diff --git a/crates/phactory/src/nts.rs b/crates/phactory/src/nts.rs
index 2f2fe8a8f..9d0c42f4f 100644
--- a/crates/phactory/src/nts.rs
+++ b/crates/phactory/src/nts.rs
@@ -32,7 +32,9 @@ pub(crate) async fn nts_get_time_secs() -> Result {
 }

 fn validate_results(results: Vec) -> Result {
- if results.len() < 2 {
+ const MIN_RESULTS: usize = 2;
+ const MAX_VARIANCE: u64 = 60;
+ if results.len() < MIN_RESULTS {
 anyhow::bail!("Not enough results");
 }
 let average = results.iter().sum::() / results.len() as u64;
@@ -41,7 +43,7 @@ fn validate_results(results: Vec) -> Result {
 .map(|r| (*r as i64 - average as i64).unsigned_abs())
 .max()
 .unwrap_or_default();
- if max_diff > 60 {
+ if max_diff > MAX_VARIANCE {
 anyhow::bail!("Time difference is too large: {}", max_diff);
 }
 Ok(average)
diff --git a/crates/phactory/src/prpc_service.rs b/crates/phactory/src/prpc_service.rs
index 234c884cb..7f14669b9 100644
--- a/crates/phactory/src/prpc_service.rs
+++ b/crates/phactory/src/prpc_service.rs
@@ -1866,6 +1866,8 @@ impl PhactoryApi for Rpc
 &mut self,
 request: pb::DcapHandoverChallengeResponse,
 ) -> RpcResult {
+ const CLIENT_TIMEOUT_SECS: u64 = 60;
+
 let ntp_now = crate::nts::nts_get_time_secs()
 .await
 .map_err(from_display)?;
@@ -1884,7 +1886,9 @@ impl PhactoryApi for Rpc
 return Err(from_display("Invalid challenge"));
 }
 // 2. ensure delta time between client and server is within 1 minutes
- if challenge.ntp_time_secs > ntp_now || ntp_now - challenge.ntp_time_secs > 60 {
+ if challenge.ntp_time_secs > ntp_now
+ || ntp_now - challenge.ntp_time_secs > CLIENT_TIMEOUT_SECS
+ {
 return Err(from_display("Invalid NTP time"));
 }
 // 3. verify sgx local attestation report to ensure the handover pRuntimes are on the same machine
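Review bot: `MAX_VARIANCE` in the first nts.rs hunk is compared against the largest absolute deviation of a single result from the mean, in seconds, so it is neither a variance nor self-describing about its unit, unlike `CLIENT_TIMEOUT_SECS` added elsewhere in this commit. I would call it `MAX_DEVIATION_SECS` and put `/// Largest allowed distance, in seconds, of any single result from the average.` above it; the comparison in the second hunk (`if max_diff > MAX_VARIANCE`) changes with it. The same comment should say that with `MIN_RESULTS = 2` two time sources can disagree by up to twice that bound and still pass, because each is measured against their mean rather than against the other. The body of `validate_results` is split across the two hunks with lines between them not shown.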
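Review bot: In the step-2 check of prpc_service.rs the comment still hard-codes "within 1 minutes" while the bound now lives in `CLIENT_TIMEOUT_SECS`, and that name reads like a network timeout although the value is used as the maximum accepted age of `challenge.ntp_time_secs`. A doc comment on the constant such as `/// Maximum accepted age, in seconds, of challenge.ntp_time_secs.` and a reworded step comment, `// 2. reject a challenge stamped in the future or older than CLIENT_TIMEOUT_SECS`, would keep the two in step. The window is also the same 60 seconds that `validate_results` in nts.rs tolerates between time sources, so the clock error accepted there is as large as the freshness window enforced here; if that is intended it deserves a sentence in the comment. The handler starts and ends outside these hunks.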
@@ -1897,13 +1901,7 @@ impl PhactoryApi for Rpc
 if handler_hash != recv_local_report.body.report_data[..32] {
 return Err(from_display("Invalid challenge handler"));
 }
- // 4. verify challenge block height and report timestamp
- // only challenge within 150 blocks (30 minutes) is accepted
- let challenge_height = challenge.block_number;
- if !(challenge_height <= block_number && block_number - challenge_height <= 150) {
- return Err(from_display("Outdated challenge"));
- }
- // 5. verify pruntime launch date, never handover to old pruntime
+ // 4. verify pruntime launch date, never handover to old pruntime
 if !dev_mode {
 let runtime_state = phactory.runtime_state()?;
 let my_runtime_timestamp = runtime_state
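Review bot: With the block-height check (old step 4) removed, the only freshness bound on the challenge visible in this handler is the NTS time window in step 2, and nothing in the new code records why the chain-height bound was dropped. A comment at the old location would help the next reader, for example `// NOTE: challenge.block_number is no longer checked; freshness relies on the NTS window in step 2`. If `block_number` was bound earlier in the function only for that comparison it may now be unused, and it is worth confirming that the "Invalid challenge" check in step 1 makes a challenge single-use, since the age limit is otherwise the only bound on reuse. Both of those sit outside the hunk, so they need checking against the full function.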