backport of commit 91ec1a7
sgmiller authored Dec 4, 2023
1 parent b0b53cf commit c43e081
Showing 2 changed files with 27 additions and 9 deletions.
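--- a/changelog/24336.txt
+++ b/changelog/24336.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts.
+```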
33 changes: 24 additions & 9 deletions vault/barrier_aes_gcm.go
@@ -34,6 +34,8 @@ const (

autoRotateCheckInterval = 5 * time.Minute
legacyRotateReason = "legacy rotation"
// The keyring is persisted before the root key.
keyringTimeout = 1 * time.Second
)

// Versions of the AESGCM storage methodology
@@ -208,11 +210,18 @@ func (b *AESGCMBarrier) Initialize(ctx context.Context, key, sealKey []byte, rea
// persistKeyring is used to write out the keyring using the
// root key to encrypt it.
func (b *AESGCMBarrier) persistKeyring(ctx context.Context, keyring *Keyring) error {
const (
// The keyring is persisted before the root key.
keyringTimeout = 1 * time.Second
)
return b.persistKeyringInternal(ctx, keyring, false)
}

// persistKeyringBestEffort is like persistKeyring but 'best effort', ie times out early
// for non critical keyring writes (encryption/rotation tracking)
func (b *AESGCMBarrier) persistKeyringBestEffort(ctx context.Context, keyring *Keyring) error {
return b.persistKeyringInternal(ctx, keyring, true)
}

// persistKeyring is used to write out the keyring using the
// root key to encrypt it.
func (b *AESGCMBarrier) persistKeyringInternal(ctx context.Context, keyring *Keyring, bestEffort bool) error {
// Create the keyring entry
keyringBuf, err := keyring.Serialize()
defer memzero(keyringBuf)
@@ -238,10 +247,16 @@ func (b *AESGCMBarrier) persistKeyring(ctx context.Context, keyring *Keyring) er
Value: value,
}

// We reduce the timeout on the initial 'put' but if this succeeds we will
// allow longer later on when we try to persist the root key .
ctxKeyring, cancelKeyring := context.WithTimeout(ctx, keyringTimeout)
defer cancelKeyring()
ctxKeyring := ctx

if bestEffort {
// We reduce the timeout on the initial 'put' but if this succeeds we will
// allow longer later on when we try to persist the root key .
var cancelKeyring func()
ctxKeyring, cancelKeyring = context.WithTimeout(ctx, keyringTimeout)
defer cancelKeyring()
}

if err := b.backend.Put(ctxKeyring, pe); err != nil {
return fmt.Errorf("failed to persist keyring: %w", err)
}
@@ -1228,7 +1243,7 @@ func (b *AESGCMBarrier) persistEncryptions(ctx context.Context) error {
newEncs := upe + 1
activeKey.Encryptions += uint64(newEncs)
newKeyring := b.keyring.Clone()
err := b.persistKeyring(ctx, newKeyring)
err := b.persistKeyringBestEffort(ctx, newKeyring)
if err != nil {
return err
}
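Review bot: The doc comment above `persistKeyringInternal` is still the copied `persistKeyring` text and never mentions `bestEffort`, which is the one thing a future caller has to get right: with `true` the backend `Put` is bounded by `keyringTimeout` (one second), with `false` it runs under the caller's context unchanged. I would replace it with `// persistKeyringInternal writes the encrypted keyring to the backend; when bestEffort is true the Put is bounded by keyringTimeout, so use that mode only for encryption-count tracking and never for writes that must complete, such as initialization.` In `persistEncryptions`, `activeKey.Encryptions` is incremented before the best-effort write and the error path returns straight away, so it is worth confirming in the part of the function outside the hunk that a timed-out write cannot leave the persisted count that feeds key rotation behind the real number of encryptions. Both `persistKeyringInternal` and `persistEncryptions` continue past the visible hunks.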
