meta-starlingx/meta-stx-integ/recipes-connectivity/haproxy/haproxy-1.7.11/haproxy-1.7.11-tpm-support.patch

From 2fa8fedba0968d1c6d21d2c7fa33c903f8984815 Mon Sep 17 00:00:00 2001
From: Jackie Huang <jackie.huang@windriver.com>
Date: Thu, 25 Jul 2019 15:22:49 +0800
Subject: [PATCH] haproxy tpm support

original author: Kam Nasim <kam.nasim@windriver.com>

rebased for 1.7.11

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 include/types/global.h |  13 +++++
 src/cfgparse.c         |  28 ++++++++++
 src/haproxy.c          |  26 ++++++++-
 src/ssl_sock.c         | 147 +++++++++++++++++++++++++++++++++++++++++++------
 4 files changed, 197 insertions(+), 17 deletions(-)

diff --git a/include/types/global.h b/include/types/global.h
index 10f3a3c..68f2138 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -37,6 +37,10 @@
 #include <import/51d.h>
 #endif
 
+#ifdef USE_OPENSSL
+#include <openssl/engine.h>
+#endif
+
 #ifndef UNIX_MAX_PATH
 #define UNIX_MAX_PATH 108
 #endif
@@ -79,6 +83,14 @@ enum {
 	SSL_SERVER_VERIFY_REQUIRED = 1,
 };
 
+// WRS: Define a new TPM configuration structure
+struct tpm_conf {
+    char *tpm_object;
+    char *tpm_engine;
+    EVP_PKEY *tpm_key;
+    ENGINE *tpm_engine_ref;
+};
+
 /* FIXME : this will have to be redefined correctly */
 struct global {
 #ifdef USE_OPENSSL
@@ -101,6 +113,7 @@ struct global {
 	char *connect_default_ciphers;
 	int listen_default_ssloptions;
 	int connect_default_ssloptions;
+	struct tpm_conf tpm; // tpm configuration
 #endif
 	unsigned int ssl_server_verify; /* default verify mode on servers side */
 	struct freq_ctr conn_per_sec;
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 3489f7e..0209874 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -1923,6 +1923,34 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 				env++;
 		}
 	}
+	else if (!strcmp(args[0], "tpm-object")) {
+		if (global.tpm.tpm_object) {
+			free(global.tpm.tpm_object);
+		}
+#ifdef USE_OPENSSL
+		if (*(args[1]) && (access(args[1], F_OK) != -1)) {
+			global.tpm.tpm_object = strdup(args[1]);
+		}
+#else
+		Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+		err_code |= ERR_ALERT | ERR_FATAL;
+		goto out;
+#endif
+    }
+	else if (!strcmp(args[0], "tpm-engine")) {
+		if (global.tpm.tpm_engine) {
+			free(global.tpm.tpm_engine);
+		}
+#ifdef USE_OPENSSL
+		if (*(args[1]) && (access(args[1], F_OK) != -1)) {
+			global.tpm.tpm_engine = strdup(args[1]);
+		}
+#else
+		Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+		err_code |= ERR_ALERT | ERR_FATAL;
+		goto out;
+#endif
+    }
 	else {
 		struct cfg_kw_list *kwl;
 		int index;
diff --git a/src/haproxy.c b/src/haproxy.c
index f8a0912..f61dacf 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1370,6 +1370,24 @@ static void deinit_stick_rules(struct list *rules)
 	}
 }
 
+static void deinit_tpm_engine()
+{
+	/*
+     * if the tpm engine is present then
+     * deinit it, this is needed to
+     * flush the TPM key handle from TPM memory
+     */
+	if (global.tpm.tpm_engine_ref) {
+		ENGINE_finish(global.tpm.tpm_engine_ref);
+	}
+
+	if (global.tpm.tpm_key) {
+		EVP_PKEY_free(global.tpm.tpm_key);
+	}
+	free(global.tpm.tpm_engine);  global.tpm.tpm_engine = NULL;
+	free(global.tpm.tpm_object);  global.tpm.tpm_object = NULL;
+}
+
 void deinit(void)
 {
 	struct proxy *p = proxy, *p0;
@@ -1646,7 +1664,13 @@ void deinit(void)
 
 		free(uap);
 	}
-
+    
+	/* if HAProxy was in TPM mode then deinit
+	 * that configuration as well.
+	 */
+	if (global.tpm.tpm_object && global.tpm.tpm_object != '\0')
+		deinit_tpm_engine();
+    
 	userlist_free(userlist);
 
 	cfg_unregister_sections();
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 87b2584..44d0b48 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -51,6 +51,7 @@
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
+#include <openssl/engine.h>
 
 #include <import/lru.h>
 #include <import/xxhash.h>
@@ -2360,6 +2361,80 @@ end:
 	return ret;
 }
 
