/src/curl/lib/http_aws_sigv4.c
Line | Count | Source |
1 | | /*************************************************************************** |
2 | | * _ _ ____ _ |
3 | | * Project ___| | | | _ \| | |
4 | | * / __| | | | |_) | | |
5 | | * | (__| |_| | _ <| |___ |
6 | | * \___|\___/|_| \_\_____| |
7 | | * |
8 | | * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. |
9 | | * |
10 | | * This software is licensed as described in the file COPYING, which |
11 | | * you should have received as part of this distribution. The terms |
12 | | * are also available at https://curl.se/docs/copyright.html. |
13 | | * |
14 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | | * copies of the Software, and permit persons to whom the Software is |
16 | | * furnished to do so, under the terms of the COPYING file. |
17 | | * |
18 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | | * KIND, either express or implied. |
20 | | * |
21 | | * SPDX-License-Identifier: curl |
22 | | * |
23 | | ***************************************************************************/ |
24 | | #include "curl_setup.h" |
25 | | |
26 | | #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_AWS) |
27 | | |
28 | | #include "urldata.h" |
29 | | #include "strcase.h" |
30 | | #include "curlx/strdup.h" |
31 | | #include "http_aws_sigv4.h" |
32 | | #include "curl_sha256.h" |
33 | | #include "transfer.h" |
34 | | #include "curl_trc.h" |
35 | | #include "escape.h" |
36 | | #include "curlx/strparse.h" |
37 | | #include "slist.h" |
38 | | |
39 | | #include <time.h> |
40 | | |
41 | | #define HMAC_SHA256(k, kl, d, dl, o) \ |
42 | 0 | do { \ |
43 | 0 | result = Curl_hmacit(&Curl_HMAC_SHA256, \ |
44 | 0 | (const unsigned char *)(k), \ |
45 | 0 | kl, \ |
46 | 0 | (const unsigned char *)(d), \ |
47 | 0 | dl, o); \ |
48 | 0 | if(result) { \ |
49 | 0 | goto fail; \ |
50 | 0 | } \ |
51 | 0 | } while(0) |
52 | | |
53 | 0 | #define TIMESTAMP_SIZE 17 |
54 | | |
55 | | /* hex-encoded with null-terminator */ |
56 | 0 | #define SHA256_HEX_LENGTH ((2 * CURL_SHA256_DIGEST_LENGTH) + 1) |
57 | | |
58 | 0 | #define MAX_QUERY_COMPONENTS 128 |
59 | | |
60 | | struct pair { |
61 | | struct dynbuf key; |
62 | | struct dynbuf value; |
63 | | }; |
64 | | |
65 | | static void sha256_to_hex(char *dst, unsigned char *sha) |
66 | 0 | { |
67 | 0 | Curl_hexencode(sha, CURL_SHA256_DIGEST_LENGTH, |
68 | 0 | (unsigned char *)dst, SHA256_HEX_LENGTH); |
69 | 0 | } |
70 | | |
71 | | static char *find_date_hdr(struct Curl_easy *data, const char *sig_hdr) |
72 | 0 | { |
73 | 0 | char *tmp = Curl_checkheaders(data, sig_hdr, strlen(sig_hdr)); |
74 | |
|
75 | 0 | if(tmp) |
76 | 0 | return tmp; |
77 | 0 | return Curl_checkheaders(data, STRCONST("Date")); |
78 | 0 | } |
79 | | |
80 | | /* remove whitespace, and lowercase all headers */ |
81 | | static void trim_headers(struct curl_slist *head) |
82 | 0 | { |
83 | 0 | struct curl_slist *l; |
84 | 0 | for(l = head; l; l = l->next) { |
85 | 0 | const char *value; /* to read from */ |
86 | 0 | char *store; |
87 | 0 | size_t colon = strcspn(l->data, ":"); |
88 | 0 | Curl_strntolower(l->data, l->data, colon); |
89 | |
|
90 | 0 | value = &l->data[colon]; |
91 | 0 | if(!*value) |
92 | 0 | continue; |
93 | 0 | ++value; |
94 | 0 | store = (char *)CURL_UNCONST(value); |
95 | | |
96 | | /* skip leading whitespace */ |
97 | 0 | curlx_str_passblanks(&value); |
98 | |
|
99 | 0 | while(*value) { |
100 | 0 | int space = 0; |
101 | 0 | while(ISBLANK(*value)) { |
102 | 0 | value++; |
103 | 0 | space++; |
104 | 0 | } |
105 | 0 | if(space) { |
106 | | /* replace any number of consecutive whitespace with a single space, |
107 | | unless at the end of the string, then nothing */ |
108 | 0 | if(*value) |
109 | 0 | *store++ = ' '; |
110 | 0 | } |
111 | 0 | else |
112 | 0 | *store++ = *value++; |
113 | 0 | } |
114 | 0 | *store = 0; /* null-terminate */ |
115 | 0 | } |
116 | 0 | } |
117 | | |
118 | | /* |
119 | | * Frees all allocated strings in a dynbuf pair array, and the dynbuf itself |
120 | | */ |
121 | | static void pair_array_free(struct pair *pair_array, size_t num_elements) |
122 | 0 | { |
123 | 0 | size_t index; |
124 | |
|
125 | 0 | for(index = 0; index != num_elements; index++) { |
126 | 0 | curlx_dyn_free(&pair_array[index].key); |
127 | 0 | curlx_dyn_free(&pair_array[index].value); |
128 | 0 | } |
129 | 0 | } |
130 | | |
131 | | /* |
132 | | * Frees all allocated strings in a split dynbuf, and the dynbuf itself |
133 | | */ |
134 | | static void dyn_array_free(struct dynbuf *db, size_t num_elements) |
135 | 0 | { |
136 | 0 | size_t index; |
137 | |
|
138 | 0 | for(index = 0; index < num_elements; index++) |
139 | 0 | curlx_dyn_free((&db[index])); |
140 | 0 | } |
141 | | |
142 | | /* |
143 | | * Splits source string by SPLIT_BY, and creates an array of dynbuf in db. |
144 | | * db is initialized by this function. |
145 | | * Caller is responsible for freeing the array elements with dyn_array_free |
146 | | */ |
147 | | |
148 | 0 | #define SPLIT_BY '&' |
149 | | |
150 | | static CURLcode split_to_dyn_array(const char *source, |
151 | | struct dynbuf db[MAX_QUERY_COMPONENTS], |
152 | | size_t *num_splits_out) |
153 | 0 | { |
154 | 0 | CURLcode result = CURLE_OK; |
155 | 0 | size_t len = strlen(source); |
156 | 0 | size_t pos; /* Position in result buffer */ |
157 | 0 | size_t start = 0; /* Start of current segment */ |
158 | 0 | size_t segment_length = 0; |
159 | 0 | size_t index = 0; |
160 | 0 | size_t num_splits = 0; |
161 | | |
162 | | /* Split source_ptr on SPLIT_BY and store the segment offsets and length in |
163 | | * array */ |
164 | 0 | for(pos = 0; pos < len; pos++) { |
