From 70d58a75a9e5567f0d4aac256cb44b3931482023 Mon Sep 17 00:00:00 2001
From: chrislu <chris.lu@gmail.com>
Date: Sun, 16 Nov 2025 16:38:00 -0800
Subject: [PATCH] fix SSE-C IV Mismatch

---
 weed/s3api/s3api_object_handlers.go | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go
index 5abf48eb3..30833b24c 100644
--- a/weed/s3api/s3api_object_handlers.go
+++ b/weed/s3api/s3api_object_handlers.go
@@ -3024,13 +3024,10 @@ func (s3a *S3ApiServer) createMultipartSSECDecryptedReader(r *http.Request, prox
 					return nil, fmt.Errorf("failed to decode IV for SSE-C chunk %s: %v", chunk.GetFileIdString(), ivErr)
 				}
 
-				// Calculate the correct IV for this chunk using within-part offset
-				var chunkIV []byte
-				if ssecMetadata.PartOffset > 0 {
-					chunkIV = calculateIVWithOffset(iv, ssecMetadata.PartOffset)
-				} else {
-					chunkIV = iv
-				}
+				// Note: For multipart SSE-C, each part was encrypted with offset=0
+				// So we use the stored IV directly without offset adjustment
+				// PartOffset is stored for informational purposes, but encryption uses offset=0
+				chunkIV := iv
 
 				decryptedReader, decErr := CreateSSECDecryptedReader(chunkReader, customerKey, chunkIV)
 				if decErr != nil {