From 291a468c87a20473eeea2517ae3395f6be5f218a Mon Sep 17 00:00:00 2001 From: "R.B. Boyer" Date: Tue, 28 Jun 2016 23:19:18 -0500 Subject: [PATCH 1/3] Validate gossip encryption key before made persistent in local.keyring --- command/agent/keyring.go | 4 +++- vendor/github.com/hashicorp/memberlist/keyring.go | 15 +++++++++++++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/command/agent/keyring.go b/command/agent/keyring.go index f51b04c0c..e7b8aa4ce 100644 --- a/command/agent/keyring.go +++ b/command/agent/keyring.go @@ -22,7 +22,9 @@ const ( func initKeyring(path, key string) error { var keys []string - if _, err := base64.StdEncoding.DecodeString(key); err != nil { + if keyBytes, err := base64.StdEncoding.DecodeString(key); err != nil { + return fmt.Errorf("Invalid key: %s", err) + } else if err := memberlist.ValidateKey(keyBytes); err != nil { return fmt.Errorf("Invalid key: %s", err) } diff --git a/vendor/github.com/hashicorp/memberlist/keyring.go b/vendor/github.com/hashicorp/memberlist/keyring.go index be2201d48..a2774a0ce 100644 --- a/vendor/github.com/hashicorp/memberlist/keyring.go +++ b/vendor/github.com/hashicorp/memberlist/keyring.go @@ -58,6 +58,17 @@ func NewKeyring(keys [][]byte, primaryKey []byte) (*Keyring, error) { return keyring, nil } +// ValidateKey will check to see if the key is valid and returns an error if not. +// +// key should be either 16, 24, or 32 bytes to select AES-128, +// AES-192, or AES-256. +func ValidateKey(key []byte) error { + if l := len(key); l != 16 && l != 24 && l != 32 { + return fmt.Errorf("key size must be 16, 24 or 32 bytes") + } + return nil +} + // AddKey will install a new key on the ring. Adding a key to the ring will make // it available for use in decryption. If the key already exists on the ring, // this function will just return noop. 
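Review bot: The new rejection path in `initKeyring` has no test in this series: the diffstat for this patch lists only `command/agent/keyring.go` and the vendored `memberlist/keyring.go`, so nothing pins that a key which is valid base64 but the wrong length is refused. A case that passes such a key (for example one decoding to 10 bytes) and asserts the `Invalid key` error, and, if the write happens later in this function as the subject line suggests, that nothing was created at `path`, would cover it. As a style point, the `else if` after a returning branch declares a second `err` that shadows the first; hoisting the decode into `keyBytes, err := base64.StdEncoding.DecodeString(key)` followed by two plain guards, the second being `if err := memberlist.ValidateKey(keyBytes); err != nil {`, reads flatter. The rest of `initKeyring` lies outside the hunk.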
@@ -65,8 +76,8 @@ func NewKeyring(keys [][]byte, primaryKey []byte) (*Keyring, error) { // key should be either 16, 24, or 32 bytes to select AES-128, // AES-192, or AES-256. func (k *Keyring) AddKey(key []byte) error { - if l := len(key); l != 16 && l != 24 && l != 32 { - return fmt.Errorf("key size must be 16, 24 or 32 bytes") + if err := ValidateKey(key); err != nil { + return err } // No-op if key is already installed From a32990f4027fdbeea1391fda1ad15c9b86ec894d Mon Sep 17 00:00:00 2001 From: James Phillips Date: Fri, 12 Aug 2016 11:43:26 -0700 Subject: [PATCH 2/3] Updates vendor info for memberlist. --- vendor/vendor.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vendor/vendor.json b/vendor/vendor.json index dcaec3d82..1d0e61fef 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json @@ -344,10 +344,10 @@ "revisionTime": "2015-06-09T07:04:31Z" }, { - "checksumSHA1": "8ytOx52G+38QMK4G194Kl6g6YGY=", + "checksumSHA1": "AY1/cRsuWpoJMG0J821TqFo9nDE=", "path": "github.com/hashicorp/memberlist", - "revision": "b2053e314b4a87e5f0d2d47aeafd3e03be13da90", - "revisionTime": "2016-06-21T23:59:43Z" + "revision": "0c5ba075f8520c65572f001331a1a43b756e01d7", + "revisionTime": "2016-08-12T18:27:57Z" }, { "checksumSHA1": "qnlqWJYV81ENr61SZk9c65R1mDo=", From 7d20e2327e33899e4ed2ed4964b7144058afd132 Mon Sep 17 00:00:00 2001 From: James Phillips Date: Fri, 12 Aug 2016 11:53:49 -0700 Subject: [PATCH 3/3] Updates the change log. --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 47c619449..4ac38eb9f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -91,6 +91,8 @@ BUG FIXES: fail to start due to open user-mapped sections. [GH-2203] * Fixed an issue where large events affecting many nodes could cause infinite intent rebroadcasts, leading to many log messages about intent queue overflows. [GH-1062] +* Gossip encryption keys are now validated before being made persistent in the + keyring, avoiding delayed feedback at runtime. [GH-1299] OTHER CHANGES: