MINOR: acme: add configuration for the crt-store

Add new acme keywords for the ckch_conf parsing, which will be used on a
crt-store, a crt line in a frontend, or even a crt-list.

The cfg_postparser_acme() is called in order to check if a section referenced
elsewhere really exists in the config file.

diff --git a/include/haproxy/acme.h b/include/haproxy/acme.h
new file mode 100644 (file)
index 0000000..6aeae02
--- /dev/null
+++ b/include/haproxy/acme.h
@@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#ifndef _ACME_H_
+#define _ACME_H_
+
+#include <haproxy/ssl_ckch-t.h>
+
+int ckch_conf_acme_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);
+
+#endif

diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index b4ec91f31e4a67d8d2cbe7033ff4ff4a43d4cda1..01f9720458b60aa46fcb83138adb0fcd004cd35a 100644 (file)
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -67,6 +67,10 @@ struct ckch_conf {
        char *issuer;
        char *sctl;
        int ocsp_update_mode;
+       struct {
+               char *id;
+               char **domains;
+       } acme;
 };
 
 /*

diff --git a/src/acme.c b/src/acme.c
index 4b352a0c7e582af88288e6e53e7e23d3f75d19ed..9c97b4138cf64eb8455f9f8b242ca450efac3753 100644 (file)
--- a/src/acme.c
+++ b/src/acme.c
@@ -66,6 +66,35 @@ out:
        return ret;
 }
 
+/*
+ * ckch_conf acme parser
+ */
+int ckch_conf_acme_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err)
+{
+       int err_code = 0;
+       struct acme_cfg *cfg;
+
+       cfg = new_acme_cfg(value);
+       if (!cfg) {
+               memprintf(err, "out of memory.\n");
+               err_code |= ERR_FATAL| ERR_ALERT;
+               goto error;
+       }
+
+       if (cfg->linenum == 0) {
+               cfg->filename = strdup(filename);
+                /* store the linenum as a negative value because is the one of
+                 * the crt-store, not the one of the section. It will be replace
+                 * by the one of the section once initialized
+                 */
+                cfg->linenum = -linenum;
+       }
+
+error:
+       return err_code;
+}
+
+
 /* acme section parser
  * Fill the acme_cfgs linked list
  */
@@ -312,6 +341,30 @@ out:
        return err_code;
 }
 
+/* postparser function checks if the ACME section was declared */
+static int cfg_postparser_acme()
+{
+       struct acme_cfg *tmp_acme = acme_cfgs;
+       int ret = 0;
+
+        /* first check if the ID was already used */
+       while (tmp_acme) {
+               /* if the linenum is not > 0, it means the acme keyword was used without declaring a section, and the
+                * linenum of the crt-store is stored negatively */
+               if (tmp_acme->linenum <= 0) {
+                       ret++;
+                       ha_alert("acme '%s' was used on a crt line [%s:%d], but no '%s' section exists!\n",
+                                tmp_acme->name, tmp_acme->filename, -tmp_acme->linenum, tmp_acme->name);
+               }
+               tmp_acme = tmp_acme->next;
+       }
+
+
+       return ret;
+}
+
+REGISTER_CONFIG_POSTPARSER("acme", cfg_postparser_acme);
+
 void deinit_acme()
 {
        struct acme_cfg *next = NULL;

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index e8dbc64db1170e5401c2237938a7b70be3a18176..8056cf0cfb6839b0501ee4d905a80a2dc2dadd61 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -26,6 +26,7 @@
 #include <import/ebpttree.h>
 #include <import/ebsttree.h>
 
+#include <haproxy/acme.h>
 #include <haproxy/applet.h>
 #include <haproxy/base64.h>
 #include <haproxy/cfgparse.h>
@@ -4555,6 +4556,8 @@ struct ckch_conf_kws ckch_conf_kws[] = {
 #if defined(HAVE_SSL_OCSP)
        { "ocsp-update",  offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init,               },
 #endif
+       { "acme",         offsetof(struct ckch_conf, acme.id),          PARSE_TYPE_STR,   ckch_conf_acme_init,            },
+       { "domains",      offsetof(struct ckch_conf, acme.domains),     PARSE_TYPE_ARRAY_SUBSTR,   NULL,            },
        { NULL,          -1,                                            PARSE_TYPE_STR,   NULL,                           }
 };