Coverage Report

Created: 2026-07-16 06:10

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/curl/lib/http_aws_sigv4.c
Line
Count
Source
1
/***************************************************************************
2
 *                                  _   _ ____  _
3
 *  Project                     ___| | | |  _ \| |
4
 *                             / __| | | | |_) | |
5
 *                            | (__| |_| |  _ <| |___
6
 *                             \___|\___/|_| \_\_____|
7
 *
8
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9
 *
10
 * This software is licensed as described in the file COPYING, which
11
 * you should have received as part of this distribution. The terms
12
 * are also available at https://curl.se/docs/copyright.html.
13
 *
14
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15
 * copies of the Software, and permit persons to whom the Software is
16
 * furnished to do so, under the terms of the COPYING file.
17
 *
18
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19
 * KIND, either express or implied.
20
 *
21
 * SPDX-License-Identifier: curl
22
 *
23
 ***************************************************************************/
24
#include "curl_setup.h"
25
26
#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_AWS)
27
28
#include "urldata.h"
29
#include "strcase.h"
30
#include "curlx/strdup.h"
31
#include "http_aws_sigv4.h"
32
#include "curl_sha256.h"
33
#include "transfer.h"
34
#include "curl_trc.h"
35
#include "escape.h"
36
#include "curlx/strparse.h"
37
#include "slist.h"
38
39
#include <time.h>
40
41
#define HMAC_SHA256(k, kl, d, dl, o)                 \
42
0
  do {                                               \
43
0
    result = Curl_hmacit(&Curl_HMAC_SHA256,          \
44
0
                         (const unsigned char *)(k), \
45
0
                         kl,                         \
46
0
                         (const unsigned char *)(d), \
47
0
                         dl, o);                     \
48
0
    if(result) {                                     \
49
0
      goto fail;                                     \
50
0
    }                                                \
51
0
  } while(0)
52
53
0
#define TIMESTAMP_SIZE 17
54
55
/* hex-encoded with null-terminator */
56
0
#define SHA256_HEX_LENGTH ((2 * CURL_SHA256_DIGEST_LENGTH) + 1)
57
58
0
#define MAX_QUERY_COMPONENTS 128
59
60
struct pair {
61
  struct dynbuf key;
62
  struct dynbuf value;
63
};
64
65
static void sha256_to_hex(char *dst, unsigned char *sha)
66
0
{
67
0
  Curl_hexencode(sha, CURL_SHA256_DIGEST_LENGTH,
68
0
                 (unsigned char *)dst, SHA256_HEX_LENGTH);
69
0
}
70
71
static char *find_date_hdr(struct Curl_easy *data, const char *sig_hdr)
72
0
{
73
0
  char *tmp = Curl_checkheaders(data, sig_hdr, strlen(sig_hdr));
74
75
0
  if(tmp)
76
0
    return tmp;
77
0
  return Curl_checkheaders(data, STRCONST("Date"));
78
0
}
79
80
/* remove whitespace, and lowercase all headers */
81
static void trim_headers(struct curl_slist *head)
82
0
{
83
0
  struct curl_slist *l;
84
0
  for(l = head; l; l = l->next) {
85
0
    const char *value; /* to read from */
86
0
    char *store;
87
0
    size_t colon = strcspn(l->data, ":");
88
0
    Curl_strntolower(l->data, l->data, colon);
89
90
0
    value = &l->data[colon];
91
0
    if(!*value)
92
0
      continue;
93
0
    ++value;
94
0
    store = (char *)CURL_UNCONST(value);
95
96
    /* skip leading whitespace */
97
0
    curlx_str_passblanks(&value);
98
99
0
    while(*value) {
100
0
      int space = 0;
101
0
      while(ISBLANK(*value)) {
102
0
        value++;
103
0
        space++;
104
0
      }
105
0
      if(space) {
106
        /* replace any number of consecutive whitespace with a single space,
107
           unless at the end of the string, then nothing */
108
0
        if(*value)
109
0
          *store++ = ' ';
110
0
      }
111
0
      else
112
0
        *store++ = *value++;
113
0
    }
114
0
    *store = 0; /* null-terminate */
115
0
  }
116
0
}
117
118
/*
119
 * Frees all allocated strings in a dynbuf pair array, and the dynbuf itself
120
 */
121
static void pair_array_free(struct pair *pair_array, size_t num_elements)
122
0
{
123
0
  size_t index;
124
125
0
  for(index = 0; index != num_elements; index++) {
126
0
    curlx_dyn_free(&pair_array[index].key);
127
0
    curlx_dyn_free(&pair_array[index].value);
128
0
  }
129
0
}
130
131
/*
132
 * Frees all allocated strings in a split dynbuf, and the dynbuf itself
133
 */
134
static void dyn_array_free(struct dynbuf *db, size_t num_elements)
135
0
{
136
0
  size_t index;
137
138
0
  for(index = 0; index < num_elements; index++)
139
0
    curlx_dyn_free((&db[index]));
140
0
}
141
142
/*
143
 * Splits source string by SPLIT_BY, and creates an array of dynbuf in db.
144
 * db is initialized by this function.
