From 28409f9ae55e8c02d01f679b48a8b082ccd2657c Mon Sep 17 00:00:00 2001
From: Marcus Watts
Date: Fri, 28 Jan 2022 05:32:14 -0500
Subject: [PATCH] rgw/crypt - fix sse-s3 logic.

The previous logic path was overly eager to do sse-s3. This version ensures that the "no-encryption" case does not default to sse-s3. It also removes some argument sanity checking which is now down before this code is reached.

Signed-off-by: Marcus Watts
---
 src/rgw/rgw_crypt.cc | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/src/rgw/rgw_crypt.cc b/src/rgw/rgw_crypt.cc
index 22a2e2e3ce18b..767e995ed60a9 100644
--- a/src/rgw/rgw_crypt.cc
+++ b/src/rgw/rgw_crypt.cc
@@ -1189,17 +1189,8 @@ int rgw_s3_prepare_encrypt(struct req_state* s,
 return -EINVAL;
 }
 } else {
- /* x-amz-server-side-encryption not present or empty */
- std::string_view key_id =
- crypt_attributes.get(X_AMZ_SERVER_SIDE_ENCRYPTION_AWS_KMS_KEY_ID);
- if (!key_id.empty()) {
- ldpp_dout(s, 5) << "ERROR: SSE-KMS encryption request is missing the header "
- << "x-amz-server-side-encryption"
- << dendl;
- s->err.message = "Server Side Encryption with KMS managed key requires "
- "HTTP header x-amz-server-side-encryption : aws:kms";
- return -EINVAL;
- }
+ /*no encryption*/
+ return 0;
 }
 /* from here on we are only handling SSE-S3 (req_sse=="AES256") */
@@ -1289,9 +1280,10 @@ int rgw_s3_prepare_encrypt(struct req_state* s,
 ::ceph::crypto::zeroize_for_security(actual_key, sizeof(actual_key));
 return 0;
 }
+ s->err.message = "Request specifies Server Side Encryption "
+ "but server configuration does not support this.";
+ return -EINVAL;
 }
- /*no encryption*/
- return 0;
 }
--
2.39.5
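Review bot: The new `else` branch returns 0 whenever x-amz-server-side-encryption is absent or empty, so a request that still carries the aws-kms-key-id header is stored unencrypted unless something rejected it earlier. The commit message says that check now happens before this code is reached, but the place is not visible in this patch. Because this branch decides that an object is written in plaintext, the comment should name where the rejection lives, e.g. `/* no SSE header: store unencrypted; a key-id header without it is rejected earlier in <name the check here> */`. A regression test that sends only the KMS key-id header and expects an error would keep the two places from drifting apart. The body of rgw_s3_prepare_encrypt starts above and continues below this hunk.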
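Review bot: The new fall-through at the end of the SSE-S3 section sets `s->err.message` and returns `-EINVAL` without logging, whereas the error path removed in the first hunk logged through `ldpp_dout` before returning. Failing closed here is the right behaviour, but this looks like a server-side configuration gap, so an operator needs a log line to find it: `ldpp_dout(s, 5) << "ERROR: SSE-S3 requested but no supported backend is configured" << dendl;`. It is also worth confirming that `-EINVAL` produces the status clients should see for a server configuration problem rather than for a malformed request. The enclosing block begins above the hunk.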