|
|
@ -1200,9 +1200,11 @@ func (s3a *S3ApiServer) decryptSSECChunkView(ctx context.Context, fileChunk *fil |
|
|
return nil, fmt.Errorf("failed to fetch chunk data: %w", err) |
|
|
return nil, fmt.Errorf("failed to fetch chunk data: %w", err) |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
// Decrypt with CTR IV offset adjustment for the view offset within the chunk
|
|
|
|
|
|
|
|
|
// Decrypt with CTR IV offset adjustment for the ABSOLUTE offset in the file
|
|
|
// CTR mode: IV for block N = base_IV + (N / 16)
|
|
|
// CTR mode: IV for block N = base_IV + (N / 16)
|
|
|
adjustedIV := adjustCTRIV(chunkIV, chunkView.OffsetInChunk) |
|
|
|
|
|
|
|
|
// The IV must be adjusted based on the absolute position from the start of the encrypted stream
|
|
|
|
|
|
absoluteOffset := fileChunk.Offset + chunkView.OffsetInChunk |
|
|
|
|
|
adjustedIV := adjustCTRIV(chunkIV, absoluteOffset) |
|
|
return CreateSSECDecryptedReader(encryptedReader, customerKey, adjustedIV) |
|
|
return CreateSSECDecryptedReader(encryptedReader, customerKey, adjustedIV) |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
@ -1229,15 +1231,17 @@ func (s3a *S3ApiServer) decryptSSEKMSChunkView(ctx context.Context, fileChunk *f |
|
|
return nil, fmt.Errorf("failed to fetch chunk data: %w", err) |
|
|
return nil, fmt.Errorf("failed to fetch chunk data: %w", err) |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
// Decrypt with CTR IV offset adjustment
|
|
|
|
|
|
adjustedIV := adjustCTRIV(sseKMSKey.IV, chunkView.OffsetInChunk) |
|
|
|
|
|
|
|
|
// Decrypt with CTR IV offset adjustment for the ABSOLUTE offset in the file
|
|
|
|
|
|
// The IV must be adjusted based on the absolute position from the start of the encrypted stream
|
|
|
|
|
|
absoluteOffset := fileChunk.Offset + chunkView.OffsetInChunk |
|
|
|
|
|
adjustedIV := adjustCTRIV(sseKMSKey.IV, absoluteOffset) |
|
|
adjustedKey := &SSEKMSKey{ |
|
|
adjustedKey := &SSEKMSKey{ |
|
|
KeyID: sseKMSKey.KeyID, |
|
|
KeyID: sseKMSKey.KeyID, |
|
|
EncryptedDataKey: sseKMSKey.EncryptedDataKey, |
|
|
EncryptedDataKey: sseKMSKey.EncryptedDataKey, |
|
|
EncryptionContext: sseKMSKey.EncryptionContext, |
|
|
EncryptionContext: sseKMSKey.EncryptionContext, |
|
|
BucketKeyEnabled: sseKMSKey.BucketKeyEnabled, |
|
|
BucketKeyEnabled: sseKMSKey.BucketKeyEnabled, |
|
|
IV: adjustedIV, |
|
|
IV: adjustedIV, |
|
|
ChunkOffset: chunkView.OffsetInChunk, |
|
|
|
|
|
|
|
|
ChunkOffset: absoluteOffset, |
|
|
} |
|
|
} |
|
|
return CreateSSEKMSDecryptedReader(encryptedReader, adjustedKey) |
|
|
return CreateSSEKMSDecryptedReader(encryptedReader, adjustedKey) |
|
|
} |
|
|
} |
|
|
@ -1263,12 +1267,14 @@ func (s3a *S3ApiServer) decryptSSES3ChunkView(ctx context.Context, fileChunk *fi |
|
|
return nil, fmt.Errorf("failed to deserialize SSE-S3 metadata: %w", err) |
|
|
return nil, fmt.Errorf("failed to deserialize SSE-S3 metadata: %w", err) |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
// Decrypt with CTR IV offset adjustment for the range
|
|
|
|
|
|
|
|
|
// Decrypt with CTR IV offset adjustment for the ABSOLUTE offset in the file
|
|
|
|
|
|
// The IV must be adjusted based on the absolute position from the start of the encrypted stream
|
|
|
iv, err := GetSSES3IV(entry, sseS3Key, keyManager) |
|
|
iv, err := GetSSES3IV(entry, sseS3Key, keyManager) |
|
|
if err != nil { |
|
|
if err != nil { |
|
|
return nil, fmt.Errorf("failed to get SSE-S3 IV: %w", err) |
|
|
return nil, fmt.Errorf("failed to get SSE-S3 IV: %w", err) |
|
|
} |
|
|
} |
|
|
adjustedIV := adjustCTRIV(iv, chunkView.OffsetInChunk) |
|
|
|
|
|
|
|
|
absoluteOffset := fileChunk.Offset + chunkView.OffsetInChunk |
|
|
|
|
|
adjustedIV := adjustCTRIV(iv, absoluteOffset) |
|
|
return CreateSSES3DecryptedReader(encryptedReader, sseS3Key, adjustedIV) |
|
|
return CreateSSES3DecryptedReader(encryptedReader, sseS3Key, adjustedIV) |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
|
chrislu
3 weeks ago