1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.haxx.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 * SPDX-License-Identifier: curl
23 ***************************************************************************/
25 #include "curl_setup.h"
27 #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
32 #include "http_aws_sigv4.h"
33 #include "curl_sha256.h"
37 #include "parsedate.h"
42 /* The last 3 #include files should be in this order */
43 #include "curl_printf.h"
44 #include "curl_memory.h"
49 #define HMAC_SHA256(k, kl, d, dl, o) \
51 ret = Curl_hmacit(Curl_HMAC_SHA256, \
55 (unsigned int)dl, o); \
61 #define TIMESTAMP_SIZE 17
63 static void sha256_to_hex(char *dst, unsigned char *sha, size_t dst_l)
67 DEBUGASSERT(dst_l >= 65);
68 for(i = 0; i < 32; ++i) {
69 msnprintf(dst + (i * 2), dst_l - (i * 2), "%02x", sha[i]);
73 static char *find_date_hdr(struct Curl_easy *data, const char *sig_hdr)
75 char *tmp = Curl_checkheaders(data, sig_hdr, strlen(sig_hdr));
79 return Curl_checkheaders(data, STRCONST("Date"));
82 /* remove whitespace, and lowercase all headers */
83 static void trim_headers(struct curl_slist *head)
86 for(l = head; l; l = l->next) {
87 char *value; /* to read from */
89 size_t colon = strcspn(l->data, ":");
90 Curl_strntolower(l->data, l->data, colon);
92 value = &l->data[colon];
98 /* skip leading whitespace */
99 while(*value && ISBLANK(*value))
104 while(*value && ISBLANK(*value)) {
109 /* replace any number of consecutive whitespace with a single space,
110 unless at the end of the string, then nothing */
117 *store = 0; /* null terminate */
121 /* maximum lenth for the aws sivg4 parts */
122 #define MAX_SIGV4_LEN 64
123 #define MAX_SIGV4_LEN_TXT "64"
125 #define DATE_HDR_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Date"))
127 #define MAX_HOST_LEN 255
129 #define FULL_HOST_LEN (MAX_HOST_LEN + sizeof("host:"))
131 /* string been x-PROVIDER-date:TIMESTAMP, I need +1 for ':' */
132 #define DATE_FULL_HDR_LEN (DATE_HDR_KEY_LEN + TIMESTAMP_SIZE + 1)
134 /* timestamp should point to a buffer of at last TIMESTAMP_SIZE bytes */
135 static CURLcode make_headers(struct Curl_easy *data,
136 const char *hostname,
140 struct dynbuf *canonical_headers,
141 struct dynbuf *signed_headers)
143 char date_hdr_key[DATE_HDR_KEY_LEN];
144 char date_full_hdr[DATE_FULL_HDR_LEN];
145 struct curl_slist *head = NULL;
146 struct curl_slist *tmp_head = NULL;
147 CURLcode ret = CURLE_OUT_OF_MEMORY;
148 struct curl_slist *l;
152 Curl_strntolower(provider1, provider1, strlen(provider1));
153 provider1[0] = Curl_raw_toupper(provider1[0]);
155 msnprintf(date_hdr_key, DATE_HDR_KEY_LEN, "X-%s-Date", provider1);
157 /* provider1 lowercase */
158 Curl_strntolower(provider1, provider1, 1); /* first byte only */
159 msnprintf(date_full_hdr, DATE_FULL_HDR_LEN,
160 "x-%s-date:%s", provider1, timestamp);
162 if(Curl_checkheaders(data, STRCONST("Host"))) {
