[server] bug fix to handle SPA packets via http

ChangeLog

@@ -1,3 +1,8 @@
+fwknop-2.6.3 (05//2014):
+    - [server] Bug fix to handle SPA packets over HTTP by making sure to honor
+      the ENABLE_SPA_OVER_HTTP fwknopd.conf variable and to properly account
+      for SPA packet lengths when delivered via HTTP.
+
 fwknop-2.6.2 (04/28/2014):
     - [libfko] fix double free bug in SPA parser discovered with the new
       python SPA payload fuzzer (see the 'spa_encoding_fuzzing' branch which

Makefile.am

@@ -275,6 +275,8 @@ EXTRA_DIST = \
     test/conf/subnet_source_match_access.conf \
     test/conf/tcp_pcap_filter_fwknopd.conf \
     test/conf/tcp_server_fwknopd.conf \
+    test/conf/spa_over_http_fwknopd.conf \
+    test/conf/spa_over_http.pcap \
     test/conf/snat_fwknopd.conf \
     test/conf/snat_no_translate_ip_fwknopd.conf \
     test/conf/spa_replay.pcap \

server/incoming_spa.c

@@ -91,7 +91,7 @@ preprocess_spa_data(fko_srv_options_t *opts, const char *src_ip)
      * starts with "GET /" and the user agent starts with "Fwknop", then
      * assume it is a SPA over HTTP request.
     */
-    if(strncasecmp(opts->config[CONF_ENABLE_SPA_OVER_HTTP], "N", 1) == 0
+    if(strncasecmp(opts->config[CONF_ENABLE_SPA_OVER_HTTP], "Y", 1) == 0
       && strncasecmp(ndx, "GET /", 5) == 0
       && strstr(ndx, "User-Agent: Fwknop") != NULL)
     {
@@ -104,6 +104,7 @@ preprocess_spa_data(fko_srv_options_t *opts, const char *src_ip)
          * client), and reset the SPA message itself.
         */
         strlcpy((char *)spa_pkt->packet_data, ndx+5, pkt_data_len);
+        pkt_data_len -= 5;
 
         for(i=0; i<pkt_data_len; i++)
         {
@@ -119,6 +120,8 @@ preprocess_spa_data(fko_srv_options_t *opts, const char *src_ip)
 
             ndx++;
         }
+
+        spa_pkt->packet_data_len = pkt_data_len = i;
     }
 
     /* Require base64-encoded data

test/conf/spa_over_http_fwknopd.conf

@@ -0,0 +1 @@
+ENABLE_SPA_OVER_HTTP        Y;

test/test-fwknop.pl

@@ -35,6 +35,7 @@ our $gpg_client_home_dir = "$conf_dir/client-gpg";
 our $gpg_client_home_dir_no_pw = "$conf_dir/client-gpg-no-pw";
 our $replay_pcap_file     = "$conf_dir/spa_replay.pcap";
 our $multi_pkts_pcap_file = "$conf_dir/multi_pkts.pcap";
+our $spa_over_http_pcap_file = "$conf_dir/spa_over_http.pcap";
 
 our $lib_dir = '../lib/.libs';
 
@@ -112,6 +113,7 @@ our %cf = (
     'gpg_no_pw_hmac_serverdir_access' => "$conf_dir/gpg_no_pw_hmac_serverdir_access.conf",
     'gpg_no_pw_hmac_sha512_access' => "$conf_dir/gpg_no_pw_hmac_sha512_access.conf",
     'tcp_server'                   => "$conf_dir/tcp_server_fwknopd.conf",
+    'spa_over_http'                => "$conf_dir/spa_over_http_fwknopd.conf",
     'tcp_pcap_filter'              => "$conf_dir/tcp_pcap_filter_fwknopd.conf",
     'icmp_pcap_filter'             => "$conf_dir/icmp_pcap_filter_fwknopd.conf",
     'open_ports_access'            => "$conf_dir/open_ports_access.conf",

test/tests/basic_operations.pl

@@ -2333,6 +2333,24 @@
         ],
         'positive_output_matches' => [qr/PW\s.*not\sproperly/],
     },
+    {
+        'category' => 'basic operations',
+        'subcategory' => 'server',
+        'detail'   => 'GPG pw != HMAC key',
+        'function' => \&server_conf_files,
+        'fwknopd_cmdline' => $server_rewrite_conf_files,
+        'exec_err' => $YES,
+        'server_access_file' => [
+            'SOURCE                         any',
+            'HMAC_KEY                       testtest',
+            'GPG_DECRYPT_PW                 testtest'
+        ],
+        'server_conf_file' => [
+            '### comment'
+        ],
+        'positive_output_matches' => [qr/encryption\spassphrase/],
+    },
+
     {
         'category' => 'basic operations',
         'subcategory' => 'server',
@@ -2810,6 +2828,40 @@
         ],
         'positive_output_matches' => [qr/requires.*enabled/],
     },
+    {
+        'category' => 'basic operations',
+        'subcategory' => 'server',
+        'detail'   => 'iptables FORCE_SNAT + NAT',
+        'function' => \&server_conf_files,
+        'fwknopd_cmdline' => $server_rewrite_conf_files,
+        'exec_err' => $YES,
+        'server_access_file' => [
+            'SOURCE         any',
+            'KEY            testtest',
+            'FORCE_SNAT     1.2.3.4'
+        ],
+        'server_conf_file' => [
+            'ENABLE_IPT_FORWARDING      Y'
+        ],
+        'positive_output_matches' => [qr/must\salso\sbe\sused/],
+    },
+    {
+        'category' => 'basic operations',
+        'subcategory' => 'server',
+        'detail'   => 'iptables FORCE_MASQUERADE + NAT',
+        'function' => \&server_conf_files,
+        'fwknopd_cmdline' => $server_rewrite_conf_files,
+        'exec_err' => $YES,
+        'server_access_file' => [
+            'SOURCE                 any',
+            'KEY                    testtest',
+            'FORCE_MASQUERADE       Y'
+        ],
+        'server_conf_file' => [
+            'ENABLE_IPT_FORWARDING      Y'
+        ],
+        'positive_output_matches' => [qr/must\salso\sbe\sused/],
+    },
 
     {
         'category' => 'basic operations',

test/tests/rijndael_hmac.pl

@@ -184,6 +184,20 @@
         'fw_rule_created' => $NEW_RULE_REQUIRED,
         'fw_rule_removed' => $NEW_RULE_REMOVED,
     },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'server',
+        'detail'   => '--pcap-file SPA over http',
+        'function' => \&process_pcap_file_directly,
+        'cmdline'  => '',
+        'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'spa_over_http'} -a $cf{'hmac_sha256_access'} " .
+            "-d $default_digest_file -p $default_pid_file " .
+            "--pcap-file $spa_over_http_pcap_file --foreground $verbose_str " .
+            "--pcap-filter 'port 80' " .
+            "--verbose --verbose --verbose",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+    },
 
     {
         'category' => 'Rijndael+HMAC',