httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From b..@apache.org
Subject svn commit: r190120 - in /httpd/httpd/branches/fips-dev: ./ build/ include/ modules/ssl/ server/ srclib/apr-util/ srclib/apr-util/crypto/ support/
Date Sat, 11 Jun 2005 14:14:56 GMT
Author: ben
Date: Sat Jun 11 07:14:56 2005
New Revision: 190120

URL: http://svn.apache.org/viewcvs?rev=190120&view=rev
Log:
Add --enable-fips, FIPSify everything.

Modified:
    httpd/httpd/branches/fips-dev/README-FIPS
    httpd/httpd/branches/fips-dev/build/program.mk
    httpd/httpd/branches/fips-dev/configure.in
    httpd/httpd/branches/fips-dev/include/http_main.h
    httpd/httpd/branches/fips-dev/include/util_md5.h
    httpd/httpd/branches/fips-dev/modules/ssl/mod_ssl.c
    httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_config.c
    httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_rand.c
    httpd/httpd/branches/fips-dev/modules/ssl/ssl_private.h
    httpd/httpd/branches/fips-dev/server/Makefile.in
    httpd/httpd/branches/fips-dev/server/core.c
    httpd/httpd/branches/fips-dev/server/util_md5.c
    httpd/httpd/branches/fips-dev/srclib/apr-util/configure.in
    httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_md4.c
    httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_md5.c
    httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_sha1.c
    httpd/httpd/branches/fips-dev/support/htdbm.c
    httpd/httpd/branches/fips-dev/support/htdigest.c
    httpd/httpd/branches/fips-dev/support/htpasswd.c

Modified: httpd/httpd/branches/fips-dev/README-FIPS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/README-FIPS?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/README-FIPS (original)
+++ httpd/httpd/branches/fips-dev/README-FIPS Sat Jun 11 07:14:56 2005
@@ -21,7 +21,11 @@
 
 Note this branch includes apr and apr-util, while the authors figure out what
 to do about apr MD5 and other fips issues are resolved.  That work will be
-submitted to the apr project, once the least distruptive change is ascertained.
+submitted to the apr project, once the least distruptive change is
+ascertained.
+
+Note also that even with FIPS mode is off, operations using MD5 are
+not possible.
 
 Stuff FIPS requires
 -------------------
@@ -32,3 +36,5 @@
 code).
 
 Certificates: must be signed using SHA-1.
+
+Passwords: must be SHA-1 hashed.

Modified: httpd/httpd/branches/fips-dev/build/program.mk
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/build/program.mk?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/build/program.mk (original)
+++ httpd/httpd/branches/fips-dev/build/program.mk Sat Jun 11 07:14:56 2005
@@ -16,7 +16,15 @@
 # The build environment was provided by Sascha Schumann.
 
 PROGRAM_OBJECTS = $(PROGRAM_SOURCES:.c=.lo)
+TOP=/home/ben/work/openssl-0.9.7
+
+# XXX: I don't know how to work out the correct path for the real executable
+TO_FINGERPRINT = $(PROGRAM_NAME:httpd=.libs/lt-httpd)
+FINGERPRINT = $(TO_FINGERPRINT).sha1
 
 $(PROGRAM_NAME): $(PROGRAM_DEPENDENCIES) $(PROGRAM_OBJECTS)
 	$(PROGRAM_PRELINK)
 	$(LINK) $(PROGRAM_LDFLAGS) $(PROGRAM_OBJECTS) $(PROGRAM_LDADD)
+# blearg - force libtool to do its stupid magic
+	-./$(PROGRAM_NAME) --help
+	TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(TO_FINGERPRINT) >
$(FINGERPRINT)

Modified: httpd/httpd/branches/fips-dev/configure.in
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/configure.in?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/configure.in (original)
+++ httpd/httpd/branches/fips-dev/configure.in Sat Jun 11 07:14:56 2005
@@ -18,6 +18,10 @@
 sinclude(build/find_apu.m4)
 sinclude(acinclude.m4)
 
