
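--- a/java/org/apache/catalina/core/AprLifecycleListener.java
+++ b/java/org/apache/catalina/core/AprLifecycleListener.java
@@ -57,9 +57,9 @@
 
     protected static final int TCN_REQUIRED_MAJOR = 1;
     protected static final int TCN_REQUIRED_MINOR = 1;
-    protected static final int TCN_REQUIRED_PATCH = 29;
+    protected static final int TCN_REQUIRED_PATCH = 30;
     protected static final int TCN_RECOMMENDED_MINOR = 1;
-    protected static final int TCN_RECOMMENDED_PV = 29;
+    protected static final int TCN_RECOMMENDED_PV = 30;
 
 
     // ---------------------------------------------- Properties
@@ -70,6 +70,18 @@
     protected static boolean aprInitialized = false;
     protected static boolean aprAvailable = false;
     protected static boolean fipsModeActive = false;
+    /**
+     * FIPS_mode documentation states that the return value will be
+     * whatever value was originally passed-in to FIPS_mode_set().
+     * FIPS_mode_set docs say the argument should be non-zero to enter
+     * FIPS mode, and that upon success, the return value will be the
+     * same as the argument passed-in. Docs also highly recommend
+     * that the value "1" be used "to avoid compatibility issues".
+     * In order to avoid the argument and check-value from getting out
+     * of sync for some reason, we are using the class constant
+     * FIPS_ON here.
+     */
+    private static final int FIPS_ON = 1;
 
     protected static final Object lock = new Object();
 
@@ -110,7 +122,7 @@
                     }
                 }
                 // Failure to initialize FIPS mode is fatal
-                if ("on".equalsIgnoreCase(FIPSMode) && !isFIPSModeActive()) {
+                if (!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) && !isFIPSModeActive()) {
                     Error e = new Error(
                             sm.getString("aprListener.initializeFIPSFailed"));
                     // Log here, because thrown error might be not logged
@@ -252,13 +264,59 @@
         method = clazz.getMethod(methodName, paramTypes);
         method.invoke(null, paramValues);
 
-        if("on".equalsIgnoreCase(FIPSMode)) {
+        final boolean enterFipsMode;
+
+        if("on".equalsIgnoreCase(FIPSMode)
+           || "require".equalsIgnoreCase(FIPSMode)) {
+            // FIPS_mode documentation states that the return value will be
+            // whatever value was originally passed-in to FIPS_mode_set().
+            // FIPS_mode_set docs say the argument should be non-zero to enter
+            // FIPS mode, and that upon success, the return value will be the
+            // same as the argument passed-in. Docs also highly recommend
+            // that the value "1" be used "to avoid compatibility issues".
+            // In order to avoid the argument and check-value from getting out
+            // of sync for some reason, we are using the class constant
+            // FIPS_ON here.
+            final int fipsModeState = SSL.fipsModeGet();
+
+            if(log.isDebugEnabled())
+                log.debug(sm.getString("aprListener.currentFIPSMode",
+                                       Integer.valueOf(fipsModeState)));
+
+            // Return values: 0=Not in FIPS mode, 1=In FIPS mode,
+            // exception if FIPS totally unavailable
+            enterFipsMode = 1 != fipsModeState;
+
+            if("on".equalsIgnoreCase(FIPSMode)) {
+                if(!enterFipsMode)
+                    log.info(sm.getString("aprListener.skipFIPSInitialization"));
+            } else if("require".equalsIgnoreCase(FIPSMode)) {
+                if(enterFipsMode) {
+                    String message = sm.getString("aprListener.alreadyInFIPSMode");
+                    log.error(message);
+                    throw new IllegalStateException(message);
+                }
+            }
+        }
+        else if("enter".equalsIgnoreCase(FIPSMode)) {
+            enterFipsMode = true;
+        } else
+            enterFipsMode = false;
+
+        if(enterFipsMode) {
             log.info(sm.getString("aprListener.initializingFIPS"));
 
-            int result = SSL.fipsModeSet(1);
+            // FIPS_mode_set docs say the argument should be non-zero to enter
+            // FIPS mode, and that upon success, the return value will be the
+            // same as the argument passed-in. Docs also highly recommend
+            // that the value "1" be used "to avoid compatibility issues".
+            // In order to avoid the argument and check-value from getting out
+            // of sync for some reason, we are using the class constant
+            // FIPS_ON here.
+            final int result = SSL.fipsModeSet(FIPS_ON);
 
-            // success is defined as return value = 1
-            if(1 == result) {
+            // success is defined as return value = last argument to FIPS_mode_set()
+            if(FIPS_ON == result) {
                 fipsModeActive = true;
 
                 log.info(sm.getString("aprListener.initializeFIPSSuccess"));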
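Review bot: In the `on`/`require` paths of the Lines 252-264 hunk, when `SSL.fipsModeGet()` reports OpenSSL already in FIPS mode, `enterFipsMode` is false, the `fipsModeSet` block is skipped and `fipsModeActive` is never set to true, so the check in the Lines 110-116 hunk (`!isFIPSModeActive()`) throws the fatal "Failed to enter FIPS mode" Error even though the requested state was satisfied — unless `fipsModeActive` is assigned somewhere outside these hunks, which I cannot see. Record the observed state in both branches, e.g. `if(!enterFipsMode) { fipsModeActive = true; log.info(sm.getString("aprListener.skipFIPSInitialization")); }` in the `on` branch and `fipsModeActive = true;` after the `require` check passes. The `require` failure also logs `aprListener.alreadyInFIPSMode` ("...FIPS mode was already enabled") although that branch fires precisely when FIPS mode is not active; it needs a message describing the actual condition. Note that the `enter` path never consults `fipsModeGet()`, so the "error if OpenSSL is already in FIPS mode" promised in listeners.xml depends entirely on `SSL.fipsModeSet(FIPS_ON)` returning something other than `FIPS_ON` in that case, which should be stated in a comment there. The enclosing method starts and ends outside the hunk.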
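--- a/java/org/apache/catalina/core/LocalStrings.properties
+++ b/java/org/apache/catalina/core/LocalStrings.properties
@@ -57,6 +57,9 @@
 aprListener.sslInit=Failed to initialize the SSLEngine.
 aprListener.tcnValid=Loaded APR based Apache Tomcat Native library {0} using APR version {1}.
 aprListener.flags=APR capabilities: IPv6 [{0}], sendfile [{1}], accept filters [{2}], random [{3}].
+aprListener.currentFIPSMode=Current FIPS mode: {0}
+aprListener.skipFIPSInitialization=Already in FIPS mode; skipping FIPS initialization.
+aprListener.alreadyInFIPSMode=AprLifecycleListener requested to force entering FIPS mode, but FIPS mode was already enabled.
 aprListener.initializingFIPS=Initializing FIPS mode...
 aprListener.initializeFIPSSuccess=Successfully entered FIPS mode
 aprListener.initializeFIPSFailed=Failed to enter FIPS mode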
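--- a/java/org/apache/tomcat/jni/SSL.java
+++ b/java/org/apache/tomcat/jni/SSL.java
@@ -230,6 +230,14 @@
     public static native int initialize(String engine);
 
     /**
+     * Get the status of FIPS Mode.
+     *
+     * @return 0 If OpenSSL is not in FIPS mode, 1 if OpenSSL is in FIPS Mode.
+     * @throws Exception If tcnative was not compiled with FIPS Mode available.
+     */
+    public static native int fipsModeGet();
+
+    /**
      * Enable/Disable FIPS Mode.
      *
      * @param mode 1 - enable, 0 - disable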
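Review bot: `fipsModeGet()` is documented with `@throws Exception` for a tcnative built without FIPS support, but the declaration carries no `throws` clause, and its only caller in AprLifecycleListener (`final int fipsModeState = SSL.fipsModeGet();`) neither catches nor declares anything, so whatever the JNI side raises propagates undeclared instead of reaching the deliberate `aprListener.initializeFIPSFailed` path. Either declare `public static native int fipsModeGet() throws Exception;` so the caller is forced to handle it, or name the concrete (presumably unchecked) type the native code actually throws — I cannot see the C side here — so callers can catch it precisely. The `@return` also promises exactly 0 or 1; if the native implementation returns `FIPS_mode()` unchanged, that holds only when FIPS mode was entered with argument 1, so either document the value as "non-zero" or have the native side normalise it, since the Java caller treats any value other than 1 as "not in FIPS mode".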
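--- a/webapps/docs/config/listeners.xml
+++ b/webapps/docs/config/listeners.xml
@@ -112,12 +112,22 @@
       </attribute>
 
       <attribute name="FIPSMode" required="false">
-        <p>Set to <code>on</code> to instruct OpenSSL to go into FIPS mode.
+        <p>Set to <code>on</code> to request that OpenSSL be in FIPS mode
+        (if OpenSSL is already in FIPS mode, it will remain in FIPS mode).
+        Set to <code>enter</code> to force OpenSSL to enter FIPS mode (an error
+        will occur if OpenSSL is already in FIPS mode).
+        Set to <code>require</code> to require that OpenSSL <i>already</i> be
+        in FIPS mode (an error will occur if OpenSSL is not already in FIPS
+        mode).
         FIPS mode <em>requires you to have a FIPS-capable OpenSSL library which
         you must build yourself</em>.
-        FIPS mode also requires Tomcat native library version 1.1.23 or later,
-        which <em>must be built against the FIPS-compatible OpenSSL</em> library.
-        If this attribute is "on", <b>SSLEngine</b> must be enabled as well.
+        <code>FIPSMode="on"</code> or <code>FIPSMode="require"</code> requires
+        Tomcat native library version 1.1.30 or later, while
+        <code>FIPSMode="enter"</code> can probably be done with Tomcat native
+        library version 1.2.23 or later -- either of which <em>must be built
+        against the FIPS-compatible OpenSSL</em> library.
+        If this attribute is set to any of the above values, <b>SSLEngine</b>
+        must be enabled as well for any effect.
         The default value is <code>off</code>.</p>
       </attribute>
 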
