CLDSRV-848: check x-amz-checksum-[crc64nvme, crc32, crc32C, sha1, sha256] headers

leif-scality · leif-scality · commit 12f1006eb562 · 2026-02-18T18:17:44.000+01:00
diff --git a/lib/Config.js b/lib/Config.js
@@ -556,6 +556,7 @@ function parseIntegrityChecks(config) {
         'bucketPutReplication': true,
         'bucketPutVersioning': true,
         'bucketPutWebsite': true,
+        'bucketPutLogging': true,
         'multiObjectDelete': true,
         'objectPutACL': true,
         'objectPutLegalHold': true,
diff --git a/lib/api/api.js b/lib/api/api.js
@@ -300,15 +300,19 @@ const api = {
                     }
 
                     const buff = Buffer.concat(post, bodyLength);
+                    return validateMethodChecksumNoChunking(request, buff, log)
+                        .then(error => {
+                            if (error) {
+                                return next(error);
+                            }
 
-                    const err = validateMethodChecksumNoChunking(request, buff, log);
-                    if (err) {
-                        return next(err);
-                    }
-
-                    // Convert array of post buffers into one string
-                    request.post = buff.toString();
-                    return next(null, userInfo, authorizationResults, streamingV4Params, infos);
+                            // Convert array of post buffers into one string
+                            request.post = buff.toString();
+                            return next(null, userInfo, authorizationResults, streamingV4Params, infos);
+                        })
+                        .catch(error => {
+                            next(error);
+                        });
                 });
                 return undefined;
             },
diff --git a/lib/api/apiUtils/integrity/validateChecksums.js b/lib/api/apiUtils/integrity/validateChecksums.js
@@ -1,36 +1,157 @@
 const crypto = require('crypto');
+const { Crc32 } = require('@aws-crypto/crc32');
+const { Crc32c } = require('@aws-crypto/crc32c');
+const { CrtCrc64Nvme } = require('@aws-sdk/crc64-nvme-crt');
 const { errors: ArsenalErrors } = require('arsenal');
 const { config } = require('../../../Config');
 
 const ChecksumError = Object.freeze({
     MD5Mismatch: 'MD5Mismatch',
+    XAmzMismatch: 'XAmzMismatch',
     MissingChecksum: 'MissingChecksum',
+    AlgoNotSupported: 'AlgoNotSupported',
+    MultipleChecksumTypes: 'MultipleChecksumTypes',
+    MissingCorresponding: 'MissingCorresponding'
 });
 
+// TEMP
+// https://github.com/aws/aws-sdk-js-v3/issues/6744
+// https://stackoverflow.com/questions/77663519/
+// does-aws-s3-allow-specifying-multiple-checksum-values-crc32-crc32c-sha1-and-s
+// Expecting a single x-amz-checksum- header. Multiple checksum Types are not allowed.
+// XAmzContentChecksumMismatch: The provided 'x-amz-checksum' header does not match what was computed.
+
+// TODO:
+// x-amz-checksum-algorithm x2 different
+// x-amz-checksum-algorithm x2 equal
+// x-amz-checksum-algorithm x2 + x-amz-checksum- valid x2
+// x-amz-checksum-algorithm x2 + x-amz-checksum- invalid x2
+// x-amz-checksum-algorithm x2 + x-amz-checksum- mismatch x2
+
+// What to do about the security vuln package?
+// Should we push only to 9.3???
+
+const algorithms = {
+    'crc64nvme': async data => {
+        const crc = new CrtCrc64Nvme();
+        crc.update(data);
+        const result = await crc.digest();
+        return Buffer.from(result).toString('base64');
+    },
+    'crc32': data => uint32ToBase64(new Crc32().update(data).digest() >>> 0),
+    'crc32c': data => uint32ToBase64(new Crc32c().update(data).digest() >>> 0),
+    'sha1': data => crypto.createHash('sha1').update(data).digest('base64'),
+    'sha256': data => crypto.createHash('sha256').update(data).digest('base64'),
+};
+
+function uint32ToBase64(num) {
+    const buf = Buffer.alloc(4);
+    buf.writeUInt32BE(num, 0);
+    return buf.toString('base64');
+}
+
+async function validateXAmzChecksums(headers, body) {
+    const checksumHeaders = Object.keys(headers).filter(header => header.startsWith('x-amz-checksum-'));
+    const xAmzCheckumCnt = checksumHeaders.length;
+    // console.log(headers, body);
+    if (xAmzCheckumCnt > 1) {
+        return { error: ChecksumError.MultipleChecksumTypes, details: null };
+    }
+
+    if ('x-amz-sdk-checksum-algorithm' in headers) {
+        let algo = headers['x-amz-sdk-checksum-algorithm'];
+        if (typeof algo !== 'string') {
+            return { error: ChecksumError.AlgoNotSupported, details: null }; // What if invalid algo like a number?
+        }
+
+        algo = algo.toLowerCase();
+        if (algo in algorithms === false) {
+            return { error: ChecksumError.AlgoNotSupported, details: null };
+        }
+
+        if (`x-amz-checksum-${algo}` in headers === false) {
+            return { error: ChecksumError.MissingCorresponding, details: null };
+        }
+
+        const expected = headers[`x-amz-checksum-${algo}`];
+        const calculated = await algorithms[algo](body);
+        // console.log('EXPECTED:', expected, calculated);
+        if (expected !== calculated) {
+            return { error: ChecksumError.XAmzMismatch, details: null };
+        }
+
+        return null;
+    }
+
+    if (xAmzCheckumCnt === 0) {
+        return { error: ChecksumError.MissingChecksum, details: null };
+    }
+
+    // No x-amz-sdk-checksum-algorithm we expect one x-amz-checksum-[crc64nvme, crc32, crc32C, sha1, sha256].
+    let algo = checksumHeaders[0].split('-')[3];
+    if (typeof algo !== 'string') {
+        return { error: ChecksumError.AlgoNotSupported, details: null }; // What if invalid algo like a number?
+    }
+
+    algo = algo.toLowerCase();
+    if (algo in algorithms === false) {
+        return { error: ChecksumError.AlgoNotSupported, details: null };;
+    }
+
+    const expected = headers[`x-amz-checksum-${algo}`];
+    const calculated = await algorithms[algo](body);
+    if (expected !== calculated) {
+        return { error: ChecksumError.XAmzMismatch, details: null };
+    }
+
+    return null;
+}
+
 /**
  * validateChecksumsNoChunking - Validate the checksums of a request.
  * @param {object} headers - http headers
  * @param {Buffer} body - http request body
  * @return {object} - error
  */
-function validateChecksumsNoChunking(headers, body) {
-    if (headers && 'content-md5' in headers) {
+async function validateChecksumsNoChunking(headers, body) {
+    if (!headers) {
+        return { error: ChecksumError.MissingChecksum, details: null };
+    }
+
+    let md5Present = false;
+    if ('content-md5' in headers) {
         const md5 = crypto.createHash('md5').update(body).digest('base64');
         if (md5 !== headers['content-md5']) {
             return { error: ChecksumError.MD5Mismatch, details: { calculated: md5, expected: headers['content-md5'] } };
         }
 
