GithubHelp home page GithubHelp logo

i2p / i2p.i2p Goto Github PK

View Code? Open in Web Editor NEW
1.9K 127.0 302.0 456.66 MB

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties.

Home Page: https://geti2p.net

License: Other

Shell 1.12% Java 87.25% HTML 3.70% JavaScript 1.07% Scala 0.09% Python 0.11% Makefile 0.43% C 0.34% Perl 0.02% CSS 4.82% C++ 0.34% Batchfile 0.08% Roff 0.61% Dockerfile 0.01%
i2p java p2p network router monotone anonymity crypto

i2p.i2p's Introduction

I2P

This is the source code for the reference Java implementation of I2P.

Latest release: https://geti2p.net/download

Installing

See INSTALL.txt or https://geti2p.net/download for installation instructions.

Documentation

https://geti2p.net/how

FAQ: https://geti2p.net/faq

API: http://docs.i2p-projekt.de/javadoc/ or run 'ant javadoc' then start at build/javadoc/index.html

How to contribute / Hack on I2P

Please check out HACKING.md and other documents in the docs directory.

Building packages from source

To get development branch from source control: https://geti2p.net/newdevelopers

Prerequisites

  • Java SDK (preferably Oracle or OpenJDK) 8 or higher
    • Non-linux operating systems and JVMs: See https://trac.i2p2.de/wiki/java
    • Certain subsystems for embedded (core, router, mstreaming, streaming, i2ptunnel) require only Java 6
  • Apache Ant 1.9.8 or higher
  • The xgettext, msgfmt, and msgmerge tools installed from the GNU gettext package http://www.gnu.org/software/gettext/
  • Build environment must use a UTF-8 locale.

Ant build process

On x86 systems do:

ant pkg

On non-x86, use one of the following instead:

ant installer-linux
ant installer-freebsd
ant installer-osx

Run 'ant' with no arguments to see other build options.

Gradle build process

Full builds of installers or updates are not yet possible, but the code can be compiled with:

./gradlew assemble

This will download dependencies over the clearnet by default, including Gradle itself. To download through a SOCKS proxy (e.g. Tor), add the following lines to your ~/.gradle/gradle.properties:

systemProp.socksProxyHost=localhost
systemProp.socksProxyPort=9150

Development builds

Automatic CI builds are available at the continuous integration page.

Docker

For more information how to run I2P in Docker, see Docker.md

Contact info

Need help? See the IRC channel #i2p on irc.freenode.net

Bug reports: https://i2pgit.org/i2p-hackers/i2p.i2p/-/issues http://git.idk.i2p/i2p-hackers/i2p.i2p/-/issues

Contact information, security issues, press inquiries: https://geti2p.net/en/contact

Twitter: @i2p, @geti2p

Licenses

See LICENSE.txt

i2p.i2p's People

Contributors

apsoyka avatar ducki2p avatar echeloni2p avatar eyedeekay avatar hungryhobo avatar hurui200320 avatar jeanluc162 avatar kfeoktistoff avatar kpetku avatar kytvi2p avatar loveisgrief avatar mehdie79 avatar mikalv avatar obscuratus-i2p avatar robertfoss avatar shisheng-1 avatar shoalsteed avatar str4d avatar welterde avatar y2kboy23 avatar zlatinb avatar zzzi2p avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

i2p.i2p's Issues

https://deb.i2p2.de not responding

I'm sorry to open a bug report here for this kind of problem but I've not found a better way.

It's a few weeks the debian reposository is not accessible, is this a know issue?

Unzip to folder

Please unzip to a folder with the project name. E.g. if the installer is run from ~/Downloads/, unzip to ~/Downloads/i2p/.

Observable Timing Discrepancy (Timing Attack)

    return digestHexCache;
}

public boolean digestEquals(byte[] otherDigest) {
    return Arrays.equals(digest, otherDigest);

An attacker can guess the secret value of digest because it is compared using java.util.Arrays.equals, which is vulnerable to timing attacks. Use java.security.MessageDigest.isEqual to compare values securely.
line:154
/core/java/src/org/minidns/record/DelegatingDnssecRR.java#L154)

Floodfill router DoS Mitigation

In light of the recent Floodfill router DDoS. Denial-of-service is an effective means of censorship and I can see attacks like this becoming a bigger concern on the network. Seeing as the basis of this attack is that there simply are too many of floodfill routers, the first step is making it more difficult to create new floodfill routers and have them join:

  1. Each node should have a hard-coded ceiling IP address limit - seeing a floodfill advertisement or a direct connection will count against the IP limit. In practice I think a limit of ~10 would be unlikely to filter legitimate traffic, once the cap is hit - ignore future advertisements for that "unique" floodfill.
  2. Require that floodfill routers generate a unique, timestamped zoro-prefix'ed signature as a proof-of-work that is used for their first advertisement. A CPU bound process local process of a PoW will limit a floodfill router's ability eating community DHT resources. Even generating just one PoW would make floodfilll DoS more difficult to carry out.

