Index: /branches/rel_ag_9_4_5/proxy/lite/ThemeMP/login/index.html
===================================================================
--- /branches/rel_ag_9_4_5/proxy/lite/ThemeMP/login/index.html	(revision 20336)
+++ /branches/rel_ag_9_4_5/proxy/lite/ThemeMP/login/index.html	(working copy)
@@ -66,11 +66,13 @@
                     </div>
                     <div class="form-group">
                         <label for="username" class="control-label"></label>
-                        <input id="username" class="form-control" type="text" name="uname" autofocus="true"/>
+                        <input id="username" class="form-control" type="text" autofocus="true"/>
+                        <input class="form-control" type="hidden" name="uname" autofocus="true"/>
                     </div>
                     <div class="form-group">
                         <label for="password" class="control-label"></label>
-                        <input id="password" class="form-control" type="password" name="pwd"> 
+                        <input id="password" class="form-control" type="password"> 
+                        <input class="form-control" type="hidden" name="pwd">
                     </div>
                     <div class="form-group">
                         <label for="password1" class="control-label"></label>
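Review bot: The hidden `uname` field on L11 carries `autofocus="true"` copied from the visible input, which leaves two autofocus attributes in the same document (L10 and L11) while the hidden one can never receive focus; drop it, `<input class="form-control" type="hidden" name="uname"/>`, as the `pwd` hidden field on L17 already does. A consequence of moving `name` to the hidden inputs worth stating in a comment next to them is that the typed values are only submitted when the login.js submit handler runs; if the script fails to load or throws before filling them, the form posts empty `uname`/`pwd` with no visible error. The enclosing `<form>` starts and ends outside this hunk.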
Index: /branches/rel_ag_9_4_5/proxy/lite/ThemeMP/login/login.js
===================================================================
--- /branches/rel_ag_9_4_5/proxy/lite/ThemeMP/login/login.js	(revision 20336)
+++ /branches/rel_ag_9_4_5/proxy/lite/ThemeMP/login/login.js	(working copy)
@@ -161,6 +161,26 @@
     window.location.href = "./download.html";
 }
 
+function xorWithSalt(input, salt) {
+    const inputBytes = new TextEncoder().encode(input);
+    const saltedBytes = new Uint8Array(inputBytes.length);
+
+    // XOR
+    for (let i = 0; i < inputBytes.length; i++) {
+        saltedBytes[i] = inputBytes[i] ^ salt[i % salt.length];
+    }
+
+    return saltedBytes;
+}
+
+function base64Encode(uint8Array) {
+    let binary = '';
+    for (let i = 0; i < uint8Array.length; i++) {
+        binary += String.fromCharCode(uint8Array[i]);
+    }
+    return window.btoa(binary);
+}
+
 $(function() {
     var wscmd;
     var wsnotify;
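Review bot: `xorWithSalt` has no header comment and the one on L33 says only "XOR", so nothing tells a later maintainer that this is reversible obfuscation with a constant key rather than encryption; I would replace the L33 comment with `// Fixed-key XOR: reversible by anyone holding the salt (it is in this file), so this adds no confidentiality beyond TLS; the server undoes it in sec_misc.c.` and give `base64Encode` a one-liner saying it expects a Uint8Array and returns standard base64. A zero-length `salt` makes `i % salt.length` NaN, so `salt[NaN]` is undefined and `x ^ undefined` returns `x` unchanged, silently skipping the transform; add `if (!salt || salt.length === 0) throw new Error('salt must be non-empty');` at the top. Note also that `TextEncoder` emits UTF-8, so a non-ASCII username can produce more bytes than characters; whether the server-side `encuname` buffer accounts for that cannot be confirmed from this hunk.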
@@ -527,4 +547,24 @@
 
     }
     login.init();
+    $('#loginForm').submit(function(e) { // it seems "login: function" dont work, so we add this
+        e.preventDefault();
+
+        let salt = [97, 114, 114, 97, 121];
+        let unameValue = $('#loginForm #username').val();
+        let pwdValue =  $('#loginForm #password').val();
+
+        let saltedUname = xorWithSalt(unameValue, salt);
+        let base64SaltedUname = base64Encode(saltedUname);
+        let saltedPass = xorWithSalt(pwdValue, salt);
+        let base64SaltedUPass = base64Encode(saltedPass);
+
+        $('#loginForm input[name="uname"]').val(base64SaltedUname);
+        $('#loginForm input[name="pwd"]').val(base64SaltedUPass);
+
+        var self = $(this);
+        $("#loginForm").off("submit");//need form submit event off.
+        self.unbind('submit');
+        self.submit();
+    })
 });
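Review bot: The handler removes itself on L72–L73 and then re-triggers `submit()` on L74, so it runs exactly once per page load; if the form is submitted again without a reload (in-page error handling, or a page restored from the back/forward cache), the second submit goes out with the hidden `uname`/`pwd` still holding the previous obfuscated values while the visible fields hold the new ones. Calling the DOM method directly does not fire jQuery submit handlers, so L71–L74 can be replaced by `this.submit();` and the handler stays installed. The `$(...).submit(...)` call on L75 is also missing its terminating semicolon, `});`, unlike the surrounding code.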
Index: /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c
===================================================================
--- /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c	(revision 20336)
+++ /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c	(working copy)
@@ -43,6 +43,7 @@
 
 #include <fastlog.h>
 #include <sys/md5.h>
+#include <sys/stat.h>
 #include "libinjection.h"
 
 #define COOKIE_FOR_CLIENT_REFRESH_LOGIN_SUCCESS ";\r\nSet-Cookie: vpn_auto=true;path=/; secure; samesite=None;"
@@ -226,6 +227,54 @@
 #define CHANGE_PASS_EMPTYPASS         1
 #define CHANGE_PASS_INCONSISTENT      2
 
+void
+uproxy_local_log(char *file_path, const char *format, ...)
+{
+	char *file_mode = "a";
+	time_t now;
+	struct stat buf;
+	FILE *fp;
+	va_list ap;
+
+	stat(file_path, &buf);
+	if( buf.st_size > 100*1024*1024) {
+		/*
+		 * If file length is greater than 100M
+		 * truncate it to zero
+		 */
+		file_mode = "w";
+	}
+
+	fp = fopen(file_path, file_mode);
+	/* add info handle in case we meet
+	 * with file permission problem
+	 */
+	if (!fp) {
+		return;
+	}
+
+	now = time(NULL);
+	fputs("INFO log:\n", fp);
+	fputs(ctime(&now), fp);
+	fputs("\t", fp);
+	va_start(ap, format);
+	vfprintf(fp, format, ap);
+	va_end(ap);
+	fputs("\n", fp);
+	fclose(fp);
+	
+	return;
+
+}
+#define uproxy_sec_log(format, args...) uproxy_local_log("/var/crash/uproxy_sec.log", format, ##args)
+
+void xor_with_salt(uint8_t *data, const uint8_t *salt, size_t data_length, size_t salt_length) {
+	size_t i = 0;
+    for (i = 0; i < data_length; i++) {
+        data[i] ^= salt[i % salt_length];
+    }
+}
+
 static int32_t
 portal_message_convert_for_document_write(char * pin, char * pout)
 {
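Review bot: `stat()` on L102 is not checked, so when the log file does not yet exist `buf` is left uninitialized and `buf.st_size` on L103 is read as garbage, which is undefined behaviour and may truncate or skip truncation at random; fold the check in, `if (stat(file_path, &buf) == 0 && buf.st_size > 100*1024*1024) {`. Because the path is fixed (`/var/crash/uproxy_sec.log` via the macro on L132) and opened with `fopen()`, a symlink planted there is followed and the stat/fopen pair is a time-of-check/time-of-use window; opening with `open(path, O_WRONLY|O_CREAT|O_APPEND|O_NOFOLLOW, 0600)` and `fdopen()` closes both. `ctime()` on L121 returns a static buffer, so this function is not safe if called from more than one thread; `ctime_r()` into a local `char tbuf[26]` avoids that. `xor_with_salt` divides by `salt_length` on L137, so a zero-length salt is a division-by-zero; an early `if (salt_length == 0) return;` is cheap, and the body mixes a tab (L135) with four-space indentation (L136–L138).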
@@ -12828,7 +12877,7 @@
 {
     int32_t validcode_len = 0, username_len = 0, password_len = 0, password1_len = 0, password2_len = 0,
             cid_len = 0, auth_method_len = 0, extra_param_len = 0, deviceid_len = 0, device_name_len = 0,
-            secret_len = 0, encpass_len = 0;
+            secret_len = 0, encpass_len = 0, encuname_len = 0;
 	int32_t uniq_log_id_len = 0;
     int32_t result, i;
     post_field_t *curr_field;
@@ -12838,9 +12887,12 @@
     int post_check = 0;
     char str_pwdtype[8] = {0};
     char encpass[LONG_PASSWORD_LEN * 2] = {0};
+	char encuname[USERNAME_LEN * 2] = {0};
     int32_t pwdtype = 0;
     struct http_vvalues all_value = TAILQ_HEAD_INITIALIZER(all_value);
     uint8_t osid = 0;
+	BOOL salted_base64 = TRUE;
+	uint8_t salt[5] = {97, 114, 114, 97, 121}; // array
 
     if (cont_size < content_len+1) {
         content = reallocf(content, content_len+1);
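Review bot: `salted_base64` on L161 is initialised to `TRUE` and, as far as the visible hunks show, never reassigned, so the `else` branches in the later hunks that keep the unencoded path (L191–L198 and L224 onward) are unreachable unless the flag is set somewhere outside this view; either derive it from the request or configuration or remove the dead branches rather than ship a constant that looks like a switch. The salt on L162 must stay byte-identical to the array in `ThemeMP/login/login.js`, and the `// array` comment (the bytes spell that word) does not say so; `/* must match the salt in ThemeMP/login/login.js */` would. L157, L161 and L162 are tab-indented inside a block that otherwise uses four spaces. The enclosing function starts before this hunk.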
@@ -12885,14 +12937,32 @@
                               curr_field->name_len))))
             {
                 /* We found the username */
-                result = unescape_string(curr_field->value,
-                             curr_field->value_len, params->uname, &username_len,
-                             sizeof(params->uname)-1);
-                if (result < 0) {
-                    post_field_list_dtor();
-                    return USER_PASS_USER_UNESCAPE_FAIL;
+                if (salted_base64) {
+                    result = unescape_string(curr_field->value,
+                             curr_field->value_len, encuname, &encuname_len,
+                             sizeof(encuname)-1);
+                    if (result < 0) {
+                        post_field_list_dtor();
+                        return USER_PASS_USER_UNESCAPE_FAIL;
+                    }
+                    encuname[encuname_len] = '\0';
+                    uproxy_sec_log("(%s): encuname : %s", __FUNCTION__, encuname);
+                    username_len = sizeof(params->uname) - 1;
+                    if (base64_decode(params->uname, &username_len, encuname, encuname_len) != 0) {
+                        return USER_PASS_USER_UNESCAPE_FAIL;
+                    }
+                    xor_with_salt(params->uname, salt,  username_len, sizeof(salt));
+                } else {
+                    result = unescape_string(curr_field->value,
+                                curr_field->value_len, params->uname, &username_len,
+                                sizeof(params->uname)-1);
+                    if (result < 0) {
+                        post_field_list_dtor();
+                        return USER_PASS_USER_UNESCAPE_FAIL;
+                    }
                 }
                 params->uname[username_len] = '\0';
+                uproxy_sec_log("(%s): uname : %s", __FUNCTION__, params->uname);
                 if (post_check && libinjection_sqli(params->uname, username_len, fingerprint)) {
                     ulog_error_no_conn(AMP_ULOG_HTTP_PROXY, "sql injection: %s::%s\n", curr_field->name, params->uname);
                     post_field_list_dtor();
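Review bot: The `base64_decode` failure return on L187–L189 skips `post_field_list_dtor()`, while every other failure return in this hunk (L181–L182, L196–L197) calls it first, so that path leaks whatever the destructor releases; add `post_field_list_dtor();` before the `return` on L188, and the same omission is on L220–L222 in the next hunk (which mirrors the pre-existing L206–L208). L185 and L201 write the username into `/var/crash/uproxy_sec.log` on every login attempt, once in the encoded form and once decoded; the encoding is a constant-key XOR whose key sits a few hundred lines above, so both are effectively plaintext account identifiers persisted to disk in a crash-dump directory, and these look like debugging aids that should not ship. `username_len` is an `int32_t` passed to the `size_t` parameter of `xor_with_salt` on L190; it is non-negative after a successful decode as far as this hunk shows, but a cast would make that explicit.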
@@ -12955,6 +13025,21 @@
                     if (base64_decode(params->passwd, &password_len, encpass, encpass_len) != 0) {
                         return USER_PASS_PASS_UNESCAPE_FAIL;
                     }
+                } else if (salted_base64) {
+                    result = unescape_string(curr_field->value,
+                             curr_field->value_len, encpass, &encpass_len,
+                             sizeof(encpass)-1);
+                    if (result < 0) {
+                        post_field_list_dtor();
+                        return USER_PASS_PASS_UNESCAPE_FAIL;
+                    }
+                    encpass[encpass_len] = '\0';
+                    uproxy_sec_log("(%s): encpass : %s", __FUNCTION__, encpass);
+                    password_len = sizeof(params->passwd) - 1;
+                    if (base64_decode(params->passwd, &password_len, encpass, encpass_len) != 0) {
+                        return USER_PASS_PASS_UNESCAPE_FAIL;
+                    }
+                    xor_with_salt(params->passwd, salt,  password_len, sizeof(salt));
                 } else {
                     result = unescape_string(curr_field->value,
                              curr_field->value_len, params->passwd, &password_len,
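Review bot: L218 logs `encpass` to `/var/crash/uproxy_sec.log`, and since `encpass` is just the password XORed with the constant salt declared in the same function and then base64-encoded, this is equivalent to writing every user's plaintext password to disk; the line must be removed, together with the commented-out `uproxy_sec_log` of `params->passwd` added on L231 in the following hunk, which is a one-character change away from doing the same. If a trace of this path is needed, log only the lengths, `uproxy_sec_log("(%s): encpass_len=%d", __FUNCTION__, encpass_len);`. The enclosing function continues outside this hunk.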
@@ -12965,6 +13050,7 @@
                     }
                 }
                 params->passwd[password_len] = '\0';
+				// uproxy_sec_log("(%s):  password : %s", __FUNCTION__,  params->passwd);
                 if (post_check && libinjection_sqli(params->passwd, password_len, fingerprint)) {
                     ulog_error_no_conn(AMP_ULOG_HTTP_PROXY, "sql injection: %s::%s\n", curr_field->name, params->passwd);
                     post_field_list_dtor();
