From 359cd7490cf3e3bd2cf7327780901fdd151be55b Mon Sep 17 00:00:00 2001 From: Pier-Hugues Pellerin Date: Tue, 9 Feb 2021 15:16:23 -0500 Subject: [PATCH] Panic when using inline SSL certificate or key (#23858) * Panic when using inline SSL certificate or key When the key or certificate was smaller than 256bytes the system was throwing a panic, the problem was generate by a debug message. Instead of logging part of the keys or certificate in the log we are just writing "inline". Fixes: #23820 * changelog --- CHANGELOG.next.asciidoc | 1 + libbeat/common/transport/tlscommon/tls.go | 4 +- .../common/transport/tlscommon/tls_test.go | 43 +++++++++++++++++++ 3 files changed, 45 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 6fd75d8f430..a2cc2c10da8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -31,6 +31,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - API address is a required setting in `add_cloudfoundry_metadata`. {pull}21759[21759] - Update to ECS 1.7.0. {pull}22571[22571] - Add support for SCRAM-SHA-512 and SCRAM-SHA-256 in Kafka output. {pull}12867[12867] +- Fix panic with inline SSL when the certificate or key were small than 256 bytes. {pull}23820[23820] *Auditbeat* diff --git a/libbeat/common/transport/tlscommon/tls.go b/libbeat/common/transport/tlscommon/tls.go index ba44310727c..e5388eaf8ce 100644 --- a/libbeat/common/transport/tlscommon/tls.go +++ b/libbeat/common/transport/tlscommon/tls.go 
@@ -214,9 +214,7 @@ type PEMReader struct {
 // NewPEMReader returns a new PEMReader.
 func NewPEMReader(certificate string) (*PEMReader, error) {
 	if IsPEMString(certificate) {
-		// Take a substring of the certificate so we do not leak the whole certificate or private key in the log.
-		debugStr := certificate[0:256] + "..."
-		return &PEMReader{reader: ioutil.NopCloser(strings.NewReader(certificate)), debugStr: debugStr}, nil
+		return &PEMReader{reader: ioutil.NopCloser(strings.NewReader(certificate)), debugStr: "inline"}, nil
 	}
 
 	r, err := os.Open(certificate)
diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go
index 45c0ebf1f7f..5d610af5bf4 100644
--- a/libbeat/common/transport/tlscommon/tls_test.go
+++ b/libbeat/common/transport/tlscommon/tls_test.go
@@ -546,6 +546,7 @@ NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
 nygO9KTJuUiBrLr0AHEnqko=
 -----END PRIVATE KEY-----
 `
+
 	t.Run("embed", func(t *testing.T) {
 		// Create a dummy configuration and append the CA after.
 		cfg, err := load(`
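Review bot: The added `return` line drops the explanatory comment together with the slicing, so nothing at the call site now records why the debug string is a fixed marker rather than any part of the input; a one-line comment would keep a later "helpful" change from reintroducing a truncated prefix of the PEM data into debug output, e.g. `// Never surface any part of an inline certificate or key in debug output; a PEM prefix is still sensitive, so log a fixed marker.` Replacing the prefix outright is the right call, since even 256 bytes of a private key block is key material and the old code additionally panicked on shorter inputs. If operators need to tell several inline blobs apart in logs, a non-sensitive attribute such as the byte length would be safe to append, whereas content never is. NewPEMReader continues past this hunk (the file-path branch after `os.Open`).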
@@ -568,6 +569,48 @@ supported_protocols: null assert.NotNil(t, tlsC) }) + t.Run("embed small key", func(t *testing.T) { + // Create a dummy configuration and append the CA after. + cfg, err := load(` +enabled: true +verification_mode: null +certificate: null +key: null +key_passphrase: null +certificate_authorities: +cipher_suites: null +curve_types: null +supported_protocols: null + `) + certificate := ` +-----BEGIN CERTIFICATE----- +MIIBmzCCAUCgAwIBAgIRAOQpDyaFimzmueynALHkFEcwCgYIKoZIzj0EAwIwJjEk +MCIGA1UEChMbVEVTVCAtIEVsYXN0aWMgSW50ZWdyYXRpb25zMB4XDTIxMDIwMjE1 +NTkxMFoXDTQxMDEyODE1NTkxMFowJjEkMCIGA1UEChMbVEVTVCAtIEVsYXN0aWMg +SW50ZWdyYXRpb25zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBc7UEvBd+5SG +Z6QQfgBaPh/VAlf7ovpa/wfSmbHfBhee+dTvdAO1p90lannCkZmc7OfWAlQ1eTgJ +QW668CJwE6NPME0wDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB +MAwGA1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INZWxhc3RpYy1hZ2VudDAKBggqhkjO +PQQDAgNJADBGAiEAhpGWL4lxsdb3+hHv0y4ppw6B7IJJLCeCwHLyHt2Dkx4CIQD6 +OEU+yuHzbWa18JVkHafxwnpwQmxwZA3VNitM/AyGTQ== +-----END CERTIFICATE----- +` + key := ` +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFDQJ1CPLXrUbUFqj +ED8dqsGuVQdcPK7CHpsCeTtAgQqhRANCAAQFztQS8F37lIZnpBB+AFo+H9UCV/ui ++lr/B9KZsd8GF5751O90A7Wn3SVqecKRmZzs59YCVDV5OAlBbrrwInAT +-----END PRIVATE KEY----- +` + cfg.Certificate.Certificate = certificate + cfg.Certificate.Key = key + + tlsC, err := LoadTLSConfig(cfg) + assert.NoError(t, err) + + assert.NotNil(t, tlsC) + }) + t.Run("From disk", func(t *testing.T) { k, err := ioutil.TempFile("", "certificate.key") k.WriteString(key)
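Review bot: In the new `embed small key` subtest the error from `cfg, err := load(...)` is never inspected before `cfg` is dereferenced at `cfg.Certificate.Certificate = certificate`, so a configuration parse failure would surface as a nil-pointer panic instead of a readable assertion; add `assert.NoError(t, err)` (or `require.NoError` if that package is already imported in this file) directly after the `load` call. The subtest also only checks that `LoadTLSConfig` succeeds; it does not pin the property the fix is about, namely that the reader's debug representation for inline material is the fixed `"inline"` marker and contains no PEM bytes, so a direct assertion on `NewPEMReader`'s debug string (through whatever accessor the type exposes) would keep a regression from reintroducing key material into logs. The enclosing test function starts before this hunk and continues after it.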