Another approach is a reputation system, and being able to report on reputation solves the problem of a large number of floodfill routers working together and refusing to forwarding traffic.

  1. Use a libp2p-style pub/sub establish a CRDT communal counter (OrbitDB has one of these data types). Each counter is a k/v pair of the hash of the public key of a node on the network so that anyone can lookup a reputation score of a public key using the DHT.
  2. Votes which have been cast by nodes with higher reputation should be seen as more valuable, where as votes cast by nodes without reputation should be seen as less so.
  3. On a regular interval a high-reputation node to establish connections with nodes, and subtract reputation if a message wasn't routed. (not all that unlike PoS elections)

Nodes gain reputation through good actions - and can quickly loose it for misbehaving, which is why judgement needs to be carried out by another trusted node on the network, but not the same node - a randomly elected node, which is similar to Ethereum's Proof of Stake election system.

If i am not mistaken the attacker wants to find as many legitimate floodfill routers out there to flood them with new requests which are then re-transmitted. I don't know how difficult it is to enumerate all floodfill routers. I suspect this is already happening, where a passive observer can collect them all. I'm not sure what we would gain by hiding them, or if hiding the list of routers is even possible.

i2p / Namecoin Integration

Hi!

probably you have heard of Namecoin. Maybe there are ways for us to work together, e.g. make .bit resolve to i2p domains? You are always welcome to our forum.

Cheers,

phelix

ERROR: Failed to start i2ptunnel java.lang.NoClassDefFoundError: jakarta/servlet/ServletException

I previously, for version 2.0.0 I believe, followed the instructions for installation on debian here.

I built this as a docker image.
Everything worked fine.

Today I basically rebuilt it all, to pull in the latest i2p packages.

When starting i2p router, I see errors like these in the logs:

2023/03/22 16:31:23 | ERROR: Failed to start i2ptunnel java.lang.NoClassDefFoundError: jakarta/servlet/ServletException
2023/03/22 16:31:23 | java.lang.NoClassDefFoundError: jakarta/servlet/ServletException
2023/03/22 16:31:23 | 	at java.base/java.lang.Class.getDeclaredConstructors0(Native Method)
2023/03/22 16:31:23 | 	at java.base/java.lang.Class.privateGetDeclaredConstructors(Class.java:3373)
2023/03/22 16:31:23 | 	at java.base/java.lang.Class.getConstructor0(Class.java:3578)
2023/03/22 16:31:23 | 	at java.base/java.lang.Class.getDeclaredConstructor(Class.java:2754)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.server.handler.ContextHandler$StaticContext.createInstance(ContextHandler.java:2902)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.servlet.ServletContextHandler$Context.createInstance(ServletContextHandler.java:1299)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.server.handler.ContextHandler$StaticContext.createServlet(ContextHandler.java:2919)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.servlet.ServletHolder.newInstance(ServletHolder.java:1202)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:592)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.servlet.ServletHolder.initialize(ServletHolder.java:415)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:750)
2023/03/22 16:31:23 | 	at java.base/java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:357)
2023/03/22 16:31:23 | 	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:510)
2023/03/22 16:31:23 | 	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
2023/03/22 16:31:23 | 	at java.base/java.util.stream.StreamSpliterators$WrappingSpliterator.forEachRemaining(StreamSpliterators.java:310)
2023/03/22 16:31:23 | 	at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:735)
2023/03/22 16:31:23 | 	at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:762)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:774)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:379)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1449)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1414)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:916)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:288)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
2023/03/22 16:31:23 | 	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
2023/03/22 16:31:23 | 	at net.i2p.router.web.WebAppStarter.startWebApp(WebAppStarter.java:126)
2023/03/22 16:31:23 | 	at net.i2p.router.web.WebAppStarter.startWebApp(WebAppStarter.java:101)
2023/03/22 16:31:23 | 	at net.i2p.router.web.RouterConsoleRunner.startConsole(RouterConsoleRunner.java:844)
2023/03/22 16:31:23 | 	at net.i2p.router.web.RouterConsoleRunner.startup(RouterConsoleRunner.java:239)
2023/03/22 16:31:23 | 	at net.i2p.router.startup.RouterAppManager.addAndStart(RouterAppManager.java:54)
2023/03/22 16:31:23 | 	at net.i2p.router.startup.LoadClientAppsJob$RunApp.run(LoadClientAppsJob.java:303)
2023/03/22 16:31:23 | 	at java.base/java.lang.Thread.run(Thread.java:833)
2023/03/22 16:31:23 | 	at net.i2p.util.I2PThread.run(I2PThread.java:103)
2023/03/22 16:31:23 | Caused by: java.lang.ClassNotFoundException: jakarta.servlet.ServletException
2023/03/22 16:31:23 | 	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
2023/03/22 16:31:23 | 	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
2023/03/22 16:31:23 | 	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)
2023/03/22 16:31:23 | 	... 33 more

Obviously nothing works.

