Fix verification bug in Namecoin.

P2P full-block by-hash retrieval wasn't verifying that the received block had a header whose hash matched the requested hash. This probably made it trivially easy to falsify name records, since any internally valid block supplied by a malicious P2P peer (or a MITM attacker) would be accepted, and the name transactions in it trusted as valid, even if the block had (for example) minimum difficulty. The REST Merkle API is unaffected. There's a reason I haven't deployed libdohj-namecoin to end users yet; this is that reason. Review takes time.
2025-02-01 07:42:17 +00:00 · 2016-07-21 19:59:20 +00:00 · 2016-07-21 19:59:20 +00:00 · 0237a504c4
commit 0237a504c4
parent faadcca7ad
1 changed files with 7 additions and 0 deletions
--- a/namecoin/src/main/java/org/libdohj/names/NameLookupByBlockHashOneFullBlock.java
+++ b/namecoin/src/main/java/org/libdohj/names/NameLookupByBlockHashOneFullBlock.java
@ -42,6 +42,13 @@ public class NameLookupByBlockHashOneFullBlock implements NameLookupByBlockHash
        // The full block hasn't been verified in any way!
        // So let's do that now.
        
+        if (! nameFullBlock.getHash().equals(blockHash)) {
+            throw new Exception("Block hash mismatch!");
+        }
+        
+        // Now we know that the received block actually does have a header that matches the hash that we requested.
+        // However, that doesn't mean that the block's contents are valid.
+        
        final EnumSet<Block.VerifyFlag> flags = EnumSet.noneOf(Block.VerifyFlag.class);
        nameFullBlock.verify(-1, flags);