# HG changeset patch
# User Petr Sumbera
# Date 1421328137 28800
# Node ID 29c40c98aad32315d925b63703fd3392f1955b31
# Parent 15356a4ccb21cf053701901634de8eae8c02c0bf
PSARC/2015/007 Apache FIPS 140-2 mod_ssl module 19173368 Apache should be FIPS-140 ready
diff -r 15356a4ccb21 -r 29c40c98aad3 components/apache24/Makefile
--- a/components/apache24/Makefile Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/Makefile Thu Jan 15 05:22:17 2015 -0800
@@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved. # include ../../make-rules/shared-macros.mk
@@ -45,6 +45,9 @@ PATCH_LEVEL=0 +# We will build two separate mod_ssl versions. +COMPONENT_POST_UNPACK_ACTION = (cd $(SOURCE_DIR)/modules; $(CP) -r ssl ssl-fips-140) + # Some patches need configure script re-creation. COMPONENT_PREP_ACTION +=($(CP) mod_auth_gss/mod_auth_gss.c $(@D)/modules/aaa); COMPONENT_PREP_ACTION +=($(CP) mod_auth_gss/mod_auth_gss.html $(@D)/docs/manual/mod);
diff -r 15356a4ccb21 -r 29c40c98aad3 components/apache24/Solaris/apache24.1m.sunman
--- a/components/apache24/Solaris/apache24.1m.sunman Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/Solaris/apache24.1m.sunman Thu Jan 15 05:22:17 2015 -0800
@@ -1,6 +1,6 @@ '\" te -.\" Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. -.TH apache24 1M "Jul 2014" "SunOS 5.12" "System Administration Commands" +.\" Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved. +.TH apache24 1M "Jan 2015" "SunOS 5.12" "System Administration Commands" .SH NAME apache2 \- Apache HTTP Server Version 2.4 overview .SH SYNOPSIS
@@ -28,6 +28,8 @@ web/server/apache-24/apache-dbd web/server/apache-24/apache-ldap web/server/apache-24/apache-lua +web/server/apache-24/apache-ssl +web/server/apache-24/apache-ssl-fips-140 .fi .in -2 .sp
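Review bot: `COMPONENT_POST_UNPACK_ACTION = (cd $(SOURCE_DIR)/modules; $(CP) -r ssl ssl-fips-140)` joins the two commands with `;`, so a failed `cd` (wrong SOURCE_DIR, changed tarball layout) lets the copy run in whatever the current directory is and the build carries on; `(cd $(SOURCE_DIR)/modules && $(CP) -r ssl ssl-fips-140)` makes that fail loudly. The copy is also taken before patching (the header of the new ssl-fips-140.patch says the directory must exist before it applies), so from this point the two module trees diverge and a later patch to modules/ssl, security fixes included, reaches the FIPS build only if it is applied to modules/ssl-fips-140 as well; a comment such as `# modules/ssl-fips-140 is a pre-patch copy: any patch to modules/ssl must also cover it.` would keep that from being missed. Whether plain `=` here overrides a value set by shared-macros.mk cannot be seen from this hunk.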
@@ -47,9 +49,9 @@ tab(^G) allbox; cw(2.750000i)| cw(2.750000i) lw(2.750000i)| lw(2.750000i). -SMF Property Name^Value -httpd/MPM^event (default), prefork or worker -httpd/startup_options^valid apachectl options +SMF Property Name Value +httpd/MPM event (default), prefork or worker +httpd/startup_options valid apachectl options .TE .SH FILES .sp
diff -r 15356a4ccb21 -r 29c40c98aad3 components/apache24/Solaris/loadmodules.sed
--- a/components/apache24/Solaris/loadmodules.sed Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/Solaris/loadmodules.sed Thu Jan 15 05:22:17 2015 -0800
@@ -20,9 +20,10 @@ # # -# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved. # /LoadModule auth_gss_module/d +/LoadModule ssl_fips_module/d /LoadModule mpm_event_module /i\ \ LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so\
diff -r 15356a4ccb21 -r 29c40c98aad3 components/apache24/apache-24.p5m
--- a/components/apache24/apache-24.p5m Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/apache-24.p5m Thu Jan 15 05:22:17 2015 -0800
@@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved. # default mangler.man.stability uncommitted> \
@@ -269,7 +269,6 @@ file path=usr/apache2/2.4/libexec/mod_socache_memcache.so file path=usr/apache2/2.4/libexec/mod_socache_shmcb.so file path=usr/apache2/2.4/libexec/mod_speling.so -file path=usr/apache2/2.4/libexec/mod_ssl.so file path=usr/apache2/2.4/libexec/mod_status.so file path=usr/apache2/2.4/libexec/mod_substitute.so file path=usr/apache2/2.4/libexec/mod_suexec.so
diff -r 15356a4ccb21 -r 29c40c98aad3 components/apache24/apache-ssl-fips-140.p5m
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/apache-ssl-fips-140.p5m Thu Jan 15 05:22:17 2015 -0800
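Review bot: `/LoadModule ssl_fips_module/d` removes a configure-generated directive without a comment saying why, and nothing in this file explains it. From the rest of the changeset the FIPS copy is configured under the module name ssl_fips but keeps `-export-symbols-regex ssl_module` and is reached through the mediated mod_ssl.so link, so the generated `ssl_fips_module` line presumably could never load and has to go; a line such as `# mod_ssl-fips-140.so is loaded as ssl_module through the mediated mod_ssl.so link; drop the generated ssl_fips_module directive` above it would record that for the next reader.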
@@ -0,0 +1,53 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+#
+
+# prevents "64bit file in 32bit path" errors
+ \
+ add pkg.linted.userland.action001.2 true>
+
+set name=pkg.fmri \
+ value=pkg:/web/server/apache-24/module/apache-ssl-fips-140@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="SSL FIPS 140-2 support plugin for Apache Web Server V2.4"
+set name=com.oracle.info.description \
+ value="the SSL FIPS 140-2 support plugins for Apache Web Server V2.4"
+set name=com.oracle.info.tpno value=$(TPNO)
+set name=info.classification \
+ value="org.opensolaris.category.2008:Web Services/Application and Web Servers"
+set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2015/007
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+
+file usr/apache2/2.4/libexec/mod_ssl_fips.so path=usr/apache2/2.4/libexec/mod_ssl-fips-140.so
+
+link path=usr/apache2/2.4/libexec/mod_ssl.so target=mod_ssl-fips-140.so \
+ mediator=openssl mediator-implementation=fips-140
+
+license apache.license license="Apache v2.0"
+
+depend type=require fmri=__TBD pkg.debug.depend.file=lib/openssl/fips-140/$(MACH64)/libssl.so.1.0.0
+
+# Following dependency is not just to make sure that the main Apache
+# package is installed. It also safes guard situation after mod_ssl.so
+# move from there to here.
+depend type=require fmri=__TBD pkg.debug.depend.file=usr/apache2/2.4/bin/httpd
diff -r 15356a4ccb21 -r 29c40c98aad3 components/apache24/apache-ssl.p5m
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/apache-ssl.p5m Thu Jan 15 05:22:17 2015 -0800
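Review bot: The comment above the last `depend` says the httpd dependency also `safes guard situation after mod_ssl.so move from there to here`, but a require edge from this package to httpd only stops the plugin from being installed without the server; it does nothing for an existing installation that upgrades apache-24, which after this changeset no longer delivers mod_ssl.so (the line is removed in apache-24.p5m) and, in the hunks shown, gains no dependency on either new SSL package. Unless apache-24.p5m or an incorporation outside this changeset requires one of them, a system whose httpd.conf loads ssl_module would come out of the upgrade without any mod_ssl.so until apache-ssl is installed by hand, which is worth confirming before integration. The same three-line comment appears in apache-ssl.p5m; in both I would at least fix the wording to `# package is installed. It also safeguards the situation after mod_ssl.so` / `# moved from there to here.` and state which upgrade scenario the edge is meant to cover.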
@@ -0,0 +1,51 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+#
+
+# prevents "64bit file in 32bit path" errors
+ \
+ add pkg.linted.userland.action001.2 true>
+
+set name=pkg.fmri \
+ value=pkg:/web/server/apache-24/module/apache-ssl@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="SSL (default) support plugin for Apache Web Server V2.4"
+set name=com.oracle.info.description \
+ value="the SSL (default) support plugins for Apache Web Server V2.4"
+set name=com.oracle.info.tpno value=$(TPNO)
+set name=info.classification \
+ value="org.opensolaris.category.2008:Web Services/Application and Web Servers"
+set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2015/007
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+
+file usr/apache2/2.4/libexec/mod_ssl.so path=usr/apache2/2.4/libexec/mod_ssl-default.so
+
+link path=usr/apache2/2.4/libexec/mod_ssl.so target=mod_ssl-default.so \
+ mediator=openssl mediator-implementation=default mediator-priority=vendor
+
+license apache.license license="Apache v2.0"
+
+# Following dependency is not just to make sure that the main Apache
+# package is installed. It also safes guard situation after mod_ssl.so
+# move from there to here.
+depend type=require fmri=__TBD pkg.debug.depend.file=usr/apache2/2.4/bin/httpd
diff -r 15356a4ccb21 -r 29c40c98aad3 components/apache24/patches/httpd.conf.patch
--- a/components/apache24/patches/httpd.conf.patch Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/patches/httpd.conf.patch Thu Jan 15 05:22:17 2015 -0800
@@ -16,7 +16,7 @@ # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure # consult the online docs. You have been warned. -@@ -63,6 +69,12 @@ +@@ -63,6 +69,15 @@ # Example: # LoadModule foo_module modules/mod_foo.so #
@@ -24,12 +24,15 @@ +# mod_session_dbd.so are bundled in separate package "apache-dbd". +# Similarly mod_authnz_ldap.so and mod_ldap.so are bundled in +# separate package "apache-ldap". ++# Also mediated symbolic link mod_ssl.so pointing to mod_ssl-default.so ++# or mod_ssl-fips-140.so is bundled in separate package "apache-ssl" ++# respectively "apache-ssl-fips-140" package. +# And finally mod_lua.so is bundled in separate package "apache-lua". +# @@LoadModule@@ -@@ -74,8 +86,8 @@ +@@ -74,8 +89,8 @@ # It is usually good practice to create a dedicated user and group for # running httpd, as with most system services. #
@@ -40,7 +43,7 @@ -@@ -96,7 +108,7 @@ +@@ -96,7 +111,7 @@ # e-mailed. This address appears on some server-generated pages, such # as error documents. e.g. admin@your-domain.com #
@@ -49,7 +52,7 @@ # # ServerName gives the name and port that the server uses to identify itself. -@@ -105,7 +117,7 @@ +@@ -105,7 +120,7 @@ # # If your host doesn't have a registered DNS name, enter its IP address here. #
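Review bot: The three comment lines added to httpd.conf read awkwardly, `... is bundled in separate package "apache-ssl" respectively "apache-ssl-fips-140" package`, and that is the text an administrator sees when deciding which package to install. I would write them as `# Also the mediated symbolic link mod_ssl.so, which points to either` / `# mod_ssl-default.so or mod_ssl-fips-140.so, is bundled in the separate package` / `# "apache-ssl" or "apache-ssl-fips-140" respectively.` It would also help to say there that the choice between the two is made with the openssl package mediator, since the LoadModule line itself appears to stay the same for both.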
@@ -58,7 +61,7 @@ # # Deny access to the entirety of your server's filesystem. You must -@@ -314,6 +326,10 @@ +@@ -314,6 +329,10 @@ # #AddType text/html .shtml #AddOutputFilter INCLUDES .shtml
@@ -69,7 +72,7 @@ # -@@ -355,48 +371,22 @@ +@@ -355,48 +374,22 @@ # Supplemental configuration #
diff -r 15356a4ccb21 -r 29c40c98aad3 components/apache24/patches/ssl-fips-140.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/patches/ssl-fips-140.patch Thu Jan 15 05:22:17 2015 -0800
@@ -0,0 +1,69 @@
+Patch origin: in-house
+Patch status: Solaris-specific; not suitable for upstream
+
+Will build SSL FIPS version of mod_ssl. Note that modules/ssl-fips-140
+need to be copied from modules/ssl before it can be applied.
+It also makes sure that both mod_ssl versions contains right RPATH.
+
+--- modules/ssl/config.m4
++++ modules/ssl/config.m4
+@@ -44,6 +44,7 @@
+ # structure, so ask libtool to hide everything else:
+ APR_ADDTO(MOD_SSL_LDADD, [-export-symbols-regex ssl_module])
+ fi
++ APR_ADDTO(MOD_LDFLAGS, [-R/lib/openssl/default/64])
+ else
+ enable_ssl=no
+ fi
+--- modules/ssl-fips-140/config.m4
++++ modules/ssl-fips-140/config.m4
+@@ -14,7 +14,7 @@
+ dnl limitations under the License.
+
+ dnl # start of module specific part
+-APACHE_MODPATH_INIT(ssl)
++APACHE_MODPATH_INIT(ssl-fips-140)
+
+ dnl # list of module object files
+ ssl_objs="dnl
+@@ -36,7 +36,7 @@
+ ssl_util_ocsp.lo dnl
+ "
+ dnl # hook module into the Autoconf mechanism (--enable-ssl option)
+-APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [
++APACHE_MODULE(ssl_fips, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [
+ APACHE_CHECK_OPENSSL
+ if test "$ac_cv_openssl" = "yes" ; then
+ if test "x$enable_ssl" = "xshared"; then
+@@ -44,14 +44,13 @@
+ # structure, so ask libtool to hide everything else:
+ APR_ADDTO(MOD_SSL_LDADD, [-export-symbols-regex ssl_module])
+ fi
++ APR_ADDTO(MOD_CFLAGS, [-I/usr/include/openssl/fips-140])
++ APR_ADDTO(MOD_LDFLAGS, [-R/lib/openssl/fips-140/64])
+ else
+ enable_ssl=no
+ fi
+ ])
+
+-# Ensure that other modules can pick up mod_ssl.h
+-APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current])
+-
+ dnl # end of module specific part
+ APACHE_MODPATH_FINISH
+
+--- acinclude.m4
++++ acinclude.m4
+@@ -591,6 +591,12 @@
+ ])
+ if test "x$ac_cv_openssl" = "xyes"; then
+ AC_DEFINE(HAVE_OPENSSL, 1, [Define if OpenSSL is available])
++
++ APR_ADDTO(MOD_LDFLAGS, [$ap_openssl_libs])
++ APR_ADDTO(LIBS, [$ap_openssl_libs])
++ APR_SETVAR(ab_LDFLAGS, [$MOD_LDFLAGS])
++ APACHE_SUBST(ab_CFLAGS)
++ APACHE_SUBST(ab_LDFLAGS)
+ fi
+ ])
+
diff -r 15356a4ccb21 -r 29c40c98aad3 components/apache24/patches/ssl.conf.patch
--- a/components/apache24/patches/ssl.conf.patch Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/patches/ssl.conf.patch Thu Jan 15 05:22:17 2015 -0800
@@ -15,7 +15,18 @@ # -@@ -81,7 +81,7 @@ +@@ -42,6 +42,10 @@ + ## the main server and all SSL-enabled virtual hosts. + ## + ++# Enable FIPS 140 mode, this requires the openssl pkg mediator ++# be set to install the fips-140 version of OpenSSL and mod_ssl. ++#SSLFIPS on ++ + # SSL Cipher Suite: + # List the ciphers that the client is permitted to negotiate. + # See the mod_ssl documentation for a complete list. +@@ -81,7 +85,7 @@ # General setup for the virtual host DocumentRoot "@exp_htdocsdir@"
diff -r 15356a4ccb21 -r 29c40c98aad3 components/apache24/resolve.deps
--- a/components/apache24/resolve.deps Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/resolve.deps Thu Jan 15 05:22:17 2015 -0800
@@ -7,6 +7,7 @@ library/openldap library/pcre library/security/openssl +library/security/openssl/openssl-fips-140 library/zlib runtime/lua runtime/perl-512
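Review bot: The two `APR_ADDTO(MOD_LDFLAGS, ...)` hunks pin each module to one OpenSSL tree by run path, `-R/lib/openssl/default/64` and `-R/lib/openssl/fips-140/64`, while the acinclude.m4 hunk also links httpd itself against `$ap_openssl_libs`; since the FIPS tree ships a library under the same name (the new manifest depends on `lib/openssl/fips-140/$(MACH64)/libssl.so.1.0.0`), the runtime linker will typically bind mod_ssl-fips-140.so to whichever libssl.so.1.0.0 the httpd process already has mapped, and the module's own run path may then decide nothing. Which OpenSSL actually runs in a fips-140-mediated httpd is therefore worth verifying by listing the libraries mapped into a running server, with `SSLFIPS on` in ssl.conf as the fail-closed check, and the result belongs in the patch header. The header should also say why the `# Ensure that other modules can pick up mod_ssl.h` block is dropped only from the ssl-fips-140 copy (presumably so the FIPS tree does not add itself to the global INCLUDES seen by every other module), and `both mod_ssl versions contains right RPATH` should read `both mod_ssl versions contain the right RPATH`.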
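Review bot: The new comment `# Enable FIPS 140 mode, this requires the openssl pkg mediator` / `# be set to install the fips-140 version of OpenSSL and mod_ssl.` is a comma splice and leaves the division of labour between the two settings implicit: the mediator only selects which OpenSSL and which mod_ssl-*.so are installed, while `SSLFIPS on` is what actually switches the library into FIPS mode and, as documented for that directive, makes httpd refuse to start when that is not possible. I would write `# Enable FIPS 140 mode. This requires the openssl package mediator to be set` / `# to fips-140 so the FIPS OpenSSL and mod_ssl-fips-140.so are selected; with` / `# the default implementation selected, httpd will not start with this enabled.` so that nobody takes the mediator setting alone as proof of FIPS operation.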