
Added FIPS patch by Lior Okman <lior.okman@gmail.com>

git-svn-id: http://monit.googlecode.com/svn/trunk@206 808b68a2-07de-11de-a1f0-819f45317607
1 parent 9d42f30 commit 54ecdf3c9f1611562c585f9691d583e67c66b0b4 janhenrik.haukeland committed Jul 24, 2010
Showing with 148 additions and 11 deletions.
  1. +40 −0 AUTHORS
  2. +3 −0 CHANGES.txt
  3. +1 −1 README
  4. +1 −0 l.l
  5. +13 −0 monit.pod
  6. +3 −0 monitor.h
  7. +12 −0 p.y
  8. +69 −10 ssl.c
  9. +6 −0 ssl.h
40 AUTHORS
@@ -0,0 +1,40 @@
+Authors:
+
+Jan-Henrik Haukeland <hauk@tildeslash.com>
+Martin Pala <martinp@tildeslash.com>
+Christian Hopp <chopp@iei.tu-clausthal.de>
+Rory Toma <rory@digeo.com>
+
+Contributors in alphabetical order:
+
+Michael Amster (mamster at webeasy com)
+Philipp Berndt (philipp bernd at gmx net)
+Olivier Beyssac (ob at r14 freenix org)
+Marco Bisioli (bisioli at adriacom it)
+Joe Bryant (JBryant at RiteAid com)
+Will Bryant (will bryant at ecosm com)
+Dave Cheney (dcheney at redbubble com)
+Sébastien Debrard (sebastien.debrard strange-garden com)
+Mark Ferlatte (ferlatte at cryptio net)
+David Fletcher (david at megapico co uk)
+Pierrick Grasland (pierrick grasland at nexcom fr)
+Klaus Heinz (k.heinz.apr.sieben at kh-22 de)
+Peter Holdaway (pholdaway at technocom-wireless com)
+Igor Homyakov (homyakov at altlinux ru)
+Mostafa Hosseini (mostafah at oeone com)
+Francois Isabelle (Francois Isabelle at ca kontron com)
+Oliver Jehle (oliver jehle at monex li)
+Kianusch Sayah Karadji (kianusch sayah karadji at sk-tech net)
+Artyom Khafizov (afk at inbox ru)
+Thomas Lohmueller (thomas at lohmueller ch)
+Bret "Trixter" McDanel (trixter at 0xdecafbad com)
+Arkadiusz Miskiewicz (arekm at pld-linux org)
+Tatsuya Nonogaki (nonotats at asahi email ne jp)
+Lior Okman (lior.okman at gmail.com)
+Thomas "Leppo" Oppel (oppel at kbis de)
+Rick Robino (rrobino at wavedivision com)
+Richard Schwaninger (risc at vmilch at)
+Margarida Sequeira (margarida at openbsd org)
+
+
+
3 CHANGES.txt
@@ -48,6 +48,9 @@ NEW FEATURES AND FUNCTIONS:
on Monit host. The automatic credentials registration can be disabled:
set mmonit http://monit:monit@192.168.1.10:8080/collector and register without credentials
+* Added FIPS OpenSSL module to Monit httpd. Many thanks to Lior Okman
+ for providing the patch.
+
BUGFIXES:
* Show real process uptime - formerly the presented uptime was based on create/modify
2 README
@@ -54,4 +54,4 @@
You can also look in the mailing list archive for answers:
http://lists.gnu.org/archive/html/monit-general/
-
+
1 l.l
@@ -305,6 +305,7 @@ password { return PASSWORD; }
credentials { return CREDENTIALS; }
register { return REGISTER; }
fsflag(s)? { return FSFLAG; }
+fips { return FIPS; }
{byte} { return BYTE; }
{kilobyte} { return KILOBYTE; }
{megabyte} { return MEGABYTE; }
13 monit.pod
@@ -2581,6 +2581,19 @@ This ensures that a daemon will not restart a service that you
requested to stop and that (any) timeout lock will be removed
from a service when you start it.
+=head2 FIPS support
+
+Monit built-in web-server support the OpenSSL FIPS module.
+To enable this mode, your OpenSSL library must first be built
+with FIPS support. Then in the Monit control file, simply
+add this I<set> statement at the top;
+
+ set fips
+
+Note that the FIPS module may not be supported in the lates
+version of OpenSSL. So make sure that your version of OpenSSL
+support the FIPS object module before attempting to enable this
+in Monit.
=head2 Monit HTTPD Authentication
3 monitor.h
@@ -864,6 +864,9 @@ struct myrun {
} MailFormat;
pthread_mutex_t mutex; /**< Mutex used for service data synchronization */
+#ifdef OPENSSL_FIPS
+ int fipsEnabled; /** TRUE if monit should use FIPS-140 mode */
+#endif
};
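Review bot: `fipsEnabled` is added to `struct myrun` only under `#ifdef OPENSSL_FIPS`, so every translation unit that includes monitor.h must see the same value of that macro or `Run` has two layouts; if the macro originates in OpenSSL's own headers rather than a project-wide config define (not visible here), a file that reaches monitor.h without the OpenSSL headers would be compiled against the unconditional layout. Making the field unconditional, `int fipsEnabled; /**< TRUE if monit should use FIPS-140 mode */`, removes that dependency and leaves only the `FIPS_mode()` calls in ssl.c needing the guard. The trailing `/**<` form also matches the neighbouring field comments, whereas the added `/** ... */` after the declarator is a leading-style comment that documentation tools attach to the following member.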
12 p.y
@@ -303,6 +303,7 @@
%token <url> URLOBJECT
%token <string> TARGET
%token <number> MAXFORWARD
+%token FIPS
%left GREATER LESS EQUAL NOTEQUAL
@@ -329,6 +330,7 @@ statement : setalert
| setstatefile
| setexpectbuffer
| setinit
+ | setfips
| checkproc optproclist
| checkfile optfilelist
| checkfilesys optfilesyslist
@@ -516,6 +518,13 @@ setinit : SET INIT {
}
;
+setfips : SET FIPS {
+ #ifdef OPENSSL_FIPS
+ Run.fipsEnabled = TRUE;
+ #endif
+ }
+ ;
+
setlog : SET LOGFILE PATH {
if (!Run.logfile || ihp.logfile) {
ihp.logfile = TRUE;
@@ -1896,6 +1905,9 @@ static void preparse() {
Run.localhostname = xstrdup(localhost);
depend_list = NULL;
Run.handler_init = TRUE;
+#ifdef OPENSSL_FIPS
+ Run.fipsEnabled = FALSE;
+#endif
for (i = 0; i <= HANDLER_MAX; i++)
Run.handler_queue[i] = 0;
/*
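Review bot: In the `setfips` action, `set fips` is accepted silently when monit was built without OPENSSL_FIPS, so an operator who adds the statement gets a control file that parses cleanly yet never enters FIPS mode. The `#ifdef` should carry an `#else` branch that reports this at parse time, e.g. `#else` / `yyerror("FIPS support is not compiled into this monit binary");` (or whichever error helper the grammar uses for unsupported statements), so validation fails instead of silently downgrading. The `preparse()` hunk's default of FALSE is fine; the grammar rules surrounding `setfips` continue outside the hunk.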
79 ssl.c
@@ -337,8 +337,18 @@ ssl_server_connection *init_ssl_server(char *pemfile, char *clientpemfile) {
start_ssl();
ssl_server = new_ssl_server_connection(pemfile, clientpemfile);
-
- if(!(ssl_server->method= SSLv23_server_method())) {
+ SSL_METHOD *server_method = NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ server_method = TLSv1_server_method();
+ }
+ else {
+ server_method = SSLv23_server_method();
+ }
+#else
+ server_method = SSLv23_server_method();
+#endif
+ if(!(ssl_server->method= server_method)) {
LogError("%s: Cannot initialize the SSL method -- %s\n", prog, SSLERROR);
goto sslerror;
}
@@ -667,15 +677,41 @@ ssl_connection *new_ssl_connection(char *clientpemfile, int sslversion) {
switch (sslversion) {
case SSL_VERSION_AUTO:
- ssl->method = SSLv23_client_method();
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ ssl->method = TLSv1_client_method();
+ } else {
+#endif
+ ssl->method = SSLv23_client_method();
+#ifdef OPENSSL_FIPS
+ }
+#endif
break;
case SSL_VERSION_SSLV2:
- ssl->method = SSLv2_client_method();
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ LogError("SSLv2 is not allowed in FIPS mode - use TLSv1");
+ goto sslerror;
+ } else {
+#endif
+ ssl->method = SSLv2_client_method();
+#ifdef OPENSSL_FIPS
+ }
+#endif
break;
case SSL_VERSION_SSLV3:
- ssl->method = SSLv3_client_method();
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ LogError("SSLv3 is not allowed in FIPS mode - use TLSv1");
+ goto sslerror;
+ } else {
+#endif
+ ssl->method = SSLv3_client_method();
+#ifdef OPENSSL_FIPS
+ }
+#endif
break;
case SSL_VERSION_TLS:
@@ -1019,11 +1055,17 @@ static int update_ssl_cert_data(ssl_connection *ssl) {
if(!(ssl->cert = SSL_get_peer_certificate(ssl->handler)))
return FALSE;
- ssl->cert_issuer= X509_NAME_oneline (X509_get_issuer_name(ssl->cert), 0, 0);
- ssl->cert_subject= X509_NAME_oneline (X509_get_subject_name(ssl->cert), 0, 0);
- X509_digest(ssl->cert, EVP_md5(), md5, &ssl->cert_md5_len);
- ssl->cert_md5= (unsigned char *)xstrdup((char *)md5);
-
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode()) {
+ /* In FIPS-140 mode, MD5 is unavailable. */
+#endif
+ ssl->cert_issuer= X509_NAME_oneline (X509_get_issuer_name(ssl->cert), 0, 0);
+ ssl->cert_subject= X509_NAME_oneline (X509_get_subject_name(ssl->cert), 0, 0);
+ X509_digest(ssl->cert, EVP_md5(), md5, &ssl->cert_md5_len);
+ ssl->cert_md5= (unsigned char *)xstrdup((char *)md5);
+#ifdef OPENSSL_FIPS
+ }
+#endif
return TRUE;
}
@@ -1052,6 +1094,18 @@ static ssl_server_connection *new_ssl_server_connection(char * pemfile,
}
+#ifdef OPENSSL_FIPS
+/**
+ * Enable FIPS mode, if it isn't enabled yet.
+ */
+void enable_fips_mode()
+{
+ if (!FIPS_mode()) {
+ ASSERT(FIPS_mode_set(1));
+ LogInfo("FIPS-140 mode is enabled\n");
+ }
+}
+#endif
/**
* Start SSL support library. It has to be run before the SSL support
@@ -1061,6 +1115,11 @@ static ssl_server_connection *new_ssl_server_connection(char * pemfile,
static int start_ssl() {
if(! ssl_initialized) {
+#ifdef OPENSSL_FIPS
+ if (Run.fipsEnabled) {
+ enable_fips_mode();
+ }
+#endif
int i;
int locks = CRYPTO_num_locks();
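Review bot: In `enable_fips_mode`, `FIPS_mode_set(1)` is called as the argument of `ASSERT()`, so whether FIPS mode is ever switched on depends on that macro never being compiled out, and when the call fails (library integrity check, non-FIPS build) the OpenSSL error reason is not logged before the abort; make the call a plain statement, check its result and report it through the same `LogError("%s: ... -- %s\n", prog, SSLERROR)` channel the file already uses, as below. Second, in `update_ssl_cert_data` the FIPS branch skips the whole block, so `cert_issuer` and `cert_subject` are never filled in even though `X509_NAME_oneline` does not involve MD5; only the `X509_digest(..., EVP_md5(), ...)` line and the `cert_md5` copy need excluding, and whichever caller compares `cert_md5` against a configured checksum (outside this diff) must tolerate it staying unset in FIPS mode. Also `void enable_fips_mode()` is an unspecified-argument declaration in C; use `(void)` here and in the ssl.h prototype. `start_ssl` and `update_ssl_cert_data` continue outside their hunks.
```c
void enable_fips_mode(void)
{
    if (!FIPS_mode()) {
        /* Fail closed: a configured but unenabled FIPS mode must not go unnoticed. */
        if (!FIPS_mode_set(1)) {
            LogError("%s: Cannot enable FIPS-140 mode -- %s\n", prog, SSLERROR);
            exit(1);
        }
        LogInfo("FIPS-140 mode is enabled\n");
    }
}
```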
6 ssl.h
@@ -38,6 +38,9 @@
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
#endif
#define SSL_VERSION_AUTO 0
@@ -102,6 +105,9 @@ int recv_ssl_socket(ssl_connection *, void *, int, int);
ssl_connection *new_ssl_connection(char *, int);
ssl_connection *insert_accepted_ssl_socket(ssl_server_connection *);
ssl_server_connection *init_ssl_server(char *, char *);
+#ifdef OPENSSL_FIPS
+void enable_fips_mode();
+#endif
#else
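Review bot: `void enable_fips_mode();` declares a function with unspecified parameters rather than a prototype, so a call with stray arguments would not be diagnosed; write `void enable_fips_mode(void);` and match it in the ssl.c definition. The `#ifdef OPENSSL_FIPS` around `#include <openssl/fips.h>` depends on that macro already being defined at this point, presumably via the configuration header that `<openssl/ssl.h>` above pulls in; a one-line comment, `/* OPENSSL_FIPS is defined by the OpenSSL headers included above */`, would keep a later reordering of these includes from silently dropping FIPS support.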
