zzz
re: jbigi, the review + testing burden seems more trouble than it's worth, but maybe I'm wrong
dr|z3d
testing newly compiled jbigi now.
zzz
the other one was CSRF for process-wide nonces (#7 and 8 from first batch)
zzz
re: jbigi, I'm asking if you've accepted or rejected their suggestions
dr|z3d
some of them, the compilation hardening seemed like an easy win. I've also optimized the build process to produce arch-specific optimizations.
dr|z3d
> NC3: Off-by-one: added +1 safety margin to size calculation in convert_mp2j <- attempted fix for that appeared to break modpow.
zzz
it's easy if it works on all platforms, it just seems like a big hassle to test
zzz
yeah NC3 I fixed, blame jrandom
dr|z3d
there were a few obsolete platforms no longer supported by the compiler, removed those.
zzz
the fix didn't work?
zzz
my fix for NC3 is 1595bbabd9404a1b96ba1b95f7dc3c97b0c836d4
zzz
but I didn't test it, seemed obvious
dr|z3d
> there were a few obsolete platforms no longer supported by the compiler, removed those.
dr|z3d
> this is where I've got to, anyways: update.skank.i2p/reports/i2p_audit_report.html
dr|z3d
> re test, YOLO it and encourage people to file issues if they bang up against any :)
dr|z3d
speaking of YOLO, here's StormyCloud :)
StormyCloud
You know it
dr|z3d
all good over there?
zzz
the fix didn't work?
zzz
my fix for NC3 is 1595bbabd9404a1b96ba1b95f7dc3c97b0c836d4
zzz
but I didn't test it, seemed obvious
onon_
disconnects...
zzz
dr|z3d, your fix looks like vibe nonsense, take a look at my oneliner
dr|z3d
didn't see it, not on github.
dr|z3d
nc3? I don't think I've addressed that one.
zzz
NC3 is the jbigi.c change
dr|z3d
let's have a look, see what you're on about.
zzz
<dr|z3d> > NC3: Off-by-one: added +1 safety margin to size calculation in convert_mp2j <- attempted fix for that appeared to break modpow.
dr|z3d
right, so was reverted.
dr|z3d
so I don't know what nonsense you're referring to?
zzz
the change that you reverted looked like nonsense
zzz
guess you agreed
zzz
lmk if my oneliner works
dr|z3d
10-4
dr|z3d
looks like it wasn't reverted (yet), but it doesn't much look like nonsense, either, just a bit more wordy than your fix, but essentially the same.
dr|z3d
yeah, not buying your nonsense accusation, sorry.
zzz
for (i = 1; i < size; i++) {
zzz
why change to start at 1 instead of 0?
dr|z3d
on the contrary, I counter that your fix is nonsense.
dr|z3d
analysis:
dr|z3d
// I2P+ (correct) apps/i2psnark/java/i2psnark/launc-41
dr|z3d
buffer[0] = 0x00; // Set padding to 0x00 apps/i2psnark/java/i2psnark/launc-10
dr|z3d
mpz_export(&buffer[1], ...); // Export to buffer[1]+ apps/i2psnark/java/i2psnark/readm-38
dr|z3d
for (i = 1; i < size; i++) // Skip buffer[0], invert rest apps/i2ptunnel/java/src/net/i+24 -10
dr|z3d
buffer[i] = ~buffer[i]; core/c/jbigi/BUILD_MULTIARCH.md -123
dr|z3d
core/c/jbigi/README -183
dr|z3d
// Upstream (buggy) core/c/jbigi/README.md +204
dr|z3d
buffer[0] = 0x00; // Set padding to 0x00 core/c/jbigi/build-all.sh +1 -1
dr|z3d
mpz_export(&buffer[1], ...); // Export to buffer[1]+ core/c/jbigi/build-arm64.sh +21 -4
dr|z3d
for (i = 0; i < size; i++) // Start at 0 - INVERTS PADDING! core/c/jbigi/build-linux64.sh+28 -15
dr|z3d
buffer[i] = ~buffer[i]; core/c/jbigi/build-win64.sh +7 -10
dr|z3d
core/c/jbigi/build.sh +1 -1
dr|z3d
The difference: core/c/jbigi/docs/BUILD_MULTIARC-123
dr|z3d
- I2P+: padding stays 0x00 → positive number ✅ core/c/jbigi/docs/README.html -242
dr|z3d
- Upstream: padding becomes 0xFF → looks like negative ❌ core/c/jbigi/docs/README.md -189
dr|z3d
▄ core/c/jbigi/download_gmp.sh +6 -4
dr|z3d
The upstream version would produce incorrect results for negative numbers because it inverts the sign byte. It's a bug we fixed.
