From 75ad3164802bc842ff7fc87e0d34823d7ce4d2b8 Mon Sep 17 00:00:00 2001
From: Edwin Rodriguez
Date: Thu, 7 Aug 2025 12:00:01 -0400
Subject: [PATCH] rgw: Update buffer size for HMAC signature and improve signature max size calculation

Move SIGNATURE_MAX_SIZE to public interface of AWSEngine::VersionAbstractor
Use SIGNATURE_MAX_SIZE to size buffer in get_v2_signature

Fixes: https://tracker.ceph.com/issues/72442
Signed-off-by: Edwin Rodriguez
---
 src/rgw/rgw_auth_s3.cc | 13 +++++++------
 src/rgw/rgw_rest_s3.h | 3 ++-
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc
index 3cee81c97d2e2..b1cec840b86c8 100644
--- a/src/rgw/rgw_auth_s3.cc
+++ b/src/rgw/rgw_auth_s3.cc
@@ -1024,12 +1024,13 @@ get_v2_signature(CephContext* const cct,
 const auto digest = calc_hmac_sha1(secret_key, string_to_sign);
- /* 64 is really enough */;
- char buf[64];
- const int ret = ceph_armor(std::begin(buf),
- std::begin(buf) + 64,
- reinterpret_cast(digest.v),
- reinterpret_cast(digest.v + digest.SIZE));
+ /* Sized for signature */;
+ char buf[AWSEngine::VersionAbstractor::SIGNATURE_MAX_SIZE];
+ const int ret = ceph_armor(
+ std::begin(buf),
+ std::begin(buf) + AWSEngine::VersionAbstractor::SIGNATURE_MAX_SIZE,
+ reinterpret_cast(digest.v),
+ reinterpret_cast(digest.v + digest.SIZE));
 if (ret < 0) {
 ldout(cct, 10) << "ceph_armor failed" << dendl;
 throw ret;
diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h
index 337f9f4d11a44..c3213a9dfca13 100644
--- a/src/rgw/rgw_rest_s3.h
+++ b/src/rgw/rgw_rest_s3.h
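Review bot: In get_v2_signature (src/rgw/rgw_auth_s3.cc) the output bound is still spelled out a second time as `std::begin(buf) + AWSEngine::VersionAbstractor::SIGNATURE_MAX_SIZE`, so the array size and the end pointer handed to ceph_armor remain two separately maintained expressions. Deriving the bound from the array itself keeps them from drifting apart in a later edit: pass `std::end(buf),` as the second argument. The new comment line `/* Sized for signature */;` also carries over the stray `;` after the comment, which is an empty statement and can be dropped. The function body starts and ends outside the hunk, so how `buf` and `ret` are consumed after the error check is not visible here.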
@@ -939,13 +939,14 @@ public:
 static constexpr size_t DIGEST_SIZE_V2 = CEPH_CRYPTO_HMACSHA1_DIGESTSIZE;
 static constexpr size_t DIGEST_SIZE_V4 = CEPH_CRYPTO_HMACSHA256_DIGESTSIZE;
+ public:
+
 /* Knowing the signature max size allows us to employ the sstring, and thus
 * avoid dynamic allocations. The multiplier comes from representing digest
 * in the base64-encoded form. */
 static constexpr size_t SIGNATURE_MAX_SIZE = \
 std::max(DIGEST_SIZE_V2, DIGEST_SIZE_V4) * 2 + sizeof('\0');
- public:
 virtual ~VersionAbstractor() {};
 using access_key_id_t = std::string_view;
--
2.39.5
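Review bot: The comment above SIGNATURE_MAX_SIZE attributes the `* 2` multiplier to base64, but base64 grows its input by 4/3 (rounded up to a multiple of four), so the constant is an upper bound rather than the encoded length; now that it is public and sizes a stack buffer in get_v2_signature, that contract is worth stating precisely. I would reword the comment to say the value is a deliberate over-estimate that includes one byte for a terminator, and pin the bound at compile time next to the definition: `static_assert(SIGNATURE_MAX_SIZE > 4 * ((std::max(DIGEST_SIZE_V2, DIGEST_SIZE_V4) + 2) / 3), "base64 signature must fit");`. DIGEST_SIZE_V2 and DIGEST_SIZE_V4 stay above the added `public:`, so they presumably remain non-public and callers can rely only on the combined constant; the class header is outside the hunk.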