| author | Stefan Fritsch <sf@sfritsch.de> | 2011-12-27 19:42:59 +0100 |
|---|---|---|
| committer | Stefan Fritsch <sf@sfritsch.de> | 2011-12-27 19:42:59 +0100 |
| commit | e8bb7adda7f73e53cdab823e9cab2a49ccbdf188 (patch) | |
| tree | 87b13ae8f9f3b5c0059acca2796667726cddb838 /modules | |
| parent | db26b587c04799e75b6dd0fcd4b46aaa168f9161 (diff) | |
| download | apache2-e8bb7adda7f73e53cdab823e9cab2a49ccbdf188.tar.gz | |
Upstream tarball 2.2.16upstream/2.2.16
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/cache/cache_storage.c | 4 | ||||
| -rw-r--r-- | modules/dav/main/util.c | 3 | ||||
| -rw-r--r-- | modules/filters/NWGNUmakefile | 1 | ||||
| -rw-r--r-- | modules/filters/NWGNUreqtimeout | 258 | ||||
| -rw-r--r-- | modules/filters/mod_filter.c | 3 | ||||
| -rw-r--r-- | modules/filters/mod_reqtimeout.c | 2 | ||||
| -rw-r--r-- | modules/ldap/util_ldap.c | 4 | ||||
| -rw-r--r-- | modules/ldap/util_ldap_cache_mgr.c | 3 | ||||
| -rw-r--r-- | modules/mappers/mod_dir.c | 61 | ||||
| -rw-r--r-- | modules/mappers/mod_rewrite.c | 12 | ||||
| -rw-r--r-- | modules/proxy/mod_proxy.c | 4 | ||||
| -rw-r--r-- | modules/proxy/mod_proxy_ajp.c | 20 | ||||
| -rw-r--r-- | modules/proxy/mod_proxy_http.c | 24 | ||||
| -rw-r--r-- | modules/ssl/mod_ssl.c | 3 | ||||
| -rw-r--r-- | modules/ssl/ssl_engine_config.c | 29 | ||||
| -rw-r--r-- | modules/ssl/ssl_engine_init.c | 51 | ||||
| -rw-r--r-- | modules/ssl/ssl_private.h | 5 | ||||
| -rw-r--r-- | modules/ssl/ssl_toolkit_compat.h | 4 |
18 files changed, 464 insertions, 27 deletions
diff --git a/modules/cache/cache_storage.c b/modules/cache/cache_storage.c
index 2fbadc8b..f87f9c9d 100644
--- a/modules/cache/cache_storage.c
+++ b/modules/cache/cache_storage.c
@@ -479,7 +479,7 @@ apr_status_t cache_generate_key_default(request_rec *r, apr_pool_t* p,
* Check if we need to ignore session identifiers in the URL and do so
* if needed.
*/
- path = r->parsed_uri.path;
+ path = r->uri;
querystring = r->parsed_uri.query;
if (conf->ignore_session_id->nelts) {
int i;
@@ -546,7 +546,7 @@ apr_status_t cache_generate_key_default(request_rec *r, apr_pool_t* p,
*/
cache->key = apr_pstrdup(r->pool, *key);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
- "cache: Key for entity %s?%s is %s", r->parsed_uri.path,
+ "cache: Key for entity %s?%s is %s", r->uri,
r->parsed_uri.query, *key);
return APR_SUCCESS;
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index 5297b908..6ab880b4 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -624,7 +624,8 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
/* 2518 specifies this must be an absolute URI; just take the
* relative part for later comparison against r->uri */
- if (apr_uri_parse(r->pool, uri, &parsed_uri) != APR_SUCCESS) {
+ if (apr_uri_parse(r->pool, uri, &parsed_uri) != APR_SUCCESS
+ || !parsed_uri.path) {
return dav_new_error(r->pool, HTTP_BAD_REQUEST, DAV_ERR_IF_TAGGED,
"Invalid URI in tagged If-header.");
diff --git a/modules/filters/NWGNUmakefile b/modules/filters/NWGNUmakefile
index 04762d60..e3a40664 100644
--- a/modules/filters/NWGNUmakefile
+++ b/modules/filters/NWGNUmakefile
@@ -156,6 +156,7 @@ TARGET_nlm = \
$(OBJDIR)/charsetl.nlm \
$(OBJDIR)/mod_filter.nlm \
$(OBJDIR)/substitute.nlm \
+ $(OBJDIR)/reqtimeout.nlm \
$(EOLIST)
# If the zlib libraries source exists then build the mod_deflate module
diff --git a/modules/filters/NWGNUreqtimeout b/modules/filters/NWGNUreqtimeout
new file mode 100644
index 00000000..bb682fa1
--- /dev/null
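Review bot: The two replaced lines in cache_generate_key_default swap `r->parsed_uri.path` for `r->uri` without saying why, so a later reader will treat the two as interchangeable and may switch back. If the motivation is that `parsed_uri.path` can be NULL for a request that carries no path component while `r->uri` is always populated (the dav hunk in this same commit adds a `!parsed_uri.path` guard, which points the same way), record it above the first assignment: `/* use r->uri, not parsed_uri.path: the latter can be NULL for a request without a path component */`. The function's body continues outside both hunks.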
+++ b/modules/filters/NWGNUreqtimeout 
@@ -0,0 +1,258 @@ +# +# Declare the sub-directories to be built here +# + +SUBDIRS = \ + $(EOLIST) + +# +# Get the 'head' of the build environment. This includes default targets and +# paths to tools +# + +include $(AP_WORK)\build\NWGNUhead.inc + +# +# build this level's files + +# +# Make sure all needed macro's are defined +# + +# +# These directories will be at the beginning of the include list, followed by +# INCDIRS +# +XINCDIRS += \ + $(AP_WORK)/include \ + $(NWOS) \ + $(AP_WORK)/modules/arch/netware \ + $(APR)/include \ + $(APRUTIL)/include \ + $(APR) \ + $(EOLIST) + +# +# These flags will come after CFLAGS +# +XCFLAGS += \ + $(EOLIST) + +# +# These defines will come after DEFINES +# +XDEFINES += \ + $(EOLIST) + +# +# These flags will be added to the link.opt file +# +XLFLAGS += \ + $(EOLIST) + +# +# These values will be appended to the correct variables based on the value of +# RELEASE +# +ifeq "$(RELEASE)" "debug" +XINCDIRS += \ + $(EOLIST) + +XCFLAGS += \ + $(EOLIST) + +XDEFINES += \ + $(EOLIST) + +XLFLAGS += \ + $(EOLIST) +endif + +ifeq "$(RELEASE)" "noopt" +XINCDIRS += \ + $(EOLIST) + +XCFLAGS += \ + $(EOLIST) + +XDEFINES += \ + $(EOLIST) + +XLFLAGS += \ + $(EOLIST) +endif + +ifeq "$(RELEASE)" "release" +XINCDIRS += \ + $(EOLIST) + +XCFLAGS += \ + $(EOLIST) + +XDEFINES += \ + $(EOLIST) + +XLFLAGS += \ + $(EOLIST) +endif + +# +# These are used by the link target if an NLM is being generated +# This is used by the link 'name' directive to name the nlm. If left blank +# TARGET_nlm (see below) will be used. +# +NLM_NAME = reqtimeout + +# +# This is used by the link '-desc ' directive. +# If left blank, NLM_NAME will be used. +# +NLM_DESCRIPTION = Apache $(VERSION_STR) Request Timeout Module + +# +# This is used by the '-threadname' directive. If left blank, +# NLM_NAME Thread will be used. 
+# +NLM_THREAD_NAME = $(NLM_NAME) + +# +# If this is specified, it will override VERSION value in +# $(AP_WORK)\build\NWGNUenvironment.inc +# +NLM_VERSION = + +# +# If this is specified, it will override the default of 64K +# +NLM_STACK_SIZE = 8192 + + +# +# If this is specified it will be used by the link '-entry' directive +# +NLM_ENTRY_SYM = _LibCPrelude + +# +# If this is specified it will be used by the link '-exit' directive +# +NLM_EXIT_SYM = _LibCPostlude + +# +# If this is specified it will be used by the link '-check' directive +# +NLM_CHECK_SYM = + +# +# If these are specified it will be used by the link '-flags' directive +# +NLM_FLAGS = AUTOUNLOAD, PSEUDOPREEMPTION + +# +# If this is specified it will be linked in with the XDCData option in the def +# file instead of the default of $(NWOS)/apache.xdc. XDCData can be disabled +# by setting APACHE_UNIPROC in the environment +# +XDCDATA = + +# +# If there is an NLM target, put it here +# +TARGET_nlm = \ + $(OBJDIR)/$(NLM_NAME).nlm \ + $(EOLIST) + +# +# If there is an LIB target, put it here +# +TARGET_lib = \ + $(EOLIST) + +# +# These are the OBJ files needed to create the NLM target above. +# Paths must all use the '/' character +# +FILES_nlm_objs = \ + $(OBJDIR)/mod_reqtimeout.o \ + $(EOLIST) + +# +# These are the LIB files needed to create the NLM target above. +# These will be added as a library command in the link.opt file. +# +FILES_nlm_libs = \ + libcpre.o \ + $(EOLIST) + +# +# These are the modules that the above NLM target depends on to load. +# These will be added as a module command in the link.opt file. +# +FILES_nlm_modules = \ + aprlib \ + libc \ + $(EOLIST) + +# +# If the nlm has a msg file, put it's path here +# +FILE_nlm_msg = + +# +# If the nlm has a hlp file put it's path here +# +FILE_nlm_hlp = + +# +# If this is specified, it will override $(NWOS)\copyright.txt. 
+# +FILE_nlm_copyright = + +# +# Any additional imports go here +# +FILES_nlm_Ximports = \ + @$(APR)/aprlib.imp \ + @$(NWOS)/httpd.imp \ + @libc.imp \ + $(EOLIST) + +# +# Any symbols exported to here +# +FILES_nlm_exports = \ + reqtimeout_module \ + $(EOLIST) + +# +# These are the OBJ files needed to create the LIB target above. +# Paths must all use the '/' character +# +FILES_lib_objs = \ + $(EOLIST) + +# +# implement targets and dependancies (leave this section alone) +# + +libs :: $(OBJDIR) $(TARGET_lib) + +nlms :: libs $(TARGET_nlm) + +# +# Updated this target to create necessary directories and copy files to the +# correct place. (See $(AP_WORK)\build\NWGNUhead.inc for examples) +# +install :: nlms FORCE + +# +# Any specialized rules here +# + +# +# Include the 'tail' makefile that has targets that depend on variables defined +# in this makefile +# + +include $(AP_WORK)\build\NWGNUtail.inc + + diff --git a/modules/filters/mod_filter.c b/modules/filters/mod_filter.c index 73893642..c09f3f93 100644 --- a/modules/filters/mod_filter.c +++ b/modules/filters/mod_filter.c @@ -346,7 +346,8 @@ static apr_status_t filter_harness(ap_filter_t *f, apr_bucket_brigade *bb) harness_ctx *ctx = f->ctx; ap_filter_rec_t *filter = f->frec; - if (f->r->status != 200) { + if (f->r->status != 200 + && !apr_table_get(f->r->subprocess_env, "filter-errordocs")) { ap_remove_output_filter(f); return ap_pass_brigade(f->next, bb); } diff --git a/modules/filters/mod_reqtimeout.c b/modules/filters/mod_reqtimeout.c index 215a04c0..4aec0fcd 100644 --- a/modules/filters/mod_reqtimeout.c +++ b/modules/filters/mod_reqtimeout.c @@ -155,7 +155,7 @@ static apr_status_t reqtimeout_filter(ap_filter_t *f, extend_timeout(ccfg, bb); } - if (rv == APR_TIMEUP) { + if (APR_STATUS_IS_TIMEUP(rv)) { ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c, "Request %s read timeout", ccfg->type); } diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c index a894b6ea..08f21496 100644 
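Review bot: The new condition in filter_harness keeps the bare `200` while adding a lookup on a magic env-var name, so the line now carries two undocumented constants; `HTTP_OK` is the named constant httpd uses elsewhere (the mod_dir hunk in this same commit compares against it), so the line reads better as `if (f->r->status != HTTP_OK`. The `"filter-errordocs"` key also deserves a one-line comment above the `if`, e.g. `/* filter-errordocs (presumably set via SetEnv or a similar directive) lets the filter chain run on error responses too */`. filter_harness starts and ends outside the hunk.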
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -1837,6 +1837,9 @@ static void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
return st;
}
+/* cache-related settings are not merged here, but in the post_config hook,
+ * since the cache has not yet sprung to life
+ */
static void *util_ldap_merge_config(apr_pool_t *p, void *basev,
void *overridesv)
{
@@ -1983,6 +1986,7 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
st_vhost->cache_shm = st->cache_shm;
st_vhost->cache_rmm = st->cache_rmm;
st_vhost->cache_file = st->cache_file;
+ st_vhost->util_ldap_cache = st->util_ldap_cache;
ap_log_error(APLOG_MARK, APLOG_DEBUG, result, s,
"LDAP merging Shared Cache conf: shm=0x%pp rmm=0x%pp "
"for VHOST: %s", st->cache_shm, st->cache_rmm,
diff --git a/modules/ldap/util_ldap_cache_mgr.c b/modules/ldap/util_ldap_cache_mgr.c
index 6bb066ab..b0283715 100644
--- a/modules/ldap/util_ldap_cache_mgr.c
+++ b/modules/ldap/util_ldap_cache_mgr.c
@@ -605,7 +605,8 @@ char *util_ald_cache_display(request_rec *r, util_ldap_state_t *st)
if (!util_ldap_cache) {
- return "<tr valign='top'><td nowrap colspan=7>Cache has not been enabled/initialised.</td></tr>";
+ ap_rputs("<tr valign='top'><td nowrap colspan=7>Cache has not been enabled/initialised.</td></tr>", r);
+ return NULL;
}
if (r->args && strlen(r->args)) {
diff --git a/modules/mappers/mod_dir.c b/modules/mappers/mod_dir.c
index 9eb10ab6..e3a9537b 100644
--- a/modules/mappers/mod_dir.c
+++ b/modules/mappers/mod_dir.c
@@ -40,6 +40,7 @@ typedef enum {
typedef struct dir_config_struct {
apr_array_header_t *index_names;
slash_cfg do_slash;
+ const char *dflt;
} dir_config_rec;
#define DIR_CMD_PERMS OR_INDEXES
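Review bot: `util_ald_cache_display` now returns NULL after writing the error row with `ap_rputs` itself, whereas before it returned the row as a string for the caller to emit; the declared return type is still `char *`, so every caller (none visible here) must now tolerate a NULL result, and any caller written against the old contract that passes the result to `strlen` or a concatenation becomes a NULL dereference. A comment on the new early return would make the changed contract explicit: `/* row already written; callers must accept a NULL return */`. The function's body continues outside the hunk.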
@@ -65,6 +66,9 @@ static const char *configure_slash(cmd_parms *cmd, void *d_, int arg)
static const command_rec dir_cmds[] =
{
+ AP_INIT_TAKE1("FallbackResource", ap_set_string_slot,
+ (void*)APR_OFFSETOF(dir_config_rec, dflt),
+ DIR_CMD_PERMS, "Set a default handler"),
AP_INIT_ITERATE("DirectoryIndex", add_index, NULL, DIR_CMD_PERMS,
"a list of file names"),
AP_INIT_FLAG("DirectorySlash", configure_slash, NULL, DIR_CMD_PERMS,
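Review bot: The help string `"Set a default handler"` on the new `FallbackResource` entry describes the directive wrongly: `ap_set_string_slot` stores the argument into `dflt`, and the fixup_dflt hunk below hands that string to `ap_sub_req_lookup_uri`, so it names a resource to serve, not a handler. `"a default resource to serve when the requested one does not exist"` matches what the code does. The `/* XXX: if DefaultHandler points to ... */` comment in that same fixup_dflt hunk names the directive wrongly as well and should say FallbackResource.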
@@ -90,9 +94,64 @@ static void *merge_dir_configs(apr_pool_t *p, void *basev, void *addv)
new->index_names = add->index_names ? add->index_names : base->index_names;
new->do_slash =
(add->do_slash == SLASH_UNSET) ? base->do_slash : add->do_slash;
+ new->dflt = add->dflt ? add->dflt : base->dflt;
return new;
}
+static int fixup_dflt(request_rec *r)
+{
+ dir_config_rec *d = ap_get_module_config(r->per_dir_config, &dir_module);
+ const char *name_ptr;
+ request_rec *rr;
+ int error_notfound = 0;
+ if ((r->finfo.filetype != APR_NOFILE) || (r->handler != NULL)) {
+ return DECLINED;
+ }
+ name_ptr = d->dflt;
+ if (name_ptr == NULL) {
+ return DECLINED;
+ }
+ /* XXX: if DefaultHandler points to something that doesn't exist,
+ * this may recurse until it hits the limit for internal redirects
+ * before returning an Internal Server Error.
+ */
+
+ /* The logic of this function is basically cloned and simplified
+ * from fixup_dir below. See the comments there.
+ */
+ if (r->args != NULL) {
+ name_ptr = apr_pstrcat(r->pool, name_ptr, "?", r->args, NULL);
+ }
+ rr = ap_sub_req_lookup_uri(name_ptr, r, r->output_filters);
+ if (rr->status == HTTP_OK
+ && ( (rr->handler && !strcmp(rr->handler, "proxy-server"))
+ || rr->finfo.filetype == APR_REG)) {
+ ap_internal_fast_redirect(rr, r);
+ return OK;
+ }
+ else if (ap_is_HTTP_REDIRECT(rr->status)) {
+
+ apr_pool_join(r->pool, rr->pool);
+ r->notes = apr_table_overlay(r->pool, r->notes, rr->notes);
+ r->headers_out = apr_table_overlay(r->pool, r->headers_out,
+ rr->headers_out);
+ r->err_headers_out = apr_table_overlay(r->pool, r->err_headers_out,
+ rr->err_headers_out);
+ error_notfound = rr->status;
+ }
+ else if (rr->status && rr->status != HTTP_NOT_FOUND
+ && rr->status != HTTP_OK) {
+ error_notfound = rr->status;
+ }
+
+ ap_destroy_sub_req(rr);
+ if (error_notfound) {
+ return error_notfound;
+ }
+
+ /* nothing for us to do, pass on through */
+ return DECLINED;
+}
static int fixup_dir(request_rec *r)
{
dir_config_rec *d;
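Review bot: In the `ap_is_HTTP_REDIRECT` branch of fixup_dflt the sub-request's `notes`, `headers_out` and `err_headers_out` are merged into `r` with `apr_table_overlay`, which copies the entry pointers but not the strings they point to, and the function then falls through to `ap_destroy_sub_req(rr)` before returning `error_notfound`; the merged Location header and every other copied value therefore points into a pool that has just been destroyed. `apr_pool_join` only tells pool debugging that the lifetimes are shared; it does not keep `rr->pool` alive. fixup_dir, which the comment says this function is cloned from, appears to return the status straight from that branch without destroying the sub-request, and the same shape fixes this one: replace `error_notfound = rr->status;` in the redirect branch with `return rr->status;`.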
@@ -242,7 +301,9 @@ static int fixup_dir(request_rec *r)
static void register_hooks(apr_pool_t *p)
{
+ /* the order of these is of no consequence */
ap_hook_fixups(fixup_dir,NULL,NULL,APR_HOOK_LAST);
+ ap_hook_fixups(fixup_dflt,NULL,NULL,APR_HOOK_LAST);
}
module AP_MODULE_DECLARE_DATA dir_module = {
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index d5bd5679..5b58f5b3 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -2349,12 +2349,14 @@ static void do_expand_env(data_item *env, rewrite_ctx *ctx)
name = do_expand(env->data, ctx, NULL);
if ((val = ap_strchr(name, ':')) != NULL) {
*val++ = '\0';
-
- apr_table_set(ctx->r->subprocess_env, name, val);
- rewritelog((ctx->r, 5, NULL, "setting env variable '%s' to '%s'",
- name, val));
+ } else {
+ val = "";
}
+ apr_table_set(ctx->r->subprocess_env, name, val);
+ rewritelog((ctx->r, 5, NULL, "setting env variable '%s' to '%s'",
+ name, val));
+
env = env->next;
}
@@ -3014,7 +3016,7 @@ static const char *cmd_rewritelock(cmd_parms *cmd, void *dconf, const char *a1)
lockname = ap_server_root_relative(cmd->pool, a1);
if (!lockname) {
- return apr_pstrcat(cmd->pool, "Invalid RewriteLock path ", a1);
+ return apr_pstrcat(cmd->pool, "Invalid RewriteLock path ", a1, NULL);
}
return NULL;
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 70dddbb5..6a370563 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -1362,7 +1362,7 @@ static const char *
if (err)
return apr_pstrcat(cmd->temp_pool, "ProxyPass ", err, NULL);
} else {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server,
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, cmd->server,
"worker %s already used by another worker", worker->name);
}
PROXY_COPY_CONF_PARAMS(worker, conf);
@@ -1779,7 +1779,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
if ((err = ap_proxy_add_worker(&worker, cmd->pool, conf, name)) != NULL)
return apr_pstrcat(cmd->temp_pool, "BalancerMember ", err, NULL);
} else {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server,
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, cmd->server,
"worker %s already used by another worker", worker->name);
}
PROXY_COPY_CONF_PARAMS(worker, conf);
diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
index fa8c41f8..78f8e402 100644
--- a/modules/proxy/mod_proxy_ajp.c
+++ b/modules/proxy/mod_proxy_ajp.c
@@ -450,15 +450,18 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
}
}
else {
+ apr_status_t rv;
+
e = apr_bucket_transient_create(send_body_chunk_buff, size,
r->connection->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(output_brigade, e);
if ((conn->worker->flush_packets == flush_on) ||
((conn->worker->flush_packets == flush_auto) &&
- (apr_poll(conn_poll, 1, &conn_poll_fd,
- conn->worker->flush_wait)
- == APR_TIMEUP) ) ) {
+ ((rv = apr_poll(conn_poll, 1, &conn_poll_fd,
+ conn->worker->flush_wait))
+ != APR_SUCCESS) &&
+ APR_STATUS_IS_TIMEUP(rv))) {
e = apr_bucket_flush_create(r->connection->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(output_brigade, e);
}
@@ -580,8 +583,17 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
*/
if (data_sent) {
ap_proxy_backend_broke(r, output_brigade);
- } else
+ } else if (!send_body && (is_idempotent(r) == METHOD_IDEMPOTENT)) {
+ /*
+ * This is only non fatal when we have not sent (parts) of a possible
+ * request body so far (we do not store it and thus cannot sent it
+ * again) and the method is idempotent. In this case we can dare to
+ * retry it with a different worker if we are a balancer member.
+ */
rv = HTTP_SERVICE_UNAVAILABLE;
+ } else {
+ rv = HTTP_INTERNAL_SERVER_ERROR;
+ }
}
/*
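Review bot: The `apr_status_t rv;` declared at the top of the `else` block in ap_proxy_ajp_request shadows an outer `rv`: the second hunk of the same function assigns `HTTP_SERVICE_UNAVAILABLE` and `HTTP_INTERNAL_SERVER_ERROR` to a `rv` that is not declared in either hunk, so it must be function-scoped. `-Wshadow` will flag this and a reader has to work out which `rv` a later line means; renaming the inner one, `apr_status_t poll_rv;`, removes the ambiguity. The `!= APR_SUCCESS &&` test looks redundant next to `APR_STATUS_IS_TIMEUP(rv)`, but it is doing real work by sequencing the assignment before the macro, which on some platforms reads its argument more than once; a comment saying so would stop the next person from folding the call into the macro: `/* assign first: APR_STATUS_IS_TIMEUP may evaluate its argument twice */`. The function starts and ends outside both hunks.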
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index 7e4767f9..83d4e23a 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -1400,8 +1400,8 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
if (len <= 0) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r,
"proxy: error reading status line from remote "
- "server %s", backend->hostname);
- if (rc == APR_TIMEUP) {
+ "server %s:%d", backend->hostname, backend->port);
+ if (APR_STATUS_IS_TIMEUP(rc)) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"proxy: read timeout");
}
@@ -1417,14 +1417,14 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
* we normally would handle timeouts
*/
if (r->proxyreq == PROXYREQ_REVERSE && c->keepalives &&
- rc != APR_TIMEUP) {
+ !APR_STATUS_IS_TIMEUP(rc)) {
apr_bucket *eos;
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"proxy: Closing connection to client because"
- " reading from backend server %s failed. Number"
- " of keepalives %i", backend->hostname,
- c->keepalives);
+ " reading from backend server %s:%d failed."
+ " Number of keepalives %i", backend->hostname,
+ backend->port, c->keepalives);
ap_proxy_backend_broke(r, bb);
/*
* Add an EOC bucket to signal the ap_http_header_filter
@@ -1449,14 +1449,17 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
APR_BUCKET_INSERT_BEFORE(eos, e);
}
ap_pass_brigade(r->output_filters, bb);
+ /* Mark the backend connection for closing */
+ backend->close = 1;
/* Need to return OK to avoid sending an error message */
return OK;
}
else if (!c->keepalives) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"proxy: NOT Closing connection to client"
- " although reading from backend server %s"
- " failed.", backend->hostname);
+ " although reading from backend server %s:%d"
+ " failed.", backend->hostname,
+ backend->port);
}
return ap_proxyerror(r, HTTP_BAD_GATEWAY,
"Error reading from remote server");
@@ -1561,8 +1564,9 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
*/
apr_table_unset(r->headers_out, "Content-Length");
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
- "proxy: server %s returned Transfer-Encoding"
- " and Content-Length", backend->hostname);
+ "proxy: server %s:%d returned Transfer-Encoding"
+ " and Content-Length", backend->hostname,
+ backend->port);
backend->close += 1;
}
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 37c13731..5edb1c82 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -99,6 +99,9 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(Engine, TAKE1,
"SSL switch for the protocol engine "
"(`on', `off')")
+ SSL_CMD_SRV(FIPS, FLAG,
+ "Enable FIPS-140 mode "
+ "(`on', `off')")
SSL_CMD_ALL(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
"(`XXX:...:XXX' - see manual)")
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index e983f1e4..d800bb6d 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -175,6 +175,9 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
#ifndef OPENSSL_NO_TLSEXT
sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
#endif
+#ifdef HAVE_FIPS
+ sc->fips = UNSET;
+#endif
modssl_ctx_init_proxy(sc, p);
@@ -269,6 +272,9 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
#ifndef OPENSSL_NO_TLSEXT
cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
#endif
+#ifdef HAVE_FIPS
+ cfgMergeBool(fips);
+#endif
modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -635,6 +641,29 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
return "Argument must be On, Off, or Optional";
}
+const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef HAVE_FIPS
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+#endif
+ const char *err;
+
+ if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ return err;
+ }
+
+#ifdef HAVE_FIPS
+ if ((sc->fips != UNSET) && (sc->fips != (BOOL)(flag ? TRUE : FALSE)))
+ return "Conflicting SSLFIPS options, cannot be both On and Off";
+ sc->fips = flag ? TRUE : FALSE;
+#else
+ if (flag)
+ return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
+#endif
+
+ return NULL;
+}
+
const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
void *dcfg,
const char *arg)
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index d4f9171d..00580b84 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -79,12 +79,25 @@ static int ssl_tmp_key_init_rsa(server_rec *s,
{
SSLModConfigRec *mc = myModConfig(s);
+#ifdef HAVE_FIPS
+
+ if (FIPS_mode() && bits < 1024) {
+ mc->pTmpKeys[idx] = NULL;
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Init: Skipping generating temporary "
+ "%d bit RSA private key in FIPS mode", bits);
+ return OK;
+ }
+
+#endif
+
if (!(mc->pTmpKeys[idx] =
RSA_generate_key(bits, RSA_F4, NULL, NULL)))
{
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Failed to generate temporary "
"%d bit RSA private key", bits);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
return !OK;
}
@@ -96,6 +109,18 @@ static int ssl_tmp_key_init_dh(server_rec *s,
{
SSLModConfigRec *mc = myModConfig(s);
+#ifdef HAVE_FIPS
+
+ if (FIPS_mode() && bits < 1024) {
+ mc->pTmpKeys[idx] = NULL;
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Init: Skipping generating temporary "
+ "%d bit DH parameters in FIPS mode", bits);
+ return OK;
+ }
+
+#endif
+
if (!(mc->pTmpKeys[idx] =
ssl_dh_GetTmpParam(bits)))
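Review bot: The two new `if`s under `#ifdef HAVE_FIPS` and `#else` in ssl_cmd_SSLFIPS leave their single `return` statements unbraced, while the `ap_check_cmd_context` check a few lines above braces its body, as does every other new block in this commit's mod_ssl hunks; brace them for consistency: `if (flag) {` / `return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";` / `}`. The `(BOOL)(flag ? TRUE : FALSE)` cast adds nothing, since `sc->fips` is declared `BOOL` in the ssl_private.h hunk and the ternary already yields TRUE or FALSE; `sc->fips != (flag ? TRUE : FALSE)` reads the same.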
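Review bot: In both ssl_tmp_key_init_rsa and ssl_tmp_key_init_dh the new FIPS branch logs "Skipping generating temporary ... in FIPS mode" at `APLOG_ERR` and then returns `OK`, so a deliberate, expected skip is reported at the same severity as the genuine generation failure right below it; `APLOG_WARNING` (or `APLOG_NOTICE`) fits a non-fatal skip and keeps APLOG_ERR meaningful for alerting. Leaving `mc->pTmpKeys[idx]` NULL also means whatever later hands out the temporary key must cope with an empty slot, which I cannot verify from these hunks; a comment at the assignment, `/* NULL slot: the tmp-key callbacks must handle a missing key */`, would record that expectation. Both functions start outside their hunks.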
@@ -208,6 +233,11 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
}
+#ifdef HAVE_FIPS
+ if (sc->fips == UNSET) {
+ sc->fips = FALSE;
+ }
+#endif
}
#if APR_HAS_THREADS
@@ -231,6 +261,26 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
*/
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
+#ifdef HAVE_FIPS
+ if(sc->fips) {
+ if (!FIPS_mode()) {
+ if (FIPS_mode_set(1)) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
+ "Operating in SSL FIPS mode");
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, "FIPS mode failed");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_EMERG, s);
+ ssl_die();
+ }
+ }
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
+ "SSL FIPS mode disabled");
+ }
+#endif
+
/*
* read server private keys/public certs into memory.
* decrypting any encrypted keys via configured SSLPassPhraseDialogs
@@ -1250,6 +1300,7 @@ static void ssl_init_ctx_cleanup_proxy(modssl_ctx_t *mctx)
if (mctx->pkp->certs) {
sk_X509_INFO_pop_free(mctx->pkp->certs, X509_INFO_free);
+ mctx->pkp->certs = NULL;
}
}
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 0613f0d2..af6d0f72 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -479,6 +479,9 @@ struct SSLSrvConfigRec {
#ifndef OPENSSL_NO_TLSEXT
ssl_enabled_t strict_sni_vhost_check;
#endif
+#ifdef HAVE_FIPS
+ BOOL fips;
+#endif
};
/**
@@ -562,6 +565,8 @@ const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const c
const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
+
/** module initialization */
int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void ssl_init_Engine(server_rec *, apr_pool_t *);
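Review bot: The new FIPS block in ssl_init_Module after `ssl_rand_seed` reads `sc->fips` and logs against `s`, but neither is assigned in this hunk; if they are the leftovers of the per-server loop that the preceding hunk (with its `sc->fips = FALSE` default) sits inside, then `sc` is whichever server record came last in the chain and `s` is whatever the loop exit left behind. Because `SSLFIPS` is `GLOBAL_ONLY` and `cfgMergeBool(fips)` propagates the base value, the outcome is the same today, but `mySrvConfig(base_server)->fips` and `base_server` would state the intent and survive a later change to that loop. `if(sc->fips)` also wants a space after `if` to match the surrounding code. ssl_init_Module starts and ends outside these hunks.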
diff --git a/modules/ssl/ssl_toolkit_compat.h b/modules/ssl/ssl_toolkit_compat.h
index a841eccd..369516b2 100644
--- a/modules/ssl/ssl_toolkit_compat.h
+++ b/modules/ssl/ssl_toolkit_compat.h
@@ -141,6 +141,10 @@ typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
#define HAVE_SSL_X509V3_EXT_d2i
+#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
+#define HAVE_FIPS
+#endif
+
#ifndef PEM_F_DEF_CALLBACK
#ifdef PEM_F_PEM_DEF_CALLBACK
/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */ |
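Review bot: The new `HAVE_FIPS` gate decides, in three other files of this commit, whether `SSLFIPS on` is honoured or rejected with the "rebuild httpd and openssl compiled for FIPS" error, yet nothing here says what its two conditions stand for. A comment above the `#if` would help: `/* FIPS mode needs an OpenSSL built with OPENSSL_FIPS and at least the version encoded below */`. If `0x009080a0` decodes to 0.9.8j in OpenSSL's version layout, as it appears to, naming that release in the comment would make the requirement readable without a calculator.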
