Skip to content

Commit

Permalink
Use constants and remove unnecessary check
Browse files Browse the repository at this point in the history
  • Loading branch information
@kvinwang
kvinwang committed Feb 18, 2024
1 parent 3e79f16 commit dc1c040
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 10 deletions.
6 changes: 4 additions & 2 deletions crates/phactory/src/nts.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,9 @@ pub(crate) async fn nts_get_time_secs() -> Result<u64> {
}

fn validate_results(results: Vec<u64>) -> Result<u64> {
if results.len() < 2 {
const MIN_RESULTS: usize = 2;
const MAX_VARIANCE: u64 = 60;
if results.len() < MIN_RESULTS {
anyhow::bail!("Not enough results");
}
let average = results.iter().sum::<u64>() / results.len() as u64;
Expand All @@ -41,7 +43,7 @@ fn validate_results(results: Vec<u64>) -> Result<u64> {
.map(|r| (*r as i64 - average as i64).unsigned_abs())
.max()
.unwrap_or_default();
if max_diff > 60 {
if max_diff > MAX_VARIANCE {
anyhow::bail!("Time difference is too large: {}", max_diff);
}
Ok(average)
Expand Down
14 changes: 6 additions & 8 deletions crates/phactory/src/prpc_service.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1866,6 +1866,8 @@ impl<Platform: pal::Platform + Serialize + DeserializeOwned> PhactoryApi for Rpc
&mut self,
request: pb::DcapHandoverChallengeResponse,
) -> RpcResult<pb::DcapHandoverWorkerKey> {
const CLIENT_TIMEOUT_SECS: u64 = 60;

let ntp_now = crate::nts::nts_get_time_secs()
.await
.map_err(from_display)?;
Expand All @@ -1884,7 +1886,9 @@ impl<Platform: pal::Platform + Serialize + DeserializeOwned> PhactoryApi for Rpc
return Err(from_display("Invalid challenge"));
}
// 2. ensure delta time between client and server is within 1 minutes
if challenge.ntp_time_secs > ntp_now || ntp_now - challenge.ntp_time_secs > 60 {
if challenge.ntp_time_secs > ntp_now
|| ntp_now - challenge.ntp_time_secs > CLIENT_TIMEOUT_SECS
{
return Err(from_display("Invalid NTP time"));
}
// 3. verify sgx local attestation report to ensure the handover pRuntimes are on the same machine
Expand All @@ -1897,13 +1901,7 @@ impl<Platform: pal::Platform + Serialize + DeserializeOwned> PhactoryApi for Rpc
if handler_hash != recv_local_report.body.report_data[..32] {
return Err(from_display("Invalid challenge handler"));
}
// 4. verify challenge block height and report timestamp
// only challenge within 150 blocks (30 minutes) is accepted
let challenge_height = challenge.block_number;
if !(challenge_height <= block_number && block_number - challenge_height <= 150) {
return Err(from_display("Outdated challenge"));
}
// 5. verify pruntime launch date, never handover to old pruntime
// 4. verify pruntime launch date, never handover to old pruntime
if !dev_mode {
let runtime_state = phactory.runtime_state()?;
let my_runtime_timestamp = runtime_state
Expand Down

0 comments on commit dc1c040

Please sign in to comment.