+dnl Allow FIPS mode
+AC_ARG_ENABLE(fips,[Enable FIPS mode (i.e. disable or replace all crypto)],
+	[AC_DEFINE([AP_FIPS],1,[Set to 1 if FIPS mode is enabled])])
+
 dnl XXX we can't just use AC_PREFIX_DEFAULT because that isn't subbed in
 dnl by configure until it is too late.  Is that how it should be or not?
 dnl Something seems broken here.                                               
@@ -106,8 +110,11 @@
 esac  
 
 if test "$apu_found" = "reconfig"; then
+  if test "${enable_fips+set}" = set; then
+    fips_option="--enable-fips"
+  fi
   APR_SUBDIR_CONFIG(srclib/apr-util,
-                    [--with-apr=../apr --prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir
--includedir=$includedir --bindir=$bindir],
+                    [--with-apr=../apr --prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir
--includedir=$includedir --bindir=$bindir $fips_option],
                     [--enable-layout=*|\'--enable-layout=*])
   dnl We must be the last to build and the first to be cleaned
   AP_BUILD_SRCLIB_DIRS="$AP_BUILD_SRCLIB_DIRS apr-util"

Modified: httpd/httpd/branches/fips-dev/include/http_main.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/include/http_main.h?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/include/http_main.h (original)
+++ httpd/httpd/branches/fips-dev/include/http_main.h Sat Jun 11 07:14:56 2005
@@ -35,6 +35,7 @@
 
 /** The name of the Apache executable */
 AP_DECLARE_DATA extern const char *ap_server_argv0;
+AP_DECLARE_DATA extern const char *ap_server_full_argv0;
 /** The global server's ServerRoot */
 AP_DECLARE_DATA extern const char *ap_server_root;
 

Modified: httpd/httpd/branches/fips-dev/include/util_md5.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/include/util_md5.h?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/include/util_md5.h (original)
+++ httpd/httpd/branches/fips-dev/include/util_md5.h Sat Jun 11 07:14:56 2005
@@ -26,7 +26,20 @@
  */
 
 #include "apr_md5.h"
+#include "ap_config_auto.h"
 
+#ifdef AP_FIPS
+/**
+ * Create a SHA-1 checksum of a string of binary data
+ * @param a Pool to allocate out of
+ * @param buf Buffer to generate checksum for
+ * @param len The length of the buffer
+ * @return The checksum in hex
+ * @deffunc char *ap_md5_binary(apr_pool_t *a, const unsigned char *buf, int len)
+ */
+AP_DECLARE(char *) ap_sha1_binary(apr_pool_t *a, const unsigned char *buf, int len);
+
+#else
 /**
  * Create an MD5 checksum of a given string
  * @param a Pool to allocate out of
@@ -62,6 +75,8 @@
  * @deffunc char *ap_md5digest(apr_pool_t *p, apr_file_t *infile)
  */
 AP_DECLARE(char *) ap_md5digest(apr_pool_t *p, apr_file_t *infile);
+
+#endif /*ndef AP_FIPS */
 
 #ifdef __cplusplus
 }

Modified: httpd/httpd/branches/fips-dev/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/modules/ssl/mod_ssl.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/fips-dev/modules/ssl/mod_ssl.c Sat Jun 11 07:14:56 2005
@@ -99,9 +99,11 @@
     SSL_CMD_SRV(Engine, TAKE1,
                 "SSL switch for the protocol engine "
                 "(`on', `off')")
+#ifdef AP_FIPS
     SSL_CMD_SRV(FIPS, TAKE1,
 		"Enable FIPS-140 compliance "
                 "(`on', `off')")
+#endif
     SSL_CMD_ALL(CipherSuite, TAKE1,
                 "Colon-delimited list of permitted SSL Ciphers "
                 "(`XXX:...:XXX' - see manual)")
@@ -343,7 +345,7 @@
     SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
     SSL *ssl;
     SSLConnRec *sslconn = myConnConfig(c);
-    char *vhost_md5;
+    char *vhost_digest;
     modssl_ctx_t *mctx;
 
     /*
@@ -373,14 +375,20 @@
         return DECLINED; /* XXX */
     }
 
-    vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
-                              sc->vhost_id_len);
-
-    if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
+#ifdef AP_FIPS
+    vhost_digest = ap_sha1_binary(c->pool, (unsigned char *)sc->vhost_id,
+				  sc->vhost_id_len);
+#else
+    vhost_digest = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
+				 sc->vhost_id_len);
+#endif
+    
+/* Using only 32 bytes is deliberate */
+    if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_digest,
                                     APR_MD5_DIGESTSIZE*2))
     {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
-                      "Unable to set session id context to `%s'", vhost_md5);
+                      "Unable to set session id context to `%s'", vhost_digest);
         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
 
         c->aborted = 1;

