1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.haxx.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 ***************************************************************************/
22
23 #include "curl_setup.h"
24
25 #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
26
27 #include "urldata.h"
28 #include "strcase.h"
29 #include "strdup.h"
30 #include "vauth/vauth.h"
31 #include "vauth/digest.h"
32 #include "http_aws_sigv4.h"
33 #include "curl_sha256.h"
34 #include "transfer.h"
35
36 #include "strcase.h"
37 #include "parsedate.h"
38 #include "sendf.h"
39
40 #include <time.h>
41
42 /* The last 3 #include files should be in this order */
43 #include "curl_printf.h"
44 #include "curl_memory.h"
45 #include "memdebug.h"
46
47 #define HMAC_SHA256(k, kl, d, dl, o) \
48 do { \
49 ret = Curl_hmacit(Curl_HMAC_SHA256, \
50 (unsigned char *)k, \
51 (unsigned int)kl, \
52 (unsigned char *)d, \
53 (unsigned int)dl, o); \
54 if(ret != CURLE_OK) { \
55 goto fail; \
56 } \
57 } while(0)
58
sha256_to_hex(char * dst,unsigned char * sha,size_t dst_l)59 static void sha256_to_hex(char *dst, unsigned char *sha, size_t dst_l)
60 {
61 int i;
62
63 DEBUGASSERT(dst_l >= 65);
64 for(i = 0; i < 32; ++i) {
65 curl_msnprintf(dst + (i * 2), dst_l - (i * 2), "%02x", sha[i]);
66 }
67 }
68
Curl_output_aws_sigv4(struct Curl_easy * data,bool proxy)69 CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy)
70 {
71 CURLcode ret = CURLE_OUT_OF_MEMORY;
72 struct connectdata *conn = data->conn;
73 size_t len;
74 const char *tmp0;
75 const char *tmp1;
76 char *provider0_low = NULL;
77 char *provider0_up = NULL;
78 char *provider1_low = NULL;
79 char *provider1_mid = NULL;
80 char *region = NULL;
81 char *service = NULL;
82 const char *hostname = conn->host.name;
83 #ifdef DEBUGBUILD
84 char *force_timestamp;
85 #endif
86 time_t clock;
87 struct tm tm;
88 char timestamp[17];
89 char date[9];
90 const char *content_type = Curl_checkheaders(data, "Content-Type");
91 char *canonical_headers = NULL;
92 char *signed_headers = NULL;
93 Curl_HttpReq httpreq;
94 const char *method;
95 size_t post_data_len;
96 const char *post_data = data->set.postfields ? data->set.postfields : "";
97 unsigned char sha_hash[32];
98 char sha_hex[65];
99 char *canonical_request = NULL;
100 char *request_type = NULL;
101 char *credential_scope = NULL;
102 char *str_to_sign = NULL;
103 const char *user = data->state.aptr.user ? data->state.aptr.user : "";
104 const char *passwd = data->state.aptr.passwd ? data->state.aptr.passwd : "";
105 char *secret = NULL;
106 unsigned char tmp_sign0[32] = {0};
107 unsigned char tmp_sign1[32] = {0};
108 char *auth_headers = NULL;
109
110 DEBUGASSERT(!proxy);
111 (void)proxy;
112
113 if(Curl_checkheaders(data, "Authorization")) {
114 /* Authorization already present, Bailing out */
115 return CURLE_OK;
116 }
117
118 /*
119 * Parameters parsing
120 * Google and Outscale use the same OSC or GOOG,
121 * but Amazon uses AWS and AMZ for header arguments.
122 * AWS is the default because most of non-amazon providers
123 * are still using aws:amz as a prefix.
124 */
125 tmp0 = data->set.str[STRING_AWS_SIGV4] ?
