diff --git a/net/secureservice/credential.go b/net/secureservice/credential.go
index 7cf325b2..04ee9b15 100644
--- a/net/secureservice/credential.go
+++ b/net/secureservice/credential.go
@@ -1,12 +1,15 @@
 package secureservice

 import (
+ "strings"
+
+ "go.uber.org/zap"
+ "golang.org/x/exp/slices"
+
 "github.com/anyproto/any-sync/commonspace/object/accountdata"
 "github.com/anyproto/any-sync/net/secureservice/handshake"
 "github.com/anyproto/any-sync/net/secureservice/handshake/handshakeproto"
 "github.com/anyproto/any-sync/util/crypto"
- "go.uber.org/zap"
- "golang.org/x/exp/slices"
 )

 func newNoVerifyChecker(protoVersion uint32, compatibleProtoVersions []uint32, clientVersion string) handshake.CredentialChecker {
@@ -34,6 +37,11 @@ func (n noVerifyChecker) CheckCredential(remotePeerId string, cred *handshakepro
 err = handshake.ErrIncompatibleVersion
 return
 }
+ // Hotfix for a bad version
+ if strings.Contains(cred.ClientVersion, "middle:v0.36.6") {
+ err = handshake.ErrIncompatibleVersion
+ return
+ }
 return handshake.Result{
 ProtoVersion: cred.Version,
 ClientVersion: cred.ClientVersion,
@@ -103,6 +111,11 @@ func (p *peerSignVerifier) CheckCredential(remotePeerId string, cred *handshakep
 err = handshake.ErrInvalidCredentials
 return
 }
+ // Hotfix for a bad version
+ if strings.Contains(cred.ClientVersion, "middle:v0.36.6") {
+ err = handshake.ErrIncompatibleVersion
+ return
+ }
 return handshake.Result{
 Identity: msg.Identity,
 ProtoVersion: cred.Version,
diff --git a/net/secureservice/credential_test.go b/net/secureservice/credential_test.go
index 428661d7..94e24f19 100644
--- a/net/secureservice/credential_test.go
+++ b/net/secureservice/credential_test.go
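Review bot: The new check in noVerifyChecker.CheckCredential uses `strings.Contains`, which matches any version string that merely contains the literal, so a constructed value such as `middle:v0.36.60` or a suffixed build of 0.36.6 would be rejected as well. If only the one release is meant, compare whole components, e.g. `if slices.Contains(strings.Split(cred.ClientVersion, "/"), "middle:v0.36.6") {`, given the slash-separated format shown in the new test. The same literal and check are repeated in peerSignVerifier.CheckCredential in the next hunk; a shared constant or helper would keep the two in step and make the hotfix easy to remove later. The comment `// Hotfix for a bad version` could also say what is wrong with that version and point to the issue the test name refers to (4423). Both function bodies start and end outside their hunks.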
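Review bot: The rejection in peerSignVerifier.CheckCredential keys on `cred.ClientVersion`, a value the remote peer supplies, and nothing visible in this hunk shows it being covered by the signature check that precedes it. If it is not, this is a compatibility gate for well-behaved clients rather than a control that reliably keeps a given build off the network, because the value itself is unauthenticated. I would record that next to the check, e.g. `// Compatibility gate only: ClientVersion is self-reported, do not rely on it for enforcement.` The function body starts and ends outside the hunk.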
@@ -1,12 +1,14 @@
 package secureservice

 import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
 "github.com/anyproto/any-sync/commonspace/object/accountdata"
 "github.com/anyproto/any-sync/net/secureservice/handshake"
 "github.com/anyproto/any-sync/testutil/accounttest"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- "testing"
 )

 func TestPeerSignVerifier_CheckCredential(t *testing.T) {
@@ -58,6 +60,27 @@ func TestIncompatibleVersion(t *testing.T) {
 assert.EqualError(t, err, handshake.ErrInvalidCredentials.Error())
 }

+func TestIncompatibleVersion_Issue4423(t *testing.T) {
+ a1 := newTestAccData(t)
+ a2 := newTestAccData(t)
+ identity2, _ := a2.SignKey.GetPublic().Marshall()
+
+ cc1 := newPeerSignVerifier(1, []uint32{1}, "Linux:0.43.3/middle:v0.36.6/any-sync:v0.5.11", a1)
+ cc2 := newPeerSignVerifier(1, []uint32{1}, "test:v1", a2)
+
+ c1 := a2.PeerId
+ c2 := a1.PeerId
+
+ cr1 := cc1.MakeCredentials(c1)
+ cr2 := cc2.MakeCredentials(c2)
+ res, err := cc1.CheckCredential(c1, cr2)
+ assert.NoError(t, err)
+ assert.Equal(t, identity2, res.Identity)
+
+ _, err = cc2.CheckCredential(c2, cr1)
+ assert.ErrorIs(t, err, handshake.ErrIncompatibleVersion)
+}
+
 func newTestAccData(t *testing.T) *accountdata.AccountKeys {
 as := accounttest.AccountTestService{}
 require.NoError(t, as.Init(nil))
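Review bot: TestIncompatibleVersion_Issue4423 exercises only the peerSignVerifier path; the identical check added to noVerifyChecker.CheckCredential has no test. There is also no case pinning the expected result for a neighbouring version string (for example a constructed `middle:v0.36.60`), which is exactly where a substring match and an exact match differ. Separately, `identity2, _ := a2.SignKey.GetPublic().Marshall()` drops the error; `identity2, err := a2.SignKey.GetPublic().Marshall()` followed by `require.NoError(t, err)` would surface a marshalling failure directly instead of as a confusing `assert.Equal` mismatch.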