165 | 0 | if(source[pos] == SPLIT_BY) { |
166 | 0 | if(segment_length) { |
167 | 0 | curlx_dyn_init(&db[index], segment_length + 1); |
168 | 0 | result = curlx_dyn_addn(&db[index], &source[start], segment_length); |
169 | 0 | if(result) |
170 | 0 | goto fail; |
171 | | |
172 | 0 | segment_length = 0; |
173 | 0 | index++; |
174 | 0 | if(++num_splits == MAX_QUERY_COMPONENTS) { |
175 | 0 | result = CURLE_TOO_LARGE; |
176 | 0 | goto fail; |
177 | 0 | } |
178 | 0 | } |
179 | 0 | start = pos + 1; |
180 | 0 | } |
181 | 0 | else { |
182 | 0 | segment_length++; |
183 | 0 | } |
184 | 0 | } |
185 | | |
186 | 0 | if(segment_length) { |
187 | 0 | curlx_dyn_init(&db[index], segment_length + 1); |
188 | 0 | result = curlx_dyn_addn(&db[index], &source[start], segment_length); |
189 | 0 | if(!result) { |
190 | 0 | if(++num_splits == MAX_QUERY_COMPONENTS) |
191 | 0 | result = CURLE_TOO_LARGE; |
192 | 0 | } |
193 | 0 | } |
194 | 0 | fail: |
195 | 0 | *num_splits_out = num_splits; |
196 | 0 | return result; |
197 | 0 | } |
198 | | |
199 | | static bool is_reserved_char(const char c) |
200 | 0 | { |
201 | 0 | return (ISALNUM(c) || ISURLPUNTCS(c)); |
202 | 0 | } |
203 | | |
204 | | static CURLcode uri_encode_path(struct Curl_str *original_path, |
205 | | struct dynbuf *new_path) |
206 | 0 | { |
207 | 0 | const char *p = curlx_str(original_path); |
208 | 0 | size_t i; |
209 | |
|
210 | 0 | for(i = 0; i < curlx_strlen(original_path); i++) { |
211 | | /* Do not encode slashes or unreserved chars from RFC 3986 */ |
212 | 0 | CURLcode result = CURLE_OK; |
213 | 0 | unsigned char c = p[i]; |
214 | 0 | if(is_reserved_char(c) || c == '/') |
215 | 0 | result = curlx_dyn_addn(new_path, &c, 1); |
216 | 0 | else |
217 | 0 | result = curlx_dyn_addf(new_path, "%%%02X", c); |
218 | 0 | if(result) |
219 | 0 | return result; |
220 | 0 | } |
221 | | |
222 | 0 | return CURLE_OK; |
223 | 0 | } |
224 | | |
225 | | /* Normalize the query part. Make sure %2B is left percent encoded, and not |
226 | | decoded to plus, then encoded to space. |
227 | | */ |
228 | | static CURLcode normalize_query(const char *string, size_t len, |
229 | | struct dynbuf *db) |
230 | 0 | { |
231 | 0 | CURLcode result = CURLE_OK; |
232 | |
|
233 | 0 | while(len && !result) { |
234 | 0 | unsigned char in = (unsigned char)*string; |
235 | 0 | if(('%' == in) && (len > 2) && |
236 | 0 | ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { |
237 | | /* this is two hexadecimal digits following a '%' */ |
238 | 0 | in = (unsigned char)((curlx_hexval(string[1]) << 4) | |
239 | 0 | curlx_hexval(string[2])); |
240 | 0 | string += 3; |
241 | 0 | len -= 3; |
242 | 0 | if(in == '+') { |
243 | | /* decodes to plus, so leave this encoded */ |
244 | 0 | result = curlx_dyn_addn(db, "%2B", 3); |
245 | 0 | continue; |
246 | 0 | } |
247 | 0 | } |
248 | 0 | else { |
249 | 0 | string++; |
250 | 0 | len--; |
251 | 0 | } |
252 | | |
253 | 0 | if(is_reserved_char(in)) |
254 | | /* Escape unreserved chars from RFC 3986 */ |
255 | 0 | result = curlx_dyn_addn(db, &in, 1); |
256 | 0 | else if(in == '+') |
257 | | /* Encode '+' as space */ |
258 | 0 | result = curlx_dyn_add(db, "%20"); |
259 | 0 | else |
260 | 0 | result = curlx_dyn_addf(db, "%%%02X", in); |
261 | 0 | } |
262 | |
|
263 | 0 | return result; |
264 | 0 | } |
265 | | |
266 | | static bool should_urlencode(struct Curl_str *service_name) |
267 | 0 | { |
268 | | /* |
269 | | * These services require unmodified (not additionally URL-encoded) URL |
270 | | * paths. |
271 | | * should_urlencode == true is equivalent to should_urlencode_uri_path |
272 | | * from the AWS SDK. Urls are already normalized by the curl URL parser |
273 | | */ |
274 | 0 | if(curlx_str_cmp(service_name, "s3") || |
275 | 0 | curlx_str_cmp(service_name, "s3-express") || |
276 | 0 | curlx_str_cmp(service_name, "s3-outposts")) { |
277 | 0 | return FALSE; |
278 | 0 | } |
279 | 0 | return TRUE; |
280 | 0 | } |
281 | | |
282 | | /* maximum length for the aws sivg4 parts */ |
283 | 0 | #define MAX_SIGV4_LEN 64 |
284 | 0 | #define DATE_HDR_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Date")) |
285 | | |
286 | | /* string been x-PROVIDER-date:TIMESTAMP, I need +1 for ':' */ |
287 | 0 | #define DATE_FULL_HDR_LEN (DATE_HDR_KEY_LEN + TIMESTAMP_SIZE + 1) |
288 | | |
289 | | /* alphabetically compare two headers by their name, expecting |
290 | | headers to use ':' at this point */ |
291 | | static int compare_header_names(const char *a, const char *b) |
292 | 0 | { |
293 | 0 | const char *colon_a; |
294 | 0 | const char *colon_b; |
295 | 0 | size_t len_a; |
296 | 0 | size_t len_b; |
297 | 0 | size_t min_len; |
298 | 0 | int cmp; |
299 | |
|
300 | 0 | colon_a = strchr(a, ':'); |
301 | 0 | colon_b = strchr(b, ':'); |
302 | |
|
303 | 0 | DEBUGASSERT(colon_a); |
304 | 0 | DEBUGASSERT(colon_b); |
305 | |
|
306 | 0 | len_a = colon_a ? (size_t)(colon_a - a) : strlen(a); |
307 | 0 | len_b = colon_b ? (size_t)(colon_b - b) : strlen(b); |
308 | |
|
309 | 0 | min_len = (len_a < len_b) ? len_a : len_b; |
310 | |
|
311 | 0 | cmp = strncmp(a, b, min_len); |
312 | | |
313 | | /* return the shorter of the two if one is shorter */ |
314 | 0 | if(!cmp) |
315 | 0 | return (int)(len_a - len_b); |
316 | | |
317 | 0 | return cmp; |
318 | 0 | } |
319 | | |
320 | | /* Merge duplicate header definitions by comma delimiting their values |
321 | | in the order defined the headers are defined, expecting headers to |
322 | | be alpha-sorted and use ':' at this point */ |
323 | | static CURLcode merge_duplicate_headers(struct curl_slist *head) |
324 | 0 | { |
325 | 0 | struct curl_slist *curr = head; |
326 | 0 | CURLcode result = CURLE_OK; |
