sn/object: Verify header/payload checksums received from remote SNs

Follow 4df4aba.

Signed-off-by: Leonard Lyubich <[email protected]>

Author: cthulhu-rider

CHANGELOG.md

@@ -15,6 +15,7 @@ Changelog for NeoFS Node
 - SN does not sign object GET/HEAD responses to requests with API version > v2.17 (#3406)
 - CLI object `head`/`get` commands now verify header/payload checksums of received objects (#3406)
 - IR now verifies header/payload checksums of received objects (#3406)
+- SN now verifies header/payload checksums of objects received from remote SNs (#3406)
 
 ### Removed
 

pkg/services/object/internal/client/client.go

@@ -148,7 +148,6 @@ func GetObject(prm GetObjectPrm) (*GetObjectRes, error) {
 	}
 
 	prm.cliPrm.WithXHeaders(prm.xHeaders...)
-	prm.cliPrm.SkipChecksumVerification()
 
 	obj, rdr, err := prm.cli.ObjectGetInit(prm.ctx, prm.cnr, prm.obj, prm.signer, prm.cliPrm)
 	if err != nil {
@@ -230,7 +229,6 @@ func HeadObject(prm HeadObjectPrm) (*HeadObjectRes, error) {
 	}
 
 	prm.cliPrm.WithXHeaders(prm.xHeaders...)
-	prm.cliPrm.SkipChecksumVerification()
 
 	hdr, err := prm.cli.ObjectHead(prm.ctx, prm.cnr, prm.obj, prm.signer, prm.cliPrm)
 	if err != nil {

pkg/services/object/server.go

@@ -9,6 +9,7 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
+	"hash"
 	"io"
 	"sync"
 	"time"
@@ -712,14 +713,14 @@ func convertHeadPrm(signer ecdsa.PrivateKey, req *protoobject.HeadRequest, resp
 		var hdr *object.Object
 		return hdr, c.ForEachGRPCConn(ctx, func(ctx context.Context, conn *grpc.ClientConn) error {
 			var err error
-			hdr, err = getHeaderFromRemoteNode(ctx, conn, req)
+			hdr, err = getHeaderFromRemoteNode(ctx, conn, req, addr.Object())
 			return err // TODO: log error
 		})
 	})
 	return p, nil
 }
 
-func getHeaderFromRemoteNode(ctx context.Context, conn *grpc.ClientConn, req *protoobject.HeadRequest) (*object.Object, error) {
+func getHeaderFromRemoteNode(ctx context.Context, conn *grpc.ClientConn, req *protoobject.HeadRequest, reqOID oid.ID) (*object.Object, error) {
 	resp, err := protoobject.NewObjectServiceClient(conn).Head(ctx, req)
 	if err != nil {
 		return nil, fmt.Errorf("sending the request failed: %w", err)
@@ -770,6 +771,10 @@ func getHeaderFromRemoteNode(ctx context.Context, conn *grpc.ClientConn, req *pr
 			return nil, errors.New("missing signature")
 		}
 
+		if err := checkHeaderAgainstID(v.Header.Header, reqOID); err != nil {
+			return nil, err
+		}
+
 		hdr = v.Header.Header
 		idSig = v.Header.Signature
 	case *protoobject.HeadResponse_Body_SplitInfo:
@@ -1101,12 +1106,17 @@ func convertGetPrm(signer ecdsa.PrivateKey, req *protoobject.GetRequest, stream
 	}
 
 	var onceResign sync.Once
-	var onceHdr sync.Once
-	var respondedPayload int
 	meta := req.GetMetaHeader()
 	if meta == nil {
 		return getsvc.Prm{}, errors.New("missing meta header")
 	}
+
+	proxyCtx := getProxyContext{
+		req:        req,
+		reqOID:     addr.Object(),
+		respStream: stream,
+	}
+
 	p.SetRequestForwarder(func(ctx context.Context, node client.NodeInfo, c client.MultiAddressClient) (*object.Object, error) {
 		var err error
 		onceResign.Do(func() {
@@ -1122,7 +1132,7 @@ func convertGetPrm(signer ecdsa.PrivateKey, req *protoobject.GetRequest, stream
 		}
 
 		return nil, c.ForEachGRPCConn(ctx, func(ctx context.Context, conn *grpc.ClientConn) error {
-			err := continueGetFromRemoteNode(ctx, conn, req, stream, &onceHdr, &respondedPayload)
+			err := proxyCtx.continueWithConn(ctx, conn)
 			if errors.Is(err, io.EOF) {
 				return nil
 			}
@@ -1132,8 +1142,19 @@ func convertGetPrm(signer ecdsa.PrivateKey, req *protoobject.GetRequest, stream
 	return p, nil
 }
 
