From 1c3baa07222f6435f54d1af95b4d469cc6dd3f58 Mon Sep 17 00:00:00 2001
From: Humble Chirammal
Date: Mon, 7 Feb 2022 19:28:11 +0530
Subject: [PATCH] rbd: add AAD(additionalAuthData) while unwrapping the DEK

As we are using optional additional auth data while wrapping the DEK, we have to send the same additionally while unwrapping.

Error:
```
failed to unwrap the DEK: kp.Error: ..(INVALID_FIELD_ERR)', reasons='[INVALID_FIELD_ERR: The field `ciphertext` must be: the original base64 encoded ciphertext from the wrap operation
```

Signed-off-by: Humble Chirammal
---
 internal/kms/keyprotect.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/kms/keyprotect.go b/internal/kms/keyprotect.go
index 5982dc5d8..bb6c02493 100644
--- a/internal/kms/keyprotect.go
+++ b/internal/kms/keyprotect.go
@@ -251,7 +251,8 @@ func (kms *keyProtectKMS) DecryptDEK(volumeID, encryptedDEK string) (string, err
 err)
 }

- result, err := kms.client.Unwrap(context.TODO(), kms.customerRootKey, ciphertextBlob, nil)
+ aadVolID := []string{volumeID}
+ result, err := kms.client.Unwrap(context.TODO(), kms.customerRootKey, ciphertextBlob, &aadVolID)
 if err != nil {
 return "", fmt.Errorf("failed to unwrap the DEK: %w", err)
 }
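Review bot: The AAD slice is built inline in DecryptDEK (`aadVolID := []string{volumeID}`), so nothing in the code ties it to the value used on the wrap side, which is the kind of mismatch this commit repairs. EncryptDEK is not in this hunk; presumably it builds the same single-element slice, and sharing one small helper between both paths would keep them from drifting again. It is also worth confirming that no DEK was ever stored wrapped without AAD, because such a DEK would stop unwrapping once AAD is always sent. I would add a comment above the new line, e.g. `// AAD must equal the value supplied at wrap time; it binds the wrapped DEK to this volume ID.` DecryptDEK begins and ends outside the hunk.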