327 | |
|
328 | 0 | while(curr) { |
329 | 0 | struct curl_slist *next = curr->next; |
330 | 0 | if(!next) |
331 | 0 | break; |
332 | | |
333 | 0 | if(compare_header_names(curr->data, next->data) == 0) { |
334 | 0 | struct dynbuf buf; |
335 | 0 | const char *colon_next; |
336 | 0 | const char *val_next; |
337 | |
|
338 | 0 | curlx_dyn_init(&buf, CURL_MAX_HTTP_HEADER); |
339 | |
|
340 | 0 | result = curlx_dyn_add(&buf, curr->data); |
341 | 0 | if(result) |
342 | 0 | return result; |
343 | | |
344 | 0 | colon_next = strchr(next->data, ':'); |
345 | 0 | DEBUGASSERT(colon_next); |
346 | 0 | val_next = colon_next + 1; |
347 | |
|
348 | 0 | result = curlx_dyn_addn(&buf, ",", 1); |
349 | 0 | if(result) |
350 | 0 | return result; |
351 | | |
352 | 0 | result = curlx_dyn_add(&buf, val_next); |
353 | 0 | if(result) |
354 | 0 | return result; |
355 | | |
356 | 0 | curlx_free(curr->data); |
357 | 0 | curr->data = curlx_dyn_ptr(&buf); |
358 | |
|
359 | 0 | curr->next = next->next; |
360 | 0 | curlx_free(next->data); |
361 | 0 | curlx_free(next); |
362 | 0 | } |
363 | 0 | else { |
364 | 0 | curr = curr->next; |
365 | 0 | } |
366 | 0 | } |
367 | | |
368 | 0 | return CURLE_OK; |
369 | 0 | } |
370 | | |
371 | | /* timestamp should point to a buffer of at last TIMESTAMP_SIZE bytes */ |
372 | | static CURLcode make_headers(struct Curl_easy *data, |
373 | | const char *hostname, |
374 | | char *timestamp, |
375 | | const char *provider1, |
376 | | size_t plen, /* length of provider1 */ |
377 | | char **date_header, |
378 | | char *content_sha256_header, |
379 | | struct dynbuf *canonical_headers, |
380 | | struct dynbuf *signed_headers) |
381 | 0 | { |
382 | 0 | char date_hdr_key[DATE_HDR_KEY_LEN]; |
383 | 0 | char date_full_hdr[DATE_FULL_HDR_LEN]; |
384 | 0 | struct curl_slist *head = NULL; |
385 | 0 | struct curl_slist *tmp_head = NULL; |
386 | 0 | CURLcode result = CURLE_OUT_OF_MEMORY; |
387 | 0 | struct curl_slist *l; |
388 | 0 | bool again = TRUE; |
389 | |
|
390 | 0 | curl_msnprintf(date_hdr_key, DATE_HDR_KEY_LEN, "X-%.*s-Date", |
391 | 0 | (int)plen, provider1); |
392 | | /* provider1 ucfirst */ |
393 | 0 | Curl_strntolower(&date_hdr_key[2], provider1, plen); |
394 | 0 | date_hdr_key[2] = Curl_raw_toupper(provider1[0]); |
395 | |
|
396 | 0 | curl_msnprintf(date_full_hdr, DATE_FULL_HDR_LEN, |
397 | 0 | "x-%.*s-date:%s", (int)plen, provider1, timestamp); |
398 | | /* provider1 lowercase */ |
399 | 0 | Curl_strntolower(&date_full_hdr[2], provider1, plen); |
400 | |
|
401 | 0 | if(!Curl_checkheaders(data, STRCONST("Host"))) { |
402 | 0 | char *fullhost; |
403 | |
|
404 | 0 | if(data->state.aptr.host) |
405 | 0 | fullhost = curlx_strdup(data->state.aptr.host); |
406 | 0 | else |
407 | 0 | fullhost = curl_maprintf("host:%s", hostname); |
408 | |
|
409 | 0 | if(fullhost) |
410 | 0 | head = Curl_slist_append_nodup(NULL, fullhost); |
411 | 0 | if(!head) { |
412 | 0 | curlx_free(fullhost); |
413 | 0 | goto fail; |
414 | 0 | } |
415 | 0 | } |
416 | | |
417 | 0 | if(*content_sha256_header) { |
418 | 0 | tmp_head = curl_slist_append(head, content_sha256_header); |
419 | 0 | if(!tmp_head) |
420 | 0 | goto fail; |
421 | 0 | head = tmp_head; |
422 | 0 | } |
423 | | |
424 | | /* copy user headers to our header list. the logic is based on how http.c |
425 | | handles user headers. |
426 | | |
427 | | user headers in format 'name:' with no value are used to signal that an |
428 | | internal header of that name should be removed. those user headers are not |
429 | | added to this list. |
430 | | |
431 | | user headers in format 'name;' with no value are used to signal that a |
432 | | header of that name with no value should be sent. those user headers are |
433 | | added to this list but in the format that they will be sent, ie the |
434 | | semi-colon is changed to a colon for format 'name:'. |
435 | | |
436 | | user headers with a value of whitespace only, or without a colon or |
437 | | semi-colon, are not added to this list. |
438 | | */ |
439 | 0 | for(l = data->set.headers; l; l = l->next) { |
440 | 0 | char *dupdata; |
441 | 0 | const char *ptr; |
442 | 0 | const char *sep = strchr(l->data, ':'); |
443 | 0 | if(!sep) |
444 | 0 | sep = strchr(l->data, ';'); |
445 | 0 | if(!sep || (*sep == ':' && !*(sep + 1))) |
446 | 0 | continue; |
447 | 0 | for(ptr = sep + 1; ISBLANK(*ptr); ++ptr) |
448 | 0 | ; |
449 | 0 | if(!*ptr && ptr != sep + 1) /* a value of whitespace only */ |
450 | 0 | continue; |
451 | 0 | dupdata = curlx_strdup(l->data); |
452 | 0 | if(!dupdata) |
453 | 0 | goto fail; |
454 | 0 | dupdata[sep - l->data] = ':'; |
455 | 0 | tmp_head = Curl_slist_append_nodup(head, dupdata); |
456 | 0 | if(!tmp_head) { |
457 | 0 | curlx_free(dupdata); |
458 | 0 | goto fail; |
459 | 0 | } |
460 | 0 | head = tmp_head; |
461 | 0 | } |
462 | | |
463 | 0 | trim_headers(head); |
464 | |
|
465 | 0 | *date_header = find_date_hdr(data, date_hdr_key); |
466 | 0 | if(!*date_header) { |
467 | 0 | tmp_head = curl_slist_append(head, date_full_hdr); |
468 | 0 | if(!tmp_head) |
469 | 0 | goto fail; |
470 | 0 | head = tmp_head; |
471 | 0 | *date_header = curl_maprintf("%s: %s\r\n", date_hdr_key, timestamp); |
472 | 0 | if(!*date_header) |
473 | 0 | goto fail; |
474 | 0 | } |
475 | 0 | else { |
476 | 0 | const char *value; |
477 | 0 | const char *endp; |
478 | 0 | value = strchr(*date_header, ':'); |
479 | 0 | if(!value) { |
480 | 0 | *date_header = NULL; |
481 | 0 | goto fail; |
482 | 0 | } |
483 | 0 | ++value; |
484 | 0 | curlx_str_passblanks(&value); |
485 | 0 | endp = value; |
486 | 0 | while(*endp && ISALNUM(*endp)) |
487 | 0 | ++endp; |
488 | | /* 16 bytes => "19700101T000000Z" */ |
