Re: [Openvpn-devel] [PATCH] bash->bourne script cleanup

2010-04-19 Thread Davide Brini
On Monday 19 April 2010, David Sommerseth wrote:

> I've done a quick test on one of my connections on Fedora 12 without any
> resolvconf package (meaning it invokes the simple cp approach), and it
> worked like a charm.
> 
> Applied to bugfix2.1 and merged into allmerged.
> Commit a9c9a89e96dc1e4e843e05ecadc4349b81606b06

Sorry, I just realized that I didn't change the sha-bang line in client.down. 
Apologies. Fix attached.

-- 
D.
--- openvpn-2.1.1/contrib/pull-resolv-conf/client.down  2010-03-11 21:32:09.0 +
+++ openvpn-2.1.1-a/contrib/pull-resolv-conf/client.down2010-04-19 22:33:53.0 +0100
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh

 # Copyright (c) 2005-2009 OpenVPN Technologies, Inc.
 # Licensed under the GPL version 2
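Review bot: the hunk changes only the interpreter line, which is right only if nothing else in client.down still depends on bash; the client.up rewrite earlier in this thread replaced the `${!fopt}` indirection and the `opt[]`/`dns[]` arrays, and client.down should be checked for the same constructs (one dry run under dash catches leftovers) before the sha-bang is switched.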


Re: [Openvpn-devel] [PATCH] bash->bourne script cleanup

2010-04-19 Thread David Sommerseth

On 11/03/10 22:41, Davide Brini wrote:
> On Wednesday 10 March 2010, David Sommerseth wrote:
> 
>>> Well, I was actually going to write a patch, but shortly after starting I
>>> found out that it would end up being essentially the same as Gentoo's
>>> scripts. Would it be worth separately maintaining something that has
>>> already been written somewhere else?
>>
>> I would say that if there are things which are distro related, they
>> should either be found only in that distribution or we can consider (if
>> it is considered important by more people) to put distro specific stuff
>> into a separate folder in the OpenVPN source tree.
>>
>> If it is possible to get some up/down scripts which are generic for the
>> vast majority of POSIX sh based distributions, that would be the
>> preferred approach.  If not, then we are back to where we started :)
> 
> Ok, here it goes (it's against 2.1.1). As said, it's basically a complete 
> rewrite that draws many ideas from the Gentoo scripts. These are the main 
> differences from the "old" client.{up,down} scripts:
> 
> - No more bashisms (AFAICT). Should work with any POSIX-compatible shell 
> (which means "almost all reasonably recent shells"), though I've only tested 
> with bash and dash.
> 
> - Unnecessary calls to external tools (sed) removed 
> 
> - Manages multiple DNS and DOMAIN options. Each DNS option becomes a 
> "nameserver" line in the new resolv.conf (up to a maximum of 3). If there's a 
> single DOMAIN option, it becomes a "domain" line in resolv.conf; otherwise, 
> all the domains are listed in a "search" line in resolv.conf (eg "search 
> foo.com example.net").
> 
> - Client.up renames the existing resolv.conf and creates a brand new one; 
> client.down restores it from the saved copy when the VPN terminates (the 
> usual rules about running as root apply). This is how Gentoo does that; the old 
> scripts instead added/removed some lines at the beginning of the file, which 
> looks like a less clean approach to me. The rename approach also dramatically 
> simplifies and shortens client.down, as you'll see.
> 
> - Uses resolvconf if it's available (detected by the presence of 
> /sbin/resolvconf) rather than writing to resolv.conf directly. Not sure 
> whether this is a Linux-only thing or other systems use it though.
> 
> A doubt I have is: should the script output its errors as it does now? If 
> yes, is it possible to somehow send them to the main OpenVPN log so they appear 
> among the other normal messages?
> 
> Let me know what you think.

ACK!

I've done a quick test on one of my connections on Fedora 12 without any
resolvconf package (meaning it invokes the simple cp approach), and it
worked like a charm.

Applied to bugfix2.1 and merged into allmerged.
Commit a9c9a89e96dc1e4e843e05ecadc4349b81606b06


kind regards,

David Sommerseth
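The DNS/DOMAIN-to-resolv.conf mapping Davide describes in the quoted mail above, reworked as an added POSIX sh example that is not the thread's patch: it reads the same `foreign_option_N` variables with the `eval` idiom that stands in for bash's `${!fopt}`, but prints the generated file to stdout instead of touching /etc/resolv.conf, and adds a dotted-quad check on nameserver values that the patch does not have.

```shell
# Added example, not the patch's code: prints the generated resolv.conf to
# stdout so it runs without root; the IPv4 check is an addition of this example.
is_ipv4() {                       # plain dotted quad only: no names, no empty octets
  case $1 in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}
build_resolv_conf() {
  nl='
'
  dns= domains= ndoms=0 nns=0 i=1
  while :; do
    # POSIX stand-in for bash's ${!fopt}: the name eval parses is built only
    # from a loop-controlled integer; the pushed value is expanded, not re-parsed
    eval fopt=\$foreign_option_$i
    [ -n "$fopt" ] || break
    i=$((i + 1))
    case $fopt in
      dhcp-option\ DOMAIN\ *)
        ndoms=$((ndoms + 1))
        domains="${domains} ${fopt#dhcp-option DOMAIN }"
        ;;
      dhcp-option\ DNS\ *)
        ns=${fopt#dhcp-option DNS }
        if ! is_ipv4 "$ns"; then
          printf 'Malformed nameserver "%s" - ignored\n' "$ns" >&2
        elif [ $nns -ge 3 ]; then
          printf 'Too many nameservers - ignoring %s\n' "$ns" >&2
        else
          nns=$((nns + 1))
          dns="${dns}${dns:+$nl}nameserver ${ns}"
        fi
        ;;
      *) printf 'Unknown option "%s" - ignored\n' "$fopt" >&2 ;;
    esac
  done
  ds=domain                       # one DOMAIN -> "domain", several -> "search"
  [ $ndoms -gt 1 ] && ds=search
  [ -n "$dns" ] && printf '%s\n' "$dns"
  [ $ndoms -gt 0 ] && printf '%s%s\n' "$ds" "$domains"
  return 0
}
```

Set `foreign_option_1=...` and so on in the environment and call `build_resolv_conf`; malformed and surplus nameservers are reported on stderr and left out of the output.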



Re: [Openvpn-devel] [PATCH] Mention mssfix default value in the man page

2010-04-19 Thread David Sommerseth

On 19/04/10 11:19, Davide Brini wrote:
> On Sunday 18 Apr 2010 23:27:31 David Sommerseth wrote:
> 
>> Added as commit 38025abb47f74363c3ee87ca7265e99a4055459e to bugfix2.1
>> and merged into allmerged.
> 
> Thanks. Though I understand it's not critical, in case you didn't notice, 
> there's also another pending patch I submitted more than one month ago now, 
> about the removal of bashisms in the user-contributed scripts client.up and 
> client.down (plus adding other functionalities):
> 
> http://article.gmane.org/gmane.network.openvpn.devel/3343
> 
> I'm reattaching it here, but see the original message for some 
> discussion/explanation.

Aikes!  I'm sorry for having failed to catch this one!  I'm going to
test it out on one of my Fedora boxes within a couple of days.  If it
plays nicely, I'll give it an ACK and will include it!

Anyway, it's now in my "queue box" :)


David S.



Re: [Openvpn-devel] [PATCH] Mention mssfix default value in the man page

2010-04-19 Thread Davide Brini
On Sunday 18 Apr 2010 23:27:31 David Sommerseth wrote:

> Added as commit 38025abb47f74363c3ee87ca7265e99a4055459e to bugfix2.1
> and merged into allmerged.

Thanks. Though I understand it's not critical, in case you didn't notice, 
there's also another pending patch I submitted more than one month ago now, 
about the removal of bashisms in the user-contributed scripts client.up and 
client.down (plus adding other functionalities):

http://article.gmane.org/gmane.network.openvpn.devel/3343

I'm reattaching it here, but see the original message for some 
discussion/explanation.

-- 
D.
diff -burp openvpn-2.1.1/contrib/pull-resolv-conf/client.up openvpn-2.1.1-a/contrib/pull-resolv-conf/client.up
--- openvpn-2.1.1/contrib/pull-resolv-conf/client.up	2009-10-01 19:02:17.0 +0100
+++ openvpn-2.1.1-a/contrib/pull-resolv-conf/client.up	2010-03-11 21:32:03.0 +
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh

 # Copyright (c) 2005-2009 OpenVPN Technologies, Inc.
 # Licensed under the GPL version 2
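Review bot: with `#!/bin/sh` this script is run by dash on Debian-derived systems, so every construct below has to be POSIX; that holds here only because the `@@ -38,38 +37,64 @@` hunk of this file removes the `opt[]`/`dns[]` arrays, `${!fopt}` and `let`, so the two hunks must land together rather than be split.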
@@ -14,7 +14,6 @@
 # Place this in /etc/openvpn/client.up
 # Then, add the following to your /etc/openvpn/.conf:
 #   client
-#   pull dhcp-options
 #   up /etc/openvpn/client.up
 # Next, "chmod a+x /etc/openvpn/client.up"

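Review bot: dropping `pull dhcp-options` from the sample config is right, since `client` already implies `pull` and `pull` takes no argument; while the header is being edited, one line saying that `foreign_option_N` is filled from the server's `push "dhcp-option DNS ..."` / `push "dhcp-option DOMAIN ..."` directives would tell users where the script's input comes from.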
@@ -22,8 +21,8 @@
 # Note that this script is best served with the companion "client.down"
 # script.

-# Only tested on Gentoo Linux 2005.0 with OpenVPN 2.0
-# It should work with any GNU/Linux with /etc/resolv.conf
+# Tested under Debian lenny with OpenVPN 2.1_rc11
+# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf

 # This runs with the context of the OpenVPN UID/GID 
 # at the time of execution. This generally means that
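Review bot: the new line `It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf` reads as three alternatives; `a POSIX sh and either /etc/resolv.conf or resolvconf` states the real requirement (the shell plus one of the two mechanisms).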
@@ -38,38 +37,64 @@
 # init variables

 i=1
-j=1
-unset fopt
-unset dns
-unset opt
-
-# Convert ENVs to an array
-
-while fopt=foreign_option_$i; [ -n "${!fopt}" ]; do
-{
-	opt[i-1]=${!fopt}
-	case ${opt[i-1]} in
-		*DOMAIN* ) domain=`echo ${opt[i-1]} | \
-sed -e 's/dhcp-option DOMAIN //g'` ;;
-		*DNS*) dns[j-1]=`echo ${opt[i-1]} | \
-sed -e 's/dhcp-option DNS //g'`
-			   let j++ ;;
+domains=
+fopt=
+ndoms=0
+nns=0
+nl='
+'
+
+# $foreign_option_ is something like 
+# "dhcp-option DOMAIN example.com" (multiple allowed)
+# or
+# "dhcp-option DNS 10.10.10.10" (multiple allowed)
+
+# each DNS option becomes a "nameserver" option in resolv.con
+# if we get one DOMAIN, that becomes "domain" in resolv.conf
+# if we get multiple DOMAINS, those become "search" lines in resolv.conf
+
+while true; do
+  eval fopt=\$foreign_option_${i}
+  [ -z "${fopt}" ] && break
+  
+  case ${fopt} in
+		dhcp-option\ DOMAIN\ *)
+   ndoms=$((ndoms + 1))
+   domains="${domains} ${fopt#dhcp-option DOMAIN }"
+   ;;
+		dhcp-option\ DNS\ *)
+   nns=$((nns + 1))
+   if [ $nns -le 3 ]; then
+ dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }"
+   else
+ printf "%s\n" "Too many nameservers - ignoring after third" >&2
+   fi
+   ;;
+*)
+   printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2
+   ;; 
 	esac
-	let i++
-}
+  i=$((i + 1))
 done

-# Now, do the work
-
-if [ -n "${dns[*]}" ]; then
-	for i in "${dns[@]}"; do
-		sed -i -e "1,1 i nameserver ${i}" /etc/resolv.conf || die
-	done
+ds=domain
+if [ $ndoms -gt 1 ]; then
+  ds=search
 fi

-if [ -n "${domain}" ]; then
-	sed -i -e "$j,1 i search ${domain}" /etc/resolv.conf || die
+# This is the complete file - "$domains" has a leading space already
+out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}"
+
+# use resolvconf if it's available
+if [ -x /sbin/resolvconf ] ; then
+  printf "%s\n" "${out}" | /sbin/resolvconf -a "${1}"
+else
+  # Preserve the existing resolv.conf
+  if [ -e /etc/resolv.conf ] ; then
+cp /etc/resolv.conf /etc/resolv.conf.ovpnsave
+  fi
+  printf "%s\n" "${out}" > /etc/resolv.conf
+  chmod 644 /etc/resolv.conf
 fi

-# all done...
 exit 0
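Review bot: `dns` is never initialised although `domains=` and `fopt=` are, so a `dns` variable inherited from the environment OpenVPN was started in is emitted verbatim at the top of the generated file through `${dns}${nl}` in `out=...`; add `dns=` to the init block. Also in this hunk: the comment reads `resolv.con` (typo); `dhcp-option\ DNS\ *)` accepts any text after the keyword and writes it unchanged as a `nameserver` line, so checking that the value is a dotted-quad address before appending it is a cheap guard against a misconfigured or hostile server; and in the non-resolvconf branch `cp` followed by `>` writes through /etc/resolv.conf when it is a symlink, which the rename-based restore in client.down described in the cover mail would then replace with a regular file.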
diff -burp openvpn-2.1.1/contrib/pull-resolv-conf/client.down openvpn-2.1.1-a/contrib/pull-resolv-conf/client.down
--- openvpn-2.1.1/contrib/pull-resolv-conf/client.down	2009-10-01 19:02:17.0 +0100
+++ openvpn-2.1.1-a/contrib/pull-resolv-conf/client.down	2010-03-11 21:32:09.0 +
@@ -14,7 +14,6 @@
 # Place this in /etc/openvpn/client.down
 # Then, add the following to your /etc/openvpn/.conf:
 #   client
-#   pull dhcp-options
 #   up /etc/openvpn/client.up
 #   down /etc/openvpn/client.down
 # Next, "chmod a+x /etc/openvpn/client.down"
@@ -23,8 +22,8 @@
 # Note that this script is best served with the companion "client.up"
 # script.

-# Only tested on Gentoo Linux 2005.0 with OpenVPN 2.0
-# It should work with any GNU/Linux with /etc/resolv.conf
+# Tested under Debian lenny with OpenVPN 2.1_rc11
+# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf

 # This runs with the context of the OpenVPN UID/GID 
 # at the time of execution. This generally means that
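Review bot: this file's diff has no hunk for line 1, so client.down keeps `#!/bin/bash` while its new header claims a POSIX sh; the interpreter line needs the same change as client.up (the follow-up at the top of this thread supplies exactly that).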
@@ 

Re: [Openvpn-devel] man page patch

2010-04-19 Thread Jan Just Keijser

Hi,

David Sommerseth wrote:


On 16/04/10 19:48, Jan Just Keijser wrote:
  

man page patch to fix (based on the git page).

- explicit-exit-notify text is misleading: parameter [n] is the number of 
attempts, not the number of retries


- I would make a statement that a section starting with 'so I would make 
a statement' does not belong in a man page



--- new-openvpn.82010-04-16 19:16:08.427860657 +0200
+++ jjk-openvpn.82010-04-16 19:46:01.374609848 +0200
@@ -3308,8 +3308,8 @@
 option will tell the server to immediately close its client instance object
 rather than waiting for a timeout.  The
 .B n
-parameter (default=1) controls the maximum number of retries that the 
client

-will attempt to resend the exit notification message.
+parameter (default=1) controls the maximum number of attempts that the 
client

+will make to send the exit notification message.
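Review bot: as it appears here the hunk is line-wrapped (`the` / `client` and the `-will`/`+will` lines split onto separate lines with blank lines between), so patch(1) will not apply it; send it as an attachment or with flowed formatting off. The wording itself is fine: with `default=1` meaning a single transmission, `number of attempts` is the accurate term.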



ACK

  

 .\"*
 .SS Data Channel Encryption Options:
 These options are meaningful for both Static & TLS-negotiated key modes
@@ -3591,7 +3591,7 @@
 OpenVPN adds to the IPSec model by limiting the window size in time as 
well as

 sequence space.
 
-OpenVPN also adds TCP transport as an option (not offered by IPSec) in 
which
+OpenVPN also adds TCP transport as an option (not offered by plain 
IPSec) in which
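Review bot: `plain IPSec` is too vague for a man page; since the TCP encapsulation in question is a vendor feature (Cisco's IPSec-over-TCP, per the discussion in this thread) rather than part of the IPSec standards, say so, e.g. `not offered by standard IPSec, though some vendor implementations encapsulate it in TCP`.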



Do some IPSec implementations support TCP transport?  I thought that
IPSec was OSI layer 3 (network) traffic, while TCP starts on OSI layer 4
(transport).

  
At least Cisco supports IPSec-over-TCP, similarly to IPSec-over-UDP (aka 
NAT traversal).



 case OpenVPN can adopt a very strict attitude towards message deletion and
 reordering:  Don't allow it.  Since TCP guarantees reliability, any packet
 loss or reordering event can be assumed to be an attack.
@@ -3601,11 +3601,6 @@
 message deletion or reordering attack which falls within the normal
 operational parameters of IP networks.
 
-So I would make the statement that one should never tunnel a non-IP 
protocol
-or UDP application protocol over UDP, if the protocol might be 
vulnerable to a
-message deletion or reordering attack that falls within the normal 
operating
-parameters of what is to be expected from the physical IP layer.  The 
problem

-is easily fixed by simply using TCP as the VPN transport layer.
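Review bot: deleting the whole paragraph leaves the preceding text (`...which falls within the normal operational parameters of IP networks.`) without the practical recommendation it was building up to; rather than only removing it, replace it with one neutral sentence that states the trade-off between UDP and TCP transport, which is also the direction the reply below asks for.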




Even though I do agree with you that a "personal message" should not be
in a man page, I also do see the importance of the message given here.
But it can be understood as controversial for some, as it is formulated
in a biased way.  If the message given is false, it should be removed as
well.  But I'd rather see this whole paragraph being rephrased, reworked
and become a bit more unbiased towards the TCP/UDP discussion.

Now it can be understood that TCP is the best security solution - but
that's when you only read this little paragraph.  Changing from TCP to
UDP also has its fair share of advantages and disadvantages as well,
which should be covered somehow in the man page.


  
to me the last paragraph seems like a rehash of the previous one, with 
wording like "I would make a statement bla bla" . I don't know who wrote 
the original paragraph but at the very least the wording should be 
changed such that

- it is no longer a personal message
- it adds value to the paragraph above.
I tried rewriting the Personal Message paragraph myself but ended up 
with something almost identical to the paragraph right above it.




Could we please split these three changes into three different patches,
as they cover three different parts of the man page and tracking their
changes separately is cleaner when people try to figure out what was
discussed and which conclusions were made.
  

no problem; I'll send another man page patch.

cheers,

JJK