Relocate haproxy to stx-integ/base/haproxy

Move content from stx-gplv2 into stx-integ

Packages will be relocated to

stx-integ:
    base/
        bash
        cgcs-users
        cluster-resource-agents
        dpkg
        haproxy
        libfdt
        netpbm
        rpm

    database/
        mariadb

    filesystem/
        iscsi-initiator-utils

    filesystem/drbd/
        drbd-tools

    kernel/kernel-modules/
        drbd
        integrity
        intel-e1000e
        intel-i40e
        intel-i40evf
        intel-ixgbe
        intel-ixgbevf
        qat17
        tpmdd

    ldap/
        ldapscripts

    networking/
        iptables
        net-tools

Change-Id: Ia0510ab3c8879bc0ebd15261db2edaa84b346f20
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
Scott Little 2018-08-01 14:21:59 -04:00
parent dfe8464482
commit ad4ba94235
17 changed files with 1071 additions and 0 deletions

15
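--- a/base/haproxy/PKG-INFO
+++ b/base/haproxy/PKG-INFO
@@ -0,0 +1,15 @@
+Metadata-Version: 1.1
+Name: haproxy
+Version: 1.5.18
+Summary: Abstract asynchronous event notification library
+Home-page:
+Author:
+Author-email:
+License: GPLv2+
+Description:
+HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
+availability environments.
+Platform: UNKNOWN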
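Review bot: The `Summary:` line in this new PKG-INFO describes an asynchronous event notification library, which does not match the package it accompanies; the Description two lines below and the spec's own Summary quoted later in this commit both say TCP/HTTP reverse proxy, so this looks like a copy from another package's metadata. Suggest `Summary: TCP/HTTP proxy and load balancer for high availability environments`, matching SPECS/haproxy.spec. The empty `Home-page:`/`Author:` fields could also carry the upstream URL and maintainer shown in the spec patches, but that is optional.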


@ -0,0 +1,2 @@
COPY_LIST="haproxy/*"
TIS_PATCH_VER=7


@ -0,0 +1,27 @@
From 79f025b91d461a948ca6449eb25a11a6c89144b5 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 7/7] WRS: 0001-Update-package-versioning-for-TIS-format.patch
Conflicts:
SPECS/haproxy.spec
---
SPECS/haproxy.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index c1547ef..097aa79 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -8,7 +8,7 @@
Name: haproxy
Version: 1.5.18
-Release: 6%{?dist}
+Release: 6.el7%{?_tis_dist}.%{tis_patch_ver}
Summary: TCP/HTTP proxy and load balancer for high availability environments
Group: System Environment/Daemons
--
1.9.1


@ -0,0 +1,7 @@
spec-include-TiS-config.patch
haproxy-spec-add-init-script.patch
spec-add-haproxy-env-var-patch.patch
meta_remove_bad_logrotate.patch
haproxy-service-file.patch
meta_add_support_for_tpm.patch
0001-Update-package-versioning-for-TIS-format.patch


@ -0,0 +1,26 @@
From c4d74c67ee001af849e7a30e824cc0f8e38ef948 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 5/7] WRS: haproxy-service-file.patch
---
SOURCES/haproxy.service | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/SOURCES/haproxy.service b/SOURCES/haproxy.service
index 2d4c954..c2f1086 100644
--- a/SOURCES/haproxy.service
+++ b/SOURCES/haproxy.service
@@ -4,7 +4,8 @@ After=syslog.target network.target
[Service]
EnvironmentFile=/etc/sysconfig/haproxy
-ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid $OPTIONS
+ExecStart=/etc/init.d/haproxy start
+ExecStop=/etc/init.d/haproxy stop
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
--
1.9.1
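Review bot: `ExecStart=/etc/init.d/haproxy start` hands the daemon to an init script that backgrounds it (the script's OPTS in this commit pass `-D`), while `ExecReload=/bin/kill -USR2 $MAINPID` is kept unchanged; unless the unit's `Type=` and `PIDFile=` (outside this hunk) are `forking` and `/var/run/haproxy.pid`, systemd will treat the service as finished when the script exits and `$MAINPID` will not point at haproxy, so reload and failure tracking silently break. Suggest adding `Type=forking` and `PIDFile=/var/run/haproxy.pid` under `[Service]`, or confirming they are already present above the hunk. `EnvironmentFile=/etc/sysconfig/haproxy` is retained although `$OPTIONS` is no longer consumed by ExecStart; either drop it or note in the unit that the init script ignores it.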


@ -0,0 +1,47 @@
From 959767df3285a81f1c5650018ed846fe90a68c9d Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 2/7] WRS: haproxy-spec-add-init-script.patch
---
SPECS/haproxy.spec | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index 42ddeb0..cbd9161 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -21,6 +21,7 @@ Source2: %{name}.cfg
Source3: %{name}.logrotate
Source4: %{name}.sysconfig
Source5: halog.1
+Source10: %{name}.sh
# WRS
Source6: 503.http
@@ -81,11 +82,14 @@ popd
%{__make} install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux2628"
%{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}
+mkdir -p /etc/init.d
+
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
%{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
+%{__install} -p -D -m 0755 %{SOURCE10} %{buildroot}/etc/init.d/%{name}
%{__install} -d -m 0755 %{buildroot}%{haproxy_home}
%{__install} -d -m 0755 %{buildroot}%{haproxy_datadir}
%{__install} -d -m 0755 %{buildroot}%{_bindir}
@@ -149,6 +153,7 @@ fi
%{_bindir}/halog
%{_bindir}/iprange
%{_mandir}/man1/*
+/etc/init.d/%{name}
%attr(-,%{haproxy_user},%{haproxy_group}) %dir %{haproxy_home}
# WRS
--
1.9.1
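Review bot: `mkdir -p /etc/init.d` in the `%install` hunk creates the directory on the build host rather than under `%{buildroot}`, and it is not needed at all because the `%{__install} -p -D` line added below it creates the target directory itself; drop the line (or use `mkdir -p %{buildroot}%{_initddir}`). The `%files` entry `/etc/init.d/%{name}` hardcodes the path; prefer `%{_initddir}/%{name}`, and consider marking it `%config` since init scripts are commonly edited on site. Both the `%install` and `%files` sections continue beyond the hunks.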


@ -0,0 +1,42 @@
From a5329bf1468f55c8d6b983e5999c12139dc7479d Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 6/7] WRS: meta_add_support_for_tpm.patch
---
SPECS/haproxy.spec | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index 3d112e0..c1547ef 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -30,6 +30,7 @@ Patch1: iprange-return-type.patch
Patch2: haproxy-tcp-user-timeout.patch
Patch3: haproxy-systemd-wrapper-exit-code.patch
Patch4: haproxy-env-var.patch
+Patch5: haproxy-tpm-support.patch
BuildRequires: pcre-devel
BuildRequires: zlib-devel
@@ -41,6 +42,9 @@ Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
+Requires: tpm2-openssl-engine
+
+
%description
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
availability environments. Indeed, it can:
@@ -62,6 +66,7 @@ availability environments. Indeed, it can:
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
%build
regparm_opts=
--
1.9.1


@ -0,0 +1,40 @@
From 3eac39ba534b92dbcb3a898442b09be7acc389bb Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 4/7] WRS: meta_remove_bad_logrotate.patch
---
SPECS/haproxy.spec | 3 ---
1 file changed, 3 deletions(-)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index af94d46..3d112e0 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -18,7 +18,6 @@ URL: http://www.haproxy.org/
Source0: http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.gz
Source1: %{name}.service
Source2: %{name}.cfg
-Source3: %{name}.logrotate
Source4: %{name}.sysconfig
Source5: halog.1
Source10: %{name}.sh
@@ -88,7 +87,6 @@ mkdir -p /etc/init.d
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
%{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
-%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
%{__install} -p -D -m 0755 %{SOURCE10} %{buildroot}/etc/init.d/%{name}
@@ -147,7 +145,6 @@ fi
%dir %{haproxy_datadir}
%{haproxy_datadir}/*
%config(noreplace) %{haproxy_confdir}/%{name}.cfg
-%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_unitdir}/%{name}.service
%{_sbindir}/%{name}
--
1.9.1


@ -0,0 +1,32 @@
From 2e37207c026047e2ce1bc9a5278faddfea81c011 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 3/7] WRS: spec-add-haproxy-env-var-patch.patch
---
SPECS/haproxy.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index cbd9161..af94d46 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -30,6 +30,7 @@ Patch0: halog-unused-variables.patch
Patch1: iprange-return-type.patch
Patch2: haproxy-tcp-user-timeout.patch
Patch3: haproxy-systemd-wrapper-exit-code.patch
+Patch4: haproxy-env-var.patch
BuildRequires: pcre-devel
BuildRequires: zlib-devel
@@ -61,6 +62,7 @@ availability environments. Indeed, it can:
%patch1 -p0
%patch2 -p1
%patch3 -p1
+%patch4 -p1
%build
regparm_opts=
--
1.9.1


@ -0,0 +1,58 @@
From 419d06285552bc31dce214d37edb925b4a82c68b Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH 1/7] WRS: spec-include-TiS-config.patch
---
SPECS/haproxy.spec | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index b4dde9e..42ddeb0 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -22,6 +22,9 @@ Source3: %{name}.logrotate
Source4: %{name}.sysconfig
Source5: halog.1
+# WRS
+Source6: 503.http
+
Patch0: halog-unused-variables.patch
Patch1: iprange-return-type.patch
Patch2: haproxy-tcp-user-timeout.patch
@@ -79,7 +82,7 @@ popd
%{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
-%{__install} -p -D -m 0644 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
+%{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
@@ -106,6 +109,11 @@ do
%{__rm} -f $textfile.old
done
+# WRS
+%{__install} -d 755 %{buildroot}/etc/haproxy/errors/
+%{__install} -m 755 %{SOURCE6} %{buildroot}/etc/haproxy/errors/503.http
+
+
%pre
getent group %{haproxy_group} >/dev/null || groupadd -f -g 188 -r %{haproxy_group}
if ! getent passwd %{haproxy_user} >/dev/null ; then
@@ -143,6 +151,10 @@ fi
%{_mandir}/man1/*
%attr(-,%{haproxy_user},%{haproxy_group}) %dir %{haproxy_home}
+# WRS
+%dir /etc/haproxy/errors/
+/etc/haproxy/errors/*
+
%changelog
* Mon May 01 2017 Ryan O'Hara <rohara@redhat.com> - 1.5.18-6
- Use KillMode=mixed in systemd service file (#1444709)
--
1.9.1
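Review bot: `%{__install} -d 755 %{buildroot}/etc/haproxy/errors/` in the third hunk is missing the `-m` flag, so install treats `755` as a second directory operand and creates a stray directory literally named `755` in the build cwd; use `%{__install} -d -m 0755 %{buildroot}/etc/haproxy/errors/`. The next line installs `503.http`, a static error page, with mode 0755, which puts an executable bit on a data file; `-m 0644` is appropriate. In the `%files` hunk `/etc/haproxy/errors/*` is shipped without `%config(noreplace)`, so a site-customised error page is overwritten on upgrade. The change of `%{name}.cfg` to 0640 in the second hunk is a sound tightening, since the config may carry credentials.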


@ -0,0 +1 @@
mirror:Source/haproxy-1.5.18-6.el7.src.rpm


@ -0,0 +1,9 @@
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>


@ -0,0 +1,245 @@
Index: haproxy-1.5.11/src/cfgparse.c
===================================================================
--- haproxy-1.5.11.orig/src/cfgparse.c
+++ haproxy-1.5.11/src/cfgparse.c
@@ -5789,12 +5789,19 @@ out:
*/
int readcfgfile(const char *file)
{
- char thisline[LINESIZE];
+ char *thisline;
+ int linesize = LINESIZE;
FILE *f;
int linenum = 0;
int err_code = 0;
struct cfg_section *cs = NULL;
struct cfg_section *ics;
+ int readbytes = 0;
+
+ if ((thisline = malloc(sizeof(*thisline) * linesize)) == NULL) {
+ Alert("parsing [%s] : out of memory.\n", file);
+ return -1;
+ }
/* Register internal sections */
if (!cfg_register_section("listen", cfg_parse_listen) ||
@@ -5810,11 +5817,14 @@ int readcfgfile(const char *file)
if ((f=fopen(file,"r")) == NULL)
return -1;
- while (fgets(thisline, sizeof(thisline), f) != NULL) {
+next_line:
+ while (fgets(thisline + readbytes, linesize - readbytes, f) != NULL) {
int arg, kwm = KWM_STD;
char *end;
char *args[MAX_LINE_ARGS + 1];
char *line = thisline;
+ int dquote = 0; /* double quote */
+ int squote = 0; /* simple quote */
linenum++;
@@ -5824,11 +5834,25 @@ int readcfgfile(const char *file)
/* Check if we reached the limit and the last char is not \n.
* Watch out for the last line without the terminating '\n'!
*/
- Alert("parsing [%s:%d]: line too long, limit: %d.\n",
- file, linenum, (int)sizeof(thisline)-1);
- err_code |= ERR_ALERT | ERR_FATAL;
+ char *newline;
+ int newlinesize = linesize * 2;
+
+ newline = realloc(thisline, sizeof(*thisline) * newlinesize);
+ if (newline == NULL) {
+ Alert("parsing [%s:%d]: line too long, cannot allocate memory.\n",
+ file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ continue;
+ }
+
+ readbytes = linesize - 1;
+ linesize = newlinesize;
+ thisline = newline;
+ continue;
}
+ readbytes = 0;
+
/* skip leading spaces */
while (isspace((unsigned char)*line))
line++;
@@ -5837,10 +5861,26 @@ int readcfgfile(const char *file)
args[arg] = line;
while (*line && arg < MAX_LINE_ARGS) {
- /* first, we'll replace \\, \<space>, \#, \r, \n, \t, \xXX with their
- * C equivalent value. Other combinations left unchanged (eg: \1).
- */
- if (*line == '\\') {
+ if (*line == '"' && !squote) { /* double quote outside single quotes */
+ if (dquote)
+ dquote = 0;
+ else
+ dquote = 1;
+ memmove(line, line + 1, end - line);
+ end--;
+ }
+ else if (*line == '\'' && !dquote) { /* single quote outside double quotes */
+ if (squote)
+ squote = 0;
+ else
+ squote = 1;
+ memmove(line, line + 1, end - line);
+ end--;
+ }
+ else if (*line == '\\' && !squote) {
+ /* first, we'll replace \\, \<space>, \#, \r, \n, \t, \xXX with their
+ * C equivalent value. Other combinations left unchanged (eg: \1).
+ */
int skip = 0;
if (line[1] == ' ' || line[1] == '\\' || line[1] == '#') {
*line = line[1];
@@ -5872,6 +5912,15 @@ int readcfgfile(const char *file)
Alert("parsing [%s:%d] : invalid or incomplete '\\x' sequence in '%s'.\n", file, linenum, args[0]);
err_code |= ERR_ALERT | ERR_FATAL;
}
+ } else if (line[1] == '"') {
+ *line = '"';
+ skip = 1;
+ } else if (line[1] == '\'') {
+ *line = '\'';
+ skip = 1;
+ } else if (line[1] == '$' && dquote) { /* escaping of $ only inside double quotes */
+ *line = '$';
+ skip = 1;
}
if (skip) {
memmove(line + 1, line + 1 + skip, end - (line + skip));
@@ -5879,23 +5928,117 @@ int readcfgfile(const char *file)
}
line++;
}
- else if (*line == '#' || *line == '\n' || *line == '\r') {
+ else if ((!squote && !dquote && *line == '#') || *line == '\n' || *line == '\r') {
/* end of string, end of loop */
*line = 0;
break;
}
- else if (isspace((unsigned char)*line)) {
+ else if (!squote && !dquote && isspace((unsigned char)*line)) {
/* a non-escaped space is an argument separator */
*line++ = '\0';
while (isspace((unsigned char)*line))
line++;
args[++arg] = line;
}
+ else if (dquote && *line == '$') {
+ /* environment variables are evaluated inside double quotes */
+ char *var_beg;
+ char *var_end;
+ char save_char;
+ char *value;
+ int val_len;
+ int newlinesize;
+ int braces = 0;
+
+ var_beg = line + 1;
+ var_end = var_beg;
+
+ if (*var_beg == '{') {
+ var_beg++;
+ var_end++;
+ braces = 1;
+ }
+
+ if (!isalpha((int)(unsigned char)*var_beg) && *var_beg != '_') {
+ Alert("parsing [%s:%d] : Variable expansion: Unrecognized character '%c' in variable name.\n", file, linenum, *var_beg);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto next_line; /* skip current line */
+ }
+
+ while (isalnum((int)(unsigned char)*var_end) || *var_end == '_')
+ var_end++;
+
+ save_char = *var_end;
+ *var_end = '\0';
+ value = getenv(var_beg);
+ *var_end = save_char;
+ val_len = value ? strlen(value) : 0;
+
+ if (braces) {
+ if (*var_end == '}') {
+ var_end++;
+ braces = 0;
+ } else {
+ Alert("parsing [%s:%d] : Variable expansion: Mismatched braces.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto next_line; /* skip current line */
+ }
+ }
+
+ newlinesize = (end - thisline) - (var_end - line) + val_len + 1;
+
+ /* if not enough space in thisline */
+ if (newlinesize > linesize) {
+ char *newline;
+
+ newline = realloc(thisline, newlinesize * sizeof(*thisline));
+ if (newline == NULL) {
+ Alert("parsing [%s:%d] : Variable expansion: Not enough memory.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto next_line; /* slip current line */
+ }
+ /* recompute pointers if realloc returns a new pointer */
+ if (newline != thisline) {
+ int i;
+ int diff;
+
+ for (i = 0; i <= arg; i++) {
+ diff = args[i] - thisline;
+ args[i] = newline + diff;
+ }
+
+ diff = var_end - thisline;
+ var_end = newline + diff;
+ diff = end - thisline;
+ end = newline + diff;
+ diff = line - thisline;
+ line = newline + diff;
+ thisline = newline;
+ }
+ linesize = newlinesize;
+ }
+
+ /* insert value inside the line */
+ memmove(line + val_len, var_end, end - var_end + 1);
+ memcpy(line, value, val_len);
+ end += val_len - (var_end - line);
+ line += val_len;
+ }
else {
line++;
}
}
+ if (dquote) {
+ Alert("parsing [%s:%d] : Mismatched double quotes.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ }
+
+ if (squote) {
+ Alert("parsing [%s:%d] : Mismatched simple quotes.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ }
+
/* empty line */
if (!**args)
continue;
@@ -5966,6 +6109,7 @@ int readcfgfile(const char *file)
break;
}
cursection = NULL;
+ free(thisline);
fclose(f);
return err_code;
}
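Review bot: `thisline` is now allocated with `malloc` at the top of `readcfgfile`, but the early `return -1` when `fopen` fails (the context lines opening the second hunk) still returns without releasing it; only the normal exit path gained `free(thisline)`. Change that return to `{ free(thisline); return -1; }` or move the allocation after the `fopen`. The new `dquote && *line == '$'` branch substitutes `getenv` results into configuration lines, so anything in the daemon's environment, including whatever an `EnvironmentFile=` hands to the service, can now influence the parsed config; a comment there stating that the environment is a trust boundary would help operators reason about it. `readcfgfile` continues between and beyond the hunks.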


@ -0,0 +1,319 @@
From a2a25214f6f4913b774bdd6c0b80d3ea424d3a1b Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Wed, 22 Mar 2017 12:07:24 -0400
Subject: [PATCH] haproxy tpm support
---
include/types/global.h | 13 +++++
src/cfgparse.c | 28 ++++++++++
src/haproxy.c | 26 ++++++++-
src/ssl_sock.c | 147 +++++++++++++++++++++++++++++++++++++++++++------
4 files changed, 197 insertions(+), 17 deletions(-)
diff --git a/include/types/global.h b/include/types/global.h
index f1525ae..2e9c077 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -30,6 +30,10 @@
#include <types/proxy.h>
#include <types/task.h>
+#ifdef USE_OPENSSL
+#include <openssl/engine.h>
+#endif
+
#ifndef UNIX_MAX_PATH
#define UNIX_MAX_PATH 108
#endif
@@ -71,6 +75,14 @@ enum {
SSL_SERVER_VERIFY_REQUIRED = 1,
};
+// WRS: Define a new TPM configuration structure
+struct tpm_conf {
+ char *tpm_object;
+ char *tpm_engine;
+ EVP_PKEY *tpm_key;
+ ENGINE *tpm_engine_ref;
+};
+
/* FIXME : this will have to be redefined correctly */
struct global {
#ifdef USE_OPENSSL
@@ -87,6 +99,7 @@ struct global {
char *connect_default_ciphers;
int listen_default_ssloptions;
int connect_default_ssloptions;
+ struct tpm_conf tpm; // tpm configuration
#endif
unsigned int ssl_server_verify; /* default verify mode on servers side */
struct freq_ctr conn_per_sec;
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 6a7f80c..3bc6e79 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -1541,6 +1541,34 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
goto out;
#endif
}
+ else if (!strcmp(args[0], "tpm-object")) {
+ if (global.tpm.tpm_object) {
+ free(global.tpm.tpm_object);
+ }
+#ifdef USE_OPENSSL
+ if (*(args[1]) && (access(args[1], F_OK) != -1)) {
+ global.tpm.tpm_object = strdup(args[1]);
+ }
+#else
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif
+ }
+ else if (!strcmp(args[0], "tpm-engine")) {
+ if (global.tpm.tpm_engine) {
+ free(global.tpm.tpm_engine);
+ }
+#ifdef USE_OPENSSL
+ if (*(args[1]) && (access(args[1], F_OK) != -1)) {
+ global.tpm.tpm_engine = strdup(args[1]);
+ }
+#else
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif
+ }
else {
struct cfg_kw_list *kwl;
int index;
diff --git a/src/haproxy.c b/src/haproxy.c
index 862697d..2a1a0dc 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -959,6 +959,24 @@ static void deinit_stick_rules(struct list *rules)
}
}
+static void deinit_tpm_engine()
+{
+ /*
+ * if the tpm engine is present then
+ * deinit it, this is needed to
+ * flush the TPM key handle from TPM memory
+ */
+ if (global.tpm.tpm_engine_ref) {
+ ENGINE_finish(global.tpm.tpm_engine_ref);
+ }
+
+ if (global.tpm.tpm_key) {
+ EVP_PKEY_free(global.tpm.tpm_key);
+ }
+ free(global.tpm.tpm_engine); global.tpm.tpm_engine = NULL;
+ free(global.tpm.tpm_object); global.tpm.tpm_object = NULL;
+}
+
void deinit(void)
{
struct proxy *p = proxy, *p0;
@@ -1218,7 +1236,13 @@ void deinit(void)
free(uap);
}
-
+
+ /* if HAProxy was in TPM mode then deinit
+ * that configuration as well.
+ */
+ if (global.tpm.tpm_object && global.tpm.tpm_object != '\0')
+ deinit_tpm_engine();
+
userlist_free(userlist);
protocol_unbind_all();
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ead4c7b..4e16026 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -50,6 +50,7 @@
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
+#include <openssl/engine.h>
#include <common/buffer.h>
#include <common/compat.h>
@@ -1115,6 +1116,80 @@ end:
return ret;
}
+/*
+ * initialize the TPM engine and load the
+ * TPM object as private key within the Engine.
+ * Only do this for the first bind since TPM can
+ * only load 3-4 contexes before it runs out of memory
+ */
+static int ssl_sock_load_tpm_key(SSL_CTX *ctx, char **err) {
+ if (!global.tpm.tpm_object || global.tpm.tpm_object[0] == '\0') {
+ /* not in TPM mode */
+ return -1;
+ }
+ if (!global.tpm.tpm_key) {
+ Warning ("Could not find tpm_key; initializing engine\n");
+ /* no key present; load the dynamic TPM engine */
+ if (global.tpm.tpm_engine && global.tpm.tpm_engine[0]) {
+ ENGINE_load_dynamic();
+ ENGINE *engine = ENGINE_by_id("dynamic");
+ if (!engine) {
+ memprintf(err, "%s Unable to load the dynamic engine "
+ "(needed for loading custom TPM engine)\n",
+ err && *err ? *err : "");
+ return 1;
+ }
+
+ ENGINE_ctrl_cmd_string(engine, "SO_PATH", global.tpm.tpm_engine, 0);
+ ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0);
+ /* stow away for ENGINE cleanup */
+ global.tpm.tpm_engine_ref = engine;
+
+ if (ENGINE_init(engine) != 1) {
+ const char *error_str = ERR_error_string(ERR_get_error(), NULL);
+ memprintf(err, "%s Unable to init the TPM engine (%s). Err: %s\n",
+ err && *err ? *err : "",
+ global.tpm.tpm_engine, error_str);
+ goto tpm_err;
+ }
+ EVP_PKEY *pkey = ENGINE_load_private_key(engine,
+ global.tpm.tpm_object,
+ NULL, NULL);
+ if (!pkey) {
+ const char *error_str = ERR_error_string(ERR_get_error(), NULL);
+ memprintf(err, "%s Unable to load TPM object (%s). Err: %s\n",
+ err && *err ? *err : "",
+ global.tpm.tpm_object, error_str);
+ goto tpm_err;
+ }
+ global.tpm.tpm_key = pkey;
+ }
+ else { /* no TPM engine found */
+ memprintf(err, "%s TPM engine option not set when TPM mode expected\n",
+ err && *err ? *err : "");
+ goto tpm_err;
+ }
+ }
+
+ if (SSL_CTX_use_PrivateKey(ctx, global.tpm.tpm_key) <= 0){
+ const char *error_str = ERR_error_string(ERR_get_error(),
+ NULL);
+ memprintf(err, "%s Invalid private key provided from TPM engine(%s). Err: %s\n",
+ err && *err ? *err : "",
+ global.tpm.tpm_object, error_str);
+ goto tpm_err;
+ }
+
+ return 0;
+
+tpm_err:
+ ENGINE_finish(global.tpm.tpm_engine_ref);
+ global.tpm.tpm_engine_ref = NULL;
+ EVP_PKEY_free(global.tpm.tpm_key);
+ global.tpm.tpm_key = NULL;
+ return 1;
+}
+
static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err)
{
int ret;
@@ -1127,26 +1202,54 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
return 1;
}
- if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
- memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
- err && *err ? *err : "", path);
- SSL_CTX_free(ctx);
- return 1;
+ /* NOTE (knasim-wrs): US93721: TPM support
+ * This SSL context applies to SSL frontends only.
+ * If the TPM option is set then the Private key
+ * is stored in TPM.
+ *
+ * Launch the OpenSSL TPM engine and load the TPM
+ * Private Key. The Public key will still be located
+ * at the provided path and needs to be loaded as
+ * per usual.
+ */
+ if (global.tpm.tpm_object) {
+ ret = ssl_sock_load_tpm_key(ctx, err);
+ if (ret > 0) {
+ /* tpm configuration failed */
+ SSL_CTX_free(ctx);
+ return 1;
+ }
}
-
- ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
- if (ret <= 0) {
- memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
- err && *err ? *err : "", path);
- if (ret < 0) /* serious error, must do that ourselves */
+ else { /* non TPM mode */
+ if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
+ memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
+ err && *err ? *err : "", path);
SSL_CTX_free(ctx);
- return 1;
+ return 1;
+ }
}
- if (SSL_CTX_check_private_key(ctx) <= 0) {
- memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
- err && *err ? *err : "", path);
- return 1;
+ ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
+ if (ret <= 0) {
+ memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
+ err && *err ? *err : "", path);
+ if (ret < 0) /* serious error, must do that ourselves */
+ SSL_CTX_free(ctx);
+ return 1;
+ }
+
+ /*
+ * only match the private key to the public key
+ * for non TPM mode. This op would never work for
+ * TPM since the private key has been wrapped, whereas
+ * the public key is still the original one.
+ */
+ if (!global.tpm.tpm_object) {
+ if (SSL_CTX_check_private_key(ctx) <= 0) {
+ memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
+ err && *err ? *err : "", path);
+ return 1;
+ }
}
/* we must not free the SSL_CTX anymore below, since it's already in
@@ -1725,6 +1828,18 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
cfgerr++;
return cfgerr;
}
+
+ /* NOTE (knasim-wrs): US93721: TPM support
+ * This SSL context applies to SSL backends only.
+ * Since Titanium backends don't support SSL, there
+ * is no need to offload these keys in TPM or reuse the
+ * same TPM key for the frontend engine.
+ *
+ * If SSL backends are to be supported in the future,
+ * over TPM, then create a new TPM Engine context and
+ * load the backend key in TPM, in a similar fashion to
+ * the frontend key.
+ */
if (srv->ssl_ctx.client_crt) {
if (SSL_CTX_use_PrivateKey_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt, SSL_FILETYPE_PEM) <= 0) {
Alert("config : %s '%s', server '%s': unable to load SSL private key from PEM file '%s'.\n",
--
1.8.3.1
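Review bot: In the `cfg_parse_global` hunk, `tpm-object` and `tpm-engine` free the previous value but only assign a new one when `access(args[1], F_OK)` succeeds, so a repeated keyword with a missing path leaves `global.tpm.tpm_object`/`tpm_engine` dangling, and `deinit_tpm_engine` and `ssl_sock_load_cert_file` later dereference them; set the pointer to NULL immediately after `free()`, and raise a config error instead of silently falling back to non-TPM mode when the path does not exist. In `deinit`, `global.tpm.tpm_object != '\0'` compares the pointer with NULL and merely repeats the first operand; the intended test is `global.tpm.tpm_object[0] != '\0'`. In `ssl_sock_load_tpm_key` the two `ENGINE_ctrl_cmd_string` return values are unchecked, `tpm_err` calls `ENGINE_finish` on an engine that may never have passed `ENGINE_init`, and the reference from `ENGINE_by_id` is not released with `ENGINE_free`; I cannot see which OpenSSL version this targets, so please verify the expected cleanup sequence. Skipping `SSL_CTX_check_private_key` in TPM mode means a certificate/key mismatch is only discovered at handshake time, which deserves an explicit comment in `ssl_sock_load_cert_file`.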


@ -0,0 +1,80 @@
# this config needs haproxy-1.1.28 or haproxy-1.2.1
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 4096
chroot /usr/share/haproxy
uid 99
gid 99
daemon
#debug
#quiet
defaults
log global
mode http
option httplog
option dontlognull
retries 3
option redispatch
maxconn 2000
timeout connect 5000
timeout client 50000
timeout server 50000
listen appli1-rewrite 0.0.0.0:10001
cookie SERVERID rewrite
balance roundrobin
server app1_1 192.168.34.23:8080 cookie app1inst1 check inter 2000 rise 2 fall 5
server app1_2 192.168.34.32:8080 cookie app1inst2 check inter 2000 rise 2 fall 5
server app1_3 192.168.34.27:8080 cookie app1inst3 check inter 2000 rise 2 fall 5
server app1_4 192.168.34.42:8080 cookie app1inst4 check inter 2000 rise 2 fall 5
listen appli2-insert 0.0.0.0:10002
option httpchk
balance roundrobin
cookie SERVERID insert indirect nocache
server inst1 192.168.114.56:80 cookie server01 check inter 2000 fall 3
server inst2 192.168.114.56:81 cookie server02 check inter 2000 fall 3
capture cookie vgnvisitor= len 32
option httpclose # disable keep-alive
rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address
listen appli3-relais 0.0.0.0:10003
dispatch 192.168.135.17:80
listen appli4-backup 0.0.0.0:10004
option httpchk /index.html
option persist
balance roundrobin
server inst1 192.168.114.56:80 check inter 2000 fall 3
server inst2 192.168.114.56:81 check inter 2000 fall 3 backup
listen ssl-relay 0.0.0.0:8443
option ssl-hello-chk
balance source
server inst1 192.168.110.56:443 check inter 2000 fall 3
server inst2 192.168.110.57:443 check inter 2000 fall 3
server back1 192.168.120.58:443 backup
listen appli5-backup 0.0.0.0:10005
option httpchk *
balance roundrobin
cookie SERVERID insert indirect nocache
server inst1 192.168.114.56:80 cookie server01 check inter 2000 fall 3
server inst2 192.168.114.56:81 cookie server02 check inter 2000 fall 3
server inst3 192.168.114.57:80 backup check inter 2000 fall 3
capture cookie ASPSESSION len 32
timeout server 20000
option httpclose # disable keep-alive
option checkcache # block response if set-cookie & cacheable
rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address
errorloc 502 http://192.168.114.58/error502.html
errorfile 503 /etc/haproxy/errors/503.http
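Review bot: The header comment `# this config needs haproxy-1.1.28 or haproxy-1.2.1` is stale for the 1.5.18 package this file ships with, and the `listen` sections below bind `0.0.0.0` on 10001-10005 and 8443 to example backends, so the packaged default opens ports on every interface if the service is enabled before the file is replaced (I cannot tell from this page whether it is enabled by default). Suggest replacing the header with `# sample configuration shipped with haproxy 1.5.18; replace the listen sections before enabling the service` and binding the examples to `127.0.0.1`. The `errorfile 503 /etc/haproxy/errors/503.http` line added at the end matches the path installed by the spec patch in this commit.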

120
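--- a/base/haproxy/haproxy/haproxy.sh
+++ b/base/haproxy/haproxy/haproxy.sh
@@ -0,0 +1,120 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: HA-Proxy
+# Required-Start: networking
+# Required-Stop: networking
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: HA-Proxy TCP/HTTP reverse proxy
+# Description: HA-Proxy is a TCP/HTTP reverse proxy
+### END INIT INFO
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/haproxy
+NAME=haproxy
+DESC="HA-Proxy TCP/HTTP reverse proxy"
+PIDFILE="/var/run/$NAME.pid"
+TPM_DATA_DIR="/var/run/TPM_haproxy/"
+OPTS="-D -f /etc/haproxy/haproxy.cfg -p $PIDFILE"
+RETVAL=0
+# This is only needed till TPM In-Kernel
+# ResourceMgr comes in
+remove_TPM_transients () {
+_HANDLES=`find $TPM_DATA_DIR -type f -name "hp*.bin" -printf "%f "`
+for handle in $_HANDLES; do
+handle_addr=`echo $handle | sed 's/hp\([0-9]*\)\.bin/\1/g'`
+tss2_flushcontext -ha $handle_addr &> /dev/null
+done
+rm -f $TPM_DATA_DIR/*
+}
+start() {
+if [ -e $PIDFILE ]; then
+PIDDIR=/proc/$(cat $PIDFILE)
+if [ -d $PIDDIR ]; then
+echo "$DESC already running."
+return
+else
+echo "Removing stale PID file $PIDFILE"
+rm -f $PIDFILE
+fi
+fi
+# TODO: This is a temporary workaround till
+# we eventually add a resource manager for TPM
+mkdir -p $TPM_DATA_DIR
+echo -n "Starting $NAME: "
+TPM_DATA_DIR=$TPM_DATA_DIR start-stop-daemon --start --pidfile $PIDFILE -x "$DAEMON" -- $OPTS
+RETVAL=$?
+if [ $RETVAL -eq 0 ]; then
+echo "done."
+else
+remove_TPM_transients
+echo "failed."
+fi
+}
+stop() {
+if [ ! -e $PIDFILE ]; then return; fi
+echo -n "Stopping $DESC..."
+start-stop-daemon --stop --quiet --retry 3 --oknodo --pidfile $PIDFILE -x "$DAEMON"
+if [ -n "`pidof $DAEMON`" ] ; then
+pkill -KILL -f $DAEMON
+fi
+echo "done."
+rm -f $PIDFILE
+rm -f /var/lock/subsys/$NAME
+remove_TPM_transients
+}
+status()
+{
+pid=`cat $PIDFILE 2>/dev/null`
+if [ -n "$pid" ]; then
+if ps -p $pid &>/dev/null ; then
+echo "$DESC is running"
+RETVAL=0
+return
+else
+RETVAL=1
+fi
+fi
+echo "$DESC is not running"
+RETVAL=1
+}
+check() {
+/usr/sbin/$NAME -c -q -V -f /etc/$NAME/$NAME.cfg
+}
+# See how we were called.
+case "$1" in
+start)
+start
+;;
+stop)
+stop
+;;
+restart|force-reload|reload)
+stop
+start
+;;
+status)
+status
+;;
+check)
+check
+;;
+*)
+echo "Usage: $0 {start|stop|force-reload|restart|reload|status|check}"
+RETVAL=1
+;;
+esac
+exit $RETVAL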
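Review bot: `&> /dev/null` in `remove_TPM_transients` and `&>/dev/null` in `status()` are bash-only redirections, but the script declares `#!/bin/sh`; under a POSIX sh such as dash `cmd &> f` parses as `cmd &` followed by `> f`, so `tss2_flushcontext` is backgrounded and `if ps -p $pid &>/dev/null` tests the always-zero status of a background job, making `status` report running whenever a pid file exists. Replace them with `tss2_flushcontext -ha "$handle_addr" >/dev/null 2>&1` and `if ps -p "$pid" >/dev/null 2>&1 ; then`. Separately, `pkill -KILL -f $DAEMON` in `stop()` kills any process whose command line contains `/usr/sbin/haproxy`, not only the daemon started here; prefer the pid recorded in `$PIDFILE` or `pkill -KILL -x haproxy`. `stop()` also removes `/var/lock/subsys/$NAME`, which `start()` never creates, so either create it on start or drop the removal.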


@ -131,3 +131,4 @@ base/cgcs-users
base/cluster-resource-agents
base/libfdt
base/bash
base/haproxy