#622. Force SU3 verification by reseed.verify

2024-11-10 00:00:29 +03:00 · 2016-10-11 15:02:23 -04:00 · 2016-10-11 15:02:23 -04:00 · fe8a0c1a6b
commit fe8a0c1a6b
parent f0d098d0ef
3 changed files with 56 additions and 42 deletions
--- a/Config.cpp
+++ b/Config.cpp
@ -150,6 +150,7 @@ namespace config {
 	
 	options_description reseed("Reseed options");	
 	reseed.add_options()
+	  ("reseed.verify", value<bool>()->default_value(false), "Verify .su3 signature")	
 	  ("reseed.file", value<std::string>()->default_value(""),  "Path to .su3 file")
 #ifdef MESHNET
 	  ("reseed.urls", value<std::string>()->default_value("https://reseed.i2p.rocks:8443/"),  "Reseed URLs, separated by comma")
--- a/Reseed.cpp
+++ b/Reseed.cpp
@ -131,6 +131,9 @@ namespace data
 		s.read (signerID, signerIDLength); // signerID
 		signerID[signerIDLength] = 0;
 		
+		bool verify; i2p::config::GetOption("reseed.verify", verify);
+		if (verify)
+		{ 
 			//try to verify signature
 			auto it = m_SigningKeys.find (signerID);
 			if (it != m_SigningKeys.end ())
@ -162,6 +165,8 @@ namespace data
 						// we can't use RSA_verify due wrong padding in SU3
 						if (memcmp (enSigBuf + (signatureLength - 64), digest, 64))
 							LogPrint (eLogWarning, "Reseed: SU3 signature verification failed");
+						else
+							verify = false; // verified
 						delete[] enSigBuf;
 						BN_free (s); BN_free (n);
 						BN_CTX_free (bnctx);
@ -176,6 +181,13 @@ namespace data
 			}
 			else
 				LogPrint (eLogWarning, "Reseed: Certificate for ", signerID, " not loaded");
+		}
+
+		if (verify) // not verified
+		{
+			LogPrint (eLogError, "Reseed: SU3 verification failed");
+			return 0;
+		}	

 		// handle content
 		int numFiles = 0;
--- a/docs/configuration.md
+++ b/docs/configuration.md
@ -72,8 +72,9 @@ All options below still possible in cmdline, but better write it in config file:
 * --upnp.name=          - Name i2pd appears in UPnP forwardings list. I2Pd by default  

 * --precomputation.elgamal=  - Use ElGamal precomputated tables. false for x64 and true for other platforms by default  
-* --reseed.file         - Full path to SU3 file to reseed from  
-* --reseed.urls         - Reseed URLs, separated by comma
+* --reseed.verify=      - Request SU3 signature verification  
+* --reseed.file=        - Full path to SU3 file to reseed from  
+* --reseed.urls=        - Reseed URLs, separated by comma

 * --limits.transittunnels=  - Override maximum number of transit tunnels. 2500 by default