Lines 57-65
|
57 |
|
57 |
|
58 |
protected static final int TCN_REQUIRED_MAJOR = 1; |
58 |
protected static final int TCN_REQUIRED_MAJOR = 1; |
59 |
protected static final int TCN_REQUIRED_MINOR = 1; |
59 |
protected static final int TCN_REQUIRED_MINOR = 1; |
60 |
protected static final int TCN_REQUIRED_PATCH = 29; |
60 |
protected static final int TCN_REQUIRED_PATCH = 30; |
61 |
protected static final int TCN_RECOMMENDED_MINOR = 1; |
61 |
protected static final int TCN_RECOMMENDED_MINOR = 1; |
62 |
protected static final int TCN_RECOMMENDED_PV = 29; |
62 |
protected static final int TCN_RECOMMENDED_PV = 30; |
63 |
|
63 |
|
64 |
|
64 |
|
65 |
// ---------------------------------------------- Properties |
65 |
// ---------------------------------------------- Properties |
Lines 70-75
|
70 |
protected static boolean aprInitialized = false; |
70 |
protected static boolean aprInitialized = false; |
71 |
protected static boolean aprAvailable = false; |
71 |
protected static boolean aprAvailable = false; |
72 |
protected static boolean fipsModeActive = false; |
72 |
protected static boolean fipsModeActive = false; |
|
|
73 |
/** |
74 |
* FIPS_mode documentation states that the return value will be |
75 |
* whatever value was originally passed-in to FIPS_mode_set(). |
76 |
* FIPS_mode_set docs say the argument should be non-zero to enter |
77 |
* FIPS mode, and that upon success, the return value will be the |
78 |
* same as the argument passed-in. Docs also highly recommend |
79 |
* that the value "1" be used "to avoid compatibility issues". |
80 |
* In order to avoid the argument and check-value from getting out |
81 |
* of sync for some reason, we are using the class constant |
82 |
* FIPS_ON here. |
83 |
*/ |
84 |
private static final int FIPS_ON = 1; |
73 |
|
85 |
|
74 |
protected static final Object lock = new Object(); |
86 |
protected static final Object lock = new Object(); |
75 |
|
87 |
|
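Review bot: The nine-line rationale attached to `FIPS_ON` (new lines 73-83) is repeated nearly verbatim as line comments in the Lines 252-264 hunk, once above the `SSL.fipsModeGet()` call (new lines 271-279, where it talks about `FIPS_mode_set` rather than the call it sits on) and again above `SSL.fipsModeSet(FIPS_ON)` (new lines 309-315). Keeping the explanation on the constant alone and replacing the two copies with a one-line pointer such as `// see FIPS_ON for why the value 1 is used for both the argument and the success check` avoids three copies drifting apart. The copy above `fipsModeGet()` would in any case fit better next to the "Return values" comment at new line 286.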
Lines 110-116
|
110 |
} |
122 |
} |
111 |
} |
123 |
} |
112 |
// Failure to initialize FIPS mode is fatal |
124 |
// Failure to initialize FIPS mode is fatal |
113 |
if ("on".equalsIgnoreCase(FIPSMode) && !isFIPSModeActive()) { |
125 |
if (!(null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) && !isFIPSModeActive()) { |
114 |
Error e = new Error( |
126 |
Error e = new Error( |
115 |
sm.getString("aprListener.initializeFIPSFailed")); |
127 |
sm.getString("aprListener.initializeFIPSFailed")); |
116 |
// Log here, because thrown error might be not logged |
128 |
// Log here, because thrown error might be not logged |
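Review bot: With the condition at new line 125 now treating every value other than null or "off" as a FIPS request, an unrecognised value (a typo such as "On " or "0") reaches this fatal path and is reported with `aprListener.initializeFIPSFailed`, because the Lines 252-264 hunk maps any value it does not recognise to `enterFipsMode = false` and never sets `fipsModeActive`. Failing closed is the right outcome for a FIPS setting, but the message then blames the native library rather than the configuration. A comment such as `// Any value other than null/"off" must have produced an active FIPS mode by now; unrecognised values deliberately fail here as well` would make the intent explicit, or an explicit check of `FIPSMode` against the accepted values with its own message would give the operator a clearer diagnostic. The enclosing method starts and ends outside this hunk.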
Lines 252-264
|
252 |
method = clazz.getMethod(methodName, paramTypes); |
264 |
method = clazz.getMethod(methodName, paramTypes); |
253 |
method.invoke(null, paramValues); |
265 |
method.invoke(null, paramValues); |
254 |
|
266 |
|
255 |
if("on".equalsIgnoreCase(FIPSMode)) { |
267 |
final boolean enterFipsMode; |
|
|
268 |
|
269 |
if("on".equalsIgnoreCase(FIPSMode) |
270 |
|| "require".equalsIgnoreCase(FIPSMode)) { |
271 |
// FIPS_mode documentation states that the return value will be |
272 |
// whatever value was originally passed-in to FIPS_mode_set(). |
273 |
// FIPS_mode_set docs say the argument should be non-zero to enter |
274 |
// FIPS mode, and that upon success, the return value will be the |
275 |
// same as the argument passed-in. Docs also highly recommend |
276 |
// that the value "1" be used "to avoid compatibility issues". |
277 |
// In order to avoid the argument and check-value from getting out |
278 |
// of sync for some reason, we are using the class constant |
279 |
// FIPS_ON here. |
280 |
final int fipsModeState = SSL.fipsModeGet(); |
281 |
|
282 |
if(log.isDebugEnabled()) |
283 |
log.debug(sm.getString("aprListener.currentFIPSMode", |
284 |
Integer.valueOf(fipsModeState))); |
285 |
|
286 |
// Return values: 0=Not in FIPS mode, 1=In FIPS mode, |
287 |
// exception if FIPS totally unavailable |
288 |
enterFipsMode = 1 != fipsModeState; |
289 |
|
290 |
if("on".equalsIgnoreCase(FIPSMode)) { |
291 |
if(!enterFipsMode) |
292 |
log.info(sm.getString("aprListener.skipFIPSInitialization")); |
293 |
} else if("require".equalsIgnoreCase(FIPSMode)) { |
294 |
if(enterFipsMode) { |
295 |
String message = sm.getString("aprListener.alreadyInFIPSMode"); |
296 |
log.error(message); |
297 |
throw new IllegalStateException(message); |
298 |
} |
299 |
} |
300 |
} |
301 |
else if("enter".equalsIgnoreCase(FIPSMode)) { |
302 |
enterFipsMode = true; |
303 |
} else |
304 |
enterFipsMode = false; |
305 |
|
306 |
if(enterFipsMode) { |
256 |
log.info(sm.getString("aprListener.initializingFIPS")); |
307 |
log.info(sm.getString("aprListener.initializingFIPS")); |
257 |
|
308 |
|
258 |
int result = SSL.fipsModeSet(1); |
309 |
// FIPS_mode_set docs say the argument should be non-zero to enter |
|
|
310 |
// FIPS mode, and that upon success, the return value will be the |
311 |
// same as the argument passed-in. Docs also highly recommend |
312 |
// that the value "1" be used "to avoid compatibility issues". |
313 |
// In order to avoid the argument and check-value from getting out |
314 |
// of sync for some reason, we are using the class constant |
315 |
// FIPS_ON here. |
316 |
final int result = SSL.fipsModeSet(FIPS_ON); |
259 |
|
317 |
|
260 |
// success is defined as return value = 1 |
318 |
// success is defined as return value = last argument to FIPS_mode_set() |
261 |
if(1 == result) { |
319 |
if(FIPS_ON == result) { |
262 |
fipsModeActive = true; |
320 |
fipsModeActive = true; |
263 |
|
321 |
|
264 |
log.info(sm.getString("aprListener.initializeFIPSSuccess")); |
322 |
log.info(sm.getString("aprListener.initializeFIPSSuccess")); |
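Review bot: The "require" branch at new lines 293-298 throws when `enterFipsMode` is true, which by line 288 means `SSL.fipsModeGet()` returned something other than 1, i.e. FIPS mode is not active, yet the message it logs and throws is `aprListener.alreadyInFIPSMode`; the condition and the message contradict each other, and the key should describe the actual failure (FIPS required but not active). Separately, the two paths that deliberately do not call `fipsModeSet` - "on" when already in FIPS mode (line 292) and "require" when satisfied - leave `fipsModeActive` false, since the only assignment visible in this hunk is at line 320 inside the `FIPS_ON == result` check; unless a part of the method outside the hunk sets it, the init-time check added in the Lines 110-116 hunk (`!isFIPSModeActive()`) would then raise the fatal `initializeFIPSFailed` error for a process that is already correctly in FIPS mode. Setting the flag in those branches covers both paths. The enclosing method starts and ends outside this hunk.
```java
                if("on".equalsIgnoreCase(FIPSMode)) {
                    if(!enterFipsMode) {
                        log.info(sm.getString("aprListener.skipFIPSInitialization"));
                        // Already in FIPS mode: nothing to enter, but the listener must report it as active
                        fipsModeActive = true;
                    }
                } else if("require".equalsIgnoreCase(FIPSMode)) {
                    if(enterFipsMode) {
                        // fipsModeGet() != 1: the required FIPS mode is NOT active, so the key must say so
                        String message = sm.getString("aprListener.<PLACEHOLDER: key worded 'FIPS required but not active'>");
                        log.error(message);
                        throw new IllegalStateException(message);
                    }
                    fipsModeActive = true;
                }
                // … unchanged: "enter" / default branches and the if(enterFipsMode) block …
```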