add value length check to approle createHMAC

builtin/credential/approle/path_login_test.go

@@ -2,6 +2,7 @@ package approle
 
 import (
 	"context"
+	"strings"
 	"testing"
 	"time"
 
@@ -264,6 +265,26 @@ func TestAppRole_RoleLogin(t *testing.T) {
 	if resp.Auth.Period != period {
 		t.Fatalf("expected period value of %d in the response, got: %s", period, resp.Auth.Period)
 	}
+
+	// Test input validation with secret_id that exceeds max length
+	loginData["secret_id"] = strings.Repeat("a", maxHmacInputLength+1)
+
+	loginReq = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "login",
+		Storage:   storage,
+		Data:      loginData,
+		Connection: &logical.Connection{
+			RemoteAddr: "127.0.0.1",
+		},
+	}
+
+	loginResp, err = b.HandleRequest(context.Background(), loginReq)
+
+	expectedErr := "failed to create HMAC of secret_id"
+	if loginResp != nil || err == nil || !strings.Contains(err.Error(), expectedErr) {
+		t.Fatalf("expected login test to fail with error %q, resp: %#v, err: %v", expectedErr, loginResp, err)
+	}
 }
 
 func generateRenewRequest(s logical.Storage, auth *logical.Auth) *logical.Request {

builtin/credential/approle/validation.go

@@ -92,12 +92,19 @@ func verifyCIDRRoleSecretIDSubset(secretIDCIDRs []string, roleBoundCIDRList []st
 	return nil
 }
 
+const maxHmacInputLength = 1024
+
 // Creates a SHA256 HMAC of the given 'value' using the given 'key' and returns
 // a hex encoded string.
 func createHMAC(key, value string) (string, error) {
 	if key == "" {
 		return "", fmt.Errorf("invalid HMAC key")
 	}
+
+	if len(value) > maxHmacInputLength {
+		return "", fmt.Errorf("value is longer than maximum of %d bytes", maxHmacInputLength)
+	}
+
 	hm := hmac.New(sha256.New, []byte(key))
 	hm.Write([]byte(value))
 	return hex.EncodeToString(hm.Sum(nil)), nil

changelog/14746.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation
+```