MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-10-29 15:55:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

return Access Denied for invalid SSE keys (#6432)

Browse Source 
This commit fixes are regression in the server regarding
handling SSE requests with wrong SSE-C keys.

The server now returns an AWS S3 compatable API error (access denied)
in case of the SSE key does not match the secret key used during upload.

Fixes #6431
This commit is contained in:
Andreas Auernhammer 2018-09-06 21:31:12 +02:00 committed by Harshavardhana
parent 5c13765168
commit fd8749f42a
3 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/api-errors.go
View File

@ -1441,7 +1441,7 @@ func toAPIErrorCode(err error) (apiErr APIErrorCode) {
apiErr = ErrSSEEncryptedObject apiErr = ErrSSEEncryptedObject
case errInvalidSSEParameters: case errInvalidSSEParameters:
apiErr = ErrInvalidSSECustomerParameters apiErr = ErrInvalidSSECustomerParameters
case crypto.ErrInvalidCustomerKey: case crypto.ErrInvalidCustomerKey, crypto.ErrSecretKeyMismatch:
apiErr = ErrAccessDenied // no access without correct key apiErr = ErrAccessDenied // no access without correct key
case crypto.ErrIncompatibleEncryptionMethod: case crypto.ErrIncompatibleEncryptionMethod:
apiErr = ErrIncompatibleEncryptionMethod apiErr = ErrIncompatibleEncryptionMethod

4
cmd/crypto/error.go
View File

@ -43,6 +43,10 @@ var (
// base64-encoded string or not 256 bits long. // base64-encoded string or not 256 bits long.
ErrInvalidCustomerKey = errors.New("The SSE-C client key is invalid") ErrInvalidCustomerKey = errors.New("The SSE-C client key is invalid")
// ErrSecretKeyMismatch indicates that the provided secret key (SSE-C client key / SSE-S3 KMS key)
// does not match the secret key used during encrypting the object.
ErrSecretKeyMismatch = errors.New("The secret key does not match the secret key used during upload")
// ErrCustomerKeyMD5Mismatch indicates that the SSE-C key MD5 does not match the // ErrCustomerKeyMD5Mismatch indicates that the SSE-C key MD5 does not match the
// computed MD5 sum. This means that the client provided either the wrong key for // computed MD5 sum. This means that the client provided either the wrong key for
// a certain MD5 checksum or the wrong MD5 for a certain key. // a certain MD5 checksum or the wrong MD5 for a certain key.

2
cmd/crypto/key.go
View File

@ -124,7 +124,7 @@ func (key *ObjectKey) Unseal(extKey [32]byte, sealedKey SealedKey, domain, bucke
} }
if n, err := sio.Decrypt(&decryptedKey, bytes.NewReader(sealedKey.Key[:]), unsealConfig); n != 32 || err != nil { if n, err := sio.Decrypt(&decryptedKey, bytes.NewReader(sealedKey.Key[:]), unsealConfig); n != 32 || err != nil {
return err // TODO(aead): upgrade sio to use sio.Error return ErrSecretKeyMismatch
} }
copy(key[:], decryptedKey.Bytes()) copy(key[:], decryptedKey.Bytes())
return nil return nil