http_aws_sigv4.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
  26. #include "urldata.h"
  27. #include "strcase.h"
  28. #include "strdup.h"
  29. #include "http_aws_sigv4.h"
  30. #include "curl_sha256.h"
  31. #include "transfer.h"
  32. #include "parsedate.h"
  33. #include "sendf.h"
  34. #include <time.h>
  35. /* The last 3 #include files should be in this order */
  36. #include "curl_printf.h"
  37. #include "curl_memory.h"
  38. #include "memdebug.h"
  39. #include "slist.h"
  40. #define HMAC_SHA256(k, kl, d, dl, o) \
  41. do { \
  42. ret = Curl_hmacit(Curl_HMAC_SHA256, \
  43. (unsigned char *)k, \
  44. (unsigned int)kl, \
  45. (unsigned char *)d, \
  46. (unsigned int)dl, o); \
  47. if(ret) { \
  48. goto fail; \
  49. } \
  50. } while(0)
  51. #define TIMESTAMP_SIZE 17
  52. static void sha256_to_hex(char *dst, unsigned char *sha, size_t dst_l)
  53. {
  54. int i;
  55. DEBUGASSERT(dst_l >= 65);
  56. for(i = 0; i < 32; ++i) {
  57. msnprintf(dst + (i * 2), dst_l - (i * 2), "%02x", sha[i]);
  58. }
  59. }
  60. static char *find_date_hdr(struct Curl_easy *data, const char *sig_hdr)
  61. {
  62. char *tmp = Curl_checkheaders(data, sig_hdr, strlen(sig_hdr));
  63. if(tmp)
  64. return tmp;
  65. return Curl_checkheaders(data, STRCONST("Date"));
  66. }
  67. /* remove whitespace, and lowercase all headers */
  68. static void trim_headers(struct curl_slist *head)
  69. {
  70. struct curl_slist *l;
  71. for(l = head; l; l = l->next) {
  72. char *value; /* to read from */
  73. char *store;
  74. size_t colon = strcspn(l->data, ":");
  75. Curl_strntolower(l->data, l->data, colon);
  76. value = &l->data[colon];
  77. if(!*value)
  78. continue;
  79. ++value;
  80. store = value;
  81. /* skip leading whitespace */
  82. while(*value && ISBLANK(*value))
  83. value++;
  84. while(*value) {
  85. int space = 0;
  86. while(*value && ISBLANK(*value)) {
  87. value++;
  88. space++;
  89. }
  90. if(space) {
  91. /* replace any number of consecutive whitespace with a single space,
  92. unless at the end of the string, then nothing */
  93. if(*value)
  94. *store++ = ' ';
  95. }
  96. else
  97. *store++ = *value++;
  98. }
  99. *store = 0; /* null terminate */
  100. }
  101. }
  102. /* maximum lenth for the aws sivg4 parts */
  103. #define MAX_SIGV4_LEN 64
  104. #define MAX_SIGV4_LEN_TXT "64"
  105. #define DATE_HDR_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Date"))
  106. #define MAX_HOST_LEN 255
  107. /* FQDN + host: */
  108. #define FULL_HOST_LEN (MAX_HOST_LEN + sizeof("host:"))
  109. /* string been x-PROVIDER-date:TIMESTAMP, I need +1 for ':' */
  110. #define DATE_FULL_HDR_LEN (DATE_HDR_KEY_LEN + TIMESTAMP_SIZE + 1)
  111. /* timestamp should point to a buffer of at last TIMESTAMP_SIZE bytes */
  112. static CURLcode make_headers(struct Curl_easy *data,
  113. const char *hostname,
  114. char *timestamp,
  115. char *provider1,
  116. char **date_header,
  117. struct dynbuf *canonical_headers,
  118. struct dynbuf *signed_headers)
  119. {
  120. char date_hdr_key[DATE_HDR_KEY_LEN];
  121. char date_full_hdr[DATE_FULL_HDR_LEN];
  122. struct curl_slist *head = NULL;
  123. struct curl_slist *tmp_head = NULL;
  124. CURLcode ret = CURLE_OUT_OF_MEMORY;
  125. struct curl_slist *l;
  126. int again = 1;
  127. /* provider1 mid */
  128. Curl_strntolower(provider1, provider1, strlen(provider1));
  129. provider1[0] = Curl_raw_toupper(provider1[0]);
  130. msnprintf(date_hdr_key, DATE_HDR_KEY_LEN, "X-%s-Date", provider1);
  131. /* provider1 lowercase */
  132. Curl_strntolower(provider1, provider1, 1); /* first byte only */
  133. msnprintf(date_full_hdr, DATE_FULL_HDR_LEN,
  134. "x-%s-date:%s", provider1, timestamp);
  135. if(Curl_checkheaders(data, STRCONST("Host"))) {
  136. head = NULL;
