Use the fwknop User-Agent for wget SSL external IP resolutions

Bug fix to ensure that a User-Agent string can be specified when the
fwknop client uses wget via SSL to resolve the external IP address. This
closes issue #134 on github reported by Barry Allard. The fwknop now
uses the wget '-U' option to specify the User-Agent string with a
default of "Fwknop/<version>". In addition, a new command line argument
"--use-wget-user-agent" to allow the default wget User-Agent string to
apply instead.

CREDITS

@@ -187,6 +187,8 @@ Tim Heckman
 Barry Allard
     - Reported bug in PF support on FreeBSD systems where ALTQ is not available
       would cause new PF rules to not be added (github issue #121).
+    - Suggested the abiliy to specify the HTTP User-Agent when wget is used to
+      resolve the external IP via SSL (github issue #134).
 
 Bill Stubbs
     - Submitted a patch to fix a bug where fwknopd could not handle Ethernet

ChangeLog

@@ -1,4 +1,11 @@
-fwknop-2.6.4 (09//2014):
+fwknop-2.6.4 (10//2014):
+    - Bug fix to ensure that a User-Agent string can be specified when the
+      fwknop client uses wget via SSL to resolve the external IP address. This
+      closes issue #134 on github reported by Barry Allard. The fwknop now
+      uses the wget '-U' option to specify the User-Agent string with a
+      default of "Fwknop/<version>". In addition, a new command line argument
+      "--use-wget-user-agent" to allow the default wget User-Agent string to
+      apply instead.
     - (Gerry Reno) Added support for firewalld to the fwknopd daemon on RHEL 7
       CentOS 7. This is implemented using the current firewalld '--direct
       --passthrough' capability which accepts raw iptables commands. More

client/cmd_opts.h

@@ -50,6 +50,7 @@ enum {
     RESOLVE_HTTP_ONLY,
     RESOLVE_URL,
     USE_HMAC,
+    USE_WGET_USER_AGENT,
     SPA_ICMP_TYPE,
     SPA_ICMP_CODE,
     KEY_LEN,
@@ -147,6 +148,7 @@ static struct option cmd_opts[] =
     {"time-offset-minus",   1, NULL, TIME_OFFSET_MINUS},
     {"user-agent",          1, NULL, 'u'},
     {"use-hmac",            0, NULL, USE_HMAC},
+    {"use-wget-user-agent", 0, NULL, USE_WGET_USER_AGENT},
     {"spoof-user",          1, NULL, 'U'},
     {"verbose",             0, NULL, 'v'},
     {"version",             0, NULL, 'V'},

client/config_init.c

@@ -113,6 +113,7 @@ enum
     FWKNOP_CLI_ARG_KEY_HMAC_BASE64,
     FWKNOP_CLI_ARG_KEY_HMAC,
     FWKNOP_CLI_ARG_USE_HMAC,
+    FWKNOP_CLI_ARG_USE_WGET_USER_AGENT,
     FWKNOP_CLI_ARG_KEY_FILE,
     FWKNOP_CLI_ARG_HMAC_KEY_FILE,
     FWKNOP_CLI_ARG_NAT_ACCESS,
@@ -159,6 +160,7 @@ static fko_var_t fko_var_array[FWKNOP_CLI_LAST_ARG] =
     { "HMAC_KEY_BASE64",       FWKNOP_CLI_ARG_KEY_HMAC_BASE64       },
     { "HMAC_KEY",              FWKNOP_CLI_ARG_KEY_HMAC              },
     { "USE_HMAC",              FWKNOP_CLI_ARG_USE_HMAC              },
+    { "USE_WGET_USER_AGENT",   FWKNOP_CLI_ARG_USE_WGET_USER_AGENT   },
     { "KEY_FILE",              FWKNOP_CLI_ARG_KEY_FILE              },
     { "HMAC_KEY_FILE",         FWKNOP_CLI_ARG_HMAC_KEY_FILE         },
     { "NAT_ACCESS",            FWKNOP_CLI_ARG_NAT_ACCESS            },
@@ -1144,6 +1146,12 @@ parse_rc_param(fko_cli_options_t *options, const char *var_name, char * val)
         if (is_yes_str(val))
             options->use_hmac = 1;
     }
+    /* --use-wget-user-agent */
+    else if (var->pos == FWKNOP_CLI_ARG_USE_WGET_USER_AGENT)
+    {
+        if (is_yes_str(val))
+            options->use_wget_user_agent = 1;
+    }
     /* Key file */
     else if (var->pos == FWKNOP_CLI_ARG_KEY_FILE)
     {
@@ -1380,6 +1388,9 @@ add_single_var_to_rc(FILE* fhandle, short var_pos, fko_cli_options_t *options)
         case FWKNOP_CLI_ARG_USE_HMAC :
             bool_to_yesno(options->use_hmac, val, sizeof(val));
             break;
+        case FWKNOP_CLI_ARG_USE_WGET_USER_AGENT :
+            bool_to_yesno(options->use_wget_user_agent, val, sizeof(val));
+            break;
         case FWKNOP_CLI_ARG_NAT_ACCESS :
             strlcpy(val, options->nat_access_str, sizeof(val));
             break;
@@ -2345,6 +2356,10 @@ config_init(fko_cli_options_t *options, int argc, char **argv)
                 add_var_to_bitmask(FWKNOP_CLI_ARG_USE_HMAC, &var_bitmask);
                 options->use_hmac = 1;
                 break;
+            case USE_WGET_USER_AGENT:
+                add_var_to_bitmask(FWKNOP_CLI_ARG_USE_WGET_USER_AGENT, &var_bitmask);
+                options->use_wget_user_agent = 1;
+                break;
             case FORCE_SAVE_RC_STANZA:
                 options->force_save_rc_stanza = 1;
                 break;

