From 8261ae34bde319cf8b7a231a85c71820cc332ef3 Mon Sep 17 00:00:00 2001
From: stephb9959
Date: Thu, 1 Dec 2022 21:54:08 -0800
Subject: [PATCH] https://telecominfraproject.atlassian.net/browse/WIFI-11869

Signed-off-by: stephb9959
---
 build | 2 +-
 radsec-config-sample.json | 1 +
 src/RADSEC_server.h | 12 ++++++++----
 src/RESTObjects/RESTAPI_GWobjects.cpp | 2 ++
 src/RESTObjects/RESTAPI_GWobjects.h | 1 +
 5 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/build b/build
index d1cbcfa5..83233289 100644
--- a/build
+++ b/build
@@ -1 +1 @@
-66
\ No newline at end of file
+67
\ No newline at end of file
diff --git a/radsec-config-sample.json b/radsec-config-sample.json
index d2674161..1ea9fc01 100644
--- a/radsec-config-sample.json
+++ b/radsec-config-sample.json
@@ -16,6 +16,7 @@
 "weight" : 10,
 "radsec" : true,
 "radsecPort" : 2083,
+ "allowSelfSigned" : false,
 "radsecSecret" : "radsec",
 "radsecKey" : "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUR6RnpXeTZlYXg0QVoxTySG9VUURRZ0FFS3BnWVBHMktPTVd2S0w1Z3NMRXpUc09rREg1M3NHaEQyS3RsRXBDTXVnNDNIZlFnTFVpUgpTR1R2S1l0bDFmbmJaU1lnY0RJdncxdjNYRy9hVDhOY2JBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=",
 "radsecCert" : "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",
diff --git a/src/RADSEC_server.h b/src/RADSEC_server.h
index 3f3cc731..90842678 100644
--- a/src/RADSEC_server.h
+++ b/src/RADSEC_server.h
@@ -158,6 +158,10 @@ namespace OpenWifi {
 new Poco::Net::Context(Poco::Net::Context::TLS_CLIENT_USE, KeyFile_.path(), CertFile_.path(),""));
+ if(Server_.allowSelfSigned) {
+ SecureContext->setSecurityLevel(Poco::Net::Context::SECURITY_LEVEL_NONE);
+ SecureContext->enableExtendedCertificateVerification(false);
+ }
 for(const auto &ca:CaCertFiles_) { Poco::Crypto::X509Certificate cert(ca.path());
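Review bot: `SecureContext->setSecurityLevel(Poco::Net::Context::SECURITY_LEVEL_NONE)` in the new `allowSelfSigned` branch drops the OpenSSL security level to 0, which lowers the minimum cipher strength and key size for the whole TLS client context; it is not what makes a self-signed peer acceptable, so the flag weakens the cryptography of every RadSec connection while the self-signed case is presumably only covered by the skipped verification in the next hunk. Acceptance of an untrusted issuer belongs to the verification mode: pass `Server_.allowSelfSigned ? Poco::Net::Context::VERIFY_NONE : Poco::Net::Context::VERIFY_RELAXED` as the verificationMode argument of the `Poco::Net::Context` constructor above (VERIFY_RELAXED appears to be the current default) and drop the security-level call, keeping `enableExtendedCertificateVerification(false)` only if hostname checking must also be skipped. A self-signed server certificate can also be trusted explicitly by listing it in `CaCertFiles_`, which the loop right below appears to load as trust anchors, so no verification bypass is needed at all. Whichever is kept, the branch should record that it was taken, e.g. `poco_warning(Logger_, "allowSelfSigned set: RADSEC peer certificate verification relaxed");`. The enclosing function starts and ends outside the hunk.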
@@ -172,7 +176,10 @@ namespace OpenWifi {
 poco_information(Logger_, "Attempting to connect");
 Socket_->connect(Destination, Poco::Timespan(100, 0));
 Socket_->completeHandshake();
- Socket_->verifyPeerCertificate();
+
+ if(!Server_.allowSelfSigned) {
+ Socket_->verifyPeerCertificate();
+ }
 if(Socket_->havePeerCertificate()) {
 Peer_Cert_ = std::make_unique(Socket_->peerCertificate());
@@ -194,9 +201,6 @@ namespace OpenWifi {
 *Socket_, Poco::NObserver( *this, &RADSEC_server::onShutdown));
- Socket_->setBlocking(false);
- Socket_->setNoDelay(true);
- Socket_->setKeepAlive(true);
 Connected_ = true;
 poco_information(Logger_,fmt::format("Connected. CN={}",CommonName()));
diff --git a/src/RESTObjects/RESTAPI_GWobjects.cpp b/src/RESTObjects/RESTAPI_GWobjects.cpp
index 5c3539d8..1e7712b3 100644
--- a/src/RESTObjects/RESTAPI_GWobjects.cpp
+++ b/src/RESTObjects/RESTAPI_GWobjects.cpp
@@ -394,6 +394,7 @@ namespace OpenWifi::GWObjects {
 field_to_json(Obj,"secret",secret);
 field_to_json(Obj,"certificate",certificate);
 field_to_json(Obj,"radsec",radsec);
+ field_to_json(Obj,"allowSelfSigned",allowSelfSigned);
 field_to_json(Obj,"radsecPort",radsecPort);
 field_to_json(Obj,"radsecSecret",radsecSecret);
 field_to_json(Obj,"radsecCacerts",radsecCacerts);
@@ -412,6 +413,7 @@ namespace OpenWifi::GWObjects {
 field_from_json(Obj,"secret",secret);
 field_from_json(Obj,"certificate",certificate);
 field_from_json(Obj,"radsec",radsec);
+ field_from_json(Obj,"allowSelfSigned",allowSelfSigned);
 field_from_json(Obj,"radsecSecret",radsecSecret);
 field_from_json(Obj,"radsecPort",radsecPort);
 field_from_json(Obj,"radsecCacerts",radsecCacerts);
diff --git a/src/RESTObjects/RESTAPI_GWobjects.h b/src/RESTObjects/RESTAPI_GWobjects.h
index 453676cd..7484c8d5 100644
--- a/src/RESTObjects/RESTAPI_GWobjects.h
+++ b/src/RESTObjects/RESTAPI_GWobjects.h
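Review bot: Skipping `Socket_->verifyPeerCertificate()` whenever `allowSelfSigned` is set accepts whatever certificate the RadSec server presents, not only a self-signed one, so the flag's name understates its effect and in that mode the connection performs no explicit peer authentication at all; nothing in the hunk records that this happened. A comment above the new guard, `// allowSelfSigned skips peer verification entirely: any presented certificate is accepted, not just self-signed ones`, would state the real contract. Operators should also be able to see which identity was trusted: inside the `if(Socket_->havePeerCertificate())` branch, once `Peer_Cert_` is assigned, add `if(Server_.allowSelfSigned) poco_warning(Logger_, fmt::format("allowSelfSigned set: peer certificate not verified. CN={}", CommonName()));`, using the same `CommonName()` the connected-message in the following hunk already relies on. The enclosing function starts and ends outside the hunk.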
@@ -266,6 +266,7 @@ namespace OpenWifi::GWObjects {
 std::string secret;
 std::string certificate;
 bool radsec=false;
+ bool allowSelfSigned=false;
 uint16_t radsecPort=2083;
 std::string radsecSecret;
 std::string radsecKey;
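Review bot: `allowSelfSigned` is declared with no comment although setting it through this REST object relaxes the RadSec client's TLS verification (the RADSEC_server.h hunks in this commit skip the peer certificate check and lower the context security level when it is true); the consequence should be visible where the field is declared, since this struct is what API consumers read. Suggest `bool allowSelfSigned=false; // when true the RadSec client skips the explicit peer certificate verification step; see RADSEC_server.h` so the security effect is not discoverable only by reading the server code. The struct's definition starts outside the hunk.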