From: William A. Rowe Jr
Date: Mon, 22 Mar 2010 06:57:34 +0000 (+0000)
Subject: Revert premature commit, sorry. It's time to stop using -m :/
X-Git-Tag: 2.2.16~95
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0ad59a01825ddbe9a2777e29798ae7494b2fd1c;p=thirdparty%2Fapache%2Fhttpd.git
Revert premature commit, sorry. It's time to stop using -m :/
Of course r925983 is one more way to review this patch,
if you like.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@925984 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index eeb3a7a0b50..f441b725565 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -501,33 +501,6 @@ Within HTTP/1.1. At this time no web browsers support RFC 2817.
-
-SSLFIPS
-SSL FIPS mode Switch
-SSLFIPS on|off
-SSLFIPS off
-server config
-
-
-
-This directive toggles the usage of the SSL library FIPS_mode flag.
-It must be set in the global server context and cannot be configured
-with conflicting settings (SSLFIPS on followed by SSLFIPS off or
-similar). The mode applies to all SSL library operations.
-
-
-If httpd was compiled against an SSL library which did not support
-the FIPS_mode flag, SSLFIPS on
will fail. Refer to the
-FIPS 140-2 Security Policy document of the SSL provider library for
-specific requirements to use mod_ssl in a FIPS 140-2 approved mode
-of operation; note that mod_ssl itself is not validated, but may be
-described as using FIPS 140-2 validated cryptographic module, when
-all components are assembled and operated under the guidelines imposed
-by the applicable Security Policy.
-
-
-
-
SSLProtocol
Configure usable SSL protocol flavors
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 5edb1c82e6c..37c13731523 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -99,9 +99,6 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(Engine, TAKE1,
"SSL switch for the protocol engine "
"(`on', `off')")
- SSL_CMD_SRV(FIPS, FLAG,
- "Enable FIPS-140 mode "
- "(`on', `off')")
SSL_CMD_ALL(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
"(`XXX:...:XXX' - see manual)")
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 876a6836ed5..e983f1e4e04 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -260,9 +260,6 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
cfgMerge(mc, NULL);
cfgMerge(enabled, SSL_ENABLED_UNSET);
-#ifdef HAVE_FIPS
- cfgMergeBool(fips);
-#endif
cfgMergeBool(proxy_enabled);
cfgMergeInt(session_cache_timeout);
cfgMergeBool(cipher_server_pref);
@@ -638,27 +635,6 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
return "Argument must be On, Off, or Optional";
}
-const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
-{
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *err;
-
- if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
- return err;
- }
-
-#ifdef HAVE_FIPS
- if ((sc->fips != UNSET) && (sc->fips != (flag ? TRUE : FALSE)))
- return "Conflicting SSLFIPS options, cannot be both On and Off";
- sc->fips = flag ? TRUE : FALSE;
-#else
- if (flag)
- return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
-#endif
-
- return NULL;
-}
-
const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
void *dcfg,
const char *arg)
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 6270e56dda1..d4f9171dfe3 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -79,25 +79,12 @@ static int ssl_tmp_key_init_rsa(server_rec *s,
{
SSLModConfigRec *mc = myModConfig(s);
-#ifdef HAVE_FIPS
-
- if (FIPS_mode() && bits < 1024) {
- mc->pTmpKeys[idx] = NULL;
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Init: Skipping generating temporary "
- "%d bit RSA private key in FIPS mode", bits);
- return OK;
- }
-
-#endif
-
if (!(mc->pTmpKeys[idx] =
RSA_generate_key(bits, RSA_F4, NULL, NULL)))
{
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Init: Failed to generate temporary "
"%d bit RSA private key", bits);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
return !OK;
}
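Review bot: The revert in ssl_tmp_key_init_rsa also drops `ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);` from the RSA_generate_key failure branch, which sits outside the `#ifdef HAVE_FIPS` block and is not tied to FIPS mode. On the new side a failed temporary-key generation logs only the generic "Failed to generate temporary %d bit RSA private key" line, so the underlying reason from the SSL library (presumably left on its error queue) never reaches the operator. If the FIPS work is re-applied later, this line could land separately as its own change: keep `ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);` immediately before `return !OK;`. The function's signature and the rest of its body are outside the hunk, so any later handling of the failure cannot be checked from here.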
@@ -109,18 +96,6 @@ static int ssl_tmp_key_init_dh(server_rec *s,
{
SSLModConfigRec *mc = myModConfig(s);
-#ifdef HAVE_FIPS
-
- if (FIPS_mode() && bits < 1024) {
- mc->pTmpKeys[idx] = NULL;
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Init: Skipping generating temporary "
- "%d bit DH parameters in FIPS mode", bits);
- return OK;
- }
-
-#endif
-
if (!(mc->pTmpKeys[idx] =
ssl_dh_GetTmpParam(bits)))
{
@@ -256,26 +231,6 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
*/
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
-#ifdef HAVE_FIPS
- if(sc->fips) {
- if (!FIPS_mode())
- if (FIPS_mode_set(1)) {
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
- "Operating in SSL FIPS mode");
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, "FIPS mode failed");
- ssl_log_ssl_error(APLOG_MARK, APLOG_EMERG, s);
- ssl_die();
- }
- }
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
- "SSL FIPS mode disabled");
- }
-#endif
-
/*
* read server private keys/public certs into memory.
* decrypting any encrypted keys via configured SSLPassPhraseDialogs
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index af6d0f7259b..0613f0d213a 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -479,9 +479,6 @@ struct SSLSrvConfigRec {
#ifndef OPENSSL_NO_TLSEXT
ssl_enabled_t strict_sni_vhost_check;
#endif
-#ifdef HAVE_FIPS
- BOOL fips;
-#endif
};
/**
@@ -565,8 +562,6 @@ const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const c
const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
-const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
-
/** module initialization */
int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void ssl_init_Engine(server_rec *, apr_pool_t *);
diff --git a/modules/ssl/ssl_toolkit_compat.h b/modules/ssl/ssl_toolkit_compat.h
index 369516b2d51..a841eccda7b 100644
--- a/modules/ssl/ssl_toolkit_compat.h
+++ b/modules/ssl/ssl_toolkit_compat.h
@@ -141,10 +141,6 @@ typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
#define HAVE_SSL_X509V3_EXT_d2i
-#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
-#define HAVE_FIPS
-#endif
-
#ifndef PEM_F_DEF_CALLBACK
#ifdef PEM_F_PEM_DEF_CALLBACK
/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */