From e64b9f6751a33d6d4b00e1b17d8c9bfa06043094 Mon Sep 17 00:00:00 2001
From: Harshavardhana <harsha@minio.io>
Date: Wed, 25 Jan 2023 05:16:33 +0530
Subject: [PATCH] fix: disallow SSE-C encrypted objects on replicated buckets
 (#16467)

---
 Makefile                          |  12 +-
 cmd/api-errors.go                 |   9 +
 cmd/apierrorcode_string.go        | 355 +++++++++++++++---------------
 cmd/bucket-handlers.go            |   8 +-
 cmd/bucket-replication.go         |   5 +
 cmd/encryption-v1.go              |   3 +-
 cmd/object-handlers.go            |  15 +-
 cmd/object-multipart-handlers.go  |   7 +-
 docs/bucket/replication/README.md |  10 +
 9 files changed, 238 insertions(+), 186 deletions(-)

diff --git a/Makefile b/Makefile
index fdde3b274..6edbe1be5 100644
--- a/Makefile
+++ b/Makefile
@@ -64,12 +64,18 @@ test-iam: build ## verify IAM (external IDP, etcd backends)
 	@echo "Running tests for IAM (external IDP, etcd backends) with -race"
 	@MINIO_API_REQUESTS_MAX=10000 GORACE=history_size=7 CGO_ENABLED=1 go test -race -tags kqueue -v -run TestIAM* ./cmd
 
-test-replication: install ## verify multi site replication
-	@echo "Running tests for replicating three sites"
-	@(env bash $(PWD)/docs/bucket/replication/setup_3site_replication.sh)
+test-replication-2site:
 	@(env bash $(PWD)/docs/bucket/replication/setup_2site_existing_replication.sh)
+
+test-replication-3site:
+	@(env bash $(PWD)/docs/bucket/replication/setup_3site_replication.sh)
+
+test-delete-replication:
 	@(env bash $(PWD)/docs/bucket/replication/delete-replication.sh)
 