166 char full_host[FULL_HOST_LEN + 1];
168 if(data->state.aptr.host) {
171 if(strlen(data->state.aptr.host) > FULL_HOST_LEN) {
172 ret = CURLE_URL_MALFORMAT;
175 strcpy(full_host, data->state.aptr.host);
176 /* remove /r/n as the separator for canonical request must be '\n' */
177 pos = strcspn(full_host, "\n\r");
181 if(strlen(hostname) > MAX_HOST_LEN) {
182 ret = CURLE_URL_MALFORMAT;
185 msnprintf(full_host, FULL_HOST_LEN, "host:%s", hostname);
188 head = curl_slist_append(NULL, full_host);
194 for(l = data->set.headers; l; l = l->next) {
195 tmp_head = curl_slist_append(head, l->data);
203 *date_header = find_date_hdr(data, date_hdr_key);
205 tmp_head = curl_slist_append(head, date_full_hdr);
209 *date_header = curl_maprintf("%s: %s", date_hdr_key, timestamp);
214 *date_header = strdup(*date_header);
218 value = strchr(*date_header, ':');
222 while(ISBLANK(*value))
224 strncpy(timestamp, value, TIMESTAMP_SIZE - 1);
225 timestamp[TIMESTAMP_SIZE - 1] = 0;
228 /* alpha-sort in a case sensitive manner */
231 for(l = head; l; l = l->next) {
232 struct curl_slist *next = l->next;
234 if(next && strcmp(l->data, next->data) > 0) {
237 l->data = next->data;
244 for(l = head; l; l = l->next) {
247 if(Curl_dyn_add(canonical_headers, l->data))
249 if(Curl_dyn_add(canonical_headers, "\n"))
252 tmp = strchr(l->data, ':');
257 if(Curl_dyn_add(signed_headers, ";"))
260 if(Curl_dyn_add(signed_headers, l->data))
266 curl_slist_free_all(head);
271 CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy)
273 CURLcode ret = CURLE_OUT_OF_MEMORY;
274 struct connectdata *conn = data->conn;
277 char provider0[MAX_SIGV4_LEN + 1]="";
278 char provider1[MAX_SIGV4_LEN + 1]="";
279 char region[MAX_SIGV4_LEN + 1]="";
280 char service[MAX_SIGV4_LEN + 1]="";
281 const char *hostname = conn->host.name;
284 char timestamp[TIMESTAMP_SIZE];
286 struct dynbuf canonical_headers;
287 struct dynbuf signed_headers;
288 char *date_header = NULL;
289 const char *post_data = data->set.postfields;
290 size_t post_data_len = 0;
291 unsigned char sha_hash[32];
293 char *canonical_request = NULL;
294 char *request_type = NULL;
295 char *credential_scope = NULL;
296 char *str_to_sign = NULL;
297 const char *user = data->state.aptr.user ? data->state.aptr.user : "";
299 unsigned char sign0[32] = {0};
300 unsigned char sign1[32] = {0};
301 char *auth_headers = NULL;
306 if(Curl_checkheaders(data, STRCONST("Authorization"))) {
307 /* Authorization already present, Bailing out */
311 /* we init thoses buffers here, so goto fail will free initialized dynbuf */
312 Curl_dyn_init(&canonical_headers, CURL_MAX_HTTP_HEADER);
313 Curl_dyn_init(&signed_headers, CURL_MAX_HTTP_HEADER);
317 * Google and Outscale use the same OSC or GOOG,
318 * but Amazon uses AWS and AMZ for header arguments.
319 * AWS is the default because most of non-amazon providers
320 * are still using aws:amz as a prefix.
322 arg = data->set.str[STRING_AWS_SIGV4] ?
