From a418e96e08537e77b86c7eff8975e0c76b251797 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Thu, 21 Jan 2016 08:54:59 -0600
Subject: fernet fix: ignore the timestamp entirely when no ttl is set

Previously if the token claimed to have been generated more than 60 seconds in the future we would raise InvalidToken even if ttl was set to None.
---
 src/cryptography/fernet.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'src')

diff --git a/src/cryptography/fernet.py b/src/cryptography/fernet.py
index 6fbe9f27..99eb10e5 100644
--- a/src/cryptography/fernet.py
+++ b/src/cryptography/fernet.py
@@ -91,8 +91,10 @@ class Fernet(object):
 if ttl is not None:
 if timestamp + ttl < current_time:
 raise InvalidToken
- if current_time + _MAX_CLOCK_SKEW < timestamp:
- raise InvalidToken
+
+ if current_time + _MAX_CLOCK_SKEW < timestamp:
+ raise InvalidToken
+
 h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend)
 h.update(data[:-32])
 try:
-- 
cgit v1.2.3
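Review bot: The `if ttl is not None:` block now carries a security-relevant contract that the code does not state: with `ttl=None` the token's timestamp is not checked at all, so a token of any age, or one dated in the future, is accepted as long as the HMAC check below verifies. I would add a comment above the block, e.g. `# Timestamp is only validated when a ttl is given; ttl=None means no expiry and no future-date check.`, and state the same in the method's documentation so callers who need freshness know they must pass a ttl. The nesting of the clock-skew check under the ttl branch is inferred from the commit message, since the page has lost the hunk's indentation. The enclosing method starts and ends outside the hunk.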