-        return null;
+        md5Present = true;
+    }
+
+    const err = await validateXAmzChecksums(headers, body);
+    if (err && err.error === ChecksumError.MissingChecksum && !md5Present) {
+        // Return MissingChecksum only if no MD5 and no x-amz-checksum-.
+        return { error: ChecksumError.MissingChecksum, details: null };
+    }
+
+    return err;
+}
+
+async function defaultValidationFunc2(request, body, log) { // Rename
+    const err = await validateChecksumsNoChunking(request.headers, body);
+    if (err) {
+        log.debug('failed checksum validation', { method: request.apiMethod, error: err });
+        return ArsenalErrors.BadDigest; // FIXME: InvalidDigest vs BadDigest
     }
 
-    return { error: ChecksumError.MissingChecksum, details: null };
+    return null;
 }
 
-function defaultValidationFunc(request, body, log) {
-    const err = validateChecksumsNoChunking(request.headers, body);
+async function defaultValidationFunc(request, body, log) { // Rename
+    const err = await validateChecksumsNoChunking(request.headers, body);
     if (err && err.error !== ChecksumError.MissingChecksum) {
         log.debug('failed checksum validation', { method: request.apiMethod }, err);
-        return ArsenalErrors.BadDigest;
+        return ArsenalErrors.BadDigest; // FIXME: InvalidDigest vs BadDigest
     }
 
     return null;
@@ -47,6 +168,7 @@ const methodValidationFunc = Object.freeze({
     'bucketPutReplication': defaultValidationFunc,
     'bucketPutVersioning': defaultValidationFunc,
     'bucketPutWebsite': defaultValidationFunc,
+    'bucketPutLogging': defaultValidationFunc,
     // TODO: DeleteObjects requires a checksum. Should return an error if ChecksumError.MissingChecksum.
     'multiObjectDelete': defaultValidationFunc,
     'objectPutACL': defaultValidationFunc,
@@ -62,14 +184,13 @@ const methodValidationFunc = Object.freeze({
  * @param {object} log - logger
  * @return {object} - error
  */
-function validateMethodChecksumNoChunking(request, body, log) {
+async function validateMethodChecksumNoChunking(request, body, log) {
     if (config.integrityChecks[request.apiMethod]) {
         const validationFunc = methodValidationFunc[request.apiMethod];
         if (!validationFunc) {
-            return null;
+            return null; //await defaultValidationFunc2(request, body, log);
         }
-
-        return validationFunc(request, body, log);
+        return await validationFunc(request, body, log);
     }
 
     return null;