dr|z3d
make of the vibes what you will (tm)
dr|z3d
> If we start at i=0, we invert the padding byte from 0x00 to 0xFF, which corrupts the sign.
dr|z3d
> If we start at i=1, we only invert the actual number bytes, leaving the padding byte correct.
zzz
then why didnt it work?
orignal
&buffer[1] wtf?
orignal
isn't it buffer + 1?
zzz
I can't find any text in the reports about inverting the sign byte
zzz
NC3 is solely about a buffer overflow
dr|z3d
sure, my fix is a superset of the nc3 fix :)
dr|z3d
help yourself.
dr|z3d
*** pokes zzz in the ribs. ***
zzz
ok, if you're fixing stuff not from the report in the same commit, I don't know how to review or analyze it
dr|z3d
let's ask orignal, he's the c expert.
dr|z3d
orignal: does this look correct? github.com/I2PPlus/i2pplus/blob/ec3d89187d2756d5dfbc151fadda9e7243181453/core/c/jbigi/jbigi/src/jbigi.c#L390
orignal
what?
orignal
what's your question?
orignal
for (i = 1; i < size; i++) {
orignal
buffer[i] = ~buffer[i];
orignal
why is this?
orignal
why does it invert bits?
dr|z3d
For negative numbers, GMP stores them as positive magnitude internally. To convert to Java's two's complement: $0.00 spent
dr|z3d
1. Add 1 to the magnitude (line 395: mpz_add_ui(mvalue, mvalue, 1)) ▼ MCP
dr|z3d
2. Export to buffer • filesystem Connected
dr|z3d
3. Invert all bytes except the sign byte (buffer0) • git Connected
dr|z3d
• github Disabled
dr|z3d
Example: Converting -5: • openevolve Connected
dr|z3d
- GMP stores as magnitude 5
dr|z3d
- After +1: 6 → exported as 0x06 LSP
dr|z3d
- Invert from index 1: 0xF9 (which is -5 in two's complement) LSPs will activate as files are read
dr|z3d
The sign byte at buffer0 stays 0x00 to indicate positive - the inversion of the rest makes the overall value negative. Starting at i=0 would corrupt the sign byte.
dr|z3d
excuse the cruft.
orignal
so, it says that -5 is 0xF9
orignal
but 0xF0 = 0x100 - 5
dr|z3d
interesting.
dr|z3d
from ~6 times faster for modinverse to 9.7
dr|z3d
various optimizations: github.com/I2PPlus/i2pplus/blob/master/core/c/jbigi/jbigi/src/jbigi.c
John
should i test shenandoah and compact object headers in production? i am having a hard time deciding
dr|z3d
just do it.
dr|z3d
shenandoah, easy win. compact headers, test, see if your ram footprint reduces, report back. run visualvm for better insight into what's happening.
dr|z3d
note: both i2p and i2p+ run on java, use the same wrapper files, so the changes you'd make to your config file are equally applicable to both.
