MEDIUM: ssl: ssl-load-extra-del-ext work only with .crt

In order to be compatible with the "set ssl cert" command of the CLI,
this patch restrict the ssl-load-extra-del-ext to files with a ".crt"
extension in the configuration.

Related to issue #785.

Should be backported where 8e8581e ("MINOR: ssl: 'ssl-load-extra-del-ext'
removes the certificate extension") was backported.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 4d413be5f2e04e3ffa1eb60ce45c22601ccc8707..5e38889e2893274f50d7bd012efdc2c1993c469c 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1377,9 +1377,11 @@ ssl-dh-param-file <file>
 ssl-load-extra-del-ext
   This setting allows to configure the way HAProxy does the lookup for the
   extra SSL files. By default HAProxy adds a new extension to the filename.
-  (ex: with "foobar.pem" load "foobar.pem.key"). With this option enabled,
+  (ex: with "foobar.crt" load "foobar.crt.key"). With this option enabled,
   HAProxy removes the extension before adding the new one (ex: with
-  "foobar.pem" load "foobar.key").
+  "foobar.crt" load "foobar.key").
+
+  Your crt file must have a ".crt" extension for this option to work.
 
   This option is not compatible with bundle extensions (.ecdsa, .rsa. .dsa)
   and won't try to remove them.

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index be7bd2971b1ee40014c5d1ac8a165fdfb8f72ba3..198ac634ac22dc47f5a4f569f7f2984b747ac893 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -272,28 +272,17 @@ int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_chain *c
                goto end;
        }
 
-       /* remove the  extension */
+       /* remove the ".crt" extension */
        if (global_ssl.extra_files_noext) {
                char *ext;
 
                /* look for the extension */
                if ((ext = strrchr(fp->area, '.'))) {
-                       int n;
-                       int found_ext = 0; /* bundle extension found ? */
 
-                       ext++; /* we need to compare the ext after the dot */
-
-                       for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++) {
-                               if (!strcmp(ext, SSL_SOCK_KEYTYPE_NAMES[n])) {
-                                       found_ext = 1;
-                               }
-                       }
-
-                       ext--;
-                       if (!found_ext) /* if it wasn't a bundle extension we remove it */
+                       if (!strcmp(ext, ".crt")) {
                                *ext = '\0';
-
-                       fp->data = strlen(fp->area);
+                               fp->data = strlen(fp->area);
+                       }
                }
 
        }
@@ -1545,6 +1534,7 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
                end = strrchr(buf->area, '.');
                if (end && *cert_exts[i].ext && (!strcmp(end + 1, cert_exts[i].ext))) {
                        *end = '\0';
+                       buf->data = strlen(buf->area);
                        type = cert_exts[i].type;
                        break;
                }
@@ -1557,9 +1547,26 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
        if (ckchs_transaction.path) {
                /* if there is an ongoing transaction, check if this is the same file */
                if (strcmp(ckchs_transaction.path, buf->area) != 0) {
-                       memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", ckchs_transaction.path, buf->area);
-                       errcode |= ERR_ALERT | ERR_FATAL;
-                       goto end;
+                       /* we didn't find the transaction, must try more cases below */
+
+                       /* if the del-ext option is activated we should try to take a look at a ".crt" too. */
+                       if (type != CERT_TYPE_PEM && global_ssl.extra_files_noext) {
+                               if (!chunk_strcat(buf, ".crt")) {
+                                       memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
+                                       errcode |= ERR_ALERT | ERR_FATAL;
+                                       goto end;
+                               }
+
+                               if (strcmp(ckchs_transaction.path, buf->area) != 0) {
+                                       /* remove .crt of the error message */
+                                       *(b_orig(buf) + b_data(buf) + strlen(".crt")) = '\0';
+                                       b_sub(buf, strlen(".crt"));
+
+                                       memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", ckchs_transaction.path, buf->area);
+                                       errcode |= ERR_ALERT | ERR_FATAL;
+                                       goto end;
+                               }
+                       }
                }
 
                appctx->ctx.ssl.old_ckchs = ckchs_transaction.new_ckchs;
@@ -1568,6 +1575,18 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
 
                /* lookup for the certificate in the tree */
                appctx->ctx.ssl.old_ckchs = ckchs_lookup(buf->area);
+
+               if (!appctx->ctx.ssl.old_ckchs) {
+                       /* if the del-ext option is activated we should try to take a look at a ".crt" too. */
+                       if (type != CERT_TYPE_PEM && global_ssl.extra_files_noext) {
+                               if (!chunk_strcat(buf, ".crt")) {
+                                       memprintf(&err, "%sCan't allocate memory\n", err ? err : "");
+                                       errcode |= ERR_ALERT | ERR_FATAL;
+                                       goto end;
+                               }
+                               appctx->ctx.ssl.old_ckchs = ckchs_lookup(buf->area);
+                       }
+               }
        }
 
        if (!appctx->ctx.ssl.old_ckchs) {