In the Counter-mode KBKDF implementation, due to the nature of the PRF
(being implemented as a function rather than a hash.Hash instance), we
need to allocate a buffer capable of storing the entire input to the
PRF. This consists of the user-supplied context with 8 additional bytes
(4 before and 4 after) of encoded integers.
If the user supplies a maximally-sized context, the internally allocated
buffer's size computation will overflow, resulting in a runtime panic.
Guard against this condition.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* change default vaule for disable_iss_validation to be true
* mark as deprecated | remove issuer from sample
* deprecation section
* additional informaiton about when fields will be removed
* additional deprecation note under csi provider
* punctuation
* make the deprecation note more noticable
* missing issuer sentence | remove whitespace
* Update website/content/docs/platform/k8s/csi/index.mdx
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* cleanup
* additional deprecation comments
* fix discovery link
* highlight
* no need to configure the issuer
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Moved from one of the first items in the navbar down to one of the last. They are not high priority information and should be grouped with upgrade and release notes.
* fixes issue with ttl picker not initially enabling in form field component
* adds changelog entry
* updates test
* updates initial ttl toggle state for default 0s value
* don't log token error on DR Secondary
* stop gauge collector expiration errors on dr secondary
* don't check dr secondary for token create
* see if CI hits panic
* Revert "don't check dr secondary for token create"
This reverts commit c036a1a544d3a20d29d046f1ee239ab1563ce4d9.
* don't check dr secondary for token create
* Revert "see if CI hits panic"
This reverts commit 1e15aa535cac6e4d1684aaf47c8746c094068eb8.
* remove condition on log
* Add extra debugging to help identify failures within mssql test
* Switch up the AssertInitialized method for mssql tests by marking the test as failed instead of
immediately failing, this will also allow us to see what happens even if this assertion fails to the rest
of the test.
* fixes issue with oidc auth method when MetaMask chrome extenstion is used
* adds changelog entry
* updates auth-jwt integration tests
* fixes race condition in runCommands ui-panel helper method where running multiple commands would not always result in the same output order
* Move the ctx capture outside the goroutine to avoid a race
* refactor the toggleable wrapper to avoid races
* Move the capture back outside the goroutine
* defer
* docs for counting tokens without entities
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: swayne275 <swayne275@gmail.com>
* remove parens in docs
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* update documentation to be consistent with the non-entity token terminology
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* add line about client ids to the api docs
* syntax and grammar
Co-authored-by: swayne275 <swayne275@gmail.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Add native Login method for GCP auth backend
* Add native Login method for Azure auth backend
* Add changelog entry
* Use official azure library Environment struct rather than passing string, add timeouts
* Use v1.3.0 which now has interface definition
* Don't throw away error and close resp body
* Back to WithResource so we can support non-Azure URLs for aud
* Restrict ECDSA signatures with NIST P-Curve hashes
When using an ECDSA signature with a NIST P-Curve, we should follow
recommendations from BIS (Section 4.2) and Mozilla's root store policy
(section 5.1.2) to ensure that arbitrary selection of signature_bits
does not exceed what the curve is capable of signing.
Related: #11245
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to certutil.ValidateKeyTypeSignatureLength(...)
Replaces previous calls to certutil.ValidateKeyTypeLength(...) and
certutil.ValidateSignatureLength(...) with a single call, allowing for
curve<->hash validation.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to autodetection of signature_bits
This enables detection of whether the caller manually specified a value
for signature_bits or not; when not manually specified, we can provision
a value that complies with new NIST P-Curve policy.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Select hash function length automatically
Due to our change in behavior (to default to -1 as the value to
signature_bits to allow for automatic hash selection), switch
ValidateKeyTypeSignatureLength(...) to accept a pointer to hashBits and
provision it with valid default values.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Prevent invalid Curve size lookups
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch from -1 to 0 as default SignatureBits
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Austin Gebauer