added secure configuration loader (#28)secureconfig

author: Ben Fuhrmannek 2016-03-01 14:55:46 +0100
committer: Ben Fuhrmannek 2016-03-01 14:55:46 +0100
commit: c180da6de0851521cae98a1b385e03a120d5cf61 (patch)
tree: ddd49425cf08f6b70b6cb88858fbe0d1f50d2456
parent: 7060d15d6d2624f81cb3a57ee319fa61ba06ad89 (diff)
6 files changed, 148 insertions, 3 deletions
diff --git a/Changelog b/Changelog
index fbf5709..8c7edae 100644
--- a/Changelog
+++ b/Changelog
@@ -3,6 +3,7 @@
    - removed dead code
    - better debian integration
    - fixed perdir checks
+    - added Juergen Pabel's secure configuration loader to experimental features
 2015-05-21 - 0.9.38
    - removed code compatibility for PHP <5.4 (lots of code + ifdefs)
diff --git a/config.m4 b/config.m4
index c908de9..7a3843e 100644
--- a/config.m4
+++ b/config.m4
@@ -5,7 +5,7 @@ PHP_ARG_ENABLE(suhosin, whether to enable suhosin support,
 [  --enable-suhosin        Enable suhosin support])
 if test "$PHP_SUHOSIN" != "no"; then
-  PHP_NEW_EXTENSION(suhosin, suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c, $ext_shared)
+  PHP_NEW_EXTENSION(suhosin, suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c secureconfig.c, $ext_shared)
 fi
 PHP_ARG_ENABLE(suhosin-experimental, whether to enable experimental suhosin features,
diff --git a/config.w32 b/config.w32
index ecfe832..1b63bdf 100644
--- a/config.w32
+++ b/config.w32
@@ -4,7 +4,7 @@
 ARG_ENABLE("suhosin", "whether to enable suhosin support", "yes");
 if (PHP_SUHOSIN == "yes") {
-        EXTENSION("suhosin", "suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c");
+        EXTENSION("suhosin", "suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c secureconfig.c");
        ARG_ENABLE("suhosin-experimental", "Enable experimental suhosin features", "no");
        if (PHP_SUHOSIN_EXPERIMENTAL != "no") {
diff --git a/php_suhosin.h b/php_suhosin.h
index 824ce21..3fa4160 100644
--- a/php_suhosin.h
+++ b/php_suhosin.h
@@ -320,6 +320,9 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin)
        zend_bool sql_perdir;
        zend_bool misc_perdir;
+        // misc
+        char*   secureconfig_cryptkey;
 ZEND_END_MODULE_GLOBALS(suhosin)
 #ifdef ZTS
@@ -400,6 +403,7 @@ int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra TS
 void suhosin_bailout(TSRMLS_D);
 size_t suhosin_strnspn(const char *input, size_t n, const char *accept);
 size_t suhosin_strncspn(const char *input, size_t n, const char *reject);
+void suhosin_hook_secureconfig(TSRMLS_D);
 #endif  /* PHP_SUHOSIN_H */
diff --git a/secureconfig.c b/secureconfig.c
new file mode 100644
index 0000000..075baf0
--- /dev/null
+++ b/secureconfig.c
@@ -0,0 +1,135 @@
+/*
+  +----------------------------------------------------------------------+
+  | Suhosin Version 1                                                    |
+  +----------------------------------------------------------------------+
+  | Copyright (c) 2006-2007 The Hardened-PHP Project                     |
+  | Copyright (c) 2007-2010 SektionEins GmbH                             |
+  +----------------------------------------------------------------------+
+  | This source file is subject to version 3.01 of the PHP license,      |
+  | that is bundled with this package in the file LICENSE, and is        |
+  | available through the world-wide-web at the following url:           |
+  | http://www.php.net/license/3_01.txt                                  |
+  | If you did not receive a copy of the PHP license and are unable to   |
+  | obtain it through the world-wide-web, please send a note to          |
+  | license@php.net so we can mail you a copy immediately.               |
+  +----------------------------------------------------------------------+
+  | Author: Juergen Pabel <jpabel@akkaya.de>                             |
