luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Merge pull request #2270 from hashicorp/pr-2148-slackpad 

Validates gossip encryption key before made persistent in local.keyring.
This commit is contained in:
James Phillips 2016-08-12 11:55:22 -07:00 committed by GitHub
parent 567b354ed2 7d20e2327e
commit ed92f43865
4 changed files with 21 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@ -91,6 +91,8 @@ BUG FIXES:
fail to start due to open user-mapped sections. [GH-2203] fail to start due to open user-mapped sections. [GH-2203]
* Fixed an issue where large events affecting many nodes could cause infinite intent * Fixed an issue where large events affecting many nodes could cause infinite intent
rebroadcasts, leading to many log messages about intent queue overflows. [GH-1062] rebroadcasts, leading to many log messages about intent queue overflows. [GH-1062]
* Gossip encryption keys are now validated before being made persistent in the
keyring, avoiding delayed feedback at runtime. [GH-1299]
OTHER CHANGES: OTHER CHANGES:

4
command/agent/keyring.go
View File

@ -22,7 +22,9 @@ const (
func initKeyring(path, key string) error { func initKeyring(path, key string) error {
var keys []string var keys []string
if _, err := base64.StdEncoding.DecodeString(key); err != nil { if keyBytes, err := base64.StdEncoding.DecodeString(key); err != nil {
return fmt.Errorf("Invalid key: %s", err)
} else if err := memberlist.ValidateKey(keyBytes); err != nil {
return fmt.Errorf("Invalid key: %s", err) return fmt.Errorf("Invalid key: %s", err)
} }

15
vendor/github.com/hashicorp/memberlist/keyring.go generated vendored
View File

@ -58,6 +58,17 @@ func NewKeyring(keys [][]byte, primaryKey []byte) (*Keyring, error) {
return keyring, nil return keyring, nil
} }
// ValidateKey will check to see if the key is valid and returns an error if not.
//
// key should be either 16, 24, or 32 bytes to select AES-128,
// AES-192, or AES-256.
func ValidateKey(key []byte) error {
if l := len(key); l != 16 && l != 24 && l != 32 {
return fmt.Errorf("key size must be 16, 24 or 32 bytes")
}
return nil
}
// AddKey will install a new key on the ring. Adding a key to the ring will make // AddKey will install a new key on the ring. Adding a key to the ring will make
// it available for use in decryption. If the key already exists on the ring, // it available for use in decryption. If the key already exists on the ring,
// this function will just return noop. // this function will just return noop.
@ -65,8 +76,8 @@ func NewKeyring(keys [][]byte, primaryKey []byte) (*Keyring, error) {
// key should be either 16, 24, or 32 bytes to select AES-128, // key should be either 16, 24, or 32 bytes to select AES-128,
// AES-192, or AES-256. // AES-192, or AES-256.
func (k *Keyring) AddKey(key []byte) error { func (k *Keyring) AddKey(key []byte) error {
if l := len(key); l != 16 && l != 24 && l != 32 { if err := ValidateKey(key); err != nil {
return fmt.Errorf("key size must be 16, 24 or 32 bytes") return err
} }
// No-op if key is already installed // No-op if key is already installed

6
vendor/vendor.json vendored
View File

@ -344,10 +344,10 @@
"revisionTime": "2015-06-09T07:04:31Z" "revisionTime": "2015-06-09T07:04:31Z"
}, },
{ {
"checksumSHA1": "8ytOx52G+38QMK4G194Kl6g6YGY=", "checksumSHA1": "AY1/cRsuWpoJMG0J821TqFo9nDE=",
"path": "github.com/hashicorp/memberlist", "path": "github.com/hashicorp/memberlist",
"revision": "b2053e314b4a87e5f0d2d47aeafd3e03be13da90", "revision": "0c5ba075f8520c65572f001331a1a43b756e01d7",
"revisionTime": "2016-06-21T23:59:43Z" "revisionTime": "2016-08-12T18:27:57Z"
}, },
{ {
"checksumSHA1": "qnlqWJYV81ENr61SZk9c65R1mDo=", "checksumSHA1": "qnlqWJYV81ENr61SZk9c65R1mDo=",