@pulsejet
Created March 23, 2020 12:27
Patch for SoftEther for post-connect auth
--- src/Cedar/Hub.c 2020-03-20 16:17:07.000000000 +0530
+++ src/Cedar/Hub.c 2020-03-23 17:51:52.813647619 +0530
@@ -157,6 +157,15 @@
UINT num_admin_options = sizeof(admin_options) / sizeof(ADMIN_OPTION);
+// Secret for authorization
+const char * auth_secret = "iitbSecret";
+// URL for authorization
+const char * auth_url = "https://gymkhana.iitb.ac.in/";
+// Safe IP addresses
+#define NUM_SAFE 2
+const char safe_ips_str[NUM_SAFE][20] = { "103.21.124.7", "1.1.1.1" };
+IP safe_ips[NUM_SAFE];
+bool safe_ips_converted = false;
// Create an EAP client for the specified Virtual Hub
EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, char *username, char *vpn_protocol_state_str)
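Review bot: `auth_secret` is a string literal compiled into Hub.c, and the redirect in the second hunk hands the client its own `SessionKeyStr`, so the token the vpnauth branch accepts is computable by anyone who can read the binary or this patch; load the secret from the hub configuration (or have the portal issue a server-side random token) instead of a literal, and make it rotatable. `safe_ips` and `safe_ips_converted` are file-scope globals that the packet path in the second hunk initializes lazily; if that path runs on more than one session thread the lazy conversion is a data race, so convert the addresses once at hub start-up, e.g. where the other hub globals are set up, and drop the flag. `HubNewEapClient` begins at the hunk's last line and continues outside it.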
@@ -3816,6 +3825,104 @@
}
}
+ // Convert IPs to IP
+ if (!safe_ips_converted) {
+ for (int i = 0; i < NUM_SAFE; i++) {
+ IP target;
+ StrToIP(&target, safe_ips_str[i]);
+ safe_ips[i] = target;
+ }
+ safe_ips_converted = true;
+ }
+
+ // Handle unauthorized requests
+ if (s != NULL && s->ClientIP[0] != 0 && s->FirstTimeHttpRedirect != 4)
+ {
+ // Authorize
+ if (packet != NULL && (packet->TypeL4 == L4_TCP || packet->TypeL4 == L4_UDP))
+ {
+ // Check for VPN auth string
+ if (SearchBin(data, 0, size, "vpnauth", 7) != INFINITE)
+ {
+ char secret[MAX_SIZE];
+ snprintf(secret, MAX_SIZE, "%s-%s", auth_secret, s->SessionKeyStr);
+
+ UCHAR hash[16];
+ char hash_str[MAX_SIZE];
+ Md5(hash, secret, strlen(secret) * sizeof(char));
+ BinToStr(hash_str, sizeof(hash_str), hash, 16);
+ StrLower(hash_str);
+
+ if (SearchBin(data, 0, size, hash_str, 24) != INFINITE)
+ {
+ s->FirstTimeHttpRedirect = 4;
+ FreePacket(packet);
+ packet = NULL;
+ }
+ }
+ }
+
+ // Filter TCP packets
+ if (packet != NULL && packet->TypeL4 == L4_TCP)
+ {
+ TCP_HEADER *tcp = packet->L4.TCPHeader;
+
+ // Captive portal for HTTP requests
+ if (tcp->DstPort == Endian16(80)) {
+ if (tcp->Flag & TCP_ACK)
+ {
+ if ((tcp->Flag & TCP_SYN) == 0 &&
+ (tcp->Flag & TCP_RST) == 0 &&
+ (tcp->Flag & TCP_URG) == 0)
+ {
+ if (packet->PayloadSize != 0)
+ {
+ char redirect_url[MAX_REDIRECT_URL_LEN + 1];
+ snprintf(
+ redirect_url, MAX_REDIRECT_URL_LEN,
+ "%s?n=%s&id=%s", auth_url, s->Name, s->SessionKeyStr
+ );
+ ForceRedirectToUrl(hub, s, packet, redirect_url);
+ FreePacket(packet);
+ packet = NULL;
+ }
+ }
+ }
+ }
+
+ // Drop non-HTTP non-safe packets
+ else if (tcp->SrcPort != Endian16(80))
+ {
+ if (packet->TypeL3 == L3_IPV4)
+ {
+ bool safe = false;
+ for (int i = 0; i < NUM_SAFE; i++) {
+ UINT ip_int = IPToUINT(&safe_ips[i]);
+
+ // Source and destination IPs
+ UINT ip_src = packet->L3.IPv4Header->SrcIP;
+ UINT ip_dst = packet->L3.IPv4Header->DstIP;
+
+ if (ip_src == ip_int || ip_dst == ip_int) {
+ safe = true;
+ break;
+ }
+ }
+
+ if (!safe) {
+ FreePacket(packet);
+ packet = NULL;
+ }
+ }
+ else
+ {
+ // Drop all IPv6 packets
+ FreePacket(packet);
+ packet = NULL;
+ }
+ }
+ }
+ }
if (packet != NULL)
{
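Review bot: The pre-authorization filter only inspects TCP (`if (packet != NULL && packet->TypeL4 == L4_TCP)` under `// Filter TCP packets`), so UDP, ICMP and every other protocol reach the network before the session is authorized, and within TCP the `else if (tcp->SrcPort != Endian16(80))` test exempts any packet whose source port is 80 regardless of direction, which is not something the hub controls; filter with an explicit allow-list (for example DNS to the safe addresses only) and test the destination port of client-originated traffic rather than the source port. The token check `SearchBin(data, 0, size, hash_str, 24)` matches only 24 characters although the hex form of a 16-byte digest is 32, so use `strlen(hash_str)` there so the whole digest must appear. `s->Name` and `s->SessionKeyStr` are placed in `redirect_url` without URL-encoding and the `snprintf` result is not checked for truncation; if a session name can contain `&`, `#` or `?` the query string changes meaning, so encode both values and reject the redirect when `snprintf` reports truncation. `s->FirstTimeHttpRedirect = 4` reuses an existing field with a magic value; name it, e.g. `#define SESSION_PORTAL_AUTHORIZED 4 /* constructed name */`, or add a dedicated session flag. The enclosing function begins before this hunk and ends after it.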