author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2016-01-21 08:54:59 -0600 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2016-01-21 08:54:59 -0600 |
commit | a418e96e08537e77b86c7eff8975e0c76b251797 (patch) | |
tree | e358b7def421ef7c2414e13897f4b124934efa1d | |
parent | f0546c66551099b69a69b6d3db9b439aeb8bea08 (diff) | |
fernet fix: ignore the timestamp entirely when no ttl is set
Previously if the token claimed to have been generated more than 60
seconds in the future we would raise InvalidToken even if ttl was set
to None.
-rw-r--r-- | src/cryptography/fernet.py | 6 | ||||
-rw-r--r-- | tests/test_fernet.py | 9 |
2 files changed, 13 insertions, 2 deletions
diff --git a/src/cryptography/fernet.py b/src/cryptography/fernet.py
index 6fbe9f27..99eb10e5 100644
--- a/src/cryptography/fernet.py
+++ b/src/cryptography/fernet.py
@@ -91,8 +91,10 @@ class Fernet(object):
 if ttl is not None:
 if timestamp + ttl < current_time:
 raise InvalidToken
- if current_time + _MAX_CLOCK_SKEW < timestamp:
- raise InvalidToken
+
+ if current_time + _MAX_CLOCK_SKEW < timestamp:
+ raise InvalidToken
+
 h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend)
 h.update(data[:-32])
 try:
diff --git a/tests/test_fernet.py b/tests/test_fernet.py
index 0b93f017..c272eec0 100644
--- a/tests/test_fernet.py
+++ b/tests/test_fernet.py
@@ -103,6 +103,15 @@ class TestFernet(object):
 with pytest.raises(TypeError):
 f.decrypt(u"")

+ def test_timestamp_ignored_no_ttl(self, monkeypatch, backend):
+ f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
+ pt = b"encrypt me"
+ token = f.encrypt(pt)
+ ts = "1985-10-26T01:20:01-07:00"
+ current_time = calendar.timegm(iso8601.parse_date(ts).utctimetuple())
+ monkeypatch.setattr(time, "time", lambda: current_time)
+ assert f.decrypt(token, ttl=None) == pt
+
 @pytest.mark.parametrize("message", [b"", b"Abc!", b"\x00\xFF\x00\x80"])
 def test_roundtrips(self, message, backend):
 f = Fernet(Fernet.generate_key(), backend=backend) |
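Review bot: The clock-skew check in the `Fernet` decrypt path now sits under `if ttl is not None:` with no comment saying this is deliberate, so a later cleanup could hoist it back out and reintroduce the bug (the nesting is inferred from the commit message, because indentation is lost on this page). I would add `# With ttl=None the timestamp is ignored entirely: no expiry and no future-skew check.` above the `if ttl is not None:` line. The method's docstring or the user documentation, both outside this hunk, should also state that a caller passing `ttl=None` gets no freshness bound, so a captured token stays valid for as long as the key is in use. Both timestamp comparisons still run before the `HMAC` verification that follows; they raise the same `InvalidToken`, so this looks harmless, but the ordering deserves a short comment as well. The enclosing method starts and ends outside the hunk.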
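Review bot: `test_timestamp_ignored_no_ttl` pins only the relaxed path, so nothing in this hunk guards against the future-timestamp check being dropped altogether when a ttl is supplied. Under the same patched clock I would add `with pytest.raises(InvalidToken): f.decrypt(token, ttl=60)`, assuming `InvalidToken` is imported in this module, which the hunk does not show; the value 60 is only an example. The setup also depends on `f.encrypt(pt)` running before `monkeypatch.setattr`, so a comment such as `# token is minted at real wall-clock time; the clock is then moved back so the token appears far in the future` would make that ordering explicit.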