From 2aee3dbdc11c4e333ecb20503539c7993b24ee57 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Thu, 31 Aug 2023 14:24:00 -0500 Subject: [PATCH] Honor nonce use warning in non-FIPS modes --- builtin/logical/transit/path_datakey.go | 5 ++--- builtin/logical/transit/path_encrypt.go | 7 +++---- builtin/logical/transit/path_rewrap.go | 6 +++--- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/builtin/logical/transit/path_datakey.go b/builtin/logical/transit/path_datakey.go index 9a82eceb2a..c5b47d8b17 100644 --- a/builtin/logical/transit/path_datakey.go +++ b/builtin/logical/transit/path_datakey.go @@ -9,7 +9,6 @@ import ( "encoding/base64" "fmt" - "github.com/hashicorp/vault/helper/constants" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/keysutil" @@ -170,8 +169,8 @@ func (b *backend) pathDatakeyWrite(ctx context.Context, req *logical.Request, d }, } - if constants.IsFIPS() && shouldWarnAboutNonceUsage(p, nonce) { - resp.AddWarning("A provided nonce value was used within FIPS mode, this violates FIPS 140 compliance.") + if shouldWarnAboutNonceUsage(p, nonce) { + resp.AddWarning("A provided nonce value was ignored where a user supplied nonce cannot be specified.") } if plaintextAllowed { diff --git a/builtin/logical/transit/path_encrypt.go b/builtin/logical/transit/path_encrypt.go index 390b0eaef0..a80a0d58ea 100644 --- a/builtin/logical/transit/path_encrypt.go +++ b/builtin/logical/transit/path_encrypt.go @@ -12,8 +12,6 @@ import ( "net/http" "reflect" - "github.com/hashicorp/vault/helper/constants" - "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/keysutil" @@ -473,6 +471,7 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d if !warnAboutNonceUsage && shouldWarnAboutNonceUsage(p, item.DecodedNonce) { warnAboutNonceUsage = true + item.DecodedNonce = nil } var factory interface{} @@ -555,8 +554,8 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d } } - if constants.IsFIPS() && warnAboutNonceUsage { - resp.AddWarning("A provided nonce value was used within FIPS mode, this violates FIPS 140 compliance.") + if warnAboutNonceUsage { + resp.AddWarning("A provided nonce value was ignored where a user supplied nonce cannot be specified.") } if req.Operation == logical.CreateOperation && !upserted { diff --git a/builtin/logical/transit/path_rewrap.go b/builtin/logical/transit/path_rewrap.go index e8d17358e8..04d3bb6941 100644 --- a/builtin/logical/transit/path_rewrap.go +++ b/builtin/logical/transit/path_rewrap.go @@ -8,7 +8,6 @@ import ( "encoding/base64" "fmt" - "github.com/hashicorp/vault/helper/constants" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/keysutil" @@ -166,6 +165,7 @@ func (b *backend) pathRewrapWrite(ctx context.Context, req *logical.Request, d * if !warnAboutNonceUsage && shouldWarnAboutNonceUsage(p, item.DecodedNonce) { warnAboutNonceUsage = true + item.DecodedNonce = nil } ciphertext, err := p.Encrypt(item.KeyVersion, item.DecodedContext, item.DecodedNonce, plaintext) @@ -217,8 +217,8 @@ func (b *backend) pathRewrapWrite(ctx context.Context, req *logical.Request, d * } } - if constants.IsFIPS() && warnAboutNonceUsage { - resp.AddWarning("A provided nonce value was used within FIPS mode, this violates FIPS 140 compliance.") + if warnAboutNonceUsage { + resp.AddWarning("A provided nonce value was ignored where a user supplied nonce cannot be specified.") } p.Unlock()