This feels like a missed dependency in the i2p package, but maybe I'm mistaken and there is some way to fix this from the OS/container side?

OS used: debian bookworm (slim base image tag)
JDK: OpenJDK 17-jre (installed as dependency for i2p)

The same behaviour exist on x86 and armhf.

Improper Neutralization of CRLF Sequences in HTTP Headers

	SSDPNotifyRequest ssdpReq = new SSDPNotifyRequest();
	ssdpReq.setServer(UPnP.getServerName());
	ssdpReq.setLeaseTime(dev.getLeaseTime());
	ssdpReq.setLocation(devLocation);

lines 661 ,
664, ssdpReq.setUSN(serviceUSN);
686, ssdpReq.setUSN(devUSN);
711, dev.postSearchResponse(ssdpPacket, serviceNT, serviceUSN);
716, dev.postSearchResponse(ssdpPacket, serviceType, serviceUSN);

Unsanitized input from data from a remote resource flows into setHeader and reaches an HTTP header returned to the user. This may allow a malicious input that contain CR/LF to split the http response into two responses and the second response to be controlled by the attacker. This may be used to mount a range of attacks such as cross-site scripting or cache poisoning.

router/java/src/org/cybergarage/upnp/Service.java#L661)

caps=D @ ARM vserver ?

i2p is running at an ARM vserver, but only gets caps = PRD
D == Congested is probably hard coded, because 1st arm here in the past were light headed raspberry pi's ?
But now we have multi cpu ARM vserver - is the "D" still required ?
How can we detect it ?

lscpu

Architecture:             aarch64                                                                                           
  CPU op-mode(s):         32-bit, 64-bit                                                                                    
  Byte Order:             Little Endian                                                                                     
CPU(s):                   6                                                                                                 
  On-line CPU(s) list:    0-5                                                                                               
Vendor ID:                ARM                                                                                               
  Model name:             Neoverse-N1                                                                                       
    Model:                1                                                                                                 
    Thread(s) per core:   1                                                                                                 
    Core(s) per cluster:  6         

I2P Version and Running Environment

I2P version:	2.5.1-0
API version:	0.9.62
Java version:	Debian 17.0.11 (OpenJDK Runtime Environment 17.0.11+9-Debian-1deb12u1)
Wrapper version:	3.5.44
Server version:	9.3.30.v20211001
Servlet version:	Jasper JSP 2.3 Engine (3.1)
JSTL version:	standard-taglib 1.2.0
Platform:	Linux aarch64 6.1.0-20-arm64
Processor:	(armv8)
JBigI status:	Locally optimized library libjbigi-linux-armv8_64.so loaded from file
GMP version:	6.2.0
JBigI version:	4
Encoding:	UTF-8
Charset:	UTF-8
Service:	false
Built:	2024-05-06 19:41:38 UTC
Built By:	idk

Thanks

fresh install with split-config breaks the addressbook

I'm the maintainer for i2p on Gentoo and we found an issue when freshly installing the package. We are using there a split-install, having a directory in /usr/share/i2p for the install and a separated user directory in /var/lib/i2p. The launcher is started in the install dir, with -Di2p.dir.app=/var/lib/i2p/app -Di2p.dir.config=/var/lib/i2p/config -Di2p.dir.router=/var/lib/i2p/router.

Now, when starting the router for the first time, some install files are copied to the user directory. The hosts.txt is put by it in the config dir.
The default config of the addressbook points to some relative files (for eg defaultSettings.put("router_addressbook", "../hosts.txt")), which is only valid in a non-split setup. The addressbook files resides in the router directory, not in the config one. So we end up with an empty addressbook, which isn't even able to sync with subscriptions as no address can be resolved.

I'm unsure of how to best approach it, I see a few ways to do so but not a clear one (from what I gathered, there is not a dedicated way to know what is the known list of address)

  • should the default config point to the install directory?
    • but files there are not writable, and router_addressbook wants to update it
  • should the migration process actually copy the hosts.txt to the addressbook?
    • there is a bunch of references to "hosts.txt" throughout the code, so I'm scared of having it defined sometimes via the install dir and sometimes via the addressbook

@eyedeekay, btw I registered on git.idk.i2p around a month ago, I would happily continue the conversation there if you accept me :)

i2psnark.upbw.max not applied after restart.

db52cc7 i2psnark: Bandwidth limiter improvements introduced a bug:
i2psnark.upbw.max is not applied during restart.
Though the desired value is present in i2psnark.config file.
i2psnark.downbw.max is not affected.

