From: Enming Zhang
Date: Fri, 25 Aug 2017 11:37:52 +0000 (+0800)
Subject: rgw: encryption SSE-C add the details of error msg in response
X-Git-Tag: v13.0.1~617^2~3
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=9502549ac2133e969a5f268601b92fd4063c1bd9;p=ceph.git
rgw: encryption SSE-C add the details of error msg in response
Signed-off-by: Enming Zhang
---
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 02b807efc1e..3179675e99e 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -76,6 +76,7 @@ rgw_http_errors rgw_http_s3_errors({
 { ERR_AMZ_CONTENT_SHA256_MISMATCH, {400, "XAmzContentSHA256Mismatch" }},
 { ERR_INVALID_TAG, {400, "InvalidTag"}},
 { ERR_MALFORMED_ACL_ERROR, {400, "MalformedACLError" }},
+ { ERR_INVALID_ENCRYPTION_ALGORITHM, {400, "InvalidEncryptionAlgorithmError" }},
 { ERR_LENGTH_REQUIRED, {411, "MissingContentLength" }},
 { EACCES, {403, "AccessDenied" }},
 { EPERM, {403, "AccessDenied" }},
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index f0e061cb010..ad6de5158ff 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -215,6 +215,7 @@ using ceph::crypto::MD5;
 #define ERR_ZERO_IN_URL 2211
 #define ERR_MALFORMED_ACL_ERROR 2212
 #define ERR_ZONEGROUP_DEFAULT_PLACEMENT_MISCONFIGURATION 2213
+#define ERR_INVALID_ENCRYPTION_ALGORITHM 2214
 #define ERR_BUSY_RESHARDING 2300
diff --git a/src/rgw/rgw_crypt.cc b/src/rgw/rgw_crypt.cc
index e5e0b8cb265..c79653965d1 100644
--- a/src/rgw/rgw_crypt.cc
+++ b/src/rgw/rgw_crypt.cc
@@ -1022,25 +1022,29 @@ int rgw_s3_prepare_encrypt(struct req_state* s, ldout(s->cct, 5) << "ERROR: Invalid value for header " << "x-amz-server-side-encryption-customer-algorithm" << dendl; - return -ERR_INVALID_REQUEST; + s->err.message = "The requested encryption algorithm is not valid, must be AES256."; + return -ERR_INVALID_ENCRYPTION_ALGORITHM; } if (s->cct->_conf->rgw_crypt_require_ssl && !s->info.env->exists("SERVER_PORT_SECURE")) { ldout(s->cct, 5) << "ERROR: Insecure request, rgw_crypt_require_ssl is set" << dendl; return -ERR_INVALID_REQUEST; } + std::string key_bin = from_base64( get_crypt_attribute(s->info.env, parts, X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY) ); if (key_bin.size() != AES_256_CBC::AES_256_KEYSIZE) { ldout(s->cct, 5) << "ERROR: invalid encryption key size" << dendl; - return -ERR_INVALID_REQUEST; + s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key."; + return -EINVAL; } boost::string_view keymd5 = get_crypt_attribute(s->info.env, parts, X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY_MD5); std::string keymd5_bin = from_base64(keymd5); if (keymd5_bin.size() != CEPH_CRYPTO_MD5_DIGESTSIZE) { ldout(s->cct, 5) << "ERROR: Invalid key md5 size" << dendl; - return -ERR_INVALID_DIGEST; + s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key md5."; + return -EINVAL; } MD5 key_hash; byte key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE]; @@ -1049,7 +1053,8 @@ int rgw_s3_prepare_encrypt(struct req_state* s, if (memcmp(key_hash_res, keymd5_bin.c_str(), CEPH_CRYPTO_MD5_DIGESTSIZE) != 0) { ldout(s->cct, 5) << "ERROR: Invalid key md5 hash" << dendl; - return -ERR_INVALID_DIGEST; + s->err.message = "The calculated MD5 hash of the key did not match the hash that was provided."; + return -EINVAL; } set_attr(attrs, RGW_ATTR_CRYPT_MODE, "SSE-C-AES256"); 
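Review bot: The `rgw_crypt_require_ssl` branch in the first rgw_s3_prepare_encrypt hunk is the one rejection there that still returns without setting `s->err.message`, although the algorithm, key-size and key-md5-size branches around it all gain one. A client rejected at that point has, as far as the `SERVER_PORT_SECURE` test can tell, already sent its SSE-C key header over a connection that is not TLS, so this is the case where a clear explanation matters most. I would add `s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must be made over a secure connection.";` before that `return -ERR_INVALID_REQUEST;`. The function begins and ends outside the hunk, so any equivalent check elsewhere in it is not visible here.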
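Review bot: The MD5-mismatch return in the second hunk changes from `-ERR_INVALID_DIGEST` to `-EINVAL`, which changes the S3 error code the client receives and not only the message text the subject line describes. The key-size and key-md5-size returns in the previous hunk and the corresponding returns in the three rgw_s3_prepare_decrypt hunks make the same switch. The `EINVAL` entry of `rgw_http_s3_errors` is not part of this diff, so the resulting code cannot be confirmed from here. If the switch is intended, a comment at the first of these returns would record it, for example `// SSE-C parameter errors are reported as EINVAL; the detail is in s->err.message`.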
@@ -1161,18 +1166,24 @@ int rgw_s3_prepare_decrypt(struct req_state* s, const char *req_cust_alg = s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM", NULL); - if ((nullptr == req_cust_alg) || (strcmp(req_cust_alg, "AES256") != 0)) { - ldout(s->cct, 5) << "ERROR: Invalid value for header " + if (nullptr == req_cust_alg) { + ldout(s->cct, 5) << "ERROR: Request for SSE-C encrypted object missing " << "x-amz-server-side-encryption-customer-algorithm" << dendl; - return -ERR_INVALID_REQUEST; + s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide a valid encryption algorithm."; + return -EINVAL; + } else if (strcmp(req_cust_alg, "AES256") != 0) { + ldout(s->cct, 5) << "ERROR: The requested encryption algorithm is not valid, must be AES256." << dendl; + s->err.message = "The requested encryption algorithm is not valid, must be AES256."; + return -ERR_INVALID_ENCRYPTION_ALGORITHM; } std::string key_bin = from_base64(s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY", "")); if (key_bin.size() != AES_256_CBC::AES_256_KEYSIZE) { ldout(s->cct, 5) << "ERROR: Invalid encryption key size" << dendl; - return -ERR_INVALID_REQUEST; + s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key."; + return -EINVAL; } std::string keymd5 = @@ -1180,7 +1191,8 @@ int rgw_s3_prepare_decrypt(struct req_state* s, std::string keymd5_bin = from_base64(keymd5); if (keymd5_bin.size() != CEPH_CRYPTO_MD5_DIGESTSIZE) { ldout(s->cct, 5) << "ERROR: Invalid key md5 size " << dendl; - return -ERR_INVALID_DIGEST; + s->err.message = "Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key md5."; + return -EINVAL; } MD5 key_hash; 
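Review bot: The response texts added to rgw_s3_prepare_decrypt in this hunk, the next one and the `@@ -1190` hunk repeat character for character the ones added to rgw_s3_prepare_encrypt. The AES256 text appears a third time inside the `ldout` line of the new `else if` branch. Copies like these tend to drift on the next edit, after which the same fault would be worded differently on upload and on download. File-local constants would keep them in step, for example `static const char SSE_C_INVALID_ALGORITHM_MSG[] = "The requested encryption algorithm is not valid, must be AES256.";`, assigned to `s->err.message` in both functions.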
@@ -1190,7 +1202,8 @@ int rgw_s3_prepare_decrypt(struct req_state* s, if ((memcmp(key_hash_res, keymd5_bin.c_str(), CEPH_CRYPTO_MD5_DIGESTSIZE) != 0) || (get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYMD5) != keymd5_bin)) { - return -ERR_INVALID_DIGEST; + s->err.message = "The calculated MD5 hash of the key did not match the hash that was provided."; + return -EINVAL; } auto aes = std::unique_ptr(new AES_256_CBC(s->cct)); aes->set_key(reinterpret_cast(key_bin.c_str()), AES_256_CBC::AES_256_KEYSIZE);
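Review bot: The new message is set for both halves of the `||` condition, but it describes only the first, where the supplied MD5 does not match the MD5 computed from the supplied key. When only the `get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYMD5) != keymd5_bin` comparison fails, the request's key and MD5 agree with each other and simply differ from what is stored for the object, so the text misleads. This branch also writes no log line, whereas the matching branch in rgw_s3_prepare_encrypt logs "ERROR: Invalid key md5 hash", so a read attempted with the wrong key leaves no trace at level 5. I would add `ldout(s->cct, 5) << "ERROR: Invalid key md5 hash" << dendl;` before the assignment, and consider splitting the condition so that each failure gets its own message. The function continues outside the hunk.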