Use the fwknop User-Agent for wget SSL external IP resolutions

Bug fix to ensure that a User-Agent string can be specified when the fwknop client uses wget via SSL to resolve the external IP address. This closes issue #134 on github reported by Barry Allard. The fwknop now uses the wget '-U' option to specify the User-Agent string with a default of "Fwknop/<version>". In addition, a new command line argument "--use-wget-user-agent" to allow the default wget User-Agent string to apply instead.
2014-09-27 23:23:12 -04:00 · 2014-09-27 23:23:12 -04:00 · 50434c5c4c
commit 50434c5c4c
parent aae72a9470
11 changed files with 107 additions and 5 deletions
--- a/2
+++ b/2
@ -187,6 +187,8 @@ Tim Heckman
 Barry Allard
    - Reported bug in PF support on FreeBSD systems where ALTQ is not available
      would cause new PF rules to not be added (github issue #121).
+    - Suggested the abiliy to specify the HTTP User-Agent when wget is used to
+      resolve the external IP via SSL (github issue #134).

 Bill Stubbs
    - Submitted a patch to fix a bug where fwknopd could not handle Ethernet
--- a/9
+++ b/9
@ -1,4 +1,11 @@
-fwknop-2.6.4 (09//2014):
+fwknop-2.6.4 (10//2014):
+    - Bug fix to ensure that a User-Agent string can be specified when the
+      fwknop client uses wget via SSL to resolve the external IP address. This
+      closes issue #134 on github reported by Barry Allard. The fwknop now
+      uses the wget '-U' option to specify the User-Agent string with a
+      default of "Fwknop/<version>". In addition, a new command line argument
+      "--use-wget-user-agent" to allow the default wget User-Agent string to
+      apply instead.
    - (Gerry Reno) Added support for firewalld to the fwknopd daemon on RHEL 7
      CentOS 7. This is implemented using the current firewalld '--direct
      --passthrough' capability which accepts raw iptables commands. More
--- a/client/cmd_opts.h
+++ b/client/cmd_opts.h
@ -50,6 +50,7 @@ enum {
    RESOLVE_HTTP_ONLY,
    RESOLVE_URL,
    USE_HMAC,
+    USE_WGET_USER_AGENT,
    SPA_ICMP_TYPE,
    SPA_ICMP_CODE,
    KEY_LEN,
@ -147,6 +148,7 @@ static struct option cmd_opts[] =
    {"time-offset-minus",   1, NULL, TIME_OFFSET_MINUS},
    {"user-agent",          1, NULL, 'u'},
    {"use-hmac",            0, NULL, USE_HMAC},
+    {"use-wget-user-agent", 0, NULL, USE_WGET_USER_AGENT},
    {"spoof-user",          1, NULL, 'U'},
    {"verbose",             0, NULL, 'v'},
    {"version",             0, NULL, 'V'},
--- a/client/config_init.c
+++ b/client/config_init.c
@ -113,6 +113,7 @@ enum
    FWKNOP_CLI_ARG_KEY_HMAC_BASE64,
    FWKNOP_CLI_ARG_KEY_HMAC,
    FWKNOP_CLI_ARG_USE_HMAC,
+    FWKNOP_CLI_ARG_USE_WGET_USER_AGENT,
    FWKNOP_CLI_ARG_KEY_FILE,
    FWKNOP_CLI_ARG_HMAC_KEY_FILE,
    FWKNOP_CLI_ARG_NAT_ACCESS,
@ -159,6 +160,7 @@ static fko_var_t fko_var_array[FWKNOP_CLI_LAST_ARG] =
    { "HMAC_KEY_BASE64",       FWKNOP_CLI_ARG_KEY_HMAC_BASE64       },
    { "HMAC_KEY",              FWKNOP_CLI_ARG_KEY_HMAC              },
    { "USE_HMAC",              FWKNOP_CLI_ARG_USE_HMAC              },
+    { "USE_WGET_USER_AGENT",   FWKNOP_CLI_ARG_USE_WGET_USER_AGENT   },
    { "KEY_FILE",              FWKNOP_CLI_ARG_KEY_FILE              },
    { "HMAC_KEY_FILE",         FWKNOP_CLI_ARG_HMAC_KEY_FILE         },
    { "NAT_ACCESS",            FWKNOP_CLI_ARG_NAT_ACCESS            },
@ -1144,6 +1146,12 @@ parse_rc_param(fko_cli_options_t *options, const char *var_name, char * val)
        if (is_yes_str(val))
            options->use_hmac = 1;
    }
+    /* --use-wget-user-agent */
+    else if (var->pos == FWKNOP_CLI_ARG_USE_WGET_USER_AGENT)
+    {
+        if (is_yes_str(val))
+            options->use_wget_user_agent = 1;
+    }
    /* Key file */
    else if (var->pos == FWKNOP_CLI_ARG_KEY_FILE)
    {
