From: Brian Warner Date: Thu, 8 Nov 2007 21:02:36 +0000 (-0700) Subject: mutable: verify incoming share signatures during Publish, it's not that expensive... X-Git-Tag: allmydata-tahoe-0.7.0~240 X-Git-Url: https://git.rkrishnan.org/provisioning?a=commitdiff_plain;h=30a91c84c8232bbb86de6b6406b90d45a5e2d4aa;p=tahoe-lafs%2Ftahoe-lafs.git mutable: verify incoming share signatures during Publish, it's not that expensive and it's a good idea --- diff --git a/src/allmydata/mutable.py b/src/allmydata/mutable.py index 20b0429a..d7a0d669 100644 --- a/src/allmydata/mutable.py +++ b/src/allmydata/mutable.py @@ -745,11 +745,13 @@ class Publish: (seqnum, root_hash, IV, k, N, segsize, datalen, pubkey_s, signature, prefix) = r - # TODO: consider verifying the signature here. It's expensive. - # What can an attacker (in this case the server) accomplish? They - # could make us think that there's a newer version of the file - # out there, which would cause us to throw - # UncoordinatedWriteError (i.e. it's a DoS attack). + # self._pubkey is present because we require read-before-replace + valid = self._pubkey.verify(prefix, signature) + if not valid: + self.log("WEIRD: bad signature from %s shnum %d" % + (shnum, idlib.shortnodeid_b2a(peerid))) + continue + share = (shnum, seqnum, root_hash) current_share_peers.add(shnum, (peerid, seqnum, root_hash) )