Fix decrypting secrets in alerting migration (#41061)

pkg/util/encryption.go

@@ -1,10 +1,12 @@
 package util
 
 import (
+	"bytes"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
 	"crypto/sha256"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
@@ -12,12 +14,22 @@ import (
 	"golang.org/x/crypto/pbkdf2"
 )
 
-const saltLength = 8
+const (
+	saltLength                   = 8
+	aesCfb                       = "aes-cfb"
+	aesGcm                       = "aes-gcm"
+	encryptionAlgorithmDelimiter = '*'
+)
 
 // Decrypt decrypts a payload with a given secret.
 // Deprecated. Do not use it.
 // Use encryption.Service instead.
 func Decrypt(payload []byte, secret string) ([]byte, error) {
+	alg, payload, err := deriveEncryptionAlgorithm(payload)
+	if err != nil {
+		return nil, err
+	}
+
 	if len(payload) < saltLength {
 		return nil, fmt.Errorf("unable to compute salt")
 	}
@@ -32,11 +44,60 @@ func Decrypt(payload []byte, secret string) ([]byte, error) {
 		return nil, err
 	}
 
+	switch alg {
+	case aesGcm:
+		return decryptGCM(block, payload)
+	default:
+		return decryptCFB(block, payload)
+	}
+}
+
+func deriveEncryptionAlgorithm(payload []byte) (string, []byte, error) {
+	if len(payload) == 0 {
+		return "", nil, fmt.Errorf("unable to derive encryption algorithm")
+	}
+
+	if payload[0] != encryptionAlgorithmDelimiter {
+		return aesCfb, payload, nil // backwards compatibility
+	}
+
+	payload = payload[1:]
+	algDelim := bytes.Index(payload, []byte{encryptionAlgorithmDelimiter})
+	if algDelim == -1 {
+		return aesCfb, payload, nil // backwards compatibility
+	}
+
+	algB64 := payload[:algDelim]
+	payload = payload[algDelim+1:]
+
+	alg := make([]byte, base64.RawStdEncoding.DecodedLen(len(algB64)))
+
+	_, err := base64.RawStdEncoding.Decode(alg, algB64)
+	if err != nil {
+		return "", nil, err
+	}
+
+	return string(alg), payload, nil
+}
+
+func decryptGCM(block cipher.Block, payload []byte) ([]byte, error) {
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := payload[saltLength : saltLength+gcm.NonceSize()]
+	ciphertext := payload[saltLength+gcm.NonceSize():]
+	return gcm.Open(nil, nonce, ciphertext, nil)
+}
+
+func decryptCFB(block cipher.Block, payload []byte) ([]byte, error) {
 	// The IV needs to be unique, but not secure. Therefore it's common to
 	// include it at the beginning of the ciphertext.
 	if len(payload) < aes.BlockSize {
 		return nil, errors.New("payload too short")
 	}
+
 	iv := payload[saltLength : saltLength+aes.BlockSize]
 	payload = payload[saltLength+aes.BlockSize:]
 	payloadDst := make([]byte, len(payload))

pkg/util/encryption_test.go

@@ -32,6 +32,18 @@ func TestEncryption(t *testing.T) {
 		_, err := Decrypt([]byte(""), "1234")
 		require.Error(t, err)
 
-		assert.Equal(t, "unable to compute salt", err.Error())
+		assert.Equal(t, "unable to derive encryption algorithm", err.Error())
+	})
+
+	t.Run("decrypting secrets with algorithm metadata", func(t *testing.T) {
+		// Slice of bytes that corresponds to the following legacy ciphertext:
+		// - 'my very secret secret key' as a payload
+		// - '1234' as a secret
+		// - 'aes-cfb' as an encryption algorithm
+		// Has algorithm prefix
+		encrypted := []byte{0x2a, 0x59, 0x57, 0x56, 0x7a, 0x4c, 0x57, 0x4e, 0x6d, 0x59, 0x67, 0x2a, 0x7a, 0x35, 0x64, 0x57, 0x64, 0x37, 0x6b, 0x38, 0x77, 0x9a, 0xda, 0x7a, 0x1a, 0x24, 0x42, 0x22, 0x5f, 0x3d, 0x2e, 0xf, 0xd2, 0xad, 0x53, 0xa6, 0x69, 0x61, 0x5a, 0xe1, 0x9c, 0xc3, 0xda, 0x13, 0x80, 0xdc, 0x3e, 0x87, 0x49, 0xbf, 0xe7, 0x2d, 0xc1, 0x8f, 0x48, 0x26, 0x45, 0xe8, 0x1b, 0xe7, 0x51}
+		decrypted, err := Decrypt(encrypted, "1234")
+		require.NoError(t, err)
+		assert.Equal(t, "my very secret secret key", string(decrypted))
 	})
 }