+  +----------------------------------------------------------------------+
+*/
+#ifdef SUHOSIN_EXPERIMENTAL
+#include <stdio.h>
+#include "php.h"
+#include "php_suhosin.h"
+#include "sha256.h"
+static char cryptkey[32];
+/* {{{ proto string secureconfig_encrypt(string plaintext)
+   Encrypt a configuration value using the configured cryptographic key */
+static PHP_FUNCTION(suhosin_secureconfig_encrypt)
+{
+        char *plaintext, *ciphertext;
+        int plaintext_len, ciphertext_len;
+        int i;
+        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &plaintext, &plaintext_len) == FAILURE) {
+                return;
+        }
+        ciphertext = suhosin_encrypt_string(plaintext, plaintext_len, "", 0, cryptkey TSRMLS_CC);
+        if(ciphertext == NULL) {
+                return;
+        }
+        ciphertext_len = strlen(ciphertext);
+        /* undo suhosin_encrypt_string()'s base64 alphabet transformation */
+        for (i=0; i<ciphertext_len; i++) {
+                switch (ciphertext[i]) {
+                        case '-': ciphertext[i]='/'; break;
+                        case '.': ciphertext[i]='='; break;
+                        case '_': ciphertext[i]='+'; break;
+                }
+        }
+        RETURN_STRINGL((char *)ciphertext, ciphertext_len, 1);
+}
+/* }}} */
+/* {{{ proto string secureconfig_decrypt(string ciphertext)
+   Decrypt a configuration value using the configured cryptographic key */
+static PHP_FUNCTION(suhosin_secureconfig_decrypt)
+{
+        char *plaintext, *ciphertext;
+        int plaintext_len, ciphertext_len;
+        int i;
+        
+        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &ciphertext, &ciphertext_len) == FAILURE) {
+                return;
+        }
+        /* redo suhosin_encrypt_string()'s base64 alphabet transformation */
+        for (i=0; i<ciphertext_len; i++) {
+                switch (ciphertext[i]) {
+                        case '/': ciphertext[i]='-'; break;
+                        case '=': ciphertext[i]='.'; break;
+                        case '+': ciphertext[i]='_'; break;
+                }
+        }
+        plaintext = suhosin_decrypt_string(ciphertext, ciphertext_len, "", 0, cryptkey, &plaintext_len, 0 TSRMLS_CC);
+        if(plaintext == NULL || plaintext_len <= 0) {
+                return;
+        }
+        RETURN_STRINGL((char *)plaintext, plaintext_len, 1);
+}
+/* }}} */
+/* {{{ suhosin_secureconfig_functions[]
+ */
+static function_entry suhosin_secureconfig_functions[] = {
+        PHP_NAMED_FE(secureconfig_encrypt, PHP_FN(suhosin_secureconfig_encrypt), NULL)
+        PHP_NAMED_FE(secureconfig_decrypt, PHP_FN(suhosin_secureconfig_decrypt), NULL)
+        {NULL, NULL, NULL}
+};
+/* }}} */
+void suhosin_hook_secureconfig(TSRMLS_D)
+{
+        char* key;
+        suhosin_SHA256_CTX ctx;
+        // TSRMLS_FETCH();
+        
+        /* check if we already have secureconfig support */
+        if (zend_hash_exists(CG(function_table), "secureconfig_encrypt", sizeof("secureconfig_encrypt"))) {
+                return;         
+        }
+        key = SUHOSIN_G(secureconfig_cryptkey);
+        if (key != NULL) {
+                suhosin_SHA256Init(&ctx);
+                suhosin_SHA256Update(&ctx, (unsigned char*)key, strlen(key));
+                suhosin_SHA256Final((unsigned char *)cryptkey, &ctx);
+        } else {
+                memset(cryptkey, 0x55 /*fallback key with alternating bits*/, 32);
+        }
+        /* add the secureconfig functions */
+#ifndef ZEND_ENGINE_2
+        zend_register_functions(suhosin_secureconfig_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
+#else
+        zend_register_functions(NULL, suhosin_secureconfig_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
+#endif
+}