I think the bug is here:

SnarkManager.java, getBWLimit()

            int maxup = getInt(PROP_UPBW_MAX, DEFAULT_MAX_UP_BW);
            _util.setMaxUpBW(up);
            _bwManager.setUpBWLimit(Math.min(up, maxup) * 1000L);

--> setMaxUpBW is called before the Math.min ?

Thanks.

I2P "B33" / Encrypted Base32 Address Encoding In Rust

Overview

Hello, I'm attempting to work with encrypted leasesets using rust, and am having difficulties calculating the encrypted/blinded destination address. Any attempt at using the derived b33 addresses results in a lookup error being returned:

Corrupt b32 address (or unsupported options)

Implementation

So far this is the function I have written modified from the java implementation

pub fn b33_address(
  public_key_data: &[u8], 
  public_key_type: u8,
  require_secret: bool, 
  client_auth: bool
) -> Option<String> {
    if public_key_type != 7 && public_key_type != 11 {
      return None;
    }
    let mut data_vec = Vec::with_capacity(public_key_data.len()+3);
    data_vec.extend_from_slice(&[0, 0, 0]);
    data_vec.extend_from_slice(public_key_data);
    let summer: Crc<u32> = Crc::<u32>::new(&crc::CRC_32_CKSUM);
    let chk_sum = summer.checksum(&data_vec[3..]);
    if require_secret {
      data_vec[0] = 0x02;
    }
    if client_auth {
      data_vec[0] |= 0x04;
    }
    data_vec[1] = (public_key_type & 0xff) as u8;
    data_vec[2] = (11 & 0xff) as u8;
    data_vec[0] ^= chk_sum as u8;
    data_vec[1] ^= (chk_sum >> 8) as u8;
    data_vec[2] ^= (chk_sum >> 16) as u8;
    Some(format!("{}.b32.i2p", BASE32_I2P.encode(&data_vec)))
}

And here is how I'm testing:

    let pub_key = "3eFx8MpIlacWgW0sooXtYUXsd61WpbmnZscoiDIBlbQ=".to_string();
    let pub_key = BASE64_I2P.decode(pub_key.as_bytes()).unwrap();
    let addr =b33_address(&pub_key[..],7, true, true).unwrap();
    println!("{}", addr);

Note that to generate the base64 string stored in the variable pub_key, I'm using the i2p-rs library, and running the following from

	let (pubkey, seckey) = {
		let mut sam_conn = SamConnection::connect(DEFAULT_API).unwrap();
		sam_conn
			.generate_destination(SignatureType::EdDsaSha512Ed25519)
			.unwrap()
	};
	let decoded = BASE64_I2P.decode(pubkey.as_bytes()).unwrap();
        // the output of this is stored in the `pub_key` variable
	println!("public key {}", BASE64_I2P.encode(&decoded[0..32]));

The result of the test is the following "b33" address m7nz7xpbohymusevu4lic3jmukc62ykf5r322vvfxgtwnrzirazadfnu.b32.i2p however when attempting to navigate to that address using my web browser, I receive the following error message

Corrupt b32 address (or unsupported options)

Key Material

I've included the following keys generated via the SAM api, using sig type 7 (EdDSA_SHA512_Ed25519)

Public Key:

3eFx8MpIlacWgW0sooXtYUXsd61WpbmnZscoiDIBlbTd4XHwykiVpxaBbSyihe1hRex3rValuadmxyiIMgGVtN3hcfDKSJWnFoFtLKKF7WFF7HetVqW5p2bHKIgyAZW03eFx8MpIlacWgW0sooXtYUXsd61WpbmnZscoiDIBlbTd4XHwykiVpxaBbSyihe1hRex3rValuadmxyiIMgGVtN3hcfDKSJWnFoFtLKKF7WFF7HetVqW5p2bHKIgyAZW03eFx8MpIlacWgW0sooXtYUXsd61WpbmnZscoiDIBlbTd4XHwykiVpxaBbSyihe1hRex3rValuadmxyiIMgGVtN3hcfDKSJWnFoFtLKKF7WFF7HetVqW5p2bHKIgyAZW03eFx8MpIlacWgW0sooXtYUXsd61WpbmnZscoiDIBlbTd4XHwykiVpxaBbSyihe1hRex3rValuadmxyiIMgGVtN~I24i13ln4SUng99dgTQX33scumIuRGu38WuL80hc3BQAEAAcAAA==

Secret Key:

