keyring: Fix a panic when decrypting aead with empty RSA block. #24383
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tgross
approved these changes
Nov 7, 2024
There was a problem hiding this comment.
Assuming the file itself hasn't been corrupted on-disk, this case is supposed to be protected against by the block above where you've made a change. Older KEK wrapper versions with AEAD-only have the DEK ciphertext in a different field, and we're supposed to be restoring them here.
My hunch would be that there's an issue with those older keys. But unfortunately I tested this out with Nomad 1.4 and did a single-node upgrade to tip and didn't run into any problems.
For the time being, let's get this merged in because it'll prevent a panic.
Clusters that have gone through several upgrades have be found to include keyring material which has an empty RSA block. In more recent versions of Nomad, an empty RSA block is omitted from being written to disk. This results in the panic not being present. Older versions, however, did not have this struct tag meaning we wrote an empty JSON block which is not accounted for in the current version.
jrasell
changed the title
jrasell
added
backport/ent/1.8.x+ent
tgross
approved these changes
Nov 7, 2024
6 tasks
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes: #24379
The code path exists in 1.9 and 1.8, so backporting to both even though reports suggest this is only occurring on 1.9.0+.
Clusters that have gone through several upgrades have be found to
include keyring material which has an empty RSA block.
In more recent versions of Nomad, an empty RSA block is omitted
from being written to disk. This results in the panic not being
present. Older versions, however, did not have this struct tag
meaning we wrote an empty JSON block which is not accounted for
in the current version.