Make sure that version number resembles a valid API version

Merge branch 'master' of i2pgit.org:i2p-hackers/i2p.i2p into i2p.i2p.2.6.0-configure-bannable-caps
Banlist: Don't reread the config file multiple times a second, require a restart to reload the config option
2024-04-22 13:42:13 -04:00 · 2024-04-20 15:35:26 -04:00 · 2024-04-20 13:52:55 -04:00 · 2024-04-20 13:20:18 -04:00 · 2024-04-20 13:15:06 -04:00 · 2024-04-20 13:03:23 -04:00
5 changed files with 89 additions and 13 deletions
--- a/core/java/src/net/i2p/util/VersionComparator.java
+++ b/core/java/src/net/i2p/util/VersionComparator.java
@ -115,4 +115,16 @@ public class VersionComparator implements Comparator<String>, Serializable {
            return -1;
        return rv;
    }
+
+    /**
+     * Validate an API version string.
+     * 
+     * @param version
+     * @return true if valid
+     */
+    public static boolean isValid(String version) {
+        if (version.split(".").length != 3)
+            return false;
+        return true;
+    }
 }
--- a/debian-alt/bionic/changelog
+++ b/debian-alt/bionic/changelog
@ -6,7 +6,7 @@ i2p (2.5.0-1~bionic+1) bionic; urgency=medium

 i2p (2.4.0-2~bionic+1) bionic; urgency=medium

-  * New upstream version 2.3.0
+  * New upstream version 2.4.0

 -- idk <hankhill19580@gmail.com>  Wed, 20 Dec 2023 19:28:05 +0000

--- a/debian-alt/doc/debian-build.txt
+++ b/debian-alt/doc/debian-build.txt
@ -71,7 +71,7 @@ reprepro includedeb stable i2p_1.xx.0-1_all.deb
 reprepro includedsc stable i2p_1.xx.0-1.dsc

 # copy built packages from launchpad
-for i in bionic focal jammy kinetic lunar
+for i in bionic focal jammy mantic noble
 do
 	reprepro -v update $i
 done
--- a/router/java/src/net/i2p/router/transport/ntcp/InboundEstablishState.java
+++ b/router/java/src/net/i2p/router/transport/ntcp/InboundEstablishState.java
@ -8,6 +8,7 @@ import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
 import java.util.Arrays;
 import java.util.EnumSet;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Set;

@ -38,6 +39,7 @@ import net.i2p.util.ByteArrayStream;
 import net.i2p.util.ByteCache;
 import net.i2p.util.Log;
 import net.i2p.util.SimpleByteCache;
+import net.i2p.util.VersionComparator;

 /**
 *
@ -85,6 +87,7 @@ class InboundEstablishState extends EstablishBase implements NTCP2Payload.Payloa
    // absolute max, let's enforce less
    //private static final int MSG3P2_MAX = BUFFER_SIZE - MSG3P1_SIZE;
    private static final int MSG3P2_MAX = 6000;
+    private HashMap <String, String> _capsPerVersion;

    private static final Set<State> STATES_NTCP2 =
        EnumSet.of(State.IB_NTCP2_INIT, State.IB_NTCP2_GOT_X, State.IB_NTCP2_GOT_PADDING,
@ -97,6 +100,7 @@ class InboundEstablishState extends EstablishBase implements NTCP2Payload.Payloa
        _sz_aliceIdent_tsA_padding_aliceSig = new ByteArrayOutputStream(512);
        _prevEncrypted = SimpleByteCache.acquire(AES_SIZE);
        _curEncrypted = SimpleByteCache.acquire(AES_SIZE);
+        _capsPerVersion = banCapsForVersion();
    }

    /**
@ -689,11 +693,15 @@ class InboundEstablishState extends EstablishBase implements NTCP2Payload.Payloa
            throw new DataFormatException(mismatchMessage + ri);
        }

-        if (ri.getCapabilities().equals("LU") && ri.getVersion().equals("0.9.56")) {
-            _context.banlist().banlistRouter(h, "Slow", null,
-                                             null, _context.clock().now() + 2*60*60*1000);
-            _msg3p2FailReason = NTCPConnection.REASON_BANNED;
-            throw new DataFormatException("Old and slow: " + h);
+        for (String version : _capsPerVersion.keySet()) {
+            if (ri.getVersion().equals(version)) {
+                if (ri.getCapabilities().equals(_capsPerVersion.get(version))) {
+                    _context.banlist().banlistRouter(h, "Slow", null,
+                                                    null, _context.clock().now() + 2*60*60*1000);
+                    _msg3p2FailReason = NTCPConnection.REASON_BANNED;
+                    throw new DataFormatException("Old and slow: " + h);
+                }
+            }
        }

