add ALLOW_ANY_USER_AGENT to ignore incoming User-Agent strings in SPA…

… packets over HTTP, closes #296

ChangeLog

@@ -1,3 +1,13 @@
+fwknop-2.6.11 (04//2019):
+    - [server] Add ALLOW_ANY_USER_AGENT for ENABLE_SPA_OVER_HTTP mode so that
+      fwknopd will accept any User-Agent string coming from the client. By
+      default this is disabled, so only SPA packets with a User-Agent string
+      that begins with 'Fwknop' will be accepted. Just set this variable to
+      'Y' to override this. Then, on the fwknop client command line, use the
+      --user-agent option to specify any desired User-Agent string. This
+      feature was added to close issue #296 reported by github user
+      @fishcreek.
+
 fwknop-2.6.10 (08/06/2018):
     - [server] Add MAX_FW_TIMEOUT to access.conf stanzas to allow a maximum
       number of seconds for client-specified timeouts in SPA packets. This

Makefile.am

@@ -352,8 +352,10 @@ EXTRA_DIST = \
     test/conf/udp_server_fwknopd.conf \
     test/conf/spa_over_http_fwknopd.conf \
     test/conf/spa_over_http.pcap \
+    test/conf/spa_allow_any_user_agent.pcap \
     test/conf/spa_x_forwarded_for.pcap \
     test/conf/spa_x_forwarded_for_fwknopd.conf \
+    test/conf/spa_allow_any_user_agent_fwknopd.conf \
     test/conf/ipt_snat_fwknopd.conf \
     test/conf/firewd_snat_fwknopd.conf \
     test/conf/ipt_snat_no_translate_ip_fwknopd.conf \

doc/fwknopd.man.asciidoc

@@ -390,6 +390,13 @@ the '@sysconfdir@/fwknop/fwknopd.conf' file for additional details.
     over TCP/80 connections and a web server should be running on the same
     server as *fwknopd*.
 
+*ALLOW_ANY_USER_AGENT* '<Y/N>'::
+    When *fwknopd* is configured to acquire SPA data from HTTP requests (i.e.
+    when ``ENABLE_SPA_OVER_HTTP'' is set to ``Y''), control whether to require
+    the User-Agent from the client to start with the string 'Fwknop'. The
+    default is ``N'' to require this, but if set to ``Y'', then *fwknopd* will
+    allow any User-Agent string to be set on incoming SPA packets.
+
 *ENABLE_X_FORWARDED_FOR* '<Y/N>'::
     Allows *fwknopd* to use the X-Forwarded-for header from a captured SPA
     packet over HTTP as the source IP. This can happen when using SPA through
@@ -398,7 +405,7 @@ the '@sysconfdir@/fwknop/fwknopd.conf' file for additional details.
 *ENABLE_TCP_SERVER* '<Y/N>'::
     Enable the fwknopd TCP server. This is a "dummy" TCP server that will
     accept TCP connection requests on the specified TCPSERV_PORT.
-    If set to "Y", fwknopd will fork off a child process to listen for, and
+    If set to ``Y'', fwknopd will fork off a child process to listen for, and
     accept incoming TCP request. This server only accepts the
     request. It does not otherwise communicate. This is only to allow the
     incoming SPA over TCP packet which is detected via PCAP. The connection
@@ -443,8 +450,8 @@ the '@sysconfdir@/fwknop/fwknopd.conf' file for additional details.
     sniffing interface. In the later case, this can be useful to have fwknopd
     sniff SPA packets that are forwarded through a system and destined for a
     different network. If the sniffing interface is the egress interface for
-    such packets, then this variable will need to be set to "Y" in order for
-    fwknopd to see them. The default is "N" so that fwknopd only looks for SPA
+    such packets, then this variable will need to be set to ``Y'' in order for
+    fwknopd to see them. The default is ``N'' so that fwknopd only looks for SPA
     packets that are received on the sniffing interface (note that this is
     independent of promiscuous mode).
 

server/cmd_opts.h

@@ -56,6 +56,7 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
     "CMD_EXEC_TIMEOUT",
     //"BLACKLIST",
     "ENABLE_SPA_OVER_HTTP",
+    "ALLOW_ANY_USER_AGENT",
     "ENABLE_TCP_SERVER",
     "TCPSERV_PORT",
     "ENABLE_UDP_SERVER",

server/config_init.c

@@ -911,6 +911,16 @@ validate_options(fko_srv_options_t *opts)
         set_config_entry(opts, CONF_ENABLE_SPA_OVER_HTTP,
             DEF_ENABLE_SPA_OVER_HTTP);
 
