From: unobe@cpan.org
To: 9front@9front.org
Subject: [9front] tinc(8) protocol now at 1.0.36?
Date: Sun, 15 Aug 2021 00:22:01 -0700 [thread overview]
Message-ID: <148FA590AEF1CB246DB367302A906D39@smtp.pobox.com> (raw)
tinc(8) states that the peer VPN protocol as of version 1.0.32 is
implemented. I've found
https://github.com/gsliepen/tinc/tree/master/doc , which appears to
describe the protocol. Nothing has changed substantially in those
files for years.
https://www.tinc-vpn.org/documentation/Technical-information.html#Technical-information
doesn't appear to diverge from the github docs.
The software implementation of tinc.org, however, is now at version
1.0.36 and there have been a few bugs that have been reported since
tinc(8) was added to 9front: https://www.tinc-vpn.org/security/ shows
two oracle attacks, one timing attack, and one MITM attack. I can't
tell from the 9front logs if the CVEs have been reviewed to determine
if the 9front version is susceptible, so am trying to spelunk the code
and I don't think it is:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16758 --
9front's version isn't susceptible to the MITM:
/sys/src/cmd/ip/tinc.c:915 doesn't allow it.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16737 and
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16738 --
9front's version isn't really susceptible to what is described. I
don't see in metaauth how CHAL_REPLY could be sent inadvertently.
METAAUTH won't allow unknown ciphers/digests, including NULL. As for
the # of connections, that is managed when ip/tinc starts.
cinap is the only one who has committed changes to tinc(8). So maybe
this is really a question for cinap: can 9front's version be
advertised as supporting 1.0.36?
If so, I've attached a patch that updates the man page and also a
couple typos I saw in the code:
Summary:
Update tinc(8) man page to:
1. state the implementation aligns with 1.0.36 of tinc.org;
2. use same hostname as mentioned in usage line.
Fix typos in tinc.c.
--- //.git/fs/object/da085a2d4cca788686b8f68b2555040cf29dc16c/tree//sys/man/8/tinc
+++ /sys/man/8/tinc
@@ -29,7 +29,7 @@
.SH DESCRIPTION
Tinc implements the mesh peer to peer VPN protocol from
.I https://www.tinc-vpn.org/
-as of version 1.0.32. Within a tinc VPN one can reach all
+as of version 1.0.36. Within a tinc VPN one can reach all
the subnets of all hosts within the network even when not
directly connected to the owning host of the subnet.
.PP
@@ -110,7 +110,7 @@
.TP
.B -n
Sets our hostname to
-.IR myhost .
+.IR myname .
.SH "SEE ALSO"
.IR rsa (8),
.IR ip (3)
--- //.git/fs/object/da085a2d4cca788686b8f68b2555040cf29dc16c/tree//sys/src/cmd/ip/tinc.c
+++ /sys/src/cmd/ip/tinc.c
@@ -76,7 +76,7 @@
Host *src;
Host *dst;
Edge *next; /* next edge on src */
- Edge *rev; /* reverse drection edge */
+ Edge *rev; /* reverse direction edge */
uchar ip[IPaddrlen];
int port;
@@ -1135,7 +1135,7 @@
if(n != 6 || atoi(f[0]) != META_KEY || strlen(f[5]) != 2*n2)
return -1;
if(atoi(f[1]) != EVP_AES256CFB || atoi(f[2]) != EVP_SHA256){
- fprint(2, "%s uses unknown cipher/digest agorithms: %s %s\n",
+ fprint(2, "%s uses unknown cipher/digest algorithms: %s %s\n",
c->host->name, f[1], f[2]);
return -1;
}
next reply other threads:[~2021-08-16 4:48 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-15 7:22 unobe [this message]
2021-08-15 10:01 ` cinap_lenrek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=148FA590AEF1CB246DB367302A906D39@smtp.pobox.com \
--to=unobe@cpan.org \
--cc=9front@9front.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).