From 71f7c712cda29dd3583c6f9782ce3734c9f3080c Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Fri, 21 Oct 2016 18:21:12 +0000
Subject: [PATCH] NetDB: Disallow RSA for RI or LS

---
 core/java/src/net/i2p/data/DatabaseEntry.java          | 10 +++++++++-
 .../kademlia/KademliaNetworkDatabaseFacade.java        |  3 ++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/core/java/src/net/i2p/data/DatabaseEntry.java b/core/java/src/net/i2p/data/DatabaseEntry.java
index 32f358879f..6c2ee37cb9 100644
--- a/core/java/src/net/i2p/data/DatabaseEntry.java
+++ b/core/java/src/net/i2p/data/DatabaseEntry.java
@@ -13,6 +13,8 @@ import java.util.Arrays;
 
 import net.i2p.I2PAppContext;
 import net.i2p.crypto.DSAEngine;
+import net.i2p.crypto.SigAlgo;
+import net.i2p.crypto.SigType;
 
 /**
  *<p>
@@ -206,6 +208,12 @@ public abstract class DatabaseEntry extends DataStructureImpl {
         if (data == null)
             return false;
         // if the data is non-null the SPK will be non-null
-        return DSAEngine.getInstance().verifySignature(_signature, data, getSigningPublicKey());
+        SigningPublicKey spk = getSigningPublicKey();
+        SigType type = spk.getType();
+        // As of 0.9.28, disallow RSA as it's so slow it could be
+        // used as a DoS
+        if (type == null || type.getBaseAlgorithm() == SigAlgo.RSA)
+            return false;
+        return DSAEngine.getInstance().verifySignature(_signature, data, spk);
     }
 }
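Review bot: The new RSA rejection at the `if (type == null || type.getBaseAlgorithm() == SigAlgo.RSA)` line returns false silently, so a caller cannot tell a policy rejection from a genuinely bad signature, and the method's Javadoc (above the hunk, not shown) presumably still describes plain signature verification. Document the new contract on the method, e.g. `@return false if the signature is invalid, or if the signing key's type is unknown or RSA-based, which is rejected as of 0.9.28 to avoid slow-verification DoS`. If this class has a logger in scope (not visible here), a debug-level line such as `// rejected: RSA signing key on a DatabaseEntry` before the early return would make the rejection diagnosable; otherwise the comment alone suffices. The enclosing method's signature and Javadoc start outside this hunk.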
diff --git a/router/java/src/net/i2p/router/networkdb/kademlia/KademliaNetworkDatabaseFacade.java b/router/java/src/net/i2p/router/networkdb/kademlia/KademliaNetworkDatabaseFacade.java
index 2e2152ceac..6c4f1bae6e 100644
--- a/router/java/src/net/i2p/router/networkdb/kademlia/KademliaNetworkDatabaseFacade.java
+++ b/router/java/src/net/i2p/router/networkdb/kademlia/KademliaNetworkDatabaseFacade.java
@@ -19,6 +19,7 @@ import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
 
+import net.i2p.crypto.SigAlgo;
 import net.i2p.crypto.SigType;
 import net.i2p.data.Certificate;
 import net.i2p.data.DatabaseEntry;
@@ -1080,7 +1081,7 @@ public class KademliaNetworkDatabaseFacade extends NetworkDatabaseFacade {
                     try {
                         KeyCertificate kc = c.toKeyCertificate();
                         SigType type = kc.getSigType();
-                        if (type == null || !type.isAvailable()) {
+                        if (type == null || !type.isAvailable() || type.getBaseAlgorithm() == SigAlgo.RSA) {
                             failPermanently(d);
                             String stype = (type != null) ? type.toString() : Integer.toString(kc.getSigTypeCode());
                             if (_log.shouldLog(Log.WARN))
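Review bot: The widened condition at the `type.getBaseAlgorithm() == SigAlgo.RSA` line routes an RSA-keyed entry into the same `failPermanently(d)` branch as an unknown or unavailable type, so the warning built from `stype` on the following lines (continuing outside the hunk) will presumably describe a supported RSA type as if it were unsupported. Consider naming the reason in the message, e.g. `String reason = (type != null && type.getBaseAlgorithm() == SigAlgo.RSA) ? "disallowed RSA" : "unsupported";` and including it in the log text, so operators can tell policy rejection from a missing algorithm. Since the same RSA check now lives in both this class and DatabaseEntry.verifySignature(), a one-line comment here pointing at that method (`// RSA also rejected in DatabaseEntry.verifySignature()`) would help keep the two in sync. The enclosing method begins and ends outside this hunk.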
-- 
GitLab