int RGWOp::do_aws4_auth_completion()
{
- int ret;
-
if (s->aws4_auth_needs_complete) {
/* complete */
- ret = RGW_Auth_S3::authorize_aws4_auth_complete(store, s);
+ int ret = RGW_Auth_S3::authorize_aws4_auth_complete(store, s);
s->aws4_auth_needs_complete = false;
if (ret) {
return ret;
}
- /* verify signature */
- if (s->aws4_auth->signature != s->aws4_auth->new_signature) {
- ret = -ERR_SIGNATURE_NO_MATCH;
- ldout(s->cct, 20) << "delayed aws4 auth failed" << dendl;
- return ret;
- }
/* authorization ok */
dout(10) << "v4 auth ok" << dendl;
}
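Review bot: With the local comparison removed, the only failure signal left in this function is the return value of authorize_aws4_auth_complete at L8, and nothing in the hunk says where the signature check now lives, so a future reader could re-add a compare against `s->aws4_auth->signature` / `new_signature`, fields the hunks at L31-41 and L51-72 appear to stop populating. Suggest a comment above L8 such as `/* the client/server signature comparison is done inside the v4 completion path; a non-zero ret is the only failure signal here */`, and the same comment at the surviving `/* authorization ok */` at L83 in the later hunk, whose enclosing function starts outside its hunk. Since `if (ret)` returns early on any non-zero value, a positive return would also be treated as failure; if the callee can only return 0 or a negative error code, stating that in the comment would make the guard's intent explicit.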
* a Canonical Request, and thus verify a Signature. x-amz-content-sha256
* header lets get the information very early -- before seeing first byte
* of HTTP body. As a consequence, we can decouple Signature verification
- * from payload's fingerprint check. Although RadosGW doesn't do that for
- * now, the situation will definitely change in the future.
+ * from payload's fingerprint check.
*
* An HTTP client MUST send x-amz-content-sha256. AFAIK the single exception
* to that is the case of using Query Parameters for doing the auth In such
std::string credential;
std::string signed_hdrs;
+ std::string client_signature;
int ret = rgw::auth::s3::parse_credentials(s->info,
credential,
signed_hdrs,
- s->aws4_auth->signature,
+ client_signature,
s->aws4_auth->date,
using_qs);
if (ret < 0) {
* a Canonical Request, and thus verify a Signature. x-amz-content-sha256
* header lets get the information very early -- before seeing first byte
* of HTTP body. As a consequence, we can decouple Signature verification
- * from payload's fingerprint check. Although RadosGW doesn't do that for
- * now, the situation will definitely change in the future.
+ * from payload's fingerprint check.
*
* An HTTP client MUST send x-amz-content-sha256. AFAIK the single exception
* to that is the case of using Query Parameters for doing the auth In such
s->aws4_auth->signing_key = \
rgw::auth::s3::get_v4_signing_key(s->cct,
s->aws4_auth->credential_scope, k.key);
- s->aws4_auth->new_signature = \
+ const std::string server_signature = \
rgw::auth::s3::get_v4_signature(s->cct, s->aws4_auth->signing_key,
string_to_sign);
ldout(s->cct, 10) << "----------------------------- Verifying signatures" << dendl;
- ldout(s->cct, 10) << "Signature = " << s->aws4_auth->signature << dendl;
- ldout(s->cct, 10) << "New Signature = " << s->aws4_auth->new_signature << dendl;
+ ldout(s->cct, 10) << "Signature = " << client_signature << dendl;
+ ldout(s->cct, 10) << "New Signature = " << server_signature << dendl;
ldout(s->cct, 10) << "-----------------------------" << dendl;
- s->aws4_auth->seed_signature = s->aws4_auth->new_signature;
+ /* verify signature */
+ if (client_signature != server_signature) {
+ ret = -ERR_SIGNATURE_NO_MATCH;
+ ldout(s->cct, 20) << "delayed aws4 auth failed" << dendl;
+ return ret;
+ }
+
+ s->aws4_auth->seed_signature = server_signature;
/* from rfc2616 - 4.3 Message Body
*
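Review bot: The new check at L66 compares the client-supplied signature with the server-computed one via std::string's operator!=, which stops at the first differing byte, so the time to reject varies with how many leading bytes matched; for a MAC/signature comparison a fixed-time compare is the usual expectation. Checking the two lengths up front is fine (they are not secret), but for equal-length values every byte should be folded into an accumulator before the decision is made, as below; `ret` is declared outside this hunk and the enclosing function's boundaries are not visible here. Separately, the failure is logged at level 20 on L68 while both signature values are logged at level 10 on L61-62, so a log at the lower verbosity shows the rejected values but not the rejection; consider logging the failure at level 10 as well, and whether the server-computed signature needs to appear in the log at all.
```cpp
/* … unchanged: signing_key / server_signature computation and logging … */
/* verify signature: fold every byte into the result so the rejection
 * time does not depend on how many leading bytes the client got right */
bool mismatch = client_signature.size() != server_signature.size();
if (!mismatch) {
  unsigned char diff = 0;
  for (size_t i = 0; i < server_signature.size(); ++i) {
    diff |= static_cast<unsigned char>(client_signature[i] ^ server_signature[i]);
  }
  mismatch = (diff != 0);
}
if (mismatch) {
  ret = -ERR_SIGNATURE_NO_MATCH;
  ldout(s->cct, 10) << "delayed aws4 auth failed" << dendl;
  return ret;
}

s->aws4_auth->seed_signature = server_signature;
```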
return err;
}
- /* verify signature */
-
- if (s->aws4_auth->signature != s->aws4_auth->new_signature) {
- return -ERR_SIGNATURE_NO_MATCH;
- }
-
/* authorization ok */
-
dout(10) << "v4 auth ok" << dendl;
/* aws4 auth completed */
return err;
}
- /* verify seed signature */
-
- if (s->aws4_auth->signature != s->aws4_auth->new_signature) {
- dout(10) << "ERROR: AWS4 seed signature does NOT match!" << dendl;
- return -ERR_SIGNATURE_NO_MATCH;
- }
-
dout(10) << "aws4 seed signature ok... delaying v4 auth" << dendl;
s->aws4_auth_needs_complete = false;