Decrypt message above 16k #1342
|
||
from argon2.low_level import Type, hash_secret_raw | ||
from Crypto.Cipher import AES, ChaCha20_Poly1305 | ||
|
||
_NONCE_LEN = 8 | ||
# Encrypted message format: |
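Review bot: `_NONCE_LEN = 8` sits directly above `# Encrypted message format:` with no comment of its own; unless the format comment that follows already covers it, say next to the constant how these 8 bytes relate to the nonce used for each chunk, since chunked decryption is the point of this PR. A link to the upstream format definition would do instead of restating the layout here.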
Where do you get this information?
From your documentation
Also it was present in the current code
And information that is mentioned in the later part is present in the sio implementation:
- Please point to https://github.com/minio/madmin-go/blob/main/encrypt.go#L43-L49 instead of repeating it here.
- I don't see more than 16k implementation in madmin-go. Could you point out why we need that?
- I don't understand. What are you asking me to do?
- It's located in the sio implementation. As of now smaller messages work as intended. Unfortunately, the responses that contain 16k bytes are not decrypted at all. In the official sio-go implementation (by secure-io, which is used internally by madmin-go) the payload is split into many smaller chunks. By default the buffer size (that is, the chunk size) is 16K bytes. Not to mention that madmin-go uses the default configuration.
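The chunking described in the comment above, as an added sketch that is not part of this PR or of minio-py: it frames a payload into per-chunk work items without doing any decryption. The 32-byte salt, 1-byte AEAD id, 16-byte tag per chunk, and the 4-byte little-endian counter starting at 1 are assumptions about the sio-go layout; only the 8-byte nonce and the 16K chunk size come from this page.

```python
SALT_LEN = 32             # assumed salt length
NONCE_LEN = 8             # matches _NONCE_LEN in the diff
TAG_LEN = 16              # AEAD tag appended to every chunk (assumed layout)
CHUNK_SIZE = 16 * 1024    # default buffer size named in the comment
HEADER_LEN = SALT_LEN + 1 + NONCE_LEN


def split_fragments(payload: bytes):
    """Split a payload into header fields and per-fragment work items.

    Returns (salt, aead_id, items); each item is (nonce, is_final, fragment),
    where fragment is ciphertext followed by its own tag.
    """
    if len(payload) < HEADER_LEN + TAG_LEN:
        raise ValueError("payload too short for header and one tag")
    salt = payload[:SALT_LEN]
    aead_id = payload[SALT_LEN]
    base_nonce = payload[SALT_LEN + 1:HEADER_LEN]
    body = payload[HEADER_LEN:]
    step = CHUNK_SIZE + TAG_LEN
    items = []
    for seq, start in enumerate(range(0, len(body), step), start=1):
        fragment = body[start:start + step]
        if len(fragment) < TAG_LEN:
            raise ValueError(f"fragment {seq} is truncated")
        # The last fragment is flagged so a decryptor can authenticate it
        # as final and notice a stream cut at a chunk boundary.
        is_final = start + step >= len(body)
        # Assumed: per-fragment nonce = 8-byte nonce + little-endian counter.
        nonce = base_nonce + seq.to_bytes(4, "little")
        items.append((nonce, is_final, fragment))
    return salt, aead_id, items


def build_sample(plaintext_len: int) -> bytes:
    """Constructed stand-in payload: zero bytes in place of ciphertext and tags."""
    full, rest = divmod(plaintext_len, CHUNK_SIZE)
    sizes = [CHUNK_SIZE] * full + ([rest] if rest or not full else [])
    body = b"".join(bytes(n + TAG_LEN) for n in sizes)
    return bytes(SALT_LEN) + b"\x01" + bytes(range(NONCE_LEN)) + body
```

A decryptor that treats everything after the header as one ciphertext plus one tag only matches this framing when `items` has a single entry, which is the case for responses up to 16K.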
If you want to reproduce the issue try to create above 3k buckets with members (with long names). Then try to call an endpoint responsible for listing entities with their affiliation (see an issue, related to this PR)
> If you want to reproduce the issue try to create above 3k buckets with members (with long names). Then try to call an endpoint responsible for listing entities with their affiliation

For this scenario, what API have you used to reproduce the issue?
For example (minioadmin, so prefixed with proper path):
- idp/ldap/policy-entities
- idp/builtin/policy-entities
- list-users for bigger instances…
Anything with potentially more capacious response. 16k is the limit
Squashed commits |
return ChaCha20Poly1305CipherProvider() | ||
return None | ||
|
||
|
||
def decrypt(payload: bytes, password: str) -> bytes: |
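Review bot: the `return None` fallthrough after `return ChaCha20Poly1305CipherProvider()` makes "no provider matched" look like an ordinary return value, so every caller has to remember to check for None. Consider raising a ValueError that names the unsupported value at this point, so `decrypt(payload: bytes, password: str)` fails with a clear error on an unexpected header instead of an AttributeError further down.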
We would need to have a reader interface rather than handling bytes here.
I am working on this including size > 16KiB for encrypt and decrypt.
Please refer to #1345. Feel free to test it and close this PR accordingly.
Current behavior
As of now decrypting in crypto.py works only for small messages. This does affect an entire minioadmin module.
Introduced solution
Partition the message into smaller chunks. Decode every chunk separately.
Related issues