From 624624f06f0f4e392b96d2d73bd34359da952c52 Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Fri, 19 Jan 2024 13:56:21 -0500 Subject: [PATCH] rgw/auth/s3: validate x-amz-content-sha256 for empty payloads when is_v4_payload_empty(), we return a null completer so never try to validate the x-amz-content-sha256 for signed payloads. add this checksum comparison to get_auth_data_v4() before we create the completer Signed-off-by: Casey Bodley (cherry picked from commit 4bb49478fae09ead4646c1baada3bbc9a2555130) --- src/rgw/rgw_rest_s3.cc | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index 69b18a4d29bab..fa008ace900e2 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -5697,6 +5697,19 @@ AWSGeneralAbstractor::get_auth_data_v4(const req_state* const s, std::placeholders::_3, s); + // some ops don't expect a request body at all, so never call complete() to + // validate the payload hash. check empty signed payloads now and return a + // null completer below + constexpr std::string_view empty_sha256sum = // echo -n | sha256sum + "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"; + if (is_v4_payload_empty(s) && + !is_v4_payload_unsigned(exp_payload_hash) && + exp_payload_hash != empty_sha256sum) { + ldpp_dout(s, 4) << "ERROR: empty payload checksum mismatch, expected " + << empty_sha256sum << " got " << exp_payload_hash << dendl; + throw -ERR_AMZ_CONTENT_SHA256_MISMATCH; + } + /* Requests authenticated with the Query Parameters are treated as unsigned. * From "Authenticating Requests: Using Query Parameters (AWS Signature * Version 4)": -- 2.39.5