User authentication and session management for web applications

http, s3, requests: align canonicalize_value with boto3 + SDKs, add adversarial + interop tests

Researched what real SigV4 implementations do with quoted strings in
header values. boto3 (_header_value = ' '.join(v.split())), AWS Java
SDK v2 (SignerUtils.trimAll), and AWS Go SDK v2 (v4.stripExcessSpaces)
all treat the value as an opaque byte string and collapse every run
of ASCII whitespace to a single space -- no exception for double-
quoted segments. The AWS SigV4 spec itself says the same.

Our previous implementation followed RFC 7230 §3.2.3 and preserved
interior whitespace inside quoted strings. That silently produces
signatures that disagree with every major SDK the moment a header
like x-amz-meta-note carries a quoted value. Switch to the collapse-
all rule so we match the ecosystem.

- http: canonicalize_value uses a single pass matching Python's
[' '.join(v.split())] without any pre-trim so ASCII whitespace
(SP, HTAB, LF, CR, VT, FF) is handled consistently. mli cites
boto3 / SDK equivalents and documents the intentional deviation
from RFC 7230.

- ocaml-http adversarial tests: 22 cases covering empty, quoted
empties, unmatched quotes, backslashes in/out of quotes,
adjacent/multiple quoted segments, high-byte UTF-8, idempotence,
large inputs, many quoted segments, case preservation,
comma-list preservation.

- ocaml-http boto3 interop (new): scripts/generate.py dumps 36
(input, expected) pairs via botocore._header_value, hex-encoded
CSV. test.ml checks Headers.canonicalize_value byte-for-byte.
Regenerate via dune build @regen-traces.

- ocaml-requests RFC 9421 signature module: 14 adversarial tests
covering whitespace irrelevance at outer bounds, significance of
interior whitespace, case sensitivity, content tampering,
multi-line combining, ;bs byte-sequence handling, cross-component
isolation, and end-to-end verify-side roundtrips.

- ocaml-s3: SigV4 test updated from 'quoted string preserved' to
'quoted string collapsed' to reflect the corrected behaviour.

All 36 boto3 interop fixtures match byte-for-byte. All 16 RFC 9421
Appendix B vectors still pass.
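The two canonicalization rules the commit message contrasts, written out side by side as an added example (Python, not the project's OCaml code; the function names `canonicalize_value_collapse`, `canonicalize_value_rfc7230`, `canonical_header_line`, `signing_inputs_agree` and `is_idempotent` are this example's own). It operates on bytes with the exact ASCII whitespace set the commit lists, builds the SigV4 canonical-header line under each rule, and reports whether the two would feed the same bytes into the signature hash. The sample header value is constructed here and does not come from any fixture file.

```python
import hashlib
import re

# The ASCII whitespace set named in the commit message: SP, HTAB, LF, CR, VT, FF.
_ASCII_WS = b" \t\n\r\x0b\x0c"
_ASCII_WS_RUN = re.compile(rb"[ \t\n\r\x0b\x0c]+")


def canonicalize_value_collapse(value: bytes) -> bytes:
    """Collapse-all rule (boto3 / AWS Java SDK v2 / AWS Go SDK v2 behaviour):
    every run of ASCII whitespace becomes one SP and leading/trailing runs are
    dropped.  The value is an opaque byte string, so double quotes get no
    special treatment.  For ASCII input this is byte-for-byte what Python's
    ' '.join(v.split()) produces."""
    return b" ".join(part for part in _ASCII_WS_RUN.split(value) if part)


def canonicalize_value_rfc7230(value: bytes) -> bytes:
    """The replaced rule: whitespace is collapsed only outside double-quoted
    segments.  Inside a quoted string every byte is copied verbatim, and a
    backslash keeps the byte that follows it (RFC 7230 quoted-pair)."""
    out = bytearray()
    in_quote = False
    pending_space = False  # a whitespace run seen outside quotes, not yet emitted
    i = 0
    while i < len(value):
        c = value[i]
        if in_quote:
            out.append(c)
            if c == 0x5C and i + 1 < len(value):  # backslash: copy escaped byte as-is
                i += 1
                out.append(value[i])
            elif c == 0x22:  # closing quote
                in_quote = False
        elif c in _ASCII_WS:
            pending_space = True
        else:
            if pending_space and out:  # emit at most one SP, never a leading one
                out.append(0x20)
            pending_space = False
            out.append(c)
            if c == 0x22:  # opening quote
                in_quote = True
        i += 1
    return bytes(out)  # a trailing run is simply never emitted


def canonical_header_line(name: str, value: bytes, rule) -> bytes:
    """SigV4 canonical-header line: lowercased name, ':', canonical value, LF."""
    return name.lower().encode("ascii") + b":" + rule(value) + b"\n"


def signing_inputs_agree(name: str, value: bytes) -> bool:
    """True when both rules hash to the same canonical-header bytes.  A False
    result marks a header value for which the old implementation signed
    something the AWS SDKs would compute differently."""
    new = hashlib.sha256(canonical_header_line(name, value, canonicalize_value_collapse)).digest()
    old = hashlib.sha256(canonical_header_line(name, value, canonicalize_value_rfc7230)).digest()
    return new == old


def is_idempotent(rule, value: bytes) -> bool:
    """Canonicalizing twice must give the same bytes as canonicalizing once
    (one of the adversarial properties listed in the commit message)."""
    once = rule(value)
    return rule(once) == once


if __name__ == "__main__":
    # Constructed sample, not taken from the boto3 interop fixtures.
    sample = b'  note: "hello \t  world"  ,  trailing \n'
    for rule in (canonicalize_value_collapse, canonicalize_value_rfc7230):
        print(rule.__name__, canonical_header_line("X-Amz-Meta-Note", sample, rule))
    print("signing inputs agree:", signing_inputs_agree("X-Amz-Meta-Note", sample))
```

One caveat when reproducing fixtures from a str-based reference: Python's `str.split()` with no separator also treats Unicode whitespace (U+0085, U+00A0 and others) as a separator, so a str-based `' '.join(v.split())` and an ASCII-only byte-level implementation agree only on ASCII whitespace; the high-byte UTF-8 cases in the test list are where that difference would surface.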

+3
+3
fuzz/fuzz_auth.mli
··· 1 + (** Fuzz tests for the {!Auth} library: random bearer-token, basic-auth, and 2 + HTTP-header round-trips that catch crashes the unit tests miss. *) 3 + 1 4 val suite : string * Alcobar.test_case list 2 5 (** [suite] is the fuzz test suite. *)
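Review bot: the new `fuzz/fuzz_auth.mli` interface is not mentioned anywhere in the commit message, which only describes the canonicalize_value change and its tests; add a bullet saying what this fuzz suite covers and how it is run. The doc comment promises "random bearer-token, basic-auth, and HTTP-header round-trips", but `val suite : string * Alcobar.test_case list` exposes no seed or iteration count, so a failing random case cannot be reproduced from the interface alone; document where the seed comes from (or expose it). Also confirm `Alcobar` is the intended test-framework module name, since it is not referenced elsewhere in the diff.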