Diffstat (limited to 'weed/s3api/s3api_put_handlers.go')
-rw-r--r--weed/s3api/s3api_put_handlers.go24
1 files changed, 20 insertions, 4 deletions
diff --git a/weed/s3api/s3api_put_handlers.go b/weed/s3api/s3api_put_handlers.go
index fafd2f329..ea797a8bb 100644
--- a/weed/s3api/s3api_put_handlers.go
+++ b/weed/s3api/s3api_put_handlers.go
@@ -100,20 +100,28 @@ func (s3a *S3ApiServer) handleSSEKMSEncryption(r *http.Request, dataReader io.Re
if baseIVHeader != "" {
// Decode the base IV from the header
baseIV, decodeErr := base64.StdEncoding.DecodeString(baseIVHeader)
- if decodeErr != nil || len(baseIV) != 16 {
+ if decodeErr != nil {
+ glog.Errorf("handleSSEKMSEncryption: failed to decode base IV: %v", decodeErr)
+ return nil, nil, nil, s3err.ErrInternalError
+ }
+ if len(baseIV) != 16 {
+ glog.Errorf("handleSSEKMSEncryption: invalid base IV length: %d (expected 16)", len(baseIV))
return nil, nil, nil, s3err.ErrInternalError
}
// Use the provided base IV with unique part offset for multipart upload consistency
+ glog.V(4).Infof("handleSSEKMSEncryption: creating encrypted reader with baseIV=%x, partOffset=%d", baseIV[:8], partOffset)
encryptedReader, sseKey, encErr = CreateSSEKMSEncryptedReaderWithBaseIVAndOffset(dataReader, keyID, encryptionContext, bucketKeyEnabled, baseIV, partOffset)
- glog.V(4).Infof("Using provided base IV %x for SSE-KMS encryption", baseIV[:8])
} else {
// Generate a new IV for single-part uploads
+ glog.V(4).Infof("handleSSEKMSEncryption: creating encrypted reader for single-part (no base IV)")
encryptedReader, sseKey, encErr = CreateSSEKMSEncryptedReaderWithBucketKey(dataReader, keyID, encryptionContext, bucketKeyEnabled)
}
if encErr != nil {
+ glog.Errorf("handleSSEKMSEncryption: encryption failed: %v", encErr)
return nil, nil, nil, s3err.ErrInternalError
}
+ glog.V(3).Infof("handleSSEKMSEncryption: encryption successful, keyID=%s", keyID)
// Prepare SSE-KMS metadata for later header setting
sseKMSMetadata, metaErr := SerializeSSEKMSMetadata(sseKey)
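Review bot: Both new failure branches for the base IV (the decode error and the length check) still map a malformed header value to `s3err.ErrInternalError`, i.e. a 500, even though the value comes from the request header and the two checks are pure input validation. If this header can be set by an S3 client and not only by the multipart part handler (its origin is outside the hunk), a bad value is a client error and should surface as a 4xx, for example `return nil, nil, nil, s3err.ErrInvalidRequest`, and the `glog.Errorf` on those paths becomes a log line any client can trigger at will, so `glog.Warningf` or a V-level is more appropriate there. A short comment at the decode would also help the next reader, e.g. `// base IV is supplied by the caller; reject anything that is not exactly one AES block`. The `baseIV[:8]` slice added on the debug line is safe because it follows the length check. handleSSEKMSEncryption starts before this hunk and continues after it.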
@@ -151,12 +159,20 @@ func (s3a *S3ApiServer) handleSSES3MultipartEncryption(r *http.Request, dataRead
}
// Use the provided base IV with unique part offset for multipart upload consistency
- encryptedReader, _, encErr := CreateSSES3EncryptedReaderWithBaseIV(dataReader, key, baseIV, partOffset)
+ // CRITICAL: Capture the derived IV returned by CreateSSES3EncryptedReaderWithBaseIV
+ // This function calculates adjustedIV = calculateIVWithOffset(baseIV, partOffset)
+ // We MUST store this derived IV in metadata, not the base IV, for decryption to work
+ encryptedReader, derivedIV, encErr := CreateSSES3EncryptedReaderWithBaseIV(dataReader, key, baseIV, partOffset)
if encErr != nil {
return nil, nil, s3err.ErrInternalError
}
- glog.V(4).Infof("handleSSES3MultipartEncryption: using provided base IV %x", baseIV[:8])
+ // Update the key with the derived IV so it gets serialized into chunk metadata
+ // This ensures decryption uses the correct offset-adjusted IV
+ key.IV = derivedIV
+
+ glog.V(4).Infof("handleSSES3MultipartEncryption: using base IV %x, derived IV %x for offset %d",
+ baseIV[:8], derivedIV[:8], partOffset)
return encryptedReader, key, s3err.ErrNone
}
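Review bot: `key.IV = derivedIV` overwrites the IV on the `key` object in place rather than on a copy, so correctness now depends on `key` being a per-call value; if it is a pointer taken from shared per-upload state (its origin is outside the hunk, as handleSSES3MultipartEncryption starts before this hunk), two parts of the same upload encrypted concurrently would race on that field and one of them would record the other part's offset-adjusted IV. If `key` is a pointer, assign into a copy and return that, e.g. `partKey := *key`, `partKey.IV = derivedIV`, `return encryptedReader, &partKey, s3err.ErrNone`; otherwise a one-line comment stating that `key` is a private copy would settle the question for readers. The debug line also slices `derivedIV[:8]` without a length check; that is fine only if CreateSSES3EncryptedReaderWithBaseIV guarantees a full-length IV on success, which is worth confirming or guarding with `len(derivedIV) >= 8`.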