145
 * Caller is responsible for freeing the array elements with dyn_array_free
146
 */
147
148
0
#define SPLIT_BY '&'
149
150
static CURLcode split_to_dyn_array(const char *source,
151
                                   struct dynbuf db[MAX_QUERY_COMPONENTS],
152
                                   size_t *num_splits_out)
153
0
{
154
0
  CURLcode result = CURLE_OK;
155
0
  size_t len = strlen(source);
156
0
  size_t pos;         /* Position in result buffer */
157
0
  size_t start = 0;   /* Start of current segment */
158
0
  size_t segment_length = 0;
159
0
  size_t index = 0;
160
0
  size_t num_splits = 0;
161
162
  /* Split source_ptr on SPLIT_BY and store the segment offsets and length in
163
   * array */
164
0
  for(pos = 0; pos < len; pos++) {
165
0
    if(source[pos] == SPLIT_BY) {
166
0
      if(segment_length) {
167
0
        curlx_dyn_init(&db[index], segment_length + 1);
168
0
        result = curlx_dyn_addn(&db[index], &source[start], segment_length);
169
0
        if(result)
170
0
          goto fail;
171
172
0
        segment_length = 0;
173
0
        index++;
174
0
        if(++num_splits == MAX_QUERY_COMPONENTS) {
175
0
          result = CURLE_TOO_LARGE;
176
0
          goto fail;
177
0
        }
178
0
      }
179
0
      start = pos + 1;
180
0
    }
181
0
    else {
182
0
      segment_length++;
183
0
    }
184
0
  }
185
186
0
  if(segment_length) {
187
0
    curlx_dyn_init(&db[index], segment_length + 1);
188
0
    result = curlx_dyn_addn(&db[index], &source[start], segment_length);
189
0
    if(!result) {
190
0
      if(++num_splits == MAX_QUERY_COMPONENTS)
191
0
        result = CURLE_TOO_LARGE;
192
0
    }
193
0
  }
194
0
fail:
195
0
  *num_splits_out = num_splits;
196
0
  return result;
197
0
}
198
199
static bool is_reserved_char(const char c)
200
0
{
201
0
  return (ISALNUM(c) || ISURLPUNTCS(c));
202
0
}
203
204
static CURLcode uri_encode_path(struct Curl_str *original_path,
205
                                struct dynbuf *new_path)
206
0
{
207
0
  const char *p = curlx_str(original_path);
208
0
  size_t i;
209
210
0
  for(i = 0; i < curlx_strlen(original_path); i++) {
211
    /* Do not encode slashes or unreserved chars from RFC 3986 */
212
0
    CURLcode result = CURLE_OK;
213
0
    unsigned char c = p[i];
214
0
    if(is_reserved_char(c) || c == '/')
215
0
      result = curlx_dyn_addn(new_path, &c, 1);
216
0
    else
217
0
      result = curlx_dyn_addf(new_path, "%%%02X", c);
218
0
    if(result)
219
0
      return result;
220
0
  }
221
222
0
  return CURLE_OK;
223
0
}
224
225
/* Normalize the query part. Make sure %2B is left percent encoded, and not
226
   decoded to plus, then encoded to space.
227
*/
228
static CURLcode normalize_query(const char *string, size_t len,
229
                                struct dynbuf *db)
230
0
{
231
0
  CURLcode result = CURLE_OK;
232
233
0
  while(len && !result) {
234
0
    unsigned char in = (unsigned char)*string;
235
0
    if(('%' == in) && (len > 2) &&
236
0
       ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
237
      /* this is two hexadecimal digits following a '%' */
238
0
      in = (unsigned char)((curlx_hexval(string[1]) << 4) |
239
0
                           curlx_hexval(string[2]));
240
0
      string += 3;
241
0
      len -= 3;
242
0
      if(in == '+') {
243
        /* decodes to plus, so leave this encoded */
244
0
        result = curlx_dyn_addn(db, "%2B", 3);
245
0
        continue;
246
0
      }
247
0
    }
248
0
    else {
249
0
      string++;
250
0
      len--;
251
0
    }
252
253
0
    if(is_reserved_char(in))
254
      /* Escape unreserved chars from RFC 3986 */
255
0
      result = curlx_dyn_addn(db, &in, 1);
256
0
    else if(in == '+')
257
      /* Encode '+' as space */
258
0
      result = curlx_dyn_add(db, "%20");
259
0
    else
260
0
      result = curlx_dyn_addf(db, "%%%02X", in);
261
0
  }
262
263
0
  return result;
264
0
}
265
266
static bool should_urlencode(struct Curl_str *service_name)
267
0
{
268
  /*
269
   * These services require unmodified (not additionally URL-encoded) URL
270
   * paths.
271
   * should_urlencode == true is equivalent to should_urlencode_uri_path
272
   * from the AWS SDK. Urls are already normalized by the curl URL parser
273
   */
274
0
  if(curlx_str_cmp(service_name, "s3") ||
275
0
     curlx_str_cmp(service_name, "s3-express") ||
276
0
     curlx_str_cmp(service_name, "s3-outposts")) {
277
0
    return FALSE;
278
0
  }
279
0
  return TRUE;
280
0
}
281
282
/* maximum length for the aws sivg4 parts */
283
0
#define MAX_SIGV4_LEN    64
284
0
#define DATE_HDR_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Date"))
285
286
/* string been x-PROVIDER-date:TIMESTAMP, I need +1 for ':' */
287
0
#define DATE_FULL_HDR_LEN (DATE_HDR_KEY_LEN + TIMESTAMP_SIZE + 1)
288
289
/* alphabetically compare two headers by their name, expecting
290
   headers to use ':' at this point */
291
static int compare_header_names(const char *a, const char *b)
292
0
{
293
0
  const char *colon_a;
294
0
  const char *colon_b;
295
0
  size_t len_a;
296
0
  size_t len_b;
297
0
  size_t min_len;
298
0
  int cmp;
299
300
0
  colon_a = strchr(a, ':');
301
0
  colon_b = strchr(b, ':');
302
303
0
  DEBUGASSERT(colon_a);
304
0
  DEBUGASSERT(colon_b);
305
306
0
  len_a = colon_a ? (size_t)(colon_a - a) : strlen(a);
307
0
  len_b = colon_b ? (size_t)(colon_b - b) : strlen(b);
308
309
0
  min_len = (len_a < len_b) ? len_a : len_b;
310
311
0
  cmp = strncmp(a, b, min_len);
312
313
  /* return the shorter of the two if one is shorter */
314
0
  if(!cmp)
315
0
    return (int)(len_a - len_b);
316
317
0
  return cmp;
318
0
}
319
320
/* Merge duplicate header definitions by comma delimiting their values
321
   in the order defined the headers are defined, expecting headers to
322
   be alpha-sorted and use ':' at this point */
323
