Diffstat (limited to 'src/api/common/signature')
-rw-r--r--src/api/common/signature/body.rs2
-rw-r--r--src/api/common/signature/mod.rs1
-rw-r--r--src/api/common/signature/payload.rs25
-rw-r--r--src/api/common/signature/streaming.rs24
4 files changed, 23 insertions, 29 deletions
diff --git a/src/api/common/signature/body.rs b/src/api/common/signature/body.rs
index 4279d7b5..96be0d5b 100644
--- a/src/api/common/signature/body.rs
+++ b/src/api/common/signature/body.rs
@@ -78,7 +78,7 @@ impl ReqBody {
trailer_algorithm,
} = self;
- let (frame_tx, mut frame_rx) = mpsc::channel::<Frame<Bytes>>(1);
+ let (frame_tx, mut frame_rx) = mpsc::channel::<Frame<Bytes>>(5);
let join_checksums = tokio::spawn(async move {
while let Some(frame) = frame_rx.recv().await {
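Review bot: The new capacity in `mpsc::channel::<Frame<Bytes>>(5)` is an unexplained literal on a path that queues client-supplied body frames. Each queued `Frame<Bytes>` stays in memory until the spawned checksum task receives it, so this number is part of the per-request memory bound; the maximum frame size is not visible in this hunk and should be confirmed. I would name the value, e.g. `const CHECKSUM_QUEUE_FRAMES: usize = 5;`, with a comment such as `// frames buffered ahead of the checksum task; bounds per-request memory`. The enclosing method starts and ends outside the hunk.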
diff --git a/src/api/common/signature/mod.rs b/src/api/common/signature/mod.rs
index 78518436..50fbd304 100644
--- a/src/api/common/signature/mod.rs
+++ b/src/api/common/signature/mod.rs
@@ -62,7 +62,6 @@ pub struct VerifiedRequest {
pub request: Request<streaming::ReqBody>,
pub access_key: Key,
pub content_sha256_header: ContentSha256Header,
- // TODO: oneshot chans to retrieve hashes after reading all body
}
pub async fn verify_request(
diff --git a/src/api/common/signature/payload.rs b/src/api/common/signature/payload.rs
index 4ca0153f..2d5f8603 100644
--- a/src/api/common/signature/payload.rs
+++ b/src/api/common/signature/payload.rs
@@ -74,21 +74,16 @@ fn parse_x_amz_content_sha256(header: Option<&str>) -> Result<ContentSha256Heade
} else {
(false, rest)
};
- if algo == AWS4_HMAC_SHA256_PAYLOAD {
- Ok(ContentSha256Header::StreamingPayload {
- trailer,
- signed: true,
- })
- } else if algo == UNSIGNED_PAYLOAD {
- Ok(ContentSha256Header::StreamingPayload {
- trailer,
- signed: false,
- })
- } else {
- Err(Error::bad_request(
- "invalid or unsupported x-amz-content-sha256",
- ))
- }
+ let signed = match algo {
+ AWS4_HMAC_SHA256_PAYLOAD => true,
+ UNSIGNED_PAYLOAD => false,
+ _ => {
+ return Err(Error::bad_request(
+ "invalid or unsupported x-amz-content-sha256",
+ ))
+ }
+ };
+ Ok(ContentSha256Header::StreamingPayload { trailer, signed })
} else {
let sha256 = hex::decode(header)
.ok()
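Review bot: The `UNSIGNED_PAYLOAD => false` arm accepts a streaming body with `signed: false`, and nothing at this site says where that weaker mode is constrained. The only guard visible in this commit is the `!signed && !trailer` rejection in `parse_streaming_body` (streaming.rs), so integrity for this mode presumably rests on the trailer checksum. A comment on the arm would keep that dependency visible, for example `// unsigned chunks: parse_streaming_body must reject this unless a trailer is announced`. The function begins before the hunk and continues after it.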
diff --git a/src/api/common/signature/streaming.rs b/src/api/common/signature/streaming.rs
index 70b6e004..64362727 100644
--- a/src/api/common/signature/streaming.rs
+++ b/src/api/common/signature/streaming.rs
@@ -30,22 +30,12 @@ pub fn parse_streaming_body(
checked_signature.content_sha256_header
);
- let expected_checksums = ExpectedChecksums {
- sha256: match &checked_signature.content_sha256_header {
- ContentSha256Header::Sha256Checksum(sha256) => Some(*sha256),
- _ => None,
- },
- ..Default::default()
- };
-
- let mut checksummer = Checksummer::init(&expected_checksums, false);
-
match checked_signature.content_sha256_header {
ContentSha256Header::StreamingPayload { signed, trailer } => {
// Sanity checks
if !signed && !trailer {
return Err(Error::bad_request(
- "STREAMING-UNSIGNED-PAYLOAD is not a valid combination",
+ "STREAMING-UNSIGNED-PAYLOAD without trailer is not a valid combination",
));
}
@@ -64,6 +54,7 @@ pub fn parse_streaming_body(
}
// If trailer header is announced, add the calculation of the requested checksum
+ let mut checksummer = Checksummer::init(&Default::default(), false);
let trailer_algorithm = if trailer {
let algo = Some(
request_trailer_checksum_algorithm(req.headers())?
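Review bot: The added `let mut checksummer = Checksummer::init(&Default::default(), false);` lands between the comment `// If trailer header is announced, ...` and the `let trailer_algorithm = if trailer {` it describes, so the comment now reads as documenting the initialisation. Placing the new line above the comment keeps the two together. `&Default::default()` also hides that the streaming path starts with no expected checksums; `Checksummer::init(&ExpectedChecksums::default(), false)` with a comment like `// streaming: no checksum expected up front` states it. The function continues outside the hunk.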
@@ -128,12 +119,21 @@ pub fn parse_streaming_body(
ReqBody {
stream: Mutex::new(signed_payload_stream.boxed()),
checksummer,
- expected_checksums,
+ expected_checksums: Default::default(),
trailer_algorithm,
}
}))
}
_ => Ok(req.map(|body| {
+ let expected_checksums = ExpectedChecksums {
+ sha256: match &checked_signature.content_sha256_header {
+ ContentSha256Header::Sha256Checksum(sha256) => Some(*sha256),
+ _ => None,
+ },
+ ..Default::default()
+ };
+ let checksummer = Checksummer::init(&expected_checksums, false);
+
let stream = http_body_util::BodyStream::new(body).map_err(Error::from);
ReqBody {
stream: Mutex::new(stream.boxed()),
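Review bot: In the `_ => Ok(req.map(|body| {` arm, the inner `match &checked_signature.content_sha256_header` ends in `_ => None`, so two wildcards in a row decide whether the body's SHA-256 is verified. If `ContentSha256Header` gains a variant later, it would fall through both and be accepted with `sha256: None` without a compiler error. Binding the digest in the outer match, `ContentSha256Header::Sha256Checksum(sha256) => ...` with `sha256: Some(sha256)`, and naming the remaining variant(s) explicitly instead of `_`, would make that choice exhaustive. The closure continues past the end of the hunk.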