diff --git a/security/vault.go b/security/vault.go index 73f76aba..7274e22a 100644 --- a/security/vault.go +++ b/security/vault.go @@ -18,7 +18,9 @@ import ( ) const ( - vaultName = ".gaia_vault" + vaultName = ".gaia_vault" + secretCheckKey = "GAIA_CHECK_SECRET" + secretCheckValue = "!CHECK_ME!" ) // VaultAPI defines a set of apis that a Vault must provide in order to be a Gaia Vault. @@ -190,6 +192,8 @@ func (v *Vault) encrypt(data []byte) (string, error) { // User has deleted all the secrets. the file will be empty. return "", nil } + secretCheck := fmt.Sprintf("\n%s=%s", secretCheckKey, secretCheckValue) + data = append(data, []byte(secretCheck)...) paddedPassword := v.pad(v.cert) ci := base64.URLEncoding.EncodeToString(paddedPassword) block, err := aes.NewCipher([]byte(ci[:aes.BlockSize])) @@ -241,6 +245,10 @@ func (v *Vault) decrypt(data []byte) ([]byte, error) { if err != nil { return []byte{}, err } + + if !bytes.Contains(unpadMsg, []byte(secretCheckValue)) { + return []byte{}, errors.New("possible mistyped password") + } return unpadMsg, nil } @@ -253,11 +261,8 @@ func (v *Vault) parseToMap(data []byte) error { row := bytes.Split(data, []byte("\n")) for _, r := range row { d := bytes.Split(r, []byte("=")) - if len(d) < 2 { - // It is possible that if there is a password failure it's not caught - // by the padding process. Here it will be caught because we can't - // marshal the data into proper k/v pairs. - return errors.New("possible mistyped password") + if bytes.Equal(d[0], []byte(secretCheckKey)) { + continue } v.data[string(d[0])] = d[1] } diff --git a/security/vault_test.go b/security/vault_test.go index e3a60522..87d3547c 100644 --- a/security/vault_test.go +++ b/security/vault_test.go @@ -138,7 +138,7 @@ func TestCloseLoadSecretsWithInvalidPassword(t *testing.T) { t.Fatal(err) } v.data = make(map[string][]byte, 0) - v.cert = []byte("invalid") + v.cert = []byte("tset") err = v.LoadSecrets() if err == nil { t.Fatal("error should not have been nil.")