Applied patch. Although it had to be done manually - something caused lots of
spurious invisible \240's characters in the below text.
No idea how to rebuild stable, I'll try to get around to it at some point.
On Friday 02 November 2007 04:50, Nomen Nescio wrote:
(please excuse me if this is a duplicate)
Toad,
Recently a message by you was xposted to 0.5 about a crypto weakness you
folks discovered in 0.7 that 0.5 is also subject to.
After some discussion, one individual came up with a patch and procedure for
fixing this on 0.5. While a lot will simply use that patch and build new
freenet.jar executables, there are some who aren't up to it for whatever
reason.
Given the patch and the msg announcing it, would you be willing to create
an 'official' freenet 0.5 build 5108 and make it available at the same place
where the old 0.5 stuff is at http://downloads.freenetproject.org/ ?
BTW- I know you and other freenet devs haven't been in the habit of doing so
but would you also be willing to include a digital signature of some kind?
At least an SHA-1 hash, preferably a detached pgp signature.
Thanks
Here's the message I mentioned, followed by the patch:
- Jack O'Lantern - 2007.10.31 - 20:36:40GMT -
Happy Hallowe'en folks,
a certain Toad recently informed us that the Diffie-Hellman key exchange in
freenet 0.5 has been b0rked for about two years and we please bob for the
solution to the issue ourselves. So, here goes...
1. obtain a JDK (sun5 works), svn, ant and junit.
2. obtain the source:
$ svn co http://freenet.googlecode.com/svn/branches/legacy/stable/
freenet-0.5-5108
$ cd freenet-0.5-5108
$ svn co http://freenet.googlecode.com/svn/branches/legacy/contrib/
contrib
3. copy freenet-ext.jar from your freenet directory into the newly created
freenet-0.5-5108 directory (freenet-ext.jar remains unchanged)
4. obtain the patch I crafted:
freenet:[EMAIL PROTECTED],xYB4spgd2g1ZtJIYN0lfeg/freenet_dh.patch
5. Examine this patch closely. You don't know me. You never know beforehand
if you're about to be tricked or treated, or handled by an incompetent
person.
This patch does the following things:
a. creates a method to check for weak Diffie-Hellman exponents (imported
from freenet 0.7)
b. there are *extremely* few weak exponentials in the number space, so
accidental creation of a weak exponential is *extremely* unlikely;
nevertheless, the patch adds code to prevent creating weak exponents
(imported from freenet 0.7)
c. adds code to abort a Diffie-Hellman key exchange if our peer (Bob)
uses a weak key (logs an error) (two instances)
d. bumps the build number up to 5108. I feel it's justified that we users
hijack the build numbering scheme as the developers don't maintain it
anymore.
6. If you're satisfied, copy this patch into the freenet-0.5-5108 directory.
7. Apply the patch:
$ patch -p1 freenet_dh.patch
8. Build freenet.jar
$ CLASSPATH=freenet-ext.jar ant distclean dist
9. Make a backup of your old freenet.jar (freenet-ext.jar remains in place).
10. Copy the newly built freenet.jar to your freenet directory.
$ cp lib/freenet.jar /path/to/freenet/dir
11. Restart freenet
That's it. Enjoy your shiny new freenet build.
It would be great if someone in contact with the freenet 0.7 developers
could communicate the patch to them. I'm just a user, and some official
acknowledgement that the patch does indeed fix *all* instances of weak
Diffie-Hellman handling is appreciated because, you know, the comments in the
freenet source are not exactly abundant and it's not easy for a newcomer to
find one's way through.
EOM
Here's the patch:
diff -Naur freenet-0.5-5107/build.xml freenet-0.5-5108/build.xml
--- freenet-0.5-5107/build.xml2007-10-31 18:12:46.0 +0100
+++ freenet-0.5-5108/build.xml2007-10-31 18:22:13.0 +0100
@@ -22,8 +22,8 @@
property name=freenet-ext.location
location=${lib}/freenet-ext.jar/
!-- this is where the Contrib directory is supposed to be. Override
this
if necessary --
- property name=contrib.location location=../
- property name=servlet.location
location=${contrib.location}/Contrib/freenet_ext/build_dir/
+ property name=contrib.location location=./
+ property name=servlet.location
location=${contrib.location}/contrib/freenet_ext/build_dir/
!--
=== --
target name=env
diff -Naur freenet-0.5-5107/src/freenet/crypt/DiffieHellman.java
freenet-0.5-5108/src/freenet/crypt/DiffieHellman.java
--- freenet-0.5-5107/src/freenet/crypt/DiffieHellman.java 2007-10-31
18:08:57.0 +0100
+++ freenet-0.5-5108/src/freenet/crypt/DiffieHellman.java 2007-10-31
18:21:34.0 +0100
@@ -11,6 +11,7 @@
import java.util.Stack;
import freenet.Core;
+import freenet.support.Logger;