/ *
* Minio Cloud Storage , ( C ) 2017 Minio , Inc .
*
* Licensed under the Apache License , Version 2.0 ( the "License" ) ;
* you may not use this file except in compliance with the License .
* You may obtain a copy of the License at
*
* http : //www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing , software
* distributed under the License is distributed on an "AS IS" BASIS ,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND , either express or implied .
* See the License for the specific language governing permissions and
* limitations under the License .
* /
package cmd
import (
"bytes"
"crypto/md5"
"crypto/rand"
"encoding/base64"
"errors"
"io"
"net/http"
sha256 "github.com/minio/sha256-simd"
"github.com/minio/sio"
)
var (
// AWS errors for invalid SSE-C requests.
errInsecureSSERequest = errors . New ( "Requests specifying Server Side Encryption with Customer provided keys must be made over a secure connection" )
errEncryptedObject = errors . New ( "The object was stored using a form of Server Side Encryption. The correct parameters must be provided to retrieve the object" )
errInvalidSSEAlgorithm = errors . New ( "Requests specifying Server Side Encryption with Customer provided keys must provide a valid encryption algorithm" )
errMissingSSEKey = errors . New ( "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key" )
errInvalidSSEKey = errors . New ( "The secret key was invalid for the specified algorithm" )
errMissingSSEKeyMD5 = errors . New ( "Requests specifying Server Side Encryption with Customer provided keys must provide the client calculated MD5 of the secret key" )
errSSEKeyMD5Mismatch = errors . New ( "The calculated MD5 hash of the key did not match the hash that was provided" )
errSSEKeyMismatch = errors . New ( "The client provided key does not match the key provided when the object was encrypted" ) // this msg is not shown to the client
// Additional Minio errors for SSE-C requests.
errObjectTampered = errors . New ( "The requested object was modified and may be compromised" )
)
const (
// SSECustomerAlgorithm is the AWS SSE-C algorithm HTTP header key.
SSECustomerAlgorithm = "X-Amz-Server-Side-Encryption-Customer-Algorithm"
// SSECustomerKey is the AWS SSE-C encryption key HTTP header key.
SSECustomerKey = "X-Amz-Server-Side-Encryption-Customer-Key"
// SSECustomerKeyMD5 is the AWS SSE-C encryption key MD5 HTTP header key.
SSECustomerKeyMD5 = "X-Amz-Server-Side-Encryption-Customer-Key-MD5"
)
const (
// SSECustomerKeySize is the size of valid client provided encryption keys in bytes.
// Currently AWS supports only AES256. So the SSE-C key size is fixed to 32 bytes.
SSECustomerKeySize = 32
// SSECustomerAlgorithmAES256 the only valid S3 SSE-C encryption algorithm identifier.
SSECustomerAlgorithmAES256 = "AES256"
)
// SSE-C key derivation, key verification and key update:
// H: Hash function [32 = |H(m)|]
// AE: authenticated encryption scheme, AD: authenticated decryption scheme [m = AD(k, AE(k, m))]
//
// Key derivation:
// Input:
// key := 32 bytes # client provided key
// Re, Rm := 32 bytes, 32 bytes # uniformly random
//
// Seal:
// k := H(key || Re) # object encryption key
// r := H(Rm) # save as object metadata [ServerSideEncryptionIV]
// KeK := H(key || r) # key encryption key
// K := AE(KeK, k) # save as object metadata [ServerSideEncryptionSealedKey]
// ------------------------------------------------------------------------------------------------
// Key verification:
// Input:
// key := 32 bytes # client provided key
// r := 32 bytes # object metadata [ServerSideEncryptionIV]
// K := 32 bytes # object metadata [ServerSideEncryptionSealedKey]
//
// Open:
// KeK := H(key || r) # key encryption key
// k := AD(Kek, K) # object encryption key
// -------------------------------------------------------------------------------------------------
// Key update:
// Input:
// key := 32 bytes # old client provided key
// key' := 32 bytes # new client provided key
// Rm := 32 bytes # uniformly random
// r := 32 bytes # object metadata [ServerSideEncryptionIV]
// K := 32 bytes # object metadata [ServerSideEncryptionSealedKey]
//
// Update:
// 1. open:
// KeK := H(key || r) # key encryption key
// k := AD(Kek, K) # object encryption key
// 2. seal:
// r' := H(Rm) # save as object metadata [ServerSideEncryptionIV]
// KeK' := H(key' || r') # new key encryption key
// K' := AE(KeK', k) # save as object metadata [ServerSideEncryptionSealedKey]
const (
// ServerSideEncryptionIV is a 32 byte randomly generated IV used to derive an
// unique key encryption key from the client provided key. The combination of this value
// and the client-provided key MUST be unique.
ServerSideEncryptionIV = ReservedMetadataPrefix + "Server-Side-Encryption-Iv"
// ServerSideEncryptionSealAlgorithm identifies a combination of a cryptographic hash function and
// an authenticated en/decryption scheme to seal the object encryption key.
