scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

backport of commit 91ec1a788b (#24362)

Browse Source 
Co-authored-by: Scott Miller <smiller@hashicorp.com>
This commit is contained in:
hc-github-team-secure-vault-core
2023-12-04 17:58:15 -05:00
committed by GitHub
parent b0b53cf811
commit 79f170d0f0
2 changed files with 27 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/24336.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts.
```

33
vault/barrier_aes_gcm.go
View File

@@ -34,6 +34,8 @@ const (
autoRotateCheckInterval = 5 * time.Minute autoRotateCheckInterval = 5 * time.Minute
legacyRotateReason = "legacy rotation" legacyRotateReason = "legacy rotation"
// The keyring is persisted before the root key.
keyringTimeout = 1 * time.Second
) )
// Versions of the AESGCM storage methodology // Versions of the AESGCM storage methodology
@@ -208,11 +210,18 @@ func (b *AESGCMBarrier) Initialize(ctx context.Context, key, sealKey []byte, rea
// persistKeyring is used to write out the keyring using the // persistKeyring is used to write out the keyring using the
// root key to encrypt it. // root key to encrypt it.
func (b *AESGCMBarrier) persistKeyring(ctx context.Context, keyring *Keyring) error { func (b *AESGCMBarrier) persistKeyring(ctx context.Context, keyring *Keyring) error {
const ( return b.persistKeyringInternal(ctx, keyring, false)
// The keyring is persisted before the root key. }
keyringTimeout = 1 * time.Second
)
// persistKeyringBestEffort is like persistKeyring but 'best effort', ie times out early
// for non critical keyring writes (encryption/rotation tracking)
func (b *AESGCMBarrier) persistKeyringBestEffort(ctx context.Context, keyring *Keyring) error {
return b.persistKeyringInternal(ctx, keyring, true)
}
// persistKeyring is used to write out the keyring using the
// root key to encrypt it.
func (b *AESGCMBarrier) persistKeyringInternal(ctx context.Context, keyring *Keyring, bestEffort bool) error {
// Create the keyring entry // Create the keyring entry
keyringBuf, err := keyring.Serialize() keyringBuf, err := keyring.Serialize()
defer memzero(keyringBuf) defer memzero(keyringBuf)
@@ -238,10 +247,16 @@ func (b *AESGCMBarrier) persistKeyring(ctx context.Context, keyring *Keyring) er
Value: value, Value: value,
} }
// We reduce the timeout on the initial 'put' but if this succeeds we will ctxKeyring := ctx
// allow longer later on when we try to persist the root key .
ctxKeyring, cancelKeyring := context.WithTimeout(ctx, keyringTimeout) if bestEffort {
defer cancelKeyring() // We reduce the timeout on the initial 'put' but if this succeeds we will
// allow longer later on when we try to persist the root key .
var cancelKeyring func()
ctxKeyring, cancelKeyring = context.WithTimeout(ctx, keyringTimeout)
defer cancelKeyring()
}
if err := b.backend.Put(ctxKeyring, pe); err != nil { if err := b.backend.Put(ctxKeyring, pe); err != nil {
return fmt.Errorf("failed to persist keyring: %w", err) return fmt.Errorf("failed to persist keyring: %w", err)
} }
@@ -1228,7 +1243,7 @@ func (b *AESGCMBarrier) persistEncryptions(ctx context.Context) error {
newEncs := upe + 1 newEncs := upe + 1
activeKey.Encryptions += uint64(newEncs) activeKey.Encryptions += uint64(newEncs)
newKeyring := b.keyring.Clone() newKeyring := b.keyring.Clone()
err := b.persistKeyring(ctx, newKeyring) err := b.persistKeyringBestEffort(ctx, newKeyring)
if err != nil { if err != nil {
return err return err
} }