From e82bec667059b370b0cfd5df2a34647b8f32829c Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Sun, 21 Jul 2013 00:13:38 +0200 Subject: [PATCH 1/1] Forbid protocol version rollback. When we know a node's ECDSA key, we only allow communication via the SPTPS protocol. --- src/protocol_auth.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/protocol_auth.c b/src/protocol_auth.c index 05724d6f..f8a3cc3b 100644 --- a/src/protocol_auth.c +++ b/src/protocol_auth.c @@ -324,7 +324,7 @@ bool id_h(connection_t *c, const char *request) { if(c->protocol_major != myself->connection->protocol_major) { logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s (%s) uses incompatible version %d.%d", - c->name, c->hostname, c->protocol_major, c->protocol_minor); + c->name, c->hostname, c->protocol_major, c->protocol_minor); return false; } @@ -346,15 +346,21 @@ bool id_h(connection_t *c, const char *request) { return false; } - if(experimental && c->protocol_minor >= 2) { - if(!read_ecdsa_public_key(c)) - return false; - } + if(experimental) + read_ecdsa_public_key(c); } else { if(c->protocol_minor && !ecdsa_active(c->ecdsa)) c->protocol_minor = 1; } + /* Forbid version rollback for nodes whose ECDSA key we know */ + + if(ecdsa_active(c->ecdsa) && c->protocol_minor < 2) { + logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s (%s) tries to roll back protocol version to %d.%d", + c->name, c->hostname, c->protocol_major, c->protocol_minor); + return false; + } + c->allow_request = METAKEY; if(c->protocol_minor >= 2) { -- 2.39.5