Permalink
Browse files

SERVER-8459 add command line flag to enable FIPS mode

See internal SSL build instructions for use of this flag.
  • Loading branch information...
1 parent db10671 commit 14b14fe13bea33fc3bc92c949fc1567f3f69ade9 @milkie milkie committed Feb 7, 2013
View
@@ -152,6 +152,7 @@ add_option( "32" , "whether to force 32 bit" , 0 , True , "force32" )
add_option( "cxx", "compiler to use" , 1 , True )
add_option( "cc", "compiler to use for c" , 1 , True )
+add_option( "ld", "linker to use" , 1 , True )
add_option( "cpppath", "Include path if you have headers in a nonstandard directory" , 1 , True )
add_option( "libpath", "Library path if you have libraries in a nonstandard directory" , 1 , True )
@@ -343,6 +344,9 @@ elif has_option("clang"):
if has_option( "cc" ):
env["CC"] = get_option( "cc" )
+if has_option( "ld" ):
+ env["LINK"] = get_option( "ld" )
+
if env['PYSYSPLATFORM'] in ('linux2', 'freebsd'):
env['LINK_LIBGROUP_START'] = '-Wl,--start-group'
env['LINK_LIBGROUP_END'] = '-Wl,--end-group'
View
@@ -0,0 +1,202 @@
+#!/bin/sh -e
+#
+# Copyright (c) 2005-2011 The OpenSSL Project.
+#
+# Depending on output file name, the script either embeds fingerprint
+# into libcrypto.so or static application. "Static" refers to static
+# libcrypto.a, not [necessarily] application per se.
+#
+# Even though this script is called fipsld, it expects C compiler
+# command line syntax and $FIPSLD_CC or $CC environment variable set
+# and can even be used to compile source files.
+
+#set -x
+
+# Note: edit this to point to your copy of g++ if this is not correct.
+CC="/usr/bin/g++"
+
+# Initially -c wasn't intended to be interpreted here, but it might
+# make life easier for those who want to build FIPS-ified applications
+# with minimal [if any] modifications to their Makefiles...
+( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done;
+ [ $# -ge 1 ]
+) && exec ${CC} "$@"
+
+TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
+
+# If using an auto-tooled (autoconf/automake/libtool) project,
+# configure will fail when testing the compiler or even performing
+# simple checks. Pass-through to compiler directly if application is
+# is not being linked with libcrypto, allowing auto-tooled applications
+# to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc
+# ./configure && make). But keep in mind[!] that if certified code
+# resides in a shared library, then fipsld *may not* be used and
+# end-developer should not modify application configuration and build
+# procedures. This is because in-core fingerprint and associated
+# procedures are already embedded into and executed in shared library
+# context.
+case `basename "${TARGET}"` in
+libcrypto*|libfips*|*.dll) ;;
+*) case "$*" in
+ *libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;;
+ *) exec ${CC} "$@" ;;
+ esac
+esac
+
+[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; }
+
+# Turn on debugging output?
+( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
+ [ $# -ge 1 ]
+) && set -x
+
+THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
+
+# fipscanister.o can appear in command line
+CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)`
+if [ -z "${CANISTER_O}" ]; then
+ # If set, FIPSLIBDIR is location of installed validated FIPS module
+ if [ -n "${FIPSLIBDIR}" ]; then
+ CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
+ elif [ -f "${THERE}/fips/fipscanister.o" ]; then
+ CANISTER_O="${THERE}/fips/fipscanister.o"
+ elif [ -f "${THERE}/lib/fipscanister.o" ]; then
+ CANISTER_O="${THERE}/lib/fipscanister.o"
+ fi
+ CANISTER_O_CMD="${CANISTER_O}"
+fi
+[ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; }
+
+PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c
+PREMAIN_O=`dirname "${CANISTER_O}"`/fips_premain.o
+
+HMAC_KEY="etaonrishdlcupfm"
+
+case "`(uname -s) 2>/dev/null`" in
+OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;;
+HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;;
+AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";;
+Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done;
+ [ $# -ge 1 ]
+ ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;;
+esac
+
+case "${TARGET}" in
+[!/]*) TARGET=./${TARGET} ;;
+esac
+
+case `basename "${TARGET}"` in
+lib*|*.dll) # must be linking a shared lib...
+ # Shared lib creation can be taking place in the source
+ # directory only, but fipscanister.o can reside elsewhere...
