From: Alan T. DeKok Date: Wed, 19 Jun 2024 12:37:54 +0000 (-0400) Subject: add totp-time-offset X-Git-Tag: release_3_2_5~45 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=654aadcd13ddb6a073396dd0b8a45736879371ee;p=thirdparty%2Ffreeradius-server.git add totp-time-offset document it and use it
---
diff --git a/raddb/mods-available/totp b/raddb/mods-available/totp
index 90ee796aee3..a68a3177fc9 100644
--- a/raddb/mods-available/totp
+++ b/raddb/mods-available/totp
@@ -39,6 +39,16 @@
 #
 # and then run that locally to get an image.
 #
+#
+# Some tokens get severely out of sync with local time. It is
+# possible to offset the definition of "now" for one token by setting:
+#
+# &control:TOTP-Time-Offset := 120
+#
+# This is a signed integer, with allowed values between -600 to +600.
+# The offset is added to to the current time, to get the tokens idea
+# of "now".
+#
 totp {
 #
 # Default time step between time changes
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 7871fe11eff..52b9bb8750a 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -303,6 +303,8 @@ VALUE Proxy-Tunneled-Request-As-EAP No 0
 VALUE Proxy-Tunneled-Request-As-EAP Yes 1
 ATTRIBUTE Temp-Home-Server-String 1198 string
+ATTRIBUTE TOTP-Time-Offset 1199 signed
+
 #
 # Range: 1200-1279
 # EAP-SIM (and other EAP type) weirdness.
diff --git a/src/modules/rlm_totp/rlm_totp.c b/src/modules/rlm_totp/rlm_totp.c
index 52325c01c81..d58e1ee56ff 100644
--- a/src/modules/rlm_totp/rlm_totp.c
+++ b/src/modules/rlm_totp/rlm_totp.c
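Review bot: The new comment in raddb/mods-available/totp states the allowed values are "between -600 to +600", but the range check this same commit adds to rlm_totp.c is strict (`> -600` and `< 600`), so exactly -600 and +600 are not accepted, and a value outside the range is ignored silently rather than rejected. The comment should say what actually happens, for example `# Values outside this range are ignored and the token is checked against the unadjusted time.`, or the code should be made inclusive so that the documentation is true. There is also a doubled word in `# The offset is added to to the current time, to get the tokens idea`; I would write `# The offset is added to the current time, to get the token's idea`.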
@@ -508,6 +508,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
 keylen = len;
 }
+ vp = fr_pair_find_by_num(request->config, PW_TOTP_TIME_OFFSET, 0, TAG_ANY);
+ if (vp && (vp->vp_signed > -600) && (vp->vp_signed < 600)) {
+ RDEBUG("Using TOTP-Time-Offset = %d", vp->vp_signed);
+ now += vp->vp_signed;
+ }
+
 if (totp_cmp(request, now, key, keylen, password->vp_strvalue, instance) == 0) {
 /*
 * Forbid using a key more than once.
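Review bot: The range check on the second added line uses strict comparisons, `(vp->vp_signed > -600) && (vp->vp_signed < 600)`, so the documented limits of -600 and +600 are rejected, and an attribute outside the range falls through with no message at all, which makes a misconfigured offset indistinguishable from a bad token in the debug output. I would make the bounds inclusive to match the documentation, `if (vp && (vp->vp_signed >= -600) && (vp->vp_signed <= 600)) {`, and add an `else if (vp)` branch that logs `RWDEBUG("Ignoring out of range TOTP-Time-Offset = %d", vp->vp_signed);` so the rejection is visible. The limit 600 is repeated twice here and once in the raddb comment; a named constant such as `#define TOTP_MAX_TIME_OFFSET 600` next to the module's other defines would keep them in step. The offset is read from request->config, the control list, so it can only be set by server policy and not supplied by the client, which is the right place for a per-token adjustment. mod_authenticate begins and ends outside this hunk, and the type of `now` is not visible here, so I have not checked the addition for overflow.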