2.50.2

Signed-off-by: r4sas <r4sas@i2pmail.org>

ChangeLog

@@ -1,7 +1,12 @@
 # for this file format description,
 # see https://github.com/olivierlacan/keep-a-changelog
 
-## [2.50.0] - 2023-12-23
+## [2.50.2] - 2024-01-06
+###Fixed
+- Crash with OpenSSL 3.2.0
+- False positive clock skew detection
+
+## [2.50.1] - 2023-12-23
 ###Fixed
 - Support for new EdDSA usage behavior in OpenSSL 3.2.0
 

contrib/rpm/i2pd-git.spec

@@ -1,7 +1,7 @@
 %define git_hash %(git rev-parse HEAD | cut -c -7)
 
 Name:          i2pd-git
-Version:       2.50.1
+Version:       2.50.2
 Release:       git%{git_hash}%{?dist}
 Summary:       I2P router written in C++
 Conflicts:     i2pd
@@ -144,6 +144,9 @@ getent passwd i2pd >/dev/null || \
 
 
 %changelog
+* Sat Jan 06 2024 orignal <orignal@i2pmail.org> - 2.50.2
+- update to 2.50.2
+
 * Sat Dec 23 2023 r4sas <r4sas@i2pmail.org> - 2.50.1
 - update to 2.50.1
 

contrib/rpm/i2pd.spec

@@ -1,5 +1,5 @@
 Name:          i2pd
-Version:       2.50.1
+Version:       2.50.2
 Release:       1%{?dist}
 Summary:       I2P router written in C++
 Conflicts:     i2pd-git
@@ -142,6 +142,9 @@ getent passwd i2pd >/dev/null || \
 
 
 %changelog
+* Sat Jan 06 2024 orignal <orignal@i2pmail.org> - 2.50.2
+- update to 2.50.2
+
 * Sat Dec 23 2023 r4sas <r4sas@i2pmail.org> - 2.50.1
 - update to 2.50.1
 

debian/changelog

@@ -1,3 +1,9 @@
+i2pd (2.50.2) unstable; urgency=medium
+
+  * updated to version 2.50.2/0.9.61
+
+-- orignal <orignal@i2pmail.org>  Sat, 06 Jan 2024 16:00:00 +0000
+
 i2pd (2.50.1-1) unstable; urgency=medium
 
   * updated to version 2.50.1/0.9.61

libi2pd/NetDb.cpp

@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2023, The PurpleI2P Project
+* Copyright (c) 2013-2024, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@@ -247,9 +247,10 @@ namespace data
 						m_Requests.RequestComplete (ident, r);
 						return r;
 					}
-					if (r->IsUnreachable ())
+					if (r->IsUnreachable () ||
+					    i2p::util::GetMillisecondsSinceEpoch () + NETDB_EXPIRATION_TIMEOUT_THRESHOLD*1000LL < r->GetTimestamp ())
 					{
-						// delete router as invalid after update
+						// delete router as invalid or from future after update
 						m_RouterInfos.erase (ident);
 						if (wasFloodfill)
 						{
@@ -1019,6 +1020,11 @@ namespace data
 		std::shared_ptr<I2NPMessage> replyMsg;
 		if (lookupType == DATABASE_LOOKUP_TYPE_EXPLORATORY_LOOKUP)
 		{
+			if (!context.IsFloodfill ())
+			{
+				LogPrint (eLogWarning, "NetDb: Exploratory lookup to non-floodfill dropped");
+				return;
+			}	
 			LogPrint (eLogInfo, "NetDb: Exploratory close to ", key, " ", numExcluded, " excluded");
 			std::set<IdentHash> excludedRouters;
 			const uint8_t * excluded_ident = excluded;
@@ -1044,6 +1050,7 @@ namespace data
 			if (lookupType == DATABASE_LOOKUP_TYPE_ROUTERINFO_LOOKUP ||
 				lookupType == DATABASE_LOOKUP_TYPE_NORMAL_LOOKUP)
 			{
+				// try to find router
 				auto router = FindRouter (ident);
 				if (router && !router->IsUnreachable ())
 				{
@@ -1056,17 +1063,26 @@ namespace data
 			if (!replyMsg && (lookupType == DATABASE_LOOKUP_TYPE_LEASESET_LOOKUP ||
 				lookupType == DATABASE_LOOKUP_TYPE_NORMAL_LOOKUP))
 			{
-				auto leaseSet = FindLeaseSet (ident);
+				// try to find leaseset
-				if (!leaseSet)
+				if (context.IsFloodfill ())
+				{	
+					auto leaseSet = FindLeaseSet (ident);
+					if (!leaseSet)
+					{
+						// no leaseset found
+						LogPrint(eLogDebug, "NetDb: Requested LeaseSet not found for ", ident.ToBase32());
+					}
+					else if (!leaseSet->IsExpired ()) // we don't send back expired leasesets
+					{
+						LogPrint (eLogDebug, "NetDb: Requested LeaseSet ", key, " found");
+						replyMsg = CreateDatabaseStoreMsg (ident, leaseSet);
+					}
+				}	
+				else if (lookupType == DATABASE_LOOKUP_TYPE_LEASESET_LOOKUP)
 				{
-					// no lease set found
+					LogPrint (eLogWarning, "NetDb: Explicit LeaseSet lookup to non-floodfill dropped");
-					LogPrint(eLogDebug, "NetDb: Requested LeaseSet not found for ", ident.ToBase32());
+					return;
-				}
+				}	
-				else if (!leaseSet->IsExpired ()) // we don't send back our LeaseSets
-				{
-					LogPrint (eLogDebug, "NetDb: Requested LeaseSet ", key, " found");
-					replyMsg = CreateDatabaseStoreMsg (ident, leaseSet);
-				}
 			}
 
