Showing 2 changed files with 32 additions and 10 deletions.
22 changes: 18 additions & 4 deletions server/filestore.go
@@ -394,13 +394,19 @@ func (fs *fileStore) genEncryptionKeys(context string) (aek cipher.AEAD, bek *ch
return nil, nil, nil, nil, errNoEncryption
}
// Generate key encryption key.
kek, err := chacha20poly1305.NewX(fs.prf([]byte(context)))
rb, err := fs.prf([]byte(context))
if err != nil {
return nil, nil, nil, nil, err
}
kek, err := chacha20poly1305.NewX(rb)
if err != nil {
return nil, nil, nil, nil, err
}
// Generate random asset encryption key seed.
seed = make([]byte, 32)
rand.Read(seed)
if n, err := rand.Read(seed); err != nil || n != 32 {
return nil, nil, nil, nil, err
}
aek, err = chacha20poly1305.NewX(seed)
if err != nil {
return nil, nil, nil, nil, err
@@ -499,7 +505,11 @@ func (fs *fileStore) recoverMsgBlock(fi os.FileInfo, index uint64) (*msgBlock, e
return nil, errBadKeySize
}
// Recover key encryption key.
kek, err := chacha20poly1305.NewX(fs.prf([]byte(fmt.Sprintf("%s:%d", fs.cfg.Name, mb.index))))
rb, err := fs.prf([]byte(fmt.Sprintf("%s:%d", fs.cfg.Name, mb.index)))
if err != nil {
return nil, err
}
kek, err := chacha20poly1305.NewX(rb)
if err != nil {
return nil, err
}
@@ -4470,7 +4480,11 @@ func (fs *fileStore) ConsumerStore(name string, cfg *ConsumerConfig) (ConsumerSt
if o.prf != nil {
if ekey, err := ioutil.ReadFile(path.Join(odir, JetStreamMetaFileKey)); err == nil {
// Recover key encryption key.
kek, err := chacha20poly1305.NewX(fs.prf([]byte(fs.cfg.Name + tsep + o.name)))
rb, err := fs.prf([]byte(fs.cfg.Name + tsep + o.name))
if err != nil {
return nil, err
}
kek, err := chacha20poly1305.NewX(rb)
if err != nil {
return nil, err
}
20 changes: 14 additions & 6 deletions server/jetstream.go
@@ -183,17 +183,21 @@ func (s *Server) EnableJetStream(config *JetStreamConfig) error {
}

// Function signature to generate a key encryption key.
type keyGen func(context []byte) []byte
type keyGen func(context []byte) ([]byte, error)

// Return a key generation function or nil if encryption not enabled.
// keyGen defined in filestore.go - keyGen func(iv, context []byte) []byte
func (s *Server) jsKeyGen(info string) keyGen {
if ek := s.getOpts().JetStreamKey; ek != _EMPTY_ {
return func(context []byte) []byte {
return func(context []byte) ([]byte, error) {
h := hmac.New(sha256.New, []byte(ek))
h.Write([]byte(info))
h.Write(context)
return h.Sum(nil)
if _, err := h.Write([]byte(info)); err != nil {
return nil, err
}
if _, err := h.Write(context); err != nil {
return nil, err
}
return h.Sum(nil), nil
}
}
return nil
@@ -208,7 +212,11 @@ func (s *Server) decryptMeta(ekey, buf []byte, acc, context string) ([]byte, err
if prf == nil {
return nil, errNoEncryption
}
kek, err := chacha20poly1305.NewX(prf([]byte(context)))
rb, err := prf([]byte(context))
if err != nil {
return nil, err
}
kek, err := chacha20poly1305.NewX(rb)
if err != nil {
return nil, err
}
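Review bot: The comment above jsKeyGen is now wrong on both counts: keyGen is declared three lines earlier in this same file, not in filestore.go, and since this change it takes only `context` and returns `([]byte, error)`; replace it with `// jsKeyGen returns a keyGen deriving a key encryption key as HMAC-SHA256(JetStreamKey, info || context), or nil when no JetStreamKey is configured.` The new error checks around `h.Write` cannot fire, because the hash.Hash contract states that Write never returns an error, so the closure's error return is currently unexercised. Note also that info and context are concatenated with no separator, so distinct (info, context) pairs with the same concatenation derive the same KEK; changing that would re-key every existing store, so it is a caveat to document here rather than a fix for this commit. jsKeyGen's closing brace lies outside the hunk.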

0 comments on commit a5afa86