diff --git a/Cargo.lock b/Cargo.lock index 937a30240a..29f9d86c89 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -6520,6 +6520,7 @@ dependencies = [ "rand 0.8.5", "rand 0.9.2", "reqwest 0.13.1", + "semver 1.0.26", "serde", "serde_json", "time", diff --git a/nym-gateway-probe/Cargo.toml b/nym-gateway-probe/Cargo.toml index b18927be15..7cebd4f98b 100644 --- a/nym-gateway-probe/Cargo.toml +++ b/nym-gateway-probe/Cargo.toml @@ -26,6 +26,7 @@ rand09.workspace = true reqwest = { workspace = true, features = ["socks"] } serde.workspace = true serde_json.workspace = true +semver.workspace = true time = { workspace = true } tokio = { workspace = true, features = [ "process", diff --git a/nym-gateway-probe/src/common/nodes.rs b/nym-gateway-probe/src/common/nodes.rs index 04b2b10cac..c36daff81b 100644 --- a/nym-gateway-probe/src/common/nodes.rs +++ b/nym-gateway-probe/src/common/nodes.rs @@ -12,6 +12,7 @@ use nym_bin_common::build_information::BinaryBuildInformationOwned; use nym_http_api_client::UserAgent; use nym_kkt_ciphersuite::Ciphersuite; use nym_kkt_ciphersuite::{KEM, KEMKeyDigests}; +use nym_lp::packet::version; use nym_lp::peer::{DHPublicKey, LpRemotePeer}; use nym_network_defaults::DEFAULT_NYM_NODE_HTTP_PORT; use nym_node_requests::api::client::NymNodeApiClientExt; @@ -129,16 +130,32 @@ impl DirectoryNode { .copied() .ok_or_else(|| anyhow!("no ip address known"))?; - // let lp_data = description.lewes_protocol.as_ref().and_then(|lp_data| { - // Some(TestedNodeLpDetails { - // address: SocketAddr::new(ip_address, lp_data.control_port), - // expected_kem_key_hashes: lp_data.kem_keys().ok()?, - // expected_signing_key_hashes: lp_data.signing_keys().ok()?, - // x25519: lp_data.x25519, - // // \/ TODO: proper derivation from build version - // lp_version: version::CURRENT, - // }) - // }); + let identity = self.identity(); + + let lp_data = match description.lewes_protocol.as_ref() { + Some(lp_data) => { + // 1. verify the signature, if it's invalid, completely bail on the node + if !lp_data.verify(&identity) { + warn!("{identity} provided malformed lp data"); + bail!("{identity} provided malformed lp data"); + } + + let version: semver::Version = + description.build_information.build_version.parse()?; + let Some(ciphersuite) = Ciphersuite::from_node_version(version) else { + bail!("failed to identify valid ciphersuite for {identity}"); + }; + + Some(TestedNodeLpDetails { + address: SocketAddr::new(ip_address, lp_data.content.control_port), + expected_kem_key_hashes: lp_data.content.kem_keys()?, + x25519: lp_data.content.x25519, + lp_version: version::CURRENT, + ciphersuite, + }) + } + None => None, + }; Ok(TestedNodeDetails { identity: self.identity(), @@ -147,7 +164,7 @@ impl DirectoryNode { authenticator_address, authenticator_version, ip_address: Some(ip_address), - lp_data: None, + lp_data, }) } }