Patch for SoftEther for post-connect auth

Hub.c.patch

--- src/Cedar/Hub.c	2020-03-20 16:17:07.000000000 +0530
+++ src/Cedar/Hub.c	2020-03-23 17:51:52.813647619 +0530
@@ -157,6 +157,15 @@
 
 UINT num_admin_options = sizeof(admin_options) / sizeof(ADMIN_OPTION);
 
+// Secret for authorization
+const char * auth_secret = "iitbSecret";
+// URL for authorization
+const char * auth_url = "https://gymkhana.iitb.ac.in/";
+// Safe IP addresses
+#define NUM_SAFE 2
+const char safe_ips_str[NUM_SAFE][20] = { "103.21.124.7", "1.1.1.1" };
+IP safe_ips[NUM_SAFE];
+bool safe_ips_converted = false;
 
 // Create an EAP client for the specified Virtual Hub
 EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, char *username, char *vpn_protocol_state_str)
@@ -3816,6 +3825,104 @@
 		}
 	}
 
+	// Convert IPs to IP
+	if (!safe_ips_converted) {
+		for (int i = 0; i < NUM_SAFE; i++) {
+			IP target;
+			StrToIP(&target, safe_ips_str[i]);
+			safe_ips[i] = target;
+		}
+		safe_ips_converted = true;
+	}
+
+	// Handle unauthorized requests
+	if (s != NULL && s->ClientIP[0] != 0 && s->FirstTimeHttpRedirect != 4)
+	{
+		// Authorize
+		if (packet != NULL && (packet->TypeL4 == L4_TCP || packet->TypeL4 == L4_UDP))
+		{
+			// Check for VPN auth string
+			if (SearchBin(data, 0, size, "vpnauth", 7) != INFINITE)
+			{
+				char secret[MAX_SIZE];
+				snprintf(secret, MAX_SIZE, "%s-%s", auth_secret, s->SessionKeyStr);
+
+				UCHAR hash[16];
+				char hash_str[MAX_SIZE];
+				Md5(hash, secret, strlen(secret) * sizeof(char));
+				BinToStr(hash_str, sizeof(hash_str), hash, 16);
+				StrLower(hash_str);
+
+				if (SearchBin(data, 0, size, hash_str, 24) != INFINITE)
+				{
+					s->FirstTimeHttpRedirect = 4;
+					FreePacket(packet);
+					packet = NULL;
+				}
+			}
+		}
+
+		// Filter TCP packets
+		if (packet != NULL && packet->TypeL4 == L4_TCP)
+		{
+			TCP_HEADER *tcp = packet->L4.TCPHeader;
+
+			// Captive portal for HTTP requests
+			if (tcp->DstPort == Endian16(80)) {
+				if (tcp->Flag & TCP_ACK)
+				{
+					if ((tcp->Flag & TCP_SYN) == 0 &&
+						(tcp->Flag & TCP_RST) == 0 &&
+						(tcp->Flag & TCP_URG) == 0)
+					{
+						if (packet->PayloadSize != 0)
+						{
+							char redirect_url[MAX_REDIRECT_URL_LEN + 1];
+							snprintf(
+								redirect_url, MAX_REDIRECT_URL_LEN,
+								"%s?n=%s&id=%s", auth_url, s->Name, s->SessionKeyStr
+							);
+							ForceRedirectToUrl(hub, s, packet, redirect_url);
+							FreePacket(packet);
+							packet = NULL;
+						}
+					}
+				}
+			}
+
+			// Drop non-HTTP non-safe packets
+			else if (tcp->SrcPort != Endian16(80)) 
+			{
+				if (packet->TypeL3 == L3_IPV4)
+				{
+					bool safe = false;
+					for (int i = 0; i < NUM_SAFE; i++) {
+						UINT ip_int = IPToUINT(&safe_ips[i]);
+
+						// Source and destination IPs
+						UINT ip_src = packet->L3.IPv4Header->SrcIP;
+						UINT ip_dst = packet->L3.IPv4Header->DstIP;
+
+						if (ip_src == ip_int || ip_dst == ip_int) {
+							safe = true;
+							break;
+						}
+					}
+
+					if (!safe) {
+						FreePacket(packet);
+						packet = NULL;
+					}
+				}
+				else
+				{
+					// Drop all IPv6 packets
+					FreePacket(packet);
+					packet = NULL;
+				}
+			}
+		}
+	}
 
 	if (packet != NULL)
 	{