fix(crypto): fix a data race in ECDSAService EE-6502 (#561)

andres-portainer · web-flow · commit d402002e607c · 2024-01-02T18:01:54.000-03:00
diff --git a/crypto/ecdsa.go b/crypto/ecdsa.go
@@ -7,6 +7,7 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"math/big"
+	"sync"
 
 	"github.com/portainer/agent"
 )
@@ -16,6 +17,7 @@ import (
 type ECDSAService struct {
 	publicKey *ecdsa.PublicKey
 	secret    string
+	mu        sync.Mutex
 }
 
 // NewECDSAService returns a pointer to a ECDSAService.
@@ -29,6 +31,9 @@ func NewECDSAService(secret string) *ECDSAService {
 // IsAssociated tells if the service is associated with a public key
 // or if it's secured behind  a secret
 func (service *ECDSAService) IsAssociated() bool {
+	service.mu.Lock()
+	defer service.mu.Unlock()
+
 	return service.publicKey != nil || service.secret != ""
 }
 
@@ -53,6 +58,9 @@ func (service *ECDSAService) VerifySignature(signature, key string) (bool, error
 }
 
 func (service *ECDSAService) decodeAndParsePublicKey(key string) (*ecdsa.PublicKey, error) {
+	service.mu.Lock()
+	defer service.mu.Unlock()
+
 	if service.publicKey != nil {
 		return service.publicKey, nil
 	}

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`	`"encoding/base64"`
`8`	`8`	`"encoding/hex"`
`9`	`9`	`"math/big"`
	`10`	`+ "sync"`
`10`	`11`
`11`	`12`	`"github.com/portainer/agent"`
`12`	`13`	`)`
`@@ -16,6 +17,7 @@ import (`
`16`	`17`	`type ECDSAService struct {`
`17`	`18`	`publicKey *ecdsa.PublicKey`
`18`	`19`	`secret string`
	`20`	`+ mu sync.Mutex`
`19`	`21`	`}`
`20`	`22`
`21`	`23`	`// NewECDSAService returns a pointer to a ECDSAService.`
`@@ -29,6 +31,9 @@ func NewECDSAService(secret string) *ECDSAService {`
`29`	`31`	`// IsAssociated tells if the service is associated with a public key`
`30`	`32`	`// or if it's secured behind a secret`
`31`	`33`	`func (service *ECDSAService) IsAssociated() bool {`
	`34`	`+ service.mu.Lock()`
	`35`	`+ defer service.mu.Unlock()`
	`36`	`+`
`32`	`37`	`return service.publicKey != nil \|\| service.secret != ""`
`33`	`38`	`}`
`34`	`39`
`@@ -53,6 +58,9 @@ func (service *ECDSAService) VerifySignature(signature, key string) (bool, error`
`53`	`58`	`}`
`54`	`59`
`55`	`60`	`func (service ECDSAService) decodeAndParsePublicKey(key string) (ecdsa.PublicKey, error) {`
	`61`	`+ service.mu.Lock()`
	`62`	`+ defer service.mu.Unlock()`
	`63`	`+`
`56`	`64`	`if service.publicKey != nil {`
`57`	`65`	`return service.publicKey, nil`
`58`	`66`	`}`