 			if (!replyMsg)

libi2pd/SSU2.cpp

@@ -24,7 +24,8 @@ namespace transport
 		m_AddressV4 (boost::asio::ip::address_v4()), m_AddressV6 (boost::asio::ip::address_v6()),
 		m_TerminationTimer (GetService ()), m_CleanupTimer (GetService ()), m_ResendTimer (GetService ()),
 		m_IntroducersUpdateTimer (GetService ()), m_IntroducersUpdateTimerV6 (GetService ()),
-		m_IsPublished (true), m_IsSyncClockFromPeers (true), m_IsThroughProxy (false)
+		m_IsPublished (true), m_IsSyncClockFromPeers (true), m_PendingTimeOffset (0),
+		m_IsThroughProxy (false)
 	{
 	}
 
@@ -209,6 +210,29 @@ namespace transport
 		return ep.port ();
 	}
 
+	void SSU2Server::AdjustTimeOffset (int64_t offset)
+	{
+		if (offset)
+		{	
+			if (m_PendingTimeOffset) // one more
+			{	
+				if (std::abs (m_PendingTimeOffset - offset) < SSU2_CLOCK_SKEW)
+				{	
+					offset = (m_PendingTimeOffset + offset)/2; // average
+					LogPrint (eLogWarning, "SSU2: Clock adjusted by ", offset, " seconds");
+					i2p::util::AdjustTimeOffset (offset);
+				}	
+				else
+					LogPrint (eLogWarning, "SSU2: Time offsets are too different. Clock not adjusted");
+				m_PendingTimeOffset = 0;
+			}
+			else
+				m_PendingTimeOffset = offset; // first 
+		}	
+		else
+			m_PendingTimeOffset = 0; // reset
+	}	
+		
 	boost::asio::ip::udp::socket& SSU2Server::OpenSocket (const boost::asio::ip::udp::endpoint& localEndpoint)
 	{
 		boost::asio::ip::udp::socket& socket = localEndpoint.address ().is_v6 () ? m_SocketV6 : m_SocketV4;

libi2pd/SSU2.h

@@ -66,6 +66,7 @@ namespace transport
 			bool IsSupported (const boost::asio::ip::address& addr) const;
 			uint16_t GetPort (bool v4) const;
 			bool IsSyncClockFromPeers () const { return m_IsSyncClockFromPeers; };
+			void AdjustTimeOffset (int64_t offset);
 
 			void AddSession (std::shared_ptr<SSU2Session> session);
 			void RemoveSession (uint64_t connID);
@@ -161,6 +162,7 @@ namespace transport
 			std::shared_ptr<SSU2Session> m_LastSession;
 			bool m_IsPublished; // if we maintain introducers
 			bool m_IsSyncClockFromPeers;
+			int64_t m_PendingTimeOffset; // during peer test
 
 			// proxy
 			bool m_IsThroughProxy;

libi2pd/SSU2Session.cpp

@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022-2023, The PurpleI2P Project
+* Copyright (c) 2022-2024, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@@ -1668,10 +1668,12 @@ namespace transport
 					if (m_Server.IsSyncClockFromPeers ())
 					{
 						if (std::abs (offset) > SSU2_CLOCK_THRESHOLD)
-						{
+						{	
-							LogPrint (eLogWarning, "SSU2: Clock adjusted by ", -offset, " seconds");
+							LogPrint (eLogWarning, "SSU2: Time offset ", offset, " from ", m_RemoteEndpoint);
-							i2p::util::AdjustTimeOffset (-offset);
+							m_Server.AdjustTimeOffset (-offset);
-						}
+						}	
+						else
+							m_Server.AdjustTimeOffset (0);
 					}
 					else if (std::abs (offset) > SSU2_CLOCK_SKEW)
 					{
@@ -2481,6 +2483,8 @@ namespace transport
 			else if (m_Address->IsV6 ())
 				i2p::context.SetTestingV6 (testing);
 		}
+		if (!testing)
+			m_Server.AdjustTimeOffset (0); // reset time offset when testing is over
 	}
 
 	size_t SSU2Session::CreateAddressBlock (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& ep)

libi2pd/Signature.cpp

@@ -18,12 +18,10 @@ namespace crypto
 	EDDSA25519Verifier::EDDSA25519Verifier ():
 		m_Pkey (nullptr)
 	{
-		m_MDCtx = EVP_MD_CTX_create ();
 	}
 