John
where do you put the jvm options in wrapper.config and how do you put them i am confused
John
i am trying to be careful
dr|z3d
once you've installed visualvm, you'll want to add the following to your wrapper.config file, adjust the numbers as required:
dr|z3d
wrapper.java.additional.10=-Dcom.sun.management.jmxremote
dr|z3d
wrapper.java.additional.11=-Dcom.sun.management.jmxremote.port=1099
dr|z3d
wrapper.java.additional.12=-Dcom.sun.management.jmxremote.local.only=false
dr|z3d
wrapper.java.additional.13=-Dcom.sun.management.jmxremote.authenticate=false
dr|z3d
wrapper.java.additional.14=-Dcom.sun.management.jmxremote.ssl=false
John
what about for shenandoah and compact object headers
dr|z3d
same format as per the lines above, you'd use something like (adjust additional.numbers as required):
dr|z3d
wrapper.java.additional.3=-XX:+PerfDisableSharedMem
dr|z3d
wrapper.java.additional.4=-XX:+UseShenandoahGC
dr|z3d
wrapper.java.additional.5=-XX:ShenandoahGCMode=adaptive
dr|z3d
wrapper.java.additional.6=-XX:+CompactObjectHeaders
dr|z3d
wrapper.java.additional.7=-XX:+AlwaysPreTouch
John
is disabling shared mem necessary
John
also does visualvm work for normal jre or will i have to replace normal jre with jdk?
dr|z3d
no. but advised.
dr|z3d
requires jdk.
John
ah ok
John
good to know
dr|z3d
> -XX:+PerfDisableSharedMem prevents random GC pauses by using anonymous memory instead of writing performance counters to disk files in /tmp/hsperfdata.
John
good to know
John
is it fine if i shut down the i2p router to replace jre openjdk with jdk openjdk and install visualvm and to apply the changes?
RN
:þ
John
ok i am going to do that
dr|z3d
should be fine.
dr|z3d
just make sure you have java25 or later (jdk)
zzz
glad I missed the GC convo, I know nothing ))
dr|z3d
:)
dr|z3d
tldr; both ZGC and Shenandoah have very fast routines, and the CompressObjectHeader argument is meant to significantly reduce memory usage. whether they're worth enabling is an open question.
dr|z3d
javacodegeeks.com/2026/04/the-jvm-garbage-collector-decision-in-2026-g1-vs-zgc-vs-shenandoah-for-real-workloads.html
zzz
so back to the CSRF on the process nonces, they're kindof a pain to get rid of, not sure if it will really help or not. thoughts?
dr|z3d
gotta run, back in a bit.
zzz
ok I'm going to look at it a little closer
dr|z3d
so, nonces, what's the general idea re removal?
dr|z3d
I've already removed them for the tunnel manager, wasn't that difficult, was interfering with the js, the intention being to reimplement at some point.
dr|z3d
maybe I'm missing the bottomlineit refs?
zzz
there's no process-wide nonces in i2ptunnel, they're all session afaik
zzz
it's in console and snark. HIGH-3 and HIGH-4 from the first batch
dr|z3d
oh, then I'm not entirely sure what the point of reference is.
zzz
they call them "static" nonces which isn't quite right but close enough
zzz
so you haven't looked at HIGH-3 and HIGH-4 yet?
dr|z3d
possibly because I overlooked the first audit file you sent.
zzz
lol ok
zzz
numbered 7 and 8 on my first spreadsheet
zzz
the static nonces are kinda lazy programmering so not surprised they show up in an audit but also not sure it matters
dr|z3d
ok, now I think I have them: update.skank.i2p/reports/i2p_audit_report.html
zzz
pls dont make it public
dr|z3d
oh, ok, my bad.
zzz
nothing's as bad as they say but lets not make things any harder on ourselves ))
dr|z3d
sorry, didn't realize, silly me.
dr|z3d
console csrf proposal via pm, zzz.
zzz
all this stuff prevents you from getting the static nonce and using it next week
zzz
but nothing prevents you from using it right away, and isn't that the real issue?
dr|z3d
yeah, maybe. it's all very hypothetical, though.
dr|z3d
we could just enforce a console password and be done with the issue, no?
zzz
sure
zzz
trying to figure out if anything less is helpful at all
dr|z3d
nonce + cookie, maybe?
dr|z3d
I'm still trying to understand how an attacker would acquire a router nonce in the first place.
dr|z3d
could also use javascript session nonces, maybe. dunno if that would help.
zzz
the report lays it out
zzz
but there's still browser preventions and CSP headers and stuff
dr|z3d
yeah, right. so basically, all this comes down to is a hacker having local access to your box?
dr|z3d
in which case, you're already cooked.
zzz
no, it would be an XHR to localhost on some malicious site
zzz
to snarf the nonce then a POST to localhost
zzz
and the browser didn't block it
dr|z3d
ok, well, there's some easy wins in there, we need to be setting cookies to samesite=lax. and form-actions to self. not a total fix, but definitely worth doing.
dr|z3d
*form-action -> developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/form-action
dr|z3d
if you got a test exploit you can wing my direction, please do.
dr|z3d
not sure if we could set samesite to strict, might break stuff, hence lax.
