Commit b8fe1ea
committed
fix(pubsub): verify message from matches signing key and prevent seen-cache poisoning
Closes a strict-sign origin spoofing vulnerability in the pubsub stack. A peer
with any valid signing key could publish a signed message whose `from` named a
different peer; receivers attributed the message to the impersonated peer and
the forged `from || seqno` poisoned the seen-cache, suppressing the legitimate
follow-up message from the real author.
Three changes:
* PubsubCrypto.pubsubValidate now rejects messages missing/empty `from`, `key`
or `signature`, returns false (never throws) on un-parseable key/from, and
requires `PeerId.fromPubKey(msg.key) == PeerId(msg.from)` in addition to the
existing signature check.
* PubsubApiImpl.PublisherImpl.publishExt rejects any caller-supplied `from`
that does not match the publisher's signing key, throwing
IllegalArgumentException. Null `from` continues to default to the signing
key's PeerId as before; unsigned publishers (no privKey) are unchanged.
* AbstractRouter no longer leaves a seenMessages entry behind for a message
that fails validation. On both sync and async validation failure the entry
inserted speculatively at the start of `onInbound` is evicted, so a later
legitimate message with the same id is still processed and delivered.
Adds PubsubStrictSignSpoofTest covering forged-from rejection, missing-field
rejection, publishExt mismatch rejection, the matching-from happy path, and an
end-to-end regression test that the seen-cache is no longer poisoned by a
rejected forgery.1 parent 18b0d95 commit b8fe1ea
4 files changed
Lines changed: 359 additions & 4 deletions
File tree
- libp2p/src
- main/kotlin/io/libp2p/pubsub
- test/kotlin/io/libp2p/pubsub
Lines changed: 13 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
226 | 226 | | |
227 | 227 | | |
228 | 228 | | |
229 | | - | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
230 | 234 | | |
231 | 235 | | |
232 | 236 | | |
| |||
240 | 244 | | |
241 | 245 | | |
242 | 246 | | |
243 | | - | |
244 | | - | |
| 247 | + | |
| 248 | + | |
| 249 | + | |
| 250 | + | |
| 251 | + | |
| 252 | + | |
| 253 | + | |
| 254 | + | |
245 | 255 | | |
246 | 256 | | |
247 | 257 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
42 | 42 | | |
43 | 43 | | |
44 | 44 | | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
45 | 55 | | |
46 | 56 | | |
47 | 57 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
3 | 4 | | |
4 | 5 | | |
5 | 6 | | |
6 | 7 | | |
| 8 | + | |
7 | 9 | | |
8 | 10 | | |
9 | 11 | | |
10 | 12 | | |
| 13 | + | |
| 14 | + | |
11 | 15 | | |
12 | 16 | | |
13 | 17 | | |
| |||
17 | 21 | | |
18 | 22 | | |
19 | 23 | | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
20 | 35 | | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
21 | 72 | | |
22 | 73 | | |
23 | 74 | | |
24 | 75 | | |
25 | | - | |
| 76 | + | |
26 | 77 | | |
27 | 78 | | |
28 | 79 | | |
| |||
0 commit comments