3eFx8MpIlacWgW0sooXtYUXsd61WpbmnZscoiDIBlbTd4XHwykiVpxaBbSyihe1hRex3rValuadmxyiIMgGVtN3hcfDKSJWnFoFtLKKF7WFF7HetVqW5p2bHKIgyAZW03eFx8MpIlacWgW0sooXtYUXsd61WpbmnZscoiDIBlbTd4XHwykiVpxaBbSyihe1hRex3rValuadmxyiIMgGVtN3hcfDKSJWnFoFtLKKF7WFF7HetVqW5p2bHKIgyAZW03eFx8MpIlacWgW0sooXtYUXsd61WpbmnZscoiDIBlbTd4XHwykiVpxaBbSyihe1hRex3rValuadmxyiIMgGVtN3hcfDKSJWnFoFtLKKF7WFF7HetVqW5p2bHKIgyAZW03eFx8MpIlacWgW0sooXtYUXsd61WpbmnZscoiDIBlbTd4XHwykiVpxaBbSyihe1hRex3rValuadmxyiIMgGVtN~I24i13ln4SUng99dgTQX33scumIuRGu38WuL80hc3BQAEAAcAAMTRtED335Fs3UCsTmT65U~tnkqMzcfGprDZ6UDKCFp~LPWL73lcud9JTpSk2JIRbskxFLKziPwTi-O2rC4nsjDDxLsHowR--R1bloIjn73S7T-Wcy2FCbZgsi~O~vhKEZohlnCI46GwgNJVwRHr0AvBfe4VrZFfF-ti73alo0Jv3m-C15vReuwS15JW1DN2mFI6FqB4bru0wIqi359JprVgTSrViIdNAmLpVtaoLuCAt-iT6Uhr2F6xncw~yz1UFmqpRQqszUTk09vluEKeWZomc9v7sPUvpCjQKoahD2pP7svlxuAXIDGGrTpNg3U~7vrp1eFXt1y6FzrRI6HzgnVfbU5EIqQTI~FqdQAr9uVV5590LzJfSShF32I83oMWDQ==

Was working then suddenly stopped

Using debian bullseye I installed i2p using the package manager and it was working fine at first. Could access clearnet and i2p sites all I had to do was set my proxy settings to 127.0.0.1 and port 4444 and it worked. Now I am doing exactly the same thing (haven't changed a thing on the computer) but now I can't access either clearnet or i2p websites. Either proxy refused connection or website timeouts on clearnet websites.

It's so annoying when you install a program and it works fine. Then you start it up again after changing absolutely nothing and yet it refuses to work properly. Not sure what's causing it to not work but assuming a bug considering it was working then suddenly stopped and I can still access configuration page etc. and all settings are correct. i2prouter status reports everything running as normal.

multiable Hardcoded Secrets cve

private static final boolean USE_SYSTEM_AES = hasAESNI() && CryptoCheck.isUnlimited();

private static final boolean CACHE = true;
private static final int CACHE_SIZE = 8;
private static final SecretKeySpec ZERO_KEY = new SecretKeySpec(new byte[32], "AES"); line 52

Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead.
‎core/java/src/net/i2p/crypto/CryptixAESEngine.java
Open this link in a new tab
2 steps in 1 file

Hardcoded Secret

} catch (NoSuchMethodError nsme) {
// JamVM, gij
try {
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
SecretKeySpec key = new SecretKeySpec(new byte[32], "AES");
27 line

Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead.
[‎core/java/src/net/i2p/crypto/CryptoCheck.java]

private static final boolean USE_SYSTEM_AES = hasAESNI() && CryptoCheck.isUnlimited();

private static final boolean CACHE = true;
private static final int CACHE_SIZE = 8;
private static final SecretKeySpec ZERO_KEY = new SecretKeySpec(new byte[32], "AES");

line 53

Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead.
‎core/java/src/net/i2p/crypto/CryptixAESEngine.java

KeyFactory kf = KeyFactory.getInstance("RSA");
// private key is modulus (pubkey) + exponent
BigInteger[] nd = split(pk.getData());
// modulus exponent
KeySpec ks = new RSAPrivateKeySpec(nd[0], nd[1]);
line 513

Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead.
[‎core/java/src/net/i2p/crypto/SigUtil.java]

multiable Use of Password Hash With Insufficient Computational Effort :CVE

The SHA-1 hash (used in java.security.MessageDigest.getInstance) is insecure. Consider changing it to a secure hash algorithm

boolean useBitzi = true;
    if (SystemVersion.isApache() ||            // Harmony
        SystemVersion.isGNU()) {               // JamVM or gij
        try {

128: MessageDigest.getInstance("SHA-1");

[‎core/java/src/net/i2p/crypto/SHA1.java

 */
public static MessageDigest getInstance() {
    if (!_useBitzi) {
        try {

