
[monit-dev] r206 committed - Added FIPS patch by Lior Okman <address@hid


From: Jan-Henrik Haukeland
Subject: [monit-dev] r206 committed - Added FIPS patch by Lior Okman <address@hidden>
Date: Sat, 24 Jul 2010 13:37:58 +0200

FYI: The Monit svn repository has been setup to post commits to this mailing 
list. The latest commit follows:

Revision: 206
Author: janhenrik.haukeland
Date: Sat Jul 24 04:27:48 2010
Log: Added FIPS patch by Lior Okman <address@hidden>
http://code.google.com/p/monit/source/detail?r=206

Added:
/trunk/AUTHORS
Modified:
/trunk/CHANGES.txt
/trunk/README
/trunk/l.l
/trunk/monit.pod
/trunk/monitor.h
/trunk/p.y
/trunk/ssl.c
/trunk/ssl.h

=======================================
--- /dev/null
+++ /trunk/AUTHORS      Sat Jul 24 04:27:48 2010
@@ -0,0 +1,40 @@
+Authors:
+
+Jan-Henrik Haukeland <address@hidden>
+Martin Pala <address@hidden>
+Christian Hopp <address@hidden>
+Rory Toma <address@hidden>
+
+Contributors in alphabetical order:
+
+Michael Amster (mamster at webeasy com)
+Philipp Berndt (philipp bernd at gmx net)
+Olivier Beyssac (ob at r14 freenix org)
+Marco Bisioli (bisioli at adriacom it)
+Joe Bryant (JBryant at RiteAid com)
+Will Bryant (will bryant at ecosm com)
+Dave Cheney (dcheney at redbubble com)
+Sébastien Debrard (sebastien.debrard strange-garden com)
+Mark Ferlatte (ferlatte at cryptio net)
+David Fletcher (david at megapico co uk)
+Pierrick Grasland (pierrick grasland at nexcom fr)
+Klaus Heinz (k.heinz.apr.sieben at kh-22 de)
+Peter Holdaway (pholdaway at technocom-wireless com)
+Igor Homyakov (homyakov at altlinux ru)
+Mostafa Hosseini (mostafah at oeone com)
+Francois Isabelle (Francois Isabelle at ca kontron com)
+Oliver Jehle (oliver jehle at monex li)
+Kianusch Sayah Karadji (kianusch sayah karadji at sk-tech net)
+Artyom Khafizov (afk at inbox ru)
+Thomas Lohmueller (thomas at lohmueller ch)
+Bret "Trixter" McDanel (trixter at 0xdecafbad com)
+Arkadiusz Miskiewicz (arekm at pld-linux org)
+Tatsuya Nonogaki (nonotats at asahi email ne jp)
+Lior Okman (lior.okman at gmail.com)
+Thomas "Leppo" Oppel (oppel at kbis de)
+Rick Robino (rrobino at wavedivision com)
+Richard Schwaninger (risc at vmilch at)
+Margarida Sequeira (margarida at openbsd org)
+
+
+
=======================================
--- /trunk/CHANGES.txt  Sat Jul 17 05:48:54 2010
+++ /trunk/CHANGES.txt  Sat Jul 24 04:27:48 2010
@@ -48,6 +48,9 @@
  on Monit host. The automatic credentials registration can be disabled:
     set mmonit http://monit:address@hidden:8080/collector and register without 
credentials

+* Added FIPS OpenSSL module to Monit httpd. Many thanks to Lior Okman
+  for providing the patch.
+
BUGFIXES:

* Show real process uptime - formerly the presented uptime was based on 
create/modify
=======================================
--- /trunk/l.l  Fri Jul  9 10:22:31 2010
+++ /trunk/l.l  Sat Jul 24 04:27:48 2010
@@ -305,6 +305,7 @@
credentials       { return CREDENTIALS; }
register          { return REGISTER; }
fsflag(s)?        { return FSFLAG; }
+fips              { return FIPS; }
{byte}            { return BYTE; }
{kilobyte}        { return KILOBYTE; }
{megabyte}        { return MEGABYTE; }
=======================================
--- /trunk/monit.pod    Fri Jul  9 10:22:31 2010
+++ /trunk/monit.pod    Sat Jul 24 04:27:48 2010
@@ -2581,6 +2581,19 @@
requested to stop and that (any) timeout lock will be removed
from a service when you start it.

+=head2 FIPS support
+
+Monit built-in web-server support the OpenSSL FIPS module.
+To enable this mode, your OpenSSL library must first be built
+with FIPS support. Then in the Monit control file, simply
+add this I<set> statement at the top;
+
+ set fips
+
+Note that the FIPS module may not be supported in the lates
+version of OpenSSL. So make sure that your version of OpenSSL
+support the FIPS object module before attempting to enable this
+in Monit.

=head2 Monit HTTPD Authentication

=======================================
--- /trunk/monitor.h    Tue Jun 29 06:24:41 2010
+++ /trunk/monitor.h    Sat Jul 24 04:27:48 2010
@@ -864,6 +864,9 @@
  } MailFormat;

  pthread_mutex_t mutex;    /**< Mutex used for service data synchronization */
+#ifdef OPENSSL_FIPS
+  int fipsEnabled;                /** TRUE if monit should use FIPS-140 mode */
+#endif
};


=======================================
--- /trunk/p.y  Fri Jul  9 10:22:31 2010
+++ /trunk/p.y  Sat Jul 24 04:27:48 2010
@@ -303,6 +303,7 @@
%token <url> URLOBJECT
%token <string> TARGET
%token <number> MAXFORWARD
+%token FIPS

%left GREATER LESS EQUAL NOTEQUAL

@@ -329,6 +330,7 @@
                | setstatefile
                | setexpectbuffer
                | setinit
+                | setfips
                | checkproc optproclist
                | checkfile optfilelist
                | checkfilesys optfilesyslist
@@ -516,6 +518,13 @@
                  }
                ;

+setfips         : SET FIPS {
+                  #ifdef OPENSSL_FIPS
+                    Run.fipsEnabled = TRUE;
+                  #endif
+                  }
+                ;
+
setlog          : SET LOGFILE PATH   {
                   if (!Run.logfile || ihp.logfile) {
                     ihp.logfile = TRUE;
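Review bot: `set fips` is accepted and silently ignored when Monit is built without OPENSSL_FIPS — the `#ifdef` inside the setfips action has no `#else` — so an operator who adds the statement gets no indication that the httpd is not actually running in FIPS-140 mode. I'd add `#else` / `yyerror("FIPS support is not compiled into this Monit binary");` / `#endif` so the mismatch surfaces at configuration-check time; if a soft failure is preferred, the parser's warning routine would do, but a silent no-op is the one outcome to avoid for a setting the operator relies on for compliance. The same consideration applies to the initialisation hunk below, which is fine as written. The setlog rule that follows starts inside this hunk and continues past it.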
@@ -1896,6 +1905,9 @@
  Run.localhostname       = xstrdup(localhost);
  depend_list             = NULL;
  Run.handler_init        = TRUE;
+#ifdef OPENSSL_FIPS
+  Run.fipsEnabled         = FALSE;
+#endif
  for (i = 0; i <= HANDLER_MAX; i++)
    Run.handler_queue[i] = 0;
  /*
=======================================
--- /trunk/ssl.c        Fri Jan  8 03:20:43 2010
+++ /trunk/ssl.c        Sat Jul 24 04:27:48 2010
@@ -337,8 +337,18 @@
    start_ssl();

  ssl_server = new_ssl_server_connection(pemfile, clientpemfile);
-
-  if(!(ssl_server->method= SSLv23_server_method())) {
+  SSL_METHOD *server_method = NULL;
+#ifdef OPENSSL_FIPS
+  if (FIPS_mode()) {
+         server_method = TLSv1_server_method();
+  }
+  else {
+         server_method = SSLv23_server_method();
+  }
+#else
+  server_method = SSLv23_server_method();
+#endif
+  if(!(ssl_server->method= server_method)) {
    LogError("%s: Cannot initialize the SSL method -- %s\n", prog, SSLERROR);
    goto sslerror;
  }
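Review bot: `SSL_METHOD *server_method` is declared non-const, while OpenSSL 1.0.0 and later return `const SSL_METHOD *` from `SSLv23_server_method()` and `TLSv1_server_method()`, so on those versions this assignment discards a qualifier; `const SSL_METHOD *server_method = NULL;` is compatible with both generations, provided the `ssl_server->method` member (declared outside this hunk) has a matching type. The declaration also now sits after the `new_ssl_server_connection()` call, which requires C99 mixed declarations — the rest of this file appears to keep declarations first. The enclosing function starts and ends outside the hunk.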
@@ -667,15 +677,41 @@
  switch (sslversion) {

  case SSL_VERSION_AUTO:
-    ssl->method = SSLv23_client_method();
+#ifdef OPENSSL_FIPS
+         if (FIPS_mode()) {
+           ssl->method = TLSv1_client_method();
+         } else {
+#endif
+               ssl->method = SSLv23_client_method();
+#ifdef OPENSSL_FIPS
+         }
+#endif
    break;

  case SSL_VERSION_SSLV2:
-    ssl->method = SSLv2_client_method();
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode()) {
+         LogError("SSLv2 is not allowed in FIPS mode - use TLSv1");
+         goto sslerror;
+       } else {
+#endif
+         ssl->method = SSLv2_client_method();
+#ifdef OPENSSL_FIPS
+       }
+#endif
    break;

  case SSL_VERSION_SSLV3:
-    ssl->method = SSLv3_client_method();
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode()) {
+         LogError("SSLv3 is not allowed in FIPS mode - use TLSv1");
+         goto sslerror;
+       } else {
+#endif
+      ssl->method = SSLv3_client_method();
+#ifdef OPENSSL_FIPS
+       }
+#endif
    break;

  case SSL_VERSION_TLS:
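Review bot: Each of the three rewritten cases opens an `if`/`else` brace pair across `#ifdef OPENSSL_FIPS` boundaries, so the `{` and `}` that pair up are in different preprocessor branches and the reader has to mentally expand both builds to check the nesting; the same effect is obtained by putting only the FIPS check under `#ifdef` and letting it `break` or `goto sslerror`, leaving the non-FIPS assignment unconditional. The two new `LogError` messages also lack the trailing `\n` and the `%s: ` prog prefix that the LogError call in the server-method hunk uses, and the indentation mixes tabs and spaces inconsistently with the surrounding two-space style. The enclosing function starts and ends outside the hunk.
```c
  case SSL_VERSION_AUTO:
#ifdef OPENSSL_FIPS
    if (FIPS_mode()) {
      ssl->method = TLSv1_client_method();
      break;
    }
#endif
    ssl->method = SSLv23_client_method();
    break;

  case SSL_VERSION_SSLV2:
#ifdef OPENSSL_FIPS
    if (FIPS_mode()) {
      LogError("%s: SSLv2 is not allowed in FIPS mode - use TLSv1\n", prog);
      goto sslerror;
    }
#endif
    ssl->method = SSLv2_client_method();
    break;

  case SSL_VERSION_SSLV3:
#ifdef OPENSSL_FIPS
    if (FIPS_mode()) {
      LogError("%s: SSLv3 is not allowed in FIPS mode - use TLSv1\n", prog);
      goto sslerror;
    }
#endif
    ssl->method = SSLv3_client_method();
    break;
  /* … unchanged: SSL_VERSION_TLS case and the rest of the switch … */
```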
@@ -1019,11 +1055,17 @@
  if(!(ssl->cert = SSL_get_peer_certificate(ssl->handler)))
    return FALSE;

-  ssl->cert_issuer= X509_NAME_oneline (X509_get_issuer_name(ssl->cert), 0, 0);
-  ssl->cert_subject= X509_NAME_oneline (X509_get_subject_name(ssl->cert), 0, 
0);
-  X509_digest(ssl->cert, EVP_md5(), md5, &ssl->cert_md5_len);
-  ssl->cert_md5= (unsigned char *)xstrdup((char *)md5);
-
+#ifdef OPENSSL_FIPS
+  if (!FIPS_mode()) {
+    /* In FIPS-140 mode, MD5 is unavailable. */
+#endif
+    ssl->cert_issuer= X509_NAME_oneline (X509_get_issuer_name(ssl->cert), 0, 
0);
+    ssl->cert_subject= X509_NAME_oneline (X509_get_subject_name(ssl->cert), 0, 
0);
+    X509_digest(ssl->cert, EVP_md5(), md5, &ssl->cert_md5_len);
+    ssl->cert_md5= (unsigned char *)xstrdup((char *)md5);
+#ifdef OPENSSL_FIPS
+  }
+#endif
  return TRUE;

}
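Review bot: The new `if (!FIPS_mode())` guard skips the two `X509_NAME_oneline` assignments as well as the MD5 digest, so in FIPS mode `cert_issuer` and `cert_subject` are never filled in although extracting them needs no MD5; only `X509_digest(ssl->cert, EVP_md5(), ...)` and the `xstrdup` line after it belong inside the guard, which should open after the second `X509_NAME_oneline` line. Because the function still returns TRUE with `cert_md5` unset, a configured certificate-checksum check now depends on how the caller treats a missing fingerprint — that code is outside this hunk, but it must fail closed rather than match. The comment `/* In FIPS-140 mode, MD5 is unavailable. */` is placed inside the branch that runs only when FIPS is off; it reads correctly above the `if`. `xstrdup((char *)md5)` copying a raw digest as a NUL-terminated string predates this commit. The enclosing function starts outside the hunk.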
@@ -1052,6 +1094,18 @@

}

+#ifdef OPENSSL_FIPS
+/**
+ * Enable FIPS mode, if it isn't enabled yet.
+ */
+void enable_fips_mode()
+{
+       if (!FIPS_mode()) {
+               ASSERT(FIPS_mode_set(1));
+               LogInfo("FIPS-140 mode is enabled\n");
+       }
+}
+#endif

/**
 * Start SSL support library. It has to be run before the SSL support
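Review bot: `ASSERT(FIPS_mode_set(1))` places the call that actually switches OpenSSL into FIPS mode inside an assertion macro, so on failure the only diagnostic is whatever ASSERT prints and the OpenSSL error queue — which says why the module refused (integrity self-test, unsupported build) — is lost. I'd evaluate the call first and log it the way the server-method hunk does: `int rc = FIPS_mode_set(1);` / `if (!rc) LogError("%s: Cannot enable FIPS-140 mode -- %s\n", prog, SSLERROR);` / `ASSERT(rc);`. If ASSERT can be compiled out in any build configuration (its definition is not visible here), the current form would additionally leave FIPS mode silently disabled after the operator asked for it. Both this definition and the prototype in the ssl.h hunk should read `enable_fips_mode(void)`; an empty parameter list is an unprototyped declaration in C.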
@@ -1061,6 +1115,11 @@
static int start_ssl() {

  if(! ssl_initialized) {
+#ifdef OPENSSL_FIPS
+       if (Run.fipsEnabled) {
+               enable_fips_mode();
+       }
+#endif
    int i;
    int locks = CRYPTO_num_locks();

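Review bot: The `enable_fips_mode()` call is inserted before `int i;` and `int locks = CRYPTO_num_locks();`, so the block now has a statement ahead of its declarations, which requires C99; the surrounding declare-first layout suggests the file was not relying on that. Moving the `#ifdef OPENSSL_FIPS` block to just after the `locks` declaration keeps the block declaration-first with identical behaviour, since nothing between them depends on FIPS mode. start_ssl's body continues outside the hunk.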
=======================================
--- /trunk/ssl.h        Fri Jan  8 03:20:43 2010
+++ /trunk/ssl.h        Sat Jul 24 04:27:48 2010
@@ -38,7 +38,10 @@
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
#endif
+#endif

#define SSL_VERSION_AUTO       0
#define SSL_VERSION_SSLV2      1
@@ -102,6 +105,9 @@
ssl_connection        *new_ssl_connection(char *, int);
ssl_connection        *insert_accepted_ssl_socket(ssl_server_connection *);
ssl_server_connection *init_ssl_server(char *, char *);
+#ifdef OPENSSL_FIPS
+void                   enable_fips_mode();
+#endif


#else


