I2P Address: [http://git.idk.i2p]

Skip to content
Snippets Groups Projects
Unverified Commit 9e2bb1ad authored by zzz's avatar zzz
Browse files

Transports: Check RI in handshake for matching IP

parent 10e05960
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
router/java/src/net/i2p/router/transport/ntcp/InboundEstablishState.java
+ 28
3
View file @ 9e2bb1ad
......@@ -629,15 +629,32 @@ class InboundEstablishState extends EstablishBase implements NTCP2Payload.Payloa
throw new DataFormatException("no NTCP in RI: " + ri);
}
String s = null;
String mismatchMessage = null;
byte[] realIP = _con.getRemoteIP();
for (RouterAddress addr : addrs) {
String v = addr.getOption("v");
if (v == null ||
(!v.equals(NTCPTransport.NTCP2_VERSION) && !v.startsWith(NTCPTransport.NTCP2_VERSION_ALT))) {
continue;
}
s = addr.getOption("s");
if (s != null)
break;
if (s == null)
s = addr.getOption("s");
if (realIP != null) {
byte[] infoIP = addr.getIP();
if (infoIP != null && infoIP.length == realIP.length) {
if (infoIP.length == 16) {
if ((((int) infoIP[0]) & 0xfe) == 0x02)
continue; // ygg
if (DataHelper.eq(realIP, 0, infoIP, 0, 8))
continue;
} else {
if (DataHelper.eq(realIP, infoIP))
continue;
}
// We will ban and throw below after checking s
mismatchMessage = "IP mismatch actual IP " + Addresses.toString(realIP) + " in RI: ";
}
}
}
if (s == null) {
_msg3p2FailReason = NTCPConnection.REASON_S_MISMATCH;
......@@ -661,6 +678,14 @@ class InboundEstablishState extends EstablishBase implements NTCP2Payload.Payloa
boolean ok = verifyInbound(h);
if (!ok)
throw new DataFormatException("NTCP2 verifyInbound() fail");
// s is verified, we may now ban the hash
if (mismatchMessage != null) {
_context.banlist().banlistRouter(h, "IP mismatch", null, null, _context.clock().now() + 2*60*60*1000);
_msg3p2FailReason = NTCPConnection.REASON_BANNED;
throw new DataFormatException(mismatchMessage + ri);
}
try {
RouterInfo old = _context.netDb().store(h, ri);
if (flood && !ri.equals(old)) {
......
router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java
+ 22
0
View file @ 9e2bb1ad
......@@ -248,6 +248,7 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
boolean isIPv6 = _aliceIP.length == 16;
List<RouterAddress> addrs = _transport.getTargetAddresses(ri);
RouterAddress ra = null;
String mismatchMessage = null;
for (RouterAddress addr : addrs) {
// skip SSU 1 address w/o "s"
if (addrs.size() > 1 && addr.getTransportStyle().equals("SSU") && addr.getOption("s") == null)
......@@ -266,6 +267,20 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
continue;
}
ra = addr;
byte[] infoIP = ra.getIP();
if (infoIP != null && infoIP.length == _aliceIP.length) {
if (isIPv6) {
if ((((int) infoIP[0]) & 0xfe) == 0x02)
continue; // ygg
if (DataHelper.eq(_aliceIP, 0, infoIP, 0, 8))
continue;
} else {
if (DataHelper.eq(_aliceIP, infoIP))
continue;
}
// We will ban and throw below after checking signature
mismatchMessage = "IP mismatch actual IP " + Addresses.toString(_aliceIP) + " in RI: ";
}
break;
}
......@@ -312,6 +327,13 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
throw new RIException("SSU2 network ID mismatch", REASON_NETID);
}
if (mismatchMessage != null) {
_context.banlist().banlistRouter(h, "IP mismatch", null, null, _context.clock().now() + 2*60*60*1000);
if (ri.verifySignature())
_context.blocklist().add(_aliceIP);
throw new RIException(mismatchMessage + ri, REASON_BANNED);
}
if (!"2".equals(ra.getOption("v")))
throw new RIException("bad SSU2 v", REASON_VERSION);
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Base32 Address: [http://7qeve4v2chmjdqlwpa3vl7aojf3nodbku7vepnjwrsxljzqipz6a.b32.i2p] Onion Address: [http://47ggr2fa3vnwfyhvgskzdmr3i32eijwymxohtxsls45dulmriwxszjad.onion]