9front - general discussion about 9front
* [9front] tinc(8) protocol now at 1.0.36?
@ 2021-08-15  7:22 unobe
From: unobe @ 2021-08-15  7:22 UTC (permalink / raw)
  To: 9front

tinc(8) states that the peer VPN protocol as of version 1.0.32 is
implemented.  I've found
https://github.com/gsliepen/tinc/tree/master/doc , which appears to
describe the protocol.  Nothing has changed substantially in those
files for years.
https://www.tinc-vpn.org/documentation/Technical-information.html#Technical-information
doesn't appear to diverge from the github docs.

The software implementation of tinc.org, however, is now at version
1.0.36 and there have been a few bugs that have been reported since
tinc(8) was added to 9front: https://www.tinc-vpn.org/security/ shows
two oracle attacks, one timing attack, and one MITM attack.  I can't
tell from the 9front logs if the CVEs have been reviewed to determine
if the 9front version is susceptible, so I am trying to spelunk the code
and I don't think it is:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16758 --
9front's version isn't susceptible to the MITM:
/sys/src/cmd/ip/tinc.c:915 doesn't allow it.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16737 and
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16738 --
9front's version isn't really susceptible to what is described.  I
don't see in metaauth how CHAL_REPLY could be sent inadvertently.
METAAUTH won't allow unknown ciphers/digests, including NULL.  As for
the # of connections, that is managed when ip/tinc starts.

cinap is the only one who has committed changes to tinc(8).  So maybe
this is really a question for cinap: can 9front's version be
advertised as supporting 1.0.36?

If so, I've attached a patch that updates the man page and also fixes a
couple of typos I saw in the code:

Summary:
  Update tinc(8) man page to:
    1.  state the implementation aligns with 1.0.36 of tinc.org;
    2.  use same hostname as mentioned in usage line.
  Fix typos in tinc.c.
--- //.git/fs/object/da085a2d4cca788686b8f68b2555040cf29dc16c/tree//sys/man/8/tinc
+++ /sys/man/8/tinc
@@ -29,7 +29,7 @@
 .SH DESCRIPTION
 Tinc implements the mesh peer to peer VPN protocol from
 .I https://www.tinc-vpn.org/
-as of version 1.0.32. Within a tinc VPN one can reach all
+as of version 1.0.36. Within a tinc VPN one can reach all
 the subnets of all hosts within the network even when not
 directly connected to the owning host of the subnet.
 .PP
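Review bot: the new wording still describes the wire protocol "as of version 1.0.36", but 1.0.36 is a release number of the tinc.org implementation rather than a protocol version; the reply in this thread says the protocol implemented is the 1.0 one described in the technical information. Consider wording that keeps the two apart, e.g. "Tinc implements the 1.0 mesh peer to peer VPN protocol ... as implemented by tinc 1.0.36", so the man page does not need a bump on every upstream bugfix release.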
@@ -110,7 +110,7 @@
 .TP
 .B -n
 Sets our hostname to
-.IR myhost .
+.IR myname .
 .SH "SEE ALSO"
 .IR rsa (8),
 .IR ip (3)
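Review bot: the usage line this rename is meant to match lies outside the hunk's context, so the diff alone does not show that the synopsis spells the argument `myname` rather than `myhost`; include that line in the patch context, or quote it in the summary, so the two spellings can be checked side by side.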
--- //.git/fs/object/da085a2d4cca788686b8f68b2555040cf29dc16c/tree//sys/src/cmd/ip/tinc.c
+++ /sys/src/cmd/ip/tinc.c
@@ -76,7 +76,7 @@
 	Host	*src;
 	Host	*dst;
 	Edge	*next;	/* next edge on src */
-	Edge	*rev;	/* reverse drection edge */
+	Edge	*rev;	/* reverse direction edge */
 
 	uchar	ip[IPaddrlen];
 	int	port;
@@ -1135,7 +1135,7 @@
 	if(n != 6 || atoi(f[0]) != META_KEY || strlen(f[5]) != 2*n2)
 		return -1;
 	if(atoi(f[1]) != EVP_AES256CFB || atoi(f[2]) != EVP_SHA256){
-		fprint(2, "%s uses unknown cipher/digest agorithms: %s %s\n",
+		fprint(2, "%s uses unknown cipher/digest algorithms: %s %s\n",
 			c->host->name, f[1], f[2]);
 		return -1;
 	}
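Review bot: with the spelling fixed, the message still says "unknown" while the condition rejects every cipher/digest pair other than EVP_AES256CFB/EVP_SHA256, known or not; "unsupported" describes the check more accurately, e.g. `fprint(2, "%s uses unsupported cipher/digest algorithms: %s %s\n",`. The strict equality test itself is the right shape: it refuses any negotiated algorithm outside the fixed allow-list, including NULL, rather than trying to honour the peer's choice, which is what the first message relies on when arguing the 9front code is not affected by the cipher/digest issues.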



* Re: [9front] tinc(8) protocol now at 1.0.36?
@ 2021-08-15 10:01 ` cinap_lenrek
From: cinap_lenrek @ 2021-08-15 10:01 UTC (permalink / raw)
  To: 9front

thanks for the review!

> cinap is the only one who has committed changes to tinc(8).  So maybe
> this is really a question for cinap: can 9front's version be
> advertised as supporting 1.0.36?

yes, that is fine. it is good to check if we made similar implementation
mistakes as the original tinc. even though our implementation is completely
independent and doesn't use any of the original tinc code.

the protocol is actually 1.0, as described in the technical information.

there is also a 1.1 protocol, that is not implemented by us.

thanks for fixing the spelling errors, i have applied your patch.

--
cinap
