diff --git a/command/agent/keyring.go b/command/agent/keyring.go index f51b04c0c3..e7b8aa4ce1 100644 --- a/command/agent/keyring.go +++ b/command/agent/keyring.go @@ -22,7 +22,9 @@ const ( func initKeyring(path, key string) error { var keys []string - if _, err := base64.StdEncoding.DecodeString(key); err != nil { + if keyBytes, err := base64.StdEncoding.DecodeString(key); err != nil { + return fmt.Errorf("Invalid key: %s", err) + } else if err := memberlist.ValidateKey(keyBytes); err != nil { return fmt.Errorf("Invalid key: %s", err) } diff --git a/vendor/github.com/hashicorp/memberlist/keyring.go b/vendor/github.com/hashicorp/memberlist/keyring.go index be2201d488..a2774a0ce0 100644 --- a/vendor/github.com/hashicorp/memberlist/keyring.go +++ b/vendor/github.com/hashicorp/memberlist/keyring.go @@ -58,6 +58,17 @@ func NewKeyring(keys [][]byte, primaryKey []byte) (*Keyring, error) { return keyring, nil } +// ValidateKey will check to see if the key is valid and returns an error if not. +// +// key should be either 16, 24, or 32 bytes to select AES-128, +// AES-192, or AES-256. +func ValidateKey(key []byte) error { + if l := len(key); l != 16 && l != 24 && l != 32 { + return fmt.Errorf("key size must be 16, 24 or 32 bytes") + } + return nil +} + // AddKey will install a new key on the ring. Adding a key to the ring will make // it available for use in decryption. If the key already exists on the ring, // this function will just return noop. @@ -65,8 +76,8 @@ func NewKeyring(keys [][]byte, primaryKey []byte) (*Keyring, error) { // key should be either 16, 24, or 32 bytes to select AES-128, // AES-192, or AES-256. func (k *Keyring) AddKey(key []byte) error { - if l := len(key); l != 16 && l != 24 && l != 32 { - return fmt.Errorf("key size must be 16, 24 or 32 bytes") + if err := ValidateKey(key); err != nil { + return err } // No-op if key is already installed