Don't allow providing original key shares once we've moved on to verification

Jeff Mitchell 2018-05-21 21:02:45 -04:00
parent 4464c3a65f
commit 0b4ead52a0


@ -327,6 +327,10 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string)
return nil, logical.CodedError(http.StatusBadRequest, "no barrier rekey in progress")
}
if len(c.barrierRekeyConfig.VerificationKey) > 0 {
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("rekey operation already finished; verification must be performed; nonce for the verification operation is %q", c.barrierRekeyConfig.VerificationNonce))
}
if nonce != c.barrierRekeyConfig.Nonce {
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("incorrect nonce supplied; nonce for this rekey operation is %q", c.barrierRekeyConfig.Nonce))
}
@ -554,6 +558,10 @@ func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string
return nil, logical.CodedError(http.StatusBadRequest, "no recovery rekey in progress")
}
if len(c.recoveryRekeyConfig.VerificationKey) > 0 {
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("rekey operation already finished; verification must be performed; nonce for the verification operation is %q", c.recoveryRekeyConfig.VerificationNonce))
}
if nonce != c.recoveryRekeyConfig.Nonce {
return nil, logical.CodedError(http.StatusBadRequest, fmt.Sprintf("incorrect nonce supplied; nonce for this rekey operation is %q", c.recoveryRekeyConfig.Nonce))
}
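Review bot: The new guard `if len(c.barrierRekeyConfig.VerificationKey) > 0` runs before the `nonce != c.barrierRekeyConfig.Nonce` comparison, so a caller who has not presented the rekey nonce is still handed `VerificationNonce` in the error text; the RecoveryRekeyUpdate hunk has the same ordering. The neighbouring incorrect-nonce error already echoes the expected nonce, so this looks deliberate, but it should be stated above the check, e.g. `// Nonces identify the operation and are not treated as secrets; the verification nonce is returned so operators can continue with the verification operation.` If nonces are meant to gate anything, the guard belongs below the nonce comparison instead. Both function bodies start and end outside the hunks, so whether the rekey config is read under a lock cannot be confirmed from here. A test that submits a key share after verification has begun and expects the 400 response would pin the new behaviour for both the barrier and recovery paths.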