Merge pull request #2453 from nats-io/encrypt-checks

Add in additional checks for failures during filestore encryption.
Derek Collison
2021-08-17 14:55:41 -07:00
committed by GitHub
2 changed files with 32 additions and 10 deletions


@@ -394,13 +394,19 @@ func (fs *fileStore) genEncryptionKeys(context string) (aek cipher.AEAD, bek *ch
return nil, nil, nil, nil, errNoEncryption
}
// Generate key encryption key.
kek, err := chacha20poly1305.NewX(fs.prf([]byte(context)))
rb, err := fs.prf([]byte(context))
if err != nil {
return nil, nil, nil, nil, err
}
kek, err := chacha20poly1305.NewX(rb)
if err != nil {
return nil, nil, nil, nil, err
}
// Generate random asset encryption key seed.
seed = make([]byte, 32)
rand.Read(seed)
if n, err := rand.Read(seed); err != nil || n != 32 {
return nil, nil, nil, nil, err
}
aek, err = chacha20poly1305.NewX(seed)
if err != nil {
return nil, nil, nil, nil, err
@@ -499,7 +505,11 @@ func (fs *fileStore) recoverMsgBlock(fi os.FileInfo, index uint64) (*msgBlock, e
return nil, errBadKeySize
}
// Recover key encryption key.
kek, err := chacha20poly1305.NewX(fs.prf([]byte(fmt.Sprintf("%s:%d", fs.cfg.Name, mb.index))))
rb, err := fs.prf([]byte(fmt.Sprintf("%s:%d", fs.cfg.Name, mb.index)))
if err != nil {
return nil, err
}
kek, err := chacha20poly1305.NewX(rb)
if err != nil {
return nil, err
}
@@ -4470,7 +4480,11 @@ func (fs *fileStore) ConsumerStore(name string, cfg *ConsumerConfig) (ConsumerSt
if o.prf != nil {
if ekey, err := ioutil.ReadFile(path.Join(odir, JetStreamMetaFileKey)); err == nil {
// Recover key encryption key.
kek, err := chacha20poly1305.NewX(fs.prf([]byte(fs.cfg.Name + tsep + o.name)))
rb, err := fs.prf([]byte(fs.cfg.Name + tsep + o.name))
if err != nil {
return nil, err
}
kek, err := chacha20poly1305.NewX(rb)
if err != nil {
return nil, err
}
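Review bot: In the genEncryptionKeys hunk the new guard `if n, err := rand.Read(seed); err != nil || n != 32` returns a nil error on a short read: when `n != 32` and `err == nil`, `return nil, nil, nil, nil, err` hands the caller nil keys and no error, so the failure looks like success. If `rand` is crypto/rand (the imports are outside the hunk), `if _, err := io.ReadFull(rand.Reader, seed); err != nil { return nil, nil, nil, nil, err }` reports a short read as an error without a hard-coded length. Otherwise keep the check and return an explicit error for the `n != len(seed)` case. The function body continues outside the hunk.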


@@ -183,17 +183,21 @@ func (s *Server) EnableJetStream(config *JetStreamConfig) error {
}
// Function signature to generate a key encryption key.
type keyGen func(context []byte) []byte
type keyGen func(context []byte) ([]byte, error)
// Return a key generation function or nil if encryption not enabled.
// keyGen defined in filestore.go - keyGen func(iv, context []byte) []byte
func (s *Server) jsKeyGen(info string) keyGen {
if ek := s.getOpts().JetStreamKey; ek != _EMPTY_ {
return func(context []byte) []byte {
return func(context []byte) ([]byte, error) {
h := hmac.New(sha256.New, []byte(ek))
h.Write([]byte(info))
h.Write(context)
return h.Sum(nil)
if _, err := h.Write([]byte(info)); err != nil {
return nil, err
}
if _, err := h.Write(context); err != nil {
return nil, err
}
return h.Sum(nil), nil
}
}
return nil
@@ -208,7 +212,11 @@ func (s *Server) decryptMeta(ekey, buf []byte, acc, context string) ([]byte, err
if prf == nil {
return nil, errNoEncryption
}
kek, err := chacha20poly1305.NewX(prf([]byte(context)))
rb, err := prf([]byte(context))
if err != nil {
return nil, err
}
kek, err := chacha20poly1305.NewX(rb)
if err != nil {
return nil, err
}
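Review bot: The comment above jsKeyGen, `// keyGen defined in filestore.go - keyGen func(iv, context []byte) []byte`, no longer matches the type this hunk declares a few lines earlier and should be updated to `// keyGen is declared above: func(context []byte) ([]byte, error)`. The type comment could also state that the output is HMAC-SHA256 keyed with JetStreamKey over info and context, and that callers pass it straight to `chacha20poly1305.NewX`, which expects a 32-byte key. The added `h.Write` error branches are harmless, but hash.Hash documents that Write never returns an error, so they do not add a real failure signal to the key derivation.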