SSU2: Fail IES2 on all session request after retry errors

Don't hexdump for RI errors
Don't throw ISE when sending 2nd retry

history.txt

@@ -1,3 +1,26 @@
+2022-11-01 zzz
+ * GeoIP 2022-11-01
+ * SSU:
+   - Fail SSU2 on all session request after retry errors
+   - Prefer in China
+
+2022-10-19 zzz
+ * Console: Register NavHelper with ClientAppManager as NavService
+ * Debian: Change dependency from transitional package libservlet3.1-java
+   to libjsp-api-java and libservlet-api-java
+ * i2psnark: Register additional instances with NavService
+ * SusiMail: Add icons to the buttons that were missing them (dark theme)
+
+2022-10-17 zzz
+ * Console: CSS fixes for lists in news entries
+ * Tunnels: ConnectChecker fixes
+
+2022-10-16 zzz
+ * SSU2: Use from port in hole punch if different from relay response port
+
+2022-10-15 zzz
+ * i2psnark: Increase piece limit to 64K
+
 2022-10-10 zzz
  * SSU2: Track recently-closed sessions (gitlab #370)
 

router/java/src/net/i2p/router/RouterVersion.java

@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Git";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 12;
+    public final static long BUILD = 13;
 
     /** for example "-test" */
     public final static String EXTRA = "";

router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java

@@ -189,6 +189,12 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
             int blocks = SSU2Payload.processPayload(_context, this, payload, offset, length, isHandshake, null);
             if (_log.shouldDebug())
                 _log.debug("Processed " + blocks + " blocks on " + this);
+        } catch (DataFormatException dfe) {
+            // probably RI problems, ban for a while??
+            //_context.blocklist().add(_aliceIP);
+            if (_log.shouldWarn())
+                _log.warn("IES2 payload error", dfe);
+            throw new GeneralSecurityException("IES2 payload error: " + this, dfe);
         } catch (Exception e) {
             if (_log.shouldWarn())
                 _log.warn("IES2 payload error\n" + net.i2p.util.HexDump.dump(payload, 0, length), e);
@@ -494,7 +500,8 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
     /** note that we just sent a Retry packet */
     public synchronized void retryPacketSent() {
         // retry after clock skew
-        if (_currentState == InboundState.IB_STATE_FAILED)
+        if (_currentState == InboundState.IB_STATE_FAILED ||
+            _currentState == InboundState.IB_STATE_RETRY_SENT)
             return;
         if (_currentState != InboundState.IB_STATE_REQUEST_BAD_TOKEN_RECEIVED &&
             _currentState != InboundState.IB_STATE_TOKEN_REQUEST_RECEIVED)
@@ -507,9 +514,24 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
     }
 
     /**
-     *
+     *  All exceptions thrown from here will be fatal. fail() will be called before throwing.
      */
     public synchronized void receiveSessionRequestAfterRetry(UDPPacket packet) throws GeneralSecurityException {
+        try {
+            locked_receiveSessionRequestAfterRetry(packet);
+        } catch (GeneralSecurityException gse) {
+            if (_log.shouldDebug())
+                _log.debug("Session request error after retry", gse);
+            // fail inside synch rather than have Est. Mgr. do it to prevent races
+            fail();
+            throw gse;
+        }
+    }
+
+    /**
+     * @since 0.9.56
+     */
+    private void locked_receiveSessionRequestAfterRetry(UDPPacket packet) throws GeneralSecurityException {
         if (_currentState != InboundState.IB_STATE_RETRY_SENT)
             throw new GeneralSecurityException("Bad state for Session Request after Retry: " + _currentState);
         if (_log.shouldDebug())