Fix tsig fudge factor

Excellent bug report from freb, about how this fails when a message arrives in the past (because of clock skew). Closes #153
2014-11-11 17:58:12 +00:00 · 2014-11-11 17:58:12 +00:00 · 6e3a9dd0d8
parent 34f43d398b
commit 6e3a9dd0d8
1 changed files with 8 additions and 1 deletions
--- a/tsig.go
+++ b/tsig.go
@ -225,7 +225,14 @@ func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error {
 	}

 	buf := tsigBuffer(stripped, tsig, requestMAC, timersOnly)
-	ti := uint64(time.Now().Unix()) - tsig.TimeSigned
+
+	// Fudge factor works both ways. A message can arrive before it was signed because
+	// of clock skew.
+	now := uint64(time.Now().Unix())
+	ti := now - tsig.TimeSigned
+	if now < tsig.TimeSigned {
+		ti = tsig.TimeSigned - now
+	}
 	if uint64(tsig.Fudge) < ti {
 		return ErrTime
 	}