Beispiel #1
0
/*不涉及ether设备未运行处理,比如休眠后唤醒,网卡重置处理*/
int auth802x()
{

	//pcap_if_t *alldevs;
	//pcap_if_t *d;
	//int inum;
	int i = 0;
	pcap_t *adhandle;
	int res;
	char errbuf[PCAP_ERRBUF_SIZE];
	//时间相关
	struct tm *ltime;
	char timestr[16];
	time_t local_tv_sec;
	//抓去相关
	struct pcap_pkthdr *header;
	const u_char *pkt_data;
	u_short len;

	//过滤相关
	//uint8_t	MAC[6];
	//char devicename[100];
	//uint8_t	MAC[6];
	Setting setting;
	
	struct bpf_program fcode;
	char	FilterStr[100];
	bool serverIsFound = false;

	FILE *fp;
	


	long filesize = file_size("setting.ini");
	if (filesize>0)
	{
		fp = fopen("setting.ini", "rb");
		//-------------------OK-----------------------
		//fscanf(fp, "%s\n", dev1.devicename1);
		//fscanf(fp, "%x\t%x\t%x\t%x\t%x\t%x", dev1.MAC1, dev1.MAC1 + 1, dev1.MAC1 + 2, dev1.MAC1 + 3, 
		//	dev1.MAC1 + 4, dev1.MAC1 + 5);
		//------------------OK------------------------
		fscanf(fp, "%s\n%x\t%x\t%x\t%x\t%x\t%x", setting.device, setting.mac, setting.mac + 1, setting.mac + 2, setting.mac + 3,
			setting.mac + 4, setting.mac + 5);
		//------------------BAD--------------------
		//scanf("%x\t%x\t%x\t%x\t%x\t%x", &devicename, &MAC[0], &MAC[1], &MAC[2], &MAC[3], &MAC[4], &MAC[5]);
		//fscanf(fp, "%s\n", &dev1.devicename1);
		//fscanf(stdin, "%s\n%x\t%x\t%x\t%x\t%x\t%x", dev1.devicename1, &dev1.MAC1[0], &dev1.MAC1[1], &dev1.MAC1[2], &dev1.MAC1[3], dev1.MAC1[4], &dev1.MAC1[5]);
		//------------------BAD-------------------
		//fscanf(fp,"%s\n%x\t%x\t%x\t%x\t%x\t%x", &devicename, &MAC[0], &MAC[1], &MAC[2], &MAC[3], &MAC[4], &MAC[5]);
		//fscanf(fp, "%s%x%x%x%x%x%x", devicename, &MAC[0], &MAC[1], &MAC[2], &MAC[3], &MAC[4], &MAC[5]);
		//-----------------BAD----------------
		//fscanf(fp, "%s\n%x\t%x\t%x\t%x\t%x\t%x", devicename, MAC, MAC+1, MAC+2, MAC+3, MAC+4, MAC+5);
		//----------------BAD-------------
		//fscanf(fp, "%s\n%x\t%x\t%x\t%x\t%x\t%x", &devicename, MAC, MAC + 1, MAC + 2, MAC + 3, MAC + 4, MAC + 5);
		//------------------BAD---------------
		//fscanf(fp, "%s\n%x\t%x\t%x\t%x\t%x\t%x", &devicename, &MAC, MAC + 1, MAC + 2, MAC + 3, MAC + 4, MAC + 5);


		printf("\n");
		
		printf("AdapterName:\t%s\n", setting.device);
		printf("AdapterAddr:\t");
		for (i = 0; i < 6; i++){
			printf("%02X%c", setting.mac[i], i == 6 - 1 ? '\n' : '-');
		}
		
