From d53e560ce0a2e4a038cbb0c52aff2aa3a0c75a84 Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Sat, 18 Jul 2020 17:36:32 -0700 Subject: [PATCH] fix: copyObject key rotation issue (#10085) - copyObject in-place decryption failed due to incorrect verification of headers - do not decode ETag when object is encrypted with SSE-C, so that pre-conditions don't fail prematurely. --- cmd/bucket-policy.go | 3 --- cmd/encryption-v1.go | 16 ++++++++++++---- cmd/object-api-utils.go | 3 ++- cmd/object-handlers.go | 7 ------- 4 files changed, 14 insertions(+), 15 deletions(-) diff --git a/cmd/bucket-policy.go b/cmd/bucket-policy.go index 0128a83df..1c0402648 100644 --- a/cmd/bucket-policy.go +++ b/cmd/bucket-policy.go @@ -75,9 +75,6 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[ if u, err := url.Parse(r.Header.Get(xhttp.AmzCopySource)); err == nil { vid = u.Query().Get("versionId") } - if vid == "" { - vid = r.Header.Get(xhttp.AmzCopySourceVersionID) - } } args := map[string][]string{ diff --git a/cmd/encryption-v1.go b/cmd/encryption-v1.go index 231fb6635..4b26cb8f3 100644 --- a/cmd/encryption-v1.go +++ b/cmd/encryption-v1.go @@ -31,6 +31,7 @@ import ( "strings" "github.com/minio/minio/cmd/crypto" + xhttp "github.com/minio/minio/cmd/http" "github.com/minio/minio/cmd/logger" sha256 "github.com/minio/sha256-simd" "github.com/minio/sio" @@ -809,9 +810,16 @@ func DecryptObjectInfo(info *ObjectInfo, r *http.Request) (encrypted bool, err e } if encrypted { - if (crypto.SSEC.IsEncrypted(info.UserDefined) && !crypto.SSEC.IsRequested(headers)) || - (crypto.S3.IsEncrypted(info.UserDefined) && crypto.SSEC.IsRequested(headers)) { - return encrypted, errEncryptedObject + if crypto.SSEC.IsEncrypted(info.UserDefined) { + if !(crypto.SSEC.IsRequested(headers) || crypto.SSECopy.IsRequested(headers)) { + return encrypted, errEncryptedObject + } + } + + if crypto.S3.IsEncrypted(info.UserDefined) && r.Header.Get(xhttp.AmzCopySource) == "" { + if crypto.SSEC.IsRequested(headers) || crypto.SSECopy.IsRequested(headers) { + return encrypted, errEncryptedObject + } } if _, err = info.DecryptedSize(); err != nil { @@ -819,7 +827,7 @@ func DecryptObjectInfo(info *ObjectInfo, r *http.Request) (encrypted bool, err e } if crypto.IsEncrypted(info.UserDefined) && !crypto.IsMultiPart(info.UserDefined) { - info.ETag = getDecryptedETag(headers, *info, headers.Get(crypto.SSECopyAlgorithm) != "") + info.ETag = getDecryptedETag(headers, *info, false) } } diff --git a/cmd/object-api-utils.go b/cmd/object-api-utils.go index a079ba7aa..419b7352b 100644 --- a/cmd/object-api-utils.go +++ b/cmd/object-api-utils.go @@ -612,7 +612,6 @@ func NewGetObjectReader(rs *HTTPRangeSpec, oi ObjectInfo, opts ObjectOptions, cl } return nil, err } - oi.ETag = getDecryptedETag(h, oi, copySource) // Decrypt the ETag before top layer consumes this value. if opts.CheckPrecondFn != nil && opts.CheckPrecondFn(oi) { // Call the cleanup funcs @@ -622,6 +621,8 @@ func NewGetObjectReader(rs *HTTPRangeSpec, oi ObjectInfo, opts ObjectOptions, cl return nil, PreConditionFailed{} } + oi.ETag = getDecryptedETag(h, oi, false) + // Apply the skipLen and limit on the // decrypted stream decReader = io.LimitReader(ioutil.NewSkipReader(decReader, skipLen), decRangeLength) diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go index f1a123147..426f3e59c 100644 --- a/cmd/object-handlers.go +++ b/cmd/object-handlers.go @@ -612,10 +612,6 @@ func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Re // Set encryption response headers if objectAPI.IsEncryptionSupported() { - if _, err = DecryptObjectInfo(&objInfo, r); err != nil { - writeErrorResponseHeadersOnly(w, toAPIError(ctx, err)) - return - } if crypto.IsEncrypted(objInfo.UserDefined) { switch { case crypto.S3.IsEncrypted(objInfo.UserDefined): @@ -1744,9 +1740,6 @@ func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *htt // Note that url.Parse does the unescaping cpSrcPath = u.Path } - if vid == "" { - vid = strings.TrimSpace(r.Header.Get(xhttp.AmzCopySourceVersionID)) - } srcBucket, srcObject := path2BucketObject(cpSrcPath) // If source object is empty or bucket is empty, reply back invalid copy source.