Travis Burtrum 268432bf42 Add OpenSSL snihost option for TLS SNI extension 3 years ago
Config Final fixes before release 1.7.3.0 4 years ago
doc Add OpenSSL snihost option for TLS SNI extension 3 years ago
BUGREPORTS socat V1.6.0.0 (initial GIT commit) 11 years ago
CHANGES version 1.7.3.0 4 years ago
COPYING libwrap only logs to syslog; actual COPYING file 5 years ago
COPYING.OpenSSL socat V1.6.0.0 (initial GIT commit) 11 years ago
DEVELOPMENT Made code async-signal-safe 4 years ago
EXAMPLES minor corrections of docu and test.sh; o-append 10 years ago
FAQ FAQ: SIGTTOU problem and solution 11 years ago
FILES socat V1.6.0.0 (initial GIT commit) 11 years ago
Makefile.in Final fixes before release 1.7.3.0 4 years ago
PORTING socat V1.6.0.0 (initial GIT commit) 11 years ago
README version 1.7.3.0 4 years ago
README.FIPS socat V1.6.0.0 (initial GIT commit) 11 years ago
SECURITY socat V1.6.0.0 (initial GIT commit) 11 years ago
VERSION version 1.7.3.0 4 years ago
compat.h environ variable from C runtime is not declared on all systems 4 years ago
config.h.in Port to Openindiana 4 years ago
configure.ac struct cmsghdr.cmsg is system dependend; more print format corrections 5 years ago
configure.in Function cfmakeraw() is simulated when missing 4 years ago
daemon.sh replaced RCS ID's by source file names 11 years ago
dalan.c Support for NetBSD 5.1 4 years ago
dalan.h replaced RCS ID's by source file names 11 years ago
error.c Port to Openindiana 4 years ago
error.h Made code async-signal-safe 4 years ago
fdname.c Ubuntu Oneiric: OpenSSL w/o SSLv2, bsd/libutil.h, unused vars 7 years ago
filan.c Red Hat issue 1020203: configure checks fail with some compilers 5 years ago
filan.h merged features ioctl, setsockopt, generic-socket 10 years ago
filan_main.c Corrected help text for filan -L 4 years ago
ftp.sh replaced RCS ID's by source file names 11 years ago
gatherinfo.sh replaced RCS ID's by source file names 11 years ago
hostan.c Corrected some configure --disable 4 years ago
hostan.h replaced RCS ID's by source file names 11 years ago
install-sh socat V1.6.0.0 (initial GIT commit) 11 years ago
mail.sh version 1.7.1.0 10 years ago
mytypes.h Prevent multiple definition of bool,Min(),Max() (MacOS X) 4 years ago
nestlex.c fixed a stack overflow vulnerability with long command line args 8 years ago
nestlex.h replaced RCS ID's by source file names 11 years ago
procan-cdefs.c struct cmsghdr.cmsg is system dependend; more print format corrections 5 years ago
procan.c Increased field width for ulimit values from 16 to 24 digits 5 years ago
procan.h procan prints C defines important for socat 11 years ago
procan_main.c Made code async-signal-safe 4 years ago
proxy.sh replaced RCS ID's by source file names 11 years ago
proxyecho.sh minor corrections of docu and test.sh; o-append 10 years ago
readline-test.sh ported generic socket to *BSD; minor improvements 10 years ago
readline.sh replaced RCS ID's by source file names 11 years ago
snprinterr.c Made code async-signal-safe 4 years ago
snprinterr.h Made code async-signal-safe 4 years ago
socat.c Debian Bug 764251: Set the build timestamp to a deterministic time 4 years ago
socat.spec version 1.7.3.0 4 years ago
socat_buildscript_for_android.sh Android build script with pty code 5 years ago
socks4a-echo.sh replaced RCS ID's by source file names 11 years ago
socks4echo.sh replaced RCS ID's by source file names 11 years ago
sslcls.c Added TLS methods support 4 years ago
sslcls.h Added TLS methods support 4 years ago
sycls.c Made code async-signal-safe 4 years ago
sycls.h struct cmsghdr.cmsg is system dependend; more print format corrections 5 years ago
sysincludes.h Support for NetBSD 5.1 4 years ago
sysutils.c Check OpenSSL peers commonName+subjectAltName; new option openssl-commonname 4 years ago
sysutils.h Check OpenSSL peers commonName+subjectAltName; new option openssl-commonname 4 years ago
test.sh Final fixes before release 1.7.3.0 4 years ago
testcert.conf Generate testcert.conf and testcert6.conf in test.sh 4 years ago
utils.c Check OpenSSL peers commonName+subjectAltName; new option openssl-commonname 4 years ago
utils.h Red Hat issue 1020203: configure checks fail with some compilers 5 years ago
vsnprintf_r.c Made code async-signal-safe 4 years ago
vsnprintf_r.h Made code async-signal-safe 4 years ago
xio-ascii.c Red Hat issue 1021958: fixed a bug with faulty buffer/data length calculation in xio-ascii.c:_xiodump() 5 years ago
xio-ascii.h merged features ancillary, envvar 10 years ago
xio-creat.c replaced RCS ID's by source file names 11 years ago
xio-creat.h replaced RCS ID's by source file names 11 years ago
xio-exec.c Ubuntu Oneiric: OpenSSL w/o SSLv2, bsd/libutil.h, unused vars 7 years ago
xio-exec.h replaced RCS ID's by source file names 11 years ago
xio-ext2.c replaced RCS ID's by source file names 11 years ago
xio-ext2.h replaced RCS ID's by source file names 11 years ago
xio-fd.c on some 64bit systems a compiler warning "cast from pointer to integer of different size" was issued on some option definitions 9 years ago
xio-fd.h new address options shut-null, null-eof 10 years ago
xio-fdnum.c replaced RCS ID's by source file names 11 years ago
xio-fdnum.h replaced RCS ID's by source file names 11 years ago
xio-file.c replaced RCS ID's by source file names 11 years ago
xio-file.h replaced RCS ID's by source file names 11 years ago
xio-gopen.c fixed a bug where socat might crash when connecting to a unix domain socket using address GOPEN 8 years ago
xio-gopen.h replaced RCS ID's by source file names 11 years ago
xio-interface.c added struct sockaddr_ll to union sockaddr_union to avoid "strict aliasing" 9 years ago
xio-interface.h new address "interface" for transparent network interface handling 10 years ago
xio-ip.c Red Hat issue: socat 1.7.2.4 build failure missing linux/errqueue.h 4 years ago
xio-ip.h merged features ioctl, setsockopt, generic-socket 10 years ago
xio-ip4.c Red Hat issue 1022063: out-of-range shifts on net mask bits 5 years ago
xio-ip4.h merged features ioctl, setsockopt, generic-socket 10 years ago
xio-ip6.c Red Hat issue 1020203: configure checks fail with some compilers 5 years ago
xio-ip6.h merged features ioctl, setsockopt, generic-socket 10 years ago
xio-ipapp.c Fixed memory leaks 4 years ago
xio-ipapp.h reworked so-type, so-prototype 10 years ago
xio-listen.c Port to Openindiana 4 years ago
xio-listen.h new option max-children that limits the number of concurrent child processes 7 years ago
xio-named.c some file system bases addresses failed to apply file options 5 years ago
xio-named.h replaced RCS ID's by source file names 11 years ago
xio-openssl.c Add OpenSSL snihost option for TLS SNI extension 3 years ago
xio-openssl.h Add OpenSSL snihost option for TLS SNI extension 3 years ago
xio-pipe.c some file system bases addresses failed to apply file options 5 years ago
xio-pipe.h replaced RCS ID's by source file names 11 years ago
xio-process.c struct cmsghdr.cmsg is system dependend; more print format corrections 5 years ago
xio-process.h Red Hat issue 1021429: getgroupent fails with large number of groups 5 years ago
xio-progcall.c Print error on useless fdout,fdin options 4 years ago
xio-progcall.h EXEC and SYSTEM with stderr injected socat messages into the data stream 11 years ago
xio-proxy.c struct cmsghdr.cmsg is system dependend; more print format corrections 5 years ago
xio-proxy.h replaced RCS ID's by source file names 11 years ago
xio-pty.c Red Hat issue 1020203: configure checks fail with some compilers 5 years ago
xio-pty.h replaced RCS ID's by source file names 11 years ago
xio-rawip.c merged features ioctl, setsockopt, generic-socket 10 years ago
xio-rawip.h replaced RCS ID's by source file names 11 years ago
xio-readline.c Red Hat issue 1022048: strncpy hardening 5 years ago
xio-readline.h replaced RCS ID's by source file names 11 years ago
xio-sctp.c merged feature sctp streams 10 years ago
xio-sctp.h merged feature sctp streams 10 years ago
xio-socket.c Check OpenSSL peers commonName+subjectAltName; new option openssl-commonname 4 years ago
xio-socket.h new address options shut-null, null-eof 10 years ago
xio-socks.c struct cmsghdr.cmsg is system dependend; more print format corrections 5 years ago
xio-socks.h replaced RCS ID's by source file names 11 years ago
xio-stdio.c corrected option handling with stdio 11 years ago
xio-stdio.h replaced RCS ID's by source file names 11 years ago
xio-streams.c new address options i-pop-all, i-push 10 years ago
xio-streams.h new address options i-pop-all, i-push 10 years ago
xio-system.c Address SYSTEM, when terminating, shutted down its parent addresses 4 years ago
xio-system.h replaced RCS ID's by source file names 11 years ago
xio-tcp.c replaced RCS ID's by source file names 11 years ago
xio-tcp.h replaced RCS ID's by source file names 11 years ago
xio-tcpwrap.c merged features ancillary, envvar 10 years ago
xio-tcpwrap.h replaced RCS ID's by source file names 11 years ago
xio-termios.c Added option rawer for pty 4 years ago
xio-termios.h Function cfmakeraw() is simulated when missing 4 years ago
xio-tun.c Red Hat issue 1022048: strncpy hardening 5 years ago
xio-tun.h replaced RCS ID's by source file names 11 years ago
xio-udp.c struct cmsghdr.cmsg is system dependend; more print format corrections 5 years ago
xio-udp.h replaced RCS ID's by source file names 11 years ago
xio-unix.c Fixed bind with abstract unix domain sockets (Linux) 4 years ago
xio-unix.h merged feature protocol-type 10 years ago
xio.h Port to Openindiana 4 years ago
xioclose.c removed END_UNLINK (not yet needed) 9 years ago
xioconfig.h Red Hat issue 1020203: configure checks fail with some compilers 5 years ago
xiodiag.c replaced RCS ID's by source file names 11 years ago
xiodiag.h replaced RCS ID's by source file names 11 years ago
xioexit.c Final fixes before release 1.7.3.0 4 years ago
xiohelp.c version 1.7.0.1 10 years ago
xiohelp.h replaced RCS ID's by source file names 11 years ago
xioinitialize.c typos in docu and source 7 years ago
xiolayer.c on some 64bit systems a compiler warning "cast from pointer to integer of different size" was issued on some option definitions 9 years ago
xiolayer.h new address option "escape" allows to break a socat instance 10 years ago
xiolockfile.c handle partial write()'s without data loss 7 years ago
xiolockfile.h replaced RCS ID's by source file names 11 years ago
xiomodes.h new address options i-pop-all, i-push 10 years ago
xioopen.c adapted conditionals to genericsocket, interface 10 years ago
xioopen.h merged feature sctp streams 10 years ago
xioopts.c Add OpenSSL snihost option for TLS SNI extension 3 years ago
xioopts.h Add OpenSSL snihost option for TLS SNI extension 3 years ago
xioparam.c Red Hat issue 1022048: strncpy hardening 5 years ago
xioread.c added struct sockaddr_ll to union sockaddr_union to avoid "strict aliasing" 9 years ago
xioshutdown.c Made code async-signal-safe 4 years ago
xiosigchld.c Made code async-signal-safe 4 years ago
xiosignal.c Made code async-signal-safe 4 years ago
xiosysincludes.h replaced RCS ID's by source file names 11 years ago
xiowrite.c handle partial write()'s without data loss 7 years ago

README.FIPS


David Acker has patched socat to add OpenSSL FIPS.
See http://oss-institute.org/fips-faq.html and
http://linuxdevices.com/news/NS4742716157.html for more information.

The patch that is integrated into socat 1.5 does the following:

Add support for LDFLAGS in Makefile. LDFLAGS can be specified on the
configure command line and then will be carried over into the make.

Add FIPS support. Requires OpenSSL 0.9.7j-fips-dev from
http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz built with FIPS
support turned on. Use ./Configure fips [os-arch], for example
./Configure fips linux-pentium

LDFLAGS is needed to point a build at a library located in a
non-standard location. For example, if you download and build OpenSSL
manually, it gets installed in /usr/local/ssl by default.

The FIPS support patches involve adding an option to enable/disable FIPS
in configure (enabled by default), checking the system for FIPS support
during configure, and then adding a fips option to socat's openssl address
to turn on FIPS mode. (The openssl binary uses an environment variable
instead of a command line flag.)
FIPS mode requires both the compile time flag OPENSSL_FIPS and a
runtime call of FIPS_mode_set(1). FIPS mode also requires linking with the
fipsld script provided by OpenSSL. The FIPS module tracks the pid of the
process that initialized it, so after a fork the child must reinitialize.
When the SSL code detects that a fork has occurred and FIPS mode was
enabled, it reinitializes FIPS by disabling and then enabling it again.
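The pid-tracking and fork reinitialization described above, shown as an added example. This is not socat's code (socat's own handling lives in xio-openssl.c); it assumes the FIPS_mode_set() call from the FIPS-capable OpenSSL, compiled in only when OPENSSL_FIPS is defined and the binary is linked via fipsld. Without that build, a local flag stands in for the library's mode so the fork-detection logic itself can be run and checked anywhere; the function names fips_enable, fips_reinit_if_forked and fips_fork_probe are this example's own.

```c
/* Added example, not socat's code: remember which process enabled FIPS
 * mode and re-enable it in a forked child, as README.FIPS describes. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifdef OPENSSL_FIPS
#include <openssl/fips.h>              /* assumption: header of the FIPS-capable OpenSSL */
#define fips_lib_set(on) FIPS_mode_set(on)
#else
/* Stand-in for the library state when built without the FIPS module,
 * so the logic below can be exercised on any system. */
static int fips_lib_state = 0;
static int fips_lib_set(int on) { fips_lib_state = on; return 1; }
#endif

/* pid of the process that initialised FIPS mode; 0 means "not enabled". */
static pid_t fips_owner_pid = 0;

/* Enable FIPS mode and record the enabling process. Returns 1 on success. */
int fips_enable(void) {
    if (!fips_lib_set(1)) return 0;
    fips_owner_pid = getpid();
    return 1;
}

/* Call before using TLS in any process. If this process is a forked child
 * (its pid differs from the recorded one), disable and re-enable FIPS so
 * the module's self-tests and pid bookkeeping are redone for the child.
 * Returns 0 when nothing was needed, 1 when FIPS was re-initialised,
 * -1 on failure. */
int fips_reinit_if_forked(void) {
    if (fips_owner_pid == 0) return 0;           /* FIPS never enabled */
    if (fips_owner_pid == getpid()) return 0;    /* same process */
    if (!fips_lib_set(0)) return -1;
    if (!fips_lib_set(1)) return -1;
    fips_owner_pid = getpid();
    return 1;
}

/* Fork a child and report what the child saw: 1 if it re-initialised,
 * 0 if it did not need to, -1 on error. */
int fips_fork_probe(void) {
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        int r = fips_reinit_if_forked();
        _exit(r < 0 ? 2 : r);                    /* 2 encodes failure */
    }
    int status = 0;
    if (waitpid(child, &status, 0) < 0) return -1;
    if (!WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

int main(void) {
    if (!fips_enable()) { fprintf(stderr, "FIPS enable failed\n"); return 1; }
    printf("parent: reinit needed? %d\n", fips_reinit_if_forked());   /* 0 */
    printf("child:  reinit done?   %d\n", fips_fork_probe());         /* 1 */
    return 0;
}
```

The parent never reinitialises because its pid matches the recorded one; only the child does, and it updates the recorded pid so its own later children are handled the same way.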

To reproduce David's environment, do the following:
To build OpenSSL:
download OpenSSL 0.9.7j-fips-dev from
http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz
tar xzf OpenSSL-fips-1.0.tar.gz
cd openssl
./Configure fips linux-pentium
make
make test
(become root)
make install
This leaves an install in /usr/local/ssl

To build socat:
Set up a directory with socat 1.5 or higher.
cd socat-1.5.0.0
./configure CPPFLAGS=-I/usr/local/ssl/include/ LDFLAGS=-L/usr/local/ssl/lib/ FIPSLD=/usr/local/ssl/bin/fipsld
make
(become root)
make install

To run the tests, make sure the new OpenSSL is used:

export PATH=/usr/local/ssl/bin:$PATH
./test.sh fips

There are two tests in test.sh that depend on FIPS:

OPENSSL_FIPS_BOTHAUTH performs an SSL client to server connection with
certificate based authentication in both directions. If it works, FIPS mode
seems to be ok.

OPENSSL_FIPS_SECURITY generates a certificate/key pair without FIPS support. It
then tries an SSL connection in "normal" mode, which is expected to work. In the
second phase it uses FIPS mode with these credentials, which is expected to
fail. If so, the test succeeded.