handler/PUT: Handle signature verification through a custom reader. (#2066)

Change brings in a new signVerifyReader which provides an io.Reader
compatible reader and additionally implements a Verify() function.

The Verify() function validates the signature present in the incoming
request. This approach is chosen to avoid the complexities involved
in using io.Pipe().

Thanks to Krishna for his inputs on this.

Fixes #2058
Fixes #2054
Fixes #2087
Harshavardhana
2016-07-05 01:04:50 -07:00
committed by Anand Babu (AB) Periasamy
parent 0540863663
commit 8a028a9efb
18 changed files with 380 additions and 518 deletions


@@ -216,6 +216,11 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, validate
return ErrInvalidAccessKeyID
}
// Hashed payload mismatch, return content sha256 mismatch.
if hashedPayload != req.URL.Query().Get("X-Amz-Content-Sha256") {
return ErrContentSHA256Mismatch
}
// Verify if region is valid.
sRegion := preSignValues.Credential.scope.region
// Should validate region, only if region is set. Some operations
@@ -235,9 +240,8 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, validate
query := make(url.Values)
if req.URL.Query().Get("X-Amz-Content-Sha256") != "" {
query.Set("X-Amz-Content-Sha256", hashedPayload)
} else {
hashedPayload = "UNSIGNED-PAYLOAD"
}
query.Set("X-Amz-Algorithm", signV4Algorithm)
if time.Now().UTC().Sub(preSignValues.Date) > time.Duration(preSignValues.Expires) {
@@ -331,6 +335,11 @@ func doesSignatureMatch(hashedPayload string, r *http.Request, validateRegion bo
return err
}
// Hashed payload mismatch, return content sha256 mismatch.
if hashedPayload != req.Header.Get("X-Amz-Content-Sha256") {
return ErrContentSHA256Mismatch
}
// Extract all the signed headers along with its values.
extractedSignedHeaders := extractSignedHeaders(signV4Values.SignedHeaders, req.Header)
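Review bot: The mismatch check in doesPresignedSignatureMatch compares `hashedPayload` with `req.URL.Query().Get("X-Amz-Content-Sha256")`, and `Get` returns `""` when the parameter is absent, so a presigned request without that parameter passes only if the caller supplies an empty `hashedPayload`. That caller contract is not stated anywhere in the visible lines, and it sits ahead of the `"UNSIGNED-PAYLOAD"` fallback in the second hunk (the +/- markers are lost on this page, so which side that `else` branch is on cannot be confirmed here). I would document it at the check, for example `// hashedPayload must be "" when the URL carries no X-Amz-Content-Sha256; the body is then not bound to the signature.` The same empty-string case applies to `req.Header.Get("X-Amz-Content-Sha256")` in doesSignatureMatch, where a comment saying whether a missing header is meant to be rejected would help. Both function bodies extend beyond the hunks shown.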