Merge pull request #35 from awslabs/SigningImprovments

Changed Sigv4 Signer to cache redundant calculations. Removed user-ag…

Author: JonathanHenson

aws-cpp-sdk-core/include/aws/core/VersionConfig.h

@@ -1,16 +1,16 @@
-/*
-  * Copyright 2010-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License").
-  * You may not use this file except in compliance with the License.
-  * A copy of the License is located at
-  *
-  *  http://aws.amazon.com/apache2.0
-  *
-  * or in the "license" file accompanying this file. This file is distributed
-  * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
-  * express or implied. See the License for the specific language governing
-  * permissions and limitations under the License.
-  */
-
-#define AWS_SDK_VERSION_STRING "1.0.22"
+/*
+  * Copyright 2010-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License").
+  * You may not use this file except in compliance with the License.
+  * A copy of the License is located at
+  *
+  *  http://aws.amazon.com/apache2.0
+  *
+  * or in the "license" file accompanying this file. This file is distributed
+  * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+  * express or implied. See the License for the specific language governing
+  * permissions and limitations under the License.
+  */
+
+#define AWS_SDK_VERSION_STRING "1.0.22"

aws-cpp-sdk-core/include/aws/core/auth/AWSAuthSigner.h

@@ -20,6 +20,7 @@
 #include <aws/core/Region.h>
 #include <aws/core/utils/memory/AWSMemory.h>
 #include <aws/core/utils/DateTime.h>
+#include <aws/core/utils/Array.h>
 
 #include <memory>
 #include <atomic>
@@ -127,12 +128,20 @@ namespace Aws
             Aws::String GenerateSignature(const Aws::Auth::AWSCredentials& credentials, const Aws::String& stringToSign, const Aws::String& simpleDate) const;
             Aws::String ComputePayloadHash(Aws::Http::HttpRequest&) const;
             Aws::String GenerateStringToSign(const Aws::String& dateValue, const Aws::String& simpleDate, const Aws::String& canonicalRequestHash) const;
+            const Aws::Utils::ByteBuffer& ComputeLongLivedHash(const Aws::String& secretKey, const Aws::String& simpleDate) const;
 
             std::shared_ptr<Auth::AWSCredentialsProvider> m_credentialsProvider;
             Aws::String m_serviceName;
             Aws::String m_region;
             Aws::UniquePtr<Aws::Utils::Crypto::Sha256> m_hash;
             Aws::UniquePtr<Aws::Utils::Crypto::Sha256HMAC> m_HMAC;
+            //these next four fields are ONLY for caching purposes and do not change
+            //the logical state of the signer. They are marked mutable so the
+            //interface can remain const.
+            mutable Aws::Utils::ByteBuffer m_partialSignature;
+            mutable Aws::String m_currentDateStr;
+            mutable Aws::String m_currentSecretKey;
+            mutable std::mutex m_partialSignatureLock;
             bool m_signPayloads;
             bool m_urlEscapePath;
         };

aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp

@@ -55,6 +55,7 @@ static const char* X_AMZ_SIGNATURE = "X-Amz-Signature";
 static const char* SIGNING_KEY = "AWS4";
 static const char* LONG_DATE_FORMAT_STR = "%Y%m%dT%H%M%SZ";
 static const char* SIMPLE_DATE_FORMAT_STR = "%Y%m%d";
+static const char* EMPTY_STRING_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
 
 static const char* v4LogTag = "AWSAuthV4Signer";
 
@@ -131,6 +132,8 @@ AWSAuthV4Signer::AWSAuthV4Signer(const std::shared_ptr<Auth::AWSCredentialsProvi
     m_signPayloads(signPayloads),
     m_urlEscapePath(urlEscapePath)
 {
+    //go ahead and warm up the signing cache.
+    ComputeLongLivedHash(credentialsProvider->GetAWSCredentials().GetAWSSecretKey(), DateTime::CalculateGmtTimestampAsString(SIMPLE_DATE_FORMAT_STR));
 }
 
 AWSAuthV4Signer::~AWSAuthV4Signer()
@@ -322,45 +325,9 @@ Aws::String AWSAuthV4Signer::GenerateSignature(const AWSCredentials& credentials
 
     Aws::StringStream ss;
 
-    //now we do the complicated part of deriving a signing key.
-    Aws::String signingKey(SIGNING_KEY);
-    signingKey.append(credentials.GetAWSSecretKey());
-
-    //we use digest only for the derivation process.
-    auto hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)simpleDate.c_str(), simpleDate.length()),
-        ByteBuffer((unsigned char*)signingKey.c_str(), signingKey.length()));
-    if (!hashResult.IsSuccess())
-    {
-        AWS_LOGSTREAM_ERROR(v4LogTag, "Failed to hmac (sha256) date string \"" << simpleDate << "\"");
-        return "";
-    }
-
-    auto kDate = hashResult.GetResult();
-    hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)m_region.c_str(), m_region.length()), kDate);
-    if (!hashResult.IsSuccess())
-    {
-        AWS_LOGSTREAM_ERROR(v4LogTag, "Failed to hmac (sha256) region string \"" << m_region << "\"");
-        return "";
-    }
-
-    auto kRegion = hashResult.GetResult();
-    hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)m_serviceName.c_str(), m_serviceName.length()), kRegion);
-    if (!hashResult.IsSuccess())
-    {
-        AWS_LOGSTREAM_ERROR(v4LogTag, "Failed to hmac (sha256) service string \"" << m_serviceName << "\"");
-        return "";
-    }
-
-    auto kService = hashResult.GetResult();
-    hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)AWS4_REQUEST, strlen(AWS4_REQUEST)), kService);
-    if (!hashResult.IsSuccess())
-    {
-        AWS_LOGSTREAM_ERROR(v4LogTag, "Unable to hmac (sha256) request string \"" << AWS4_REQUEST << "\"");
-        return "";
-    }
-
-    auto kSigning = hashResult.GetResult();
-    hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)stringToSign.c_str(), stringToSign.length()), kSigning);
+    auto& partialSignature = ComputeLongLivedHash(credentials.GetAWSSecretKey(), simpleDate);
+        
+    auto hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)stringToSign.c_str(), stringToSign.length()), partialSignature);
     if (!hashResult.IsSuccess())
     {
         AWS_LOGSTREAM_ERROR(v4LogTag, "Unable to hmac (sha256) final string \"" << stringToSign << "\"");
@@ -378,9 +345,14 @@ Aws::String AWSAuthV4Signer::GenerateSignature(const AWSCredentials& credentials
 
