[9front] tinc(8) protocol now at 1.0.36?

[unobe@cpan.org]

tinc(8) states that the peer VPN protocol as of version 1.0.32 is
implemented.  I've found
https://github.com/gsliepen/tinc/tree/master/doc , which appears to
describe the protocol.  Nothing has changed substantially in those
files for years.
https://www.tinc-vpn.org/documentation/Technical-information.html#Technical-information
doesn't appear to diverge from the github docs.

The software implementation of tinc.org, however, is now at version
1.0.36 and there have been a few bugs that have been reported since
tinc(8) was added to 9front: https://www.tinc-vpn.org/security/ shows
two oracle attacks, one timing attack, and one MITM attack.  I can't
tell from the 9front logs if the CVEs have been reviewed to determine
if the 9front version is susceptible, so am trying to spelunk the code
and I don't think it is:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16758 --
9front's version isn't susceptible to the MITM:
/sys/src/cmd/ip/tinc.c:915 doesn't allow it.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16737 and
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16738 --
9front's version isn't really susceptible to what is described.  I
don't see in metaauth how CHAL_REPLY could be sent inadvertently.
METAAUTH won't allow unknown ciphers/digests, including NULL.  As for
the # of connections, that is managed when ip/tinc starts.

cinap is the only one who has committed changes to tinc(8).  So maybe
this is really a question for cinap: can 9front's version be
advertised as supporting 1.0.36?

If so, I've attached a patch that updates the man page and also a
couple typos I saw in the code:

Summary:
  Update tinc(8) man page to:
    1.  state the implementation aligns with 1.0.36 of tinc.org;
    2.  use same hostname as mentioned in usage line.
  Fix typos in tinc.c.
--- //.git/fs/object/da085a2d4cca788686b8f68b2555040cf29dc16c/tree//sys/man/8/tinc
+++ /sys/man/8/tinc
@@ -29,7 +29,7 @@
 .SH DESCRIPTION
 Tinc implements the mesh peer to peer VPN protocol from
 .I https://www.tinc-vpn.org/
-as of version 1.0.32. Within a tinc VPN one can reach all
+as of version 1.0.36. Within a tinc VPN one can reach all
 the subnets of all hosts within the network even when not
 directly connected to the owning host of the subnet.
 .PP
@@ -110,7 +110,7 @@
 .TP
 .B -n
 Sets our hostname to
-.IR myhost .
+.IR myname .
 .SH "SEE ALSO"
 .IR rsa (8),
 .IR ip (3)
--- //.git/fs/object/da085a2d4cca788686b8f68b2555040cf29dc16c/tree//sys/src/cmd/ip/tinc.c
+++ /sys/src/cmd/ip/tinc.c
@@ -76,7 +76,7 @@
 	Host	*src;
 	Host	*dst;
 	Edge	*next;	/* next edge on src */
-	Edge	*rev;	/* reverse drection edge */
+	Edge	*rev;	/* reverse direction edge */
 
 	uchar	ip[IPaddrlen];
 	int	port;
@@ -1135,7 +1135,7 @@
 	if(n != 6 || atoi(f[0]) != META_KEY || strlen(f[5]) != 2*n2)
 		return -1;
 	if(atoi(f[1]) != EVP_AES256CFB || atoi(f[2]) != EVP_SHA256){
-		fprint(2, "%s uses unknown cipher/digest agorithms: %s %s\n",
+		fprint(2, "%s uses unknown cipher/digest algorithms: %s %s\n",
 			c->host->name, f[1], f[2]);
 		return -1;
 	}