prevent IV collisions for awskms

bincyber · Oct 25, 2023 · 96c73cd · 96c73cd
1 parent 9ff66ea
commit 96c73cd
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/providers/awskms/kms.go b/providers/awskms/kms.go
@@ -8,6 +8,7 @@ import (
 	"encoding/binary"
 	"fmt"
 	"io"
+	"sync/atomic"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -33,6 +34,9 @@ type KMSCrypter struct {
 	// encryptedKeyLength is the length of the DEK.
 	encryptedKeyLength uint8
 
+	// encryptedKeyEncryptionCount is the number of encryptions performed with the current key
+	encryptedKeyEncryptionCount atomic.Uint64
+
 	// cipherBlock is the 256-bit AES GCM block cipher.
 	aesgcm cipher.AEAD
 
@@ -105,10 +109,8 @@ func (k *KMSCrypter) Encrypt(w io.Writer, r io.Reader) error {
 		return errors.Wrap(err, "failed to read from io.Reader")
 	}
 
-	nonce, err := sqlcrypter.GenerateBytes(k.aesgcm.NonceSize())
-	if err != nil {
-		return errors.Wrap(err, "failed to generate 12-byte random nonce")
-	}
+	nonce := make([]byte, 12)
+	binary.LittleEndian.PutUint64(nonce[4:], k.encryptedKeyEncryptionCount.Add(1))
 
 	ciphertext := k.aesgcm.Seal(nil, nonce, src.Bytes(), nil)