  137. }
  138. else {
  139. char full_host[FULL_HOST_LEN + 1];
  140. if(data->state.aptr.host) {
  141. size_t pos;
  142. if(strlen(data->state.aptr.host) > FULL_HOST_LEN) {
  143. ret = CURLE_URL_MALFORMAT;
  144. goto fail;
  145. }
  146. strcpy(full_host, data->state.aptr.host);
  147. /* remove /r/n as the separator for canonical request must be '\n' */
  148. pos = strcspn(full_host, "\n\r");
  149. full_host[pos] = 0;
  150. }
  151. else {
  152. if(strlen(hostname) > MAX_HOST_LEN) {
  153. ret = CURLE_URL_MALFORMAT;
  154. goto fail;
  155. }
  156. msnprintf(full_host, FULL_HOST_LEN, "host:%s", hostname);
  157. }
  158. head = curl_slist_append(NULL, full_host);
  159. if(!head)
  160. goto fail;
  161. }
  162. for(l = data->set.headers; l; l = l->next) {
  163. tmp_head = curl_slist_append(head, l->data);
  164. if(!tmp_head)
  165. goto fail;
  166. head = tmp_head;
  167. }
  168. trim_headers(head);
  169. *date_header = find_date_hdr(data, date_hdr_key);
  170. if(!*date_header) {
  171. tmp_head = curl_slist_append(head, date_full_hdr);
  172. if(!tmp_head)
  173. goto fail;
  174. head = tmp_head;
  175. *date_header = curl_maprintf("%s: %s", date_hdr_key, timestamp);
  176. }
  177. else {
  178. char *value;
  179. *date_header = strdup(*date_header);
  180. if(!*date_header)
  181. goto fail;
  182. value = strchr(*date_header, ':');
  183. if(!value)
  184. goto fail;
  185. ++value;
  186. while(ISBLANK(*value))
  187. ++value;
  188. strncpy(timestamp, value, TIMESTAMP_SIZE - 1);
  189. timestamp[TIMESTAMP_SIZE - 1] = 0;
  190. }
  191. /* alpha-sort in a case sensitive manner */
  192. do {
  193. again = 0;
  194. for(l = head; l; l = l->next) {
  195. struct curl_slist *next = l->next;
  196. if(next && strcmp(l->data, next->data) > 0) {
  197. char *tmp = l->data;
  198. l->data = next->data;
  199. next->data = tmp;
  200. again = 1;
  201. }
  202. }
  203. } while(again);
  204. for(l = head; l; l = l->next) {
  205. char *tmp;
  206. if(Curl_dyn_add(canonical_headers, l->data))
  207. goto fail;
  208. if(Curl_dyn_add(canonical_headers, "\n"))
  209. goto fail;
  210. tmp = strchr(l->data, ':');
  211. if(tmp)
  212. *tmp = 0;
  213. if(l != head) {
  214. if(Curl_dyn_add(signed_headers, ";"))
  215. goto fail;
  216. }
  217. if(Curl_dyn_add(signed_headers, l->data))
  218. goto fail;
  219. }
  220. ret = CURLE_OK;
  221. fail:
  222. curl_slist_free_all(head);
  223. return ret;
  224. }
  225. #define CONTENT_SHA256_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Content-Sha256"))
  226. /* try to parse a payload hash from the content-sha256 header */
  227. static char *parse_content_sha_hdr(struct Curl_easy *data,
  228. const char *provider1,
  229. size_t *value_len)
  230. {
  231. char key[CONTENT_SHA256_KEY_LEN];
  232. size_t key_len;
  233. char *value;
  234. size_t len;
  235. key_len = msnprintf(key, sizeof(key), "x-%s-content-sha256", provider1);
  236. value = Curl_checkheaders(data, key, key_len);
  237. if(!value)
  238. return NULL;
  239. value = strchr(value, ':');
  240. if(!value)
  241. return NULL;
  242. ++value;
  243. while(*value && ISBLANK(*value))
  244. ++value;
  245. len = strlen(value);
  246. while(len > 0 && ISBLANK(value[len-1]))
  247. --len;
  248. *value_len = len;
  249. return value;
  250. }
  251. CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy)
  252. {
  253. CURLcode ret = CURLE_OUT_OF_MEMORY;
  254. struct connectdata *conn = data->conn;
  255. size_t len;
  256. const char *arg;
  257. char provider0[MAX_SIGV4_LEN + 1]="";
  258. char provider1[MAX_SIGV4_LEN + 1]="";
  259. char region[MAX_SIGV4_LEN + 1]="";
  260. char service[MAX_SIGV4_LEN + 1]="";
  261. const char *hostname = conn->host.name;
  262. time_t clock;
  263. struct tm tm;
