Merge branch 'develop'

talkincode · Dec 30, 2023 · 5cf74e3 · 5cf74e3
2 parents 19f38c8 + f871aea
commit 5cf74e3
Show file tree

Hide file tree

Showing 12 changed files with 659 additions and 179 deletions.
diff --git a/app/constant.go b/app/constant.go
@@ -9,6 +9,7 @@ const (
 	ConfigRadiusIgnorePwd             = "RadiusIgnorePwd"
 	ConfigRadiusAccountingHistoryDays = "AccountingHistoryDays"
 	ConfigRadiusAcctInterimInterval   = "AcctInterimInterval"
+	ConfigRadiusEapMethod             = "RadiusEapMethod"
 
 	ConfigTR069AccessAddress           = "TR069AccessAddress"
 	ConfigTR069AccessPassword          = "TR069AccessPassword"
@@ -39,4 +40,5 @@ var ConfigConstants = []string{
 	ConfigRadiusIgnorePwd,
 	ConfigRadiusAccountingHistoryDays,
 	ConfigRadiusAcctInterimInterval,
+	ConfigRadiusEapMethod,
 }
diff --git a/app/initdb.go b/app/initdb.go
@@ -59,6 +59,8 @@ func (a *Application) checkSettings() {
 			checkConfig(sortid, "radius", ConfigRadiusAccountingHistoryDays, "disabled", "Radius accounting logging expire days")
 		case ConfigRadiusAcctInterimInterval:
 			checkConfig(sortid, "radius", ConfigRadiusAcctInterimInterval, "disabled", "Radius default Acctounting interim interval")
+		case ConfigRadiusEapMethod:
+			checkConfig(sortid, "radius", ConfigRadiusEapMethod, "eap-md5", "Radius eap method")
 
 		}
 	}

diff --git a/assets/buildinfo.txt b/assets/buildinfo.txt
@@ -1,8 +1,8 @@
-BuildVersion=latest v8.0.4 2023-12-28 23:05:59
+BuildVersion=latest v8.0.4 2023-12-31 03:10:51
 ReleaseVersion=v8.0.4
-BuildTime=2023-12-28 23:05:59
+BuildTime=2023-12-31 03:10:51
 BuildName=toughradius
-CommitID=735a24489c73b3a4c530610412ef8404f2f93ccc
-CommitDate=Wed, 29 Nov 2023 14:28:20 +0800
+CommitID=8add7ca3ca44fb2c53d130115854f0e5f2e2b032
+CommitDate=Thu, 28 Dec 2023 23:06:09 +0800
 CommitUser=jamiesun.net@gmail.com
-CommitSubject=2023-11-29 14:27:38 : v8.0.4  #159  eap support
+CommitSubject=2023-12-28 23:05:59 : translate
diff --git a/assets/static/views/settings.js b/assets/static/views/settings.js
@@ -107,6 +107,11 @@ settingsUi.getRadiusConfigView = function (citem) {
                         view: "counter", name: "AccountingHistoryDays", labelPosition: "top", label: tr("global", "Radius accounting logging expire days"),
                         bottomLabel: tr("settings", "Radius logging expire days, set according to the disk size. ")
                     },
+                    {
+                        view: "radio", name: "RadiusEapMethod", labelPosition: "top", label: tr("settings", "EAP certification methodology"),
+                        options: ["noeap","eap-md5", "eap-mschapv2"],
+                        bottomLabel: tr("settings", "eap certification methodology")
+                    },
                     {
                         view: "radio", name: "RadiusIgnorePwd", labelPosition: "top", label: tr("settings", "Ignore Passowrd check"),
                         options: [{id: 'enabled', value: gtr("Yes")}, {id: 'disabled', value: gtr("No")}],

diff --git a/assets/static/views/settings.min.js b/assets/static/views/settings.min.js
diff --git a/toughradius/auth_passwd_check.go b/toughradius/auth_passwd_check.go
@@ -74,51 +74,72 @@ func (s *AuthService) CheckPassword(r *radius.Request, username, localpassword s
 	return nil
 }
 