static CURLcode merge_duplicate_headers(struct curl_slist *head)
324
0
{
325
0
  struct curl_slist *curr = head;
326
0
  CURLcode result = CURLE_OK;
327
328
0
  while(curr) {
329
0
    struct curl_slist *next = curr->next;
330
0
    if(!next)
331
0
      break;
332
333
0
    if(compare_header_names(curr->data, next->data) == 0) {
334
0
      struct dynbuf buf;
335
0
      const char *colon_next;
336
0
      const char *val_next;
337
338
0
      curlx_dyn_init(&buf, CURL_MAX_HTTP_HEADER);
339
340
0
      result = curlx_dyn_add(&buf, curr->data);
341
0
      if(result)
342
0
        return result;
343
344
0
      colon_next = strchr(next->data, ':');
345
0
      DEBUGASSERT(colon_next);
346
0
      val_next = colon_next + 1;
347
348
0
      result = curlx_dyn_addn(&buf, ",", 1);
349
0
      if(result)
350
0
        return result;
351
352
0
      result = curlx_dyn_add(&buf, val_next);
353
0
      if(result)
354
0
        return result;
355
356
0
      curlx_free(curr->data);
357
0
      curr->data = curlx_dyn_ptr(&buf);
358
359
0
      curr->next = next->next;
360
0
      curlx_free(next->data);
361
0
      curlx_free(next);
362
0
    }
363
0
    else {
364
0
      curr = curr->next;
365
0
    }
366
0
  }
367
368
0
  return CURLE_OK;
369
0
}
370
371
/* timestamp should point to a buffer of at last TIMESTAMP_SIZE bytes */
372
static CURLcode make_headers(struct Curl_easy *data,
373
                             const char *hostname,
374
                             char *timestamp,
375
                             const char *provider1,
376
                             size_t plen, /* length of provider1 */
377
                             char **date_header,
378
                             char *content_sha256_header,
379
                             struct dynbuf *canonical_headers,
380
                             struct dynbuf *signed_headers)
381
0
{
382
0
  char date_hdr_key[DATE_HDR_KEY_LEN];
383
0
  char date_full_hdr[DATE_FULL_HDR_LEN];
384
0
  struct curl_slist *head = NULL;
385
0
  struct curl_slist *tmp_head = NULL;
386
0
  CURLcode result = CURLE_OUT_OF_MEMORY;
387
0
  struct curl_slist *l;
388
0
  bool again = TRUE;
389
390
0
  curl_msnprintf(date_hdr_key, DATE_HDR_KEY_LEN, "X-%.*s-Date",
391
0
                 (int)plen, provider1);
392
  /* provider1 ucfirst */
393
0
  Curl_strntolower(&date_hdr_key[2], provider1, plen);
394
0
  date_hdr_key[2] = Curl_raw_toupper(provider1[0]);
395
396
0
  curl_msnprintf(date_full_hdr, DATE_FULL_HDR_LEN,
397
0
                 "x-%.*s-date:%s", (int)plen, provider1, timestamp);
398
  /* provider1 lowercase */
399
0
  Curl_strntolower(&date_full_hdr[2], provider1, plen);
400
401
0
  if(!Curl_checkheaders(data, STRCONST("Host"))) {
402
0
    char *fullhost;
403
404
0
    if(data->state.aptr.host)
405
0
      fullhost = curlx_strdup(data->state.aptr.host);
406
0
    else
407
0
      fullhost = curl_maprintf("host:%s", hostname);
408
409
0
    if(fullhost)
410
0
      head = Curl_slist_append_nodup(NULL, fullhost);
411
0
    if(!head) {
412
0
      curlx_free(fullhost);
413
0
      goto fail;
414
0
    }
415
0
  }
416
417
0
  if(*content_sha256_header) {
418
0
    tmp_head = curl_slist_append(head, content_sha256_header);
419
0
    if(!tmp_head)
420
0
      goto fail;
421
0
    head = tmp_head;
422
0
  }
423
424
  /* copy user headers to our header list. the logic is based on how http.c
425
     handles user headers.
426
427
     user headers in format 'name:' with no value are used to signal that an
428
     internal header of that name should be removed. those user headers are not
429
     added to this list.
430
431
     user headers in format 'name;' with no value are used to signal that a
432
     header of that name with no value should be sent. those user headers are
433
     added to this list but in the format that they will be sent, ie the
434
     semi-colon is changed to a colon for format 'name:'.
435
436
     user headers with a value of whitespace only, or without a colon or
437
     semi-colon, are not added to this list.
438
     */
439
0
  for(l = data->set.headers; l; l = l->next) {
440
0
    char *dupdata;
441
0
    const char *ptr;
442
0
    const char *sep = strchr(l->data, ':');
443
0
    if(!sep)
444
0
      sep = strchr(l->data, ';');
445
0
    if(!sep || (*sep == ':' && !*(sep + 1)))
446
0
      continue;
447
0
    for(ptr = sep + 1; ISBLANK(*ptr); ++ptr)
448
0
      ;
449
0
    if(!*ptr && ptr != sep + 1) /* a value of whitespace only */
450
0
      continue;
451
0
    dupdata = curlx_strdup(l->data);
452
0
    if(!dupdata)
453
0
      goto fail;
454
0
    dupdata[sep - l->data] = ':';
455
0
    tmp_head = Curl_slist_append_nodup(head, dupdata);
456
0
    if(!tmp_head) {
457
0
      curlx_free(dupdata);
458
0
      goto fail;
459
0
    }
460
0
    head = tmp_head;
461
0
  }
462
463
0
  trim_headers(head);
464
465
0
  *date_header = find_date_hdr(data, date_hdr_key);
466
0
  if(!*date_header) {
467
0
    tmp_head = curl_slist_append(head, date_full_hdr);
468
0
    if(!tmp_head)
469
0
      goto fail;
470
0
    head = tmp_head;
471
0
    *date_header = curl_maprintf("%s: %s\r\n", date_hdr_key, timestamp);
472
0
    if(!*date_header)
473
0
      goto fail;
474
0
  }
475
0
  else {
476
0
    const char *value;
477
0
    const char *endp;
478
0
    value = strchr(*date_header, ':');
479
0
    if(!value) {
480
0
      *date_header = NULL;
481
0
      goto fail;
482
0
    }
483
0
    ++value;
484
0
    curlx_str_passblanks(&value);
485
0
    endp = value;
486
0
    while(*endp && ISALNUM(*endp))
487
0
      ++endp;
488
    /* 16 bytes => "19700101T000000Z" */
489
0
    if((endp - value) == TIMESTAMP_SIZE - 1) {
490
0
      memcpy(timestamp, value, TIMESTAMP_SIZE - 1);
491
0
      timestamp[TIMESTAMP_SIZE - 1] = 0;
492
0
    }
493
0
    else
494
      /* bad timestamp length */
495
0
      timestamp[0] = 0;
