Always disconnect block listed hosts (#858)

Nate Brown
2023-05-04 16:09:42 -05:00
committed by GitHub
parent 5fe8f45d05
commit 702e1c59bd
4 changed files with 22 additions and 14 deletions


@@ -393,7 +393,7 @@ func (nc *NebulaCertificate) Expired(t time.Time) bool {
// Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blocklist, etc)
func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error) {
if ncp.IsBlocklisted(nc) {
return false, fmt.Errorf("certificate has been blocked")
return false, ErrBlockListed
}
signer, err := ncp.GetCAForCert(nc)
@@ -402,15 +402,15 @@ func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error
}
if signer.Expired(t) {
return false, fmt.Errorf("root certificate is expired")
return false, ErrRootExpired
}
if nc.Expired(t) {
return false, fmt.Errorf("certificate is expired")
return false, ErrExpired
}
if !nc.CheckSignature(signer.Details.PublicKey) {
return false, fmt.Errorf("certificate signature did not match")
return false, ErrSignatureMismatch
}
if err := nc.CheckRootConstrains(signer); err != nil {