+test-replication: install test-replication-2site test-replication-3site test-delete-replication ## verify multi site replication
+	@echo "Running tests for replicating three sites"
+
 test-site-replication-ldap: install ## verify automatic site replication
 	@echo "Running tests for automatic site replication of IAM (with LDAP)"
 	@(env bash $(PWD)/docs/site-replication/run-multi-site-ldap.sh)
diff --git a/cmd/api-errors.go b/cmd/api-errors.go
index 232fc1555..3adcc1854 100644
--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@@ -208,6 +208,8 @@ const (
 	ErrSSEMultipartEncrypted
 	ErrSSEEncryptedObject
 	ErrInvalidEncryptionParameters
+	ErrInvalidEncryptionParametersSSEC
+
 	ErrInvalidSSECustomerAlgorithm
 	ErrInvalidSSECustomerKey
 	ErrMissingSSECustomerKey
@@ -1114,6 +1116,11 @@ var errorCodes = errorCodeMap{
 		Description:    "The encryption parameters are not applicable to this object.",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrInvalidEncryptionParametersSSEC: {
+		Code:           "InvalidRequest",
+		Description:    "SSE-C encryption parameters are not supported on replicated bucket.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	ErrInvalidSSECustomerAlgorithm: {
 		Code:           "InvalidArgument",
 		Description:    "Requests specifying Server Side Encryption with Customer provided keys must provide a valid encryption algorithm.",
@@ -2006,6 +2013,8 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) {
 	// SSE errors
 	case errInvalidEncryptionParameters:
 		apiErr = ErrInvalidEncryptionParameters
+	case errInvalidEncryptionParametersSSEC:
+		apiErr = ErrInvalidEncryptionParametersSSEC
 	case crypto.ErrInvalidEncryptionMethod:
 		apiErr = ErrInvalidEncryptionMethod
 	case crypto.ErrInvalidEncryptionKeyID:
diff --git a/cmd/apierrorcode_string.go b/cmd/apierrorcode_string.go
index 96650a049..1e3fd05b7 100644
--- a/cmd/apierrorcode_string.go
+++ b/cmd/apierrorcode_string.go
@@ -137,186 +137,187 @@ func _() {
 	_ = x[ErrSSEMultipartEncrypted-126]
 	_ = x[ErrSSEEncryptedObject-127]
 	_ = x[ErrInvalidEncryptionParameters-128]
-	_ = x[ErrInvalidSSECustomerAlgorithm-129]
-	_ = x[ErrInvalidSSECustomerKey-130]
-	_ = x[ErrMissingSSECustomerKey-131]
-	_ = x[ErrMissingSSECustomerKeyMD5-132]
-	_ = x[ErrSSECustomerKeyMD5Mismatch-133]
-	_ = x[ErrInvalidSSECustomerParameters-134]
-	_ = x[ErrIncompatibleEncryptionMethod-135]
-	_ = x[ErrKMSNotConfigured-136]
-	_ = x[ErrKMSKeyNotFoundException-137]
-	_ = x[ErrNoAccessKey-138]
-	_ = x[ErrInvalidToken-139]
-	_ = x[ErrEventNotification-140]
-	_ = x[ErrARNNotification-141]
-	_ = x[ErrRegionNotification-142]
-	_ = x[ErrOverlappingFilterNotification-143]
-	_ = x[ErrFilterNameInvalid-144]
-	_ = x[ErrFilterNamePrefix-145]
-	_ = x[ErrFilterNameSuffix-146]
-	_ = x[ErrFilterValueInvalid-147]
-	_ = x[ErrOverlappingConfigs-148]
-	_ = x[ErrUnsupportedNotification-149]
-	_ = x[ErrContentSHA256Mismatch-150]
-	_ = x[ErrContentChecksumMismatch-151]
-	_ = x[ErrReadQuorum-152]
-	_ = x[ErrWriteQuorum-153]
-	_ = x[ErrStorageFull-154]
-	_ = x[ErrRequestBodyParse-155]
-	_ = x[ErrObjectExistsAsDirectory-156]
-	_ = x[ErrInvalidObjectName-157]
-	_ = x[ErrInvalidObjectNamePrefixSlash-158]
-	_ = x[ErrInvalidResourceName-159]
-	_ = x[ErrServerNotInitialized-160]
-	_ = x[ErrOperationTimedOut-161]
-	_ = x[ErrClientDisconnected-162]
-	_ = x[ErrOperationMaxedOut-163]
-	_ = x[ErrInvalidRequest-164]
-	_ = x[ErrTransitionStorageClassNotFoundError-165]
-	_ = x[ErrInvalidStorageClass-166]
-	_ = x[ErrBackendDown-167]
-	_ = x[ErrMalformedJSON-168]
-	_ = x[ErrAdminNoSuchUser-169]
-	_ = x[ErrAdminNoSuchGroup-170]
-	_ = x[ErrAdminGroupNotEmpty-171]
-	_ = x[ErrAdminNoSuchJob-172]
-	_ = x[ErrAdminNoSuchPolicy-173]
-	_ = x[ErrAdminPolicyChangeAlreadyApplied-174]
-	_ = x[ErrAdminInvalidArgument-175]
-	_ = x[ErrAdminInvalidAccessKey-176]
-	_ = x[ErrAdminInvalidSecretKey-177]
-	_ = x[ErrAdminConfigNoQuorum-178]
-	_ = x[ErrAdminConfigTooLarge-179]
-	_ = x[ErrAdminConfigBadJSON-180]
-	_ = x[ErrAdminNoSuchConfigTarget-181]
-	_ = x[ErrAdminConfigEnvOverridden-182]
-	_ = x[ErrAdminConfigDuplicateKeys-183]
-	_ = x[ErrAdminConfigInvalidIDPType-184]
-	_ = x[ErrAdminConfigLDAPValidation-185]
-	_ = x[ErrAdminConfigIDPCfgNameAlreadyExists-186]
-	_ = x[ErrAdminConfigIDPCfgNameDoesNotExist-187]
-	_ = x[ErrAdminCredentialsMismatch-188]
-	_ = x[ErrInsecureClientRequest-189]
-	_ = x[ErrObjectTampered-190]
-	_ = x[ErrSiteReplicationInvalidRequest-191]
-	_ = x[ErrSiteReplicationPeerResp-192]
-	_ = x[ErrSiteReplicationBackendIssue-193]
-	_ = x[ErrSiteReplicationServiceAccountError-194]
-	_ = x[ErrSiteReplicationBucketConfigError-195]
-	_ = x[ErrSiteReplicationBucketMetaError-196]
-	_ = x[ErrSiteReplicationIAMError-197]
-	_ = x[ErrSiteReplicationConfigMissing-198]
-	_ = x[ErrAdminRebalanceAlreadyStarted-199]
-	_ = x[ErrAdminRebalanceNotStarted-200]
-	_ = x[ErrAdminBucketQuotaExceeded-201]
-	_ = x[ErrAdminNoSuchQuotaConfiguration-202]
-	_ = x[ErrHealNotImplemented-203]
-	_ = x[ErrHealNoSuchProcess-204]
-	_ = x[ErrHealInvalidClientToken-205]
-	_ = x[ErrHealMissingBucket-206]
-	_ = x[ErrHealAlreadyRunning-207]
-	_ = x[ErrHealOverlappingPaths-208]
-	_ = x[ErrIncorrectContinuationToken-209]
-	_ = x[ErrEmptyRequestBody-210]
-	_ = x[ErrUnsupportedFunction-211]
-	_ = x[ErrInvalidExpressionType-212]
-	_ = x[ErrBusy-213]
-	_ = x[ErrUnauthorizedAccess-214]
-	_ = x[ErrExpressionTooLong-215]
