aws-sigv4: make signature work when post data is binary

User sets the post fields size for binary data. Hence, we should not be using strlen on it. Added test 1937 and 1938 to verify. Closes #7844
2026-01-18 17:21:26 +01:00 · 2021-10-12 15:32:27 +05:30
parent 7759552b80
commit 8c6f126279
8 changed files with 219 additions and 3 deletions
--- a/.mailmap
+++ b/.mailmap
@@ -80,3 +80,4 @@ Michał Antoniak <47522782+MAntoniak@users.noreply.github.com>
 Gleb Ivanovsky <gl.ivanovsky@gmail.com>
 Max Dymond <max.dymond@microsoft.com> <max.dymond@metaswitch.com>
 Max Dymond <max.dymond@microsoft.com> <cmeister2@gmail.com>
+Abhinav Singh <theawless@gmail.com>
--- a/lib/http_aws_sigv4.c
+++ b/lib/http_aws_sigv4.c
@@ -92,6 +92,7 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy)
  char *signed_headers = NULL;
  Curl_HttpReq httpreq;
  const char *method;
+  size_t post_data_len;
  const char *post_data = data->set.postfields ? data->set.postfields : "";
  unsigned char sha_hash[32];
  char sha_hex[65];
@@ -281,8 +282,12 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy)
    goto fail;
  }

+  if(data->set.postfieldsize < 0)
+    post_data_len = strlen(post_data);
+  else
+    post_data_len = (size_t)data->set.postfieldsize;
  Curl_sha256it(sha_hash,
-                (const unsigned char *) post_data, strlen(post_data));
+                (const unsigned char *) post_data, post_data_len);
  sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex));

  Curl_http_method(data, conn, &method, &httpreq);
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -215,7 +215,7 @@ test1800 test1801 \
 test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \
 test1916 test1917 test1918 \
 \
-test1933 test1934 test1935 test1936 \
+test1933 test1934 test1935 test1936 test1937 test1938 \
 \
 test2000 test2001 test2002 test2003 test2004 \
 \
--- a/tests/data/test1937
+++ b/tests/data/test1937
@@ -0,0 +1,72 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP POST
+CURLOPT_AWS_SIGV4
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 302 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Type: text/html
+Content-Length: 0
+Location: /%TESTNUMBER0002
+
+</data>
+<data2>
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Type: text/html
+Content-Length: 0
+
+</data2>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+# this relies on the debug feature which allow to set the time
+<features>
+SSL
+debug
+crypto
+</features>
+
+<name>
+HTTP POST with AWS_SIGV4
+</name>
+<tool>
+lib%TESTNUMBER
+</tool>
+
+<command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER/testapi/test
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+^Content-Type:.*
+^Accept:.*
+</strip>
+<protocol nonewline="yes">
+POST /%TESTNUMBER/testapi/test HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: PROVIDER14-HMAC-SHA256 Credential=keyId/19700101/region/service/provider14_request, SignedHeaders=content-type;host;x-provider2-date, Signature=391e410177d0e9ee80728082446ef69d6b29157fe71f8b4805fce7c186fd956d
+X-Provider2-Date: 19700101T000000Z
+Content-Length: 8
+
+postData
+</protocol>
+</verify>
+</testcase>
--- a/tests/data/test1938
+++ b/tests/data/test1938
--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
@@ -61,7 +61,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect                \
 lib1591 lib1592 lib1593 lib1594 lib1596 \
         lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \
         lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \
-         lib3010
+ lib1937 lib1938 lib3010

 chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \
 ../../lib/curl_ctype.c  ../../lib/dynbuf.c ../../lib/strdup.c
@@ -707,6 +707,14 @@ lib1936_SOURCES = lib1936.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 lib1936_LDADD = $(TESTUTIL_LIBS)
 lib1936_CPPFLAGS = $(AM_CPPFLAGS)

