-
YACOVM authored
Background: ------------ The previous commit added support in the discovery layer for policies that effect the membership response handling logic. That logic is based on the selfInformation field which is a signed GossipMessage that contains an AliveMessage and is supposed to represent the remote peer that sent the membership request. Even though the message is validated, nothing prevents an attacker to replay a signedMessage he recorded. There is a TODO in the code that says: https://github.com/hyperledger/fabric/blob/master/gossip/discovery/discovery_impl.go#L293 // TODO: make sure somehow that the membership request is "fresh" This is to prevent replay attacks, and: 1) This needs to be addressed for FAB-2007 2) A replay attack can happen anyway if a malicious peer gets hold of such a message early enough befor the attacked peer got the message What's in this commit? ---------------------- This commit leverages the fact that a membership request is point-to-point, and checks that the sender of the membership request is the same peer that is on the other side of the connection. Also removed the TODO since now it's not needed anymore. How is this tested? -------------------- I added a test that creates such a replay attack and spoofs a membership request, and compares it to a valid membership request to demonstrate that the attack prevention works. Change-Id: I8c994b5627189a1d0fb3f6a7d9edbd9a9c021b2c Signed-off-by: Yacov Manevich <yacovm@il.ibm.com>
cde26407