Tunnel: don't trigger FortiGate password blocking on wrong password.

caeies · caeies · commit 30586fcbbfcc · 2025-09-09T09:55:11.000+02:00
diff --git a/src/config.c b/src/config.c
@@ -64,6 +64,7 @@ const struct vpn_config invalid_cfg = {
 	.use_syslog = -1,
 	.half_internet_routes = -1,
 	.persistent = -1,
+	.backoff_sleep = UINT_MAX,
 #if HAVE_USR_SBIN_PPPD
 	.pppd_log = NULL,
 	.pppd_plugin = NULL,
diff --git a/src/config.h b/src/config.h
@@ -112,6 +112,9 @@ struct vpn_config {
 	int			half_internet_routes;
 
 	unsigned int		persistent;
+	/* Used to store sleep time between attempts (as tunnel struct is cleaned). */
+	unsigned int		backoff_sleep;
+
 
 #if HAVE_USR_SBIN_PPPD
 	char			*pppd_log;
diff --git a/src/main.c b/src/main.c
@@ -242,6 +242,7 @@ int main(int argc, char *argv[])
 		.use_syslog = 0,
 		.half_internet_routes = 0,
 		.persistent = 0,
+		.backoff_sleep = 0,
 #if HAVE_RESOLVCONF
 		.use_resolvconf = USE_RESOLVCONF,
 #endif
diff --git a/src/tunnel.c b/src/tunnel.c
@@ -1381,11 +1381,22 @@ int run_tunnel(struct vpn_config *config)
 	if (ret != 1) {
 		log_error("Could not authenticate to gateway. Please check the password, client certificate, etc.\n");
 		log_debug("%s (%d)\n", err_http_str(ret), ret);
+		/* We should do a back off attempt here no ? */
+		/* As FortiGate kick us after 3 attempts just increase quickly the */
+		/* tries. */
+		/* Maybe we should force the exit or reask for password ? */
+		if (tunnel.config->persistent != 0) {
+			if (tunnel.config->backoff_sleep <= 3600)
+				tunnel.config->backoff_sleep += 60;
+			sleep(tunnel.config->backoff_sleep);
+		}
 		ret = 1;
 		goto err_tunnel;
 	}
 	log_info("Authenticated.\n");
 	log_debug("Cookie: %s\n", tunnel.cookie);
+	/* Reset backoff timing */
+	tunnel.config->backoff_sleep = 0;
 
 	ret = auth_request_vpn_allocation(&tunnel);
 	if (ret != 1) {
