Reject newly-created token if timeskew from server is too large

The Symantec server will apparently accept up to ~3000s/50min of time skew,
and "bake it in" to a newly-created TOTP token. WUT 😱⁉️

See #56 for the confusion that can follow.

Let's not. Reject the token if the timeskew from the server appears to be
greater than 1/3 of the period.

vipaccess/__main__.py

@@ -56,9 +56,12 @@ def provision(p, args):
  otp_secret_b32 = base64.b32encode(otp_secret).upper().decode('ascii')
  print("Checking token against Symantec server...")
  if not vp.check_token(otp_token, otp_secret, session):
- print("WARNING: Something went wrong--the token could not be validated.\n",
- " (check your system time; it differs from the server's by %d seconds)\n" % otp_token['timeskew'],
- file=sys.stderr)
+ p.error("Something went wrong--the token could not be validated.\n"
+ " (Check your system time; it differs from the server's by %d seconds)\n" % otp_token['timeskew'])
+ elif 'period' in otp_token and otp_token['timeskew'] > otp_token['period']/10:
+ p.error("Your system time differs from the server's by %d seconds;\n"
+ " The offset would be 'baked in' to the newly-created token.\n"
+ " Fix system time and try again." % otp_token['timeskew'])
 
  if args.print:
  otp_uri = vp.generate_otp_uri(otp_token, otp_secret, args.issuer)

vipaccess/provision.py

@@ -213,7 +213,7 @@ def check_token(token, secret, session=requests, timestamp=None):
  elif token.get('period'): # TOTP
  otp = totp(secret_hex, period=token['period'], t=timestamp)
  else: # Assume TOTP with default period 30 (FIXME)
- otp = totp(secret_hex)
+ otp = totp(secret_hex, t=timestamp)
  data = {'cr%s'%d:c for d,c in enumerate(otp, 1)}
  data['cred'] = token['id']
  data['continue'] = 'otp_check'