-	_ = x[ErrIllegalSQLFunctionArgument-216]
-	_ = x[ErrInvalidKeyPath-217]
-	_ = x[ErrInvalidCompressionFormat-218]
-	_ = x[ErrInvalidFileHeaderInfo-219]
-	_ = x[ErrInvalidJSONType-220]
-	_ = x[ErrInvalidQuoteFields-221]
-	_ = x[ErrInvalidRequestParameter-222]
-	_ = x[ErrInvalidDataType-223]
-	_ = x[ErrInvalidTextEncoding-224]
-	_ = x[ErrInvalidDataSource-225]
-	_ = x[ErrInvalidTableAlias-226]
-	_ = x[ErrMissingRequiredParameter-227]
-	_ = x[ErrObjectSerializationConflict-228]
-	_ = x[ErrUnsupportedSQLOperation-229]
-	_ = x[ErrUnsupportedSQLStructure-230]
-	_ = x[ErrUnsupportedSyntax-231]
-	_ = x[ErrUnsupportedRangeHeader-232]
-	_ = x[ErrLexerInvalidChar-233]
-	_ = x[ErrLexerInvalidOperator-234]
-	_ = x[ErrLexerInvalidLiteral-235]
-	_ = x[ErrLexerInvalidIONLiteral-236]
-	_ = x[ErrParseExpectedDatePart-237]
-	_ = x[ErrParseExpectedKeyword-238]
-	_ = x[ErrParseExpectedTokenType-239]
-	_ = x[ErrParseExpected2TokenTypes-240]
-	_ = x[ErrParseExpectedNumber-241]
-	_ = x[ErrParseExpectedRightParenBuiltinFunctionCall-242]
-	_ = x[ErrParseExpectedTypeName-243]
-	_ = x[ErrParseExpectedWhenClause-244]
-	_ = x[ErrParseUnsupportedToken-245]
-	_ = x[ErrParseUnsupportedLiteralsGroupBy-246]
-	_ = x[ErrParseExpectedMember-247]
-	_ = x[ErrParseUnsupportedSelect-248]
-	_ = x[ErrParseUnsupportedCase-249]
-	_ = x[ErrParseUnsupportedCaseClause-250]
-	_ = x[ErrParseUnsupportedAlias-251]
-	_ = x[ErrParseUnsupportedSyntax-252]
-	_ = x[ErrParseUnknownOperator-253]
-	_ = x[ErrParseMissingIdentAfterAt-254]
-	_ = x[ErrParseUnexpectedOperator-255]
-	_ = x[ErrParseUnexpectedTerm-256]
-	_ = x[ErrParseUnexpectedToken-257]
-	_ = x[ErrParseUnexpectedKeyword-258]
-	_ = x[ErrParseExpectedExpression-259]
-	_ = x[ErrParseExpectedLeftParenAfterCast-260]
-	_ = x[ErrParseExpectedLeftParenValueConstructor-261]
-	_ = x[ErrParseExpectedLeftParenBuiltinFunctionCall-262]
-	_ = x[ErrParseExpectedArgumentDelimiter-263]
-	_ = x[ErrParseCastArity-264]
-	_ = x[ErrParseInvalidTypeParam-265]
-	_ = x[ErrParseEmptySelect-266]
-	_ = x[ErrParseSelectMissingFrom-267]
-	_ = x[ErrParseExpectedIdentForGroupName-268]
-	_ = x[ErrParseExpectedIdentForAlias-269]
-	_ = x[ErrParseUnsupportedCallWithStar-270]
-	_ = x[ErrParseNonUnaryAgregateFunctionCall-271]
-	_ = x[ErrParseMalformedJoin-272]
-	_ = x[ErrParseExpectedIdentForAt-273]
-	_ = x[ErrParseAsteriskIsNotAloneInSelectList-274]
-	_ = x[ErrParseCannotMixSqbAndWildcardInSelectList-275]
-	_ = x[ErrParseInvalidContextForWildcardInSelectList-276]
-	_ = x[ErrIncorrectSQLFunctionArgumentType-277]
-	_ = x[ErrValueParseFailure-278]
-	_ = x[ErrEvaluatorInvalidArguments-279]
-	_ = x[ErrIntegerOverflow-280]
-	_ = x[ErrLikeInvalidInputs-281]
-	_ = x[ErrCastFailed-282]
-	_ = x[ErrInvalidCast-283]
-	_ = x[ErrEvaluatorInvalidTimestampFormatPattern-284]
-	_ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbolForParsing-285]
-	_ = x[ErrEvaluatorTimestampFormatPatternDuplicateFields-286]
-	_ = x[ErrEvaluatorTimestampFormatPatternHourClockAmPmMismatch-287]
-	_ = x[ErrEvaluatorUnterminatedTimestampFormatPatternToken-288]
-	_ = x[ErrEvaluatorInvalidTimestampFormatPatternToken-289]
-	_ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbol-290]
-	_ = x[ErrEvaluatorBindingDoesNotExist-291]
-	_ = x[ErrMissingHeaders-292]
-	_ = x[ErrInvalidColumnIndex-293]
-	_ = x[ErrAdminConfigNotificationTargetsFailed-294]
-	_ = x[ErrAdminProfilerNotEnabled-295]
-	_ = x[ErrInvalidDecompressedSize-296]
-	_ = x[ErrAddUserInvalidArgument-297]
-	_ = x[ErrAdminResourceInvalidArgument-298]
-	_ = x[ErrAdminAccountNotEligible-299]
-	_ = x[ErrAccountNotEligible-300]
-	_ = x[ErrAdminServiceAccountNotFound-301]
-	_ = x[ErrPostPolicyConditionInvalidFormat-302]
-	_ = x[ErrInvalidChecksum-303]
+	_ = x[ErrInvalidEncryptionParametersSSEC-129]
+	_ = x[ErrInvalidSSECustomerAlgorithm-130]
+	_ = x[ErrInvalidSSECustomerKey-131]
+	_ = x[ErrMissingSSECustomerKey-132]
+	_ = x[ErrMissingSSECustomerKeyMD5-133]
+	_ = x[ErrSSECustomerKeyMD5Mismatch-134]
+	_ = x[ErrInvalidSSECustomerParameters-135]
+	_ = x[ErrIncompatibleEncryptionMethod-136]
+	_ = x[ErrKMSNotConfigured-137]
+	_ = x[ErrKMSKeyNotFoundException-138]
+	_ = x[ErrNoAccessKey-139]
+	_ = x[ErrInvalidToken-140]
+	_ = x[ErrEventNotification-141]
+	_ = x[ErrARNNotification-142]
+	_ = x[ErrRegionNotification-143]
+	_ = x[ErrOverlappingFilterNotification-144]
+	_ = x[ErrFilterNameInvalid-145]
+	_ = x[ErrFilterNamePrefix-146]
+	_ = x[ErrFilterNameSuffix-147]
+	_ = x[ErrFilterValueInvalid-148]
+	_ = x[ErrOverlappingConfigs-149]
+	_ = x[ErrUnsupportedNotification-150]
+	_ = x[ErrContentSHA256Mismatch-151]
+	_ = x[ErrContentChecksumMismatch-152]
+	_ = x[ErrReadQuorum-153]
+	_ = x[ErrWriteQuorum-154]
+	_ = x[ErrStorageFull-155]
+	_ = x[ErrRequestBodyParse-156]
+	_ = x[ErrObjectExistsAsDirectory-157]
+	_ = x[ErrInvalidObjectName-158]
+	_ = x[ErrInvalidObjectNamePrefixSlash-159]
+	_ = x[ErrInvalidResourceName-160]
+	_ = x[ErrServerNotInitialized-161]
+	_ = x[ErrOperationTimedOut-162]
+	_ = x[ErrClientDisconnected-163]
+	_ = x[ErrOperationMaxedOut-164]
+	_ = x[ErrInvalidRequest-165]
+	_ = x[ErrTransitionStorageClassNotFoundError-166]
+	_ = x[ErrInvalidStorageClass-167]
+	_ = x[ErrBackendDown-168]
+	_ = x[ErrMalformedJSON-169]
+	_ = x[ErrAdminNoSuchUser-170]
+	_ = x[ErrAdminNoSuchGroup-171]
+	_ = x[ErrAdminGroupNotEmpty-172]
+	_ = x[ErrAdminNoSuchJob-173]
+	_ = x[ErrAdminNoSuchPolicy-174]
