vault: Improve error when unseal key is wrong

vault/barrier.go

@@ -14,6 +14,9 @@ var (
 	// ErrBarrierNotInit is returned if a non-initialized barrier
 	// is attempted to be unsealed.
 	ErrBarrierNotInit = errors.New("Vault is not initialized")
+
+	// ErrBarrierInvalidKey is returned if the Unseal key is invalid
+	ErrBarrierInvalidKey = errors.New("Unseal failed, invalid key")
 )
 
 const (

vault/barrier_aes_gcm.go

@@ -6,6 +6,7 @@ import (
 	"crypto/rand"
 	"encoding/json"
 	"fmt"
+	"strings"
 	"sync"
 
 	"github.com/hashicorp/vault/physical"
@@ -163,6 +164,9 @@ func (b *AESGCMBarrier) Unseal(key []byte) error {
 	// Decrypt the barrier init key
 	plain, err := b.decrypt(gcm, out.Value)
 	if err != nil {
+		if strings.Contains(err.Error(), "message authentication failed") {
+			return ErrBarrierInvalidKey
+		}
 		return err
 	}
 	defer memzero(plain)

vault/barrier_test.go

@@ -219,4 +219,17 @@ func testBarrier(t *testing.T, b SecurityBarrier) {
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
+
+	// Reseal should prevent any updates
+	if err := b.Seal(); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Modify the key
+	key[0]++
+
+	// Unseal should fail
+	if err := b.Unseal(key); err != ErrBarrierInvalidKey {
+		t.Fatalf("err: %v", err)
+	}
 }