From 6b8316d510f771629325e0afba0de33c508b0ce9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20L=C3=B3pez=20de=20la=20Franca=20Beltran?= <5459617+joanlopez@users.noreply.github.com>
Date: Thu, 4 Aug 2022 09:37:53 +0200
Subject: [PATCH] Encryption: Fall back to AES-CFB on empty algorithm metadata (#53266)
---
 pkg/services/encryption/service/service.go | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/pkg/services/encryption/service/service.go b/pkg/services/encryption/service/service.go
index 7a8d3709677..59f96889f7d 100644
--- a/pkg/services/encryption/service/service.go
+++ b/pkg/services/encryption/service/service.go
@@ -108,7 +108,7 @@ func (s *Service) Decrypt(ctx context.Context, payload []byte, secret string) ([
 		algorithm string
 		toDecrypt []byte
 	)
-	algorithm, toDecrypt, err = deriveEncryptionAlgorithm(payload)
+	algorithm, toDecrypt, err = s.deriveEncryptionAlgorithm(payload)
 	if err != nil {
 		return nil, err
 	}
@@ -125,7 +125,7 @@ func (s *Service) Decrypt(ctx context.Context, payload []byte, secret string) ([
 	return decrypted, err
 }
-func deriveEncryptionAlgorithm(payload []byte) (string, []byte, error) {
+func (s *Service) deriveEncryptionAlgorithm(payload []byte) (string, []byte, error) {
 	if len(payload) == 0 {
 		return "", nil, fmt.Errorf("unable to derive encryption algorithm")
 	}
@@ -150,6 +150,19 @@ func deriveEncryptionAlgorithm(payload []byte) (string, []byte, error) {
 		return "", nil, err
 	}
+	// For historical reasons, I guess a bug introduced in the past,
+	// the algorithm metadata could be missing at this point.
+	//
+	// Until now, it hasn't failed because we're used to fall back
+	// to the default encryption algorithm.
+	//
+	// Therefore, we want to keep doing the same to be able to
+	// decrypt legacy secrets.
+	if string(algorithm) == "" {
+		s.log.Warn("Encryption algorithm derivation found an empty string", "error", err)
+		return encryption.AesCfb, payload, nil
+	}
 	return string(algorithm), payload, nil
 }
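Review bot: The `"error", err` pair in the new `s.log.Warn` call in the third hunk always logs a nil value, because the `if err != nil { return "", nil, err }` directly above it has already returned on any error, so the field is noise that will confuse whoever reads the log. Drop it and log what the fallback actually does, e.g. `s.log.Warn("Encryption algorithm metadata is empty, falling back to AES-CFB for legacy payload", "payloadLength", len(payload))`, keeping the payload itself out of the log. Since this branch widens the set of payload encodings Decrypt accepts, it should be tracked for removal (a metric on how often it fires, or a TODO in the comment) so legacy secrets can be re-encrypted with explicit metadata and the fallback retired rather than becoming a permanent second format. The comment's "I guess a bug introduced in the past" should be replaced with the concrete cause or a reference to the issue that tracks it. The enclosing deriveEncryptionAlgorithm body begins outside this hunk, so where `algorithm` is decoded is not visible here.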