From cfd7f1571bbcd4b141ad7d0dd4a4aaee77572df5 Mon Sep 17 00:00:00 2001
From: orignal <i2porignal@yandex.ru>
Date: Tue, 26 Jan 2016 19:02:06 -0500
Subject: [PATCH] check clock skew

---
 NTCPSession.cpp | 21 +++++++++++++++++++++
 NTCPSession.h   |  1 +
 2 files changed, 22 insertions(+)

diff --git a/NTCPSession.cpp b/NTCPSession.cpp
index 8515d1a9..3589c9d2 100644
--- a/NTCPSession.cpp
+++ b/NTCPSession.cpp
@@ -372,6 +372,17 @@ namespace transport
 		buf += 4;
 		buf += paddingLen;	
 
+		// check timestamp
+		auto ts = i2p::util::GetSecondsSinceEpoch ();
+		uint32_t tsA1 = be32toh (tsA);
+		if (tsA1 < ts - NTCP_CLOCK_SKEW || tsA1 > ts + NTCP_CLOCK_SKEW)
+		{
+			LogPrint (eLogError, "NTCP: Phase3 time difference ", ts - tsA1, " exceeds clock skew"); 
+			Terminate ();
+			return;
+		}	
+
+		// check signature
 		SignedData s;
 		s.Insert (m_Establisher->phase1.pubKey, 256); // x
 		s.Insert (m_Establisher->phase2.pubKey, 256); // y
@@ -443,6 +454,16 @@ namespace transport
 		{	
 			m_Decryption.Decrypt(m_ReceiveBuffer, bytes_transferred, m_ReceiveBuffer);
 
+			// check timestamp
+			uint32_t tsB = bufbe32toh (m_Establisher->phase2.encrypted.timestamp);
+			auto ts = i2p::util::GetSecondsSinceEpoch ();
+			if (tsB < ts - NTCP_CLOCK_SKEW || tsB > ts + NTCP_CLOCK_SKEW)
+			{
+				LogPrint (eLogError, "NTCP: Phase4 time difference ", ts - tsB, " exceeds clock skew"); 
+				Terminate ();
+				return;
+			}	
+			
 			// verify signature
 			SignedData s;
 			s.Insert (m_Establisher->phase1.pubKey, 256); // x
diff --git a/NTCPSession.h b/NTCPSession.h
index 7e45137e..12d8b54e 100644
--- a/NTCPSession.h
+++ b/NTCPSession.h
@@ -39,6 +39,7 @@ namespace transport
 	const int NTCP_TERMINATION_TIMEOUT = 120; // 2 minutes
 	const size_t NTCP_DEFAULT_PHASE3_SIZE = 2/*size*/ + i2p::data::DEFAULT_IDENTITY_SIZE/*387*/ + 4/*ts*/ + 15/*padding*/ + 40/*signature*/; // 448 	
 	const int NTCP_BAN_EXPIRATION_TIMEOUT = 70; // in second
+	const int NTCP_CLOCK_SKEW = 60; // in seconds 
 
 	class NTCPServer;
 	class NTCPSession: public TransportSession, public std::enable_shared_from_this<NTCPSession>