pkg crypto/fips140, func WithoutEnforcement(func()) #74630
pkg crypto/hpke, func AES128GCM() AEAD #75300
pkg crypto/hpke, func AES256GCM() AEAD #75300
pkg crypto/hpke, func ChaCha20Poly1305() AEAD #75300
pkg crypto/hpke, func DHKEM(ecdh.Curve) KEM #75300
pkg crypto/hpke, func ExportOnly() AEAD #75300
pkg crypto/hpke, func HKDFSHA256() KDF #75300
pkg crypto/hpke, func HKDFSHA384() KDF #75300

	iv, nonce := random[:16], random[16:]

	var aead cipher.AEAD
	switch keyType {
	case kms.AES256:
		mac := hmac.New(sha256.New, s.key)
		mac.Write(iv)
		sealingKey := mac.Sum(nil)

		block, err := aes.NewCipher(sealingKey)
		if err != nil {
			return nil, err
		}
		aead, err = cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
	case kms.ChaCha20:

type conn interface {
	// Version returns version information about the KMS.
	//
	// TODO(aead): refactor this API call. It does not account
	// for multiple endpoints.
	Version(context.Context) (string, error)

	// APIs returns a list of APIs supported by the KMS server.
	//
	// TODO(aead): remove this API call. It's hardly useful.
	APIs(context.Context) ([]madmin.KMSAPI, error)

        SMBUtil.writeInt4(this.originalMessageSize, aad, index);
        index += 4;

        // Reserved
        SMBUtil.writeInt2(0, aad, index);
        index += 2;

        // Flags
        SMBUtil.writeInt2(this.flags, aad, index);
        index += 2;

        // Session ID (8 bytes)
        SMBUtil.writeInt8(this.sessionId, aad, index);

        return aad;
    }

	MD5, err := hex.DecodeString(md5Hex)
	if err != nil {
		return nil, BadDigest{ // TODO(aead): Return an error that indicates that an invalid ETag has been specified
			ExpectedMD5:   md5Hex,
			CalculatedMD5: "",
		}
	}
	SHA256, err := hex.DecodeString(sha256Hex)
	if err != nil {
		return nil, SHA256Mismatch{ // TODO(aead): Return an error that indicates that an invalid Content-SHA256 has been specified

        // Verify protocol ID (first 4 bytes) - 0xFD534D42 in little-endian
        assertEquals((byte) 0x42, aad[0]);
        assertEquals((byte) 0x4D, aad[1]);
        assertEquals((byte) 0x53, aad[2]);
        assertEquals((byte) 0xFD, aad[3]);

        // Verify signature is zeroed out (16 bytes of zeros)
        for (int i = 4; i < 20; i++) {

// IsEncrypted reports whether the ETag is encrypted.
func (e ETag) IsEncrypted() bool {
	// An encrypted ETag must be at least 32 bytes long.
	// It contains the encrypted ETag value + an authentication
	// code generated by the AEAD cipher.
	//
	// Here is an incorrect implementation of IsEncrypted:
	//
	//   return len(e) > 16 && !bytes.ContainsRune(e, '-')
	//
	// An encrypted ETag may contain some random bytes - e.g.

	MTime                time.Time // Is only set in POST/PUT operations
	Expires              time.Time // Is only used in POST/PUT operations

	DeleteMarker            bool // Is only set in DELETE operations for delete marker replication
	CheckDMReplicationReady bool // Is delete marker ready to be replicated - set only during HEAD

	golang.org/x/sys v0.32.0
	golang.org/x/term v0.31.0
	golang.org/x/time v0.11.0
	google.golang.org/api v0.230.0
	gopkg.in/yaml.v2 v2.4.0
	gopkg.in/yaml.v3 v3.0.1
)

require (
	aead.dev/mem v0.2.0 // indirect
	aead.dev/minisign v0.3.0 // indirect
	cel.dev/expr v0.23.1 // indirect
	cloud.google.com/go v0.120.1 // indirect
	cloud.google.com/go/auth v0.16.0 // indirect

ARG TARGETARCH
ARG RELEASE

ENV GOPATH=/go
ENV CGO_ENABLED=0

# Install curl and minisign
RUN apk add -U --no-cache ca-certificates && \
    apk add -U --no-cache curl && \
    go install aead.dev/minisign/cmd/minisign@v0.2.1

# Download minio binary and signature files
RUN curl -s -q https://dl.min.io/server/minio/hotfixes/linux-${TARGETARCH}/archive/minio.${RELEASE} -o /go/bin/minio && \