From ccefe007a90f9bb170355e058558b4637dc1a359 Mon Sep 17 00:00:00 2001 From: Grant Zhang Date: Sat, 21 Jan 2017 01:10:18 +0000 Subject: [PATCH 1/2] ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used. --- doc/configuration.txt | 16 +++++++++ src/ssl_sock.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index 06a1a2a..37e2e01 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -591,6 +591,7 @@ The following keywords are supported in the "global" section : - spread-checks - server-state-base - server-state-file + - ssl-engine - tune.buffers.limit - tune.buffers.reserve - tune.bufsize @@ -1265,6 +1266,21 @@ spread-checks <0..50, in percent> and +/- 50%. A value between 2 and 5 seems to show good results. The default value remains at 0. +ssl-engine [algo ] + Sets the OpenSSL engine to . List of valid values for may be + obtained using the command "openssl engine". This statement may be used + multiple times, it will simply enable multiple crypto engines. Referencing an + unsupported engine will prevent haproxy from starting. Note that many engines + will lead to lower HTTPS performance than pure software with recent + processors. The optional command "algo" sets the default algorithms an ENGINE + will supply using the OPENSSL function ENGINE_set_default_string(). A value + of "ALL" uses the engine for all cryptographic operations. If no list of + algo is specified then the value of "ALL" is used. A comma-seperated list + of different algorithms may be specified, including: RSA, DSA, DH, EC, RAND, + CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1. This is the same format that + openssl configuration file uses: + https://www.openssl.org/docs/man1.0.2/apps/config.html + tune.buffers.limit Sets a hard limit on the number of buffers which may be allocated per process. The default value is zero which means unlimited. The minimum non-zero value diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 48ad1b2..971c5a9 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -52,6 +52,7 @@ #ifndef OPENSSL_NO_DH #include #endif +#include #include #include @@ -178,6 +179,8 @@ static int ssl_capture_ptr_index = -1; struct list tlskeys_reference = LIST_HEAD_INIT(tlskeys_reference); #endif +static unsigned int openssl_engines_initialized; + #ifndef OPENSSL_NO_DH static int ssl_dh_ptr_index = -1; static DH *global_dh = NULL; @@ -273,6 +276,42 @@ struct ocsp_cbk_arg { }; }; +static int ssl_init_single_engine(const char *engine_id, const char *def_algorithms) +{ + int err_code = ERR_ABORT; + ENGINE *engine; + + /* grab the structural reference to the engine */ + engine = ENGINE_by_id(engine_id); + if (engine == NULL) { + Alert("ssl-engine %s: failed to get structural reference\n", engine_id); + goto fail_get; + } + + if (!ENGINE_init(engine)) { + /* the engine couldn't initialise, release it */ + Alert("ssl-engine %s: failed to initialize\n", engine_id); + goto fail_init; + } + + if (ENGINE_set_default_string(engine, def_algorithms) == 0) { + Alert("ssl-engine %s: failed on ENGINE_set_default_string\n", engine_id); + goto fail_set_method; + } + err_code = 0; + +fail_set_method: + /* release the functional reference from ENGINE_init() */ + ENGINE_finish(engine); + +fail_init: + /* release the structural reference from ENGINE_by_id() */ + ENGINE_free(engine); + +fail_get: + return err_code; +} + /* * This function returns the number of seconds elapsed * since the Epoch, 1970-01-01 00:00:00 +0000 (UTC) and the @@ -6956,6 +6995,48 @@ static int ssl_parse_global_ca_crt_base(char **args, int section_type, struct pr return 0; } +/* parse the "ssl-engine" keyword in global section. + * Returns <0 on alert, >0 on warning, 0 on success. + */ +static int ssl_parse_global_ssl_engine(char **args, int section_type, struct proxy *curpx, + struct proxy *defpx, const char *file, int line, + char **err) +{ + char *algo; + int ret = -1; + + if (*(args[1]) == 0) { + memprintf(err, "global statement '%s' expects a valid engine name as an argument.", args[0]); + return ret; + } + + if (*(args[2]) == 0) { + /* if no list of algorithms is given, it defaults to ALL */ + algo = strdup("ALL"); + goto add_engine; + } + + /* otherwise the expected format is ssl-engine algo */ + if (strcmp(args[2], "algo") != 0) { + memprintf(err, "global statement '%s' expects to have algo keyword.", args[0]); + return ret; + } + + if (*(args[3]) == 0) { + memprintf(err, "global statement '%s' expects algorithm names as an argument.", args[0]); + return ret; + } + algo = strdup(args[3]); + +add_engine: + if (ssl_init_single_engine(args[1], algo)==0) { + openssl_engines_initialized++; + ret = 0; + } + free(algo); + return ret; +} + /* parse the "ssl-default-bind-ciphers" / "ssl-default-server-ciphers" keywords * in global section. Returns <0 on alert, >0 on warning, 0 on success. */ @@ -7563,6 +7644,7 @@ static struct cfg_kw_list cfg_kws = {ILH, { #ifndef OPENSSL_NO_DH { CFG_GLOBAL, "ssl-dh-param-file", ssl_parse_global_dh_param_file }, #endif + { CFG_GLOBAL, "ssl-engine", ssl_parse_global_ssl_engine }, { CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int }, #ifndef OPENSSL_NO_DH { CFG_GLOBAL, "tune.ssl.default-dh-param", ssl_parse_global_default_dh }, @@ -7636,6 +7718,7 @@ static void __ssl_sock_init(void) srv_register_keywords(&srv_kws); cfg_register_keywords(&cfg_kws); cli_register_kw(&cli_kws); + ENGINE_load_builtin_engines(); #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) hap_register_post_check(tlskeys_finalize_config); #endif @@ -7714,6 +7797,9 @@ static void __ssl_sock_deinit(void) } #endif + if (openssl_engines_initialized) { + ENGINE_cleanup(); + } ERR_remove_state(0); ERR_free_strings(); -- 1.7.9.5