From: Casey Bodley <cbodley@redhat.com>
Date: Fri, 19 Jan 2024 18:56:21 +0000 (-0500)
Subject: rgw/auth/s3: validate x-amz-content-sha256 for empty payloads
X-Git-Tag: testing/wip-xiubli-testing-20240812.080715-reef~11^2~10
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=f8015181084f78a33728b2738148959fd3af9282;p=ceph-ci.git

rgw/auth/s3: validate x-amz-content-sha256 for empty payloads

when is_v4_payload_empty(), we return a null completer so never try to
validate the x-amz-content-sha256 for signed payloads. add this
checksum comparison to get_auth_data_v4() before we create the completer

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 4bb49478fae09ead4646c1baada3bbc9a2555130)
---

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index b28a563bc80..b0f406c40d4 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -5814,6 +5814,19 @@ AWSGeneralAbstractor::get_auth_data_v4(const req_state* const s,
                                      std::placeholders::_3,
                                      s);
 
+  // some ops don't expect a request body at all, so never call complete() to
+  // validate the payload hash. check empty signed payloads now and return a
+  // null completer below
+  constexpr std::string_view empty_sha256sum = // echo -n | sha256sum
+      "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
+  if (is_v4_payload_empty(s) &&
+      !is_v4_payload_unsigned(exp_payload_hash) &&
+      exp_payload_hash != empty_sha256sum) {
+    ldpp_dout(s, 4) << "ERROR: empty payload checksum mismatch, expected "
+        << empty_sha256sum << " got " << exp_payload_hash << dendl;
+    throw -ERR_AMZ_CONTENT_SHA256_MISMATCH;
+  }
+
   /* Requests authenticated with the Query Parameters are treated as unsigned.
    * From "Authenticating Requests: Using Query Parameters (AWS Signature
    * Version 4)":