author | Jonathan Reams <jbreams@mongodb.com> | 2015-05-22 10:44:39 -0400 |
---|---|---|
committer | Jonathan Reams <jbreams@mongodb.com> | 2015-07-14 13:26:58 -0400 |
commit | 27d655f756492dc5c0848204ee88f449859ef8a9 (patch) | |
tree | 978580659197d3277226f4332045d16a1d05f8d7 | |
parent | 66cb570f7b0e5de6dc4a58238e320fcf65396806 (diff) | |
download | mongo-27d655f756492dc5c0848204ee88f449859ef8a9.tar.gz |
SERVER-18371 Add configure check for SSL/FIPS
-rw-r--r-- | SConstruct | 38 | ||||
-rw-r--r-- | etc/evergreen.yml | 18 | ||||
-rw-r--r-- | jstests/ssl/ssl_fips.js | 5 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 2 |
4 files changed, 48 insertions, 15 deletions
diff --git a/SConstruct b/SConstruct index aaedd510ec3..5e938be0df5 100644 --- a/SConstruct +++ b/SConstruct @@ -232,7 +232,6 @@ add_option( "extralib", "comma separated list of libraries (--extralib js_stati # experimental features add_option( "mm", "use main memory instead of memory mapped files" , 0 , True ) add_option( "ssl" , "Enable SSL" , 0 , True ) -add_option( "ssl-fips-capability", "Enable the ability to activate FIPS 140-2 mode", 0, True ); add_option( "rocksdb" , "Enable RocksDB" , 0 , False ) add_option( "wiredtiger", "Enable wiredtiger", "?", True, "wiredtiger", type="choice", choices=["on", "off"], const="on", default="on") @@ -1158,8 +1157,6 @@ if has_option( "ssl" ): else: env.Append( LIBS=["ssl"] ) env.Append( LIBS=["crypto"] ) - if has_option("ssl-fips-capability"): - env.Append( CPPDEFINES=["MONGO_SSL_FIPS"] ) else: env.Append( MONGO_CRYPTO=["tom"] ) @@ -2279,6 +2276,41 @@ def doConfigure(myenv): # ask each module to configure itself and the build environment. moduleconfig.configure_modules(mongo_modules, conf) + def CheckLinkSSL(context): + test_body = """ + #include <openssl/err.h> + #include <openssl/ssl.h> + #include <stdlib.h> + + int main() { + SSL_library_init(); + SSL_load_error_strings(); + ERR_load_crypto_strings(); + + OpenSSL_add_all_algorithms(); + ERR_free_strings(); + return EXIT_SUCCESS; + } + """ + context.Message("Checking if OpenSSL is available...") + ret = context.TryLink(textwrap.dedent(test_body), ".c") + context.Result(ret) + return ret + conf.AddTest("CheckLinkSSL", CheckLinkSSL) + + if has_option("ssl"): + if not conf.CheckLinkSSL(): + print "SSL is enabled, but is unavailable" + Exit(1) + + if conf.CheckDeclaration( + "FIPS_mode_set", + includes=""" + #include <openssl/crypto.h> + #include <openssl/evp.h> + """): + conf.env.Append(CPPDEFINES=['MONGO_HAVE_FIPS_MODE_SET']) + return conf.Finish() env = doConfigure( env ) diff --git a/etc/evergreen.yml b/etc/evergreen.yml index 59bcf075575..b5f56144a25 100644 
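Review bot: `conf.CheckDeclaration("FIPS_mode_set", ...)` in the new doConfigure block only proves that the OpenSSL headers declare the function, so `MONGO_HAVE_FIPS_MODE_SET` gets defined on any OpenSSL whose headers carry that declaration, whether or not the linked libcrypto can actually enter FIPS mode; the removed `--ssl-fips-capability` option at least recorded the builder's intent. The macro name reads like a capability, but the only thing it guarantees is that the `FIPS_mode_set(1)` call compiles, and the real answer arrives at runtime as a zero return. A comment above the check would stop the next reader treating the macro as "FIPS is available": `# Declaration-only check: defines MONGO_HAVE_FIPS_MODE_SET whenever the headers declare FIPS_mode_set(); whether libcrypto can really enter FIPS mode is only learned when FIPS_mode_set(1) runs.` Separately, the CheckLinkSSL probe is linked as `.c` while the sources that consume these headers are C++ (see ssl_manager.cpp in this commit), so `.cpp` would make the probe see the headers the way the real build does. doConfigure begins before this hunk.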
--- a/etc/evergreen.yml
+++ b/etc/evergreen.yml
@@ -2618,7 +2618,7 @@ buildvariants:
push_bucket: downloads.10gen.com
push_name: linux
push_arch: x86_64-enterprise-amzn64
- compile_flags: --ssl --ssl-fips-capability --distmod=amzn64 --release -j$(grep -c ^processor /proc/cpuinfo) --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
+ compile_flags: --ssl --distmod=amzn64 --release -j$(grep -c ^processor /proc/cpuinfo) --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
test_flags: --authMechanism=SCRAM-SHA-1 --continue-on-failure
has_debugsymbols: true
tasks:
@@ -3011,7 +3011,7 @@ buildvariants:
push_arch: x86_64-enterprise-windows-64
msi_target: msi
content_type: application/zip
- compile_flags: --release --64 --ssl --ssl-fips-capability --distmod=windows-64 --extrapath="c:\openssl,c:\sasl,c:\snmp" -j$(grep -c ^processor /proc/cpuinfo) --dynamic-windows --win-version-min=ws08r2 --variant-dir=win32
+ compile_flags: --release --64 --ssl --distmod=windows-64 --extrapath="c:\openssl,c:\sasl,c:\snmp" -j$(grep -c ^processor /proc/cpuinfo) --dynamic-windows --win-version-min=ws08r2 --variant-dir=win32
test_flags: --continue-on-failure
ext: zip
tasks:
@@ -3330,7 +3330,7 @@ buildvariants:
push_bucket: downloads.10gen.com
push_name: linux
push_arch: x86_64-enterprise-rhel57
- compile_flags: --ssl --ssl-fips-capability --distmod=rhel57 -j$(grep -c ^processor /proc/cpuinfo) --release --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
+ compile_flags: --ssl --distmod=rhel57 -j$(grep -c ^processor /proc/cpuinfo) --release --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
test_flags: --continue-on-failure
has_debugsymbols: true
tasks:
@@ -3365,7 +3365,7 @@ buildvariants:
push_bucket: downloads.10gen.com
push_name: linux
push_arch: x86_64-enterprise-rhel62
- compile_flags: --ssl --ssl-fips-capability --distmod=rhel62 -j$(grep -c ^processor /proc/cpuinfo) --release --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
+ compile_flags: --ssl --distmod=rhel62 -j$(grep -c ^processor /proc/cpuinfo) --release --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
test_flags: --continue-on-failure
has_debugsymbols: true
tasks:
@@ -3400,7 +3400,7 @@ buildvariants:
push_bucket: downloads.10gen.com
push_name: linux
push_arch: x86_64-enterprise-rhel70
- compile_flags: --ssl --ssl-fips-capability --distmod=rhel70 -j$(grep -c ^processor /proc/cpuinfo) --release --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
+ compile_flags: --ssl --distmod=rhel70 -j$(grep -c ^processor /proc/cpuinfo) --release --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
test_flags: --continue-on-failure
has_debugsymbols: true
tasks:
@@ -3670,7 +3670,7 @@ buildvariants:
push_bucket: downloads.10gen.com
push_name: linux
push_arch: x86_64-enterprise-ubuntu1204
- compile_flags: --ssl --ssl-fips-capability --distmod=ubuntu1204 --release -j$(grep -c ^processor /proc/cpuinfo) --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
+ compile_flags: --ssl --distmod=ubuntu1204 --release -j$(grep -c ^processor /proc/cpuinfo) --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
test_flags: --authMechanism=SCRAM-SHA-1 --continue-on-failure
has_debugsymbols: true
tasks:
@@ -3705,7 +3705,7 @@ buildvariants:
push_bucket: downloads.10gen.com
push_name: linux
push_arch: x86_64-enterprise-ubuntu1404
- compile_flags: --ssl --ssl-fips-capability --distmod=ubuntu1404 --release -j$(grep -c ^processor /proc/cpuinfo) --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
+ compile_flags: --ssl --distmod=ubuntu1404 --release -j$(grep -c ^processor /proc/cpuinfo) --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
test_flags: --authMechanism=SCRAM-SHA-1 --continue-on-failure
has_debugsymbols: true
tasks:
@@ -3744,7 +3744,7 @@ buildvariants:
push_bucket: downloads.10gen.com
push_name: linux
push_arch: x86_64-enterprise-suse11
- compile_flags: --ssl --ssl-fips-capability --distmod=suse11 --release -j$(grep -c ^processor /proc/cpuinfo) --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
+ compile_flags: --ssl --distmod=suse11 --release -j$(grep -c ^processor /proc/cpuinfo) --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
test_flags: --authMechanism=SCRAM-SHA-1 --continue-on-failure
has_debugsymbols: true
tasks:
@@ -3907,7 +3907,7 @@ buildvariants:
push_bucket: downloads.10gen.com
push_name: linux
push_arch: x86_64-enterprise-debian71
- compile_flags: --ssl --ssl-fips-capability --distmod=debian71 --release -j$(grep -c ^processor /proc/cpuinfo) --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
+ compile_flags: --ssl --distmod=debian71 --release -j$(grep -c ^processor /proc/cpuinfo) --cc=/opt/mongodbtoolchain/bin/gcc --cxx=/opt/mongodbtoolchain/bin/g++ --variant-dir="linux2/release"
test_flags: --authMechanism=SCRAM-SHA-1 --continue-on-failure
has_debugsymbols: true
tasks:
diff --git a/jstests/ssl/ssl_fips.js b/jstests/ssl/ssl_fips.js
index 10d51aef54b..696e0cc883a 100644
--- a/jstests/ssl/ssl_fips.js
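Review bot: With `--ssl-fips-capability` removed from the `compile_flags` of every enterprise variant shown here, nothing in these variants states that a FIPS-capable binary is expected; whether the published build can enter FIPS mode now depends silently on the toolchain OpenSSL the configure check happens to find. For variants that are pushed to downloads.10gen.com that is a release-integrity concern: a build that quietly lost FIPS would not fail anywhere in this file. If FIPS is a requirement for these variants they should carry an explicit expectation again, for instance a variant-level test flag or build-time check that fails when the toolchain OpenSSL cannot enter FIPS mode; if it is best-effort, a one-line comment on each affected variant such as `# FIPS mode availability is detected at configure time, not guaranteed` would at least record the decision.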
+++ b/jstests/ssl/ssl_fips.js @@ -17,8 +17,9 @@ var mongo = runMongoProgram("mongo", "--port", port1, "--ssl", "--sslAllowInvali // if mongo shell didn't start/connect properly if (mongo != 0) { print("mongod failed to start, checking for FIPS support"); - assert(rawMongoProgramOutput().match( - /this version of mongodb was not compiled with FIPS support/)); + mongoOutput = rawMongoProgramOutput() + assert(mongoOutput.match(/this version of mongodb was not compiled with FIPS support/) || + mongoOutput.match(/FIPS_mode_set:fips mode not supported/)) } else { // verify that auth works, SERVER-18051 diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index 30c76950b31..3d0dcd47624 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -579,7 +579,7 @@ namespace mongo { // Turn on FIPS mode if requested. // OPENSSL_FIPS must be defined by the OpenSSL headers, plus MONGO_SSL_FIPS // must be defined via a MongoDB build flag. -#if defined(OPENSSL_FIPS) && defined(MONGO_SSL_FIPS) +#if defined(MONGO_HAVE_FIPS_MODE_SET) int status = FIPS_mode_set(1); if (!status) { severe() << "can't activate FIPS mode: " << |
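Review bot: Accepting `/FIPS_mode_set:fips mode not supported/` as a passing outcome means this test now passes on a build whose OpenSSL cannot enter FIPS mode, so the one test that exercised FIPS no longer fails when FIPS is silently absent; the original assertion only tolerated the deliberate "not compiled with FIPS support" case. At minimum the skip should be loud so CI logs show which case was hit, e.g. `print("FIPS mode not supported by this OpenSSL build, skipping FIPS checks");` in its own branch rather than an `||` that hides which message matched. Also `mongoOutput = rawMongoProgramOutput()` creates an implicit global and both added statements lack semicolons; `var mongoOutput = rawMongoProgramOutput();` matches the `var mongo = ...` line in the hunk header. This hunk is part of the script's top level, which continues on both sides of it.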
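Review bot: The three comment lines kept as context above the changed `#if` still say that `OPENSSL_FIPS` must come from the OpenSSL headers and `MONGO_SSL_FIPS` from a MongoDB build flag, but the new condition is `MONGO_HAVE_FIPS_MODE_SET`, which SConstruct now sets from a configure check, so the comment describes a mechanism this commit removes. Dropping the `OPENSSL_FIPS` guard also means the call is compiled in wherever the headers declare `FIPS_mode_set`, and the `if (!status)` path below becomes the only thing that decides what happens on a non-FIPS libcrypto. Replace the comment with `// Turn on FIPS mode if requested. MONGO_HAVE_FIPS_MODE_SET is defined by the SConstruct configure check when the OpenSSL headers declare FIPS_mode_set(); whether the linked libcrypto can actually enter FIPS mode is only known from the return value of FIPS_mode_set(1), handled below.` The enclosing function begins and ends outside this hunk.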