@ -1380,6 +1388,9 @@ add_single_var_to_rc(FILE* fhandle, short var_pos, fko_cli_options_t *options)
        case FWKNOP_CLI_ARG_USE_HMAC :
            bool_to_yesno(options->use_hmac, val, sizeof(val));
            break;
+        case FWKNOP_CLI_ARG_USE_WGET_USER_AGENT :
+            bool_to_yesno(options->use_wget_user_agent, val, sizeof(val));
+            break;
        case FWKNOP_CLI_ARG_NAT_ACCESS :
            strlcpy(val, options->nat_access_str, sizeof(val));
            break;
@ -2345,6 +2356,10 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
                add_var_to_bitmask(FWKNOP_CLI_ARG_USE_HMAC, &var_bitmask);
                options->use_hmac = 1;
                break;
+            case USE_WGET_USER_AGENT:
+                add_var_to_bitmask(FWKNOP_CLI_ARG_USE_WGET_USER_AGENT, &var_bitmask);
+                options->use_wget_user_agent = 1;
+                break;
            case FORCE_SAVE_RC_STANZA:
                options->force_save_rc_stanza = 1;
                break;
--- a/client/fwknop.8.in
+++ b/client/fwknop.8.in
@ -2,12 +2,12 @@
 .\"     Title: fwknop
 .\"    Author: [see the "AUTHORS" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 07/27/2014
+.\"      Date: 09/27/2014
 .\"    Manual: Fwknop Client
 .\"    Source: Fwknop Client
 .\"  Language: English
 .\"
-.TH "FWKNOP" "8" "07/27/2014" "Fwknop Client" "Fwknop Client"
+.TH "FWKNOP" "8" "09/27/2014" "Fwknop Client" "Fwknop Client"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@ -637,6 +637,22 @@ Set the HTTP User\-Agent for resolving the external IP via
 \fB\-R\fR, or for sending SPA packets over HTTP\&.
 .RE
 .PP
+\fB\-\-use\-wget\-user\-agent\fR
+.RS 4
+By default when the
+\fBfwknop\fR
+client resolves the external IP with
+\fBwget\fR
+via SSL, it sets the User\-Agent to \(lqFwknop/<version>\(rq unless it was already manually specified with the
+\fB\-\-user\-agent\fR
+option mentioned above\&. However, the
+\fB\-\-user\-wget\-user\-agent\fR
+option lets the default
+\fBwget\fR
+User\-Agent string apply without influence from
+\fBfwknop\fR\&.
+.RE
+.PP
 \fB\-U, \-\-spoof\-user\fR=\fI<user>\fR
 .RS 4
 Specify the username that is included within SPA packet\&. This allows the
@ -966,6 +982,15 @@ Load an encryption key/password from a file (\fI\-G, \-\-get\-key\fR)\&.
 Set the HTTP User\-Agent for resolving the external IP via \-R, or for sending SPA packets over HTTP (\fI\-u, \-\-user\-agent\fR)\&.
 .RE
 .PP
+\fBUSE_WGET_USER_AGENT\fR \fI<Y/N>\fR
+.RS 4
+Allow default
+\fBwget\fR
+User\-Agent string to be used when resolving the external IP instead of a User\-Agent supplied by the
+\fBfwknop\fR
+client\&.
+.RE
+.PP
 \fBNAT_ACCESS\fR \fI<internalIP:forwardPort>\fR
 .RS 4
 Gain NAT access to an internal service protected by the fwknop server (\fI\-N, \-\-nat\-access\fR)\&.
--- a/client/fwknop_common.h
+++ b/client/fwknop_common.h
@ -63,7 +63,7 @@
 #define HTTP_BACKUP_RESOLVE_HOST    "www.cipherdyne.com"
 #define HTTP_RESOLVE_URL            "/cgi-bin/myip"
 #define WGET_RESOLVE_URL_SSL        "https://" HTTP_RESOLVE_HOST HTTP_RESOLVE_URL
-#define WGET_RESOLVE_ARGS           " --secure-protocol=auto --quiet -O - "
+#define WGET_RESOLVE_ARGS           " --secure-protocol=auto --quiet"
 #define HTTP_MAX_REQUEST_LEN        2000
 #define HTTP_MAX_RESPONSE_LEN       2000
 #define HTTP_MAX_USER_AGENT_LEN     100
@ -131,6 +131,7 @@ typedef struct fko_cli_options
    int  resolve_http_only;
    char *resolve_url;
    char http_user_agent[HTTP_MAX_USER_AGENT_LEN];
+    unsigned char use_wget_user_agent;
    char *wget_bin;

    /* HTTP proxy support
--- a/client/http_resolve_host.c
+++ b/client/http_resolve_host.c
@ -331,6 +331,19 @@ resolve_ip_https(fko_cli_options_t *options)
    */
    strlcat(wget_ssl_cmd, WGET_RESOLVE_ARGS, sizeof(wget_ssl_cmd));

