From 0237a504c44986874d6340cae727342a1a2df21a Mon Sep 17 00:00:00 2001
From: JeremyRand
Date: Thu, 21 Jul 2016 19:59:20 +0000
Subject: [PATCH] Fix verification bug in Namecoin.
P2P full-block by-hash retrieval wasn't verifying that the received block had a header whose hash matched the requested hash. This probably made it trivially easy to falsify name records, since any internally valid block supplied by a malicious P2P peer (or a MITM attacker) would be accepted, and the name transactions in it trusted as valid, even if the block had (for example) minimum difficulty. The REST Merkle API is unaffected. There's a reason I haven't deployed libdohj-namecoin to end users yet; this is that reason. Review takes time.
---
 .../libdohj/names/NameLookupByBlockHashOneFullBlock.java | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/namecoin/src/main/java/org/libdohj/names/NameLookupByBlockHashOneFullBlock.java b/namecoin/src/main/java/org/libdohj/names/NameLookupByBlockHashOneFullBlock.java
index a0a87c3a..dbcbfde7 100644
--- a/namecoin/src/main/java/org/libdohj/names/NameLookupByBlockHashOneFullBlock.java
+++ b/namecoin/src/main/java/org/libdohj/names/NameLookupByBlockHashOneFullBlock.java
@@ -42,6 +42,13 @@ public class NameLookupByBlockHashOneFullBlock implements NameLookupByBlockHash
 // The full block hasn't been verified in any way!
 // So let's do that now.
+ if (! nameFullBlock.getHash().equals(blockHash)) {
+ throw new Exception("Block hash mismatch!");
+ }
+
+ // Now we know that the received block actually does have a header that matches the hash that we requested.
+ // However, that doesn't mean that the block's contents are valid.
+
 final EnumSet flags = EnumSet.noneOf(Block.VerifyFlag.class);
 nameFullBlock.verify(-1, flags);
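Review bot: The new mismatch check throws a bare `Exception` whose message carries neither hash, so a caller cannot tell a peer serving the wrong block from any other lookup failure, and logs will not show which block was substituted. Consider `throw new VerificationException("Block hash mismatch: requested " + blockHash + ", received " + nameFullBlock.getHash());`, using bitcoinj's `org.bitcoinj.core.VerificationException` if it is importable in this file; that is the type `Block.verify` itself raises for an invalid block. The check binds only the header to `blockHash`: it relies on the following `nameFullBlock.verify(-1, flags)` call to tie the transactions to that header through the Merkle root, and on the caller having taken `blockHash` from a validated header chain. Neither is visible in this hunk, and both are worth stating in the added comment. The enclosing method starts and ends outside the hunk, and a regression test with a peer that returns a different but internally valid block would keep this check from being lost later.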