Author: schultz Date: Wed Nov 9 21:34:31 2011 New Revision: 1199980 URL: http://svn.apache.org/viewvc?rev=1199980&view=rev Log: Fixed bug #50570 - Allow explicit use of FIPS mode in APR lifecycle listener - Added "FIPSMode" attribute to AprLifecycleListener that causes OpenSSL to go into FIPS mode
Modified: tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
Modified: tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=1199980&r1=1199979&r2=1199980&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java Wed Nov 9 21:34:31 2011
@@ -29,6 +29,7 @@ import org.apache.juli.logging.LogFactor
 import org.apache.tomcat.jni.Library;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.res.StringManager;
+import org.apache.tomcat.jni.SSL;
@@ -66,11 +67,13 @@ public class AprLifecycleListener
 // ---------------------------------------------- Properties
 protected static String SSLEngine = "on"; //default on
+ protected static String FIPSMode = "off"; // default off, valid only when SSLEngine="on"
 protected static String SSLRandomSeed = "builtin";
 protected static boolean sslInitialized = false;
 protected static boolean aprInitialized = false;
 protected static boolean sslAvailable = false;
 protected static boolean aprAvailable = false;
+ protected static boolean fipsModeActive = false;
 protected static final Object lock = new Object();
@@ -106,7 +109,7 @@ public class AprLifecycleListener
 initializeSSL();
 } catch (Throwable t) {
 ExceptionUtils.handleThrowable(t);
- log.info(sm.getString("aprListener.sslInit"));
+ log.error(sm.getString("aprListener.sslInit"), t);
 }
 }
 }
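Review bot: The catch block changed in the last hunk now also swallows the IllegalStateException that initializeSSL() throws when FIPS_mode_set does not return 1 (see the fipsModeSet branch later in this diff), so a server configured with FIPSMode="on" on an OpenSSL that cannot enter FIPS mode logs aprListener.sslInit and keeps starting with fipsModeActive false. If FIPS is meant to be a hard requirement, that case should not be reduced to a log line: after the existing log.error I would add `if ("on".equalsIgnoreCase(FIPSMode)) {` / `    throw new IllegalStateException(sm.getString("aprListener.initializeFIPSFailed"), t);` / `}`, assuming an exception out of lifecycleEvent aborts startup, which I cannot confirm from this hunk. At minimum the logged message should distinguish "FIPS was requested and not obtained" from a generic SSL init failure, since aprListener.sslInit says only the latter. The enclosing method starts outside the hunk, and whether a connector later refuses to start without sslAvailable is not visible here.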
@@ -138,6 +141,7 @@ public class AprLifecycleListener
 aprInitialized = false;
 sslInitialized = false; // Well we cleaned the pool in terminate.
 sslAvailable = false; // Well we cleaned the pool in terminate.
+ fipsModeActive = false;
 }
 private static void init()
@@ -220,6 +224,7 @@ public class AprLifecycleListener
 //only once per VM
 return;
 }
+ sslInitialized = true;
 String methodName = "randSet";
@@ -237,6 +242,25 @@ public class AprLifecycleListener
 method = clazz.getMethod(methodName, paramTypes);
 method.invoke(null, paramValues);
+ if("on".equalsIgnoreCase(AprLifecycleListener.FIPSMode)) {
+ log.info(sm.getString("aprListener.initializingFIPS"));
+
+ int result = SSL.fipsModeSet(1);
+
+ // success is defined as return value = 1
+ if(1 == result) {
+ fipsModeActive = true;
+
+ log.info(sm.getString("aprListener.initializeFIPSSuccess"));
+ } else {
+ // This case should be handled by the native method,
+ // but we'll make absolutely sure, here.
+ log.error(sm.getString("aprListener.initializeFIPSFailed"));
+
+ throw new IllegalStateException(sm.getString("aprListener.initializeFIPSFailed"));
+ }
+ }
+
 sslAvailable = true;
 }
@@ -245,6 +269,10 @@ public class AprLifecycleListener
 }
 public void setSSLEngine(String SSLEngine) {
+ // Ensure that the SSLEngine is consistent with that used for SSL init
+ if(sslInitialized)
+ throw new IllegalStateException(sm.getString("aprListener.tooLateForSSLEngine"));
+
 AprLifecycleListener.SSLEngine = SSLEngine;
 }
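Review bot: In the second hunk, `sslInitialized = true;` is now set before randSet and FIPS_mode_set have run, so a failed initialization leaves sslInitialized true while sslAvailable and fipsModeActive stay false, and the new setter guards will then reject any later change to SSLEngine, SSLRandomSeed or FIPSMode for the life of the VM. That looks deliberate — the guards need the flag to cover attempted as well as successful init — but nothing says so, and I would add `// Set before anything can fail: once init has been attempted the setters must reject changes, even if init did not complete` above it. The once-per-VM condition that returns just above is outside the hunk, so I cannot confirm it reads this flag; the enclosing initializeSSL() starts outside the hunk as well.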
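Review bot: In the third hunk, SSL.fipsModeSet(1) is called after the reflective randSet call (and after whatever SSL.initialize did earlier in this method, outside the hunk), so the PRNG is seeded and the library is already in use before OpenSSL is switched into FIPS mode; OpenSSL's FIPS guidance is to enter FIPS mode before other cryptographic use, so it is worth confirming with the native side that seeding first is harmless and moving this block ahead of the randSet call if it is not. Separately, on failure the same message is logged with log.error here and the thrown IllegalStateException is logged again by the catch in lifecycleEvent earlier in this diff, so one of the two is redundant — I would drop the `log.error(sm.getString("aprListener.initializeFIPSFailed"));` line and let the exception carry the message. The comment `// success is defined as return value = 1` would be clearer as `// FIPS_mode_set returns 1 only when FIPS mode was actually entered; treat anything else as failure`. Note also that only the literal value "on" enables FIPS here; anything else falls through silently, which I raise on the setFIPSMode hunk.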
@@ -253,7 +281,24 @@ public class AprLifecycleListener
 }
 public void setSSLRandomSeed(String SSLRandomSeed) {
+ // Ensure that the random seed is consistent with that used for SSL init
+ if(sslInitialized)
+ throw new IllegalStateException(sm.getString("aprListener.tooLateForSSLRandomSeed"));
+
 AprLifecycleListener.SSLRandomSeed = SSLRandomSeed;
 }
+ public void setFIPSMode(String FIPSMode)
+ {
+ // Ensure that the FIPS mode is consistent with that used for SSL init
+ if(sslInitialized)
+ throw new IllegalStateException(sm.getString("aprListener.tooLateForFIPSMode"));
+
+ AprLifecycleListener.FIPSMode = FIPSMode;
+ }
+
+ public boolean isFIPSModeActive()
+ {
+ return fipsModeActive;
+ }
 }
Modified: tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1199980&r1=1199979&r2=1199980&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties Wed Nov 9 21:34:31 2011
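Review bot: setFIPSMode stores whatever string it is given, and only the exact value "on" (case-insensitive, per the check in initializeSSL earlier in this diff) later enables FIPS, so a misspelt or differently-spelt setting such as FIPSMode="true" or "yes" silently runs without FIPS — a fail-open on the one attribute whose whole purpose is enforcement. Reject anything other than on/off here, where the operator's value arrives: `if (!"on".equalsIgnoreCase(FIPSMode) && !"off".equalsIgnoreCase(FIPSMode))` / `    throw new IllegalArgumentException("FIPSMode must be \"on\" or \"off\", got: " + FIPSMode);` (a LocalStrings key would match the file's convention). The unbraced `if(sslInitialized)` guards in both setters also differ from the braced style used elsewhere in this diff (e.g. `} catch (Throwable t) {`), and the new public methods would benefit from Javadoc stating that the value is static, applies VM-wide, and can no longer be changed once SSL initialization has been attempted. The class closing brace is the last context line, so the hunk is complete.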
@@ -52,6 +52,13 @@ aprListener.aprDestroy=Failed shutdown o
 aprListener.sslInit=Failed to initialize the SSLEngine.
 aprListener.tcnValid=Loaded APR based Apache Tomcat Native library {0}.
 aprListener.flags=APR capabilities: IPv6 [{0}], sendfile [{1}], accept filters [{2}], random [{3}].
+aprListener.initializingFIPS=Initializing FIPS mode...
+aprListener.initializeFIPSSuccess=Successfully entered FIPS mode
+aprListener.initializeFIPSFailed=Failed to enter FIPS mode
+aprListener.tooLateForSSLEngine=Cannot setSSLEngine: SSL has already been initialized
+aprListener.tooLateForSSLRandomSeed=Cannot setSSLRandomSeed: SSL has already been initialized
+aprListener.tooLateForFIPSMode=Cannot setFIPSMode: SSL has already been initialized
+
 asyncContextImpl.requestEnded=The request associated with the AsyncContext has already completed processing.
 containerBase.threadedStartFailed=A child container failed during start
 containerBase.threadedStopFailed=A child container failed during stop
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1199980&r1=1199979&r2=1199980&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Wed Nov 9 21:34:31 2011
@@ -230,6 +230,15 @@ public final class SSL {
 public static native int initialize(String engine);
 /**
+ * Enable/Disable FIPS Mode.
+ *
+ * @param mode 1 - enable, 0 - disable
+ *
+ * @return FIPS_mode_set return code
+ */
+ public static native int fipsModeSet(int mode);
+
+ /**
 * Add content of the file to the PRNG
 * @param filename Filename containing random data.
 * If null the default file will be tested.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
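Review bot: The Javadoc for fipsModeSet in the SSL.java hunk leaves the contract at `FIPS_mode_set return code`, while the only caller in this diff (initializeSSL) treats exactly 1 as success and anything else as failure; the convention the Java side depends on should be stated on the declaration: ` * @return 1 if the requested mode was entered; any other value means it was not, and callers must treat it as failure`. It would also help to say what happens when the native library was not built against a FIPS-capable OpenSSL — whether the call returns a non-1 value or throws — since the caller's "should be handled by the native method" comment suggests the native side may raise instead of returning, and nothing in this declaration says which. The enclosing SSL class continues outside the hunk.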