489 | 0 | if((endp - value) == TIMESTAMP_SIZE - 1) { |
490 | 0 | memcpy(timestamp, value, TIMESTAMP_SIZE - 1); |
491 | 0 | timestamp[TIMESTAMP_SIZE - 1] = 0; |
492 | 0 | } |
493 | 0 | else |
494 | | /* bad timestamp length */ |
495 | 0 | timestamp[0] = 0; |
496 | 0 | *date_header = NULL; |
497 | 0 | } |
498 | | |
499 | | /* alpha-sort by header name in a case sensitive manner */ |
500 | 0 | do { |
501 | 0 | again = FALSE; |
502 | 0 | for(l = head; l; l = l->next) { |
503 | 0 | struct curl_slist *next = l->next; |
504 | |
|
505 | 0 | if(next && compare_header_names(l->data, next->data) > 0) { |
506 | 0 | char *tmp = l->data; |
507 | |
|
508 | 0 | l->data = next->data; |
509 | 0 | next->data = tmp; |
510 | 0 | again = TRUE; |
511 | 0 | } |
512 | 0 | } |
513 | 0 | } while(again); |
514 | |
|
515 | 0 | result = merge_duplicate_headers(head); |
516 | 0 | if(result) |
517 | 0 | goto fail; |
518 | | |
519 | 0 | for(l = head; l; l = l->next) { |
520 | 0 | char *tmp; |
521 | |
|
522 | 0 | if(curlx_dyn_add(canonical_headers, l->data)) |
523 | 0 | goto fail; |
524 | 0 | if(curlx_dyn_add(canonical_headers, "\n")) |
525 | 0 | goto fail; |
526 | | |
527 | 0 | tmp = strchr(l->data, ':'); |
528 | 0 | if(tmp) |
529 | 0 | *tmp = 0; |
530 | |
|
531 | 0 | if(l != head) { |
532 | 0 | if(curlx_dyn_add(signed_headers, ";")) |
533 | 0 | goto fail; |
534 | 0 | } |
535 | 0 | if(curlx_dyn_add(signed_headers, l->data)) |
536 | 0 | goto fail; |
537 | 0 | } |
538 | | |
539 | 0 | result = CURLE_OK; |
540 | 0 | fail: |
541 | 0 | curl_slist_free_all(head); |
542 | |
|
543 | 0 | return result; |
544 | 0 | } |
545 | | |
546 | 0 | #define CONTENT_SHA256_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Content-Sha256")) |
547 | | /* add 2 for ": " between header name and value */ |
548 | 0 | #define CONTENT_SHA256_HDR_LEN (CONTENT_SHA256_KEY_LEN + 2 + SHA256_HEX_LENGTH) |
549 | | |
550 | | /* try to parse a payload hash from the content-sha256 header */ |
551 | | static const char *parse_content_sha_hdr(struct Curl_easy *data, |
552 | | const char *provider1, |
553 | | size_t plen, |
554 | | size_t *value_len) |
555 | 0 | { |
556 | 0 | char key[CONTENT_SHA256_KEY_LEN]; |
557 | 0 | size_t key_len; |
558 | 0 | const char *value; |
559 | 0 | size_t len; |
560 | |
|
561 | 0 | key_len = curl_msnprintf(key, sizeof(key), "x-%.*s-content-sha256", |
562 | 0 | (int)plen, provider1); |
563 | |
|
564 | 0 | value = Curl_checkheaders(data, key, key_len); |
565 | 0 | if(!value) |
566 | 0 | return NULL; |
567 | | |
568 | 0 | value = strchr(value, ':'); |
569 | 0 | if(!value) |
570 | 0 | return NULL; |
571 | 0 | ++value; |
572 | |
|
573 | 0 | curlx_str_passblanks(&value); |
574 | |
|
575 | 0 | len = strlen(value); |
576 | 0 | while(len > 0 && ISBLANK(value[len - 1])) |
577 | 0 | --len; |
578 | |
|
579 | 0 | *value_len = len; |
580 | 0 | return value; |
581 | 0 | } |
582 | | |
583 | | static CURLcode calc_payload_hash(struct Curl_easy *data, |
584 | | unsigned char *sha_hash, char *sha_hex) |
585 | 0 | { |
586 | 0 | const char *post_data = data->set.postfields; |
587 | 0 | size_t post_data_len = 0; |
588 | 0 | CURLcode result; |
589 | |
|
590 | 0 | if(post_data) { |
591 | 0 | if(data->set.postfieldsize < 0) |
592 | 0 | post_data_len = strlen(post_data); |
593 | 0 | else |
594 | 0 | post_data_len = (size_t)data->set.postfieldsize; |
595 | 0 | } |
596 | 0 | result = Curl_sha256it(sha_hash, (const unsigned char *)post_data, |
597 | 0 | post_data_len); |
598 | 0 | if(!result) |
599 | 0 | sha256_to_hex(sha_hex, sha_hash); |
600 | 0 | return result; |
601 | 0 | } |
602 | | |
603 | 0 | #define S3_UNSIGNED_PAYLOAD "UNSIGNED-PAYLOAD" |
604 | | |
605 | | static CURLcode calc_s3_payload_hash(struct Curl_easy *data, |
606 | | Curl_HttpReq httpreq, |
607 | | const char *provider1, |
608 | | size_t plen, |
609 | | unsigned char *sha_hash, |
610 | | char *sha_hex, char *header) |
611 | 0 | { |
612 | 0 | bool empty_method = (httpreq == HTTPREQ_GET || httpreq == HTTPREQ_HEAD); |
613 | | /* The request method or filesize indicate no request payload */ |
614 | 0 | bool empty_payload = (empty_method || data->set.filesize == 0); |
615 | | /* The POST payload is in memory */ |
616 | 0 | bool post_payload = (httpreq == HTTPREQ_POST && data->set.postfields); |
617 | 0 | CURLcode result = CURLE_OUT_OF_MEMORY; |
618 | |
|
619 | 0 | if(empty_payload || post_payload) { |
620 | | /* Calculate a real hash when we know the request payload */ |
621 | 0 | result = calc_payload_hash(data, sha_hash, sha_hex); |
622 | 0 | if(result) |
623 | 0 | goto fail; |
624 | 0 | } |
625 | 0 | else { |
626 | | /* Fall back to s3's UNSIGNED-PAYLOAD */ |
627 | 0 | size_t len = sizeof(S3_UNSIGNED_PAYLOAD) - 1; |
628 | 0 | DEBUGASSERT(len < SHA256_HEX_LENGTH); /* 16 < 65 */ |
629 | 0 | memcpy(sha_hex, S3_UNSIGNED_PAYLOAD, len); |
630 | 0 | sha_hex[len] = 0; |
631 | 0 | } |
632 | | |
633 | | /* format the required content-sha256 header */ |
634 | 0 | curl_msnprintf(header, CONTENT_SHA256_HDR_LEN, |
635 | 0 | "x-%.*s-content-sha256: %s", (int)plen, provider1, sha_hex); |
636 | |
|
637 | 0 | result = CURLE_OK; |
638 | 0 | fail: |
639 | 0 | return result; |
640 | 0 | } |
641 | | |
642 | | static int compare_func(const void *a, const void *b) |
643 | 0 | { |
644 | 0 | const struct pair *aa = a; |
645 | 0 | const struct pair *bb = b; |
646 | 0 | const size_t aa_key_len = curlx_dyn_len(&aa->key); |
647 | 0 | const size_t bb_key_len = curlx_dyn_len(&bb->key); |
648 | 0 | const size_t aa_value_len = curlx_dyn_len(&aa->value); |
649 | 0 | const size_t bb_value_len = curlx_dyn_len(&bb->value); |
650 | 0 | int compare; |
651 | | |