ServerSideEncryptionSealAlgorithm = ReservedMetadataPrefix + "Server-Side-Encryption-Seal-Algorithm"
// ServerSideEncryptionSealedKey is the sealed object encryption key. The sealed key can be decrypted
// by the key encryption key derived from the client provided key and the server-side-encryption IV.
ServerSideEncryptionSealedKey = ReservedMetadataPrefix + "Server-Side-Encryption-Sealed-Key"
)
// SSESealAlgorithmDareSha256 specifies DARE as authenticated en/decryption scheme and SHA256 as cryptographic
// hash function.
const SSESealAlgorithmDareSha256 = "DARE-SHA256"
// IsSSECustomerRequest returns true if the given HTTP header
// contains server-side-encryption with customer provided key fields.
func IsSSECustomerRequest ( header http . Header ) bool {
return header . Get ( SSECustomerAlgorithm ) != "" || header . Get ( SSECustomerKey ) != "" || header . Get ( SSECustomerKeyMD5 ) != ""
}
// ParseSSECustomerRequest parses the SSE-C header fields of the provided request.
// It returns the client provided key on success.
func ParseSSECustomerRequest ( r * http . Request ) ( key [ ] byte , err error ) {
if ! globalIsSSL { // minio only supports HTTP or HTTPS requests not both at the same time
// we cannot use r.TLS == nil here because Go's http implementation reflects on
// the net.Conn and sets the TLS field of http.Request only if it's an tls.Conn.
// Minio uses a BufConn (wrapping a tls.Conn) so the type check within the http package
// will always fail -> r.TLS is always nil even for TLS requests.
return nil , errInsecureSSERequest
}
header := r . Header
if algorithm := header . Get ( SSECustomerAlgorithm ) ; algorithm != SSECustomerAlgorithmAES256 {
return nil , errInvalidSSEAlgorithm
}
if header . Get ( SSECustomerKey ) == "" {
return nil , errMissingSSEKey
}
if header . Get ( SSECustomerKeyMD5 ) == "" {
return nil , errMissingSSEKeyMD5
}
key , err = base64 . StdEncoding . DecodeString ( header . Get ( SSECustomerKey ) )
if err != nil {
return nil , errInvalidSSEKey
}
header . Del ( SSECustomerKey ) // make sure we do not save the key by accident
if len ( key ) != SSECustomerKeySize {
return nil , errInvalidSSEKey
}
keyMD5 , err := base64 . StdEncoding . DecodeString ( header . Get ( SSECustomerKeyMD5 ) )
if err != nil {
return nil , errSSEKeyMD5Mismatch
}
if md5Sum := md5 . Sum ( key ) ; ! bytes . Equal ( md5Sum [ : ] , keyMD5 ) {
return nil , errSSEKeyMD5Mismatch
}
return key , nil
}
// EncryptRequest takes the client provided content and encrypts the data
// with the client provided key. It also marks the object as client-side-encrypted
// and sets the correct headers.
func EncryptRequest ( content io . Reader , r * http . Request , metadata map [ string ] string ) ( io . Reader , error ) {
key , err := ParseSSECustomerRequest ( r )
if err != nil {
return nil , err
}
delete ( metadata , SSECustomerKey ) // make sure we do not save the key by accident
// security notice:
// - If the first 32 bytes of the random value are ever repeated under the same client-provided
// key the encrypted object will not be tamper-proof. [ P(coll) ~= 1 / 2^(256 / 2)]
// - If the last 32 bytes of the random value are ever repeated under the same client-provided
// key an adversary may be able to extract the object encryption key. This depends on the
// authenticated en/decryption scheme. The DARE format will generate an 8 byte nonce which must
// be repeated in addition to reveal the object encryption key.
// [ P(coll) ~= 1 / 2^((256 + 64) / 2) ]
nonce := make ( [ ] byte , 64 ) // generate random values for key derivation
if _ , err = io . ReadFull ( rand . Reader , nonce ) ; err != nil {
return nil , err
}
sha := sha256 . New ( ) // derive object encryption key
sha . Write ( key )
sha . Write ( nonce [ : 32 ] )
objectEncryptionKey := sha . Sum ( nil )
iv := sha256 . Sum256 ( nonce [ 32 : ] ) // derive key encryption key
sha = sha256 . New ( )
sha . Write ( key )
sha . Write ( iv [ : ] )
keyEncryptionKey := sha . Sum ( nil )
sealedKey := bytes . NewBuffer ( nil ) // sealedKey := 16 byte header + 32 byte payload + 16 byte tag
n , err := sio . Encrypt ( sealedKey , bytes . NewReader ( objectEncryptionKey ) , sio . Config {
Key : keyEncryptionKey ,
} )
if n != 64 || err != nil {
return nil , errors . New ( "failed to seal object encryption key" ) // if this happens there's a bug in the code (may panic ?)
