From adaae26bbce0690975460398f392d4ba3517ebf6 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Fri, 7 May 2021 23:40:57 +0200
Subject: [PATCH] sse-kms: fix single-part object decryption (#12257)
This commit fixes a bug in the single-part object decryption that is triggered in case of SSE-KMS. Before, it was assumed that the encryption is either SSE-C or SSE-S3. In case of SSE-KMS the SSE-C branch was executed. This lead to an invalid SSE-C algorithm error. This commit fixes this by inverting the `if-else` logic. Now, the SSE-C branch only gets executed when SSE-C headers are present.
Signed-off-by: Andreas Auernhammer
---
 cmd/encryption-v1.go | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/cmd/encryption-v1.go b/cmd/encryption-v1.go
index 8b2efbdd3..ed6fd4459 100644
--- a/cmd/encryption-v1.go
+++ b/cmd/encryption-v1.go
@@ -375,15 +375,14 @@ func decryptObjectInfo(key []byte, bucket, object string, metadata map[string]st
 // DecryptRequestWithSequenceNumberR - same as
 // DecryptRequestWithSequenceNumber but with a reader
 func DecryptRequestWithSequenceNumberR(client io.Reader, h http.Header, bucket, object string, seqNumber uint32, metadata map[string]string) (io.Reader, error) {
- if crypto.S3.IsEncrypted(metadata) {
- return newDecryptReader(client, nil, bucket, object, seqNumber, metadata)
+ if crypto.SSEC.IsEncrypted(metadata) {
+ key, err := ParseSSECustomerHeader(h)
+ if err != nil {
+ return nil, err
+ }
+ return newDecryptReader(client, key, bucket, object, seqNumber, metadata)
 }
-
- key, err := ParseSSECustomerHeader(h)
- if err != nil {
- return nil, err
- }
- return newDecryptReader(client, key, bucket, object, seqNumber, metadata)
+ return newDecryptReader(client, nil, bucket, object, seqNumber, metadata)
 }

 // DecryptCopyRequestR - same as DecryptCopyRequest, but with a
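Review bot: The final `return newDecryptReader(client, nil, bucket, object, seqNumber, metadata)` is now the default for every object whose metadata is not marked SSE-C, so it is reached for SSE-S3 and SSE-KMS but also for metadata with no recognised encryption marker. The hunk does not show whether newDecryptReader rejects that last case, so it is worth confirming that it fails closed there, since the old default (the SSE-C header parse) returned an error. The branch is chosen from the stored object metadata, not from the request headers `h` as the commit message puts it, and that deserves a comment above the `if`, e.g. `// Chosen from stored object metadata, not request headers: only SSE-C needs the client key; every other object passes key == nil.` The diffstat lists only cmd/encryption-v1.go, so no regression test for the SSE-KMS single-part path accompanies the fix.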