652 | | /* If one element is empty, the other is always sorted higher */ |
653 | | |
654 | | /* Compare keys */ |
655 | 0 | if((aa_key_len == 0) && (bb_key_len == 0)) |
656 | 0 | return 0; |
657 | 0 | if(aa_key_len == 0) |
658 | 0 | return -1; |
659 | 0 | if(bb_key_len == 0) |
660 | 0 | return 1; |
661 | 0 | compare = strcmp(curlx_dyn_ptr(&aa->key), curlx_dyn_ptr(&bb->key)); |
662 | 0 | if(compare) { |
663 | 0 | return compare; |
664 | 0 | } |
665 | | |
666 | | /* Compare values */ |
667 | 0 | if((aa_value_len == 0) && (bb_value_len == 0)) |
668 | 0 | return 0; |
669 | 0 | if(aa_value_len == 0) |
670 | 0 | return -1; |
671 | 0 | if(bb_value_len == 0) |
672 | 0 | return 1; |
673 | 0 | compare = strcmp(curlx_dyn_ptr(&aa->value), curlx_dyn_ptr(&bb->value)); |
674 | |
|
675 | 0 | return compare; |
676 | 0 | } |
677 | | |
678 | | /* @unittest 1979 */ |
679 | | UNITTEST CURLcode canon_path(const char *q, size_t len, |
680 | | struct dynbuf *new_path, |
681 | | bool do_uri_encode); |
682 | | UNITTEST CURLcode canon_path(const char *q, size_t len, |
683 | | struct dynbuf *new_path, |
684 | | bool do_uri_encode) |
685 | 0 | { |
686 | 0 | CURLcode result = CURLE_OK; |
687 | |
|
688 | 0 | struct Curl_str original_path; |
689 | |
|
690 | 0 | curlx_str_assign(&original_path, q, len); |
691 | | |
692 | | /* Normalized path will be either the same or shorter than the original |
693 | | * path, plus trailing slash */ |
694 | |
|
695 | 0 | if(do_uri_encode) |
696 | 0 | result = uri_encode_path(&original_path, new_path); |
697 | 0 | else |
698 | 0 | result = curlx_dyn_addn(new_path, q, len); |
699 | |
|
700 | 0 | if(!result) { |
701 | 0 | if(curlx_dyn_len(new_path) == 0) |
702 | 0 | result = curlx_dyn_add(new_path, "/"); |
703 | 0 | } |
704 | |
|
705 | 0 | return result; |
706 | 0 | } |
707 | | |
708 | | /* @unittest 1980 */ |
709 | | UNITTEST CURLcode canon_query(const char *query, struct dynbuf *dq); |
710 | | UNITTEST CURLcode canon_query(const char *query, struct dynbuf *dq) |
711 | 0 | { |
712 | 0 | CURLcode result = CURLE_OK; |
713 | |
|
714 | 0 | struct dynbuf query_array[MAX_QUERY_COMPONENTS]; |
715 | 0 | struct pair encoded_query_array[MAX_QUERY_COMPONENTS]; |
716 | 0 | size_t num_query_components; |
717 | 0 | size_t counted_query_components = 0; |
718 | 0 | size_t index; |
719 | |
|
720 | 0 | if(!query) |
721 | 0 | return result; |
722 | | |
723 | 0 | result = split_to_dyn_array(query, &query_array[0], &num_query_components); |
724 | 0 | if(result) { |
725 | 0 | goto fail; |
726 | 0 | } |
727 | | |
728 | | /* Create list of pairs, each pair containing an encoded query |
729 | | * component */ |
730 | | |
731 | 0 | for(index = 0; index < num_query_components; index++) { |
732 | 0 | const char *in_key; |
733 | 0 | size_t in_key_len; |
734 | 0 | const char *offset; |
735 | 0 | size_t query_part_len = curlx_dyn_len(&query_array[index]); |
736 | 0 | const char *query_part = curlx_dyn_ptr(&query_array[index]); |
737 | |
|
738 | 0 | in_key = query_part; |
739 | |
|
740 | 0 | offset = strchr(query_part, '='); |
741 | | /* If there is no equals, this key has no value */ |
742 | 0 | if(!offset) { |
743 | 0 | in_key_len = strlen(in_key); |
744 | 0 | } |
745 | 0 | else { |
746 | 0 | in_key_len = offset - in_key; |
747 | 0 | } |
748 | |
|
749 | 0 | curlx_dyn_init(&encoded_query_array[index].key, |
750 | 0 | (query_part_len * 3) + 1); |
751 | 0 | curlx_dyn_init(&encoded_query_array[index].value, |
752 | 0 | (query_part_len * 3) + 1); |
753 | 0 | counted_query_components++; |
754 | | |
755 | | /* Decode/encode the key */ |
756 | 0 | result = normalize_query(in_key, in_key_len, |
757 | 0 | &encoded_query_array[index].key); |
758 | 0 | if(result) { |
759 | 0 | goto fail; |
760 | 0 | } |
761 | | |
762 | | /* Decode/encode the value if it exists */ |
763 | 0 | if(offset && offset != (query_part + query_part_len - 1)) { |
764 | 0 | size_t in_value_len; |
765 | 0 | const char *in_value = offset + 1; |
766 | 0 | in_value_len = query_part + query_part_len - (offset + 1); |
767 | 0 | result = normalize_query(in_value, in_value_len, |
768 | 0 | &encoded_query_array[index].value); |
769 | 0 | if(result) { |
770 | 0 | goto fail; |
771 | 0 | } |
772 | 0 | } |
773 | 0 | else { |
774 | | /* If there is no value, the value is an empty string */ |
775 | 0 | curlx_dyn_init(&encoded_query_array[index].value, 2); |
776 | 0 | result = curlx_dyn_addn(&encoded_query_array[index].value, "", 1); |
777 | 0 | } |
778 | | |
779 | 0 | if(result) { |
780 | 0 | goto fail; |
781 | 0 | } |
782 | 0 | } |
783 | | |
784 | | /* Sort the encoded query components by key and value */ |
785 | 0 | qsort(&encoded_query_array, num_query_components, |
786 | 0 | sizeof(struct pair), compare_func); |
787 | | |
788 | | /* Append the query components together to make a full query string */ |
789 | 0 | for(index = 0; index < num_query_components; index++) { |
790 | |
|
791 | 0 | if(index) |
792 | 0 | result = curlx_dyn_addn(dq, "&", 1); |
793 | 0 | if(!result) { |
794 | 0 | const char *key_ptr = curlx_dyn_ptr(&encoded_query_array[index].key); |
795 | 0 | const char *value_ptr = curlx_dyn_ptr(&encoded_query_array[index].value); |
796 | 0 | size_t vlen = curlx_dyn_len(&encoded_query_array[index].value); |
797 | 0 | if(value_ptr && vlen) { |
798 | 0 | result = curlx_dyn_addf(dq, "%s=%s", key_ptr, value_ptr); |
799 | 0 | } |
800 | 0 | else { |
801 | | /* Empty value is always encoded to key= */ |
802 | 0 | result = curlx_dyn_addf(dq, "%s=", key_ptr); |
803 | 0 | } |
804 | 0 | } |
805 | 0 | if(result) |
806 | 0 | break; |
807 | 0 | } |
808 | |
|
809 | 0 | fail: |
810 | 0 | if(counted_query_components) |
