Author: schultz
Date: Wed Nov  9 21:34:31 2011
New Revision: 1199980

URL: http://svn.apache.org/viewvc?rev=1199980&view=rev
Log:
Fixed bug #50570 - Allow explicit use of FIPS mode in APR lifecycle listener
- Added "FIPSMode" attribute to AprLifecycleListener that causes OpenSSL to go 
into FIPS mode


Modified:
    tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
    tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
    tomcat/trunk/java/org/apache/tomcat/jni/SSL.java

Modified: tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=1199980&r1=1199979&r2=1199980&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/core/AprLifecycleListener.java Wed 
Nov  9 21:34:31 2011
@@ -29,6 +29,7 @@ import org.apache.juli.logging.LogFactor
 import org.apache.tomcat.jni.Library;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.res.StringManager;
+import org.apache.tomcat.jni.SSL;
 
 
 
@@ -66,11 +67,13 @@ public class AprLifecycleListener
 
     // ---------------------------------------------- Properties
     protected static String SSLEngine = "on"; //default on
+    protected static String FIPSMode = "off"; // default off, valid only when 
SSLEngine="on"
     protected static String SSLRandomSeed = "builtin";
     protected static boolean sslInitialized = false;
     protected static boolean aprInitialized = false;
     protected static boolean sslAvailable = false;
     protected static boolean aprAvailable = false;
+    protected static boolean fipsModeActive = false;
 
     protected static final Object lock = new Object();
 
@@ -106,7 +109,7 @@ public class AprLifecycleListener
                         initializeSSL();
                     } catch (Throwable t) {
                         ExceptionUtils.handleThrowable(t);
-                        log.info(sm.getString("aprListener.sslInit"));
+                        log.error(sm.getString("aprListener.sslInit"), t);
                     }
                 }
             }
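Review bot: The `IllegalStateException` that `initializeSSL()` throws when `SSL.fipsModeSet(1)` does not return 1 (added in the hunk at @@ -237) lands in this catch and is only logged, so a failed explicit FIPS request degrades to a running server with `sslAvailable` left false instead of halting startup. If `FIPSMode="on"` is meant to be enforced, rethrow after logging when FIPS was requested, e.g. `if ("on".equalsIgnoreCase(FIPSMode)) { throw new IllegalStateException(sm.getString("aprListener.initializeFIPSFailed"), t); }`. The enclosing lifecycle method begins and ends outside this hunk, so whether a later check already fails startup is not visible here.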
@@ -138,6 +141,7 @@ public class AprLifecycleListener
         aprInitialized = false;
         sslInitialized = false; // Well we cleaned the pool in terminate.
         sslAvailable = false; // Well we cleaned the pool in terminate.
+        fipsModeActive = false;
     }
 
     private static void init()
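Review bot: `fipsModeActive` is reset to false here, but nothing calls `SSL.fipsModeSet(0)`, so after this teardown the Java flag and the library's actual FIPS state can disagree if SSL is initialized again in the same VM with `FIPSMode="off"` (inferred; the native side and the rest of this method are outside the hunk). If re-initialization is not a supported path, a comment next to this line saying so would stop a reader from treating `isFIPSModeActive()` as the library's state; otherwise disable FIPS mode in the library when the flag is cleared.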
@@ -220,6 +224,7 @@ public class AprLifecycleListener
              //only once per VM
             return;
         }
+
         sslInitialized = true;
 
         String methodName = "randSet";
@@ -237,6 +242,25 @@ public class AprLifecycleListener
         method = clazz.getMethod(methodName, paramTypes);
         method.invoke(null, paramValues);
 
+        if("on".equalsIgnoreCase(AprLifecycleListener.FIPSMode)) {
+            log.info(sm.getString("aprListener.initializingFIPS"));
+
+            int result = SSL.fipsModeSet(1);
+
+            // success is defined as return value = 1
+            if(1 == result) {
+                fipsModeActive = true;
+
+                log.info(sm.getString("aprListener.initializeFIPSSuccess"));
+            } else {
+                // This case should be handled by the native method,
+                // but we'll make absolutely sure, here.
+                log.error(sm.getString("aprListener.initializeFIPSFailed"));
+
+                throw new 
IllegalStateException(sm.getString("aprListener.initializeFIPSFailed"));
+            }
+        }
+
         sslAvailable = true;
     }
 
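Review bot: Only the exact value `"on"` (case-insensitive) enables FIPS at the `equalsIgnoreCase` check; any other value, including a typo such as `"true"` or `"yes"`, silently leaves FIPS off while the operator believes it is configured. Because this is a security control, unrecognized values should be rejected rather than ignored, e.g. an `else if (!"off".equalsIgnoreCase(AprLifecycleListener.FIPSMode)) { throw new IllegalArgumentException(sm.getString("<new-message-key-placeholder>")); }` branch here, or equivalent validation in `setFIPSMode`. Note also that `sslInitialized` was already set to true earlier in this method, so after the FIPS failure is thrown the once-per-VM guard and the new setter guards will refuse any retry; that looks intentional but deserves a comment at the throw. The enclosing initializeSSL method starts outside this hunk.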
@@ -245,6 +269,10 @@ public class AprLifecycleListener
     }
 
     public void setSSLEngine(String SSLEngine) {
+        // Ensure that the SSLEngine is consistent with that used for SSL init
+        if(sslInitialized)
+            throw new 
IllegalStateException(sm.getString("aprListener.tooLateForSSLEngine"));
+
         AprLifecycleListener.SSLEngine = SSLEngine;
     }
 
@@ -253,7 +281,24 @@ public class AprLifecycleListener
     }
 
     public void setSSLRandomSeed(String SSLRandomSeed) {
+        // Ensure that the random seed is consistent with that used for SSL 
init
+        if(sslInitialized)
+            throw new 
IllegalStateException(sm.getString("aprListener.tooLateForSSLRandomSeed"));
+
         AprLifecycleListener.SSLRandomSeed = SSLRandomSeed;
     }
 
+    public void setFIPSMode(String FIPSMode)
+    {
+        // Ensure that the FIPS mode is consistent with that used for SSL init
+        if(sslInitialized)
+            throw new 
IllegalStateException(sm.getString("aprListener.tooLateForFIPSMode"));
+
+        AprLifecycleListener.FIPSMode = FIPSMode;
+    }
+
+    public boolean isFIPSModeActive()
+    {
+        return fipsModeActive;
+    }
 }
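Review bot: `setFIPSMode` and `isFIPSModeActive` put the opening brace on its own line, unlike the neighbouring `setSSLRandomSeed` and the rest of this file, and neither has Javadoc. Document `setFIPSMode` as accepting `"on"` (case-insensitive) to request FIPS mode during SSL initialization, throwing `IllegalStateException` once SSL has been initialized, and having effect only when the SSL engine is enabled; document `isFIPSModeActive` as reporting whether `SSL.fipsModeSet(1)` succeeded during initialization rather than the library's current state. Since `fipsModeActive` is a plain static field written during initialization and read here from whatever thread calls the getter, consider declaring it `volatile` if callers may query it from other threads (inferred; the writer's locking is outside this hunk).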

Modified: tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1199980&r1=1199979&r2=1199980&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties 
(original)
+++ tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties Wed Nov  
9 21:34:31 2011
@@ -52,6 +52,13 @@ aprListener.aprDestroy=Failed shutdown o
 aprListener.sslInit=Failed to initialize the SSLEngine.
 aprListener.tcnValid=Loaded APR based Apache Tomcat Native library {0}.
 aprListener.flags=APR capabilities: IPv6 [{0}], sendfile [{1}], accept filters 
[{2}], random [{3}].
+aprListener.initializingFIPS=Initializing FIPS mode...
+aprListener.initializeFIPSSuccess=Successfully entered FIPS mode
+aprListener.initializeFIPSFailed=Failed to enter FIPS mode
+aprListener.tooLateForSSLEngine=Cannot setSSLEngine: SSL has already been 
initialized
+aprListener.tooLateForSSLRandomSeed=Cannot setSSLRandomSeed: SSL has already 
been initialized
+aprListener.tooLateForFIPSMode=Cannot setFIPSMode: SSL has already been 
initialized
+
 asyncContextImpl.requestEnded=The request associated with the AsyncContext has 
already completed processing.
 containerBase.threadedStartFailed=A child container failed during start
 containerBase.threadedStopFailed=A child container failed during stop

Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1199980&r1=1199979&r2=1199980&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Wed Nov  9 21:34:31 2011
@@ -230,6 +230,15 @@ public final class SSL {
     public static native int initialize(String engine);
 
     /**
+     * Enable/Disable FIPS Mode.
+     *
+     * @param mode 1 - enable, 0 - disable
+     *
+     * @return FIPS_mode_set return code
+     */
+    public static native int fipsModeSet(int mode);
+
+    /**
      * Add content of the file to the PRNG
      * @param filename Filename containing random data.
      *        If null the default file will be tested.
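Review bot: The Javadoc for `fipsModeSet` describes the return value only as "FIPS_mode_set return code", leaving the caller to know the OpenSSL convention; the listener in this commit treats only 1 as success. State it directly: `@return 1 if the mode change succeeded, 0 otherwise (mirrors OpenSSL FIPS_mode_set)`. It would also help to document what the native implementation does when the linked library has no FIPS support, since that decides whether a non-FIPS build fails loudly or silently; the native side is not in this diff, so confirm that behaviour before documenting it.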


