-From 2fa8fedba0968d1c6d21d2c7fa33c903f8984815 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Thu, 25 Jul 2019 15:22:49 +0800
-Subject: [PATCH] haproxy tpm support
-
-original author: Kam Nasim <kam.nasim@windriver.com>
-
-rebased for 1.7.11
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- include/types/global.h | 13 +++++
- src/cfgparse.c | 28 ++++++++++
- src/haproxy.c | 26 ++++++++-
- src/ssl_sock.c | 147 +++++++++++++++++++++++++++++++++++++++++++------
- 4 files changed, 197 insertions(+), 17 deletions(-)
-
-diff --git a/include/types/global.h b/include/types/global.h
-index 10f3a3c..68f2138 100644
---- a/include/types/global.h
-+++ b/include/types/global.h
-@@ -37,6 +37,10 @@
- #include <import/51d.h>
- #endif
-
-+#ifdef USE_OPENSSL
-+#include <openssl/engine.h>
-+#endif
-+
- #ifndef UNIX_MAX_PATH
- #define UNIX_MAX_PATH 108
- #endif
-@@ -79,6 +83,14 @@ enum {
- SSL_SERVER_VERIFY_REQUIRED = 1,
- };
-
-+// WRS: Define a new TPM configuration structure
-+struct tpm_conf {
-+ char *tpm_object;
-+ char *tpm_engine;
-+ EVP_PKEY *tpm_key;
-+ ENGINE *tpm_engine_ref;
-+};
-+
- /* FIXME : this will have to be redefined correctly */
- struct global {
- #ifdef USE_OPENSSL
-@@ -101,6 +113,7 @@ struct global {
- char *connect_default_ciphers;
- int listen_default_ssloptions;
- int connect_default_ssloptions;
-+ struct tpm_conf tpm; // tpm configuration
- #endif
- unsigned int ssl_server_verify; /* default verify mode on servers side */
- struct freq_ctr conn_per_sec;
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 3489f7e..0209874 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -1923,6 +1923,34 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
- env++;
- }
- }
-+ else if (!strcmp(args[0], "tpm-object")) {
-+ if (global.tpm.tpm_object) {
-+ free(global.tpm.tpm_object);
-+ }
-+#ifdef USE_OPENSSL
-+ if (*(args[1]) && (access(args[1], F_OK) != -1)) {
-+ global.tpm.tpm_object = strdup(args[1]);
-+ }
-+#else
-+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
-+ err_code |= ERR_ALERT | ERR_FATAL;
-+ goto out;
-+#endif
-+ }
-+ else if (!strcmp(args[0], "tpm-engine")) {
-+ if (global.tpm.tpm_engine) {
-+ free(global.tpm.tpm_engine);
-+ }
-+#ifdef USE_OPENSSL
-+ if (*(args[1]) && (access(args[1], F_OK) != -1)) {
-+ global.tpm.tpm_engine = strdup(args[1]);
-+ }
-+#else
-+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
-+ err_code |= ERR_ALERT | ERR_FATAL;
-+ goto out;
-+#endif
-+ }
- else {
- struct cfg_kw_list *kwl;
- int index;
-diff --git a/src/haproxy.c b/src/haproxy.c
-index f8a0912..f61dacf 100644
---- a/src/haproxy.c
-+++ b/src/haproxy.c
-@@ -1370,6 +1370,24 @@ static void deinit_stick_rules(struct list *rules)
- }
- }
-
-+static void deinit_tpm_engine()
-+{
-+ /*
-+ * if the tpm engine is present then
-+ * deinit it, this is needed to
-+ * flush the TPM key handle from TPM memory
-+ */
-+ if (global.tpm.tpm_engine_ref) {
-+ ENGINE_finish(global.tpm.tpm_engine_ref);
-+ }
-+
-+ if (global.tpm.tpm_key) {
-+ EVP_PKEY_free(global.tpm.tpm_key);
-+ }
-+ free(global.tpm.tpm_engine); global.tpm.tpm_engine = NULL;
-+ free(global.tpm.tpm_object); global.tpm.tpm_object = NULL;
-+}
-+
- void deinit(void)
- {
- struct proxy *p = proxy, *p0;
-@@ -1646,7 +1664,13 @@ void deinit(void)
-
- free(uap);
- }
--
-+
-+ /* if HAProxy was in TPM mode then deinit
-+ * that configuration as well.
-+ */
-+ if (global.tpm.tpm_object && global.tpm.tpm_object != '\0')
-+ deinit_tpm_engine();
-+
- userlist_free(userlist);
-
- cfg_unregister_sections();
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 87b2584..44d0b48 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -51,6 +51,7 @@
- #ifndef OPENSSL_NO_DH
- #include <openssl/dh.h>
- #endif
-+#include <openssl/engine.h>
-
- #include <import/lru.h>
- #include <import/xxhash.h>
-@@ -2360,6 +2361,80 @@ end:
- return ret;
- }
-
-+/*
-+ * initialize the TPM engine and load the
-+ * TPM object as private key within the Engine.
