Honor nonce use warning in non-FIPS modes
parent
428d55b4c8
commit
2aee3dbdc1
3 changed files with 8 additions and 10 deletions
|
|
@ -9,7 +9,6 @@ import (
|
|||
"encoding/base64"
|
||||
"fmt"
|
||||
|
||||
"github.com/hashicorp/vault/helper/constants"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/errutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/keysutil"
|
||||
|
|
@ -170,8 +169,8 @@ func (b *backend) pathDatakeyWrite(ctx context.Context, req *logical.Request, d
|
|||
},
|
||||
}
|
||||
|
||||
if constants.IsFIPS() && shouldWarnAboutNonceUsage(p, nonce) {
|
||||
resp.AddWarning("A provided nonce value was used within FIPS mode, this violates FIPS 140 compliance.")
|
||||
if shouldWarnAboutNonceUsage(p, nonce) {
|
||||
resp.AddWarning("A provided nonce value was ignored where a user supplied nonce cannot be specified.")
|
||||
}
|
||||
|
||||
if plaintextAllowed {
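Review bot: In pathDatakeyWrite the new warning tells the client its nonce "was ignored", but nothing in this section discards it; the encrypt and rewrap sections of this commit add `item.DecodedNonce = nil` before encrypting, while here only the `if` condition and the message change. The encryption call sits above the hunk, so it may already be handled there. If that call still receives `nonce`, the response reports something that did not happen and a caller-chosen nonce is used where the message says one cannot be specified. I would clear it before the encrypt call and record the fact in a local flag, e.g. `if shouldWarnAboutNonceUsage(p, nonce) { warnAboutNonceUsage = true; nonce = nil }`, then test that flag here, since the helper would presumably no longer fire on a cleared nonce.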
|
||||
|
|
|
|||
|
|
@ -12,8 +12,6 @@ import (
|
|||
"net/http"
|
||||
"reflect"
|
||||
|
||||
"github.com/hashicorp/vault/helper/constants"
|
||||
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/errutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/keysutil"
|
||||
|
|
@ -473,6 +471,7 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d
|
|||
|
||||
if !warnAboutNonceUsage && shouldWarnAboutNonceUsage(p, item.DecodedNonce) {
|
||||
warnAboutNonceUsage = true
|
||||
item.DecodedNonce = nil
|
||||
}
|
||||
|
||||
var factory interface{}
|
||||
|
|
@ -555,8 +554,8 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d
|
|||
}
|
||||
}
|
||||
|
||||
if constants.IsFIPS() && warnAboutNonceUsage {
|
||||
resp.AddWarning("A provided nonce value was used within FIPS mode, this violates FIPS 140 compliance.")
|
||||
if warnAboutNonceUsage {
|
||||
resp.AddWarning("A provided nonce value was ignored where a user supplied nonce cannot be specified.")
|
||||
}
|
||||
|
||||
if req.Operation == logical.CreateOperation && !upserted {
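Review bot: In the hunk at -473 of pathEncryptWrite, the guard `if !warnAboutNonceUsage && shouldWarnAboutNonceUsage(p, item.DecodedNonce)` now also gates the new `item.DecodedNonce = nil`, so once the first offending item sets the flag the body is skipped for every later item. Assuming this runs once per batch item (the loop header is outside the hunk), only the first caller-supplied nonce is dropped and the rest are still used for encryption, while the response warning claims the nonce was ignored; a caller-controlled nonce repeating under one key is presumably what this check exists to prevent. The flag should come out of the condition, `if shouldWarnAboutNonceUsage(p, item.DecodedNonce) {`, leaving the two assignments as they are. The same guard is in pathRewrapWrite in the rewrap section, where `p.Encrypt` is called with `item.DecodedNonce` directly after it. A batch test with two items that both carry a nonce would cover both paths.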
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ import (
|
|||
"encoding/base64"
|
||||
"fmt"
|
||||
|
||||
"github.com/hashicorp/vault/helper/constants"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/errutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/keysutil"
|
||||
|
|
@ -166,6 +165,7 @@ func (b *backend) pathRewrapWrite(ctx context.Context, req *logical.Request, d *
|
|||
|
||||
if !warnAboutNonceUsage && shouldWarnAboutNonceUsage(p, item.DecodedNonce) {
|
||||
warnAboutNonceUsage = true
|
||||
item.DecodedNonce = nil
|
||||
}
|
||||
|
||||
ciphertext, err := p.Encrypt(item.KeyVersion, item.DecodedContext, item.DecodedNonce, plaintext)
|
||||
|
|
@ -217,8 +217,8 @@ func (b *backend) pathRewrapWrite(ctx context.Context, req *logical.Request, d *
|
|||
}
|
||||
}
|
||||
|
||||
if constants.IsFIPS() && warnAboutNonceUsage {
|
||||
resp.AddWarning("A provided nonce value was used within FIPS mode, this violates FIPS 140 compliance.")
|
||||
if warnAboutNonceUsage {
|
||||
resp.AddWarning("A provided nonce value was ignored where a user supplied nonce cannot be specified.")
|
||||
}
|
||||
|
||||
p.Unlock()
|
||||
|
|
|
|||