Honor nonce use warning in non-FIPS modes

hashicorp · Aug 31, 2023 · 2aee3db · 2aee3db
1 parent 428d55b
commit 2aee3db
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 10 deletions.
diff --git a/builtin/logical/transit/path_datakey.go b/builtin/logical/transit/path_datakey.go
@@ -9,7 +9,6 @@ import (
 	"encoding/base64"
 	"fmt"
 
-	"github.com/hashicorp/vault/helper/constants"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
 	"github.com/hashicorp/vault/sdk/helper/keysutil"
@@ -170,8 +169,8 @@ func (b *backend) pathDatakeyWrite(ctx context.Context, req *logical.Request, d
 		},
 	}
 
-	if constants.IsFIPS() && shouldWarnAboutNonceUsage(p, nonce) {
-		resp.AddWarning("A provided nonce value was used within FIPS mode, this violates FIPS 140 compliance.")
+	if shouldWarnAboutNonceUsage(p, nonce) {
+		resp.AddWarning("A provided nonce value was ignored where a user supplied nonce cannot be specified.")
 	}
 
 	if plaintextAllowed {

diff --git a/builtin/logical/transit/path_encrypt.go b/builtin/logical/transit/path_encrypt.go
@@ -12,8 +12,6 @@ import (
 	"net/http"
 	"reflect"
 
-	"github.com/hashicorp/vault/helper/constants"
-
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
 	"github.com/hashicorp/vault/sdk/helper/keysutil"
@@ -473,6 +471,7 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d
 
 		if !warnAboutNonceUsage && shouldWarnAboutNonceUsage(p, item.DecodedNonce) {
 			warnAboutNonceUsage = true
+			item.DecodedNonce = nil
 		}
 
 		var factory interface{}
@@ -555,8 +554,8 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d
 		}
 	}
 
-	if constants.IsFIPS() && warnAboutNonceUsage {
-		resp.AddWarning("A provided nonce value was used within FIPS mode, this violates FIPS 140 compliance.")
+	if warnAboutNonceUsage {
+		resp.AddWarning("A provided nonce value was ignored where a user supplied nonce cannot be specified.")
 	}
 
 	if req.Operation == logical.CreateOperation && !upserted {

diff --git a/builtin/logical/transit/path_rewrap.go b/builtin/logical/transit/path_rewrap.go
@@ -8,7 +8,6 @@ import (
 	"encoding/base64"
 	"fmt"
 
-	"github.com/hashicorp/vault/helper/constants"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
 	"github.com/hashicorp/vault/sdk/helper/keysutil"
@@ -166,6 +165,7 @@ func (b *backend) pathRewrapWrite(ctx context.Context, req *logical.Request, d *
 
 		if !warnAboutNonceUsage && shouldWarnAboutNonceUsage(p, item.DecodedNonce) {
 			warnAboutNonceUsage = true
+			item.DecodedNonce = nil
 		}
 
 		ciphertext, err := p.Encrypt(item.KeyVersion, item.DecodedContext, item.DecodedNonce, plaintext)
@@ -217,8 +217,8 @@ func (b *backend) pathRewrapWrite(ctx context.Context, req *logical.Request, d *
 		}
 	}
 
-	if constants.IsFIPS() && warnAboutNonceUsage {
-		resp.AddWarning("A provided nonce value was used within FIPS mode, this violates FIPS 140 compliance.")
+	if warnAboutNonceUsage {
+		resp.AddWarning("A provided nonce value was ignored where a user supplied nonce cannot be specified.")
 	}
 
 	p.Unlock()