+
+ if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
+ FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
+ PREMAIN_DSO="${THERE}/fips/fips_premain_dso"
+ elif [ -x "${THERE}/bin/fips_standalone_sha1" ]; then
+ FINGERTYPE="${THERE}/bin/fips_standalone_sha1"
+ PREMAIN_DSO="./fips_premain_dso"
+ fi
+
+ # verify fipspremain.c against its detached signature...
+ ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
+ diff -w "${PREMAIN_C}.sha1" - || \
+ { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
+ # verify fipscanister.o against its detached signature...
+ ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
+ diff -w "${CANISTER_O}.sha1" - || \
+ { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
+
+ [ -z "${FIPSLD_LIBCRYPTO}" -a -f "${THERE}/libcrypto.a" ] && \
+ FIPSLD_LIBCRYPTO="${THERE}/libcrypto.a"
+
+
+ # Temporarily remove fipscanister.o from libcrypto.a!
+ # We are required to use the standalone copy...
+ if [ -n "${FIPSLD_LIBCRYPTO}" ]; then
+ if ar d "${FIPSLD_LIBCRYPTO}" fipscanister.o; then
+ (ranlib "${FIPSLD_LIBCRYPTO}") 2>/dev/null || :
+ trap 'ar r "${FIPSLD_LIBCRYPTO}" "${CANISTER_O}";
+ (ranlib "${FIPSLD_LIBCRYPTO}") 2>/dev/null || :;
+ sleep 1;
+ touch -c "${TARGET}"' 0
+ fi
+ fi
+
+ /bin/rm -f "${TARGET}"
+ ${CC} -x c "${PREMAIN_C}" -c -o "${PREMAIN_O}"
+ ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
+ "${PREMAIN_O}" \
+ ${_WL_PREMAIN} "$@"
+
+ if [ "x${FIPS_SIG}" != "x" ]; then
+ # embed signature
+ "${FIPS_SIG}" "${TARGET}"
+ [ $? -ne 42 ] && exit $?
+ fi
+
+ # generate signature...
+ SIG=`"${PREMAIN_DSO}" "${TARGET}"`
+
+ /bin/rm -f "${TARGET}"
+ if [ -z "${SIG}" ]; then
+ echo "unable to collect signature"; exit 1
+ fi
+
+ # recompile with signature...
+ ${CC} -x c -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" -c -o "${PREMAIN_O}"
+ ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
+ -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_O}" \
+ ${_WL_PREMAIN} "$@"
+ ;;
+
+*) # must be linking statically...
+ # Static linking can be taking place either in the source
+ # directory or off the installed binary target destination.
+ if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then
+ FINGERTYPE="${THERE}/fips/fips_standalone_sha1"
+ elif [ -x "${THERE}/bin/fips_standalone_sha1" ]; then
+ FINGERTYPE="${THERE}/bin/fips_standalone_sha1"
+ else # Installed tree is expected to contain
+ # lib/fipscanister.o, lib/fipscanister.o.sha1 and
+ # lib/fips_premain.c [not to mention bin/openssl].
+ FINGERTYPE="openssl sha1 -hmac ${HMAC_KEY}"
+ fi
+
+ # verify fipscanister.o against its detached signature...
+ ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
+ diff -w "${CANISTER_O}.sha1" - || \
+ { echo "${CANISTER_O} fingerprint mismatch"; exit 1; }
+
+ # verify fips_premain.c against its detached signature...
+ ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \
+ diff -w "${PREMAIN_C}.sha1" - || \
+ { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }
+
+ /bin/rm -f "${TARGET}"
+ ${CC} -x c "${PREMAIN_C}" -c -o "${PREMAIN_O}"
+ ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
+ "${PREMAIN_O}" \
+ ${_WL_PREMAIN} "$@"
+
+ if [ "x${FIPS_SIG}" != "x" ]; then
+ # embed signature
+ "${FIPS_SIG}" "${TARGET}"
+ [ $? -ne 42 ] && exit $?
+ fi
+
+ # generate signature...
+ SIG=`"${TARGET}"`
+
+ /bin/rm -f "${TARGET}"
+ if [ -z "${SIG}" ]; then
+ echo "unable to collect signature"; exit 1
+ fi
+
+ # recompile with signature...