+	_ = x[ErrAdminPolicyChangeAlreadyApplied-175]
+	_ = x[ErrAdminInvalidArgument-176]
+	_ = x[ErrAdminInvalidAccessKey-177]
+	_ = x[ErrAdminInvalidSecretKey-178]
+	_ = x[ErrAdminConfigNoQuorum-179]
+	_ = x[ErrAdminConfigTooLarge-180]
+	_ = x[ErrAdminConfigBadJSON-181]
+	_ = x[ErrAdminNoSuchConfigTarget-182]
+	_ = x[ErrAdminConfigEnvOverridden-183]
+	_ = x[ErrAdminConfigDuplicateKeys-184]
+	_ = x[ErrAdminConfigInvalidIDPType-185]
+	_ = x[ErrAdminConfigLDAPValidation-186]
+	_ = x[ErrAdminConfigIDPCfgNameAlreadyExists-187]
+	_ = x[ErrAdminConfigIDPCfgNameDoesNotExist-188]
+	_ = x[ErrAdminCredentialsMismatch-189]
+	_ = x[ErrInsecureClientRequest-190]
+	_ = x[ErrObjectTampered-191]
+	_ = x[ErrSiteReplicationInvalidRequest-192]
+	_ = x[ErrSiteReplicationPeerResp-193]
+	_ = x[ErrSiteReplicationBackendIssue-194]
+	_ = x[ErrSiteReplicationServiceAccountError-195]
+	_ = x[ErrSiteReplicationBucketConfigError-196]
+	_ = x[ErrSiteReplicationBucketMetaError-197]
+	_ = x[ErrSiteReplicationIAMError-198]
+	_ = x[ErrSiteReplicationConfigMissing-199]
+	_ = x[ErrAdminRebalanceAlreadyStarted-200]
+	_ = x[ErrAdminRebalanceNotStarted-201]
+	_ = x[ErrAdminBucketQuotaExceeded-202]
+	_ = x[ErrAdminNoSuchQuotaConfiguration-203]
+	_ = x[ErrHealNotImplemented-204]
+	_ = x[ErrHealNoSuchProcess-205]
+	_ = x[ErrHealInvalidClientToken-206]
+	_ = x[ErrHealMissingBucket-207]
+	_ = x[ErrHealAlreadyRunning-208]
+	_ = x[ErrHealOverlappingPaths-209]
+	_ = x[ErrIncorrectContinuationToken-210]
+	_ = x[ErrEmptyRequestBody-211]
+	_ = x[ErrUnsupportedFunction-212]
+	_ = x[ErrInvalidExpressionType-213]
+	_ = x[ErrBusy-214]
+	_ = x[ErrUnauthorizedAccess-215]
+	_ = x[ErrExpressionTooLong-216]
+	_ = x[ErrIllegalSQLFunctionArgument-217]
+	_ = x[ErrInvalidKeyPath-218]
+	_ = x[ErrInvalidCompressionFormat-219]
+	_ = x[ErrInvalidFileHeaderInfo-220]
+	_ = x[ErrInvalidJSONType-221]
+	_ = x[ErrInvalidQuoteFields-222]
+	_ = x[ErrInvalidRequestParameter-223]
+	_ = x[ErrInvalidDataType-224]
+	_ = x[ErrInvalidTextEncoding-225]
+	_ = x[ErrInvalidDataSource-226]
+	_ = x[ErrInvalidTableAlias-227]
+	_ = x[ErrMissingRequiredParameter-228]
+	_ = x[ErrObjectSerializationConflict-229]
+	_ = x[ErrUnsupportedSQLOperation-230]
+	_ = x[ErrUnsupportedSQLStructure-231]
+	_ = x[ErrUnsupportedSyntax-232]
+	_ = x[ErrUnsupportedRangeHeader-233]
+	_ = x[ErrLexerInvalidChar-234]
+	_ = x[ErrLexerInvalidOperator-235]
+	_ = x[ErrLexerInvalidLiteral-236]
+	_ = x[ErrLexerInvalidIONLiteral-237]
+	_ = x[ErrParseExpectedDatePart-238]
+	_ = x[ErrParseExpectedKeyword-239]
+	_ = x[ErrParseExpectedTokenType-240]
+	_ = x[ErrParseExpected2TokenTypes-241]
+	_ = x[ErrParseExpectedNumber-242]
+	_ = x[ErrParseExpectedRightParenBuiltinFunctionCall-243]
+	_ = x[ErrParseExpectedTypeName-244]
+	_ = x[ErrParseExpectedWhenClause-245]
+	_ = x[ErrParseUnsupportedToken-246]
+	_ = x[ErrParseUnsupportedLiteralsGroupBy-247]
+	_ = x[ErrParseExpectedMember-248]
+	_ = x[ErrParseUnsupportedSelect-249]
+	_ = x[ErrParseUnsupportedCase-250]
+	_ = x[ErrParseUnsupportedCaseClause-251]
+	_ = x[ErrParseUnsupportedAlias-252]
+	_ = x[ErrParseUnsupportedSyntax-253]
+	_ = x[ErrParseUnknownOperator-254]
+	_ = x[ErrParseMissingIdentAfterAt-255]
+	_ = x[ErrParseUnexpectedOperator-256]
+	_ = x[ErrParseUnexpectedTerm-257]
+	_ = x[ErrParseUnexpectedToken-258]
+	_ = x[ErrParseUnexpectedKeyword-259]
+	_ = x[ErrParseExpectedExpression-260]
+	_ = x[ErrParseExpectedLeftParenAfterCast-261]
+	_ = x[ErrParseExpectedLeftParenValueConstructor-262]
+	_ = x[ErrParseExpectedLeftParenBuiltinFunctionCall-263]
+	_ = x[ErrParseExpectedArgumentDelimiter-264]
+	_ = x[ErrParseCastArity-265]
+	_ = x[ErrParseInvalidTypeParam-266]
+	_ = x[ErrParseEmptySelect-267]
+	_ = x[ErrParseSelectMissingFrom-268]
+	_ = x[ErrParseExpectedIdentForGroupName-269]
+	_ = x[ErrParseExpectedIdentForAlias-270]
+	_ = x[ErrParseUnsupportedCallWithStar-271]
+	_ = x[ErrParseNonUnaryAgregateFunctionCall-272]
+	_ = x[ErrParseMalformedJoin-273]
+	_ = x[ErrParseExpectedIdentForAt-274]
+	_ = x[ErrParseAsteriskIsNotAloneInSelectList-275]
+	_ = x[ErrParseCannotMixSqbAndWildcardInSelectList-276]
+	_ = x[ErrParseInvalidContextForWildcardInSelectList-277]
+	_ = x[ErrIncorrectSQLFunctionArgumentType-278]
+	_ = x[ErrValueParseFailure-279]
+	_ = x[ErrEvaluatorInvalidArguments-280]
+	_ = x[ErrIntegerOverflow-281]
+	_ = x[ErrLikeInvalidInputs-282]
+	_ = x[ErrCastFailed-283]
+	_ = x[ErrInvalidCast-284]
+	_ = x[ErrEvaluatorInvalidTimestampFormatPattern-285]
+	_ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbolForParsing-286]
+	_ = x[ErrEvaluatorTimestampFormatPatternDuplicateFields-287]
+	_ = x[ErrEvaluatorTimestampFormatPatternHourClockAmPmMismatch-288]
+	_ = x[ErrEvaluatorUnterminatedTimestampFormatPatternToken-289]
+	_ = x[ErrEvaluatorInvalidTimestampFormatPatternToken-290]
+	_ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbol-291]
+	_ = x[ErrEvaluatorBindingDoesNotExist-292]
+	_ = x[ErrMissingHeaders-293]
+	_ = x[ErrInvalidColumnIndex-294]
+	_ = x[ErrAdminConfigNotificationTargetsFailed-295]
+	_ = x[ErrAdminProfilerNotEnabled-296]
+	_ = x[ErrInvalidDecompressedSize-297]
+	_ = x[ErrAddUserInvalidArgument-298]
+	_ = x[ErrAdminResourceInvalidArgument-299]
+	_ = x[ErrAdminAccountNotEligible-300]
+	_ = x[ErrAccountNotEligible-301]
+	_ = x[ErrAdminServiceAccountNotFound-302]
+	_ = x[ErrPostPolicyConditionInvalidFormat-303]
+	_ = x[ErrInvalidChecksum-304]
 }
 