+lib1937_SOURCES = lib1937.c $(SUPPORTFILES)
+lib1937_LDADD = $(TESTUTIL_LIBS)
+lib1937_CPPFLAGS = $(AM_CPPFLAGS)
+
+lib1938_SOURCES = lib1938.c $(SUPPORTFILES)
+lib1938_LDADD = $(TESTUTIL_LIBS)
+lib1938_CPPFLAGS = $(AM_CPPFLAGS)
+
 lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 lib3010_LDADD = $(TESTUTIL_LIBS)
 lib3010_CPPFLAGS = $(AM_CPPFLAGS)
--- a/tests/libtest/lib1937.c
+++ b/tests/libtest/lib1937.c
@@ -0,0 +1,64 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include "test.h"
+
+#include "memdebug.h"
+
+int test(char *URL)
+{
+  CURL *curl;
+  CURLcode res = TEST_ERR_MAJOR_BAD;
+  struct curl_slist *list = NULL;
+
+  if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
+    fprintf(stderr, "curl_global_init() failed\n");
+    return TEST_ERR_MAJOR_BAD;
+  }
+
+  curl = curl_easy_init();
+  if(!curl) {
+    fprintf(stderr, "curl_easy_init() failed\n");
+    curl_global_cleanup();
+    return TEST_ERR_MAJOR_BAD;
+  }
+
+  test_setopt(curl, CURLOPT_VERBOSE, 1L);
+  test_setopt(curl, CURLOPT_POST, 1L);
+  test_setopt(curl, CURLOPT_AWS_SIGV4, "provider1:provider2:region:service");
+  test_setopt(curl, CURLOPT_USERPWD, "keyId:SecretKey");
+  test_setopt(curl, CURLOPT_HEADER, 0L);
+  test_setopt(curl, CURLOPT_URL, URL);
+  list = curl_slist_append(list, "Content-Type: application/json");
+  test_setopt(curl, CURLOPT_HTTPHEADER, list);
+  test_setopt(curl, CURLOPT_POSTFIELDS, "postData");
+
+  res = curl_easy_perform(curl);
+
+test_cleanup:
+
+  curl_slist_free_all(list);
+  curl_easy_cleanup(curl);
+  curl_global_cleanup();
+
+  return res;
+}
--- a/tests/libtest/lib1938.c
+++ b/tests/libtest/lib1938.c
@@ -0,0 +1,66 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include "test.h"
+
+#include "memdebug.h"
+
+int test(char *URL)
+{
+  CURL *curl;
+  CURLcode res = TEST_ERR_MAJOR_BAD;
+  struct curl_slist *list = NULL;
+  unsigned char data[] = {0x70, 0x6f, 0x73, 0x74, 0, 0x44, 0x61, 0x74, 0x61};
+
+  if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
+    fprintf(stderr, "curl_global_init() failed\n");
+    return TEST_ERR_MAJOR_BAD;
+  }
+
+  curl = curl_easy_init();
+  if(!curl) {
+    fprintf(stderr, "curl_easy_init() failed\n");
+    curl_global_cleanup();
+    return TEST_ERR_MAJOR_BAD;
+  }
+
+  test_setopt(curl, CURLOPT_VERBOSE, 1L);
+  test_setopt(curl, CURLOPT_POST, 1L);
+  test_setopt(curl, CURLOPT_AWS_SIGV4, "provider1:provider2:region:service");
+  test_setopt(curl, CURLOPT_USERPWD, "keyId:SecretKey");
+  test_setopt(curl, CURLOPT_HEADER, 0L);
+  test_setopt(curl, CURLOPT_URL, URL);
+  list = curl_slist_append(list, "Content-Type: application/json");
+  test_setopt(curl, CURLOPT_HTTPHEADER, list);
+  test_setopt(curl, CURLOPT_POSTFIELDS, data);
+  test_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)sizeof(data));
+
+  res = curl_easy_perform(curl);
+
+test_cleanup:
+
+  curl_slist_free_all(list);
+  curl_easy_cleanup(curl);
+  curl_global_cleanup();
+
+  return res;
+}