Add validation for nonce size when we aren't in convergent encryption mode within transit backend (#13690)

* Add validation for nonce size when we aren't in convergent encryption mode within transit backend

* Add changelog entry
This commit is contained in:
divyapola5 2022-01-19 13:02:49 +05:30 committed by GitHub
parent be3a9b2571
commit d9c9d06710
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 0 deletions

View File

@ -578,6 +578,31 @@ func TestTransit_BatchEncryptionCase12(t *testing.T) {
} }
} }
// Case13: Incorrect input for nonce when we aren't in convergent encryption should fail the operation
func TestTransit_BatchEncryptionCase13(t *testing.T) {
var err error
b, s := createBackendWithStorage(t)
batchInput := []interface{}{
map[string]interface{}{"plaintext": "bXkgc2VjcmV0IGRhdGE=", "nonce": "YmFkbm9uY2U="},
}
batchData := map[string]interface{}{
"batch_input": batchInput,
}
batchReq := &logical.Request{
Operation: logical.CreateOperation,
Path: "encrypt/my-key",
Storage: s,
Data: batchData,
}
_, err = b.HandleRequest(context.Background(), batchReq)
if err != nil {
t.Fatal(err)
}
}
// Test that the fast path function decodeBatchRequestItems behave like mapstructure.Decode() to decode []BatchRequestItem. // Test that the fast path function decodeBatchRequestItems behave like mapstructure.Decode() to decode []BatchRequestItem.
func TestTransit_decodeBatchRequestItems(t *testing.T) { func TestTransit_decodeBatchRequestItems(t *testing.T) {
tests := []struct { tests := []struct {

3
changelog/13690.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
secrets/transit: Ensure that Vault does not panic for invalid nonce size when we aren't in convergent encryption mode.
```

View File

@ -1655,6 +1655,8 @@ func (p *Policy) SymmetricEncryptRaw(ver int, encKey, plaintext []byte, opts Sym
if err != nil { if err != nil {
return nil, errutil.InternalError{Err: err.Error()} return nil, errutil.InternalError{Err: err.Error()}
} }
} else if len(nonce) != aead.NonceSize() {
return nil, errutil.UserError{Err: fmt.Sprintf("base64-decoded nonce must be %d bytes long but given %d bytes", aead.NonceSize(), len(nonce))}
} }
// Encrypt and tag with AEAD // Encrypt and tag with AEAD