static inline void process_request(int fd) { int rlen = recv(fd,rbuf,BUF_LEN,0); char path[128]; if(rlen > 0) { rbuf[rlen] = 0; if(http_get_path(rbuf, rlen, path)) { process_sendfile(fd, path); } else { send(fd,sbuf,sbuf_len,0); } } event_free(fd); }
void optionally_add_header(HMAC_CTX *ctx, struct http_txn *txn, const char* header_name, int header_len) { struct hdr_ctx hdr_ctx = {.idx = 0}; char *begin = NULL; char *end = NULL; if(http_find_header2(header_name, header_len, txn->req.sol, &txn->hdr_idx, &hdr_ctx)) { begin = hdr_ctx.line + hdr_ctx.val; end = begin + hdr_ctx.vlen; } // For Date, haproxy does a silly thing where it considers the ',' to be a field separator while(http_find_header2(header_name, header_len, txn->req.sol, &txn->hdr_idx, &hdr_ctx)) { end = hdr_ctx.line + hdr_ctx.val + hdr_ctx.vlen; } if(begin) { HMAC_Update(ctx, (unsigned char*)begin, end - begin); } HMAC_Update(ctx, (unsigned const char*)"\n", 1); } void make_aws_signature(char *retval, const char *key, int key_len, struct http_txn *txn) { struct http_msg *msg = &txn->req; static int loaded_engines = 0; if(!loaded_engines) { ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); loaded_engines = 1; } static unsigned char raw_sig[SIG_SIZE]; HMAC_CTX ctx; HMAC_CTX_init(&ctx); HMAC_Init_ex(&ctx, key, key_len, EVP_sha1(), NULL); HMAC_Update(&ctx, (unsigned char*)msg->sol + msg->som, msg->sl.rq.m_l); HMAC_Update(&ctx, (unsigned const char*)"\n", 1); ADD_HEADER(&ctx, txn, "Content-MD5"); ADD_HEADER(&ctx, txn, "Content-Type"); ADD_HEADER(&ctx, txn, "Date"); void *header_sorter = HeaderSorter_new("x-amz-"); for_each_header(txn, header_sorter, &HeaderSorter_add); HeaderSorter_update(header_sorter, &ctx); HeaderSorter_delete(header_sorter); header_sorter = NULL; char *rel_uri = http_get_path(txn); char *uri_end = msg->sol + msg->sl.rq.u + txn->req.sl.rq.u_l; CanonicalizeResource(&ctx, rel_uri, uri_end - rel_uri); unsigned int sig_len = sizeof(raw_sig); HMAC_Final(&ctx, raw_sig, &sig_len); HMAC_CTX_cleanup(&ctx); BIO *mem_output_stream, *b64_filter; BUF_MEM *output_buffer; b64_filter = BIO_new(BIO_f_base64()); mem_output_stream = BIO_new(BIO_s_mem()); b64_filter = BIO_push(b64_filter, mem_output_stream); BIO_write(b64_filter, raw_sig, sig_len); (void) BIO_flush(b64_filter); BIO_get_mem_ptr(b64_filter, &output_buffer); memcpy(retval, output_buffer->data, output_buffer->length-1); BIO_free_all(b64_filter); } int s3_resign(struct session *s, struct buffer *req, struct proxy *px) { // TODO: Enable support for query string signatures? static struct hdr_exp *exp = NULL; if(!exp) { exp = calloc(1, sizeof(struct hdr_exp)); exp->preg = calloc(1, sizeof(regex_t)); exp->replace = strdup(px->s3_auth_header); exp->action = ACT_REPLACE; regcomp((regex_t*)exp->preg, "^Authorization:.*$", REG_EXTENDED | REG_ICASE); } if(!px->s3_auth_header || !px->s3_key) { printf("In s3_resign but have null config fields?"); return 0; } struct http_txn *txn = &s->txn; struct hdr_ctx authorization_header = {.idx = 0}; int ret = http_find_header2("Authorization", 13, txn->req.sol, &txn->hdr_idx, &authorization_header); if(!ret) { printf("No Authorization, so pass through unsigned."); return 0; } // Using exp->replace is only OK because haproxy is single-threaded, so the buffer // will only serve 1 request at a time. make_aws_signature((char*)exp->replace + px->s3_auth_header_colon, px->s3_key, px->s3_key_len, txn); apply_filter_to_req_headers(s, req, exp); return 0; }