Posted to dev@tomcat.apache.org by sc...@apache.org on 2011/11/09 22:43:23 UTC
svn commit: r1199985 - in /tomcat/tc7.0.x/trunk:
java/org/apache/catalina/core/AprLifecycleListener.java
java/org/apache/catalina/core/LocalStrings.properties
java/org/apache/tomcat/jni/SSL.java webapps/docs/changelog.xml
Author: schultz
Date: Wed Nov 9 21:43:23 2011
New Revision: 1199985
URL: http://svn.apache.org/viewvc?rev=1199985&view=rev
Log:
Fixed bug #50570 - Allow explicit use of FIPS mode in APR lifecycle listener
- Added "FIPSMode" attribute to AprLifecycleListener that causes OpenSSL to go into FIPS mode
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=1199985&r1=1199984&r2=1199985&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java Wed Nov 9 21:43:23 2011
@@ -29,6 +29,7 @@ import org.apache.juli.logging.LogFactor
import org.apache.tomcat.jni.Library;
import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.res.StringManager;
+import org.apache.tomcat.jni.SSL;
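Review bot: The new `import org.apache.tomcat.jni.SSL;` is appended after the `org.apache.tomcat.util` imports instead of next to `org.apache.tomcat.jni.Library` two lines above, which breaks the sorted grouping the existing import block follows. Placing it as `import org.apache.tomcat.jni.Library;` / `import org.apache.tomcat.jni.SSL;` keeps the block in order and makes the new native dependency easy to spot.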
@@ -66,11 +67,13 @@ public class AprLifecycleListener
// ---------------------------------------------- Properties
protected static String SSLEngine = "on"; //default on
+ protected static String FIPSMode = "off"; // default off, valid only when SSLEngine="on"
protected static String SSLRandomSeed = "builtin";
protected static boolean sslInitialized = false;
protected static boolean aprInitialized = false;
protected static boolean sslAvailable = false;
protected static boolean aprAvailable = false;
+ protected static boolean fipsModeActive = false;
protected static final Object lock = new Object();
@@ -106,7 +109,7 @@ public class AprLifecycleListener
initializeSSL();
} catch (Throwable t) {
ExceptionUtils.handleThrowable(t);
- log.info(sm.getString("aprListener.sslInit"));
+ log.error(sm.getString("aprListener.sslInit"), t);
}
}
}
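Review bot: Switching this catch to `log.error(...)` still means a FIPS failure does not stop startup: the `IllegalStateException` that initializeSSL() throws when `SSL.fipsModeSet(1)` does not return 1 (hunk at @@ -237,6 +242,25) lands in this `catch (Throwable t)`, and as far as the hunk shows it is only logged, so the server continues with `fipsModeActive` false. For an operator who configured `FIPSMode="on"` that is the opposite of what the setting promises, and nothing downstream re-checks the flag. After the catch, add `if ("on".equalsIgnoreCase(FIPSMode) && !fipsModeActive) { throw new IllegalStateException(sm.getString("aprListener.initializeFIPSFailed")); }` so that a requested-but-unavailable FIPS mode is fatal rather than a log line. The enclosing lifecycleEvent method starts and ends outside this hunk.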
@@ -138,6 +141,7 @@ public class AprLifecycleListener
aprInitialized = false;
sslInitialized = false; // Well we cleaned the pool in terminate.
sslAvailable = false; // Well we cleaned the pool in terminate.
+ fipsModeActive = false;
}
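Review bot: Clearing `fipsModeActive` here only resets the Java-side flag; nothing calls `SSL.fipsModeSet(0)`, and whether the surrounding terminate path resets OpenSSL's FIPS state is not visible in this hunk. If the native library stays resident, `isFIPSModeActive()` would report false while the process may still be in FIPS mode, so a comment such as `// Java-side flag only; the native FIPS state is not reset here` makes the limitation explicit for anyone relying on the accessor. The enclosing method starts outside this hunk.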
private static void init()
@@ -220,6 +224,7 @@ public class AprLifecycleListener
//only once per VM
return;
}
+
sslInitialized = true;
String methodName = "randSet";
@@ -237,6 +242,25 @@ public class AprLifecycleListener
method = clazz.getMethod(methodName, paramTypes);
method.invoke(null, paramValues);
+ if("on".equalsIgnoreCase(AprLifecycleListener.FIPSMode)) {
+ log.info(sm.getString("aprListener.initializingFIPS"));
+
+ int result = SSL.fipsModeSet(1);
+
+ // success is defined as return value = 1
+ if(1 == result) {
+ fipsModeActive = true;
+
+ log.info(sm.getString("aprListener.initializeFIPSSuccess"));
+ } else {
+ // This case should be handled by the native method,
+ // but we'll make absolutely sure, here.
+ log.error(sm.getString("aprListener.initializeFIPSFailed"));
+
+ throw new IllegalStateException(sm.getString("aprListener.initializeFIPSFailed"));
+ }
+ }
+
sslAvailable = true;
}
@@ -245,6 +269,10 @@ public class AprLifecycleListener
}
public void setSSLEngine(String SSLEngine) {
+ // Ensure that the SSLEngine is consistent with that used for SSL init
+ if(sslInitialized)
+ throw new IllegalStateException(sm.getString("aprListener.tooLateForSSLEngine"));
+
AprLifecycleListener.SSLEngine = SSLEngine;
}
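Review bot: The new guard `if(sslInitialized)` reads a static that the initialisation path writes, and nothing in this hunk takes `lock` around the read, so a setter racing with lifecycleEvent can pass the check and overwrite `SSLEngine` after it has been consumed; if the write at `sslInitialized = true` happens under `synchronized (lock)` (not shown here), doing the same in the setter closes that window. The un-braced single-statement `if` also departs from the braced style of the surrounding code; `if (sslInitialized) {` / `throw new IllegalStateException(sm.getString("aprListener.tooLateForSSLEngine"));` / `}`. The same two points apply to setSSLRandomSeed and setFIPSMode in the hunk at @@ -253,7 +281,24.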
@@ -253,7 +281,24 @@ public class AprLifecycleListener
}
public void setSSLRandomSeed(String SSLRandomSeed) {
+ // Ensure that the random seed is consistent with that used for SSL init
+ if(sslInitialized)
+ throw new IllegalStateException(sm.getString("aprListener.tooLateForSSLRandomSeed"));
+
AprLifecycleListener.SSLRandomSeed = SSLRandomSeed;
}
+ public void setFIPSMode(String FIPSMode)
+ {
+ // Ensure that the FIPS mode is consistent with that used for SSL init
+ if(sslInitialized)
+ throw new IllegalStateException(sm.getString("aprListener.tooLateForFIPSMode"));
+
+ AprLifecycleListener.FIPSMode = FIPSMode;
+ }
+
+ public boolean isFIPSModeActive()
+ {
+ return fipsModeActive;
+ }
}
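Review bot: setFIPSMode() stores any string, but initializeSSL() only acts on `"on"` (case-insensitively), so `FIPSMode="true"` or `FIPSMode="yes"` in server.xml is accepted silently and leaves FIPS off, a quiet failure for the one setting whose whole purpose is enforcement. Validate in the setter: `if (!("on".equalsIgnoreCase(FIPSMode) || "off".equalsIgnoreCase(FIPSMode))) {` / `throw new IllegalArgumentException("FIPSMode must be on or off: " + FIPSMode);` / `}`, with the message moved to LocalStrings if the project prefers. The two new methods also use Allman braces (`{` on its own line) where the rest of the file is K&R, and `isFIPSModeActive()` deserves a Javadoc saying it returns the listener's record of the last fipsModeSet() outcome rather than a live query of OpenSSL.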
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1199985&r1=1199984&r2=1199985&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties Wed Nov 9 21:43:23 2011
@@ -59,6 +59,13 @@ aprListener.aprDestroy=Failed shutdown o
aprListener.sslInit=Failed to initialize the SSLEngine.
aprListener.tcnValid=Loaded APR based Apache Tomcat Native library {0}.
aprListener.flags=APR capabilities: IPv6 [{0}], sendfile [{1}], accept filters [{2}], random [{3}].
+aprListener.initializingFIPS=Initializing FIPS mode...
+aprListener.initializeFIPSSuccess=Successfully entered FIPS mode
+aprListener.initializeFIPSFailed=Failed to enter FIPS mode
+aprListener.tooLateForSSLEngine=Cannot setSSLEngine: SSL has already been initialized
+aprListener.tooLateForSSLRandomSeed=Cannot setSSLRandomSeed: SSL has already been initialized
+aprListener.tooLateForFIPSMode=Cannot setFIPSMode: SSL has already been initialized
+
asyncContextImpl.requestEnded=The request associated with the AsyncContext has already completed processing.
containerBase.threadedStartFailed=A child container failed during start
containerBase.threadedStopFailed=A child container failed during stop
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1199985&r1=1199984&r2=1199985&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Wed Nov 9 21:43:23 2011
@@ -230,6 +230,15 @@ public final class SSL {
public static native int initialize(String engine);
/**
+ * Enable/Disable FIPS Mode.
+ *
+ * @param mode 1 - enable, 0 - disable
+ *
+ * @return FIPS_mode_set return code
+ */
+ public static native int fipsModeSet(int mode);
+
+ /**
* Add content of the file to the PRNG
* @param filename Filename containing random data.
* If null the default file will be tested.
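Review bot: The Javadoc for `fipsModeSet` says only `@return FIPS_mode_set return code`, leaving the caller to know that 1 means success (the AprLifecycleListener hunk hard-codes `1 == result`); state it here: `@return 1 if the requested mode is now in effect; any other value means the mode was not changed (the underlying FIPS_mode_set return code)`. Because this is a public static native that changes process-wide OpenSSL state, the Javadoc should also note that it is meant to be called once during listener initialisation before any SSL context is created, and that what a native library built without FIPS support returns for mode 1 is not specified here.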
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1199985&r1=1199984&r2=1199985&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Wed Nov 9 21:43:23 2011
@@ -63,6 +63,9 @@
by Joe Kislo and Felix Schumacher. (markt)
</add>
<fix>
+ <bug>50570</bug>: Enable FIPS mode to be set in AprLifecycleListener.
+ Based upon a patch from Chris Beckey. (schultz)
+ <fix>
<bug>51744</bug>: Throw the correct exception if an application attempts
to modify the associated JNDI context. (markt)
</fix>