PSARC/2015/007 Apache FIPS 140-2 mod_ssl module
authorPetr Sumbera <petr.sumbera@oracle.com>
Thu, 15 Jan 2015 05:22:17 -0800
changeset 3648 29c40c98aad3
parent 3647 15356a4ccb21
child 3649 4006eaaa7d29
PSARC/2015/007 Apache FIPS 140-2 mod_ssl module 19173368 Apache should be FIPS-140 ready
components/apache24/Makefile
components/apache24/Solaris/apache24.1m.sunman
components/apache24/Solaris/loadmodules.sed
components/apache24/apache-24.p5m
components/apache24/apache-ssl-fips-140.p5m
components/apache24/apache-ssl.p5m
components/apache24/patches/httpd.conf.patch
components/apache24/patches/ssl-fips-140.patch
components/apache24/patches/ssl.conf.patch
components/apache24/resolve.deps
--- a/components/apache24/Makefile	Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/Makefile	Thu Jan 15 05:22:17 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
@@ -45,6 +45,9 @@
 
 PATCH_LEVEL=0
 
+# We will build two separate mod_ssl versions.
+COMPONENT_POST_UNPACK_ACTION = (cd $(SOURCE_DIR)/modules; $(CP) -r ssl ssl-fips-140)
+
 # Some patches need configure script re-creation.
 COMPONENT_PREP_ACTION +=($(CP) mod_auth_gss/mod_auth_gss.c $(@D)/modules/aaa);
 COMPONENT_PREP_ACTION +=($(CP) mod_auth_gss/mod_auth_gss.html $(@D)/docs/manual/mod);
--- a/components/apache24/Solaris/apache24.1m.sunman	Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/Solaris/apache24.1m.sunman	Thu Jan 15 05:22:17 2015 -0800
@@ -1,6 +1,6 @@
 '\" te
-.\" Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
-.TH apache24 1M "Jul 2014" "SunOS 5.12" "System Administration Commands"
+.\" Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+.TH apache24 1M "Jan 2015" "SunOS 5.12" "System Administration Commands"
 .SH NAME
 apache2 \- Apache HTTP Server Version 2.4 overview
 .SH SYNOPSIS
@@ -28,6 +28,8 @@
 web/server/apache-24/apache-dbd
 web/server/apache-24/apache-ldap
 web/server/apache-24/apache-lua
+web/server/apache-24/apache-ssl
+web/server/apache-24/apache-ssl-fips-140
 .fi
 .in -2
 .sp
@@ -47,9 +49,9 @@
 tab(^G) allbox;
 cw(2.750000i)| cw(2.750000i)
 lw(2.750000i)| lw(2.750000i).
-SMF Property Name^Value 
-httpd/MPM^event (default), prefork or worker 
-httpd/startup_options^valid apachectl options
+SMF Property Name	Value
+httpd/MPM	event (default), prefork or worker
+httpd/startup_options	valid apachectl options
 .TE
 .SH FILES
 .sp
--- a/components/apache24/Solaris/loadmodules.sed	Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/Solaris/loadmodules.sed	Thu Jan 15 05:22:17 2015 -0800
@@ -20,9 +20,10 @@
 #
 
