From ccb3c1edc0a45dfaadb5c4a4aa6700d0b8c8d92f Mon Sep 17 00:00:00 2001
From: hechuang
Date: Thu, 29 Jun 2017 10:38:23 +0800
Subject: [PATCH] rgw: Data encryption is not follow the AWS agreement
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Encryption request headers should not be sent for GET requests and HEAD requests if your object uses SSE-KMS/SSE-S3 or you’ll get an HTTP 400 BadRequest error.

Signed-off-by: hechuang
(cherry picked from commit dfe1a7c1e6c470d623c70d83c32cc5b7a921bbc5)
---
 src/rgw/rgw_crypt.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/rgw/rgw_crypt.cc b/src/rgw/rgw_crypt.cc
index 88abd3b833d6..4d5b00ff6baa 100644
--- a/src/rgw/rgw_crypt.cc
+++ b/src/rgw/rgw_crypt.cc
@@ -1155,6 +1155,12 @@ int rgw_s3_prepare_decrypt(struct req_state* s,
 int res = 0;
 std::string stored_mode = get_str_attribute(attrs, RGW_ATTR_CRYPT_MODE);
 ldout(s->cct, 15) << "Encryption mode: " << stored_mode << dendl;
+
+ const char *req_sse = s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION", NULL);
+ if (nullptr != req_sse && (s->op == OP_GET || s->op == OP_HEAD)) {
+ return -ERR_INVALID_REQUEST;
+ }
+
 if (stored_mode == "SSE-C-AES256") {
 if (s->cct->_conf->rgw_crypt_require_ssl &&
 !s->info.env->exists("SERVER_PORT_SECURE")) {
--
2.47.3
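Review bot: The new guard returns -ERR_INVALID_REQUEST without logging anything, so a 400 on GET/HEAD leaves no trace in the gateway log even though the function already reports the stored mode through ldout just above; add a line such as `ldout(s->cct, 5) << "ERROR: x-amz-server-side-encryption header is not allowed on GET/HEAD" << dendl;` before the return. The check also runs before stored_mode is examined, so it applies to every object that reaches this function, including SSE-C ones, while the commit message scopes the rule to SSE-KMS/SSE-S3 objects; if the broader rejection is intended, a one-line comment saying so would keep a later maintainer from narrowing it by accident. Since req_sse is only tested for null, `s->info.env->exists("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION")` would match the exists() call a few lines below and avoid mixing NULL with nullptr. rgw_s3_prepare_decrypt starts and ends outside the hunk.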