Modified: httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_config.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_config.c Sat Jun 11 07:14:56 2005
@@ -254,7 +254,9 @@
 
     cfgMerge(mc, NULL);
     cfgMerge(enabled, SSL_ENABLED_UNSET);
+#ifdef AP_FIPS
     cfgMerge(fips, SSL_FIPS_UNSET); // FIPS-XXX: make more than one setting an error?
+#endif
     cfgMergeBool(proxy_enabled);
     cfgMergeInt(session_cache_timeout);
     cfgMergeBool(cipher_server_pref);
@@ -619,6 +621,8 @@
 
     return "Argument must be On, Off, or Optional";
 }
+
+#ifdef AP_FIPS
 // FIPS-XXX: this is global, i.e. can only be set once, not per-server.
 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, const char *arg)
 {
@@ -635,6 +639,7 @@
 
     return "Argument must be On or Off";
 }
+#endif
 
 const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
                                    void *dcfg,

Modified: httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_init.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_init.c Sat Jun 11 07:14:56 2005
@@ -87,9 +87,9 @@
     MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_512); \
     MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_1024)
 
+#if AP_FIPS
 /* FIPS-140 prevents automatic rekeying in child processes, so we have
  * to do it */
-
 static void fips_rand_reseed(server_rec *s, apr_pool_t *ptemp)
 {
     static int rand_seeded;
@@ -100,6 +100,7 @@
 	rand_seeded=1;
     }
 }
+#endif
 
 static void ssl_tmp_keys_free(server_rec *s)
 {
@@ -227,8 +228,10 @@
             sc->enabled = SSL_ENABLED_FALSE;
         }
 
+#ifdef AP_FIPS
 	if(sc->fips == SSL_FIPS_UNSET)
 	    sc->enabled = SSL_FIPS_FALSE;
+#endif
 
         if (sc->proxy_enabled == UNSET) {
             sc->proxy_enabled = FALSE;
@@ -265,6 +268,7 @@
      */
     ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
 
+#ifdef AP_FIPS
     /* Do this after randomness has been seeded */
     // XXX: also need to set FIPS mode for APR (i.e. exclude all crypto/randomness from APR)
     if(!fips_done) {
@@ -283,6 +287,7 @@
 	    ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, "FIPS mode disabled");
 	fips_done=1;
     }
+#endif
 
     /*
      * read server private keys/public certs into memory.
@@ -1230,8 +1235,9 @@
 
     /* open the mutex lockfile */
     ssl_mutex_reinit(s, p);
-
+#ifdef AP_FIPS
     fips_rand_reseed(s, p);
+#endif
 }
 
 #define MODSSL_CFG_ITEM_FREE(func, item) \

Modified: httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_rand.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_rand.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_rand.c (original)
+++ httpd/httpd/branches/fips-dev/modules/ssl/ssl_engine_rand.c Sat Jun 11 07:14:56 2005
@@ -29,6 +29,10 @@
 
 #include "ssl_private.h"
 
+#ifdef AP_FIPS
+# include <openssl/fips_rand.h>
+#endif
+
 /*  _________________________________________________________________
 **
 **  Support for better seeding of SSL library's RNG
@@ -36,6 +40,8 @@
 */
 
 static int ssl_rand_choosenum(int, int);
+
+#ifdef AP_FIPS
 static int ssl_rand_feedfp(int, apr_pool_t *, apr_file_t *, int);
 
 /* Deal with the arcanity of the FIPS PRNG, which requires keying
@@ -54,6 +60,13 @@
     }
     RAND_seed(buf, num);
 }
+#else
+
+static int ssl_rand_feedfp(apr_pool_t *, apr_file_t *, int);
+
+# define inject_rand(fips, buf, num)    RAND_seed(buf, num)
+
+#endif
 
 int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
 {
@@ -83,8 +96,12 @@
                 if (apr_file_open(&fp, pRandSeed->cpPath, 
                                   APR_READ, APR_OS_DEFAULT, p) != APR_SUCCESS)
                     continue;
+#ifdef AP_FIPS
                 nDone += ssl_rand_feedfp(sc->fips == SSL_FIPS_TRUE, p, fp,
 					 pRandSeed->nBytes);
+#else
+                nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
+#endif
                 apr_file_close(fp);
             }
             else if (pRandSeed->nSrc == SSL_RSSRC_EXEC) {
@@ -99,8 +116,12 @@
 
                 if ((fp = ssl_util_ppopen(s, p, cmd, argv)) == NULL)
                     continue;
+#ifdef AP_FIPS
                 nDone += ssl_rand_feedfp(sc->fips == SSL_FIPS_TRUE, p, fp,
 					 pRandSeed->nBytes);
+#else
+                nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
+#endif
                 ssl_util_ppclose(s, p, fp);
             }
 #ifdef HAVE_SSL_RAND_EGD
@@ -156,7 +177,11 @@
 
