DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity

add ALLOW_ANY_USER_AGENT to ignore incoming User-Agent strings in SPA packets over HTTP, closes #296

Browse Source
This commit is contained in:
Michael Rash 2019-03-11 21:56:21 -07:00
parent 2857a9cb1b
commit fb69921fdd
11 changed files with 61 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ChangeLog
View File

@ -1,3 +1,13 @@
fwknop-2.6.11 (04//2019):
- [server] Add ALLOW_ANY_USER_AGENT for ENABLE_SPA_OVER_HTTP mode so that
fwknopd will accept any User-Agent string coming from the client. By
default this is disabled, so only SPA packets with a User-Agent string
that begins with 'Fwknop' will be accepted. Just set this variable to
'Y' to override this. Then, on the fwknop client command line, use the
--user-agent option to specify any desired User-Agent string. This
feature was added to close issue #296 reported by github user
@fishcreek.
fwknop-2.6.10 (08/06/2018):
- [server] Add MAX_FW_TIMEOUT to access.conf stanzas to allow a maximum
number of seconds for client-specified timeouts in SPA packets. This

2
Makefile.am
View File

@ -352,8 +352,10 @@ EXTRA_DIST = \
test/conf/udp_server_fwknopd.conf \
test/conf/spa_over_http_fwknopd.conf \
test/conf/spa_over_http.pcap \
test/conf/spa_allow_any_user_agent.pcap \
test/conf/spa_x_forwarded_for.pcap \
test/conf/spa_x_forwarded_for_fwknopd.conf \
test/conf/spa_allow_any_user_agent_fwknopd.conf \
test/conf/ipt_snat_fwknopd.conf \
test/conf/firewd_snat_fwknopd.conf \
test/conf/ipt_snat_no_translate_ip_fwknopd.conf \

13
doc/fwknopd.man.asciidoc
View File

@ -390,6 +390,13 @@ the '@sysconfdir@/fwknop/fwknopd.conf' file for additional details.
over TCP/80 connections and a web server should be running on the same
server as *fwknopd*.
*ALLOW_ANY_USER_AGENT* '<Y/N>'::
When *fwknopd* is configured to acquire SPA data from HTTP requests (i.e.
when ``ENABLE_SPA_OVER_HTTP'' is set to ``Y''), control whether to require
the User-Agent from the client to start with the string 'Fwknop'. The
default is ``N'' to require this, but if set to ``Y'', then *fwknopd* will
allow any User-Agent string to be set on incoming SPA packets.
*ENABLE_X_FORWARDED_FOR* '<Y/N>'::
Allows *fwknopd* to use the X-Forwarded-for header from a captured SPA
packet over HTTP as the source IP. This can happen when using SPA through
@ -398,7 +405,7 @@ the '@sysconfdir@/fwknop/fwknopd.conf' file for additional details.
*ENABLE_TCP_SERVER* '<Y/N>'::
Enable the fwknopd TCP server. This is a "dummy" TCP server that will
accept TCP connection requests on the specified TCPSERV_PORT.
If set to "Y", fwknopd will fork off a child process to listen for, and
If set to ``Y'', fwknopd will fork off a child process to listen for, and
accept incoming TCP request. This server only accepts the
request. It does not otherwise communicate. This is only to allow the
incoming SPA over TCP packet which is detected via PCAP. The connection
@ -443,8 +450,8 @@ the '@sysconfdir@/fwknop/fwknopd.conf' file for additional details.
sniffing interface. In the later case, this can be useful to have fwknopd
sniff SPA packets that are forwarded through a system and destined for a
different network. If the sniffing interface is the egress interface for
such packets, then this variable will need to be set to "Y" in order for
fwknopd to see them. The default is "N" so that fwknopd only looks for SPA
such packets, then this variable will need to be set to ``Y'' in order for
fwknopd to see them. The default is ``N'' so that fwknopd only looks for SPA
packets that are received on the sniffing interface (note that this is
independent of promiscuous mode).

1
server/cmd_opts.h
View File

@ -56,6 +56,7 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
"CMD_EXEC_TIMEOUT",
//"BLACKLIST",
"ENABLE_SPA_OVER_HTTP",
"ALLOW_ANY_USER_AGENT",
"ENABLE_TCP_SERVER",
"TCPSERV_PORT",
"ENABLE_UDP_SERVER",

10
server/config_init.c
View File

@ -911,6 +911,16 @@ validate_options(fko_srv_options_t *opts)
set_config_entry(opts, CONF_ENABLE_SPA_OVER_HTTP,
DEF_ENABLE_SPA_OVER_HTTP);
/* When CONF_ENABLE_SPA_OVER_HTTP is enabled, control whether to require the
* User-Agent string to begin with 'Fwknop'. The default is 'N', but setting
* this to 'Y' in the fwknopd.conf file allows any User-Agent to be used.
* Then, from the client, a custom User-Agent can be set with the
* '--user-agent' command line option.
*/
if(opts->config[CONF_ALLOW_ANY_USER_AGENT] == NULL)
set_config_entry(opts, CONF_ALLOW_ANY_USER_AGENT,
DEF_ALLOW_ANY_USER_AGENT);
/* Enable TCP server.
*/
if(opts->config[CONF_ENABLE_TCP_SERVER] == NULL)

