Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[libbeat] Panic when using inline SSL certificate.key #23820

Closed
andrewkroh opened this issue Feb 2, 2021 · 3 comments · Fixed by #23858
Closed

[libbeat] Panic when using inline SSL certificate.key #23820

andrewkroh opened this issue Feb 2, 2021 · 3 comments · Fixed by #23858
Labels
bug libbeat Team:Elastic-Agent Label for the Agent team

Comments

@andrewkroh
Copy link
Member

My key is 241 bytes, but the code requires the cert and key length to be at least 256 bytes or else it panics.

beats/libbeat/common/transport/tlscommon/tls.go

Lines 217 to 218 in 39e144d

// Take a substring of the certificate so we do not leak the whole certificate or private key in the log.
debugStr := certificate[0:256] + "..." 

runtime error: slice bounds out of range [:256] with length 241

github.com/elastic/beats/v7/libbeat/cmd/instance.Run.func1.1
	/Users/akroh/go/src/github.com/elastic/beats/libbeat/cmd/instance/beat.go:168
runtime.gopanic
	/Users/akroh/.gvm/versions/go1.15.5.darwin.amd64/src/runtime/panic.go:969
runtime.goPanicSliceAlen
	/Users/akroh/.gvm/versions/go1.15.5.darwin.amd64/src/runtime/panic.go:98
github.com/elastic/beats/v7/libbeat/common/transport/tlscommon.NewPEMReader
	/Users/akroh/go/src/github.com/elastic/beats/libbeat/common/transport/tlscommon/tls.go:218
github.com/elastic/beats/v7/libbeat/common/transport/tlscommon.ReadPEMFile
	/Users/akroh/go/src/github.com/elastic/beats/libbeat/common/transport/tlscommon/tls.go:79
github.com/elastic/beats/v7/libbeat/common/transport/tlscommon.LoadCertificate
	/Users/akroh/go/src/github.com/elastic/beats/libbeat/common/transport/tlscommon/tls.go:57
github.com/elastic/beats/v7/libbeat/common/transport/tlscommon.LoadTLSServerConfig
	/Users/akroh/go/src/github.com/elastic/beats/libbeat/common/transport/tlscommon/server_config.go:67
github.com/elastic/beats/v7/x-pack/filebeat/input/http_endpoint.newHTTPEndpoint
	/Users/akroh/go/src/github.com/elastic/beats/x-pack/filebeat/input/http_endpoint/input.go:57
github.com/elastic/beats/v7/x-pack/filebeat/input/http_endpoint.configure
	/Users/akroh/go/src/github.com/elastic/beats/x-pack/filebeat/input/http_endpoint/input.go:46
github.com/elastic/beats/v7/filebeat/input/v2/input-stateless.InputManager.Create
	/Users/akroh/go/src/github.com/elastic/beats/filebeat/input/v2/input-stateless/stateless.go:66
github.com/elastic/beats/v7/filebeat/input/v2.(*Loader).Configure
	/Users/akroh/go/src/github.com/elastic/beats/filebeat/input/v2/loader.go:110
github.com/elastic/beats/v7/filebeat/input/v2/compat.(*factory).Create
	/Users/akroh/go/src/github.com/elastic/beats/filebeat/input/v2/compat/compat.go:83
github.com/elastic/beats/v7/filebeat/input/v2/compat.composeFactory.Create
	/Users/akroh/go/src/github.com/elastic/beats/filebeat/input/v2/compat/composed.go:62
github.com/elastic/beats/v7/filebeat/channel.RunnerFactoryWithCommonInputSettings.func1
	/Users/akroh/go/src/github.com/elastic/beats/filebeat/channel/runner.go:98
github.com/elastic/beats/v7/filebeat/channel.(*onCreateFactory).Create
	/Users/akroh/go/src/github.com/elastic/beats/filebeat/channel/runner.go:67
github.com/elastic/beats/v7/filebeat/beater.(*crawler).startInput
	/Users/akroh/go/src/github.com/elastic/beats/filebeat/beater/crawler.go:131
github.com/elastic/beats/v7/filebeat/beater.(*crawler).Start
	/Users/akroh/go/src/github.com/elastic/beats/filebeat/beater/crawler.go:75
github.com/elastic/beats/v7/filebeat/beater.(*Filebeat).Run
	/Users/akroh/go/src/github.com/elastic/beats/filebeat/beater/filebeat.go:345
github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).launch
	/Users/akroh/go/src/github.com/elastic/beats/libbeat/cmd/instance/beat.go:473
github.com/elastic/beats/v7/libbeat/cmd/instance.Run.func1
	/Users/akroh/go/src/github.com/elastic/beats/libbeat/cmd/instance/beat.go:192
github.com/elastic/beats/v7/libbeat/cmd/instance.Run
	/Users/akroh/go/src/github.com/elastic/beats/libbeat/cmd/instance/beat.go:193
github.com/elastic/beats/v7/libbeat/cmd.genRunCmd.func1
	/Users/akroh/go/src/github.com/elastic/beats/libbeat/cmd/run.go:36
github.com/spf13/cobra.(*Command).execute
	/Users/akroh/go/pkg/mod/github.com/spf13/cobra@v0.0.5/command.go:830
github.com/spf13/cobra.(*Command).ExecuteC
	/Users/akroh/go/pkg/mod/github.com/spf13/cobra@v0.0.5/command.go:914
github.com/spf13/cobra.(*Command).Execute
	/Users/akroh/go/pkg/mod/github.com/spf13/cobra@v0.0.5/command.go:864
main.main
	/Users/akroh/go/src/github.com/elastic/beats/x-pack/filebeat/main.go:22
runtime.main
	/Users/akroh/.gvm/versions/go1.15.5.darwin.amd64/src/runtime/proc.go:204

