httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject svn commit: r963430 - in /httpd/httpd/branches/2.2.x: STATUS docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h modules/ssl/ssl_toolkit_compat.h
Date Mon, 12 Jul 2010 18:47:46 GMT
Author: jim
Date: Mon Jul 12 18:47:45 2010
New Revision: 963430

URL: http://svn.apache.org/viewvc?rev=963430&view=rev
Log:
  * Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
      builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
          build of openssl is required for 'SSLFIPS on'.  
              PR: 46270  [Dr Stephen Henson <steve openssl.org>, William Rowe]
                  Trunk patch: http://svn.apache.org/viewvc?rev=925980&view=rev
                                   http://svn.apache.org/viewvc?rev=926000&view=rev
                                                    http://svn.apache.org/viewvc?rev=926614&view=rev
                                                                     http://svn.apache.org/viewvc?rev=926619&view=rev
                                                                         2.2.x patch: http://people.apache.org/~wrowe/ssl-fips-2.2.patch
                                                                             +1: wrowe
                                                                                 minfrin:
Doesn't build on v2.2 until you add r926614. With r926614, +1.
                                                                                     wrowe:
Added both of rpluem's proposed patched, 926614 and 926619
                                                                                         +1:
drh, rjung, jim
                                                                                         
   rjung: We should add a note about the first version providing this
                                                                                         
              option in the docs page, like e.g. we did for SSLInsecureRenegotiation.
                                                                                         
                  wrowe asks; you mean <Compatibility> tag?  Yes, of course.



Modified:
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
    httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=963430&r1=963429&r2=963430&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Mon Jul 12 18:47:45 2010
@@ -86,23 +86,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
-    builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
-    build of openssl is required for 'SSLFIPS on'.  
-    PR: 46270  [Dr Stephen Henson <steve openssl.org>, William Rowe]
-    Trunk patch: http://svn.apache.org/viewvc?rev=925980&view=rev
-                 http://svn.apache.org/viewvc?rev=926000&view=rev
-                 http://svn.apache.org/viewvc?rev=926614&view=rev
-                 http://svn.apache.org/viewvc?rev=926619&view=rev
-    2.2.x patch: http://people.apache.org/~wrowe/ssl-fips-2.2.patch
-    +1: wrowe
-    minfrin: Doesn't build on v2.2 until you add r926614. With r926614, +1.
-    wrowe: Added both of rpluem's proposed patched, 926614 and 926619
-    +1: drh, rjung, jim
-    rjung: We should add a note about the first version providing this
-           option in the docs page, like e.g. we did for SSLInsecureRenegotiation.
-    wrowe asks; you mean <Compatibility> tag?  Yes, of course.
-
   *) mod_filter: enable filtering of errordocuments.  PR 48377
      http://svn.apache.org/viewvc?view=revision&revision=894041
      +1: niq, rjung, jim

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml?rev=963430&r1=963429&r2=963430&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml Mon Jul 12 18:47:45 2010
@@ -502,6 +502,33 @@ Within HTTP/1.1. At this time no web bro
 </directivesynopsis>
 
 <directivesynopsis>
+<name>SSLFIPS</name>
+<description>SSL FIPS mode Switch</description>
+<syntax>SSLFIPS on|off</syntax>
+<default>SSLFIPS off</default>
+<contextlist><context>server config</context></contextlist>
+
+<usage>
+<p>
+This directive toggles the usage of the SSL library FIPS_mode flag.
+It must be set in the global server context and cannot be configured
+with conflicting settings (SSLFIPS on followed by SSLFIPS off or 
+similar).  The mode applies to all SSL library operations.
+</p>
+<p>
+If httpd was compiled against an SSL library which did not support
+the FIPS_mode flag, <code>SSLFIPS on</code> will fail.  Refer to the
+FIPS 140-2 Security Policy document of the SSL provider library for
+specific requirements to use mod_ssl in a FIPS 140-2 approved mode
+of operation; note that mod_ssl itself is not validated, but may be
+described as using FIPS 140-2 validated cryptographic module, when
+all components are assembled and operated under the guidelines imposed
+by the applicable Security Policy.
+</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>SSLProtocol</name>
 <description>Configure usable SSL protocol flavors</description>
 <syntax>SSLProtocol [+|-]<em>protocol</em> ...</syntax>

Modified: httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c?rev=963430&r1=963429&r2=963430&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c Mon Jul 12 18:47:45 2010
@@ -99,6 +99,9 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(Engine, TAKE1,
                 "SSL switch for the protocol engine "
                 "(`on', `off')")
+    SSL_CMD_SRV(FIPS, FLAG,
+                "Enable FIPS-140 mode "
+                "(`on', `off')")
     SSL_CMD_ALL(CipherSuite, TAKE1,
                 "Colon-delimited list of permitted SSL Ciphers "
                 "(`XXX:...:XXX' - see manual)")