  264. char timestamp[TIMESTAMP_SIZE];
  265. char date[9];
  266. struct dynbuf canonical_headers;
  267. struct dynbuf signed_headers;
  268. char *date_header = NULL;
  269. char *payload_hash = NULL;
  270. size_t payload_hash_len = 0;
  271. const char *post_data = data->set.postfields;
  272. size_t post_data_len = 0;
  273. unsigned char sha_hash[32];
  274. char sha_hex[65];
  275. char *canonical_request = NULL;
  276. char *request_type = NULL;
  277. char *credential_scope = NULL;
  278. char *str_to_sign = NULL;
  279. const char *user = data->state.aptr.user ? data->state.aptr.user : "";
  280. char *secret = NULL;
  281. unsigned char sign0[32] = {0};
  282. unsigned char sign1[32] = {0};
  283. char *auth_headers = NULL;
  284. DEBUGASSERT(!proxy);
  285. (void)proxy;
  286. if(Curl_checkheaders(data, STRCONST("Authorization"))) {
  287. /* Authorization already present, Bailing out */
  288. return CURLE_OK;
  289. }
  290. /* we init thoses buffers here, so goto fail will free initialized dynbuf */
  291. Curl_dyn_init(&canonical_headers, CURL_MAX_HTTP_HEADER);
  292. Curl_dyn_init(&signed_headers, CURL_MAX_HTTP_HEADER);
  293. /*
  294. * Parameters parsing
  295. * Google and Outscale use the same OSC or GOOG,
  296. * but Amazon uses AWS and AMZ for header arguments.
  297. * AWS is the default because most of non-amazon providers
  298. * are still using aws:amz as a prefix.
  299. */
  300. arg = data->set.str[STRING_AWS_SIGV4] ?
  301. data->set.str[STRING_AWS_SIGV4] : "aws:amz";
  302. /* provider1[:provider2[:region[:service]]]
  303. No string can be longer than N bytes of non-whitespace
  304. */
  305. (void)sscanf(arg, "%" MAX_SIGV4_LEN_TXT "[^:]"
  306. ":%" MAX_SIGV4_LEN_TXT "[^:]"
  307. ":%" MAX_SIGV4_LEN_TXT "[^:]"
  308. ":%" MAX_SIGV4_LEN_TXT "s",
  309. provider0, provider1, region, service);
  310. if(!provider0[0]) {
  311. failf(data, "first provider can't be empty");
  312. ret = CURLE_BAD_FUNCTION_ARGUMENT;
  313. goto fail;
  314. }
  315. else if(!provider1[0])
  316. strcpy(provider1, provider0);
  317. if(!service[0]) {
  318. char *hostdot = strchr(hostname, '.');
  319. if(!hostdot) {
  320. failf(data, "service missing in parameters and hostname");
  321. ret = CURLE_URL_MALFORMAT;
  322. goto fail;
  323. }
  324. len = hostdot - hostname;
  325. if(len > MAX_SIGV4_LEN) {
  326. failf(data, "service too long in hostname");
  327. ret = CURLE_URL_MALFORMAT;
  328. goto fail;
  329. }
  330. strncpy(service, hostname, len);
  331. service[len] = '\0';
  332. if(!region[0]) {
  333. const char *reg = hostdot + 1;
  334. const char *hostreg = strchr(reg, '.');
  335. if(!hostreg) {
  336. failf(data, "region missing in parameters and hostname");
  337. ret = CURLE_URL_MALFORMAT;
  338. goto fail;
  339. }
  340. len = hostreg - reg;
  341. if(len > MAX_SIGV4_LEN) {
  342. failf(data, "region too long in hostname");
  343. ret = CURLE_URL_MALFORMAT;
  344. goto fail;
  345. }
  346. strncpy(region, reg, len);
  347. region[len] = '\0';
  348. }
  349. }
  350. #ifdef DEBUGBUILD
  351. {
  352. char *force_timestamp = getenv("CURL_FORCETIME");
  353. if(force_timestamp)
  354. clock = 0;
  355. else
  356. time(&clock);
  357. }
  358. #else
  359. time(&clock);
  360. #endif
  361. ret = Curl_gmtime(clock, &tm);
  362. if(ret) {
  363. goto fail;
  364. }
  365. if(!strftime(timestamp, sizeof(timestamp), "%Y%m%dT%H%M%SZ", &tm)) {
  366. ret = CURLE_OUT_OF_MEMORY;
  367. goto fail;
  368. }
  369. ret = make_headers(data, hostname, timestamp, provider1,
  370. &date_header, &canonical_headers, &signed_headers);
  371. if(ret)
  372. goto fail;
  373. ret = CURLE_OUT_OF_MEMORY;
  374. memcpy(date, timestamp, sizeof(date));
  375. date[sizeof(date) - 1] = 0;
  376. payload_hash = parse_content_sha_hdr(data, provider1, &payload_hash_len);