65: return MessageDigest.getInstance("SHA-1");
[‎core/java/src/com/nettgryppa/security/HashCash.java

    throw new IllegalArgumentException("Resource may not contain a colon.");

HashCash result = new HashCash();

179: MessageDigest md = MessageDigest.getInstance("SHA1");

[‎core/java/src/com/nettgryppa/security/HashCash.java]

 *  @return 16 bytes, or null on error
 */
public static byte[] md5Sum(byte[] data) {
    try {

229: MessageDigest md = MessageDigest.getInstance("MD5");

[‎core/java/src/net/i2p/util/PasswordManager.java] core/java/src/net/i2p/util/PasswordManager.java#L229)

The MD5 hash (used in java.security.MessageDigest.getInstance) is insecure. Consider changing it to a secure hash algorithm

    // for backwards compatability.  next time we have a backwards
    // incompatible change, we should update this by removing ", 32"
    // SEE NOTES ABOVE
    try {

108: MessageDigest md = MessageDigest.getInstance("MD5");

/router/java/src/net/i2p/router/transport/udp/SSUHMACGenerator.java#L108)

	s.append(ipInt);
	s.append('+');
	s.append(inetSalt);
	MessageDigest md;

95: md = MessageDigest.getInstance("SHA1");

apps/imagegen/identicon/core/src/main/java/com/docuverse/identicon/IdenticonUtil.java#L95)

Many sites not accessible with 2.3.0 docker image

The latest Docker image running 2.3.0-1 is unable to connect to most sites. Planet I2P works fine, but many others, such as notbob and the I2P forum, present an error screen that says "The website was not reachable, because it uses encryption options that are not supported by your I2P or Java version."

It was working under 2.2.0. Because I upgraded I also tested with a fresh config and still get the same error.

Docker instructions out of date

Greetings and thank you for your great work!

I have to report that I ran into issues with Docker and docker-compose lately, and I hope I‘m in the right spot here to address what I found.

So when updating today after some weeks of operation, my whole setup basically died. As I found out, the reason is that I‘m told e.g. here to mount my config to /i2p/.i2p, but now everything sits directly in /i2p inside the container. So I ended up with an ignored folder where my config etc. sits and stuff like router.config is duplicated in i2p but only contains very brief defaults, so nothing works.

Pinning the image in my docker-compose.yaml like so does the trick for now: image: geti2p/i2p:i2p-i2p-2.1.0 This way though, I‘m cut off from updates etc., so I‘d rather know how I‘m supposed to mount my config etc. into the container - over time, my .i2p folder accumulated some stuff and mounting every file manually into the container doesn‘t seem feasible to me.

Again, thanks for the effort of maintaining this for already two decades, and regards!

Inadequate Encryption Strength CVE multiables

if (_log.shouldLog(Log.INFO))
_log.info("Loaded total of " + totalAdds + " new trusted certificates");

    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

line:430

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.
[‎core/java/src/net/i2p/util/SSLEepGet.java]

    return false;
    }
    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

line:141

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.
[‎router/java/src/net/i2p/router/client/SSLClientListenerRunner.java]

        // don't continue, since we didn't load the system keystore, we have nothing.
        throw new GeneralSecurityException(msg);
    }

529: SSLContext sslc = SSLContext.getInstance("TLS");

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.
[‎core/java/src/net/i2p/util/I2PSSLSocketFactory.java]

   }

    InputStream fis = null;
    try {

#198 SSLContext sslc = SSLContext.getInstance("TLS");

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.
[‎apps/i2ptunnel/java/src/net/i2p/i2ptunnel/SSLClientUtil.java]

    }

    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

163:

[‎apps/sam/java/src/net/i2p/sam/client/SSLUtil.java]

    }

    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

162:
[‎apps/sam/java/src/net/i2p/sam/SSLUtil.java

learn how to fix
https://learn.snyk.io/lesson/insecure-hash/?authenticate=automatic

Use of Hardcoded Credentials

*/
public static KeyStore createKeyStore(File ksFile, String password)
throws GeneralSecurityException, IOException {
boolean exists = ksFile != null && ksFile.exists();
char[] pwchars = password != null ? password.toCharArray() : null;

