Remove backwards compatibility and set min_protocol to 7

d496e4b8 · Joanne Hugé · ba573ab7 · d496e4b8 · d496e4b8 · d496e4b8
Commit d496e4b8 authored Jun 25, 2021 by Joanne Hugé
Showing with 53 additions and 83 deletions

re6st/registry.py re6st/registry.py +0 -4

re6st/tunnel.py re6st/tunnel.py +50 -74

re6st/utils.py re6st/utils.py +1 -1

re6st/version.py re6st/version.py +2 -2

re6st/x509.py re6st/x509.py +0 -2

No files found.
--- a/re6st/registry.py
+++ b/re6st/registry.py
@@ -548,10 +548,6 @@ class RegistryServer(object):
            msg = self._queryAddress(peer)
            if msg is None:
                return
-            # Remove country for old nodes
-            if self.getPeerProtocol(cn) < 7:
-                msg = ';'.join(','.join(a.split(',')[:3])
-                               for a in msg.split(';'))
            cert = self.getCert(cn)
        msg = "%s %s" % (peer, msg)
        logging.info("Sending bootstrap peer: %s", msg)

--- a/re6st/tunnel.py
+++ b/re6st/tunnel.py
@@ -195,7 +195,6 @@ class BaseTunnelManager(object):
                              'babel_hmac_sign', 'encrypt',
                              'hello', 'ipv4', 'ipv4_sublen'))
-    _geoiplookup = None
    _forward = None
    _next_rina = True
@@ -229,16 +228,6 @@ class BaseTunnelManager(object):
               } == address_dict:
                address_dict = cache_dict
-        db = os.getenv('GEOIP2_MMDB')
-        if db:
-            from geoip2 import database, errors
-            country = database.Reader(db).country
-            def geoiplookup(ip):
-                try:
-                    return country(ip).country.iso_code.encode()
-                except errors.AddressNotFoundError:
-                    return
-            self._geoiplookup = geoiplookup
        if cache.same_country:
            self._country = {}
@@ -392,62 +381,53 @@ class BaseTunnelManager(object):
        msg = peer.decode(msg)
        if type(msg) is tuple:
          seqno, msg, protocol = msg
-          def handleHello(peer, seqno, msg, retry):
+          if seqno == 2:
-            if seqno == 2:
+              i = len(msg) // 2
-                i = len(msg) // 2
+              h = msg[:i]
-                h = msg[:i]
+              try:
-                try:
+                  peer.verify(msg[i:], h)
-                    peer.verify(msg[i:], h)
+                  peer.newSession(self.cert.decrypt(h), protocol)
-                    peer.newSession(self.cert.decrypt(h), protocol)
+              except (AttributeError, crypto.Error, x509.NewSessionError,
-                except (AttributeError, crypto.Error, x509.NewSessionError,
+                      subprocess.CalledProcessError):
-                        subprocess.CalledProcessError):
+                  logging.debug('ignored new session key from %r',
-                    logging.debug('ignored new session key from %r',
+                                address, exc_info=1)
-                                  address, exc_info=1)
+                  return
-                    return
+              peer.version = self._version \
-                peer.version = self._version \
+                  if self._sendto(to, '\0' + self._version, peer) else ''
-                    if self._sendto(to, '\0' + self._version, peer) else ''
+              return
-                return
+          if seqno:
-            if seqno:
+              h = x509.fingerprint(self.cert.cert).digest()
-                h = x509.fingerprint(self.cert.cert).digest()
+              seqno = msg.startswith(h)
-                seqno = msg.startswith(h)
+              msg = msg[len(h):]
-                msg = msg[len(h):]
+          try:
-            try:
+              cert = self.cert.loadVerify(msg,
-                cert = self.cert.loadVerify(msg,
+                  True, crypto.FILETYPE_ASN1)
-                    True, crypto.FILETYPE_ASN1)
+              stop_date = x509.notAfter(cert)
-                stop_date = x509.notAfter(cert)
+              serial = cert.get_serial_number()
-                serial = cert.get_serial_number()
+              if serial in self.cache.crl:
-                if serial in self.cache.crl:
+                  raise ValueError("revoked")
-                    raise ValueError("revoked")
+          except (x509.VerifyError, ValueError), e:
-            except (x509.VerifyError, ValueError), e:
+              logging.debug('ignored invalid certificate from %r (%s)',
-                if retry:
+                            address, e.args[-1])
-                    return True
+              return
-                logging.debug('ignored invalid certificate from %r (%s)',
