fix(sigv4): harden replay window and compares#15
Closed
houseme wants to merge 9 commits into
Closed
Conversation
houseme
force-pushed
the
houseme/issue-3555-sigv4-hardening
branch
from
aa2f397 to
c5018e0
Compare
…via config Restore deterministic timestamps in existing SigV4 and POST policy tests, using presigned_url_max_skew_time_secs: u32::MAX to bypass clock-skew enforcement instead of switching to OffsetDateTime::now_utc(). - Derive stale-request offsets from config in new regression tests - Remove now-unused fmt_current_amz_date from tests.rs - Apply clippy field_reassign_with_default fix
…skew Expose the `now` instant and `S3Config` snapshot as explicit parameters so callers control timing and the caller resolves the config snapshot. Removes the hidden `now_utc()` call and `.snapshot()` resolution inside the function.
Per AWS SigV4 spec, the date in the credential scope must match the date in the x-amz-date header/form-field. Previously the verifier ignored the credential date; add explicit checks in all three SigV4 paths (header auth, POST signature, presigned URL).
Nugine
force-pushed
the
houseme/issue-3555-sigv4-hardening
branch
from
17fbaa3 to
095afbd
Compare
Per AWS SigV4 spec, the signed POST policy must contain eq conditions for x-amz-date, x-amz-credential, and x-amz-algorithm that match the submitted form fields exactly. This closes a replay-window bypass where the clock-skew check trusted the unsigned form field x-amz-date while the signing key only bound YYYYMMDD. - Add PostPolicy::eq_condition_value helper - Validate policy conditions in v4_check_post_signature, before clock-skew check and signature verification - Update test fixtures to include required eq conditions
Nugine
force-pushed
the
houseme/issue-3555-sigv4-hardening
branch
from
095afbd to
43e4f3b
Compare
…TODO - Move x-amz-date extraction, credential-date validation, and clock-skew check before the secret key lookup in v4_check_header_auth so stale requests are rejected before I/O. - Replace remaining S3Error::new + set_message patterns in the new credential-date checks with the s3_error! macro for consistency. - Add TODO in v4_check_post_signature noting the double policy parse (signature verification + later prepare stage) as an optimization target.
Nugine
force-pushed
the
houseme/issue-3555-sigv4-hardening
branch
from
6ef5e4b to
70090fe
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Related Tracking
rustfs/rustfs#3520rustfs/rustfs#3555Verification
cargo fmt --allcargo fmt --all --checkcargo test -p s3s v4_header_auth_rejects_stale_request_time -- --nocapturecargo test -p s3s v4_post_signature_rejects_stale_request_time -- --nocapturecargo test -p s3s sig_v4_signatures_match_reports_match_and_mismatch -- --nocapturecargo test -p s3sjust ci-rustNotes