author | Jason D. McCormick <jason@mfamily.org> | 2017-02-03 20:21:02 -0500 |
committer | Renato Botelho <renato@netgate.com> | 2017-02-07 09:35:13 -0200 |
commit | b6461e84e7133c5b6240e0253c13dd4012925777 (patch) | |
tree | c48e4889090df2116c184c5f7fcebd3ef7dd45e4 /src/etc | |
parent | 6b416a15240e67454e6c97e3059790c0c7cc14c5 (diff) | |
commit initial fix; need to add hooks for region to zone id
(cherry picked from commit cb5961d1fa64a45cbec5ef5d677b57f8d62f50b5)
Diffstat (limited to 'src/etc')
-rw-r--r-- | src/etc/inc/dyndns.class | 3 | ||||
-rw-r--r-- | src/etc/inc/r53.class | 61 |
2 files changed, 50 insertions, 14 deletions
diff --git a/src/etc/inc/dyndns.class b/src/etc/inc/dyndns.class
index 6b78402..fff3e9f 100644
--- a/src/etc/inc/dyndns.class
+++ b/src/etc/inc/dyndns.class
@@ -684,7 +684,8 @@
 $r53 = new Route53($this->_dnsUser, $this->_dnsPass);
 $apiurl = $r53->getApiUrl($this->_dnsZoneID);
 $xmlreq = $r53->getRequestBody($this->_dnsHost, $this->_dnsIP, $this->_dnsTTL);
- $httphead = $r53->getHttpPostHeaders(strlen($xmlreq));
+ $httphead = $r53->getHttpPostHeaders($this->_dnsZoneId, "us-east-1",
+ hash("sha256",$xmlreq));
 curl_setopt($ch, CURLOPT_HTTPHEADER, $httphead);
 if($this->_dnsVerboseLog){
 log_error(sprintf("Sending reuquest to: %s", $apiurl));
diff --git a/src/etc/inc/r53.class b/src/etc/inc/r53.class
index cc50d4a..21a4a61 100644
--- a/src/etc/inc/r53.class
+++ b/src/etc/inc/r53.class
@@ -102,7 +102,7 @@ class Route53
 /**
 * Return API URL
 *
- * @param string $zoneid Amazone Zone ID
+ * @param string $zoneid Amazon Zone ID
 * @return string URL
 */
 public function getApiUrl($zoneid){
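Review bot: The first argument of the new `getHttpPostHeaders` call is `$this->_dnsZoneId`, while the `getApiUrl` call two lines above reads `$this->_dnsZoneID`; PHP property names are case-sensitive, so unless a separate `_dnsZoneId` property exists this evaluates to null and the canonical URI the signer builds becomes `/2013-04-01/hostedzone//rrset`, which cannot match the URL actually requested. Change it to `$httphead = $r53->getHttpPostHeaders($this->_dnsZoneID, "us-east-1",`. The enclosing method starts and ends outside the hunk.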
@@ -112,21 +112,56 @@ class Route53
 /**
 * Return HTTP post headers
 *
- * @param int $bodylen length of the POST bost body
+ * @param string zoneId Amazon Zone
+ * @param string regionId Amazon Region Code (e.g. us-east-1)
+ * @param string requestBodySHA256 SHA256 hash of the request body
 * @return Array headers
 */
- public function getHttpPostHeaders($bodylen){
- $reqdate = gmdate('D, d M Y H:i:s e');
+ public function getHttpPostHeaders($zoneId, $regionId, $requestBodySHA256){
+
+ $canonical_uri = sprintf("/2013-04-01/hostedzone/%s/rrset", $zoneId);
+ $amz_date = sprintf("%sT%sZ", gmdate('Ymd'), gmdate('His'));
+ $date_stamp = gmdate('Ymd');
+
+ $canonical_headers = sprintf("content-type:%s\nhost:%s\n:x-amx-date:%s\n",
+ "text/xml", "route53.amazonaws.com", $amz_date);
+
+ $signed_headers = "content-type;host;x-amz-date";
+
+ $canonical_request = sprintf("%s\n%s\n/\n/%s\n%s\n%s\n ",
+ "POST", $canonical_uri, $canonical_headers, $signed_headers, $requestBodySHA256);
+
+ $algorithm = "AWS4-HMAC-SHA256";
+ $credential_scope = sprintf("%s/%s/%s/%s", $date_stamp, $regionId, "route53domains", "aws4_request");
+ $string_to_sign = sprintf("%s\n%s\n%s\n%s ",
+ $algorithm, $amz_date, $credential_scope, hash("sha256", $canonical_request));
+ $signing_key = getAWS4SigningKey($this->__secretKey, $date_stamp, $regionId);
+
+ $signature = hash_hmac("sha256", $string_to_sign, $signing_key);
+
+ $authorization_header = sprintf("%s Credential=%s/%s, SignedHeader=%s Signature=%s",
+ $algorithm, $this->__accessKey, $credential_scope, $signed_headers, $signature);
+
 $httphead[] = array();
- $httphead[] = sprintf("Date: %s", $reqdate);
- $httphead[] = "Content-Type: text/plain";
- $httphead[] = sprintf("Content-Length: %d", $bodylen);
- /* to avoid having user to know their AWS Region, for now use V3 */
- $httphead[] = sprintf(
- "X-Amzn-Authorization: AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=HMACSHA256,SignedHeaders=date,Signature=%s",
- $this->__accessKey,
- base64_encode(hash_hmac("sha256", $reqdate, $this->__secretKey, true))
- );
+ $httphead[] = "Content-Type: text/xml";
+ $httphead[] = sprintf("X-Amz-Date: %s", $amz_date);
+ $httphead[] = sprintf("Authorization: %s", $authorization_header);
 return $httphead;
 }
+
+ /**
+ * Return Signing key
+ *
+ * @param string secretKey The AWS key
+ * @param string dateStamp The AWS signing date in the form YYYYMMDD
+ * @param string regionName The AWS region name - e.g. us-east-1
+ */
+ public function getAWS4SigningKey($secretKey, $dateStamp, $regionName){
+ $kSecret = sprintf("AWS4%s", $secretKey);
+ $kDate = hash_hmac("sha256", $dateStamp, $kSecret);
+ $kRegion = hash_hmac("sha256", $regionName, $kDate);
+ $kService = hash_hmac("sha256", "route53domains", $kRegion);
+ return hash_hmac("sha256", "aws4_request", $kService);
+ }
 }
+
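Review bot: The SigV4 signature produced by the new `getHttpPostHeaders` will not verify, because several strings fed into the hash deviate from the canonical forms: the canonical headers line reads `:x-amx-date:` (stray leading colon, `amx` for `amz`) so it no longer matches `$signed_headers`; `$canonical_request` inserts `/` for the empty query string and another `/` before the headers, and both it and `$string_to_sign` end in a trailing space; and the Authorization value writes `SignedHeader=` with no comma before `Signature=`, where the scheme expects `SignedHeaders=..., Signature=...`. Two further defects break the request before it is sent: `getAWS4SigningKey(...)` is called as a free function although it is defined as a method of this class (`$this->getAWS4SigningKey(...)`), and the key derivation uses hex-encoded `hash_hmac` output at every step, whereas each derived key must be raw bytes (fourth argument `true`) with only the final signature rendered in hex. The service component `route53domains` belongs to the domain-registration API; the hosted-zone endpoint `route53.amazonaws.com` signs with service `route53`, so both the credential scope and `$kService` should use that name. `$amz_date` and `$date_stamp` are also built from three separate `gmdate()` calls, so a day roll-over between them yields a credential scope that does not match the timestamp; take one `time()` value and format it twice. The rewritten lines are below; the pre-existing `$httphead[] = array();` context line, which pushes an empty array into the header list rather than initialising it, is outside this change.
```php
public function getHttpPostHeaders($zoneId, $regionId, $requestBodySHA256){
	$now = time();
	$canonical_uri = sprintf("/2013-04-01/hostedzone/%s/rrset", $zoneId);
	$amz_date = gmdate('Ymd\THis\Z', $now);
	$date_stamp = gmdate('Ymd', $now);

	/* lower-case names, no leading ':'; the list must match $signed_headers exactly */
	$canonical_headers = sprintf("content-type:%s\nhost:%s\nx-amz-date:%s\n",
		"text/xml", "route53.amazonaws.com", $amz_date);
	$signed_headers = "content-type;host;x-amz-date";

	/* method, URI, empty query string, headers, signed headers, payload hash - no trailing space */
	$canonical_request = sprintf("%s\n%s\n\n%s\n%s\n%s",
		"POST", $canonical_uri, $canonical_headers, $signed_headers, $requestBodySHA256);

	$algorithm = "AWS4-HMAC-SHA256";
	$credential_scope = sprintf("%s/%s/%s/%s", $date_stamp, $regionId, "route53", "aws4_request");
	$string_to_sign = sprintf("%s\n%s\n%s\n%s",
		$algorithm, $amz_date, $credential_scope, hash("sha256", $canonical_request));
	/* method call; the returned key is raw bytes, the signature is hex */
	$signing_key = $this->getAWS4SigningKey($this->__secretKey, $date_stamp, $regionId);
	$signature = hash_hmac("sha256", $string_to_sign, $signing_key);

	$authorization_header = sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		$algorithm, $this->__accessKey, $credential_scope, $signed_headers, $signature);

	// … unchanged: header array assembly and return …
}

public function getAWS4SigningKey($secretKey, $dateStamp, $regionName){
	/* every intermediate key is raw binary (4th argument true), never hex */
	$kSecret = sprintf("AWS4%s", $secretKey);
	$kDate = hash_hmac("sha256", $dateStamp, $kSecret, true);
	$kRegion = hash_hmac("sha256", $regionName, $kDate, true);
	$kService = hash_hmac("sha256", "route53", $kRegion, true);
	return hash_hmac("sha256", "aws4_request", $kService, true);
}
```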