NetDB: Don't use DSA-SHA1 routers for lookups, stores, or tunnel peers

Don't use non-ElGamal routers for lookups or stores
Prevent DSA-SHA1 routers from auto-floodfill
zzz
2020-10-09 13:46:37 +00:00
parent 8737a6a4fd
commit 999c4c51a2
4 changed files with 22 additions and 10 deletions


@ -6,6 +6,7 @@ import net.i2p.crypto.EncType;
import net.i2p.crypto.SigType;
import net.i2p.data.Hash;
import net.i2p.data.router.RouterAddress;
import net.i2p.data.router.RouterIdentity;
import net.i2p.data.router.RouterInfo;
import net.i2p.router.Job;
import net.i2p.router.JobImpl;
@ -141,8 +142,11 @@ class FloodfillMonitorJob extends JobImpl {
if (ri == null)
return false;
RouterIdentity ident = ri.getIdentity();
if (ident.getSigningPublicKey().getType() == SigType.DSA_SHA1)
return false;
// temp until router ratchet SKM implemented
if (ri.getIdentity().getPublicKey().getType() != EncType.ELGAMAL_2048)
if (ident.getPublicKey().getType() != EncType.ELGAMAL_2048)
return false;
char bw = ri.getBandwidthTier().charAt(0);
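Review bot: The new signing-key check `if (ident.getSigningPublicKey().getType() == SigType.DSA_SHA1)` carries no comment, while the ElGamal check directly below it is marked `// temp until router ratchet SKM implemented`, so a later reader cannot tell which of the two exclusions is meant to be permanent; suggest `// DSA-SHA1 routers are no longer eligible to become floodfill` on the new branch. The same two-step sequence (reject DSA-SHA1 signing key, then reject non-ElGamal encryption key) is added verbatim here, in StoreJob.shouldStoreTo and in TunnelPeerSelector in this commit; a single shared static predicate would keep the three sites in step when the temporary ElGamal restriction is lifted, unless the tunnel-peer selector is expected to diverge. The enclosing method begins and ends outside the hunk.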


@ -122,9 +122,6 @@ public class IterativeSearchJob extends FloodSearchJob {
!SystemVersion.isApache() && !SystemVersion.isGNU() &&
NativeBigInteger.isNative();
//private static final String MIN_QUERY_VERSION = SigType.EdDSA_SHA512_Ed25519.getSupportedSince();
private static final String MIN_QUERY_VERSION = StoreJob.MIN_STORE_VERSION;
/**
* Lookup using exploratory tunnels
*/
@ -323,12 +320,10 @@ public class IterativeSearchJob extends FloodSearchJob {
// querying old floodfills that don't know about those sig types.
// This is also more recent than the version that supports encrypted replies,
// so we won't request unencrypted replies anymore either.
String v = ri.getVersion();
String since = MIN_QUERY_VERSION;
if (VersionComparator.comp(v, since) < 0) {
if (!StoreJob.shouldStoreTo(ri)) {
failed(peer, false);
if (_log.shouldInfo())
_log.info(getJobId() + ": not sending query to old version " + v + ": " + peer);
_log.info(getJobId() + ": not sending query to old router: " + ri);
return;
}
}
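Review bot: The comment block above the new `if (!StoreJob.shouldStoreTo(ri))` still explains only the version requirement (old floodfills not knowing newer sig types, encrypted replies), but the call now also rejects routers with a DSA-SHA1 signing key or a non-ElGamal encryption key, so the comment no longer says why a peer is skipped; suggest appending `// shouldStoreTo() also rejects DSA-SHA1 and non-ElGamal routers; same criteria as for stores`. The replacement log line concatenates the whole RouterInfo (`": not sending query to old router: " + ri`) where the old one printed the version and the peer hash; if RouterInfo.toString() includes addresses and options, which this hunk does not show, an info-level line per skipped peer could get large, and `peer + " version " + ri.getVersion()` would keep it compact. The enclosing method starts and ends outside the hunk.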


@ -24,6 +24,7 @@ import net.i2p.data.router.RouterInfo;
import net.i2p.data.TunnelId;
import net.i2p.data.i2np.DatabaseStoreMessage;
import net.i2p.data.i2np.I2NPMessage;
import net.i2p.data.router.RouterIdentity;
import net.i2p.kademlia.KBucketSet;
import net.i2p.router.Job;
import net.i2p.router.JobImpl;
@ -630,7 +631,15 @@ abstract class StoreJob extends JobImpl {
*/
static boolean shouldStoreTo(RouterInfo ri) {
String v = ri.getVersion();
return VersionComparator.comp(v, MIN_STORE_VERSION) >= 0;
if (VersionComparator.comp(v, MIN_STORE_VERSION) < 0)
return false;
RouterIdentity ident = ri.getIdentity();
if (ident.getSigningPublicKey().getType() == SigType.DSA_SHA1)
return false;
// temp until router ratchet SKM implemented
if (ident.getPublicKey().getType() != EncType.ELGAMAL_2048)
return false;
return true;
}
/** @since 0.9.38 */
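Review bot: shouldStoreTo(RouterInfo) now also decides which peers receive lookups (IterativeSearchJob calls it in this commit), yet its Javadoc, whose closing `*/` is the hunk's first line with the body outside the hunk, and its name still speak only of storing. The Javadoc should list the three criteria the new body applies, minimum version, no DSA-SHA1 signing key, ElGamal-2048 encryption key with the last marked temporary as the inline comment says, and state that the same predicate gates query targets, so a caller does not have to read the body to learn that a version-current router can still be refused. Inside the method the only explanation is the `// temp until router ratchet SKM implemented` line; a matching one-liner on the new branch, `// DSA-SHA1 routers are excluded from stores and lookups`, would make the intent of each early return visible.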


@ -18,6 +18,7 @@ import net.i2p.crypto.SigType;
import net.i2p.data.DataFormatException;
import net.i2p.data.DataHelper;
import net.i2p.data.Hash;
import net.i2p.data.router.RouterIdentity;
import net.i2p.data.router.RouterInfo;
import net.i2p.router.LeaseSetKeys;
import net.i2p.router.Router;
@ -485,7 +486,10 @@ public abstract class TunnelPeerSelector extends ConnectChecker {
maxLen++;
if (cap.length() <= maxLen)
return true;
EncType type = peer.getIdentity().getPublicKey().getType();
RouterIdentity ident = peer.getIdentity();
if (ident.getSigningPublicKey().getType() == SigType.DSA_SHA1)
return true;
EncType type = ident.getPublicKey().getType();
if (!LeaseSetKeys.SET_BOTH.contains(type))
return true;