author | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-07-09 13:01:57 +0300 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-07-09 23:20:17 +0300 |
commit | 131b6ab56cbec838346fd493f3fe96438e3b58e7 (patch) | |
tree | 1a30a33f6447fcbeba9810542121dc7003d3129a /lib/reqsign.c | |
parent | 7f40bb8674983f8e4fc11fbebe56f88daa812c1a (diff) | |
download | eclat-131b6ab56cbec838346fd493f3fe96438e3b58e7.tar.gz eclat-131b6ab56cbec838346fd493f3fe96438e3b58e7.tar.bz2 |
Implement signature version 4 signing process
* lib/libeclat.h (ec2_param) <encoded>: New member.
(ec2_query) <signature>: Remove.
<headers,region,access_key>: New members
(eclat_query_create): Take two more arguments. All uses changed.
(eclat_query_add_param_encoded)
(eclat_query_add_header): New functions.
* lib/q2url.c (eclat_query_to_url): Don't create Signature param:
it is already in the param list (for v2 process).
* lib/qaddparm.c (eclat_query_add_param_encoded): New function.
(eclat_query_add_header): New function.
* lib/qcreat.c (eclat_query_create): Take region and access key
as additional parameters.
* lib/qencode.c (encode_param): Skip parameters that have encoded
set to true.
* lib/reqsign.c (querysign2): Store access key in AWSAccessKeyId
and the generated signature in the Signature parameters.
(eclat_hex_encode): New function.
(querysign4): Implement signature version 4 signing process.
* src/ec2map.c: Update call to eclat_query_create.
* src/eclat.c: Likewise.
* src/util.c (eclat_send_query): Sign the query and add
requested headers prior to sending.
* doc/eclat.conf.5: Document signature-version.
* NEWS: Likewise.
Diffstat (limited to 'lib/reqsign.c')
-rw-r--r-- | lib/reqsign.c | 230 |
1 files changed, 222 insertions, 8 deletions
diff --git a/lib/reqsign.c b/lib/reqsign.c index d09b938..774f69b 100644 --- a/lib/reqsign.c +++ b/lib/reqsign.c @@ -52,6 +52,7 @@ querysign2(struct ec2_query *req, char *secret) struct pname pn; char *str; char digest[SHA256_DIGEST_SIZE]; + char *signature; size_t siglen; const char *verb; char tsbuf[22]; @@ -60,6 +61,7 @@ querysign2(struct ec2_query *req, char *secret) acc = grecs_txtacc_create(); /* Add default parameters */ + eclat_query_add_param(req, "AWSAccessKeyId", req->access_key); eclat_query_add_param(req, "SignatureMethod", "HmacSHA256"); eclat_query_add_param(req, "SignatureVersion", "2"); @@ -78,11 +80,11 @@ querysign2(struct ec2_query *req, char *secret) qsort(pnames, n, sizeof(pnames[0]), compnames); verb = (req->flags & EC2_QF_POST) ? "POST" : "GET"; - grecs_txtacc_grow(acc, verb, strlen(verb)); + grecs_txtacc_grow_string(acc, verb); grecs_txtacc_grow_char(acc, '\n'); - grecs_txtacc_grow(acc, req->endpoint, strlen(req->endpoint)); + grecs_txtacc_grow_string(acc, req->endpoint); grecs_txtacc_grow_char(acc, '\n'); - grecs_txtacc_grow(acc, req->uri, strlen(req->uri)); + grecs_txtacc_grow_string(acc, req->uri); grecs_txtacc_grow_char(acc, '\n'); /* Append a canonicalized query string */ @@ -95,10 +97,10 @@ querysign2(struct ec2_query *req, char *secret) abort(); if (i != 0) grecs_txtacc_grow_char(acc, '&'); - grecs_txtacc_grow(acc, p->name, strlen(p->name)); + grecs_txtacc_grow_string(acc, p->name); if (p->value) { grecs_txtacc_grow_char(acc, '='); - grecs_txtacc_grow(acc, p->value, strlen(p->value)); + grecs_txtacc_grow_string(acc, p->value); } } grecs_txtacc_grow_char(acc, 0); 
@@ -107,8 +109,10 @@ querysign2(struct ec2_query *req, char *secret) hmac_sha256(str, strlen(str), secret, strlen(secret), digest); eclat_base64_encode((unsigned char *)digest, sizeof(digest), - (unsigned char**) &req->signature, &siglen); - + (unsigned char**) &signature, &siglen); + eclat_query_add_param_encoded(req, "Signature", signature); + free(signature); + grecs_txtacc_free(acc); free(pnames); 
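Review bot: The base64 signature is attached with `eclat_query_add_param_encoded(req, "Signature", signature);`, which according to the commit description makes the encoder skip the parameter, yet base64 output contains `+`, `/` and `=`, all of which must be percent-encoded when the value is placed in a query string. Unless eclat_base64_encode already produces URL-safe or percent-encoded output, the parameter should be added as a plain `eclat_query_add_param(req, "Signature", signature);` so it goes through the normal encoding pass, or be percent-encoded here before being marked as already encoded. The `siglen` value returned by the base64 encoder is still computed but no longer used after this change. querysign2 begins outside this hunk.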
@@ -119,10 +123,220 @@ querysign2(struct ec2_query *req, char *secret) */ } +void +eclat_hex_encode(unsigned char *input, size_t inlen, + char **poutput, size_t *poutlen) +{ + size_t l = inlen * 2; + char *p = grecs_malloc(l + 1); + + *poutput = p; + *poutlen = l; + + while (inlen--) { + static char xdig[] = "0123456789abcdef"; + unsigned c = *input++; + + *p++ = xdig[c >> 4]; + *p++ = xdig[c & 0xf]; + } +} + +/* Ref. http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html + */ static void querysign4(struct ec2_query *req, char *secret) { - abort(); + char **pnames; + struct pname pn; + size_t i, n; + struct grecs_txtacc *acc; + char digest[SHA256_DIGEST_SIZE]; + size_t siglen; + const char *verb; + char tsbuf[22]; + time_t t; + char const *p; + char const *payload; + unsigned char *plhash = NULL; + size_t plsize = 0; + char *string_to_sign; + static char algostr[] = "AWS4-HMAC-SHA256"; + static char termstr[] = "aws4_request"; + char *canonical_req; + char *signed_headers; + char *credential; + char *signature; + struct sha256_ctx ctx; + char *service; + size_t service_len; + + service = req->endpoint; + service_len = strcspn(service, "."); + + /* Create text accumulator */ + acc = grecs_txtacc_create(); + + /* Timestamp */ + time(&t); + strftime(tsbuf, sizeof(tsbuf), "%Y%m%dT%H%M%SZ", gmtime(&t)); + + /* Build credential */ + grecs_txtacc_grow_string(acc, req->access_key); + grecs_txtacc_grow_char(acc, '/'); + grecs_txtacc_grow(acc, tsbuf, 8); /* %Y%m%d part only */ + grecs_txtacc_grow_char(acc, '/'); + grecs_txtacc_grow_string(acc, req->region); + grecs_txtacc_grow_char(acc, '/'); + grecs_txtacc_grow(acc, service, service_len); + grecs_txtacc_grow_char(acc, '/'); + grecs_txtacc_grow_string(acc, termstr); + grecs_txtacc_grow_char(acc, 0); + credential = grecs_txtacc_finish(acc, 0); + + /* Signed headers */ + grecs_txtacc_grow_string(acc, "host"); + grecs_txtacc_grow_char(acc, 0); + signed_headers = grecs_txtacc_finish(acc, 0); + + 
eclat_query_add_header(req, "Host", req->endpoint); + if (!(req->flags & EC2_QF_POST)) { + eclat_query_add_param(req, "X-Amz-Algorithm", algostr); + eclat_query_add_param(req, "X-Amz-Date", tsbuf); + eclat_query_add_param(req, "X-Amz-SignedHeaders", + signed_headers); + eclat_query_add_param(req, "X-Amz-Credential", credential); + } + + /* Encode the query */ + eclat_query_encode(req); + + /* Collect and sort parameter names */ + n = grecs_symtab_count_entries(req->params); + pnames = grecs_calloc(n, sizeof(pnames[0])); + pn.i = 0; + pn.a = pnames; + grecs_symtab_enumerate(req->params, get_param_name, &pn); + qsort(pnames, n, sizeof(pnames[0]), compnames); + + /* Create a canonical request */ + verb = (req->flags & EC2_QF_POST) ? "POST" : "GET"; + grecs_txtacc_grow_string(acc, verb); + grecs_txtacc_grow_char(acc, '\n'); + grecs_txtacc_grow_string(acc, req->uri); + grecs_txtacc_grow_char(acc, '\n'); + /* Append a canonicalized query string */ + for (i = 0; i < n; i++) { + struct ec2_param *p, key; + + key.name = pnames[i]; + p = grecs_symtab_lookup_or_install(req->params, &key, NULL); + if (!p) + abort(); + if (i != 0) + grecs_txtacc_grow_char(acc, '&'); + grecs_txtacc_grow_string(acc, p->name); + if (p->value) { + grecs_txtacc_grow_char(acc, '='); + grecs_txtacc_grow_string(acc, p->value); + } + } + grecs_txtacc_grow_char(acc, '\n'); + + /* CanonicalHeaders */ + grecs_txtacc_grow_string(acc, "host:"); + grecs_txtacc_grow_string(acc, req->endpoint); + grecs_txtacc_grow_char(acc, '\n'); + /* end of headers */ + grecs_txtacc_grow_char(acc, '\n'); + /* Signed Headers */ + grecs_txtacc_grow_string(acc, signed_headers); + grecs_txtacc_grow_char(acc, '\n'); + /* Payload hash */ + if (req->flags & EC2_QF_POST) + /* FIXME: payload = req->query */; + else + payload = ""; + + sha256_init_ctx(&ctx); + sha256_process_bytes(payload, strlen(payload), &ctx); + sha256_finish_ctx(&ctx, digest); + + eclat_hex_encode((unsigned char *)digest, sizeof(digest), + &plhash, &plsize); + 
grecs_txtacc_grow(acc, plhash, plsize); + free(plhash); + + grecs_txtacc_grow_char(acc, 0); + canonical_req = grecs_txtacc_finish(acc, 0); + + sha256_init_ctx(&ctx); + sha256_process_bytes(canonical_req, strlen(canonical_req), &ctx); + sha256_finish_ctx(&ctx, digest); + eclat_hex_encode((unsigned char *)digest, sizeof(digest), + &canonical_req, &plsize); + + /* Create a string to sign */ + grecs_txtacc_grow_string(acc, algostr); + grecs_txtacc_grow_char(acc, '\n'); + grecs_txtacc_grow_string(acc, tsbuf); + grecs_txtacc_grow_char(acc, '\n'); + /* credential scope: */ + grecs_txtacc_grow(acc, tsbuf, 8); /* %Y%m%d part only */ + grecs_txtacc_grow_char(acc, '/'); + grecs_txtacc_grow_string(acc, req->region); + grecs_txtacc_grow_char(acc, '/'); + grecs_txtacc_grow(acc, service, service_len); + grecs_txtacc_grow_char(acc, '/'); + grecs_txtacc_grow_string(acc, termstr); + grecs_txtacc_grow_char(acc, '\n'); + + /* hashed request */ + grecs_txtacc_grow_string(acc, canonical_req); + + grecs_txtacc_grow_char(acc, 0); + string_to_sign = grecs_txtacc_finish(acc, 0); + + /* Derive a signing key */ + grecs_txtacc_grow_string(acc, "AWS4"); + grecs_txtacc_grow_string(acc, secret); + grecs_txtacc_grow_char(acc, 0); + p = grecs_txtacc_finish(acc, 0); + + hmac_sha256(tsbuf, 8, p, strlen(p), digest); + hmac_sha256(req->region, strlen(req->region), digest, sizeof(digest), + digest); + hmac_sha256(service, service_len, digest, sizeof(digest), + digest); + hmac_sha256(termstr, strlen(termstr), digest, sizeof(digest), + digest); + + /* Calculate the signature */ + hmac_sha256(string_to_sign, strlen(string_to_sign), + digest, sizeof(digest), + digest); + eclat_hex_encode((unsigned char *)digest, sizeof(digest), + &signature, &plsize); + + if (req->flags & EC2_QF_POST) { + /* Build authorization header */ + grecs_txtacc_grow_string(acc, algostr); + grecs_txtacc_grow_string(acc, " Credential="); + grecs_txtacc_grow_string(acc, credential); + grecs_txtacc_grow_string(acc, ", SignedHeaders="); 
+ grecs_txtacc_grow_string(acc, signed_headers); + grecs_txtacc_grow_string(acc, ", Signature="); + grecs_txtacc_grow_string(acc, signature); + grecs_txtacc_grow_char(acc, 0); + p = grecs_txtacc_finish(acc, 0); + eclat_query_add_header(req, "Authorization", p); + } else { + eclat_query_add_param(req, "X-Amz-Signature", signature); + } + free(signature); + grecs_txtacc_free(acc); + /* Encode the query */ + eclat_query_encode(req); } |
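Review bot: eclat_hex_encode allocates `l + 1` bytes but never writes the terminator, so every caller that treats its result as a C string — `grecs_txtacc_grow_string(acc, canonical_req)` after the second hash, and `signature` in `grecs_txtacc_grow_string(acc, signature)` / `eclat_query_add_param(req, "X-Amz-Signature", signature)` — reads past the end of a heap buffer; add `*p = 0;` after the loop. In querysign4 the POST branch is an empty statement (`/* FIXME: payload = req->query */;`), so `payload` is read uninitialized by `strlen(payload)`; until the body hash is implemented declare it as `char const *payload = "";` and consider refusing to sign a POST rather than signing an empty-payload hash. The hex string that eclat_hex_encode stores back into `canonical_req` comes from grecs_malloc and, unlike `plhash` and `signature`, is never released; add `free(canonical_req);` once it has been appended to the string to sign. The derived signing key left in `digest` and the `"AWS4"` + secret concatenation kept in the accumulator until grecs_txtacc_free are not wiped; if the library offers an explicit-zero helper it should be applied to both before they are freed. `plhash` is declared `unsigned char *` but passed to a `char **` parameter, which compilers will flag as an incompatible pointer type.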