authorJason D. McCormick <jason@mfamily.org>2017-02-04 12:49:29 -0500
committerRenato Botelho <renato@netgate.com>2017-02-07 09:35:14 -0200
commit3d7921e89cd05a6913c5b0833e5cbdd371b34397 (patch)
tree98815ed43afb5fb5478df6b57f3d913b4aae86b5 /src/etc
parentb6461e84e7133c5b6240e0253c13dd4012925777 (diff)
implement AWS API v4 signing
(cherry picked from commit ac5ee07ee1daef2f43e728895290ca6d11efe0f3)
Diffstat (limited to 'src/etc')
-rw-r--r--src/etc/inc/dyndns.class8
-rw-r--r--src/etc/inc/r53.class38
2 files changed, 17 insertions, 29 deletions
diff --git a/src/etc/inc/dyndns.class b/src/etc/inc/dyndns.class
index fff3e9f..ddbea57 100644
--- a/src/etc/inc/dyndns.class
+++ b/src/etc/inc/dyndns.class
@@ -128,7 +128,7 @@
* HE.net IPv6 - Last Tested: 7 July 2013
* HE.net Tunnel - Last Tested: 28 June 2011
* SelfHost - Last Tested: 26 December 2011
- * Amazon Route 53 - Last Tested: 30 August 2016
+ * Amazon Route 53 - Last Tested: 04 February 2017
* DNS-O-Matic - Last Tested: 9 September 2010
* CloudFlare - Last Tested: 05 September 2016
* CloudFlare IPv6 - Last Tested: 17 July 2016
@@ -682,10 +682,10 @@
case 'route53':
require_once("r53.class");
$r53 = new Route53($this->_dnsUser, $this->_dnsPass);
- $apiurl = $r53->getApiUrl($this->_dnsZoneID);
+ list($r53_regionId, $r53_zoneId) = split('/', $this->_dnsZoneID);
+ $apiurl = $r53->getApiUrl($r53_zoneId);
$xmlreq = $r53->getRequestBody($this->_dnsHost, $this->_dnsIP, $this->_dnsTTL);
- $httphead = $r53->getHttpPostHeaders($this->_dnsZoneId, "us-east-1",
- hash("sha256",$xmlreq));
+ $httphead = $r53->getHttpPostHeaders($r53_zoneId, $r53_regionId, hash("sha256",$xmlreq));
curl_setopt($ch, CURLOPT_HTTPHEADER, $httphead);
if($this->_dnsVerboseLog){
log_error(sprintf("Sending reuquest to: %s", $apiurl));
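Review bot: `split()` on the new line `list($r53_regionId, $r53_zoneId) = split('/', $this->_dnsZoneID);` is the old POSIX-regex function (deprecated in PHP 5.3, removed in 7.0), so this branch breaks on a PHP 7 build; `explode('/', $this->_dnsZoneID, 2)` gives the same split here. A stored zone ID without a `/` (the form the replaced `getApiUrl($this->_dnsZoneID)` call accepted) now leaves `$r53_zoneId` null and the request is still sent; checking for the separator and falling back to `us-east-1`, which the removed `getHttpPostHeaders` call hard-coded, would keep existing configurations working. The enclosing function begins and ends outside the hunk.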
diff --git a/src/etc/inc/r53.class b/src/etc/inc/r53.class
index 21a4a61..4ec4cd9 100644
--- a/src/etc/inc/r53.class
+++ b/src/etc/inc/r53.class
@@ -83,7 +83,7 @@ class Route53
* @return string XML document
*/
public function getRequestBody($fqdn, $ip, $ttl){
- $xmlreq .= "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
+ $xmlreq = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
$xmlreq .= "<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\">";
$xmlreq .= "<ChangeBatch><Changes><Change>";
$xmlreq .= "<Action>UPSERT</Action>";
@@ -123,45 +123,33 @@ class Route53
$amz_date = sprintf("%sT%sZ", gmdate('Ymd'), gmdate('His'));
$date_stamp = gmdate('Ymd');
- $canonical_headers = sprintf("content-type:%s\nhost:%s\n:x-amx-date:%s\n",
+ $canonical_headers = sprintf("content-type:%s\nhost:%s\nx-amz-date:%s\n",
"text/xml", "route53.amazonaws.com", $amz_date);
$signed_headers = "content-type;host;x-amz-date";
- $canonical_request = sprintf("%s\n%s\n/\n/%s\n%s\n%s\n ",
+ $canonical_request = sprintf("%s\n%s\n\n%s\n%s\n%s",
"POST", $canonical_uri, $canonical_headers, $signed_headers, $requestBodySHA256);
-
$algorithm = "AWS4-HMAC-SHA256";
- $credential_scope = sprintf("%s/%s/%s/%s", $date_stamp, $regionId, "route53domains", "aws4_request");
- $string_to_sign = sprintf("%s\n%s\n%s\n%s ",
+ $credential_scope = sprintf("%s/%s/%s/%s", $date_stamp, $regionId, "route53", "aws4_request");
+ $string_to_sign = sprintf("%s\n%s\n%s\n%s",
$algorithm, $amz_date, $credential_scope, hash("sha256", $canonical_request));
- $signing_key = getAWS4SigningKey($this->__secretKey, $date_stamp, $regionId);
- $signature = hash_hmac("sha256", $string_to_sign, $signing_key);
+ $kSecret = sprintf("AWS4%s", $this->__secretKey);
+ $kDate = hash_hmac("sha256", $date_stamp, $kSecret, true);
+ $kRegion = hash_hmac("sha256", $regionId, $kDate, true);
+ $kService = hash_hmac("sha256", "route53", $kRegion, true);
+ $signing_key = hash_hmac("sha256","aws4_request", $kService, true);
+
+ $signature = bin2hex(hash_hmac("sha256", $string_to_sign, $signing_key, true));
- $authorization_header = sprintf("%s Credential=%s/%s, SignedHeader=%s Signature=%s",
+ $authorization_header = sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s",
$algorithm, $this->__accessKey, $credential_scope, $signed_headers, $signature);
- $httphead[] = array();
$httphead[] = "Content-Type: text/xml";
$httphead[] = sprintf("X-Amz-Date: %s", $amz_date);
$httphead[] = sprintf("Authorization: %s", $authorization_header);
return $httphead;
}
-
- /**
- * Return Signing key
- *
- * @param string secretKey The AWS key
- * @param string dateStamp The AWS signing date in the form YYYYMMDD
- * @param string regionName The AWS region name - e.g. us-east-1
- */
- public function getAWS4SigningKey($secretKey, $dateStamp, $regionName){
- $kSecret = sprintf("AWS4%s", $secretKey);
- $kDate = hash_hmac("sha256", $dateStamp, $kSecret);
- $kRegion = hash_hmac("sha256", $regionName, $kDate);
- $kService = hash_hmac("sha256", "route53domains", $kRegion);
- return hash_hmac("sha256", "aws4_request", $kService);
- }
}
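Review bot: `$amz_date` and `$date_stamp` come from three separate `gmdate()` calls, so a request signed across a UTC day boundary can carry an `X-Amz-Date` whose date part differs from the `Credential` scope date and the signature is then rejected; take one timestamp instead: `$now = time();` `$amz_date = gmdate('Ymd\THis\Z', $now);` `$date_stamp = gmdate('Ymd', $now);`. The signing region is now caller-supplied where the replaced call in dyndns.class hard-coded `us-east-1`; Route 53 is a global endpoint signed against `us-east-1`, so any other value fed into `$credential_scope` and `$kRegion` will fail validation — this deserves a comment on the `$regionId` parameter or a check before use. On the signature line, `bin2hex(hash_hmac("sha256", $string_to_sign, $signing_key, true))` is equivalent to `hash_hmac("sha256", $string_to_sign, $signing_key)` and can be simplified. getHttpPostHeaders starts before the hunk, where `$canonical_uri` is defined.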