Posted to cvs@httpd.apache.org by jo...@apache.org on 2020/05/01 15:15:59 UTC
svn commit: r1877261 - in /httpd/httpd/trunk/modules/ssl:
ssl_engine_config.c ssl_engine_init.c ssl_private.h
Author: jorton
Date: Fri May 1 15:15:59 2020
New Revision: 1877261
URL: http://svn.apache.org/viewvc?rev=1877261&view=rev
Log:
Move FIPS mode config option to SSLModConfigRec since it is a global
SSL library setting. Additionally, always log the FIPS mode since it
can be set outside of the httpd config.
* modules/ssl/ssl_private.h (SSLModConfigRec): Move fips field here.
(SSLSrvConfigRec): ... from here.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLFIPS): Adjust for fips
field move.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Adjust for fips
field move. Always log the OpenSSL FIPS mode state even if SSLFIPS
is not used.
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1877261&r1=1877260&r2=1877261&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Fri May 1 15:15:59 2020
@@ -82,6 +82,9 @@ SSLModConfigRec *ssl_config_global_creat
#ifdef HAVE_OPENSSL_KEYLOG
mc->keylog_file = NULL;
#endif
+#ifdef HAVE_FIPS
+ mc->fips = UNSET;
+#endif
apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
apr_pool_cleanup_null,
@@ -228,9 +231,6 @@ static SSLSrvConfigRec *ssl_config_serve
#ifdef HAVE_TLSEXT
sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
#endif
-#ifdef HAVE_FIPS
- sc->fips = UNSET;
-#endif
#ifndef OPENSSL_NO_COMP
sc->compression = UNSET;
#endif
@@ -365,9 +365,6 @@ void *ssl_config_server_merge(apr_pool_t
#ifdef HAVE_TLSEXT
cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
#endif
-#ifdef HAVE_FIPS
- cfgMergeBool(fips);
-#endif
#ifndef OPENSSL_NO_COMP
cfgMergeBool(compression);
#endif
@@ -846,7 +843,7 @@ const char *ssl_cmd_SSLEngine(cmd_parms
const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
{
#ifdef HAVE_FIPS
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSLModConfigRec *mc = myModConfig(cmd->server);
#endif
const char *err;
@@ -855,9 +852,9 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *c
}
#ifdef HAVE_FIPS
- if ((sc->fips != UNSET) && (sc->fips != (BOOL)(flag ? TRUE : FALSE)))
+ if ((mc->fips != UNSET) && (mc->fips != (BOOL)(flag ? TRUE : FALSE)))
return "Conflicting SSLFIPS options, cannot be both On and Off";
- sc->fips = flag ? TRUE : FALSE;
+ mc->fips = flag ? TRUE : FALSE;
#else
if (flag)
return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
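Review bot: Since `mc->fips` is now process-global, an `SSLFIPS On` written inside one virtual host (if the directive is still accepted in that context — the command table is not in this diff) switches the library into FIPS mode for every server, which is a behavioural change the directive documentation should state. The `err` declared after the `#endif` in the previous hunk suggests a context check already sits between the two hunks; if it is not `ap_check_cmd_context(cmd, GLOBAL_ONLY)`, tightening it to that would make the new global semantics explicit. The conflict test on the `mc->fips != UNSET` line now also catches On/Off disagreement between different vhosts, which is worth a one-line comment such as `/* fips is global: reject contradictory settings from any server */`. Separately, the last hunk of this file drops `DMP_ON_OFF("SSLFIPS", ...)` from ssl_srv_dump without an equivalent in a module-config dump, so the configured value is no longer visible in the config dump output. ssl_cmd_SSLFIPS begins in the previous hunk and ends after this one.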
@@ -2650,9 +2647,6 @@ static void ssl_srv_dump(SSLSrvConfigRec
DMP_LONG( "SSLSessionCacheTimeout", sc->session_cache_timeout);
DMP_ON_OFF("SSLInsecureRenegotiation", sc->insecure_reneg);
DMP_ON_OFF("SSLStrictSNIVHostCheck", sc->strict_sni_vhost_check);
-#ifdef HAVE_FIPS
- DMP_ON_OFF("SSLFIPS", sc->fips);
-#endif
DMP_ON_OFF("SSLSessionTickets", sc->session_tickets);
}
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1877261&r1=1877260&r2=1877261&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Fri May 1 15:15:59 2020
@@ -299,12 +299,6 @@ apr_status_t ssl_init_Module(apr_pool_t
if (sc->server && sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) {
sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
}
-
-#ifdef HAVE_FIPS
- if (sc->fips == UNSET) {
- sc->fips = FALSE;
- }
-#endif
}
#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
@@ -331,27 +325,28 @@ apr_status_t ssl_init_Module(apr_pool_t
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
#ifdef HAVE_FIPS
- /* ### The FIPS setting is global and must be the same in all
- * SSLSrvConfigRecs, should be in SSLModConfigRec really. */
- sc = mySrvConfig(base_server);
- if (sc->fips) {
- if (!FIPS_mode()) {
- if (FIPS_mode_set(1)) {
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, base_server, APLOGNO(01884)
- "Operating in SSL FIPS mode");
- apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
- apr_pool_cleanup_null);
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, base_server, APLOGNO(01885) "FIPS mode failed");
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, base_server);
- return ssl_die(base_server);
- }
+ if (!FIPS_mode() && mc->fips == TRUE) {
+ if (!FIPS_mode_set(1)) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, base_server, APLOGNO(01885)
+ "Could not enable FIPS mode");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, base_server);
+ return ssl_die(base_server);
}
+
+ apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
+ apr_pool_cleanup_null);
+ }
+
+ /* Log actual FIPS mode which the SSL library is operating under,
+ * which may have been set outside of the mod_ssl
+ * configuration. */
+ if (FIPS_mode()) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, base_server, APLOGNO(01884)
+ MODSSL_LIBRARY_NAME " has FIPS mode enabled");
}
else {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(01886)
- "SSL FIPS mode disabled");
+ MODSSL_LIBRARY_NAME " has FIPS mode disabled");
}
#endif
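Review bot: When the library is already in FIPS mode before ssl_init_Module runs, the `!FIPS_mode()` guard skips both `FIPS_mode_set(1)` and the `modssl_fips_cleanup` registration even if `SSLFIPS On` was configured, so httpd neither owns nor resets that state; that is reasonable but not obvious from the code, and deserves a comment above the `if (!FIPS_mode() && mc->fips == TRUE)` line such as `/* Only enable (and later undo via modssl_fips_cleanup) FIPS mode if the library is not already in it; externally enabled FIPS mode is left untouched. */`. The `mc` used here is presumably the SSLModConfigRec pointer obtained earlier in ssl_init_Module, outside this hunk — worth confirming it is initialised before this point on every path. The wording of the APLOGNO(01884) and APLOGNO(01885) messages changes in this hunk, so any log-message documentation that quotes them may need the same update. ssl_init_Module starts and ends outside the hunk.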
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1877261&r1=1877260&r2=1877261&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Fri May 1 15:15:59 2020
@@ -619,6 +619,10 @@ typedef struct {
/* Used for logging if SSLKEYLOGFILE is set at startup. */
apr_file_t *keylog_file;
#endif
+
+#ifdef HAVE_FIPS
+ BOOL fips;
+#endif
} SSLModConfigRec;
/** Structure representing configured filenames for certs and keys for
@@ -771,9 +775,6 @@ struct SSLSrvConfigRec {
#ifdef HAVE_TLSEXT
ssl_enabled_t strict_sni_vhost_check;
#endif
-#ifdef HAVE_FIPS
- BOOL fips;
-#endif
#ifndef OPENSSL_NO_COMP
BOOL compression;
#endif