 	EDDSA25519Verifier::~EDDSA25519Verifier ()
 	{
-		EVP_MD_CTX_destroy (m_MDCtx);
 		EVP_PKEY_free (m_Pkey);
 	}
 
@@ -35,8 +33,17 @@ namespace crypto
 
 	bool EDDSA25519Verifier::Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const
 	{
-		EVP_DigestVerifyInit (m_MDCtx, NULL, NULL, NULL, m_Pkey);
+		if (m_Pkey)
-		return EVP_DigestVerify (m_MDCtx, signature, 64, buf, len);
+		{	
+			EVP_MD_CTX * ctx = EVP_MD_CTX_create ();
+			EVP_DigestVerifyInit (ctx, NULL, NULL, NULL, m_Pkey);
+			auto ret = EVP_DigestVerify (ctx, signature, 64, buf, len);
+			EVP_MD_CTX_destroy (ctx);	
+			return ret;	
+		}	
+		else
+			LogPrint (eLogError, "EdDSA verification key is not set");
+		return false;
 	}
 
 #else
@@ -101,7 +108,7 @@ namespace crypto
 
 #if OPENSSL_EDDSA
 	EDDSA25519Signer::EDDSA25519Signer (const uint8_t * signingPrivateKey, const uint8_t * signingPublicKey):
-		m_MDCtx (nullptr), m_Pkey (nullptr), m_Fallback (nullptr)
+		m_Pkey (nullptr), m_Fallback (nullptr)
 	{
 		m_Pkey = EVP_PKEY_new_raw_private_key (EVP_PKEY_ED25519, NULL, signingPrivateKey, 32);
 		uint8_t publicKey[EDDSA25519_PUBLIC_KEY_LENGTH];
@@ -111,30 +118,35 @@ namespace crypto
 		{
 			LogPrint (eLogWarning, "EdDSA public key mismatch. Fallback");
 			m_Fallback = new EDDSA25519SignerCompat (signingPrivateKey, signingPublicKey);
+			EVP_PKEY_free (m_Pkey);
+			m_Pkey = nullptr;
 		}
-		else
-			m_MDCtx = EVP_MD_CTX_create ();
 	}
 
 	EDDSA25519Signer::~EDDSA25519Signer ()
 	{
 		if (m_Fallback) delete m_Fallback;
-		EVP_MD_CTX_destroy (m_MDCtx);
+		if (m_Pkey) EVP_PKEY_free (m_Pkey);
-		EVP_PKEY_free (m_Pkey);
 	}
 
 	void EDDSA25519Signer::Sign (const uint8_t * buf, int len, uint8_t * signature) const
 	{
-		if (m_Fallback) return m_Fallback->Sign (buf, len, signature);
+		if (m_Fallback) 
-		else
+			return m_Fallback->Sign (buf, len, signature);
+		else if (m_Pkey)
 		{
+				
+			EVP_MD_CTX * ctx = EVP_MD_CTX_create ();
 			size_t l = 64;
 			uint8_t sig[64]; // temporary buffer for signature. openssl issue #7232
-			EVP_DigestSignInit (m_MDCtx, NULL, NULL, NULL, m_Pkey);
+			EVP_DigestSignInit (ctx, NULL, NULL, NULL, m_Pkey);
-			if (!EVP_DigestSign (m_MDCtx, sig, &l, buf, len))
+			if (!EVP_DigestSign (ctx, sig, &l, buf, len))
 				LogPrint (eLogError, "EdDSA signing failed");
 			memcpy (signature, sig, 64);
+			EVP_MD_CTX_destroy (ctx);
 		}
+		else
+			LogPrint (eLogError, "EdDSA signing key is not set");
 	}
 #endif
 }

libi2pd/Signature.h

@@ -304,7 +304,6 @@ namespace crypto
 		private:
 
 #if OPENSSL_EDDSA
-			EVP_MD_CTX * m_MDCtx;
 			EVP_PKEY * m_Pkey;
 #else
 			EDDSAPoint m_PublicKey;
@@ -342,7 +341,6 @@ namespace crypto
 
 		private:
 
-			EVP_MD_CTX * m_MDCtx;
 			EVP_PKEY * m_Pkey;
 			EDDSA25519SignerCompat * m_Fallback;
 	};

libi2pd/version.h

@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2023, The PurpleI2P Project
+* Copyright (c) 2013-2024, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@@ -19,7 +19,7 @@
 
 #define I2PD_VERSION_MAJOR 2
 #define I2PD_VERSION_MINOR 50
-#define I2PD_VERSION_MICRO 1
+#define I2PD_VERSION_MICRO 2
 #define I2PD_VERSION_PATCH 0
 #ifdef GITVER
 	#define I2PD_VERSION XSTRINGIZE(GITVER)