From 4b59e2dcfbb59024e4991e9431f7eb8a35ce95d4 Mon Sep 17 00:00:00 2001 From: Paul Lettich Date: Fri, 20 Aug 2021 16:40:44 +0200 Subject: [PATCH 1/2] Fix encoding issues with passwords FreeRADIUS handles passwords as byte-strings. How the client or the plugin encode/decode these bytes is up to them. Some VPNs seem to use ISO-latin encoding, other UTF-8. With this fix we try to guess the encoding using a built-in perl module and decode it accordingly before URL-encoding it for privacyIDEA. --- privacyidea_radius.pm | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/privacyidea_radius.pm b/privacyidea_radius.pm index bd1bb97..87be1c7 100644 --- a/privacyidea_radius.pm +++ b/privacyidea_radius.pm @@ -161,7 +161,7 @@ use Try::Tiny; use JSON; use Time::HiRes qw( gettimeofday tv_interval ); use URI::Encode; - +use Encode::Guess; # use ... # This is very important ! Without this script will not get the filled hashes from main. @@ -423,6 +423,15 @@ sub authenticate { my @p = split(/\0/, $password); $password = @p[0]; } + # Encode password + my $decoder = Encode::Guess->guess($password); + if ( ! ref($decoder) ) { + radiusd::radlog( Info, "Could not find valid password encoding. Sending password as-is." ); + radiusd::radlog( Debug, $decoder ); + } else { + &radiusd::radlog( Info, "Password encoding guessed: " . $decoder->name); + $password = $decoder->decode($password); + } $params{"pass"} = $password; } elsif ( $Config->{ADD_EMPTY_PASS} =~ /true/i ) { $params{"pass"} = ""; From 93a55720d18550602c3b97efd97acbbd5ad34cd8 Mon Sep 17 00:00:00 2001 From: Paul Lettich Date: Fri, 20 Aug 2021 16:49:30 +0200 Subject: [PATCH 2/2] Add link to docs --- privacyidea_radius.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privacyidea_radius.pm b/privacyidea_radius.pm index 87be1c7..5bdc1a3 100644 --- a/privacyidea_radius.pm +++ b/privacyidea_radius.pm 
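Review bot: The `Info`-level message `"Password encoding guessed: " . $decoder->name` in the new else branch records, for every login, whether the submitted password was plain ASCII, which is a property of the credential that does not belong in routine logs. Writing it as `radiusd::radlog( Debug, "Password encoding guessed: " . $decoder->name );` would keep it out of them and also drop the `&` call form that the two calls just above it do not use. Separately, `use Encode::Guess;` is loaded without extra suspects, and by default the module only considers ASCII, UTF-8 and BOM-marked UTF-16/32, so the ISO-latin case named in the commit message would presumably land in the "Sending password as-is" branch, while a password whose bytes happen to begin with a BOM would presumably be decoded as UTF-16/32 and altered. For a credential, a strict UTF-8 decode with an explicitly configured fallback encoding is more predictable than a guess. The body of `authenticate` starts and ends outside this hunk.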
@@ -423,7 +423,7 @@ sub authenticate { my @p = split(/\0/, $password); $password = @p[0]; } - # Encode password + # Decode password (from ) my $decoder = Encode::Guess->guess($password); if ( ! ref($decoder) ) { radiusd::radlog( Info, "Could not find valid password encoding. Sending password as-is." );