 #define BUFSIZE 8192
 
+#ifdef AP_FIPS
 static int ssl_rand_feedfp(int fips, apr_pool_t *p, apr_file_t *fp, int nReq)
+#else
+static int ssl_rand_feedfp(apr_pool_t *p, apr_file_t *fp, int nReq)
+#endif
 {
     apr_size_t nDone;
     unsigned char caBuf[BUFSIZE];

Modified: httpd/httpd/branches/fips-dev/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/modules/ssl/ssl_private.h?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/fips-dev/modules/ssl/ssl_private.h Sat Jun 11 07:14:56 2005
@@ -281,11 +281,13 @@
     SSL_ENABLED_OPTIONAL = 3
 } ssl_enabled_t;
 
+#ifdef AP_FIPS
 typedef enum {
     SSL_FIPS_UNSET	= UNSET,
     SSL_FIPS_FALSE	= 0,
     SSL_FIPS_TRUE	= 1
 } fips_enabled_t;
+#endif
 
 /*
  * Define the SSL requirement structure
@@ -442,7 +444,9 @@
 struct SSLSrvConfigRec {
     SSLModConfigRec *mc;
     ssl_enabled_t    enabled;
+#ifdef AP_FIPS
     fips_enabled_t   fips;
+#endif
     BOOL             proxy_enabled;
     const char      *vhost_id;
     int              vhost_id_len;

Modified: httpd/httpd/branches/fips-dev/server/Makefile.in
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/server/Makefile.in?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/server/Makefile.in (original)
+++ httpd/httpd/branches/fips-dev/server/Makefile.in Sat Jun 11 07:14:56 2005
@@ -66,7 +66,7 @@
 	rm -f $$tmp
 
 exports.c: export_files
-	$(AWK) -f $(top_srcdir)/build/make_exports.awk `cat $?` > $@
+	$(AWK) -f $(top_srcdir)/build/make_exports.awk `cat $?` | $(top_srcdir)/build/fipsify_exports
$(top_srcdir)/include/ap_config_auto.h > $@
 
 export_vars.h: export_files
 	$(AWK) -f $(top_srcdir)/build/make_var_export.awk `cat $?` > $@

Modified: httpd/httpd/branches/fips-dev/server/core.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/server/core.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/server/core.c (original)
+++ httpd/httpd/branches/fips-dev/server/core.c Sat Jun 11 07:14:56 2005
@@ -3501,8 +3501,14 @@
         } 
         else {
             if (bld_content_md5) {
+#ifndef AP_NO_FIPS
+		// FIPS-XXX: is it safe to continue despite this?
+		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+			      "Can't do Content-MD5 in FIPS mode");
+#else
                 apr_table_setn(r->headers_out, "Content-MD5",
                                ap_md5digest(r->pool, fd));
+#endif
             }
 
             /* For platforms where the size of the file may be larger than

Modified: httpd/httpd/branches/fips-dev/server/util_md5.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/server/util_md5.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/server/util_md5.c (original)
+++ httpd/httpd/branches/fips-dev/server/util_md5.c Sat Jun 11 07:14:56 2005
@@ -50,6 +50,38 @@
 #include "util_md5.h"
 #include "util_ebcdic.h"
 