811 | | /* the encoded_query_array might not be initialized yet */ |
812 | 0 | pair_array_free(&encoded_query_array[0], counted_query_components); |
813 | 0 | dyn_array_free(&query_array[0], num_query_components); |
814 | 0 | return result; |
815 | 0 | } |
816 | | |
817 | | static CURLcode parse_sigv4_params(struct Curl_easy *data, |
818 | | const char *hostname, |
819 | | struct Curl_str *provider0, |
820 | | struct Curl_str *provider1, |
821 | | struct Curl_str *region, |
822 | | struct Curl_str *service) |
823 | 0 | { |
824 | 0 | const char *line = data->set.str[STRING_AWS_SIGV4]; |
825 | 0 | if(!line || !*line) |
826 | 0 | line = "aws:amz"; |
827 | | |
828 | | /* provider0[:provider1[:region[:service]]] |
829 | | |
830 | | No string can be longer than N bytes of non-whitespace |
831 | | */ |
832 | 0 | if(curlx_str_until(&line, provider0, MAX_SIGV4_LEN, ':')) { |
833 | 0 | failf(data, "first aws-sigv4 provider cannot be empty"); |
834 | 0 | return CURLE_BAD_FUNCTION_ARGUMENT; |
835 | 0 | } |
836 | 0 | if(curlx_str_single(&line, ':') || |
837 | 0 | curlx_str_until(&line, provider1, MAX_SIGV4_LEN, ':')) { |
838 | 0 | *provider1 = *provider0; |
839 | 0 | } |
840 | 0 | else if(curlx_str_single(&line, ':') || |
841 | 0 | curlx_str_until(&line, region, MAX_SIGV4_LEN, ':') || |
842 | 0 | curlx_str_single(&line, ':') || |
843 | 0 | curlx_str_until(&line, service, MAX_SIGV4_LEN, ':')) { |
844 | | /* nothing to do */ |
845 | 0 | } |
846 | |
|
847 | 0 | if(!curlx_strlen(service)) { |
848 | 0 | const char *p = hostname; |
849 | 0 | if(curlx_str_until(&p, service, MAX_SIGV4_LEN, '.') || |
850 | 0 | curlx_str_single(&p, '.')) { |
851 | 0 | failf(data, "aws-sigv4: service missing in parameters and hostname"); |
852 | 0 | return CURLE_URL_MALFORMAT; |
853 | 0 | } |
854 | | |
855 | 0 | infof(data, "aws_sigv4: picked service %.*s from host", |
856 | 0 | (int)curlx_strlen(service), curlx_str(service)); |
857 | |
|
858 | 0 | if(!curlx_strlen(region)) { |
859 | 0 | if(curlx_str_until(&p, region, MAX_SIGV4_LEN, '.') || |
860 | 0 | curlx_str_single(&p, '.')) { |
861 | 0 | failf(data, "aws-sigv4: region missing in parameters and hostname"); |
862 | 0 | return CURLE_URL_MALFORMAT; |
863 | 0 | } |
864 | 0 | infof(data, "aws_sigv4: picked region %.*s from host", |
865 | 0 | (int)curlx_strlen(region), curlx_str(region)); |
866 | 0 | } |
867 | 0 | } |
868 | | |
869 | 0 | return CURLE_OK; |
870 | 0 | } |
871 | | |
872 | | static CURLcode get_payload_hash(struct Curl_easy *data, |
873 | | Curl_HttpReq httpreq, |
874 | | struct Curl_str *provider0, |
875 | | struct Curl_str *provider1, |
876 | | struct Curl_str *service, |
877 | | unsigned char *sha_hash, |
878 | | char *sha_hex, |
879 | | char *content_sha256_hdr, |
880 | | const char **payload_hash_out, |
881 | | size_t *payload_hash_len_out) |
882 | 0 | { |
883 | 0 | *payload_hash_out = |
884 | 0 | parse_content_sha_hdr(data, curlx_str(provider1), |
885 | 0 | curlx_strlen(provider1), payload_hash_len_out); |
886 | |
|
887 | 0 | if(!*payload_hash_out) { |
888 | 0 | CURLcode result; |
889 | | /* AWS S3 requires a x-amz-content-sha256 header, and supports special |
890 | | * values like UNSIGNED-PAYLOAD */ |
891 | 0 | bool sign_as_s3 = curlx_str_casecompare(provider0, "aws") && |
892 | 0 | curlx_str_casecompare(service, "s3"); |
893 | |
|
894 | 0 | if(sign_as_s3) |
895 | 0 | result = calc_s3_payload_hash(data, httpreq, curlx_str(provider1), |
896 | 0 | curlx_strlen(provider1), sha_hash, |
897 | 0 | sha_hex, content_sha256_hdr); |
898 | 0 | else |
899 | 0 | result = calc_payload_hash(data, sha_hash, sha_hex); |
900 | 0 | if(result) |
901 | 0 | return result; |
902 | | |
903 | 0 | *payload_hash_out = sha_hex; |
904 | | /* may be shorter than SHA256_HEX_LENGTH, like S3_UNSIGNED_PAYLOAD */ |
905 | 0 | *payload_hash_len_out = strlen(sha_hex); |
906 | 0 | } |
907 | 0 | return CURLE_OK; |
908 | 0 | } |
909 | | |
910 | | static CURLcode get_timestamp(char *timestamp, size_t stampsize) |
911 | 0 | { |
912 | 0 | time_t clock; |
913 | 0 | struct tm tm; |
914 | 0 | CURLcode result; |
915 | |
|
916 | 0 | #ifdef DEBUGBUILD |
917 | 0 | { |
918 | 0 | char *force_timestamp = getenv("CURL_FORCETIME"); |
919 | 0 | if(force_timestamp) |
920 | 0 | clock = 0; |
921 | 0 | else |
922 | 0 | clock = time(NULL); |
923 | 0 | } |
924 | | #else |
925 | | clock = time(NULL); |
926 | | #endif |
927 | 0 | result = curlx_gmtime(clock, &tm); |
928 | 0 | if(result) |
929 | 0 | return result; |
930 | | |
931 | 0 | if(!strftime(timestamp, stampsize, "%Y%m%dT%H%M%SZ", &tm)) |
932 | 0 | return CURLE_OUT_OF_MEMORY; |
933 | | |
934 | 0 | return CURLE_OK; |
935 | 0 | } |
936 | | |
937 | | static CURLcode make_canonical_request(struct Curl_easy *data, |
938 | | const char *hostname, |
939 | | char *timestamp, |
940 | | struct Curl_str *provider1, |
941 | | struct Curl_str *service, |
942 | | const char *method, |
943 | | const char *payload_hash, |
944 | | size_t payload_hash_len, |
945 | | char **date_header_out, |
946 | | char *content_sha256_hdr, |
947 | | struct dynbuf *canonical_headers, |
948 | | struct dynbuf *signed_headers, |
949 | | char **canonical_request_out) |
950 | 0 | { |
951 | 0 | struct dynbuf canonical_query; |
952 | 0 | struct dynbuf canonical_path; |
953 | 0 | CURLcode result; |
954 | |
|
955 | 0 | curlx_dyn_init(&canonical_query, CURL_MAX_HTTP_HEADER); |
956 | 0 | curlx_dyn_init(&canonical_path, CURL_MAX_HTTP_HEADER); |
957 | |
|
958 | 0 | result = make_headers(data, hostname, timestamp, |
959 | 0 | curlx_str(provider1), curlx_strlen(provider1), |
960 | 0 | date_header_out, content_sha256_hdr, |
961 | 0 | canonical_headers, signed_headers); |
