#ifdef HAVE_OPENSSL_KEYLOG
mc->keylog_file = NULL;
#endif
+#ifdef HAVE_FIPS
+ mc->fips = UNSET;
+#endif
apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
apr_pool_cleanup_null,
#ifdef HAVE_TLSEXT
sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
#endif
-#ifdef HAVE_FIPS
- sc->fips = UNSET;
-#endif
#ifndef OPENSSL_NO_COMP
sc->compression = UNSET;
#endif
#ifdef HAVE_TLSEXT
cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
#endif
-#ifdef HAVE_FIPS
- cfgMergeBool(fips);
-#endif
#ifndef OPENSSL_NO_COMP
cfgMergeBool(compression);
#endif
const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
{
#ifdef HAVE_FIPS
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSLModConfigRec *mc = myModConfig(cmd->server);
#endif
const char *err;
}
#ifdef HAVE_FIPS
- if ((sc->fips != UNSET) && (sc->fips != (BOOL)(flag ? TRUE : FALSE)))
+ if ((mc->fips != UNSET) && (mc->fips != (BOOL)(flag ? TRUE : FALSE)))
return "Conflicting SSLFIPS options, cannot be both On and Off";
- sc->fips = flag ? TRUE : FALSE;
+ mc->fips = flag ? TRUE : FALSE;
#else
if (flag)
return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
DMP_LONG( "SSLSessionCacheTimeout", sc->session_cache_timeout);
DMP_ON_OFF("SSLInsecureRenegotiation", sc->insecure_reneg);
DMP_ON_OFF("SSLStrictSNIVHostCheck", sc->strict_sni_vhost_check);
-#ifdef HAVE_FIPS
- DMP_ON_OFF("SSLFIPS", sc->fips);
-#endif
DMP_ON_OFF("SSLSessionTickets", sc->session_tickets);
}
if (sc->server && sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) {
sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
}
-
-#ifdef HAVE_FIPS
- if (sc->fips == UNSET) {
- sc->fips = FALSE;
- }
-#endif
}
#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
#ifdef HAVE_FIPS
- /* ### The FIPS setting is global and must be the same in all
- * SSLSrvConfigRecs, should be in SSLModConfigRec really. */
- sc = mySrvConfig(base_server);
- if (sc->fips) {
- if (!FIPS_mode()) {
- if (FIPS_mode_set(1)) {
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, base_server, APLOGNO(01884)
- "Operating in SSL FIPS mode");
- apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
- apr_pool_cleanup_null);
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, base_server, APLOGNO(01885) "FIPS mode failed");
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, base_server);
- return ssl_die(base_server);
- }
+ if (!FIPS_mode() && mc->fips == TRUE) {
+ if (!FIPS_mode_set(1)) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, base_server, APLOGNO(01885)
+ "Could not enable FIPS mode");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, base_server);
+ return ssl_die(base_server);
}
+
+ apr_pool_cleanup_register(p, NULL, modssl_fips_cleanup,
+ apr_pool_cleanup_null);
+ }
+
+ /* Log actual FIPS mode which the SSL library is operating under,
+ * which may have been set outside of the mod_ssl
+ * configuration. */
+ if (FIPS_mode()) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, base_server, APLOGNO(01884)
+ MODSSL_LIBRARY_NAME " has FIPS mode enabled");
}
else {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(01886)
- "SSL FIPS mode disabled");
+ MODSSL_LIBRARY_NAME " has FIPS mode disabled");
}
#endif
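Review bot: The new condition at `if (!FIPS_mode() && mc->fips == TRUE)` only acts on an explicit `SSLFIPS On`, so an explicit `SSLFIPS Off` while the library is already in FIPS mode (enabled outside mod_ssl, as the new comment notes) is accepted without complaint and then reported at NOTICE as "has FIPS mode enabled"; an administrator reading the config would assume non-FIPS operation. Consider an `else if (mc->fips == FALSE && FIPS_mode())` branch ahead of the unconditional status log that emits an APLOG_WARNING (with a fresh APLOGNO placeholder to be allocated) saying that SSLFIPS Off was configured but the library is already operating in FIPS mode, so the mismatch is visible at startup rather than only in a debug log. The failure path is otherwise sound: a failed `FIPS_mode_set(1)` logs at EMERG and returns `ssl_die(base_server)`, so a requested FIPS mode never silently degrades. The enclosing function starts and ends outside the hunk, and `mc` is presumably declared earlier in it rather than in this hunk.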