Simplify encryption check
Signed-off-by: Knut Ahlers <knut@ahlers.me>
Luzifer committed Nov 8, 2023
1 parent e8003bb commit 9e33158
Showing 1 changed file with 2 additions and 20 deletions.
22 changes: 2 additions & 20 deletions api.go
@@ -1,12 +1,9 @@
package main

import (
"bytes"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"strconv"
"strings"
Expand Down Expand Up @@ -45,8 +42,6 @@ type apiRequest struct {
Secret string `json:"secret"`
}

var opensslEncHeader = []byte("Salted__")

func newAPI(s storage.Storage, c *metrics.Collector) *apiServer {
return &apiServer{
collector: c,
Expand Down Expand Up @@ -184,7 +179,7 @@ func (apiServer) jsonResponse(res http.ResponseWriter, status int, response any)
}
}

func (a apiServer) sanityCheckSecret(secret string) (reason string, err error) {
func (apiServer) sanityCheckSecret(secret string) (reason string, err error) {
if secret == "" {
return errorReasonSecretMissing, errors.New("secret missing")
}
Expand All @@ -193,22 +188,9 @@ func (a apiServer) sanityCheckSecret(secret string) (reason string, err error) {
return errorReasonSecretSize, errors.New("secret size exceeds maximum")
}

if err = a.secretContainsCryptoHeader(secret); err != nil && cust.RejectUnencryptedSecrets {
if cust.RejectUnencryptedSecrets && !strings.HasPrefix(secret, "U2FsdGVkX1") {
return errorReasonSecretUnencrypted, fmt.Errorf("checking secret encryption: %w", err)
}

return "", nil
}

func (apiServer) secretContainsCryptoHeader(secret string) (err error) {
header := make([]byte, len(opensslEncHeader))
if _, err = io.ReadFull(base64.NewDecoder(base64.StdEncoding, strings.NewReader(secret)), header); err != nil {
return fmt.Errorf("reading header: %w", err)
}

if !bytes.Equal(header, opensslEncHeader) {
return fmt.Errorf("header does not match")
}

return nil
}
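Review bot: The error built on the line after the new `strings.HasPrefix` check still wraps `err` with `%w`, but in the new code the named `err` result is never assigned (unless the two lines hidden between this hunk and the previous one do so), so the returned error reads `checking secret encryption: %!w(<nil>)` instead of something useful; the named results are now just a leftover of the removed helper. Replace that line with `return errorReasonSecretUnencrypted, errors.New("secret lacks the OpenSSL \"Salted__\" header")` (`errors` is still imported), or drop the named results from the signature. The check itself deserves a comment so it is not over-read: `// "U2FsdGVkX1" is base64("Salted__") up to the bits shared with the first salt byte; this only proves the blob is shaped like an OpenSSL "Salted__" envelope, not that it is encrypted — a client can prepend it to plaintext`. The previous decoder-based check skipped leading CR/LF before the header, which a raw prefix compare does not, so clients that sent a leading newline are now rejected; that is stricter and seems acceptable, but worth knowing. sanityCheckSecret's signature and first guard sit in the preceding hunk, not in this one.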
