PSARC/2015/007 Apache FIPS 140-2 mod_ssl module
19173368 Apache should be FIPS-140 ready
--- a/components/apache24/Makefile Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/Makefile Thu Jan 15 05:22:17 2015 -0800
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
#
include ../../make-rules/shared-macros.mk
@@ -45,6 +45,9 @@
PATCH_LEVEL=0
+# We will build two separate mod_ssl versions.
+COMPONENT_POST_UNPACK_ACTION = (cd $(SOURCE_DIR)/modules; $(CP) -r ssl ssl-fips-140)
+
# Some patches need configure script re-creation.
COMPONENT_PREP_ACTION +=($(CP) mod_auth_gss/mod_auth_gss.c $(@D)/modules/aaa);
COMPONENT_PREP_ACTION +=($(CP) mod_auth_gss/mod_auth_gss.html $(@D)/docs/manual/mod);
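Review bot: The new `COMPONENT_POST_UNPACK_ACTION` line chains `cd` and `cp` with `;`, so if `$(SOURCE_DIR)/modules` does not exist the copy still runs, in the current directory, instead of failing the step. Write it as `(cd $(SOURCE_DIR)/modules && $(CP) -r ssl ssl-fips-140)` so a failed `cd` aborts. If this action can be re-run on an already unpacked tree, `cp -r` into an existing `ssl-fips-140` would nest a second `ssl` copy inside it rather than refresh it; removing or testing for the target first avoids that, though whether a re-run is possible depends on how shared-macros.mk drives the unpack step.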
--- a/components/apache24/Solaris/apache24.1m.sunman Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/Solaris/apache24.1m.sunman Thu Jan 15 05:22:17 2015 -0800
@@ -1,6 +1,6 @@
'\" te
-.\" Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
-.TH apache24 1M "Jul 2014" "SunOS 5.12" "System Administration Commands"
+.\" Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+.TH apache24 1M "Jan 2015" "SunOS 5.12" "System Administration Commands"
.SH NAME
apache2 \- Apache HTTP Server Version 2.4 overview
.SH SYNOPSIS
@@ -28,6 +28,8 @@
web/server/apache-24/apache-dbd
web/server/apache-24/apache-ldap
web/server/apache-24/apache-lua
+web/server/apache-24/apache-ssl
+web/server/apache-24/apache-ssl-fips-140
.fi
.in -2
.sp
@@ -47,9 +49,9 @@
tab(^G) allbox;
cw(2.750000i)| cw(2.750000i)
lw(2.750000i)| lw(2.750000i).
-SMF Property Name^Value
-httpd/MPM^event (default), prefork or worker
-httpd/startup_options^valid apachectl options
+SMF Property Name Value
+httpd/MPM event (default), prefork or worker
+httpd/startup_options valid apachectl options
.TE
.SH FILES
.sp
--- a/components/apache24/Solaris/loadmodules.sed Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/Solaris/loadmodules.sed Thu Jan 15 05:22:17 2015 -0800
@@ -20,9 +20,10 @@
#
#
-# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
#
/LoadModule auth_gss_module/d
+/LoadModule ssl_fips_module/d
/LoadModule mpm_event_module /i\
<IfDefine prefork>\
LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so\
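Review bot: The added `/LoadModule ssl_fips_module/d` has no comment saying why the generated line must be removed, unlike a reader would expect for a module that is in fact built and shipped. From the accompanying patch, the fips copy still exports its module as `ssl_module` (its config.m4 keeps `-export-symbols-regex ssl_module`), so a `LoadModule ssl_fips_module` line would fail at startup on a missing symbol, and mod_ssl-fips-140.so is reached only through the mediated mod_ssl.so link. A one-line comment such as `# mod_ssl_fips ships as mod_ssl-fips-140.so behind the mediated mod_ssl.so link and registers as ssl_module; never load it directly` would stop someone re-adding the line.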
--- a/components/apache24/apache-24.p5m Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/apache-24.p5m Thu Jan 15 05:22:17 2015 -0800
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
#
<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
<transform file link hardlink path=usr/apache2/2.4/build/.* -> \
@@ -269,7 +269,6 @@
file path=usr/apache2/2.4/libexec/mod_socache_memcache.so
file path=usr/apache2/2.4/libexec/mod_socache_shmcb.so
file path=usr/apache2/2.4/libexec/mod_speling.so
-file path=usr/apache2/2.4/libexec/mod_ssl.so
file path=usr/apache2/2.4/libexec/mod_status.so
file path=usr/apache2/2.4/libexec/mod_substitute.so
file path=usr/apache2/2.4/libexec/mod_suexec.so
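Review bot: Dropping `file path=usr/apache2/2.4/libexec/mod_ssl.so` from the main package leaves nothing visible in this hunk that pulls in either replacement: the new apache-ssl and apache-ssl-fips-140 manifests require apache-24, but not the other way round. On upgrade of an existing system mod_ssl.so could therefore vanish and an httpd.conf that loads `ssl_module` would stop starting, and a fresh install of apache-24 alone gets no TLS module at all. If the rest of apache-24.p5m does not already cover this, a `depend type=require-any` (or `type=group`) naming the two apache-ssl packages would keep at least one implementation installed. The comment in the new manifests only explains the dependency in the opposite direction.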
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/apache-ssl-fips-140.p5m Thu Jan 15 05:22:17 2015 -0800
@@ -0,0 +1,53 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+#
+
+# prevents "64bit file in 32bit path" errors
+<transform file path=usr/apache2/2.4/libexec/.*\.so -> \
+ add pkg.linted.userland.action001.2 true>
+
+set name=pkg.fmri \
+ value=pkg:/web/server/apache-24/module/apache-ssl-fips-140@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="SSL FIPS 140-2 support plugin for Apache Web Server V2.4"
+set name=com.oracle.info.description \
+ value="the SSL FIPS 140-2 support plugins for Apache Web Server V2.4"
+set name=com.oracle.info.tpno value=$(TPNO)
+set name=info.classification \
+ value="org.opensolaris.category.2008:Web Services/Application and Web Servers"
+set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2015/007
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+
+file usr/apache2/2.4/libexec/mod_ssl_fips.so path=usr/apache2/2.4/libexec/mod_ssl-fips-140.so
+
+link path=usr/apache2/2.4/libexec/mod_ssl.so target=mod_ssl-fips-140.so \
+ mediator=openssl mediator-implementation=fips-140
+
+license apache.license license="Apache v2.0"
+
+depend type=require fmri=__TBD pkg.debug.depend.file=lib/openssl/fips-140/$(MACH64)/libssl.so.1.0.0
+
+# Following dependency is not just to make sure that the main Apache
+# package is installed. It also safes guard situation after mod_ssl.so
+# move from there to here.
+depend type=require fmri=__TBD pkg.debug.depend.file=usr/apache2/2.4/bin/httpd
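Review bot: The comment above the httpd dependency reads `# It also safes guard situation after mod_ssl.so` where `safeguards the situation` is meant; apache-ssl.p5m carries the same text at the same place. It would also help to say what is safeguarded, since a `require` on httpd only guarantees this package is installed alongside apache-24 and does not by itself cover a system where apache-24 is upgraded without either apache-ssl package. Suggested wording: `# Require the main package: it provides httpd, and mod_ssl.so used to be delivered there, so the two must be upgraded together.`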
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/apache-ssl.p5m Thu Jan 15 05:22:17 2015 -0800
@@ -0,0 +1,51 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+#
+
+# prevents "64bit file in 32bit path" errors
+<transform file path=usr/apache2/2.4/libexec/.*\.so -> \
+ add pkg.linted.userland.action001.2 true>
+
+set name=pkg.fmri \
+ value=pkg:/web/server/apache-24/module/apache-ssl@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="SSL (default) support plugin for Apache Web Server V2.4"
+set name=com.oracle.info.description \
+ value="the SSL (default) support plugins for Apache Web Server V2.4"
+set name=com.oracle.info.tpno value=$(TPNO)
+set name=info.classification \
+ value="org.opensolaris.category.2008:Web Services/Application and Web Servers"
+set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2015/007
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+
+file usr/apache2/2.4/libexec/mod_ssl.so path=usr/apache2/2.4/libexec/mod_ssl-default.so
+
+link path=usr/apache2/2.4/libexec/mod_ssl.so target=mod_ssl-default.so \
+ mediator=openssl mediator-implementation=default mediator-priority=vendor
+
+license apache.license license="Apache v2.0"
+
+# Following dependency is not just to make sure that the main Apache
+# package is installed. It also safes guard situation after mod_ssl.so
+# move from there to here.
+depend type=require fmri=__TBD pkg.debug.depend.file=usr/apache2/2.4/bin/httpd
--- a/components/apache24/patches/httpd.conf.patch Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/patches/httpd.conf.patch Thu Jan 15 05:22:17 2015 -0800
@@ -16,7 +16,7 @@
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
-@@ -63,6 +69,12 @@
+@@ -63,6 +69,15 @@
# Example:
# LoadModule foo_module modules/mod_foo.so
#
@@ -24,12 +24,15 @@
+# mod_session_dbd.so are bundled in separate package "apache-dbd".
+# Similarly mod_authnz_ldap.so and mod_ldap.so are bundled in
+# separate package "apache-ldap".
++# Also mediated symbolic link mod_ssl.so pointing to mod_ssl-default.so
++# or mod_ssl-fips-140.so is bundled in separate package "apache-ssl"
++# respectively "apache-ssl-fips-140" package.
+# And finally mod_lua.so is bundled in separate package "apache-lua".
+#
@@LoadModule@@
<IfModule unixd_module>
-@@ -74,8 +86,8 @@
+@@ -74,8 +89,8 @@
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
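Review bot: The three added comment lines read awkwardly — `bundled in separate package "apache-ssl" respectively "apache-ssl-fips-140" package` — and a reader has to work out which package delivers which target. Suggested replacement for the three lines: `# The mediated symbolic link mod_ssl.so (pointing to mod_ssl-default.so` / `# or mod_ssl-fips-140.so) is delivered by the separate packages` / `# "apache-ssl" and "apache-ssl-fips-140" respectively.` The remaining hunks in this file only renumber the inner patch offsets.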
@@ -40,7 +43,7 @@
</IfModule>
-@@ -96,7 +108,7 @@
+@@ -96,7 +111,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. [email protected]
#
@@ -49,7 +52,7 @@
#
# ServerName gives the name and port that the server uses to identify itself.
-@@ -105,7 +117,7 @@
+@@ -105,7 +120,7 @@
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
@@ -58,7 +61,7 @@
#
# Deny access to the entirety of your server's filesystem. You must
-@@ -314,6 +326,10 @@
+@@ -314,6 +329,10 @@
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
@@ -69,7 +72,7 @@
</IfModule>
#
-@@ -355,48 +371,22 @@
+@@ -355,48 +374,22 @@
# Supplemental configuration
#
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/patches/ssl-fips-140.patch Thu Jan 15 05:22:17 2015 -0800
@@ -0,0 +1,69 @@
+Patch origin: in-house
+Patch status: Solaris-specific; not suitable for upstream
+
+Will build SSL FIPS version of mod_ssl. Note that modules/ssl-fips-140
+need to be copied from modules/ssl before it can be applied.
+It also makes sure that both mod_ssl versions contains right RPATH.
+
+--- modules/ssl/config.m4
++++ modules/ssl/config.m4
+@@ -44,6 +44,7 @@
+ # structure, so ask libtool to hide everything else:
+ APR_ADDTO(MOD_SSL_LDADD, [-export-symbols-regex ssl_module])
+ fi
++ APR_ADDTO(MOD_LDFLAGS, [-R/lib/openssl/default/64])
+ else
+ enable_ssl=no
+ fi
+--- modules/ssl-fips-140/config.m4
++++ modules/ssl-fips-140/config.m4
+@@ -14,7 +14,7 @@
+ dnl limitations under the License.
+
+ dnl # start of module specific part
+-APACHE_MODPATH_INIT(ssl)
++APACHE_MODPATH_INIT(ssl-fips-140)
+
+ dnl # list of module object files
+ ssl_objs="dnl
+@@ -36,7 +36,7 @@
+ ssl_util_ocsp.lo dnl
+ "
+ dnl # hook module into the Autoconf mechanism (--enable-ssl option)
+-APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [
++APACHE_MODULE(ssl_fips, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [
+ APACHE_CHECK_OPENSSL
+ if test "$ac_cv_openssl" = "yes" ; then
+ if test "x$enable_ssl" = "xshared"; then
+@@ -44,14 +44,13 @@
+ # structure, so ask libtool to hide everything else:
+ APR_ADDTO(MOD_SSL_LDADD, [-export-symbols-regex ssl_module])
+ fi
++ APR_ADDTO(MOD_CFLAGS, [-I/usr/include/openssl/fips-140])
++ APR_ADDTO(MOD_LDFLAGS, [-R/lib/openssl/fips-140/64])
+ else
+ enable_ssl=no
+ fi
+ ])
+
+-# Ensure that other modules can pick up mod_ssl.h
+-APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current])
+-
+ dnl # end of module specific part
+ APACHE_MODPATH_FINISH
+
+--- acinclude.m4
++++ acinclude.m4
+@@ -591,6 +591,12 @@
+ ])
+ if test "x$ac_cv_openssl" = "xyes"; then
+ AC_DEFINE(HAVE_OPENSSL, 1, [Define if OpenSSL is available])
++
++ APR_ADDTO(MOD_LDFLAGS, [$ap_openssl_libs])
++ APR_ADDTO(LIBS, [$ap_openssl_libs])
++ APR_SETVAR(ab_LDFLAGS, [$MOD_LDFLAGS])
++ APACHE_SUBST(ab_CFLAGS)
++ APACHE_SUBST(ab_LDFLAGS)
+ fi
+ ])
+
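Review bot: In the new modules/ssl-fips-140/config.m4 the module is renamed to `APACHE_MODULE(ssl_fips, ...)`, but the kept lines `if test "x$enable_ssl" = "xshared"; then` and `enable_ssl=no` still reference the original ssl module's variable; APACHE_MODULE derives its enable variable from its first argument, so these should read `enable_ssl_fips`. As written, the shared/static test follows the default module's setting, and an OpenSSL detection failure disables the default mod_ssl instead of the FIPS one. In the acinclude.m4 part, `APR_ADDTO(LIBS, [$ap_openssl_libs])` links every program, httpd included, against the default OpenSSL; it is worth confirming that mod_ssl-fips-140.so, whose `-R/lib/openssl/fips-140/64` only governs its own lookups, really binds to the fips-140 libssl inside a process that already has the default libssl loaded, since otherwise `SSLFIPS on` would run on the wrong library.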
--- a/components/apache24/patches/ssl.conf.patch Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/patches/ssl.conf.patch Thu Jan 15 05:22:17 2015 -0800
@@ -15,7 +15,18 @@
#
-@@ -81,7 +81,7 @@
+@@ -42,6 +42,10 @@
+ ## the main server and all SSL-enabled virtual hosts.
+ ##
+
++# Enable FIPS 140 mode, this requires the openssl pkg mediator
++# be set to install the fips-140 version of OpenSSL and mod_ssl.
++#SSLFIPS on
++
+ # SSL Cipher Suite:
+ # List the ciphers that the client is permitted to negotiate.
+ # See the mod_ssl documentation for a complete list.
+@@ -81,7 +85,7 @@
# General setup for the virtual host
DocumentRoot "@exp_htdocsdir@"
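Review bot: The added `#SSLFIPS on` comment says the openssl mediator must select the fips-140 version but not what happens otherwise: as far as upstream mod_ssl goes, `SSLFIPS` is only accepted when built against a FIPS-capable OpenSSL, so with the default mod_ssl.so the directive is rejected and httpd does not start. Spelling that out, and naming the command, would spare an administrator a confusing startup failure. Suggested comment: `# Enable FIPS 140-2 mode. Requires the openssl mediator to select the fips-140 implementation (pkg set-mediator -I fips-140 openssl), which switches both OpenSSL and mod_ssl.so; with the default implementation httpd rejects this directive at startup.` The inner ssl.conf hunk continues beyond what this diff shows.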
--- a/components/apache24/resolve.deps Thu Jan 08 01:37:15 2015 -0800
+++ b/components/apache24/resolve.deps Thu Jan 15 05:22:17 2015 -0800
@@ -7,6 +7,7 @@
library/openldap
library/pcre
library/security/openssl
+library/security/openssl/openssl-fips-140
library/zlib
runtime/lua
runtime/perl-512