From: Alan T. DeKok
Date: Thu, 7 Apr 2011 14:18:27 +0000 (+0200)
Subject: Add allow_retry and retry_msg functionality
X-Git-Tag: release_2_1_11~60
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2372161353111225ab00fd00c42ff1b51eb78735;p=thirdparty%2Ffreeradius-server.git

Add allow_retry and retry_msg functionality

Based on a patch from John Hayward.

Setting "allow_retry=0" and "retry_msg = hello" seems to help with EAP-MSCHAPv2 and cached passwords...
---
diff --git a/raddb/modules/mschap b/raddb/modules/mschap
index 4aedf27eccd..57393dc6dcc 100644
--- a/raddb/modules/mschap
+++ b/raddb/modules/mschap
@@ -68,4 +68,11 @@ mschap {
 # Open Directory. It has no effect on other systems.
 #
 # use_open_directory = yes
+
+ # On failure, set (or not) the MS-CHAP error code saying
+ # "retries allowed".
+# allow_retry = yes
+
+ # An optional retry message.
+# retry_msg = "Re-enter (or reset) the password"
 }
diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
index c512018f6cc..de3bdb104de 100644
--- a/src/modules/rlm_mschap/rlm_mschap.c
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -137,6 +137,8 @@ typedef struct rlm_mschap_t {
 const char *xlat_name;
 char *ntlm_auth;
 const char *auth_type;
+ int allow_retry;
+ char *retry_msg;
 #ifdef __APPLE__
 int open_directory;
 #endif
@@ -534,6 +536,10 @@ static const CONF_PARSER module_config[] = {
 offsetof(rlm_mschap_t, passwd_file), NULL, NULL },
 { "ntlm_auth", PW_TYPE_STRING_PTR,
 offsetof(rlm_mschap_t, ntlm_auth), NULL, NULL },
+ { "allow_retry", PW_TYPE_BOOLEAN,
+ offsetof(rlm_mschap_t, allow_retry), NULL, "yes" },
+ { "retry_msg", PW_TYPE_STRING_PTR,
+ offsetof(rlm_mschap_t, retry_msg), NULL, NULL },
 #ifdef __APPLE__
 { "use_open_directory", PW_TYPE_BOOLEAN,
 offsetof(rlm_mschap_t,open_directory), NULL, "yes" },
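Review bot: The two new members of rlm_mschap_t in the @@ -137 hunk carry no comment, and their meaning is only discoverable from the MS-CHAP-Error builder much further down in mschap_authenticate. I would annotate them at the declaration: `int allow_retry;   /* R= value sent in MS-CHAP-Error on failure (config default "yes") */` and `char *retry_msg;   /* optional M= text; when set, a fresh C= challenge and V=3 are emitted too */`. The struct definition itself begins before this hunk.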
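Review bot: In the @@ -534 hunk `retry_msg` is accepted as an unbounded PW_TYPE_STRING_PTR, but the failure path that consumes it formats it into a fixed 128-byte buffer with `snprintf(buffer + 12 + 32, sizeof(buffer) - 45, ...)`, so by my count anything beyond roughly 75 characters is dropped silently and the administrator sees a truncated prompt on the client with no warning. Either validate the length once at instantiate time (outside this hunk) and log a configuration error, or state the limit in the raddb comment next to `retry_msg`. The default of `"yes"` for `allow_retry` correctly preserves the previous hard-coded `R=1` behaviour.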
@@ -1127,10 +1133,7 @@ static int mschap_authenticate(void * instance, REQUEST *request)
 response->vp_octets + offset,
 nthashhash, do_ntlm_auth) < 0) {
 RDEBUG2("MS-CHAP-Response is incorrect.");
- mschap_add_reply(request, &request->reply->vps,
- *response->vp_octets,
- "MS-CHAP-Error", "E=691 R=1", 9);
- return RLM_MODULE_REJECT;
+ goto do_error;
 }

 chap = 1;
@@ -1238,10 +1241,28 @@ static int mschap_authenticate(void * instance, REQUEST *request)
 if (do_mschap(inst, request, nt_password, mschapv1_challenge,
 response->vp_octets + 26, nthashhash,
 do_ntlm_auth) < 0) {
+ int i;
+ char buffer[128];
+
 RDEBUG2("FAILED: MS-CHAP2-Response is incorrect");
+
+ do_error:
+ snprintf(buffer, sizeof(buffer), "E=691 R=%d",
+ inst->allow_retry);
+
+ if (inst->retry_msg) {
+ snprintf(buffer + 9, sizeof(buffer), " C=");
+ for (i = 0; i < 16; i++) {
+ snprintf(buffer + 12 + i*2,
+ sizeof(buffer), "%02x",
+ fr_rand() & 0xff);
+ }
+ snprintf(buffer + 12 + 32, sizeof(buffer) - 45,
+ " V=3 M=%s", inst->retry_msg);
+ }
 mschap_add_reply(request, &request->reply->vps,
- *response->vp_octets,
- "MS-CHAP-Error", "E=691 R=1", 9);
+ *response->vp_octets, "MS-CHAP-Error",
+ buffer, strlen(buffer));
 return RLM_MODULE_REJECT;
 }
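Review bot: The `goto do_error;` in the @@ -1127 hunk jumps from the MS-CHAPv1 branch into the middle of the MS-CHAPv2 failure block, past the declarations of `i` and `buffer`; that is valid C because `buffer` has a fixed size, but the code at the label builds the reply from `*response->vp_octets`, so correctness depends on `response` being the same variable and still pointing at the VP that just failed in both paths, which cannot be confirmed from this hunk (mschap_authenticate begins and ends outside it). A one-line comment at the jump would make the dependency explicit: `goto do_error;	/* shares the MS-CHAPv2 failure reply below; 'response' must still be the failed VP */`.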
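Review bot: In the @@ -1238 hunk every `snprintf` after the first is handed `sizeof(buffer)` (or the hand-computed `sizeof(buffer) - 45`) as its bound while writing at `buffer + 9`, `buffer + 12 + i*2` and `buffer + 12 + 32`, so the size argument overstates the space actually left at that offset, and the offsets silently assume the first call wrote exactly 9 bytes. With a 128-byte buffer and a 0/1 `allow_retry` the writes happen to stay in bounds today, but this is the shape of bug that becomes a stack overflow the next time a field changes width; tracking the running length and passing `sizeof(buffer) - len` removes both the magic offsets and the wrong bounds. Separately, the 16 random bytes emitted after `C=` are not retained anywhere in this hunk and the function returns RLM_MODULE_REJECT immediately, so a client that retries against that challenge cannot be verified by this code; if another layer is expected to supply or track the retry challenge, a comment at `do_error:` should say so.
```c
			int i;
			size_t len;
			char buffer[128];
			/* … unchanged: RDEBUG2() … */
		do_error:
			len = snprintf(buffer, sizeof(buffer), "E=691 R=%d",
				       inst->allow_retry);

			if (inst->retry_msg) {
				len += snprintf(buffer + len, sizeof(buffer) - len, " C=");
				for (i = 0; i < 16; i++) {
					len += snprintf(buffer + len, sizeof(buffer) - len,
							"%02x", fr_rand() & 0xff);
				}
				snprintf(buffer + len, sizeof(buffer) - len,
					 " V=3 M=%s", inst->retry_msg);
			}
			/* … unchanged: mschap_add_reply() and return … */
```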