2
server/fwknopd_common.h
View File

@ -108,6 +108,7 @@
#define DEF_SUDO_EXE "/usr/bin/sudo"
#endif
#define DEF_ENABLE_SPA_OVER_HTTP "N"
#define DEF_ALLOW_ANY_USER_AGENT "N"
#define DEF_ENABLE_TCP_SERVER "N"
#define DEF_TCPSERV_PORT "62201"
#if USE_LIBPCAP
@ -257,6 +258,7 @@ enum {
CONF_CMD_EXEC_TIMEOUT,
//CONF_BLACKLIST,
CONF_ENABLE_SPA_OVER_HTTP,
CONF_ALLOW_ANY_USER_AGENT,
CONF_ENABLE_TCP_SERVER,
CONF_TCPSERV_PORT,
CONF_ENABLE_UDP_SERVER,

11
server/incoming_spa.c
View File

@ -96,14 +96,21 @@ preprocess_spa_data(const fko_srv_options_t *opts, spa_pkt_info_t *spa_pkt, spa_
* assume it is a SPA over HTTP request.
*/
if(strncasecmp(opts->config[CONF_ENABLE_SPA_OVER_HTTP], "Y", 1) == 0
&& strncasecmp(ndx, "GET /", 5) == 0
&& strstr(ndx, "User-Agent: Fwknop") != NULL)
&& strncasecmp(ndx, "GET /", 5) == 0)
{
/* This looks like an HTTP request, so let's see if we are
* configured to accept such request and if so, find the SPA
* data.
*/
/* First see if we require the User-Agent to start with 'Fwknop'
*/
if(strncasecmp(opts->config[CONF_ALLOW_ANY_USER_AGENT], "N", 1) == 0
&& strstr(ndx, "User-Agent: Fwknop") == NULL)
{
return(SPA_MSG_BAD_DATA);
}
/* Process X-Forwarded-For header */
xff = strcasestr(ndx, "X-Forwarded-For: ");

BIN
test/conf/spa_allow_any_user_agent.pcap Normal file
View File

Binary file not shown.

2
test/conf/spa_allow_any_user_agent_fwknopd.conf Normal file
View File

@ -0,0 +1,2 @@
ENABLE_SPA_OVER_HTTP Y;
ALLOW_ANY_USER_AGENT Y;

2
test/test-fwknop.pl
View File

@ -45,6 +45,7 @@ our $multi_pkts_pcap_file = "$conf_dir/multi_pkts.pcap";
our $fcs_pcap_file = "$conf_dir/fcs_spa.pcap";
our $spa_over_http_pcap_file = "$conf_dir/spa_over_http.pcap";
our $spa_x_forwarded_for_pcap_file = "$conf_dir/spa_x_forwarded_for.pcap";
our $spa_allow_any_user_agent_pcap_file = "$conf_dir/spa_allow_any_user_agent.pcap";
our $lib_dir = '../lib/.libs';
@ -637,6 +638,7 @@ our %cf = (
'udp_server' => "$conf_dir/udp_server_fwknopd.conf",
'spa_over_http' => "$conf_dir/spa_over_http_fwknopd.conf",
'spa_x_forwarded_for' => "$conf_dir/spa_x_forwarded_for_fwknopd.conf",
'spa_allow_any_user_agent' => "$conf_dir/spa_allow_any_user_agent_fwknopd.conf",
'tcp_pcap_filter' => "$conf_dir/tcp_pcap_filter_fwknopd.conf",
'icmp_pcap_filter' => "$conf_dir/icmp_pcap_filter_fwknopd.conf",
'open_ports_access' => "$conf_dir/open_ports_access.conf",

13
test/tests/rijndael_hmac.pl
View File

@ -611,6 +611,19 @@
"--verbose --verbose --verbose",
'server_positive_output_matches' => [qr/Added access rule.*\sfor 1.2.3.4/],
},
{
'category' => 'Rijndael+HMAC',
'subcategory' => 'server',
'detail' => '--pcap-file any User-Agent',
'function' => \&process_pcap_file_directly,
'cmdline' => '',
'fwknopd_cmdline' => "$fwknopdCmd -c $cf{'spa_allow_any_user_agent'} -a $cf{'hmac_access'} " .
"-d $default_digest_file -p $default_pid_file " .
"--pcap-file $spa_allow_any_user_agent_pcap_file --foreground $verbose_str " .
"--pcap-filter 'port 80' " .
"--verbose --verbose --verbose",
'server_positive_output_matches' => [qr/Added access rule.*\sfor 1.2.3.4/],
},
{
'category' => 'Rijndael+HMAC',