Exit if loading an invalid identity from disk (#2058)

* Exit if loading an invalid identity from disk Previously, if an invalid identity was loaded from disk, ZeroTier would generate a new identity & chug along and generate a brand new identity as if nothing happened. When running in containers, this introduces the possibility for key matter loss; especially when running in containers where the identity files are mounted in the container read only. In this case, ZT will continue chugging along with a brand new identity with no possibility of recovering the private key. ZeroTier should exit upon loading of invalid identity.public/identity.secret #2056 * add validation test for #2056
2025-08-21 05:43:59 -07:00 · 2023-07-18 14:10:31 -04:00 · 2023-07-18 14:10:31 -04:00 · 5a36b315a3
commit 5a36b315a3
parent b67cd2cf7a
5 changed files with 95 additions and 5 deletions
--- a/.github/workflows/report.sh
+++ b/.github/workflows/report.sh
@ -13,3 +13,9 @@ echo -e "\nBytes of memory definitely lost: $DEFINITELY_LOST"
 if [[ "$DEFINITELY_LOST" -gt 0 ]]; then
      exit 1
 fi
+
+EXIT_TEST_FAILED=$(cat *test-results/*summary.json | jq .exit_test_failed)
+
+if [[ "$EXIT_TEST_FAILED" -gt 0 ]]; then
+      exit 1
+fi
--- a/.github/workflows/validate-1m-linux.sh
+++ b/.github/workflows/validate-1m-linux.sh
@ -9,6 +9,8 @@ ZTO_VER=$(git describe --tags $(git rev-list --tags --max-count=1))
 ZTO_COMMIT=$(git rev-parse HEAD)
 ZTO_COMMIT_SHORT=$(git rev-parse --short HEAD)
 TEST_DIR_PREFIX="$ZTO_VER-$ZTO_COMMIT_SHORT-test-results"
+EXIT_TEST_FAILED=0
+
 echo "Performing test on: $ZTO_VER-$ZTO_COMMIT_SHORT"
 TEST_FILEPATH_PREFIX="$TEST_DIR_PREFIX/$ZTO_COMMIT_SHORT"
 mkdir $TEST_DIR_PREFIX
@ -18,6 +20,9 @@ mkdir $TEST_DIR_PREFIX
 ################################################################################
 main() {
 	echo -e "\nRunning test for $RUN_LENGTH seconds"
+
+	check_exit_on_invalid_identity
+
 	NS1="ip netns exec ns1"
 	NS2="ip netns exec ns2"

@ -390,7 +395,8 @@ main() {
  "mean_latency_ping_netns": $POSSIBLY_LOST,
  "mean_pdv_random": $POSSIBLY_LOST,
  "mean_pdv_netns": $POSSIBLY_LOST,
-  "mean_perf_netns": $POSSIBLY_LOST
+  "mean_perf_netns": $POSSIBLY_LOST,
+  "exit_test_failed": $EXIT_TEST_FAILED
 }
 EOF
 	)
@ -431,4 +437,28 @@ spam_cli() {
 	done
 }

+check_exit_on_invalid_identity() {
+	echo "Checking ZeroTier exits on invalid identity..."
+	mkdir -p $(pwd)/exit_test
+	ZT1="sudo ./zerotier-one -p9999 $(pwd)/exit_test"
+	echo "asdfasdfasdfasdf" > $(pwd)/exit_test/identity.secret
+	echo "asdfasdfasdfasdf" > $(pwd)/exit_test/authtoken.secret
+
+	echo "Launch ZeroTier with an invalid identity"
+	$ZT1 &
+	my_pid=$!
+
+	echo "Waiting 5 secons"
+	sleep 5
+
+	# check if process is running
+	kill -0 $my_pid
+	if [ $? -eq 0 ]; then
+		EXIT_TEST_FAILED=1
+		echo "Exit test FAILED: Process still running after being fed an invalid identity"
+	else
+		echo "Exit test PASSED"
+	fi
+}
+
 main "$@"