+#endif /* SUHOSIN_EXPERIMENTAL */
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ * vim600: sw=4 ts=4 fdm=marker
+ * vim<600: sw=4 ts=4
+ */
diff --git a/suhosin.c b/suhosin.c
index dede702..93dfd08 100644
--- a/suhosin.c
+++ b/suhosin.c
@@ -907,6 +907,8 @@ PHP_INI_BEGIN()
        STD_ZEND_INI_BOOLEAN("suhosin.srand.ignore", "1", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateMiscBool, srand_ignore,zend_suhosin_globals, suhosin_globals)
        STD_ZEND_INI_BOOLEAN("suhosin.mt_srand.ignore", "1", ZEND_INI_SYSTEM|ZEND_INI_PERDIR, OnUpdateMiscBool, mt_srand_ignore,zend_suhosin_globals,   suhosin_globals)
+        STD_PHP_INI_ENTRY("suhosin.secureconfig.cryptkey", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscString, secureconfig_cryptkey, zend_suhosin_globals, suhosin_globals)
 PHP_INI_END()
 /* }}} */
@@ -1051,7 +1053,10 @@ PHP_MINIT_FUNCTION(suhosin)
        suhosin_hook_memory_limit(TSRMLS_C);
        suhosin_hook_sha256(TSRMLS_C);
        suhosin_hook_ex_imp(TSRMLS_C);
+#ifdef SUHOSIN_EXPERIMENTAL
+        suhosin_hook_secureconfig(TSRMLS_C);
+#endif
+        
 #if PHP_VERSION_ID < 50500
        /* register the logo for phpinfo */
        php_register_info_logo(SUHOSIN_LOGO_GUID, "image/jpeg", suhosin_logo, sizeof(suhosin_logo));
author	Ben Fuhrmannek	2016-03-01 14:55:46 +0100
committer	Ben Fuhrmannek	2016-03-01 14:55:46 +0100
commit	c180da6de0851521cae98a1b385e03a120d5cf61 (patch)
tree	ddd49425cf08f6b70b6cb88858fbe0d1f50d2456
parent	7060d15d6d2624f81cb3a57ee319fa61ba06ad89 (diff)

diff --git a/Changelog b/Changelog index fbf5709..8c7edae 100644 --- a/Changelog +++ b/Changelog
@@ -3,6 +3,7 @@
3	- removed dead code	3	- removed dead code
4	- better debian integration	4	- better debian integration
5	- fixed perdir checks	5	- fixed perdir checks
		6	- added Juergen Pabel's secure configuration loader to experimental features
6		7
7	2015-05-21 - 0.9.38	8	2015-05-21 - 0.9.38
8	- removed code compatibility for PHP <5.4 (lots of code + ifdefs)	9	- removed code compatibility for PHP <5.4 (lots of code + ifdefs)


diff --git a/config.m4 b/config.m4 index c908de9..7a3843e 100644 --- a/config.m4 +++ b/config.m4
@@ -5,7 +5,7 @@ PHP_ARG_ENABLE(suhosin, whether to enable suhosin support,
5	[ --enable-suhosin Enable suhosin support])	5	[ --enable-suhosin Enable suhosin support])
6		6
7	if test "$PHP_SUHOSIN" != "no"; then	7	if test "$PHP_SUHOSIN" != "no"; then
8	PHP_NEW_EXTENSION(suhosin, suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c, $ext_shared)	8	PHP_NEW_EXTENSION(suhosin, suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c secureconfig.c, $ext_shared)
9	fi	9	fi
10		10
11	PHP_ARG_ENABLE(suhosin-experimental, whether to enable experimental suhosin features,	11	PHP_ARG_ENABLE(suhosin-experimental, whether to enable experimental suhosin features,


diff --git a/config.w32 b/config.w32 index ecfe832..1b63bdf 100644 --- a/config.w32 +++ b/config.w32
@@ -4,7 +4,7 @@
4	ARG_ENABLE("suhosin", "whether to enable suhosin support", "yes");	4	ARG_ENABLE("suhosin", "whether to enable suhosin support", "yes");
5		5
6	if (PHP_SUHOSIN == "yes") {	6	if (PHP_SUHOSIN == "yes") {
7	EXTENSION("suhosin", "suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c");	7	EXTENSION("suhosin", "suhosin.c sha256.c memory_limit.c treat_data.c ifilter.c post_handler.c ufilter.c rfc1867_new.c log.c header.c execute.c ex_imp.c session.c aes.c crypt.c secureconfig.c");
8	ARG_ENABLE("suhosin-experimental", "Enable experimental suhosin features", "no");	8	ARG_ENABLE("suhosin-experimental", "Enable experimental suhosin features", "no");
9		9
10	if (PHP_SUHOSIN_EXPERIMENTAL != "no") {	10	if (PHP_SUHOSIN_EXPERIMENTAL != "no") {


diff --git a/php_suhosin.h b/php_suhosin.h index 824ce21..3fa4160 100644 --- a/php_suhosin.h +++ b/php_suhosin.h