		/*
		printf("AdapterName:\t%s\n", devicename);
		printf("AdapterAddr:\t");
		for (i = 0; i < 6; i++){
			printf("%02X%c", MAC[i], i == 6 - 1 ? '\n' : '-');
		}
		*/
	}
	else
	{
		//-----------------------------------------------------------------------------------------------
		fp = fopen("setting.ini", "wb");
		/* 查询本机MAC地址 */
		if (GetNameMacfromDevice(setting.mac, setting.device) == -1)
			exit(-1);

		printf("AdapterName:\t%s\n", setting.device);

		printf("AdapterAddr:\t");
		for (i = 0; i < 6; i++){
			printf("%02X%c", setting.mac[i], i == 6 - 1 ? '\n' : '-');
		}

		fprintf(fp, "%s\n%2x\t%2x\t%2x\t%2x\t%2x\t%2x", setting.device, setting.mac[0], setting.mac[1], 
			setting.mac[2], setting.mac[3], setting.mac[4], setting.mac[5]);
	}
	fclose(fp);
	printf("debug:%d\n", file_size("setting.ini"));
	//------------------------------------------------------------------------------
	/* 打开设备 */
	if ((adhandle = pcap_open(setting.device,          // 设备名
		65536,            // 要捕捉的数据包的部分 
		// 65535保证能捕获到不同数据链路层上的每个数据包的全部内容
		PCAP_OPENFLAG_PROMISCUOUS,    // 混杂模式
		1000,             // 读取超时时间
		NULL,             // 远程机器验证
		errbuf            // 错误缓冲池
		)) == NULL)
	{
		fprintf(stderr, "\nUnable to open the adapter. %s is not supported by WinPcap\n", setting.device);
		/* 释放设列表 */
		//pcap_freealldevs(alldevs);
		return -1;
	}

	//printf("\nlistening on %s...\n", d->description);

	//----------------------------------------------------------------------------
	
	

	//捕获发往本机的eap数据包
	sprintf(FilterStr, "(ether proto 0x888e) and (ether dst host %02x:%02x:%02x:%02x:%02x:%02x)",
		setting.mac[0], setting.mac[1], setting.mac[2], setting.mac[3], setting.mac[4], setting.mac[5]);
	pcap_compile(adhandle, &fcode, FilterStr, 1, 0xff);
	pcap_setfilter(adhandle, &fcode);
	/* 主动发起认证会话 */
	SendStartPkt(adhandle, setting.mac);
	printf("client: Start.\n");
	//------------------------------------------------------------------
	while (!serverIsFound )
	{
		res = pcap_next_ex(adhandle, &header, &pkt_data);
		// NOTE: 这里没有检查网线是否接触不良或已被拔下,已处理
		if (res == -1)
		  return -1;

		/* 将时间戳转换成可识别的格式 */
		local_tv_sec = header->ts.tv_sec;
		ltime = localtime(&local_tv_sec);
		strftime(timestr, sizeof timestr, "%H:%M:%S", ltime);

		//dprintf("%s,%.6d len:%d\n", timestr, header->ts.tv_usec, header->len);

		//printf("\n----%d-----\n", res);
		if (res==1 && pkt_data[18] == 1)
		{
			serverIsFound = true;
			len = *(u_short *)(pkt_data + 20);
			len = htons(len);
			//dprintf("\nServer( %02x:%02x:%02x:%02x:%02x:%02x )-->(%02x:%02x:%02x:%02x:%02x:%02x)\neap_id=%d,len=%d\n", 
			//	pkt_data[6], pkt_data[7], pkt_data[8], pkt_data[9], pkt_data[10], pkt_data[11], 
			//	pkt_data[0], pkt_data[1], pkt_data[2], pkt_data[3], pkt_data[4], pkt_data[5], pkt_data[19], len);
		}
		else
		{	// 延时后重试
			if (1 == times)
			{
				printf("\nReconnection is failed.\n");
				return -1;
			}
			printf(",");
			Sleep(1000);
			SendStartPkt(adhandle, setting.mac);
			times--;
			// NOTE: 这里没有检查网线是否接触不良或已被拔下
		}
		
	}
	//-----------------------------------------------------------------------
	// 分情况应答下一个包

	res = pcap_next_ex(adhandle, &header, &pkt_data);
	// NOTE: 这里没有检查网线是否接触不良或已被拔下,已处理
	if (res == -1)
		return -1;
	if (pkt_data[22] == 1)
	{	// 通常情况会收到包Request Identity,应回答Response Identity
		printf("\n[%d] Server: Request Identity!\n", pkt_data[19]);//打印ID
		SendResponseIdentity(adhandle, pkt_data, setting.mac);
		printf("[%d] client: Response Identity.\n", pkt_data[19]);
	}