+    /* See whether we're supposed to change the default wget user agent
+    */
+    if(! options->use_wget_user_agent)
+    {
+        strlcat(wget_ssl_cmd, " -U '", sizeof(wget_ssl_cmd));
+        strlcat(wget_ssl_cmd, options->http_user_agent, sizeof(wget_ssl_cmd));
+        strlcat(wget_ssl_cmd, "'", sizeof(wget_ssl_cmd));
+    }
+
+    /* We collect the IP from wget's stdout
+    */
+    strlcat(wget_ssl_cmd, " -O - ", sizeof(wget_ssl_cmd));
+
    if(options->resolve_url != NULL)
    {
        if(strncasecmp(options->resolve_url, "https", 5) != 0)
--- a/doc/fwknop.man.asciidoc
+++ b/doc/fwknop.man.asciidoc
@ -515,6 +515,13 @@ SPA OPTIONS
    Set the HTTP User-Agent for resolving the external IP via *-R*, or for
    sending SPA packets over HTTP.

+*--use-wget-user-agent*::
+    By default when the *fwknop* client resolves the external IP with *wget*
+    via SSL, it sets the User-Agent to ``Fwknop/<version>'' unless it was
+    already manually specified with the *--user-agent* option mentioned above.
+    However, the *--user-wget-user-agent* option lets the default *wget*
+    User-Agent string apply without influence from *fwknop*.
+
 *-U, --spoof-user*='<user>'::
    Specify the username that is included within SPA packet. This allows
    the *fwknop* client to satisfy any non-root *REQUIRE_USERNAME* keyword
@ -752,6 +759,10 @@ description and its matching command-line option(s):
    Set the HTTP User-Agent for resolving the external IP via -R, or for
    sending SPA packets over HTTP ('-u, --user-agent').

+*USE_WGET_USER_AGENT* '<Y/N>'::
+    Allow default *wget* User-Agent string to be used when resolving the
+    external IP instead of a User-Agent supplied by the *fwknop* client.
+
 *NAT_ACCESS* '<internalIP:forwardPort>'::
    Gain NAT access to an internal service protected by the fwknop server
    ('-N, --nat-access').
--- a/test/conf/fwknoprc_hmac_https_resolve
+++ b/test/conf/fwknoprc_hmac_https_resolve
@ -18,4 +18,5 @@ USE_GPG_AGENT               N
 RESOLVE_IP_HTTPS            Y
 HTTP_USER_AGENT             FwknopTestSuite/2.6
 WGET_CMD                    wget
+USE_WGET_USER_AGENT         Y
 RESOLVE_URL                 https://www.cipherdyne.org/cgi-bin/myip
--- a/test/tests/basic_operations.pl
+++ b/test/tests/basic_operations.pl
@ -1426,6 +1426,19 @@
        'exec_err' => $NO,
        'rc_positive_output_matches' => [qr/RESOLVE_IP_HTTPS.*Y/],
    },
+    {
+        'category' => 'basic operations',
+        'subcategory' => 'client save rc file',
+        'detail'   => '-R wget user-agent',
+        'function' => \&client_rc_file,
+        'cmdline'  => "$client_save_rc_args -n default -R --use-wget-user-agent",
+        'save_rc_stanza' => [{'name' => 'default',
+                'vars' => {'KEY' => 'testtest', 'HMAC_KEY' => 'hmactest',
+                    'HMAC_DIGEST_TYPE' => 'SHA1'}}],
+        'exec_err' => $NO,
+        'rc_positive_output_matches' => [qr/USE_WGET_USER_AGENT.*Y/],
+    },
+
    {
        'category' => 'basic operations',
        'subcategory' => 'client save rc file',
--- a/test/tests/rijndael_hmac.pl
+++ b/test/tests/rijndael_hmac.pl
@ -693,7 +693,7 @@
    {
        'category' => 'Rijndael+HMAC',
        'subcategory' => 'client+server',
-        'detail'   => 'client IP resolve URL + user agent',
+        'detail'   => 'client IP resolve URL + user-agent',
        'function' => \&spa_cycle,
        'cmdline'  => "$client_ip_resolve_hmac_args --resolve-url $resolve_url_with_port -u FwknopTestSuite/2.6",
        'no_ip_check' => 1,
@ -702,6 +702,18 @@
        'fw_rule_removed' => $NEW_RULE_REMOVED,
        'key_file' => $cf{'rc_hmac_b64_key'},
    },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'client IP wget user-agent',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$client_ip_resolve_hmac_args --use-wget-user-agent",
+        'no_ip_check' => 1,
+        'fwknopd_cmdline' => "$fwknopdCmd $default_server_hmac_conf_args $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_b64_key'},
+    },
    {
        'category' => 'Rijndael+HMAC',
        'subcategory' => 'client+server',