rgw/auth/s3: validate x-amz-content-sha256 for empty payloads
authorCasey Bodley <cbodley@redhat.com>
Fri, 19 Jan 2024 18:56:21 +0000 (13:56 -0500)
committerCasey Bodley <cbodley@redhat.com>
Fri, 19 Jan 2024 18:57:36 +0000 (13:57 -0500)
When is_v4_payload_empty() is true, we return a null completer, so we never
try to validate the x-amz-content-sha256 for signed payloads. Add this
checksum comparison to get_auth_data_v4() before we create the completer.

Signed-off-by: Casey Bodley <cbodley@redhat.com>
src/rgw/rgw_rest_s3.cc

index 9791cab8a71e08439c6ebe0e3f29d0f54addf276..a91814c737dce79f901e64c3aa01aad94dd4c990 100644 (file)
@@ -5805,6 +5805,19 @@ AWSGeneralAbstractor::get_auth_data_v4(const req_state* const s,
                                      std::placeholders::_3,
                                      s);
 
+  // some ops don't expect a request body at all, so never call complete() to
+  // validate the payload hash. check empty signed payloads now and return a
+  // null completer below
+  constexpr std::string_view empty_sha256sum = // echo -n | sha256sum
+      "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
+  if (is_v4_payload_empty(s) &&
+      !is_v4_payload_unsigned(exp_payload_hash) &&
+      exp_payload_hash != empty_sha256sum) {
+    ldpp_dout(s, 4) << "ERROR: empty payload checksum mismatch, expected "
+        << empty_sha256sum << " got " << exp_payload_hash << dendl;
+    throw -ERR_AMZ_CONTENT_SHA256_MISMATCH;
+  }
+
   /* Requests authenticated with the Query Parameters are treated as unsigned.
    * From "Authenticating Requests: Using Query Parameters (AWS Signature
    * Version 4)":
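Review bot: The new check at `if (is_v4_payload_empty(s) && !is_v4_payload_unsigned(exp_payload_hash) && ...` exempts only the unsigned-payload value, and it runs ahead of the query-parameter branch whose comment begins right after it, so any other non-digest value in exp_payload_hash now fails with ERR_AMZ_CONTENT_SHA256_MISMATCH on body-less ops. How exp_payload_hash is derived is outside this hunk, so this is a question to confirm rather than a proven regression: can a presigned (query-string) request, or a client sending a streaming sentinel such as `STREAMING-AWS4-HMAC-SHA256-PAYLOAD`, reach this point with is_v4_payload_empty(s) true? If such requests are meant to be rejected, the comment should say so, e.g. `// any signed value other than the empty-body digest is rejected here, including streaming sentinels`; if not, the condition needs a further exemption. A regression test that sends a wrong x-amz-content-sha256 on a body-less op would pin the intended behaviour. get_auth_data_v4() starts and ends outside the hunk.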