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c?rev=963430&r1=963429&r2=963430&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c Mon Jul 12 18:47:45 2010
@@ -175,6 +175,9 @@ static SSLSrvConfigRec *ssl_config_serve
 #ifndef OPENSSL_NO_TLSEXT
     sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
 #endif
+#ifdef HAVE_FIPS
+    sc->fips                   = UNSET;
+#endif
 
     modssl_ctx_init_proxy(sc, p);
 
@@ -269,6 +272,9 @@ void *ssl_config_server_merge(apr_pool_t
 #ifndef OPENSSL_NO_TLSEXT
     cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
 #endif
+#ifdef HAVE_FIPS
+    cfgMergeBool(fips);
+#endif
 
     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
 
@@ -635,6 +641,29 @@ const char *ssl_cmd_SSLEngine(cmd_parms 
     return "Argument must be On, Off, or Optional";
 }
 
+const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef HAVE_FIPS
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+#endif
+    const char *err;
+
+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+        return err;
+    }
+
+#ifdef HAVE_FIPS
+    if ((sc->fips != UNSET) && (sc->fips != (BOOL)(flag ? TRUE : FALSE)))
+        return "Conflicting SSLFIPS options, cannot be both On and Off";
+    sc->fips = flag ? TRUE : FALSE;
+#else
+    if (flag)
+        return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
+#endif
+
+    return NULL;
+}
+
 const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
                                    void *dcfg,
                                    const char *arg)

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c?rev=963430&r1=963429&r2=963430&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c Mon Jul 12 18:47:45 2010
@@ -79,12 +79,25 @@ static int ssl_tmp_key_init_rsa(server_r
 {
     SSLModConfigRec *mc = myModConfig(s);
 
+#ifdef HAVE_FIPS
+
+    if (FIPS_mode() && bits < 1024) {
+        mc->pTmpKeys[idx] = NULL;
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "Init: Skipping generating temporary "
+                     "%d bit RSA private key in FIPS mode", bits);
+        return OK;
+    }
+
+#endif
+
     if (!(mc->pTmpKeys[idx] =
           RSA_generate_key(bits, RSA_F4, NULL, NULL)))
     {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                      "Init: Failed to generate temporary "
                      "%d bit RSA private key", bits);
+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
         return !OK;
     }
 
@@ -96,6 +109,18 @@ static int ssl_tmp_key_init_dh(server_re
 {
     SSLModConfigRec *mc = myModConfig(s);
 
+#ifdef HAVE_FIPS
+
+    if (FIPS_mode() && bits < 1024) {
+        mc->pTmpKeys[idx] = NULL;
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "Init: Skipping generating temporary "
+                     "%d bit DH parameters in FIPS mode", bits);
+        return OK;
+    }
+
+#endif
+
     if (!(mc->pTmpKeys[idx] =
           ssl_dh_GetTmpParam(bits)))
     {
@@ -208,6 +233,11 @@ int ssl_init_Module(apr_pool_t *p, apr_p
             sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
         }
 
+#ifdef HAVE_FIPS
+        if (sc->fips == UNSET) {
+            sc->fips = FALSE;
+        }
+#endif
     }
 
 #if APR_HAS_THREADS
@@ -231,6 +261,26 @@ int ssl_init_Module(apr_pool_t *p, apr_p
      */
     ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
 
+#ifdef HAVE_FIPS
+    if(sc->fips) {
+        if (!FIPS_mode()) {
+            if (FIPS_mode_set(1)) {
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
+                             "Operating in SSL FIPS mode");
+            }
+            else {
+                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, "FIPS mode failed");
+                ssl_log_ssl_error(APLOG_MARK, APLOG_EMERG, s);
+                ssl_die();
+            }
+        }
+    }
+    else {
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
+                     "SSL FIPS mode disabled");
+    }
+#endif
+
     /*
      * read server private keys/public certs into memory.
      * decrypting any encrypted keys via configured SSLPassPhraseDialogs

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h?rev=963430&r1=963429&r2=963430&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h Mon Jul 12 18:47:45 2010
@@ -479,6 +479,9 @@ struct SSLSrvConfigRec {
 #ifndef OPENSSL_NO_TLSEXT
     ssl_enabled_t    strict_sni_vhost_check;
 #endif
+#ifdef HAVE_FIPS
+    BOOL             fips;
+#endif
 };
 
 /**
@@ -562,6 +565,8 @@ const char  *ssl_cmd_SSLProxyMachineCert
 const char  *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
 
+const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
+
 /**  module initialization  */
 int          ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
 void         ssl_init_Engine(server_rec *, apr_pool_t *);

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h?rev=963430&r1=963429&r2=963430&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h Mon Jul 12 18:47:45 2010
@@ -141,6 +141,10 @@ typedef int (modssl_read_bio_cb_fn)(char
 
 #define HAVE_SSL_X509V3_EXT_d2i
 
+#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
+#define HAVE_FIPS
+#endif
+
 #ifndef PEM_F_DEF_CALLBACK
 #ifdef PEM_F_PEM_DEF_CALLBACK
 /** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */



Mime
View raw message