496
0
    *date_header = NULL;
497
0
  }
498
499
  /* alpha-sort by header name in a case sensitive manner */
500
0
  do {
501
0
    again = FALSE;
502
0
    for(l = head; l; l = l->next) {
503
0
      struct curl_slist *next = l->next;
504
505
0
      if(next && compare_header_names(l->data, next->data) > 0) {
506
0
        char *tmp = l->data;
507
508
0
        l->data = next->data;
509
0
        next->data = tmp;
510
0
        again = TRUE;
511
0
      }
512
0
    }
513
0
  } while(again);
514
515
0
  result = merge_duplicate_headers(head);
516
0
  if(result)
517
0
    goto fail;
518
519
0
  for(l = head; l; l = l->next) {
520
0
    char *tmp;
521
522
0
    if(curlx_dyn_add(canonical_headers, l->data))
523
0
      goto fail;
524
0
    if(curlx_dyn_add(canonical_headers, "\n"))
525
0
      goto fail;
526
527
0
    tmp = strchr(l->data, ':');
528
0
    if(tmp)
529
0
      *tmp = 0;
530
531
0
    if(l != head) {
532
0
      if(curlx_dyn_add(signed_headers, ";"))
533
0
        goto fail;
534
0
    }
535
0
    if(curlx_dyn_add(signed_headers, l->data))
536
0
      goto fail;
537
0
  }
538
539
0
  result = CURLE_OK;
540
0
fail:
541
0
  curl_slist_free_all(head);
542
543
0
  return result;
544
0
}
545
546
0
#define CONTENT_SHA256_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Content-Sha256"))
547
/* add 2 for ": " between header name and value */
548
0
#define CONTENT_SHA256_HDR_LEN (CONTENT_SHA256_KEY_LEN + 2 + SHA256_HEX_LENGTH)
549
550
/* try to parse a payload hash from the content-sha256 header */
551
static const char *parse_content_sha_hdr(struct Curl_easy *data,
552
                                         const char *provider1,
553
                                         size_t plen,
554
                                         size_t *value_len)
555
0
{
556
0
  char key[CONTENT_SHA256_KEY_LEN];
557
0
  size_t key_len;
558
0
  const char *value;
559
0
  size_t len;
560
561
0
  key_len = curl_msnprintf(key, sizeof(key), "x-%.*s-content-sha256",
562
0
                           (int)plen, provider1);
563
564
0
  value = Curl_checkheaders(data, key, key_len);
565
0
  if(!value)
566
0
    return NULL;
567
568
0
  value = strchr(value, ':');
569
0
  if(!value)
570
0
    return NULL;
571
0
  ++value;
572
573
0
  curlx_str_passblanks(&value);
574
575
0
  len = strlen(value);
576
0
  while(len > 0 && ISBLANK(value[len - 1]))
577
0
    --len;
578
579
0
  *value_len = len;
580
0
  return value;
581
0
}
582
583
static CURLcode calc_payload_hash(struct Curl_easy *data,
584
                                  unsigned char *sha_hash, char *sha_hex)
585
0
{
586
0
  const char *post_data = data->set.postfields;
587
0
  size_t post_data_len = 0;
588
0
  CURLcode result;
589
590
0
  if(post_data) {
591
0
    if(data->set.postfieldsize < 0)
592
0
      post_data_len = strlen(post_data);
593
0
    else
594
0
      post_data_len = (size_t)data->set.postfieldsize;
595
0
  }
596
0
  result = Curl_sha256it(sha_hash, (const unsigned char *)post_data,
597
0
                         post_data_len);
598
0
  if(!result)
599
0
    sha256_to_hex(sha_hex, sha_hash);
600
0
  return result;
601
0
}
602
603
0
#define S3_UNSIGNED_PAYLOAD "UNSIGNED-PAYLOAD"
604
605
static CURLcode calc_s3_payload_hash(struct Curl_easy *data,
606
                                     Curl_HttpReq httpreq,
607
                                     const char *provider1,
608
                                     size_t plen,
609
                                     unsigned char *sha_hash,
610
                                     char *sha_hex, char *header)
611
0
{
612
0
  bool empty_method = (httpreq == HTTPREQ_GET || httpreq == HTTPREQ_HEAD);
613
  /* The request method or filesize indicate no request payload */
614
0
  bool empty_payload = (empty_method || data->set.filesize == 0);
615
  /* The POST payload is in memory */
616
0
  bool post_payload = (httpreq == HTTPREQ_POST && data->set.postfields);
617
0
  CURLcode result = CURLE_OUT_OF_MEMORY;
618
619
0
  if(empty_payload || post_payload) {
620
    /* Calculate a real hash when we know the request payload */
621
0
    result = calc_payload_hash(data, sha_hash, sha_hex);
622
0
    if(result)
623
0
      goto fail;
624
0
  }
625
0
  else {
626
    /* Fall back to s3's UNSIGNED-PAYLOAD */
627
0
    size_t len = sizeof(S3_UNSIGNED_PAYLOAD) - 1;
628
0
    DEBUGASSERT(len < SHA256_HEX_LENGTH); /* 16 < 65 */
629
0
    memcpy(sha_hex, S3_UNSIGNED_PAYLOAD, len);
630
0
    sha_hex[len] = 0;
631
0
  }
632
633
  /* format the required content-sha256 header */
634
0
  curl_msnprintf(header, CONTENT_SHA256_HDR_LEN,
635
0
                 "x-%.*s-content-sha256: %s", (int)plen, provider1, sha_hex);
636
637
0
  result = CURLE_OK;
638
0
fail:
639
0
  return result;
640
0
}
641
642
static int compare_func(const void *a, const void *b)
643
0
{
644
0
  const struct pair *aa = a;
645
0
  const struct pair *bb = b;
646
0
  const size_t aa_key_len = curlx_dyn_len(&aa->key);
647
0
  const size_t bb_key_len = curlx_dyn_len(&bb->key);
648
0
  const size_t aa_value_len = curlx_dyn_len(&aa->value);
649
0
  const size_t bb_value_len = curlx_dyn_len(&bb->value);
650
0
  int compare;
651
652
  /* If one element is empty, the other is always sorted higher */
653
654
  /* Compare keys */
655
0
  if((aa_key_len == 0) && (bb_key_len == 0))
656
0
    return 0;
657
0
  if(aa_key_len == 0)
658
0
    return -1;
659
0
  if(bb_key_len == 0)
660
0
    return 1;
661
0
  compare = strcmp(curlx_dyn_ptr(&aa->key), curlx_dyn_ptr(&bb->key));
662
0
  if(compare) {
663
0
    return compare;
664
0
  }
665
666
  /* Compare values */
667
0
  if((aa_value_len == 0) && (bb_value_len == 0))
668
0
    return 0;
669
0
  if(aa_value_len == 0)
670
0
    return -1;
671
0
  if(bb_value_len == 0)
672
0
    return 1;
673
0
  compare = strcmp(curlx_dyn_ptr(&aa->value), curlx_dyn_ptr(&bb->value));
674