+/*
+ * initialize the TPM engine and load the 
+ * TPM object as private key within the Engine.
+ * Only do this for the first bind since TPM can
+ * only load 3-4 contexes before it runs out of memory
+ */
+static int ssl_sock_load_tpm_key(SSL_CTX *ctx, char **err) {
+	if (!global.tpm.tpm_object || global.tpm.tpm_object[0] == '\0') {
+		/* not in TPM mode */
+		return -1;
+	}
+	if (!global.tpm.tpm_key) {
+		Warning ("Could not find tpm_key; initializing engine\n");
+		/* no key present; load the dynamic TPM engine */
+		if (global.tpm.tpm_engine && global.tpm.tpm_engine[0]) {
+			ENGINE_load_dynamic();
+			ENGINE *engine = ENGINE_by_id("dynamic");
+			if (!engine) {
+				memprintf(err, "%s Unable to load the dynamic engine "
+				          "(needed for loading custom TPM engine)\n",
+				          err && *err ? *err : "");
+				return 1;
+            }
+
+			ENGINE_ctrl_cmd_string(engine, "SO_PATH", global.tpm.tpm_engine, 0);
+			ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0);
+			/* stow away for ENGINE cleanup */
+			global.tpm.tpm_engine_ref = engine;
+
+			if (ENGINE_init(engine) != 1) {
+				const char *error_str = ERR_error_string(ERR_get_error(), NULL); 
+				memprintf(err, "%s Unable to init the TPM engine (%s). Err: %s\n",
+				          err && *err ? *err : "", 
+				          global.tpm.tpm_engine, error_str);
+				goto tpm_err;
+			}
+			EVP_PKEY *pkey = ENGINE_load_private_key(engine, 
+			                                         global.tpm.tpm_object,
+			                                         NULL, NULL);
+			if (!pkey) {
+				const char *error_str = ERR_error_string(ERR_get_error(), NULL); 
+				memprintf(err, "%s Unable to load TPM object (%s). Err: %s\n",
+				          err && *err ? *err : "", 
+				          global.tpm.tpm_object, error_str);
+				goto tpm_err;
+			}
+			global.tpm.tpm_key = pkey;
+		}
+		else { /* no TPM engine found */
+			memprintf(err, "%s TPM engine option not set when TPM mode expected\n",
+			          err && *err ? *err : "");
+			goto tpm_err;
+		}
+	} 
+
+	if (SSL_CTX_use_PrivateKey(ctx, global.tpm.tpm_key) <= 0){
+		const char *error_str = ERR_error_string(ERR_get_error(),
+                                                 NULL);
+		memprintf(err, "%s Invalid private key provided from TPM engine(%s). Err: %s\n",
+		          err && *err ? *err : "", 
+		          global.tpm.tpm_object, error_str);
+		goto tpm_err;
+	}
+
+	return 0;
+
+tpm_err:
+	ENGINE_finish(global.tpm.tpm_engine_ref);
+	global.tpm.tpm_engine_ref = NULL;
+	EVP_PKEY_free(global.tpm.tpm_key);
+	global.tpm.tpm_key = NULL;
+	return 1;
+}
+
 static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err)
 {
 	int ret;
@@ -2372,26 +2447,54 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
 		return 1;
 	}
 
-	if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
-		memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
-		          err && *err ? *err : "", path);
-		SSL_CTX_free(ctx);
-		return 1;
+	/* NOTE (knasim-wrs): US93721: TPM support
+	 * This SSL context applies to SSL frontends only.
+	 * If the TPM option is set then the Private key 
+	 * is stored in TPM.
+	 *
+	 * Launch the OpenSSL TPM engine and load the TPM
+	 * Private Key. The Public key will still be located
+	 * at the provided path and needs to be loaded as
+	 * per usual.
+	 */
+	if (global.tpm.tpm_object) {
+		ret = ssl_sock_load_tpm_key(ctx, err);
+		if (ret > 0) {
+			/* tpm configuration failed */
+			SSL_CTX_free(ctx);
+			return 1;
+		}
 	}
-
-	ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
-	if (ret <= 0) {
-		memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
-		          err && *err ? *err : "", path);
-		if (ret < 0) /* serious error, must do that ourselves */
+	else { /* non TPM mode */
+		if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
+			memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
+			          err && *err ? *err : "", path);
 			SSL_CTX_free(ctx);
-		return 1;
+			return 1;
+		}
 	}
 
-	if (SSL_CTX_check_private_key(ctx) <= 0) {
-		memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
-		          err && *err ? *err : "", path);
-		return 1;
+	ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
+		if (ret <= 0) {
+			memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
+					  err && *err ? *err : "", path);
+			if (ret < 0) /* serious error, must do that ourselves */
+				SSL_CTX_free(ctx);
+			return 1;
+		}
+
+	/*
+	 * only match the private key to the public key
+	 * for non TPM mode. This op would never work for
+	 * TPM since the private key has been wrapped, whereas
+	 * the public key is still the original one.
+	 */
+	if (!global.tpm.tpm_object) {
+		if (SSL_CTX_check_private_key(ctx) <= 0) {
+			memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
+			          err && *err ? *err : "", path);
+			return 1;
+		}
 	}
 
 	/* we must not free the SSL_CTX anymore below, since it's already in
@@ -3068,6 +3171,18 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
 		cfgerr++;
 		return cfgerr;
 	}
+
+	/* NOTE (knasim-wrs): US93721: TPM support
+	 * This SSL context applies to SSL backends only.
+	 * Since Titanium backends don't support SSL, there
+	 * is no need to offload these keys in TPM or reuse the
+	 * same TPM key for the frontend engine. 
+	 * 
+	 * If SSL backends are to be supported in the future,
+	 * over TPM, then create a new TPM Engine context and
+	 * load the backend key in TPM, in a similar fashion to
+	 * the frontend key.
+	 */
 	if (srv->ssl_ctx.client_crt) {
 		if (SSL_CTX_use_PrivateKey_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt, SSL_FILETYPE_PEM) <= 0) {
 			Alert("config : %s '%s', server '%s': unable to load SSL private key from PEM file '%s'.\n",
-- 
2.7.4