From 8e71caa2e379af1d97105bec40c2668f363fdc38 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Fri, 26 Jan 2024 12:56:09 -0500 Subject: [PATCH] Address some review feedback --- go.mod | 1 - go.sum | 2 -- internal/bsr/bsr_open_test.go | 2 +- internal/daemon/worker/handler.go | 3 ++- internal/daemon/worker/worker.go | 4 ++++ 5 files changed, 7 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 1d183c3846..e2fe5d6aeb 100644 --- a/go.mod +++ b/go.mod @@ -106,7 +106,6 @@ require ( golang.org/x/exp v0.0.0-20231006140011-7918f672742d golang.org/x/net v0.17.0 google.golang.org/genproto/googleapis/api v0.0.0-20231030173426-d783a09b4405 - gopkg.in/square/go-jose.v2 v2.6.0 ) require ( diff --git a/go.sum b/go.sum index 76287f5358..4739d6059e 100644 --- a/go.sum +++ b/go.sum @@ -919,8 +919,6 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s= gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= -gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= -gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/internal/bsr/bsr_open_test.go b/internal/bsr/bsr_open_test.go index 59918f212a..b2716d144d 100644 --- a/internal/bsr/bsr_open_test.go +++ b/internal/bsr/bsr_open_test.go @@ -5,6 +5,7 @@ package bsr import ( "context" + "encoding/json" "fmt" "testing" @@ -13,7 +14,6 @@ import ( "github.com/hashicorp/boundary/internal/storage" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "gopkg.in/square/go-jose.v2/json" ) func TestPopulateMeta(t *testing.T) { diff --git a/internal/daemon/worker/handler.go b/internal/daemon/worker/handler.go index e78e63677a..edd460f95e 100644 --- a/internal/daemon/worker/handler.go +++ b/internal/daemon/worker/handler.go @@ -5,6 +5,7 @@ package worker import ( "context" + "crypto/subtle" stderrors "errors" "fmt" "io" @@ -169,7 +170,7 @@ func (w *Worker) handleProxy(listenerCfg *listenerutil.ListenerConfig, sessionMa } if sess.GetTofuToken() != "" { - if sess.GetTofuToken() != handshake.GetTofuToken() { + if subtle.ConstantTimeCompare([]byte(sess.GetTofuToken()), []byte(handshake.GetTofuToken())) != 1 { event.WriteError(ctx, op, stderrors.New("WARNING: mismatched tofu token"), event.WithInfo("session_id", sessionId)) if err = conn.Close(websocket.StatusPolicyViolation, "tofu token not allowed"); err != nil { event.WriteError(ctx, op, err, event.WithInfoMsg("error closing client connection")) diff --git a/internal/daemon/worker/worker.go b/internal/daemon/worker/worker.go index ccf8be1408..f32aca4907 100644 --- a/internal/daemon/worker/worker.go +++ b/internal/daemon/worker/worker.go @@ -7,6 +7,7 @@ import ( "context" "crypto/ed25519" "crypto/rand" + "crypto/subtle" "crypto/tls" "crypto/x509" "fmt" @@ -780,6 +781,9 @@ func (w *Worker) getSessionTls(sessionManager session.Manager) func(hello *tls.C if len(cs.PeerCertificates) == 0 { return errors.New(ctx, errors.InvalidParameter, op, "no peer certificates provided") } + if subtle.ConstantTimeCompare(cs.PeerCertificates[0].Raw, sess.GetCertificate().Raw) != 1 { + return errors.New(ctx, errors.InvalidParameter, op, "expected peer certificate to match session certificate") + } _, err := cs.PeerCertificates[0].Verify(verifyOpts) return err }