 Aws::String AWSAuthV4Signer::ComputePayloadHash(Aws::Http::HttpRequest& request) const
 {
+    if (!request.GetContentBody())
+    {
+        AWS_LOGSTREAM_DEBUG(v4LogTag, "Using cached empty string sha256 " << EMPTY_STRING_SHA256 << " because payload is empty.");
+        return EMPTY_STRING_SHA256;
+    }
+
     //compute hash on payload if it exists.
-    auto hashResult = request.GetContentBody() ? m_hash->Calculate(*request.GetContentBody())
-        : m_hash->Calculate("");
+    auto hashResult =  m_hash->Calculate(*request.GetContentBody());
 
     if(request.GetContentBody())
     {
@@ -411,3 +383,64 @@ Aws::String AWSAuthV4Signer::GenerateStringToSign(const Aws::String& dateValue,
 
     return ss.str();
 }
+
+const Aws::Utils::Array<unsigned char>& AWSAuthV4Signer::ComputeLongLivedHash(const Aws::String& secretKey, const Aws::String& simpleDate) const
+{
+    //only compute this once and use it until either the credentials change, or the date changes.
+    if (m_currentDateStr != simpleDate || m_currentSecretKey != secretKey)
+    {
+        std::lock_guard<std::mutex> locker(m_partialSignatureLock);
+        if (m_currentDateStr != simpleDate || m_currentSecretKey != secretKey)
+        {
+            m_currentSecretKey = secretKey;
+            m_currentDateStr = simpleDate;
+
+            //now we do the complicated part of deriving a signing key.
+            Aws::String signingKey(SIGNING_KEY);
+            
+            signingKey.append(m_currentSecretKey);
+
+            //we use digest only for the derivation process.
+            auto hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)simpleDate.c_str(), simpleDate.length()),
+                ByteBuffer((unsigned char*)signingKey.c_str(), signingKey.length()));
+
+            if (!hashResult.IsSuccess())
+            {
+                AWS_LOGSTREAM_ERROR(v4LogTag, "Failed to hmac (sha256) date string \"" << simpleDate << "\"");
+                m_partialSignature = ByteBuffer();
+                return m_partialSignature;
+            }
+
+            auto kDate = hashResult.GetResult();
+            hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)m_region.c_str(), m_region.length()), kDate);
+            if (!hashResult.IsSuccess())
+            {
+                AWS_LOGSTREAM_ERROR(v4LogTag, "Failed to hmac (sha256) region string \"" << m_region << "\"");
+                m_partialSignature = ByteBuffer();
+                return m_partialSignature;
+            }
+
+            auto kRegion = hashResult.GetResult();
+            hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)m_serviceName.c_str(), m_serviceName.length()), kRegion);
+            if (!hashResult.IsSuccess())
+            {
+                AWS_LOGSTREAM_ERROR(v4LogTag, "Failed to hmac (sha256) service string \"" << m_serviceName << "\"");
+                m_partialSignature = ByteBuffer();
+                return m_partialSignature;
+            }
+
+            auto kService = hashResult.GetResult();
+            hashResult = m_HMAC->Calculate(ByteBuffer((unsigned char*)AWS4_REQUEST, strlen(AWS4_REQUEST)), kService);
+            if (!hashResult.IsSuccess())
+            {
+                AWS_LOGSTREAM_ERROR(v4LogTag, "Unable to hmac (sha256) request string \"" << AWS4_REQUEST << "\"");
+                m_partialSignature = ByteBuffer();
+                return m_partialSignature;
+            }
+
+            m_partialSignature = hashResult.GetResult();
+        }
+    }
+
+    return m_partialSignature;
+}

aws-cpp-sdk-core/source/client/AWSClient.cpp

@@ -257,14 +257,16 @@ HttpResponseOutcome AWSClient::AttemptOneRequest(const Aws::String& uri,
 HttpResponseOutcome AWSClient::AttemptOneRequest(const Aws::String& uri, HttpMethod method) const
 {
     std::shared_ptr<HttpRequest> httpRequest(CreateHttpRequest(uri, method, Aws::Utils::Stream::DefaultResponseStreamFactoryMethod));
-    AddCommonHeaders(*httpRequest);
-
+    
     if (!m_signer->SignRequest(*httpRequest))
     {
         AWS_LOG_ERROR(AWS_CLIENT_LOG_TAG, "Request signing failed. Returning error.");
         return HttpResponseOutcome(); // TODO: make a real error when error revamp reaches branch (SIGNING_ERROR)
     }
 
+    //user agent and headers like that shouldn't be signed for the sake of compatibility with proxies which MAY mutate that header.
+    AddCommonHeaders(*httpRequest);
+
     AWS_LOG_DEBUG(AWS_CLIENT_LOG_TAG, "Request Successfully signed");
     std::shared_ptr<HttpResponse> httpResponse(
         m_httpClient->MakeRequest(*httpRequest, m_readRateLimiter.get(), m_writeRateLimiter.get()));