handle incoming packets with ML-DSA signature

2025-04-22 08:56:35 +02:00 · 2025-04-21 21:25:51 -04:00 · 2025-04-21 21:25:51 -04:00 · 724d8bde4e
commit 724d8bde4e
parent 9bd2b8df76
4 changed files with 40 additions and 20 deletions
--- a/libi2pd/Identity.cpp
+++ b/libi2pd/Identity.cpp
@ -433,7 +433,7 @@ namespace data
 				{
 					// for post-quantum
 					uint8_t * signingKey = new uint8_t[keyLen];
-					memcpy (signingKey, m_StandardIdentity.signingKey, 384);
+					memcpy (signingKey, m_StandardIdentity, 384);
 					size_t excessLen = keyLen - 384;
 					memcpy (signingKey + 384, m_ExtendedBufferPtr + 4, excessLen); // right after signing and crypto key types
 					verifier->SetPublicKey (signingKey);
--- a/libi2pd/LeaseSet.h
+++ b/libi2pd/LeaseSet.h
@ -59,8 +59,11 @@ namespace data
 	};

 	typedef std::function<bool(const Lease & l)> LeaseInspectFunc;
-
+#if OPENSSL_PQ
+	const size_t MAX_LS_BUFFER_SIZE = 8192;
+#else
 	const size_t MAX_LS_BUFFER_SIZE = 4096;
+#endif	
 	const size_t LEASE_SIZE = 44; // 32 + 4 + 8
 	const size_t LEASE2_SIZE = 40; // 32 + 4 + 4
 	const uint8_t MAX_NUM_LEASES = 16;
--- a/libi2pd/Streaming.cpp
+++ b/libi2pd/Streaming.cpp
@ -450,29 +450,42 @@ namespace stream

 		if (flags & PACKET_FLAG_SIGNATURE_INCLUDED)
 		{
-			uint8_t signature[256];
+			bool verified = false;
 			auto signatureLen = m_TransientVerifier ? m_TransientVerifier->GetSignatureLen () : m_RemoteIdentity->GetSignatureLen ();
-			if(signatureLen <= sizeof(signature))
-			{
-				memcpy (signature, optionData, signatureLen);
-				memset (const_cast<uint8_t *>(optionData), 0, signatureLen);
-				bool verified = m_TransientVerifier ?
-					m_TransientVerifier->Verify (packet->GetBuffer (), packet->GetLength (), signature) :
-					m_RemoteIdentity->Verify (packet->GetBuffer (), packet->GetLength (), signature);
-				if (!verified)
-				{
-					LogPrint (eLogError, "Streaming: Signature verification failed, sSID=", m_SendStreamID, ", rSID=", m_RecvStreamID);
-					Close ();
-					flags |= PACKET_FLAG_CLOSE;
-				}
-				memcpy (const_cast<uint8_t *>(optionData), signature, signatureLen);
-				optionData += signatureLen;
-			}
-			else
+			if (signatureLen > packet->GetLength ())
 			{
 				LogPrint (eLogError, "Streaming: Signature too big, ", signatureLen, " bytes");
 				return false;
+			}	
+			if(signatureLen <= 256)
+			{
+				// standard
+				uint8_t signature[256];
+				memcpy (signature, optionData, signatureLen);
+				memset (const_cast<uint8_t *>(optionData), 0, signatureLen);
+				verified = m_TransientVerifier ?
+					m_TransientVerifier->Verify (packet->GetBuffer (), packet->GetLength (), signature) :
+					m_RemoteIdentity->Verify (packet->GetBuffer (), packet->GetLength (), signature);
+				if (verified)
+					memcpy (const_cast<uint8_t *>(optionData), signature, signatureLen);
 			}
+			else
+			{
+				// post quantum
+				std::vector<uint8_t> signature(signatureLen);
+				memcpy (signature.data (), optionData, signatureLen);
+				memset (const_cast<uint8_t *>(optionData), 0, signatureLen);
+				verified = m_TransientVerifier ?
+					m_TransientVerifier->Verify (packet->GetBuffer (), packet->GetLength (), signature.data ()) :
+					m_RemoteIdentity->Verify (packet->GetBuffer (), packet->GetLength (), signature.data ());
+			}
+			if (verified)
+				optionData += signatureLen;
+			else
+			{
+				LogPrint (eLogError, "Streaming: Signature verification failed, sSID=", m_SendStreamID, ", rSID=", m_RecvStreamID);
+				return false;
+			}	
 		}
 		if (immediateAckRequested)
 			SendQuickAck ();
--- a/libi2pd/Streaming.h
+++ b/libi2pd/Streaming.h
@ -51,7 +51,11 @@ namespace stream

 	const size_t STREAMING_MTU = 1730;
 	const size_t STREAMING_MTU_RATCHETS = 1812;
+#if OPENSSL_PQ	
+	const size_t MAX_PACKET_SIZE = 8192;
+#else
 	const size_t MAX_PACKET_SIZE = 4096;
+#endif	
 	const size_t COMPRESSION_THRESHOLD_SIZE = 66;
 	const int MAX_NUM_RESEND_ATTEMPTS = 10;
 	const int INITIAL_WINDOW_SIZE = 10;