126 data->set.str[STRING_AWS_SIGV4] : "aws:amz";
127 tmp1 = strchr(tmp0, ':');
128 len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
129 if(len < 1) {
130 infof(data, "first provider can't be empty");
131 ret = CURLE_BAD_FUNCTION_ARGUMENT;
132 goto fail;
133 }
134 provider0_low = malloc(len + 1);
135 provider0_up = malloc(len + 1);
136 if(!provider0_low || !provider0_up) {
137 goto fail;
138 }
139 Curl_strntolower(provider0_low, tmp0, len);
140 provider0_low[len] = '\0';
141 Curl_strntoupper(provider0_up, tmp0, len);
142 provider0_up[len] = '\0';
143
144 if(tmp1) {
145 tmp0 = tmp1 + 1;
146 tmp1 = strchr(tmp0, ':');
147 len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
148 if(len < 1) {
149 infof(data, "second provider can't be empty");
150 ret = CURLE_BAD_FUNCTION_ARGUMENT;
151 goto fail;
152 }
153 provider1_low = malloc(len + 1);
154 provider1_mid = malloc(len + 1);
155 if(!provider1_low || !provider1_mid) {
156 goto fail;
157 }
158 Curl_strntolower(provider1_low, tmp0, len);
159 provider1_low[len] = '\0';
160 Curl_strntolower(provider1_mid, tmp0, len);
161 provider1_mid[0] = Curl_raw_toupper(provider1_mid[0]);
162 provider1_mid[len] = '\0';
163
164 if(tmp1) {
165 tmp0 = tmp1 + 1;
166 tmp1 = strchr(tmp0, ':');
167 len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
168 if(len < 1) {
169 infof(data, "region can't be empty");
170 ret = CURLE_BAD_FUNCTION_ARGUMENT;
171 goto fail;
172 }
173 region = Curl_memdup(tmp0, len + 1);
174 if(!region) {
175 goto fail;
176 }
177 region[len] = '\0';
178
179 if(tmp1) {
180 tmp0 = tmp1 + 1;
181 service = strdup(tmp0);
182 if(!service) {
183 goto fail;
184 }
185 if(strlen(service) < 1) {
186 infof(data, "service can't be empty");
187 ret = CURLE_BAD_FUNCTION_ARGUMENT;
188 goto fail;
189 }
190 }
191 }
192 }
193 else {
194 provider1_low = Curl_memdup(provider0_low, len + 1);
195 provider1_mid = Curl_memdup(provider0_low, len + 1);
196 if(!provider1_low || !provider1_mid) {
197 goto fail;
198 }
199 provider1_mid[0] = Curl_raw_toupper(provider1_mid[0]);
200 }
201
202 if(!service) {
203 tmp0 = hostname;
204 tmp1 = strchr(tmp0, '.');
205 len = tmp1 - tmp0;
206 if(!tmp1 || len < 1) {
207 infof(data, "service missing in parameters or hostname");
208 ret = CURLE_URL_MALFORMAT;
209 goto fail;
210 }
211 service = Curl_memdup(tmp0, len + 1);
212 if(!service) {
213 goto fail;
214 }
215 service[len] = '\0';
216
217 if(!region) {
218 tmp0 = tmp1 + 1;
219 tmp1 = strchr(tmp0, '.');
220 len = tmp1 - tmp0;
221 if(!tmp1 || len < 1) {
222 infof(data, "region missing in parameters or hostname");
223 ret = CURLE_URL_MALFORMAT;
224 goto fail;
225 }
226 region = Curl_memdup(tmp0, len + 1);
227 if(!region) {
228 goto fail;
229 }
230 region[len] = '\0';
231 }
232 }
233
234 #ifdef DEBUGBUILD
235 force_timestamp = getenv("CURL_FORCETIME");
236 if(force_timestamp)
237 clock = 0;
238 else
239 time(&clock);
240 #else
241 time(&clock);
242 #endif
243 ret = Curl_gmtime(clock, &tm);
244 if(ret != CURLE_OK) {
245 goto fail;
246 }
247 if(!strftime(timestamp, sizeof(timestamp), "%Y%m%dT%H%M%SZ", &tm)) {
248 goto fail;
249 }
250 memcpy(date, timestamp, sizeof(date));
251 date[sizeof(date) - 1] = 0;
252
253 if(content_type) {
254 content_type = strchr(content_type, ':');
255 if(!content_type) {
256 ret = CURLE_FAILED_INIT;
257 goto fail;
258 }
259 content_type++;
260 /* Skip whitespace now */
261 while(*content_type == ' ' || *content_type == '\t')
262 ++content_type;
263
264 canonical_headers = curl_maprintf("content-type:%s\n"
265 "host:%s\n"
266 "x-%s-date:%s\n",
267 content_type,
268 hostname,
