Merge pull request #14 from benwwchen/cpp0x

fix support for macOS and Linux & add EAP-MD5 CHAP method

Author: zonyitoo

README.md

@@ -19,6 +19,7 @@ Then you get `sysuh3c` executable file in `/usr/local/bin`.
 -u --user        user account (must!)
 -p --password    password
 -i --iface       network interface (default is eth0)
+-m --method      EAP-MD5 CHAP method [xor/md5] (default xor)
 -d --daemonize   daemonize
 -c --colorize    colorize
 ```

src/eapauth/SConscript

@@ -11,6 +11,7 @@ env.StaticLibrary('eapauth',
     [
         'eapauth.cpp', 
         'eapdef.cpp', 
-        'eaputils.cpp'
+        'eaputils.cpp',
+        'md5.cpp'
     ]
 )

src/eapauth/eapauth.cpp

@@ -1,6 +1,7 @@
 #include "eapdef.h"
 #include "eapauth.h"
 #include "eaputils.h"
+#include "md5.h"
 #include <sys/socket.h>
 #include <sys/ioctl.h>
 #include <sys/time.h>
@@ -18,9 +19,10 @@
 namespace sysuh3c {
 
 EAPAuth::EAPAuth(const std::string &user_name,
-                 const std::string &password, const std::string &iface)
+                 const std::string &password, const std::string &iface,
+                 eap_method method)
     : eapclient(iface),
-      user_name(user_name), user_password(password),
+      user_name(user_name), user_password(password), md5_method(method),
     display_promote([this] (const std::string &os) {
     std::cout << os << std::endl;
 }),
@@ -87,10 +89,28 @@ void EAPAuth::send_response_id(uint8_t packet_id) {
 void EAPAuth::send_response_md5(uint8_t packet_id, const std::vector<uint8_t> &md5data) {
     std::array<uint8_t, 16> chap;
     std::string pwd(user_password);
-    if (pwd.length() < 16)
-        pwd.append(16 - pwd.length(), '\0');
-    for (size_t i = 0; i < chap.size(); ++ i)
-        chap[i] = pwd[i] ^ md5data[i];
+    std::vector<uint8_t> chapbuf; 
+    size_t chapbuflen = 1 + pwd.length() + 16;
+
+    switch (md5_method) {
+        case EAP_METHOD_XOR: // xor(password, md5data)
+            if (pwd.length() < 16)
+                pwd.append(16 - pwd.length(), '\0');
+            for (size_t i = 0; i < chap.size(); ++ i)
+                chap[i] = pwd[i] ^ md5data[i];
+            break;
+        case EAP_METHOD_MD5: // MD5(id + password + md5data)
+        default:
+            chapbuf.push_back(packet_id);
+            chapbuf.insert(chapbuf.end(), pwd.begin(), pwd.end());
+            chapbuf.insert(chapbuf.end(), md5data.begin(), md5data.end());
+
+            MD5_CTX context;
+            MD5_Init(&context);
+            MD5_Update(&context, &chapbuf[0], chapbuflen);
+            MD5_Final(&chap[0], &context);
+            break;
+    }
 
     eapol_t eapol_md5;
     eapol_md5.vers = EAPOL_VERSION;
@@ -104,7 +124,6 @@ void EAPAuth::send_response_md5(uint8_t packet_id, const std::vector<uint8_t> &m
     eapol_md5.eap->data.insert(eapol_md5.eap->data.end(), user_name.begin(), user_name.end());
     eapol_md5.eap->eap_len = eapol_md5.eap->get_len();
     eapol_md5.eapol_len = eapol_md5.get_len();
-
     try {
         eapclient << eapol_md5;
     }
@@ -142,10 +161,9 @@ void EAPAuth::send_response_h3c(uint8_t packet_id) {
 
 void EAPAuth::eap_handler(const eapol_t &eapol_packet) {
     if (eapol_packet.type != EAPOL_EAPPACKET) {
-        status_notify(EAPAUTH_UNKNOWN_PACKET_TYPE);
+        //status_notify(EAPAUTH_UNKNOWN_PACKET_TYPE);
         return;
     }
-
     switch (eapol_packet.eap->code) {
     case EAP_SUCCESS:
         status_notify(EAPAUTH_EAP_SUCCESS);

src/eapauth/eapauth.h

@@ -12,7 +12,7 @@ namespace sysuh3c {
 
 class EAPAuth {
 public:
-    EAPAuth(const std::string &, const std::string &, const std::string &);
+    EAPAuth(const std::string &, const std::string &, const std::string &, eap_method);
     ~EAPAuth();
 
     void auth();
@@ -36,6 +36,7 @@ class EAPAuth {
     EAPClient eapclient;
     std::string user_name;
     std::string user_password;
+    eap_method md5_method;
 
     std::function<void(const std::string &)> display_promote;
     std::function<void(int statno)> status_notify;

src/eapauth/eapdef.h

@@ -78,7 +78,7 @@ struct eapol_t {
 
 struct ethernet_header_t {
     mac_addr_t dest;
