From 58800a12e021b6b03966f7f0b7b4de6efafaeb53 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Fri, 26 Jan 2024 12:56:09 -0500
Subject: [PATCH] Address some review feedback
---
 go.mod | 2 +-
 internal/bsr/bsr_open_test.go | 2 +-
 internal/daemon/worker/handler.go | 3 ++-
 internal/daemon/worker/worker.go | 4 ++++
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index faaf01cd82..7100277057 100644
--- a/go.mod
+++ b/go.mod
@@ -104,7 +104,6 @@ require (
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 golang.org/x/net v0.17.0
 google.golang.org/genproto/googleapis/api v0.0.0-20231012201019-e917dd12ba7a
- gopkg.in/square/go-jose.v2 v2.5.1
 )
 
 require (
@@ -201,6 +200,7 @@ require (
 golang.org/x/time v0.3.0 // indirect
 google.golang.org/appengine v1.6.8 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 // indirect
+ gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 gorm.io/driver/sqlite v1.5.3 // indirect
diff --git a/internal/bsr/bsr_open_test.go b/internal/bsr/bsr_open_test.go
index 59918f212a..b2716d144d 100644
--- a/internal/bsr/bsr_open_test.go
+++ b/internal/bsr/bsr_open_test.go
@@ -5,6 +5,7 @@ package bsr
 
 import (
 "context"
+ "encoding/json"
 "fmt"
 "testing"
 
@@ -13,7 +14,6 @@ import (
 "github.com/hashicorp/boundary/internal/storage"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "gopkg.in/square/go-jose.v2/json"
 )
 
 func TestPopulateMeta(t *testing.T) {
diff --git a/internal/daemon/worker/handler.go b/internal/daemon/worker/handler.go
index 83ea6e0ba0..97e6ff538b 100644
--- a/internal/daemon/worker/handler.go
+++ b/internal/daemon/worker/handler.go
@@ -5,6 +5,7 @@ package worker
 
 import (
 "context"
+ "crypto/subtle"
 stderrors "errors"
 "fmt"
 "io"
@@ -169,7 +170,7 @@ func (w *Worker) handleProxy(listenerCfg *listenerutil.ListenerConfig, sessionMa
 }
 
 if sess.GetTofuToken() != "" {
- if sess.GetTofuToken() != handshake.GetTofuToken() {
+ if subtle.ConstantTimeCompare([]byte(sess.GetTofuToken()), []byte(handshake.GetTofuToken())) != 1 {
 event.WriteError(ctx, op, stderrors.New("WARNING: mismatched tofu token"), event.WithInfo("session_id", sessionId))
 if err = conn.Close(websocket.StatusPolicyViolation, "tofu token not allowed"); err != nil {
 event.WriteError(ctx, op, err, event.WithInfoMsg("error closing client connection"))
diff --git a/internal/daemon/worker/worker.go b/internal/daemon/worker/worker.go
index cd7a28ec22..7ecbfec506 100644
--- a/internal/daemon/worker/worker.go
+++ b/internal/daemon/worker/worker.go
@@ -7,6 +7,7 @@ import (
 "context"
 "crypto/ed25519"
 "crypto/rand"
+ "crypto/subtle"
 "crypto/tls"
 "crypto/x509"
 "fmt"
@@ -783,6 +784,9 @@ func (w *Worker) getSessionTls(sessionManager session.Manager) func(hello *tls.C
 if len(cs.PeerCertificates) == 0 {
 return errors.New(ctx, errors.InvalidParameter, op, "no peer certificates provided")
 }
+ if subtle.ConstantTimeCompare(cs.PeerCertificates[0].Raw, sess.GetCertificate().Raw) != 1 {
+ return errors.New(ctx, errors.InvalidParameter, op, "expected peer certificate to match session certificate")
+ }
 _, err := cs.PeerCertificates[0].Verify(verifyOpts)
 return err
 }
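Review bot: In internal/daemon/worker/handler.go, the new `subtle.ConstantTimeCompare` check in handleProxy carries no comment saying why a constant-time comparison is used, so a later cleanup could reasonably turn it back into `!=`. I would add `// Compare in constant time so response timing does not reveal how much of the tofu token matched.` directly above the inner `if`. ConstantTimeCompare returns 0 immediately when the two lengths differ, so the token length is still observable; that is acceptable if tofu tokens are fixed-length, which is not visible in this hunk. handleProxy starts and ends outside the hunk.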
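Review bot: In internal/daemon/worker/worker.go, the added certificate check reads `sess.GetCertificate().Raw` without a nil guard; if a session can exist without a parsed certificate (not visible in this hunk), the callback would panic during the TLS handshake instead of rejecting the connection. Consider `sessCert := sess.GetCertificate()` followed by `if sessCert == nil || subtle.ConstantTimeCompare(cs.PeerCertificates[0].Raw, sessCert.Raw) != 1 {`, so the pinning check fails closed. Certificates are public data, so the constant-time comparison is harmless here but not what provides the protection; a short comment saying the check pins the peer to the session's certificate before chain verification would make the intent clear. The enclosing closure in getSessionTls starts outside the hunk.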