add SSE-C support for HEAD, GET, PUT (#4894)

This change adds server-side-encryption support for HEAD, GET and PUT
operations. This PR only addresses single-part PUTs and GETs without
HTTP ranges.

Further this change adds the concept of reserved object metadata which is required
to make encrypted objects tamper-proof and provide API compatibility to AWS S3.
This PR adds the following reserved metadata entries:
- X-Minio-Internal-Server-Side-Encryption-Iv          ('guarantees' tamper-proof property)
- X-Minio-Internal-Server-Side-Encryption-Kdf         (makes Key-MAC computation negotiable in future)
- X-Minio-Internal-Server-Side-Encryption-Key-Mac     (provides AWS S3 API compatibility)

The prefix `X-Minio_Internal` specifies an internal metadata entry which must not
send to clients. All client requests containing a metadata key starting with `X-Minio-Internal`
must also rejected. This is implemented by a generic-handler.

This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt
server-side-encrypted objects on the client-side. However, clients can encrypted the same object
with CSE and SSE-C.

This PR does not address:
 - SSE-C Copy and Copy part
 - SSE-C GET with HTTP ranges
 - SSE-C multipart PUT
 - SSE-C Gateway

Each point must be addressed in a separate PR.

Added to vendor dir:
 - x/crypto/chacha20poly1305
 - x/crypto/poly1305
 - github.com/minio/sio

cmd/api-errors_test.go

@@ -23,116 +23,48 @@ import (
 	"github.com/minio/minio/pkg/hash"
 )
 
+var toAPIErrorCodeTests = []struct {
+	err     error
+	errCode APIErrorCode
+}{
+	{err: hash.BadDigest{}, errCode: ErrBadDigest},
+	{err: hash.SHA256Mismatch{}, errCode: ErrContentSHA256Mismatch},
+	{err: IncompleteBody{}, errCode: ErrIncompleteBody},
+	{err: ObjectExistsAsDirectory{}, errCode: ErrObjectExistsAsDirectory},
+	{err: BucketNameInvalid{}, errCode: ErrInvalidBucketName},
+	{err: BucketExists{}, errCode: ErrBucketAlreadyOwnedByYou},
+	{err: ObjectNotFound{}, errCode: ErrNoSuchKey},
+	{err: ObjectNameInvalid{}, errCode: ErrInvalidObjectName},
+	{err: InvalidUploadID{}, errCode: ErrNoSuchUpload},
+	{err: InvalidPart{}, errCode: ErrInvalidPart},
+	{err: InsufficientReadQuorum{}, errCode: ErrReadQuorum},
+	{err: InsufficientWriteQuorum{}, errCode: ErrWriteQuorum},
+	{err: UnsupportedDelimiter{}, errCode: ErrNotImplemented},
+	{err: InvalidMarkerPrefixCombination{}, errCode: ErrNotImplemented},
+	{err: InvalidUploadIDKeyCombination{}, errCode: ErrNotImplemented},
+	{err: MalformedUploadID{}, errCode: ErrNoSuchUpload},
+	{err: PartTooSmall{}, errCode: ErrEntityTooSmall},
+	{err: BucketNotEmpty{}, errCode: ErrBucketNotEmpty},
+	{err: BucketNotFound{}, errCode: ErrNoSuchBucket},
+	{err: StorageFull{}, errCode: ErrStorageFull},
+	{err: NotImplemented{}, errCode: ErrNotImplemented},
+	{err: errSignatureMismatch, errCode: ErrSignatureDoesNotMatch},
+
+	// SSE-C errors
+	{err: errInsecureSSERequest, errCode: ErrInsecureSSECustomerRequest},
+	{err: errInvalidSSEAlgorithm, errCode: ErrInvalidSSECustomerAlgorithm},
+	{err: errMissingSSEKey, errCode: ErrMissingSSECustomerKey},
+	{err: errInvalidSSEKey, errCode: ErrInvalidSSECustomerKey},
+	{err: errMissingSSEKeyMD5, errCode: ErrMissingSSECustomerKeyMD5},
+	{err: errSSEKeyMD5Mismatch, errCode: ErrSSECustomerKeyMD5Mismatch},
+	{err: errObjectTampered, errCode: ErrObjectTampered},
+
+	{err: nil, errCode: ErrNone},
+	{err: errors.New("Custom error"), errCode: ErrInternalError}, // Case where err type is unknown.
+}
+
 func TestAPIErrCode(t *testing.T) {
-	testCases := []struct {
-		err     error
-		errCode APIErrorCode
-	}{
-		// Valid cases.
-		{
-			hash.BadDigest{},
-			ErrBadDigest,
-		},
-		{
-			hash.SHA256Mismatch{},
-			ErrContentSHA256Mismatch,
-		},
-		{
-			IncompleteBody{},
-			ErrIncompleteBody,
-		},
-		{
-			ObjectExistsAsDirectory{},
-			ErrObjectExistsAsDirectory,
-		},
-		{
-			BucketNameInvalid{},
-			ErrInvalidBucketName,
-		},
-		{
-			BucketExists{},
-			ErrBucketAlreadyOwnedByYou,
-		},
-		{
-			ObjectNotFound{},
-			ErrNoSuchKey,
-		},
-		{
-			ObjectNameInvalid{},
-			ErrInvalidObjectName,
-		},
-		{
-			InvalidUploadID{},
-			ErrNoSuchUpload,
-		},
-		{
-			InvalidPart{},
-			ErrInvalidPart,
-		},
-		{
-			InsufficientReadQuorum{},
-			ErrReadQuorum,
-		},
-		{
-			InsufficientWriteQuorum{},
-			ErrWriteQuorum,
-		},
-		{
-			UnsupportedDelimiter{},
-			ErrNotImplemented,
-		},
-		{
-			InvalidMarkerPrefixCombination{},
-			ErrNotImplemented,
-		},
-		{
-			InvalidUploadIDKeyCombination{},
-			ErrNotImplemented,
-		},
-		{
-			MalformedUploadID{},
-			ErrNoSuchUpload,
-		},
-		{
-			PartTooSmall{},
-			ErrEntityTooSmall,
-		},
-		{
-			BucketNotEmpty{},
-			ErrBucketNotEmpty,
-		},
-		{
-			BucketNotFound{},
-			ErrNoSuchBucket,
-		},
-		{
-			StorageFull{},
-			ErrStorageFull,
-		},
-		{
-			NotImplemented{},
-			ErrNotImplemented,
-		},
-		{
-			errSignatureMismatch,
-			ErrSignatureDoesNotMatch,
-		}, // End of all valid cases.
-
-		// Case where err is nil.
-		{
-			nil,
-			ErrNone,
-		},
-
-		// Case where err type is unknown.
-		{
-			errors.New("Custom error"),
-			ErrInternalError,
-		},
-	}
-
-	// Validate all the errors with their API error codes.
-	for i, testCase := range testCases {
+	for i, testCase := range toAPIErrorCodeTests {
 		errCode := toAPIErrorCode(testCase.err)
 		if errCode != testCase.errCode {
 			t.Errorf("Test %d: Expected error code %d, got %d", i+1, testCase.errCode, errCode)