Added max-password-retries config option

That makes the number of retries prior to banning the IP
configurable.
Nikos Mavrogiannopoulos
2015-02-14 09:35:26 +01:00
committed by Nikos Mavrogiannopoulos
parent 108d34f613
commit b300177eb7
5 changed files with 20 additions and 3 deletions


@@ -198,6 +198,10 @@ auth-timeout = 40
# a failed authentication attempt.
min-reauth-time = 120
# The maximum number of password retries before applying the min-reauth-time
# delay. Set to zero to disable.
max-password-retries = 5
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalided if not


@@ -35,6 +35,7 @@
#include <auth/radius.h>
#include <auth/plain.h>
#include <auth/gssapi.h>
#include <auth/common.h>
#include <sec-mod-sup-config.h>
#include <sys/types.h>
@@ -73,6 +74,7 @@ static struct cfg_options available_options[] = {
{ .name = "compression", .type = OPTION_BOOLEAN, .mandatory = 0 },
{ .name = "no-compress-limit", .type = OPTION_NUMERIC, .mandatory = 0 },
{ .name = "tcp-port", .type = OPTION_NUMERIC, .mandatory = 0 },
{ .name = "max-password-retries", .type = OPTION_NUMERIC, .mandatory = 0 },
{ .name = "udp-port", .type = OPTION_NUMERIC, .mandatory = 0 },
{ .name = "keepalive", .type = OPTION_NUMERIC, .mandatory = 0 },
{ .name = "dpd", .type = OPTION_NUMERIC, .mandatory = 0 },
@@ -799,6 +801,12 @@ unsigned urlfw_size = 0;
READ_NUMERIC("max-clients", config->max_clients);
READ_NUMERIC("min-reauth-time", config->min_reauth_time);
config->max_password_retries = -1;
READ_NUMERIC("max-password-retries", config->max_password_retries);
if (config->max_password_retries == -1)
config->max_password_retries = MAX_PASSWORD_TRIES;
READ_NUMERIC("max-same-clients", config->max_same_clients);
val = get_option("run-as-user", NULL);
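Review bot: The `-1` placeholder assigned just before `READ_NUMERIC("max-password-retries", ...)` is indistinguishable from an administrator writing `max-password-retries = -1`, which is then silently replaced by MAX_PASSWORD_TRIES, while any other negative value passes through unchanged and, because sec-mod tests `> 0`, disables IP banning entirely. Rejecting negatives at parse time keeps the three states (default, 0 = disabled, N retries) explicit: `if (config->max_password_retries < 0) { /* report and refuse the value, as the file does for other bad options */ }`. This presumes READ_NUMERIC leaves the variable untouched when the option is absent, which is not visible in the hunk. The enclosing parsing function starts and ends outside the hunk.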


@@ -273,6 +273,10 @@ auth-timeout = 40
# a failed authentication attempt.
min-reauth-time = 120
# The maximum number of password retries before applying the min-reauth-time
# delay. Set to zero to disable.
max-password-retries = 5
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalided if not


@@ -39,7 +39,6 @@
#include <vpn.h>
#include <tlslib.h>
#include <sec-mod.h>
#include <auth/common.h>
#include <ccan/hash/hash.h>
#include <ccan/htable/htable.h>
@@ -139,7 +138,7 @@ void add_ip_to_ban_list(sec_mod_st *sec, const char *ip, unsigned attempts, time
e->failed_attempts += attempts;
e->expires = reset_time;
if (e->failed_attempts >= MAX_PASSWORD_TRIES) {
if (sec->config->max_password_retries > 0 && e->failed_attempts >= sec->config->max_password_retries) {
seclog(sec, LOG_INFO,"added IP '%s' (with failed attempts %d) to ban list, will be reset at: %s", ip, e->failed_attempts, ctime(&reset_time));
} else {
seclog(sec, LOG_DEBUG,"added failed attempt for IP '%s' to ban list, will be reset at: %s", ip, ctime(&reset_time));
@@ -191,7 +190,8 @@ unsigned check_if_banned(sec_mod_st *sec, const char *ip)
if (now > e->expires)
return 0;
if (e->failed_attempts >= MAX_PASSWORD_TRIES)
if (sec->config->max_password_retries > 0 &&
e->failed_attempts >= sec->config->max_password_retries)
return 1;
}
return 0;
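Review bot: The new condition `sec->config->max_password_retries > 0 && e->failed_attempts >= sec->config->max_password_retries` is duplicated verbatim in add_ip_to_ban_list and check_if_banned, and in both places it compares `e->failed_attempts` (incremented from an `unsigned attempts` parameter, so presumably unsigned) with an `int`, which is only safe because the `> 0` guard comes first. Putting it in one static helper, e.g. `static int retries_exceeded(const sec_mod_st *sec, unsigned attempts)` returning `sec->config->max_password_retries > 0 && attempts >= (unsigned)sec->config->max_password_retries`, keeps that ordering dependency in a single place and makes the "0 disables banning" policy explicit for readers of check_if_banned. Note that when the option is 0 the entries are still accumulated in add_ip_to_ban_list, only the ban decision is skipped; that looks intended but is worth a comment. Both functions' bodies extend outside the hunks.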


@@ -286,6 +286,7 @@ struct cfg_st {
unsigned rekey_method; /* REKEY_METHOD_ */
time_t min_reauth_time; /* after a failed auth, how soon one can reauthenticate -> in seconds */
int max_password_retries; /* the number of retries allowed prior to applying min_reauth_time */
unsigned isolate; /* whether seccomp should be enabled or not */
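Review bot: The comment on the new `max_password_retries` field documents only the positive case; the parser in this commit also uses -1 as a placeholder that is replaced by MAX_PASSWORD_TRIES, and sec-mod only bans when the value is `> 0`, so 0 (and, as written, any negative) means no ban is ever applied. Suggest `int max_password_retries; /* failed attempts before min_reauth_time applies; 0 disables IP banning, -1 is a parse-time placeholder for the default */` so the next reader does not have to cross-reference main-config and sec-mod. struct cfg_st continues outside the hunk.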