Router: Validate family sig at startup

when loaded from router.info, and discard if invalid or when family changed. This fixes some routers out there with bad sigs. Don't loop forever through LoadRouterInfoJob.

Router: Validate family sig at startup
8c59c514 · zzz · 93493a6d · 8c59c514
Unverified Commit 8c59c514 authored 3 years ago by zzz
--- a/router/java/src/net/i2p/router/startup/LoadRouterInfoJob.java
+++ b/router/java/src/net/i2p/router/startup/LoadRouterInfoJob.java
@@ -104,11 +104,32 @@ class LoadRouterInfoJob extends JobImpl {
                if (_log.shouldLog(Log.DEBUG))
                    _log.debug("Reading in routerInfo from " + rif.getAbsolutePath() + " and it has " + info.getAddresses().size() + " addresses");
                // don't reuse if family name changed
-                if (DataHelper.eq(info.getOption(FamilyKeyCrypto.OPT_NAME),
-                                  getContext().getProperty(FamilyKeyCrypto.PROP_FAMILY_NAME))) {
+                String oldFamily = info.getOption(FamilyKeyCrypto.OPT_NAME);
+                if (oldFamily == null) {
                    _us = info;
+                } else if (oldFamily.equals(getContext().getProperty(FamilyKeyCrypto.PROP_FAMILY_NAME))) {
+                    // This keeps the signature the same across restarts,
+                    // which is good because ECDSA creates a different signature each time,
+                    // but in some situations such as leaving and re-joining or recreating a family,
+                    // or copying router.info to a new router,
+                    // could lead to a bad signature being perpetuated forever.
+                    // Here we ignore and delete router.info if the sig is invalid.
+                    FamilyKeyCrypto fkc = getContext().router().getFamilyKeyCrypto();
+                    if (fkc != null && fkc.verifyOurFamily(info)) {
+                        _us = info;
+                    } else {
+                        _log.logAlways(Log.WARN, "NetDb family keys are invalid");
+                        // close and delete so we don't infinite loop
+                        try { fis1.close(); } catch (IOException ioe2) {}
+                        fis1 = null;
+                        rif.delete();
+                    }
                } else {
                    _log.logAlways(Log.WARN, "NetDb family name changed");
+                    // close and delete so we don't infinite loop
+                    try { fis1.close(); } catch (IOException ioe2) {}
+                    fis1 = null;
+                    rif.delete();
                }
            }