+#ifdef AP_FIPS
+#include <openssl/sha.h>
+
+AP_DECLARE(char *) ap_sha1_binary(apr_pool_t *p, const unsigned char *buf, int length)
+{
+    const char *hex = "0123456789abcdef";
+    SHA_CTX my_sha1;
+    unsigned char hash[SHA_DIGEST_LENGTH];
+    char *r, result[SHA_DIGEST_LENGTH*2+1];
+    int i;
+
+    /*
+     * Take the SHA-1 hash of the string argument.
+     */
+
+    SHA1_Init(&my_sha1);
+#if APR_CHARSET_EBCDIC
+# error no EBCDIC support
+#endif
+    SHA1_Update(&my_sha1, buf, (unsigned int)length);
+    SHA1_Final(hash, &my_sha1);
+
+    for (i = 0, r = result; i < APR_MD5_DIGESTSIZE; i++) {
+	*r++ = hex[hash[i] >> 4];
+	*r++ = hex[hash[i] & 0xF];
+    }
+    *r = '\0';
+
+    return apr_pstrndup(p, result, SHA_DIGEST_LENGTH*2);
+}
+
+#else
 AP_DECLARE(char *) ap_md5_binary(apr_pool_t *p, const unsigned char *buf, int length)
 {
     const char *hex = "0123456789abcdef";
@@ -170,3 +202,4 @@
     return ap_md5contextTo64(p, &context);
 }
 
+#endif /*ndef AP_FIPS */

Modified: httpd/httpd/branches/fips-dev/srclib/apr-util/configure.in
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/srclib/apr-util/configure.in?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/srclib/apr-util/configure.in (original)
+++ httpd/httpd/branches/fips-dev/srclib/apr-util/configure.in Sat Jun 11 07:14:56 2005
@@ -16,6 +16,10 @@
 sinclude(build/dbm.m4)
 sinclude(build/dbd.m4)
 
+dnl Allow FIPS mode
+AC_ARG_ENABLE(fips,[Enable FIPS mode (i.e. disable or replace all crypto)],
+	[AC_DEFINE([APU_FIPS],1,[Set to 1 if FIPS mode is enabled])])
+
 dnl Generate ./config.nice for reproducing runs of configure
 dnl 
 APR_CONFIG_NICE(config.nice)

Modified: httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_md4.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_md4.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_md4.c (original)
+++ httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_md4.c Sat Jun 11 07:14:56 2005
@@ -41,6 +41,7 @@
 #include "apr_strings.h"
 #include "apr_md4.h"
 #include "apr_lib.h"
+#include "apu_config.h"
 
 #if APR_HAVE_STRING_H
 #include <string.h>
@@ -49,9 +50,10 @@
 #include <unistd.h>
 #endif
 
+#ifndef APU_FIPS
 /* Constants for MD4Transform routine.
  */
- 
+
 #define S11 3
 #define S12 7
 #define S13 11
@@ -402,3 +404,5 @@
     return APR_SUCCESS;
 }
 #endif
+
+#endif /*ndef APU_FIPS */

Modified: httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_md5.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_md5.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_md5.c (original)
+++ httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_md5.c Sat Jun 11 07:14:56 2005
@@ -76,6 +76,13 @@
 #include <pthread.h>
 #endif
 
+/*
+ * Define the Magic String prefix that identifies a password as being
+ * hashed using our algorithm.
+ */
+static const char *apr1_id = "$apr1$";
+
+#ifndef APU_FIPS
 /* Constants for MD5Transform routine.
  */
 
@@ -462,12 +469,6 @@
 #endif
 
 /*
- * Define the Magic String prefix that identifies a password as being
- * hashed using our algorithm.
- */
-static const char *apr1_id = "$apr1$";
-
-/*
  * The following MD5 password encryption code was largely borrowed from
  * the FreeBSD 3.0 /usr/src/lib/libcrypt/crypt.c file, which is
  * licenced as stated at the top of this file.
@@ -665,6 +666,8 @@
 #endif
 #endif
 
+#endif /* ndef APU_FIPS */
+
 /*
  * Validate a plaintext password against a smashed one.  Uses either
  * crypt() (if available) or apr_md5_encode() or apr_sha1_base64(), depending
@@ -680,15 +683,22 @@
     char *crypt_pw;
 #endif
     if (!strncmp(hash, apr1_id, strlen(apr1_id))) {
+#ifdef APU_FIPS
+	return APR_EMISMATCH;
+#else
         /*
          * The hash was created using our custom algorithm.
          */
         apr_md5_encode(passwd, hash, sample, sizeof(sample));
+#endif
     }
     else if (!strncmp(hash, APR_SHA1PW_ID, APR_SHA1PW_IDLEN)) {
          apr_sha1_base64(passwd, strlen(passwd), sample);
     }
     else {
+#ifdef APU_FIPS
+	return APR_EMISMATCH;
+#else
         /*
          * It's not our algorithm, so feed it to crypt() if possible.
          */
@@ -728,6 +738,7 @@
         apr_cpystrn(sample, crypt_pw, sizeof(sample) - 1);
         crypt_mutex_unlock();
 #endif
+#endif /*ndef APU_FIPS */
     }
     return (strcmp(sample, hash) == 0) ? APR_SUCCESS : APR_EMISMATCH;
 }

