return AWS compliant error if SSE-C key is wrong (#5203)

This PR changes the behavior of DecryptRequest.
Instead of returning `object-tampered` if the client provided
key is wrong DecryptRequest will return `access-denied`.

This is AWS S3 behavior.

Fixes #5202
This commit is contained in:
Andreas Auernhammer 2017-11-20 23:04:10 +01:00 committed by Dee Koder
parent fce556b8a0
commit e95c0bb913

View File

@ -253,7 +253,9 @@ func DecryptRequest(client io.Writer, r *http.Request, metadata map[string]strin
Key: keyEncryptionKey,
})
if n != 32 || err != nil {
return nil, errObjectTampered
// Either the provided key does not match or the object was tampered.
// To provide strict AWS S3 compatibility we return: access denied.
return nil, errSSEKeyMismatch
}
writer, err := sio.DecryptWriter(client, sio.Config{Key: objectEncryptionKey.Bytes()})