Posted to cvs@httpd.apache.org by wr...@apache.org on 2010/03/22 07:55:16 UTC

svn commit: r925983 - in /httpd/httpd/branches/2.2.x: STATUS docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h modules/ssl/ssl_toolkit_compat.h

Author: wrowe
Date: Mon Mar 22 06:55:15 2010
New Revision: 925983

URL: http://svn.apache.org/viewvc?rev=925983&view=rev
Log:
pick a number, 1 to 1m

Modified:
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
    httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=925983&r1=925982&r2=925983&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Mon Mar 22 06:55:15 2010
@@ -137,7 +137,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
     builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
     build of openssl is required for 'SSLFIPS on'.  
     PR: 46270  [Dr Stephen Henson <steve openssl.org>, William Rowe]
-    Trunk patch: http://svn.apache.org/viewvc?rev=&view=rev
+    Trunk patch: http://svn.apache.org/viewvc?rev=925980&view=rev
     2.2.x patch: http://people.apache.org/~wrowe/ssl-fips-2.2.patch
     +1: wrowe
 

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml?rev=925983&r1=925982&r2=925983&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml Mon Mar 22 06:55:15 2010
@@ -502,6 +502,33 @@ Within HTTP/1.1. At this time no web bro
 </directivesynopsis>
 
 <directivesynopsis>
+<name>SSLFIPS</name>
+<description>SSL FIPS mode Switch</description>
+<syntax>SSLFIPS on|off</syntax>
+<default>SSLFIPS off</default>
+<contextlist><context>server config</context></contextlist>
+
+<usage>
+<p>
+This directive toggles the usage of the SSL library FIPS_mode flag.
+It must be set in the global server context and cannot be configured
+with conflicting settings (SSLFIPS on followed by SSLFIPS off or 
+similar).  The mode applies to all SSL library operations.
+</p>
+<p>
+If httpd was compiled against an SSL library which did not support
+the FIPS_mode flag, <code>SSLFIPS on</code> will fail.  Refer to the
+FIPS 140-2 Security Policy document of the SSL provider library for
+specific requirements to use mod_ssl in a FIPS 140-2 approved mode
+of operation; note that mod_ssl itself is not validated, but may be
+described as using FIPS 140-2 validated cryptographic module, when
+all components are assembled and operated under the guidelines imposed
+by the applicable Security Policy.
+</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>SSLProtocol</name>
 <description>Configure usable SSL protocol flavors</description>
 <syntax>SSLProtocol [+|-]<em>protocol</em> ...</syntax>

Modified: httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c?rev=925983&r1=925982&r2=925983&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c Mon Mar 22 06:55:15 2010
@@ -99,6 +99,9 @@ static const command_rec ssl_config_cmds
     SSL_CMD_SRV(Engine, TAKE1,
                 "SSL switch for the protocol engine "
                 "(`on', `off')")
+    SSL_CMD_SRV(FIPS, FLAG,
+                "Enable FIPS-140 mode "
+                "(`on', `off')")
     SSL_CMD_ALL(CipherSuite, TAKE1,
                 "Colon-delimited list of permitted SSL Ciphers "
                 "(`XXX:...:XXX' - see manual)")

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c?rev=925983&r1=925982&r2=925983&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c Mon Mar 22 06:55:15 2010
@@ -260,6 +260,9 @@ void *ssl_config_server_merge(apr_pool_t
 
     cfgMerge(mc, NULL);
     cfgMerge(enabled, SSL_ENABLED_UNSET);
+#ifdef HAVE_FIPS
+    cfgMergeBool(fips);
+#endif
     cfgMergeBool(proxy_enabled);
     cfgMergeInt(session_cache_timeout);
     cfgMergeBool(cipher_server_pref);
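Review bot: `cfgMergeBool(fips)` copies the field on merge, and `ssl_cmd_SSLFIPS` later in this diff compares `sc->fips` against `UNSET`, but no hunk initialises `fips` in `ssl_config_server_new`. If that function allocates with apr_palloc and assigns fields one by one (it is outside this diff, so this is inferred), the field starts indeterminate and both the conflict check and this merge read whatever was in memory. Add `sc->fips = UNSET;` under `#ifdef HAVE_FIPS` next to the other field initialisers in `ssl_config_server_new`. `ssl_config_server_merge` continues outside the hunk.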
@@ -635,6 +638,27 @@ const char *ssl_cmd_SSLEngine(cmd_parms 
     return "Argument must be On, Off, or Optional";
 }
 
+const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    const char *err;
+
+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+        return err;
+    }
+
+#ifdef HAVE_FIPS
+    if ((sc->fips != UNSET) && (sc->fips != (flag ? TRUE : FALSE)))
+        return "Conflicting SSLFIPS options, cannot be both On and Off";
+    sc->fips = flag ? TRUE : FALSE;
+#else
+    if (flag)
+        return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
+#endif
+
+    return NULL;
+}
+
 const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
                                    void *dcfg,
                                    const char *arg)
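Review bot: In `ssl_cmd_SSLFIPS`, `sc` is declared and assigned unconditionally but only read inside `#ifdef HAVE_FIPS`, so non-FIPS builds get an unused-variable warning; move `SSLSrvConfigRec *sc = mySrvConfig(cmd->server);` into the `#ifdef HAVE_FIPS` branch. The single-statement `if` bodies at the conflict check and in the `#else` branch are unbraced, unlike the braced context check just above them; brace them for consistency. A short header comment would also help, e.g. `/* SSLFIPS on|off: global-only; 'on' is rejected at config time when the toolkit was not built with FIPS support */`.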

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c?rev=925983&r1=925982&r2=925983&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c Mon Mar 22 06:55:15 2010
@@ -79,12 +79,25 @@ static int ssl_tmp_key_init_rsa(server_r
 {
     SSLModConfigRec *mc = myModConfig(s);
 
+#ifdef HAVE_FIPS
+
+    if (FIPS_mode() && bits < 1024) {
+        mc->pTmpKeys[idx] = NULL;
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "Init: Skipping generating temporary "
+                     "%d bit RSA private key in FIPS mode", bits);
+        return OK;
+    }
+
+#endif
+
     if (!(mc->pTmpKeys[idx] =
           RSA_generate_key(bits, RSA_F4, NULL, NULL)))
     {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                      "Init: Failed to generate temporary "
                      "%d bit RSA private key", bits);
+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
         return !OK;
     }
 
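Review bot: The FIPS skip in `ssl_tmp_key_init_rsa` is a deliberate, successful path (it returns OK) yet it logs at APLOG_ERR, which will read as a startup failure in the error log; APLOG_WARNING or APLOG_NOTICE fits an expected degradation better. The same applies to the DH variant in the next hunk. Leaving `mc->pTmpKeys[idx]` NULL also assumes every consumer of that slot tolerates a NULL entry; that code is outside this diff, so it is worth confirming, and a comment on the assignment such as `/* slot left NULL: consumers must treat a missing temp key as unavailable */` would record the contract. Both enclosing functions continue past their hunks.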
@@ -96,6 +109,18 @@ static int ssl_tmp_key_init_dh(server_re
 {
     SSLModConfigRec *mc = myModConfig(s);
 
+#ifdef HAVE_FIPS
+
+    if (FIPS_mode() && bits < 1024) {
+        mc->pTmpKeys[idx] = NULL;
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                     "Init: Skipping generating temporary "
+                     "%d bit DH parameters in FIPS mode", bits);
+        return OK;
+    }
+
+#endif
+
     if (!(mc->pTmpKeys[idx] =
           ssl_dh_GetTmpParam(bits)))
     {
@@ -231,6 +256,26 @@ int ssl_init_Module(apr_pool_t *p, apr_p
      */
     ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
 
+#ifdef HAVE_FIPS
+    if(sc->fips) {
+        if (!FIPS_mode())
+            if (FIPS_mode_set(1)) {
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
+                             "Operating in SSL FIPS mode");
+            }
+            else {
+                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, "FIPS mode failed");
+                ssl_log_ssl_error(APLOG_MARK, APLOG_EMERG, s);
+                ssl_die();
+            }
+        }
+    }
+    else {
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
+                     "SSL FIPS mode disabled");
+    }
+#endif
+
     /*
      * read server private keys/public certs into memory.
      * decrypting any encrypted keys via configured SSLPassPhraseDialogs
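Review bot: As the hunk reads, the braces in the new `#ifdef HAVE_FIPS` block do not balance: `if (!FIPS_mode())` on the line after `if(sc->fips) {` opens no brace, yet four closing braces follow before `else {`, one more than the three opened. Either a `{` was lost from that line or this will not compile; it should read `if (!FIPS_mode()) {` so the inner if/else is visibly nested under it. The block also reads `sc` and logs against `s` while the surrounding code (the `ssl_rand_seed` call just above) uses `base_server`; which server `sc` and `s` refer to at this point is outside the hunk, so confirm they are the intended ones for a global-only setting. `ssl_init_Module` continues outside the hunk.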

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h?rev=925983&r1=925982&r2=925983&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h Mon Mar 22 06:55:15 2010
@@ -479,6 +479,9 @@ struct SSLSrvConfigRec {
 #ifndef OPENSSL_NO_TLSEXT
     ssl_enabled_t    strict_sni_vhost_check;
 #endif
+#ifdef HAVE_FIPS
+    BOOL             fips;
+#endif
 };
 
 /**
@@ -562,6 +565,8 @@ const char  *ssl_cmd_SSLProxyMachineCert
 const char  *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
 
+const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
+
 /**  module initialization  */
 int          ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
 void         ssl_init_Engine(server_rec *, apr_pool_t *);
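Review bot: The new `ssl_cmd_SSLFIPS` prototype breaks the style of its neighbours: the other `ssl_cmd_*` declarations use the aligned `const char  *ssl_cmd_...` form and sit in one contiguous group, while this one is set off by blank lines after the group and unaligned. Move it into the group and write it as `const char  *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);`. The `fips` member added to `SSLSrvConfigRec` in the previous hunk carries no comment either; `/* SSLFIPS: UNSET, TRUE or FALSE; global-only */` would tell a reader why `UNSET` is a valid state for it.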

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h?rev=925983&r1=925982&r2=925983&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h Mon Mar 22 06:55:15 2010
@@ -141,6 +141,10 @@ typedef int (modssl_read_bio_cb_fn)(char
 
 #define HAVE_SSL_X509V3_EXT_d2i
 
+#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
+#define HAVE_FIPS
+#endif
+
 #ifndef PEM_F_DEF_CALLBACK
 #ifdef PEM_F_PEM_DEF_CALLBACK
 /** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
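Review bot: The new `HAVE_FIPS` guard carries no comment explaining the threshold, whereas the neighbouring `PEM_F_DEF_CALLBACK` block below documents its rationale; `0x009080a0` corresponds to OpenSSL 0.9.8j. Add `/* FIPS_mode()/FIPS_mode_set() usable from OpenSSL 0.9.8j when built with OPENSSL_FIPS */` above the `#if`. Since the check keys off `OPENSSL_FIPS` from the toolkit headers, an httpd built against a non-FIPS OpenSSL silently drops the feature at compile time, which is what the `#else` branch of `ssl_cmd_SSLFIPS` then reports to the administrator.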