From de127ed8253b6a7af8bb43b87397d7c3d6346b5b Mon Sep 17 00:00:00 2001
From: Iesan Remus
Date: Fri, 13 Jun 2025 10:42:26 +0300
Subject: [PATCH 1/2] BAU-27506 Use of Hardcoded Cryptographic Key fixes
---
 src/request.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/request.c b/src/request.c
index dd66863..03d4614 100644
--- a/src/request.c
+++ b/src/request.c
@@ -52,6 +52,9 @@ #define USER_AGENT_SIZE 256 #define REQUEST_STACK_SIZE 32 #define SIGNATURE_SCOPE_SIZE 64 +#define AWS4_PREFIX "AWS4" +#define AWS4_SERVICE "s3" +#define AWS4_REQUEST "aws4_request" //#define SIGNATURE_DEBUG
@@ -1002,8 +1005,8 @@ static S3Status compose_auth_header(const RequestParams *params, awsRegion = params->bucketContext.authRegion; } char scope[sizeof(values->requestDateISO8601) + sizeof(awsRegion) + - sizeof("//s3/aws4_request") + 1]; - snprintf(scope, sizeof(scope), "%.8s/%s/s3/aws4_request", + 2 /* slashes */ + sizeof(AWS4_SERVICE) + 1 /* slash */ + sizeof(AWS4_REQUEST)]; + snprintf(scope, sizeof(scope), "%.8s/%s/" AWS4_SERVICE "/" AWS4_REQUEST, values->requestDateISO8601, awsRegion); char stringToSign[17 + 17 + sizeof(values->requestDateISO8601) +
@@ -1017,7 +1020,7 @@ static S3Status compose_auth_header(const RequestParams *params, const char *secretAccessKey = params->bucketContext.secretAccessKey; char accessKey[strlen(secretAccessKey) + 5]; - snprintf(accessKey, sizeof(accessKey), "AWS4%s", secretAccessKey); + snprintf(accessKey, sizeof(accessKey), AWS4_PREFIX "%s", secretAccessKey); #ifdef __APPLE__ unsigned char dateKey[S3_SHA256_DIGEST_LENGTH];
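Review bot: In the `@@ -1002,8 +1005,8 @@` hunk the `scope` array is still sized with `sizeof(awsRegion)`, and because `awsRegion` is assigned from `params->bucketContext.authRegion` in the hunk's first context line it is a pointer, so that term is the pointer width, not the region's length. The bounded `snprintf` keeps the write inside the array, but a region longer than the slack this arithmetic happens to leave would be silently truncated and the request signed over a wrong scope, and the return value is not checked. Consider sizing from `strlen(awsRegion)` and testing the result, e.g. `if ((size_t)snprintf(scope, sizeof(scope), ...) >= sizeof(scope))` followed by an error return. The declaration of `awsRegion` and the rest of compose_auth_header lie outside the hunk.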
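Review bot: In the `@@ -1017,7 +1020,7 @@` hunk the buffer is still declared as `char accessKey[strlen(secretAccessKey) + 5]` while the format string now takes its prefix from `AWS4_PREFIX`, so the literal 5 silently depends on the macro staying four characters long; if the macro ever changes, `snprintf` would truncate the key material instead of failing. `char accessKey[strlen(secretAccessKey) + sizeof(AWS4_PREFIX)];` ties the two together. `accessKey` also holds a copy of the secret on the stack; whether it is cleared once the HMAC chain is done is not visible here, because the function continues past the hunk.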
@@ -1031,7 +1034,7 @@ static S3Status compose_auth_header(const RequestParams *params, dateRegionServiceKey); unsigned char signingKey[S3_SHA256_DIGEST_LENGTH]; CCHmac(kCCHmacAlgSHA256, dateRegionServiceKey, S3_SHA256_DIGEST_LENGTH, - "aws4_request", strlen("aws4_request"), signingKey); + AWS4_REQUEST, strlen(AWS4_REQUEST), signingKey); unsigned char finalSignature[S3_SHA256_DIGEST_LENGTH]; CCHmac(kCCHmacAlgSHA256, signingKey, S3_SHA256_DIGEST_LENGTH, stringToSign,
@@ -1051,7 +1054,7 @@ static S3Status compose_auth_header(const RequestParams *params, (const unsigned char*) "s3", 2, dateRegionServiceKey, NULL); unsigned char signingKey[S3_SHA256_DIGEST_LENGTH]; HMAC(sha256evp, dateRegionServiceKey, S3_SHA256_DIGEST_LENGTH, - (const unsigned char*) "aws4_request", strlen("aws4_request"), + (const unsigned char*) AWS4_REQUEST, strlen(AWS4_REQUEST), signingKey, NULL);
@@ -1068,8 +1071,9 @@ static S3Status compose_auth_header(const RequestParams *params, } snprintf(values->authCredential, sizeof(values->authCredential), - "%s/%.8s/%s/s3/aws4_request", params->bucketContext.accessKeyId, - values->requestDateISO8601, awsRegion); + "%s/%.8s/%s/" AWS4_SERVICE "/" AWS4_REQUEST, + params->bucketContext.accessKeyId, + values->requestDateISO8601, awsRegion) snprintf(values->authorizationHeader, sizeof(values->authorizationHeader),
From 6604613fef21684bdf9f93f81fd5cf2064fb5abb Mon Sep 17 00:00:00 2001
From: Remus Iesan
Date: Thu, 23 Oct 2025 09:26:49 +0300
Subject: [PATCH 2/2] BAU-27506 Add additional comments
---
 src/request.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/request.c b/src/request.c
index 03d4614..8e23e00 100644
--- a/src/request.c
+++ b/src/request.c
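Review bot: The context line `(const unsigned char*) "s3", 2, dateRegionServiceKey, NULL);` in the `@@ -1051,7 +1054,7 @@` hunk of patch 1/2 still passes the service name as a literal with a hand-counted length, while the scope and credential strings now build it from `AWS4_SERVICE`. The HMAC input and the scope string have to name the same service for the signature to verify, so they should share the constant: `(const unsigned char*) AWS4_SERVICE, strlen(AWS4_SERVICE), dateRegionServiceKey, NULL);`. The CommonCrypto branch in the `@@ -1031,7 +1034,7 @@` hunk presumably carries the same literal just above its visible lines; the start of both calls is outside the hunks.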
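Review bot: The added line `values->requestDateISO8601, awsRegion)` in the `@@ -1068,8 +1071,9 @@` hunk of patch 1/2 has lost the terminating semicolon that the removed line had, so as shown the `snprintf(values->authCredential, ...)` statement runs straight into the following `snprintf(values->authorizationHeader, ...` and the file should not compile. It should read `values->requestDateISO8601, awsRegion);`. Patch 2/2 only adds comments, so the series as posted does not correct this.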
@@ -52,6 +52,9 @@
 #define USER_AGENT_SIZE 256
 #define REQUEST_STACK_SIZE 32
 #define SIGNATURE_SCOPE_SIZE 64
+// CWE-321: Use of Hardcoded Cryptographic Key
+// The "AWS4" prefix is required by AWS Signature V4 spec and is NOT a secret key.
+// The real cryptographic key is provided at runtime (not hardcoded).
 #define AWS4_PREFIX "AWS4"
 #define AWS4_SERVICE "s3"
 #define AWS4_REQUEST "aws4_request"
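Review bot: The first added line, `// CWE-321: Use of Hardcoded Cryptographic Key`, reads as a statement that the weakness is present, while the two lines after it say the opposite; a scanner-triage comment should lead with the verdict. Something like `// Not CWE-321: "AWS4" is the fixed key prefix defined by AWS Signature V4, not a secret; the secret comes from bucketContext.secretAccessKey at runtime.` would be unambiguous to the next reader and to whoever re-triages the finding. The comment covers only `AWS4_PREFIX`; `AWS4_SERVICE` and `AWS4_REQUEST` are signed-scope constants and deserve a short line of their own saying so.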