Privacy Improvement for HTTP_USER_AGENT #296

Closed
fishcreek opened this issue Mar 9, 2019 · 3 comments

fishcreek commented Mar 9, 2019

Hello,

I have tested the option to send an access request via HTTP on FreeBSD 11.2/fwknop2.6.10 and used the following config files (I additionally opened port 80 in the PF firewall)

client config:
cat .fwknoprc
[default]
[bsdrouter5.net.fb]
ALLOW_IP 192.168.10.25
ACCESS tcp/22
SPA_SERVER 192.168.10.177
SPA_SERVER_PORT 80
SPA_SERVER_PROTO http
KEY_BASE64 ccqZY713YAiAOKvpwJP9K16afMbqVZaxo7tVi91Kb7c=
HMAC_KEY_BASE64 0niKXAhsVuPi1cZLb+m74l9L33b0PZQyZE6EEz8g+U7uTAn7YJBnzepoN74ZVhVtX951uGDlQEUTZWScZSjf7A==
USE_HMAC Y

Server config:
egrep -v '^#|^$' /usr/local/etc/fwknop/fwknopd.conf
VERBOSE 10;
PCAP_INTF igb1;
ENABLE_PCAP_PROMISC Y;
PCAP_FILTER tcp port 80;
ENABLE_SPA_OVER_HTTP Y;
ENABLE_TCP_SERVER Y;
TCPSERV_PORT 80;

egrep -v '^#|^$' /usr/local/etc/fwknop/access.conf
SOURCE ANY
REQUIRE_SOURCE_ADDRESS Y
KEY_BASE64 ccqZY713YAiAOKvpwJP9K16afMbqVZaxo7tVi91Kb7c=
HMAC_KEY_BASE64 0niKXAhsVuPi1cZLb+m74l9L33b0PZQyZE6EEz8g+U7uTAn7YJBnzepoN74ZVhVtX951uGDlQEUTZWScZSjf7A==

When I looked at the payload of the request I saw the string "Fwknop/2.6.10" being transferred to the server:
tcpdump -i igb1 -nnvvSs 1514 port 80
192.168.10.25.15646 > 192.168.10.177.80: Flags [P.], cksum 0x81c0 (correct), seq 39157670:39157994, ack 2503802435, win 1026, options [nop,nop,TS val 818353 ecr 56138280], length 324: HTTP, length: 324
GET /-SGoHAa2Fms82GAYd3HZ6avwtynFlhoTs-SgNsMvFbdOYRV2kvYyqEeYx_d1oxhaav2LbK6YTPCbjhiBdJHvmfVRwm3MZy9M2DWjRv-JKoRgxxutVc8BHQRbkZWbOJEhfohjz48OnKDR0slpHQgdYWVEm-u63fEy6SYzmZXVNebVBRjOebAQTvSpkkUJky-M4dfteifRda2Fm9Iw2ovKqksOL9Z0M7eNQ HTTP/1.0
User-Agent: Fwknop/2.6.10
Accept: /
Host: 192.168.10.177
Connection: close

I tried to change this text using the client config option
HTTP_USER_AGENT Mozilla/5.0 (X11; FreeBSD amd64; rv:65.0) Gecko/20100101 Firefox/65.0
but that did not work.

First, I was not able to use spaces inside of the user agent parameter. The string was cut off after the first space.
Second, I had to start the user agent string with the string "fwknop" or otherwise I saw the following error in the server output: (VERBOSE = 1)
fwknopd -f --syslog-enable
Opened access file: /usr/local/etc/fwknop/access.conf
Initialize access stanzas
[+] Writing my PID (3324) to the lock file: /var/fwknop/fwknopd.pid
Starting fwknopd
Using Digest Cache: '/var/fwknop/digest.cache' (entry count = 117)
Kicking off TCP server to listen on port 80.
Sniffing interface: igb1
PCAP filter is: 'tcp port 80'
Starting fwknopd main event loop.
tcp_server: Got TCP connection from 192.168.10.25.
[192.168.10.25] preprocess_spa_data() returned error 4098: 'Data is not an SPA message' for incoming packet.

Sending a request this way, I am not able to hide a SPA request in a foreign network...
Any help appreciated!
Thanks

Owner

mrash commented Mar 10, 2019

Thanks, I have reproduced this on Linux as well. Will provide a patch as soon as I can.

@mrash mrash closed this as completed in fb69921 Mar 12, 2019
@mrash mrash self-assigned this Mar 12, 2019
Owner

mrash commented Mar 12, 2019

There is test suite support as well, just run:

./test-fwknop.pl --include "pcap-file any User-Agent"

@fishcreek
Author

Thank you for the fix.
I tried to test it but that was not easy for me, because I have no development tools on the server where the fwknopd runs. A simple copy of the build tree seems to cause problems with the old libs installed by the BSD port. Every time I started the server it stopped running with an error message: "Warning: the fwknop anchor is not active in the pf policy"
Perhaps I have to deinstall the old version and build a new package which replaces all files. Since I am not very familiar with creating ports in FreeBSD, that is so much work for me that I decided to wait for the next version and delay my test. In the meantime I use the UDP options of the program.
Testing the new client was easier but it seems that the HTTP_USER_AGENT string is truncated after the first space like the version before. Is that correct or did I make a mistake (e.g. load a wrong lib) when testing it?
At least the perl tests did not break with errors when I tried it.
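
An added example, not part of the thread and not fwknop code: a small check that compares the `HTTP_USER_AGENT` value in a client rc file with the `User-Agent` header in a captured request, flagging the two symptoms reported above (tool name in the header, value cut at the first space). The rc parsing rule (key, whitespace, value to end of line), the helper names and the sample inputs are assumptions constructed for illustration.

```python
# Constructed inputs modelled on the issue; the request path is a placeholder.
RC_TEXT = """[bsdrouter5.net.fb]
SPA_SERVER_PROTO http
HTTP_USER_AGENT Mozilla/5.0 (X11; FreeBSD amd64; rv:65.0) Gecko/20100101 Firefox/65.0
"""

def sample_request(user_agent):
    """Build a request shaped like the tcpdump capture (constructed, not captured)."""
    return ("GET /PLACEHOLDER_SPA_PAYLOAD HTTP/1.0\r\n"
            f"User-Agent: {user_agent}\r\n"
            "Host: 192.168.10.177\r\nConnection: close\r\n\r\n")

def configured_user_agent(rc_text):
    """Return the HTTP_USER_AGENT value, spaces included (assumed rc syntax)."""
    for line in rc_text.splitlines():
        parts = line.split(None, 1)  # key, then the rest of the line
        if len(parts) == 2 and parts[0] == "HTTP_USER_AGENT":
            return parts[1].strip()
    return None

def sent_user_agent(request):
    """Return the User-Agent header value from a raw HTTP request, or None."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None

def audit(rc_text, request):
    """Return finding codes for the captured request; an empty list means clean."""
    want, sent = configured_user_agent(rc_text), sent_user_agent(request)
    if sent is None:
        return ["missing"]
    findings = []
    if sent.lower().startswith("fwknop"):
        findings.append("tool-name")   # header identifies the SPA client
    if want and sent != want:
        if sent == want.split(" ", 1)[0]:
            findings.append("truncated")  # value cut at the first space
        else:
            findings.append("mismatch")   # configured value was not used
    return findings

if __name__ == "__main__":
    for ua in ("Fwknop/2.6.10", "Mozilla/5.0", configured_user_agent(RC_TEXT)):
        print(f"{ua!r}: {audit(RC_TEXT, sample_request(ua)) or 'ok'}")
```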
