dest-unreach / socat / contrib / socat-fips

FIPS support for socat


David Acker has contributed a patch that allows to build socat with OpenSSL FIPS support, see his message below.


Apply this patch to socat source.



Message of the contributor

I have been working on a patch to add OpenSSL FIPS support to socat.
See and for more information.
Attached is a patch set to socat that does the following:

Add support for LDFLAGS in Makefile.  LDFLAGS can be specified on the
configure command line and the will be carried over into the make.

Add fips support.  Requires OpenSSL 0.9.7j-fips-dev from built with fips
support turned on. use ./Configure fips [os-arc], for example
./Configure fips linux-pentium

I would include it inline but some of the configure lines are quite long 
and I bet they would get line wrapped somewhere along the way.  Let me 
know if it would help to have the patch in a different format.

The LDFLAGS bit was needed so I could point a build against a library
located in a non-standard location.  For example, if you download and
build openssl manually, it gets installed in /usr/local/ssl by default.

The FIPS support patches involve adding an option to enable/disable fips
in configure (enabled by default), checking the system for FIPS support
during configure, and then adding a -f option to socat to turn on fips
mode.  The openssl binary uses an environment variable instead of a 
command line flag.  I thought we might want to be more clear when the 
user wanted the mode or not so I went with a command line flag.
FIPS mode requires both a compile time flag of OPENSSL_FIPS and a
runtime call of FIPS_mode_set(1).  Fips mode requires building with the 
fipsld script provided by OpenSSL. FIPS tracks the pid of the
process that initializes things so after a fork, the child must 
reinitialize.  When the ssl code detects a forks occur and if FIPS mode 
was enabled, it reintializes FIPS by disabling and then enabling it again.

All tests in pass in the following modes:
compiled without FIPS support
compiled with FIPS support but not turned on at command line
compiled with FIPS support and turned on at the command line

To produce my enviroment, I did the following:
To build openssl
download  OpenSSL 0.9.7j-fips-dev from
tar xzf OpenSSL-fips-1.0.tar.gz
cd openssl
./Configure fips linux-pentium
make test
(become root)
make install
This leaves an install in /usr/local/ssl

To build socat:
setup directory with socat plus the attached patches.
cd socat-1.4
./configure CPPFLAGS=-I/usr/local/ssl/include/
LDFLAGS=-L/usr/local/ssl/lib/ FIPSLD=/usr/local/ssl/bin/fipsld

make depend
(become root)
make install

To run tests we make sure the new openssl is used and that it is used in
fips mode.  The openssl binary checks an evironment variable to go into 
fips mode instead of using a command line option.  I pass -f to the 
socat calls to put them in fips mode.

export PATH=/usr/local/ssl/bin:$PATH
OPTS=-f ./


This patch is intended to be integrated into the next feature release following socat (thus, or
Please note that some aspects of the implementation might change then.