From cfdd1d9be89ae4b1e9d654ff84512671ff73bc2c Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Tue, 26 Jan 2021 20:26:14 +0300 Subject: [PATCH] [mod_http_cache] Handle error cases to avoid using uninitialized variables in aws logic. --- src/mod/applications/mod_http_cache/aws.c | 27 +++++++++++++---------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/src/mod/applications/mod_http_cache/aws.c b/src/mod/applications/mod_http_cache/aws.c index 740fe2e9c4..cc02b4e5b5 100644 --- a/src/mod/applications/mod_http_cache/aws.c +++ b/src/mod/applications/mod_http_cache/aws.c @@ -144,10 +144,12 @@ static char* aws_s3_signature_key(char* key_signing, switch_aws_s3_profile* aws_ char key_service[SHA256_DIGEST_LENGTH]; char* aws4_secret_access_key = switch_mprintf("AWS4%s", aws_s3_profile->access_key_secret); - hmac256(key_date, SHA256_DIGEST_LENGTH, aws4_secret_access_key, strlen(aws4_secret_access_key), aws_s3_profile->date_stamp); - hmac256(key_region, SHA256_DIGEST_LENGTH, key_date, SHA256_DIGEST_LENGTH, aws_s3_profile->region); - hmac256(key_service, SHA256_DIGEST_LENGTH, key_region, SHA256_DIGEST_LENGTH, "s3"); - hmac256(key_signing, SHA256_DIGEST_LENGTH, key_service, SHA256_DIGEST_LENGTH, "aws4_request"); + if (!hmac256(key_date, SHA256_DIGEST_LENGTH, aws4_secret_access_key, (unsigned int)strlen(aws4_secret_access_key), aws_s3_profile->date_stamp) + || !hmac256(key_region, SHA256_DIGEST_LENGTH, key_date, SHA256_DIGEST_LENGTH, aws_s3_profile->region) + || !hmac256(key_service, SHA256_DIGEST_LENGTH, key_region, SHA256_DIGEST_LENGTH, "s3") + || !hmac256(key_signing, SHA256_DIGEST_LENGTH, key_service, SHA256_DIGEST_LENGTH, "aws4_request")) { + key_signing = NULL; + } switch_safe_free(aws4_secret_access_key); @@ -166,7 +168,7 @@ static char* aws_s3_standardized_query_string(switch_aws_s3_profile* aws_s3_prof char* standardized_query_string; credential = switch_mprintf("%s%%2F%s%%2F%s%%2Fs3%%2Faws4_request", aws_s3_profile->access_key_id, aws_s3_profile->date_stamp, aws_s3_profile->region); - switch_snprintf(expires, 9, "%ld", aws_s3_profile->expires); + switch_snprintf(expires, 9, "%" SWITCH_TIME_T_FMT, aws_s3_profile->expires); standardized_query_string = switch_mprintf( "X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=%s&X-Amz-Date=%s&X-Amz-Expires=%s&X-Amz-SignedHeaders=host", @@ -243,13 +245,14 @@ static char *aws_s3_authentication_create(switch_aws_s3_profile* aws_s3_profile) string_to_sign = aws_s3_string_to_sign(standardized_request, aws_s3_profile); // Get signature_key - aws_s3_signature_key(signature_key, aws_s3_profile); - - // Get signature - hmac256_hex(signature, signature_key, SHA256_DIGEST_LENGTH, string_to_sign); - - // Build final query string - query_param = switch_mprintf("%s&X-Amz-Signature=%s", standardized_query_string, signature); + if (!aws_s3_signature_key(signature_key, aws_s3_profile) + // Get signature + || !hmac256_hex(signature, signature_key, SHA256_DIGEST_LENGTH, string_to_sign)) { + query_param = NULL; + } else { + // Build final query string + query_param = switch_mprintf("%s&X-Amz-Signature=%s", standardized_query_string, signature); + } switch_safe_free(string_to_sign); switch_safe_free(standardized_query_string);