675
0
  return compare;
676
0
}
677
678
/* @unittest 1979 */
679
UNITTEST CURLcode canon_path(const char *q, size_t len,
680
                             struct dynbuf *new_path,
681
                             bool do_uri_encode);
682
UNITTEST CURLcode canon_path(const char *q, size_t len,
683
                             struct dynbuf *new_path,
684
                             bool do_uri_encode)
685
0
{
686
0
  CURLcode result = CURLE_OK;
687
688
0
  struct Curl_str original_path;
689
690
0
  curlx_str_assign(&original_path, q, len);
691
692
  /* Normalized path will be either the same or shorter than the original
693
   * path, plus trailing slash */
694
695
0
  if(do_uri_encode)
696
0
    result = uri_encode_path(&original_path, new_path);
697
0
  else
698
0
    result = curlx_dyn_addn(new_path, q, len);
699
700
0
  if(!result) {
701
0
    if(curlx_dyn_len(new_path) == 0)
702
0
      result = curlx_dyn_add(new_path, "/");
703
0
  }
704
705
0
  return result;
706
0
}
707
708
/* @unittest 1980 */
709
UNITTEST CURLcode canon_query(const char *query, struct dynbuf *dq);
710
UNITTEST CURLcode canon_query(const char *query, struct dynbuf *dq)
711
0
{
712
0
  CURLcode result = CURLE_OK;
713
714
0
  struct dynbuf query_array[MAX_QUERY_COMPONENTS];
715
0
  struct pair encoded_query_array[MAX_QUERY_COMPONENTS];
716
0
  size_t num_query_components;
717
0
  size_t counted_query_components = 0;
718
0
  size_t index;
719
720
0
  if(!query)
721
0
    return result;
722
723
0
  result = split_to_dyn_array(query, &query_array[0], &num_query_components);
724
0
  if(result) {
725
0
    goto fail;
726
0
  }
727
728
  /* Create list of pairs, each pair containing an encoded query
729
   * component */
730
731
0
  for(index = 0; index < num_query_components; index++) {
732
0
    const char *in_key;
733
0
    size_t in_key_len;
734
0
    const char *offset;
735
0
    size_t query_part_len = curlx_dyn_len(&query_array[index]);
736
0
    const char *query_part = curlx_dyn_ptr(&query_array[index]);
737
738
0
    in_key = query_part;
739
740
0
    offset = strchr(query_part, '=');
741
    /* If there is no equals, this key has no value */
742
0
    if(!offset) {
743
0
      in_key_len = strlen(in_key);
744
0
    }
745
0
    else {
746
0
      in_key_len = offset - in_key;
747
0
    }
748
749
0
    curlx_dyn_init(&encoded_query_array[index].key,
750
0
      (query_part_len * 3) + 1);
751
0
    curlx_dyn_init(&encoded_query_array[index].value,
752
0
      (query_part_len * 3) + 1);
753
0
    counted_query_components++;
754
755
    /* Decode/encode the key */
756
0
    result = normalize_query(in_key, in_key_len,
757
0
                             &encoded_query_array[index].key);
758
0
    if(result) {
759
0
      goto fail;
760
0
    }
761
762
    /* Decode/encode the value if it exists */
763
0
    if(offset && offset != (query_part + query_part_len - 1)) {
764
0
      size_t in_value_len;
765
0
      const char *in_value = offset + 1;
766
0
      in_value_len = query_part + query_part_len - (offset + 1);
767
0
      result = normalize_query(in_value, in_value_len,
768
0
                               &encoded_query_array[index].value);
769
0
      if(result) {
770
0
        goto fail;
771
0
      }
772
0
    }
773
0
    else {
774
      /* If there is no value, the value is an empty string */
775
0
      curlx_dyn_init(&encoded_query_array[index].value, 2);
776
0
      result = curlx_dyn_addn(&encoded_query_array[index].value, "", 1);
777
0
    }
778
779
0
    if(result) {
780
0
      goto fail;
781
0
    }
782
0
  }
783
784
  /* Sort the encoded query components by key and value */
785
0
  qsort(&encoded_query_array, num_query_components,
786
0
        sizeof(struct pair), compare_func);
787
788
  /* Append the query components together to make a full query string */
789
0
  for(index = 0; index < num_query_components; index++) {
790
791
0
    if(index)
792
0
      result = curlx_dyn_addn(dq, "&", 1);
793
0
    if(!result) {
794
0
      const char *key_ptr = curlx_dyn_ptr(&encoded_query_array[index].key);
795
0
      const char *value_ptr = curlx_dyn_ptr(&encoded_query_array[index].value);
796
0
      size_t vlen = curlx_dyn_len(&encoded_query_array[index].value);
797
0
      if(value_ptr && vlen) {
798
0
        result = curlx_dyn_addf(dq, "%s=%s", key_ptr, value_ptr);
799
0
      }
800
0
      else {
801
        /* Empty value is always encoded to key= */
802
0
        result = curlx_dyn_addf(dq, "%s=", key_ptr);
803
0
      }
804
0
    }
805
0
    if(result)
806
0
      break;
807
0
  }
808
809
0
fail:
810
0
  if(counted_query_components)
811
    /* the encoded_query_array might not be initialized yet */
812
0
    pair_array_free(&encoded_query_array[0], counted_query_components);
813
0
  dyn_array_free(&query_array[0], num_query_components);
814
0
  return result;
815
0
}
816
817
static CURLcode parse_sigv4_params(struct Curl_easy *data,
818
                                   const char *hostname,
819
                                   struct Curl_str *provider0,
820
                                   struct Curl_str *provider1,
821
                                   struct Curl_str *region,
822
                                   struct Curl_str *service)
823
0
{
824
0
  const char *line = data->set.str[STRING_AWS_SIGV4];
825
0
  if(!line || !*line)
826
0
    line = "aws:amz";
827
828
  /* provider0[:provider1[:region[:service]]]
829
830
     No string can be longer than N bytes of non-whitespace
831
  */
832
0
  if(curlx_str_until(&line, provider0, MAX_SIGV4_LEN, ':')) {
833
0
    failf(data, "first aws-sigv4 provider cannot be empty");
834
0
    return CURLE_BAD_FUNCTION_ARGUMENT;
835
0
  }
836
0
  if(curlx_str_single(&line, ':') ||
837
0
     curlx_str_until(&line, provider1, MAX_SIGV4_LEN, ':')) {
838
0
    *provider1 = *provider0;
839
0
  }
840
0
