MINOR: acme: add configuration for the crt-store

Add new acme keywords for the ckch_conf parsing, which will be used on a crt-store, a crt line in a frontend, or even a crt-list. The cfg_postparser_acme() is called in order to check if a section referenced elsewhere really exists in the config file.
2025-04-02 11:03:45 +02:00 · 2025-04-02 11:03:45 +02:00 · 2e8c350b95
commit 2e8c350b95
parent 077e2ce84c
4 changed files with 69 additions and 0 deletions
--- a/include/haproxy/acme.h
+++ b/include/haproxy/acme.h
@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#ifndef _ACME_H_
+#define _ACME_H_
+
+#include <haproxy/ssl_ckch-t.h>
+
+int ckch_conf_acme_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);
+
+#endif
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@ -67,6 +67,10 @@ struct ckch_conf {
 	char *issuer;
 	char *sctl;
 	int ocsp_update_mode;
+	struct {
+		char *id;
+		char **domains;
+	} acme;
 };

 /*
--- a/src/acme.c
+++ b/src/acme.c
@ -66,6 +66,35 @@ out:
 	return ret;
 }

+/*
+ * ckch_conf acme parser
+ */
+int ckch_conf_acme_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err)
+{
+	int err_code = 0;
+	struct acme_cfg *cfg;
+
+	cfg = new_acme_cfg(value);
+	if (!cfg) {
+		memprintf(err, "out of memory.\n");
+		err_code |= ERR_FATAL| ERR_ALERT;
+		goto error;
+	}
+
+	if (cfg->linenum == 0) {
+		cfg->filename = strdup(filename);
+                /* store the linenum as a negative value because is the one of
+                 * the crt-store, not the one of the section. It will be replace
+                 * by the one of the section once initialized
+                 */
+                cfg->linenum = -linenum;
+	}
+
+error:
+	return err_code;
+}
+
+
 /* acme section parser
 * Fill the acme_cfgs linked list
 */
@ -312,6 +341,30 @@ out:
 	return err_code;
 }

+/* postparser function checks if the ACME section was declared */
+static int cfg_postparser_acme()
+{
+	struct acme_cfg *tmp_acme = acme_cfgs;
+	int ret = 0;
+
+        /* first check if the ID was already used */
+	while (tmp_acme) {
+		/* if the linenum is not > 0, it means the acme keyword was used without declaring a section, and the
+		 * linenum of the crt-store is stored negatively */
+		if (tmp_acme->linenum <= 0) {
+			ret++;
+			ha_alert("acme '%s' was used on a crt line [%s:%d], but no '%s' section exists!\n",
+			         tmp_acme->name, tmp_acme->filename, -tmp_acme->linenum, tmp_acme->name);
+		}
+		tmp_acme = tmp_acme->next;
+	}
+
+
+	return ret;
+}
+
+REGISTER_CONFIG_POSTPARSER("acme", cfg_postparser_acme);
+
 void deinit_acme()
 {
 	struct acme_cfg *next = NULL;
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@ -26,6 +26,7 @@
 #include <import/ebpttree.h>
 #include <import/ebsttree.h>

+#include <haproxy/acme.h>
 #include <haproxy/applet.h>
 #include <haproxy/base64.h>
 #include <haproxy/cfgparse.h>
@ -4555,6 +4556,8 @@ struct ckch_conf_kws ckch_conf_kws[] = {
 #if defined(HAVE_SSL_OCSP)
 	{ "ocsp-update",  offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init,               },
 #endif
+	{ "acme",         offsetof(struct ckch_conf, acme.id),          PARSE_TYPE_STR,   ckch_conf_acme_init,            },
+	{ "domains",      offsetof(struct ckch_conf, acme.domains),     PARSE_TYPE_ARRAY_SUBSTR,   NULL,            },
 	{ NULL,          -1,                                            PARSE_TYPE_STR,   NULL,                           }
 };