962 | 0 | if(result) |
963 | 0 | goto fail; |
964 | | |
965 | 0 | result = canon_query(data->state.up.query, &canonical_query); |
966 | 0 | if(result) |
967 | 0 | goto fail; |
968 | | |
969 | 0 | result = canon_path(data->state.up.path, strlen(data->state.up.path), |
970 | 0 | &canonical_path, |
971 | 0 | should_urlencode(service)); |
972 | 0 | if(result) |
973 | 0 | goto fail; |
974 | | |
975 | 0 | *canonical_request_out = |
976 | 0 | curl_maprintf("%s\n" /* HTTPRequestMethod */ |
977 | 0 | "%s\n" /* CanonicalURI */ |
978 | 0 | "%s\n" /* CanonicalQueryString */ |
979 | 0 | "%s\n" /* CanonicalHeaders */ |
980 | 0 | "%s\n" /* SignedHeaders */ |
981 | 0 | "%.*s", /* HashedRequestPayload in hex */ |
982 | 0 | method, |
983 | 0 | curlx_dyn_ptr(&canonical_path), |
984 | 0 | curlx_dyn_ptr(&canonical_query) ? |
985 | 0 | curlx_dyn_ptr(&canonical_query) : "", |
986 | 0 | curlx_dyn_ptr(canonical_headers), |
987 | 0 | curlx_dyn_ptr(signed_headers), |
988 | 0 | (int)payload_hash_len, payload_hash); |
989 | 0 | if(!*canonical_request_out) { |
990 | 0 | result = CURLE_OUT_OF_MEMORY; |
991 | 0 | goto fail; |
992 | 0 | } |
993 | | |
994 | 0 | result = CURLE_OK; |
995 | 0 | fail: |
996 | 0 | curlx_dyn_free(&canonical_query); |
997 | 0 | curlx_dyn_free(&canonical_path); |
998 | 0 | return result; |
999 | 0 | } |
1000 | | |
1001 | | static CURLcode make_string_to_sign(struct Curl_easy *data, |
1002 | | struct Curl_str *provider0, |
1003 | | struct Curl_str *region, |
1004 | | struct Curl_str *service, |
1005 | | const char *date, |
1006 | | const char *timestamp, |
1007 | | const char *canonical_request, |
1008 | | char **request_type_out, |
1009 | | char **credential_scope_out, |
1010 | | char **str_to_sign_out) |
1011 | 0 | { |
1012 | 0 | char *request_type; |
1013 | 0 | char *credential_scope; |
1014 | 0 | char *str_to_sign; |
1015 | 0 | unsigned char sha_hash[CURL_SHA256_DIGEST_LENGTH]; |
1016 | 0 | char sha_hex[SHA256_HEX_LENGTH]; |
1017 | |
|
1018 | 0 | request_type = curl_maprintf("%.*s4_request", |
1019 | 0 | (int)curlx_strlen(provider0), |
1020 | 0 | curlx_str(provider0)); |
1021 | 0 | if(!request_type) |
1022 | 0 | return CURLE_OUT_OF_MEMORY; |
1023 | | |
1024 | | /* provider0 is lowercased *after* curl_maprintf() so that the buffer |
1025 | | can be written to */ |
1026 | 0 | Curl_strntolower(request_type, request_type, curlx_strlen(provider0)); |
1027 | |
|
1028 | 0 | credential_scope = curl_maprintf("%s/%.*s/%.*s/%s", date, |
1029 | 0 | (int)curlx_strlen(region), |
1030 | 0 | curlx_str(region), |
1031 | 0 | (int)curlx_strlen(service), |
1032 | 0 | curlx_str(service), |
1033 | 0 | request_type); |
1034 | 0 | if(!credential_scope) { |
1035 | 0 | curlx_free(request_type); |
1036 | 0 | return CURLE_OUT_OF_MEMORY; |
1037 | 0 | } |
1038 | | |
1039 | 0 | if(Curl_sha256it(sha_hash, (const unsigned char *)canonical_request, |
1040 | 0 | strlen(canonical_request))) { |
1041 | 0 | curlx_free(request_type); |
1042 | 0 | curlx_free(credential_scope); |
1043 | 0 | return CURLE_OUT_OF_MEMORY; |
1044 | 0 | } |
1045 | | |
1046 | 0 | sha256_to_hex(sha_hex, sha_hash); |
1047 | | |
1048 | | /* |
1049 | | * Google allows using RSA key instead of HMAC, so this code might change |
1050 | | * in the future. For now we only support HMAC. |
1051 | | */ |
1052 | 0 | str_to_sign = curl_maprintf("%.*s4-HMAC-SHA256\n" /* Algorithm */ |
1053 | 0 | "%s\n" /* RequestDateTime */ |
1054 | 0 | "%s\n" /* CredentialScope */ |
1055 | 0 | "%s", /* HashedCanonicalRequest in hex */ |
1056 | 0 | (int)curlx_strlen(provider0), |
1057 | 0 | curlx_str(provider0), |
1058 | 0 | timestamp, |
1059 | 0 | credential_scope, |
1060 | 0 | sha_hex); |
1061 | 0 | if(!str_to_sign) { |
1062 | 0 | curlx_free(request_type); |
1063 | 0 | curlx_free(credential_scope); |
1064 | 0 | return CURLE_OUT_OF_MEMORY; |
1065 | 0 | } |
1066 | | |
1067 | | /* make provider0 part done uppercase */ |
1068 | 0 | Curl_strntoupper(str_to_sign, curlx_str(provider0), |
1069 | 0 | curlx_strlen(provider0)); |
1070 | |
|
1071 | 0 | infof(data, "aws_sigv4: String to sign (enclosed in []) - [%s]", |
1072 | 0 | str_to_sign); |
1073 | |
|
1074 | 0 | *request_type_out = request_type; |
1075 | 0 | *credential_scope_out = credential_scope; |
1076 | 0 | *str_to_sign_out = str_to_sign; |
1077 | 0 | return CURLE_OK; |
1078 | 0 | } |
1079 | | |
1080 | | static CURLcode sign_and_set_auth_headers(struct Curl_easy *data, |
1081 | | struct Curl_str *provider0, |
1082 | | struct Curl_str *region, |
1083 | | struct Curl_str *service, |
1084 | | const char *request_type, |
1085 | | const char *credential_scope, |
1086 | | const char *date, |
1087 | | const char *str_to_sign, |
1088 | | const char *date_header, |
1089 | | const char *content_sha256_hdr, |
1090 | | struct dynbuf *signed_headers) |
1091 | 0 | { |
1092 | 0 | CURLcode result = CURLE_OUT_OF_MEMORY; |
1093 | 0 | const char *passwd = Curl_creds_passwd(data->state.creds); |
1094 | 0 | char *secret = NULL; |
1095 | 0 | unsigned char sign0[CURL_SHA256_DIGEST_LENGTH] = { 0 }; |
1096 | 0 | unsigned char sign1[CURL_SHA256_DIGEST_LENGTH] = { 0 }; |
1097 | 0 | char sha_hex[SHA256_HEX_LENGTH]; |
1098 | 0 | char *auth_headers = NULL; |
1099 | 0 | char *user = curl_escape(Curl_creds_user(data->state.creds), 0); |
1100 | 0 | if(!user) |
1101 | 0 | return CURLE_OUT_OF_MEMORY; |
1102 | | |
1103 | 0 | secret = curl_maprintf("%.*s4%s", (int)curlx_strlen(provider0), |
1104 | 0 | curlx_str(provider0), passwd); |
1105 | 0 | if(!secret) |
1106 | 0 | goto fail; |
1107 | | /* make provider0 part done uppercase */ |
1108 | 0 | Curl_strntoupper(secret, curlx_str(provider0), curlx_strlen(provider0)); |