 #
-# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 /LoadModule auth_gss_module/d
+/LoadModule ssl_fips_module/d
 /LoadModule mpm_event_module /i\
 <IfDefine prefork>\
 LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so\
--- a/components/apache24/apache-24.p5m	Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/apache-24.p5m	Thu Jan 15 05:22:17 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 <transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
 <transform file link hardlink path=usr/apache2/2.4/build/.* -> \
@@ -269,7 +269,6 @@
 file path=usr/apache2/2.4/libexec/mod_socache_memcache.so
 file path=usr/apache2/2.4/libexec/mod_socache_shmcb.so
 file path=usr/apache2/2.4/libexec/mod_speling.so
-file path=usr/apache2/2.4/libexec/mod_ssl.so
 file path=usr/apache2/2.4/libexec/mod_status.so
 file path=usr/apache2/2.4/libexec/mod_substitute.so
 file path=usr/apache2/2.4/libexec/mod_suexec.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/apache-ssl-fips-140.p5m	Thu Jan 15 05:22:17 2015 -0800
@@ -0,0 +1,53 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+#
+
+# prevents "64bit file in 32bit path" errors
+<transform file path=usr/apache2/2.4/libexec/.*\.so -> \
+    add pkg.linted.userland.action001.2 true>
+
+set name=pkg.fmri \
+    value=pkg:/web/server/apache-24/module/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="SSL FIPS 140-2 support plugin for Apache Web Server V2.4"
+set name=com.oracle.info.description \
+    value="the SSL FIPS 140-2 support plugins for Apache Web Server V2.4"
+set name=com.oracle.info.tpno value=$(TPNO)
+set name=info.classification \
+    value="org.opensolaris.category.2008:Web Services/Application and Web Servers"
+set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2015/007
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+
+file usr/apache2/2.4/libexec/mod_ssl_fips.so path=usr/apache2/2.4/libexec/mod_ssl-fips-140.so
+
+link path=usr/apache2/2.4/libexec/mod_ssl.so target=mod_ssl-fips-140.so \
+    mediator=openssl mediator-implementation=fips-140
+
+license apache.license license="Apache v2.0"
+
+depend type=require fmri=__TBD pkg.debug.depend.file=lib/openssl/fips-140/$(MACH64)/libssl.so.1.0.0
+
+# Following dependency is not just to make sure that the main Apache
+# package is installed. It also safes guard situation after mod_ssl.so
+# move from there to here.
+depend type=require fmri=__TBD pkg.debug.depend.file=usr/apache2/2.4/bin/httpd
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/apache-ssl.p5m	Thu Jan 15 05:22:17 2015 -0800
@@ -0,0 +1,51 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+#
+
+# prevents "64bit file in 32bit path" errors
+<transform file path=usr/apache2/2.4/libexec/.*\.so -> \
+    add pkg.linted.userland.action001.2 true>
+
+set name=pkg.fmri \
+    value=pkg:/web/server/apache-24/module/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="SSL (default) support plugin for Apache Web Server V2.4"
+set name=com.oracle.info.description \
+    value="the SSL (default) support plugins for Apache Web Server V2.4"
+set name=com.oracle.info.tpno value=$(TPNO)
+set name=info.classification \
+    value="org.opensolaris.category.2008:Web Services/Application and Web Servers"
+set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2015/007
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+
+file usr/apache2/2.4/libexec/mod_ssl.so path=usr/apache2/2.4/libexec/mod_ssl-default.so
+
+link path=usr/apache2/2.4/libexec/mod_ssl.so target=mod_ssl-default.so \
+    mediator=openssl mediator-implementation=default mediator-priority=vendor
+
+license apache.license license="Apache v2.0"
+
+# Following dependency is not just to make sure that the main Apache
+# package is installed. It also safes guard situation after mod_ssl.so
+# move from there to here.
+depend type=require fmri=__TBD pkg.debug.depend.file=usr/apache2/2.4/bin/httpd
--- a/components/apache24/patches/httpd.conf.patch	Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/patches/httpd.conf.patch	Thu Jan 15 05:22:17 2015 -0800
@@ -16,7 +16,7 @@
  # Do NOT simply read the instructions in here without understanding
  # what they do.  They're here only as hints or reminders.  If you are unsure
  # consult the online docs. You have been warned.  
[email protected]@ -63,6 +69,12 @@
[email protected]@ -63,6 +69,15 @@
  # Example:
  # LoadModule foo_module modules/mod_foo.so
  #
@@ -24,12 +24,15 @@
 +# mod_session_dbd.so are bundled in separate package "apache-dbd".
 +# Similarly mod_authnz_ldap.so and mod_ldap.so are bundled in
 +# separate package "apache-ldap".
++# Also mediated symbolic link mod_ssl.so pointing to mod_ssl-default.so
++# or mod_ssl-fips-140.so is bundled in separate package "apache-ssl"
++# respectively "apache-ssl-fips-140" package.
 +# And finally mod_lua.so is bundled in separate package "apache-lua".
 +#
  @@[email protected]@
  
  <IfModule unixd_module>
[email protected]@ -74,8 +86,8 @@
[email protected]@ -74,8 +89,8 @@
  # It is usually good practice to create a dedicated user and group for
  # running httpd, as with most system services.
  #
@@ -40,7 +43,7 @@
  
  </IfModule>
  
[email protected]@ -96,7 +108,7 @@
[email protected]@ -96,7 +111,7 @@
  # e-mailed.  This address appears on some server-generated pages, such
  # as error documents.  e.g. [email protected]
  #
@@ -49,7 +52,7 @@
  
  #
  # ServerName gives the name and port that the server uses to identify itself.
[email protected]@ -105,7 +117,7 @@
[email protected]@ -105,7 +120,7 @@
  #
  # If your host doesn't have a registered DNS name, enter its IP address here.
  #
@@ -58,7 +61,7 @@
  
  #
  # Deny access to the entirety of your server's filesystem. You must
[email protected]@ -314,6 +326,10 @@
[email protected]@ -314,6 +329,10 @@
      #
      #AddType text/html .shtml
      #AddOutputFilter INCLUDES .shtml
@@ -69,7 +72,7 @@
  </IfModule>
  