@@ -320,6 +320,9 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin)
320	zend_bool sql_perdir;	320	zend_bool sql_perdir;
321	zend_bool misc_perdir;	321	zend_bool misc_perdir;
322		322
		323	// misc
		324	char* secureconfig_cryptkey;
		325
323	ZEND_END_MODULE_GLOBALS(suhosin)	326	ZEND_END_MODULE_GLOBALS(suhosin)
324		327
325	#ifdef ZTS	328	#ifdef ZTS
@@ -400,6 +403,7 @@ int suhosin_rfc1867_filter(unsigned int event, void event_data, void *extra TS
400	void suhosin_bailout(TSRMLS_D);	403	void suhosin_bailout(TSRMLS_D);
401	size_t suhosin_strnspn(const char input, size_t n, const char accept);	404	size_t suhosin_strnspn(const char input, size_t n, const char accept);
402	size_t suhosin_strncspn(const char input, size_t n, const char reject);	405	size_t suhosin_strncspn(const char input, size_t n, const char reject);
		406	void suhosin_hook_secureconfig(TSRMLS_D);
403		407
404		408
405	#endif /* PHP_SUHOSIN_H */	409	#endif /* PHP_SUHOSIN_H */


diff --git a/secureconfig.c b/secureconfig.c new file mode 100644 index 0000000..075baf0 --- /dev/null +++ b/secureconfig.c
@@ -0,0 +1,135 @@
		1	/*
		2	+----------------------------------------------------------------------+
		3	\| Suhosin Version 1 \|
		4	+----------------------------------------------------------------------+
		5	\| Copyright (c) 2006-2007 The Hardened-PHP Project \|
		6	\| Copyright (c) 2007-2010 SektionEins GmbH \|
		7	+----------------------------------------------------------------------+
		8	\| This source file is subject to version 3.01 of the PHP license, \|
		9	\| that is bundled with this package in the file LICENSE, and is \|
		10	\| available through the world-wide-web at the following url: \|
		11	\| http://www.php.net/license/3_01.txt \|
		12	\| If you did not receive a copy of the PHP license and are unable to \|
		13	\| obtain it through the world-wide-web, please send a note to \|
		14	\| license@php.net so we can mail you a copy immediately. \|
		15	+----------------------------------------------------------------------+
		16	\| Author: Juergen Pabel <jpabel@akkaya.de> \|
		17	+----------------------------------------------------------------------+
		18	*/
		19
		20	#ifdef SUHOSIN_EXPERIMENTAL
		21	#include <stdio.h>
		22	#include "php.h"
		23	#include "php_suhosin.h"
		24	#include "sha256.h"
		25
		26	static char cryptkey[32];
		27
		28	/* {{{ proto string secureconfig_encrypt(string plaintext)
		29	Encrypt a configuration value using the configured cryptographic key */
		30	static PHP_FUNCTION(suhosin_secureconfig_encrypt)
		31	{
		32	char plaintext, ciphertext;
		33	int plaintext_len, ciphertext_len;
		34	int i;
		35	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &plaintext, &plaintext_len) == FAILURE) {
		36	return;
		37	}
		38	ciphertext = suhosin_encrypt_string(plaintext, plaintext_len, "", 0, cryptkey TSRMLS_CC);
		39	if(ciphertext == NULL) {
		40	return;
		41	}
		42	ciphertext_len = strlen(ciphertext);
		43	/* undo suhosin_encrypt_string()'s base64 alphabet transformation */
		44	for (i=0; i<ciphertext_len; i++) {
		45	switch (ciphertext[i]) {
		46	case '-': ciphertext[i]='/'; break;
		47	case '.': ciphertext[i]='='; break;
		48	case '_': ciphertext[i]='+'; break;
		49	}
		50	}
		51	RETURN_STRINGL((char *)ciphertext, ciphertext_len, 1);
		52	}
		53
		54	/* }}} */
		55
		56
		57	/* {{{ proto string secureconfig_decrypt(string ciphertext)
		58	Decrypt a configuration value using the configured cryptographic key */
		59	static PHP_FUNCTION(suhosin_secureconfig_decrypt)
		60	{
		61	char plaintext, ciphertext;
		62	int plaintext_len, ciphertext_len;
		63	int i;
		64
		65	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &ciphertext, &ciphertext_len) == FAILURE) {
		66	return;
		67	}
		68
		69	/* redo suhosin_encrypt_string()'s base64 alphabet transformation */
