From aeabac9181cb711bd6f6c2039e44be5000ef7869 Mon Sep 17 00:00:00 2001
From: Klaus Post <klauspost@gmail.com>
Date: Tue, 18 Feb 2025 08:24:01 -0800
Subject: [PATCH] Test checksum types for invalid combinations (#20953)

---
 cmd/api-errors.go                |  2 ++
 cmd/object-api-options.go        |  7 ++-----
 cmd/object-multipart-handlers.go |  2 +-
 internal/hash/checksum.go        | 16 +++++++++++++++-
 4 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/cmd/api-errors.go b/cmd/api-errors.go
index 6ea04d674..13b135dad 100644
--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@@ -2254,6 +2254,8 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) {
 		apiErr = ErrServerNotInitialized
 	case errBucketMetadataNotInitialized:
 		apiErr = ErrBucketMetadataNotInitialized
+	case hash.ErrInvalidChecksum:
+		apiErr = ErrInvalidChecksum
 	}
 
 	// Compression errors
diff --git a/cmd/object-api-options.go b/cmd/object-api-options.go
index ff0a88279..d5ae085e3 100644
--- a/cmd/object-api-options.go
+++ b/cmd/object-api-options.go
@@ -467,13 +467,10 @@ func completeMultipartOpts(ctx context.Context, r *http.Request, bucket, object
 			}
 		}
 	}
+
 	opts.WantChecksum, err = hash.GetContentChecksum(r.Header)
 	if err != nil {
-		return opts, InvalidArgument{
-			Bucket: bucket,
-			Object: object,
-			Err:    fmt.Errorf("invalid/unknown checksum sent: %v", err),
-		}
+		return opts, err
 	}
 	opts.MTime = mtime
 	opts.UserDefined = make(map[string]string)
diff --git a/cmd/object-multipart-handlers.go b/cmd/object-multipart-handlers.go
index 037b1ae21..dfcafbcdf 100644
--- a/cmd/object-multipart-handlers.go
+++ b/cmd/object-multipart-handlers.go
@@ -216,7 +216,7 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
 
 	checksumType := hash.NewChecksumHeader(r.Header)
 	if checksumType.Is(hash.ChecksumInvalid) {
-		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequestParameter), r.URL)
+		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidChecksum), r.URL)
 		return
 	} else if checksumType.IsSet() && !checksumType.Is(hash.ChecksumTrailing) {
 		opts.WantChecksum = &hash.Checksum{Type: checksumType}
diff --git a/internal/hash/checksum.go b/internal/hash/checksum.go
index 4e4c621c2..1018f67a9 100644
--- a/internal/hash/checksum.go
+++ b/internal/hash/checksum.go
@@ -148,8 +148,12 @@ func (c ChecksumType) IsSet() bool {
 // NewChecksumType returns a checksum type based on the algorithm string and obj type.
 func NewChecksumType(alg, objType string) ChecksumType {
 	full := ChecksumFullObject
-	if objType != xhttp.AmzChecksumTypeFullObject {
+	switch objType {
+	case xhttp.AmzChecksumTypeFullObject:
+	case xhttp.AmzChecksumTypeComposite, "":
 		full = 0
+	default:
+		return ChecksumInvalid
 	}
 
 	switch strings.ToUpper(alg) {
@@ -567,6 +571,16 @@ func GetContentChecksum(h http.Header) (*Checksum, error) {
 			}
 		}
 		if res != nil {
+			switch h.Get(xhttp.AmzChecksumType) {
+			case xhttp.AmzChecksumTypeFullObject:
+				if !res.Type.CanMerge() {
+					return nil, ErrInvalidChecksum
+				}
+				res.Type |= ChecksumFullObject
+			case xhttp.AmzChecksumTypeComposite, "":
+			default:
+				return nil, ErrInvalidChecksum
+			}
 			return res, nil
 		}
 	}