+          p = utils.binFromSubnet(x509.subnetFromCert(cert))
-                              address, e.args[-1])
+          if p != peer.prefix:
-                return
+              if not prefix.startswith(p):
-            p = utils.binFromSubnet(x509.subnetFromCert(cert))
+                  logging.debug('received %s/%s cert from wrong source %r',
-            if p != peer.prefix:
+                                int(p, 2), len(p), address)
-                if not prefix.startswith(p):
+                  return
-                    logging.debug('received %s/%s cert from wrong source %r',
+              peer = x509.Peer(p)
-                                  int(p, 2), len(p), address)
+              insort(self._peers, peer)
-                    return
+          peer.cert = cert
-                peer = x509.Peer(p)
+          peer.serial = serial
-                insort(self._peers, peer)
+          peer.stop_date = stop_date
-            peer.cert = cert
+          self.selectTimeout(stop_date, self.invalidatePeers, False)
-            peer.serial = serial
+          if seqno:
-            peer.stop_date = stop_date
+              self._sendto(to, peer.hello(self.cert, protocol))
-            self.selectTimeout(stop_date, self.invalidatePeers, False)
+          else:
-            if seqno:
+              msg = peer.hello0(self.cert.cert)
-                self._sendto(to, peer.hello(self.cert, protocol))
+              if msg and self._sendto(to, msg):
-            else:
+                  peer.hello0Sent()
-                msg = peer.hello0(self.cert.cert)
-                if msg and self._sendto(to, msg):
-                    peer.hello0Sent()
-          if handleHello(peer, seqno, msg, seqno):
-            # It is possible to reconstruct the original message because
-            # the serialization of the protocol version is always unique.
-            msg = utils.packInteger(protocol) + msg
-            protocol = 0
-            handleHello(peer, seqno, msg, False)
        elif msg:
            # We got a valid and non-empty message. Always reply
            # something so that the sender knows we're still connected.
@@ -471,11 +451,6 @@ class BaseTunnelManager(object):
                        return
                    self._makeTunnel(peer, msg)
            else:
-                if peer:
-                    # Don't send country to old nodes
-                    if self._getPeer(peer).protocol < 7:
-                        return ';'.join(','.join(a.split(',')[:3]) for a in
-                            ';'.join(self._address.itervalues()).split(';'))
                return ';'.join(self._address.itervalues())
        elif not code: # network version
            if peer:
@@ -886,12 +861,13 @@ class TunnelManager(BaseTunnelManager):
            if x[2] in self._disable_proto:
                continue
            if same_country:
+                if len(x) < 4:
+                    continue
                family, ip = resolve(*x[:3])
                my_country = self._country.get(family, self._conf_country)
                if my_country:
                    for ip in ip:
-                        # Use geoip if there is no country in the address
+                        country = x[3]
-                        country = x[3] if len(x) > 3 else self._geoiplookup(ip)
                        if country and (country != my_country
                                        if my_country in same_country else
                                        country in same_country):

--- a/re6st/utils.py
+++ b/re6st/utils.py
@@ -233,7 +233,7 @@ def ipFromBin(ip, suffix=''):
 def dump_address(address):
    return ';'.join(map(','.join, address))
-# Yield ip, port, protocol, and country if it is in the address
+# Yield ip, port, protocol, and country
 def parse_address(address_list):
    for address in address_list.split(';'):
        try:

--- a/re6st/version.py
+++ b/re6st/version.py
@@ -32,8 +32,8 @@ if dirty:
 # they are intended to the network admin.
 # Only 'protocol' is important and it must be increased whenever they would be
 # a wish to force an update of nodes.
-protocol = 7
+protocol = 8
-min_protocol = 1
+min_protocol = 7
 if __name__ == "__main__":
    print version
--- a/re6st/x509.py
+++ b/re6st/x509.py
@@ -229,8 +229,6 @@ class Peer(object):
    def hello0(self, cert):
        if self._hello < time.time():
            try:
-                # Always assume peer is not old, in case it has just upgraded,
-                # else we would be stuck with the old protocol.
                msg = ('\0\0\0\1'
                    + PACKED_PROTOCOL
                    + fingerprint(self.cert).digest())