client/fwknop.8.in

@@ -2,12 +2,12 @@
 .\"     Title: fwknop
 .\"    Author: [see the "AUTHORS" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 07/27/2014
+.\"      Date: 09/27/2014
 .\"    Manual: Fwknop Client
 .\"    Source: Fwknop Client
 .\"  Language: English
 .\"
-.TH "FWKNOP" "8" "07/27/2014" "Fwknop Client" "Fwknop Client"
+.TH "FWKNOP" "8" "09/27/2014" "Fwknop Client" "Fwknop Client"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -637,6 +637,22 @@ Set the HTTP User\-Agent for resolving the external IP via
 \fB\-R\fR, or for sending SPA packets over HTTP\&.
 .RE
 .PP
+\fB\-\-use\-wget\-user\-agent\fR
+.RS 4
+By default when the
+\fBfwknop\fR
+client resolves the external IP with
+\fBwget\fR
+via SSL, it sets the User\-Agent to \(lqFwknop/<version>\(rq unless it was already manually specified with the
+\fB\-\-user\-agent\fR
+option mentioned above\&. However, the
+\fB\-\-user\-wget\-user\-agent\fR
+option lets the default
+\fBwget\fR
+User\-Agent string apply without influence from
+\fBfwknop\fR\&.
+.RE
+.PP
 \fB\-U, \-\-spoof\-user\fR=\fI<user>\fR
 .RS 4
 Specify the username that is included within SPA packet\&. This allows the
@@ -966,6 +982,15 @@ Load an encryption key/password from a file (\fI\-G, \-\-get\-key\fR)\&.
 Set the HTTP User\-Agent for resolving the external IP via \-R, or for sending SPA packets over HTTP (\fI\-u, \-\-user\-agent\fR)\&.
 .RE
 .PP
+\fBUSE_WGET_USER_AGENT\fR \fI<Y/N>\fR
+.RS 4
+Allow default
+\fBwget\fR
+User\-Agent string to be used when resolving the external IP instead of a User\-Agent supplied by the
+\fBfwknop\fR
+client\&.
+.RE
+.PP
 \fBNAT_ACCESS\fR \fI<internalIP:forwardPort>\fR
 .RS 4
 Gain NAT access to an internal service protected by the fwknop server (\fI\-N, \-\-nat\-access\fR)\&.

client/fwknop_common.h

@@ -63,7 +63,7 @@
 #define HTTP_BACKUP_RESOLVE_HOST    "www.cipherdyne.com"
 #define HTTP_RESOLVE_URL            "/cgi-bin/myip"
 #define WGET_RESOLVE_URL_SSL        "https://" HTTP_RESOLVE_HOST HTTP_RESOLVE_URL
-#define WGET_RESOLVE_ARGS           " --secure-protocol=auto --quiet -O - "
+#define WGET_RESOLVE_ARGS           " --secure-protocol=auto --quiet"
 #define HTTP_MAX_REQUEST_LEN        2000
 #define HTTP_MAX_RESPONSE_LEN       2000
 #define HTTP_MAX_USER_AGENT_LEN     100
@@ -131,6 +131,7 @@ typedef struct fko_cli_options
     int  resolve_http_only;
     char *resolve_url;
     char http_user_agent[HTTP_MAX_USER_AGENT_LEN];
+    unsigned char use_wget_user_agent;
     char *wget_bin;
 
     /* HTTP proxy support

client/http_resolve_host.c

@@ -331,6 +331,19 @@ resolve_ip_https(fko_cli_options_t *options)
     */
     strlcat(wget_ssl_cmd, WGET_RESOLVE_ARGS, sizeof(wget_ssl_cmd));
 
