[monit-dev] r206 committed - Added FIPS patch by Lior Okman <address@hid
From: |
Jan-Henrik Haukeland |
Subject: |
[monit-dev] r206 committed - Added FIPS patch by Lior Okman <address@hidden> |
Date: |
Sat, 24 Jul 2010 13:37:58 +0200 |
FYI: The Monit svn repository has been set up to post commits to this mailing
list. The latest commit follows:
Revision: 206
Author: janhenrik.haukeland
Date: Sat Jul 24 04:27:48 2010
Log: Added FIPS patch by Lior Okman <address@hidden>
http://code.google.com/p/monit/source/detail?r=206
Added:
/trunk/AUTHORS
Modified:
/trunk/CHANGES.txt
/trunk/README
/trunk/l.l
/trunk/monit.pod
/trunk/monitor.h
/trunk/p.y
/trunk/ssl.c
/trunk/ssl.h
=======================================
--- /dev/null
+++ /trunk/AUTHORS Sat Jul 24 04:27:48 2010
@@ -0,0 +1,40 @@
+Authors:
+
+Jan-Henrik Haukeland <address@hidden>
+Martin Pala <address@hidden>
+Christian Hopp <address@hidden>
+Rory Toma <address@hidden>
+
+Contributors in alphabetical order:
+
+Michael Amster (mamster at webeasy com)
+Philipp Berndt (philipp bernd at gmx net)
+Olivier Beyssac (ob at r14 freenix org)
+Marco Bisioli (bisioli at adriacom it)
+Joe Bryant (JBryant at RiteAid com)
+Will Bryant (will bryant at ecosm com)
+Dave Cheney (dcheney at redbubble com)
+Sébastien Debrard (sebastien.debrard strange-garden com)
+Mark Ferlatte (ferlatte at cryptio net)
+David Fletcher (david at megapico co uk)
+Pierrick Grasland (pierrick grasland at nexcom fr)
+Klaus Heinz (k.heinz.apr.sieben at kh-22 de)
+Peter Holdaway (pholdaway at technocom-wireless com)
+Igor Homyakov (homyakov at altlinux ru)
+Mostafa Hosseini (mostafah at oeone com)
+Francois Isabelle (Francois Isabelle at ca kontron com)
+Oliver Jehle (oliver jehle at monex li)
+Kianusch Sayah Karadji (kianusch sayah karadji at sk-tech net)
+Artyom Khafizov (afk at inbox ru)
+Thomas Lohmueller (thomas at lohmueller ch)
+Bret "Trixter" McDanel (trixter at 0xdecafbad com)
+Arkadiusz Miskiewicz (arekm at pld-linux org)
+Tatsuya Nonogaki (nonotats at asahi email ne jp)
+Lior Okman (lior.okman at gmail.com)
+Thomas "Leppo" Oppel (oppel at kbis de)
+Rick Robino (rrobino at wavedivision com)
+Richard Schwaninger (risc at vmilch at)
+Margarida Sequeira (margarida at openbsd org)
+
+
+
=======================================
--- /trunk/CHANGES.txt Sat Jul 17 05:48:54 2010
+++ /trunk/CHANGES.txt Sat Jul 24 04:27:48 2010
@@ -48,6 +48,9 @@
on Monit host. The automatic credentials registration can be disabled:
set mmonit http://monit:address@hidden:8080/collector and register without
credentials
+* Added FIPS OpenSSL module to Monit httpd. Many thanks to Lior Okman
+ for providing the patch.
+
BUGFIXES:
* Show real process uptime - formerly the presented uptime was based on
create/modify
=======================================
--- /trunk/l.l Fri Jul 9 10:22:31 2010
+++ /trunk/l.l Sat Jul 24 04:27:48 2010
@@ -305,6 +305,7 @@
credentials { return CREDENTIALS; }
register { return REGISTER; }
fsflag(s)? { return FSFLAG; }
+fips { return FIPS; }
{byte} { return BYTE; }
{kilobyte} { return KILOBYTE; }
{megabyte} { return MEGABYTE; }
=======================================
--- /trunk/monit.pod Fri Jul 9 10:22:31 2010
+++ /trunk/monit.pod Sat Jul 24 04:27:48 2010
@@ -2581,6 +2581,19 @@
requested to stop and that (any) timeout lock will be removed
from a service when you start it.
+=head2 FIPS support
+
+Monit built-in web-server support the OpenSSL FIPS module.
+To enable this mode, your OpenSSL library must first be built
+with FIPS support. Then in the Monit control file, simply
+add this I<set> statement at the top;
+
+ set fips
+
+Note that the FIPS module may not be supported in the lates
+version of OpenSSL. So make sure that your version of OpenSSL
+support the FIPS object module before attempting to enable this
+in Monit.
=head2 Monit HTTPD Authentication
=======================================
--- /trunk/monitor.h Tue Jun 29 06:24:41 2010
+++ /trunk/monitor.h Sat Jul 24 04:27:48 2010
@@ -864,6 +864,9 @@
} MailFormat;
pthread_mutex_t mutex; /**< Mutex used for service data synchronization */
+#ifdef OPENSSL_FIPS
+ int fipsEnabled; /** TRUE if monit should use FIPS-140 mode */
+#endif
};
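Review bot: The new `fipsEnabled` member makes the layout of this struct depend on whether `OPENSSL_FIPS` is visible in every translation unit that includes monitor.h. `OPENSSL_FIPS` appears to come from the OpenSSL headers pulled in by ssl.h (this commit's ssl.h hunk tests it right after those includes), so a file that includes monitor.h without them would see a struct without the member; I cannot confirm from the diff that every such file includes ssl.h first. Declaring the field unconditionally, `int fipsEnabled; /**< TRUE if monit should use FIPS-140 mode */`, removes that dependency and lets the parser reject `set fips` at configuration time when the build lacks FIPS support; the `#ifdef` guards around `Run.fipsEnabled` in the two p.y hunks would then go away as well. The comment also uses the `/** */` form where the neighbouring member uses the `/**< */` trailing form.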
=======================================
--- /trunk/p.y Fri Jul 9 10:22:31 2010
+++ /trunk/p.y Sat Jul 24 04:27:48 2010
@@ -303,6 +303,7 @@
%token <url> URLOBJECT
%token <string> TARGET
%token <number> MAXFORWARD
+%token FIPS
%left GREATER LESS EQUAL NOTEQUAL
@@ -329,6 +330,7 @@
| setstatefile
| setexpectbuffer
| setinit
+ | setfips
| checkproc optproclist
| checkfile optfilelist
| checkfilesys optfilesyslist
@@ -516,6 +518,13 @@
}
;
+setfips : SET FIPS {
+ #ifdef OPENSSL_FIPS
+ Run.fipsEnabled = TRUE;
+ #endif
+ }
+ ;
+
setlog : SET LOGFILE PATH {
if (!Run.logfile || ihp.logfile) {
ihp.logfile = TRUE;
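Review bot: `set fips` is silently accepted as a no-op when `OPENSSL_FIPS` is not defined in this translation unit, so an administrator who asks for FIPS-140 mode gets an ordinary non-FIPS server with no diagnostic. The action should report the condition in an `#else` branch using the error routine the grammar uses for other rejected `set` statements, e.g. `#else` / `yyerror("FIPS mode is not supported by this build");` (I am assuming the grammar's error reporter is `yyerror`; substitute the local one if it differs). The setlog rule at the end of the hunk continues outside it.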
@@ -1896,6 +1905,9 @@
Run.localhostname = xstrdup(localhost);
depend_list = NULL;
Run.handler_init = TRUE;
+#ifdef OPENSSL_FIPS
+ Run.fipsEnabled = FALSE;
+#endif
for (i = 0; i <= HANDLER_MAX; i++)
Run.handler_queue[i] = 0;
/*
=======================================
--- /trunk/ssl.c Fri Jan 8 03:20:43 2010
+++ /trunk/ssl.c Sat Jul 24 04:27:48 2010
@@ -337,8 +337,18 @@
start_ssl();
ssl_server = new_ssl_server_connection(pemfile, clientpemfile);
-
- if(!(ssl_server->method= SSLv23_server_method())) {
+ SSL_METHOD *server_method = NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ server_method = TLSv1_server_method();
+ }
+ else {
+ server_method = SSLv23_server_method();
+ }
+#else
+ server_method = SSLv23_server_method();
+#endif
+ if(!(ssl_server->method= server_method)) {
LogError("%s: Cannot initialize the SSL method -- %s\n", prog, SSLERROR);
goto sslerror;
}
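Review bot: Both the `#else` branch and the runtime `else` branch assign `SSLv23_server_method()`, so the selection can be written as a default followed by a single FIPS override, `server_method = SSLv23_server_method();` and then, inside the `#ifdef OPENSSL_FIPS` block, `if (FIPS_mode()) server_method = TLSv1_server_method();`, which halves the conditional code. Recent OpenSSL releases declare the method functions as returning `const SSL_METHOD *`; if that holds for the version Monit targets, declaring `const SSL_METHOD *server_method` avoids a discarded-qualifier warning (verify against the headers in use). The enclosing function starts and ends outside the hunk.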
@@ -667,15 +677,41 @@
switch (sslversion) {
case SSL_VERSION_AUTO:
- ssl->method = SSLv23_client_method();
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ ssl->method = TLSv1_client_method();
+ } else {
+#endif
+ ssl->method = SSLv23_client_method();
+#ifdef OPENSSL_FIPS
+ }
+#endif
break;
case SSL_VERSION_SSLV2:
- ssl->method = SSLv2_client_method();
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ LogError("SSLv2 is not allowed in FIPS mode - use TLSv1");
+ goto sslerror;
+ } else {
+#endif
+ ssl->method = SSLv2_client_method();
+#ifdef OPENSSL_FIPS
+ }
+#endif
break;
case SSL_VERSION_SSLV3:
- ssl->method = SSLv3_client_method();
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ LogError("SSLv3 is not allowed in FIPS mode - use TLSv1");
+ goto sslerror;
+ } else {
+#endif
+ ssl->method = SSLv3_client_method();
+#ifdef OPENSSL_FIPS
+ }
+#endif
break;
case SSL_VERSION_TLS:
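Review bot: In each case the `if (FIPS_mode()) { ... } else {` is opened inside one `#ifdef OPENSSL_FIPS` and closed inside another, so the braces do not match for anyone reading the non-FIPS text, and the pattern is repeated three times; the two new LogError messages also lack the trailing `\n` that the other LogError calls in this file carry (see the server-side hunk). Checking the FIPS/SSLv2/SSLv3 conflict once before the switch and collapsing the AUTO case to a conditional expression gives the same behaviour with one self-contained `#ifdef` per site. The surrounding function, including the `sslerror` label the new `goto`s rely on, starts and ends outside the hunk, so I could not confirm that label exists in this function.
```c
#ifdef OPENSSL_FIPS
        if (FIPS_mode() && (sslversion == SSL_VERSION_SSLV2 || sslversion == SSL_VERSION_SSLV3)) {
                LogError("SSLv2 and SSLv3 are not allowed in FIPS mode - use TLSv1\n");
                goto sslerror;
        }
#endif
        switch (sslversion) {
        case SSL_VERSION_AUTO:
#ifdef OPENSSL_FIPS
                ssl->method = FIPS_mode() ? TLSv1_client_method() : SSLv23_client_method();
#else
                ssl->method = SSLv23_client_method();
#endif
                break;
        /* … unchanged: SSL_VERSION_SSLV2, SSL_VERSION_SSLV3 and SSL_VERSION_TLS cases as before this patch … */
```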
@@ -1019,11 +1055,17 @@
if(!(ssl->cert = SSL_get_peer_certificate(ssl->handler)))
return FALSE;
- ssl->cert_issuer= X509_NAME_oneline (X509_get_issuer_name(ssl->cert), 0, 0);
- ssl->cert_subject= X509_NAME_oneline (X509_get_subject_name(ssl->cert), 0,
0);
- X509_digest(ssl->cert, EVP_md5(), md5, &ssl->cert_md5_len);
- ssl->cert_md5= (unsigned char *)xstrdup((char *)md5);
-
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode()) {
+ /* In FIPS-140 mode, MD5 is unavailable. */
+#endif
+ ssl->cert_issuer= X509_NAME_oneline (X509_get_issuer_name(ssl->cert), 0,
0);
+ ssl->cert_subject= X509_NAME_oneline (X509_get_subject_name(ssl->cert), 0,
0);
+ X509_digest(ssl->cert, EVP_md5(), md5, &ssl->cert_md5_len);
+ ssl->cert_md5= (unsigned char *)xstrdup((char *)md5);
+#ifdef OPENSSL_FIPS
+ }
+#endif
return TRUE;
}
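Review bot: The `!FIPS_mode()` guard also skips the two `X509_NAME_oneline` calls for issuer and subject, although only the `EVP_md5()` digest is unavailable in FIPS-140 mode, so FIPS builds lose certificate issuer/subject information for no reason; the explanatory comment is also placed inside the non-FIPS branch, where it reads as if that branch were the FIPS case. Keep the name extraction unconditional and guard only the digest. In FIPS mode `cert_md5` then stays unset, so whatever consumes it (presumably the certificate checksum check) must tolerate a missing value — that code is not visible here. The function begins outside the hunk.
```c
        ssl->cert_issuer= X509_NAME_oneline (X509_get_issuer_name(ssl->cert), 0, 0);
        ssl->cert_subject= X509_NAME_oneline (X509_get_subject_name(ssl->cert), 0, 0);
#ifdef OPENSSL_FIPS
        /* MD5 is not available in FIPS-140 mode; leave cert_md5 unset there. */
        if (!FIPS_mode()) {
#endif
        X509_digest(ssl->cert, EVP_md5(), md5, &ssl->cert_md5_len);
        ssl->cert_md5= (unsigned char *)xstrdup((char *)md5);
#ifdef OPENSSL_FIPS
        }
#endif
        return TRUE;
```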
@@ -1052,6 +1094,18 @@
}
+#ifdef OPENSSL_FIPS
+/**
+ * Enable FIPS mode, if it isn't enabled yet.
+ */
+void enable_fips_mode()
+{
+ if (!FIPS_mode()) {
+ ASSERT(FIPS_mode_set(1));
+ LogInfo("FIPS-140 mode is enabled\n");
+ }
+}
+#endif
/**
* Start SSL support library. It has to be run before the SSL support
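Review bot: `ASSERT(FIPS_mode_set(1))` places the only call that actually switches OpenSSL into FIPS mode inside an assertion macro; if Monit's `ASSERT` is ever compiled out, the call disappears and the server silently runs non-FIPS despite `set fips`, and even when it is active a self-test failure aborts without logging OpenSSL's reason. Make the call unconditional, log the failure with the file's usual `LogError`/`SSLERROR` form, and only then fail. The definition and the ssl.h declaration `void enable_fips_mode();` should both read `(void)` so the compiler checks call sites.
```c
void enable_fips_mode(void)
{
        if (FIPS_mode()) {
                return;
        }
        /* Keep the call outside ASSERT so it can never be compiled away. */
        int ok = FIPS_mode_set(1);
        if (!ok) {
                LogError("%s: Cannot enable FIPS-140 mode -- %s\n", prog, SSLERROR);
        }
        ASSERT(ok);
        LogInfo("FIPS-140 mode is enabled\n");
}
```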
@@ -1061,6 +1115,11 @@
static int start_ssl() {
if(! ssl_initialized) {
+#ifdef OPENSSL_FIPS
+ if (Run.fipsEnabled) {
+ enable_fips_mode();
+ }
+#endif
int i;
int locks = CRYPTO_num_locks();
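Review bot: The FIPS block is inserted between `if(! ssl_initialized) {` and the `int i;` declaration, so it is a statement placed before declarations in the same block; the rest of this function keeps declarations first, and a compiler in C89 mode rejects the mix. Move the `#ifdef OPENSSL_FIPS` block to just below `int locks = CRYPTO_num_locks();`. FIPS mode is also enabled before the locking setup that `CRYPTO_num_locks()` appears to begin; I could not confirm from the hunk whether the self-tests run by `FIPS_mode_set` require those callbacks, so this is worth checking against the OpenSSL documentation for the version in use. The function continues outside the hunk.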
=======================================
--- /trunk/ssl.h Fri Jan 8 03:20:43 2010
+++ /trunk/ssl.h Sat Jul 24 04:27:48 2010
@@ -38,7 +38,10 @@
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
#endif
+#endif
#define SSL_VERSION_AUTO 0
#define SSL_VERSION_SSLV2 1
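Review bot: The added `#endif` is placed after the pre-existing one, so the existing `#endif` now closes `#ifdef OPENSSL_FIPS` and the new one closes the outer conditional; the result is equivalent but the nesting reads backwards. Putting the new `#endif` directly after `#include <openssl/fips.h>` keeps each conditional visibly closed by its own line. The outer conditional this sits in starts outside the hunk.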
@@ -102,6 +105,9 @@
ssl_connection *new_ssl_connection(char *, int);
ssl_connection *insert_accepted_ssl_socket(ssl_server_connection *);
ssl_server_connection *init_ssl_server(char *, char *);
+#ifdef OPENSSL_FIPS
+void enable_fips_mode();
+#endif
#else