MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-05-21 17:43:48 -04:00
Code Issues Packages Projects Releases Wiki Activity

only allow decryption of etag for only sse-s3 (#17335)

Browse Source
This commit is contained in:
Harshavardhana 2023-06-05 13:08:51 -07:00 committed by GitHub
parent f9e07d6143
commit 75c6fc4f02
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 12 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.github/workflows/mint/minio-compress-encrypt.yaml vendored
View File

@ -11,8 +11,9 @@ x-minio-common: &minio-common
MINIO_CI_CD: "on" MINIO_CI_CD: "on"
MINIO_ROOT_USER: "minio" MINIO_ROOT_USER: "minio"
MINIO_ROOT_PASSWORD: "minio123" MINIO_ROOT_PASSWORD: "minio123"
MINIO_COMPRESS: "true" MINIO_COMPRESSION_ENABLE: "on"
MINIO_COMPRESS_MIMETYPES: "*" MINIO_COMPRESSION_MIME_TYPES: "*"
MINIO_COMPRESSION_ALLOW_ENCRYPTION: "on"
MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw=" MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw="
healthcheck: healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"] test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]

2
.github/workflows/mint/minio-erasure.yaml vendored
View File

@ -11,8 +11,6 @@ x-minio-common: &minio-common
MINIO_CI_CD: "on" MINIO_CI_CD: "on"
MINIO_ROOT_USER: "minio" MINIO_ROOT_USER: "minio"
MINIO_ROOT_PASSWORD: "minio123" MINIO_ROOT_PASSWORD: "minio123"
MINIO_COMPRESS: "true"
MINIO_COMPRESS_MIMETYPES: "*"
MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw=" MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw="
healthcheck: healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"] test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]

12
cmd/encryption-v1.go
View File

@ -818,8 +818,8 @@ func getDecryptedETag(headers http.Header, objInfo ObjectInfo, copySource bool)
// As per AWS S3 Spec, ETag for SSE-C encrypted objects need not be MD5Sum of the data. // As per AWS S3 Spec, ETag for SSE-C encrypted objects need not be MD5Sum of the data.
// Since server side copy with same source and dest just replaces the ETag, we save // Since server side copy with same source and dest just replaces the ETag, we save
// encrypted content MD5Sum as ETag for both SSE-C and SSE-S3, we standardize the ETag // encrypted content MD5Sum as ETag for both SSE-C and SSE-KMS, we standardize the ETag
// encryption across SSE-C and SSE-S3, and only return last 32 bytes for SSE-C // encryption across SSE-C and SSE-KMS, and only return last 32 bytes for SSE-C
if (crypto.SSEC.IsEncrypted(objInfo.UserDefined) || crypto.S3KMS.IsEncrypted(objInfo.UserDefined)) && !copySource { if (crypto.SSEC.IsEncrypted(objInfo.UserDefined) || crypto.S3KMS.IsEncrypted(objInfo.UserDefined)) && !copySource {
return objInfo.ETag[len(objInfo.ETag)-32:] return objInfo.ETag[len(objInfo.ETag)-32:]
} }
@ -828,15 +828,15 @@ func getDecryptedETag(headers http.Header, objInfo ObjectInfo, copySource bool)
if err != nil { if err != nil {
return objInfo.ETag return objInfo.ETag
} }
return tryDecryptETag(objectEncryptionKey, objInfo.ETag, false) return tryDecryptETag(objectEncryptionKey, objInfo.ETag, true)
} }
// helper to decrypt Etag given object encryption key and encrypted ETag // helper to decrypt Etag given object encryption key and encrypted ETag
func tryDecryptETag(key []byte, encryptedETag string, ssec bool) string { func tryDecryptETag(key []byte, encryptedETag string, sses3 bool) string {
// ETag for SSE-C encrypted objects need not be content MD5Sum.While encrypted // ETag for SSE-C or SSE-KMS encrypted objects need not be content MD5Sum.While encrypted
// md5sum is stored internally, return just the last 32 bytes of hex-encoded and // md5sum is stored internally, return just the last 32 bytes of hex-encoded and
// encrypted md5sum string for SSE-C // encrypted md5sum string for SSE-C
if ssec { if !sses3 {
return encryptedETag[len(encryptedETag)-32:] return encryptedETag[len(encryptedETag)-32:]
} }
var objectKey crypto.ObjectKey var objectKey crypto.ObjectKey

2
cmd/erasure-multipart.go
View File

@ -1094,7 +1094,7 @@ func (er erasureObjects) CompleteMultipartUpload(ctx context.Context, bucket str
// ensure that part ETag is canonicalized to strip off extraneous quotes // ensure that part ETag is canonicalized to strip off extraneous quotes
part.ETag = canonicalizeETag(part.ETag) part.ETag = canonicalizeETag(part.ETag)
expETag := tryDecryptETag(objectEncryptionKey, expPart.ETag, kind != crypto.S3) expETag := tryDecryptETag(objectEncryptionKey, expPart.ETag, kind == crypto.S3)
if expETag != part.ETag { if expETag != part.ETag {
invp := InvalidPart{ invp := InvalidPart{
PartNumber: part.PartNumber, PartNumber: part.PartNumber,

4
cmd/object-multipart-handlers.go
View File

@ -543,7 +543,7 @@ func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *htt
} }
if isEncrypted { if isEncrypted {
partInfo.ETag = tryDecryptETag(objectEncryptionKey[:], partInfo.ETag, crypto.SSEC.IsRequested(r.Header)) partInfo.ETag = tryDecryptETag(objectEncryptionKey[:], partInfo.ETag, crypto.S3.IsRequested(r.Header))
} }
response := generateCopyObjectPartResponse(partInfo.ETag, partInfo.LastModified) response := generateCopyObjectPartResponse(partInfo.ETag, partInfo.LastModified)
@ -1165,7 +1165,7 @@ func (api objectAPIHandlers) ListObjectPartsHandler(w http.ResponseWriter, r *ht
} }
} }
for i, p := range listPartsInfo.Parts { for i, p := range listPartsInfo.Parts {
listPartsInfo.Parts[i].ETag = tryDecryptETag(objectEncryptionKey, p.ETag, kind != crypto.S3) listPartsInfo.Parts[i].ETag = tryDecryptETag(objectEncryptionKey, p.ETag, kind == crypto.S3)
listPartsInfo.Parts[i].Size = p.ActualSize listPartsInfo.Parts[i].Size = p.ActualSize
} }
} }