nexmon – Blame information for rev 1
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | |
| 2 | David Acker has patched socat to add OpenSSL FIPS. |
||
| 3 | See http://oss-institute.org/fips-faq.html and |
||
| 4 | http://linuxdevices.com/news/NS4742716157.html for more information. |
||
| 5 | |||
| 6 | The patch that is integrated into socat 1.5 does the following: |
||
| 7 | |||
| 8 | Add support for LDFLAGS in Makefile. LDFLAGS can be specified on the |
||
| 9 | configure command line and then will be carried over into the make. |
||
| 10 | |||
| 11 | Add fips support. Requires OpenSSL 0.9.7j-fips-dev from |
||
| 12 | http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz built with fips |
||
| 13 | support turned on. use ./Configure fips [os-arc], for example |
||
| 14 | ./Configure fips linux-pentium |
||
| 15 | |||
| 16 | The LDFLAGS is needed to point a build against a library |
||
| 17 | located in a non-standard location. For example, if you download and |
||
| 18 | build openssl manually, it gets installed in /usr/local/ssl by default. |
||
| 19 | |||
| 20 | The FIPS support patches involve adding an option to enable/disable fips |
||
| 21 | in configure (enabled by default), checking the system for FIPS support |
||
| 22 | during configure, and then adding a fips option to socats openssl address |
||
| 23 | to turn on fips mode. The openssl binary uses an environment variable |
||
| 24 | instead of a command line flag. |
||
| 25 | FIPS mode requires both a compile time flag of OPENSSL_FIPS and a |
||
| 26 | runtime call of FIPS_mode_set(1). Fips mode requires building with the |
||
| 27 | fipsld script provided by OpenSSL. FIPS tracks the pid of the process that |
||
| 28 | initializes things so after a fork, the child must reinitialize. When the |
||
| 29 | ssl code detects a forks occur and if FIPS mode was enabled, it reinitializes |
||
| 30 | FIPS by disabling and then enabling it again. |
||
| 31 | |||
| 32 | To produce Davids enviroment, do the following: |
||
| 33 | To build openssl |
||
| 34 | download OpenSSL 0.9.7j-fips-dev from |
||
| 35 | http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz |
||
| 36 | tar xzf OpenSSL-fips-1.0.tar.gz |
||
| 37 | cd openssl |
||
| 38 | ./Configure fips linux-pentium |
||
| 39 | make |
||
| 40 | make test |
||
| 41 | (become root) |
||
| 42 | make install |
||
| 43 | This leaves an install in /usr/local/ssl |
||
| 44 | |||
| 45 | To build socat: |
||
| 46 | setup directory with socat 1.5 or higher. |
||
| 47 | cd socat-1.5.0.0 |
||
| 48 | ./configure CPPFLAGS=-I/usr/local/ssl/include/ LDFLAGS=-L/usr/local/ssl/lib/ FIPSLD=/usr/local/ssl/bin/fipsld |
||
| 49 | make |
||
| 50 | (become root) |
||
| 51 | make install |
||
| 52 | |||
| 53 | To run tests we make sure the new openssl is used: |
||
| 54 | |||
| 55 | export PATH=/usr/local/ssl/bin:$PATH |
||
| 56 | ./test.sh fips |
||
| 57 | |||
| 58 | There are two tests in test.sh that depend on fips: |
||
| 59 | |||
| 60 | OPENSSL_FIPS_BOTHAUTH performs a SSL client to server connection with |
||
| 61 | certificate based authentication in both directions. If it works FIPS mode |
||
| 62 | seems to be ok. |
||
| 63 | |||
| 64 | OPENSSL_FIPS_SECURITY generates a certificaet/key pair without fips support. It |
||
| 65 | then tries a SSL connection in "normal" mode which is expected to work. In the |
||
| 66 | second phase it uses fips mode with these credentials which is expected to |
||
| 67 | fail. If so, the test succeeded. |