-const _APIErrorCode_name = "NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorReplicationNoExistingObjectsObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUploadInvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledPolicyInvalidVersionMissingFieldsMissingCredTagCredMalformedInvalidRegionInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedCredentialRegionMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeadersMissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryParamsBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataMaximumExpiresSlowDownInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectivePolicyAlreadyAttachedPolicyNotAttachedInvalidEncryptionMethodInvalidEncryptionKeyIDInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchContentChecksumMismatchReadQuorumWriteQuorumStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameServerNotInitializedOperationTimedOutClientDisconnectedOperationMaxedOutInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchGroupAdminGroupNotEmptyAdminNoSuchJobAdminNoSuchPolicyAdminPolicyChangeAlreadyAppliedAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminConfigInvalidIDPTypeAdminConfigLDAPValidationAdminConfigIDPCfgNameAlreadyExistsAdminConfigIDPCfgNameDoesNotExistAdminCredentialsMismatchInsecureClientRequestObjectTamperedSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteReplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingAdminRebalanceAlreadyStartedAdminRebalanceNotStartedAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHealOverlappingPathsIncorrectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpectedOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParenAfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasParseUnsupportedCallWithStarParseNonUnaryAgregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInvalidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternSymbolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormatInvalidChecksum"
+const _APIErrorCode_name = "NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorReplicationNoExistingObjectsObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUploadInvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledPolicyInvalidVersionMissingFieldsMissingCredTagCredMalformedInvalidRegionInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedCredentialRegionMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeadersMissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryParamsBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataMaximumExpiresSlowDownInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectivePolicyAlreadyAttachedPolicyNotAttachedInvalidEncryptionMethodInvalidEncryptionKeyIDInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidEncryptionParametersSSECInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchContentChecksumMismatchReadQuorumWriteQuorumStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameServerNotInitializedOperationTimedOutClientDisconnectedOperationMaxedOutInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchGroupAdminGroupNotEmptyAdminNoSuchJobAdminNoSuchPolicyAdminPolicyChangeAlreadyAppliedAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminConfigInvalidIDPTypeAdminConfigLDAPValidationAdminConfigIDPCfgNameAlreadyExistsAdminConfigIDPCfgNameDoesNotExistAdminCredentialsMismatchInsecureClientRequestObjectTamperedSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteReplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingAdminRebalanceAlreadyStartedAdminRebalanceNotStartedAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHealOverlappingPathsIncorrectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpectedOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParenAfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasParseUnsupportedCallWithStarParseNonUnaryAgregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInvalidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternSymbolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormatInvalidChecksum"
 