-func (s *AuthService) CheckMsChapPassword(username, password string, challenge, response []byte, radAccept *radius.Packet) error {
-	if len(challenge) == 16 && len(response) == 50 {
-		ident := response[0]
-		peerChallenge := response[2:18]
-		peerResponse := response[26:50]
-		byteUser := []byte(username)
-		bytePwd := []byte(password)
-		ntResponse, err := rfc2759.GenerateNTResponse(challenge, peerChallenge, byteUser, bytePwd)
+// CheckMsChapPassword 非 EAP 模式的验证
+func (s *AuthService) CheckMsChapPassword(
+	username, password string,
+	challenge, response []byte,
+	radAccept *radius.Packet,
+) error {
+	if len(challenge) != 16 || len(response) != 50 {
+		return NewAuthError(app.MetricsRadiusRejectPasswdError,
+			"user mschap access reject challenge len or response len error")
+	}
+	ident := response[0]
+	peerChallenge := response[2:18]
+	peerResponse := response[26:50]
+	return s.CheckMsChapV2Password(username, password, challenge, ident, peerChallenge, peerResponse, radAccept)
+}
+
+// CheckMsChapV2Password EAP 模式的验证
+func (s *AuthService) CheckMsChapV2Password(
+	username,
+	password string,
+	challenge []byte,
+	ident byte,
+	peerChallenge,
+	peerResponse []byte,
+	radAccept *radius.Packet,
+) error {
+	byteUser := []byte(username)
+	bytePwd := []byte(password)
+	ntResponse, err := rfc2759.GenerateNTResponse(challenge, peerChallenge, byteUser, bytePwd)
+	if err != nil {
+		return NewAuthError(app.MetricsRadiusRejectPasswdError,
+			"user mschap access mschap access cannot generate ntResponse")
+	}
+
+	if bytes.Equal(ntResponse, peerResponse) {
+		recvKey, err := rfc3079.MakeKey(ntResponse, bytePwd, false)
 		if err != nil {
 			return NewAuthError(app.MetricsRadiusRejectPasswdError,
-				"user mschap access mschap access cannot generate ntResponse")
+				"user mschap access cannot make recvKey")
 		}
 
-		if bytes.Equal(ntResponse, peerResponse) {
-			recvKey, err := rfc3079.MakeKey(ntResponse, bytePwd, false)
-			if err != nil {
-				return NewAuthError(app.MetricsRadiusRejectPasswdError,
-					"user mschap access cannot make recvKey")
-			}
-
-			sendKey, err := rfc3079.MakeKey(ntResponse, bytePwd, true)
-			if err != nil {
-				return NewAuthError(app.MetricsRadiusRejectPasswdError,
-					"user mschap access cannot make sendKey")
-			}
+		sendKey, err := rfc3079.MakeKey(ntResponse, bytePwd, true)
+		if err != nil {
+			return NewAuthError(app.MetricsRadiusRejectPasswdError,
+				"user mschap access cannot make sendKey")
+		}
 
-			authenticatorResponse, err := rfc2759.GenerateAuthenticatorResponse(challenge, peerChallenge, ntResponse, byteUser, bytePwd)
-			if err != nil {
-				return NewAuthError(app.MetricsRadiusRejectPasswdError,
-					"user mschap access  cannot generate authenticator response")
-			}
+		authenticatorResponse, err := rfc2759.GenerateAuthenticatorResponse(challenge, peerChallenge, ntResponse, byteUser, bytePwd)
+		if err != nil {
+			return NewAuthError(app.MetricsRadiusRejectPasswdError,
+				"user mschap access  cannot generate authenticator response")
+		}
 
-			success := make([]byte, 43)
-			success[0] = ident
-			copy(success[1:], authenticatorResponse)
+		success := make([]byte, 43)
+		success[0] = ident
+		copy(success[1:], authenticatorResponse)
 
