secret
* Add an option to configure the version used when encrypting data bag
items. This allows users to opt-in to newer encrypted data bag formats
while the default remains compatible with earlier chef versions.
* Add an option to set a minimum valid encrypted data bag item format.
This is useful on the client so that, for example, a MITM attacker
cannot downgrade a v2 EDBI to v1.
Authenticated encryption data bag items will be version 2 of the
encrypted data bag item format instead of tacked on to the version 1
format.
Authenticated encryption via OpenSSL cipher was considered, but older
openssl versions do not have, e.g., aes-256-gcm, so we are implementing
encrypt-then-mac with hmac-sha256 on top of existing aes cipher.
Code passes tests but is not yet exposed in configuration. TODO:
* Allow user to set desired version for encrypt.
* Allow user to set minimum required version for decrypt. Without this
change, a MITM could simply change the format version to 1 to bypass
the hmac.
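The encrypt-then-MAC version 2 format and the minimum-version check described in the two commits above, as an added Ruby example (not Chef's own code; the key derivation from the secret, the module name and the field layout are assumptions):

```ruby
require 'openssl'
require 'json'
require 'base64'

# Added example, not Chef's code: v1 = AES-256-CBC + random IV, v2 = v1 plus an
# HMAC-SHA256 over the ciphertext, with a minimum version enforced on decrypt.
module EdbiDemo
  CIPHER = 'aes-256-cbc'
  FormatError = Class.new(StandardError)

  # Assumption: derive separate cipher and MAC keys from the shared secret.
  def self.keys(secret)
    [OpenSSL::Digest.digest('SHA256', 'enc' + secret),
     OpenSSL::Digest.digest('SHA256', 'mac' + secret)]
  end

  def self.encrypt(value, secret, version: 2)
    enc_key, mac_key = keys(secret)
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key = enc_key
    iv = c.random_iv # fresh IV per value, as in the CHEF-3480 fix
    data = c.update(JSON.generate('json_wrapper' => value)) + c.final
    item = { 'version' => version, 'cipher' => CIPHER,
             'iv' => Base64.strict_encode64(iv),
             'encrypted_data' => Base64.strict_encode64(data) }
    # Version 2 adds an HMAC-SHA256 over the ciphertext (encrypt-then-MAC).
    item['hmac'] = Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', mac_key, data)) if version >= 2
    item
  end

  def self.decrypt(item, secret, min_version: 1)
    # Check the version first, so a downgraded item can never skip the MAC.
    if item['version'] < min_version
      raise FormatError, "version #{item['version']} below minimum #{min_version}"
    end
    enc_key, mac_key = keys(secret)
    data = Base64.strict_decode64(item['encrypted_data'])
    if item['version'] >= 2
      expected = OpenSSL::HMAC.digest('SHA256', mac_key, data)
      raise FormatError, 'hmac mismatch' unless constant_time_eql?(expected, Base64.strict_decode64(item['hmac'].to_s))
    end
    c = OpenSSL::Cipher.new(item['cipher']).decrypt
    c.key = enc_key
    c.iv = Base64.strict_decode64(item['iv'])
    JSON.parse(c.update(data) + c.final)['json_wrapper']
  end

  # Compare MACs without leaking where they first differ.
  def self.constant_time_eql?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With `min_version: 1` a version 1 item still decrypts, which is the backward-compatible default the commits describe; a client that sets `min_version: 2` rejects any item whose version field has been lowered.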
In CI, we occasionally see test failures when decryption with an
incorrect key does not raise an error, but instead returns garbage.
This fixes that issue by adding an HMAC-SHA2-256 of the encrypted data
to the version 1 format. For backwards compatibility, decryption will
continue if the hmac is missing; therefore, this does not increase the
security of encrypted data bag items.
This properly matches the code in `Chef::EncryptedDataBagItem`:
* Version0Decryptor == legacy YAML-based format
* Version1Decryptor == preferred JSON-based format
* Remove references to DEFAULT_SECRET_FILE from
`Chef::EncryptedDataBagItem`.
* Add new `:encrypted_data_bag_secret` value to `Chef::Config`
* Ensure Chef::Config[:encrypted_data_bag_secret] is nil if the secret
does not exist at the default path.
* Updated test coverage in `config_spec` and
`encrypted_data_bag_item_spec`.
* prefer `subject` and `let` blocks to instance variables and before
blocks
* `eq` instead of `==`
* remove the 'shoulds' from example descriptions
Adds "cipher" to the metadata fields for encrypted data bag items. This
enables user-configurable ciphers in the future. Cipher is still
hard-coded to aes-256-cbc for now.
* Use JSON instead of YAML to serialize encrypted data bag values before
encrypting.
* Use a random IV for each encrypted value for resilience against some
types of crypto attacks. Fixes CHEF-3480.
The opscode/chef repository now only contains the core Chef library code
used by chef-client, knife and chef-solo!