From ed28ba5b1700aad54ee352625945632a51b2af10 Mon Sep 17 00:00:00 2001 
From: Dengke Date: Wed, 4 Sep 2024 14:22:20 -0700 Subject: [PATCH 1/5] Revert "add content-sha256 header for presign when the signed_body_value is set to UNSIGNED-PAYLOAD (#248)" This reverts commit 1de544597e9739f689e8ad2c055a86656856b3eb. --- .github/workflows/ci.yml | 2 +- source/aws_signing.c | 17 +++++--------- tests/CMakeLists.txt | 2 -- .../v4/post-unsigned-payload/context.json | 13 ----------- .../header-canonical-request.txt | 10 -------- .../header-signature.txt | 1 - .../header-signed-request.txt | 8 ------- .../header-string-to-sign.txt | 4 ---- .../query-canonical-request.txt | 9 -------- .../post-unsigned-payload/query-signature.txt | 1 - .../query-signed-request.txt | 6 ----- .../query-string-to-sign.txt | 4 ---- .../v4/post-unsigned-payload/request.txt | 5 ---- .../v4/post-vanilla/context.json | 2 +- .../post-x-www-form-urlencoded/context.json | 2 +- .../v4a/post-unsigned-payload/context.json | 13 ----------- .../header-canonical-request.txt | 11 --------- .../header-signature.txt | 1 - .../header-signed-request.txt | 9 -------- .../header-string-to-sign.txt | 4 ---- .../v4a/post-unsigned-payload/public-key.json | 4 ---- .../query-canonical-request.txt | 9 -------- .../post-unsigned-payload/query-signature.txt | 1 - .../query-signed-request.txt | 6 ----- .../query-string-to-sign.txt | 4 ---- .../v4a/post-unsigned-payload/request.txt | 5 ---- tests/sigv4_signing_tests.c | 23 ------------------- 27 files changed, 9 insertions(+), 167 deletions(-) delete mode 100644 tests/aws-signing-test-suite/v4/post-unsigned-payload/context.json delete mode 100644 tests/aws-signing-test-suite/v4/post-unsigned-payload/header-canonical-request.txt delete mode 100644 tests/aws-signing-test-suite/v4/post-unsigned-payload/header-signature.txt delete mode 100644 tests/aws-signing-test-suite/v4/post-unsigned-payload/header-signed-request.txt delete mode 100644 tests/aws-signing-test-suite/v4/post-unsigned-payload/header-string-to-sign.txt delete mode 100644 
tests/aws-signing-test-suite/v4/post-unsigned-payload/query-canonical-request.txt delete mode 100644 tests/aws-signing-test-suite/v4/post-unsigned-payload/query-signature.txt delete mode 100644 tests/aws-signing-test-suite/v4/post-unsigned-payload/query-signed-request.txt delete mode 100644 tests/aws-signing-test-suite/v4/post-unsigned-payload/query-string-to-sign.txt delete mode 100644 tests/aws-signing-test-suite/v4/post-unsigned-payload/request.txt delete mode 100644 tests/aws-signing-test-suite/v4a/post-unsigned-payload/context.json delete mode 100644 tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-canonical-request.txt delete mode 100644 tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-signature.txt delete mode 100644 tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-signed-request.txt delete mode 100644 tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-string-to-sign.txt delete mode 100644 tests/aws-signing-test-suite/v4a/post-unsigned-payload/public-key.json delete mode 100644 tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-canonical-request.txt delete mode 100644 tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-signature.txt delete mode 100644 tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-signed-request.txt delete mode 100644 tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-string-to-sign.txt delete mode 100644 tests/aws-signing-test-suite/v4a/post-unsigned-payload/request.txt diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9abf07d4..651b3b2b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,7 +6,7 @@ on: - 'main' env: - BUILDER_VERSION: v0.9.64 + BUILDER_VERSION: v0.9.62 BUILDER_SOURCE: releases BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net PACKAGE_NAME: aws-c-auth diff --git a/source/aws_signing.c b/source/aws_signing.c index d88ad139..fe5610e2 100644 --- a/source/aws_signing.c 
+++ b/source/aws_signing.c @@ -1336,17 +1336,10 @@ static int s_build_canonical_stable_header_list( } } - /* NOTE: Update MAX_AUTHORIZATION_HEADER_COUNT if more headers added */ - } - - /* - * x-amz-content-sha256 (optional) - */ - if (state->config.signed_body_header == AWS_SBHT_X_AMZ_CONTENT_SHA256) { - if (state->config.signature_type == AWS_ST_HTTP_REQUEST_HEADERS || - (state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS && - aws_byte_cursor_eq(&state->config.signed_body_value, &g_aws_signed_body_value_unsigned_payload))) { - /* Add the x-amz-content-sha256 header for UNSIGNED-PAYLOAD when signing via query params as well. */ + /* + * x-amz-content-sha256 (optional) + */ + if (state->config.signed_body_header == AWS_SBHT_X_AMZ_CONTENT_SHA256) { if (s_add_authorization_header( state, stable_header_list, @@ -1356,6 +1349,8 @@ static int s_build_canonical_stable_header_list( return AWS_OP_ERR; } } + + /* NOTE: Update MAX_AUTHORIZATION_HEADER_COUNT if more headers added */ } *out_required_capacity += aws_array_list_length(stable_header_list) * 2; /* ':' + '\n' per header */ diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 40235cf8..ea81c741 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -236,7 +236,6 @@ add_test_case(sigv4a_post_header_value_case_test) add_test_case(sigv4a_post_vanilla_test) add_test_case(sigv4a_post_vanilla_empty_query_value_test) add_test_case(sigv4a_post_vanilla_query_test) -add_test_case(sigv4a_post_unsigned_payload_test) add_test_case(sigv4a_post_x_www_form_urlencoded_test) add_test_case(sigv4a_post_x_www_form_urlencoded_parameters_test) add_test_case(sigv4a_post_sts_header_after_test) 
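Review bot: The restored block comment `x-amz-content-sha256 (optional)` no longer says under which signing mode the header is emitted, and the hunk itself shows only the `signed_body_header == AWS_SBHT_X_AMZ_CONTENT_SHA256` check; the `else if (state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS)` that a later patch in this series attaches to the closing brace suggests the enclosing block is the header-signing branch, so after this revert query-parameter signing apparently never carries this header even when `signed_body_value` is `UNSIGNED-PAYLOAD`. A comment naming the enclosing branch, e.g. `/* Emitted for header-based signing only (see the enclosing signature_type check). */`, would spare the next reader the trip through the revert history. The enclosing function `s_build_canonical_stable_header_list` starts outside the hunk.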
@@ -275,7 +274,6 @@ add_test_case(sigv4_post_header_key_sort_test) add_test_case(sigv4_post_header_value_case_test) add_test_case(sigv4_post_vanilla_test) add_test_case(sigv4_post_vanilla_empty_query_value_test) -add_test_case(sigv4_post_unsigned_payload_test) add_test_case(sigv4_post_vanilla_query_test) add_test_case(sigv4_post_x_www_form_urlencoded_test) add_test_case(sigv4_post_x_www_form_urlencoded_parameters_test) diff --git a/tests/aws-signing-test-suite/v4/post-unsigned-payload/context.json b/tests/aws-signing-test-suite/v4/post-unsigned-payload/context.json deleted file mode 100644 index fb94ba83..00000000 --- a/tests/aws-signing-test-suite/v4/post-unsigned-payload/context.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "credentials": { - "access_key_id": "AKIDEXAMPLE", - "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" - }, - "expiration_in_seconds": 3600, - "normalize": true, - "region": "us-east-1", - "service": "service", - "sign_body": true, - "signed_body_value": "UNSIGNED-PAYLOAD", - "timestamp": "2015-08-30T12:36:00Z" -} diff --git a/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-canonical-request.txt b/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-canonical-request.txt deleted file mode 100644 index 680f2925..00000000 --- a/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-canonical-request.txt +++ /dev/null @@ -1,10 +0,0 @@ -POST -/ - -content-length:13 -host:example.amazonaws.com -x-amz-content-sha256:UNSIGNED-PAYLOAD -x-amz-date:20150830T123600Z - -content-length;host;x-amz-content-sha256;x-amz-date -UNSIGNED-PAYLOAD \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-signature.txt b/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-signature.txt deleted file mode 100644 index 18bfb894..00000000 --- a/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-signature.txt +++ /dev/null 
@@ -1 +0,0 @@ -9fb60e8938d2178a7d63b49e055d1e65d8f6226f38846e8e0293bf43ce29050c \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-signed-request.txt b/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-signed-request.txt deleted file mode 100644 index b29935e2..00000000 --- a/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-signed-request.txt +++ /dev/null @@ -1,8 +0,0 @@ -POST / HTTP/1.1 -Host:example.amazonaws.com -Content-Length:13 -X-Amz-Date:20150830T123600Z -x-amz-content-sha256:UNSIGNED-PAYLOAD -Authorization:AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/service/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date, Signature=9fb60e8938d2178a7d63b49e055d1e65d8f6226f38846e8e0293bf43ce29050c - -Param1=value1 diff --git a/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-string-to-sign.txt b/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-string-to-sign.txt deleted file mode 100644 index cce856f6..00000000 --- a/tests/aws-signing-test-suite/v4/post-unsigned-payload/header-string-to-sign.txt +++ /dev/null @@ -1,4 +0,0 @@ -AWS4-HMAC-SHA256 -20150830T123600Z -20150830/us-east-1/service/aws4_request -9dd145dbd195542d88539477304a02796be6488c02842b4fc1b907203adc8663 \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-canonical-request.txt b/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-canonical-request.txt deleted file mode 100644 index de88b92d..00000000 --- a/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-canonical-request.txt +++ /dev/null 
@@ -1,9 +0,0 @@ -POST -/ -X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fservice%2Faws4_request&X-Amz-Date=20150830T123600Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=content-length%3Bhost%3Bx-amz-content-sha256 -content-length:13 -host:example.amazonaws.com -x-amz-content-sha256:UNSIGNED-PAYLOAD - -content-length;host;x-amz-content-sha256 -UNSIGNED-PAYLOAD \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-signature.txt b/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-signature.txt deleted file mode 100644 index f8a2c1a6..00000000 --- a/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-signature.txt +++ /dev/null @@ -1 +0,0 @@ -d5b951b200c7f96f239466b3e1978083ccd08678d4aea2b0bebaa6b2cf3d8c13 \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-signed-request.txt b/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-signed-request.txt deleted file mode 100644 index 3b977244..00000000 --- a/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-signed-request.txt +++ /dev/null @@ -1,6 +0,0 @@ -POST /?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fservice%2Faws4_request&X-Amz-Date=20150830T123600Z&X-Amz-SignedHeaders=content-length%3Bhost%3Bx-amz-content-sha256&X-Amz-Expires=3600&X-Amz-Signature=d5b951b200c7f96f239466b3e1978083ccd08678d4aea2b0bebaa6b2cf3d8c13 HTTP/1.1 -Host:example.amazonaws.com -Content-Length:13 -x-amz-content-sha256:UNSIGNED-PAYLOAD - -Param1=value1 diff --git a/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-string-to-sign.txt b/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-string-to-sign.txt deleted file mode 100644 index eaa46be5..00000000 --- a/tests/aws-signing-test-suite/v4/post-unsigned-payload/query-string-to-sign.txt +++ /dev/null 
@@ -1,4 +0,0 @@ -AWS4-HMAC-SHA256 -20150830T123600Z -20150830/us-east-1/service/aws4_request -24b3d8a2ee4f76884e0b2bedfaeb8f4feca93e09d9e53b7d13bc040efd106329 \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4/post-unsigned-payload/request.txt b/tests/aws-signing-test-suite/v4/post-unsigned-payload/request.txt deleted file mode 100644 index 4b107d53..00000000 --- a/tests/aws-signing-test-suite/v4/post-unsigned-payload/request.txt +++ /dev/null @@ -1,5 +0,0 @@ -POST / HTTP/1.1 -Host:example.amazonaws.com -Content-Length:13 - -Param1=value1 diff --git a/tests/aws-signing-test-suite/v4/post-vanilla/context.json b/tests/aws-signing-test-suite/v4/post-vanilla/context.json index 45771c75..0468d800 100644 --- a/tests/aws-signing-test-suite/v4/post-vanilla/context.json +++ b/tests/aws-signing-test-suite/v4/post-vanilla/context.json @@ -9,4 +9,4 @@ "service": "service", "sign_body": false, "timestamp": "2015-08-30T12:36:00Z" -} +} \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4/post-x-www-form-urlencoded/context.json b/tests/aws-signing-test-suite/v4/post-x-www-form-urlencoded/context.json index fc4bce6d..0db1df10 100644 --- a/tests/aws-signing-test-suite/v4/post-x-www-form-urlencoded/context.json +++ b/tests/aws-signing-test-suite/v4/post-x-www-form-urlencoded/context.json @@ -9,4 +9,4 @@ "service": "service", "sign_body": true, "timestamp": "2015-08-30T12:36:00Z" -} +} \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/context.json b/tests/aws-signing-test-suite/v4a/post-unsigned-payload/context.json deleted file mode 100644 index fb94ba83..00000000 --- a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/context.json +++ /dev/null 
@@ -1,13 +0,0 @@ -{ - "credentials": { - "access_key_id": "AKIDEXAMPLE", - "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" - }, - "expiration_in_seconds": 3600, - "normalize": true, - "region": "us-east-1", - "service": "service", - "sign_body": true, - "signed_body_value": "UNSIGNED-PAYLOAD", - "timestamp": "2015-08-30T12:36:00Z" -} diff --git a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-canonical-request.txt b/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-canonical-request.txt deleted file mode 100644 index 073ad369..00000000 --- a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-canonical-request.txt +++ /dev/null @@ -1,11 +0,0 @@ -POST -/ - -content-length:13 -host:example.amazonaws.com -x-amz-content-sha256:UNSIGNED-PAYLOAD -x-amz-date:20150830T123600Z -x-amz-region-set:us-east-1 - -content-length;host;x-amz-content-sha256;x-amz-date;x-amz-region-set -UNSIGNED-PAYLOAD \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-signature.txt b/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-signature.txt deleted file mode 100644 index ce28747f..00000000 --- a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-signature.txt +++ /dev/null @@ -1 +0,0 @@ -3046022100aa754cb9eca1113d88f54d83dc8635b6dd9b0f362e5e6c79c82da930521feb70022100c7f572b03542548c0c66eae6ff77202a175c923219fa413d7619d298618016c3 \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-signed-request.txt b/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-signed-request.txt deleted file mode 100644 index d04efcb2..00000000 --- a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-signed-request.txt +++ /dev/null 
@@ -1,9 +0,0 @@ -POST / HTTP/1.1 -Host:example.amazonaws.com -Content-Length:13 -X-Amz-Date:20150830T123600Z -X-Amz-Region-Set:us-east-1 -x-amz-content-sha256:UNSIGNED-PAYLOAD -Authorization:AWS4-ECDSA-P256-SHA256 Credential=AKIDEXAMPLE/20150830/service/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date;x-amz-region-set, Signature=3044022076c0a0e1ec8d3e40dd3d3f9c395c30e9ba7552096b4d8c34596646df2b665c6c0220615a2b2132265e969088895332db7f9b6c9daa957b42a9047d94e392f521d6fb - -Param1=value1 diff --git a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-string-to-sign.txt b/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-string-to-sign.txt deleted file mode 100644 index 0935d114..00000000 --- a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/header-string-to-sign.txt +++ /dev/null @@ -1,4 +0,0 @@ -AWS4-ECDSA-P256-SHA256 -20150830T123600Z -20150830/service/aws4_request -1aa2f34080974173be96cdbddf2e5df2e48a425c6c3ab6cd770c254aaf4898df \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/public-key.json b/tests/aws-signing-test-suite/v4a/post-unsigned-payload/public-key.json deleted file mode 100644 index 379dcb21..00000000 --- a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/public-key.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "X":"b6618f6a65740a99e650b33b6b4b5bd0d43b176d721a3edfea7e7d2d56d936b1", - "Y":"865ed22a7eadc9c5cb9d2cbaca1b3699139fedc5043dc6661864218330c8e518" -} diff --git a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-canonical-request.txt b/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-canonical-request.txt deleted file mode 100644 index be03e0c4..00000000 --- a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-canonical-request.txt +++ /dev/null 
@@ -1,9 +0,0 @@ -POST -/ -X-Amz-Algorithm=AWS4-ECDSA-P256-SHA256&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fservice%2Faws4_request&X-Amz-Date=20150830T123600Z&X-Amz-Expires=3600&X-Amz-Region-Set=us-east-1&X-Amz-SignedHeaders=content-length%3Bhost%3Bx-amz-content-sha256 -content-length:13 -host:example.amazonaws.com -x-amz-content-sha256:UNSIGNED-PAYLOAD - -content-length;host;x-amz-content-sha256 -UNSIGNED-PAYLOAD \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-signature.txt b/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-signature.txt deleted file mode 100644 index 543ab076..00000000 --- a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-signature.txt +++ /dev/null @@ -1 +0,0 @@ -304402203e661f9bc2dc93d9c858e08018d79ad36055eaae449d81321773df4df92d367202204064dfbaec5b2e2860d36b6d11d4eda90b18ff62c8ac14f90e288ef37bcfe15e \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-signed-request.txt b/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-signed-request.txt deleted file mode 100644 index a31db27b..00000000 --- a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-signed-request.txt +++ /dev/null @@ -1,6 +0,0 @@ -POST /?X-Amz-Algorithm=AWS4-ECDSA-P256-SHA256&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fservice%2Faws4_request&X-Amz-Date=20150830T123600Z&X-Amz-SignedHeaders=content-length%3Bhost%3Bx-amz-content-sha256&X-Amz-Expires=3600&X-Amz-Region-Set=us-east-1&X-Amz-Signature=3045022100b32d20d894fb447713b4ba31a7983b04a7c7551b597dbd0b5478af0cc98ee33802201b4d03ad196f18baa962102b166eec484819c34be71a56e10b494146ebe043cc HTTP/1.1 -Host:example.amazonaws.com -Content-Length:13 -x-amz-content-sha256:UNSIGNED-PAYLOAD - -Param1=value1 
diff --git a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-string-to-sign.txt b/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-string-to-sign.txt deleted file mode 100644 index 0767ddc9..00000000 --- a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/query-string-to-sign.txt +++ /dev/null @@ -1,4 +0,0 @@ -AWS4-ECDSA-P256-SHA256 -20150830T123600Z -20150830/service/aws4_request -41fc1ad3ae67d78001e68d2e0e3149bd0f6f45f44ae68b3e615c2ee4183aa2d1 \ No newline at end of file diff --git a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/request.txt b/tests/aws-signing-test-suite/v4a/post-unsigned-payload/request.txt deleted file mode 100644 index 4b107d53..00000000 --- a/tests/aws-signing-test-suite/v4a/post-unsigned-payload/request.txt +++ /dev/null @@ -1,5 +0,0 @@ -POST / HTTP/1.1 -Host:example.amazonaws.com -Content-Length:13 - -Param1=value1 diff --git a/tests/sigv4_signing_tests.c b/tests/sigv4_signing_tests.c index 7076561d..3437c03a 100644 --- a/tests/sigv4_signing_tests.c +++ b/tests/sigv4_signing_tests.c @@ -209,7 +209,6 @@ struct v4_test_context { struct aws_credentials *credentials; bool should_normalize; bool should_sign_body; - struct aws_string *signed_body_value; uint64_t expiration_in_seconds; struct aws_input_stream *payload_stream; struct aws_ecc_key_pair *signing_key; @@ -243,7 +242,6 @@ static void s_v4_test_context_clean_up(struct v4_test_context *context) { aws_string_destroy(context->region_config); aws_string_destroy(context->service); aws_string_destroy(context->timestamp); - aws_string_destroy(context->signed_body_value); aws_credentials_release(context->credentials); aws_mutex_clean_up(&context->lock); 
@@ -267,7 +265,6 @@ AWS_STATIC_STRING_FROM_LITERAL(s_service_name, "service"); AWS_STATIC_STRING_FROM_LITERAL(s_timestamp_name, "timestamp"); AWS_STATIC_STRING_FROM_LITERAL(s_normalize_name, "normalize"); AWS_STATIC_STRING_FROM_LITERAL(s_body_name, "sign_body"); -AWS_STATIC_STRING_FROM_LITERAL(s_signed_body_value_name, "signed_body_value"); AWS_STATIC_STRING_FROM_LITERAL(s_expiration_name, "expiration_in_seconds"); AWS_STATIC_STRING_FROM_LITERAL(s_omit_token_name, "omit_session_token"); @@ -388,20 +385,6 @@ static int s_v4_test_context_parse_context_file(struct v4_test_context *context) aws_json_value_get_boolean(body_node, &context->should_sign_body); - struct aws_json_value *signed_body_value_node = - aws_json_value_get_from_object(document_root, aws_byte_cursor_from_string(s_signed_body_value_name)); - if (signed_body_value_node != NULL && aws_json_value_is_string(signed_body_value_node)) { - struct aws_byte_cursor signed_body_value_cursor; - /* Optional field. If not set, ignore it. */ - if (aws_json_value_get_string(signed_body_value_node, &signed_body_value_cursor) == AWS_OP_ERR) { - goto done; - } - context->signed_body_value = aws_string_new_from_cursor(context->allocator, &signed_body_value_cursor); - if (context->signed_body_value == NULL) { - goto done; - } - } - struct aws_json_value *expiration_node = aws_json_value_get_from_object(document_root, aws_byte_cursor_from_string(s_expiration_name)); if (expiration_node == NULL || !aws_json_value_is_number(expiration_node)) { @@ -604,10 +587,6 @@ static int s_v4_test_context_init_signing_config( } else { context->config->signed_body_value = g_aws_signed_body_value_empty_sha256; } - if (context->signed_body_value) { - /* Override the signed body value */ - context->config->signed_body_value = aws_byte_cursor_from_string(context->signed_body_value); - } context->config->credentials = context->credentials; context->config->expiration_in_seconds = context->expiration_in_seconds; 
@@ -1428,7 +1407,6 @@ DECLARE_SIGV4A_TEST_SUITE_CASE(post_header_value_case, "post-header-value-case") DECLARE_SIGV4A_TEST_SUITE_CASE(post_vanilla, "post-vanilla"); DECLARE_SIGV4A_TEST_SUITE_CASE(post_vanilla_empty_query_value, "post-vanilla-empty-query-value"); DECLARE_SIGV4A_TEST_SUITE_CASE(post_vanilla_query, "post-vanilla-query"); -DECLARE_SIGV4A_TEST_SUITE_CASE(post_unsigned_payload, "post-unsigned-payload"); DECLARE_SIGV4A_TEST_SUITE_CASE(post_x_www_form_urlencoded, "post-x-www-form-urlencoded"); DECLARE_SIGV4A_TEST_SUITE_CASE(post_x_www_form_urlencoded_parameters, "post-x-www-form-urlencoded-parameters"); DECLARE_SIGV4A_TEST_SUITE_CASE(get_vanilla_with_session_token, "get-vanilla-with-session-token"); @@ -1492,7 +1470,6 @@ DECLARE_SIGV4_TEST_SUITE_CASE(post_header_value_case, "post-header-value-case"); DECLARE_SIGV4_TEST_SUITE_CASE(post_vanilla, "post-vanilla"); DECLARE_SIGV4_TEST_SUITE_CASE(post_vanilla_empty_query_value, "post-vanilla-empty-query-value"); DECLARE_SIGV4_TEST_SUITE_CASE(post_vanilla_query, "post-vanilla-query"); -DECLARE_SIGV4_TEST_SUITE_CASE(post_unsigned_payload, "post-unsigned-payload"); DECLARE_SIGV4_TEST_SUITE_CASE(post_x_www_form_urlencoded, "post-x-www-form-urlencoded"); DECLARE_SIGV4_TEST_SUITE_CASE(post_x_www_form_urlencoded_parameters, "post-x-www-form-urlencoded-parameters"); DECLARE_SIGV4_TEST_SUITE_CASE(get_vanilla_with_session_token, "get-vanilla-with-session-token"); From 81bf752e555991fc45e56bf8ae741b3526fc8368 Mon Sep 17 00:00:00 2001 From: Dengke Date: Wed, 4 Sep 2024 14:31:42 -0700 Subject: [PATCH 2/5] Add the workaround --- source/aws_signing.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/source/aws_signing.c b/source/aws_signing.c index fe5610e2..7996e1de 100644 --- a/source/aws_signing.c +++ b/source/aws_signing.c 
@@ -1351,6 +1351,20 @@ static int s_build_canonical_stable_header_list( } /* NOTE: Update MAX_AUTHORIZATION_HEADER_COUNT if more headers added */ + } else if (state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS) { + /* NOTES: TEMPORAY WORKAROUND FOR VPC Lattice. SHALL BE REMOVED IN NEAR FUTURE */ + if (aws_byte_cursor_eq_c_str(&state->config.service, "vpc-lattice-svcs")) { + /* Add unsigned payload as `x-amz-content-sha256` header to the canonical request when signing through query + * params. */ + if (s_add_authorization_header( + state, + stable_header_list, + out_required_capacity, + s_amz_content_sha256_header_name, + g_aws_signed_body_value_unsigned_payload)) { + return AWS_OP_ERR; + } + } } *out_required_capacity += aws_array_list_length(stable_header_list) * 2; /* ':' + '\n' per header */ From c6265639be65634b97f31f9cc8194799c7bfbdb8 Mon Sep 17 00:00:00 2001 From: Dengke Date: Wed, 4 Sep 2024 14:39:15 -0700 Subject: [PATCH 3/5] also always set unsigned payload for vpc lattice --- source/aws_signing.c | 115 +++++++++++++++++++++++-------------------- 1 file changed, 62 insertions(+), 53 deletions(-) diff --git a/source/aws_signing.c b/source/aws_signing.c index 7996e1de..09faf76f 100644 --- a/source/aws_signing.c +++ b/source/aws_signing.c 
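Review bot: The new `else if` branch adds `x-amz-content-sha256` to the canonical header list without consulting `state->config.signed_body_header`, whereas the header-signing branch above it is gated on `AWS_SBHT_X_AMZ_CONTENT_SHA256`; if a caller asked for no signed-body header this workaround injects one anyway, which may be intended for this service but deserves a sentence in the comment. The service-name gate `aws_byte_cursor_eq_c_str(&state->config.service, "vpc-lattice-svcs")` is a bare literal in the signing core; naming it (`static const char *s_vpc_lattice_service_name = "vpc-lattice-svcs";`) and citing a tracking item would make the promised removal findable. Patch 1 of this series deletes the `post-unsigned-payload` suites and the test harness's `signed_body_value` hook, so nothing now exercises this path; a test context with `"service": "vpc-lattice-svcs"` signed via query parameters would. The comment also misspells `TEMPORAY` (`TEMPORARY`), and the same spelling is repeated in the two later hunks of this series that touch `s_build_canonical_payload`. The enclosing function `s_build_canonical_stable_header_list` starts outside the hunk.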
@@ -1351,19 +1351,19 @@ static int s_build_canonical_stable_header_list( } /* NOTE: Update MAX_AUTHORIZATION_HEADER_COUNT if more headers added */ - } else if (state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS) { + } else if ( + state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS && + aws_byte_cursor_eq_c_str(&state->config.service, "vpc-lattice-svcs")) { /* NOTES: TEMPORAY WORKAROUND FOR VPC Lattice. SHALL BE REMOVED IN NEAR FUTURE */ - if (aws_byte_cursor_eq_c_str(&state->config.service, "vpc-lattice-svcs")) { - /* Add unsigned payload as `x-amz-content-sha256` header to the canonical request when signing through query - * params. */ - if (s_add_authorization_header( - state, - stable_header_list, - out_required_capacity, - s_amz_content_sha256_header_name, - g_aws_signed_body_value_unsigned_payload)) { - return AWS_OP_ERR; - } + /* Add unsigned payload as `x-amz-content-sha256` header to the canonical request when signing through query + * params. */ + if (s_add_authorization_header( + state, + stable_header_list, + out_required_capacity, + s_amz_content_sha256_header_name, + g_aws_signed_body_value_unsigned_payload)) { + return AWS_OP_ERR; } } 
@@ -1527,66 +1527,75 @@ static int s_build_canonical_payload(struct aws_signing_state_aws *state) { struct aws_hash *hash = NULL; int result = AWS_OP_ERR; - if (state->config.signed_body_value.len == 0) { - /* No value provided by user, so we must calculate it */ - hash = aws_sha256_new(allocator); - if (hash == NULL) { - return AWS_OP_ERR; - } - - if (aws_byte_buf_init(&body_buffer, allocator, BODY_READ_BUFFER_SIZE) || - aws_byte_buf_init(&digest_buffer, allocator, AWS_SHA256_LEN)) { - goto on_cleanup; - } - - struct aws_input_stream *payload_stream = NULL; - if (aws_signable_get_payload_stream(signable, &payload_stream)) { + if (state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS && + aws_byte_cursor_eq_c_str(&state->config.service, "vpc-lattice-svcs")) { + /* NOTES: TEMPORAY WORKAROUND FOR VPC Lattice. SHALL BE REMOVED IN NEAR FUTURE */ + /* ALWAYS USE UNSIGNED-PAYLOAD FOR VPC Lattice. */ + if (aws_byte_buf_append_dynamic(payload_hash_buffer, &g_aws_signed_body_value_unsigned_payload)) { goto on_cleanup; } + } else { + if (state->config.signed_body_value.len == 0) { + /* No value provided by user, so we must calculate it */ + hash = aws_sha256_new(allocator); + if (hash == NULL) { + return AWS_OP_ERR; + } - if (payload_stream != NULL) { - if (aws_input_stream_seek(payload_stream, 0, AWS_SSB_BEGIN)) { + if (aws_byte_buf_init(&body_buffer, allocator, BODY_READ_BUFFER_SIZE) || + aws_byte_buf_init(&digest_buffer, allocator, AWS_SHA256_LEN)) { goto on_cleanup; } - struct aws_stream_status payload_status; - AWS_ZERO_STRUCT(payload_status); + struct aws_input_stream *payload_stream = NULL; + if (aws_signable_get_payload_stream(signable, &payload_stream)) { + goto on_cleanup; + } - while (!payload_status.is_end_of_stream) { - /* reset the temporary body buffer; we can calculate the hash in window chunks */ - body_buffer.len = 0; - if (aws_input_stream_read(payload_stream, &body_buffer)) { + if (payload_stream != NULL) { + if 
(aws_input_stream_seek(payload_stream, 0, AWS_SSB_BEGIN)) { goto on_cleanup; } - if (body_buffer.len > 0) { - struct aws_byte_cursor body_cursor = aws_byte_cursor_from_buf(&body_buffer); - aws_hash_update(hash, &body_cursor); + struct aws_stream_status payload_status; + AWS_ZERO_STRUCT(payload_status); + + while (!payload_status.is_end_of_stream) { + /* reset the temporary body buffer; we can calculate the hash in window chunks */ + body_buffer.len = 0; + if (aws_input_stream_read(payload_stream, &body_buffer)) { + goto on_cleanup; + } + + if (body_buffer.len > 0) { + struct aws_byte_cursor body_cursor = aws_byte_cursor_from_buf(&body_buffer); + aws_hash_update(hash, &body_cursor); + } + + if (aws_input_stream_get_status(payload_stream, &payload_status)) { + goto on_cleanup; + } } - if (aws_input_stream_get_status(payload_stream, &payload_status)) { + /* reset the input stream for sending */ + if (aws_input_stream_seek(payload_stream, 0, AWS_SSB_BEGIN)) { goto on_cleanup; } } - /* reset the input stream for sending */ - if (aws_input_stream_seek(payload_stream, 0, AWS_SSB_BEGIN)) { + if (aws_hash_finalize(hash, &digest_buffer, 0)) { goto on_cleanup; } - } - - if (aws_hash_finalize(hash, &digest_buffer, 0)) { - goto on_cleanup; - } - struct aws_byte_cursor digest_cursor = aws_byte_cursor_from_buf(&digest_buffer); - if (aws_hex_encode_append_dynamic(&digest_cursor, payload_hash_buffer)) { - goto on_cleanup; - } - } else { - /* Use value provided in config */ - if (aws_byte_buf_append_dynamic(payload_hash_buffer, &state->config.signed_body_value)) { - goto on_cleanup; + struct aws_byte_cursor digest_cursor = aws_byte_cursor_from_buf(&digest_buffer); + if (aws_hex_encode_append_dynamic(&digest_cursor, payload_hash_buffer)) { + goto on_cleanup; + } + } else { + /* Use value provided in config */ + if (aws_byte_buf_append_dynamic(payload_hash_buffer, &state->config.signed_body_value)) { + goto on_cleanup; + } } } 
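Review bot: The gate `state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS && aws_byte_cursor_eq_c_str(&state->config.service, "vpc-lattice-svcs")` at the top of this hunk duplicates the one added to `s_build_canonical_stable_header_list` in the previous hunk, and the two must stay in lockstep: if they ever drift, the canonical request carries an `x-amz-content-sha256` header saying `UNSIGNED-PAYLOAD` while its payload-hash line holds a real digest, which presumably fails verification. Factor it into one predicate, `static bool s_is_vpc_lattice_query_signing(const struct aws_signing_state_aws *state) { return state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS && aws_byte_cursor_eq_c_str(&state->config.service, "vpc-lattice-svcs"); }`, and call it from both sites. The re-indented hashing code below the new branch is a pure move, and the `if (hash == NULL) { return AWS_OP_ERR; }` direct return inside it is pre-existing. `s_build_canonical_payload` continues past the end of the hunk.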
From 75a2b99fded7da7e437fc17302a3e0104239b8cf Mon Sep 17 00:00:00 2001 From: Dengke Date: Wed, 4 Sep 2024 14:42:52 -0700 Subject: [PATCH 4/5] this is better --- source/aws_signing.c | 94 ++++++++++++++++++++++---------------------- 1 file changed, 48 insertions(+), 46 deletions(-) diff --git a/source/aws_signing.c b/source/aws_signing.c index 09faf76f..a51f80be 100644 --- a/source/aws_signing.c +++ b/source/aws_signing.c 
@@ -1531,71 +1531,73 @@ static int s_build_canonical_payload(struct aws_signing_state_aws *state) { aws_byte_cursor_eq_c_str(&state->config.service, "vpc-lattice-svcs")) { /* NOTES: TEMPORAY WORKAROUND FOR VPC Lattice. SHALL BE REMOVED IN NEAR FUTURE */ /* ALWAYS USE UNSIGNED-PAYLOAD FOR VPC Lattice. */ - if (aws_byte_buf_append_dynamic(payload_hash_buffer, &g_aws_signed_body_value_unsigned_payload)) { + if (aws_byte_buf_append_dynamic(payload_hash_buffer, &g_aws_signed_body_value_unsigned_payload) == + AWS_OP_SUCCESS) { + result = AWS_OP_SUCCESS; + } + goto on_cleanup; + } + + if (state->config.signed_body_value.len == 0) { + /* No value provided by user, so we must calculate it */ + hash = aws_sha256_new(allocator); + if (hash == NULL) { + return AWS_OP_ERR; + } + + if (aws_byte_buf_init(&body_buffer, allocator, BODY_READ_BUFFER_SIZE) || + aws_byte_buf_init(&digest_buffer, allocator, AWS_SHA256_LEN)) { goto on_cleanup; } - } else { - if (state->config.signed_body_value.len == 0) { - /* No value provided by user, so we must calculate it */ - hash = aws_sha256_new(allocator); - if (hash == NULL) { - return AWS_OP_ERR; - } - if (aws_byte_buf_init(&body_buffer, allocator, BODY_READ_BUFFER_SIZE) || - aws_byte_buf_init(&digest_buffer, allocator, AWS_SHA256_LEN)) { - goto on_cleanup; - } + struct aws_input_stream *payload_stream = NULL; + if (aws_signable_get_payload_stream(signable, &payload_stream)) { + goto on_cleanup; + } - struct aws_input_stream *payload_stream = NULL; - if (aws_signable_get_payload_stream(signable, &payload_stream)) { + if (payload_stream != NULL) { + if (aws_input_stream_seek(payload_stream, 0, AWS_SSB_BEGIN)) { goto on_cleanup; } - if (payload_stream != NULL) { - if (aws_input_stream_seek(payload_stream, 0, AWS_SSB_BEGIN)) { + struct aws_stream_status payload_status; + AWS_ZERO_STRUCT(payload_status); + + while (!payload_status.is_end_of_stream) { + /* reset the temporary body buffer; we can calculate the hash in window chunks */ + 
body_buffer.len = 0; + if (aws_input_stream_read(payload_stream, &body_buffer)) { goto on_cleanup; } - struct aws_stream_status payload_status; - AWS_ZERO_STRUCT(payload_status); - - while (!payload_status.is_end_of_stream) { - /* reset the temporary body buffer; we can calculate the hash in window chunks */ - body_buffer.len = 0; - if (aws_input_stream_read(payload_stream, &body_buffer)) { - goto on_cleanup; - } - - if (body_buffer.len > 0) { - struct aws_byte_cursor body_cursor = aws_byte_cursor_from_buf(&body_buffer); - aws_hash_update(hash, &body_cursor); - } - - if (aws_input_stream_get_status(payload_stream, &payload_status)) { - goto on_cleanup; - } + if (body_buffer.len > 0) { + struct aws_byte_cursor body_cursor = aws_byte_cursor_from_buf(&body_buffer); + aws_hash_update(hash, &body_cursor); } - /* reset the input stream for sending */ - if (aws_input_stream_seek(payload_stream, 0, AWS_SSB_BEGIN)) { + if (aws_input_stream_get_status(payload_stream, &payload_status)) { goto on_cleanup; } } - if (aws_hash_finalize(hash, &digest_buffer, 0)) { + /* reset the input stream for sending */ + if (aws_input_stream_seek(payload_stream, 0, AWS_SSB_BEGIN)) { goto on_cleanup; } + } - struct aws_byte_cursor digest_cursor = aws_byte_cursor_from_buf(&digest_buffer); - if (aws_hex_encode_append_dynamic(&digest_cursor, payload_hash_buffer)) { - goto on_cleanup; - } - } else { - /* Use value provided in config */ - if (aws_byte_buf_append_dynamic(payload_hash_buffer, &state->config.signed_body_value)) { - goto on_cleanup; - } + if (aws_hash_finalize(hash, &digest_buffer, 0)) { + goto on_cleanup; + } + + struct aws_byte_cursor digest_cursor = aws_byte_cursor_from_buf(&digest_buffer); + if (aws_hex_encode_append_dynamic(&digest_cursor, payload_hash_buffer)) { + goto on_cleanup; + } + } else { + /* Use value provided in config */ + if (aws_byte_buf_append_dynamic(payload_hash_buffer, &state->config.signed_body_value)) { + goto on_cleanup; } } 
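Review bot: The early exit `result = AWS_OP_SUCCESS; goto on_cleanup;` at the top of this hunk runs with `hash` still `NULL` and `body_buffer`/`digest_buffer` never initialised, so it relies on `on_cleanup` tolerating both; the existing `goto on_cleanup` after a failed `aws_byte_buf_init` suggests it does, but the label and the function's tail lie outside the hunk, so anything that tail does beyond setting `result` is now skipped for this service. The two shouting comments could become one that says what is overridden and until when: `/* TEMPORARY WORKAROUND: VPC Lattice query-parameter signing always uses UNSIGNED-PAYLOAD as the canonical payload hash. Remove once <TRACKING-ISSUE> is resolved. */`. The remainder of the hunk only re-indents the hashing code after the `if/else` nesting is flattened.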
From 5c5dcd1dd5fe4e9d222ffa3b1f9968dc5691ac54 Mon Sep 17 00:00:00 2001 From: Dengke Date: Wed, 4 Sep 2024 14:50:55 -0700 Subject: [PATCH 5/5] keep the builder change --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 651b3b2b..9abf07d4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,7 +6,7 @@ on: - 'main' env: - BUILDER_VERSION: v0.9.62 + BUILDER_VERSION: v0.9.64 BUILDER_SOURCE: releases BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net PACKAGE_NAME: aws-c-auth