
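--- a/java/org/apache/catalina/core/LocalStrings.properties
+++ b/java/org/apache/catalina/core/LocalStrings.properties
@@ -59,6 +59,13 @@
 aprListener.sslInit=Failed to initialize the SSLEngine.
 aprListener.tcnValid=Loaded APR based Apache Tomcat Native library {0}.
 aprListener.flags=APR capabilities: IPv6 [{0}], sendfile [{1}], accept filters [{2}], random [{3}].
+aprListener.initializingFIPS=Initializing FIPS mode...
+aprListener.initializeFIPSSuccess=Successfully entered FIPS mode
+aprListener.initializeFIPSFailed=Failed to enter FIPS mode
+aprListener.tooLateForSSLEngine=Cannot setSSLEngine: SSL has already been initialized
+aprListener.tooLateForSSLRandomSeed=Cannot setSSLRandomSeed: SSL has already been initialized
+aprListener.tooLateForFIPSMode=Cannot setFIPSMode: SSL has already been initialized
+
 asyncContextImpl.requestEnded=The request associated with the AsyncContext has already completed processing.
 containerBase.alreadyStarted=Container {0} has already been started
 containerBase.notConfigured=No basic Valve has been configured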
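Review bot: The keys added here do not cover every lookup the accompanying AprLifecycleListener change makes: `initializeFIPS` reads `sm.getString("aprListener.fipsModeSetInvalid")` and `sm.getString("aprListener.fipsModeUnavailable")`, and neither key is added, while `aprListener.initializeFIPSFailed` is also looked up there with a `java.library.path` argument although the message defined here has no `{0}` placeholder. Unless StringManager falls back to returning the key itself, the FIPS failure path would log a missing-resource marker instead of the intended text, and that is the one path an operator needs to read. Add entries for both missing keys after `aprListener.initializeFIPSFailed` (for example `aprListener.fipsModeSetInvalid=SSL.fipsModeSet returned an unexpected value` and `aprListener.fipsModeUnavailable=FIPS mode is not available in this libtcnative build`), and either append ` (java.library.path: {0})` to `aprListener.initializeFIPSFailed` or drop the argument at that call site.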
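--- a/java/org/apache/catalina/core/AprLifecycleListener.java
+++ b/java/org/apache/catalina/core/AprLifecycleListener.java
@@ -66,11 +66,13 @@
 
     // ---------------------------------------------- Properties
     protected static String SSLEngine = "on"; //default on
+    protected static String FIPSMode = "off"; // default off, valid only when SSLEngine="on"
     protected static String SSLRandomSeed = "builtin";
     protected static boolean sslInitialized = false;
     protected static boolean aprInitialized = false;
     protected static boolean sslAvailable = false;
     protected static boolean aprAvailable = false;
+    protected static boolean fipsModeActive = false;
 
     protected static final Object lock = new Object();
 
@@ -138,6 +140,7 @@
         aprInitialized = false;
         sslInitialized = false; // Well we cleaned the pool in terminate.
         sslAvailable = false; // Well we cleaned the pool in terminate.
+        fipsModeActive = false;
     }
 
     private static void init()
@@ -231,20 +234,85 @@
         Method method = clazz.getMethod(methodName, paramTypes);
         method.invoke(null, paramValues);
 
-
         methodName = "initialize";
         paramValues[0] = "on".equalsIgnoreCase(SSLEngine)?null:SSLEngine;
         method = clazz.getMethod(methodName, paramTypes);
         method.invoke(null, paramValues);
 
+        if("on".equalsIgnoreCase(AprLifecycleListener.FIPSMode))
+        {
+            log.info(sm.getString("aprListener.initializingFIPS"));
+
+            boolean success = initializeFIPS();
+
+            if(success)
+            {
+              log.info(sm.getString("aprListener.initializeFIPSSuccess"));
+            }
+            else
+            {
+                String errMsg = sm.getString("aprListener.initializeFIPSFailed");
+                log.error(errMsg);
+
+                // Do not set sslAvailable=true if FIPS mode fails
+                // TODO: Allow initializeFIPS to throw it's own exception
+                // including a real descriptive error message
+                throw new InvocationTargetException(null, errMsg);
+            }
+        }
+
         sslAvailable = true;
     }
 
+    /**
+     * Initialize FIPS mode in a way that won't crash if the FIPS libtcnative
+     * and associated libraries are not available.
+     * 
+     * @param initializeFIPS
+     * @return
+     */
+	private static boolean initializeFIPS()
+        throws NoSuchMethodException
+	{
+		try
+        {
+            Class<?> clazz = Class.forName("org.apache.tomcat.jni.SSL");
+	        String methodName = "fipsModeSet";
+	        Method method = clazz.getMethod(methodName, new Class[]{Integer.class});
+	        Object[] fipsParamValues = new Object[]{Integer.valueOf(1)};
+		    Object result = method.invoke(null, fipsParamValues);
+
+		    if(result instanceof Integer)
+		    {
+                // success is defined as return value = 1
+		    	fipsModeActive = (1 == ((Integer)result).intValue());
+
+		    	return fipsModeActive;
+		    }
+		    else
+                log.info( sm.getString("aprListener.fipsModeSetInvalid") );
+        }
+        catch(InvocationTargetException ite)
+        {
+            log.info(sm.getString("aprListener.fipsModeUnavailable") + ": " + ite.getMessage());
+	    } 
+        catch (Throwable t)
+        {
+            log.error(sm.getString("aprListener.initializeFIPSFailed", System.getProperty("java.library.path")), t);
+	    }
+
+        return false;
+	}
+
     public String getSSLEngine() {
         return SSLEngine;
     }
 
     public void setSSLEngine(String SSLEngine) {
+        // Ensure that the SSLEngine is consistent with that used for SSL init
+        if(sslInitialized)
+            throw new IllegalStateException(sm.getString("aprListener.tooLateForSSLEngine"));
+
         AprLifecycleListener.SSLEngine = SSLEngine;
     }
 
@@ -253,7 +321,24 @@
     }
 
     public void setSSLRandomSeed(String SSLRandomSeed) {
+        // Ensure that the random seed is consistent with that used for SSL init
+        if(sslInitialized)
+            throw new IllegalStateException(sm.getString("aprListener.tooLateForSSLRandomSeed"));
+
         AprLifecycleListener.SSLRandomSeed = SSLRandomSeed;
     }
 
+    public void setFIPSMode(String FIPSMode)
+    {
+        // Ensure that the FIPS mode is consistent with that used for SSL init
+        if(sslInitialized)
+            throw new IllegalStateException(sm.getString("aprListener.tooLateForFIPSMode"));
+
+        AprLifecycleListener.FIPSMode = FIPSMode;
+    }
+
+    public boolean isFIPSModeActive()
+    {
+        return fipsModeActive;
+    }
 }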
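Review bot: `setFIPSMode` (hunk `Lines 253-259`) stores any string, and `init()` (hunk `Lines 231-250`) only tests `"on".equalsIgnoreCase(AprLifecycleListener.FIPSMode)`, so a misspelt or unexpected value such as "true" silently leaves FIPS off while the operator believes it is enforced; reject it at the setter with `if (!"on".equalsIgnoreCase(FIPSMode) && !"off".equalsIgnoreCase(FIPSMode)) throw new IllegalArgumentException("FIPSMode must be \"on\" or \"off\": " + FIPSMode);`. In `initializeFIPS`, the `throws NoSuchMethodException` clause is dead because `catch (Throwable t)` swallows that and every other failure, and the real reason reaches `init()` only as a log line, after which `throw new InvocationTargetException(null, errMsg)` propagates with a null cause; consider having `initializeFIPS` hand the captured Throwable back so the exception thrown by `init()` carries it. The Javadoc on `initializeFIPS` lists a non-existent `@param initializeFIPS` and an empty `@return`; replace them with `@return {@code true} if {@code SSL.fipsModeSet(1)} returned 1, {@code false} on any failure (which is logged)`. The body of `initializeFIPS` also mixes tabs and spaces where the rest of the file uses spaces, and `init()` begins outside the hunk.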
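--- a/java/org/apache/tomcat/jni/SSL.java
+++ b/java/org/apache/tomcat/jni/SSL.java
@@ -230,6 +230,20 @@
     public static native int initialize(String engine);
 
     /**
+     * Enable/Disable FIPS Mode.
+     *
+     * @param mode 1 - enable, 0 - disable
+     *
+     * @return FIPS_mode_set return code
+     */
+    public static int fipsModeSet(Integer mode)
+    {
+    	return fipsModeSet(mode.intValue());
+    }
+
+    public static native int fipsModeSet(int mode);
+
+    /**
      * Add content of the file to the PRNG
      * @param filename Filename containing random data.
      *        If null the default file will be tested.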
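Review bot: `fipsModeSet(Integer mode)` dereferences `mode` with no null check, so a null argument surfaces as a bare NullPointerException from inside the wrapper instead of an argument error; add `if (mode == null) { throw new IllegalArgumentException("mode must not be null"); }` before the return. The Javadoc sits on the boxed wrapper while the native `fipsModeSet(int)` that does the work is undocumented; move or duplicate the comment onto the native declaration and state that the caller in AprLifecycleListener treats only a return of 1 as success. The boxed overload appears to exist only so reflection can look the method up with `Integer.class`; looking it up with `int.class` would remove the need for the wrapper altogether. The wrapper body is indented with a tab where the surrounding file uses spaces.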
