From 8315b7d4b782127a844693a53801d2115af204f6 Mon Sep 17 00:00:00 2001 From: Seena Fallah Date: Fri, 12 Apr 2024 16:36:43 +0200 Subject: [PATCH] rgw: eliminate ssl enforcement for sse-s3 encryption SSE-S3 Encryption does not include any keys in the headers, thus SSL enforcement is unnecessary. Fixes: https://tracker.ceph.com/issues/65462 Signed-off-by: Seena Fallah --- src/rgw/rgw_crypt.cc | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/src/rgw/rgw_crypt.cc b/src/rgw/rgw_crypt.cc index 58874bf22b9d0..2196e982953f0 100644 --- a/src/rgw/rgw_crypt.cc +++ b/src/rgw/rgw_crypt.cc @@ -1149,13 +1149,13 @@ int rgw_s3_prepare_encrypt(req_state* s, optional_yield y, crypt_attributes.get(X_AMZ_SERVER_SIDE_ENCRYPTION); if (! req_sse.empty()) { - if (s->cct->_conf->rgw_crypt_require_ssl && - !rgw_transport_is_secure(s->cct, *s->info.env)) { - ldpp_dout(s, 5) << "ERROR: insecure request, rgw_crypt_require_ssl is set" << dendl; - return -ERR_INVALID_REQUEST; - } - if (req_sse == "aws:kms") { + if (s->cct->_conf->rgw_crypt_require_ssl && + !rgw_transport_is_secure(s->cct, *s->info.env)) { + ldpp_dout(s, 5) << "ERROR: insecure request, rgw_crypt_require_ssl is set" << dendl; + return -ERR_INVALID_REQUEST; + } + std::string_view context = crypt_attributes.get(X_AMZ_SERVER_SIDE_ENCRYPTION_CONTEXT); std::string cooked_context; @@ -1469,11 +1469,6 @@ int rgw_s3_prepare_decrypt(req_state* s, optional_yield y, /* SSE-S3 */ if (stored_mode == "AES256") { - if (s->cct->_conf->rgw_crypt_require_ssl && - !rgw_transport_is_secure(s->cct, *s->info.env)) { - ldpp_dout(s, 5) << "ERROR: Insecure request, rgw_crypt_require_ssl is set" << dendl; - return -ERR_INVALID_REQUEST; - } /* try to retrieve actual key */ std::string key_id = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYID); std::string actual_key; -- 2.39.5