1109 | |
|
1110 | 0 | HMAC_SHA256(secret, strlen(secret), date, strlen(date), sign0); |
1111 | 0 | HMAC_SHA256(sign0, sizeof(sign0), |
1112 | 0 | curlx_str(region), curlx_strlen(region), sign1); |
1113 | 0 | HMAC_SHA256(sign1, sizeof(sign1), |
1114 | 0 | curlx_str(service), curlx_strlen(service), sign0); |
1115 | 0 | HMAC_SHA256(sign0, sizeof(sign0), |
1116 | 0 | request_type, strlen(request_type), sign1); |
1117 | 0 | HMAC_SHA256(sign1, sizeof(sign1), |
1118 | 0 | str_to_sign, strlen(str_to_sign), sign0); |
1119 | | |
1120 | 0 | sha256_to_hex(sha_hex, sign0); |
1121 | |
|
1122 | 0 | infof(data, "aws_sigv4: Signature - %s", sha_hex); |
1123 | |
|
1124 | 0 | auth_headers = curl_maprintf("Authorization: %.*s4-HMAC-SHA256 " |
1125 | 0 | "Credential=%s/%s, " |
1126 | 0 | "SignedHeaders=%s, " |
1127 | 0 | "Signature=%s\r\n" |
1128 | 0 | "%s" |
1129 | 0 | "%s%s", |
1130 | 0 | (int)curlx_strlen(provider0), |
1131 | 0 | curlx_str(provider0), |
1132 | 0 | user, |
1133 | 0 | credential_scope, |
1134 | 0 | curlx_dyn_ptr(signed_headers), |
1135 | 0 | sha_hex, |
1136 | | /* |
1137 | | * date_header is added here, only if it was not |
1138 | | * user-specified (using CURLOPT_HTTPHEADER). |
1139 | | * date_header includes \r\n |
1140 | | */ |
1141 | 0 | date_header ? date_header : "", |
1142 | 0 | content_sha256_hdr, |
1143 | 0 | content_sha256_hdr[0] ? "\r\n": ""); |
1144 | 0 | if(!auth_headers) |
1145 | 0 | goto fail; |
1146 | | |
1147 | | /* provider 0 uppercase */ |
1148 | 0 | Curl_strntoupper(&auth_headers[sizeof("Authorization: ") - 1], |
1149 | 0 | curlx_str(provider0), curlx_strlen(provider0)); |
1150 | |
|
1151 | 0 | curlx_free(data->req.hd_auth); |
1152 | 0 | data->req.hd_auth = auth_headers; |
1153 | 0 | data->state.authhost.done = TRUE; |
1154 | 0 | result = CURLE_OK; |
1155 | |
|
1156 | 0 | fail: |
1157 | 0 | curlx_free(user); |
1158 | 0 | curlx_free(secret); |
1159 | 0 | return result; |
1160 | 0 | } |
1161 | | |
1162 | | CURLcode Curl_output_aws_sigv4(struct Curl_easy *data) |
1163 | 0 | { |
1164 | 0 | CURLcode result = CURLE_OUT_OF_MEMORY; |
1165 | 0 | struct Curl_str provider0 = { NULL, 0 }; |
1166 | 0 | struct Curl_str provider1 = { NULL, 0 }; |
1167 | 0 | struct Curl_str region = { NULL, 0 }; |
1168 | 0 | struct Curl_str service = { NULL, 0 }; |
1169 | 0 | const char *hostname = data->state.origin->hostname; |
1170 | 0 | char timestamp[TIMESTAMP_SIZE]; |
1171 | 0 | char date[9]; |
1172 | 0 | struct dynbuf canonical_headers; |
1173 | 0 | struct dynbuf signed_headers; |
1174 | 0 | char *date_header = NULL; |
1175 | 0 | Curl_HttpReq httpreq; |
1176 | 0 | const char *method = NULL; |
1177 | 0 | const char *payload_hash = NULL; |
1178 | 0 | size_t payload_hash_len = 0; |
1179 | 0 | unsigned char sha_hash[CURL_SHA256_DIGEST_LENGTH]; |
1180 | 0 | char sha_hex[SHA256_HEX_LENGTH]; |
1181 | 0 | char content_sha256_hdr[CONTENT_SHA256_HDR_LEN + 2] = ""; /* add \r\n */ |
1182 | 0 | char *canonical_request = NULL; |
1183 | 0 | char *request_type = NULL; |
1184 | 0 | char *credential_scope = NULL; |
1185 | 0 | char *str_to_sign = NULL; |
1186 | |
|
1187 | 0 | if(data->set.path_as_is) { |
1188 | 0 | failf(data, "Cannot use sigv4 authentication with path-as-is flag"); |
1189 | 0 | return CURLE_BAD_FUNCTION_ARGUMENT; |
1190 | 0 | } |
1191 | | |
1192 | 0 | if(Curl_checkheaders(data, STRCONST("Authorization"))) |
1193 | | /* Authorization already present, Bailing out */ |
1194 | 0 | return CURLE_OK; |
1195 | | |
1196 | | /* we init those buffers here, so goto fail will free initialized dynbuf */ |
1197 | 0 | curlx_dyn_init(&canonical_headers, CURL_MAX_HTTP_HEADER); |
1198 | 0 | curlx_dyn_init(&signed_headers, CURL_MAX_HTTP_HEADER); |
1199 | |
|
1200 | 0 | result = parse_sigv4_params(data, hostname, &provider0, &provider1, |
1201 | 0 | ®ion, &service); |
1202 | 0 | if(!result) { |
1203 | 0 | Curl_http_method(data, &method, &httpreq); |
1204 | 0 | result = get_payload_hash(data, httpreq, &provider0, &provider1, &service, |
1205 | 0 | sha_hash, sha_hex, content_sha256_hdr, |
1206 | 0 | &payload_hash, &payload_hash_len); |
1207 | 0 | } |
1208 | |
|
1209 | 0 | if(!result) |
1210 | 0 | result = get_timestamp(timestamp, sizeof(timestamp)); |
1211 | |
|
1212 | 0 | if(!result) |
1213 | 0 | result = make_canonical_request(data, hostname, timestamp, |
1214 | 0 | &provider1, &service, |
1215 | 0 | method, payload_hash, payload_hash_len, |
1216 | 0 | &date_header, content_sha256_hdr, |
1217 | 0 | &canonical_headers, &signed_headers, |
1218 | 0 | &canonical_request); |
1219 | 0 | if(!result) { |
1220 | | /* the timestamp might have been updated in make_canonical_request */ |
1221 | 0 | memcpy(date, timestamp, sizeof(date) - 1); |
1222 | 0 | date[sizeof(date) - 1] = 0; |
1223 | |
|
1224 | 0 | result = make_string_to_sign(data, &provider0, ®ion, &service, |
1225 | 0 | date, timestamp, canonical_request, |
1226 | 0 | &request_type, &credential_scope, |
1227 | 0 | &str_to_sign); |
1228 | 0 | } |
1229 | 0 | if(!result) |
1230 | 0 | result = sign_and_set_auth_headers(data, &provider0, ®ion, &service, |
1231 | 0 | request_type, credential_scope, |
1232 | 0 | date, str_to_sign, date_header, |
1233 | 0 | content_sha256_hdr, &signed_headers); |
1234 | |
|
1235 | 0 | curlx_dyn_free(&canonical_headers); |
1236 | 0 | curlx_dyn_free(&signed_headers); |
1237 | 0 | curlx_free(canonical_request); |
1238 | 0 | curlx_free(request_type); |
1239 | 0 | curlx_free(credential_scope); |
1240 | 0 | curlx_free(str_to_sign); |
1241 | 0 | curlx_free(date_header); |
1242 | 0 | return result; |
1243 | 0 | } |
1244 | | |
1245 | | #endif /* !CURL_DISABLE_HTTP && !CURL_DISABLE_AWS */ |