-var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 146, 159, 171, 193, 213, 239, 253, 274, 291, 306, 329, 346, 364, 381, 405, 420, 441, 459, 471, 491, 508, 531, 552, 564, 582, 603, 631, 661, 682, 705, 731, 768, 798, 831, 856, 888, 918, 947, 972, 994, 1020, 1042, 1070, 1099, 1133, 1164, 1201, 1225, 1253, 1283, 1292, 1304, 1320, 1333, 1347, 1365, 1385, 1406, 1422, 1433, 1449, 1477, 1497, 1513, 1541, 1555, 1572, 1592, 1605, 1619, 1632, 1645, 1661, 1678, 1699, 1713, 1734, 1747, 1769, 1792, 1817, 1833, 1848, 1863, 1884, 1902, 1917, 1934, 1959, 1977, 2000, 2015, 2034, 2050, 2069, 2083, 2091, 2110, 2120, 2135, 2171, 2202, 2235, 2264, 2276, 2296, 2320, 2344, 2365, 2389, 2408, 2429, 2446, 2469, 2491, 2517, 2538, 2556, 2583, 2610, 2631, 2652, 2676, 2701, 2729, 2757, 2773, 2796, 2807, 2819, 2836, 2851, 2869, 2898, 2915, 2931, 2947, 2965, 2983, 3006, 3027, 3050, 3060, 3071, 3082, 3098, 3121, 3138, 3166, 3185, 3205, 3222, 3240, 3257, 3271, 3306, 3325, 3336, 3349, 3364, 3380, 3398, 3412, 3429, 3460, 3480, 3501, 3522, 3541, 3560, 3578, 3601, 3625, 3649, 3674, 3699, 3733, 3766, 3790, 3811, 3825, 3854, 3877, 3904, 3938, 3970, 4000, 4023, 4051, 4079, 4103, 4127, 4156, 4174, 4191, 4213, 4230, 4248, 4268, 4294, 4310, 4329, 4350, 4354, 4372, 4389, 4415, 4429, 4453, 4474, 4489, 4507, 4530, 4545, 4564, 4581, 4598, 4622, 4649, 4672, 4695, 4712, 4734, 4750, 4770, 4789, 4811, 4832, 4852, 4874, 4898, 4917, 4959, 4980, 5003, 5024, 5055, 5074, 5096, 5116, 5142, 5163, 5185, 5205, 5229, 5252, 5271, 5291, 5313, 5336, 5367, 5405, 5446, 5476, 5490, 5511, 5527, 5549, 5579, 5605, 5633, 5666, 5684, 5707, 5742, 5782, 5824, 5856, 5873, 5898, 5913, 5930, 5940, 5951, 5989, 6043, 6089, 6141, 6189, 6232, 6276, 6304, 6318, 6336, 6372, 6395, 6418, 6440, 6468, 6491, 6509, 6536, 6568, 6583}
+var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 146, 159, 171, 193, 213, 239, 253, 274, 291, 306, 329, 346, 364, 381, 405, 420, 441, 459, 471, 491, 508, 531, 552, 564, 582, 603, 631, 661, 682, 705, 731, 768, 798, 831, 856, 888, 918, 947, 972, 994, 1020, 1042, 1070, 1099, 1133, 1164, 1201, 1225, 1253, 1283, 1292, 1304, 1320, 1333, 1347, 1365, 1385, 1406, 1422, 1433, 1449, 1477, 1497, 1513, 1541, 1555, 1572, 1592, 1605, 1619, 1632, 1645, 1661, 1678, 1699, 1713, 1734, 1747, 1769, 1792, 1817, 1833, 1848, 1863, 1884, 1902, 1917, 1934, 1959, 1977, 2000, 2015, 2034, 2050, 2069, 2083, 2091, 2110, 2120, 2135, 2171, 2202, 2235, 2264, 2276, 2296, 2320, 2344, 2365, 2389, 2408, 2429, 2446, 2469, 2491, 2517, 2538, 2556, 2583, 2614, 2641, 2662, 2683, 2707, 2732, 2760, 2788, 2804, 2827, 2838, 2850, 2867, 2882, 2900, 2929, 2946, 2962, 2978, 2996, 3014, 3037, 3058, 3081, 3091, 3102, 3113, 3129, 3152, 3169, 3197, 3216, 3236, 3253, 3271, 3288, 3302, 3337, 3356, 3367, 3380, 3395, 3411, 3429, 3443, 3460, 3491, 3511, 3532, 3553, 3572, 3591, 3609, 3632, 3656, 3680, 3705, 3730, 3764, 3797, 3821, 3842, 3856, 3885, 3908, 3935, 3969, 4001, 4031, 4054, 4082, 4110, 4134, 4158, 4187, 4205, 4222, 4244, 4261, 4279, 4299, 4325, 4341, 4360, 4381, 4385, 4403, 4420, 4446, 4460, 4484, 4505, 4520, 4538, 4561, 4576, 4595, 4612, 4629, 4653, 4680, 4703, 4726, 4743, 4765, 4781, 4801, 4820, 4842, 4863, 4883, 4905, 4929, 4948, 4990, 5011, 5034, 5055, 5086, 5105, 5127, 5147, 5173, 5194, 5216, 5236, 5260, 5283, 5302, 5322, 5344, 5367, 5398, 5436, 5477, 5507, 5521, 5542, 5558, 5580, 5610, 5636, 5664, 5697, 5715, 5738, 5773, 5813, 5855, 5887, 5904, 5929, 5944, 5961, 5971, 5982, 6020, 6074, 6120, 6172, 6220, 6263, 6307, 6335, 6349, 6367, 6403, 6426, 6449, 6471, 6499, 6522, 6540, 6567, 6599, 6614}
 
