check introset timestamps

include/llarp/service/IntroSet.hpp

@@ -129,7 +129,7 @@ namespace llarp
       DecodeKey(llarp_buffer_t key, llarp_buffer_t* buf);
 
       bool
-      VerifySignature(llarp_crypto* crypto) const;
+      Verify(llarp_crypto* crypto) const;
     };
   }  // namespace service
 }  // namespace llarp

llarp/dht/context.cpp

@@ -327,10 +327,9 @@ namespace llarp
       bool
       Validate(const service::IntroSet &value) const
       {
-        if(!value.VerifySignature(parent->Crypto()))
+        if(!value.Verify(parent->Crypto()))
         {
-          llarp::LogWarn(
-              "Got introset with invalid signature from service lookup");
+          llarp::LogWarn("Got invalid introset from service lookup");
           return false;
         }
         if(value.A.Addr() != target)
@@ -552,9 +551,9 @@ namespace llarp
       bool
       Validate(const service::IntroSet &introset) const
       {
-        if(!introset.VerifySignature(parent->Crypto()))
+        if(!introset.Verify(parent->Crypto()))
         {
-          llarp::LogWarn("got introset from tag lookup with invalid signature");
+          llarp::LogWarn("got invalid introset from tag lookup");
           return false;
         }
         if(introset.topic != target)

llarp/dht/got_intro.cpp

@@ -28,10 +28,10 @@ namespace llarp
 
       for(const auto &introset : I)
       {
-        if(!introset.VerifySignature(crypto))
+        if(!introset.Verify(crypto))
         {
           llarp::LogWarn(
-              "Invalid introset signature while handling direct GotIntro "
+              "Invalid introset while handling direct GotIntro "
               "from ",
               From);
           return false;

llarp/dht/publish_intro.cpp

@@ -50,9 +50,9 @@ namespace llarp
         return false;
       }
       auto &dht = ctx->impl;
-      if(!I.VerifySignature(&dht.router->crypto))
+      if(!I.Verify(&dht.router->crypto))
       {
-        llarp::LogWarn("invalid introset signature, ", I);
+        llarp::LogWarn("invalid introset: ", I);
         return false;
       }
       if(I.W && !I.W->IsValid(dht.router->crypto.shorthash))

llarp/service.cpp

@@ -290,7 +290,7 @@ namespace llarp
     }
 
     bool
-    IntroSet::VerifySignature(llarp_crypto* crypto) const
+    IntroSet::Verify(llarp_crypto* crypto) const
     {
       byte_t tmp[MAX_INTROSET_SIZE];
       auto buf = llarp::StackBuffer< decltype(tmp) >(tmp);
@@ -302,7 +302,25 @@ namespace llarp
       // rewind and resize buffer
       buf.sz  = buf.cur - buf.base;
       buf.cur = buf.base;
-      return A.Verify(crypto, buf, Z);
+      if(!A.Verify(crypto, buf, Z))
+        return false;
+      // validate PoW
+      if(W && !W->IsValid(crypto->shorthash))
+        return false;
+      // valid timestamps
+      auto now = llarp_time_now_ms();
+      for(const auto& intro : I)
+      {
+        if(intro.expiresAt >= now
+           && intro.expiresAt - now > DEFAULT_PATH_LIFETIME)
+        {
+          if(W && intro.expiresAt - W->extendedLifetime > DEFAULT_PATH_LIFETIME)
+            return false;
+          else if(W == nullptr)
+            return false;
+        }
+      }
+      return !IsExpired(now);
     }
 
     bool

llarp/service/endpoint.cpp

@@ -271,10 +271,10 @@ namespace llarp
       std::set< IntroSet > remote;
       for(const auto& introset : msg->I)
       {
-        if(!introset.VerifySignature(crypto))
+        if(!introset.Verify(crypto))
         {
-          llarp::LogInfo("invalid introset signature for ", introset,
-                         " on endpoint ", Name());
+          llarp::LogInfo("invalid introset ", introset, " on endpoint ",
+                         Name());
           if(m_Identity.pub == introset.A && m_CurrentPublishTX == msg->T)
           {
             IntroSetPublishFail();
@@ -1204,6 +1204,8 @@ namespace llarp
                                          const RouterContact& prev,
                                          RouterContact& cur, size_t hop)
     {
+      if(remoteIntro.router.IsZero())
+        return false;
       if(hop == numHops - 1)
       {
         if(llarp_nodedb_get_rc(db, remoteIntro.router, cur))

test/hiddenservice_unittest.cpp

@@ -31,16 +31,17 @@ TEST_F(HiddenServiceTest, TestGenerateIntroSet)
   llarp::service::Address addr;
   ASSERT_TRUE(ident.pub.CalculateAddress(addr.data()));
   llarp::service::IntroSet I;
+  auto now = llarp_time_now_ms();
   while(I.I.size() < 10)
   {
     llarp::service::Introduction intro;
-    intro.expiresAt = 1000;
+    intro.expiresAt = now + (DEFAULT_PATH_LIFETIME / 2);
     intro.router.Randomize();
     intro.pathID.Randomize();
     I.I.push_back(intro);
   }
   ASSERT_TRUE(ident.SignIntroSet(I, Crypto()));
-  ASSERT_TRUE(I.VerifySignature(Crypto()));
+  ASSERT_TRUE(I.Verify(Crypto()));
 };
 
 TEST_F(HiddenServiceTest, TestAddressToFromString)