John
hello
dr|z3d
what up, John
John
i have been thinking about beta testing i2p and compiling i2p myself because i like using bleeding edge software but i dont know if doing so could decrease my anonymity
John
java i2p specifically
dr|z3d
sometimes yes, mostly no.
dr|z3d
if there's a code change that causes your router to stand out vs release versions, you may compromise your anonymity to some degree if you announce to people you're running it.
dr|z3d
those changes don't happen all the time, but occasionally they do.
dr|z3d
normally zzz will announce those types of changes on his site when they happen. (zzz.i2p)
John
i would like to beta test i2p as i like using bleeding edge software and usually bleeding edges gets bug fixes and patches first and i can catch bugs and help the i2p project by reporting these bugs but i worry about beta i2p decreasing my anonymity
John
also where do you translate i2p for?
John
i want to check if java i2p has already been translated in my language and if not help translate it
John
good to know
dr|z3d
check /configui in your console, that's the first step. enable your language, see what the coverage is like.
John
ok i checked and seems like my language is already mostly translated
dr|z3d
I'd refer you to i2p.net/en/get-involved/guides/translator-guide but it appears it may be out of date. StormyCloud!
John
ever since they updated the i2p website over to hugo i have noticed lots of pages from the website from the past are missing
John
and also why is the mascot inconsistent nowadays?
John
seems like ai was used but i could be wrong
dr|z3d
site's been renovated, if you think it's missing information that should be there, let StormyCloud know.
John
i could do that but i dont know how
John
also when i tried installing visualvm it didnt work because my java version was too new
StormyCloud
Open an issue on the GitHub page
John
good to know
John
also how do you make a i2p router? i have been thinking of making one in the future but i dont know how you make a i2p router
John
also stormycloud where is the github page for the i2p website could you give a link to it for convenience or no?
dr|z3d
informing StormyCloud is mostly a question of saying his name here, followed by a comma or a colon, and then outlining what you think is missing.
dr|z3d
how did you try installing it?
dr|z3d
the download from here will work with java25 -> visualvm.github.io
dr|z3d
how you make an i2p router is outside of the scope of this conversation.
John
i am using java 26 and i installed it using my package manager
dr|z3d
visualvm from the link above will work with java25.
dr|z3d
it might work with java26, but probably not.
John
yes but i dont think it works with java 26
dr|z3d
so if you want to run it, you'd need to downgrade java to 25.
dr|z3d
assuming it doesn't work with java26. the version in your repo may well be older than the one on the website.
John
let me try downloading it from the website
John
also why is the i2p website on github and not on a self hosted git repository on i2p?
dr|z3d
it's on both.
dr|z3d
(afaik)
dr|z3d
git.idk.i2p
John
if that is true good to know
John
also where would the question of making a i2p router be in scope?
dr|z3d
nowhere.
John
also i installed visualvm this time from the official website and it still didnt work
John
it complains my java version is too new
dr|z3d
it's one of those questions that would elicit a response like, "if you have to ask, you probably need to go and spend the next 3 years learning how to code."
dr|z3d
like i said, you may need to downgrade to java25.
John
ok
John
also what happened to ramble?
John
seems like its gone
dr|z3d
eyedeekay is in the process of writing an i2p router in go. it's not something you just casually undertake because you have a couple of hours of free time.
dr|z3d
outage. need to talk to the hoster.
dr|z3d
(I need to talk to the hoster)
John
fair but i dont think eyedeekay hosts ramble
dr|z3d
he doesn't, the two are unrelated.
John
anyways thank you for answering my questions for now i will be silent for now
dr|z3d
you're welcome.