Diffstat (limited to 'src/api/s3/encryption.rs')
-rw-r--r-- | src/api/s3/encryption.rs | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/src/api/s3/encryption.rs b/src/api/s3/encryption.rs index 29b26a37..f13333b2 100644 --- a/src/api/s3/encryption.rs +++ b/src/api/s3/encryption.rs @@ -37,14 +37,14 @@ const X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM: HeaderName = const X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY: HeaderName = HeaderName::from_static("x-amz-server-side-encryption-customer-key"); const X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY_MD5: HeaderName = - HeaderName::from_static("x-amz-server-side-encryption-customer-key-MD5"); + HeaderName::from_static("x-amz-server-side-encryption-customer-key-md5"); const X_AMZ_COPY_SOURCE_SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM: HeaderName = HeaderName::from_static("x-amz-copy-source-server-side-encryption-customer-algorithm"); const X_AMZ_COPY_SOURCE_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY: HeaderName = HeaderName::from_static("x-amz-copy-source-server-side-encryption-customer-key"); const X_AMZ_COPY_SOURCE_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY_MD5: HeaderName = - HeaderName::from_static("x-amz-copy-source-server-side-encryption-customer-key-MD5"); + HeaderName::from_static("x-amz-copy-source-server-side-encryption-customer-key-md5"); const CUSTOMER_ALGORITHM_AES256: HeaderValue = HeaderValue::from_static("AES256"); @@ -52,8 +52,7 @@ type StreamNonce = aes_gcm::aead::stream::Nonce<Aes256Gcm, StreamLE31<Aes256Gcm> type StreamNonceSize = aes_gcm::aead::stream::NonceSize<Aes256Gcm, StreamLE31<Aes256Gcm>>; const STREAM_ENC_PLAIN_CHUNK_SIZE: usize = 0x1000; // 4096 bytes -const STREAM_ENC_CYPER_CHUNK_SIZE: usize = - STREAM_ENC_CYPER_CHUNK_SIZE + <Aes256Gcm as AeadCore>::TagSize::to_usize(); +const STREAM_ENC_CYPER_CHUNK_SIZE: usize = STREAM_ENC_PLAIN_CHUNK_SIZE + 16; #[derive(Clone, Copy)] pub enum EncryptionParams { @@ -65,6 +64,10 @@ pub enum EncryptionParams { } impl EncryptionParams { + pub fn is_encrypted(&self) -> bool { + matches!(self, Self::SseC { .. }) + } + pub fn new_from_req( garage: &Garage, req: &Request<impl Body>, 
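Review bot: The two `*_KEY_MD5` constants carry no comment saying why the literal must be lowercase, so the mixed-case spelling used in the S3 documentation is easy to paste back in later. `HeaderName::from_static` in the `http` crate panics on uppercase characters, and header names are matched case-insensitively anyway. A line such as `// from_static() panics on uppercase; header names are matched case-insensitively` above the first MD5 constant would record that, and it covers the copy-source MD5 constant later in this hunk as well.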
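Review bot: `STREAM_ENC_PLAIN_CHUNK_SIZE + 16` hard-codes the AES-GCM tag length that the removed lines tried to derive from the cipher type. If the AEAD or its tag size ever changes, the ciphertext chunk size goes out of step without any compile error, and chunk boundaries on the decrypt side would presumably no longer line up with the authentication tags. If typenum's `Unsigned` trait can be brought into scope, `<<Aes256Gcm as AeadCore>::TagSize as Unsigned>::USIZE` works in a const and keeps the derivation. Failing that, name the value: `const STREAM_ENC_TAG_SIZE: usize = 16; // AES-256-GCM authentication tag`. The identifier also reads `CYPER` where `CIPHER` is meant.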
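Review bot: The new `is_encrypted` is public but undocumented, and `matches!(self, Self::SseC { .. })` answers `false` for every other variant, including any encryption mode added later. An exhaustive form, `match self { Self::SseC { .. } => true, Self::Plaintext => false }`, makes the compiler flag this function when a variant is added, so a new encrypted mode cannot be silently reported as unencrypted. A doc line such as `/// Returns true when the object is stored with SSE-C (customer-provided key) encryption.` would state the contract. The enum body and the rest of the `impl` are outside this hunk, so the variant list should be checked against the definition.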
@@ -117,7 +120,7 @@ impl EncryptionParams { key: Option<Key<Aes256Gcm>>, obj_enc: &'a ObjectVersionEncryption, ) -> Result<(Self, Cow<'a, ObjectVersionHeaders>), Error> { - match (key, obj_enc) { + match (key, &obj_enc) { ( Some(client_key), ObjectVersionEncryption::SseC { @@ -136,7 +139,7 @@ impl EncryptionParams { let plaintext = enc.decrypt_blob(&headers)?; let headers = ObjectVersionHeaders::decode(&plaintext) .ok_or_internal_error("Could not decode encrypted headers")?; - Ok((enc, Cow::Borrowed(&headers))) + Ok((enc, Cow::Owned(headers))) } (None, ObjectVersionEncryption::Plaintext { headers }) => { Ok((Self::Plaintext, Cow::Borrowed(headers))) @@ -157,8 +160,7 @@ impl EncryptionParams { ) -> Result<ObjectVersionEncryption, Error> { match self { Self::SseC { - client_key, - compression_level, + compression_level, .. } => { let plaintext = h.encode().map_err(GarageError::from)?; let ciphertext = self.encrypt_blob(&plaintext)?; @@ -367,7 +369,7 @@ impl Stream for DecryptStream { if this.buf.len() >= nonce_size { let nonce = this.buf.take_exact(nonce_size).unwrap(); let nonce = Nonce::from_slice(nonce.as_ref()); - *this.cipher = Some(DecryptorLE31::new(&self.key, nonce)); + *this.cipher = Some(DecryptorLE31::new(&this.key, nonce)); break; } @@ -405,7 +407,7 @@ impl Stream for DecryptStream { let chunk = this.buf.take_max(STREAM_ENC_CYPER_CHUNK_SIZE); // TODO: use decrypt_last for last chunk - let res = this.cipher.as_ref().unwrap().decrypt_next(chunk.as_ref()); + let res = this.cipher.as_mut().unwrap().decrypt_next(chunk.as_ref()); match res { Ok(bytes) => Poll::Ready(Some(Ok(bytes.into()))), Err(_) => Poll::Ready(Some(Err(std::io::Error::new( |
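Review bot: In the last hunk every chunk, including the final one, still goes through `decrypt_next`, as the `// TODO: use decrypt_last for last chunk` above the changed line admits. In the STREAM construction the last-block flag is what lets the reader detect a ciphertext cut off at a chunk boundary. Without `decrypt_last`, either truncated objects are accepted as complete, or, if the writer already finishes with `encrypt_last`, the final chunk never authenticates. Once the inner stream has ended and the buffer holds at most one chunk, the call should be `this.cipher.take().unwrap().decrypt_last(chunk.as_ref())`, since `decrypt_last` consumes the decryptor. The end-of-stream bookkeeping is outside this hunk, so how "last chunk" is detected needs checking against the rest of `poll_next`.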