Subject: svn commit: r1593696 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/catalina/core/ java/org/apache/tomcat/jni/ webapps/docs/ webapps/docs/config/
Date: Sat, 10 May 2014 13:06:47 -0000
To: dev@tomcat.apache.org
From: kkolinko@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20140510130647.7F8502388868@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org

Author: kkolinko
Date: Sat May 10 13:06:46 2014
New Revision: 1593696

URL: http://svn.apache.org/r1593696
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
Add more options for managing FIPS mode in the AprLifecycleListener.
The minimum required version of Tomcat Native library is now 1.1.30.

Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/listeners.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1590646
  Merged /tomcat/tc7.0.x/trunk:r1590845

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1593696&r1=1593695&r2=1593696&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sat May 10 13:06:46 2014
@@ -28,40 +28,6 @@ None PATCHES PROPOSED TO BACKPORT: [ New proposals should be added at the end of the list ] -* Back-port patch to allow different kinds of FIPS configuration. - http://people.apache.org/~schultz/patches/tcnative.heartbleed.tomcat6.diff - http://svn.apache.org/viewvc?view=revision&revision=r1587379 - http://svn.apache.org/viewvc?view=revision&revision=r1587723 (adapt) - (Note: requires tcnative 1.1.30) - +1: schultz, markt, remm - -1: kkolinko: - a) I cannot test (without FIPS-enabled library), but from my code review - the new options will not work because you are not setting - "fipsModeActive" field in AprLifecycleListener. - - Thus AprLifecycleListener.isFIPSModeActive() will return false - and startup will be aborted. - - b) It needs backport of r1588102 as an Exception is thrown by native code - - c) "enterFipsMode = 1 != fipsModeState;" code and comment before it are wrong. - - FIPS_mode() function of OpenSSL is documented to return non-zero - value when in FIPS mode. You cannot expect it to be '1'. - Reference: - http://wiki.openssl.org/index.php/FIPS_mode%28%29 - Alternative patch is proposed below. - -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 - Add more options for managing FIPS mode in the AprLifecycleListener. - Update to version 1.1.30 of Tomcat Native library. - (This feature requires TCNative 1.1.30) - (Reimplemented, based on earlier proposal by schultz) - https://people.apache.org/~kkolinko/patches/2014-04-27_tc6_56027_FIPSMode.patch - http://svn.apache.org/r1590845 (javadoc fixes) - +1: kkolinko, markt, fhanik - -1: - * Defensive coding around some XML activities that are triggered by web applications and are therefore at potential risk of a memory leak. 
http://people.apache.org/~markt/patches/2014-04-25-memory-leak-tc6-v1.patch Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=1593696&r1=1593695&r2=1593696&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java Sat May 10 13:06:46 2014 @@ -61,7 +61,7 @@ public class AprLifecycleListener protected static final int TCN_REQUIRED_MAJOR = 1; protected static final int TCN_REQUIRED_MINOR = 1; - protected static final int TCN_REQUIRED_PATCH = 17; + protected static final int TCN_REQUIRED_PATCH = 30; protected static final int TCN_RECOMMENDED_PV = 30; @@ -75,6 +75,22 @@ public class AprLifecycleListener protected static boolean aprAvailable = false; protected static boolean fipsModeActive = false; + /** + * The "FIPS mode" level that we use as the argument to OpenSSL method + * FIPS_mode_set() to enable FIPS mode and that we expect as + * the return value of FIPS_mode() when FIPS mode is enabled. + *

+ * In the future the OpenSSL library might grow support for different + * non-zero "FIPS" modes that specify different allowed subsets of ciphers + * or whatever, but nowadays only "1" is the supported value. + *

+ * @see OpenSSL method FIPS_mode_set() + * @see OpenSSL method FIPS_mode() + */ + private static final int FIPS_ON = 1; + + private static final int FIPS_OFF = 0; + protected static final Object lock = new Object(); public static boolean isAprAvailable() { @@ -112,7 +128,7 @@ public class AprLifecycleListener } } // Failure to initialize FIPS mode is fatal - if ("on".equalsIgnoreCase(FIPSMode) && !isFIPSModeActive()) { + if (!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) && !isFIPSModeActive()) { Error e = new Error( sm.getString("aprListener.initializeFIPSFailed")); // Log here, because thrown error might be not logged @@ -170,11 +186,11 @@ public class AprLifecycleListener try { String methodName = "initialize"; - Class paramTypes[] = new Class[1]; + Class paramTypes[] = new Class[1]; paramTypes[0] = String.class; Object paramValues[] = new Object[1]; paramValues[0] = null; - Class clazz = Class.forName("org.apache.tomcat.jni.Library"); + Class clazz = Class.forName("org.apache.tomcat.jni.Library"); Method method = clazz.getMethod(methodName, paramTypes); method.invoke(null, paramValues); major = clazz.getField("TCN_MAJOR_VERSION").getInt(null); @@ -234,15 +250,15 @@ public class AprLifecycleListener + minor + "." + patch)); } // Log APR flags - log.info(sm.getString("aprListener.flags", Library.APR_HAVE_IPV6, Library.APR_HAS_SENDFILE, - Library.APR_HAS_SO_ACCEPTFILTER, Library.APR_HAS_RANDOM)); + log.info(sm.getString("aprListener.flags", + Boolean.valueOf(Library.APR_HAVE_IPV6), + Boolean.valueOf(Library.APR_HAS_SENDFILE), + Boolean.valueOf(Library.APR_HAS_SO_ACCEPTFILTER), + Boolean.valueOf(Library.APR_HAS_RANDOM))); aprAvailable = true; } - private static void initializeSSL() - throws ClassNotFoundException, NoSuchMethodException, - IllegalAccessException, InvocationTargetException - { + private static void initializeSSL() throws Exception { if ("off".equalsIgnoreCase(SSLEngine)) { return; 
@@ -251,14 +267,15 @@ public class AprLifecycleListener //only once per VM return; } + sslInitialized = true; String methodName = "randSet"; - Class paramTypes[] = new Class[1]; + Class paramTypes[] = new Class[1]; paramTypes[0] = String.class; Object paramValues[] = new Object[1]; paramValues[0] = SSLRandomSeed; - Class clazz = Class.forName("org.apache.tomcat.jni.SSL"); + Class clazz = Class.forName("org.apache.tomcat.jni.SSL"); Method method = clazz.getMethod(methodName, paramTypes); method.invoke(null, paramValues); 
@@ -268,22 +285,61 @@ public class AprLifecycleListener method = clazz.getMethod(methodName, paramTypes); method.invoke(null, paramValues); - if("on".equalsIgnoreCase(FIPSMode)) { - log.info(sm.getString("aprListener.initializingFIPS")); + if (!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode))) { - int result = SSL.fipsModeSet(1); + fipsModeActive = false; - // success is defined as return value = 1 - if(1 == result) { - fipsModeActive = true; + final boolean enterFipsMode; + int fipsModeState = SSL.fipsModeGet(); - log.info(sm.getString("aprListener.initializeFIPSSuccess")); + if(log.isDebugEnabled()) { + log.debug(sm.getString("aprListener.currentFIPSMode", + Integer.valueOf(fipsModeState))); + } + + if ("on".equalsIgnoreCase(FIPSMode)) { + if (fipsModeState == FIPS_ON) { + log.info(sm.getString("aprListener.skipFIPSInitialization")); + fipsModeActive = true; + enterFipsMode = false; + } else { + enterFipsMode = true; + } + } else if ("require".equalsIgnoreCase(FIPSMode)) { + if (fipsModeState == FIPS_ON) { + fipsModeActive = true; + enterFipsMode = false; + } else { + throw new IllegalStateException( + sm.getString("aprListener.requireNotInFIPSMode")); + } + } else if ("enter".equalsIgnoreCase(FIPSMode)) { + if (fipsModeState == FIPS_OFF) { + enterFipsMode = true; + } else { + throw new IllegalStateException(sm.getString( + "aprListener.enterAlreadyInFIPSMode", + Integer.valueOf(fipsModeState))); + } } else { - // This case should be handled by the native method, - // but we'll make absolutely sure, here. 
- String message = sm.getString("aprListener.initializeFIPSFailed"); - log.error(message); - throw new IllegalStateException(message); + throw new IllegalArgumentException(sm.getString( + "aprListener.wrongFIPSMode", FIPSMode)); + } + + if (enterFipsMode) { + log.info(sm.getString("aprListener.initializingFIPS")); + + fipsModeState = SSL.fipsModeSet(FIPS_ON); + if (fipsModeState != FIPS_ON) { + // This case should be handled by the native method, + // but we'll make absolutely sure, here. + String message = sm.getString("aprListener.initializeFIPSFailed"); + log.error(message); + throw new IllegalStateException(message); + } + + fipsModeActive = true; + log.info(sm.getString("aprListener.initializeFIPSSuccess")); } } Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1593696&r1=1593695&r2=1593696&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties Sat May 10 13:06:46 2014 
@@ -43,6 +43,11 @@ aprListener.aprDestroy=Failed shutdown o aprListener.sslInit=Failed to initialize the SSLEngine. aprListener.tcnValid=Loaded APR based Apache Tomcat Native library {0} using APR version {1}. aprListener.flags=APR capabilities: IPv6 [{0}], sendfile [{1}], accept filters [{2}], random [{3}]. +aprListener.currentFIPSMode=Current FIPS mode: {0} +aprListener.skipFIPSInitialization=Already in FIPS mode; skipping FIPS initialization. +aprListener.enterAlreadyInFIPSMode=AprLifecycleListener is configured to force entering FIPS mode, but library is already in FIPS mode ({0}) +aprListener.requireNotInFIPSMode=AprLifecycleListener is configured to require the library to already be in FIPS mode, but it was not in FIPS mode +aprListener.wrongFIPSMode=Unexpected value of FIPSMode option of AprLifecycleListener: "{0}" aprListener.initializingFIPS=Initializing FIPS mode... aprListener.initializeFIPSSuccess=Successfully entered FIPS mode aprListener.initializeFIPSFailed=Failed to enter FIPS mode Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1593696&r1=1593695&r2=1593696&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Sat May 10 13:06:46 2014 
@@ -229,13 +229,26 @@ public final class SSL { public static native int initialize(String engine); /** + * Get the status of FIPS Mode. + * + * @return FIPS_mode return code. It is 0 if OpenSSL is not + * in FIPS mode, 1 if OpenSSL is in FIPS Mode. + * @throws Exception If tcnative was not compiled with FIPS Mode available. + * @see OpenSSL method FIPS_mode() + */ + public static native int fipsModeGet() throws Exception; + + /** * Enable/Disable FIPS Mode. * * @param mode 1 - enable, 0 - disable * * @return FIPS_mode_set return code + * @throws Exception If tcnative was not compiled with FIPS Mode available, + * or if FIPS_mode_set() call returned an error value. + * @see OpenSSL method FIPS_mode_set() */ - public static native int fipsModeSet(int mode); + public static native int fipsModeSet(int mode) throws Exception; /** * Set source of entropy to use in SSL Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1593696&r1=1593695&r2=1593696&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sat May 10 13:06:46 2014 @@ -47,6 +47,10 @@ + 56027: Add more options for managing FIPS mode in the + AprLifecycleListener. (schultz/kkolinko) + + 56082: Fix a concurrency bug in JULI's LogManager implementation. (markt) Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/listeners.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/listeners.xml?rev=1593696&r1=1593695&r2=1593696&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/listeners.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/listeners.xml Sat May 10 13:06:46 2014 @@ -113,13 +113,18 @@ -

Set to on to instruct OpenSSL to go into FIPS mode. - FIPS mode requires you to have a FIPS-capable OpenSSL library which +

Set to on to request that OpenSSL be in FIPS mode + (if OpenSSL is already in FIPS mode, it will remain in FIPS mode). + Set to enter to force OpenSSL to enter FIPS mode (an error + will occur if OpenSSL is already in FIPS mode). + Set to require to require that OpenSSL already be + in FIPS mode (an error will occur if OpenSSL is not already in FIPS + mode).

+

FIPS mode requires you to have a FIPS-capable OpenSSL library which you must build yourself. - FIPS mode also requires Tomcat native library version 1.1.23 or later, - which must be built against the FIPS-compatible OpenSSL library. - If this attribute is "on", SSLEngine must be enabled as well. - The default value is off.

+ If this attribute is set to any of the above values, the SSLEngine + must be enabled as well.

+

The default value is off.
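Review bot: in the AprLifecycleListener hunk at @@ -112,7 +128,7 @@, the new condition `!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode))` is written out a second time, verbatim, in the hunk at @@ -268,22 +285,61 @@; two copies of the same "was FIPS mode requested" test are easy to let drift apart the next time a value is added (a fourth mode would have to be handled in both places or the fatal check and the initialization logic disagree). Suggest extracting a small private helper such as isFIPSModeRequested() and calling it from both sites, so the lifecycle event check and initializeSSL() cannot disagree about which FIPSMode values count as a request.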
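Review bot: in the AprLifecycleListener hunk at @@ -251,14 +267,15 @@, `sslInitialized = true;` is now assigned before `randSet`, `initialize` and the FIPS handling run, so if any of those throws the flag stays set and a later call to initializeSSL() returns at the `//only once per VM` guard without retrying. That is only safe because the caller treats a FIPS failure as fatal (the `// Failure to initialize FIPS mode is fatal` check throws an Error), and the reason the flag is set early should be stated in a comment next to the assignment; otherwise consider setting it after the native calls have succeeded.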
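Review bot: in the AprLifecycleListener hunk at @@ -268,22 +285,61 @@, every branch tests `fipsModeState == FIPS_ON` (and the `enter` branch `fipsModeState == FIPS_OFF`), which is exactly the point raised as objection (c) in the STATUS.txt entry this commit removes: OpenSSL documents FIPS_mode() as returning a non-zero value when in FIPS mode, not necessarily 1. The javadoc added for `FIPS_ON` records the assumption that 1 is the only supported value today, so the behaviour is deliberate, but if a library ever reported another non-zero level, `on` would call `SSL.fipsModeSet(FIPS_ON)` on a library that is already in FIPS mode and `require` would reject a library that is in FIPS mode. Suggest using `fipsModeState != FIPS_OFF` for the `on` and `require` "already in FIPS mode" checks and keeping the strict `== FIPS_ON` comparison only for the result of `fipsModeSet(FIPS_ON)`, or at least repeating the level-1 assumption in the listeners.xml text so operators know which value is recognised.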
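Review bot: in the SSL.java hunk at @@ -229,13 +229,26 @@, the javadoc for `fipsModeSet(int)` now says both `@return FIPS_mode_set return code` and `@throws Exception ... if FIPS_mode_set() call returned an error value`, so a caller cannot tell from the contract which failures come back as a return value and which as an exception; the caller in AprLifecycleListener re-checks `fipsModeState != FIPS_ON` with the comment `but we'll make absolutely sure`, which shows the ambiguity in practice. Suggest stating in the javadoc which return values are still possible after the native check, and declaring a narrower type than `throws Exception` on both `fipsModeGet()` and `fipsModeSet(int)` so callers can distinguish "tcnative not compiled with FIPS Mode available" from "FIPS_mode_set() failed".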
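Review bot: in the listeners.xml hunk at @@ -113,13 +113,18 @@, the sentence `FIPS mode also requires Tomcat native library version 1.1.23 or later, which must be built against the FIPS-compatible OpenSSL library.` is deleted rather than updated, even though this same commit raises `TCN_REQUIRED_PATCH` from 17 to 30 and the log message says 1.1.30 is now the minimum. A reader of the FIPSMode attribute no longer learns that the native library itself must be built against the FIPS-capable OpenSSL; suggest keeping the sentence with the version changed to 1.1.30, or reducing it to "the Tomcat Native library must be built against the FIPS-capable OpenSSL library" since 1.1.30 is now required regardless of FIPS.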

--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org