return AWS compliant error if SSE-C key is wrong (#5203)

This PR changes the behavior of DecryptRequest. Instead of returning `object-tampered` if the client provided key is wrong DecryptRequest will return `access-denied`. This is AWS S3 behavior. Fixes #5202
7 years ago · e95c0bb913
parent fce556b8a0
commit e95c0bb913
1 changed files with 3 additions and 1 deletions
--- a/cmd/encryption-v1.go
+++ b/cmd/encryption-v1.go
@ -253,7 +253,9 @@ func DecryptRequest(client io.Writer, r *http.Request, metadata map[string]strin
 		Key: keyEncryptionKey,
 	})
 	if n != 32 || err != nil {
-		return nil, errObjectTampered
+		// Either the provided key does not match or the object was tampered.
+		// To provide strict AWS S3 compatibility we return: access denied.
+		return nil, errSSEKeyMismatch
 	}

 	writer, err := sio.DecryptWriter(client, sio.Config{Key: objectEncryptionKey.Bytes()})