Modified: httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_sha1.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_sha1.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_sha1.c (original)
+++ httpd/httpd/branches/fips-dev/srclib/apr-util/crypto/apr_sha1.c Sat Jun 11 07:14:56 2005
@@ -48,11 +48,14 @@
 #include "apr_base64.h"
 #include "apr_strings.h"
 #include "apr_lib.h"
+#include "apu_config.h"
 #if APR_CHARSET_EBCDIC
 #include "apr_xlate.h"
 #endif /*APR_CHARSET_EBCDIC*/
 #include <string.h>
 
+#ifndef APU_FIPS
+
 /* a bit faster & bigger, if defined */
 #define UNROLL_LOOPS
 
@@ -344,7 +347,6 @@
     }
 }
 
-
 APU_DECLARE(void) apr_sha1_base64(const char *clear, int len, char *out)
 {
     int l;
@@ -370,3 +372,30 @@
      * output of base64 encoded SHA1 is always 28 chars + APR_SHA1PW_IDLEN
      */
 }
+#else /*def APR_FIPS */
+
+APU_DECLARE(void) apr_sha1_base64(const char *clear, int len, char *out)
+{
+    int l;
+    apr_byte_t digest[APR_SHA1_DIGESTSIZE];
+
+    if (strncmp(clear, APR_SHA1PW_ID, APR_SHA1PW_IDLEN) == 0) {
+	clear += APR_SHA1PW_IDLEN;
+    }
+
+    SHA1(clear, len, digest);
+
+    /* private marker. */
+    apr_cpystrn(out, APR_SHA1PW_ID, APR_SHA1PW_IDLEN + 1);
+
+    /* SHA1 hash is always 20 chars */
+    l = apr_base64_encode_binary(out + APR_SHA1PW_IDLEN, digest, sizeof(digest));
+    out[l + APR_SHA1PW_IDLEN] = '\0';
+
+    /*
+     * output of base64 encoded SHA1 is always 28 chars + APR_SHA1PW_IDLEN
+     */
+}
+
+#endif /*def APR_FIPS */
+

Modified: httpd/httpd/branches/fips-dev/support/htdbm.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/support/htdbm.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/support/htdbm.c (original)
+++ httpd/httpd/branches/fips-dev/support/htdbm.c Sat Jun 11 07:14:56 2005
@@ -32,6 +32,7 @@
 #include "apr_md5.h"
 #include "apr_sha1.h"
 #include "apr_dbm.h"
+#include "ap_config_auto.h"
 
 #if APR_HAVE_STDLIB_H
 #include <stdlib.h>
@@ -63,7 +64,9 @@
 
 #define MAX_STRING_LEN 256
 #define ALG_PLAIN 0
-#define ALG_APMD5 1
+#ifndef AP_FIPS
+# define ALG_APMD5 1
+#endif
 #define ALG_APSHA 2
  
 #if APR_HAVE_CRYPT_H
@@ -161,8 +164,12 @@
     }
 #endif /*APR_CHARSET_EBCDIC*/
 
+#ifdef AP_FIPS
+    (*hdbm)->alg = ALG_APSHA;
+#else
     /* Set MD5 as default */
     (*hdbm)->alg = ALG_APMD5;
+#endif
     (*hdbm)->type = "default";
     return APR_SUCCESS;
 }
@@ -298,6 +305,7 @@
             apr_sha1_base64(htdbm->userpass,strlen(htdbm->userpass),cpw);
         break;
 
+#ifndef AP_FIPS
         case ALG_APMD5: 
             (void) srand((int) time((time_t *) NULL));
             to64(&salt[0], rand(), 8);
@@ -305,6 +313,8 @@
             apr_md5_encode((const char *)htdbm->userpass, (const char *)salt,
                             cpw, sizeof(cpw));
         break;
+#endif
+
         case ALG_PLAIN:
             /* XXX this len limitation is not in sync with any HTTPd len. */
             apr_cpystrn(cpw,htdbm->userpass,sizeof(cpw));
@@ -458,9 +468,11 @@
                 need_pwd = 0;
                 cmd = HTDBM_DELETE;
                 break;
+#ifndef AP_FIPS
             case 'm':
                 h->alg = ALG_APMD5;
                 break;
+#endif
             case 'p':
                 h->alg = ALG_PLAIN;
                 break;

