From: Arran Cudbard-Bell Date: Tue, 30 Oct 2012 19:07:12 +0000 (+0000) Subject: Update TLS section to conform to standard used in rlm_ldap and other places... X-Git-Tag: release_3_0_0_beta1~1625 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ad89c5d67a26b23593edfb410681d713499413f;p=thirdparty%2Ffreeradius-server.git Update TLS section to conform to standard used in rlm_ldap and other places... --- diff --git a/raddb/mods-available/rest b/raddb/mods-available/rest index 8da011d8033..cbdab3b149b 100644 --- a/raddb/mods-available/rest +++ b/raddb/mods-available/rest 
@@ -7,33 +7,106 @@ rest {
 # comment out the configuration item below.
 connect_uri = "http://127.0.0.1/"
- pool {
- start = 5
- max = 10
- spare = 3
- uses = 0
- idle_timeout = 100
- lifetime = 0
- }
-
 authorize {
 uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authorize"
 method = "get"
+ tls = ${..tls}
 }
 authenticate {
 uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authenticate"
 method = "get"
+ tls = ${..tls}
 }
 accounting {
 uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=accounting"
 method = "post"
+ tls = ${..tls}
 }
 session {
 uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=checksimul"
 method = "post"
+ tls = ${..tls}
 }
 post-auth {
 uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=post-auth"
 method = "post"
+ tls = ${..tls}
+ }
+
+ #
+ # This subsection configures the tls related items
+ # that control how FreeRADIUS connects to a HTTPS
+ # server.
+ #
+ tls {
+# cacertfile = ${certdir}/cacert.pem
+# cacertdir = ${certdir}
+
+# certfile = /path/to/radius.crt
+# keyfile = /path/to/radius.key
+# keypassword = "supersecret"
+# randfile = ${certdir}/random
+
+ # Server certificate verification requirements. Can be:
+ # "no" (don't even bother trying)
+ # "yes" (verify the cert was issued by one of the
+ # trusted CAs)
+ #
+ # The default is "yes"
+# verify_cert = "yes"
+
+ # Server certificate CN verification requirements. Can be:
+ # "no" (don't even bother trying)
+ # "yes" (verify the CN in the certificate matches the host
+ # in the URI)
+ #
+ # The default is "yes"
+# verify_cert_cn = "yes"
+ }
+
+ #
+ # The connection pool is new for 3.0, and will be used in many
+ # modules, for all kinds of connection-related activity.
+ #
+ pool {
+ # Number of connections to start
+ start = 5
+
+ # Minimum number of connections to keep open
+ min = 4
+
+ # Maximum number of connections
+ #
+ # If these connections are all in use and a new one
+ # is requested, the request will NOT get a connection.
+ max = 10
+
+ # Spare connections to be left idle
+ #
+ # NOTE: Idle connections WILL be closed if "idle_timeout"
+ # is set.
+ spare = 3
+
+ # Number of uses before the connection is closed
+ #
+ # 0 means "infinite"
+ uses = 0
+
+ # The lifetime (in seconds) of the connection
+ lifetime = 0
+
+ # idle timeout (in seconds). A connection which is
+ # unused for this length of time will be closed.
+ idle_timeout = 60
+
+ # NOTE: All configuration settings are enforced. If a
+ # connection is closed because of "idle_timeout",
+ # "uses", or "lifetime", then the total number of
+ # connections MAY fall below "min". When that
+ # happens, it will open a new connection. It will
+ # also log a WARNING message.
+ #
+ # The solution is to either lower the "min" connections,
+ # or increase lifetime/idle_timeout.
 }
 }
diff --git a/src/modules/rlm_rest/rest.c b/src/modules/rlm_rest/rest.c
index 60e576c75c7..451a18890ca 100644
--- a/src/modules/rlm_rest/rest.c
+++ b/src/modules/rlm_rest/rest.c
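Review bot: The `verify_cert` comment in the new tls subsection describes the "yes" case but not what "no" costs: with it disabled the module accepts any server certificate, and rest.c applies `verify_cert_cn` only inside the `verify_cert` branch, so the CN check is skipped as well. Suggest adding after `# The default is "yes"`: `# "no" accepts any server certificate and also disables the CN check; test setups only.` The `cacertfile` entry is given only as an example path; one sentence saying whether it is the CA bundle used to validate the server chain or a single required issuer certificate would tell administrators which file to point it at, since rest.c currently hands it to libcurl as an issuer certificate rather than a CA bundle.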
@@ -2030,62 +2030,62 @@ int rest_request_config(rlm_rest_t *instance, rlm_rest_section_t *section,
 }
 /*
- * Set SSL authentication parameters
+ * Set SSL/TLS authentication parameters
 */
- if (section->certificate_file) {
+ if (section->tls_certfile) {
 ret = curl_easy_setopt(candle, CURLOPT_SSLCERT,
- section->certificate_file);
+ section->tls_certfile);
 if (ret != CURLE_OK) goto error;
 }
- if (section->file_type == FALSE) {
+ if (section->tls_keyfile) {
 ret = curl_easy_setopt(candle,
- CURLOPT_SSLCERT,
- "DER");
- if (ret != CURLE_OK) goto error;
- }
-
- if (section->private_key_file) {
- ret = curl_easy_setopt(candle,
- CURLOPT_SSLCERT,
- section->private_key_file);
+ CURLOPT_SSLKEY,
+ section->tls_keyfile);
 if (ret != CURLE_OK) goto error;
 }
- if (section->private_key_password) {
+ if (section->tls_keypassword) {
 ret = curl_easy_setopt(candle, CURLOPT_KEYPASSWD,
- section->private_key_password);
+ section->tls_keypassword);
 if (ret != CURLE_OK) goto error;
 }
- if (section->ca_file) {
+ if (section->tls_cacertfile) {
 ret = curl_easy_setopt(candle, CURLOPT_ISSUERCERT,
- section->ca_file);
+ section->tls_cacertfile);
 if (ret != CURLE_OK) goto error;
 }
- if (section->ca_path) {
+ if (section->tls_cacertdir) {
 ret = curl_easy_setopt(candle, CURLOPT_CAPATH,
- section->ca_path);
+ section->tls_cacertdir);
 if (ret != CURLE_OK) goto error;
 }
- if (section->random_file) {
+ if (section->tls_randfile) {
 ret = curl_easy_setopt(candle, CURLOPT_RANDOM_FILE,
- section->random_file);
+ section->tls_randfile);
 if (ret != CURLE_OK) goto error;
 }
- ret = curl_easy_setopt(candle,
- CURLOPT_SSL_VERIFYHOST,
- (section->check_cert_cn == TRUE) ?
- 2 : 0);
- if (ret != CURLE_OK) goto error;
+ if (section->tls_verify_cert) {
+ ret = curl_easy_setopt(candle,
+ CURLOPT_SSL_VERIFYHOST,
+ (section->tls_verify_cert_cn == TRUE) ?
+ 2 : 0);
+ if (ret != CURLE_OK) goto error;
+ } else {
+ ret = curl_easy_setopt(candle,
+ CURLOPT_SSL_VERIFYPEER,
+ 0);
+ if (ret != CURLE_OK) goto error;
+ }
 /*
 * Tell CURL how to get HTTP body content, and how to process
diff --git a/src/modules/rlm_rest/rest.h b/src/modules/rlm_rest/rest.h
index 8e573e1e28d..01115618d04 100644
--- a/src/modules/rlm_rest/rest.h
+++ b/src/modules/rlm_rest/rest.h
@@ -102,15 +102,15 @@ typedef struct rlm_rest_section_t {
 http_auth_type_t auth;
 int require_auth;
- char *certificate_file;
- int file_type;
- char *private_key_file;
- char *private_key_password;
- char *ca_file;
- char *ca_path;
- char *random_file;
- int check_cert_cn;
-
+ char *tls_certfile;
+ char *tls_keyfile;
+ char *tls_keypassword;
+ char *tls_cacertfile;
+ char *tls_cacertdir;
+ char *tls_randfile;
+ int tls_verify_cert;
+ int tls_verify_cert_cn;
+
 int timeout;
 unsigned int chunk;
 } rlm_rest_section_t;
diff --git a/src/modules/rlm_rest/rlm_rest.c b/src/modules/rlm_rest/rlm_rest.c
index 6b484a1d1dd..1af8c2e1e46 100644
--- a/src/modules/rlm_rest/rlm_rest.c
+++ b/src/modules/rlm_rest/rlm_rest.c
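Review bot: In the added verify block `tls_verify_cert_cn` is only consulted when `tls_verify_cert` is set; the `else` branch clears CURLOPT_SSL_VERIFYPEER but leaves CURLOPT_SSL_VERIFYHOST at libcurl's default, and the `if` branch never explicitly enables peer verification, so the two config knobs are coupled in a way the config comments do not describe. Setting each libcurl option directly from its own config item, as below, makes `verify_cert` and `verify_cert_cn` independent and explicit. Separately, `tls_cacertfile` is still handed to libcurl as CURLOPT_ISSUERCERT (carried over from `ca_file`), which pins the expected issuer certificate rather than supplying the trust store; if `cacertfile` is meant to be the CA bundle the example config suggests, CURLOPT_CAINFO is the option that does that. rest_request_config begins and ends outside this hunk.
```c
	/* … unchanged: tls_certfile … tls_randfile setup … */

	/* Chain validation follows verify_cert; libcurl's default is on. */
	ret = curl_easy_setopt(candle, CURLOPT_SSL_VERIFYPEER,
			       (section->tls_verify_cert == TRUE) ? 1 : 0);
	if (ret != CURLE_OK) goto error;

	/* Host-name matching follows verify_cert_cn, independently of the above. */
	ret = curl_easy_setopt(candle, CURLOPT_SSL_VERIFYHOST,
			       (section->tls_verify_cert_cn == TRUE) ? 2 : 0);
	if (ret != CURLE_OK) goto error;
```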
@@ -29,6 +29,30 @@ RCSID("$Id$")
 #include "rest.h"
+/*
+ * TLS Configuration
+ */
+static CONF_PARSER tls_config[] = {
+ { "cacertfile", PW_TYPE_FILENAME,
+ offsetof(rlm_rest_section_t,tls_cacertfile), NULL, NULL},
+ { "cacertdir", PW_TYPE_FILENAME,
+ offsetof(rlm_rest_section_t,tls_cacertdir), NULL, NULL},
+ { "certfile", PW_TYPE_FILENAME,
+ offsetof(rlm_rest_section_t,tls_certfile), NULL, NULL},
+ { "keyfile", PW_TYPE_FILENAME,
+ offsetof(rlm_rest_section_t,tls_keyfile), NULL, NULL },
+ { "keypassword", PW_TYPE_STRING_PTR,
+ offsetof(rlm_rest_section_t, tls_keypassword), NULL, NULL },
+ { "randfile", PW_TYPE_STRING_PTR, /* OK if it changes on HUP */
+ offsetof(rlm_rest_section_t,tls_randfile), NULL, NULL },
+ { "verify_cert", PW_TYPE_BOOLEAN,
+ offsetof(rlm_rest_section_t, tls_verify_cert), NULL, "yes" },
+ { "verify_cert_cn", PW_TYPE_BOOLEAN,
+ offsetof(rlm_rest_section_t, tls_verify_cert_cn), NULL, "yes" },
+
+ { NULL, -1, 0, NULL, NULL }
+};
+
 /*
 * A mapping of configuration file names to internal variables.
 *
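Review bot: `tls_config` is declared `static CONF_PARSER` while the sibling `section_config` table is `static const CONF_PARSER`; it is only ever read through the `(const void *)` cast in section_config, so it should be `static const CONF_PARSER tls_config[] = {` to match. `randfile` is parsed as PW_TYPE_STRING_PTR while every other path in the table is PW_TYPE_FILENAME; if that is deliberate because of the HUP remark, the comment should say so, otherwise it looks like a copy-over from the old `random_file` entry. `keypassword` is a private-key passphrase stored as a plain string; if the config parser offers a way to mark an item as secret so it is not echoed in debug output, this entry should use it.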
@@ -56,30 +80,15 @@ static const CONF_PARSER section_config[] = {
 { "require_auth", PW_TYPE_BOOLEAN,
 offsetof(rlm_rest_section_t, require_auth), NULL, "no"},
- /* SSL authentication */
- { "certificate_file", PW_TYPE_FILENAME,
- offsetof(rlm_rest_section_t, certificate_file), NULL, NULL },
- { "pem_file_type", PW_TYPE_BOOLEAN,
- offsetof(rlm_rest_section_t, file_type), NULL, "yes" },
- { "private_key_file", PW_TYPE_FILENAME,
- offsetof(rlm_rest_section_t, private_key_file), NULL, NULL },
- { "private_key_password", PW_TYPE_STRING_PTR,
- offsetof(rlm_rest_section_t, private_key_password), NULL, NULL },
- { "CA_file", PW_TYPE_FILENAME,
- offsetof(rlm_rest_section_t, ca_file), NULL, NULL },
- { "CA_path", PW_TYPE_FILENAME,
- offsetof(rlm_rest_section_t, ca_path), NULL, NULL },
- { "random_file", PW_TYPE_STRING_PTR,
- offsetof(rlm_rest_section_t, random_file), NULL, NULL },
- { "check_cert_cn", PW_TYPE_BOOLEAN,
- offsetof(rlm_rest_section_t, check_cert_cn), NULL, "yes"},
-
 /* Transfer configuration */
 { "timeout", PW_TYPE_INTEGER,
 offsetof(rlm_rest_section_t, timeout), NULL, "0" },
 { "chunk", PW_TYPE_INTEGER,
 offsetof(rlm_rest_section_t, chunk), NULL, "0" },
+ /* TLS Parameters */
+ { "tls", PW_TYPE_SUBSECTION, 0, NULL, (const void *) tls_config },
+
 { NULL, -1, 0, NULL, NULL }
 };
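Review bot: The old item names (`certificate_file`, `private_key_file`, `CA_file`, `CA_path`, `check_cert_cn`, ...) are removed from section_config with no alias or deprecation entry, so a configuration written against the previous names would, if the parser only warns on unknown items, keep running with its CA and client-certificate settings silently ignored while `verify_cert` still defaults to "yes" against whatever trust store libcurl picks by itself. Unless the parser is known to reject unknown items, consider keeping the old names for one release mapped onto the same `tls_*` fields with a deprecation warning, or at least recording the rename in the module's upgrade notes. A one-line comment above the new entry, e.g. `/* Replaces the former certificate_file / CA_file / check_cert_cn items */`, would tell the next reader where the old settings went.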