	// 重设过滤器,只捕获华为802.1X认证设备发来的包(包括多播Request Identity / Request AVAILABLE)
	sprintf(FilterStr, "(ether proto 0x888e) and (ether src host %02x:%02x:%02x:%02x:%02x:%02x)",
		pkt_data[6], pkt_data[7], pkt_data[8], pkt_data[9], pkt_data[10], pkt_data[11]);
	//printf("%s", FilterStr);
	pcap_compile(adhandle, &fcode, FilterStr, 1, 0xff);
	pcap_setfilter(adhandle, &fcode);

	//------------------------------------------------------------------------
	times = 30;//重置最大请求数
	// 进入循环体,不断处理认证请求
	for (;;)
	{
		// 调用pcap_next_ex()函数捕获数据包
		//-------------------------------------------进入等代阶段----------
		while ((res = pcap_next_ex(adhandle, &header, &pkt_data) )!= 1)
		{
			printf("."); // 若捕获失败或无数据,则等1秒后重试
			Sleep(1000);     // 直到成功捕获到一个数据包后再跳出
			// NOTE: 这里没有检查网线是否已被拔下或插口接触不良,已处理
			if (res == -1){
				printf("Error reading the packets: %s\n", pcap_geterr(adhandle));
				return -1;
			}
		}
		//-------------------------------------------------------------------

		// 根据收到的Request,回复相应的Response包
		if (pkt_data[18] == REQUEST)
		{
			switch ((EAP_Type)pkt_data[22])
			{
			case IDENTITY:
				printf("\n[%d] Server: Request Identity!\n", pkt_data[19]);
				SendResponseIdentity(adhandle, pkt_data, setting.mac);
				printf("\n[%d] client: Response Identity.\n", pkt_data[19]);
				break;
			case MD5:
				printf("\n[%d] Server: Request MD5-Challenge!\n", pkt_data[19]);
				SendResponseMD5(adhandle, pkt_data);
				printf("\n[%d] client: Response MD5-Challenge.\n", pkt_data[19]);
				break;
			default:
				printf("\n[%d] Server: Request (type:%d)!\n", pkt_data[19], (EAP_Type)pkt_data[22]);
				printf("Error! Unexpected request type\n");
				exit(-1);
				break;
			}
			//break;//退出for循环
		}
		else if ((EAP_Code)pkt_data[18] == FAILURE)
		{	// 处理认证失败信息
			printf("\n[%d] Server: Failure.\n", pkt_data[19]);
			if (1 == times)
			{
				printf("Reconnection is failed.---from Forward @SCUT\n");
				return -1;
			}
			//重新认证开始
			Sleep(1000);
			SendStartPkt(adhandle, setting.mac);
			times--;
			//break;
		}
		else if ((EAP_Code)pkt_data[18] == SUCCESS)
		{
			printf("\n[%d] Server: Success.\n", pkt_data[19]);
			// 刷新IP地址
			times = 20;
			//break;
		}
		else
		{
			printf("\n[%d] Server: (H3C data)\n", pkt_data[19]);
			// TODO: 这里没有处理华为自定义数据包
			break;
		}
	}

	return 0;
}
Beispiel #2
0
int Authentication(const char *UserName, const char *Password, const char *DeviceName)
{
	char    errbuf[PCAP_ERRBUF_SIZE];
	pcap_t    *adhandle; // adapter handle
	uint8_t    MAC[6];

	char    FilterStr[100];
	struct bpf_program    fcode;
	const int DefaultTimeout=1000;//设置接收超时参数,单位ms

	// NOTE: 这里没有检查网线是否已插好,网线插口可能接触不良

	/* 打开适配器(网卡) */
	adhandle = pcap_open_live(DeviceName,65536,1,DefaultTimeout,errbuf);
	if (adhandle==NULL) {
		fprintf(stderr, "%s\n", errbuf); 
		EXIT(-1);
	}

