From fb1529ccfedd29e5dbb92fa151cc80df7e74219a Mon Sep 17 00:00:00 2001
From: chrislu <chris.lu@gmail.com>
Date: Mon, 1 Dec 2025 22:46:05 -0800
Subject: [PATCH] Address review: fail explicitly if baseIV is empty for SSE-S3
 chunk encryption

If DestinationIV is not set when encrypting SSE-S3 chunks, the chunk would
be created without SseMetadata, causing GetObject decryption to fail later.
Now fails explicitly with a clear error message.

Note: calculateIVWithOffset returns ([]byte, int) not ([]byte, error) - the
int is a skip amount for intra-block alignment, not an error code.
---
 weed/s3api/s3api_streaming_copy.go | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/weed/s3api/s3api_streaming_copy.go b/weed/s3api/s3api_streaming_copy.go
index 1759e8f91..94729c003 100644
--- a/weed/s3api/s3api_streaming_copy.go
+++ b/weed/s3api/s3api_streaming_copy.go
@@ -509,21 +509,22 @@ func (scm *StreamingCopyManager) createChunkFromData(data []byte, offset int64,
 			if sseKey, ok := encSpec.DestinationKey.(*SSES3Key); ok {
 				// Calculate chunk-specific IV using base IV and chunk offset
 				baseIV := encSpec.DestinationIV
-				if len(baseIV) > 0 {
-					chunkIV, _ := calculateIVWithOffset(baseIV, offset)
-					// Create chunk key with the chunk-specific IV
-					chunkSSEKey := &SSES3Key{
-						Key:       sseKey.Key,
-						KeyID:     sseKey.KeyID,
-						Algorithm: sseKey.Algorithm,
-						IV:        chunkIV,
-					}
-					chunkMetadata, serErr := SerializeSSES3Metadata(chunkSSEKey)
-					if serErr != nil {
-						return nil, fmt.Errorf("failed to serialize chunk SSE-S3 metadata: %w", serErr)
-					}
-					chunk.SseMetadata = chunkMetadata
+				if len(baseIV) == 0 {
+					return nil, fmt.Errorf("SSE-S3 encryption requires DestinationIV to be set for chunk at offset %d", offset)
 				}
+				chunkIV, _ := calculateIVWithOffset(baseIV, offset)
+				// Create chunk key with the chunk-specific IV
+				chunkSSEKey := &SSES3Key{
+					Key:       sseKey.Key,
+					KeyID:     sseKey.KeyID,
+					Algorithm: sseKey.Algorithm,
+					IV:        chunkIV,
+				}
+				chunkMetadata, serErr := SerializeSSES3Metadata(chunkSSEKey)
+				if serErr != nil {
+					return nil, fmt.Errorf("failed to serialize chunk SSE-S3 metadata: %w", serErr)
+				}
+				chunk.SseMetadata = chunkMetadata
 			}
 		}
 	}