Konstantin, On 4/22/14, 12:15 PM, kkoli...@apache.org wrote: > Author: kkolinko > Date: Tue Apr 22 16:15:49 2014 > New Revision: 1589195 > > URL: http://svn.apache.org/r1589195 > Log: > veto, as I think the new options do not work > > Modified: > tomcat/tc6.0.x/trunk/STATUS.txt > > Modified: tomcat/tc6.0.x/trunk/STATUS.txt > URL: > http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1589195&r1=1589194&r2=1589195&view=diff > ============================================================================== > --- tomcat/tc6.0.x/trunk/STATUS.txt (original) > +++ tomcat/tc6.0.x/trunk/STATUS.txt Tue Apr 22 16:15:49 2014 > @@ -105,10 +105,17 @@ PATCHES PROPOSED TO BACKPORT: > http://svn.apache.org/viewvc?view=revision&revision=r1587723 (adapt) > (Note: requires tcnative 1.1.30) > +1: schultz, markt, remm > - +0: kkolinko: > - a) It needs backport of r1588102 as an Exception is thrown by native > code > + -1: kkolinko: > + a) I cannot test (without FIPS-enabled library), but from my code > review > + the new options will not work because you are not setting > + "fipsModeActive" field in AprLifecycleListener.
Perhaps my eyes are not finding this. I see 3 places in the AprLifecycleListener where fipsModeActive flag is set to an explicit value. There does appear to be a bug in that fipsModeActive is not being set to true in the case where OpenSSL was already in FIPS mode, and we aren't going to bother to try to enter it (i.e. FIPSMode="require" and OpenSSL is already in FIPS mode). I'll fix that in trunk and add it to the proposal. > - b) "enterFipsMode = 1 != fipsModeState;" code and comment before it > are wrong. > + Thus AprLifecycleListener.isFIPSModeActive() will return false > + and startup will be aborted. > + > + b) It needs backport of r1588102 as an Exception is thrown by native > code No, it doesn't need that to be backported. One could argue it never needed to be committed in the first place. I would have been happier throwing a better exception than java.lang.Exception, but it seemed like java.lang.Exception was being used everywhere already. > + c) "enterFipsMode = 1 != fipsModeState;" code and comment before it > are wrong. > > FIPS_mode() function of OpenSSL is documented to return non-zero > value when in FIPS mode. You cannot expect it to be '1'. We *must* expect it to be '1'. I've gone through great pains to add in-line documentation explaining the stupidity behind OpenSSL's confusing documentation that "any non-zero value will work as long as that non-zero value is 1". Perhaps this is a case where I should have used FIPS_ON. One could argue that checking for any non-zero value would be more appropriate, here, but it's not /wrong/. -chris
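Review bot: in the new -1 entry, item a) asserts that the options will not work because the "fipsModeActive" field is not set in AprLifecycleListener, but the entry itself says this comes from code review only ("I cannot test") and names no method or branch where the assignment is missing. Naming the code path, meaning which configuration and which prior OpenSSL state lead to AprLifecycleListener.isFIPSModeActive() returning false, would let the proposer confirm or refute the veto directly. Item c) likewise calls "enterFipsMode = 1 != fipsModeState;" and its comment wrong without stating the comparison it should be replaced with; since the entry's own reasoning is that FIPS_mode() returns a non-zero value in FIPS mode, spelling out the intended test against zero would make the objection actionable.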