	/* 查询本机MAC地址 */
	GetMacFromDevice(MAC, DeviceName);

	/*
	* 设置过滤器:
	* 初始情况下只捕获发往本机的802.1X认证会话,不接收多播信息(避免误捕获其他客户端发出的多播信息)
	* 进入循环体前可以重设过滤器,那时再开始接收多播信息
	*/
	sprintf(FilterStr, "(ether proto 0x888e) and (ether dst host %02x:%02x:%02x:%02x:%02x:%02x)",
		MAC[0],MAC[1],MAC[2],MAC[3],MAC[4],MAC[5]);
	pcap_compile(adhandle, &fcode, FilterStr, 1, 0xff);
	pcap_setfilter(adhandle, &fcode);


START_AUTHENTICATION:
	{
		int retcode;
		struct pcap_pkthdr *header;
		const uint8_t    *captured;
		uint8_t    ethhdr[14]={0}; // ethernet header
		uint8_t    ip[4]={0};    // ip address

		/* 主动发起认证会话 */
		SendStartPkt(adhandle, MAC);
		DPRINTF("[ ] Client: Start.\n");

		/* 等待认证服务器的回应 */
		bool serverIsFound = false;
		while (!serverIsFound)
		{
			retcode = pcap_next_ex(adhandle, &header, &captured);
			if (retcode==1 && (EAP_Code)captured[18]==REQUEST)
				serverIsFound = true;
			else
			{    // 延时后重试
				sleep(1); DPRINTF(".");
				SendStartPkt(adhandle, MAC);
				// NOTE: 这里没有检查网线是否接触不良或已被拔下
			}
		}

		// 填写应答包的报头(以后无须再修改)
		// 默认以单播方式应答802.1X认证设备发来的Request
		memcpy(ethhdr+0, captured+6, 6);
		memcpy(ethhdr+6, MAC, 6);
		ethhdr[12] = 0x88;
		ethhdr[13] = 0x8e;

		// 收到的第一个包可能是Request Notification。取决于校方网络配置
		if ((EAP_Type)captured[22] == NOTIFICATION)
		{
			DPRINTF("[%d] Server: Request Notification!\n", captured[19]);
			// 发送Response Notification
			SendResponseNotification(adhandle, captured, ethhdr);
			DPRINTF("    Client: Response Notification.\n");

			// 继续接收下一个Request包
			retcode = pcap_next_ex(adhandle, &header, &captured);
			assert(retcode==1);
			assert((EAP_Code)captured[18] == REQUEST);
		}

		// 分情况应答下一个包
		if ((EAP_Type)captured[22] == IDENTITY)
		{    // 通常情况会收到包Request Identity,应回答Response Identity
			DPRINTF("[%d] Server: Request Identity!\n", captured[19]);
			GetIpFromDevice(ip, DeviceName);
			SendResponseIdentity(adhandle, captured, ethhdr, ip, UserName);
			DPRINTF("[%d] Client: Response Identity.\n", (EAP_ID)captured[19]);
		}
		else if ((EAP_Type)captured[22] == AVAILABLE)
		{    // 遇到AVAILABLE包时需要特殊处理
			// 中南财经政法大学目前使用的格式:
			// 收到第一个Request AVAILABLE时要回答Response Identity
			DPRINTF("[%d] Server: Request AVAILABLE!\n", captured[19]);
			GetIpFromDevice(ip, DeviceName);
			SendResponseIdentity(adhandle, captured, ethhdr, ip, UserName);
			DPRINTF("[%d] Client: Response Identity.\n", (EAP_ID)captured[19]);
		}
		else if ((EAP_Type)captured[22] == ALLOCATED)
		{
			//ALLOCATED
		}
		// 重设过滤器,只捕获华为802.1X认证设备发来的包(包括多播Request Identity / Request AVAILABLE)
		sprintf(FilterStr, "(ether proto 0x888e) and (ether src host %02x:%02x:%02x:%02x:%02x:%02x)",
			captured[6],captured[7],captured[8],captured[9],captured[10],captured[11]);
		pcap_compile(adhandle, &fcode, FilterStr, 1, 0xff);
		pcap_setfilter(adhandle, &fcode);