  377. if(!payload_hash) {
  378. if(post_data) {
  379. if(data->set.postfieldsize < 0)
  380. post_data_len = strlen(post_data);
  381. else
  382. post_data_len = (size_t)data->set.postfieldsize;
  383. }
  384. if(Curl_sha256it(sha_hash, (const unsigned char *) post_data,
  385. post_data_len))
  386. goto fail;
  387. sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex));
  388. payload_hash = sha_hex;
  389. payload_hash_len = strlen(sha_hex);
  390. }
  391. {
  392. Curl_HttpReq httpreq;
  393. const char *method;
  394. Curl_http_method(data, conn, &method, &httpreq);
  395. canonical_request =
  396. curl_maprintf("%s\n" /* HTTPRequestMethod */
  397. "%s\n" /* CanonicalURI */
  398. "%s\n" /* CanonicalQueryString */
  399. "%s\n" /* CanonicalHeaders */
  400. "%s\n" /* SignedHeaders */
  401. "%.*s", /* HashedRequestPayload in hex */
  402. method,
  403. data->state.up.path,
  404. data->state.up.query ? data->state.up.query : "",
  405. Curl_dyn_ptr(&canonical_headers),
  406. Curl_dyn_ptr(&signed_headers),
  407. (int)payload_hash_len, payload_hash);
  408. if(!canonical_request)
  409. goto fail;
  410. }
  411. /* provider 0 lowercase */
  412. Curl_strntolower(provider0, provider0, strlen(provider0));
  413. request_type = curl_maprintf("%s4_request", provider0);
  414. if(!request_type)
  415. goto fail;
  416. credential_scope = curl_maprintf("%s/%s/%s/%s",
  417. date, region, service, request_type);
  418. if(!credential_scope)
  419. goto fail;
  420. if(Curl_sha256it(sha_hash, (unsigned char *) canonical_request,
  421. strlen(canonical_request)))
  422. goto fail;
  423. sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex));
  424. /* provider 0 uppercase */
  425. Curl_strntoupper(provider0, provider0, strlen(provider0));
  426. /*
  427. * Google allows using RSA key instead of HMAC, so this code might change
  428. * in the future. For now we ony support HMAC.
  429. */
  430. str_to_sign = curl_maprintf("%s4-HMAC-SHA256\n" /* Algorithm */
  431. "%s\n" /* RequestDateTime */
  432. "%s\n" /* CredentialScope */
  433. "%s", /* HashedCanonicalRequest in hex */
  434. provider0,
  435. timestamp,
  436. credential_scope,
  437. sha_hex);
  438. if(!str_to_sign) {
  439. goto fail;
  440. }
  441. /* provider 0 uppercase */
  442. secret = curl_maprintf("%s4%s", provider0,
  443. data->state.aptr.passwd ?
  444. data->state.aptr.passwd : "");
  445. if(!secret)
  446. goto fail;
  447. HMAC_SHA256(secret, strlen(secret), date, strlen(date), sign0);
  448. HMAC_SHA256(sign0, sizeof(sign0), region, strlen(region), sign1);
  449. HMAC_SHA256(sign1, sizeof(sign1), service, strlen(service), sign0);
  450. HMAC_SHA256(sign0, sizeof(sign0), request_type, strlen(request_type), sign1);
  451. HMAC_SHA256(sign1, sizeof(sign1), str_to_sign, strlen(str_to_sign), sign0);
  452. sha256_to_hex(sha_hex, sign0, sizeof(sha_hex));
  453. /* provider 0 uppercase */
  454. auth_headers = curl_maprintf("Authorization: %s4-HMAC-SHA256 "
  455. "Credential=%s/%s, "
  456. "SignedHeaders=%s, "
  457. "Signature=%s\r\n"
  458. "%s\r\n",
  459. provider0,
  460. user,
  461. credential_scope,
  462. Curl_dyn_ptr(&signed_headers),
  463. sha_hex,
  464. date_header);
  465. if(!auth_headers) {
  466. goto fail;
  467. }
  468. Curl_safefree(data->state.aptr.userpwd);
  469. data->state.aptr.userpwd = auth_headers;
  470. data->state.authhost.done = TRUE;
  471. ret = CURLE_OK;
  472. fail:
  473. Curl_dyn_free(&canonical_headers);
  474. Curl_dyn_free(&signed_headers);
  475. free(canonical_request);
  476. free(request_type);
  477. free(credential_scope);
  478. free(str_to_sign);
  479. free(secret);
  480. free(date_header);
  481. return ret;
  482. }
  483. #endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) */