enabled by default), checking the system for FIPS support during configure, and then adding a -f option to socat to turn on FIPS mode. The openssl binary uses an environment variable instead of a command line flag. I thought we might want to be more clear about whether the user wanted the mode or not, so I went with a command line flag.

FIPS mode requires both a compile time flag of OPENSSL_FIPS and a runtime call of FIPS_mode_set(1). FIPS mode requires building with the fipsld script provided by OpenSSL. FIPS tracks the pid of the process that initializes things, so after a fork the child must reinitialize. When the ssl code detects that a fork occurred and FIPS mode was enabled, it reinitializes FIPS by disabling and then enabling it again.

All tests in test.sh pass in the following modes:

  compiled without FIPS support
  compiled with FIPS support but not turned on at command line
  compiled with FIPS support and turned on at the command line

To produce my environment, I did the following:

To build openssl, download OpenSSL 0.9.7j-fips-dev from http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz

  tar xzf OpenSSL-fips-1.0.tar.gz
  cd openssl
  ./Configure fips linux-pentium
  make
  make test
  (become root)
  make install

This leaves an install in /usr/local/ssl

To build socat: set up a directory with socat 1.4.3.1 plus the attached patches.

  cd socat-1.4
  ./configure CPPFLAGS=-I/usr/local/ssl/include/ LDFLAGS=-L/usr/local/ssl/lib/ FIPSLD=/usr/local/ssl/bin/fipsld
  make depend
  make
  (become root)
  make install

To run tests, we make sure the new openssl is used and that it is used in FIPS mode. The openssl binary checks an environment variable to go into FIPS mode instead of using a command line option. I pass -f to the socat calls to put them in FIPS mode.

  export PATH=/usr/local/ssl/bin:$PATH
  export OPENSSL_FIPS=1
  OPTS=-f ./test.sh
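The fork handling described in the message above (FIPS mode is bound to the pid that called FIPS_mode_set(1), so a forked child has to disable and re-enable it before touching crypto) is easy to get wrong, so here is a small stand-alone illustration. It is an added example, not code from the socat-fips patch or from OpenSSL. It assumes that a FIPS-capable OpenSSL declares the one-argument FIPS_mode_set(int) in openssl/crypto.h and that OPENSSL_FIPS is defined when building against it; without OPENSSL_FIPS the library calls are compiled out and only the pid-tracking logic runs, which is enough to show why a plain fork() leaves the child in a state that needs reinitialization while the wrapper does not.

```c
/*
 * fips_fork.c: illustrative example (not from the socat-fips patch or from
 * OpenSSL).  FIPS mode belongs to the pid that called FIPS_mode_set(1); a
 * forked child must disable and re-enable it before using crypto.  With
 * OPENSSL_FIPS defined this calls FIPS_mode_set() from a FIPS-capable
 * OpenSSL (assumed header openssl/crypto.h, assumed signature int(int));
 * without it the OpenSSL calls are compiled out and the pid tracking alone
 * is exercised, so the file builds on an ordinary system.
 */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifdef OPENSSL_FIPS
#include <openssl/crypto.h>   /* assumed: int FIPS_mode_set(int onoff) */
#include <openssl/err.h>
#endif

static int   fips_wanted = 0;   /* stands in for socat's -f option */
static pid_t fips_owner  = 0;   /* pid that last called FIPS_mode_set(1), 0 if off */

/* Switch FIPS mode on (1) or off (0) for the calling process.
 * Returns 0 on success, -1 if the library refused (e.g. self test failure). */
static int fips_set(int on)
{
#ifdef OPENSSL_FIPS
    if (!FIPS_mode_set(on)) {
        ERR_print_errors_fp(stderr);
        return -1;
    }
#endif
    fips_wanted = on;
    fips_owner  = on ? getpid() : 0;
    return 0;
}

/* True when crypto must not be used yet: FIPS mode was requested, but the
 * calling process is not the one that initialized it (a forked child). */
static int fips_needs_reinit(void)
{
    return fips_wanted && getpid() != fips_owner;
}

/* What the patch does once it detects a fork: disable, then enable again,
 * which re-binds FIPS mode to the child's pid. */
static int fips_reinit(void)
{
    if (!fips_needs_reinit())
        return 0;
    if (fips_set(0) < 0)
        return -1;
    return fips_set(1);
}

/* fork() wrapper that re-initializes FIPS mode in the child before returning. */
static pid_t fips_fork(void)
{
    pid_t pid = fork();
    if (pid == 0 && fips_reinit() < 0)
        _exit(111);   /* the child cannot continue without FIPS mode */
    return pid;
}

/* Fork with the given function, let the child report whether it still needs
 * reinitialization, and hand that flag (0 or 1) back to the parent; -1 on error. */
static int child_needs_reinit(pid_t (*forker)(void))
{
    int status;
    pid_t pid = forker();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fips_needs_reinit() ? 1 : 0);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    if (fips_set(1) < 0)
        return 1;
    printf("parent needs reinit: %d\n", fips_needs_reinit());
    printf("child of plain fork() needs reinit: %d\n", child_needs_reinit(fork));
    printf("child of fips_fork() needs reinit: %d\n", child_needs_reinit(fips_fork));
    return 0;
}
```

Build it plain (cc fips_fork.c) to see the pid logic, or with -DOPENSSL_FIPS plus the include and library paths from the build recipe above (and link through fipsld, as the message notes) to drive the real FIPS_mode_set(). In the second form the child of a plain fork() would be the process that silently continues outside FIPS mode, which is exactly the case the -f handling in the patch is meant to close.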