From b97fd470a5ef45c36023eaaff2c86cec8f7e8df7 Mon Sep 17 00:00:00 2001
From: Takeshi Nakatani
Date: Fri, 23 Feb 2024 03:00:59 +0000
Subject: [PATCH] Abort for SSE-KMS encryption type and not SSL/TLS specified

---
 doc/man/s3fs.1.in | 1 +
 src/curl.cpp | 7 +++++++
 src/s3fs_help.cpp | 2 ++
 3 files changed, 10 insertions(+)

diff --git a/doc/man/s3fs.1.in b/doc/man/s3fs.1.in
index 08f6caf..d929edf 100644
--- a/doc/man/s3fs.1.in
+++ b/doc/man/s3fs.1.in
@@ -110,6 +110,7 @@ You can use "k" for short "kmsid".
 If you san specify SSE-KMS type with your in AWS KMS, you can set it after "kmsid:" (or "k:").
 If you specify only "kmsid" ("k"), you need to set AWSSSEKMSID environment which value is .
 You must be careful about that you can not use the KMS id which is not same EC2 region.
+Additionally, if you specify SSE-KMS, your endpoints must use Secure Sockets Layer(SSL) or Transport Layer Security(TLS).
 .TP
 \fB\-o\fR load_sse_c - specify SSE-C keys
 Specify the custom-provided encryption keys file path for decrypting at downloading.
diff --git a/src/curl.cpp b/src/curl.cpp
index ff86ddd..eeefdd1 100644
--- a/src/curl.cpp
+++ b/src/curl.cpp
@@ -898,6 +898,13 @@ bool S3fsCurl::FinalCheckSse()
 S3FS_PRN_ERR("sse type is SSE-KMS, but signature type is not v4. SSE-KMS require signature v4.");
 return false;
 }
+
+ // SSL/TLS is required for KMS
+ //
+ if(!is_prefix(s3host.c_str(), "https://")){
+ S3FS_PRN_ERR("The sse type is SSE-KMS, but it is not configured to use SSL/TLS. SSE-KMS requires SSL/TLS communication.");
+ return false;
+ }
 return true;
 }
 S3FS_PRN_ERR("sse type is unknown(%d).", static_cast(S3fsCurl::ssetype));
diff --git a/src/s3fs_help.cpp b/src/s3fs_help.cpp
index bf2bad5..fad50a6 100644
--- a/src/s3fs_help.cpp
+++ b/src/s3fs_help.cpp
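Review bot: In the src/curl.cpp hunk, the new guard in FinalCheckSse() only tests that s3host starts with `https://`, which confirms the scheme but not that the TLS peer is authenticated. If the mount also disables certificate verification (s3fs's `no_check_certificate` option), SSE-KMS traffic would pass this check while still being open to interception, so I would at least log a warning in that case and record the limit in a comment such as `// NOTE: https:// only proves the scheme; certificate verification can still be disabled by option`. The comparison also looks case-sensitive, so an `HTTPS://` endpoint would presumably be rejected unless the url option is normalized elsewhere, which is not visible here. FinalCheckSse() starts above this hunk, so how s3host is populated cannot be confirmed from the visible lines.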
@@ -128,6 +128,8 @@ static constexpr char help_string[] =
 " environment which value is . You must be careful\n"
 " about that you can not use the KMS id which is not same EC2\n"
 " region.\n"
+ " Additionally, if you specify SSE-KMS, your endpoints must use\n"
+ " Secure Sockets Layer(SSL) or Transport Layer Security(TLS).\n"
 "\n"
 " load_sse_c - specify SSE-C keys\n"
 " Specify the custom-provided encryption keys file path for decrypting\n"