From d8dc9be9412b8103f4f6b68e45ba84d0d21507c1 Mon Sep 17 00:00:00 2001
From: Damien Stuart
Date: Tue, 29 Dec 2009 20:16:52 +0000
Subject: [PATCH] Added check for SPA packet age against the MAX_SPA_PACKET_AGE if ENABLE SPA_PACKET_AGING is set to "Y" in the conf file. Made the digest cache check only of ENABLE_DIGEST_PERSISTENCE is "Y".
git-svn-id: file:///home/mbr/svn/fwknop/trunk@176 510a4753-2344-4c79-9c09-4d669213fbeb
---
 Makefile.am | 2 +-
 server/config_init.c | 28 ++++++++++---------
 server/fwknopd_common.h | 14 ++++++++++
 server/incoming_spa.c | 61 +++++++++++++++++++++++++++++++++++------
 server/replay_dbm.c | 10 +++----
 5 files changed, 88 insertions(+), 27 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 97b0309d..6f2f8e2d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -15,7 +15,7 @@ SUBDIRS = \
 doc
 EXTRA_DIST = \
- m4 \
+ m4 \
 perl/legacy \
 perl/FKO/README \
 perl/FKO/inc/Devel/CheckLib.pm \
diff --git a/server/config_init.c b/server/config_init.c
index 5ac4b888..dc663d66 100644
--- a/server/config_init.c
+++ b/server/config_init.c
@@ -288,17 +288,25 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
 */
 optind = 0;
- /* First, scan the command-line args for an alternate configuration
- * file. If we find it, use it, otherwise use the default.
- * We also grab any override config files as well.
+ /* First, scan the command-line args for -h/--help or an alternate
+ * configuration file. If we find an alternate config file, use it,
+ * otherwise use the default. We also grab any override config files
+ * as well.
 */
 while ((cmd_arg = getopt_long(argc, argv, GETOPTS_OPTION_STRING, cmd_opts, &index)) != -1) {
+ /* If help is wanted, give it and exit.
+ */
+ switch(cmd_arg) {
+ case 'h':
+ usage();
+ exit(EXIT_SUCCESS);
+ break;
+
 /* Look for configuration file arg. */
- if(cmd_arg == 'c')
- {
+ case 'c':
 set_config_entry(opts, CONF_CONFIG_FILE, optarg);
 got_conf_file++;
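Review bot: `case 'c':` now falls through into `case 'O':` (the hunk at -306) whenever `got_override_config` is still 0, because the only `break` in the `'c'` arm is the one inside `if(got_override_config > 0)`; a plain `-c <file>` therefore also stores the same path as `CONF_OVERRIDE_CONFIG` and bumps `got_override_config`, so the config file is read a second time as its own override. An unconditional `break;` at the end of the `'c'` arm (after that `if`) is needed, and the `'O'` arm needs the same. Note also that a `break` inside the `switch` no longer leaves the `while` loop as it did in the old `if` form, so the early exit once both files are known is gone; harmless, but a comment saying the full scan is intended would avoid a reader "fixing" it. The pre-scan `switch` has no `default:` arm for the options it deliberately ignores; `default: break;` makes that explicit. The closing of the `switch` and of the `while` loop are outside the hunk.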
@@ -306,14 +314,12 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
 */
 if(got_override_config > 0)
 break;
- }
 /* Look for override configuration file arg. */
- if(cmd_arg == 'O')
- {
+ case 'O':
 set_config_entry(opts, CONF_OVERRIDE_CONFIG, optarg);
- got_conf_file++;
+ got_override_config++;
 /* If we already have the conf_file option, we are done.
 */
@@ -406,10 +412,6 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
 case GPG_KEY:
 set_config_entry(opts, CONF_GPG_KEY, optarg);
 break;
- case 'h':
- usage();
- exit(EXIT_SUCCESS);
- break;
 case 'i':
 set_config_entry(opts, CONF_PCAP_INTF, optarg);
 break;
diff --git a/server/fwknopd_common.h b/server/fwknopd_common.h
index b2051109..d0dbf6c7 100644
--- a/server/fwknopd_common.h
+++ b/server/fwknopd_common.h
@@ -79,6 +79,20 @@ enum {
 SPA_CAP_MODE_TCP
 };
+/* SPA message handling status code
+ */
+enum {
+ SPA_MSG_SUCCESS = 0,
+ SPA_MSG_BAD_DATA,
+ SPA_MSG_FKO_CTX_ERROR,
+ SPA_MSG_DIGEST_ERROR,
+ SPA_MSG_DIGEST_CACHE_ERROR,
+ SPA_MSG_REPLAY,
+ SPA_MSG_TOO_OLD,
+ SPA_MSG_ACCESS_DENIED,
+ SPA_MSG_ERROR
+};
+
 /* Configuration file parameter tags.
 * This will correspond to entries in the configuration parameters
 * array.
diff --git a/server/incoming_spa.c b/server/incoming_spa.c
index 70748ada..c2790eeb 100644
--- a/server/incoming_spa.c
+++ b/server/incoming_spa.c
@@ -5,7 +5,7 @@
 *
 * Author: Damien S. Stuart
 *
- * Purpose: The pcap capture routines for fwknopd.
+ * Purpose: Process an incoming SPA data packet for fwknopd.
 *
 * Copyright (C) 2009 Damien Stuart (dstuart@dstuart.org)
 *
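Review bot: The comment on the new status enum in fwknopd_common.h says neither which functions return these values nor that only `SPA_MSG_SUCCESS` means the packet passed, which is the property the new `incoming_spa` code (`if(res != SPA_MSG_SUCCESS) goto clean_and_bail;`) and `replay_check` rely on. Something like `/* Status codes returned by incoming_spa() and replay_check(). SPA_MSG_SUCCESS (0) is the only value that accepts the packet; every other code rejects it. */` would state the contract next to the values. Because the enum is anonymous the functions keep returning plain `int`; giving it a tag would let the return type say what it carries.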
@@ -27,22 +27,26 @@
 #include "incoming_spa.h"
 #include "log_msg.h"
-/* The pcap capture routine.
+/* Process the SPA packet data
 */
 int
 incoming_spa(fko_srv_options_t *opts)
 {
 fko_ctx_t ctx;
 int res;
+ time_t spa_ts, now_ts;
+ int ts_diff;
 spa_pkt_info_t *spa_pkt = &(opts->spa_pkt);
 /* Sanity check
 */
 if(spa_pkt->packet_data_len <= 0)
- return;
+ return(SPA_MSG_BAD_DATA);
+/* --DSS temp */
 fprintf(stderr, "SPA Packet: '%s'\n", spa_pkt->packet_data);
+/* --DSS temp */
 /* Get the decryption key
 */
@@ -61,19 +65,60 @@ fprintf(stderr, "SPA Packet: '%s'\n", spa_pkt->packet_data);
 if(res != FKO_SUCCESS)
 {
- fprintf(stderr, "Error creating fko context: %s\n", fko_errstr(res));
- return(-1);
+ log_msg(LOG_WARNING|LOG_STDERR, "Error creating fko context: %s",
+ fko_errstr(res));
+ return(SPA_MSG_FKO_CTX_ERROR);
 }
+/* --DSS temp */
 fprintf(stderr, "Decode res = %i\n", res);
+display_ctx(ctx);
+/* --DSS temp */
+
+ if(strncasecmp(opts->config[CONF_ENABLE_DIGEST_PERSISTENCE], "Y", 1) == 0)
+ {
+ res = replay_check(opts, ctx);
+ if(res != SPA_MSG_SUCCESS)
+ goto clean_and_bail;
+ }
+
+ /* Check packet age if so configured.
+ */
+ if(strncasecmp(opts->config[CONF_ENABLE_SPA_PACKET_AGING], "Y", 1) == 0)
+ {
+ if(fko_get_timestamp(ctx, &spa_ts) != FKO_SUCCESS)
+ {
+ log_msg(LOG_WARNING|LOG_STDERR, "Error getting SPA timestamp: %s",
+ fko_errstr(res));
+ res = SPA_MSG_ERROR;
+ goto clean_and_bail;
+ }
+
+ time(&now_ts);
+
+ ts_diff = now_ts - spa_ts;
+
+ if(ts_diff > atoi(opts->config[CONF_MAX_SPA_PACKET_AGE]))
+ {
+ log_msg(LOG_WARNING|LOG_STDERR, "SPA data is too old (%i seconds).",
+ ts_diff);
+ res = SPA_MSG_TOO_OLD;
+ goto clean_and_bail;
+ }
+ }
+
+ /* Additional access checks
+ */
+ // TODO: Finish me
- display_ctx(ctx);
+ /* Send to the firewall rule processor.
+ */
+ // TODO: Finish me
- res = replay_check(opts, ctx);
+clean_and_bail:
 fko_destroy(ctx);
- return(res);
 }
diff --git a/server/replay_dbm.c b/server/replay_dbm.c
index 3e5ec993..5462277c 100644
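Review bot: `int ts_diff` is declared here to hold `now_ts - spa_ts`, a `time_t` difference computed in the hunk at -61; where `time_t` is 64-bit the assignment truncates, so a timestamp that is off by a multiple of 2^32 seconds wraps to a small value and passes the age comparison. Declaring it `time_t ts_diff;` (or `long`) and printing it with a matching cast and format instead of `%i` keeps the check honest. The two `/* --DSS temp */` markers bracket an unconditional stderr dump of the raw packet data; if it has to stay for now, putting it behind a compile-time or verbosity guard keeps it out of production output.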
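Review bot: In the `fko_get_timestamp` failure branch, `fko_errstr(res)` reports the stale `res` from the context-creation check at the top of the hunk rather than the timestamp call's own result, so the logged reason is always wrong; capture it with `res = fko_get_timestamp(ctx, &spa_ts);` and test `if(res != FKO_SUCCESS)`. As the hunk reads, `- return(res);` after `fko_destroy(ctx);` removes the only `return` of this `int` function, which makes the caller's use of its value undefined; unless that dash belongs to a removed blank line, `return(res);` must follow `fko_destroy(ctx);` (the function's closing brace is the hunk's last line; its head, including the call that sets `res`, is outside the hunk). The age check rejects only `ts_diff > max`, so a timestamp in the future passes by any margin, and with digest persistence disabled such a packet stays valid indefinitely; also rejecting `ts_diff < -max` (or comparing the absolute difference) closes that. `display_ctx(ctx)` between the `--DSS temp` markers writes the decoded SPA fields to stderr for every packet and should not survive into a build that is run with real keys.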
--- a/server/replay_dbm.c
+++ b/server/replay_dbm.c
@@ -146,7 +146,7 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
 log_msg(LOG_WARNING|LOG_STDERR, "Error getting digest from SPA data: %s", fko_errstr(res));
- return(-1);
+ return(SPA_MSG_DIGEST_ERROR);
 }
 digest_len = strlen(digest);
@@ -171,7 +171,7 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
 MY_DBM_STRERROR(errno)
 );
- return(-1);
+ return(SPA_MSG_DIGEST_CACHE_ERROR);
 }
 db_ent = MY_DBM_FETCH(rpdb, db_key);
@@ -232,7 +232,7 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
 free(db_ent.dptr);
 #endif
- res = 1;
+ res = SPA_MSG_REPLAY;
 } else {
 /* This is a new SPA packet that needs to be added to the cache. */
@@ -249,10 +249,10 @@ replay_check(fko_srv_options_t *opts, fko_ctx_t ctx)
 MY_DBM_STRERROR(errno)
 );
- res = -1;
+ res = SPA_MSG_DIGEST_CACHE_ERROR;
 }
- res = 0;
+ res = SPA_MSG_SUCCESS;
 }
 MY_DBM_CLOSE(rpdb);
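Review bot: In the hunk at -249, `res = SPA_MSG_SUCCESS;` runs unconditionally after the store-failure block, so the `res = SPA_MSG_DIGEST_CACHE_ERROR;` set two lines above is overwritten and a packet whose digest could not be written to the cache is reported as accepted; since its digest was never recorded, the same packet passes the replay check again. The commit renames both assignments but keeps the clobber; making the success assignment `else res = SPA_MSG_SUCCESS;` (or setting `res = SPA_MSG_SUCCESS;` before the store and only overwriting it on failure) fixes it. The store call whose failure branch this is, and the closing of `replay_check`, are outside the hunk.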