Filebeat config:

filebeat.inputs:
- type: http_endpoint
  listen_address: 0.0.0.0
  listen_port: 7443
  url: /
  prefix: foo
  secret.header: Authorization
  secret.value: abc123
  ssl:
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIBmzCCAUCgAwIBAgIRAOQpDyaFimzmueynALHkFEcwCgYIKoZIzj0EAwIwJjEk
      MCIGA1UEChMbVEVTVCAtIEVsYXN0aWMgSW50ZWdyYXRpb25zMB4XDTIxMDIwMjE1
      NTkxMFoXDTQxMDEyODE1NTkxMFowJjEkMCIGA1UEChMbVEVTVCAtIEVsYXN0aWMg
      SW50ZWdyYXRpb25zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBc7UEvBd+5SG
      Z6QQfgBaPh/VAlf7ovpa/wfSmbHfBhee+dTvdAO1p90lannCkZmc7OfWAlQ1eTgJ
      QW668CJwE6NPME0wDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB
      MAwGA1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INZWxhc3RpYy1hZ2VudDAKBggqhkjO
      PQQDAgNJADBGAiEAhpGWL4lxsdb3+hHv0y4ppw6B7IJJLCeCwHLyHt2Dkx4CIQD6
      OEU+yuHzbWa18JVkHafxwnpwQmxwZA3VNitM/AyGTQ==
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFDQJ1CPLXrUbUFqj
      ED8dqsGuVQdcPK7CHpsCeTtAgQqhRANCAAQFztQS8F37lIZnpBB+AFo+H9UCV/ui
      +lr/B9KZsd8GF5751O90A7Wn3SVqecKRmZzs59YCVDV5OAlBbrrwInAT
      -----END PRIVATE KEY-----
  tags:
    - zoom-webhook
    - forwarded

output.console.pretty: true
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Feb 2, 2021
@andrewkroh
Copy link
Member Author

A key could be as small as 64 bytes for something like ed25519. For example:

-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIEbr70Bf+wYk/kPO5NaHNWD1wt1CoXrb9E05Yesf98nF
-----END PRIVATE KEY-----

@andrewkroh
Copy link
Member Author

@ph Thinking about the comment in the code, I wonder if we even want to leak part of the key in logs. Perhaps we should put a static string like inline in this case.

@ph ph added the Team:Elastic-Agent Label for the Agent team label Feb 2, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/agent (Team:Agent)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Feb 2, 2021
ph added a commit to ph/beats that referenced this issue Feb 4, 2021
@ph
Panic when using inline SSL certificate or key
4c08fa4 
When the key or certificate was smaller than 256bytes the system was
throwing a panic, the problem was generate by a debug message. Instead
of logging part of the keys or certificate in the log we are just
writing "inline".

Fixes: elastic#23820
@ph ph mentioned this issue Feb 4, 2021
Merged
6 tasks
@ph ph closed this as completed in #23858 Feb 9, 2021
ph added a commit that referenced this issue Feb 9, 2021
@ph
Panic when using inline SSL certificate or key (#23858)
359cd74 
* Panic when using inline SSL certificate or key

When the key or certificate was smaller than 256bytes the system was
throwing a panic, the problem was generate by a debug message. Instead
of logging part of the keys or certificate in the log we are just
writing "inline".

Fixes: #23820

* changelog
@ph ph mentioned this issue Feb 9, 2021
Merged
6 tasks
ph added a commit to ph/beats that referenced this issue Feb 9, 2021
@ph
Panic when using inline SSL certificate or key (elastic#23858)
c5b1e07 
* Panic when using inline SSL certificate or key

When the key or certificate was smaller than 256bytes the system was
throwing a panic, the problem was generate by a debug message. Instead
of logging part of the keys or certificate in the log we are just
writing "inline".

Fixes: elastic#23820

* changelog

(cherry picked from commit 359cd74)
ph added a commit that referenced this issue Feb 11, 2021
@ph
Cherry-pick #23858 to 7.x: Panic when using inline SSL certificate or…
8758310 
… key (#23949)

* Panic when using inline SSL certificate or key (#23858)

* Panic when using inline SSL certificate or key

When the key or certificate was smaller than 256bytes the system was
throwing a panic, the problem was generate by a debug message. Instead
of logging part of the keys or certificate in the log we are just
writing "inline".

Fixes: #23820

* changelog

(cherry picked from commit 359cd74)

* Changelog
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug libbeat Team:Elastic-Agent Label for the Agent team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Panic when using inline SSL certificate or key ph/beats
3 participants
@ph @andrewkroh @elasticmachine