add value length check to approle createHMAC (#14746)

* add value length check to approle createHMAC

* add changelog entry

* fix changelog entry
Chris Capurso 2022-03-29 14:43:35 -04:00 committed by GitHub
parent 30a404c0a0
commit 1454c8ea88
3 changed files with 31 additions and 0 deletions


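--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -2,6 +2,7 @@ package approle
 import (
 "context"
+"strings"
 "testing"
 "time"
@@ -264,6 +265,26 @@ func TestAppRole_RoleLogin(t *testing.T) {
 if resp.Auth.Period != period {
 t.Fatalf("expected period value of %d in the response, got: %s", period, resp.Auth.Period)
 }
+// Test input validation with secret_id that exceeds max length
+loginData["secret_id"] = strings.Repeat("a", maxHmacInputLength+1)
+loginReq = &logical.Request{
+Operation: logical.UpdateOperation,
+Path: "login",
+Storage: storage,
+Data: loginData,
+Connection: &logical.Connection{
+RemoteAddr: "127.0.0.1",
+},
+}
+loginResp, err = b.HandleRequest(context.Background(), loginReq)
+expectedErr := "failed to create HMAC of secret_id"
+if loginResp != nil || err == nil || !strings.Contains(err.Error(), expectedErr) {
+t.Fatalf("expected login test to fail with error %q, resp: %#v, err: %v", expectedErr, loginResp, err)
+}
 }
 func generateRenewRequest(s logical.Storage, auth *logical.Auth) *logical.Request {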
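Review bot: The new assertions cover only the over-limit case (`maxHmacInputLength+1`); a companion request with `strings.Repeat("a", maxHmacInputLength)` that is expected not to fail with "failed to create HMAC of secret_id" (it may still fail later for a different reason) would pin the boundary and catch an off-by-one in the `>` comparison. The `err.Error()` call in the final condition is only safe because `err == nil` is tested first in the same expression; keep that ordering if the assertion is refactored. TestAppRole_RoleLogin, and the `loginData`, `loginReq`, `loginResp` and `err` variables this hunk reuses, begin outside the hunk.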


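--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -92,12 +92,19 @@ func verifyCIDRRoleSecretIDSubset(secretIDCIDRs []string, roleBoundCIDRList []st
 return nil
 }
+const maxHmacInputLength = 1024
 // Creates a SHA256 HMAC of the given 'value' using the given 'key' and returns
 // a hex encoded string.
 func createHMAC(key, value string) (string, error) {
 if key == "" {
 return "", fmt.Errorf("invalid HMAC key")
 }
+if len(value) > maxHmacInputLength {
+return "", fmt.Errorf("value is longer than maximum of %d bytes", maxHmacInputLength)
+}
 hm := hmac.New(sha256.New, []byte(key))
 hm.Write([]byte(value))
 return hex.EncodeToString(hm.Sum(nil)), nil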
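Review bot: `maxHmacInputLength` is introduced without a doc comment, so a later reader cannot tell whether 1024 is a format constraint or a defensive bound; suggest `// maxHmacInputLength caps the byte length of the value handed to createHMAC so that an oversized, caller-supplied input (the secret_id of a login request, per the test in this commit) is rejected before any HMAC work is done.` The check compares `len(value)`, i.e. bytes rather than characters, and the error text says "bytes", which is consistent; the existing comment on createHMAC could also mention this bound and that an error is returned when it is exceeded. The test in this commit matches the wrapped message "failed to create HMAC of secret_id", so the wrapping caller presumably sits outside this hunk, and the `return nil` / `}` at the top of the hunk close verifyCIDRRoleSecretIDSubset, which starts outside it.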

3
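--- /dev/null
+++ b/changelog/14746.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation
+```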