-    mac_addr_t src[6];
+    mac_addr_t src;
     uint16_t type;
 } __attribute__((packed));
 
@@ -96,6 +96,11 @@ enum {
     EAPAUTH_AUTH_MD5
 };
 
+enum eap_method {
+    EAP_METHOD_XOR,
+    EAP_METHOD_MD5
+};
+
 inline std::string strstat(int statno) {
     switch (statno) {
     case EAPAUTH_UNKNOWN_REQUEST_TYPE:

src/eapauth/eaputils.cpp

@@ -83,25 +83,40 @@ EAPClient::EAPClient(const std::string &iface) {
         abort();
     }
 
+    recv_buf.resize(1600);
+
 #elif SYSTEM_DARWIN // FOR Darwin
 
-    if ((bpf_fd = open("/dev/bpf1", O_RDWR)) < 0) {
-        perror("open");
-        abort();
+    FILE* fp;
+    char bpf_num_str[80];
+    fp=popen("sysctl debug.bpf_maxdevices","r");
+    fgets(bpf_num_str,sizeof(bpf_num_str),fp);
+    int bpf_num = strtol(bpf_num_str + 22, NULL, 0);
+    for (int i = 0; i < bpf_num; i++) {
+        std::string bpf_path = "/dev/bpf" + std::to_string(i);
+        if ((bpf_fd = open(bpf_path.c_str(), O_RDWR)) >= 0)
+            break;
+        if (i == bpf_num - 1) {
+            perror("open");
+            abort();
+        }
     }
 
     struct ifreq ifr;
     memset(&ifr, 0, sizeof(ifr));
     strncpy(ifr.ifr_name, iface.c_str(), sizeof(ifr.ifr_name));
 
     struct bpf_program bpfpro;
-    struct timeval timeout;
-    size_t buf_len;
-    if ((ioctl(bpf_fd, BIOCGBLEN, &buf_len) == -1)
-            || (ioctl(bpf_fd, BIOCSETIF, &ifr) == -1)
-            || (ioctl(bpf_fd, BIOCSETF, &bpfpro) == -1)
-            || (ioctl(bpf_fd, BIOCFLUSH) == -1)
-            || (ioctl(bpf_fd, BIOCSRTIMEOUT, &timeout) == -1)) {
+    this->timeout.tv_sec = 30;
+    this->timeout.tv_usec = 0;
+    const int ci_immediate=1, cmplt = 1;
+    size_t buf_len, set_buf_len = 128;
+    if (ioctl(bpf_fd, BIOCSBLEN, &set_buf_len) == -1
+        || ioctl(bpf_fd, BIOCSETIF, &ifr) == -1
+        || ioctl(bpf_fd, BIOCIMMEDIATE, &ci_immediate) == -1
+        || ioctl(bpf_fd, BIOCSHDRCMPLT, &cmplt) == -1
+        || ioctl(bpf_fd, BIOCGBLEN, &buf_len) == -1
+        || ioctl(bpf_fd, BIOCSRTIMEOUT, &this->timeout) == -1) {
         perror("ioctl");
         close(bpf_fd);
         abort();
@@ -136,8 +151,9 @@ EAPClient::EAPClient(const std::string &iface) {
     memcpy(mac_addr, ptr, sizeof(mac_addr));
     delete []macbuf;
 
-    this->timeout.tv_sec = 30;
-    this->timeout.tv_usec = 0;
+    // save mac address
+    memcpy(this->mac_addr, mac_addr, 6);
+
 #else
 #error SYSUH3C doesn't support your platform.
 #endif
@@ -155,6 +171,7 @@ EAPClient::EAPClient(const std::string &iface) {
     copy(begin(mac_addr), end(mac_addr), itr);
     uint16_t etype = htons(ETHERTYPE_PAE);
     *(uint16_t *)(ethernet_header.data() + sizeof(PAE_GROUP_ADDR) + sizeof(mac_addr)) = etype;
+
 }
 
 EAPClient::~EAPClient() {
@@ -183,6 +200,8 @@ EAPClient &EAPClient::recv(eapol_t &eapol) {
                        (struct sockaddr *) &sock_addr, &sock_addr_len)) <= 0) {
         throw EAPAuthException("Socket recv error");
     }
+    // Remove header
+    uint8_t *buf = recv_buf.data() + sizeof(ethernet_header_t);
     #elif SYSTEM_DARWIN
     fd_set readset;
     FD_ZERO(&readset);
@@ -197,10 +216,18 @@ EAPClient &EAPClient::recv(eapol_t &eapol) {
     if ((len = read(bpf_fd, recv_buf.data(), recv_buf.size())) == -1) {
         throw EAPAuthException("BPF read error");
     }
-    #endif
 
+    // check mac address and header
+    ethernet_header_t *ethernet_header = (ethernet_header_t *)(recv_buf.data() + 18);
+    if (memcmp(ethernet_header->dest, this->mac_addr, sizeof(mac_addr_t)) != 0
+        || ethernet_header->type != 0x8e88) {
+        eapol.type = -1;
+        return *this;
+    }
     // Remove header
-    uint8_t *buf = recv_buf.data() + sizeof(ethernet_header_t);
+    uint8_t *buf = recv_buf.data() + 18 + sizeof(ethernet_header_t);
+    #endif
+
     if (len - sizeof(ethernet_header_t) == 0) return *this;
 
     eapol.vers = buf[0];

src/eapauth/eaputils.h

@@ -59,6 +59,7 @@ class EAPClient {
     struct sockaddr_ll sock_addr;
     #elif SYSTEM_DARWIN
     struct sockaddr_dl sock_addr;
+    mac_addr_t mac_addr;
     int bpf_fd;
     struct timeval timeout;
     #endif