add value length check to approle createHMAC (#14746)
* add value length check to approle createHMAC * add changelog entry * fix changelog entry
parent
30a404c0a0
commit
1454c8ea88
|
@ -2,6 +2,7 @@ package approle
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -264,6 +265,26 @@ func TestAppRole_RoleLogin(t *testing.T) {
|
||||||
if resp.Auth.Period != period {
|
if resp.Auth.Period != period {
|
||||||
t.Fatalf("expected period value of %d in the response, got: %s", period, resp.Auth.Period)
|
t.Fatalf("expected period value of %d in the response, got: %s", period, resp.Auth.Period)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Test input validation with secret_id that exceeds max length
|
||||||
|
loginData["secret_id"] = strings.Repeat("a", maxHmacInputLength+1)
|
||||||
|
|
||||||
|
loginReq = &logical.Request{
|
||||||
|
Operation: logical.UpdateOperation,
|
||||||
|
Path: "login",
|
||||||
|
Storage: storage,
|
||||||
|
Data: loginData,
|
||||||
|
Connection: &logical.Connection{
|
||||||
|
RemoteAddr: "127.0.0.1",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
loginResp, err = b.HandleRequest(context.Background(), loginReq)
|
||||||
|
|
||||||
|
expectedErr := "failed to create HMAC of secret_id"
|
||||||
|
if loginResp != nil || err == nil || !strings.Contains(err.Error(), expectedErr) {
|
||||||
|
t.Fatalf("expected login test to fail with error %q, resp: %#v, err: %v", expectedErr, loginResp, err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func generateRenewRequest(s logical.Storage, auth *logical.Auth) *logical.Request {
|
func generateRenewRequest(s logical.Storage, auth *logical.Auth) *logical.Request {
|
||||||
|
|
|
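Review bot: The new assertions at the end of TestAppRole_RoleLogin cover only the over-limit case, so an off-by-one in the comparison inside createHMAC (`>=` instead of `>`) would pass unnoticed; add a second request with `loginData["secret_id"] = strings.Repeat("a", maxHmacInputLength)` and assert that the length error is absent, e.g. `if err != nil && strings.Contains(err.Error(), expectedErr) { t.Fatalf("length limit rejected a %d-byte secret_id: %v", maxHmacInputLength, err) }`. A well-formed but unknown secret_id is presumably still rejected by the login handler, so only the absence of the length error should be asserted, not a successful login. The enclosing function starts outside the hunk, and `loginData` is a shared map mutated in place here; if any later step in the function reuses it, the oversized secret_id would carry over into that step.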
@ -92,12 +92,19 @@ func verifyCIDRRoleSecretIDSubset(secretIDCIDRs []string, roleBoundCIDRList []st
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const maxHmacInputLength = 1024
|
||||||
|
|
||||||
// Creates a SHA256 HMAC of the given 'value' using the given 'key' and returns
|
// Creates a SHA256 HMAC of the given 'value' using the given 'key' and returns
|
||||||
// a hex encoded string.
|
// a hex encoded string.
|
||||||
func createHMAC(key, value string) (string, error) {
|
func createHMAC(key, value string) (string, error) {
|
||||||
if key == "" {
|
if key == "" {
|
||||||
return "", fmt.Errorf("invalid HMAC key")
|
return "", fmt.Errorf("invalid HMAC key")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(value) > maxHmacInputLength {
|
||||||
|
return "", fmt.Errorf("value is longer than maximum of %d bytes", maxHmacInputLength)
|
||||||
|
}
|
||||||
|
|
||||||
hm := hmac.New(sha256.New, []byte(key))
|
hm := hmac.New(sha256.New, []byte(key))
|
||||||
hm.Write([]byte(value))
|
hm.Write([]byte(value))
|
||||||
return hex.EncodeToString(hm.Sum(nil)), nil
|
return hex.EncodeToString(hm.Sum(nil)), nil
|
||||||
|
|
|
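Review bot: Neither the doc comment on createHMAC nor the new constant maxHmacInputLength mentions the new rejection rule, so a reader of the comment still believes any value is accepted; extend the comment above the function with `// Values longer than maxHmacInputLength bytes are rejected with an error.` and give the constant its own comment, `// maxHmacInputLength bounds the size in bytes of the value passed to createHMAC.` Note that len(value) counts bytes rather than runes, which matches the wording of the error message and the byte-based strings.Repeat used in the test. The check bounds only the value; the key is not length-checked, which is presumably fine if the key is server-generated rather than request-supplied, but that depends on the call sites, which are outside this hunk. The pre-existing `hm.Write([]byte(value))` discards its return value; hash.Hash writers never return an error, so a short `// hash.Hash.Write never returns an error` comment would make that intent explicit.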
@ -0,0 +1,3 @@
|
||||||
|
```release-note:bug
|
||||||
|
auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation
|
||||||
|
```
|