  #
[email protected]@ -355,48 +371,22 @@
[email protected]@ -355,48 +374,22 @@
  
  # Supplemental configuration
  #
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/patches/ssl-fips-140.patch	Thu Jan 15 05:22:17 2015 -0800
@@ -0,0 +1,69 @@
+Patch origin: in-house
+Patch status: Solaris-specific; not suitable for upstream
+
+Will build SSL FIPS version of mod_ssl. Note that modules/ssl-fips-140
+need to be copied from modules/ssl before it can be applied.
+It also makes sure that both mod_ssl versions contains right RPATH.
+
+--- modules/ssl/config.m4
++++ modules/ssl/config.m4
[email protected]@ -44,6 +44,7 @@
+            # structure, so ask libtool to hide everything else:
+            APR_ADDTO(MOD_SSL_LDADD, [-export-symbols-regex ssl_module])
+         fi
++        APR_ADDTO(MOD_LDFLAGS, [-R/lib/openssl/default/64])
+     else
+         enable_ssl=no
+     fi
+--- modules/ssl-fips-140/config.m4
++++ modules/ssl-fips-140/config.m4
[email protected]@ -14,7 +14,7 @@
+ dnl limitations under the License.
+ 
+ dnl #  start of module specific part
+-APACHE_MODPATH_INIT(ssl)
++APACHE_MODPATH_INIT(ssl-fips-140)
+ 
+ dnl #  list of module object files
+ ssl_objs="dnl
[email protected]@ -36,7 +36,7 @@
+ ssl_util_ocsp.lo dnl
+ "
+ dnl #  hook module into the Autoconf mechanism (--enable-ssl option)
+-APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [
++APACHE_MODULE(ssl_fips, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [
+     APACHE_CHECK_OPENSSL
+     if test "$ac_cv_openssl" = "yes" ; then
+         if test "x$enable_ssl" = "xshared"; then
[email protected]@ -44,14 +44,13 @@
+            # structure, so ask libtool to hide everything else:
+            APR_ADDTO(MOD_SSL_LDADD, [-export-symbols-regex ssl_module])
+         fi
++        APR_ADDTO(MOD_CFLAGS, [-I/usr/include/openssl/fips-140])
++        APR_ADDTO(MOD_LDFLAGS, [-R/lib/openssl/fips-140/64])
+     else
+         enable_ssl=no
+     fi
+ ])
+ 
+-# Ensure that other modules can pick up mod_ssl.h
+-APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current])
+-
+ dnl #  end of module specific part
+ APACHE_MODPATH_FINISH
+ 
+--- acinclude.m4
++++ acinclude.m4
[email protected]@ -591,6 +591,12 @@
+   ])
+   if test "x$ac_cv_openssl" = "xyes"; then
+     AC_DEFINE(HAVE_OPENSSL, 1, [Define if OpenSSL is available])
++
++    APR_ADDTO(MOD_LDFLAGS, [$ap_openssl_libs])
++    APR_ADDTO(LIBS, [$ap_openssl_libs])
++    APR_SETVAR(ab_LDFLAGS, [$MOD_LDFLAGS])
++    APACHE_SUBST(ab_CFLAGS)
++    APACHE_SUBST(ab_LDFLAGS)
+   fi
+ ])
+ 
--- a/components/apache24/patches/ssl.conf.patch	Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/patches/ssl.conf.patch	Thu Jan 15 05:22:17 2015 -0800
@@ -15,7 +15,18 @@
  
  
  #
[email protected]@ -81,7 +81,7 @@
[email protected]@ -42,6 +42,10 @@
+ ##  the main server and all SSL-enabled virtual hosts.
+ ##
+ 
++#   Enable FIPS 140 mode, this requires the openssl pkg mediator
++#   be set to install the fips-140 version of OpenSSL and mod_ssl.
++#SSLFIPS on 
++
+ #   SSL Cipher Suite:
+ #   List the ciphers that the client is permitted to negotiate.
+ #   See the mod_ssl documentation for a complete list.
[email protected]@ -81,7 +85,7 @@
  
  #   General setup for the virtual host
  DocumentRoot "@[email protected]"
--- a/components/apache24/resolve.deps	Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/resolve.deps	Thu Jan 15 05:22:17 2015 -0800
@@ -7,6 +7,7 @@
 library/openldap
 library/pcre
 library/security/openssl
+library/security/openssl/openssl-fips-140
 library/zlib
 runtime/lua
 runtime/perl-512