  else if(curlx_str_single(&line, ':') ||
841
0
          curlx_str_until(&line, region, MAX_SIGV4_LEN, ':') ||
842
0
          curlx_str_single(&line, ':') ||
843
0
          curlx_str_until(&line, service, MAX_SIGV4_LEN, ':')) {
844
    /* nothing to do */
845
0
  }
846
847
0
  if(!curlx_strlen(service)) {
848
0
    const char *p = hostname;
849
0
    if(curlx_str_until(&p, service, MAX_SIGV4_LEN, '.') ||
850
0
       curlx_str_single(&p, '.')) {
851
0
      failf(data, "aws-sigv4: service missing in parameters and hostname");
852
0
      return CURLE_URL_MALFORMAT;
853
0
    }
854
855
0
    infof(data, "aws_sigv4: picked service %.*s from host",
856
0
          (int)curlx_strlen(service), curlx_str(service));
857
858
0
    if(!curlx_strlen(region)) {
859
0
      if(curlx_str_until(&p, region, MAX_SIGV4_LEN, '.') ||
860
0
         curlx_str_single(&p, '.')) {
861
0
        failf(data, "aws-sigv4: region missing in parameters and hostname");
862
0
        return CURLE_URL_MALFORMAT;
863
0
      }
864
0
      infof(data, "aws_sigv4: picked region %.*s from host",
865
0
            (int)curlx_strlen(region), curlx_str(region));
866
0
    }
867
0
  }
868
869
0
  return CURLE_OK;
870
0
}
871
872
static CURLcode get_payload_hash(struct Curl_easy *data,
873
                                 Curl_HttpReq httpreq,
874
                                 struct Curl_str *provider0,
875
                                 struct Curl_str *provider1,
876
                                 struct Curl_str *service,
877
                                 unsigned char *sha_hash,
878
                                 char *sha_hex,
879
                                 char *content_sha256_hdr,
880
                                 const char **payload_hash_out,
881
                                 size_t *payload_hash_len_out)
882
0
{
883
0
  *payload_hash_out =
884
0
    parse_content_sha_hdr(data, curlx_str(provider1),
885
0
                          curlx_strlen(provider1), payload_hash_len_out);
886
887
0
  if(!*payload_hash_out) {
888
0
    CURLcode result;
889
    /* AWS S3 requires a x-amz-content-sha256 header, and supports special
890
     * values like UNSIGNED-PAYLOAD */
891
0
    bool sign_as_s3 = curlx_str_casecompare(provider0, "aws") &&
892
0
                      curlx_str_casecompare(service, "s3");
893
894
0
    if(sign_as_s3)
895
0
      result = calc_s3_payload_hash(data, httpreq, curlx_str(provider1),
896
0
                                    curlx_strlen(provider1), sha_hash,
897
0
                                    sha_hex, content_sha256_hdr);
898
0
    else
899
0
      result = calc_payload_hash(data, sha_hash, sha_hex);
900
0
    if(result)
901
0
      return result;
902
903
0
    *payload_hash_out = sha_hex;
904
    /* may be shorter than SHA256_HEX_LENGTH, like S3_UNSIGNED_PAYLOAD */
905
0
    *payload_hash_len_out = strlen(sha_hex);
906
0
  }
907
0
  return CURLE_OK;
908
0
}
909
910
static CURLcode get_timestamp(char *timestamp, size_t stampsize)
911
0
{
912
0
  time_t clock;
913
0
  struct tm tm;
914
0
  CURLcode result;
915
916
0
#ifdef DEBUGBUILD
917
0
  {
918
0
    char *force_timestamp = getenv("CURL_FORCETIME");
919
0
    if(force_timestamp)
920
0
      clock = 0;
921
0
    else
922
0
      clock = time(NULL);
923
0
  }
924
#else
925
  clock = time(NULL);
926
#endif
927
0
  result = curlx_gmtime(clock, &tm);
928
0
  if(result)
929
0
    return result;
930
931
0
  if(!strftime(timestamp, stampsize, "%Y%m%dT%H%M%SZ", &tm))
932
0
    return CURLE_OUT_OF_MEMORY;
933
934
0
  return CURLE_OK;
935
0
}
936
937
static CURLcode make_canonical_request(struct Curl_easy *data,
938
                                       const char *hostname,
939
                                       char *timestamp,
940
                                       struct Curl_str *provider1,
941
                                       struct Curl_str *service,
942
                                       const char *method,
943
                                       const char *payload_hash,
944
                                       size_t payload_hash_len,
945
                                       char **date_header_out,
946
                                       char *content_sha256_hdr,
947
                                       struct dynbuf *canonical_headers,
948
                                       struct dynbuf *signed_headers,
949
                                       char **canonical_request_out)
950
0
{
951
0
  struct dynbuf canonical_query;
952
0
  struct dynbuf canonical_path;
953
0
  CURLcode result;
954
955
0
  curlx_dyn_init(&canonical_query, CURL_MAX_HTTP_HEADER);
956
0
  curlx_dyn_init(&canonical_path, CURL_MAX_HTTP_HEADER);
957
958
0
  result = make_headers(data, hostname, timestamp,
959
0
                        curlx_str(provider1), curlx_strlen(provider1),
960
0
                        date_header_out, content_sha256_hdr,
961
0
                        canonical_headers, signed_headers);
962
0
  if(result)
963
0
    goto fail;
964
965
0
  result = canon_query(data->state.up.query, &canonical_query);
966
0
  if(result)
967
0
    goto fail;
968
969
0
  result = canon_path(data->state.up.path, strlen(data->state.up.path),
970
0
                      &canonical_path,
971
0
                      should_urlencode(service));
972
0
  if(result)
973
0
    goto fail;
974
975
0
  *canonical_request_out =
976
0
    curl_maprintf("%s\n" /* HTTPRequestMethod */
977
0
                  "%s\n" /* CanonicalURI */
978
0
                  "%s\n" /* CanonicalQueryString */
979
0
                  "%s\n" /* CanonicalHeaders */
980
0
                  "%s\n" /* SignedHeaders */
981
0
                  "%.*s",  /* HashedRequestPayload in hex */
982
0
                  method,
983
0
                  curlx_dyn_ptr(&canonical_path),
984
0
                  curlx_dyn_ptr(&canonical_query) ?
