From 1454c8ea88092c18a384b6d133e73921797a7d17 Mon Sep 17 00:00:00 2001 From: Chris Capurso <1036769+ccapurso@users.noreply.github.com> Date: Tue, 29 Mar 2022 14:43:35 -0400 Subject: [PATCH] add value length check to approle createHMAC (#14746) * add value length check to approle createHMAC * add changelog entry * fix changelog entry --- builtin/credential/approle/path_login_test.go | 21 +++++++++++++++++++ builtin/credential/approle/validation.go | 7 +++++++ changelog/14746.txt | 3 +++ 3 files changed, 31 insertions(+) create mode 100644 changelog/14746.txt diff --git a/builtin/credential/approle/path_login_test.go b/builtin/credential/approle/path_login_test.go index 86dcf8b83..9d1facf52 100644 --- a/builtin/credential/approle/path_login_test.go +++ b/builtin/credential/approle/path_login_test.go @@ -2,6 +2,7 @@ package approle import ( "context" + "strings" "testing" "time" @@ -264,6 +265,26 @@ func TestAppRole_RoleLogin(t *testing.T) { if resp.Auth.Period != period { t.Fatalf("expected period value of %d in the response, got: %s", period, resp.Auth.Period) } + + // Test input validation with secret_id that exceeds max length + loginData["secret_id"] = strings.Repeat("a", maxHmacInputLength+1) + + loginReq = &logical.Request{ + Operation: logical.UpdateOperation, + Path: "login", + Storage: storage, + Data: loginData, + Connection: &logical.Connection{ + RemoteAddr: "127.0.0.1", + }, + } + + loginResp, err = b.HandleRequest(context.Background(), loginReq) + + expectedErr := "failed to create HMAC of secret_id" + if loginResp != nil || err == nil || !strings.Contains(err.Error(), expectedErr) { + t.Fatalf("expected login test to fail with error %q, resp: %#v, err: %v", expectedErr, loginResp, err) + } } func generateRenewRequest(s logical.Storage, auth *logical.Auth) *logical.Request { diff --git a/builtin/credential/approle/validation.go b/builtin/credential/approle/validation.go index 3a5f93925..7a129b99a 100644 --- a/builtin/credential/approle/validation.go +++ b/builtin/credential/approle/validation.go @@ -92,12 +92,19 @@ func verifyCIDRRoleSecretIDSubset(secretIDCIDRs []string, roleBoundCIDRList []st return nil } +const maxHmacInputLength = 1024 + // Creates a SHA256 HMAC of the given 'value' using the given 'key' and returns // a hex encoded string. func createHMAC(key, value string) (string, error) { if key == "" { return "", fmt.Errorf("invalid HMAC key") } + + if len(value) > maxHmacInputLength { + return "", fmt.Errorf("value is longer than maximum of %d bytes", maxHmacInputLength) + } + hm := hmac.New(sha256.New, []byte(key)) hm.Write([]byte(value)) return hex.EncodeToString(hm.Sum(nil)), nil diff --git a/changelog/14746.txt b/changelog/14746.txt new file mode 100644 index 000000000..4c22a7c22 --- /dev/null +++ b/changelog/14746.txt @@ -0,0 +1,3 @@ +```release-note:bug +auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation +```