std::unique_ptr<BlockCrypt>* block_crypt,
std::map<std::string, std::string>& crypt_http_responses)
{
+ const bool copy_source = s->src_object != nullptr;
+
int res = 0;
std::string stored_mode = get_str_attribute(attrs, RGW_ATTR_CRYPT_MODE);
ldpp_dout(s, 15) << "Encryption mode: " << stored_mode << dendl;
ldpp_dout(s, 5) << "ERROR: Insecure request, rgw_crypt_require_ssl is set" << dendl;
return -ERR_INVALID_REQUEST;
}
- const char *req_cust_alg =
- s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM", NULL);
+ const char *sse_c_algo_hdr = copy_source ? "HTTP_X_AMZ_COPY_SOURCE_SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM" :
+ "HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM";
+ const char *req_cust_alg = s->info.env->get(sse_c_algo_hdr, NULL);
if (nullptr == req_cust_alg) {
ldpp_dout(s, 5) << "ERROR: Request for SSE-C encrypted object missing "
<< "x-amz-server-side-encryption-customer-algorithm"
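Review bot: The missing-algorithm log at the end of this hunk still names `x-amz-server-side-encryption-customer-algorithm` even when `copy_source` is true and the header actually read was the copy-source variant, so an operator triaging a failed copy is pointed at the wrong header. Select the logged name the same way as the lookup, e.g. `<< (copy_source ? "x-amz-copy-source-server-side-encryption-customer-algorithm" : "x-amz-server-side-encryption-customer-algorithm")`. The log statement and the rest of the branch continue outside the visible lines, so the client-facing `s->err.message` may need the same treatment. The key and key-MD5 error messages further down do not name a header and read correctly for both cases.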
return -ERR_INVALID_ENCRYPTION_ALGORITHM;
}
+ const char *sse_c_key_hdr = copy_source ? "HTTP_X_AMZ_COPY_SOURCE_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY" :
+ "HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY";
std::string key_bin;
try {
- key_bin = from_base64(s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY", ""));
+ key_bin = from_base64(s->info.env->get(sse_c_key_hdr, ""));
} catch (...) {
ldpp_dout(s, 5) << "ERROR: rgw_s3_prepare_decrypt invalid encryption key "
<< "which contains character that is not base64 encoded."
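Review bot: The choice at `sse_c_key_hdr` is the second of three identical `copy_source ? … : …` selections (also `sse_c_algo_hdr` above and `sse_c_key_md5_hdr` below), and nothing in the code says why a copy request must read a different header set. A one-line comment where the first selection is made would do, for example `// CopyObject: the source's SSE-C key arrives in x-amz-copy-source-* headers; the plain headers describe the destination`. Deriving the three names in one place, such as a small static helper keyed on `copy_source`, would also keep the algorithm, key and key-MD5 lookups from drifting apart, since a mismatch would check one key against another key's digest. The enclosing function starts before the visible lines.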
return -EINVAL;
}
- std::string keymd5 =
- s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY_MD5", "");
+ const char *sse_c_key_md5_hdr = copy_source ? "HTTP_X_AMZ_COPY_SOURCE_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY_MD5" :
+ "HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY_MD5";
+ std::string keymd5 = s->info.env->get(sse_c_key_md5_hdr, "");
std::string keymd5_bin;
try {
keymd5_bin = from_base64(keymd5);
return -EINVAL;
}
-
if (keymd5_bin.size() != CEPH_CRYPTO_MD5_DIGESTSIZE) {
ldpp_dout(s, 5) << "ERROR: Invalid key md5 size " << dendl;
s->err.message = "Requests specifying Server Side Encryption with Customer "
return 0;
}
-
/*no decryption*/
return 0;
}