File: README.FIPS

package info (click to toggle)
socat 1.7.3.2-2
  • links: PTS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 3,888 kB
  • sloc: ansic: 28,032; sh: 11,782; makefile: 146
file content (67 lines) | stat: -rw-r--r-- 2,655 bytes parent folder | download | duplicates (8)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

David Acker has patched socat to add OpenSSL FIPS.
See http://oss-institute.org/fips-faq.html and
http://linuxdevices.com/news/NS4742716157.html for more information.

The patch that is integrated into socat 1.5 does the following:

Add support for LDFLAGS in Makefile.  LDFLAGS can be specified on the
configure command line and then will be carried over into the make.

Add fips support.  Requires OpenSSL 0.9.7j-fips-dev from
http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz built with fips
support turned on. use ./Configure fips [os-arc], for example
./Configure fips linux-pentium

The LDFLAGS is needed to point a build against a library
located in a non-standard location.  For example, if you download and
build openssl manually, it gets installed in /usr/local/ssl by default.

The FIPS support patches involve adding an option to enable/disable fips
in configure (enabled by default), checking the system for FIPS support
during configure, and then adding a fips option to socats openssl address
to turn on fips mode.  The openssl binary uses an environment variable 
instead of a command line flag.
FIPS mode requires both a compile time flag of OPENSSL_FIPS and a
runtime call of FIPS_mode_set(1).  Fips mode requires building with the 
fipsld script provided by OpenSSL. FIPS tracks the pid of the process that 
initializes things so after a fork, the child must reinitialize.  When the 
ssl code detects a forks occur and if FIPS mode was enabled, it reinitializes 
FIPS by disabling and then enabling it again.

To produce Davids enviroment, do the following:
To build openssl
download  OpenSSL 0.9.7j-fips-dev from
http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz
tar xzf OpenSSL-fips-1.0.tar.gz
cd openssl
./Configure fips linux-pentium
make
make test
(become root)
make install
This leaves an install in /usr/local/ssl

To build socat:
setup directory with socat 1.5 or higher.
cd socat-1.5.0.0
./configure CPPFLAGS=-I/usr/local/ssl/include/ LDFLAGS=-L/usr/local/ssl/lib/ FIPSLD=/usr/local/ssl/bin/fipsld
make
(become root)
make install

To run tests we make sure the new openssl is used:

export PATH=/usr/local/ssl/bin:$PATH
./test.sh fips

There are two tests in test.sh that depend on fips:

OPENSSL_FIPS_BOTHAUTH performs a SSL client to server connection with
certificate based authentication in both directions. If it works FIPS mode
seems to be ok.

OPENSSL_FIPS_SECURITY generates a certificaet/key pair without fips support. It
then tries a SSL connection in "normal" mode which is expected to work. In the
second phase it uses fips mode with these credentials which is expected to
fail. If so, the test succeeded.