Skip to content

Commit

Permalink
Fix decryption of raft bootstrap challenge in multi-seal scenarios. (#…
Browse files Browse the repository at this point in the history
  • Loading branch information
victorr authored Dec 9, 2024
1 parent 7d26c54 commit 703897b
Show file tree
Hide file tree
Showing 3 changed files with 12 additions and 18 deletions.
3 changes: 3 additions & 0 deletions changelog/29117.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
core/seal (enterprise): Fix decryption of the raft bootstrap challenge when using seal high availability.
```
3 changes: 2 additions & 1 deletion vault/core.go
Original file line number Diff line number Diff line change
Expand Up @@ -234,7 +234,8 @@ type unlockInformation struct {
}

type raftInformation struct {
challenge *wrapping.BlobInfo
// challenge is in ciphertext
challenge []byte
leaderClient *api.Client
leaderBarrierConfig *SealConfig
nonVoter bool
Expand Down
24 changes: 7 additions & 17 deletions vault/raft.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,10 @@ import (
"sync/atomic"
"time"

"github.com/golang/protobuf/proto"
"github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/go-discover"
discoverk8s "github.com/hashicorp/go-discover/provider/k8s"
"github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-secure-stdlib/tlsutil"
"github.com/hashicorp/go-uuid"
goversion "github.com/hashicorp/go-version"
Expand Down Expand Up @@ -1029,13 +1027,8 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati
return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err)
}

eBlob := &wrapping.BlobInfo{}
if err := proto.Unmarshal(challengeRaw, eBlob); err != nil {
return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err)
}

return &raftInformation{
challenge: eBlob,
challenge: challengeRaw,
leaderClient: apiClient,
leaderBarrierConfig: &sealConfig,
}, nil
Expand Down Expand Up @@ -1353,15 +1346,6 @@ func (c *Core) joinRaftSendAnswer(ctx context.Context, sealAccess seal.Access, r
return errors.New("raft is already initialized")
}

multiWrapValue := &seal.MultiWrapValue{
Generation: sealAccess.Generation(),
Slots: []*wrapping.BlobInfo{raftInfo.challenge},
}
plaintext, _, err := sealAccess.Decrypt(ctx, multiWrapValue, nil)
if err != nil {
return fmt.Errorf("error decrypting challenge: %w", err)
}

parsedClusterAddr, err := url.Parse(c.ClusterAddr())
if err != nil {
return fmt.Errorf("error parsing cluster address: %w", err)
Expand All @@ -1377,6 +1361,12 @@ func (c *Core) joinRaftSendAnswer(ctx context.Context, sealAccess seal.Access, r
}
}

sealer := NewSealAccessSealer(sealAccess, c.logger, "bootstrap_challenge_read")
plaintext, err := sealer.Open(context.Background(), raftInfo.challenge)
if err != nil {
return fmt.Errorf("error decrypting challenge: %w", err)
}

answerReq := raftInfo.leaderClient.NewRequest("PUT", "/v1/sys/storage/raft/bootstrap/answer")
if err := answerReq.SetJSONBody(map[string]interface{}{
"answer": base64.StdEncoding.EncodeToString(plaintext),
Expand Down

0 comments on commit 703897b

Please sign in to comment.