Message-ID: <2CF3F3480387891CA0B470F06B562914@9lab.org>
To: 9front@9front.org
CC: ori@eigenstate.org, igor@lab.org, unobe@cpan.org
Date: Sat, 25 Sep 2021 23:04:12 +0200
From: igor@9lab.org
In-Reply-To: <025882E34BB769F0DFE94E4EC294FD86@eigenstate.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="upas-qiepopjyzyngkngufocdpiagub"
List-ID: <9front.9front.org>
List-Help:
X-Glyph: ➈
X-Bullshit: webscale framework firewall
Subject: Re: [9front] cmd/vnc: enable connecting to recent Darwin releases (patch)
Reply-To: 9front@9front.org
Precedence: bulk

This is a multi-part message in MIME format.
--upas-qiepopjyzyngkngufocdpiagub
Content-Disposition: inline
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

Quoth ori@eigenstate.org:
> Quoth unobe@cpan.org:
[…]
> > I don't know if it's appropriate to mention in the man page that the
> > connection to OS X cannot be encrypted, so tunneling w/ssh is advised.
[…]
> It's worth mentioning that vnc auth in general is
> a joke, and some other mechanism, like sshnet,
> should be used for encryption.

Attached is a patch (git/import) that incorporates the modification
to vnc/auth.c enabling connections to Darwin hosts, as well as the
suggestions made to improve /sys/man/1/vnc.

Here is the inline version:

From: Igor Böhm
Date: Sat, 25 Sep 2021 20:40:47 +0000
Subject: [PATCH] vncv: enable connecting to Darwin hosts

Tested on MacOS Catalina and Big Sur releases.

Update man page to highlight weak encryption of vnc,
recommending to tunnel via ssh (thanks unobe).
--- diff 235ef367d793db705b1b4ef20913c697eccd13a6 8abecdeed7f761e5a502bd1500ebbf2bc4962b43 --- a/sys/man/1/vnc Sat Sep 25 18:57:58 2021 +++ b/sys/man/1/vnc Sat Sep 25 22:40:47 2021 @@ -201,9 +201,12 @@ If the remote frame buffer is larger than the local screen, only the upper left corner can be accessed. .PP +.I Vncs +and +.I vncv +encryption is not secure. It's advisable to tunnel through +ssh or some other secure protocol. +.PP .I Vncv does no verification of the TLS certificate presented by the server. -.PP -.I Vncv -supports only version 3.3 of the RFB protocol. 
--- a/sys/src/cmd/vnc/auth.c Sat Sep 25 18:57:58 2021 +++ b/sys/src/cmd/vnc/auth.c Sat Sep 25 22:40:47 2021 @@ -33,6 +33,8 @@ v->vers = 37; else if(strncmp(msg, "RFB 003.008\n", VerLen) == 0) v->vers = 38; + else if(strncmp(msg, "RFB 003.889\n", VerLen) == 0) + v->vers = 38; /* Darwin */ else /* RFC6143: Any other should be treated as 3.3. */ v->vers = 33;

Cheers,
Igor

--upas-qiepopjyzyngkngufocdpiagub
Content-Disposition: attachment; filename=vnc.darwin.patch
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

From: Igor Böhm
Date: Sat, 25 Sep 2021 20:40:47 +0000
Subject: [PATCH] vncv: enable connecting to Darwin hosts

Tested on MacOS Catalina and Big Sur releases.

Update man page to highlight weak encryption of vnc,
recommending to tunnel via ssh (thanks ori, unobe).
--- diff 235ef367d793db705b1b4ef20913c697eccd13a6 8abecdeed7f761e5a502bd1500ebbf2bc4962b43 --- a/sys/man/1/vnc Sat Sep 25 18:57:58 2021 +++ b/sys/man/1/vnc Sat Sep 25 22:40:47 2021 @@ -201,9 +201,12 @@ If the remote frame buffer is larger than the local screen, only the upper left corner can be accessed. .PP +.I Vncs +and +.I vncv +encryption is not secure. It's advisable to tunnel through +ssh or some other secure protocol. +.PP .I Vncv does no verification of the TLS certificate presented by the server. -.PP -.I Vncv -supports only version 3.3 of the RFB protocol. --- a/sys/src/cmd/vnc/auth.c Sat Sep 25 18:57:58 2021 +++ b/sys/src/cmd/vnc/auth.c Sat Sep 25 22:40:47 2021 @@ -33,6 +33,8 @@ v->vers = 37; else if(strncmp(msg, "RFB 003.008\n", VerLen) == 0) v->vers = 38; + else if(strncmp(msg, "RFB 003.889\n", VerLen) == 0) + v->vers = 38; /* Darwin */ else /* RFC6143: Any other should be treated as 3.3. */ v->vers = 33;
--upas-qiepopjyzyngkngufocdpiagub--
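Review bot: In the sys/man/1/vnc hunk, the added paragraph warns only that "encryption is not secure", while the comment it answers in this thread was that vnc auth in general is weak. Word it so that neither the authentication nor the encryption of vncs and vncv is to be relied on, and name a concrete tunnel; the thread suggests sshnet alongside ssh. The same hunk deletes "supports only version 3.3 of the RFB protocol" with no replacement and no mention in the commit message; consider stating which protocol versions vncv now negotiates.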
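Review bot: In the sys/src/cmd/vnc/auth.c hunk, the new branch maps "RFB 003.889\n" to v->vers = 38 even though the comment in the else branch directly below says that, per RFC6143, any other version should be treated as 3.3, and the only explanation given is the one-word comment /* Darwin */. Expand that comment to say this is a deliberate exception for the version string Darwin hosts announce and that it is handled as 3.8, so the branch is not later removed as an RFC deviation. The commit message would also benefit from naming the version string, which it currently does not.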