fix: Lock access around the AES object for creating the IV and encryp…

…tion.
aws · Oct 15, 2021 · d06fed1 · d06fed1
1 parent 3b40d29
commit d06fed1
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/src/AWS.Deploy.ServerMode.Client/ServerModeHttpClient.cs b/src/AWS.Deploy.ServerMode.Client/ServerModeHttpClient.cs
@@ -36,6 +36,8 @@ public class ServerModeHttpClientAuthorizationHandler : HttpClientHandler
         private readonly Func<Task<AWSCredentials>> _credentialsGenerator;
         private readonly Aes? _aes;
 
+        private static readonly object AES_LOCK = new object();
+
         internal ServerModeHttpClientAuthorizationHandler(Func<Task<AWSCredentials>> credentialsGenerator, Aes? aes = null)
         {
             _credentialsGenerator = credentialsGenerator;
@@ -73,8 +75,14 @@ public static void AddAuthorizationHeader(HttpRequestMessage request, ImmutableC
             string base64;
             if(aes != null)
             {
-                aes.GenerateIV();
-                var encryptor = aes.CreateEncryptor(aes.Key, aes.IV);
+                byte[] iv;
+                lock (AES_LOCK)
+                {
+                    aes.GenerateIV();
+                    iv = aes.IV;
+                }
+
+                var encryptor = aes.CreateEncryptor(aes.Key, iv);
 
                 using var inputStream = new MemoryStream(Encoding.UTF8.GetBytes(json));
                 using var outputStream = new MemoryStream();
@@ -83,7 +91,7 @@ public static void AddAuthorizationHeader(HttpRequestMessage request, ImmutableC
                     inputStream.CopyTo(encryptStream);
                 }
 
-                base64 = $"{Convert.ToBase64String(aes.IV)} {Convert.ToBase64String(outputStream.ToArray())}";
+                base64 = $"{Convert.ToBase64String(iv)} {Convert.ToBase64String(outputStream.ToArray())}";
             }
             else
             {