From e95c0bb91335862487033652649780b555321080 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Mon, 20 Nov 2017 23:04:10 +0100
Subject: [PATCH] return AWS compliant error if SSE-C key is wrong (#5203)
This PR changes the behavior of DecryptRequest. Instead of returning `object-tampered` if the client provided key is wrong DecryptRequest will return `access-denied`. This is AWS S3 behavior.
Fixes #5202
---
 cmd/encryption-v1.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/cmd/encryption-v1.go b/cmd/encryption-v1.go
index 496376fe1..69e3be5f6 100644
--- a/cmd/encryption-v1.go
+++ b/cmd/encryption-v1.go
@@ -253,7 +253,9 @@ func DecryptRequest(client io.Writer, r *http.Request, metadata map[string]strin
 Key: keyEncryptionKey,
 })
 if n != 32 || err != nil {
- return nil, errObjectTampered
+ // Either the provided key does not match or the object was tampered.
+ // To provide strict AWS S3 compatibility we return: access denied.
+ return nil, errSSEKeyMismatch
 }
 writer, err := sio.DecryptWriter(client, sio.Config{Key: objectEncryptionKey.Bytes()})
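Review bot: The branch `if n != 32 || err != nil` now returns `errSSEKeyMismatch` for every failure of the sealed-key decryption, so a wrong client key, a modified sealed key and a short result (`n != 32`) all reach the caller as the same error, and `err` is discarded. Keeping the client-facing answer uniform is reasonable, since it does not reveal which of the two causes occurred, but this is also the only point where the server sees the integrity failure. I would record `err` and `n` in the server-side log before the return, so that operators can still investigate repeated failures on one object. The added comment could state this, e.g. `// Wrong key and modified sealed key are indistinguishable here; the client always gets access denied.` `DecryptRequest` starts and ends outside the hunk and `errSSEKeyMismatch` is not defined in this diff, so its mapping to the S3 access-denied code is taken from the commit message.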