		70	for (i=0; i<ciphertext_len; i++) {
		71	switch (ciphertext[i]) {
		72	case '/': ciphertext[i]='-'; break;
		73	case '=': ciphertext[i]='.'; break;
		74	case '+': ciphertext[i]='_'; break;
		75	}
		76	}
		77	plaintext = suhosin_decrypt_string(ciphertext, ciphertext_len, "", 0, cryptkey, &plaintext_len, 0 TSRMLS_CC);
		78	if(plaintext == NULL \|\| plaintext_len <= 0) {
		79	return;
		80	}
		81	RETURN_STRINGL((char *)plaintext, plaintext_len, 1);
		82	}
		83
		84	/* }}} */
		85
		86
		87	/* {{{ suhosin_secureconfig_functions[]
		88	*/
		89	static function_entry suhosin_secureconfig_functions[] = {
		90	PHP_NAMED_FE(secureconfig_encrypt, PHP_FN(suhosin_secureconfig_encrypt), NULL)
		91	PHP_NAMED_FE(secureconfig_decrypt, PHP_FN(suhosin_secureconfig_decrypt), NULL)
		92	{NULL, NULL, NULL}
		93	};
		94	/* }}} */
		95
		96
		97	void suhosin_hook_secureconfig(TSRMLS_D)
		98	{
		99	char* key;
		100	suhosin_SHA256_CTX ctx;
		101
		102	// TSRMLS_FETCH();
		103
		104	/* check if we already have secureconfig support */
		105	if (zend_hash_exists(CG(function_table), "secureconfig_encrypt", sizeof("secureconfig_encrypt"))) {
		106	return;
		107	}
		108
		109	key = SUHOSIN_G(secureconfig_cryptkey);
		110	if (key != NULL) {
		111	suhosin_SHA256Init(&ctx);
		112	suhosin_SHA256Update(&ctx, (unsigned char*)key, strlen(key));
		113	suhosin_SHA256Final((unsigned char *)cryptkey, &ctx);
		114	} else {
		115	memset(cryptkey, 0x55 /fallback key with alternating bits/, 32);
		116	}
		117
		118	/* add the secureconfig functions */
		119	#ifndef ZEND_ENGINE_2
		120	zend_register_functions(suhosin_secureconfig_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
		121	#else
		122	zend_register_functions(NULL, suhosin_secureconfig_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
		123	#endif
		124	}
		125
		126	#endif /* SUHOSIN_EXPERIMENTAL */
		127
		128	/*
		129	* Local variables:
		130	* tab-width: 4
		131	* c-basic-offset: 4
		132	* End:
		133	* vim600: sw=4 ts=4 fdm=marker
		134	* vim<600: sw=4 ts=4
		135	*/


diff --git a/suhosin.c b/suhosin.c index dede702..93dfd08 100644 --- a/suhosin.c +++ b/suhosin.c
@@ -907,6 +907,8 @@ PHP_INI_BEGIN()
907	STD_ZEND_INI_BOOLEAN("suhosin.srand.ignore", "1", ZEND_INI_SYSTEM\|ZEND_INI_PERDIR, OnUpdateMiscBool, srand_ignore,zend_suhosin_globals, suhosin_globals)	907	STD_ZEND_INI_BOOLEAN("suhosin.srand.ignore", "1", ZEND_INI_SYSTEM\|ZEND_INI_PERDIR, OnUpdateMiscBool, srand_ignore,zend_suhosin_globals, suhosin_globals)
908	STD_ZEND_INI_BOOLEAN("suhosin.mt_srand.ignore", "1", ZEND_INI_SYSTEM\|ZEND_INI_PERDIR, OnUpdateMiscBool, mt_srand_ignore,zend_suhosin_globals, suhosin_globals)	908	STD_ZEND_INI_BOOLEAN("suhosin.mt_srand.ignore", "1", ZEND_INI_SYSTEM\|ZEND_INI_PERDIR, OnUpdateMiscBool, mt_srand_ignore,zend_suhosin_globals, suhosin_globals)
909		909
		910	STD_PHP_INI_ENTRY("suhosin.secureconfig.cryptkey", "", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateMiscString, secureconfig_cryptkey, zend_suhosin_globals, suhosin_globals)
		911
910	PHP_INI_END()	912	PHP_INI_END()
911	/* }}} */	913	/* }}} */
912		914
@@ -1051,7 +1053,10 @@ PHP_MINIT_FUNCTION(suhosin)
1051	suhosin_hook_memory_limit(TSRMLS_C);	1053	suhosin_hook_memory_limit(TSRMLS_C);
1052	suhosin_hook_sha256(TSRMLS_C);	1054	suhosin_hook_sha256(TSRMLS_C);
1053	suhosin_hook_ex_imp(TSRMLS_C);	1055	suhosin_hook_ex_imp(TSRMLS_C);
1054		1056	#ifdef SUHOSIN_EXPERIMENTAL
		1057	suhosin_hook_secureconfig(TSRMLS_C);
		1058	#endif
		1059
1055	#if PHP_VERSION_ID < 50500	1060	#if PHP_VERSION_ID < 50500
1056	/* register the logo for phpinfo */	1061	/* register the logo for phpinfo */
1057	php_register_info_logo(SUHOSIN_LOGO_GUID, "image/jpeg", suhosin_logo, sizeof(suhosin_logo));	1062	php_register_info_logo(SUHOSIN_LOGO_GUID, "image/jpeg", suhosin_logo, sizeof(suhosin_logo));