 func (i APIErrorCode) String() string {
 	if i < 0 || i >= APIErrorCode(len(_APIErrorCode_index)-1) {
diff --git a/cmd/bucket-handlers.go b/cmd/bucket-handlers.go
index 6030d4d23..c4ad33ed4 100644
--- a/cmd/bucket-handlers.go
+++ b/cmd/bucket-handlers.go
@@ -1062,11 +1062,17 @@ func (api objectAPIHandlers) PostPolicyBucketHandler(w http.ResponseWriter, r *h
 		return
 	}
 
-	if crypto.Requested(formValues) && !HasSuffix(object, SlashSeparator) { // handle SSE requests
+	if crypto.Requested(formValues) {
 		if crypto.SSECopy.IsRequested(r.Header) {
 			writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParameters), r.URL)
 			return
 		}
+
+		if crypto.SSEC.IsRequested(r.Header) && isReplicationEnabled(ctx, bucket) {
+			writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParametersSSEC), r.URL)
+			return
+		}
+
 		var (
 			reader io.Reader
 			keyID  string
diff --git a/cmd/bucket-replication.go b/cmd/bucket-replication.go
index 139bf0faa..bf6d0024e 100644
--- a/cmd/bucket-replication.go
+++ b/cmd/bucket-replication.go
@@ -74,6 +74,11 @@ const (
 	ReplicationWorkerMultiplier = 1.5
 )
 