Do not hardcode passwords in code. Found hardcoded password used in
core/java/src/net/i2p/crypto/KeyStoreUtil.java#L155)

following lines 155,170,204,223,245,251,258,1021,1050,1152,1184,1209,1443,

DEFAULT_KEYSTORE_PASSWORD.toCharArray());

password.toCharArray() :

ksPW.toCharArray()

apps/i2pcontrol/java/net/i2p/i2pcontrol/security/SecurityManager.java#L43)


``` **
 * Manage the password storing for I2PControl.
 */
public class SecurityManager {
    public final static String DEFAULT_AUTH_PASSWORD = "itoopie";

multiable SSRF server side request forgery CVE

n sanitized input from data from a remote resource flows into openConnection, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.
‎router/java/src/org/cybergarage/xml/Parser.java:97

‎router/java/src/org/cybergarage/xml/Parser.java:135
‎core/java/src/net/i2p/util/EepGet.java:310
‎router/java/src/org/cybergarage/xml/Parser.java:160

".i2p" make it flexible

I was wondering if possible to modify this condition inseted of ".i2p" make it accepting any/flexible ending is that possible or has been discussed before. for example I need to set my domain ppp.y is it possible not to use ppp.i2p ?

path: i2p.i2p\core\java\src\net\i2p\client\naming\EepGetAndAddNamingService.java
if (hostname.length() < 516 && hostname.endsWith(".i2p") && ! hostname.endsWith(".b32.i2p")) {

Link to an Irc2P client on I2P router console home

Not that it's too difficult to connect an existing IRC client to the Irc2P network, but I think it would be nice to have an icon on the homepage for easy access.

I'm not really a web developer, but it seems like all you'd need to do is include a javascript IRC client configured to point to localhost:6668. Freenode's webchat does this using qwebirc (https://webchat.freenode.net/).

If we think this would be useful/feasible, I could have a go at implementing this myself.

Doesn't work

Latest version of i2p installed from the debian repository. Connecting to i2p websites gives connection reset error, connecting to clearnet gives connection refused error.

Any chance of this software ever working properly or shall I just forget about it.

4 open redirects CVE

Open Redirect

url = url.substring(0, qq);
buf.append(url);
if (q != null && q.length() > 0)
buf.append(q.replace("&", "&")); // no you don't html escape the redirect header
resp.setHeader("Location", buf.toString());
line # 2480

[‎apps/susimail/src/src/i2p/susi/webmail/WebMail.java]
Open this link in a new tab

   url = url.substring(0, url.length() - 5);
    buf.append(url);
    if (p.length() > 0)
        buf.append(p.replace("&amp;", "&"));  // no you don't html escape the redirect header
    resp.setHeader("Location", buf.toString());

line 1617

Unsanitized input from the request URL flows into setHeader, where it is used as an URL to redirect the user. This may result in an Open Redirect vulnerability.
[‎apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java]

Unsanitized input from the request URL flows into setHeader, where it is used as an URL to redirect the user. This may result in an Open Redirect vulnerability.
[‎apps/routerconsole/jsp/index.jsp:50]

Unsanitized input from the request URL flows into setHeader, where it is used as an URL to redirect the user. This may result in an Open Redirect vulnerability.
[‎apps/routerconsole/java/src/net/i2p/router/web/HostCheckHandler.java:193]

Router Password

After my initial setup on Windows went perfectly I set a username and password. I can no longer login with the combination I chose. How can I have this reset?

Docker arm images

Are there any plans on updating the docker image to support ARM?

  • Jason

Improper Neutralization of CRLF Sequences in HTTP Headers number 2

Unsanitized input from data from a remote resource flows into setHeader and reaches an HTTP header returned to the user. This may allow a malicious input that contain CR/LF to split the http response into two responses and the second response to be controlled by the attacker. This may be used to mount a range of attacks such as cross-site scripting or cache poisoning.

router/java/src/org/cybergarage/upnp/Device.java#L485)

functions causing issues
ssdpRes.setST
ssdpReq.setUSN
ssdpReq.setNT
childDevice.announce
announce
device

########################################################
return null;
Node devNode = rootNode.getNode(Device.ELEM_NAME);
if (devNode == null)
return null;
return new Device(rootNode, devNode);
###################################################
Node devNode = getDeviceNode();
Node aux = null;
//
aux = devNode.getParentNode().getParentNode();
return new Device(aux);
######################################################
if (isRootDevice() == true) {
String devNT = getNotifyDeviceNT();
String devUSN = getNotifyDeviceUSN();
ssdpReq.setNT(devNT);
ssdpReq.setUSN(devUSN);
######################################################
ssdpReq.setUSN(devUSN);
ssdpSock.post(ssdpReq);

		String devUDN = getUDN();
		ssdpReq.setNT(devUDN);

