From 3417656d6e35bd5c6e4687bb7d008be6d8c73b43 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sat, 23 Nov 2013 07:47:23 -0800
Subject: Handle the clock skew check
---
 cryptography/fernet.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/cryptography/fernet.py b/cryptography/fernet.py
index aa46b36f..2ae0ae8b 100644
--- a/cryptography/fernet.py
+++ b/cryptography/fernet.py
@@ -57,6 +57,8 @@ bool Cryptography_constant_time_compare(uint8_t *a, size_t len_a, uint8_t *b,
 }
 """)
+_MAX_CLOCK_SKEW = 60
+
 class Fernet(object):
 def __init__(self, key, backend=None):
@@ -117,6 +119,8 @@ class Fernet(object):
 if ttl is not None:
 if struct.unpack(">Q", timestamp)[0] + ttl < current_time:
 raise InvalidToken
+ if current_time + _MAX_CLOCK_SKEW < struct.unpack(">Q", timestamp)[0]:
+ raise InvalidToken
 h = HMAC(self.signing_key, hashes.SHA256(), self.backend)
 h.update(data[:-32])
 hmac = h.finalize()
--
cgit v1.2.3
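Review bot: The added skew comparison in the second hunk is evaluated on the token's timestamp before the HMAC on the following lines has been checked, so the rejection is decided on bytes that are not yet authenticated. That is fine as long as this path stays indistinguishable from an HMAC failure, as it is here with the bare `raise InvalidToken`; a comment such as `# timestamp is not authenticated yet; reject exactly like a bad HMAC` would keep a later change from adding a distinct message or log line for the skew case. The timestamp is also unpacked a second time, and binding it once before both checks (`issued_at = struct.unpack(">Q", timestamp)[0]`, then `if current_time + _MAX_CLOCK_SKEW < issued_at:`) keeps the TTL and skew tests reading the same value. `_MAX_CLOCK_SKEW = 60` in the first hunk should state its unit in a comment, presumably seconds to match the token timestamp. The enclosing method starts and ends outside the hunk.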