+ ${CC} -x c -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" -c -o "${PREMAIN_O}"
+ ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \
+ -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_O}" \
+ ${_WL_PREMAIN} "$@"
+ ;;
+esac
@@ -1292,7 +1292,8 @@ namespace mongo {
cmdLine.sslPEMKeyPassword,
cmdLine.sslCAFile,
cmdLine.sslCRLFile,
- cmdLine.sslWeakCertificateValidation);
+ cmdLine.sslWeakCertificateValidation,
+ cmdLine.sslFIPSMode);
s_sslMgr = new SSLManager(params);
View
@@ -104,6 +104,7 @@ namespace {
("sslCRLFile", po::value<std::string>(&cmdLine.sslCRLFile),
"Certificate Revocation List file for SSL")
("sslWeakCertificateValidation", "allow client to connect without presenting a certificate")
+ ("sslFIPSMode", "activate FIPS 140-2 mode at startup")
#endif
;
@@ -420,12 +421,16 @@ namespace {
log() << "need sslCAFile with sslWeakCertificateValidation" << endl;
return false;
}
+ if (params.count("sslFIPSMode")) {
+ cmdLine.sslFIPSMode = true;
+ }
}
else if (cmdLine.sslPEMKeyFile.size() ||
cmdLine.sslPEMKeyPassword.size() ||
cmdLine.sslCAFile.size() ||
cmdLine.sslCRLFile.size() ||
- cmdLine.sslWeakCertificateValidation) {
+ cmdLine.sslWeakCertificateValidation ||
+ cmdLine.sslFIPSMode) {
log() << "need to enable sslOnNormalPorts" << endl;
return false;
}
View
@@ -138,6 +138,7 @@ namespace mongo {
std::string sslCAFile; // --sslCAFile
std::string sslCRLFile; // --sslCRLFile
bool sslWeakCertificateValidation;
+ bool sslFIPSMode;
#endif
/**
@@ -102,7 +102,8 @@ namespace mongo {
cmdLine.sslPEMKeyPassword,
cmdLine.sslCAFile,
cmdLine.sslCRLFile,
- cmdLine.sslWeakCertificateValidation);
+ cmdLine.sslWeakCertificateValidation,
+ cmdLine.sslFIPSMode);
_ssl = new SSLManager(params);
}
#endif
@@ -109,6 +109,11 @@ namespace mongo {
SSL_library_init();
SSL_load_error_strings();
ERR_load_crypto_strings();
+
+ if (params.fipsMode) {
+ _setupFIPS();
+ }
+
// Add all digests and ciphers to OpenSSL's internal table
// so that encryption/decryption is backwards compatible
OpenSSL_add_all_algorithms();
@@ -158,6 +163,25 @@ namespace mongo {
return 1; // always succeed; we will catch the error in our get_verify_result() call
}
+ static mongo::mutex fipsMtx("FIPS");
+ static bool fipsActivated(false);
+
+ void SSLManager::_setupFIPS() {
+ // Turn on FIPS mode if requested.
+ scoped_lock lk(fipsMtx);
+ if (fipsActivated) {
+ return;
+ }
+ int status = FIPS_mode_set(1);
+ if (!status) {
+ error() << "can't activate FIPS mode: " <<
+ _getSSLErrorMessage(ERR_get_error()) << endl;
+ fassertFailed(16703);
+ }
+ log() << "FIPS 140-2 mode activated" << endl;
+ fipsActivated = true;
+ }
+
bool SSLManager::_setupPEM(const std::string& keyFile , const std::string& password) {
_password = password;
@@ -31,18 +31,21 @@ namespace mongo {
const std::string& pempwd,
const std::string& cafile = "",
const std::string& crlfile = "",
- bool weakCertificateValidation = false) :
+ bool weakCertificateValidation = false,
+ bool fipsMode = false) :
pemfile(pemfile),
pempwd(pempwd),
cafile(cafile),
crlfile(crlfile),
- weakCertificateValidation(weakCertificateValidation) {};
+ weakCertificateValidation(weakCertificateValidation),
+ fipsMode(fipsMode) {};
std::string pemfile;
std::string pempwd;
std::string cafile;
std::string crlfile;
bool weakCertificateValidation;
+ bool fipsMode;
};
class SSLManager {
@@ -119,6 +122,12 @@ namespace mongo {
bool _setupCRL(const std::string& crlFile);
/*
+ * Activate FIPS 140-2 mode, if the server started with a command line
+ * parameter.
+ */
+ void _setupFIPS();
+
+ /*
* Wrapper for SSL_Connect() that handles SSL_ERROR_WANT_READ,
* see SERVER-7940
*/

0 comments on commit 14b14fe

Please sign in to comment.