+    /* When CONF_ENABLE_SPA_OVER_HTTP is enabled, control whether to require the
+     * User-Agent string to begin with 'Fwknop'. The default is 'N', but setting
+     * this to 'Y' in the fwknopd.conf file allows any User-Agent to be used.
+     * Then, from the client, a custom User-Agent can be set with the
+     * '--user-agent' command line option.
+    */
+    if(opts->config[CONF_ALLOW_ANY_USER_AGENT] == NULL)
+        set_config_entry(opts, CONF_ALLOW_ANY_USER_AGENT,
+            DEF_ALLOW_ANY_USER_AGENT);
+
     /* Enable TCP server.
     */
     if(opts->config[CONF_ENABLE_TCP_SERVER] == NULL)

server/fwknopd_common.h

@@ -108,6 +108,7 @@
   #define DEF_SUDO_EXE                   "/usr/bin/sudo"
 #endif
 #define DEF_ENABLE_SPA_OVER_HTTP        "N"
+#define DEF_ALLOW_ANY_USER_AGENT        "N"
 #define DEF_ENABLE_TCP_SERVER           "N"
 #define DEF_TCPSERV_PORT                "62201"
 #if USE_LIBPCAP
@@ -257,6 +258,7 @@ enum {
     CONF_CMD_EXEC_TIMEOUT,
     //CONF_BLACKLIST,
     CONF_ENABLE_SPA_OVER_HTTP,
+    CONF_ALLOW_ANY_USER_AGENT,
     CONF_ENABLE_TCP_SERVER,
     CONF_TCPSERV_PORT,
     CONF_ENABLE_UDP_SERVER,

server/incoming_spa.c

@@ -96,14 +96,21 @@ preprocess_spa_data(const fko_srv_options_t *opts, spa_pkt_info_t *spa_pkt, spa_
      * assume it is a SPA over HTTP request.
     */
     if(strncasecmp(opts->config[CONF_ENABLE_SPA_OVER_HTTP], "Y", 1) == 0
-      && strncasecmp(ndx, "GET /", 5) == 0
-      && strstr(ndx, "User-Agent: Fwknop") != NULL)
+      && strncasecmp(ndx, "GET /", 5) == 0)
     {
         /* This looks like an HTTP request, so let's see if we are
          * configured to accept such request and if so, find the SPA
          * data.
         */
 
+        /* First see if we require the User-Agent to start with 'Fwknop'
+        */
+        if(strncasecmp(opts->config[CONF_ALLOW_ANY_USER_AGENT], "N", 1) == 0
+          && strstr(ndx, "User-Agent: Fwknop") == NULL)
+        {
+            return(SPA_MSG_BAD_DATA);
+        }
+
         /* Process X-Forwarded-For header */
 
         xff = strcasestr(ndx, "X-Forwarded-For: ");

test/conf/spa_allow_any_user_agent_fwknopd.conf

@@ -0,0 +1,2 @@
+ENABLE_SPA_OVER_HTTP        Y;
+ALLOW_ANY_USER_AGENT        Y;

test/test-fwknop.pl

@@ -45,6 +45,7 @@
 our $fcs_pcap_file        = "$conf_dir/fcs_spa.pcap";
 our $spa_over_http_pcap_file = "$conf_dir/spa_over_http.pcap";
 our $spa_x_forwarded_for_pcap_file = "$conf_dir/spa_x_forwarded_for.pcap";
+our $spa_allow_any_user_agent_pcap_file = "$conf_dir/spa_allow_any_user_agent.pcap";
 
 our $lib_dir = '../lib/.libs';
 
@@ -637,6 +638,7 @@
     'udp_server'                   => "$conf_dir/udp_server_fwknopd.conf",
     'spa_over_http'                => "$conf_dir/spa_over_http_fwknopd.conf",
     'spa_x_forwarded_for'          => "$conf_dir/spa_x_forwarded_for_fwknopd.conf",
+    'spa_allow_any_user_agent'     => "$conf_dir/spa_allow_any_user_agent_fwknopd.conf",
     'tcp_pcap_filter'              => "$conf_dir/tcp_pcap_filter_fwknopd.conf",
     'icmp_pcap_filter'             => "$conf_dir/icmp_pcap_filter_fwknopd.conf",
     'open_ports_access'            => "$conf_dir/open_ports_access.conf",

test/tests/rijndael_hmac.pl

@@ -611,6 +611,19 @@
             "--verbose --verbose --verbose",
         'server_positive_output_matches' => [qr/Added access rule.*\sfor 1.2.3.4/],
     },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'server',
+        'detail'   => '--pcap-file any User-Agent',
+        'function' => \&process_pcap_file_directly,
+        'cmdline'  => '',
+        'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'spa_allow_any_user_agent'} -a $cf{'hmac_access'} " .
+            "-d $default_digest_file -p $default_pid_file " .
+            "--pcap-file $spa_allow_any_user_agent_pcap_file --foreground $verbose_str " .
+            "--pcap-filter 'port 80' " .
+            "--verbose --verbose --verbose",
+        'server_positive_output_matches' => [qr/Added access rule.*\sfor 1.2.3.4/],
+    },
 
     {
         'category' => 'Rijndael+HMAC',