985
0
                  curlx_dyn_ptr(&canonical_query) : "",
986
0
                  curlx_dyn_ptr(canonical_headers),
987
0
                  curlx_dyn_ptr(signed_headers),
988
0
                  (int)payload_hash_len, payload_hash);
989
0
  if(!*canonical_request_out) {
990
0
    result = CURLE_OUT_OF_MEMORY;
991
0
    goto fail;
992
0
  }
993
994
0
  result = CURLE_OK;
995
0
fail:
996
0
  curlx_dyn_free(&canonical_query);
997
0
  curlx_dyn_free(&canonical_path);
998
0
  return result;
999
0
}
1000
1001
static CURLcode make_string_to_sign(struct Curl_easy *data,
1002
                                    struct Curl_str *provider0,
1003
                                    struct Curl_str *region,
1004
                                    struct Curl_str *service,
1005
                                    const char *date,
1006
                                    const char *timestamp,
1007
                                    const char *canonical_request,
1008
                                    char **request_type_out,
1009
                                    char **credential_scope_out,
1010
                                    char **str_to_sign_out)
1011
0
{
1012
0
  char *request_type;
1013
0
  char *credential_scope;
1014
0
  char *str_to_sign;
1015
0
  unsigned char sha_hash[CURL_SHA256_DIGEST_LENGTH];
1016
0
  char sha_hex[SHA256_HEX_LENGTH];
1017
1018
0
  request_type = curl_maprintf("%.*s4_request",
1019
0
                               (int)curlx_strlen(provider0),
1020
0
                               curlx_str(provider0));
1021
0
  if(!request_type)
1022
0
    return CURLE_OUT_OF_MEMORY;
1023
1024
  /* provider0 is lowercased *after* curl_maprintf() so that the buffer
1025
     can be written to */
1026
0
  Curl_strntolower(request_type, request_type, curlx_strlen(provider0));
1027
1028
0
  credential_scope = curl_maprintf("%s/%.*s/%.*s/%s", date,
1029
0
                                   (int)curlx_strlen(region),
1030
0
                                   curlx_str(region),
1031
0
                                   (int)curlx_strlen(service),
1032
0
                                   curlx_str(service),
1033
0
                                   request_type);
1034
0
  if(!credential_scope) {
1035
0
    curlx_free(request_type);
1036
0
    return CURLE_OUT_OF_MEMORY;
1037
0
  }
1038
1039
0
  if(Curl_sha256it(sha_hash, (const unsigned char *)canonical_request,
1040
0
                   strlen(canonical_request))) {
1041
0
    curlx_free(request_type);
1042
0
    curlx_free(credential_scope);
1043
0
    return CURLE_OUT_OF_MEMORY;
1044
0
  }
1045
1046
0
  sha256_to_hex(sha_hex, sha_hash);
1047
1048
  /*
1049
   * Google allows using RSA key instead of HMAC, so this code might change
1050
   * in the future. For now we only support HMAC.
1051
   */
1052
0
  str_to_sign = curl_maprintf("%.*s4-HMAC-SHA256\n" /* Algorithm */
1053
0
                              "%s\n" /* RequestDateTime */
1054
0
                              "%s\n" /* CredentialScope */
1055
0
                              "%s",  /* HashedCanonicalRequest in hex */
1056
0
                              (int)curlx_strlen(provider0),
1057
0
                              curlx_str(provider0),
1058
0
                              timestamp,
1059
0
                              credential_scope,
1060
0
                              sha_hex);
1061
0
  if(!str_to_sign) {
1062
0
    curlx_free(request_type);
1063
0
    curlx_free(credential_scope);
1064
0
    return CURLE_OUT_OF_MEMORY;
1065
0
  }
1066
1067
  /* make provider0 part done uppercase */
1068
0
  Curl_strntoupper(str_to_sign, curlx_str(provider0),
1069
0
                   curlx_strlen(provider0));
1070
1071
0
  infof(data, "aws_sigv4: String to sign (enclosed in []) - [%s]",
1072
0
        str_to_sign);
1073
1074
0
  *request_type_out = request_type;
1075
0
  *credential_scope_out = credential_scope;
1076
0
  *str_to_sign_out = str_to_sign;
1077
0
  return CURLE_OK;
1078
0
}
1079
1080
static CURLcode sign_and_set_auth_headers(struct Curl_easy *data,
1081
                                          struct Curl_str *provider0,
1082
                                          struct Curl_str *region,
1083
                                          struct Curl_str *service,
1084
                                          const char *request_type,
1085
                                          const char *credential_scope,
1086
                                          const char *date,
1087
                                          const char *str_to_sign,
1088
                                          const char *date_header,
1089
                                          const char *content_sha256_hdr,
1090
                                          struct dynbuf *signed_headers)
1091
0
{
1092
0
  CURLcode result = CURLE_OUT_OF_MEMORY;
1093
0
  const char *passwd = Curl_creds_passwd(data->state.creds);
1094
0
  char *secret = NULL;
1095
0
  unsigned char sign0[CURL_SHA256_DIGEST_LENGTH] = { 0 };
1096
0
  unsigned char sign1[CURL_SHA256_DIGEST_LENGTH] = { 0 };
1097
0
  char sha_hex[SHA256_HEX_LENGTH];
1098
0
  char *auth_headers = NULL;
1099
0
  char *user = curl_escape(Curl_creds_user(data->state.creds), 0);
1100
0
  if(!user)
1101
0
    return CURLE_OUT_OF_MEMORY;
1102
1103
0
  secret = curl_maprintf("%.*s4%s", (int)curlx_strlen(provider0),
1104
0
                         curlx_str(provider0), passwd);
1105
0
  if(!secret)
1106
0
    goto fail;
1107
  /* make provider0 part done uppercase */
1108
0
  Curl_strntoupper(secret, curlx_str(provider0), curlx_strlen(provider0));
1109
1110
0
  HMAC_SHA256(secret, strlen(secret), date, strlen(date), sign0);
1111
0
  HMAC_SHA256(sign0, sizeof(sign0),
1112
0
              curlx_str(region), curlx_strlen(region), sign1);
1113
0
  HMAC_SHA256(sign1, sizeof(sign1),
1114
0
              curlx_str(service), curlx_strlen(service), sign0);
1115
0
  HMAC_SHA256(sign0, sizeof(sign0),
1116
0
              request_type, strlen(request_type), sign1);
1117
0
  HMAC_SHA256(sign1, sizeof(sign1),
1118
0
              str_to_sign, strlen(str_to_sign), sign0);
1119
1120
0
  sha256_to_hex(sha_hex, sign0);
1121
1122
0
  infof(data, "aws_sigv4: Signature - %s", sha_hex);
1123
1124
0
  auth_headers = curl_maprintf("Authorization: %.*s4-HMAC-SHA256 "
1125
0
                               "Credential=%s/%s, "
1126
0
                               "SignedHeaders=%s, "
1127
0
                               "Signature=%s\r\n"
1128
0
                               "%s"
1129
0
                               "%s%s",
1130
0
                               (int)curlx_strlen(provider0),
1131
0
                               curlx_str(provider0),
1132
0
                               user,
1133
0
                               credential_scope,
1134
0
                               curlx_dyn_ptr(signed_headers),
1135
0
                               sha_hex,
1136
                               /*
1137
                                * date_header is added here, only if it was not
1138
                                * user-specified (using CURLOPT_HTTPHEADER).
