From 51f6fe515edf3361d3c7c73eff044dd21afc4bc6 Mon Sep 17 00:00:00 2001 From: Yuriy Syrota Date: Sat, 17 Aug 2024 15:13:12 +0300 Subject: [PATCH] Switch to Signature Canonicalization version 2 --- lib/https.c | 9 +++++++-- tests/mockduo.py | 8 +++++++- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/lib/https.c b/lib/https.c index 2e1c9bb..c31eae5 100644 --- a/lib/https.c +++ b/lib/https.c @@ -660,14 +660,18 @@ https_send(struct https_request *req, const char *method, const char *uri, BIO *b64; HMAC_CTX *hmac; unsigned char MD[SHA512_DIGEST_LENGTH]; - char *qs, *p; + char *qs, *p, date[128]; int i, n, is_get; + time_t t; req->done = 0; + t = time(NULL); + strftime(date, sizeof date, "%a, %d %b %Y %T %z", localtime(&t)); + /* Generate query string and canonical request to sign */ if ((qs = _argv_to_qs(argc, argv)) == NULL || - (asprintf(&p, "%s\n%s\n%s\n%s", method, req->host, uri, qs)) < 0) { + (asprintf(&p, "%s\n%s\n%s\n%s\n%s", date, method, req->host, uri, qs)) < 0) { free(qs); ctx.errstr = strerror(errno); return (HTTPS_ERR_LIB); @@ -688,6 +692,7 @@ https_send(struct https_request *req, const char *method, const char *uri, "User-Agent: %s\r\n", useragent); /* Add signature */ + BIO_printf(req->cbio, "X-Duo-Date: %s\r\n", date); BIO_puts(req->cbio, "Authorization: Basic "); if ((hmac = HMAC_CTX_new()) == NULL) { diff --git a/tests/mockduo.py b/tests/mockduo.py index 129e3a5..93bdc68 100755 --- a/tests/mockduo.py +++ b/tests/mockduo.py @@ -66,7 +66,13 @@ def _verify_sig(self): if ikey != IKEY: return False - canon = [self.method, self.headers["Host"].split(":")[0].lower(), self.path] + # first look for x-duo-date header + datestring = self.headers.get("x-duo-date") + if datestring is None: + # if it doesn't exist, try looking for Date header + datestring = self.headers.get("Date") + + canon = [datestring, self.method, self.headers["Host"].split(":")[0].lower(), self.path] l = [] for k in sorted(self.args.keys()): l.append(
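Review bot: The new `strftime(date, sizeof date, "%a, %d %b %Y %T %z", localtime(&t))` line in https_send ignores both return values. `localtime()` can return NULL, and when `strftime()` returns 0 the contents of `date` are indeterminate, yet that buffer goes straight into the `asprintf()` that builds the HMAC input and, in the next hunk, into the `X-Duo-Date` header. `localtime()` also returns shared static storage, which is a hazard for a library loaded into multi-threaded hosts; `localtime_r()` with a local `struct tm` avoids it. Separately, `%a` and `%b` follow LC_TIME, so a host process that has called `setlocale()` would presumably send localized day and month names that the verifier may not accept; worth confirming, or formatting the names from fixed English tables. The body of https_send starts and ends outside the hunk, and whether `<time.h>` is already included is not visible here.

```c
	struct tm tm;
	/* … unchanged: other declarations, req->done = 0 … */

	t = time(NULL);
	if (localtime_r(&t, &tm) == NULL ||
	    strftime(date, sizeof date, "%a, %d %b %Y %T %z", &tm) == 0) {
		/* Nothing is allocated yet, so a plain return is safe here. */
		ctx.errstr = "Failed to format request date";
		return (HTTPS_ERR_LIB);
	}
```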
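Review bot: The `X-Duo-Date` write in the second lib/https.c hunk sits under the existing `/* Add signature */` comment, and nothing records that its value must be byte-identical to the `date` string placed first in the signed canonical request. A later edit that reformats one and not the other would make every request fail signature verification without any compile-time hint. I would add `/* X-Duo-Date must carry exactly the date string that was signed above */` over the `BIO_printf` and keep `/* Add signature */` directly above the `Authorization` line.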