        try {
@ -781,4 +789,28 @@ class InboundEstablishState extends EstablishBase implements NTCP2Payload.Payloa
            _msg3tmp = null;
        }
    }
+
+    /**
+     * get a list of caps and versions which should be soft-banned from the router.config file
+     * 
+     * @since 0.5.63
+     * @return a map of caps and versions
+     */
+    private HashMap<String, String> banCapsForVersion() {
+        HashMap caps = new HashMap<String, String>();
+        if (_log.shouldDebug())
+            _log.debug("Performance check: reading router.config file for ban version/caps pairs");
+        String[] pairs = _context.getProperty("router.banVersionCaps", "0.9.56:LU").split(",");
+        for (String pair : pairs) {
+            String[] split = pair.split(":");
+            if (split.length == 2) {
+                String validatedVersion = split[0];
+                if (!VersionComparator.isValid(validatedVersion))
+                    continue;
+                String validatedCaps = split[1];
+                caps.put(validatedVersion, validatedCaps);
+            }
+        }
+        return caps;
+    }
 }
--- a/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java
+++ b/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java
@ -9,6 +9,7 @@ import java.net.UnknownHostException;
 import java.security.GeneralSecurityException;
 import java.util.Arrays;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;

 import com.southernstorm.noise.protocol.ChaChaPolyCipherState;
@ -61,6 +62,7 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
    private int _mtu;
    private PeerState2 _pstate;
    private List<UDPPacket> _queuedDataPackets;
+    private HashMap <String, String> _capsPerVersion;
    
    // testing
    private static final boolean ENFORCE_TOKEN = true;
@ -101,6 +103,7 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
            throw new GeneralSecurityException("Identical Conn IDs");
        int type = data[off + TYPE_OFFSET] & 0xff;
        long token = DataHelper.fromLong8(data, off + TOKEN_OFFSET);
+        _capsPerVersion = banCapsForVersion();
        if (type == TOKEN_REQUEST_FLAG_BYTE) {
            if (_log.shouldDebug())
                _log.debug("Got token request from: " + _aliceSocketAddress);
@ -345,12 +348,16 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
        if (!"2".equals(ra.getOption("v")))
            throw new RIException("bad SSU2 v", REASON_VERSION);

-        if (ri.getCapabilities().equals("LU") && ri.getVersion().equals("0.9.56")) {
-            _context.banlist().banlistRouter(h, "Slow", null,
-                                             null, _context.clock().now() + 2*60*60*1000);
-            if (ri.verifySignature())
-                _context.blocklist().add(_aliceIP);
-            throw new RIException("Old and slow: " + h, REASON_BANNED);
+        for (String version : _capsPerVersion.keySet()) {
+            if (ri.getVersion().equals(version)) {
+                if (ri.getCapabilities().equals(_capsPerVersion.get(version))) {
+                    _context.banlist().banlistRouter(h, "Slow", null,
+                    null, _context.clock().now() + 2*60*60*1000);
+                    if (ri.verifySignature())
+                        _context.blocklist().add(_aliceIP);
+                    throw new RIException("Old and slow: " + h, REASON_BANNED);
+                }
+            }
        }

        String smtu = ra.getOption(UDPAddress.PROP_MTU);
@ -1040,6 +1047,31 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
        }
    }
    
+    /**
+     * get a list of caps and versions which should be soft-banned from the router.config file
+     * 
+     * 
+     * @since 0.9.63
+     * @return a map of caps and versions
+     */
+    private HashMap<String, String> banCapsForVersion() {
+        HashMap caps = new HashMap<String, String>();
+        if (_log.shouldDebug())
+            _log.debug("Performance check: reading router.config file for ban version/caps pairs");
+        String[] pairs = _context.getProperty("router.banVersionCaps", "0.9.56:LU").split(",");
+        for (String pair : pairs) {
+            String[] split = pair.split(":");
+            if (split.length == 2) {
+                String validatedVersion = split[0];
+                if (!VersionComparator.isValid(validatedVersion))
+                    continue;
+                String validatedCaps = split[1];
+                caps.put(validatedVersion, validatedCaps);
+            }
+        }
+        return caps;
+    }
+
    @Override
    public String toString() {            
        StringBuilder buf = new StringBuilder(128);
Author	SHA1	Message	Date
eyedeekay	2b363611ce	Make sure that version number resembles a valid API version	2024-04-22 13:42:13 -04:00
eyedeekay	b0f4e69ded	Merge branch 'master' of i2pgit.org:i2p-hackers/i2p.i2p into i2p.i2p.2.6.0-configure-bannable-caps	2024-04-20 15:35:26 -04:00
eyedeekay	d0fe41cc5a	Banlist: Don't reread the config file multiple times a second, require a restart to reload the config option	2024-04-20 13:52:55 -04:00
eyedeekay	408b0bf951	Banlist: fix copypasta error	2024-04-20 13:20:18 -04:00
eyedeekay	b46c3209a6	Banlist: add debug option to discern if you're reading router.config	2024-04-20 13:15:06 -04:00
eyedeekay	6c6d40f1ea	Banlist: fix unchecked operations in IBES/2.java	2024-04-20 13:03:23 -04:00
eyedeekay	e58b8ea956	Router: enable a config option for adding bannable routers by version/cap combination	2024-04-18 00:11:47 -04:00
eyedeekay	de16c3f537	Increment bionic changelog	2024-04-13 10:51:05 -04:00
eyedeekay	f57703ed77	update checklist.md	2024-04-13 10:38:38 -04:00