323 data->set.str[STRING_AWS_SIGV4] : "aws:amz";
325 /* provider1[:provider2[:region[:service]]]
327 No string can be longer than N bytes of non-whitespace
329 (void)sscanf(arg, "%" MAX_SIGV4_LEN_TXT "[^:]"
330 ":%" MAX_SIGV4_LEN_TXT "[^:]"
331 ":%" MAX_SIGV4_LEN_TXT "[^:]"
332 ":%" MAX_SIGV4_LEN_TXT "s",
333 provider0, provider1, region, service);
335 failf(data, "first provider can't be empty");
336 ret = CURLE_BAD_FUNCTION_ARGUMENT;
339 else if(!provider1[0])
340 strcpy(provider1, provider0);
343 char *hostdot = strchr(hostname, '.');
345 failf(data, "service missing in parameters and hostname");
346 ret = CURLE_URL_MALFORMAT;
349 len = hostdot - hostname;
350 if(len > MAX_SIGV4_LEN) {
351 failf(data, "service too long in hostname");
352 ret = CURLE_URL_MALFORMAT;
355 strncpy(service, hostname, len);
359 const char *reg = hostdot + 1;
360 const char *hostreg = strchr(reg, '.');
362 failf(data, "region missing in parameters and hostname");
363 ret = CURLE_URL_MALFORMAT;
367 if(len > MAX_SIGV4_LEN) {
368 failf(data, "region too long in hostname");
369 ret = CURLE_URL_MALFORMAT;
372 strncpy(region, reg, len);
379 char *force_timestamp = getenv("CURL_FORCETIME");
388 ret = Curl_gmtime(clock, &tm);
392 if(!strftime(timestamp, sizeof(timestamp), "%Y%m%dT%H%M%SZ", &tm)) {
393 ret = CURLE_OUT_OF_MEMORY;
397 ret = make_headers(data, hostname, timestamp, provider1,
398 &date_header, &canonical_headers, &signed_headers);
401 ret = CURLE_OUT_OF_MEMORY;
403 memcpy(date, timestamp, sizeof(date));
404 date[sizeof(date) - 1] = 0;
407 if(data->set.postfieldsize < 0)
408 post_data_len = strlen(post_data);
410 post_data_len = (size_t)data->set.postfieldsize;
412 if(Curl_sha256it(sha_hash, (const unsigned char *) post_data,
416 sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex));
419 Curl_HttpReq httpreq;
422 Curl_http_method(data, conn, &method, &httpreq);
425 curl_maprintf("%s\n" /* HTTPRequestMethod */
426 "%s\n" /* CanonicalURI */
427 "%s\n" /* CanonicalQueryString */
428 "%s\n" /* CanonicalHeaders */
429 "%s\n" /* SignedHeaders */
430 "%s", /* HashedRequestPayload in hex */
433 data->state.up.query ? data->state.up.query : "",
434 Curl_dyn_ptr(&canonical_headers),
435 Curl_dyn_ptr(&signed_headers),
437 if(!canonical_request)
441 /* provider 0 lowercase */
442 Curl_strntolower(provider0, provider0, strlen(provider0));
443 request_type = curl_maprintf("%s4_request", provider0);
447 credential_scope = curl_maprintf("%s/%s/%s/%s",
448 date, region, service, request_type);
449 if(!credential_scope)
452 if(Curl_sha256it(sha_hash, (unsigned char *) canonical_request,
453 strlen(canonical_request)))
456 sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex));
458 /* provider 0 uppercase */
459 Curl_strntoupper(provider0, provider0, strlen(provider0));
462 * Google allows using RSA key instead of HMAC, so this code might change
463 * in the future. For now we ony support HMAC.
465 str_to_sign = curl_maprintf("%s4-HMAC-SHA256\n" /* Algorithm */
466 "%s\n" /* RequestDateTime */
467 "%s\n" /* CredentialScope */
468 "%s", /* HashedCanonicalRequest in hex */
477 /* provider 0 uppercase */
478 secret = curl_maprintf("%s4%s", provider0,
479 data->state.aptr.passwd ?
480 data->state.aptr.passwd : "");
484 HMAC_SHA256(secret, strlen(secret), date, strlen(date), sign0);
485 HMAC_SHA256(sign0, sizeof(sign0), region, strlen(region), sign1);
486 HMAC_SHA256(sign1, sizeof(sign1), service, strlen(service), sign0);
487 HMAC_SHA256(sign0, sizeof(sign0), request_type, strlen(request_type), sign1);
488 HMAC_SHA256(sign1, sizeof(sign1), str_to_sign, strlen(str_to_sign), sign0);
490 sha256_to_hex(sha_hex, sign0, sizeof(sha_hex));
492 /* provider 0 uppercase */
493 auth_headers = curl_maprintf("Authorization: %s4-HMAC-SHA256 "
501 Curl_dyn_ptr(&signed_headers),
508 Curl_safefree(data->state.aptr.userpwd);
509 data->state.aptr.userpwd = auth_headers;
510 data->state.authhost.done = TRUE;
514 Curl_dyn_free(&canonical_headers);
515 Curl_dyn_free(&signed_headers);
516 free(canonical_request);
518 free(credential_scope);
525 #endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) */