-			microsoft.MSCHAP2Success_Add(radAccept, []byte(success))
-			microsoft.MSMPPERecvKey_Add(radAccept, recvKey)
-			microsoft.MSMPPESendKey_Add(radAccept, sendKey)
-			microsoft.MSMPPEEncryptionPolicy_Add(radAccept, microsoft.MSMPPEEncryptionPolicy_Value_EncryptionAllowed)
-			microsoft.MSMPPEEncryptionTypes_Add(radAccept, microsoft.MSMPPEEncryptionTypes_Value_RC440or128BitAllowed)
-			return nil
-		}
+		microsoft.MSCHAP2Success_Add(radAccept, []byte(success))
+		microsoft.MSMPPERecvKey_Add(radAccept, recvKey)
+		microsoft.MSMPPESendKey_Add(radAccept, sendKey)
+		microsoft.MSMPPEEncryptionPolicy_Add(radAccept, microsoft.MSMPPEEncryptionPolicy_Value_EncryptionAllowed)
+		microsoft.MSMPPEEncryptionTypes_Add(radAccept, microsoft.MSMPPEEncryptionTypes_Value_RC440or128BitAllowed)
+		return nil
 	}
+
 	return NewAuthError(app.MetricsRadiusRejectPasswdError,
-		"user mschap access reject challenge len or response len error")
+		"user mschap access reject password error")
 
 }
diff --git a/toughradius/packet_format.go b/toughradius/packet_format.go
@@ -38,13 +38,15 @@ var Ipv4Format = func(src []byte) string {
 var EapMessageFormat = func(attr []byte) string {
 	// 解析EAP消息
 	eap := &EAPMessage{
-		Code:       attr[0],
-		Identifier: attr[1],
-		Length:     binary.BigEndian.Uint16(attr[2:4]),
+		EAPHeader: EAPHeader{
+			Code:       attr[0],
+			Identifier: attr[1],
+			Length:     binary.BigEndian.Uint16(attr[2:4]),
+		},
 	}
 	if len(attr) >= 5 {
 		eap.Type = attr[4]
-		eap.Data = &ByteData{attr[5:]}
+		eap.Data = attr[5:]
 	}
 
 	return eap.String()

diff --git a/toughradius/radius.go b/toughradius/radius.go
@@ -54,6 +54,8 @@ type EapState struct {
 	Username  string
 	Challenge []byte
 	StateID   string
+	EapMethad string
+	Success   bool
 }
 
 type RadiusService struct {
@@ -133,7 +135,6 @@ func (s *RadiusService) GetValidUser(usernameOrMac string, macauth bool) (user *
 	return user, nil
 }
 
-
 // GetUserForAcct 获取用户, 不判断用户过期等状态
 func (s *RadiusService) GetUserForAcct(username string) (user *models.RadiusUser, err error) {
 	err = app.GDB().
@@ -195,6 +196,14 @@ func (s *RadiusService) GetStringConfig(name string, defval string) string {
 	return val
 }
 
+func (s *RadiusService) GetEapMethod() string {
+	val := app.GApp().GetSettingsStringValue("radius", app.ConfigRadiusEapMethod)
+	if val == "" {
+		return "eap-md5"
+	}
+	return val
+}
+
 func GetNetRadiusOnlineFromRequest(r *radius.Request, vr *VendorRequest, vpe *models.NetVpe, nasrip string) models.RadiusOnline {
 	acctInputOctets := int(rfc2866.AcctInputOctets_Get(r.Packet))
 	acctInputGigawords := int(rfc2869.AcctInputGigawords_Get(r.Packet))
@@ -388,11 +397,13 @@ func (s *RadiusService) CheckRequestSecret(r *radius.Packet, secret []byte) {
 }
 
 // State add
-func (s *RadiusService) AddEapState(stateid, username string, challenge []byte) {
+func (s *RadiusService) AddEapState(stateid, username string, challenge []byte, eapMethad string) {
 	s.EapStateCache[stateid] = EapState{
-		Username: username,
-		StateID:  stateid,
+		Username:  username,
+		StateID:   stateid,
 		Challenge: challenge,
+		EapMethad: eapMethad,
+		Success:   false,
 	}
 }