diff options
| -rwxr-xr-x | local/require-signed-push | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/local/require-signed-push b/local/require-signed-push index 20bc2e1..447e14a 100755 --- a/local/require-signed-push +++ b/local/require-signed-push @@ -98,7 +98,7 @@ verify_pusher_clock() { # Timestamps: # T0: nonce generation time (server, trusted input) - # T1: nonce signature time (client, untrusted input!) + # T1: nonce signature START time (client, untrusted input!) # T2: signed-nonce receive time (server, trusted input) T0="$SERVER_NONCE_TIME" T1="$PUSHER_SIGN_TIME" @@ -111,9 +111,11 @@ verify_pusher_clock() { # T2-T0: how long the roundtrip took (only contains trusted inputs) # - will only be negative if the server clock jump backwards during the round-trip! # - # T2-T1: how long it took the client to send the signed nonce back (depends on untrusted input) + # T2-T1: how long it took the client to sign their timestamp & nonce and + # send it back (depends on untrusted input) # - will be negative if the client (T1) has a clock AHEAD of server (T2), # e.g. clock is "fast" + # - MAY contain delay from smartcards/tokens requiring interaction. DELTA_T1_T0=$(( T1 - T0 )) DELTA_T2_T0=$(( T2 - T0 )) DELTA_T2_T1=$(( T2 - T1 )) |