
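--- a/java/org/apache/catalina/core/AprLifecycleListener.java
+++ b/java/org/apache/catalina/core/AprLifecycleListener.java
@@ -255,7 +255,41 @@
         method = clazz.getMethod(methodName, paramTypes);
         method.invoke(null, paramValues);
 
-        if("on".equalsIgnoreCase(FIPSMode)) {
+        boolean enterFipsMode;
+
+        if("on".equalsIgnoreCase(FIPSMode)
+           || "require".equalsIgnoreCase(FIPSMode)) {
+            int fipsModeState = SSL.fipsModeGet();
+
+            if(log.isDebugEnabled())
+                log.debug(sm.getString("aprListener.currentFIPSMode",
+                                       Integer.valueOf(fipsModeState)));
+
+            // Return values: 0=Not in FIPS mode, 1=In FIPS mode,
+            // exception if FIPS totally unavailable
+            enterFipsMode = 1 != fipsModeState;
+
+            if("on".equalsIgnoreCase(FIPSMode)) {
+                if(!enterFipsMode)
+                    log.info(sm.getString("aprListener.skipFIPSInitialization"));
+            } else if("require".equalsIgnoreCase(FIPSMode)) {
+                if(enterFipsMode)
+                {
+                    String message = sm.getString("aprListener.alreadyInFIPSMode");
+                    log.error(message);
+                    throw new IllegalStateException(message);
+                }
+            }
+        }
+        else if("enter".equalsIgnoreCase(FIPSMode))
+        {
+            enterFipsMode = true;
+        }
+        else
+            enterFipsMode = false;
+
+        if(enterFipsMode)
+        {
             log.info(sm.getString("aprListener.initializingFIPS"));
 
             int result = SSL.fipsModeSet(1);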
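Review bot: In the `require` branch (new lines 276-281) the guard `if(enterFipsMode)` is true exactly when `fipsModeGet()` returned something other than 1, i.e. OpenSSL is NOT in FIPS mode, yet the message logged and thrown is `aprListener.alreadyInFIPSMode`, whose text says FIPS mode "was already enabled" — the operator is told the opposite of the real state at the moment startup is refused. That case needs its own key, e.g. `String message = sm.getString("aprListener.requireNotInFIPSMode");` backed by `aprListener.requireNotInFIPSMode=AprLifecycleListener requires OpenSSL to already be in FIPS mode, but it is not.`, leaving `alreadyInFIPSMode` for the `enter` case it describes. The `enter` branch itself performs no `fipsModeGet()` pre-check, so the "error if OpenSSL is already in FIPS mode" promised in listeners.xml rests entirely on how `fipsModeSet(1)` behaves when FIPS is already on, which is outside this hunk; a pre-check there would make that failure explicit and is the natural user of the `alreadyInFIPSMode` message. The enclosing method starts before and ends after this hunk.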
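--- a/java/org/apache/catalina/core/LocalStrings.properties
+++ b/java/org/apache/catalina/core/LocalStrings.properties
@@ -56,6 +56,9 @@
 aprListener.sslInit=Failed to initialize the SSLEngine.
 aprListener.tcnValid=Loaded APR based Apache Tomcat Native library {0} using APR version {1}.
 aprListener.flags=APR capabilities: IPv6 [{0}], sendfile [{1}], accept filters [{2}], random [{3}].
+aprListener.currentFIPSMode=Current FIPS mode: {0}
+aprListener.skipFIPSInitialization=Already in FIPS mode; skipping FIPS initialization.
+aprListener.alreadyInFIPSMode=AprLifecycleListener requested to force entering FIPS mode, but FIPS mode was already enabled.
 aprListener.initializingFIPS=Initializing FIPS mode...
 aprListener.initializeFIPSSuccess=Successfully entered FIPS mode
 aprListener.initializeFIPSFailed=Failed to enter FIPS mode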
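--- a/java/org/apache/tomcat/jni/SSL.java
+++ b/java/org/apache/tomcat/jni/SSL.java
@@ -231,6 +231,14 @@
     public static native int initialize(String engine);
 
     /**
+     * Get the status of FIPS Mode.
+     *
+     * @return 0 If OpenSSL is not in FIPS mode, 1 if OpenSSL is in FIPS Mode.
+     * @throws Exception If tcnative was not compiled with FIPS Mode available.
+     */
+    public static native int fipsModeGet();
+
+    /**
      * Enable/Disable FIPS Mode.
      *
      * @param mode 1 - enable, 0 - disable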
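Review bot: The Javadoc on `fipsModeGet()` (new lines 234-239) says `@throws Exception`, but the native declaration carries no `throws` clause, so a caller that wants to distinguish "tcnative built without FIPS" from any other failure has nothing concrete to catch; the real type is raised on the native side and is not visible in this hunk. Name the exception the JNI code actually raises — presumably an unchecked one, to be confirmed against the C implementation — for example `@throws UnsupportedOperationException If tcnative was not compiled with FIPS Mode available.` if that is what it throws, and state whether the return value is guaranteed to be only 0 or 1, since the new listener code treats every non-1 value as "not in FIPS mode".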
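--- a/webapps/docs/config/listeners.xml
+++ b/webapps/docs/config/listeners.xml
@@ -112,7 +112,12 @@
       </attribute>
 
       <attribute name="FIPSMode" required="false">
-        <p>Set to <code>on</code> to instruct OpenSSL to go into FIPS mode.
+        <p>Set to <code>on</code> to request that OpenSSL be in FIPS mode
+        (if OpenSSL is already in FIPS mode, it will remain in FIPS mode).
+        Set to <code>enter</code> to force OpenSSL to enter FIPS mode (an error
+        will occur if OpenSSL is already in FIPS mode).
+        Set to <code>require</code> to require that OpenSSL <i>already</i> be
+        in FIPS mode.
         FIPS mode <em>requires you to have a FIPS-capable OpenSSL library which
         you must build yourself</em>.
         FIPS mode also requires Tomcat native library version 1.1.23 or later,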
