aws_sigv4: fix typos in aws_sigv4.c

Closes #10008

aws_sigv4: consult x-%s-content-sha256 for payload hash

`Curl_output_aws_sigv4()` doesn't always have the whole payload in
memory to generate a real payload hash. this commit allows the

aws_sigv4: consult x-%s-content-sha256 for payload hash

`Curl_output_aws_sigv4()` doesn't always have the whole payload in
memory to generate a real payload hash. this commit allows the user to
pass in a header like `x-amz-content-sha256` to provide their desired
payload hash

some services like s3 require this header, and may support other values
like s3's `UNSIGNED-PAYLOAD` and `STREAMING-AWS4-HMAC-SHA256-PAYLOAD`
with special semantics. servers use this header's value as the payload
hash during signature validation, so it must match what the client uses
to generate the signature

CURLOPT_AWS_SIGV4.3 now describes the content-sha256 interaction

Signed-off-by: Casey Bodley <cbodley@redhat.com>

Closes #9804

show more ...

misc: remove duplicated include files

Closes #9796

http_aws_sigv4: fix strlen() check

The check was off-by-one leading to buffer overflow.

Follow-up to 29c4aa00a16872

Detected by OSS-Fuzz

Closes #9714

aws_sigv4: fix header computation

Handle canonical headers and signed headers creation as explained here:
https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.htm

aws_sigv4: fix header computation

Handle canonical headers and signed headers creation as explained here:
https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

The algo tells that signed and canonical must contain at last host and
x-amz-date.

So we check whatever thoses are present in the curl http headers list.
If they are, we use the one enter by curl user, otherwise we generate
them. then we to lower, and remove space from each http headers plus
host and x-amz-date, then sort them all by alphabetical order.

This patch also fix a bug with host header, which was ignoring the port.

Closes #7966

show more ...

http_aws_sigv4.c: remove two unusued includes

Closes #9080

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869

show more ...

aws-sigv4: fix potentional NULL pointer arithmetic

We need to check if the strchr() call returns NULL (due to missing
char) before we use the returned value in arithmetic. There is no

aws-sigv4: fix potentional NULL pointer arithmetic

We need to check if the strchr() call returns NULL (due to missing
char) before we use the returned value in arithmetic. There is no
live bug here, but fixing it before it can become for hygiene.

Closes: #8814
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

show more ...

misc: remove strlen for Curl_checkheaders + Curl_checkProxyheaders

Closes #8409

sha256/md5: return errors when init fails

Closes #8133

aws-sigv4: make signature work when post data is binary

User sets the post fields size for binary data. Hence, we should not be
using strlen on it.

Added test 1937 and 1938 to

aws-sigv4: make signature work when post data is binary

User sets the post fields size for binary data. Hence, we should not be
using strlen on it.

Added test 1937 and 1938 to verify.

Closes #7844

show more ...

misc: fix typos in docs and comments

No user facing output from curl/libcurl is changed by this, just
comments.

Closes #7747

infof: remove newline from format strings, always append it

- the data needs to be "line-based" anyway since it's also passed to the
debug callback/application

- it makes info

infof: remove newline from format strings, always append it

- the data needs to be "line-based" anyway since it's also passed to the
debug callback/application

- it makes infof() work like failf() and consistency is good

- there's an assert that triggers on newlines in the format string

- Also removes a few instances of "..."

- Removes the code that would append "..." to the end of the data *iff*
it was truncated in infof()

Closes #7357

show more ...

http: use credentials from transfer, not connection

HTTP auth "accidentally" worked before this cleanup since the code would
always overwrite the connection credentials with the credenti

http: use credentials from transfer, not connection

HTTP auth "accidentally" worked before this cleanup since the code would
always overwrite the connection credentials with the credentials from
the most recent transfer and since HTTP auth is typically done first
thing, this has not been an issue. It was still wrong and subject to
possible race conditions or future breakage if the sequence of functions
would change.

The data.set.str[] strings MUST remain unmodified exactly as set by the
user, and the credentials to use internally are instead set/updated in
state.aptr.*

Added test 675 to verify different credentials used in two requests done
over a reused HTTP connection, which previously behaved wrongly.

Fixes #6542
Closes #6545

show more ...

http: improve AWS HTTP v4 Signature auth

- Add support services without region and service prefixes in
the URL endpoint (ex. Min.IO, GCP, Yandex Cloud, Mail.Ru Cloud Solutions, etc)

http: improve AWS HTTP v4 Signature auth

- Add support services without region and service prefixes in
the URL endpoint (ex. Min.IO, GCP, Yandex Cloud, Mail.Ru Cloud Solutions, etc)
by providing region and service parameters via aws-sigv4 option.
- Add [:region[:service]] suffix to aws-sigv4 option;
- Fix memory allocation errors.
- Refactor memory management.
- Use Curl_http_method instead() STRING_CUSTOMREQUEST.
- Refactor canonical headers generating.
- Remove repeated sha256_to_hex() usage.
- Add some docs fixes.
- Add some codestyle fixes.
- Add overloaded strndup() for debug - curl_dbg_strndup().
- Update tests.

Closes #6524

show more ...

lib: remove conn->data uses

Closes #6499

lib: pass in 'struct Curl_easy *' to most functions

... in most cases instead of 'struct connectdata *' but in some cases in
addition to.

- We mostly operate on transfers and no

lib: pass in 'struct Curl_easy *' to most functions

... in most cases instead of 'struct connectdata *' but in some cases in
addition to.

- We mostly operate on transfers and not connections.

- We need the transfer handle to log, store data and more. Everything in
libcurl is driven by a transfer (the CURL * in the public API).

- This work clarifies and separates the transfers from the connections
better.

- We should avoid "conn->data". Since individual connections can be used
by many transfers when multiplexing, making sure that conn->data
points to the current and correct transfer at all times is difficult
and has been notoriously error-prone over the years. The goal is to
ultimately remove the conn->data pointer for this reason.

Closes #6425

show more ...

misc: fix "warning: empty expression statement has no effect"

Turned several macros into do-while(0) style to allow their use to work
find with semicolon.

Bug: https://github.co

misc: fix "warning: empty expression statement has no effect"

Turned several macros into do-while(0) style to allow their use to work
find with semicolon.

Bug: https://github.com/curl/curl/commit/08e8455dddc5e48e58a12ade3815c01ae3da3b64#commitcomment-45433279
Follow-up to 08e8455dddc5e4
Reported-by: Gisle Vanem
Closes #6376

show more ...

http: introduce AWS HTTP v4 Signature

It is a security process for HTTP.

It doesn't seems to be standard, but it is used by some cloud providers.

Aws:
https://docs.aws.

http: introduce AWS HTTP v4 Signature

It is a security process for HTTP.

It doesn't seems to be standard, but it is used by some cloud providers.

Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually

most of the code is in lib/http_v4_signature.c

Information require by the algorithm:
- The URL
- Current time
- some prefix that are append to some of the signature parameters.

The data extracted from the URL are: the URI, the region,
the host and the API type

example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
~~~ ~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
^ ^ ^
/ \ URI
API type region

Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
the date, and above hash

Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>

Closes #5703

show more ...