}
reader , err := sio . EncryptReader ( content , sio . Config { Key : objectEncryptionKey } )
if err != nil {
return nil , errInvalidSSEKey
}
metadata [ ServerSideEncryptionIV ] = base64 . StdEncoding . EncodeToString ( iv [ : ] )
metadata [ ServerSideEncryptionSealAlgorithm ] = SSESealAlgorithmDareSha256
metadata [ ServerSideEncryptionSealedKey ] = base64 . StdEncoding . EncodeToString ( sealedKey . Bytes ( ) )
return reader , nil
}
// DecryptRequest decrypts the object with the client provided key. It also removes
// the client-side-encryption metadata from the object and sets the correct headers.
func DecryptRequest ( client io . Writer , r * http . Request , metadata map [ string ] string ) ( io . WriteCloser , error ) {
key , err := ParseSSECustomerRequest ( r )
if err != nil {
return nil , err
}
delete ( metadata , SSECustomerKey ) // make sure we do not save the key by accident
if metadata [ ServerSideEncryptionSealAlgorithm ] != SSESealAlgorithmDareSha256 { // currently DARE-SHA256 is the only option
return nil , errObjectTampered
}
iv , err := base64 . StdEncoding . DecodeString ( metadata [ ServerSideEncryptionIV ] )
if err != nil || len ( iv ) != 32 {
return nil , errObjectTampered
}
sealedKey , err := base64 . StdEncoding . DecodeString ( metadata [ ServerSideEncryptionSealedKey ] )
if err != nil || len ( sealedKey ) != 64 {
return nil , errObjectTampered
}
sha := sha256 . New ( ) // derive key encryption key
sha . Write ( key )
sha . Write ( iv )
keyEncryptionKey := sha . Sum ( nil )
objectEncryptionKey := bytes . NewBuffer ( nil ) // decrypt object encryption key
n , err := sio . Decrypt ( objectEncryptionKey , bytes . NewReader ( sealedKey ) , sio . Config {
Key : keyEncryptionKey ,
} )
if n != 32 || err != nil {
// Either the provided key does not match or the object was tampered.
// To provide strict AWS S3 compatibility we return: access denied.
return nil , errSSEKeyMismatch
}
writer , err := sio . DecryptWriter ( client , sio . Config { Key : objectEncryptionKey . Bytes ( ) } )
if err != nil {
return nil , errInvalidSSEKey
}
delete ( metadata , ServerSideEncryptionIV )
delete ( metadata , ServerSideEncryptionSealAlgorithm )
delete ( metadata , ServerSideEncryptionSealedKey )
return writer , nil
}
// IsEncrypted returns true if the object is marked as encrypted.
func ( o * ObjectInfo ) IsEncrypted ( ) bool {
if _ , ok := o . UserDefined [ ServerSideEncryptionIV ] ; ok {
return true
}
if _ , ok := o . UserDefined [ ServerSideEncryptionSealAlgorithm ] ; ok {
return true
}
if _ , ok := o . UserDefined [ ServerSideEncryptionSealedKey ] ; ok {
return true
}
return false
}
// DecryptedSize returns the size of the object after decryption in bytes.
// It returns an error if the object is not encrypted or marked as encrypted
// but has an invalid size.
// DecryptedSize panics if the referred object is not encrypted.
func ( o * ObjectInfo ) DecryptedSize ( ) ( int64 , error ) {
if ! o . IsEncrypted ( ) {
panic ( "cannot compute decrypted size of an object which is not encrypted" )
}
if o . Size == 0 {
return o . Size , nil
}
size := ( o . Size / ( 32 + 64 * 1024 ) ) * ( 64 * 1024 )
if mod := o . Size % ( 32 + 64 * 1024 ) ; mod > 0 {
if mod < 33 {
return - 1 , errObjectTampered // object is not 0 size but smaller than the smallest valid encrypted object
}
size += mod - 32
}
return size , nil
}
// EncryptedSize returns the size of the object after encryption.
// An encrypted object is always larger than a plain object
// except for zero size objects.
func ( o * ObjectInfo ) EncryptedSize ( ) int64 {
size := ( o . Size / ( 64 * 1024 ) ) * ( 32 + 64 * 1024 )
if mod := o . Size % ( 64 * 1024 ) ; mod > 0 {
size += mod + 32
}
return size
}
// DecryptObjectInfo tries to decrypt the provided object if it is encrypted.
// It fails if the object is encrypted and the HTTP headers don't contain
// SSE-C headers or the object is not encrypted but SSE-C headers are provided. (AWS behavior)
// DecryptObjectInfo returns 'ErrNone' if the object is not encrypted or the
// decryption succeeded.
//
// DecryptObjectInfo also returns whether the object is encrypted or not.
func DecryptObjectInfo ( info * ObjectInfo , headers http . Header ) ( apiErr APIErrorCode , encrypted bool ) {
if apiErr , encrypted = ErrNone , info . IsEncrypted ( ) ; ! encrypted && IsSSECustomerRequest ( headers ) {
apiErr = ErrInvalidEncryptionParameters
} else if encrypted {
if ! IsSSECustomerRequest ( headers ) {
apiErr = ErrSSEEncryptedObject
return
}
var err error
if info . Size , err = info . DecryptedSize ( ) ; err != nil {
apiErr = toAPIErrorCode ( err )
}
}
return
}