Swift3

Bug #1765834
Comment #13

Comment 13 for bug 1765834

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-10-23: Fix merged to swift (stable/rocky)

#13

Reviewed: https://review.opendev.org/689883
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=423f96293b6eb43504b5370e893c280697ed23c9
Submitter: Zuul
Branch: stable/rocky

commit 423f96293b6eb43504b5370e893c280697ed23c9
Author: Tim Burke <email address hidden>
Date: Tue Dec 11 15:29:35 2018 -0800

Verify client input for v4 signatures

This is a combination of 2 commits.

==========

    Previously, we would use the X-Amz-Content-SHA256 value when calculating
    signatures, but wouldn't actually check the content that was sent. This
    would allow a malicious third party that managed to capture the headers
    for an object upload to overwrite that with arbitrary content provided
    they could do so within the 5-minute clock-skew window.

    Now, we wrap the wsgi.input that's sent on to the proxy-server app to
    hash content as it's read and raise an error if there's a mismatch. Note
    that clients using presigned-urls to upload have no defense against a
    similar replay attack.

    Notwithstanding the above security consideration, this *also* provides
    better assurances that the client's payload was received correctly. Note
    that this *does not* attempt to send an etag in footers, however, so the
    proxy-to-object-server connection is not guarded against bit-flips.

In the future, Swift will hopefully grow a way to perform SHA256
verification on the object-server. This would offer two main benefits:

      - End-to-end message integrity checking.
      - Move CPU load of calculating the hash from the proxy (which is
        somewhat CPU-bound) to the object-server (which tends to have CPU to
        spare).

Closes-Bug: 1765834
(cherry picked from commit 3a8f5dbf9c49fdf1cf2d0b7ba35b82f25f88e634)

----------

s3api: Allow clients to upload with UNSIGNED-PAYLOAD

    (Some versions of?) awscli/boto3 will do v4 signatures but send a
    Content-MD5 for end-to-end validation. Since a X-Amz-Content-SHA256
    is still required to calculate signatures, it uses UNSIGNED-PAYLOAD
    similar to how signatures work for pre-signed URLs.

Look for UNSIGNED-PAYLOAD and skip SHA256 validation if set.

(cherry picked from commit 82e446a8a0c0fd6a81f06717b76ed3d1be26a281)
(cherry picked from commit 6ed165cf3f65329beaef9977a5fec24ce3ac0b39)

==========

Change-Id: I61eb12455c37376be4d739eee55a5f439216f0e9

Reviewed:  https://review.opendev.org/689883
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=423f96293b6eb43504b5370e893c280697ed23c9
Submitter: Zuul
Branch:    stable/rocky

commit 423f96293b6eb43504b5370e893c280697ed23c9
Author: Tim Burke <tim.burke@gmail.com>
Date:   Tue Dec 11 15:29:35 2018 -0800

Verify client input for v4 signatures
    
    This is a combination of 2 commits.
    
    ==========
    
    Previously, we would use the X-Amz-Content-SHA256 value when calculating
    signatures, but wouldn't actually check the content that was sent. This
    would allow a malicious third party that managed to capture the headers
    for an object upload to overwrite that with arbitrary content provided
    they could do so within the 5-minute clock-skew window.
    
    Now, we wrap the wsgi.input that's sent on to the proxy-server app to
    hash content as it's read and raise an error if there's a mismatch. Note
    that clients using presigned-urls to upload have no defense against a
    similar replay attack.
    
    Notwithstanding the above security consideration, this *also* provides
    better assurances that the client's payload was received correctly. Note
    that this *does not* attempt to send an etag in footers, however, so the
    proxy-to-object-server connection is not guarded against bit-flips.
    
    In the future, Swift will hopefully grow a way to perform SHA256
    verification on the object-server. This would offer two main benefits:
    
      - End-to-end message integrity checking.
      - Move CPU load of calculating the hash from the proxy (which is
        somewhat CPU-bound) to the object-server (which tends to have CPU to
        spare).
    
    Closes-Bug: 1765834
    (cherry picked from commit 3a8f5dbf9c49fdf1cf2d0b7ba35b82f25f88e634)
    
    ----------
    
    s3api: Allow clients to upload with UNSIGNED-PAYLOAD
    
    (Some versions of?) awscli/boto3 will do v4 signatures but send a
    Content-MD5 for end-to-end validation. Since a X-Amz-Content-SHA256
    is still required to calculate signatures, it uses UNSIGNED-PAYLOAD
    similar to how signatures work for pre-signed URLs.
    
    Look for UNSIGNED-PAYLOAD and skip SHA256 validation if set.
    
    (cherry picked from commit 82e446a8a0c0fd6a81f06717b76ed3d1be26a281)
    (cherry picked from commit 6ed165cf3f65329beaef9977a5fec24ce3ac0b39)
    
    ==========
    
    Change-Id: I61eb12455c37376be4d739eee55a5f439216f0e9