rgw: encryption SSE-C add the details of error msg in response

Signed-off-by: Enming Zhang <enming.zhang@umcloud.com>
(cherry picked from commit 9502549ac2133e969a5f268601b92fd4063c1bd9)

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 13472446314ab16b9128d4377dd5090dab1e07fd..d10577ef455cb19900b9b6aabcfb019254901ef6 100644 (file)
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -76,6 +76,7 @@ rgw_http_errors rgw_http_s3_errors({
     { ERR_AMZ_CONTENT_SHA256_MISMATCH, {400, "XAmzContentSHA256Mismatch" }},
     { ERR_INVALID_TAG, {400, "InvalidTag"}},
     { ERR_MALFORMED_ACL_ERROR, {400, "MalformedACLError" }},
+    { ERR_INVALID_ENCRYPTION_ALGORITHM, {400, "InvalidEncryptionAlgorithmError" }},
     { ERR_LENGTH_REQUIRED, {411, "MissingContentLength" }},
     { EACCES, {403, "AccessDenied" }},
     { EPERM, {403, "AccessDenied" }},

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index e6e65aa819fac651a89ccef021ba8c81f07dc6ba..d09ceede24bca03e46c3979ba13aaf7b15407671 100644 (file)
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -216,6 +216,7 @@ using ceph::crypto::MD5;
 #define ERR_ZERO_IN_URL          2211
 #define ERR_MALFORMED_ACL_ERROR  2212
 #define ERR_ZONEGROUP_DEFAULT_PLACEMENT_MISCONFIGURATION 2213
+#define ERR_INVALID_ENCRYPTION_ALGORITHM                 2214
 
 #define ERR_BUSY_RESHARDING      2300
 

diff --git a/src/rgw/rgw_crypt.cc b/src/rgw/rgw_crypt.cc
index 4d5b00ff6baafd0edce91996d6e64c49bed9530c..c5c33e6b84ca1ad163856e758e796da0e1e5e15b 100644 (file)
--- a/src/rgw/rgw_crypt.cc
+++ b/src/rgw/rgw_crypt.cc
@@ -1025,25 +1025,29 @@ int rgw_s3_prepare_encrypt(struct req_state* s,
         ldout(s->cct, 5) << "ERROR: Invalid value for header "
                          << "x-amz-server-side-encryption-customer-algorithm"
                          << dendl;
-        return -ERR_INVALID_REQUEST;
+        s->err.message = "The requested encryption algorithm is not valid, must be AES256.";
+        return -ERR_INVALID_ENCRYPTION_ALGORITHM;
       }
       if (s->cct->_conf->rgw_crypt_require_ssl &&
           !s->info.env->exists("SERVER_PORT_SECURE")) {
         ldout(s->cct, 5) << "ERROR: Insecure request, rgw_crypt_require_ssl is set" << dendl;
         return -ERR_INVALID_REQUEST;
       }
+
       std::string key_bin = from_base64(
           get_crypt_attribute(s->info.env, parts, X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY) );
       if (key_bin.size() != AES_256_CBC::AES_256_KEYSIZE) {
         ldout(s->cct, 5) << "ERROR: invalid encryption key size" << dendl;
-        return -ERR_INVALID_REQUEST;
+        s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key.";
+        return -EINVAL;
       }
       boost::string_view keymd5 =
           get_crypt_attribute(s->info.env, parts, X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY_MD5);
       std::string keymd5_bin = from_base64(keymd5);
       if (keymd5_bin.size() != CEPH_CRYPTO_MD5_DIGESTSIZE) {
         ldout(s->cct, 5) << "ERROR: Invalid key md5 size" << dendl;
-        return -ERR_INVALID_DIGEST;
+        s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key md5.";
+        return -EINVAL;
       }
       MD5 key_hash;
       byte key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
@@ -1052,7 +1056,8 @@ int rgw_s3_prepare_encrypt(struct req_state* s,
 
       if (memcmp(key_hash_res, keymd5_bin.c_str(), CEPH_CRYPTO_MD5_DIGESTSIZE) != 0) {
         ldout(s->cct, 5) << "ERROR: Invalid key md5 hash" << dendl;
-        return -ERR_INVALID_DIGEST;
+        s->err.message = "The calculated MD5 hash of the key did not match the hash that was provided.";
+        return -EINVAL;
       }
 
       set_attr(attrs, RGW_ATTR_CRYPT_MODE, "SSE-C-AES256");
@@ -1170,18 +1175,24 @@ int rgw_s3_prepare_decrypt(struct req_state* s,
     const char *req_cust_alg =
         s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM", NULL);
 
-    if ((nullptr == req_cust_alg) || (strcmp(req_cust_alg, "AES256") != 0)) {
-      ldout(s->cct, 5) << "ERROR: Invalid value for header "
+    if (nullptr == req_cust_alg)  {
+      ldout(s->cct, 5) << "ERROR: Request for SSE-C encrypted object missing "
                        << "x-amz-server-side-encryption-customer-algorithm"
                        << dendl;
-      return -ERR_INVALID_REQUEST;
+      s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide a valid encryption algorithm.";
+      return -EINVAL;
+    } else if (strcmp(req_cust_alg, "AES256") != 0) {
+      ldout(s->cct, 5) << "ERROR: The requested encryption algorithm is not valid, must be AES256." << dendl;
+      s->err.message = "The requested encryption algorithm is not valid, must be AES256.";
+      return -ERR_INVALID_ENCRYPTION_ALGORITHM;
     }
 
     std::string key_bin =
         from_base64(s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY", ""));
     if (key_bin.size() != AES_256_CBC::AES_256_KEYSIZE) {
       ldout(s->cct, 5) << "ERROR: Invalid encryption key size" << dendl;
-      return -ERR_INVALID_REQUEST;
+      s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key.";
+      return -EINVAL;
     }
 
     std::string keymd5 =
@@ -1189,7 +1200,8 @@ int rgw_s3_prepare_decrypt(struct req_state* s,
     std::string keymd5_bin = from_base64(keymd5);
     if (keymd5_bin.size() != CEPH_CRYPTO_MD5_DIGESTSIZE) {
       ldout(s->cct, 5) << "ERROR: Invalid key md5 size " << dendl;
-      return -ERR_INVALID_DIGEST;
+      s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key md5.";
+      return -EINVAL;
     }
 
     MD5 key_hash;
@@ -1199,7 +1211,8 @@ int rgw_s3_prepare_decrypt(struct req_state* s,
 
     if ((memcmp(key_hash_res, keymd5_bin.c_str(), CEPH_CRYPTO_MD5_DIGESTSIZE) != 0) ||
         (get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYMD5) != keymd5_bin)) {
-      return -ERR_INVALID_DIGEST;
+      s->err.message = "The calculated MD5 hash of the key did not match the hash that was provided.";
+      return -EINVAL;
     }
     auto aes = std::unique_ptr<AES_256_CBC>(new AES_256_CBC(s->cct));
     aes->set_key(reinterpret_cast<const uint8_t*>(key_bin.c_str()), AES_256_CBC::AES_256_KEYSIZE);