#########################################################
ssdpSock.post(ssdpReq);

		String devUDN = getUDN();
		ssdpReq.setNT(devUDN);
		ssdpReq.setUSN(devUDN);

#############################################################
// uuid:device-UUID::urn:schemas-upnp-org:device:deviceType:v
String devNT = getNotifyDeviceTypeNT();
String devUSN = getNotifyDeviceTypeUSN();
ssdpReq.setNT(devNT);
#############################################################
ServiceList serviceList = getServiceList();
int serviceCnt = serviceList.size();
for (int n = 0; n < serviceCnt; n++) {
Service service = serviceList.getService(n);
service.announce(bindAddr);
#############################################################
DeviceList childDeviceList = getDeviceList();
int childDeviceCnt = childDeviceList.size();
for (int n = 0; n < childDeviceCnt; n++) {
Device childDevice = childDeviceList.getDevice(n);
childDevice.announce(bindAddr);
##############################################################
if (bindAddresses[j] == null || bindAddresses[j].length() == 0)
continue;
int ssdpCount = getSSDPAnnounceCount();
for (int i = 0; i < ssdpCount; i++)
announce(bindAddresses[j]);
##############################################################
// uuid:device-UUID(::upnp:rootdevice)*
if (isRootDevice() == true) {
String devNT = getNotifyDeviceNT();
String devUSN = getNotifyDeviceUSN();
ssdpReq.setNT(devNT);
###############################################################
if (isRootDevice() == true) {
String devNT = getNotifyDeviceNT();
String devUSN = getNotifyDeviceUSN();
ssdpReq.setNT(devNT);
ssdpReq.setUSN(devUSN);
################################################################
// uuid:device-UUID::urn:schemas-upnp-org:device:deviceType:v
String devNT = getNotifyDeviceTypeNT();
String devUSN = getNotifyDeviceTypeUSN();
ssdpReq.setNT(devNT);
#######################################################
// uuid:device-UUID::urn:schemas-upnp-org:device:deviceType:v
String devNT = getNotifyDeviceTypeNT();
String devUSN = getNotifyDeviceTypeUSN();
ssdpReq.setNT(devNT);
ssdpReq.setUSN(devUSN);
###############################################
SSDPSearchResponse ssdpRes = new SSDPSearchResponse();
ssdpRes.setLeaseTime(getLeaseTime());
ssdpRes.setDate(cal);
ssdpRes.setST(st);

Use of Hardcoded, Security-relevant Constants

private static final String PROP_LS_SPK = "i2cp.leaseSetSigningPrivateKey";
// LS 2
public static final String PROP_LS_TYPE = "i2cp.leaseSetType";
private static final String PROP_LS_ENCTYPE = "i2cp.leaseSetEncType";
private static final String PROP_SECRET = "i2cp.leaseSetSecret";

line:70
Avoid hardcoding values that are meant to be secret. Found hardcoded secret.

core/java/src/net/i2p/client/impl/RequestLeaseSetMessageHandler.java#L70)

slow

erorro no connect

Can't access I2P router.

i2p
I still can access eepsites, but I just can't access the router, and this happened after the last update.

i2psnark themes behave different

i2psnark themes behave different

dark: ok
light: torrent names are central aligned, not left-aligned, clear messages button not working
ubergine: ok
vanilla torrent names are central aligned, not left-aligned,

Please make all themes behave the same, I like the light/vanilla one :-)

Thanks.

"headless" installer is not "headless"

java -jar i2pinstall_0.9.22.jar -console prompts for info, is there a way, or can you add a way to actually install this without any prompting? Thanks.

router memory usage huge and not limitid by jvm size

hi,

docker, 2.1.0-2 and 2.0.0.

router console says:
image

compose is set with this:
image

docker stats says:
image
so, i dont know where the 2496MB limit comes from.

the memory amount keeps filling until the max, then i looks like i2p crashes and restarts. Cant find any logs that show me an error.

//--
removed the compose JVM_XMX environment variable:
image

2 uses of risky/ broken cryptograhic alogrithm CVE

line #22
// a NoSuchAlgorithmException
} catch (NoSuchMethodError nsme) {
// JamVM, gij
try {
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");

The CBC mode used in javax.crypto.Cipher.getInstance does not provide integrity. Consided using Galois/Counter Mode.
[‎core/java/src/net/i2p/crypto/CryptoCheck.java]

line 272
private Cipher acquire() {
Cipher rv = _ciphers.poll();
if (rv == null) {
try {
rv = Cipher.getInstance("AES/CBC/NoPadding");

The CBC mode used in javax.crypto.Cipher.getInstance does not provide integrity. Consided using Galois/Counter Mode.
[‎core/java/src/net/i2p/crypto/CryptixAESEngine.java]

stack guard error

On startup, I get the following error:

Starting I2P 2.3.0-4
OpenJDK 64-Bit Server VM warning: You have loaded library /tmp/i2p-DBusBrQL.tmp/libjbigi.so which might have disabled stack guard. The VM will try to fix the stack guard now.
It's highly recommended that you fix the library with 'execstack -c <libfile>', or link it with '-z noexecstack'.

I am running image geti2p/i2p:latest.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.