NetDB: Don't use DSA-SHA1 routers for lookups, stores, or tunnel peers

Don't use non-ElGamal routers for lookups or stores
Prevent DSA-SHA1 routers from auto-floodfill

router/java/src/net/i2p/router/networkdb/kademlia/FloodfillMonitorJob.java

@@ -6,6 +6,7 @@ import net.i2p.crypto.EncType;
 import net.i2p.crypto.SigType;
 import net.i2p.data.Hash;
 import net.i2p.data.router.RouterAddress;
+import net.i2p.data.router.RouterIdentity;
 import net.i2p.data.router.RouterInfo;
 import net.i2p.router.Job;
 import net.i2p.router.JobImpl;
@@ -141,8 +142,11 @@ class FloodfillMonitorJob extends JobImpl {
         if (ri == null)
             return false;
 
+        RouterIdentity ident = ri.getIdentity();
+        if (ident.getSigningPublicKey().getType() == SigType.DSA_SHA1)
+            return false;
         // temp until router ratchet SKM implemented
-        if (ri.getIdentity().getPublicKey().getType() != EncType.ELGAMAL_2048)
+        if (ident.getPublicKey().getType() != EncType.ELGAMAL_2048)
             return false;
 
         char bw = ri.getBandwidthTier().charAt(0);

router/java/src/net/i2p/router/networkdb/kademlia/IterativeSearchJob.java

@@ -122,9 +122,6 @@ public class IterativeSearchJob extends FloodSearchJob {
             !SystemVersion.isApache() && !SystemVersion.isGNU() &&
             NativeBigInteger.isNative();
 
-    //private static final String MIN_QUERY_VERSION = SigType.EdDSA_SHA512_Ed25519.getSupportedSince();
-    private static final String MIN_QUERY_VERSION = StoreJob.MIN_STORE_VERSION;
-
     /**
      *  Lookup using exploratory tunnels
      */
@@ -323,12 +320,10 @@ public class IterativeSearchJob extends FloodSearchJob {
                 // querying old floodfills that don't know about those sig types.
                 // This is also more recent than the version that supports encrypted replies,
                 // so we won't request unencrypted replies anymore either.
-                String v = ri.getVersion();
+                if (!StoreJob.shouldStoreTo(ri)) {
-                String since = MIN_QUERY_VERSION;
-                if (VersionComparator.comp(v, since) < 0) {
                     failed(peer, false);
                     if (_log.shouldInfo())
-                        _log.info(getJobId() + ": not sending query to old version " + v + ": " + peer);
+                        _log.info(getJobId() + ": not sending query to old router: " + ri);
                     return;
                 }
             }

router/java/src/net/i2p/router/networkdb/kademlia/StoreJob.java

@@ -24,6 +24,7 @@ import net.i2p.data.router.RouterInfo;
 import net.i2p.data.TunnelId;
 import net.i2p.data.i2np.DatabaseStoreMessage;
 import net.i2p.data.i2np.I2NPMessage;
+import net.i2p.data.router.RouterIdentity;
 import net.i2p.kademlia.KBucketSet;
 import net.i2p.router.Job;
 import net.i2p.router.JobImpl;
@@ -630,7 +631,15 @@ abstract class StoreJob extends JobImpl {
      */
     static boolean shouldStoreTo(RouterInfo ri) {
         String v = ri.getVersion();
-        return VersionComparator.comp(v, MIN_STORE_VERSION) >= 0;
+        if (VersionComparator.comp(v, MIN_STORE_VERSION) < 0)
+            return false;
+        RouterIdentity ident = ri.getIdentity();
+        if (ident.getSigningPublicKey().getType() == SigType.DSA_SHA1)
+            return false;
+        // temp until router ratchet SKM implemented
+        if (ident.getPublicKey().getType() != EncType.ELGAMAL_2048)
+            return false;
+        return true;
     }
 
     /** @since 0.9.38 */

router/java/src/net/i2p/router/tunnel/pool/TunnelPeerSelector.java

@@ -18,6 +18,7 @@ import net.i2p.crypto.SigType;
 import net.i2p.data.DataFormatException;
 import net.i2p.data.DataHelper;
 import net.i2p.data.Hash;
+import net.i2p.data.router.RouterIdentity;
 import net.i2p.data.router.RouterInfo;
 import net.i2p.router.LeaseSetKeys;
 import net.i2p.router.Router;
@@ -485,7 +486,10 @@ public abstract class TunnelPeerSelector extends ConnectChecker {
             maxLen++;
         if (cap.length() <= maxLen)
             return true;
-        EncType type = peer.getIdentity().getPublicKey().getType();
+        RouterIdentity ident = peer.getIdentity();
+        if (ident.getSigningPublicKey().getType() == SigType.DSA_SHA1)
+            return true;
+        EncType type = ident.getPublicKey().getType();
         if (!LeaseSetKeys.SET_BOTH.contains(type))
             return true;