+    /* See whether we're supposed to change the default wget user agent
+    */
+    if(! options->use_wget_user_agent)
+    {
+        strlcat(wget_ssl_cmd, " -U '", sizeof(wget_ssl_cmd));
+        strlcat(wget_ssl_cmd, options->http_user_agent, sizeof(wget_ssl_cmd));
+        strlcat(wget_ssl_cmd, "'", sizeof(wget_ssl_cmd));
+    }
+
+    /* We collect the IP from wget's stdout
+    */
+    strlcat(wget_ssl_cmd, " -O - ", sizeof(wget_ssl_cmd));
+
     if(options->resolve_url != NULL)
     {
         if(strncasecmp(options->resolve_url, "https", 5) != 0)

doc/fwknop.man.asciidoc

@@ -515,6 +515,13 @@ SPA OPTIONS
     Set the HTTP User-Agent for resolving the external IP via *-R*, or for
     sending SPA packets over HTTP.
 
+*--use-wget-user-agent*::
+    By default when the *fwknop* client resolves the external IP with *wget*
+    via SSL, it sets the User-Agent to ``Fwknop/<version>'' unless it was
+    already manually specified with the *--user-agent* option mentioned above.
+    However, the *--user-wget-user-agent* option lets the default *wget*
+    User-Agent string apply without influence from *fwknop*.
+
 *-U, --spoof-user*='<user>'::
     Specify the username that is included within SPA packet. This allows
     the *fwknop* client to satisfy any non-root *REQUIRE_USERNAME* keyword
@@ -752,6 +759,10 @@ description and its matching command-line option(s):
     Set the HTTP User-Agent for resolving the external IP via -R, or for
     sending SPA packets over HTTP ('-u, --user-agent').
 
+*USE_WGET_USER_AGENT* '<Y/N>'::
+    Allow default *wget* User-Agent string to be used when resolving the
+    external IP instead of a User-Agent supplied by the *fwknop* client.
+
 *NAT_ACCESS* '<internalIP:forwardPort>'::
     Gain NAT access to an internal service protected by the fwknop server
     ('-N, --nat-access').

test/conf/fwknoprc_hmac_https_resolve

@@ -18,4 +18,5 @@ USE_GPG_AGENT               N
 RESOLVE_IP_HTTPS            Y
 HTTP_USER_AGENT             FwknopTestSuite/2.6
 WGET_CMD                    wget
+USE_WGET_USER_AGENT         Y
 RESOLVE_URL                 https://www.cipherdyne.org/cgi-bin/myip

test/tests/basic_operations.pl

@@ -1426,6 +1426,19 @@
         'exec_err' => $NO,
         'rc_positive_output_matches' => [qr/RESOLVE_IP_HTTPS.*Y/],
     },
+    {
+        'category' => 'basic operations',
+        'subcategory' => 'client save rc file',
+        'detail'   => '-R wget user-agent',
+        'function' => \&client_rc_file,
+        'cmdline'  => "$client_save_rc_args -n default -R --use-wget-user-agent",
+        'save_rc_stanza' => [{'name' => 'default',
+                'vars' => {'KEY' => 'testtest', 'HMAC_KEY' => 'hmactest',
+                    'HMAC_DIGEST_TYPE' => 'SHA1'}}],
+        'exec_err' => $NO,
+        'rc_positive_output_matches' => [qr/USE_WGET_USER_AGENT.*Y/],
+    },
+
     {
         'category' => 'basic operations',
         'subcategory' => 'client save rc file',

test/tests/rijndael_hmac.pl

@@ -693,7 +693,7 @@
     {
         'category' => 'Rijndael+HMAC',
         'subcategory' => 'client+server',
-        'detail'   => 'client IP resolve URL + user agent',
+        'detail'   => 'client IP resolve URL + user-agent',
         'function' => \&spa_cycle,
         'cmdline'  => "$client_ip_resolve_hmac_args --resolve-url $resolve_url_with_port -u FwknopTestSuite/2.6",
         'no_ip_check' => 1,
@@ -702,6 +702,18 @@
         'fw_rule_removed' => $NEW_RULE_REMOVED,
         'key_file' => $cf{'rc_hmac_b64_key'},
     },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => 'client IP wget user-agent',
+        'function' => \&spa_cycle,
+        'cmdline'  => "$client_ip_resolve_hmac_args --use-wget-user-agent",
+        'no_ip_check' => 1,
+        'fwknopd_cmdline' => "$fwknopdCmd $default_server_hmac_conf_args $intf_str",
+        'fw_rule_created' => $NEW_RULE_REQUIRED,
+        'fw_rule_removed' => $NEW_RULE_REMOVED,
+        'key_file' => $cf{'rc_hmac_b64_key'},
+    },
     {
         'category' => 'Rijndael+HMAC',
         'subcategory' => 'client+server',