Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Client::update_root should verify fetched metadata is expected version #253

Open
erickt opened this issue Dec 6, 2019 · 1 comment
Open

Client::update_root should verify fetched metadata is expected version #253

erickt opened this issue Dec 6, 2019 · 1 comment

Comments

@erickt
Copy link
Collaborator

erickt commented Dec 6, 2019

When tuf::Client::update_root downloads root metadata from a server, it's currently not checking that that metadata's version matches the expected version. So this means if we are currently on version 5.root.json, when we try to download 6.root.json the server could actually give us version 7. We should make sure the metadata matches the expected version.
@erickt
Copy link
Collaborator Author

erickt commented Dec 6, 2019

Here is the relevant section of the spec:

1.4. Check for a rollback attack. The version number of the trusted root metadata file (version N) must be less than or equal to the version number of the new root metadata file (version N+1). Effectively, this means checking that the version number signed in the new root metadata file is indeed N+1. If the version of the new root metadata file is less than the trusted metadata file, discard it, abort the update cycle, and report the rollback attack. On the next update cycle, begin at step 0 and version N of the root metadata file.

@erickt erickt mentioned this issue Feb 4, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@erickt