From 2ef615a3f71309a13477e0ba39a29ce939b7bcc8 Mon Sep 17 00:00:00 2001 From: zzz Date: Wed, 1 Apr 2015 12:50:51 +0000 Subject: [PATCH] I2CP: Allow larger client clock skew (ticket #1503), better error message to client javadocs --- .../java/src/net/i2p/data/i2cp/SessionConfig.java | 15 ++++++++++++--- history.txt | 6 ++++++ router/java/src/net/i2p/router/RouterVersion.java | 2 +- .../router/client/ClientMessageEventListener.java | 10 ++++++++++ .../net/i2p/router/client/LeaseRequestState.java | 2 +- 5 files changed, 30 insertions(+), 5 deletions(-) diff --git a/core/java/src/net/i2p/data/i2cp/SessionConfig.java b/core/java/src/net/i2p/data/i2cp/SessionConfig.java index c4af88db90..de6734349e 100644 --- a/core/java/src/net/i2p/data/i2cp/SessionConfig.java +++ b/core/java/src/net/i2p/data/i2cp/SessionConfig.java @@ -41,15 +41,18 @@ public class SessionConfig extends DataStructureImpl { private Properties _options; /** - * if the client authorized this session more than the specified period ago, - * refuse it, since it may be a replay attack + * If the client authorized this session more than the specified period ago, + * refuse it, since it may be a replay attack. * + * Really? See also ClientManager.REQUEST_LEASESET_TIMEOUT. + * If I2CP replay attacks are a thing, there's a lot more to do. */ - private final static long OFFSET_VALIDITY = 30 * 1000; + private final static long OFFSET_VALIDITY = 3*60*1000; public SessionConfig() { this(null); } + public SessionConfig(Destination dest) { _destination = dest; _creationDate = new Date(Clock.getInstance().now()); @@ -124,6 +127,9 @@ public class SessionConfig extends DataStructureImpl { /** * Verify that the signature matches the destination's signing public key. * + * Note that this also returns false if the creation date is too far in the + * past or future. See tooOld() and getCreationDate(). + * * @return true only if the signature matches */ public boolean verifySignature() { @@ -158,6 +164,9 @@ public class SessionConfig extends DataStructureImpl { return ok; } + /** + * Misnamed, could be too old or too far in the future. + */ public boolean tooOld() { long now = Clock.getInstance().now(); long earliestValid = now - OFFSET_VALIDITY; diff --git a/history.txt b/history.txt index 827ce26be0..4863b4ab37 100644 --- a/history.txt +++ b/history.txt @@ -1,4 +1,10 @@ +2015-04-01 zzz + * I2CP: Allow larger client clock skew (ticket #1503) + * i2psnark: Fix changing data directory on Windows (ticket #1503) + 2015-03-31 zzz + * API: Fix some client-side APIs to honor defaults in Properties; + add javadocs to specify where we do and don't (ticket #1491) * i2ptunnel: Fix multiple SSL outproxies in HTTP client 2015-03-29 zzz diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java index affa6f41b1..25340f779d 100644 --- a/router/java/src/net/i2p/router/RouterVersion.java +++ b/router/java/src/net/i2p/router/RouterVersion.java @@ -18,7 +18,7 @@ public class RouterVersion { /** deprecated */ public final static String ID = "Monotone"; public final static String VERSION = CoreVersion.VERSION; - public final static long BUILD = 14; + public final static long BUILD = 15; /** for example "-test" */ public final static String EXTRA = "-rc"; diff --git a/router/java/src/net/i2p/router/client/ClientMessageEventListener.java b/router/java/src/net/i2p/router/client/ClientMessageEventListener.java index 0fd8bddcae..e20039b6ec 100644 --- a/router/java/src/net/i2p/router/client/ClientMessageEventListener.java +++ b/router/java/src/net/i2p/router/client/ClientMessageEventListener.java @@ -12,6 +12,7 @@ import java.util.Properties; import net.i2p.CoreVersion; import net.i2p.crypto.SigType; +import net.i2p.data.DataHelper; import net.i2p.data.Destination; import net.i2p.data.Hash; import net.i2p.data.Payload; @@ -213,6 +214,15 @@ class ClientMessageEventListener implements I2CPMessageReader.I2CPMessageEventLi if (stype == null || !stype.isAvailable()) { _log.error("Client requested unsupported signature type " + itype); _runner.disconnectClient("Unsupported signature type " + itype); + } else if (in.tooOld()) { + long skew = _context.clock().now() - in.getCreationDate().getTime(); + String msg = "Create session message client clock skew? "; + if (skew >= 0) + msg += DataHelper.formatDuration(skew) + " in the past"; + else + msg += DataHelper.formatDuration(0 - skew) + " in the future"; + _log.error(msg); + _runner.disconnectClient(msg); } else { _log.error("Signature verification failed on a create session message"); _runner.disconnectClient("Invalid signature on CreateSessionMessage"); diff --git a/router/java/src/net/i2p/router/client/LeaseRequestState.java b/router/java/src/net/i2p/router/client/LeaseRequestState.java index 67968df3b9..03bc2e4fa7 100644 --- a/router/java/src/net/i2p/router/client/LeaseRequestState.java +++ b/router/java/src/net/i2p/router/client/LeaseRequestState.java @@ -29,7 +29,7 @@ class LeaseRequestState { private boolean _successful; /** - * @param expiration absolute time + * @param expiration absolute time, when the request expires (not when the LS expires) */ public LeaseRequestState(Job onGranted, Job onFailed, long expiration, LeaseSet requested) { _onGranted = onGranted;