author | Eric Milkie <milkie@10gen.com> | 2014-07-29 16:45:23 -0400 |
---|---|---|
committer | Eric Milkie <milkie@10gen.com> | 2014-07-29 16:47:37 -0400 |
commit | bde74aaee9c11bc238f998373ecc27f19d6f8318 (patch) | |
tree | 630f918f6bf16a903b81f6f58655f3d0905681fa | |
parent | 2ec547c158e1bd7e0339288e0b7ed33ba46e58f6 (diff) | |
download | mongo-bde74aaee9c11bc238f998373ecc27f19d6f8318.tar.gz |
SERVER-9482 add flag to enable activation of FIPS mode (off by default)
(cherry picked from commit 81676bfa36c68b1247f0e08b666e33c3e3875755)
Conflicts:
SConstruct
-rw-r--r-- | SConstruct | 3 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 12 |
2 files changed, 10 insertions, 5 deletions
diff --git a/SConstruct b/SConstruct index 3b306c6dd07..2a1e091363a 100644 --- a/SConstruct +++ b/SConstruct @@ -223,6 +223,7 @@ add_option( "no-glibc-check" , "don't check for new versions of glibc" , 0 , Fal add_option( "mm", "use main memory instead of memory mapped files" , 0 , True ) add_option( "asio" , "Use Asynchronous IO (NOT READY YET)" , 0 , True ) add_option( "ssl" , "Enable SSL" , 0 , True ) +add_option( "ssl-fips-capability", "Enable the ability to activate FIPS 140-2 mode", 0, True ); # library choices add_option( "usev8" , "use v8 for javascript" , 0 , True ) @@ -895,6 +896,8 @@ if has_option( "ssl" ): else: env.Append( LIBS=["ssl"] ) env.Append( LIBS=["crypto"] ) + if has_option("ssl-fips-capability"): + env.Append( CPPDEFINES=["MONGO_SSL_FIPS"] ) try: umask = os.umask(022) diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index c9fa0d7beb7..a40b1c3132d 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -508,17 +508,19 @@ namespace mongo { void SSLManager::_setupFIPS() { // Turn on FIPS mode if requested. -#ifdef OPENSSL_FIPS + // OPENSSL_FIPS must be defined by the OpenSSL headers, plus MONGO_SSL_FIPS + // must be defined via a MongoDB build flag. +#if defined(OPENSSL_FIPS) && defined(MONGO_SSL_FIPS) int status = FIPS_mode_set(1); if (!status) { - error() << "can't activate FIPS mode: " << + severe() << "can't activate FIPS mode: " << getSSLErrorMessage(ERR_get_error()) << endl; - fassertFailed(16703); + fassertFailedNoTrace(16703); } log() << "FIPS 140-2 mode activated" << endl; #else - error() << "this version of mongodb was not compiled with FIPS support"; - fassertFailed(17089); + severe() << "this version of mongodb was not compiled with FIPS support"; + fassertFailedNoTrace(17089); #endif } |
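Review bot: The help text on the added `ssl-fips-capability` option does not say that it only has an effect together with the `ssl` option; that dependency is inferred from the second SConstruct hunk, where the define appears to be appended under `if has_option( "ssl" ):`. The added line also ends in a stray `;`, unlike the neighbouring `add_option` calls. Suggested: `add_option( "ssl-fips-capability", "Enable the ability to activate FIPS 140-2 mode (requires ssl and a FIPS-capable OpenSSL)", 0, True )`.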
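Review bot: Nothing in the added lines checks that the OpenSSL headers being built against define `OPENSSL_FIPS`, so a build with `ssl-fips-capability` against a non-FIPS OpenSSL would configure cleanly and still compile the "not compiled with FIPS support" branch in `ssl_manager.cpp`. The mismatch then surfaces only when FIPS mode is requested at startup (fassert 17089). A configure-time check that fails the build would be stronger; at minimum, add a comment above the `env.Append`: `# MONGO_SSL_FIPS is only honoured when the OpenSSL headers also define OPENSSL_FIPS (see SSLManager::_setupFIPS)`. The enclosing `if has_option( "ssl" ):` block starts outside the hunk.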
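Review bot: The `#else` branch of `_setupFIPS()` is now reached in two different situations, OpenSSL headers without `OPENSSL_FIPS` or a build without `MONGO_SSL_FIPS`, and logs the same message for both, so an operator who hits fassert 17089 cannot tell whether to change the OpenSSL install or the build flags. Naming both requirements in the message would help: `severe() << "this version of mongodb was not compiled with FIPS support (needs a FIPS-capable OpenSSL and the ssl-fips-capability build option)" << endl;`. That line also lacks the `<< endl` used on the other `severe()` call in this function. Aborting when FIPS was requested but cannot be activated is the right fail-closed behaviour and should stay.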