-+ * Only do this for the first bind since TPM can
-+ * only load 3-4 contexes before it runs out of memory
-+ */
-+static int ssl_sock_load_tpm_key(SSL_CTX *ctx, char **err) {
-+ if (!global.tpm.tpm_object || global.tpm.tpm_object[0] == '\0') {
-+ /* not in TPM mode */
-+ return -1;
-+ }
-+ if (!global.tpm.tpm_key) {
-+ Warning ("Could not find tpm_key; initializing engine\n");
-+ /* no key present; load the dynamic TPM engine */
-+ if (global.tpm.tpm_engine && global.tpm.tpm_engine[0]) {
-+ ENGINE_load_dynamic();
-+ ENGINE *engine = ENGINE_by_id("dynamic");
-+ if (!engine) {
-+ memprintf(err, "%s Unable to load the dynamic engine "
-+ "(needed for loading custom TPM engine)\n",
-+ err && *err ? *err : "");
-+ return 1;
-+ }
-+
-+ ENGINE_ctrl_cmd_string(engine, "SO_PATH", global.tpm.tpm_engine, 0);
-+ ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0);
-+ /* stow away for ENGINE cleanup */
-+ global.tpm.tpm_engine_ref = engine;
-+
-+ if (ENGINE_init(engine) != 1) {
-+ const char *error_str = ERR_error_string(ERR_get_error(), NULL);
-+ memprintf(err, "%s Unable to init the TPM engine (%s). Err: %s\n",
-+ err && *err ? *err : "",
-+ global.tpm.tpm_engine, error_str);
-+ goto tpm_err;
-+ }
-+ EVP_PKEY *pkey = ENGINE_load_private_key(engine,
-+ global.tpm.tpm_object,
-+ NULL, NULL);
-+ if (!pkey) {
-+ const char *error_str = ERR_error_string(ERR_get_error(), NULL);
-+ memprintf(err, "%s Unable to load TPM object (%s). Err: %s\n",
-+ err && *err ? *err : "",
-+ global.tpm.tpm_object, error_str);
-+ goto tpm_err;
-+ }
-+ global.tpm.tpm_key = pkey;
-+ }
-+ else { /* no TPM engine found */
-+ memprintf(err, "%s TPM engine option not set when TPM mode expected\n",
-+ err && *err ? *err : "");
-+ goto tpm_err;
-+ }
-+ }
-+
-+ if (SSL_CTX_use_PrivateKey(ctx, global.tpm.tpm_key) <= 0){
-+ const char *error_str = ERR_error_string(ERR_get_error(),
-+ NULL);
-+ memprintf(err, "%s Invalid private key provided from TPM engine(%s). Err: %s\n",
-+ err && *err ? *err : "",
-+ global.tpm.tpm_object, error_str);
-+ goto tpm_err;
-+ }
-+
-+ return 0;
-+
-+tpm_err:
-+ ENGINE_finish(global.tpm.tpm_engine_ref);
-+ global.tpm.tpm_engine_ref = NULL;
-+ EVP_PKEY_free(global.tpm.tpm_key);
-+ global.tpm.tpm_key = NULL;
-+ return 1;
-+}
-+
- static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err)
- {
- int ret;
-@@ -2372,26 +2447,54 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
- return 1;
- }
-
-- if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
-- memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
-- err && *err ? *err : "", path);
-- SSL_CTX_free(ctx);
-- return 1;
-+ /* NOTE (knasim-wrs): US93721: TPM support
-+ * This SSL context applies to SSL frontends only.
-+ * If the TPM option is set then the Private key
-+ * is stored in TPM.
-+ *
-+ * Launch the OpenSSL TPM engine and load the TPM
-+ * Private Key. The Public key will still be located
-+ * at the provided path and needs to be loaded as
-+ * per usual.
-+ */
-+ if (global.tpm.tpm_object) {
-+ ret = ssl_sock_load_tpm_key(ctx, err);
-+ if (ret > 0) {
-+ /* tpm configuration failed */
-+ SSL_CTX_free(ctx);
-+ return 1;
-+ }
- }
--
-- ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
-- if (ret <= 0) {
-- memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
-- err && *err ? *err : "", path);
-- if (ret < 0) /* serious error, must do that ourselves */
-+ else { /* non TPM mode */
-+ if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
-+ memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
-+ err && *err ? *err : "", path);
- SSL_CTX_free(ctx);
-- return 1;
-+ return 1;
-+ }
- }
-
-- if (SSL_CTX_check_private_key(ctx) <= 0) {
-- memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
-- err && *err ? *err : "", path);
-- return 1;
-+ ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
-+ if (ret <= 0) {
-+ memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
-+ err && *err ? *err : "", path);
-+ if (ret < 0) /* serious error, must do that ourselves */
-+ SSL_CTX_free(ctx);
-+ return 1;
-+ }
-+
-+ /*
-+ * only match the private key to the public key
-+ * for non TPM mode. This op would never work for
-+ * TPM since the private key has been wrapped, whereas
-+ * the public key is still the original one.
-+ */
-+ if (!global.tpm.tpm_object) {
-+ if (SSL_CTX_check_private_key(ctx) <= 0) {
-+ memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
-+ err && *err ? *err : "", path);
-+ return 1;
-+ }
- }
-
- /* we must not free the SSL_CTX anymore below, since it's already in
-@@ -3068,6 +3171,18 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
- cfgerr++;
- return cfgerr;
- }
-+
-+ /* NOTE (knasim-wrs): US93721: TPM support
-+ * This SSL context applies to SSL backends only.
-+ * Since Titanium backends don't support SSL, there
-+ * is no need to offload these keys in TPM or reuse the
-+ * same TPM key for the frontend engine.
-+ *
-+ * If SSL backends are to be supported in the future,
-+ * over TPM, then create a new TPM Engine context and
-+ * load the backend key in TPM, in a similar fashion to
-+ * the frontend key.
-+ */
- if (srv->ssl_ctx.client_crt) {
- if (SSL_CTX_use_PrivateKey_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt, SSL_FILETYPE_PEM) <= 0) {
- Alert("config : %s '%s', server '%s': unable to load SSL private key from PEM file '%s'.\n",
---
-2.7.4
-