Delivered-To: mailing list dev@tomcat.apache.org
Subject: Re: svn commit: r1587379 - in /tomcat/trunk: java/org/apache/catalina/core/AprLifecycleListener.java java/org/apache/catalina/core/LocalStrings.properties java/org/apache/tomcat/jni/SSL.java webapps/docs/config/listeners.xml
From: Tim Whittington In-Reply-To: <20140415011441.5835E23889E1@eris.apache.org> Date: Tue, 15 Apr 2014 14:45:54 +1200 Content-Transfer-Encoding: quoted-printable Message-Id: <252A9F7C-5D4C-4015-9241-0F4285A0B2B7@apache.org> References: <20140415011441.5835E23889E1@eris.apache.org> To: Tomcat Developers List X-Mailer: Apple Mail (2.1874) On 15/04/2014, at 1:14 pm, schultz@apache.org wrote: > Author: schultz > Date: Tue Apr 15 01:14:40 2014 > New Revision: 1587379 >=20 > URL: http://svn.apache.org/r1587379 > Log: > Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=3D56027 > Add more nuanced support for entering/requiring FIPS mode when using = APR connector. >=20 > Modified: > tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java > tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties > tomcat/trunk/java/org/apache/tomcat/jni/SSL.java > tomcat/trunk/webapps/docs/config/listeners.xml >=20 > Modified: = tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java > URL: = http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/Ap= rLifecycleListener.java?rev=3D1587379&r1=3D1587378&r2=3D1587379&view=3Ddif= f > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- = tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java = (original) > +++ = tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java Tue = Apr 15 01:14:40 2014 
> @@ -70,6 +70,18 @@ public class AprLifecycleListener > protected static boolean aprInitialized =3D false; > protected static boolean aprAvailable =3D false; > protected static boolean fipsModeActive =3D false; > + /** > + * FIPS_mode documentation states that the return value will be > + * whatever value was originally passed-in to FIPS_mode_set(). > + * FIPS_mode_set docs say the argument should be non-zero to = enter > + * FIPS mode, and that upon success, the return value will be the > + * same as the argument passed-in. Docs also highly recommend > + * that the value "1" be used "to avoid compatibility issues". > + * In order to avoid the argument and check-value from getting = out > + * of sync for some reason, we are using the class constant > + * FIPS_ON here. > + */ > + private static final int FIPS_ON =3D 1; This looks like it belongs in SSL (as one of the valid return values of = SSL.fipsModeGet). Also, does FIPS_mode() always return 1 if FIPS mode is enabled at boot = (I see there=92s no adaptation of the return code in the TCN imll). > protected static final Object lock =3D new Object(); >=20 > @@ -110,7 +122,7 @@ public class AprLifecycleListener > } > } > // Failure to initialize FIPS mode is fatal > - if ("on".equalsIgnoreCase(FIPSMode) && = !isFIPSModeActive()) { > + if (!(null =3D=3D FIPSMode || = "off".equalsIgnoreCase(FIPSMode)) && !isFIPSModeActive()) { > Error e =3D new Error( > = sm.getString("aprListener.initializeFIPSFailed")); > // Log here, because thrown error might be not = logged 
> @@ -252,13 +264,59 @@ public class AprLifecycleListener > method =3D clazz.getMethod(methodName, paramTypes); > method.invoke(null, paramValues); >=20 > - if("on".equalsIgnoreCase(FIPSMode)) { > + final boolean enterFipsMode; > + > + if("on".equalsIgnoreCase(FIPSMode) > + || "require".equalsIgnoreCase(FIPSMode)) { > + // FIPS_mode documentation states that the return value = will be > + // whatever value was originally passed-in to = FIPS_mode_set(). > + // FIPS_mode_set docs say the argument should be non-zero = to enter > + // FIPS mode, and that upon success, the return value = will be the > + // same as the argument passed-in. Docs also highly = recommend > + // that the value "1" be used "to avoid compatibility = issues". > + // In order to avoid the argument and check-value from = getting out > + // of sync for some reason, we are using the class = constant > + // FIPS_ON here. > + final int fipsModeState =3D SSL.fipsModeGet(); I don=92t think this needs to be documented twice, and maybe not at all? Aren=92t we already handling the FIPS_* =91peculiarities' in TCN so that = SSL.fipsModeGet() has a sane 0/1 return code? 
> + > + if(log.isDebugEnabled()) > + log.debug(sm.getString("aprListener.currentFIPSMode", > + = Integer.valueOf(fipsModeState))); > + > + // Return values: 0=3DNot in FIPS mode, 1=3DIn FIPS mode, > + // exception if FIPS totally unavailable > + enterFipsMode =3D 1 !=3D fipsModeState; > + > + if("on".equalsIgnoreCase(FIPSMode)) { > + if(!enterFipsMode) > + = log.info(sm.getString("aprListener.skipFIPSInitialization")); > + } else if("require".equalsIgnoreCase(FIPSMode)) { > + if(enterFipsMode) { > + String message =3D = sm.getString("aprListener.alreadyInFIPSMode"); > + log.error(message); > + throw new IllegalStateException(message); > + } > + } > + } > + else if("enter".equalsIgnoreCase(FIPSMode)) { > + enterFipsMode =3D true; > + } else > + enterFipsMode =3D false; > + > + if(enterFipsMode) { > log.info(sm.getString("aprListener.initializingFIPS")); >=20 > - int result =3D SSL.fipsModeSet(1); > + // FIPS_mode_set docs say the argument should be non-zero = to enter > + // FIPS mode, and that upon success, the return value = will be the > + // same as the argument passed-in. Docs also highly = recommend > + // that the value "1" be used "to avoid compatibility = issues". > + // In order to avoid the argument and check-value from = getting out > + // of sync for some reason, we are using the class = constant > + // FIPS_ON here. Again, these docs look like they belong on SSL.fipsModeSet or in the TCN = implementation of that. 
> + final int result =3D SSL.fipsModeSet(FIPS_ON); >=20 > - // success is defined as return value =3D 1 > - if(1 =3D=3D result) { > + // success is defined as return value =3D last argument = to FIPS_mode_set() > + if(FIPS_ON =3D=3D result) { > fipsModeActive =3D true; >=20 > = log.info(sm.getString("aprListener.initializeFIPSSuccess")); >=20 > Modified: = tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties > URL: = http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/Lo= calStrings.properties?rev=3D1587379&r1=3D1587378&r2=3D1587379&view=3Ddiff > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties = (original) > +++ tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties = Tue Apr 15 01:14:40 2014 
> @@ -57,6 +57,9 @@ aprListener.aprDestroy=3DFailed shutdown o > aprListener.sslInit=3DFailed to initialize the SSLEngine. > aprListener.tcnValid=3DLoaded APR based Apache Tomcat Native library = {0} using APR version {1}. > aprListener.flags=3DAPR capabilities: IPv6 [{0}], sendfile [{1}], = accept filters [{2}], random [{3}]. > +aprListener.currentFIPSMode=3DCurrent FIPS mode: {0} > +aprListener.skipFIPSInitialization=3DAlready in FIPS mode; skipping = FIPS initialization. > +aprListener.alreadyInFIPSMode=3DAprLifecycleListener requested to = force entering FIPS mode, but FIPS mode was already enabled. > aprListener.initializingFIPS=3DInitializing FIPS mode... > aprListener.initializeFIPSSuccess=3DSuccessfully entered FIPS mode > aprListener.initializeFIPSFailed=3DFailed to enter FIPS mode >=20 > Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java > URL: = http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.j= ava?rev=3D1587379&r1=3D1587378&r2=3D1587379&view=3Ddiff > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original) > +++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Tue Apr 15 = 01:14:40 2014 
> @@ -230,6 +230,14 @@ public final class SSL { > public static native int initialize(String engine); >=20 > /** > + * Get the status of FIPS Mode. > + * > + * @return 0 If OpenSSL is not in FIPS mode, 1 if OpenSSL is in = FIPS Mode. > + * @throws Exception If tcnative was not compiled with FIPS Mode = available. > + */ > + public static native int fipsModeGet(); > + > + /** > * Enable/Disable FIPS Mode. > * > * @param mode 1 - enable, 0 - disable >=20 > Modified: tomcat/trunk/webapps/docs/config/listeners.xml > URL: = http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/listeners.xm= l?rev=3D1587379&r1=3D1587378&r2=3D1587379&view=3Ddiff > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- tomcat/trunk/webapps/docs/config/listeners.xml (original) > +++ tomcat/trunk/webapps/docs/config/listeners.xml Tue Apr 15 01:14:40 = 2014 > @@ -112,12 +112,22 @@ > >=20 > > -

Set to on to instruct OpenSSL to go into FIPS = mode. > +

Set to on to request that OpenSSL be in FIPS = mode > + (if OpenSSL is already in FIPS mode, it will remain in FIPS = mode). > + Set to enter to force OpenSSL to enter FIPS mode = (an error > + will occur if OpenSSL is already in FIPS mode). > + Set to require to require that OpenSSL = already be > + in FIPS mode (an error will occur if OpenSSL is not already = in FIPS > + mode). > FIPS mode requires you to have a FIPS-capable OpenSSL = library which > you must build yourself. > - FIPS mode also requires Tomcat native library version 1.1.23 = or later, > - which must be built against the FIPS-compatible = OpenSSL library. > - If this attribute is "on", SSLEngine must be enabled = as well. > + FIPSMode=3D"on" or = FIPSMode=3D"require" requires > + Tomcat native library version 1.1.30 or later, while > + FIPSMode=3D"enter" can probably be done with = Tomcat native > + library version 1.2.23 or later -- either of which must = be built > + against the FIPS-compatible OpenSSL library. > + If this attribute is set to any of the above values, = SSLEngine > + must be enabled as well for any effect. > The default value is off.

>
>=20 >=20

Why the 'enter' and 'require' options?

I can understand 'on' == 'I want FIPS mode', but I don't get how 'require' == 'I require FIPS mode turned on before Tomcat starts' affects Tomcat, and I don't get how 'enter' == 'Try FIPS mode or fail if already set' is useful.

Also, it seems inconsistent given the above that 'off' does nothing if TCN is already in FIPS mode at startup?

Current behaviour would appear to be 'on' == 'make sure it's on *with bug', 'off' == 'don't really care, will take whatever'?

Would on/off still be sufficient, or do we need the four 'require', 'support', 'not supported', 'initiate' options ala transactions?

cheers
tim
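Review bot: In the AprLifecycleListener @@ -110 hunk, the widened condition `if (!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) && !isFIPSModeActive())` turns every unrecognized FIPSMode value into a fatal startup failure that is reported as a failed FIPS entry. The @@ -252 hunk in the same file routes anything other than on/require/enter to `enterFipsMode = false`, so a misspelt value such as FIPSMode="yes" never calls SSL.fipsModeSet() yet still reaches this check and throws aprListener.initializeFIPSFailed ("Failed to enter FIPS mode"). Refusing to start on an unknown value is the right outcome for a FIPS setting, but validate the attribute explicitly and name the rejected value and the accepted ones in the message, so an operator can tell a configuration typo from a broken FIPS-capable OpenSSL build.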
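Review bot: In the AprLifecycleListener @@ -252 hunk, the already-in-FIPS-mode path never records that FIPS mode is active, and the "require" branch throws the wrong message. `enterFipsMode = 1 != fipsModeState;` is true exactly when SSL.fipsModeGet() reports that OpenSSL is not in FIPS mode, so the `if(enterFipsMode) { ... aprListener.alreadyInFIPSMode ... }` block under "require" fires when FIPS mode is absent, while the string it logs and throws says FIPS mode was already enabled. In the other case (fipsModeGet() returns 1) both "on" and "require" skip the `if(enterFipsMode)` block, and in the lines shown `fipsModeActive = true;` is set only inside that block after a successful fipsModeSet(FIPS_ON); unless isFIPSModeActive() consults something other than that field, the later check in the @@ -110 hunk then throws the fatal initializeFIPSFailed Error for precisely the "OpenSSL is already in FIPS mode" case these new options are meant to accept. Suggest `fipsModeActive = true;` whenever fipsModeGet() returns 1 (next to the skipFIPSInitialization log for "on", and in the "require" success path), plus a dedicated not-in-FIPS-mode message for "require". The "enter" branch also sets `enterFipsMode = true;` without consulting fipsModeGet(), so the error that listeners.xml promises when OpenSSL is already in FIPS mode rests entirely on how fipsModeSet(FIPS_ON) behaves in that state; an explicit `fipsModeGet() == 1` check before the set, raising alreadyInFIPSMode, is the condition that string actually describes.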
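Review bot: In the LocalStrings.properties hunk, aprListener.alreadyInFIPSMode ("requested to force entering FIPS mode, but FIPS mode was already enabled") describes the failure case of FIPSMode="enter", but its only use in this commit is the "require" branch of the @@ -252 hunk, which reaches it when fipsModeGet() reports that OpenSSL is not in FIPS mode. Add a separate key for that case (for example aprListener.requireFIPSFailed=FIPSMode="require" was specified, but OpenSSL is not in FIPS mode; the key name is only a suggestion) so the log line and the exception message match the condition the operator has to fix. The skipFIPSInitialization text could also name the attribute value that led to the skip, since the same "Already in FIPS mode" state is an error for other values.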
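Review bot: In the SSL.java hunk, the Javadoc for fipsModeGet() declares `@throws Exception If tcnative was not compiled with FIPS Mode available`, but the native method has no throws clause, so whatever the JNI side raises must be unchecked; name that type (and state the same for fipsModeSet(), whose existing Javadoc only documents the mode argument) so callers such as AprLifecycleListener know what to catch. This binding is also where the 0/1 contract lives: the FIPS_ON = 1 constant this commit adds to AprLifecycleListener, together with its three copies of the FIPS_mode_set() commentary, would be better defined once here as the documented return and argument value of fipsModeGet()/fipsModeSet().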
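Review bot: In the listeners.xml hunk, the version requirements are inconsistent and tentative. The removed text required Tomcat native 1.1.23 or later; the new text requires 1.1.30 or later for FIPSMode="on" or "require" (consistent with fipsModeGet() being new in this commit) but says "enter" "can probably be done with Tomcat native library version 1.2.23 or later", a higher number than both, and "either of which" now follows three options. Confirm whether 1.2.23 is a typo for 1.1.23, replace "probably" with a definite minimum, and reword to "all of which must be built against the FIPS-compatible OpenSSL library". The description of "off" is also incomplete: in the @@ -252 hunk "off" falls into `enterFipsMode = false` and never calls fipsModeSet(), so it leaves OpenSSL in whatever state it already has, which is worth stating because "off" reads as if it disables FIPS mode.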