Address some review feedback

2 years ago · 8e71caa2e3
parent 296639e484
commit 8e71caa2e3
5 changed files with 7 additions and 5 deletions
--- a/go.mod
+++ b/go.mod
@ -106,7 +106,6 @@ require (
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 	golang.org/x/net v0.17.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20231030173426-d783a09b4405
-	gopkg.in/square/go-jose.v2 v2.6.0
 )

 require (
--- a/go.sum
+++ b/go.sum
@ -919,8 +919,6 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy
 gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/internal/bsr/bsr_open_test.go
+++ b/internal/bsr/bsr_open_test.go
@ -5,6 +5,7 @@ package bsr

 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"testing"

@ -13,7 +14,6 @@ import (
 	"github.com/hashicorp/boundary/internal/storage"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/square/go-jose.v2/json"
 )

 func TestPopulateMeta(t *testing.T) {
--- a/internal/daemon/worker/handler.go
+++ b/internal/daemon/worker/handler.go
@ -5,6 +5,7 @@ package worker

 import (
 	"context"
+	"crypto/subtle"
 	stderrors "errors"
 	"fmt"
 	"io"
@ -169,7 +170,7 @@ func (w *Worker) handleProxy(listenerCfg *listenerutil.ListenerConfig, sessionMa
 		}

 		if sess.GetTofuToken() != "" {
-			if sess.GetTofuToken() != handshake.GetTofuToken() {
+			if subtle.ConstantTimeCompare([]byte(sess.GetTofuToken()), []byte(handshake.GetTofuToken())) != 1 {
 				event.WriteError(ctx, op, stderrors.New("WARNING: mismatched tofu token"), event.WithInfo("session_id", sessionId))
 				if err = conn.Close(websocket.StatusPolicyViolation, "tofu token not allowed"); err != nil {
 					event.WriteError(ctx, op, err, event.WithInfoMsg("error closing client connection"))
--- a/internal/daemon/worker/worker.go
+++ b/internal/daemon/worker/worker.go
@ -7,6 +7,7 @@ import (
 	"context"
 	"crypto/ed25519"
 	"crypto/rand"
+	"crypto/subtle"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@ -780,6 +781,9 @@ func (w *Worker) getSessionTls(sessionManager session.Manager) func(hello *tls.C
 			if len(cs.PeerCertificates) == 0 {
 				return errors.New(ctx, errors.InvalidParameter, op, "no peer certificates provided")
 			}
+			if subtle.ConstantTimeCompare(cs.PeerCertificates[0].Raw, sess.GetCertificate().Raw) != 1 {
+				return errors.New(ctx, errors.InvalidParameter, op, "expected peer certificate to match session certificate")
+			}
 			_, err := cs.PeerCertificates[0].Verify(verifyOpts)
 			return err
 		}