From: Nick Porter
Date: Fri, 20 Jun 2025 14:00:08 +0000 (+0100)
Subject: Add ftp:// support to rlm_crl
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d742a9578abf2aab54dcb486e60410f1e8e0676;p=thirdparty%2Ffreeradius-server.git
Add ftp:// support to rlm_crl
---
diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/crl.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/crl.adoc
index c2683668ea..27c159f262 100644
--- a/doc/antora/modules/reference/pages/raddb/mods-available/crl.adoc
+++ b/doc/antora/modules/reference/pages/raddb/mods-available/crl.adoc
@@ -43,6 +43,14 @@ server details to fetch the CRL from
+ftp:: Expansion to use when URI scheme is ftp
+
+If any CRLs need to be retrieved by FTP GET calls
+then configure and enable the `ftp` module to
+support this.
+
+
+
 force_expiry:: Maximum time between expiring CRLs
 If the `nextUpdate` attribute of a CRL is closer than this interval
@@ -80,6 +88,7 @@ crl {
 dynamic {
 http = %rest('GET', "%uri.safe(%{CRL.CDP-URL})")
 # ldap = %ldap(%ldap.uri.safe("%{CRL.CDP-URL}"))
+# ftp = %ftp.get(%uri.safe("%{CRL.CDP-URL}"))
 }
 }
 # force_expiry = 7d
diff --git a/raddb/mods-available/crl b/raddb/mods-available/crl
index 8c66b3e7eb..dfdb0b4961 100644
--- a/raddb/mods-available/crl
+++ b/raddb/mods-available/crl
@@ -49,6 +49,15 @@ crl {
 # server details to fetch the CRL from
 #
 # ldap = %ldap(%ldap.uri.safe("%{CRL.CDP-URL}"))
+
+ #
+ # ftp:: Expansion to use when URI scheme is ftp
+ #
+ # If any CRLs need to be retrieved by FTP GET calls
+ # then configure and enable the `ftp` module to
+ # support this.
+ #
+# ftp = %ftp.get(%uri.safe("%{CRL.CDP-URL}"))
 }
 }
diff --git a/src/modules/rlm_crl/rlm_crl.c b/src/modules/rlm_crl/rlm_crl.c
index 0d129d6b0e..e0482fe920 100644
--- a/src/modules/rlm_crl/rlm_crl.c
+++ b/src/modules/rlm_crl/rlm_crl.c
@@ -131,6 +131,7 @@ fr_dict_attr_autoload_t rlm_crl_dict_attr[] = {
 typedef struct {
 tmpl_t *http_exp; //!< The xlat expansion used to retrieve the CRL via http://
 tmpl_t *ldap_exp; //!< The xlat expansion used to retrieve the CRL via ldap://
+ tmpl_t *ftp_exp; //!< The xlat expansion used to retrieve the CRL via ftp://
 fr_value_box_t serial; //!< The serial to check
 fr_value_box_list_head_t *cdp; //!< The CRL distribution points
 } rlm_crl_env_t;
@@ -154,6 +155,7 @@ static const call_env_method_t crl_env = {
 ((call_env_parser_t[]) {
 { FR_CALL_ENV_PARSE_ONLY_OFFSET("http", FR_TYPE_OCTETS, CALL_ENV_FLAG_REQUIRED, rlm_crl_env_t, http_exp )},
 { FR_CALL_ENV_PARSE_ONLY_OFFSET("ldap", FR_TYPE_OCTETS, CALL_ENV_FLAG_NONE, rlm_crl_env_t, ldap_exp )},
+ { FR_CALL_ENV_PARSE_ONLY_OFFSET("ftp", FR_TYPE_OCTETS, CALL_ENV_FLAG_NONE, rlm_crl_env_t, ftp_exp )},
 CALL_ENV_TERMINATOR
 }))},
 CALL_ENV_TERMINATOR
@@ -454,6 +456,12 @@ static int crl_tmpl_yield(request_t *request, rlm_crl_env_t *env, rlm_crl_rctx_t
 return 0;
 }
 vpt = env->ldap_exp;
+ } else if (strncmp(rctx->cdp_url->vb_strvalue, "ftp", 3) == 0) {
+ if (!env->ftp_exp) {
+ RWARN("CRL URI %pV requires FTP, but the crl module ftp expansion is not configured", rctx->cdp_url);
+ return 0;
+ }
+ vpt = env->ftp_exp;
 } else {
 RERROR("Unsupported URI scheme in CRL URI %pV", rctx->cdp_url);
 return -1;
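Review bot: The scheme test added in the third hunk (in crl_tmpl_yield), `strncmp(rctx->cdp_url->vb_strvalue, "ftp", 3) == 0`, is a bare three-character prefix match, so a distribution-point URL such as `ftps://...` or any other string beginning with "ftp" is handed to the plain ftp expansion instead of reaching the "Unsupported URI scheme" error. The value comes from `CRL.CDP-URL`, which is presumably certificate-supplied, so I would match the delimiter too: `} else if (strncmp(rctx->cdp_url->vb_strvalue, "ftp://", 6) == 0) {`. The http and ldap branches begin above the hunk and may use the same pattern, in which case they want the same tightening. The `return 0` after the RWARN also deserves a short comment saying what the caller does with a distribution point skipped because no ftp expansion is configured, so a reader can confirm the revocation check does not quietly pass when no CRL was fetched.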