MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 12:52:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

add consistent nonce to make multipart deterministic per part (#20359)

Browse Source 
This change adds a consistent nonce to ensure
that multipart uploads are deterministic on a 
per-part basis.

Thanks to @klauspost for the work here minio/sio@3cd3734
This commit is contained in:
Harshavardhana
2024-08-31 11:25:48 -07:00
committed by GitHub
parent 6c746843ac
commit 7a34c88d73
3 changed files with 24 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
cmd/object-multipart-handlers.go
View File

@@ -20,6 +20,7 @@ package cmd
import (
"bufio"
"context"
"fmt"
"io"
"net/http"
"net/url"
@@ -44,6 +45,7 @@ import (
"github.com/minio/minio/internal/fips"
"github.com/minio/minio/internal/handlers"
"github.com/minio/minio/internal/hash"
"github.com/minio/minio/internal/hash/sha256"
xhttp "github.com/minio/minio/internal/http"
"github.com/minio/minio/internal/logger"
"github.com/minio/mux"
@@ -516,8 +518,16 @@ func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *htt
}
copy(objectEncryptionKey[:], key)
var nonce [12]byte
tmp := sha256.Sum256([]byte(fmt.Sprint(uploadID, partID)))
copy(nonce[:], tmp[:12])
partEncryptionKey := objectEncryptionKey.DerivePartKey(uint32(partID))
encReader, err := sio.EncryptReader(reader, sio.Config{Key: partEncryptionKey[:], CipherSuites: fips.DARECiphers()})
encReader, err := sio.EncryptReader(reader, sio.Config{
Key: partEncryptionKey[:],
CipherSuites: fips.DARECiphers(),
Nonce: &nonce,
})
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
return
@@ -806,7 +816,16 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
// We add a buffer on bigger files to reduce the number of syscalls upstream.
in = bufio.NewReaderSize(hashReader, encryptBufferSize)
}
reader, err = sio.EncryptReader(in, sio.Config{Key: partEncryptionKey[:], CipherSuites: fips.DARECiphers()})
var nonce [12]byte
tmp := sha256.Sum256([]byte(fmt.Sprint(uploadID, partID)))
copy(nonce[:], tmp[:12])
reader, err = sio.EncryptReader(in, sio.Config{
Key: partEncryptionKey[:],
CipherSuites: fips.DARECiphers(),
Nonce: &nonce,
})
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
return