From 703897b242330656285fe48556fa143a30a2208a Mon Sep 17 00:00:00 2001 From: Victor Rodriguez Date: Mon, 9 Dec 2024 14:50:22 +0100 Subject: [PATCH] Fix decryption of raft bootstrap challenge in multi-seal scenarios. (#29117) --- changelog/29117.txt | 3 +++ vault/core.go | 3 ++- vault/raft.go | 24 +++++++----------------- 3 files changed, 12 insertions(+), 18 deletions(-) create mode 100644 changelog/29117.txt diff --git a/changelog/29117.txt b/changelog/29117.txt new file mode 100644 index 000000000000..cd12b03551b6 --- /dev/null +++ b/changelog/29117.txt @@ -0,0 +1,3 @@ +```release-note:bug +core/seal (enterprise): Fix decryption of the raft bootstrap challenge when using seal high availability. +``` diff --git a/vault/core.go b/vault/core.go index d9e7ad62de50..fd9ac93126aa 100644 --- a/vault/core.go +++ b/vault/core.go @@ -234,7 +234,8 @@ type unlockInformation struct { } type raftInformation struct { - challenge *wrapping.BlobInfo + // challenge is in ciphertext + challenge []byte leaderClient *api.Client leaderBarrierConfig *SealConfig nonVoter bool diff --git a/vault/raft.go b/vault/raft.go index cfffcf10196a..bf8f223afc02 100644 --- a/vault/raft.go +++ b/vault/raft.go @@ -16,12 +16,10 @@ import ( "sync/atomic" "time" - "github.com/golang/protobuf/proto" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-discover" discoverk8s "github.com/hashicorp/go-discover/provider/k8s" "github.com/hashicorp/go-hclog" - wrapping "github.com/hashicorp/go-kms-wrapping/v2" "github.com/hashicorp/go-secure-stdlib/tlsutil" "github.com/hashicorp/go-uuid" goversion "github.com/hashicorp/go-version" @@ -1029,13 +1027,8 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err) } - eBlob := &wrapping.BlobInfo{} - if err := proto.Unmarshal(challengeRaw, eBlob); err != nil { - return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err) - } - return &raftInformation{ - challenge: eBlob, + challenge: challengeRaw, leaderClient: apiClient, leaderBarrierConfig: &sealConfig, }, nil @@ -1353,15 +1346,6 @@ func (c *Core) joinRaftSendAnswer(ctx context.Context, sealAccess seal.Access, r return errors.New("raft is already initialized") } - multiWrapValue := &seal.MultiWrapValue{ - Generation: sealAccess.Generation(), - Slots: []*wrapping.BlobInfo{raftInfo.challenge}, - } - plaintext, _, err := sealAccess.Decrypt(ctx, multiWrapValue, nil) - if err != nil { - return fmt.Errorf("error decrypting challenge: %w", err) - } - parsedClusterAddr, err := url.Parse(c.ClusterAddr()) if err != nil { return fmt.Errorf("error parsing cluster address: %w", err) @@ -1377,6 +1361,12 @@ func (c *Core) joinRaftSendAnswer(ctx context.Context, sealAccess seal.Access, r } } + sealer := NewSealAccessSealer(sealAccess, c.logger, "bootstrap_challenge_read") + plaintext, err := sealer.Open(context.Background(), raftInfo.challenge) + if err != nil { + return fmt.Errorf("error decrypting challenge: %w", err) + } + answerReq := raftInfo.leaderClient.NewRequest("PUT", "/v1/sys/storage/raft/bootstrap/answer") if err := answerReq.SetJSONBody(map[string]interface{}{ "answer": base64.StdEncoding.EncodeToString(plaintext),