Address some review feedback

pull/4490/head
Jeff Mitchell 2 years ago
parent 64be29ac1b
commit 58800a12e0

@ -104,7 +104,6 @@ require (
golang.org/x/exp v0.0.0-20231006140011-7918f672742d
golang.org/x/net v0.17.0
google.golang.org/genproto/googleapis/api v0.0.0-20231012201019-e917dd12ba7a
gopkg.in/square/go-jose.v2 v2.5.1
)
require (
@ -201,6 +200,7 @@ require (
golang.org/x/time v0.3.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 // indirect
gopkg.in/square/go-jose.v2 v2.5.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
gorm.io/driver/sqlite v1.5.3 // indirect

@ -5,6 +5,7 @@ package bsr
import (
"context"
"encoding/json"
"fmt"
"testing"
@ -13,7 +14,6 @@ import (
"github.com/hashicorp/boundary/internal/storage"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gopkg.in/square/go-jose.v2/json"
)
func TestPopulateMeta(t *testing.T) {

@ -5,6 +5,7 @@ package worker
import (
"context"
"crypto/subtle"
stderrors "errors"
"fmt"
"io"
@ -169,7 +170,7 @@ func (w *Worker) handleProxy(listenerCfg *listenerutil.ListenerConfig, sessionMa
}
if sess.GetTofuToken() != "" {
if sess.GetTofuToken() != handshake.GetTofuToken() {
if subtle.ConstantTimeCompare([]byte(sess.GetTofuToken()), []byte(handshake.GetTofuToken())) != 1 {
event.WriteError(ctx, op, stderrors.New("WARNING: mismatched tofu token"), event.WithInfo("session_id", sessionId))
if err = conn.Close(websocket.StatusPolicyViolation, "tofu token not allowed"); err != nil {
event.WriteError(ctx, op, err, event.WithInfoMsg("error closing client connection"))
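Review bot: The constant-time comparison on the new `if` line carries no comment saying why `!=` was not enough, so a later cleanup could quietly revert it; add `// Compare in constant time so the rejection path does not leak how many token bytes matched.` above it. `subtle.ConstantTimeCompare` returns 0 immediately when the two lengths differ, so only the content comparison is constant-time; that is acceptable here because a length mismatch is already a mismatch, but it is worth stating in the comment. Both tokens are read through their getters twice in this hunk (the empty check on the line above and the compare); hoisting them into `sessTok := sess.GetTofuToken()` and `hsTok := handshake.GetTofuToken()` would make the guarded value and the compared value visibly the same. handleProxy starts before and continues after this hunk.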

@ -7,6 +7,7 @@ import (
"context"
"crypto/ed25519"
"crypto/rand"
"crypto/subtle"
"crypto/tls"
"crypto/x509"
"fmt"
@ -783,6 +784,9 @@ func (w *Worker) getSessionTls(sessionManager session.Manager) func(hello *tls.C
if len(cs.PeerCertificates) == 0 {
return errors.New(ctx, errors.InvalidParameter, op, "no peer certificates provided")
}
if subtle.ConstantTimeCompare(cs.PeerCertificates[0].Raw, sess.GetCertificate().Raw) != 1 {
return errors.New(ctx, errors.InvalidParameter, op, "expected peer certificate to match session certificate")
}
_, err := cs.PeerCertificates[0].Verify(verifyOpts)
return err
}
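Review bot: The added comparison dereferences `sess.GetCertificate().Raw` without a nil check, while the peer side is guarded by the `len(cs.PeerCertificates) == 0` test just above; whether `GetCertificate()` can return nil is not visible in this hunk, but if it can, the callback would panic inside the TLS handshake instead of returning an error. If that is possible, guard it first: `if sc := sess.GetCertificate(); sc == nil { return errors.New(ctx, errors.InvalidParameter, op, "no session certificate") }`. The comparison would also benefit from a one-line why comment, e.g. `// Reject a peer certificate that is not byte-for-byte the session certificate before running chain verification.`. getSessionTls and the inner verification callback start before this hunk.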