1139
                                * date_header includes \r\n
1140
                                */
1141
0
                               date_header ? date_header : "",
1142
0
                               content_sha256_hdr,
1143
0
                               content_sha256_hdr[0] ? "\r\n": "");
1144
0
  if(!auth_headers)
1145
0
    goto fail;
1146
1147
  /* provider 0 uppercase */
1148
0
  Curl_strntoupper(&auth_headers[sizeof("Authorization: ") - 1],
1149
0
                   curlx_str(provider0), curlx_strlen(provider0));
1150
1151
0
  curlx_free(data->req.hd_auth);
1152
0
  data->req.hd_auth = auth_headers;
1153
0
  data->state.authhost.done = TRUE;
1154
0
  result = CURLE_OK;
1155
1156
0
fail:
1157
0
  curlx_free(user);
1158
0
  curlx_free(secret);
1159
0
  return result;
1160
0
}
1161
1162
CURLcode Curl_output_aws_sigv4(struct Curl_easy *data)
1163
0
{
1164
0
  CURLcode result = CURLE_OUT_OF_MEMORY;
1165
0
  struct Curl_str provider0 = { NULL, 0 };
1166
0
  struct Curl_str provider1 = { NULL, 0 };
1167
0
  struct Curl_str region = { NULL, 0 };
1168
0
  struct Curl_str service = { NULL, 0 };
1169
0
  const char *hostname = data->state.origin->hostname;
1170
0
  char timestamp[TIMESTAMP_SIZE];
1171
0
  char date[9];
1172
0
  struct dynbuf canonical_headers;
1173
0
  struct dynbuf signed_headers;
1174
0
  char *date_header = NULL;
1175
0
  Curl_HttpReq httpreq;
1176
0
  const char *method = NULL;
1177
0
  const char *payload_hash = NULL;
1178
0
  size_t payload_hash_len = 0;
1179
0
  unsigned char sha_hash[CURL_SHA256_DIGEST_LENGTH];
1180
0
  char sha_hex[SHA256_HEX_LENGTH];
1181
0
  char content_sha256_hdr[CONTENT_SHA256_HDR_LEN + 2] = ""; /* add \r\n */
1182
0
  char *canonical_request = NULL;
1183
0
  char *request_type = NULL;
1184
0
  char *credential_scope = NULL;
1185
0
  char *str_to_sign = NULL;
1186
1187
0
  if(data->set.path_as_is) {
1188
0
    failf(data, "Cannot use sigv4 authentication with path-as-is flag");
1189
0
    return CURLE_BAD_FUNCTION_ARGUMENT;
1190
0
  }
1191
1192
0
  if(Curl_checkheaders(data, STRCONST("Authorization")))
1193
    /* Authorization already present, Bailing out */
1194
0
    return CURLE_OK;
1195
1196
  /* we init those buffers here, so goto fail will free initialized dynbuf */
1197
0
  curlx_dyn_init(&canonical_headers, CURL_MAX_HTTP_HEADER);
1198
0
  curlx_dyn_init(&signed_headers, CURL_MAX_HTTP_HEADER);
1199
1200
0
  result = parse_sigv4_params(data, hostname, &provider0, &provider1,
1201
0
                              &region, &service);
1202
0
  if(!result) {
1203
0
    Curl_http_method(data, &method, &httpreq);
1204
0
    result = get_payload_hash(data, httpreq, &provider0, &provider1, &service,
1205
0
                              sha_hash, sha_hex, content_sha256_hdr,
1206
0
                              &payload_hash, &payload_hash_len);
1207
0
  }
1208
1209
0
  if(!result)
1210
0
    result = get_timestamp(timestamp, sizeof(timestamp));
1211
1212
0
  if(!result)
1213
0
    result = make_canonical_request(data, hostname, timestamp,
1214
0
                                    &provider1, &service,
1215
0
                                    method, payload_hash, payload_hash_len,
1216
0
                                    &date_header, content_sha256_hdr,
1217
0
                                    &canonical_headers, &signed_headers,
1218
0
                                    &canonical_request);
1219
0
  if(!result) {
1220
    /* the timestamp might have been updated in make_canonical_request */
1221
0
    memcpy(date, timestamp, sizeof(date) - 1);
1222
0
    date[sizeof(date) - 1] = 0;
1223
1224
0
    result = make_string_to_sign(data, &provider0, &region, &service,
1225
0
                                 date, timestamp, canonical_request,
1226
0
                                 &request_type, &credential_scope,
1227
0
                                 &str_to_sign);
1228
0
  }
1229
0
  if(!result)
1230
0
    result = sign_and_set_auth_headers(data, &provider0, &region, &service,
1231
0
                                       request_type, credential_scope,
1232
0
                                       date, str_to_sign, date_header,
1233
0
                                       content_sha256_hdr, &signed_headers);
1234
1235
0
  curlx_dyn_free(&canonical_headers);
1236
0
  curlx_dyn_free(&signed_headers);
1237
0
  curlx_free(canonical_request);
1238
0
  curlx_free(request_type);
1239
0
  curlx_free(credential_scope);
1240
0
  curlx_free(str_to_sign);
1241
0
  curlx_free(date_header);
1242
0
  return result;
1243
0
}
1244
1245
#endif /* !CURL_DISABLE_HTTP && !CURL_DISABLE_AWS */