author | Ben Laurie <ben@apache.org> | 2005-06-11 14:14:56 +0000 |
---|---|---|
committer | Ben Laurie <ben@apache.org> | 2005-06-11 14:14:56 +0000 |
commit | 0db271851319ca8fef51a3a884ae7dc0b5c5b29b (patch) | |
tree | e08257803fd4f8c72dbe899b885f13f2591d299f | |
parent | 2ae51e77b7cef73df0e78c9959210171ea5e8e9d (diff) | |
Add --enable-fips, FIPSify everything.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/fips-dev@190120 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | README-FIPS | 8 | ||||
-rw-r--r-- | build/program.mk | 8 | ||||
-rw-r--r-- | configure.in | 9 | ||||
-rw-r--r-- | include/http_main.h | 1 | ||||
-rw-r--r-- | include/util_md5.h | 15 | ||||
-rw-r--r-- | modules/ssl/mod_ssl.c | 20 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_config.c | 5 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 10 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_rand.c | 25 | ||||
-rw-r--r-- | modules/ssl/ssl_private.h | 4 | ||||
-rw-r--r-- | server/Makefile.in | 2 | ||||
-rw-r--r-- | server/core.c | 6 | ||||
-rw-r--r-- | server/util_md5.c | 33 | ||||
-rw-r--r-- | srclib/apr-util/configure.in | 4 | ||||
-rw-r--r-- | srclib/apr-util/crypto/apr_md4.c | 6 | ||||
-rw-r--r-- | srclib/apr-util/crypto/apr_md5.c | 23 | ||||
-rw-r--r-- | srclib/apr-util/crypto/apr_sha1.c | 31 | ||||
-rw-r--r-- | support/htdbm.c | 14 | ||||
-rw-r--r-- | support/htdigest.c | 13 | ||||
-rw-r--r-- | support/htpasswd.c | 25 |
20 files changed, 236 insertions, 26 deletions
diff --git a/README-FIPS b/README-FIPS
index 26f36dc2bf..14aab82cae 100644
--- a/README-FIPS
+++ b/README-FIPS
@@ -21,7 +21,11 @@ build of the OpenSSL library.
 Note this branch includes apr and apr-util, while the authors figure out what
to do about apr MD5 and other fips issues are resolved. That work will be
-submitted to the apr project, once the least distruptive change is ascertained.
+submitted to the apr project, once the least distruptive change is
+ascertained.
+
+Note also that even with FIPS mode is off, operations using MD5 are
+not possible.
Stuff FIPS requires
-------------------
@@ -32,3 +36,5 @@ a single chunk (note that this could be relaxed at the cost of more code).
Certificates: must be signed using SHA-1.
+
+Passwords: must be SHA-1 hashed.
diff --git a/build/program.mk b/build/program.mk index 3b5d2abef2..e3030e8dda 100644 --- a/build/program.mk +++ b/build/program.mk @@ -16,7 +16,15 @@ # The build environment was provided by Sascha Schumann. PROGRAM_OBJECTS = $(PROGRAM_SOURCES:.c=.lo) +TOP=/home/ben/work/openssl-0.9.7 + +# XXX: I don't know how to work out the correct path for the real executable +TO_FINGERPRINT = $(PROGRAM_NAME:httpd=.libs/lt-httpd) +FINGERPRINT = $(TO_FINGERPRINT).sha1 $(PROGRAM_NAME): $(PROGRAM_DEPENDENCIES) $(PROGRAM_OBJECTS) $(PROGRAM_PRELINK) $(LINK) $(PROGRAM_LDFLAGS) $(PROGRAM_OBJECTS) $(PROGRAM_LDADD) +# blearg - force libtool to do its stupid magic + -./$(PROGRAM_NAME) --help + TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(TO_FINGERPRINT) > $(FINGERPRINT) diff --git a/configure.in b/configure.in index c7e43e9a32..3cd02c7c31 100644 --- a/configure.in +++ b/configure.in @@ -18,6 +18,10 @@ sinclude(build/find_apr.m4) sinclude(build/find_apu.m4) sinclude(acinclude.m4) +dnl Allow FIPS mode +AC_ARG_ENABLE(fips,[Enable FIPS mode (i.e. disable or replace all crypto)], + [AC_DEFINE([AP_FIPS],1,[Set to 1 if FIPS mode is enabled])]) + dnl XXX we can't just use AC_PREFIX_DEFAULT because that isn't subbed in dnl by configure until it is too late. Is that how it should be or not? dnl Something seems broken here. @@ -106,8 +110,11 @@ yes.reconfig) esac if test "$apu_found" = "reconfig"; then + if test "${enable_fips+set}" = set; then + fips_option="--enable-fips" + fi APR_SUBDIR_CONFIG(srclib/apr-util, - [--with-apr=../apr --prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir --includedir=$includedir --bindir=$bindir], + [--with-apr=../apr --prefix=$prefix --exec-prefix=$exec_prefix --libdir=$libdir --includedir=$includedir --bindir=$bindir $fips_option], [--enable-layout=*|\'--enable-layout=*]) dnl We must be the last to build and the first to be cleaned AP_BUILD_SRCLIB_DIRS="$AP_BUILD_SRCLIB_DIRS apr-util" 
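Review bot: `TOP=/home/ben/work/openssl-0.9.7` hard-codes one developer's OpenSSL tree into the shared link rule, and the two recipe lines added after `$(LINK)` are not conditional on FIPS being enabled, so every program built through this rule now depends on `$(TOP)/fips/openssl_fips_fingerprint` existing at that path. The fingerprint is only meaningful if the tool and the `libcrypto.a` it reads are the ones the binary was linked against, so the location should be a configure-substituted variable and the fingerprint step should be guarded by the FIPS setting. `-./$(PROGRAM_NAME) --help` also runs the freshly built binary during the build with its exit status ignored. The `# blearg` comment should be replaced by one that says what libtool side effect is being relied on and that this step cannot work when cross-compiling.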
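Review bot: The third argument of `AC_ARG_ENABLE(fips, ...)` runs whenever the option appears on the command line in either form, so `--disable-fips` or `--enable-fips=no` still defines `AP_FIPS`. Wrap the `AC_DEFINE` in `if test "$enableval" = "yes"; then` … `fi` so only an affirmative setting switches the crypto behaviour. The same applies to the `test "${enable_fips+set}" = set` check in the second hunk of this file, which forwards `--enable-fips` to apr-util for any explicit setting, and to the identical `AC_ARG_ENABLE` block added to srclib/apr-util/configure.in for `APU_FIPS`. `fips_option` is also never initialised to empty before the `if`, so a value inherited from the environment would be passed through to the sub-configure.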
diff --git a/include/http_main.h b/include/http_main.h index fcd6236dcf..861a3a133c 100644 --- a/include/http_main.h +++ b/include/http_main.h @@ -35,6 +35,7 @@ extern "C" { /** The name of the Apache executable */ AP_DECLARE_DATA extern const char *ap_server_argv0; +AP_DECLARE_DATA extern const char *ap_server_full_argv0; /** The global server's ServerRoot */ AP_DECLARE_DATA extern const char *ap_server_root; diff --git a/include/util_md5.h b/include/util_md5.h index 16b0e0144c..200ae8e0f5 100644 --- a/include/util_md5.h +++ b/include/util_md5.h @@ -26,7 +26,20 @@ extern "C" { */ #include "apr_md5.h" +#include "ap_config_auto.h" +#ifdef AP_FIPS +/** + * Create a SHA-1 checksum of a string of binary data + * @param a Pool to allocate out of + * @param buf Buffer to generate checksum for + * @param len The length of the buffer + * @return The checksum in hex + * @deffunc char *ap_md5_binary(apr_pool_t *a, const unsigned char *buf, int len) + */ +AP_DECLARE(char *) ap_sha1_binary(apr_pool_t *a, const unsigned char *buf, int len); + +#else /** * Create an MD5 checksum of a given string * @param a Pool to allocate out of @@ -63,6 +76,8 @@ AP_DECLARE(char *) ap_md5contextTo64(apr_pool_t *p, apr_md5_ctx_t *context); */ AP_DECLARE(char *) ap_md5digest(apr_pool_t *p, apr_file_t *infile); +#endif /*ndef AP_FIPS */ + #ifdef __cplusplus } #endif diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index f973a611f9..448131559d 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -99,9 +99,11 @@ static const command_rec ssl_config_cmds[] = { SSL_CMD_SRV(Engine, TAKE1, "SSL switch for the protocol engine " "(`on', `off')") +#ifdef AP_FIPS SSL_CMD_SRV(FIPS, TAKE1, "Enable FIPS-140 compliance " "(`on', `off')") +#endif SSL_CMD_ALL(CipherSuite, TAKE1, "Colon-delimited list of permitted SSL Ciphers " "(`XXX:...:XXX' - see manual)") 
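Review bot: The doc comment added for `ap_sha1_binary` in include/util_md5.h still carries `@deffunc char *ap_md5_binary(...)`, copied from the MD5 declaration below it, so generated documentation will list the wrong function. It should read `@deffunc char *ap_sha1_binary(apr_pool_t *a, const unsigned char *buf, int len)`. The `@return` line should state how many hex characters are returned, because the caller in modules/ssl/mod_ssl.c passes a fixed length of `APR_MD5_DIGESTSIZE*2` alongside the result. Since the `#else` hides every `ap_md5*` prototype when `AP_FIPS` is set, a sentence in the header saying that modules calling those functions will not compile in a FIPS build would save readers a search.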
@@ -343,7 +345,7 @@ int ssl_init_ssl_connection(conn_rec *c) SSLSrvConfigRec *sc = mySrvConfig(c->base_server); SSL *ssl; SSLConnRec *sslconn = myConnConfig(c); - char *vhost_md5; + char *vhost_digest; modssl_ctx_t *mctx; /* @@ -373,14 +375,20 @@ int ssl_init_ssl_connection(conn_rec *c) return DECLINED; /* XXX */ } - vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id, - sc->vhost_id_len); - - if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5, +#ifdef AP_FIPS + vhost_digest = ap_sha1_binary(c->pool, (unsigned char *)sc->vhost_id, + sc->vhost_id_len); +#else + vhost_digest = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id, + sc->vhost_id_len); +#endif + +/* Using only 32 bytes is deliberate */ + if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_digest, APR_MD5_DIGESTSIZE*2)) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, - "Unable to set session id context to `%s'", vhost_md5); + "Unable to set session id context to `%s'", vhost_digest); ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); c->aborted = 1; diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 16d13024a9..de881ec69d 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -254,7 +254,9 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) cfgMerge(mc, NULL); cfgMerge(enabled, SSL_ENABLED_UNSET); +#ifdef AP_FIPS cfgMerge(fips, SSL_FIPS_UNSET); // FIPS-XXX: make more than one setting an error? +#endif cfgMergeBool(proxy_enabled); cfgMergeInt(session_cache_timeout); cfgMergeBool(cipher_server_pref); @@ -619,6 +621,8 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg) return "Argument must be On, Off, or Optional"; } + +#ifdef AP_FIPS // FIPS-XXX: this is global, i.e. can only be set once, not per-server. const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, const char *arg) { 
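Review bot: The added comment `/* Using only 32 bytes is deliberate */` in ssl_init_ssl_connection does not say why, and the length is still spelled `APR_MD5_DIGESTSIZE*2` on the SHA-1 path, which reads like a leftover rather than a decision. Suggest `/* The session id context is capped at SSL_MAX_SID_CTX_LENGTH (32) bytes, so only the first 32 hex characters of the digest are used. */` and passing a named constant for the length. This also makes it explicit that the call depends on `ap_sha1_binary` returning at least 32 characters. The function body continues outside the hunk.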
@@ -635,6 +639,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, const char *arg) return "Argument must be On or Off"; } +#endif const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, void *dcfg, diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 01b336f2e5..2e7993986f 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -87,9 +87,9 @@ static void ssl_add_version_components(apr_pool_t *p, MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_512); \ MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_1024) +#if AP_FIPS /* FIPS-140 prevents automatic rekeying in child processes, so we have * to do it */ - static void fips_rand_reseed(server_rec *s, apr_pool_t *ptemp) { static int rand_seeded; @@ -100,6 +100,7 @@ static void fips_rand_reseed(server_rec *s, apr_pool_t *ptemp) rand_seeded=1; } } +#endif static void ssl_tmp_keys_free(server_rec *s) { @@ -227,8 +228,10 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, sc->enabled = SSL_ENABLED_FALSE; } +#ifdef AP_FIPS if(sc->fips == SSL_FIPS_UNSET) sc->enabled = SSL_FIPS_FALSE; +#endif if (sc->proxy_enabled == UNSET) { sc->proxy_enabled = FALSE; @@ -265,6 +268,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, */ ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: "); +#ifdef AP_FIPS /* Do this after randomness has been seeded */ // XXX: also need to set FIPS mode for APR (i.e. exclude all crypto/randomness from APR) if(!fips_done) { @@ -283,6 +287,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, "FIPS mode disabled"); fips_done=1; } +#endif /* * read server private keys/public certs into memory. @@ -1230,8 +1235,9 @@ void ssl_init_Child(apr_pool_t *p, server_rec *s) /* open the mutex lockfile */ ssl_mutex_reinit(s, p); - +#ifdef AP_FIPS fips_rand_reseed(s, p); +#endif } #define MODSSL_CFG_ITEM_FREE(func, item) \ 
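Review bot: In the ssl_init_Module block that the `@@ -227,8 +228,10 @@` hunk wraps in `#ifdef AP_FIPS`, `if(sc->fips == SSL_FIPS_UNSET) sc->enabled = SSL_FIPS_FALSE;` assigns to `sc->enabled` rather than `sc->fips`. Those two lines are context the commit only guards, but as written every server without an explicit SSLFIPS setting has its `enabled` field overwritten with a value from the other enum (presumably switching the engine off), and `fips` stays unset for the later `sc->fips == SSL_FIPS_TRUE` tests. It looks like the statement should be `sc->fips = SSL_FIPS_FALSE;`. Separately, the first hunk guards fips_rand_reseed with `#if AP_FIPS` while the rest of the file uses `#ifdef AP_FIPS`; one form throughout avoids undefined-macro warnings.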
diff --git a/modules/ssl/ssl_engine_rand.c b/modules/ssl/ssl_engine_rand.c index b8c92dda77..10899e491c 100644 --- a/modules/ssl/ssl_engine_rand.c +++ b/modules/ssl/ssl_engine_rand.c @@ -29,6 +29,10 @@ #include "ssl_private.h" +#ifdef AP_FIPS +# include <openssl/fips_rand.h> +#endif + /* _________________________________________________________________ ** ** Support for better seeding of SSL library's RNG @@ -36,6 +40,8 @@ */ static int ssl_rand_choosenum(int, int); + +#ifdef AP_FIPS static int ssl_rand_feedfp(int, apr_pool_t *, apr_file_t *, int); /* Deal with the arcanity of the FIPS PRNG, which requires keying @@ -54,6 +60,13 @@ static void inject_rand(int fips, const void *buf, int num) } RAND_seed(buf, num); } +#else + +static int ssl_rand_feedfp(apr_pool_t *, apr_file_t *, int); + +# define inject_rand(fips, buf, num) RAND_seed(buf, num) + +#endif int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix) { @@ -83,8 +96,12 @@ int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix) if (apr_file_open(&fp, pRandSeed->cpPath, APR_READ, APR_OS_DEFAULT, p) != APR_SUCCESS) continue; +#ifdef AP_FIPS nDone += ssl_rand_feedfp(sc->fips == SSL_FIPS_TRUE, p, fp, pRandSeed->nBytes); +#else + nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes); +#endif apr_file_close(fp); } else if (pRandSeed->nSrc == SSL_RSSRC_EXEC) { @@ -99,8 +116,12 @@ int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix) if ((fp = ssl_util_ppopen(s, p, cmd, argv)) == NULL) continue; +#ifdef AP_FIPS nDone += ssl_rand_feedfp(sc->fips == SSL_FIPS_TRUE, p, fp, pRandSeed->nBytes); +#else + nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes); +#endif ssl_util_ppclose(s, p, fp); } #ifdef HAVE_SSL_RAND_EGD 
@@ -156,7 +177,11 @@ int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix) #define BUFSIZE 8192 +#ifdef AP_FIPS static int ssl_rand_feedfp(int fips, apr_pool_t *p, apr_file_t *fp, int nReq) +#else +static int ssl_rand_feedfp(apr_pool_t *p, apr_file_t *fp, int nReq) +#endif { apr_size_t nDone; unsigned char caBuf[BUFSIZE]; diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index 260c348f0a..52431be0a1 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -281,11 +281,13 @@ typedef enum { SSL_ENABLED_OPTIONAL = 3 } ssl_enabled_t; +#ifdef AP_FIPS typedef enum { SSL_FIPS_UNSET = UNSET, SSL_FIPS_FALSE = 0, SSL_FIPS_TRUE = 1 } fips_enabled_t; +#endif /* * Define the SSL requirement structure @@ -442,7 +444,9 @@ typedef struct { struct SSLSrvConfigRec { SSLModConfigRec *mc; ssl_enabled_t enabled; +#ifdef AP_FIPS fips_enabled_t fips; +#endif BOOL proxy_enabled; const char *vhost_id; int vhost_id_len; diff --git a/server/Makefile.in b/server/Makefile.in index 8efcb419d4..0088f4a5a7 100644 --- a/server/Makefile.in +++ b/server/Makefile.in @@ -66,7 +66,7 @@ export_files: rm -f $$tmp exports.c: export_files - $(AWK) -f $(top_srcdir)/build/make_exports.awk `cat $?` > $@ + $(AWK) -f $(top_srcdir)/build/make_exports.awk `cat $?` | $(top_srcdir)/build/fipsify_exports $(top_srcdir)/include/ap_config_auto.h > $@ export_vars.h: export_files $(AWK) -f $(top_srcdir)/build/make_var_export.awk `cat $?` > $@ diff --git a/server/core.c b/server/core.c index 34acc9922c..e9d81999a5 100644 --- a/server/core.c +++ b/server/core.c @@ -3501,8 +3501,14 @@ static int default_handler(request_rec *r) } else { if (bld_content_md5) { +#ifndef AP_NO_FIPS + // FIPS-XXX: is it safe to continue despite this? + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Can't do Content-MD5 in FIPS mode"); +#else apr_table_setn(r->headers_out, "Content-MD5", ap_md5digest(r->pool, fd)); +#endif } /* For platforms where the size of the file may be larger than 
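Review bot: The `exports.c` rule in server/Makefile.in now pipes through `$(top_srcdir)/build/fipsify_exports`, but that script is not among the 20 files in this commit's diffstat, so unless it already exists on the branch a clean checkout cannot generate exports.c. The filter runs in non-FIPS builds too, and because it is the last stage of the pipeline its exit status replaces awk's, so a failure in make_exports.awk no longer stops the build. Add the script in the same commit and put a comment above the rule saying which symbols it removes and why.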
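Review bot: `#ifndef AP_NO_FIPS` in default_handler tests a macro that nothing in this commit defines; every other guard uses `AP_FIPS`. As written the error branch is compiled into all builds, so whenever `bld_content_md5` is set the server logs "Can't do Content-MD5 in FIPS mode" and never emits the header, even without --enable-fips, and the `#else` branch is dead code. The guard should be `#ifdef AP_FIPS`. Logging at `APLOG_ERR` on every request is also likely to flood the error log; rejecting the setting once at configuration time would be easier to notice and act on. default_handler continues outside the hunk.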
diff --git a/server/util_md5.c b/server/util_md5.c index 744f3f283a..86b6c257de 100644 --- a/server/util_md5.c +++ b/server/util_md5.c @@ -50,6 +50,38 @@ #include "util_md5.h" #include "util_ebcdic.h" +#ifdef AP_FIPS +#include <openssl/sha.h> + +AP_DECLARE(char *) ap_sha1_binary(apr_pool_t *p, const unsigned char *buf, int length) +{ + const char *hex = "0123456789abcdef"; + SHA_CTX my_sha1; + unsigned char hash[SHA_DIGEST_LENGTH]; + char *r, result[SHA_DIGEST_LENGTH*2+1]; + int i; + + /* + * Take the SHA-1 hash of the string argument. + */ + + SHA1_Init(&my_sha1); +#if APR_CHARSET_EBCDIC +# error no EBCDIC support +#endif + SHA1_Update(&my_sha1, buf, (unsigned int)length); + SHA1_Final(hash, &my_sha1); + + for (i = 0, r = result; i < APR_MD5_DIGESTSIZE; i++) { + *r++ = hex[hash[i] >> 4]; + *r++ = hex[hash[i] & 0xF]; + } + *r = '\0'; + + return apr_pstrndup(p, result, SHA_DIGEST_LENGTH*2); +} + +#else AP_DECLARE(char *) ap_md5_binary(apr_pool_t *p, const unsigned char *buf, int length) { const char *hex = "0123456789abcdef"; @@ -170,3 +202,4 @@ AP_DECLARE(char *) ap_md5digest(apr_pool_t *p, apr_file_t *infile) return ap_md5contextTo64(p, &context); } +#endif /*ndef AP_FIPS */ diff --git a/srclib/apr-util/configure.in b/srclib/apr-util/configure.in index 2534eb14c6..14af50c6f6 100644 --- a/srclib/apr-util/configure.in +++ b/srclib/apr-util/configure.in @@ -16,6 +16,10 @@ sinclude(build/find_apr.m4) sinclude(build/dbm.m4) sinclude(build/dbd.m4) +dnl Allow FIPS mode +AC_ARG_ENABLE(fips,[Enable FIPS mode (i.e. disable or replace all crypto)], + [AC_DEFINE([APU_FIPS],1,[Set to 1 if FIPS mode is enabled])]) + dnl Generate ./config.nice for reproducing runs of configure dnl APR_CONFIG_NICE(config.nice) diff --git a/srclib/apr-util/crypto/apr_md4.c b/srclib/apr-util/crypto/apr_md4.c index 6b9d9f4b39..18300693de 100644 --- a/srclib/apr-util/crypto/apr_md4.c +++ b/srclib/apr-util/crypto/apr_md4.c 
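Review bot: In `ap_sha1_binary` the hex loop stops at `i < APR_MD5_DIGESTSIZE`, so only part of the `SHA_DIGEST_LENGTH`-byte hash is encoded, while `result` is sized for, and `apr_pstrndup` is asked to copy, `SHA_DIGEST_LENGTH*2` characters. The header documents the return value as the checksum in hex, so a caller comparing against a full SHA-1 hex digest gets a silent mismatch. Either loop to `SHA_DIGEST_LENGTH` and let mod_ssl.c truncate at its call site, or keep the truncation, size the buffer to match and state it in the doc comment. `length` is an `int` cast to `unsigned int`, so a negative value becomes a very large byte count; `if (length < 0) return NULL;` before `SHA1_Update` would close that. The results of the `SHA1_*` calls are also ignored.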
@@ -41,6 +41,7 @@ #include "apr_strings.h" #include "apr_md4.h" #include "apr_lib.h" +#include "apu_config.h" #if APR_HAVE_STRING_H #include <string.h> @@ -49,9 +50,10 @@ #include <unistd.h> #endif +#ifndef APU_FIPS /* Constants for MD4Transform routine. */ - + #define S11 3 #define S12 7 #define S13 11 @@ -402,3 +404,5 @@ APU_DECLARE(apr_status_t) apr_MD4InitEBCDIC(apr_xlate_t *xlate) return APR_SUCCESS; } #endif + +#endif /*ndef APU_FIPS */ diff --git a/srclib/apr-util/crypto/apr_md5.c b/srclib/apr-util/crypto/apr_md5.c index 40942e30db..a07ba4debe 100644 --- a/srclib/apr-util/crypto/apr_md5.c +++ b/srclib/apr-util/crypto/apr_md5.c @@ -76,6 +76,13 @@ #include <pthread.h> #endif +/* + * Define the Magic String prefix that identifies a password as being + * hashed using our algorithm. + */ +static const char *apr1_id = "$apr1$"; + +#ifndef APU_FIPS /* Constants for MD5Transform routine. */ @@ -462,12 +469,6 @@ APU_DECLARE(apr_status_t) apr_MD5InitEBCDIC(apr_xlate_t *xlate) #endif /* - * Define the Magic String prefix that identifies a password as being - * hashed using our algorithm. - */ -static const char *apr1_id = "$apr1$"; - -/* * The following MD5 password encryption code was largely borrowed from * the FreeBSD 3.0 /usr/src/lib/libcrypt/crypt.c file, which is * licenced as stated at the top of this file. @@ -665,6 +666,8 @@ static void crypt_mutex_unlock(void) #endif #endif +#endif /* ndef APU_FIPS */ + /* * Validate a plaintext password against a smashed one. Uses either * crypt() (if available) or apr_md5_encode() or apr_sha1_base64(), depending 
@@ -680,15 +683,22 @@ APU_DECLARE(apr_status_t) apr_password_validate(const char *passwd, char *crypt_pw; #endif if (!strncmp(hash, apr1_id, strlen(apr1_id))) { +#ifdef APU_FIPS + return APR_EMISMATCH; +#else /* * The hash was created using our custom algorithm. */ apr_md5_encode(passwd, hash, sample, sizeof(sample)); +#endif } else if (!strncmp(hash, APR_SHA1PW_ID, APR_SHA1PW_IDLEN)) { apr_sha1_base64(passwd, strlen(passwd), sample); } else { +#ifdef APU_FIPS + return APR_EMISMATCH; +#else /* * It's not our algorithm, so feed it to crypt() if possible. */ @@ -728,6 +738,7 @@ APU_DECLARE(apr_status_t) apr_password_validate(const char *passwd, apr_cpystrn(sample, crypt_pw, sizeof(sample) - 1); crypt_mutex_unlock(); #endif +#endif /*ndef APU_FIPS */ } return (strcmp(sample, hash) == 0) ? APR_SUCCESS : APR_EMISMATCH; } diff --git a/srclib/apr-util/crypto/apr_sha1.c b/srclib/apr-util/crypto/apr_sha1.c index 0b139127e6..ca2cf87489 100644 --- a/srclib/apr-util/crypto/apr_sha1.c +++ b/srclib/apr-util/crypto/apr_sha1.c @@ -48,11 +48,14 @@ #include "apr_base64.h" #include "apr_strings.h" #include "apr_lib.h" +#include "apu_config.h" #if APR_CHARSET_EBCDIC #include "apr_xlate.h" #endif /*APR_CHARSET_EBCDIC*/ #include <string.h> +#ifndef APU_FIPS + /* a bit faster & bigger, if defined */ #define UNROLL_LOOPS @@ -344,7 +347,6 @@ APU_DECLARE(void) apr_sha1_final(unsigned char digest[APR_SHA1_DIGESTSIZE], } } - APU_DECLARE(void) apr_sha1_base64(const char *clear, int len, char *out) { int l; 
@@ -370,3 +372,30 @@ APU_DECLARE(void) apr_sha1_base64(const char *clear, int len, char *out) * output of base64 encoded SHA1 is always 28 chars + APR_SHA1PW_IDLEN */ } +#else /*def APR_FIPS */ + +APU_DECLARE(void) apr_sha1_base64(const char *clear, int len, char *out) +{ + int l; + apr_byte_t digest[APR_SHA1_DIGESTSIZE]; + + if (strncmp(clear, APR_SHA1PW_ID, APR_SHA1PW_IDLEN) == 0) { + clear += APR_SHA1PW_IDLEN; + } + + SHA1(clear, len, digest); + + /* private marker. */ + apr_cpystrn(out, APR_SHA1PW_ID, APR_SHA1PW_IDLEN + 1); + + /* SHA1 hash is always 20 chars */ + l = apr_base64_encode_binary(out + APR_SHA1PW_IDLEN, digest, sizeof(digest)); + out[l + APR_SHA1PW_IDLEN] = '\0'; + + /* + * output of base64 encoded SHA1 is always 28 chars + APR_SHA1PW_IDLEN + */ +} + +#endif /*def APR_FIPS */ + diff --git a/support/htdbm.c b/support/htdbm.c index 69c0d2db82..8151805d89 100644 --- a/support/htdbm.c +++ b/support/htdbm.c @@ -32,6 +32,7 @@ #include "apr_md5.h" #include "apr_sha1.h" #include "apr_dbm.h" +#include "ap_config_auto.h" #if APR_HAVE_STDLIB_H #include <stdlib.h> @@ -63,7 +64,9 @@ #define MAX_STRING_LEN 256 #define ALG_PLAIN 0 -#define ALG_APMD5 1 +#ifndef AP_FIPS +# define ALG_APMD5 1 +#endif #define ALG_APSHA 2 #if APR_HAVE_CRYPT_H @@ -161,8 +164,12 @@ static apr_status_t htdbm_init(apr_pool_t **pool, htdbm_t **hdbm) } #endif /*APR_CHARSET_EBCDIC*/ +#ifdef AP_FIPS + (*hdbm)->alg = ALG_APSHA; +#else /* Set MD5 as default */ (*hdbm)->alg = ALG_APMD5; +#endif (*hdbm)->type = "default"; return APR_SUCCESS; } @@ -298,6 +305,7 @@ static apr_status_t htdbm_make(htdbm_t *htdbm) apr_sha1_base64(htdbm->userpass,strlen(htdbm->userpass),cpw); break; +#ifndef AP_FIPS case ALG_APMD5: (void) srand((int) time((time_t *) NULL)); to64(&salt[0], rand(), 8); 
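Review bot: In the FIPS `apr_sha1_base64`, `clear` is advanced past the prefix with `clear += APR_SHA1PW_IDLEN` but `len` is left unchanged, so when the caller passes the full string length (as apr_password_validate does with `strlen(passwd)`) `SHA1(clear, len, digest)` reads `APR_SHA1PW_IDLEN` bytes past the end of the buffer and includes them in the hash. Adding `len -= APR_SHA1PW_IDLEN;` inside the `if` fixes the over-read. None of the hunks for this file adds an OpenSSL header, so `SHA1` appears to be called without a prototype; `#include <openssl/sha.h>` under `#ifdef APU_FIPS` is needed, with a cast for the `const char *` argument. The closing comments say `APR_FIPS` where the macro is `APU_FIPS`.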
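Review bot: Making `ALG_APSHA` the default in htdbm_init (and in `main` of support/htpasswd.c) replaces a salted scheme with an unsalted one: the MD5 branch builds a `salt` before calling `apr_md5_encode`, whereas `apr_sha1_base64` takes only the password and its length. Identical passwords therefore produce identical records, and a disclosed password file can be checked against precomputed tables. If the FIPS constraint leaves no salted option, README-FIPS should say so next to "Passwords: must be SHA-1 hashed" so operators restrict access to the file accordingly. A comment at the default such as `/* FIPS: only SHA-1 is permitted; this record format is unsalted */` would record the trade-off.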
@@ -305,6 +313,8 @@ static apr_status_t htdbm_make(htdbm_t *htdbm) apr_md5_encode((const char *)htdbm->userpass, (const char *)salt, cpw, sizeof(cpw)); break; +#endif + case ALG_PLAIN: /* XXX this len limitation is not in sync with any HTTPd len. */ apr_cpystrn(cpw,htdbm->userpass,sizeof(cpw)); @@ -458,9 +468,11 @@ int main(int argc, const char * const argv[]) need_pwd = 0; cmd = HTDBM_DELETE; break; +#ifndef AP_FIPS case 'm': h->alg = ALG_APMD5; break; +#endif case 'p': h->alg = ALG_PLAIN; break; diff --git a/support/htdigest.c b/support/htdigest.c index f90a672c59..8cacee403a 100644 --- a/support/htdigest.c +++ b/support/htdigest.c @@ -33,6 +33,9 @@ #include "apr_general.h" #include "apr_signal.h" #include "apr_strings.h" /* for apr_pstrdup() */ +#include "ap_config_auto.h" + +#ifndef AP_FIPS #define APR_WANT_STDIO #define APR_WANT_STRFUNC @@ -289,3 +292,13 @@ int main(int argc, const char * const argv[]) return 0; } + +#else /*def AP_FIPS */ + +int main(int argc, const char * const argv[]) +{ + fprintf(stderr,"HTTP Digest uses MD5 and so is not available if FIPS mode.\n"); + exit(1); +} + +#endif diff --git a/support/htpasswd.c b/support/htpasswd.c index 20764636a2..0ae1ecb4c1 100644 --- a/support/htpasswd.c +++ b/support/htpasswd.c @@ -45,6 +45,7 @@ #include "apr_file_io.h" #include "apr_general.h" #include "apr_signal.h" +#include "ap_config_auto.h" #if APR_HAVE_STDIO_H #include <stdio.h> @@ -82,8 +83,10 @@ #define MAX_STRING_LEN 256 #define ALG_PLAIN 0 -#define ALG_CRYPT 1 -#define ALG_APMD5 2 +#ifndef AP_FIPS +# define ALG_CRYPT 1 +# define ALG_APMD5 2 +#endif #define ALG_APSHA 3 #define ERR_FILEPERM 1 @@ -132,7 +135,9 @@ static int mkrecord(char *user, char *record, apr_size_t rlen, char *passwd, char cpw[120]; char pwin[MAX_STRING_LEN]; char pwv[MAX_STRING_LEN]; +#ifndef AP_FIPS char salt[9]; +#endif apr_size_t bufsize; if (passwd != NULL) { 
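Review bot: The FIPS stub `main` in support/htdigest.c calls `fprintf` and `exit`, but `#ifndef AP_FIPS` is placed before `#define APR_WANT_STDIO`, so the includes that declare them look to be compiled out in exactly the build that uses the stub. The include block runs past the hunk, so this is inferred from the visible lines. Move the `#ifndef AP_FIPS` below the include block, or add `#include <stdio.h>` and `#include <stdlib.h>` to the `#else` branch. A one-line comment above the stub saying that the tool is deliberately disabled, not broken, would help whoever packages it.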
@@ -161,6 +166,7 @@ static int mkrecord(char *user, char *record, apr_size_t rlen, char *passwd, apr_sha1_base64(pw,strlen(pw),cpw); break; +#ifndef AP_FIPS case ALG_APMD5: (void) srand((int) time((time_t *) NULL)); to64(&salt[0], rand(), 8); @@ -169,13 +175,14 @@ static int mkrecord(char *user, char *record, apr_size_t rlen, char *passwd, apr_md5_encode((const char *)pw, (const char *)salt, cpw, sizeof(cpw)); break; +#endif case ALG_PLAIN: /* XXX this len limitation is not in sync with any HTTPd len. */ apr_cpystrn(cpw,pw,sizeof(cpw)); break; -#if !(defined(WIN32) || defined(NETWARE)) +#if !(defined(WIN32) || defined(NETWARE)) && !defined(AP_FIPS) case ALG_CRYPT: default: (void) srand((int) time((time_t *) NULL)); @@ -306,18 +313,20 @@ static void check_args(apr_pool_t *pool, int argc, const char *const argv[], *mask |= APHTP_NOFILE; args_left--; } +#ifndef AP_FIPS else if (*arg == 'm') { *alg = ALG_APMD5; } + else if (*arg == 'd') { + *alg = ALG_CRYPT; + } +#endif else if (*arg == 's') { *alg = ALG_APSHA; } else if (*arg == 'p') { *alg = ALG_PLAIN; } - else if (*arg == 'd') { - *alg = ALG_CRYPT; - } else if (*arg == 'b') { *mask |= APHTP_NONINTERACTIVE; args_left++; @@ -400,7 +409,11 @@ int main(int argc, const char * const argv[]) char *scratch, cp[MAX_STRING_LEN]; int found = 0; int i; +#ifdef AP_FIPS + int alg = ALG_APSHA; +#else int alg = ALG_CRYPT; +#endif int mask = 0; apr_pool_t *pool; int existing_file = 0; |
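Review bot: Adding `&& !defined(AP_FIPS)` to the guard in mkrecord removes the `default:` label together with `case ALG_CRYPT`, so in a FIPS build the switch has no default arm and an unexpected `alg` value leaves `cpw`, which is declared without an initialiser, unwritten. The rest of mkrecord is outside the hunk, so what is then done with `cpw` is inferred. Keep a `default:` in the FIPS build that reports an unsupported algorithm and returns an error, so the failure is explicit rather than a record built from stack contents.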
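Review bot: In check_args `-p` (`ALG_PLAIN`) is still accepted under `AP_FIPS`, yet apr_password_validate in srclib/apr-util/crypto/apr_md5.c now returns `APR_EMISMATCH` under `APU_FIPS` for every hash that does not start with `APR_SHA1PW_ID`. htpasswd can therefore write cleartext records that the server will never accept, leaving plaintext passwords on disk in a build meant to restrict credential storage to SHA-1. Moving the `'p'` branch inside the `#ifndef AP_FIPS` block, and doing the same for `case 'p'` in support/htdbm.c, would be consistent with the validator. The usage text is outside this hunk and presumably still advertises -m and -d, so it needs the same guard.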