mirror of
https://github.com/grafana/grafana.git
synced 2024-12-26 00:41:20 -06:00
Fix decrypting secrets in alerting migration (#41061)
This commit is contained in:
parent
b9e0a41f5a
commit
ff086df3b5
@ -1,10 +1,12 @@
|
||||
package util
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
@ -12,12 +14,22 @@ import (
|
||||
"golang.org/x/crypto/pbkdf2"
|
||||
)
|
||||
|
||||
const saltLength = 8
|
||||
const (
|
||||
saltLength = 8
|
||||
aesCfb = "aes-cfb"
|
||||
aesGcm = "aes-gcm"
|
||||
encryptionAlgorithmDelimiter = '*'
|
||||
)
|
||||
|
||||
// Decrypt decrypts a payload with a given secret.
|
||||
// Deprecated. Do not use it.
|
||||
// Use encryption.Service instead.
|
||||
func Decrypt(payload []byte, secret string) ([]byte, error) {
|
||||
alg, payload, err := deriveEncryptionAlgorithm(payload)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if len(payload) < saltLength {
|
||||
return nil, fmt.Errorf("unable to compute salt")
|
||||
}
|
||||
@ -32,11 +44,60 @@ func Decrypt(payload []byte, secret string) ([]byte, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
switch alg {
|
||||
case aesGcm:
|
||||
return decryptGCM(block, payload)
|
||||
default:
|
||||
return decryptCFB(block, payload)
|
||||
}
|
||||
}
|
||||
|
||||
func deriveEncryptionAlgorithm(payload []byte) (string, []byte, error) {
|
||||
if len(payload) == 0 {
|
||||
return "", nil, fmt.Errorf("unable to derive encryption algorithm")
|
||||
}
|
||||
|
||||
if payload[0] != encryptionAlgorithmDelimiter {
|
||||
return aesCfb, payload, nil // backwards compatibility
|
||||
}
|
||||
|
||||
payload = payload[1:]
|
||||
algDelim := bytes.Index(payload, []byte{encryptionAlgorithmDelimiter})
|
||||
if algDelim == -1 {
|
||||
return aesCfb, payload, nil // backwards compatibility
|
||||
}
|
||||
|
||||
algB64 := payload[:algDelim]
|
||||
payload = payload[algDelim+1:]
|
||||
|
||||
alg := make([]byte, base64.RawStdEncoding.DecodedLen(len(algB64)))
|
||||
|
||||
_, err := base64.RawStdEncoding.Decode(alg, algB64)
|
||||
if err != nil {
|
||||
return "", nil, err
|
||||
}
|
||||
|
||||
return string(alg), payload, nil
|
||||
}
|
||||
|
||||
func decryptGCM(block cipher.Block, payload []byte) ([]byte, error) {
|
||||
gcm, err := cipher.NewGCM(block)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
nonce := payload[saltLength : saltLength+gcm.NonceSize()]
|
||||
ciphertext := payload[saltLength+gcm.NonceSize():]
|
||||
return gcm.Open(nil, nonce, ciphertext, nil)
|
||||
}
|
||||
|
||||
func decryptCFB(block cipher.Block, payload []byte) ([]byte, error) {
|
||||
// The IV needs to be unique, but not secure. Therefore it's common to
|
||||
// include it at the beginning of the ciphertext.
|
||||
if len(payload) < aes.BlockSize {
|
||||
return nil, errors.New("payload too short")
|
||||
}
|
||||
|
||||
iv := payload[saltLength : saltLength+aes.BlockSize]
|
||||
payload = payload[saltLength+aes.BlockSize:]
|
||||
payloadDst := make([]byte, len(payload))
|
||||
|
@ -32,6 +32,18 @@ func TestEncryption(t *testing.T) {
|
||||
_, err := Decrypt([]byte(""), "1234")
|
||||
require.Error(t, err)
|
||||
|
||||
assert.Equal(t, "unable to compute salt", err.Error())
|
||||
assert.Equal(t, "unable to derive encryption algorithm", err.Error())
|
||||
})
|
||||
|
||||
t.Run("decrypting secrets with algorithm metadata", func(t *testing.T) {
|
||||
// Slice of bytes that corresponds to the following legacy ciphertext:
|
||||
// - 'my very secret secret key' as a payload
|
||||
// - '1234' as a secret
|
||||
// - 'aes-cfb' as an encryption algorithm
|
||||
// Has algorithm prefix
|
||||
encrypted := []byte{0x2a, 0x59, 0x57, 0x56, 0x7a, 0x4c, 0x57, 0x4e, 0x6d, 0x59, 0x67, 0x2a, 0x7a, 0x35, 0x64, 0x57, 0x64, 0x37, 0x6b, 0x38, 0x77, 0x9a, 0xda, 0x7a, 0x1a, 0x24, 0x42, 0x22, 0x5f, 0x3d, 0x2e, 0xf, 0xd2, 0xad, 0x53, 0xa6, 0x69, 0x61, 0x5a, 0xe1, 0x9c, 0xc3, 0xda, 0x13, 0x80, 0xdc, 0x3e, 0x87, 0x49, 0xbf, 0xe7, 0x2d, 0xc1, 0x8f, 0x48, 0x26, 0x45, 0xe8, 0x1b, 0xe7, 0x51}
|
||||
decrypted, err := Decrypt(encrypted, "1234")
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "my very secret secret key", string(decrypted))
|
||||
})
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user