Diffstat (limited to 'modules/ssl')
-rw-r--r--modules/ssl/mod_ssl.c3
-rw-r--r--modules/ssl/ssl_engine_config.c29
-rw-r--r--modules/ssl/ssl_engine_init.c51
-rw-r--r--modules/ssl/ssl_private.h5
-rw-r--r--modules/ssl/ssl_toolkit_compat.h4
5 files changed, 92 insertions, 0 deletions
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 37c13731..5edb1c82 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -99,6 +99,9 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(Engine, TAKE1,
"SSL switch for the protocol engine "
"(`on', `off')")
+ SSL_CMD_SRV(FIPS, FLAG,
+ "Enable FIPS-140 mode "
+ "(`on', `off')")
SSL_CMD_ALL(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
"(`XXX:...:XXX' - see manual)")
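Review bot: The help string for the new SSLFIPS entry does not say that the directive is only accepted in the main server configuration, although ssl_cmd_SSLFIPS rejects it elsewhere (ap_check_cmd_context(cmd, GLOBAL_ONLY) in ssl_engine_config.c). This text is what `httpd -L` prints, so stating the restriction there saves an administrator a failed restart; e.g. replace the second line with `"Enable FIPS-140 mode (server config only) "`.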
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index e983f1e4..d800bb6d 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -175,6 +175,9 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
#ifndef OPENSSL_NO_TLSEXT
sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
#endif
+#ifdef HAVE_FIPS
+ sc->fips = UNSET;
+#endif
modssl_ctx_init_proxy(sc, p);
@@ -269,6 +272,9 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
#ifndef OPENSSL_NO_TLSEXT
cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
#endif
+#ifdef HAVE_FIPS
+ cfgMergeBool(fips);
+#endif
modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -635,6 +641,29 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
return "Argument must be On, Off, or Optional";
}
+const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
+{
+#ifdef HAVE_FIPS
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+#endif
+ const char *err;
+
+ if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ return err;
+ }
+
+#ifdef HAVE_FIPS
+ if ((sc->fips != UNSET) && (sc->fips != (BOOL)(flag ? TRUE : FALSE)))
+ return "Conflicting SSLFIPS options, cannot be both On and Off";
+ sc->fips = flag ? TRUE : FALSE;
+#else
+ if (flag)
+ return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
+#endif
+
+ return NULL;
+}
+
const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
void *dcfg,
const char *arg)
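Review bot: The two FIPS checks in ssl_cmd_SSLFIPS leave their `if` bodies unbraced while the ap_check_cmd_context test a few lines above is braced; bracing both keeps the function consistent with its neighbours and stops a later edit from adding a second statement that silently falls outside the conditional. Normalising the flag once, `BOOL on = flag ? TRUE : FALSE;`, removes the repeated conditional from both the conflict test and the assignment. In a non-FIPS build `SSLFIPS off` is accepted silently, which looks intentional; a one-line comment saying so (`/* "off" is a no-op without FIPS support */`) would spare the next reader the question.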
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index d4f9171d..00580b84 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -79,12 +79,25 @@ static int ssl_tmp_key_init_rsa(server_rec *s,
{
SSLModConfigRec *mc = myModConfig(s);
+#ifdef HAVE_FIPS
+
+ if (FIPS_mode() && bits < 1024) {
+ mc->pTmpKeys[idx] = NULL;
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Init: Skipping generating temporary "
+ "%d bit RSA private key in FIPS mode", bits);
+ return OK;
+ }
+
+#endif
+
if (!(mc->pTmpKeys[idx] =
RSA_generate_key(bits, RSA_F4, NULL, NULL)))
{
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Failed to generate temporary "
"%d bit RSA private key", bits);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
return !OK;
}
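Review bot: The FIPS skip in ssl_tmp_key_init_rsa logs at APLOG_ERR and then returns OK, so an expected, non-fatal condition is reported as an error; APLOG_WARNING (or NOTICE) fits a message that says "Skipping", and the same applies to the DH hunk that follows (ssl_tmp_key_init_dh). The skipped slot is left as `mc->pTmpKeys[idx] = NULL`; whatever callback later hands these temporary keys to a handshake must tolerate a NULL entry, otherwise a session that asks for the short key would dereference it — that consumer is not in this diff, so please confirm it checks the slot. A comment on the condition explaining why 1024 is the floor (presumably the FIPS module's minimum key size) would document the constant. The function's tail lies outside the hunk.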
@@ -96,6 +109,18 @@ static int ssl_tmp_key_init_dh(server_rec *s,
{
SSLModConfigRec *mc = myModConfig(s);
+#ifdef HAVE_FIPS
+
+ if (FIPS_mode() && bits < 1024) {
+ mc->pTmpKeys[idx] = NULL;
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Init: Skipping generating temporary "
+ "%d bit DH parameters in FIPS mode", bits);
+ return OK;
+ }
+
+#endif
+
if (!(mc->pTmpKeys[idx] =
ssl_dh_GetTmpParam(bits)))
{
@@ -208,6 +233,11 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
}
+#ifdef HAVE_FIPS
+ if (sc->fips == UNSET) {
+ sc->fips = FALSE;
+ }
+#endif
}
#if APR_HAS_THREADS
@@ -231,6 +261,26 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
*/
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
+#ifdef HAVE_FIPS
+ if(sc->fips) {
+ if (!FIPS_mode()) {
+ if (FIPS_mode_set(1)) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
+ "Operating in SSL FIPS mode");
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, "FIPS mode failed");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_EMERG, s);
+ ssl_die();
+ }
+ }
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
+ "SSL FIPS mode disabled");
+ }
+#endif
+
/*
* read server private keys/public certs into memory.
* decrypting any encrypted keys via configured SSLPassPhraseDialogs
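Review bot: The FIPS block reads `sc` and `s` after the per-server loop that closes just above this hunk (the loop itself is not shown), so `sc` presumably holds the last vhost's config and `s` has run off the end of the list, while the call on the preceding line deliberately uses `base_server`. That only works because SSLFIPS is GLOBAL_ONLY and `cfgMergeBool(fips)` copies the value into every vhost; re-deriving it, `sc = mySrvConfig(base_server);`, and logging against `base_server` would make the switch independent of the loop's exit state. FIPS_mode_set(1) also runs after `ssl_rand_seed` has already seeded the RNG — whether the FIPS RNG keeps that seeding should be confirmed, otherwise the mode switch belongs before the seeding call. `if(sc->fips)` is missing the space after `if` that the rest of the hunk uses.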
@@ -1250,6 +1300,7 @@ static void ssl_init_ctx_cleanup_proxy(modssl_ctx_t *mctx)
if (mctx->pkp->certs) {
sk_X509_INFO_pop_free(mctx->pkp->certs, X509_INFO_free);
+ mctx->pkp->certs = NULL;
}
}
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 0613f0d2..af6d0f72 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -479,6 +479,9 @@ struct SSLSrvConfigRec {
#ifndef OPENSSL_NO_TLSEXT
ssl_enabled_t strict_sni_vhost_check;
#endif
+#ifdef HAVE_FIPS
+ BOOL fips;
+#endif
};
/**
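Review bot: The new `fips` member carries no comment saying what its three states mean, although the value starts as UNSET in ssl_config_server_new, is forced to FALSE in ssl_init_Module when still UNSET, and is otherwise TRUE/FALSE from SSLFIPS. Suggest `BOOL fips; /* SSLFIPS: UNSET until ssl_init_Module defaults it to FALSE */`.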
@@ -562,6 +565,8 @@ const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const c
const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
+
/** module initialization */
int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void ssl_init_Engine(server_rec *, apr_pool_t *);
diff --git a/modules/ssl/ssl_toolkit_compat.h b/modules/ssl/ssl_toolkit_compat.h
index a841eccd..369516b2 100644
--- a/modules/ssl/ssl_toolkit_compat.h
+++ b/modules/ssl/ssl_toolkit_compat.h
@@ -141,6 +141,10 @@ typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
#define HAVE_SSL_X509V3_EXT_d2i
+#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
+#define HAVE_FIPS
+#endif
+
#ifndef PEM_F_DEF_CALLBACK
#ifdef PEM_F_PEM_DEF_CALLBACK
/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
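Review bot: The HAVE_FIPS gate has no comment saying what its two conditions stand for: 0x009080a0 is the 0.9.8j version floor and OPENSSL_FIPS comes from opensslconf.h of a FIPS-capable build, which has to be included before this point (presumably via the OpenSSL headers pulled in earlier in this file; not visible here). Suggest `/* FIPS_mode()/FIPS_mode_set() are available from OpenSSL 0.9.8j built with the FIPS module */` above the `#if`, matching the explanatory comment used for PEM_F_DEF_CALLBACK below.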