FidoNet Echomail Archive
sync_programming

<<< Previous Index Next >>>

From: Digital Man
To: mark lewis
Date: 2019-06-14 13:42:06
Subject: possible CRYPT bug with no session password

  Re: possible CRYPT bug with no session password
  By: mark lewis to Digital Man on Fri Jun 14 2019 10:47 am

 >
 >  On 2019 Jun 13 22:34:52, you wrote to me:
 >
 >  >> when they connect inbound, they are sending this...
 >  >>
 >  >> OPT CRYPT
 >  >> [...]
 >  >> VER BinkIT/2.17,JSBinkP/1.114,sbbs3.17c/Linux binkp/1.1
 >
 >  DM> That means the remote BinkIT system has a session password configured
 >  DM> for your node. From binkp.js 1.114 ('-' is the same as a blank/no
 >  DM> password):
 >
 >  DM>        if (!this.plain_auth_only && password !== '-')
 >  DM>                this.sendCmd(this.command.M_NUL, "OPT CRYPT");
 >
 > are you saying that if there is no session level password, we should have a
 > '-' in the session password field in echocfg??

No. The BinkP protocol processes a blank password as '-' and the
binkit/binkp script automatically converts blank passwords to '-' and
compares as such.

 > i actually had nothing in the password field in my echocfg

That would be correct.

 > and then also in
 > my binkd.conf... i've since added a '-' to my binkd.conf after reviewing my
 > old configuration from my dead/defnuct system...

binkd requires the '-' if you have other fields following the password.

 >  >> there is only a tic password set in echocfg... no other passwords are
 >  >> set between the two systems...
 >
 >  DM> How do you know? according to the information you provided, it
 >  DM> certainly seems the remote system has a session password configured.
 >
 > they posted me a copy of my entry in their sbbsecho.ini file... it looked
 > exactly like the one i have for them...
 >
 > ----->8 snip 8<-----
 > [node:XXXXXXXXXXXXXXXXXX]
 >         Name = XXXXXXXXXXXX
 >         Comment =
 >         Archive = None
 >         PacketType = 2+
 >         PacketPwd =
 >         AreaFix = false
 >         AreaFixPwd =
 >         SessionPwd =
 >         TicFilePwd = XXXXXXXX
 >         Inbox =
 >         Outbox =
 >         Passive = false
 >         Direct = true
 >         Notify = false
 >         Keys =
 >         Status = Normal
 >         LocalAddress = XXXXXXXXXXXX
 >         GroupHub =
 >         BinkpHost =
 >         BinkpPort = 24554
 >         BinkpPoll = false
 >         BinkpPlainAuthOnly = false
 >         BinkpAllowPlainAuth = true
 >         BinkpAllowPlainText = true
 >         BinkpSourceAddress = XXXXXXXXXXXXXXXXX

Perhaps they made a copy/past error.

 > ----->8 snip 8<-----
 >
 >  >> i tried setting -nomd on their node line but since they are
requesting
 >  >> CRYPT, we cannot talk... binkd does not have, that i can
find, an option
 >  >> to turn off CRYPT per node...
 >
 >  DM> Setting a blank password in BinkIT will stop the CRYPT option for
 >  DM> outbound connections. The only way to disable it for inbound
 >  DM> connections is the new global plain-text-only option.
 >
 > ahhh, ok... i wasn't sure how that worked... granted, i've not been into the
 > code in several weeks...
 >
 >  >> i'm aware that binkit.js is v2.25 and binkp.js v1.118 and there has
 >  >> been some recent work done in this area of the code...
 >
 >  DM> All about disabling CRAM-MD5 and encryption because my uplink was
 >  DM> having issues that couldn't be easily debugged when those features
 >  DM> were used.
 >
 > i know that feeling... especially when CRYPT is used and the conversation is
 > encrypted so you can't tell what's being sent/received when capturing the
 > raw network packets...
 >
 >  >> with the above versions, i'm thinking that we're missing something
 >  >> since we seem to be setting CRYPT even when there is no session level
 >  >> password defined...
 >
 >  DM> I don't think so.
 >
 > i don't understand what's happening, then...
 >
 >  >> i don't know if having that node update to the latest binkp.js and/or
 >  >> binkit.js will fix this particular problem with requesting CRYPT when
 >  >> there is no session level password set, though...
 >
 >  DM> Shouldn't make any difference in that regard (for outbound connections
 >  DM> from BinkIT).
 >
 > hummm...

Uh huh.

                                            digital man

This Is Spinal Tap quote #16:
David St. Hubbins: I believe virtually everything I read...
Norco, CA WX: 72.2F, 59.0% humidity, 5 mph E wind, 0.00 inches rain/24hrs
--- SBBSecho 3.07-Linux
 * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
SEEN-BY: 103/705 154/10 203/0 218/700 221/0 229/426 240/5832 261/38 280/464
SEEN-BY: 280/5003 396/45 423/120 633/0 267 280 281 384 412 509 712/848 770/1
@PATH: 103/705 280/464 712/848 633/280 267


<<< Previous Index Next >>>