From b8bd8d6a034c74158ae7a5b241c48df8669dca2e Mon Sep 17 00:00:00 2001
From: kannappanr <30541348+kannappanr@users.noreply.github.com>
Date: Tue, 16 Oct 2018 12:24:27 -0700
Subject: [PATCH] Validate user provided SSE-C key on Head Object API (#6600)

Fixes #6598
---
 cmd/object-handlers.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index c85ab1d50..451e6915f 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -552,6 +552,11 @@ func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Re
 			case crypto.S3.IsEncrypted(objInfo.UserDefined):
 				w.Header().Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
 			case crypto.SSEC.IsEncrypted(objInfo.UserDefined):
+				// Validate the SSE-C Key set in the header.
+				if _, err = crypto.SSEC.UnsealObjectKey(r.Header, objInfo.UserDefined, bucket, object); err != nil {
+					writeErrorResponseHeadersOnly(w, toAPIErrorCode(err))
+					return
+				}
 				w.Header().Set(crypto.SSECAlgorithm, r.Header.Get(crypto.SSECAlgorithm))
 				w.Header().Set(crypto.SSECKeyMD5, r.Header.Get(crypto.SSECKeyMD5))
 			}