From: William Lallemand
Date: Wed, 2 Apr 2025 09:03:45 +0000 (+0200)
Subject: MINOR: acme: add configuration for the crt-store
X-Git-Tag: v3.2-dev11~101
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e8c350b95620d6b23b8c31f5acb50de2733912f;p=thirdparty%2Fhaproxy.git

MINOR: acme: add configuration for the crt-store

Add new acme keywords for the ckch_conf parsing, which will be used on a crt-store, a crt line in a frontend, or even a crt-list. The cfg_postparser_acme() is called in order to check if a section referenced elsewhere really exists in the config file.
---
diff --git a/include/haproxy/acme.h b/include/haproxy/acme.h
new file mode 100644
index 000000000..6aeae0283
--- /dev/null
+++ b/include/haproxy/acme.h
@@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#ifndef _ACME_H_
+#define _ACME_H_
+
+#include
+
+int ckch_conf_acme_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);
+
+#endif
diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index b4ec91f31..01f972045 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -67,6 +67,10 @@ struct ckch_conf {
 	char *issuer;
 	char *sctl;
 	int ocsp_update_mode;
+	struct {
+		char *id;
+		char **domains;
+	} acme;
 };
 
 /*
diff --git a/src/acme.c b/src/acme.c
index 4b352a0c7..9c97b4138 100644
--- a/src/acme.c
+++ b/src/acme.c
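Review bot: The prototype added to acme.h is the only declaration other translation units will see, and it carries no comment saying what the callback does or what its arguments mean; `buf`, `d` and `cli` are not used by the implementation in src/acme.c, so a reader cannot tell from the header which ones matter. A short contract comment above it would help, e.g. `/* ckch_conf parser for the "acme" keyword: registers <value> as an ACME section id and keeps <filename>:<linenum> as a placeholder until the section itself is parsed; returns ERR_* flags */`. The `#include` target was lost when this page was captured, so I cannot check that `struct ckch_data` is declared or forward-declared before the prototype.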
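Review bot: The two new members of `struct ckch_conf` are heap-owned (`acme.id` is filled by a PARSE_TYPE_STR keyword and `acme.domains` by PARSE_TYPE_ARRAY_SUBSTR, per the table in src/ssl_ckch.c), but the helper that releases `issuer`/`sctl` and any copy or compare helper for ckch_conf are not in this diff, so it is not visible that they were extended; if they were not, every reload leaks the id string and the domains array. Please confirm the free/copy/compare paths handle both fields, and mark the ownership in the struct, e.g. `char **domains; /* NULL-terminated, owned by this struct, freed with the other members */`.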
@@ -66,6 +66,35 @@ out:
 	return ret;
 }
 
+/*
+ * ckch_conf acme parser
+ */
+int ckch_conf_acme_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err)
+{
+	int err_code = 0;
+	struct acme_cfg *cfg;
+
+	cfg = new_acme_cfg(value);
+	if (!cfg) {
+		memprintf(err, "out of memory.\n");
+		err_code |= ERR_FATAL| ERR_ALERT;
+		goto error;
+	}
+
+	if (cfg->linenum == 0) {
+		cfg->filename = strdup(filename);
+		/* store the linenum as a negative value because is the one of
+		 * the crt-store, not the one of the section. It will be replace
+		 * by the one of the section once initialized
+		 */
+		cfg->linenum = -linenum;
+	}
+
+error:
+	return err_code;
+}
+
+
 /* acme section parser
  * Fill the acme_cfgs linked list
  */
@@ -312,6 +341,30 @@ out:
 	return err_code;
 }
 
+/* postparser function checks if the ACME section was declared */
+static int cfg_postparser_acme()
+{
+	struct acme_cfg *tmp_acme = acme_cfgs;
+	int ret = 0;
+
+	/* first check if the ID was already used */
+	while (tmp_acme) {
+		/* if the linenum is not > 0, it means the acme keyword was used without declaring a section, and the
+		 * linenum of the crt-store is stored negatively */
+		if (tmp_acme->linenum <= 0) {
+			ret++;
+			ha_alert("acme '%s' was used on a crt line [%s:%d], but no '%s' section exists!\n",
+				 tmp_acme->name, tmp_acme->filename, -tmp_acme->linenum, tmp_acme->name);
+		}
+		tmp_acme = tmp_acme->next;
+	}
+
+
+	return ret;
+}
+
+REGISTER_CONFIG_POSTPARSER("acme", cfg_postparser_acme);
+
 void deinit_acme()
 {
 	struct acme_cfg *next = NULL;
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index e8dbc64db..8056cf0cf 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -26,6 +26,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
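Review bot: The `strdup(filename)` result is stored in `cfg->filename` without a check, so on allocation failure the entry keeps a NULL filename and a negative linenum, and cfg_postparser_acme later passes that NULL to `ha_alert("%s")`, which is undefined behaviour. The `cli` parameter suggests this initializer can also run outside config parsing; if `filename` can be NULL on that path, `strdup(NULL)` is itself a crash, so the call should be guarded or skipped when `cli` is set — I cannot see the callers, so please confirm. The OOM branch above already has the right shape and can be reused for the strdup failure:

```c
	if (cfg->linenum == 0) {
		cfg->filename = strdup(filename);
		if (!cfg->filename) {
			memprintf(err, "out of memory.\n");
			err_code |= ERR_FATAL | ERR_ALERT;
			goto error;
		}
		/* … unchanged: negative linenum bookkeeping … */
	}
```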
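Review bot: `static int cfg_postparser_acme()` declares a function with an unspecified parameter list, which is not the same as taking no arguments in C11; it should read `static int cfg_postparser_acme(void)` to match what REGISTER_CONFIG_POSTPARSER expects and to get prototype checking. The comment `/* first check if the ID was already used */` is copied from the section parser and does not describe this loop, which looks for sections that were referenced but never declared; suggest `/* report every acme id referenced from a crt line/crt-store whose section was never declared */`. The alert text also says "on a crt line" while the commit message says the keyword is accepted in a crt-store and a crt-list too, so a neutral wording such as `"acme '%s' was referenced at [%s:%d], but no '%s' section exists!\n"` would avoid misleading users.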
@@ -4555,6 +4556,8 @@ struct ckch_conf_kws ckch_conf_kws[] = {
 #if defined(HAVE_SSL_OCSP)
 	{ "ocsp-update", offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init, },
 #endif
+	{ "acme", offsetof(struct ckch_conf, acme.id), PARSE_TYPE_STR, ckch_conf_acme_init, },
+	{ "domains", offsetof(struct ckch_conf, acme.domains), PARSE_TYPE_ARRAY_SUBSTR, NULL, },
 	{ NULL, -1, PARSE_TYPE_STR, NULL, }
 };
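Review bot: Nothing in the keyword table ties `domains` to `acme`: the `domains` entry has no init callback, and `ckch_conf_acme_init` only receives the id string, so a crt line that sets `domains` without `acme`, or `acme` without any `domains`, is accepted here, and cfg_postparser_acme only verifies that the named section exists. Unless a later check not shown in this diff validates the pair, an ACME-enabled certificate with no domain to order will only fail at renewal time; a check where the ckch_conf is finalized, or a comment on the table entry saying where that validation lives, e.g. `/* "domains" is only meaningful together with "acme"; pairing is checked in <fn> */`, would make the contract visible.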