Modified: httpd/httpd/branches/fips-dev/support/htdigest.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/support/htdigest.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/support/htdigest.c (original)
+++ httpd/httpd/branches/fips-dev/support/htdigest.c Sat Jun 11 07:14:56 2005
@@ -33,6 +33,9 @@
 #include "apr_general.h"
 #include "apr_signal.h"
 #include "apr_strings.h"        /* for apr_pstrdup() */
+#include "ap_config_auto.h"
+
+#ifndef AP_FIPS
 
 #define APR_WANT_STDIO
 #define APR_WANT_STRFUNC
@@ -289,3 +292,13 @@
 
     return 0;
 }
+
+#else /*def AP_FIPS */
+
+int main(int argc, const char * const argv[])
+{
+    fprintf(stderr,"HTTP Digest uses MD5 and so is not available if FIPS mode.\n");
+    exit(1);
+}
+
+#endif

Modified: httpd/httpd/branches/fips-dev/support/htpasswd.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/fips-dev/support/htpasswd.c?rev=190120&r1=190119&r2=190120&view=diff
==============================================================================
--- httpd/httpd/branches/fips-dev/support/htpasswd.c (original)
+++ httpd/httpd/branches/fips-dev/support/htpasswd.c Sat Jun 11 07:14:56 2005
@@ -45,6 +45,7 @@
 #include "apr_file_io.h"
 #include "apr_general.h"
 #include "apr_signal.h"
+#include "ap_config_auto.h"
 
 #if APR_HAVE_STDIO_H
 #include <stdio.h>
@@ -82,8 +83,10 @@
 
 #define MAX_STRING_LEN 256
 #define ALG_PLAIN 0
-#define ALG_CRYPT 1
-#define ALG_APMD5 2
+#ifndef AP_FIPS
+# define ALG_CRYPT 1
+# define ALG_APMD5 2
+#endif
 #define ALG_APSHA 3 
 
 #define ERR_FILEPERM 1
@@ -132,7 +135,9 @@
     char cpw[120];
     char pwin[MAX_STRING_LEN];
     char pwv[MAX_STRING_LEN];
+#ifndef AP_FIPS
     char salt[9];
+#endif
     apr_size_t bufsize;
 
     if (passwd != NULL) {
@@ -161,6 +166,7 @@
         apr_sha1_base64(pw,strlen(pw),cpw);
         break;
 
+#ifndef AP_FIPS
     case ALG_APMD5: 
         (void) srand((int) time((time_t *) NULL));
         to64(&salt[0], rand(), 8);
@@ -169,13 +175,14 @@
         apr_md5_encode((const char *)pw, (const char *)salt,
                      cpw, sizeof(cpw));
         break;
+#endif
 
     case ALG_PLAIN:
         /* XXX this len limitation is not in sync with any HTTPd len. */
         apr_cpystrn(cpw,pw,sizeof(cpw));
         break;
 
-#if !(defined(WIN32) || defined(NETWARE))
+#if !(defined(WIN32) || defined(NETWARE)) && !defined(AP_FIPS)
     case ALG_CRYPT:
     default:
         (void) srand((int) time((time_t *) NULL));
@@ -306,18 +313,20 @@
                 *mask |= APHTP_NOFILE;
                 args_left--;
             }
+#ifndef AP_FIPS
             else if (*arg == 'm') {
                 *alg = ALG_APMD5;
             }
+            else if (*arg == 'd') {
+                *alg = ALG_CRYPT;
+            }
+#endif
             else if (*arg == 's') {
                 *alg = ALG_APSHA;
             }
             else if (*arg == 'p') {
                 *alg = ALG_PLAIN;
             }
-            else if (*arg == 'd') {
-                *alg = ALG_CRYPT;
-            }
             else if (*arg == 'b') {
                 *mask |= APHTP_NONINTERACTIVE;
                 args_left++;
@@ -400,7 +409,11 @@
     char *scratch, cp[MAX_STRING_LEN];
     int found = 0;
     int i;
+#ifdef AP_FIPS
+    int alg = ALG_APSHA;
+#else
     int alg = ALG_CRYPT;
+#endif
     int mask = 0;
     apr_pool_t *pool;
     int existing_file = 0;



Mime
View raw message