From 7e0f1eb8b52936d27ac6886df2cf025166fe25e4 Mon Sep 17 00:00:00 2001
From: poornas
Date: Thu, 18 Oct 2018 16:05:05 -0700
Subject: [PATCH] Fix: verify client sent md5sum in encrypted PutObjectPart request (#6668)
This PR also removes check for SSE-S3 headers as this is not required by S3 specification.
---
 cmd/object-handlers.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index 90f820f71..9837e4f59 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -1755,6 +1755,7 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
 }
 }
+ isEncrypted := false
 if objectAPI.IsEncryptionSupported() && !isCompressed {
 var li ListPartsInfo
 li, err = objectAPI.ListObjectParts(ctx, bucket, object, uploadID, 0, 1)
@@ -1763,7 +1764,8 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
 return
 }
 if crypto.IsEncrypted(li.UserDefined) {
- if !hasServerSideEncryptionHeader(r.Header) {
+ isEncrypted = true
+ if !crypto.SSEC.IsRequested(r.Header) && crypto.SSEC.IsEncrypted(li.UserDefined) {
 writeErrorResponse(w, ErrSSEMultipartEncrypted, r.URL)
 return
 }
@@ -1791,7 +1793,7 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
 mac.Write(partIDbin[:])
 partEncryptionKey := mac.Sum(nil)
- reader, err = sio.EncryptReader(reader, sio.Config{Key: partEncryptionKey})
+ reader, err = sio.EncryptReader(hashReader, sio.Config{Key: partEncryptionKey})
 if err != nil {
 writeErrorResponse(w, toAPIErrorCode(err), r.URL)
 return
@@ -1807,7 +1809,7 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
 }
 putObjectPart := objectAPI.PutObjectPart
- if api.CacheAPI() != nil && !hasServerSideEncryptionHeader(r.Header) {
+ if api.CacheAPI() != nil && !isEncrypted {
 putObjectPart = api.CacheAPI().PutObjectPart
 }
 partInfo, err := putObjectPart(ctx, bucket, object, uploadID, partID, hashReader, opts)
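Review bot: The rewritten check `if !crypto.SSEC.IsRequested(r.Header) && crypto.SSEC.IsEncrypted(li.UserDefined)` in the second hunk rejects only one direction of a mismatch, namely an SSE-C upload whose part request lacks the SSE-C headers. A part request that does carry SSE-C headers while the upload metadata is not SSE-C passes this check; whether the key handling further down rejects it cannot be seen here, because PutObjectPartHandler continues outside the hunk. If that case should fail at this point, a second guard on `crypto.SSEC.IsRequested(r.Header) && !crypto.SSEC.IsEncrypted(li.UserDefined)` would make it explicit. A comment above the check, e.g. `// SSE-S3 parts need no request header; only SSE-C uploads require the client key on every part`, would also record why the broader header test was dropped.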
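Review bot: Nothing in this commit exercises the behaviour that the `sio.EncryptReader(hashReader, ...)` change in the third hunk restores: the diffstat lists only cmd/object-handlers.go, so a later refactor could reintroduce unverified encrypted parts without any test failing. A handler test that sends a part to an encrypted multipart upload with a deliberately wrong Content-MD5 and expects the request to be rejected would pin it. The line also deserves a short comment, e.g. `// read through hashReader so the client-sent checksum is verified on the plaintext before encryption`. How `hashReader` and `reader` are used afterwards lies outside the hunk, so it is worth confirming that a mismatch detected by hashReader propagates through the encrypting reader and aborts the write rather than committing the part.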
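Review bot: The cache bypass `api.CacheAPI() != nil && !isEncrypted` in the last hunk depends on a flag that is only set inside the `objectAPI.IsEncryptionSupported() && !isCompressed` branch shown in the first two hunks, so whenever that branch is skipped the part goes through the cache layer even if the request carries SSE-C headers. The removed `hasServerSideEncryptionHeader(r.Header)` test kept such requests away from the cache regardless of the upload's state. Deriving the decision from the upload metadata rather than from what the client sends is probably the intent, but it should be written down next to the condition: `// isEncrypted reflects the upload metadata; parts of encrypted uploads bypass the cache`. The rest of the handler is outside the hunk, so what the cache path does with `opts` for such a request could not be checked here.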