- Remove ITBM, change record length from 236 to 218 bytes
- Fix check of blank record in BuildReplyHandler
- Fix offset constants for short record in BuildRequestRecord
- Fix BuildMessageTestStandalone test 6 (short inbound)
- ITBM class removal TODO
- Add new internal-only ShortTunnelBuildReplyMessage,
for processing of STBM as a reply.
- Add support for inbound tunnel tests to TunnelBuildMessageStandalone.
The ITBM test is WIP.
- Add checks for unset plaintext record in ITBM and OTBRM
WIP, still disabled, proposal not complete
- Use ChaCha20 to encrypt/decrypt records
- Add OTBRM methods for plaintext record
- Add OTBRM checks for correct plaintext slot number
- Add BRR checks to prevent use of nonexistent AES key/IV
- Set plaintext reply at OBEP in BuildHandler
- Allow OTBRM in InboundMessageDistributor
- Remove timing measurements in BuildMessageProcessor.decrypt()
- Add test to BuildMessageTestStandalone for outbound build
- Add check for all replies to BuildMessageTestStandalone
- Log tweaks
Older miniupnpd 2.0 will send a SSDP search response with an IPv6 location to a IPv4 address,
but newer ones 2.2 won't. So we need to also bind to an IPv6 address for the SSDP search
to receive the router's IPv6 location. Then we can bind to our public IPv6 address
for a port forward and it will work when miniupnpd is configured for "secure".
Also, don't bind a POST request to a mismatched v4/v6 address.
- Generate and parse short record format
- Encrypt and decrypt short records
- Register handlers for 3 new messages ITBM/STBM/OTBRM
- Send ITBM/STBM if all hops support it (disabled)
- Reply with OTBRM at OBEP if STBM received (disabled)
- Send STBM at IBGW if ITBM received (disabled)
- Add logic for when to send new messages
- ChaCha encryption of other short records
- Fix compare logic in ITBM parser (ticket #2814)
All is still preliminary, disabled, untested; proposal is still incomplete
Still todo:
- Fill in plaintext record for ITBM/OTBRM
- OTBRM key/tag
Jetty server high CPU when client send data length > 17408
This affects SSL connections only, which is not part of our default setup.
Adapted from workaround at:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
Put the new checks directly in the unwrap() method,
rather than subclassing SslConnection, as that would require config file changes.
Timer was not getting rescheduled in all cases,
so testComplete() was never called,
so no more tests could run.
Always remove test when testComplete() is called.
Log tweaks