-func continueGetFromRemoteNode(ctx context.Context, conn *grpc.ClientConn, req *protoobject.GetRequest, stream *getStream, onceHdr *sync.Once, respondedPayload *int) error {
-	getStream, err := protoobject.NewObjectServiceClient(conn).Get(ctx, req)
+type getProxyContext struct {
+	req        *protoobject.GetRequest
+	reqOID     oid.ID
+	respStream *getStream
+
+	onceHdr          sync.Once
+	respondedPayload int
+	payloadHashCheck []byte
+	payloadHashGot   hash.Hash
+}
+
+func (x *getProxyContext) continueWithConn(ctx context.Context, conn *grpc.ClientConn) error {
+	getStream, err := protoobject.NewObjectServiceClient(conn).Get(ctx, x.req)
 	if err != nil {
 		return fmt.Errorf("stream opening failed: %w", err)
 	}
@@ -1147,6 +1168,9 @@ func continueGetFromRemoteNode(ctx context.Context, conn *grpc.ClientConn, req *
 				if !headWas {
 					return io.ErrUnexpectedEOF
 				}
+				if !bytes.Equal(x.payloadHashGot.Sum(nil), x.payloadHashCheck) {
+					return errors.New("received payload mismatches checksum from header")
+				}
 				return io.EOF
 			}
 			return fmt.Errorf("reading the response failed: %w", err)
@@ -1167,6 +1191,17 @@ func continueGetFromRemoteNode(ctx context.Context, conn *grpc.ClientConn, req *
 			if v == nil || v.Init == nil {
 				return errors.New("nil header oneof field")
 			}
+
+			if v.Init.Header == nil {
+				return errors.New("invalid response: missing header")
+			}
+			if v.Init.Header.PayloadHash == nil {
+				return errors.New("invalid response: invalid header: missing payload hash")
+			}
+			if err := checkHeaderAgainstID(v.Init.Header, x.reqOID); err != nil {
+				return err
+			}
+
 			mo := &protoobject.Object{
 				ObjectId:  v.Init.ObjectId,
 				Signature: v.Init.Signature,
@@ -1177,27 +1212,31 @@ func continueGetFromRemoteNode(ctx context.Context, conn *grpc.ClientConn, req *
 			if err != nil {
 				return err
 			}
-			onceHdr.Do(func() {
-				err = stream.WriteHeader(obj)
+			x.onceHdr.Do(func() {
+				err = x.respStream.WriteHeader(obj)
 			})
 			if err != nil {
 				return fmt.Errorf("could not write object header in Get forwarder: %w", err)
 			}
+
+			x.payloadHashCheck = v.Init.Header.PayloadHash.Sum
+			x.payloadHashGot = sha256.New()
 		case *protoobject.GetResponse_Body_Chunk:
 			if !headWas {
 				return errors.New("incorrect message sequence")
 			}
 			fullChunk := v.Chunk
-			respChunk := chunkToSend(*respondedPayload, readPayload, fullChunk)
+			respChunk := chunkToSend(x.respondedPayload, readPayload, fullChunk)
 			if len(respChunk) == 0 {
 				readPayload += len(fullChunk)
 				continue
 			}
-			if err := stream.WriteChunk(respChunk); err != nil {
+			if err := x.respStream.WriteChunk(respChunk); err != nil {
 				return fmt.Errorf("could not write object chunk in Get forwarder: %w", err)
 			}
 			readPayload += len(fullChunk)
-			*respondedPayload += len(respChunk)
+			x.respondedPayload += len(respChunk)
+			x.payloadHashGot.Write(respChunk) // never returns an error according to docs
 		case *protoobject.GetResponse_Body_SplitInfo:
 			if v == nil || v.SplitInfo == nil {
 				return errors.New("nil split info oneof field")
@@ -2261,3 +2300,14 @@ func needSignGetResponse(req interface {
 	mjr := ver.GetMajor() // NPE-safe
 	return mjr < 2 || mjr == 2 && ver.GetMinor() <= 17
 }
+
+func checkHeaderAgainstID(hdr *protoobject.Header, id oid.ID) error {
+	b := make([]byte, hdr.MarshaledSize())
+	hdr.MarshalStable(b)
+
+	if oid.NewFromObjectHeaderBinary(b) != id {
+		return errors.New("received header mismatches ID")
+	}
+
+	return nil
+}