{ ERR_AMZ_CONTENT_SHA256_MISMATCH, {400, "XAmzContentSHA256Mismatch" }},
{ ERR_INVALID_TAG, {400, "InvalidTag"}},
{ ERR_MALFORMED_ACL_ERROR, {400, "MalformedACLError" }},
+ { ERR_INVALID_ENCRYPTION_ALGORITHM, {400, "InvalidEncryptionAlgorithmError" }},
{ ERR_LENGTH_REQUIRED, {411, "MissingContentLength" }},
{ EACCES, {403, "AccessDenied" }},
{ EPERM, {403, "AccessDenied" }},
ldout(s->cct, 5) << "ERROR: Invalid value for header "
<< "x-amz-server-side-encryption-customer-algorithm"
<< dendl;
- return -ERR_INVALID_REQUEST;
+ s->err.message = "The requested encryption algorithm is not valid, must be AES256.";
+ return -ERR_INVALID_ENCRYPTION_ALGORITHM;
}
if (s->cct->_conf->rgw_crypt_require_ssl &&
!s->info.env->exists("SERVER_PORT_SECURE")) {
ldout(s->cct, 5) << "ERROR: Insecure request, rgw_crypt_require_ssl is set" << dendl;
return -ERR_INVALID_REQUEST;
}
+
std::string key_bin = from_base64(
get_crypt_attribute(s->info.env, parts, X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY) );
if (key_bin.size() != AES_256_CBC::AES_256_KEYSIZE) {
ldout(s->cct, 5) << "ERROR: invalid encryption key size" << dendl;
- return -ERR_INVALID_REQUEST;
+ s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key.";
+ return -EINVAL;
}
boost::string_view keymd5 =
get_crypt_attribute(s->info.env, parts, X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY_MD5);
std::string keymd5_bin = from_base64(keymd5);
if (keymd5_bin.size() != CEPH_CRYPTO_MD5_DIGESTSIZE) {
ldout(s->cct, 5) << "ERROR: Invalid key md5 size" << dendl;
- return -ERR_INVALID_DIGEST;
+ s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key md5.";
+ return -EINVAL;
}
MD5 key_hash;
byte key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
if (memcmp(key_hash_res, keymd5_bin.c_str(), CEPH_CRYPTO_MD5_DIGESTSIZE) != 0) {
ldout(s->cct, 5) << "ERROR: Invalid key md5 hash" << dendl;
- return -ERR_INVALID_DIGEST;
+ s->err.message = "The calculated MD5 hash of the key did not match the hash that was provided.";
+ return -EINVAL;
}
set_attr(attrs, RGW_ATTR_CRYPT_MODE, "SSE-C-AES256");
const char *req_cust_alg =
s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM", NULL);
- if ((nullptr == req_cust_alg) || (strcmp(req_cust_alg, "AES256") != 0)) {
- ldout(s->cct, 5) << "ERROR: Invalid value for header "
+ if (nullptr == req_cust_alg) {
+ ldout(s->cct, 5) << "ERROR: Request for SSE-C encrypted object missing "
<< "x-amz-server-side-encryption-customer-algorithm"
<< dendl;
- return -ERR_INVALID_REQUEST;
+ s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide a valid encryption algorithm.";
+ return -EINVAL;
+ } else if (strcmp(req_cust_alg, "AES256") != 0) {
+ ldout(s->cct, 5) << "ERROR: The requested encryption algorithm is not valid, must be AES256." << dendl;
+ s->err.message = "The requested encryption algorithm is not valid, must be AES256.";
+ return -ERR_INVALID_ENCRYPTION_ALGORITHM;
}
std::string key_bin =
from_base64(s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY", ""));
if (key_bin.size() != AES_256_CBC::AES_256_KEYSIZE) {
ldout(s->cct, 5) << "ERROR: Invalid encryption key size" << dendl;
- return -ERR_INVALID_REQUEST;
+ s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key.";
+ return -EINVAL;
}
std::string keymd5 =
std::string keymd5_bin = from_base64(keymd5);
if (keymd5_bin.size() != CEPH_CRYPTO_MD5_DIGESTSIZE) {
ldout(s->cct, 5) << "ERROR: Invalid key md5 size " << dendl;
- return -ERR_INVALID_DIGEST;
+ s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key md5.";
+ return -EINVAL;
}
MD5 key_hash;
if ((memcmp(key_hash_res, keymd5_bin.c_str(), CEPH_CRYPTO_MD5_DIGESTSIZE) != 0) ||
(get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYMD5) != keymd5_bin)) {
- return -ERR_INVALID_DIGEST;
+ s->err.message = "The calculated MD5 hash of the key did not match the hash that was provided.";
+ return -EINVAL;
}
auto aes = std::unique_ptr<AES_256_CBC>(new AES_256_CBC(s->cct));
aes->set_key(reinterpret_cast<const uint8_t*>(key_bin.c_str()), AES_256_CBC::AES_256_KEYSIZE);
projects / ceph.git / commitdiff