+func isReplicationEnabled(ctx context.Context, bucketName string) bool {
+	rc, _ := getReplicationConfig(ctx, bucketName)
+	return rc != nil
+}
+
 // gets replication config associated to a given bucket name.
 func getReplicationConfig(ctx context.Context, bucketName string) (rc *replication.Config, err error) {
 	rCfg, _, err := globalBucketMetadataSys.GetReplicationConfig(ctx, bucketName)
diff --git a/cmd/encryption-v1.go b/cmd/encryption-v1.go
index 8ab4f91b1..0e3c928cf 100644
--- a/cmd/encryption-v1.go
+++ b/cmd/encryption-v1.go
@@ -55,7 +55,8 @@ var (
 	// Additional MinIO errors for SSE-C requests.
 	errObjectTampered = errors.New("The requested object was modified and may be compromised")
 	// error returned when invalid encryption parameters are specified
-	errInvalidEncryptionParameters = errors.New("The encryption parameters are not applicable to this object")
+	errInvalidEncryptionParameters     = errors.New("The encryption parameters are not applicable to this object")
+	errInvalidEncryptionParametersSSEC = errors.New("SSE-C encryption parameters are not supported on this bucket")
 )
 
 const (
diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index a9163fc33..d9dd259f3 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -1812,12 +1812,17 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
 		metadata[ReservedMetadataPrefixLower+ReplicationStatus] = dsc.PendingStatus()
 	}
 	var objectEncryptionKey crypto.ObjectKey
-	if crypto.Requested(r.Header) && !HasSuffix(object, SlashSeparator) { // handle SSE requests
+	if crypto.Requested(r.Header) {
 		if crypto.SSECopy.IsRequested(r.Header) {
 			writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParameters), r.URL)
 			return
 		}
 
+		if crypto.SSEC.IsRequested(r.Header) && isReplicationEnabled(ctx, bucket) {
+			writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParametersSSEC), r.URL)
+			return
+		}
+
 		reader, objectEncryptionKey, err = EncryptRequest(hashReader, r, bucket, object, metadata)
 		if err != nil {
 			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
@@ -1866,7 +1871,7 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
 		return
 	}
 
-	if r.Header.Get(xMinIOExtract) == "true" && strings.HasSuffix(object, archiveExt) {
+	if r.Header.Get(xMinIOExtract) == "true" && HasSuffix(object, archiveExt) {
 		opts := ObjectOptions{VersionID: objInfo.VersionID, MTime: objInfo.ModTime}
 		if _, err := updateObjectMetadataWithZipInfo(ctx, objectAPI, bucket, object, opts); err != nil {
 			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
@@ -2152,11 +2157,15 @@ func (api objectAPIHandlers) PutObjectExtractHandler(w http.ResponseWriter, r *h
 		}
 
 		var objectEncryptionKey crypto.ObjectKey
-		if crypto.Requested(r.Header) && !HasSuffix(object, SlashSeparator) { // handle SSE requests
+		if crypto.Requested(r.Header) {
 			if crypto.SSECopy.IsRequested(r.Header) {
 				return errInvalidEncryptionParameters
 			}
 
+			if crypto.SSEC.IsRequested(r.Header) && isReplicationEnabled(ctx, bucket) {
+				return errInvalidEncryptionParametersSSEC
+			}
+
 			reader, objectEncryptionKey, err = EncryptRequest(hashReader, r, bucket, object, metadata)
 			if err != nil {
 				return err
diff --git a/cmd/object-multipart-handlers.go b/cmd/object-multipart-handlers.go
index 0ba1dd606..8400fbb93 100644
--- a/cmd/object-multipart-handlers.go
+++ b/cmd/object-multipart-handlers.go
@@ -101,6 +101,11 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
 	encMetadata := map[string]string{}
 
 	if crypto.Requested(r.Header) {
+		if crypto.SSEC.IsRequested(r.Header) && isReplicationEnabled(ctx, bucket) {
+			writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParametersSSEC), r.URL)
+			return
+		}
+
 		if err = setEncryptionMetadata(r, bucket, object, encMetadata); err != nil {
 			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
 			return
@@ -993,7 +998,7 @@ func (api objectAPIHandlers) CompleteMultipartUploadHandler(w http.ResponseWrite
 		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
 		return
 	}
-	if r.Header.Get(xMinIOExtract) == "true" && strings.HasSuffix(object, archiveExt) {
+	if r.Header.Get(xMinIOExtract) == "true" && HasSuffix(object, archiveExt) {
 		opts := ObjectOptions{VersionID: objInfo.VersionID, MTime: objInfo.ModTime}
 		if _, err := updateObjectMetadataWithZipInfo(ctx, objectAPI, bucket, object, opts); err != nil {
 			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
diff --git a/docs/bucket/replication/README.md b/docs/bucket/replication/README.md
index 794507f16..41bc247cf 100644
--- a/docs/bucket/replication/README.md
+++ b/docs/bucket/replication/README.md
@@ -264,6 +264,16 @@ When Bucket Versioning with excluded prefixes are configured objects matching th
 
 In the above sample config, objects under prefixes matching any of the `ExcludedPrefixes` glob patterns will neither be versioned nor replicated.
 
+### SSE-C Encryption
+
+MinIO does not support SSE-C encrypted objects on replicated buckets, any application uploading SSE-C encrypted objects will be rejected with an error on replicated buckets.
+
+#### Rationale
+
+- SSE-C requires application to remember the keys for all GET/PUT operations, any unfortunate loss of keys would automatically mean the objects cannot be accessed anymore.
+- SSE-C is hardly adopted by most widely used applications, applications prefer server to manage the keys via SSE-KMS or SSE-S3.
+- MinIO recommends applications to use SSE-KMS, SSE-S3 for simpler, safer and robust encryption mechanism for replicated buckets.
+
 ## Explore Further
 
 - [MinIO Bucket Replication Design](https://github.com/minio/minio/blob/master/docs/bucket/replication/DESIGN.md)