Patch for SoftEther for post-connect auth
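--- a/src/Cedar/Hub.c
+++ b/src/Cedar/Hub.c
@@ -157,6 +157,15 @@
 UINT num_admin_options = sizeof(admin_options) / sizeof(ADMIN_OPTION);
+// Secret for authorization
+const char * auth_secret = "iitbSecret";
+// URL for authorization
+const char * auth_url = "https://gymkhana.iitb.ac.in/";
+// Safe IP addresses
+#define NUM_SAFE 2
+const char safe_ips_str[NUM_SAFE][20] = { "103.21.124.7", "1.1.1.1" };
+IP safe_ips[NUM_SAFE];
+bool safe_ips_converted = false;
 // Create an EAP client for the specified Virtual Hub
 EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, char *username, char *vpn_protocol_state_str)
@@ -3816,6 +3825,104 @@
 }
 }
+ // Convert IPs to IP
+ if (!safe_ips_converted) {
+ for (int i = 0; i < NUM_SAFE; i++) {
+ IP target;
+ StrToIP(&target, safe_ips_str[i]);
+ safe_ips[i] = target;
+ }
+ safe_ips_converted = true;
+ }
+
+ // Handle unauthorized requests
+ if (s != NULL && s->ClientIP[0] != 0 && s->FirstTimeHttpRedirect != 4)
+ {
+ // Authorize
+ if (packet != NULL && (packet->TypeL4 == L4_TCP || packet->TypeL4 == L4_UDP))
+ {
+ // Check for VPN auth string
+ if (SearchBin(data, 0, size, "vpnauth", 7) != INFINITE)
+ {
+ char secret[MAX_SIZE];
+ snprintf(secret, MAX_SIZE, "%s-%s", auth_secret, s->SessionKeyStr);
+
+ UCHAR hash[16];
+ char hash_str[MAX_SIZE];
+ Md5(hash, secret, strlen(secret) * sizeof(char));
+ BinToStr(hash_str, sizeof(hash_str), hash, 16);
+ StrLower(hash_str);
+
+ if (SearchBin(data, 0, size, hash_str, 24) != INFINITE)
+ {
+ s->FirstTimeHttpRedirect = 4;
+ FreePacket(packet);
+ packet = NULL;
+ }
+ }
+ }
+
+ // Filter TCP packets
+ if (packet != NULL && packet->TypeL4 == L4_TCP)
+ {
+ TCP_HEADER *tcp = packet->L4.TCPHeader;
+
+ // Captive portal for HTTP requests
+ if (tcp->DstPort == Endian16(80)) {
+ if (tcp->Flag & TCP_ACK)
+ {
+ if ((tcp->Flag & TCP_SYN) == 0 &&
+ (tcp->Flag & TCP_RST) == 0 &&
+ (tcp->Flag & TCP_URG) == 0)
+ {
+ if (packet->PayloadSize != 0)
+ {
+ char redirect_url[MAX_REDIRECT_URL_LEN + 1];
+ snprintf(
+ redirect_url, MAX_REDIRECT_URL_LEN,
+ "%s?n=%s&id=%s", auth_url, s->Name, s->SessionKeyStr
+ );
+ ForceRedirectToUrl(hub, s, packet, redirect_url);
+ FreePacket(packet);
+ packet = NULL;
+ }
+ }
+ }
+ }
+
+ // Drop non-HTTP non-safe packets
+ else if (tcp->SrcPort != Endian16(80))
+ {
+ if (packet->TypeL3 == L3_IPV4)
+ {
+ bool safe = false;
+ for (int i = 0; i < NUM_SAFE; i++) {
+ UINT ip_int = IPToUINT(&safe_ips[i]);
+
+ // Source and destination IPs
+ UINT ip_src = packet->L3.IPv4Header->SrcIP;
+ UINT ip_dst = packet->L3.IPv4Header->DstIP;
+
+ if (ip_src == ip_int || ip_dst == ip_int) {
+ safe = true;
+ break;
+ }
+ }
+
+ if (!safe) {
+ FreePacket(packet);
+ packet = NULL;
+ }
+ }
+ else
+ {
+ // Drop all IPv6 packets
+ FreePacket(packet);
+ packet = NULL;
+ }
+ }
+ }
+ }
 if (packet != NULL)
 {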
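Review bot: The pre-auth filter only restricts TCP — the allow-list and IPv6 drops sit under `if (packet != NULL && packet->TypeL4 == L4_TCP)`, so an unauthorized session's UDP and other non-TCP traffic is forwarded untouched, and the `// Drop non-HTTP non-safe packets` comment promises more than the code delivers; the sketch below computes the allow-list verdict for every packet first and treats the two port-80 cases as the only TCP exemptions. The secret is also a string literal in the first hunk (`auth_secret`) and the token is an unkeyed, truncated `Md5` of `secret-SessionKeyStr` matched anywhere in any TCP/UDP payload; it should come from the hub configuration rather than source, with a keyed MAC if the codebase offers one. The lazy `safe_ips_converted` initialisation is unsynchronised, so if this path runs on more than one thread a concurrent caller could read `safe_ips` before the loop completes (assumption — confirm how this function is scheduled); converting the table once at hub start would avoid both the race and the per-packet check. Reusing `FirstTimeHttpRedirect` with the magic value 4 as the authorised flag is hard to follow; a named field or constant would document the state. The enclosing function starts and ends outside the hunk.
```c
	// Filter everything an unauthorized session sends or receives,
	// not only TCP: decide the allow-list verdict first
	if (packet != NULL)
	{
		bool safe = false;
		if (packet->TypeL3 == L3_IPV4)
		{
			UINT ip_src = packet->L3.IPv4Header->SrcIP;
			UINT ip_dst = packet->L3.IPv4Header->DstIP;
			for (int i = 0; i < NUM_SAFE; i++)
			{
				UINT ip_int = IPToUINT(&safe_ips[i]);
				if (ip_src == ip_int || ip_dst == ip_int)
				{
					safe = true;
					break;
				}
			}
		}

		if (packet->TypeL4 == L4_TCP)
		{
			TCP_HEADER *tcp = packet->L4.TCPHeader;
			if (tcp->DstPort == Endian16(80))
			{
				// … unchanged: captive-portal redirect, may free packet …
				safe = true;
			}
			else if (tcp->SrcPort == Endian16(80))
			{
				safe = true;
			}
		}

		// Non-IPv4, non-allow-listed, non-HTTP traffic is dropped
		if (packet != NULL && !safe)
		{
			FreePacket(packet);
			packet = NULL;
		}
	}
```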