mrash / fwknop

Single Packet Authorization > Port Knocking
http://www.cipherdyne.org/fwknop/
GNU General Public License v2.0
1.12k stars 232 forks

Privacy Improvement for HTTP_USER_AGENT #296

Closed fishcreek closed 5 years ago

fishcreek commented 5 years ago

Hello,

I have tested the option to send an access request via HTTP on FreeBSD 11.2/fwknop2.6.10 and used the following config files (I additionally opened port 80 in the PF firewall)

Client config:

```
$ cat .fwknoprc
[default]

[bsdrouter5.net.fb]
ALLOW_IP 192.168.10.25
ACCESS tcp/22
SPA_SERVER 192.168.10.177
SPA_SERVER_PORT 80
SPA_SERVER_PROTO http
KEY_BASE64 ccqZY713YAiAOKvpwJP9K16afMbqVZaxo7tVi91Kb7c=
HMAC_KEY_BASE64 0niKXAhsVuPi1cZLb+m74l9L33b0PZQyZE6EEz8g+U7uTAn7YJBnzepoN74ZVhVtX951uGDlQEUTZWScZSjf7A==
USE_HMAC Y
```

Server config:

```
$ egrep -v '^#|^$' /usr/local/etc/fwknop/fwknopd.conf
VERBOSE 10;
PCAP_INTF igb1;
ENABLE_PCAP_PROMISC Y;
PCAP_FILTER tcp port 80;
ENABLE_SPA_OVER_HTTP Y;
ENABLE_TCP_SERVER Y;
TCPSERV_PORT 80;
```

```
$ egrep -v '^#|^$' /usr/local/etc/fwknop/access.conf
SOURCE ANY
REQUIRE_SOURCE_ADDRESS Y
KEY_BASE64 ccqZY713YAiAOKvpwJP9K16afMbqVZaxo7tVi91Kb7c=
HMAC_KEY_BASE64 0niKXAhsVuPi1cZLb+m74l9L33b0PZQyZE6EEz8g+U7uTAn7YJBnzepoN74ZVhVtX951uGDlQEUTZWScZSjf7A==
```

When I looked at the payload of the request I saw the string "Fwknop/2.6.10" being transferred to the server:

```
$ tcpdump -i igb1 -nnvvSs 1514 port 80
192.168.10.25.15646 > 192.168.10.177.80: Flags [P.], cksum 0x81c0 (correct), seq 39157670:39157994, ack 2503802435, win 1026, options [nop,nop,TS val 818353 ecr 56138280], length 324: HTTP, length: 324
	GET /-SGoHAa2Fms82GAYd3HZ6avwtynFlhoTs-SgNsMvFbdOYRV2kvYyqEeYx_d1oxhaav2LbK6YTPCbjhiBdJHvmfVRwm3MZy9M2DWjRv-JKoRgxxutVc8BHQRbkZWbOJEhfohjz48OnKDR0slpHQgdYWVEm-u63fEy6SYzmZXVNebVBRjOebAQTvSpkkUJky-M4dfteifRda2Fm9Iw2ovKqksOL9Z0M7eNQ HTTP/1.0
	User-Agent: Fwknop/2.6.10
	Accept: */*
	Host: 192.168.10.177
	Connection: close
```

I tried to change this text using the client config option `HTTP_USER_AGENT Mozilla/5.0 (X11; FreeBSD amd64; rv:65.0) Gecko/20100101 Firefox/65.0`, but that did not work.

First, I was not able to use spaces inside of the user agent parameter. The string was cut off after the first space. Second, I had to start the user agent string with the string "fwknop", otherwise I saw the following error in the server output (VERBOSE = 1):

```
$ fwknopd -f --syslog-enable
Opened access file: /usr/local/etc/fwknop/access.conf
Initialize access stanzas
[+] Writing my PID (3324) to the lock file: /var/fwknop/fwknopd.pid
Starting fwknopd
Using Digest Cache: '/var/fwknop/digest.cache' (entry count = 117)
Kicking off TCP server to listen on port 80.
Sniffing interface: igb1
PCAP filter is: 'tcp port 80'
Starting fwknopd main event loop.
tcp_server: Got TCP connection from 192.168.10.25.
[192.168.10.25] preprocess_spa_data() returned error 4098: 'Data is not an SPA message' for incoming packet.
```

Sending a request this way, I am not able to hide a SPA request in a foreign network... Any help appreciated! Thanks
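
The two behaviours described in the report, reproduced as an added Python example (this is not fwknop's own code and makes no claim about how fwknopd or the client are implemented): a config-line parser that cuts the value at the first space beside one that keeps the whole value, the request framing exactly as it appears in the tcpdump capture above, and a server-side extraction of the SPA payload from the request line that either insists on a User-Agent beginning with "fwknop" (the rejection the reporter hit) or ignores the header. The payload string is the one from the capture; the Firefox User-Agent is the one from the report. The character class used for the payload and the restoration of '-' and '_' to '+' and '/' are assumptions drawn from the characters visible in the capture; the function names are illustrative.

```python
import re

# Payload and request as captured in the tcpdump output of this issue (fwknop
# 2.6.10 client talking to fwknopd on 192.168.10.177:80).
CAPTURED_SPA = (
    "-SGoHAa2Fms82GAYd3HZ6avwtynFlhoTs-SgNsMvFbdOYRV2kvYyqEeYx_d1oxhaav2LbK6YTPCbjhiB"
    "dJHvmfVRwm3MZy9M2DWjRv-JKoRgxxutVc8BHQRbkZWbOJEhfohjz48OnKDR0slpHQgdYWVEm-u63fEy"
    "6SYzmZXVNebVBRjOebAQTvSpkkUJky-M4dfteifRda2Fm9Iw2ovKqksOL9Z0M7eNQ"
)
CAPTURED_REQUEST = "\r\n".join([
    f"GET /{CAPTURED_SPA} HTTP/1.0",
    "User-Agent: Fwknop/2.6.10",
    "Accept: */*",
    "Host: 192.168.10.177",
    "Connection: close",
    "", "",
])

# The User-Agent the reporter tried to configure.
FIREFOX_UA = "Mozilla/5.0 (X11; FreeBSD amd64; rv:65.0) Gecko/20100101 Firefox/65.0"

# Assumption: the path is base64 with '+' -> '-' and '/' -> '_' and no '='
# padding, which is what the characters in the capture are consistent with.
SPA_PATH_RE = re.compile(r"[A-Za-z0-9_-]+")
REQUEST_LINE_RE = re.compile(r"GET /([A-Za-z0-9_-]+) HTTP/1\.[01]")


def parse_rc_line_truncating(line):
    """Reproduces the symptom from the report: splitting on every run of
    whitespace and keeping the second token loses everything after the
    first space in the value."""
    return line.split()[1]


def parse_rc_line(line):
    """Split key from value at the first run of whitespace only, so a value
    containing spaces (a browser User-Agent) survives intact."""
    parts = re.split(r"\s+", line.strip(), maxsplit=1)
    return parts[0], (parts[1] if len(parts) == 2 else "")


def build_spa_http_request(spa_data, host, user_agent="Fwknop/2.6.10"):
    """Frame the SPA payload the way the captured request does."""
    if not SPA_PATH_RE.fullmatch(spa_data):
        raise ValueError("SPA data must be URL-safe base64 without padding")
    if any(c in user_agent for c in "\r\n"):
        raise ValueError("User-Agent must not contain CR or LF")  # no header injection
    return "\r\n".join([
        f"GET /{spa_data} HTTP/1.0",
        f"User-Agent: {user_agent}",
        "Accept: */*",
        f"Host: {host}",
        "Connection: close",
        "", "",
    ])


def extract_spa_from_http(request, require_fwknop_ua):
    """Server side: pull the SPA payload out of the request line.

    require_fwknop_ua=True mimics the strict behaviour the reporter hit: a
    User-Agent that does not start with 'fwknop' makes the whole request
    'not an SPA message'.  With False only the request line is consulted,
    which is what lets the request look like ordinary browser traffic.
    Returns the payload as sent, or None if the request is not accepted."""
    head = request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.fullmatch(lines[0])
    if m is None:
        return None
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    if require_fwknop_ua and not headers.get("user-agent", "").lower().startswith("fwknop"):
        return None
    return m.group(1)


def restore_base64_alphabet(spa_path):
    """Undo the URL-safe substitution so the payload can go to a standard
    base64 decoder (the caller still has to re-add '=' padding)."""
    return spa_path.replace("-", "+").replace("_", "/")


def demo():
    """Run the reporter's scenario end to end and return what each side sees."""
    rc_line = f"HTTP_USER_AGENT {FIREFOX_UA}"
    _, ua = parse_rc_line(rc_line)
    req = build_spa_http_request(CAPTURED_SPA, "192.168.10.177", user_agent=ua)
    return {
        "truncated_ua": parse_rc_line_truncating(rc_line),
        "full_ua": ua,
        "strict_server": extract_spa_from_http(req, require_fwknop_ua=True),
        "relaxed_server": extract_spa_from_http(req, require_fwknop_ua=False),
        "captured": extract_spa_from_http(CAPTURED_REQUEST, require_fwknop_ua=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the strict check the Firefox request is dropped before the payload is even looked at, which is the "Data is not an SPA message" outcome; with the relaxed check the same request yields the payload, so the only thing that identifies it as SPA traffic is the opaque path.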

mrash commented 5 years ago

Thanks, I have reproduced this on Linux as well. Will provide a patch as soon as I can.

mrash commented 5 years ago

There is test suite support as well, just run:

```
./test-fwknop.pl --include "pcap-file any User-Agent"
```

fishcreek commented 5 years ago

Thank you for the fix. I tried to test it, but that was not easy for me, because I have no development tools on the server where the fwknopd runs. A simple copy of the build tree seems to make problems with the old libs installed by the BSD port. Every time I started the server it stopped running with an error message: "Warning: the fwknop anchor is not active in the pf policy". Perhaps I have to deinstall the old version and build a new package which replaces all files. Since I am not very familiar with creating ports in FreeBSD, that is so much work for me that I decided to wait for the next version and delay my test. In the meantime I use the UDP options of the program.

Testing the new client was easier, but it seems that the HTTP_USER_AGENT string is truncated after the first space like in the version before. Is that correct, or did I make a mistake (e.g. load a wrong lib) when testing it? At least the perl tests did not break with errors when I tried it.