269 provider1_low, timestamp);
270 signed_headers = curl_maprintf("content-type;host;x-%s-date",
271 provider1_low);
272 }
273 else {
274 canonical_headers = curl_maprintf("host:%s\n"
275 "x-%s-date:%s\n",
276 hostname,
277 provider1_low, timestamp);
278 signed_headers = curl_maprintf("host;x-%s-date", provider1_low);
279 }
280
281 if(!canonical_headers || !signed_headers) {
282 goto fail;
283 }
284
285 if(data->set.postfieldsize < 0)
286 post_data_len = strlen(post_data);
287 else
288 post_data_len = (size_t)data->set.postfieldsize;
289 Curl_sha256it(sha_hash,
290 (const unsigned char *) post_data, post_data_len);
291 sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex));
292
293 Curl_http_method(data, conn, &method, &httpreq);
294
295 canonical_request =
296 curl_maprintf("%s\n" /* HTTPRequestMethod */
297 "%s\n" /* CanonicalURI */
298 "%s\n" /* CanonicalQueryString */
299 "%s\n" /* CanonicalHeaders */
300 "%s\n" /* SignedHeaders */
301 "%s", /* HashedRequestPayload in hex */
302 method,
303 data->state.up.path,
304 data->state.up.query ? data->state.up.query : "",
305 canonical_headers,
306 signed_headers,
307 sha_hex);
308 if(!canonical_request) {
309 goto fail;
310 }
311
312 request_type = curl_maprintf("%s4_request", provider0_low);
313 if(!request_type) {
314 goto fail;
315 }
316
317 credential_scope = curl_maprintf("%s/%s/%s/%s",
318 date, region, service, request_type);
319 if(!credential_scope) {
320 goto fail;
321 }
322
323 Curl_sha256it(sha_hash, (unsigned char *) canonical_request,
324 strlen(canonical_request));
325 sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex));
326
327 /*
328 * Google allow to use rsa key instead of HMAC, so this code might change
329 * In the future, but for now we support only HMAC version
330 */
331 str_to_sign = curl_maprintf("%s4-HMAC-SHA256\n" /* Algorithm */
332 "%s\n" /* RequestDateTime */
333 "%s\n" /* CredentialScope */
334 "%s", /* HashedCanonicalRequest in hex */
335 provider0_up,
336 timestamp,
337 credential_scope,
338 sha_hex);
339 if(!str_to_sign) {
340 goto fail;
341 }
342
343 secret = curl_maprintf("%s4%s", provider0_up, passwd);
344 if(!secret) {
345 goto fail;
346 }
347
348 HMAC_SHA256(secret, strlen(secret),
349 date, strlen(date), tmp_sign0);
350 HMAC_SHA256(tmp_sign0, sizeof(tmp_sign0),
351 region, strlen(region), tmp_sign1);
352 HMAC_SHA256(tmp_sign1, sizeof(tmp_sign1),
353 service, strlen(service), tmp_sign0);
354 HMAC_SHA256(tmp_sign0, sizeof(tmp_sign0),
355 request_type, strlen(request_type), tmp_sign1);
356 HMAC_SHA256(tmp_sign1, sizeof(tmp_sign1),
357 str_to_sign, strlen(str_to_sign), tmp_sign0);
358
359 sha256_to_hex(sha_hex, tmp_sign0, sizeof(sha_hex));
360
361 auth_headers = curl_maprintf("Authorization: %s4-HMAC-SHA256 "
362 "Credential=%s/%s, "
363 "SignedHeaders=%s, "
364 "Signature=%s\r\n"
365 "X-%s-Date: %s\r\n",
366 provider0_up,
367 user,
368 credential_scope,
369 signed_headers,
370 sha_hex,
371 provider1_mid,
372 timestamp);
373 if(!auth_headers) {
374 goto fail;
375 }
376
377 Curl_safefree(data->state.aptr.userpwd);
378 data->state.aptr.userpwd = auth_headers;
379 data->state.authhost.done = TRUE;
380 ret = CURLE_OK;
381
382 fail:
383 free(provider0_low);
384 free(provider0_up);
385 free(provider1_low);
386 free(provider1_mid);
387 free(region);
388 free(service);
389 free(canonical_headers);
390 free(signed_headers);
391 free(canonical_request);
392 free(request_type);
393 free(credential_scope);
394 free(str_to_sign);
395 free(secret);
396 return ret;
397 }
398
399 #endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) */
400