vault: Improve error when unseal key is wrong

2015-03-12 11:27:32 -07:00 · 2015-03-12 11:27:32 -07:00 · 3ed3e23d93
parent 319500748a
commit 3ed3e23d93
3 changed files with 20 additions and 0 deletions
--- a/vault/barrier.go
+++ b/vault/barrier.go
@ -14,6 +14,9 @@ var (
 	// ErrBarrierNotInit is returned if a non-initialized barrier
 	// is attempted to be unsealed.
 	ErrBarrierNotInit = errors.New("Vault is not initialized")
+
+	// ErrBarrierInvalidKey is returned if the Unseal key is invalid
+	ErrBarrierInvalidKey = errors.New("Unseal failed, invalid key")
 )

 const (
--- a/vault/barrier_aes_gcm.go
+++ b/vault/barrier_aes_gcm.go
@ -6,6 +6,7 @@ import (
 	"crypto/rand"
 	"encoding/json"
 	"fmt"
+	"strings"
 	"sync"

 	"github.com/hashicorp/vault/physical"
@ -163,6 +164,9 @@ func (b *AESGCMBarrier) Unseal(key []byte) error {
 	// Decrypt the barrier init key
 	plain, err := b.decrypt(gcm, out.Value)
 	if err != nil {
+		if strings.Contains(err.Error(), "message authentication failed") {
+			return ErrBarrierInvalidKey
+		}
 		return err
 	}
 	defer memzero(plain)
--- a/vault/barrier_test.go
+++ b/vault/barrier_test.go
@ -219,4 +219,17 @@ func testBarrier(t *testing.T, b SecurityBarrier) {
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
+
+	// Reseal should prevent any updates
+	if err := b.Seal(); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Modify the key
+	key[0]++
+
+	// Unseal should fail
+	if err := b.Unseal(key); err != ErrBarrierInvalidKey {
+		t.Fatalf("err: %v", err)
+	}
 }