		// 进入循环体
		for (;;)
		{
			// 调用pcap_next_ex()函数捕获数据包
			while (pcap_next_ex(adhandle, &header, &captured) != 1)
			{
				DPRINTF("."); // 若捕获失败,则等1秒后重试
				sleep(1);// 直到成功捕获到一个数据包后再跳出
				// NOTE: 这里没有检查网线是否已被拔下或插口接触不良
			}

			// 根据收到的Request,回复相应的Response包
			if ((EAP_Code)captured[18] == REQUEST)
			{
				switch ((EAP_Type)captured[22])
				{
				case IDENTITY:
					DPRINTF("[%d] Server: Request Identity!\n", (EAP_ID)captured[19]);
					GetIpFromDevice(ip, DeviceName);
					SendResponseIdentity(adhandle, captured, ethhdr, ip, UserName);
					DPRINTF("[%d] Client: Response Identity.\n", (EAP_ID)captured[19]);
					break;
				case AVAILABLE:
					DPRINTF("[%d] Server: Request AVAILABLE!\n", (EAP_ID)captured[19]);
					GetIpFromDevice(ip, DeviceName);
					SendResponseAvailable(adhandle, captured, ethhdr, ip, UserName);
					DPRINTF("[%d] Client: Response AVAILABLE.\n", (EAP_ID)captured[19]);
					break;
				case MD5:
					DPRINTF("[%d] Server: Request MD5-Challenge!\n", (EAP_ID)captured[19]);
					SendResponseMD5(adhandle, captured, ethhdr, UserName, Password);
					DPRINTF("[%d] Client: Response MD5-Challenge.\n", (EAP_ID)captured[19]);
					break;
				case NOTIFICATION:
					DPRINTF("[%d] Server: Request Notification!\n", captured[19]);
					SendResponseNotification(adhandle, captured, ethhdr);
					DPRINTF("Client: Response Notification.\n");
					break;
				case ALLOCATED:
					DPRINTF("[%d] Server:Request Normal Verfication.\n",captured[19]);
					SendResponseH3C(adhandle,captured,ethhdr,UserName,Password);
					DPRINTF("[%d] Client: Response Allocated(Password).\n", (EAP_ID)captured[19]);
					break;
				default:
					DPRINTF("[%d] Server: Request (type:%d)!\n", (EAP_ID)captured[19], (EAP_Type)captured[22]);
					DPRINTF("Error! Unexpected request type\n");
					EXIT(-1);
					break;
				}
			}
			else if ((EAP_Code)captured[18] == FAILURE)
			{    // 处理认证失败信息
				uint8_t errtype = captured[22];
				uint8_t msgsize = captured[23];
				const char *msg = (const char*) &captured[24];
				DPRINTF("[%d] Server: Failure.\n", (EAP_ID)captured[19]);
				if (errtype==0x09 && msgsize>0)
				{    // 输出错误提示消息
					fprintf(stderr, "%s\n", msg);
					// 已知的几种错误如下
					// E2531:用户名不存在
					// E2535:Service is paused
					// E2542:该用户帐号已经在别处登录
					// E2547:接入时段限制
					// E2553:密码错误
					// E2602:认证会话不存在
					// E3137:客户端版本号无效
					EXIT(-1);
				}
				else if (errtype==0x08) // 可能网络无流量时服务器结束此次802.1X认证会话
				{    // 遇此情况客户端立刻发起新的认证会话
					goto START_AUTHENTICATION;
				}
				else
				{
					DPRINTF("errtype=0x%02x\n", errtype);
					EXIT(-1);
				}
			}
			else if ((EAP_Code)captured[18] == SUCCESS)
			{
				DPRINTF("[%d] Server: Success.\n", captured[19]);
				// 刷新IP地址
				system("ipconfig /release");
				system("ipconfig /release6");
				system("ipconfig /renew");
				system("ipconfig /renew6");
				break;
			}
			else
			{
				DPRINTF("[%d] Server: (H3C data)\n", captured[19]);
				// TODO: 这里没有处理华为自定义数据包 
			}
		}
	}
	return (0);
}