Fix decrypted object size and key derivation in CopyObjectPart (#6141)

This commit fixes the size calculation for multipart objects. The decrypted size of an encrypted multipart object is the sum of the decrypted part sizes. Also fixes the key derivation in CopyObjectPart. Instead of using the same object-encryption-key for each part now an unique per-part key is derived. Updates #6139
2025-11-09 13:39:46 -05:00 · 2018-07-12 18:29:56 +02:00
parent 44865596db
commit 15771ebe8d
2 changed files with 23 additions and 6 deletions
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -1077,7 +1077,6 @@ func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *htt
 				return
 			}

-			// Calculating object encryption key
 			var objectEncryptionKey []byte
 			objectEncryptionKey, err = decryptObjectInfo(key, dstBucket, dstObject, li.UserDefined)
 			if err != nil {
@@ -1086,7 +1085,13 @@ func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *htt
 				return
 			}

-			reader, err = sio.EncryptReader(reader, sio.Config{Key: objectEncryptionKey})
+			var partIDbin [4]byte
+			binary.LittleEndian.PutUint32(partIDbin[:], uint32(partID)) // marshal part ID
+
+			mac := hmac.New(sha256.New, objectEncryptionKey) // derive part encryption key from part ID and object key
+			mac.Write(partIDbin[:])
+			partEncryptionKey := mac.Sum(nil)
+			reader, err = sio.EncryptReader(reader, sio.Config{Key: partEncryptionKey})
 			if err != nil {
 				pipeWriter.CloseWithError(err)
 				writeErrorResponse(w, toAPIErrorCode(err), r.URL)